Guest User

Untitled

a guest
Jul 3rd, 2016
257
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 288.67 KB | None | 0 0
  1. # WELCOME TO SQUID 3.5.12
  2. # ----------------------------
  3. #
  4. # This is the documentation for the Squid configuration file.
  5. # This documentation can also be found online at:
  6. # http://www.squid-cache.org/Doc/config/
  7. #
  8. # You may wish to look at the Squid home page and wiki for the
  9. # FAQ and other documentation:
  10. # http://www.squid-cache.org/
  11. # http://wiki.squid-cache.org/SquidFaq
  12. # http://wiki.squid-cache.org/ConfigExamples
  13. #
  14. # This documentation shows what the defaults for various directives
  15. # happen to be. If you don't need to change the default, you should
  16. # leave the line out of your squid.conf in most cases.
  17. #
  18. # In some cases "none" refers to no default setting at all,
  19. # while in other cases it refers to the value of the option
  20. # - the comments for that keyword indicate if this is the case.
  21. #
  22.  
  23. # Configuration options can be included using the "include" directive.
  24. # Include takes a list of files to include. Quoting and wildcards are
  25. # supported.
  26. #
  27. # For example,
  28. #
  29. # include /path/to/included/file/squid.acl.config
  30. #
  31. # Includes can be nested up to a hard-coded depth of 16 levels.
  32. # This arbitrary restriction is to prevent recursive include references
  33. # from causing Squid entering an infinite loop whilst trying to load
  34. # configuration files.
  35. #
  36. # Values with byte units
  37. #
  38. # Squid accepts size units on some size related directives. All
  39. # such directives are documented with a default value displaying
  40. # a unit.
  41. #
  42. # Units accepted by Squid are:
  43. # bytes - byte
  44. # KB - Kilobyte (1024 bytes)
  45. # MB - Megabyte
  46. # GB - Gigabyte
  47. #
  48. # Values with spaces, quotes, and other special characters
  49. #
  50. # Squid supports directive parameters with spaces, quotes, and other
  51. # special characters. Surround such parameters with "double quotes". Use
  52. # the configuration_includes_quoted_values directive to enable or
  53. # disable that support.
  54. #
  55. # Squid supports reading configuration option parameters from external
  56. # files using the syntax:
  57. # parameters("/path/filename")
  58. # For example:
  59. # acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
  60. #
  61. # Conditional configuration
  62. #
  63. # If-statements can be used to make configuration directives
  64. # depend on conditions:
  65. #
  66. # if <CONDITION>
  67. # ... regular configuration directives ...
  68. # [else
  69. # ... regular configuration directives ...]
  70. # endif
  71. #
  72. # The else part is optional. The keywords "if", "else", and "endif"
  73. # must be typed on their own lines, as if they were regular
  74. # configuration directives.
  75. #
  76. # NOTE: An else-if condition is not supported.
  77. #
  78. # These individual conditions types are supported:
  79. #
  80. # true
  81. # Always evaluates to true.
  82. # false
  83. # Always evaluates to false.
  84. # <integer> = <integer>
  85. # Equality comparison of two integer numbers.
  86. #
  87. #
  88. # SMP-Related Macros
  89. #
  90. # The following SMP-related preprocessor macros can be used.
  91. #
  92. # ${process_name} expands to the current Squid process "name"
  93. # (e.g., squid1, squid2, or cache1).
  94. #
  95. # ${process_number} expands to the current Squid process
  96. # identifier, which is an integer number (e.g., 1, 2, 3) unique
  97. # across all Squid processes of the current service instance.
  98. #
  99. # ${service_name} expands into the current Squid service instance
  100. # name identifier which is provided by -n on the command line.
  101. #
  102.  
  103. # TAG: broken_vary_encoding
  104. # This option is not yet supported by Squid-3.
  105. #Default:
  106. # none
  107.  
  108. # TAG: cache_vary
  109. # This option is not yet supported by Squid-3.
  110. #Default:
  111. # none
  112.  
  113. # TAG: error_map
  114. # This option is not yet supported by Squid-3.
  115. #Default:
  116. # none
  117.  
  118. # TAG: external_refresh_check
  119. # This option is not yet supported by Squid-3.
  120. #Default:
  121. # none
  122.  
  123. # TAG: location_rewrite_program
  124. # This option is not yet supported by Squid-3.
  125. #Default:
  126. # none
  127.  
  128. # TAG: refresh_stale_hit
  129. # This option is not yet supported by Squid-3.
  130. #Default:
  131. # none
  132.  
  133. # TAG: hierarchy_stoplist
  134. # Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use.
  135. #Default:
  136. # none
  137.  
  138. # TAG: log_access
  139. # Remove this line. Use acls with access_log directives to control access logging
  140. #Default:
  141. # none
  142.  
  143. # TAG: log_icap
  144. # Remove this line. Use acls with icap_log directives to control icap logging
  145. #Default:
  146. # none
  147.  
  148. # TAG: ignore_ims_on_miss
  149. # Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'.
  150. #Default:
  151. # none
  152.  
  153. # TAG: chunked_request_body_max_size
  154. # Remove this line. Squid is now HTTP/1.1 compliant.
  155. #Default:
  156. # none
  157.  
  158. # TAG: dns_v4_fallback
  159. # Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
  160. #Default:
  161. # none
  162.  
  163. # TAG: emulate_httpd_log
  164. # Replace this with an access_log directive using the format 'common' or 'combined'.
  165. #Default:
  166. # none
  167.  
  168. # TAG: forward_log
  169. # Use a regular access.log with ACL limiting it to MISS events.
  170. #Default:
  171. # none
  172.  
  173. # TAG: ftp_list_width
  174. # Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
  175. #Default:
  176. # none
  177.  
  178. # TAG: ignore_expect_100
  179. # Remove this line. The HTTP/1.1 feature is now fully supported by default.
  180. #Default:
  181. # none
  182.  
  183. # TAG: log_fqdn
  184. # Remove this option from your config. To log FQDN use %>A in the log format.
  185. #Default:
  186. # none
  187.  
  188. # TAG: log_ip_on_direct
  189. # Remove this option from your config. To log server or peer names use %<A in the log format.
  190. #Default:
  191. # none
  192.  
  193. # TAG: maximum_single_addr_tries
  194. # Replaced by connect_retries. The behaviour has changed, please read the documentation before altering.
  195. #Default:
  196. # none
  197.  
  198. # TAG: referer_log
  199. # Replace this with an access_log directive using the format 'referrer'.
  200. #Default:
  201. # none
  202.  
  203. # TAG: update_headers
  204. # Remove this line. The feature is supported by default in storage types where update is implemented.
  205. #Default:
  206. # none
  207.  
  208. # TAG: url_rewrite_concurrency
  209. # Remove this line. Set the 'concurrency=' option of url_rewrite_children instead.
  210. #Default:
  211. # none
  212.  
  213. # TAG: useragent_log
  214. # Replace this with an access_log directive using the format 'useragent'.
  215. #Default:
  216. # none
  217.  
  218. # TAG: dns_testnames
  219. # Remove this line. DNS is no longer tested on startup.
  220. #Default:
  221. # none
  222.  
  223. # TAG: extension_methods
  224. # Remove this line. All valid methods for HTTP are accepted by default.
  225. #Default:
  226. # none
  227.  
  228. # TAG: zero_buffers
  229. #Default:
  230. # none
  231.  
  232. # TAG: incoming_rate
  233. #Default:
  234. # none
  235.  
  236. # TAG: server_http11
  237. # Remove this line. HTTP/1.1 is supported by default.
  238. #Default:
  239. # none
  240.  
  241. # TAG: upgrade_http0.9
  242. # Remove this line. ICY/1.0 streaming protocol is supported by default.
  243. #Default:
  244. # none
  245.  
  246. # TAG: zph_local
  247. # Alter these entries. Use the qos_flows directive instead.
  248. #Default:
  249. # none
  250.  
  251. # TAG: header_access
  252. # Since squid-3.0 replace with request_header_access or reply_header_access
  253. # depending on whether you wish to match client requests or server replies.
  254. #Default:
  255. # none
  256.  
  257. # TAG: httpd_accel_no_pmtu_disc
  258. # Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
  259. #Default:
  260. # none
  261.  
  262. # TAG: wais_relay_host
  263. # Replace this line with 'cache_peer' configuration.
  264. #Default:
  265. # none
  266.  
  267. # TAG: wais_relay_port
  268. # Replace this line with 'cache_peer' configuration.
  269. #Default:
  270. # none
  271.  
  272. # OPTIONS FOR SMP
  273. # -----------------------------------------------------------------------------
  274.  
  275. # TAG: workers
  276. # Number of main Squid processes or "workers" to fork and maintain.
  277. # 0: "no daemon" mode, like running "squid -N ..."
  278. # 1: "no SMP" mode, start one main Squid process daemon (default)
  279. # N: start N main Squid process daemons (i.e., SMP mode)
  280. #
  281. # In SMP mode, each worker does nearly all what a single Squid daemon
  282. # does (e.g., listen on http_port and forward HTTP requests).
  283. #Default:
  284. # SMP support disabled.
  285.  
  286. # TAG: cpu_affinity_map
  287. # Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,...
  288. #
  289. # Sets 1:1 mapping between Squid processes and CPU cores. For example,
  290. #
  291. # cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7
  292. #
  293. # affects processes 1 through 4 only and places them on the first
  294. # four even cores, starting with core #1.
  295. #
  296. # CPU cores are numbered starting from 1. Requires support for
  297. # sched_getaffinity(2) and sched_setaffinity(2) system calls.
  298. #
  299. # Multiple cpu_affinity_map options are merged.
  300. #
  301. # See also: workers
  302. #Default:
  303. # Let operating system decide.
  304.  
  305. # OPTIONS FOR AUTHENTICATION
  306. # -----------------------------------------------------------------------------
  307.  
  308. # TAG: auth_param
  309. # This is used to define parameters for the various authentication
  310. # schemes supported by Squid.
  311. #
  312. # format: auth_param scheme parameter [setting]
  313. #
  314. # The order in which authentication schemes are presented to the client is
  315. # dependent on the order the scheme first appears in config file. IE
  316. # has a bug (it's not RFC 2617 compliant) in that it will use the basic
  317. # scheme if basic is the first entry presented, even if more secure
  318. # schemes are presented. For now use the order in the recommended
  319. # settings section below. If other browsers have difficulties (don't
  320. # recognize the schemes offered even if you are using basic) either
  321. # put basic first, or disable the other schemes (by commenting out their
  322. # program entry).
  323. #
  324. # Once an authentication scheme is fully configured, it can only be
  325. # shutdown by shutting squid down and restarting. Changes can be made on
  326. # the fly and activated with a reconfigure. I.E. You can change to a
  327. # different helper, but not unconfigure the helper completely.
  328. #
  329. # Please note that while this directive defines how Squid processes
  330. # authentication it does not automatically activate authentication.
  331. # To use authentication you must in addition make use of ACLs based
  332. # on login name in http_access (proxy_auth, proxy_auth_regex or
  333. # external with %LOGIN used in the format tag). The browser will be
  334. # challenged for authentication on the first such acl encountered
  335. # in http_access processing and will also be re-challenged for new
  336. # login credentials if the request is being denied by a proxy_auth
  337. # type acl.
  338. #
  339. # WARNING: authentication can't be used in a transparently intercepting
  340. # proxy as the client then thinks it is talking to an origin server and
  341. # not the proxy. This is a limitation of bending the TCP/IP protocol to
  342. # transparently intercepting port 80, not a limitation in Squid.
  343. # Ports flagged 'transparent', 'intercept', or 'tproxy' have
  344. # authentication disabled.
  345. #
  346. # === Parameters common to all schemes. ===
  347. #
  348. # "program" cmdline
  349. # Specifies the command for the external authenticator.
  350. #
  351. # By default, each authentication scheme is not used unless a
  352. # program is specified.
  353. #
  354. # See http://wiki.squid-cache.org/Features/AddonHelpers for
  355. # more details on helper operations and creating your own.
  356. #
  357. # "key_extras" format
  358. # Specifies a string to be append to request line format for
  359. # the authentication helper. "Quoted" format values may contain
  360. # spaces and logformat %macros. In theory, any logformat %macro
  361. # can be used. In practice, a %macro expands as a dash (-) if
  362. # the helper request is sent before the required macro
  363. # information is available to Squid.
  364. #
  365. # By default, Squid uses request formats provided in
  366. # scheme-specific examples below (search for %credentials).
  367. #
  368. # The expanded key_extras value is added to the Squid credentials
  369. # cache and, hence, will affect authentication. It can be used to
  370. # autenticate different users with identical user names (e.g.,
  371. # when user authentication depends on http_port).
  372. #
  373. # Avoid adding frequently changing information to key_extras. For
  374. # example, if you add user source IP, and it changes frequently
  375. # in your environment, then max_user_ip ACL is going to treat
  376. # every user+IP combination as a unique "user", breaking the ACL
  377. # and wasting a lot of memory on those user records. It will also
  378. # force users to authenticate from scratch whenever their IP
  379. # changes.
  380. #
  381. # "realm" string
  382. # Specifies the protection scope (aka realm name) which is to be
  383. # reported to the client for the authentication scheme. It is
  384. # commonly part of the text the user will see when prompted for
  385. # their username and password.
  386. #
  387. # For Basic the default is "Squid proxy-caching web server".
  388. # For Digest there is no default, this parameter is mandatory.
  389. # For NTLM and Negotiate this parameter is ignored.
  390. #
  391. # "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
  392. #
  393. # The maximum number of authenticator processes to spawn. If
  394. # you start too few Squid will have to wait for them to process
  395. # a backlog of credential verifications, slowing it down. When
  396. # password verifications are done via a (slow) network you are
  397. # likely to need lots of authenticator processes.
  398. #
  399. # The startup= and idle= options permit some skew in the exact
  400. # amount run. A minimum of startup=N will begin during startup
  401. # and reconfigure. Squid will start more in groups of up to
  402. # idle=N in an attempt to meet traffic needs and to keep idle=N
  403. # free above those traffic needs up to the maximum.
  404. #
  405. # The concurrency= option sets the number of concurrent requests
  406. # the helper can process. The default of 0 is used for helpers
  407. # who only supports one request at a time. Setting this to a
  408. # number greater than 0 changes the protocol used to include a
  409. # channel ID field first on the request/response line, allowing
  410. # multiple requests to be sent to the same helper in parallel
  411. # without waiting for the response.
  412. #
  413. # Concurrency must not be set unless it's known the helper
  414. # supports the input format with channel-ID fields.
  415. #
  416. # NOTE: NTLM and Negotiate schemes do not support concurrency
  417. # in the Squid code module even though some helpers can.
  418. #
  419. #
  420. #
  421. # === Example Configuration ===
  422. #
  423. # This configuration displays the recommended authentication scheme
  424. # order from most to least secure with recommended minimum configuration
  425. # settings for each scheme:
  426. #
  427. ##auth_param negotiate program <uncomment and complete this line to activate>
  428. ##auth_param negotiate children 20 startup=0 idle=1
  429. ##auth_param negotiate keep_alive on
  430. ##
  431. ##auth_param digest program <uncomment and complete this line to activate>
  432. ##auth_param digest children 20 startup=0 idle=1
  433. ##auth_param digest realm Squid proxy-caching web server
  434. ##auth_param digest nonce_garbage_interval 5 minutes
  435. ##auth_param digest nonce_max_duration 30 minutes
  436. ##auth_param digest nonce_max_count 50
  437. ##
  438. ##auth_param ntlm program <uncomment and complete this line to activate>
  439. ##auth_param ntlm children 20 startup=0 idle=1
  440. ##auth_param ntlm keep_alive on
  441. ##
  442. ##auth_param basic program <uncomment and complete this line>
  443. ##auth_param basic children 5 startup=5 idle=1
  444. ##auth_param basic realm Squid proxy-caching web server
  445. ##auth_param basic credentialsttl 2 hours
  446. #Default:
  447. # none
  448.  
  449. # TAG: authenticate_cache_garbage_interval
  450. # The time period between garbage collection across the username cache.
  451. # This is a trade-off between memory utilization (long intervals - say
  452. # 2 days) and CPU (short intervals - say 1 minute). Only change if you
  453. # have good reason to.
  454. #Default:
  455. # authenticate_cache_garbage_interval 1 hour
  456.  
  457. # TAG: authenticate_ttl
  458. # The time a user & their credentials stay in the logged in
  459. # user cache since their last request. When the garbage
  460. # interval passes, all user credentials that have passed their
  461. # TTL are removed from memory.
  462. #Default:
  463. # authenticate_ttl 1 hour
  464.  
  465. # TAG: authenticate_ip_ttl
  466. # If you use proxy authentication and the 'max_user_ip' ACL,
  467. # this directive controls how long Squid remembers the IP
  468. # addresses associated with each user. Use a small value
  469. # (e.g., 60 seconds) if your users might change addresses
  470. # quickly, as is the case with dialup. You might be safe
  471. # using a larger value (e.g., 2 hours) in a corporate LAN
  472. # environment with relatively static address assignments.
  473. #Default:
  474. # authenticate_ip_ttl 1 second
  475.  
  476. # ACCESS CONTROLS
  477. # -----------------------------------------------------------------------------
  478.  
  479. # TAG: external_acl_type
  480. # This option defines external acl classes using a helper program
  481. # to look up the status
  482. #
  483. # external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
  484. #
  485. # Options:
  486. #
  487. # ttl=n TTL in seconds for cached results (defaults to 3600
  488. # for 1 hour)
  489. #
  490. # negative_ttl=n
  491. # TTL for cached negative lookups (default same
  492. # as ttl)
  493. #
  494. # grace=n Percentage remaining of TTL where a refresh of a
  495. # cached entry should be initiated without needing to
  496. # wait for a new reply. (default is for no grace period)
  497. #
  498. # cache=n Limit the result cache size, default is 262144.
  499. # The expanded FORMAT value is used as the cache key, so
  500. # if the details in FORMAT are highly variable a larger
  501. # cache may be needed to produce reduction in helper load.
  502. #
  503. # children-max=n
  504. # Maximum number of acl helper processes spawned to service
  505. # external acl lookups of this type. (default 20)
  506. #
  507. # children-startup=n
  508. # Minimum number of acl helper processes to spawn during
  509. # startup and reconfigure to service external acl lookups
  510. # of this type. (default 0)
  511. #
  512. # children-idle=n
  513. # Number of acl helper processes to keep ahead of traffic
  514. # loads. Squid will spawn this many at once whenever load
  515. # rises above the capabilities of existing processes.
  516. # Up to the value of children-max. (default 1)
  517. #
  518. # concurrency=n concurrency level per process. Only used with helpers
  519. # capable of processing more than one query at a time.
  520. #
  521. # protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers.
  522. #
  523. # ipv4 / ipv6 IP protocol used to communicate with this helper.
  524. # The default is to auto-detect IPv6 and use it when available.
  525. #
  526. #
  527. # FORMAT specifications
  528. #
  529. # %LOGIN Authenticated user login name
  530. # %un A user name. Expands to the first available name
  531. # from the following list of information sources:
  532. # - authenticated user name, like %ul or %LOGIN
  533. # - user name sent by an external ACL, like %EXT_USER
  534. # - SSL client name, like %us in logformat
  535. # - ident user name, like %ui in logformat
  536. # %EXT_USER Username from previous external acl
  537. # %EXT_LOG Log details from previous external acl
  538. # %EXT_TAG Tag from previous external acl
  539. # %IDENT Ident user name
  540. # %SRC Client IP
  541. # %SRCPORT Client source port
  542. # %URI Requested URI
  543. # %DST Requested host
  544. # %PROTO Requested URL scheme
  545. # %PORT Requested port
  546. # %PATH Requested URL path
  547. # %METHOD Request method
  548. # %MYADDR Squid interface address
  549. # %MYPORT Squid http_port number
  550. # %PATH Requested URL-path (including query-string if any)
  551. # %USER_CERT SSL User certificate in PEM format
  552. # %USER_CERTCHAIN SSL User certificate chain in PEM format
  553. # %USER_CERT_xx SSL User certificate subject attribute xx
  554. # %USER_CA_CERT_xx SSL User certificate issuer attribute xx
  555. # %ssl::>sni SSL client SNI sent to Squid
  556. # %ssl::<cert_subject SSL server certificate DN
  557. # %ssl::<cert_issuer SSL server certificate issuer DN
  558. #
  559. # %>{Header} HTTP request header "Header"
  560. # %>{Hdr:member}
  561. # HTTP request header "Hdr" list member "member"
  562. # %>{Hdr:;member}
  563. # HTTP request header list member using ; as
  564. # list separator. ; can be any non-alphanumeric
  565. # character.
  566. #
  567. # %<{Header} HTTP reply header "Header"
  568. # %<{Hdr:member}
  569. # HTTP reply header "Hdr" list member "member"
  570. # %<{Hdr:;member}
  571. # HTTP reply header list member using ; as
  572. # list separator. ; can be any non-alphanumeric
  573. # character.
  574. #
  575. # %ACL The name of the ACL being tested.
  576. # %DATA The ACL arguments. If not used then any arguments
  577. # is automatically added at the end of the line
  578. # sent to the helper.
  579. # NOTE: this will encode the arguments as one token,
  580. # whereas the default will pass each separately.
  581. #
  582. # %% The percent sign. Useful for helpers which need
  583. # an unchanging input format.
  584. #
  585. #
  586. # General request syntax:
  587. #
  588. # [channel-ID] FORMAT-values [acl-values ...]
  589. #
  590. #
  591. # FORMAT-values consists of transaction details expanded with
  592. # whitespace separation per the config file FORMAT specification
  593. # using the FORMAT macros listed above.
  594. #
  595. # acl-values consists of any string specified in the referencing
  596. # config 'acl ... external' line. see the "acl external" directive.
  597. #
  598. # Request values sent to the helper are URL escaped to protect
  599. # each value in requests against whitespaces.
  600. #
  601. # If using protocol=2.5 then the request sent to the helper is not
  602. # URL escaped to protect against whitespace.
  603. #
  604. # NOTE: protocol=3.0 is deprecated as no longer necessary.
  605. #
  606. # When using the concurrency= option the protocol is changed by
  607. # introducing a query channel tag in front of the request/response.
  608. # The query channel tag is a number between 0 and concurrency-1.
  609. # This value must be echoed back unchanged to Squid as the first part
  610. # of the response relating to its request.
  611. #
  612. #
  613. # The helper receives lines expanded per the above format specification
  614. # and for each input line returns 1 line starting with OK/ERR/BH result
  615. # code and optionally followed by additional keywords with more details.
  616. #
  617. #
  618. # General result syntax:
  619. #
  620. # [channel-ID] result keyword=value ...
  621. #
  622. # Result consists of one of the codes:
  623. #
  624. # OK
  625. # the ACL test produced a match.
  626. #
  627. # ERR
  628. # the ACL test does not produce a match.
  629. #
  630. # BH
  631. # An internal error occurred in the helper, preventing
  632. # a result being identified.
  633. #
  634. # The meaning of 'a match' is determined by your squid.conf
  635. # access control configuration. See the Squid wiki for details.
  636. #
  637. # Defined keywords:
  638. #
  639. # user= The users name (login)
  640. #
  641. # password= The users password (for login= cache_peer option)
  642. #
  643. # message= Message describing the reason for this response.
  644. # Available as %o in error pages.
  645. # Useful on (ERR and BH results).
  646. #
  647. # tag= Apply a tag to a request. Only sets a tag once,
  648. # does not alter existing tags.
  649. #
  650. # log= String to be logged in access.log. Available as
  651. # %ea in logformat specifications.
  652. #
  653. # clt_conn_tag= Associates a TAG with the client TCP connection.
  654. # Please see url_rewrite_program related documentation
  655. # for this kv-pair.
  656. #
  657. # Any keywords may be sent on any response whether OK, ERR or BH.
  658. #
  659. # All response keyword values need to be a single token with URL
  660. # escaping, or enclosed in double quotes (") and escaped using \ on
  661. # any double quotes or \ characters within the value. The wrapping
  662. # double quotes are removed before the value is interpreted by Squid.
  663. # \r and \n are also replace by CR and LF.
  664. #
  665. # Some example key values:
  666. #
  667. # user=John%20Smith
  668. # user="John Smith"
  669. # user="J. \"Bob\" Smith"
  670. #Default:
  671. # none
  672.  
  673. # TAG: acl
  674. # Defining an Access List
  675. #
  676. # Every access list definition must begin with an aclname and acltype,
  677. # followed by either type-specific arguments or a quoted filename that
  678. # they are read from.
  679. #
  680. # acl aclname acltype argument ...
  681. # acl aclname acltype "file" ...
  682. #
  683. # When using "file", the file should contain one item per line.
  684. #
  685. # Some acl types supports options which changes their default behaviour.
  686. # The available options are:
  687. #
  688. # -i,+i By default, regular expressions are CASE-SENSITIVE. To make them
  689. # case-insensitive, use the -i option. To return case-sensitive
  690. # use the +i option between patterns, or make a new ACL line
  691. # without -i.
  692. #
  693. # -n Disable lookups and address type conversions. If lookup or
  694. # conversion is required because the parameter type (IP or
  695. # domain name) does not match the message address type (domain
  696. # name or IP), then the ACL would immediately declare a mismatch
  697. # without any warnings or lookups.
  698. #
  699. # -- Used to stop processing all options, in the case the first acl
  700. # value has '-' character as first character (for example the '-'
  701. # is a valid domain name)
  702. #
  703. # Some acl types require suspending the current request in order
  704. # to access some external data source.
  705. # Those which do are marked with the tag [slow], those which
  706. # don't are marked as [fast].
  707. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl
  708. # for further information
  709. #
  710. # ***** ACL TYPES AVAILABLE *****
  711. #
  712. # acl aclname src ip-address/mask ... # clients IP address [fast]
  713. # acl aclname src addr1-addr2/mask ... # range of addresses [fast]
  714. # acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow]
  715. # acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
  716. #
  717. # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
  718. # # [fast]
  719. # # The 'arp' ACL code is not portable to all operating systems.
  720. # # It works on Linux, Solaris, Windows, FreeBSD, and some other
  721. # # BSD variants.
  722. # #
  723. # # NOTE: Squid can only determine the MAC/EUI address for IPv4
  724. # # clients that are on the same subnet. If the client is on a
  725. # # different subnet, then Squid cannot find out its address.
  726. # #
  727. # # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either
  728. # # encoded directly in the IPv6 address or not available.
  729. #
  730. # acl aclname srcdomain .foo.com ...
  731. # # reverse lookup, from client IP [slow]
  732. # acl aclname dstdomain [-n] .foo.com ...
  733. # # Destination server from URL [fast]
  734. # acl aclname srcdom_regex [-i] \.foo\.com ...
  735. # # regex matching client name [slow]
  736. # acl aclname dstdom_regex [-n] [-i] \.foo\.com ...
  737. # # regex matching server [fast]
  738. # #
  739. # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
  740. # # based URL is used and no match is found. The name "none" is used
  741. # # if the reverse lookup fails.
  742. #
  743. # acl aclname src_as number ...
  744. # acl aclname dst_as number ...
  745. # # [fast]
  746. # # Except for access control, AS numbers can be used for
  747. # # routing of requests to specific caches. Here's an
  748. # # example for routing all requests for AS#1241 and only
  749. # # those to mycache.mydomain.net:
  750. # # acl asexample dst_as 1241
  751. # # cache_peer_access mycache.mydomain.net allow asexample
  752. # # cache_peer_access mycache_mydomain.net deny all
  753. #
  754. # acl aclname peername myPeer ...
  755. # # [fast]
  756. # # match against a named cache_peer entry
  757. # # set unique name= on cache_peer lines for reliable use.
  758. #
  759. # acl aclname time [day-abbrevs] [h1:m1-h2:m2]
  760. # # [fast]
  761. # # day-abbrevs:
  762. # # S - Sunday
  763. # # M - Monday
  764. # # T - Tuesday
  765. # # W - Wednesday
  766. # # H - Thursday
  767. # # F - Friday
  768. # # A - Saturday
  769. # # h1:m1 must be less than h2:m2
  770. #
  771. # acl aclname url_regex [-i] ^http:// ...
  772. # # regex matching on whole URL [fast]
  773. # acl aclname urllogin [-i] [^a-zA-Z0-9] ...
  774. # # regex matching on URL login field
  775. # acl aclname urlpath_regex [-i] \.gif$ ...
  776. # # regex matching on URL path [fast]
  777. #
  778. # acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
  779. # # ranges are alloed
  780. # acl aclname localport 3128 ... # TCP port the client connected to [fast]
  781. # # NP: for interception mode this is usually '80'
  782. #
  783. # acl aclname myportname 3128 ... # *_port name [fast]
  784. #
  785. # acl aclname proto HTTP FTP ... # request protocol [fast]
  786. #
  787. # acl aclname method GET POST ... # HTTP request method [fast]
  788. #
  789. # acl aclname http_status 200 301 500- 400-403 ...
  790. # # status code in reply [fast]
  791. #
  792. # acl aclname browser [-i] regexp ...
  793. # # pattern match on User-Agent header (see also req_header below) [fast]
  794. #
  795. # acl aclname referer_regex [-i] regexp ...
  796. # # pattern match on Referer header [fast]
  797. # # Referer is highly unreliable, so use with care
  798. #
  799. # acl aclname ident username ...
  800. # acl aclname ident_regex [-i] pattern ...
  801. # # string match on ident output [slow]
  802. # # use REQUIRED to accept any non-null ident.
  803. #
  804. # acl aclname proxy_auth [-i] username ...
  805. # acl aclname proxy_auth_regex [-i] pattern ...
  806. # # perform http authentication challenge to the client and match against
  807. # # supplied credentials [slow]
  808. # #
  809. # # takes a list of allowed usernames.
  810. # # use REQUIRED to accept any valid username.
  811. # #
  812. # # Will use proxy authentication in forward-proxy scenarios, and plain
  813. # # http authenticaiton in reverse-proxy scenarios
  814. # #
  815. # # NOTE: when a Proxy-Authentication header is sent but it is not
  816. # # needed during ACL checking the username is NOT logged
  817. # # in access.log.
  818. # #
  819. # # NOTE: proxy_auth requires a EXTERNAL authentication program
  820. # # to check username/password combinations (see
  821. # # auth_param directive).
  822. # #
  823. # # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
  824. # # as the browser needs to be configured for using a proxy in order
  825. # # to respond to proxy authentication.
  826. #
  827. # acl aclname snmp_community string ...
  828. # # A community string to limit access to your SNMP Agent [fast]
  829. # # Example:
  830. # #
  831. # # acl snmppublic snmp_community public
  832. #
  833. # acl aclname maxconn number
  834. # # This will be matched when the client's IP address has
  835. # # more than <number> TCP connections established. [fast]
  836. # # NOTE: This only measures direct TCP links so X-Forwarded-For
  837. # # indirect clients are not counted.
  838. #
  839. # acl aclname max_user_ip [-s] number
  840. # # This will be matched when the user attempts to log in from more
  841. # # than <number> different ip addresses. The authenticate_ip_ttl
  842. # # parameter controls the timeout on the ip entries. [fast]
  843. # # If -s is specified the limit is strict, denying browsing
  844. # # from any further IP addresses until the ttl has expired. Without
  845. # # -s Squid will just annoy the user by "randomly" denying requests.
  846. # # (the counter is reset each time the limit is reached and a
  847. # # request is denied)
  848. # # NOTE: in acceleration mode or where there is mesh of child proxies,
  849. # # clients may appear to come from multiple addresses if they are
  850. # # going through proxy farms, so a limit of 1 may cause user problems.
  851. #
  852. # acl aclname random probability
  853. # # Pseudo-randomly match requests. Based on the probability given.
  854. # # Probability may be written as a decimal (0.333), fraction (1/3)
  855. # # or ratio of matches:non-matches (3:5).
  856. #
  857. # acl aclname req_mime_type [-i] mime-type ...
  858. # # regex match against the mime type of the request generated
  859. # # by the client. Can be used to detect file upload or some
  860. # # types HTTP tunneling requests [fast]
  861. # # NOTE: This does NOT match the reply. You cannot use this
  862. # # to match the returned file type.
  863. #
  864. # acl aclname req_header header-name [-i] any\.regex\.here
  865. # # regex match against any of the known request headers. May be
  866. # # thought of as a superset of "browser", "referer" and "mime-type"
  867. # # ACL [fast]
  868. #
  869. # acl aclname rep_mime_type [-i] mime-type ...
  870. # # regex match against the mime type of the reply received by
  871. # # squid. Can be used to detect file download or some
  872. # # types HTTP tunneling requests. [fast]
  873. # # NOTE: This has no effect in http_access rules. It only has
  874. # # effect in rules that affect the reply data stream such as
  875. # # http_reply_access.
  876. #
  877. # acl aclname rep_header header-name [-i] any\.regex\.here
  878. # # regex match against any of the known reply headers. May be
  879. # # thought of as a superset of "browser", "referer" and "mime-type"
  880. # # ACLs [fast]
  881. #
  882. # acl aclname external class_name [arguments...]
  883. # # external ACL lookup via a helper class defined by the
  884. # # external_acl_type directive [slow]
  885. #
  886. # acl aclname user_cert attribute values...
  887. # # match against attributes in a user SSL certificate
  888. # # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
  889. #
  890. # acl aclname ca_cert attribute values...
  891. # # match against attributes a users issuing CA SSL certificate
  892. # # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
  893. #
  894. # acl aclname ext_user username ...
  895. # acl aclname ext_user_regex [-i] pattern ...
  896. # # string match on username returned by external acl helper [slow]
  897. # # use REQUIRED to accept any non-null user name.
  898. #
  899. # acl aclname tag tagvalue ...
  900. # # string match on tag returned by external acl helper [fast]
  901. # # DEPRECATED. Only the first tag will match with this ACL.
  902. # # Use the 'note' ACL instead for handling multiple tag values.
  903. #
  904. # acl aclname hier_code codename ...
  905. # # string match against squid hierarchy code(s); [fast]
  906. # # e.g., DIRECT, PARENT_HIT, NONE, etc.
  907. # #
  908. # # NOTE: This has no effect in http_access rules. It only has
  909. # # effect in rules that affect the reply data stream such as
  910. # # http_reply_access.
  911. #
  912. # acl aclname note name [value ...]
  913. # # match transaction annotation [fast]
  914. # # Without values, matches any annotation with a given name.
  915. # # With value(s), matches any annotation with a given name that
  916. # # also has one of the given values.
  917. # # Names and values are compared using a string equality test.
  918. # # Annotation sources include note and adaptation_meta directives
  919. # # as well as helper and eCAP responses.
  920. #
  921. # acl aclname adaptation_service service ...
  922. # # Matches the name of any icap_service, ecap_service,
  923. # # adaptation_service_set, or adaptation_service_chain that Squid
  924. # # has used (or attempted to use) for the master transaction.
  925. # # This ACL must be defined after the corresponding adaptation
  926. # # service is named in squid.conf. This ACL is usable with
  927. # # adaptation_meta because it starts matching immediately after
  928. # # the service has been selected for adaptation.
  929. #
  930. # acl aclname any-of acl1 acl2 ...
  931. # # match any one of the acls [fast or slow]
  932. # # The first matching ACL stops further ACL evaluation.
  933. # #
  934. # # ACLs from multiple any-of lines with the same name are ORed.
  935. # # For example, A = (a1 or a2) or (a3 or a4) can be written as
  936. # # acl A any-of a1 a2
  937. # # acl A any-of a3 a4
  938. # #
  939. # # This group ACL is fast if all evaluated ACLs in the group are fast
  940. # # and slow otherwise.
  941. #
  942. # acl aclname all-of acl1 acl2 ...
  943. # # match all of the acls [fast or slow]
  944. # # The first mismatching ACL stops further ACL evaluation.
  945. # #
  946. # # ACLs from multiple all-of lines with the same name are ORed.
  947. # # For example, B = (b1 and b2) or (b3 and b4) can be written as
  948. # # acl B all-of b1 b2
  949. # # acl B all-of b3 b4
  950. # #
  951. # # This group ACL is fast if all evaluated ACLs in the group are fast
  952. # # and slow otherwise.
  953. #
  954. # Examples:
  955. # acl macaddress arp 09:00:2b:23:45:67
  956. # acl myexample dst_as 1241
  957. # acl password proxy_auth REQUIRED
  958. # acl fileupload req_mime_type -i ^multipart/form-data$
  959. # acl javascript rep_mime_type -i ^application/x-javascript$
  960. #
  961. #Default:
  962. # ACLs all, manager, localhost, and to_localhost are predefined.
  963. #
  964. #
  965. # Recommended minimum configuration:
  966. #
  967.  
  968. # Example rule allowing access from your local networks.
  969. # Adapt to list your (internal) IP networks from where browsing
  970. # should be allowed
  971. #acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
  972. #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
  973. #acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
  974. #acl localnet src fc00::/7 # RFC 4193 local private network range
  975. #acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
  976.  
  977. acl SSL_ports port 443
  978. acl Safe_ports port 80 # http
  979. acl Safe_ports port 21 # ftp
  980. acl Safe_ports port 443 # https
  981. acl Safe_ports port 70 # gopher
  982. acl Safe_ports port 210 # wais
  983. acl Safe_ports port 1025-65535 # unregistered ports
  984. acl Safe_ports port 280 # http-mgmt
  985. acl Safe_ports port 488 # gss-http
  986. acl Safe_ports port 591 # filemaker
  987. acl Safe_ports port 777 # multiling http
  988. acl CONNECT method CONNECT
  989.  
  990. # TAG: proxy_protocol_access
  991. # Determine which client proxies can be trusted to provide correct
  992. # information regarding real client IP address using PROXY protocol.
  993. #
  994. # Requests may pass through a chain of several other proxies
  995. # before reaching us. The original source details may by sent in:
  996. # * HTTP message Forwarded header, or
  997. # * HTTP message X-Forwarded-For header, or
  998. # * PROXY protocol connection header.
  999. #
  1000. # This directive is solely for validating new PROXY protocol
  1001. # connections received from a port flagged with require-proxy-header.
  1002. # It is checked only once after TCP connection setup.
  1003. #
  1004. # A deny match results in TCP connection closure.
  1005. #
  1006. # An allow match is required for Squid to permit the corresponding
  1007. # TCP connection, before Squid even looks for HTTP request headers.
  1008. # If there is an allow match, Squid starts using PROXY header information
  1009. # to determine the source address of the connection for all future ACL
  1010. # checks, logging, etc.
  1011. #
  1012. # SECURITY CONSIDERATIONS:
  1013. #
  1014. # Any host from which we accept client IP details can place
  1015. # incorrect information in the relevant header, and Squid
  1016. # will use the incorrect information as if it were the
  1017. # source address of the request. This may enable remote
  1018. # hosts to bypass any access control restrictions that are
  1019. # based on the client's source addresses.
  1020. #
  1021. # This clause only supports fast acl types.
  1022. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1023. #Default:
  1024. # all TCP connections to ports with require-proxy-header will be denied
  1025.  
  1026. # TAG: follow_x_forwarded_for
  1027. # Determine which client proxies can be trusted to provide correct
  1028. # information regarding real client IP address.
  1029. #
  1030. # Requests may pass through a chain of several other proxies
  1031. # before reaching us. The original source details may by sent in:
  1032. # * HTTP message Forwarded header, or
  1033. # * HTTP message X-Forwarded-For header, or
  1034. # * PROXY protocol connection header.
  1035. #
  1036. # PROXY protocol connections are controlled by the proxy_protocol_access
  1037. # directive which is checked before this.
  1038. #
  1039. # If a request reaches us from a source that is allowed by this
  1040. # directive, then we trust the information it provides regarding
  1041. # the IP of the client it received from (if any).
  1042. #
  1043. # For the purpose of ACLs used in this directive the src ACL type always
  1044. # matches the address we are testing and srcdomain matches its rDNS.
  1045. #
  1046. # On each HTTP request Squid checks for X-Forwarded-For header fields.
  1047. # If found the header values are iterated in reverse order and an allow
  1048. # match is required for Squid to continue on to the next value.
  1049. # The verification ends when a value receives a deny match, cannot be
  1050. # tested, or there are no more values to test.
  1051. # NOTE: Squid does not yet follow the Forwarded HTTP header.
  1052. #
  1053. # The end result of this process is an IP address that we will
  1054. # refer to as the indirect client address. This address may
  1055. # be treated as the client address for access control, ICAP, delay
  1056. # pools and logging, depending on the acl_uses_indirect_client,
  1057. # icap_uses_indirect_client, delay_pool_uses_indirect_client,
  1058. # log_uses_indirect_client and tproxy_uses_indirect_client options.
  1059. #
  1060. # This clause only supports fast acl types.
  1061. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1062. #
  1063. # SECURITY CONSIDERATIONS:
  1064. #
  1065. # Any host from which we accept client IP details can place
  1066. # incorrect information in the relevant header, and Squid
  1067. # will use the incorrect information as if it were the
  1068. # source address of the request. This may enable remote
  1069. # hosts to bypass any access control restrictions that are
  1070. # based on the client's source addresses.
  1071. #
  1072. # For example:
  1073. #
  1074. # acl localhost src 127.0.0.1
  1075. # acl my_other_proxy srcdomain .proxy.example.com
  1076. # follow_x_forwarded_for allow localhost
  1077. # follow_x_forwarded_for allow my_other_proxy
  1078. #Default:
  1079. # X-Forwarded-For header will be ignored.
  1080.  
  1081. # TAG: acl_uses_indirect_client on|off
  1082. # Controls whether the indirect client address
  1083. # (see follow_x_forwarded_for) is used instead of the
  1084. # direct client address in acl matching.
  1085. #
  1086. # NOTE: maxconn ACL considers direct TCP links and indirect
  1087. # clients will always have zero. So no match.
  1088. #Default:
  1089. # acl_uses_indirect_client on
  1090.  
  1091. # TAG: delay_pool_uses_indirect_client on|off
  1092. # Controls whether the indirect client address
  1093. # (see follow_x_forwarded_for) is used instead of the
  1094. # direct client address in delay pools.
  1095. #Default:
  1096. # delay_pool_uses_indirect_client on
  1097.  
  1098. # TAG: log_uses_indirect_client on|off
  1099. # Controls whether the indirect client address
  1100. # (see follow_x_forwarded_for) is used instead of the
  1101. # direct client address in the access log.
  1102. #Default:
  1103. # log_uses_indirect_client on
  1104.  
  1105. # TAG: tproxy_uses_indirect_client on|off
  1106. # Controls whether the indirect client address
  1107. # (see follow_x_forwarded_for) is used instead of the
  1108. # direct client address when spoofing the outgoing client.
  1109. #
  1110. # This has no effect on requests arriving in non-tproxy
  1111. # mode ports.
  1112. #
  1113. # SECURITY WARNING: Usage of this option is dangerous
  1114. # and should not be used trivially. Correct configuration
  1115. # of follow_x_forwarded_for with a limited set of trusted
  1116. # sources is required to prevent abuse of your proxy.
  1117. #Default:
  1118. # tproxy_uses_indirect_client off
  1119.  
  1120. # TAG: spoof_client_ip
  1121. # Control client IP address spoofing of TPROXY traffic based on
  1122. # defined access lists.
  1123. #
  1124. # spoof_client_ip allow|deny [!]aclname ...
  1125. #
  1126. # If there are no "spoof_client_ip" lines present, the default
  1127. # is to "allow" spoofing of any suitable request.
  1128. #
  1129. # Note that the cache_peer "no-tproxy" option overrides this ACL.
  1130. #
  1131. # This clause supports fast acl types.
  1132. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1133. #Default:
  1134. # Allow spoofing on all TPROXY traffic.
  1135.  
  1136. # TAG: http_access
  1137. # Allowing or Denying access based on defined access lists
  1138. #
  1139. # To allow or deny a message received on an HTTP, HTTPS, or FTP port:
  1140. # http_access allow|deny [!]aclname ...
  1141. #
  1142. # NOTE on default values:
  1143. #
  1144. # If there are no "access" lines present, the default is to deny
  1145. # the request.
  1146. #
  1147. # If none of the "access" lines cause a match, the default is the
  1148. # opposite of the last line in the list. If the last line was
  1149. # deny, the default is allow. Conversely, if the last line
  1150. # is allow, the default will be deny. For these reasons, it is a
  1151. # good idea to have an "deny all" entry at the end of your access
  1152. # lists to avoid potential confusion.
  1153. #
  1154. # This clause supports both fast and slow acl types.
  1155. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1156. #
  1157. #Default:
  1158. # Deny, unless rules exist in squid.conf.
  1159. #
  1160.  
  1161. #
  1162. # Recommended minimum Access Permission configuration:
  1163. #
  1164. # Deny requests to certain unsafe ports
  1165. http_access deny !Safe_ports
  1166.  
  1167. # Deny CONNECT to other than secure SSL ports
  1168. http_access deny CONNECT !SSL_ports
  1169.  
  1170. # Only allow cachemgr access from localhost
  1171. http_access allow localhost manager
  1172. http_access deny manager
  1173.  
  1174. # We strongly recommend the following be uncommented to protect innocent
  1175. # web applications running on the proxy server who think the only
  1176. # one who can access services on "localhost" is a local user
  1177. #http_access deny to_localhost
  1178.  
  1179. #
  1180. # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
  1181. #
  1182.  
  1183. # Example rule allowing access from your local networks.
  1184. # Adapt localnet in the ACL section to list your (internal) IP networks
  1185. # from where browsing should be allowed
  1186. #http_access allow localnet
  1187. http_access allow localhost
  1188.  
  1189. # And finally deny all other access to this proxy
  1190. http_access deny all
  1191.  
  1192. # TAG: adapted_http_access
  1193. # Allowing or Denying access based on defined access lists
  1194. #
  1195. # Essentially identical to http_access, but runs after redirectors
  1196. # and ICAP/eCAP adaptation. Allowing access control based on their
  1197. # output.
  1198. #
  1199. # If not set then only http_access is used.
  1200. #Default:
  1201. # Allow, unless rules exist in squid.conf.
  1202.  
  1203. # TAG: http_reply_access
  1204. # Allow replies to client requests. This is complementary to http_access.
  1205. #
  1206. # http_reply_access allow|deny [!] aclname ...
  1207. #
  1208. # NOTE: if there are no access lines present, the default is to allow
  1209. # all replies.
  1210. #
  1211. # If none of the access lines cause a match the opposite of the
  1212. # last line will apply. Thus it is good practice to end the rules
  1213. # with an "allow all" or "deny all" entry.
  1214. #
  1215. # This clause supports both fast and slow acl types.
  1216. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1217. #Default:
  1218. # Allow, unless rules exist in squid.conf.
  1219.  
  1220. # TAG: icp_access
  1221. # Allowing or Denying access to the ICP port based on defined
  1222. # access lists
  1223. #
  1224. # icp_access allow|deny [!]aclname ...
  1225. #
  1226. # NOTE: The default if no icp_access lines are present is to
  1227. # deny all traffic. This default may cause problems with peers
  1228. # using ICP.
  1229. #
  1230. # This clause only supports fast acl types.
  1231. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1232. #
  1233. ## Allow ICP queries from local networks only
  1234. ##icp_access allow localnet
  1235. ##icp_access deny all
  1236. #Default:
  1237. # Deny, unless rules exist in squid.conf.
  1238.  
  1239. # TAG: htcp_access
  1240. # Allowing or Denying access to the HTCP port based on defined
  1241. # access lists
  1242. #
  1243. # htcp_access allow|deny [!]aclname ...
  1244. #
  1245. # See also htcp_clr_access for details on access control for
  1246. # cache purge (CLR) HTCP messages.
  1247. #
  1248. # NOTE: The default if no htcp_access lines are present is to
  1249. # deny all traffic. This default may cause problems with peers
  1250. # using the htcp option.
  1251. #
  1252. # This clause only supports fast acl types.
  1253. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1254. #
  1255. ## Allow HTCP queries from local networks only
  1256. ##htcp_access allow localnet
  1257. ##htcp_access deny all
  1258. #Default:
  1259. # Deny, unless rules exist in squid.conf.
  1260.  
  1261. # TAG: htcp_clr_access
  1262. # Allowing or Denying access to purge content using HTCP based
  1263. # on defined access lists.
  1264. # See htcp_access for details on general HTCP access control.
  1265. #
  1266. # htcp_clr_access allow|deny [!]aclname ...
  1267. #
  1268. # This clause only supports fast acl types.
  1269. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1270. #
  1271. ## Allow HTCP CLR requests from trusted peers
  1272. #acl htcp_clr_peer src 192.0.2.2 2001:DB8::2
  1273. #htcp_clr_access allow htcp_clr_peer
  1274. #htcp_clr_access deny all
  1275. #Default:
  1276. # Deny, unless rules exist in squid.conf.
  1277.  
  1278. # TAG: miss_access
  1279. # Determines whether network access is permitted when satisfying a request.
  1280. #
  1281. # For example;
  1282. # to force your neighbors to use you as a sibling instead of
  1283. # a parent.
  1284. #
  1285. # acl localclients src 192.0.2.0/24 2001:DB8::a:0/64
  1286. # miss_access deny !localclients
  1287. # miss_access allow all
  1288. #
  1289. # This means only your local clients are allowed to fetch relayed/MISS
  1290. # replies from the network and all other clients can only fetch cached
  1291. # objects (HITs).
  1292. #
  1293. # The default for this setting allows all clients who passed the
  1294. # http_access rules to relay via this proxy.
  1295. #
  1296. # This clause only supports fast acl types.
  1297. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1298. #Default:
  1299. # Allow, unless rules exist in squid.conf.
  1300.  
  1301. # TAG: ident_lookup_access
  1302. # A list of ACL elements which, if matched, cause an ident
  1303. # (RFC 931) lookup to be performed for this request. For
  1304. # example, you might choose to always perform ident lookups
  1305. # for your main multi-user Unix boxes, but not for your Macs
  1306. # and PCs. By default, ident lookups are not performed for
  1307. # any requests.
  1308. #
  1309. # To enable ident lookups for specific client addresses, you
  1310. # can follow this example:
  1311. #
  1312. # acl ident_aware_hosts src 198.168.1.0/24
  1313. # ident_lookup_access allow ident_aware_hosts
  1314. # ident_lookup_access deny all
  1315. #
  1316. # Only src type ACL checks are fully supported. A srcdomain
  1317. # ACL might work at times, but it will not always provide
  1318. # the correct result.
  1319. #
  1320. # This clause only supports fast acl types.
  1321. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1322. #Default:
  1323. # Unless rules exist in squid.conf, IDENT is not fetched.
  1324.  
  1325. # TAG: reply_body_max_size size [acl acl...]
  1326. # This option specifies the maximum size of a reply body. It can be
  1327. # used to prevent users from downloading very large files, such as
  1328. # MP3's and movies. When the reply headers are received, the
  1329. # reply_body_max_size lines are processed, and the first line where
  1330. # all (if any) listed ACLs are true is used as the maximum body size
  1331. # for this reply.
  1332. #
  1333. # This size is checked twice. First when we get the reply headers,
  1334. # we check the content-length value. If the content length value exists
  1335. # and is larger than the allowed size, the request is denied and the
  1336. # user receives an error message that says "the request or reply
  1337. # is too large." If there is no content-length, and the reply
  1338. # size exceeds this limit, the client's connection is just closed
  1339. # and they will receive a partial reply.
  1340. #
  1341. # WARNING: downstream caches probably can not detect a partial reply
  1342. # if there is no content-length header, so they will cache
  1343. # partial responses and give them out as hits. You should NOT
  1344. # use this option if you have downstream caches.
  1345. #
  1346. # WARNING: A maximum size smaller than the size of squid's error messages
  1347. # will cause an infinite loop and crash squid. Ensure that the smallest
  1348. # non-zero value you use is greater that the maximum header size plus
  1349. # the size of your largest error page.
  1350. #
  1351. # If you set this parameter none (the default), there will be
  1352. # no limit imposed.
  1353. #
  1354. # Configuration Format is:
  1355. # reply_body_max_size SIZE UNITS [acl ...]
  1356. # ie.
  1357. # reply_body_max_size 10 MB
  1358. #
  1359. #Default:
  1360. # No limit is applied.
  1361.  
  1362. # NETWORK OPTIONS
  1363. # -----------------------------------------------------------------------------
  1364.  
  1365. # TAG: http_port
  1366. # Usage: port [mode] [options]
  1367. # hostname:port [mode] [options]
  1368. # 1.2.3.4:port [mode] [options]
  1369. #
  1370. # The socket addresses where Squid will listen for HTTP client
  1371. # requests. You may specify multiple socket addresses.
  1372. # There are three forms: port alone, hostname with port, and
  1373. # IP address with port. If you specify a hostname or IP
  1374. # address, Squid binds the socket to that specific
  1375. # address. Most likely, you do not need to bind to a specific
  1376. # address, so you can use the port number alone.
  1377. #
  1378. # If you are running Squid in accelerator mode, you
  1379. # probably want to listen on port 80 also, or instead.
  1380. #
  1381. # The -a command line option may be used to specify additional
  1382. # port(s) where Squid listens for proxy request. Such ports will
  1383. # be plain proxy ports with no options.
  1384. #
  1385. # You may specify multiple socket addresses on multiple lines.
  1386. #
  1387. # Modes:
  1388. #
  1389. # intercept Support for IP-Layer NAT interception delivering
  1390. # traffic to this Squid port.
  1391. # NP: disables authentication on the port.
  1392. #
  1393. # tproxy Support Linux TPROXY (or BSD divert-to) with spoofing
  1394. # of outgoing connections using the client IP address.
  1395. # NP: disables authentication on the port.
  1396. #
  1397. # accel Accelerator / reverse proxy mode
  1398. #
  1399. # ssl-bump For each CONNECT request allowed by ssl_bump ACLs,
  1400. # establish secure connection with the client and with
  1401. # the server, decrypt HTTPS messages as they pass through
  1402. # Squid, and treat them as unencrypted HTTP messages,
  1403. # becoming the man-in-the-middle.
  1404. #
  1405. # The ssl_bump option is required to fully enable
  1406. # bumping of CONNECT requests.
  1407. #
  1408. # Omitting the mode flag causes default forward proxy mode to be used.
  1409. #
  1410. #
  1411. # Accelerator Mode Options:
  1412. #
  1413. # defaultsite=domainname
  1414. # What to use for the Host: header if it is not present
  1415. # in a request. Determines what site (not origin server)
  1416. # accelerators should consider the default.
  1417. #
  1418. # no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
  1419. #
  1420. # protocol= Protocol to reconstruct accelerated and intercepted
  1421. # requests with. Defaults to HTTP/1.1 for http_port and
  1422. # HTTPS/1.1 for https_port.
  1423. # When an unsupported value is configured Squid will
  1424. # produce a FATAL error.
  1425. # Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1
  1426. #
  1427. # vport Virtual host port support. Using the http_port number
  1428. # instead of the port passed on Host: headers.
  1429. #
  1430. # vport=NN Virtual host port support. Using the specified port
  1431. # number instead of the port passed on Host: headers.
  1432. #
  1433. # act-as-origin
  1434. # Act as if this Squid is the origin server.
  1435. # This currently means generate new Date: and Expires:
  1436. # headers on HIT instead of adding Age:.
  1437. #
  1438. # ignore-cc Ignore request Cache-Control headers.
  1439. #
  1440. # WARNING: This option violates HTTP specifications if
  1441. # used in non-accelerator setups.
  1442. #
  1443. # allow-direct Allow direct forwarding in accelerator mode. Normally
  1444. # accelerated requests are denied direct forwarding as if
  1445. # never_direct was used.
  1446. #
  1447. # WARNING: this option opens accelerator mode to security
  1448. # vulnerabilities usually only affecting in interception
  1449. # mode. Make sure to protect forwarding with suitable
  1450. # http_access rules when using this.
  1451. #
  1452. #
  1453. # SSL Bump Mode Options:
  1454. # In addition to these options ssl-bump requires TLS/SSL options.
  1455. #
  1456. # generate-host-certificates[=<on|off>]
  1457. # Dynamically create SSL server certificates for the
  1458. # destination hosts of bumped CONNECT requests.When
  1459. # enabled, the cert and key options are used to sign
  1460. # generated certificates. Otherwise generated
  1461. # certificate will be selfsigned.
  1462. # If there is a CA certificate lifetime of the generated
  1463. # certificate equals lifetime of the CA certificate. If
  1464. # generated certificate is selfsigned lifetime is three
  1465. # years.
  1466. # This option is enabled by default when ssl-bump is used.
  1467. # See the ssl-bump option above for more information.
  1468. #
  1469. # dynamic_cert_mem_cache_size=SIZE
  1470. # Approximate total RAM size spent on cached generated
  1471. # certificates. If set to zero, caching is disabled. The
  1472. # default value is 4MB.
  1473. #
  1474. # TLS / SSL Options:
  1475. #
  1476. # cert= Path to SSL certificate (PEM format).
  1477. #
  1478. # key= Path to SSL private key file (PEM format)
  1479. # if not specified, the certificate file is
  1480. # assumed to be a combined certificate and
  1481. # key file.
  1482. #
  1483. # version= The version of SSL/TLS supported
  1484. # 1 automatic (default)
  1485. # 2 SSLv2 only
  1486. # 3 SSLv3 only
  1487. # 4 TLSv1.0 only
  1488. # 5 TLSv1.1 only
  1489. # 6 TLSv1.2 only
  1490. #
  1491. # cipher= Colon separated list of supported ciphers.
  1492. # NOTE: some ciphers such as EDH ciphers depend on
  1493. # additional settings. If those settings are
  1494. # omitted the ciphers may be silently ignored
  1495. # by the OpenSSL library.
  1496. #
  1497. # options= Various SSL implementation options. The most important
  1498. # being:
  1499. # NO_SSLv2 Disallow the use of SSLv2
  1500. # NO_SSLv3 Disallow the use of SSLv3
  1501. # NO_TLSv1 Disallow the use of TLSv1.0
  1502. # NO_TLSv1_1 Disallow the use of TLSv1.1
  1503. # NO_TLSv1_2 Disallow the use of TLSv1.2
  1504. # SINGLE_DH_USE Always create a new key when using
  1505. # temporary/ephemeral DH key exchanges
  1506. # NO_TICKET Disables TLS tickets extension
  1507. # ALL Enable various bug workarounds
  1508. # suggested as "harmless" by OpenSSL
  1509. # Be warned that this reduces SSL/TLS
  1510. # strength to some attacks.
  1511. # See OpenSSL SSL_CTX_set_options documentation for a
  1512. # complete list of options.
  1513. #
  1514. # clientca= File containing the list of CAs to use when
  1515. # requesting a client certificate.
  1516. #
  1517. # cafile= File containing additional CA certificates to
  1518. # use when verifying client certificates. If unset
  1519. # clientca will be used.
  1520. #
  1521. # capath= Directory containing additional CA certificates
  1522. # and CRL lists to use when verifying client certificates.
  1523. #
  1524. # crlfile= File of additional CRL lists to use when verifying
  1525. # the client certificate, in addition to CRLs stored in
  1526. # the capath. Implies VERIFY_CRL flag below.
  1527. #
  1528. # dhparams= File containing DH parameters for temporary/ephemeral
  1529. # DH key exchanges. See OpenSSL documentation for details
  1530. # on how to create this file.
  1531. # WARNING: EDH ciphers will be silently disabled if this
  1532. # option is not set.
  1533. #
  1534. # sslflags= Various flags modifying the use of SSL:
  1535. # DELAYED_AUTH
  1536. # Don't request client certificates
  1537. # immediately, but wait until acl processing
  1538. # requires a certificate (not yet implemented).
  1539. # NO_DEFAULT_CA
  1540. # Don't use the default CA lists built in
  1541. # to OpenSSL.
  1542. # NO_SESSION_REUSE
  1543. # Don't allow for session reuse. Each connection
  1544. # will result in a new SSL session.
  1545. # VERIFY_CRL
  1546. # Verify CRL lists when accepting client
  1547. # certificates.
  1548. # VERIFY_CRL_ALL
  1549. # Verify CRL lists for all certificates in the
  1550. # client certificate chain.
  1551. #
  1552. # sslcontext= SSL session ID context identifier.
  1553. #
  1554. # Other Options:
  1555. #
  1556. # connection-auth[=on|off]
  1557. # use connection-auth=off to tell Squid to prevent
  1558. # forwarding Microsoft connection oriented authentication
  1559. # (NTLM, Negotiate and Kerberos)
  1560. #
  1561. # disable-pmtu-discovery=
  1562. # Control Path-MTU discovery usage:
  1563. # off lets OS decide on what to do (default).
  1564. # transparent disable PMTU discovery when transparent
  1565. # support is enabled.
  1566. # always disable always PMTU discovery.
  1567. #
  1568. # In many setups of transparently intercepting proxies
  1569. # Path-MTU discovery can not work on traffic towards the
  1570. # clients. This is the case when the intercepting device
  1571. # does not fully track connections and fails to forward
  1572. # ICMP must fragment messages to the cache server. If you
  1573. # have such setup and experience that certain clients
  1574. # sporadically hang or never complete requests set
  1575. # disable-pmtu-discovery option to 'transparent'.
  1576. #
  1577. # name= Specifies a internal name for the port. Defaults to
  1578. # the port specification (port or addr:port)
  1579. #
  1580. # tcpkeepalive[=idle,interval,timeout]
  1581. # Enable TCP keepalive probes of idle connections.
  1582. # In seconds; idle is the initial time before TCP starts
  1583. # probing the connection, interval how often to probe, and
  1584. # timeout the time before giving up.
  1585. #
  1586. # require-proxy-header
  1587. # Require PROXY protocol version 1 or 2 connections.
  1588. # The proxy_protocol_access is required to whitelist
  1589. # downstream proxies which can be trusted.
  1590. #
  1591. # If you run Squid on a dual-homed machine with an internal
  1592. # and an external interface we recommend you to specify the
  1593. # internal address:port in http_port. This way Squid will only be
  1594. # visible on the internal address.
  1595. #
  1596. #
  1597.  
  1598. # Squid normally listens to port 3128
  1599. http_port 3128
  1600.  
  1601. # TAG: https_port
  1602. # Note: This option is only available if Squid is rebuilt with the
  1603. # --with-openssl
  1604. #
  1605. # Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
  1606. #
  1607. # The socket address where Squid will listen for client requests made
  1608. # over TLS or SSL connections. Commonly referred to as HTTPS.
  1609. #
  1610. # This is most useful for situations where you are running squid in
  1611. # accelerator mode and you want to do the SSL work at the accelerator level.
  1612. #
  1613. # You may specify multiple socket addresses on multiple lines,
  1614. # each with their own SSL certificate and/or options.
  1615. #
  1616. # Modes:
  1617. #
  1618. # accel Accelerator / reverse proxy mode
  1619. #
  1620. # intercept Support for IP-Layer interception of
  1621. # outgoing requests without browser settings.
  1622. # NP: disables authentication and IPv6 on the port.
  1623. #
  1624. # tproxy Support Linux TPROXY for spoofing outgoing
  1625. # connections using the client IP address.
  1626. # NP: disables authentication and maybe IPv6 on the port.
  1627. #
  1628. # ssl-bump For each intercepted connection allowed by ssl_bump
  1629. # ACLs, establish a secure connection with the client and with
  1630. # the server, decrypt HTTPS messages as they pass through
  1631. # Squid, and treat them as unencrypted HTTP messages,
  1632. # becoming the man-in-the-middle.
  1633. #
  1634. # An "ssl_bump server-first" match is required to
  1635. # fully enable bumping of intercepted SSL connections.
  1636. #
  1637. # Requires tproxy or intercept.
  1638. #
  1639. # Omitting the mode flag causes default forward proxy mode to be used.
  1640. #
  1641. #
  1642. # See http_port for a list of generic options
  1643. #
  1644. #
  1645. # SSL Options:
  1646. #
  1647. # cert= Path to SSL certificate (PEM format).
  1648. #
  1649. # key= Path to SSL private key file (PEM format)
  1650. # if not specified, the certificate file is
  1651. # assumed to be a combined certificate and
  1652. # key file.
  1653. #
  1654. # version= The version of SSL/TLS supported
  1655. # 1 automatic (default)
  1656. # 2 SSLv2 only
  1657. # 3 SSLv3 only
  1658. # 4 TLSv1 only
  1659. #
  1660. # cipher= Colon separated list of supported ciphers.
  1661. #
  1662. # options= Various SSL engine options. The most important
  1663. # being:
  1664. # NO_SSLv2 Disallow the use of SSLv2
  1665. # NO_SSLv3 Disallow the use of SSLv3
  1666. # NO_TLSv1 Disallow the use of TLSv1
  1667. # SINGLE_DH_USE Always create a new key when using
  1668. # temporary/ephemeral DH key exchanges
  1669. # See src/ssl_support.c or OpenSSL SSL_CTX_set_options
  1670. # documentation for a complete list of options.
  1671. #
  1672. # clientca= File containing the list of CAs to use when
  1673. # requesting a client certificate.
  1674. #
  1675. # cafile= File containing additional CA certificates to
  1676. # use when verifying client certificates. If unset
  1677. # clientca will be used.
  1678. #
  1679. # capath= Directory containing additional CA certificates
  1680. # and CRL lists to use when verifying client certificates.
  1681. #
  1682. # crlfile= File of additional CRL lists to use when verifying
  1683. # the client certificate, in addition to CRLs stored in
  1684. # the capath. Implies VERIFY_CRL flag below.
  1685. #
  1686. # dhparams= File containing DH parameters for temporary/ephemeral
  1687. # DH key exchanges.
  1688. #
  1689. # sslflags= Various flags modifying the use of SSL:
  1690. # DELAYED_AUTH
  1691. # Don't request client certificates
  1692. # immediately, but wait until acl processing
  1693. # requires a certificate (not yet implemented).
  1694. # NO_DEFAULT_CA
  1695. # Don't use the default CA lists built in
  1696. # to OpenSSL.
  1697. # NO_SESSION_REUSE
  1698. # Don't allow for session reuse. Each connection
  1699. # will result in a new SSL session.
  1700. # VERIFY_CRL
  1701. # Verify CRL lists when accepting client
  1702. # certificates.
  1703. # VERIFY_CRL_ALL
  1704. # Verify CRL lists for all certificates in the
  1705. # client certificate chain.
  1706. #
  1707. # sslcontext= SSL session ID context identifier.
  1708. #
  1709. # generate-host-certificates[=<on|off>]
  1710. # Dynamically create SSL server certificates for the
  1711. # destination hosts of bumped SSL requests.When
  1712. # enabled, the cert and key options are used to sign
  1713. # generated certificates. Otherwise generated
  1714. # certificate will be selfsigned.
  1715. # If there is CA certificate life time of generated
  1716. # certificate equals lifetime of CA certificate. If
  1717. # generated certificate is selfsigned lifetime is three
  1718. # years.
  1719. # This option is enabled by default when SslBump is used.
  1720. # See the sslBump option above for more information.
  1721. #
  1722. # dynamic_cert_mem_cache_size=SIZE
  1723. # Approximate total RAM size spent on cached generated
  1724. # certificates. If set to zero, caching is disabled. The
  1725. # default value is 4MB.
  1726. #
  1727. # See http_port for a list of available options.
  1728. #Default:
  1729. # none
  1730.  
  1731. # TAG: ftp_port
  1732. # Enables Native FTP proxy by specifying the socket address where Squid
  1733. # listens for FTP client requests. See http_port directive for various
  1734. # ways to specify the listening address and mode.
  1735. #
  1736. # Usage: ftp_port address [mode] [options]
  1737. #
  1738. # WARNING: This is a new, experimental, complex feature that has seen
  1739. # limited production exposure. Some Squid modules (e.g., caching) do not
  1740. # currently work with native FTP proxying, and many features have not
  1741. # even been tested for compatibility. Test well before deploying!
  1742. #
  1743. # Native FTP proxying differs substantially from proxying HTTP requests
  1744. # with ftp:// URIs because Squid works as an FTP server and receives
  1745. # actual FTP commands (rather than HTTP requests with FTP URLs).
  1746. #
  1747. # Native FTP commands accepted at ftp_port are internally converted or
  1748. # wrapped into HTTP-like messages. The same happens to Native FTP
  1749. # responses received from FTP origin servers. Those HTTP-like messages
  1750. # are shoveled through regular access control and adaptation layers
  1751. # between the FTP client and the FTP origin server. This allows Squid to
  1752. # examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP
  1753. # mechanisms when shoveling wrapped FTP messages. For example,
  1754. # http_access and adaptation_access directives are used.
  1755. #
  1756. # Modes:
  1757. #
  1758. # intercept Same as http_port intercept. The FTP origin address is
  1759. # determined based on the intended destination of the
  1760. # intercepted connection.
  1761. #
  1762. # tproxy Support Linux TPROXY for spoofing outgoing
  1763. # connections using the client IP address.
  1764. # NP: disables authentication and maybe IPv6 on the port.
  1765. #
  1766. # By default (i.e., without an explicit mode option), Squid extracts the
  1767. # FTP origin address from the login@origin parameter of the FTP USER
  1768. # command. Many popular FTP clients support such native FTP proxying.
  1769. #
  1770. # Options:
  1771. #
  1772. # name=token Specifies an internal name for the port. Defaults to
  1773. # the port address. Usable with myportname ACL.
  1774. #
  1775. # ftp-track-dirs
  1776. # Enables tracking of FTP directories by injecting extra
  1777. # PWD commands and adjusting Request-URI (in wrapping
  1778. # HTTP requests) to reflect the current FTP server
  1779. # directory. Tracking is disabled by default.
  1780. #
  1781. # protocol=FTP Protocol to reconstruct accelerated and intercepted
  1782. # requests with. Defaults to FTP. No other accepted
  1783. # values have been tested with. An unsupported value
  1784. # results in a FATAL error. Accepted values are FTP,
  1785. # HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1).
  1786. #
  1787. # Other http_port modes and options that are not specific to HTTP and
  1788. # HTTPS may also work.
  1789. #Default:
  1790. # none
  1791.  
  1792. # TAG: tcp_outgoing_tos
  1793. # Allows you to select a TOS/Diffserv value for packets outgoing
  1794. # on the server side, based on an ACL.
  1795. #
  1796. # tcp_outgoing_tos ds-field [!]aclname ...
  1797. #
  1798. # Example where normal_service_net uses the TOS value 0x00
  1799. # and good_service_net uses 0x20
  1800. #
  1801. # acl normal_service_net src 10.0.0.0/24
  1802. # acl good_service_net src 10.0.1.0/24
  1803. # tcp_outgoing_tos 0x00 normal_service_net
  1804. # tcp_outgoing_tos 0x20 good_service_net
  1805. #
  1806. # TOS/DSCP values really only have local significance - so you should
  1807. # know what you're specifying. For more information, see RFC2474,
  1808. # RFC2475, and RFC3260.
  1809. #
  1810. # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
  1811. # "default" to use whatever default your host has.
  1812. # Note that only multiples of 4 are usable as the two rightmost bits have
  1813. # been redefined for use by ECN (RFC 3168 section 23.1).
  1814. # The squid parser will enforce this by masking away the ECN bits.
  1815. #
  1816. # Processing proceeds in the order specified, and stops at first fully
  1817. # matching line.
  1818. #
  1819. # Only fast ACLs are supported.
  1820. #Default:
  1821. # none
  1822.  
  1823. # TAG: clientside_tos
  1824. # Allows you to select a TOS/DSCP value for packets being transmitted
  1825. # on the client-side, based on an ACL.
  1826. #
  1827. # clientside_tos ds-field [!]aclname ...
  1828. #
  1829. # Example where normal_service_net uses the TOS value 0x00
  1830. # and good_service_net uses 0x20
  1831. #
  1832. # acl normal_service_net src 10.0.0.0/24
  1833. # acl good_service_net src 10.0.1.0/24
  1834. # clientside_tos 0x00 normal_service_net
  1835. # clientside_tos 0x20 good_service_net
  1836. #
  1837. # Note: This feature is incompatible with qos_flows. Any TOS values set here
  1838. # will be overwritten by TOS values in qos_flows.
  1839. #
  1840. # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
  1841. # "default" to use whatever default your host has.
  1842. # Note that only multiples of 4 are usable as the two rightmost bits have
  1843. # been redefined for use by ECN (RFC 3168 section 23.1).
  1844. # The squid parser will enforce this by masking away the ECN bits.
  1845. #
  1846. #Default:
  1847. # none
  1848.  
  1849. # TAG: tcp_outgoing_mark
  1850. # Note: This option is only available if Squid is rebuilt with the
  1851. # Packet MARK (Linux)
  1852. #
  1853. # Allows you to apply a Netfilter mark value to outgoing packets
  1854. # on the server side, based on an ACL.
  1855. #
  1856. # tcp_outgoing_mark mark-value [!]aclname ...
  1857. #
  1858. # Example where normal_service_net uses the mark value 0x00
  1859. # and good_service_net uses 0x20
  1860. #
  1861. # acl normal_service_net src 10.0.0.0/24
  1862. # acl good_service_net src 10.0.1.0/24
  1863. # tcp_outgoing_mark 0x00 normal_service_net
  1864. # tcp_outgoing_mark 0x20 good_service_net
  1865. #
  1866. # Only fast ACLs are supported.
  1867. #Default:
  1868. # none
  1869.  
  1870. # TAG: clientside_mark
  1871. # Note: This option is only available if Squid is rebuilt with the
  1872. # Packet MARK (Linux)
  1873. #
  1874. # Allows you to apply a Netfilter mark value to packets being transmitted
  1875. # on the client-side, based on an ACL.
  1876. #
  1877. # clientside_mark mark-value [!]aclname ...
  1878. #
  1879. # Example where normal_service_net uses the mark value 0x00
  1880. # and good_service_net uses 0x20
  1881. #
  1882. # acl normal_service_net src 10.0.0.0/24
  1883. # acl good_service_net src 10.0.1.0/24
  1884. # clientside_mark 0x00 normal_service_net
  1885. # clientside_mark 0x20 good_service_net
  1886. #
  1887. # Note: This feature is incompatible with qos_flows. Any mark values set here
  1888. # will be overwritten by mark values in qos_flows.
  1889. #Default:
  1890. # none
  1891.  
  1892. # TAG: qos_flows
  1893. # Allows you to select a TOS/DSCP value to mark outgoing
  1894. # connections to the client, based on where the reply was sourced.
  1895. # For platforms using netfilter, allows you to set a netfilter mark
  1896. # value instead of, or in addition to, a TOS value.
  1897. #
  1898. # By default this functionality is disabled. To enable it with the default
  1899. # settings simply use "qos_flows mark" or "qos_flows tos". Default
  1900. # settings will result in the netfilter mark or TOS value being copied
  1901. # from the upstream connection to the client. Note that it is the connection
  1902. # CONNMARK value not the packet MARK value that is copied.
  1903. #
  1904. # It is not currently possible to copy the mark or TOS value from the
  1905. # client to the upstream connection request.
  1906. #
  1907. # TOS values really only have local significance - so you should
  1908. # know what you're specifying. For more information, see RFC2474,
  1909. # RFC2475, and RFC3260.
  1910. #
  1911. # The TOS/DSCP byte must be exactly that - a octet value 0 - 255.
  1912. # Note that only multiples of 4 are usable as the two rightmost bits have
  1913. # been redefined for use by ECN (RFC 3168 section 23.1).
  1914. # The squid parser will enforce this by masking away the ECN bits.
  1915. #
  1916. # Mark values can be any unsigned 32-bit integer value.
  1917. #
  1918. # This setting is configured by setting the following values:
  1919. #
  1920. # tos|mark Whether to set TOS or netfilter mark values
  1921. #
  1922. # local-hit=0xFF Value to mark local cache hits.
  1923. #
  1924. # sibling-hit=0xFF Value to mark hits from sibling peers.
  1925. #
  1926. # parent-hit=0xFF Value to mark hits from parent peers.
  1927. #
  1928. # miss=0xFF[/mask] Value to mark cache misses. Takes precedence
  1929. # over the preserve-miss feature (see below), unless
  1930. # mask is specified, in which case only the bits
  1931. # specified in the mask are written.
  1932. #
  1933. # The TOS variant of the following features are only possible on Linux
  1934. # and require your kernel to be patched with the TOS preserving ZPH
  1935. # patch, available from http://zph.bratcheda.org
  1936. # No patch is needed to preserve the netfilter mark, which will work
  1937. # with all variants of netfilter.
  1938. #
  1939. # disable-preserve-miss
  1940. # This option disables the preservation of the TOS or netfilter
  1941. # mark. By default, the existing TOS or netfilter mark value of
  1942. # the response coming from the remote server will be retained
  1943. # and masked with miss-mark.
  1944. # NOTE: in the case of a netfilter mark, the mark must be set on
  1945. # the connection (using the CONNMARK target) not on the packet
  1946. # (MARK target).
  1947. #
  1948. # miss-mask=0xFF
  1949. # Allows you to mask certain bits in the TOS or mark value
  1950. # received from the remote server, before copying the value to
  1951. # the TOS sent towards clients.
  1952. # Default for tos: 0xFF (TOS from server is not changed).
  1953. # Default for mark: 0xFFFFFFFF (mark from server is not changed).
  1954. #
  1955. # All of these features require the --enable-zph-qos compilation flag
  1956. # (enabled by default). Netfilter marking also requires the
  1957. # libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
  1958. # libcap 2.09+ (--with-libcap).
  1959. #
  1960. #Default:
  1961. # none
  1962.  
  1963. # TAG: tcp_outgoing_address
  1964. # Allows you to map requests to different outgoing IP addresses
  1965. # based on the username or source address of the user making
  1966. # the request.
  1967. #
  1968. # tcp_outgoing_address ipaddr [[!]aclname] ...
  1969. #
  1970. # For example;
  1971. # Forwarding clients with dedicated IPs for certain subnets.
  1972. #
  1973. # acl normal_service_net src 10.0.0.0/24
  1974. # acl good_service_net src 10.0.2.0/24
  1975. #
  1976. # tcp_outgoing_address 2001:db8::c001 good_service_net
  1977. # tcp_outgoing_address 10.1.0.2 good_service_net
  1978. #
  1979. # tcp_outgoing_address 2001:db8::beef normal_service_net
  1980. # tcp_outgoing_address 10.1.0.1 normal_service_net
  1981. #
  1982. # tcp_outgoing_address 2001:db8::1
  1983. # tcp_outgoing_address 10.1.0.3
  1984. #
  1985. # Processing proceeds in the order specified, and stops at first fully
  1986. # matching line.
  1987. #
  1988. # Squid will add an implicit IP version test to each line.
  1989. # Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
  1990. # Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
  1991. #
  1992. #
  1993. # NOTE: The use of this directive using client dependent ACLs is
  1994. # incompatible with the use of server side persistent connections. To
  1995. # ensure correct results it is best to set server_persistent_connections
  1996. # to off when using this directive in such configurations.
  1997. #
  1998. # NOTE: The use of this directive to set a local IP on outgoing TCP links
  1999. # is incompatible with using TPROXY to set client IP out outbound TCP links.
  2000. # When needing to contact peers use the no-tproxy cache_peer option and the
  2001. # client_dst_passthru directive re-enable normal forwarding such as this.
  2002. #
  2003. #Default:
  2004. # Address selection is performed by the operating system.
  2005.  
  2006. # TAG: host_verify_strict
  2007. # Regardless of this option setting, when dealing with intercepted
  2008. # traffic, Squid always verifies that the destination IP address matches
  2009. # the Host header domain or IP (called 'authority form URL').
  2010. #
  2011. # This enforcement is performed to satisfy a MUST-level requirement in
  2012. # RFC 2616 section 14.23: "The Host field value MUST represent the naming
  2013. # authority of the origin server or gateway given by the original URL".
  2014. #
  2015. # When set to ON:
  2016. # Squid always responds with an HTTP 409 (Conflict) error
  2017. # page and logs a security warning if there is no match.
  2018. #
  2019. # Squid verifies that the destination IP address matches
  2020. # the Host header for forward-proxy and reverse-proxy traffic
  2021. # as well. For those traffic types, Squid also enables the
  2022. # following checks, comparing the corresponding Host header
  2023. # and Request-URI components:
  2024. #
  2025. # * The host names (domain or IP) must be identical,
  2026. # but valueless or missing Host header disables all checks.
  2027. # For the two host names to match, both must be either IP
  2028. # or FQDN.
  2029. #
  2030. # * Port numbers must be identical, but if a port is missing
  2031. # the scheme-default port is assumed.
  2032. #
  2033. #
  2034. # When set to OFF (the default):
  2035. # Squid allows suspicious requests to continue but logs a
  2036. # security warning and blocks caching of the response.
  2037. #
  2038. # * Forward-proxy traffic is not checked at all.
  2039. #
  2040. # * Reverse-proxy traffic is not checked at all.
  2041. #
  2042. # * Intercepted traffic which passes verification is handled
  2043. # according to client_dst_passthru.
  2044. #
  2045. # * Intercepted requests which fail verification are sent
  2046. # to the client original destination instead of DIRECT.
  2047. # This overrides 'client_dst_passthru off'.
  2048. #
  2049. # For now suspicious intercepted CONNECT requests are always
  2050. # responded to with an HTTP 409 (Conflict) error page.
  2051. #
  2052. #
  2053. # SECURITY NOTE:
  2054. #
  2055. # As described in CVE-2009-0801 when the Host: header alone is used
  2056. # to determine the destination of a request it becomes trivial for
  2057. # malicious scripts on remote websites to bypass browser same-origin
  2058. # security policy and sandboxing protections.
  2059. #
  2060. # The cause of this is that such applets are allowed to perform their
  2061. # own HTTP stack, in which case the same-origin policy of the browser
  2062. # sandbox only verifies that the applet tries to contact the same IP
  2063. # as from where it was loaded at the IP level. The Host: header may
  2064. # be different from the connected IP and approved origin.
  2065. #
  2066. #Default:
  2067. # host_verify_strict off
  2068.  
  2069. # TAG: client_dst_passthru
  2070. # With NAT or TPROXY intercepted traffic Squid may pass the request
  2071. # directly to the original client destination IP or seek a faster
  2072. # source using the HTTP Host header.
  2073. #
  2074. # Using Host to locate alternative servers can provide faster
  2075. # connectivity with a range of failure recovery options.
  2076. # But can also lead to connectivity trouble when the client and
  2077. # server are attempting stateful interactions unaware of the proxy.
  2078. #
  2079. # This option (on by default) prevents alternative DNS entries being
  2080. # located to send intercepted traffic DIRECT to an origin server.
  2081. # The clients original destination IP and port will be used instead.
  2082. #
  2083. # Regardless of this option setting, when dealing with intercepted
  2084. # traffic Squid will verify the Host: header and any traffic which
  2085. # fails Host verification will be treated as if this option were ON.
  2086. #
  2087. # see host_verify_strict for details on the verification process.
  2088. #Default:
  2089. # client_dst_passthru on
  2090.  
  2091. # SSL OPTIONS
  2092. # -----------------------------------------------------------------------------
  2093.  
  2094. # TAG: ssl_unclean_shutdown
  2095. # Note: This option is only available if Squid is rebuilt with the
  2096. # --with-openssl
  2097. #
  2098. # Some browsers (especially MSIE) bugs out on SSL shutdown
  2099. # messages.
  2100. #Default:
  2101. # ssl_unclean_shutdown off
  2102.  
  2103. # TAG: ssl_engine
  2104. # Note: This option is only available if Squid is rebuilt with the
  2105. # --with-openssl
  2106. #
  2107. # The OpenSSL engine to use. You will need to set this if you
  2108. # would like to use hardware SSL acceleration for example.
  2109. #Default:
  2110. # none
  2111.  
  2112. # TAG: sslproxy_client_certificate
  2113. # Note: This option is only available if Squid is rebuilt with the
  2114. # --with-openssl
  2115. #
  2116. # Client SSL Certificate to use when proxying https:// URLs
  2117. #Default:
  2118. # none
  2119.  
  2120. # TAG: sslproxy_client_key
  2121. # Note: This option is only available if Squid is rebuilt with the
  2122. # --with-openssl
  2123. #
  2124. # Client SSL Key to use when proxying https:// URLs
  2125. #Default:
  2126. # none
  2127.  
  2128. # TAG: sslproxy_version
  2129. # Note: This option is only available if Squid is rebuilt with the
  2130. # --with-openssl
  2131. #
  2132. # SSL version level to use when proxying https:// URLs
  2133. #
  2134. # The versions of SSL/TLS supported:
  2135. #
  2136. # 1 automatic (default)
  2137. # 2 SSLv2 only
  2138. # 3 SSLv3 only
  2139. # 4 TLSv1.0 only
  2140. # 5 TLSv1.1 only
  2141. # 6 TLSv1.2 only
  2142. #Default:
  2143. # automatic SSL/TLS version negotiation
  2144.  
  2145. # TAG: sslproxy_options
  2146. # Note: This option is only available if Squid is rebuilt with the
  2147. # --with-openssl
  2148. #
  2149. # Colon (:) or comma (,) separated list of SSL implementation options
  2150. # to use when proxying https:// URLs
  2151. #
  2152. # The most important being:
  2153. #
  2154. # NO_SSLv2 Disallow the use of SSLv2
  2155. # NO_SSLv3 Disallow the use of SSLv3
  2156. # NO_TLSv1 Disallow the use of TLSv1.0
  2157. # NO_TLSv1_1 Disallow the use of TLSv1.1
  2158. # NO_TLSv1_2 Disallow the use of TLSv1.2
  2159. # SINGLE_DH_USE
  2160. # Always create a new key when using temporary/ephemeral
  2161. # DH key exchanges
  2162. # SSL_OP_NO_TICKET
  2163. # Disable use of RFC5077 session tickets. Some servers
  2164. # may have problems understanding the TLS extension due
  2165. # to ambiguous specification in RFC4507.
  2166. # ALL Enable various bug workarounds suggested as "harmless"
  2167. # by OpenSSL. Be warned that this may reduce SSL/TLS
  2168. # strength to some attacks.
  2169. #
  2170. # See the OpenSSL SSL_CTX_set_options documentation for a
  2171. # complete list of possible options.
  2172. #
  2173. # WARNING: This directive takes a single token. If a space is used
  2174. # the value(s) after that space are SILENTLY IGNORED.
  2175. #Default:
  2176. # none
  2177.  
  2178. # TAG: sslproxy_cipher
  2179. # Note: This option is only available if Squid is rebuilt with the
  2180. # --with-openssl
  2181. #
  2182. # SSL cipher list to use when proxying https:// URLs
  2183. #
  2184. # Colon separated list of supported ciphers.
  2185. #Default:
  2186. # none
  2187.  
  2188. # TAG: sslproxy_cafile
  2189. # Note: This option is only available if Squid is rebuilt with the
  2190. # --with-openssl
  2191. #
  2192. # file containing CA certificates to use when verifying server
  2193. # certificates while proxying https:// URLs
  2194. #Default:
  2195. # none
  2196.  
  2197. # TAG: sslproxy_capath
  2198. # Note: This option is only available if Squid is rebuilt with the
  2199. # --with-openssl
  2200. #
  2201. # directory containing CA certificates to use when verifying
  2202. # server certificates while proxying https:// URLs
  2203. #Default:
  2204. # none
  2205.  
  2206. # TAG: sslproxy_session_ttl
  2207. # Note: This option is only available if Squid is rebuilt with the
  2208. # --with-openssl
  2209. #
  2210. # Sets the timeout value for SSL sessions
  2211. #Default:
  2212. # sslproxy_session_ttl 300
  2213.  
  2214. # TAG: sslproxy_session_cache_size
  2215. # Note: This option is only available if Squid is rebuilt with the
  2216. # --with-openssl
  2217. #
  2218. # Sets the cache size to use for ssl session
  2219. #Default:
  2220. # sslproxy_session_cache_size 2 MB
  2221.  
  2222. # TAG: sslproxy_cert_sign_hash
  2223. # Note: This option is only available if Squid is rebuilt with the
  2224. # --with-openssl
  2225. #
  2226. # Sets the hashing algorithm to use when signing generated certificates.
  2227. # Valid algorithm names depend on the OpenSSL library used. The following
  2228. # names are usually available: sha1, sha256, sha512, and md5. Please see
  2229. # your OpenSSL library manual for the available hashes. By default, Squids
  2230. # that support this option use sha256 hashes.
  2231. #
  2232. # Squid does not forcefully purge cached certificates that were generated
  2233. # with an algorithm other than the currently configured one. They remain
  2234. # in the cache, subject to the regular cache eviction policy, and become
  2235. # useful if the algorithm changes again.
  2236. #Default:
  2237. # none
  2238.  
  2239. # TAG: ssl_bump
  2240. # Note: This option is only available if Squid is rebuilt with the
  2241. # --with-openssl
  2242. #
  2243. # This option is consulted when a CONNECT request is received on
  2244. # an http_port (or a new connection is intercepted at an
  2245. # https_port), provided that port was configured with an ssl-bump
  2246. # flag. The subsequent data on the connection is either treated as
  2247. # HTTPS and decrypted OR tunneled at TCP level without decryption,
  2248. # depending on the first matching bumping "action".
  2249. #
  2250. # ssl_bump <action> [!]acl ...
  2251. #
  2252. # The following bumping actions are currently supported:
  2253. #
  2254. # splice
  2255. # Become a TCP tunnel without decrypting proxied traffic.
  2256. # This is the default action.
  2257. #
  2258. # bump
  2259. # Establish a secure connection with the server and, using a
  2260. # mimicked server certificate, with the client.
  2261. #
  2262. # peek
  2263. # Receive client (step SslBump1) or server (step SslBump2)
  2264. # certificate while preserving the possibility of splicing the
  2265. # connection. Peeking at the server certificate (during step 2)
  2266. # usually precludes bumping of the connection at step 3.
  2267. #
  2268. # stare
  2269. # Receive client (step SslBump1) or server (step SslBump2)
  2270. # certificate while preserving the possibility of bumping the
  2271. # connection. Staring at the server certificate (during step 2)
  2272. # usually precludes splicing of the connection at step 3.
  2273. #
  2274. # terminate
  2275. # Close client and server connections.
  2276. #
  2277. # Backward compatibility actions available at step SslBump1:
  2278. #
  2279. # client-first
  2280. # Bump the connection. Establish a secure connection with the
  2281. # client first, then connect to the server. This old mode does
  2282. # not allow Squid to mimic server SSL certificate and does not
  2283. # work with intercepted SSL connections.
  2284. #
  2285. # server-first
  2286. # Bump the connection. Establish a secure connection with the
  2287. # server first, then establish a secure connection with the
  2288. # client, using a mimicked server certificate. Works with both
  2289. # CONNECT requests and intercepted SSL connections, but does
  2290. # not allow to make decisions based on SSL handshake info.
  2291. #
  2292. # peek-and-splice
  2293. # Decide whether to bump or splice the connection based on
  2294. # client-to-squid and server-to-squid SSL hello messages.
  2295. # XXX: Remove.
  2296. #
  2297. # none
  2298. # Same as the "splice" action.
  2299. #
  2300. # All ssl_bump rules are evaluated at each of the supported bumping
  2301. # steps. Rules with actions that are impossible at the current step are
  2302. # ignored. The first matching ssl_bump action wins and is applied at the
  2303. # end of the current step. If no rules match, the splice action is used.
  2304. # See the at_step ACL for a list of the supported SslBump steps.
  2305. #
  2306. # This clause supports both fast and slow acl types.
  2307. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2308. #
  2309. # See also: http_port ssl-bump, https_port ssl-bump, and acl at_step.
  2310. #
  2311. #
  2312. # # Example: Bump all requests except those originating from
  2313. # # localhost or those going to example.com.
  2314. #
  2315. # acl broken_sites dstdomain .example.com
  2316. # ssl_bump splice localhost
  2317. # ssl_bump splice broken_sites
  2318. # ssl_bump bump all
  2319. #Default:
  2320. # Become a TCP tunnel without decrypting proxied traffic.
  2321.  
  2322. # TAG: sslproxy_flags
  2323. # Note: This option is only available if Squid is rebuilt with the
  2324. # --with-openssl
  2325. #
  2326. # Various flags modifying the use of SSL while proxying https:// URLs:
  2327. # DONT_VERIFY_PEER Accept certificates that fail verification.
  2328. # For refined control, see sslproxy_cert_error.
  2329. # NO_DEFAULT_CA Don't use the default CA list built in
  2330. # to OpenSSL.
  2331. #Default:
  2332. # none
  2333.  
  2334. # TAG: sslproxy_cert_error
  2335. # Note: This option is only available if Squid is rebuilt with the
  2336. # --with-openssl
  2337. #
  2338. # Use this ACL to bypass server certificate validation errors.
  2339. #
  2340. # For example, the following lines will bypass all validation errors
  2341. # when talking to servers for example.com. All other
  2342. # validation errors will result in ERR_SECURE_CONNECT_FAIL error.
  2343. #
  2344. # acl BrokenButTrustedServers dstdomain example.com
  2345. # sslproxy_cert_error allow BrokenButTrustedServers
  2346. # sslproxy_cert_error deny all
  2347. #
  2348. # This clause only supports fast acl types.
  2349. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2350. # Using slow acl types may result in server crashes
  2351. #
  2352. # Without this option, all server certificate validation errors
  2353. # terminate the transaction to protect Squid and the client.
  2354. #
  2355. # SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed
  2356. # but should not happen unless your OpenSSL library is buggy.
  2357. #
  2358. # SECURITY WARNING:
  2359. # Bypassing validation errors is dangerous because an
  2360. # error usually implies that the server cannot be trusted
  2361. # and the connection may be insecure.
  2362. #
  2363. # See also: sslproxy_flags and DONT_VERIFY_PEER.
  2364. #Default:
  2365. # Server certificate errors terminate the transaction.
  2366.  
  2367. # TAG: sslproxy_cert_sign
  2368. # Note: This option is only available if Squid is rebuilt with the
  2369. # --with-openssl
  2370. #
  2371. #
  2372. # sslproxy_cert_sign <signing algorithm> acl ...
  2373. #
  2374. # The following certificate signing algorithms are supported:
  2375. #
  2376. # signTrusted
  2377. # Sign using the configured CA certificate which is usually
  2378. # placed in and trusted by end-user browsers. This is the
  2379. # default for trusted origin server certificates.
  2380. #
  2381. # signUntrusted
  2382. # Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
  2383. # This is the default for untrusted origin server certificates
  2384. # that are not self-signed (see ssl::certUntrusted).
  2385. #
  2386. # signSelf
  2387. # Sign using a self-signed certificate with the right CN to
  2388. # generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
  2389. # browser. This is the default for self-signed origin server
  2390. # certificates (see ssl::certSelfSigned).
  2391. #
  2392. # This clause only supports fast acl types.
  2393. #
  2394. # When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
  2395. # signing algorithm to generate the certificate and ignores all
  2396. # subsequent sslproxy_cert_sign options (the first match wins). If no
  2397. # acl(s) match, the default signing algorithm is determined by errors
  2398. # detected when obtaining and validating the origin server certificate.
  2399. #
  2400. # WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
  2401. # be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
  2402. # CONNECT request that carries a domain name. In all other cases (CONNECT
  2403. # to an IP address or an intercepted SSL connection), Squid cannot detect
  2404. # the domain mismatch at certificate generation time when
  2405. # bump-server-first is used.
  2406. #Default:
  2407. # none
  2408.  
  2409. # TAG: sslproxy_cert_adapt
  2410. # Note: This option is only available if Squid is rebuilt with the
  2411. # --with-openssl
  2412. #
  2413. #
  2414. # sslproxy_cert_adapt <adaptation algorithm> acl ...
  2415. #
  2416. # The following certificate adaptation algorithms are supported:
  2417. #
  2418. # setValidAfter
  2419. # Sets the "Not After" property to the "Not After" property of
  2420. # the CA certificate used to sign generated certificates.
  2421. #
  2422. # setValidBefore
  2423. # Sets the "Not Before" property to the "Not Before" property of
  2424. # the CA certificate used to sign generated certificates.
  2425. #
  2426. # setCommonName or setCommonName{CN}
  2427. # Sets Subject.CN property to the host name specified as a
  2428. # CN parameter or, if no explicit CN parameter was specified,
  2429. # extracted from the CONNECT request. It is a misconfiguration
  2430. # to use setCommonName without an explicit parameter for
  2431. # intercepted or tproxied SSL connections.
  2432. #
  2433. # This clause only supports fast acl types.
  2434. #
  2435. # Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
  2436. # Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
  2437. # corresponding adaptation algorithm to generate the certificate and
  2438. # ignores all subsequent sslproxy_cert_adapt options in that algorithm's
  2439. # group (i.e., the first match wins within each algorithm group). If no
  2440. # acl(s) match, the default mimicking action takes place.
  2441. #
  2442. # WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
  2443. # be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
  2444. # CONNECT request that carries a domain name. In all other cases (CONNECT
  2445. # to an IP address or an intercepted SSL connection), Squid cannot detect
  2446. # the domain mismatch at certificate generation time when
  2447. # bump-server-first is used.
  2448. #Default:
  2449. # none
  2450.  
  2451. # TAG: sslpassword_program
  2452. # Note: This option is only available if Squid is rebuilt with the
  2453. # --with-openssl
  2454. #
  2455. # Specify a program used for entering SSL key passphrases
  2456. # when using encrypted SSL certificate keys. If not specified
  2457. # keys must either be unencrypted, or Squid started with the -N
  2458. # option to allow it to query interactively for the passphrase.
  2459. #
  2460. # The key file name is given as argument to the program allowing
  2461. # selection of the right password if you have multiple encrypted
  2462. # keys.
  2463. #Default:
  2464. # none
  2465.  
  2466. # OPTIONS RELATING TO EXTERNAL SSL_CRTD
  2467. # -----------------------------------------------------------------------------
  2468.  
  2469. # TAG: sslcrtd_program
  2470. # Note: This option is only available if Squid is rebuilt with the
  2471. # --enable-ssl-crtd
  2472. #
  2473. # Specify the location and options of the executable for ssl_crtd process.
  2474. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters
  2475. # For more information use:
  2476. # /usr/lib/squid/ssl_crtd -h
  2477. #Default:
  2478. # sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
  2479.  
  2480. # TAG: sslcrtd_children
  2481. # Note: This option is only available if Squid is rebuilt with the
  2482. # --enable-ssl-crtd
  2483. #
  2484. # The maximum number of processes spawn to service ssl server.
  2485. # The maximum this may be safely set to is 32.
  2486. #
  2487. # The startup= and idle= options allow some measure of skew in your
  2488. # tuning.
  2489. #
  2490. # startup=N
  2491. #
  2492. # Sets the minimum number of processes to spawn when Squid
  2493. # starts or reconfigures. When set to zero the first request will
  2494. # cause spawning of the first child process to handle it.
  2495. #
  2496. # Starting too few children temporary slows Squid under load while it
  2497. # tries to spawn enough additional processes to cope with traffic.
  2498. #
  2499. # idle=N
  2500. #
  2501. # Sets a minimum of how many processes Squid is to try and keep available
  2502. # at all times. When traffic begins to rise above what the existing
  2503. # processes can handle this many more will be spawned up to the maximum
  2504. # configured. A minimum setting of 1 is required.
  2505. #
  2506. # You must have at least one ssl_crtd process.
  2507. #Default:
  2508. # sslcrtd_children 32 startup=5 idle=1
  2509.  
  2510. # TAG: sslcrtvalidator_program
  2511. # Note: This option is only available if Squid is rebuilt with the
  2512. # --with-openssl
  2513. #
  2514. # Specify the location and options of the executable for ssl_crt_validator
  2515. # process.
  2516. #
  2517. # Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ...
  2518. #
  2519. # Options:
  2520. # ttl=n TTL in seconds for cached results. The default is 60 secs
  2521. # cache=n limit the result cache size. The default value is 2048
  2522. #Default:
  2523. # none
  2524.  
  2525. # TAG: sslcrtvalidator_children
  2526. # Note: This option is only available if Squid is rebuilt with the
  2527. # --with-openssl
  2528. #
  2529. # The maximum number of processes spawn to service SSL server.
  2530. # The maximum this may be safely set to is 32.
  2531. #
  2532. # The startup= and idle= options allow some measure of skew in your
  2533. # tuning.
  2534. #
  2535. # startup=N
  2536. #
  2537. # Sets the minimum number of processes to spawn when Squid
  2538. # starts or reconfigures. When set to zero the first request will
  2539. # cause spawning of the first child process to handle it.
  2540. #
  2541. # Starting too few children temporary slows Squid under load while it
  2542. # tries to spawn enough additional processes to cope with traffic.
  2543. #
  2544. # idle=N
  2545. #
  2546. # Sets a minimum of how many processes Squid is to try and keep available
  2547. # at all times. When traffic begins to rise above what the existing
  2548. # processes can handle this many more will be spawned up to the maximum
  2549. # configured. A minimum setting of 1 is required.
  2550. #
  2551. # concurrency=
  2552. #
  2553. # The number of requests each certificate validator helper can handle in
  2554. # parallel. A value of 0 indicates the certficate validator does not
  2555. # support concurrency. Defaults to 1.
  2556. #
  2557. # When this directive is set to a value >= 1 then the protocol
  2558. # used to communicate with the helper is modified to include
  2559. # a request ID in front of the request/response. The request
  2560. # ID from the request must be echoed back with the response
  2561. # to that request.
  2562. #
  2563. # You must have at least one ssl_crt_validator process.
  2564. #Default:
  2565. # sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1
  2566.  
  2567. # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
  2568. # -----------------------------------------------------------------------------
  2569.  
  2570. # TAG: cache_peer
  2571. # To specify other caches in a hierarchy, use the format:
  2572. #
  2573. # cache_peer hostname type http-port icp-port [options]
  2574. #
  2575. # For example,
  2576. #
  2577. # # proxy icp
  2578. # # hostname type port port options
  2579. # # -------------------- -------- ----- ----- -----------
  2580. # cache_peer parent.foo.net parent 3128 3130 default
  2581. # cache_peer sib1.foo.net sibling 3128 3130 proxy-only
  2582. # cache_peer sib2.foo.net sibling 3128 3130 proxy-only
  2583. # cache_peer example.com parent 80 0 default
  2584. # cache_peer cdn.example.com sibling 3128 0
  2585. #
  2586. # type: either 'parent', 'sibling', or 'multicast'.
  2587. #
  2588. # proxy-port: The port number where the peer accept HTTP requests.
  2589. # For other Squid proxies this is usually 3128
  2590. # For web servers this is usually 80
  2591. #
  2592. # icp-port: Used for querying neighbor caches about objects.
  2593. # Set to 0 if the peer does not support ICP or HTCP.
  2594. # See ICP and HTCP options below for additional details.
  2595. #
  2596. #
  2597. # ==== ICP OPTIONS ====
  2598. #
  2599. # You MUST also set icp_port and icp_access explicitly when using these options.
  2600. # The defaults will prevent peer traffic using ICP.
  2601. #
  2602. #
  2603. # no-query Disable ICP queries to this neighbor.
  2604. #
  2605. # multicast-responder
  2606. # Indicates the named peer is a member of a multicast group.
  2607. # ICP queries will not be sent directly to the peer, but ICP
  2608. # replies will be accepted from it.
  2609. #
  2610. # closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
  2611. # CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
  2612. #
  2613. # background-ping
  2614. # To only send ICP queries to this neighbor infrequently.
  2615. # This is used to keep the neighbor round trip time updated
  2616. # and is usually used in conjunction with weighted-round-robin.
  2617. #
  2618. #
  2619. # ==== HTCP OPTIONS ====
  2620. #
  2621. # You MUST also set htcp_port and htcp_access explicitly when using these options.
  2622. # The defaults will prevent peer traffic using HTCP.
  2623. #
  2624. #
  2625. # htcp Send HTCP, instead of ICP, queries to the neighbor.
  2626. # You probably also want to set the "icp-port" to 4827
  2627. # instead of 3130. This directive accepts a comma separated
  2628. # list of options described below.
  2629. #
  2630. # htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier).
  2631. #
  2632. # htcp=no-clr Send HTCP to the neighbor but without
  2633. # sending any CLR requests. This cannot be used with
  2634. # only-clr.
  2635. #
  2636. # htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests.
  2637. # This cannot be used with no-clr.
  2638. #
  2639. # htcp=no-purge-clr
  2640. # Send HTCP to the neighbor including CLRs but only when
  2641. # they do not result from PURGE requests.
  2642. #
  2643. # htcp=forward-clr
  2644. # Forward any HTCP CLR requests this proxy receives to the peer.
  2645. #
  2646. #
  2647. # ==== PEER SELECTION METHODS ====
  2648. #
  2649. # The default peer selection method is ICP, with the first responding peer
  2650. # being used as source. These options can be used for better load balancing.
  2651. #
  2652. #
  2653. # default This is a parent cache which can be used as a "last-resort"
  2654. # if a peer cannot be located by any of the peer-selection methods.
  2655. # If specified more than once, only the first is used.
  2656. #
  2657. # round-robin Load-Balance parents which should be used in a round-robin
  2658. # fashion in the absence of any ICP queries.
  2659. # weight=N can be used to add bias.
  2660. #
  2661. # weighted-round-robin
  2662. # Load-Balance parents which should be used in a round-robin
  2663. # fashion with the frequency of each parent being based on the
  2664. # round trip time. Closer parents are used more often.
  2665. # Usually used for background-ping parents.
  2666. # weight=N can be used to add bias.
  2667. #
  2668. # carp Load-Balance parents which should be used as a CARP array.
  2669. # The requests will be distributed among the parents based on the
  2670. # CARP load balancing hash function based on their weight.
  2671. #
  2672. # userhash Load-balance parents based on the client proxy_auth or ident username.
  2673. #
  2674. # sourcehash Load-balance parents based on the client source IP.
  2675. #
  2676. # multicast-siblings
  2677. # To be used only for cache peers of type "multicast".
  2678. # ALL members of this multicast group have "sibling"
  2679. # relationship with it, not "parent". This is to a multicast
  2680. # group when the requested object would be fetched only from
  2681. # a "parent" cache, anyway. It's useful, e.g., when
  2682. # configuring a pool of redundant Squid proxies, being
  2683. # members of the same multicast group.
  2684. #
  2685. #
  2686. # ==== PEER SELECTION OPTIONS ====
  2687. #
  2688. # weight=N use to affect the selection of a peer during any weighted
  2689. # peer-selection mechanisms.
  2690. # The weight must be an integer; default is 1,
  2691. # larger weights are favored more.
  2692. # This option does not affect parent selection if a peering
  2693. # protocol is not in use.
  2694. #
  2695. # basetime=N Specify a base amount to be subtracted from round trip
  2696. # times of parents.
  2697. # It is subtracted before division by weight in calculating
  2698. # which parent to fectch from. If the rtt is less than the
  2699. # base time the rtt is set to a minimal value.
  2700. #
  2701. # ttl=N Specify a TTL to use when sending multicast ICP queries
  2702. # to this address.
  2703. # Only useful when sending to a multicast group.
  2704. # Because we don't accept ICP replies from random
  2705. # hosts, you must configure other group members as
  2706. # peers with the 'multicast-responder' option.
  2707. #
  2708. # no-delay To prevent access to this neighbor from influencing the
  2709. # delay pools.
  2710. #
  2711. # digest-url=URL Tell Squid to fetch the cache digest (if digests are
  2712. # enabled) for this host from the specified URL rather
  2713. # than the Squid default location.
  2714. #
  2715. #
  2716. # ==== CARP OPTIONS ====
  2717. #
  2718. # carp-key=key-specification
  2719. # use a different key than the full URL to hash against the peer.
  2720. # the key-specification is a comma-separated list of the keywords
  2721. # scheme, host, port, path, params
  2722. # Order is not important.
  2723. #
  2724. # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
  2725. #
  2726. # originserver Causes this parent to be contacted as an origin server.
  2727. # Meant to be used in accelerator setups when the peer
  2728. # is a web server.
  2729. #
  2730. # forceddomain=name
  2731. # Set the Host header of requests forwarded to this peer.
  2732. # Useful in accelerator setups where the server (peer)
  2733. # expects a certain domain name but clients may request
  2734. # others. ie example.com or www.example.com
  2735. #
  2736. # no-digest Disable request of cache digests.
  2737. #
  2738. # no-netdb-exchange
  2739. # Disables requesting ICMP RTT database (NetDB).
  2740. #
  2741. #
  2742. # ==== AUTHENTICATION OPTIONS ====
  2743. #
  2744. # login=user:password
  2745. # If this is a personal/workgroup proxy and your parent
  2746. # requires proxy authentication.
  2747. #
  2748. # Note: The string can include URL escapes (i.e. %20 for
  2749. # spaces). This also means % must be written as %%.
  2750. #
  2751. # login=PASSTHRU
  2752. # Send login details received from client to this peer.
  2753. # Both Proxy- and WWW-Authorization headers are passed
  2754. # without alteration to the peer.
  2755. # Authentication is not required by Squid for this to work.
  2756. #
  2757. # Note: This will pass any form of authentication but
  2758. # only Basic auth will work through a proxy unless the
  2759. # connection-auth options are also used.
  2760. #
  2761. # login=PASS Send login details received from client to this peer.
  2762. # Authentication is not required by this option.
  2763. #
  2764. # If there are no client-provided authentication headers
  2765. # to pass on, but username and password are available
  2766. # from an external ACL user= and password= result tags
  2767. # they may be sent instead.
  2768. #
  2769. # Note: To combine this with proxy_auth both proxies must
  2770. # share the same user database as HTTP only allows for
  2771. # a single login (one for proxy, one for origin server).
  2772. # Also be warned this will expose your users proxy
  2773. # password to the peer. USE WITH CAUTION
  2774. #
  2775. # login=*:password
  2776. # Send the username to the upstream cache, but with a
  2777. # fixed password. This is meant to be used when the peer
  2778. # is in another administrative domain, but it is still
  2779. # needed to identify each user.
  2780. # The star can optionally be followed by some extra
  2781. # information which is added to the username. This can
  2782. # be used to identify this proxy to the peer, similar to
  2783. # the login=username:password option above.
  2784. #
  2785. # login=NEGOTIATE
  2786. # If this is a personal/workgroup proxy and your parent
  2787. # requires a secure proxy authentication.
  2788. # The first principal from the default keytab or defined by
  2789. # the environment variable KRB5_KTNAME will be used.
  2790. #
  2791. # WARNING: The connection may transmit requests from multiple
  2792. # clients. Negotiate often assumes end-to-end authentication
  2793. # and a single-client. Which is not strictly true here.
  2794. #
  2795. # login=NEGOTIATE:principal_name
  2796. # If this is a personal/workgroup proxy and your parent
  2797. # requires a secure proxy authentication.
  2798. # The principal principal_name from the default keytab or
  2799. # defined by the environment variable KRB5_KTNAME will be
  2800. # used.
  2801. #
  2802. # WARNING: The connection may transmit requests from multiple
  2803. # clients. Negotiate often assumes end-to-end authentication
  2804. # and a single-client. Which is not strictly true here.
  2805. #
  2806. # connection-auth=on|off
  2807. # Tell Squid that this peer does or not support Microsoft
  2808. # connection oriented authentication, and any such
  2809. # challenges received from there should be ignored.
  2810. # Default is auto to automatically determine the status
  2811. # of the peer.
  2812. #
  2813. #
  2814. # ==== SSL / HTTPS / TLS OPTIONS ====
  2815. #
  2816. # ssl Encrypt connections to this peer with SSL/TLS.
  2817. #
  2818. # sslcert=/path/to/ssl/certificate
  2819. # A client SSL certificate to use when connecting to
  2820. # this peer.
  2821. #
  2822. # sslkey=/path/to/ssl/key
  2823. # The private SSL key corresponding to sslcert above.
  2824. # If 'sslkey' is not specified 'sslcert' is assumed to
  2825. # reference a combined file containing both the
  2826. # certificate and the key.
  2827. #
  2828. # Notes:
  2829. #
  2830. # On Debian/Ubuntu systems a default snakeoil certificate is
  2831. # available in /etc/ssl and users can set:
  2832. #
  2833. # cert=/etc/ssl/certs/ssl-cert-snakeoil.pem
  2834. #
  2835. # and
  2836. #
  2837. # key=/etc/ssl/private/ssl-cert-snakeoil.key
  2838. #
  2839. # for testing.
  2840. #
  2841. # sslversion=1|2|3|4|5|6
  2842. # The SSL version to use when connecting to this peer
  2843. # 1 = automatic (default)
  2844. # 2 = SSL v2 only
  2845. # 3 = SSL v3 only
  2846. # 4 = TLS v1.0 only
  2847. # 5 = TLS v1.1 only
  2848. # 6 = TLS v1.2 only
  2849. #
  2850. # sslcipher=... The list of valid SSL ciphers to use when connecting
  2851. # to this peer.
  2852. #
  2853. # ssloptions=... Specify various SSL implementation options:
  2854. #
  2855. # NO_SSLv2 Disallow the use of SSLv2
  2856. # NO_SSLv3 Disallow the use of SSLv3
  2857. # NO_TLSv1 Disallow the use of TLSv1.0
  2858. # NO_TLSv1_1 Disallow the use of TLSv1.1
  2859. # NO_TLSv1_2 Disallow the use of TLSv1.2
  2860. # SINGLE_DH_USE
  2861. # Always create a new key when using
  2862. # temporary/ephemeral DH key exchanges
  2863. # ALL Enable various bug workarounds
  2864. # suggested as "harmless" by OpenSSL
  2865. # Be warned that this reduces SSL/TLS
  2866. # strength to some attacks.
  2867. #
  2868. # See the OpenSSL SSL_CTX_set_options documentation for a
  2869. # more complete list.
  2870. #
  2871. # sslcafile=... A file containing additional CA certificates to use
  2872. # when verifying the peer certificate.
  2873. #
  2874. # sslcapath=... A directory containing additional CA certificates to
  2875. # use when verifying the peer certificate.
  2876. #
  2877. # sslcrlfile=... A certificate revocation list file to use when
  2878. # verifying the peer certificate.
  2879. #
  2880. # sslflags=... Specify various flags modifying the SSL implementation:
  2881. #
  2882. # DONT_VERIFY_PEER
  2883. # Accept certificates even if they fail to
  2884. # verify.
  2885. # NO_DEFAULT_CA
  2886. # Don't use the default CA list built in
  2887. # to OpenSSL.
  2888. # DONT_VERIFY_DOMAIN
  2889. # Don't verify the peer certificate
  2890. # matches the server name
  2891. #
  2892. # ssldomain= The peer name as advertised in it's certificate.
  2893. # Used for verifying the correctness of the received peer
  2894. # certificate. If not specified the peer hostname will be
  2895. # used.
  2896. #
  2897. # front-end-https
  2898. # Enable the "Front-End-Https: On" header needed when
  2899. # using Squid as a SSL frontend in front of Microsoft OWA.
  2900. # See MS KB document Q307347 for details on this header.
  2901. # If set to auto the header will only be added if the
  2902. # request is forwarded as a https:// URL.
  2903. #
  2904. #
  2905. # ==== GENERAL OPTIONS ====
  2906. #
  2907. # connect-timeout=N
  2908. # A peer-specific connect timeout.
  2909. # Also see the peer_connect_timeout directive.
  2910. #
  2911. # connect-fail-limit=N
  2912. # How many times connecting to a peer must fail before
  2913. # it is marked as down. Standby connection failures
  2914. # count towards this limit. Default is 10.
  2915. #
  2916. # allow-miss Disable Squid's use of only-if-cached when forwarding
  2917. # requests to siblings. This is primarily useful when
  2918. # icp_hit_stale is used by the sibling. Excessive use
  2919. # of this option may result in forwarding loops. One way
  2920. # to prevent peering loops when using this option, is to
  2921. # deny cache peer usage on requests from a peer:
  2922. # acl fromPeer ...
  2923. # cache_peer_access peerName deny fromPeer
  2924. #
  2925. # max-conn=N Limit the number of concurrent connections the Squid
  2926. # may open to this peer, including already opened idle
  2927. # and standby connections. There is no peer-specific
  2928. # connection limit by default.
  2929. #
  2930. # A peer exceeding the limit is not used for new
  2931. # requests unless a standby connection is available.
  2932. #
  2933. # max-conn currently works poorly with idle persistent
  2934. # connections: When a peer reaches its max-conn limit,
  2935. # and there are idle persistent connections to the peer,
  2936. # the peer may not be selected because the limiting code
  2937. # does not know whether Squid can reuse those idle
  2938. # connections.
  2939. #
  2940. # standby=N Maintain a pool of N "hot standby" connections to an
  2941. # UP peer, available for requests when no idle
  2942. # persistent connection is available (or safe) to use.
  2943. # By default and with zero N, no such pool is maintained.
  2944. # N must not exceed the max-conn limit (if any).
  2945. #
  2946. # At start or after reconfiguration, Squid opens new TCP
  2947. # standby connections until there are N connections
  2948. # available and then replenishes the standby pool as
  2949. # opened connections are used up for requests. A used
  2950. # connection never goes back to the standby pool, but
  2951. # may go to the regular idle persistent connection pool
  2952. # shared by all peers and origin servers.
  2953. #
  2954. # Squid never opens multiple new standby connections
  2955. # concurrently. This one-at-a-time approach minimizes
  2956. # flooding-like effect on peers. Furthermore, just a few
  2957. # standby connections should be sufficient in most cases
  2958. # to supply most new requests with a ready-to-use
  2959. # connection.
  2960. #
  2961. # Standby connections obey server_idle_pconn_timeout.
  2962. # For the feature to work as intended, the peer must be
  2963. # configured to accept and keep them open longer than
  2964. # the idle timeout at the connecting Squid, to minimize
  2965. # race conditions typical to idle used persistent
  2966. # connections. Default request_timeout and
  2967. # server_idle_pconn_timeout values ensure such a
  2968. # configuration.
  2969. #
  2970. # name=xxx Unique name for the peer.
  2971. # Required if you have multiple peers on the same host
  2972. # but different ports.
  2973. # This name can be used in cache_peer_access and similar
  2974. # directives to identify the peer.
  2975. # Can be used by outgoing access controls through the
  2976. # peername ACL type.
  2977. #
  2978. # no-tproxy Do not use the client-spoof TPROXY support when forwarding
  2979. # requests to this peer. Use normal address selection instead.
  2980. # This overrides the spoof_client_ip ACL.
  2981. #
  2982. # proxy-only objects fetched from the peer will not be stored locally.
  2983. #
  2984. #Default:
  2985. # none
  2986.  
  2987. # TAG: cache_peer_domain
  2988. # Use to limit the domains for which a neighbor cache will be
  2989. # queried.
  2990. #
  2991. # Usage:
  2992. # cache_peer_domain cache-host domain [domain ...]
  2993. # cache_peer_domain cache-host !domain
  2994. #
  2995. # For example, specifying
  2996. #
  2997. # cache_peer_domain parent.foo.net .edu
  2998. #
  2999. # has the effect such that UDP query packets are sent to
  3000. # 'bigserver' only when the requested object exists on a
  3001. # server in the .edu domain. Prefixing the domainname
  3002. # with '!' means the cache will be queried for objects
  3003. # NOT in that domain.
  3004. #
  3005. # NOTE: * Any number of domains may be given for a cache-host,
  3006. # either on the same or separate lines.
  3007. # * When multiple domains are given for a particular
  3008. # cache-host, the first matched domain is applied.
  3009. # * Cache hosts with no domain restrictions are queried
  3010. # for all requests.
  3011. # * There are no defaults.
  3012. # * There is also a 'cache_peer_access' tag in the ACL
  3013. # section.
  3014. #Default:
  3015. # none
  3016.  
  3017. # TAG: cache_peer_access
  3018. # Restricts usage of cache_peer proxies.
  3019. #
  3020. # Usage:
  3021. # cache_peer_access peer-name allow|deny [!]aclname ...
  3022. #
  3023. # For the required peer-name parameter, use either the value of the
  3024. # cache_peer name=value parameter or, if name=value is missing, the
  3025. # cache_peer hostname parameter.
  3026. #
  3027. # This directive narrows down the selection of peering candidates, but
  3028. # does not determine the order in which the selected candidates are
  3029. # contacted. That order is determined by the peer selection algorithms
  3030. # (see PEER SELECTION sections in the cache_peer documentation).
  3031. #
  3032. # If a deny rule matches, the corresponding peer will not be contacted
  3033. # for the current transaction -- Squid will not send ICP queries and
  3034. # will not forward HTTP requests to that peer. An allow match leaves
  3035. # the corresponding peer in the selection. The first match for a given
  3036. # peer wins for that peer.
  3037. #
  3038. # The relative order of cache_peer_access directives for the same peer
  3039. # matters. The relative order of any two cache_peer_access directives
  3040. # for different peers does not matter. To ease interpretation, it is a
  3041. # good idea to group cache_peer_access directives for the same peer
  3042. # together.
  3043. #
  3044. # A single cache_peer_access directive may be evaluated multiple times
  3045. # for a given transaction because individual peer selection algorithms
  3046. # may check it independently from each other. These redundant checks
  3047. # may be optimized away in future Squid versions.
  3048. #
  3049. # This clause only supports fast acl types.
  3050. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  3051. #Default:
  3052. # No peer usage restrictions.
  3053.  
  3054. # TAG: neighbor_type_domain
  3055. # Modify the cache_peer neighbor type when passing requests
  3056. # about specific domains to the peer.
  3057. #
  3058. # Usage:
  3059. # neighbor_type_domain neighbor parent|sibling domain domain ...
  3060. #
  3061. # For example:
  3062. # cache_peer foo.example.com parent 3128 3130
  3063. # neighbor_type_domain foo.example.com sibling .au .de
  3064. #
  3065. # The above configuration treats all requests to foo.example.com as a
  3066. # parent proxy unless the request is for a .au or .de ccTLD domain name.
  3067. #Default:
  3068. # The peer type from cache_peer directive is used for all requests to that peer.
  3069.  
  3070. # TAG: dead_peer_timeout (seconds)
  3071. # This controls how long Squid waits to declare a peer cache
  3072. # as "dead." If there are no ICP replies received in this
  3073. # amount of time, Squid will declare the peer dead and not
  3074. # expect to receive any further ICP replies. However, it
  3075. # continues to send ICP queries, and will mark the peer as
  3076. # alive upon receipt of the first subsequent ICP reply.
  3077. #
  3078. # This timeout also affects when Squid expects to receive ICP
  3079. # replies from peers. If more than 'dead_peer' seconds have
  3080. # passed since the last ICP reply was received, Squid will not
  3081. # expect to receive an ICP reply on the next query. Thus, if
  3082. # your time between requests is greater than this timeout, you
  3083. # will see a lot of requests sent DIRECT to origin servers
  3084. # instead of to your parents.
  3085. #Default:
  3086. # dead_peer_timeout 10 seconds
  3087.  
  3088. # TAG: forward_max_tries
  3089. # Controls how many different forward paths Squid will try
  3090. # before giving up. See also forward_timeout.
  3091. #
  3092. # NOTE: connect_retries (default: none) can make each of these
  3093. # possible forwarding paths be tried multiple times.
  3094. #Default:
  3095. # forward_max_tries 25
  3096.  
  3097. # MEMORY CACHE OPTIONS
  3098. # -----------------------------------------------------------------------------
  3099.  
  3100. # TAG: cache_mem (bytes)
  3101. # NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
  3102. # IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
  3103. # USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
  3104. # THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
  3105. #
  3106. # 'cache_mem' specifies the ideal amount of memory to be used
  3107. # for:
  3108. # * In-Transit objects
  3109. # * Hot Objects
  3110. # * Negative-Cached objects
  3111. #
  3112. # Data for these objects are stored in 4 KB blocks. This
  3113. # parameter specifies the ideal upper limit on the total size of
  3114. # 4 KB blocks allocated. In-Transit objects take the highest
  3115. # priority.
  3116. #
  3117. # In-transit objects have priority over the others. When
  3118. # additional space is needed for incoming data, negative-cached
  3119. # and hot objects will be released. In other words, the
  3120. # negative-cached and hot objects will fill up any unused space
  3121. # not needed for in-transit objects.
  3122. #
  3123. # If circumstances require, this limit will be exceeded.
  3124. # Specifically, if your incoming request rate requires more than
  3125. # 'cache_mem' of memory to hold in-transit objects, Squid will
  3126. # exceed this limit to satisfy the new requests. When the load
  3127. # decreases, blocks will be freed until the high-water mark is
  3128. # reached. Thereafter, blocks will be used to store hot
  3129. # objects.
  3130. #
  3131. # If shared memory caching is enabled, Squid does not use the shared
  3132. # cache space for in-transit objects, but they still consume as much
  3133. # local memory as they need. For more details about the shared memory
  3134. # cache, see memory_cache_shared.
  3135. #Default:
  3136. # cache_mem 256 MB
  3137.  
  3138. # TAG: maximum_object_size_in_memory (bytes)
  3139. # Objects greater than this size will not be attempted to kept in
  3140. # the memory cache. This should be set high enough to keep objects
  3141. # accessed frequently in memory to improve performance whilst low
  3142. # enough to keep larger objects from hoarding cache_mem.
  3143. #Default:
  3144. # maximum_object_size_in_memory 512 KB
  3145.  
  3146. # TAG: memory_cache_shared on|off
  3147. # Controls whether the memory cache is shared among SMP workers.
  3148. #
  3149. # The shared memory cache is meant to occupy cache_mem bytes and replace
  3150. # the non-shared memory cache, although some entities may still be
  3151. # cached locally by workers for now (e.g., internal and in-transit
  3152. # objects may be served from a local memory cache even if shared memory
  3153. # caching is enabled).
  3154. #
  3155. # By default, the memory cache is shared if and only if all of the
  3156. # following conditions are satisfied: Squid runs in SMP mode with
  3157. # multiple workers, cache_mem is positive, and Squid environment
  3158. # supports required IPC primitives (e.g., POSIX shared memory segments
  3159. # and GCC-style atomic operations).
  3160. #
  3161. # To avoid blocking locks, shared memory uses opportunistic algorithms
  3162. # that do not guarantee that every cachable entity that could have been
  3163. # shared among SMP workers will actually be shared.
  3164. #
  3165. # Currently, entities exceeding 32KB in size cannot be shared.
  3166. #Default:
  3167. # "on" where supported if doing memory caching with multiple SMP workers.
  3168.  
  3169. # TAG: memory_cache_mode
  3170. # Controls which objects to keep in the memory cache (cache_mem)
  3171. #
  3172. # always Keep most recently fetched objects in memory (default)
  3173. #
  3174. # disk Only disk cache hits are kept in memory, which means
  3175. # an object must first be cached on disk and then hit
  3176. # a second time before cached in memory.
  3177. #
  3178. # network Only objects fetched from network is kept in memory
  3179. #Default:
  3180. # Keep the most recently fetched objects in memory
  3181.  
  3182. # TAG: memory_replacement_policy
  3183. # The memory replacement policy parameter determines which
  3184. # objects are purged from memory when memory space is needed.
  3185. #
  3186. # See cache_replacement_policy for details on algorithms.
  3187. #Default:
  3188. # memory_replacement_policy lru
  3189.  
  3190. # DISK CACHE OPTIONS
  3191. # -----------------------------------------------------------------------------
  3192.  
  3193. # TAG: cache_replacement_policy
  3194. # The cache replacement policy parameter determines which
  3195. # objects are evicted (replaced) when disk space is needed.
  3196. #
  3197. # lru : Squid's original list based LRU policy
  3198. # heap GDSF : Greedy-Dual Size Frequency
  3199. # heap LFUDA: Least Frequently Used with Dynamic Aging
  3200. # heap LRU : LRU policy implemented using a heap
  3201. #
  3202. # Applies to any cache_dir lines listed below this directive.
  3203. #
  3204. # The LRU policies keeps recently referenced objects.
  3205. #
  3206. # The heap GDSF policy optimizes object hit rate by keeping smaller
  3207. # popular objects in cache so it has a better chance of getting a
  3208. # hit. It achieves a lower byte hit rate than LFUDA though since
  3209. # it evicts larger (possibly popular) objects.
  3210. #
  3211. # The heap LFUDA policy keeps popular objects in cache regardless of
  3212. # their size and thus optimizes byte hit rate at the expense of
  3213. # hit rate since one large, popular object will prevent many
  3214. # smaller, slightly less popular objects from being cached.
  3215. #
  3216. # Both policies utilize a dynamic aging mechanism that prevents
  3217. # cache pollution that can otherwise occur with frequency-based
  3218. # replacement policies.
  3219. #
  3220. # NOTE: if using the LFUDA replacement policy you should increase
  3221. # the value of maximum_object_size above its default of 4 MB to
  3222. # to maximize the potential byte hit rate improvement of LFUDA.
  3223. #
  3224. # For more information about the GDSF and LFUDA cache replacement
  3225. # policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
  3226. # and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
  3227. #Default:
  3228. # cache_replacement_policy lru
  3229.  
  3230. # TAG: minimum_object_size (bytes)
  3231. # Objects smaller than this size will NOT be saved on disk. The
  3232. # value is specified in bytes, and the default is 0 KB, which
  3233. # means all responses can be stored.
  3234. #Default:
  3235. # no limit
  3236.  
  3237. # TAG: maximum_object_size (bytes)
  3238. # Set the default value for max-size parameter on any cache_dir.
  3239. # The value is specified in bytes, and the default is 4 MB.
  3240. #
  3241. # If you wish to get a high BYTES hit ratio, you should probably
  3242. # increase this (one 32 MB object hit counts for 3200 10KB
  3243. # hits).
  3244. #
  3245. # If you wish to increase hit ratio more than you want to
  3246. # save bandwidth you should leave this low.
  3247. #
  3248. # NOTE: if using the LFUDA replacement policy you should increase
  3249. # this value to maximize the byte hit rate improvement of LFUDA!
  3250. # See cache_replacement_policy for a discussion of this policy.
  3251. #Default:
  3252. # maximum_object_size 4 MB
  3253.  
  3254. # TAG: cache_dir
  3255. # Format:
  3256. # cache_dir Type Directory-Name Fs-specific-data [options]
  3257. #
  3258. # You can specify multiple cache_dir lines to spread the
  3259. # cache among different disk partitions.
  3260. #
  3261. # Type specifies the kind of storage system to use. Only "ufs"
  3262. # is built by default. To enable any of the other storage systems
  3263. # see the --enable-storeio configure option.
  3264. #
  3265. # 'Directory' is a top-level directory where cache swap
  3266. # files will be stored. If you want to use an entire disk
  3267. # for caching, this can be the mount-point directory.
  3268. # The directory must exist and be writable by the Squid
  3269. # process. Squid will NOT create this directory for you.
  3270. #
  3271. # In SMP configurations, cache_dir must not precede the workers option
  3272. # and should use configuration macros or conditionals to give each
  3273. # worker interested in disk caching a dedicated cache directory.
  3274. #
  3275. #
  3276. # ==== The ufs store type ====
  3277. #
  3278. # "ufs" is the old well-known Squid storage format that has always
  3279. # been there.
  3280. #
  3281. # Usage:
  3282. # cache_dir ufs Directory-Name Mbytes L1 L2 [options]
  3283. #
  3284. # 'Mbytes' is the amount of disk space (MB) to use under this
  3285. # directory. The default is 100 MB. Change this to suit your
  3286. # configuration. Do NOT put the size of your disk drive here.
  3287. # Instead, if you want Squid to use the entire disk drive,
  3288. # subtract 20% and use that value.
  3289. #
  3290. # 'L1' is the number of first-level subdirectories which
  3291. # will be created under the 'Directory'. The default is 16.
  3292. #
  3293. # 'L2' is the number of second-level subdirectories which
  3294. # will be created under each first-level directory. The default
  3295. # is 256.
  3296. #
  3297. #
  3298. # ==== The aufs store type ====
  3299. #
  3300. # "aufs" uses the same storage format as "ufs", utilizing
  3301. # POSIX-threads to avoid blocking the main Squid process on
  3302. # disk-I/O. This was formerly known in Squid as async-io.
  3303. #
  3304. # Usage:
  3305. # cache_dir aufs Directory-Name Mbytes L1 L2 [options]
  3306. #
  3307. # see argument descriptions under ufs above
  3308. #
  3309. #
  3310. # ==== The diskd store type ====
  3311. #
  3312. # "diskd" uses the same storage format as "ufs", utilizing a
  3313. # separate process to avoid blocking the main Squid process on
  3314. # disk-I/O.
  3315. #
  3316. # Usage:
  3317. # cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
  3318. #
  3319. # see argument descriptions under ufs above
  3320. #
  3321. # Q1 specifies the number of unacknowledged I/O requests when Squid
  3322. # stops opening new files. If this many messages are in the queues,
  3323. # Squid won't open new files. Default is 64
  3324. #
  3325. # Q2 specifies the number of unacknowledged messages when Squid
  3326. # starts blocking. If this many messages are in the queues,
  3327. # Squid blocks until it receives some replies. Default is 72
  3328. #
  3329. # When Q1 < Q2 (the default), the cache directory is optimized
  3330. # for lower response time at the expense of a decrease in hit
  3331. # ratio. If Q1 > Q2, the cache directory is optimized for
  3332. # higher hit ratio at the expense of an increase in response
  3333. # time.
  3334. #
  3335. #
  3336. # ==== The rock store type ====
  3337. #
  3338. # Usage:
  3339. # cache_dir rock Directory-Name Mbytes [options]
  3340. #
  3341. # The Rock Store type is a database-style storage. All cached
  3342. # entries are stored in a "database" file, using fixed-size slots.
  3343. # A single entry occupies one or more slots.
  3344. #
  3345. # If possible, Squid using Rock Store creates a dedicated kid
  3346. # process called "disker" to avoid blocking Squid worker(s) on disk
  3347. # I/O. One disker kid is created for each rock cache_dir. Diskers
  3348. # are created only when Squid, running in daemon mode, has support
  3349. # for the IpcIo disk I/O module.
  3350. #
  3351. # swap-timeout=msec: Squid will not start writing a miss to or
  3352. # reading a hit from disk if it estimates that the swap operation
  3353. # will take more than the specified number of milliseconds. By
  3354. # default and when set to zero, disables the disk I/O time limit
  3355. # enforcement. Ignored when using blocking I/O module because
  3356. # blocking synchronous I/O does not allow Squid to estimate the
  3357. # expected swap wait time.
  3358. #
  3359. # max-swap-rate=swaps/sec: Artificially limits disk access using
  3360. # the specified I/O rate limit. Swap out requests that
  3361. # would cause the average I/O rate to exceed the limit are
  3362. # delayed. Individual swap in requests (i.e., hits or reads) are
  3363. # not delayed, but they do contribute to measured swap rate and
  3364. # since they are placed in the same FIFO queue as swap out
  3365. # requests, they may wait longer if max-swap-rate is smaller.
  3366. # This is necessary on file systems that buffer "too
  3367. # many" writes and then start blocking Squid and other processes
  3368. # while committing those writes to disk. Usually used together
  3369. # with swap-timeout to avoid excessive delays and queue overflows
  3370. # when disk demand exceeds available disk "bandwidth". By default
  3371. # and when set to zero, disables the disk I/O rate limit
  3372. # enforcement. Currently supported by IpcIo module only.
  3373. #
  3374. # slot-size=bytes: The size of a database "record" used for
  3375. # storing cached responses. A cached response occupies at least
  3376. # one slot and all database I/O is done using individual slots so
  3377. # increasing this parameter leads to more disk space waste while
  3378. # decreasing it leads to more disk I/O overheads. Should be a
  3379. # multiple of your operating system I/O page size. Defaults to
  3380. # 16KBytes. A housekeeping header is stored with each slot and
  3381. # smaller slot-sizes will be rejected. The header is smaller than
  3382. # 100 bytes.
  3383. #
  3384. #
  3385. # ==== COMMON OPTIONS ====
  3386. #
  3387. # no-store no new objects should be stored to this cache_dir.
  3388. #
  3389. # min-size=n the minimum object size in bytes this cache_dir
  3390. # will accept. It's used to restrict a cache_dir
  3391. # to only store large objects (e.g. AUFS) while
  3392. # other stores are optimized for smaller objects
  3393. # (e.g. Rock).
  3394. # Defaults to 0.
  3395. #
  3396. # max-size=n the maximum object size in bytes this cache_dir
  3397. # supports.
  3398. # The value in maximum_object_size directive sets
  3399. # the default unless more specific details are
  3400. # available (ie a small store capacity).
  3401. #
  3402. # Note: To make optimal use of the max-size limits you should order
  3403. # the cache_dir lines with the smallest max-size value first.
  3404. #
  3405. #Default:
  3406. # No disk cache. Store cache ojects only in memory.
  3407. #
  3408.  
  3409. # Uncomment and adjust the following to add a disk cache directory.
  3410. #cache_dir ufs /var/spool/squid 100 16 256
  3411.  
  3412. # TAG: store_dir_select_algorithm
  3413. # How Squid selects which cache_dir to use when the response
  3414. # object will fit into more than one.
  3415. #
  3416. # Regardless of which algorithm is used the cache_dir min-size
  3417. # and max-size parameters are obeyed. As such they can affect
  3418. # the selection algorithm by limiting the set of considered
  3419. # cache_dir.
  3420. #
  3421. # Algorithms:
  3422. #
  3423. # least-load
  3424. #
  3425. # This algorithm is suited to caches with similar cache_dir
  3426. # sizes and disk speeds.
  3427. #
  3428. # The disk with the least I/O pending is selected.
  3429. # When there are multiple disks with the same I/O load ranking
  3430. # the cache_dir with most available capacity is selected.
  3431. #
  3432. # When a mix of cache_dir sizes are configured the faster disks
  3433. # have a naturally lower I/O loading and larger disks have more
  3434. # capacity. So space used to store objects and data throughput
  3435. # may be very unbalanced towards larger disks.
  3436. #
  3437. #
  3438. # round-robin
  3439. #
  3440. # This algorithm is suited to caches with unequal cache_dir
  3441. # disk sizes.
  3442. #
  3443. # Each cache_dir is selected in a rotation. The next suitable
  3444. # cache_dir is used.
  3445. #
  3446. # Available cache_dir capacity is only considered in relation
  3447. # to whether the object will fit and meets the min-size and
  3448. # max-size parameters.
  3449. #
  3450. # Disk I/O loading is only considered to prevent overload on slow
  3451. # disks. This algorithm does not spread objects by size, so any
  3452. # I/O loading per-disk may appear very unbalanced and volatile.
  3453. #
  3454. # If several cache_dirs use similar min-size, max-size, or other
  3455. # limits to to reject certain responses, then do not group such
  3456. # cache_dir lines together, to avoid round-robin selection bias
  3457. # towards the first cache_dir after the group. Instead, interleave
  3458. # cache_dir lines from different groups. For example:
  3459. #
  3460. # store_dir_select_algorithm round-robin
  3461. # cache_dir rock /hdd1 ... min-size=100000
  3462. # cache_dir rock /ssd1 ... max-size=99999
  3463. # cache_dir rock /hdd2 ... min-size=100000
  3464. # cache_dir rock /ssd2 ... max-size=99999
  3465. # cache_dir rock /hdd3 ... min-size=100000
  3466. # cache_dir rock /ssd3 ... max-size=99999
  3467. cache_dir ufs /var/spool/squid 100 16 256
  3468. cache_dir rock /hdd1 ... min-size=100000
  3469. cache_dir rock /ssd1 ... max-size=99999
  3470. cache_dir rock /hdd2 ... min-size=100000
  3471. cache_dir rock /ssd2 ... max-size=99999
  3472. cache_dir rock /hdd3 ... min-size=100000
  3473. cache_dir rock /ssd3 ... max-size=99999
  3474. #Default:
  3475. # store_dir_select_algorithm least-load
  3476.  
  3477. # TAG: max_open_disk_fds
  3478. # To avoid having disk as the I/O bottleneck Squid can optionally
  3479. # bypass the on-disk cache if more than this amount of disk file
  3480. # descriptors are open.
  3481. #
  3482. # A value of 0 indicates no limit.
  3483. #Default:
  3484. # no limit
  3485.  
  3486. # TAG: cache_swap_low (percent, 0-100)
  3487. # The low-water mark for AUFS/UFS/diskd cache object eviction by
  3488. # the cache_replacement_policy algorithm.
  3489. #
  3490. # Removal begins when the swap (disk) usage of a cache_dir is
  3491. # above this low-water mark and attempts to maintain utilization
  3492. # near the low-water mark.
  3493. #
  3494. # As swap utilization increases towards the high-water mark set
  3495. # by cache_swap_high object eviction becomes more agressive.
  3496. #
  3497. # The value difference in percentages between low- and high-water
  3498. # marks represent an eviction rate of 300 objects per second and
  3499. # the rate continues to scale in agressiveness by multiples of
  3500. # this above the high-water mark.
  3501. #
  3502. # Defaults are 90% and 95%. If you have a large cache, 5% could be
  3503. # hundreds of MB. If this is the case you may wish to set these
  3504. # numbers closer together.
  3505. #
  3506. # See also cache_swap_high and cache_replacement_policy
  3507. #Default:
  3508. # cache_swap_low 90
  3509.  
  3510. # TAG: cache_swap_high (percent, 0-100)
  3511. # The high-water mark for AUFS/UFS/diskd cache object eviction by
  3512. # the cache_replacement_policy algorithm.
  3513. #
  3514. # Removal begins when the swap (disk) usage of a cache_dir is
  3515. # above the low-water mark set by cache_swap_low and attempts to
  3516. # maintain utilization near the low-water mark.
  3517. #
  3518. # As swap utilization increases towards this high-water mark object
  3519. # eviction becomes more agressive.
  3520. #
  3521. # The value difference in percentages between low- and high-water
  3522. # marks represent an eviction rate of 300 objects per second and
  3523. # the rate continues to scale in agressiveness by multiples of
  3524. # this above the high-water mark.
  3525. #
  3526. # Defaults are 90% and 95%. If you have a large cache, 5% could be
  3527. # hundreds of MB. If this is the case you may wish to set these
  3528. # numbers closer together.
  3529. #
  3530. # See also cache_swap_low and cache_replacement_policy
  3531. #Default:
  3532. # cache_swap_high 95
  3533.  
  3534. # LOGFILE OPTIONS
  3535. # -----------------------------------------------------------------------------
  3536.  
  3537. # TAG: logformat
  3538. # Usage:
  3539. #
  3540. # logformat <name> <format specification>
  3541. #
  3542. # Defines an access log format.
  3543. #
  3544. # The <format specification> is a string with embedded % format codes
  3545. #
  3546. # % format codes all follow the same basic structure where all but
  3547. # the formatcode is optional. Output strings are automatically escaped
  3548. # as required according to their context and the output format
  3549. # modifiers are usually not needed, but can be specified if an explicit
  3550. # output format is desired.
  3551. #
  3552. # % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
  3553. #
  3554. # " output in quoted string format
  3555. # [ output in squid text log format as used by log_mime_hdrs
  3556. # # output in URL quoted format
  3557. # ' output as-is
  3558. #
  3559. # - left aligned
  3560. #
  3561. # width minimum and/or maximum field width:
  3562. # [width_min][.width_max]
  3563. # When minimum starts with 0, the field is zero-padded.
  3564. # String values exceeding maximum width are truncated.
  3565. #
  3566. # {arg} argument such as header name etc
  3567. #
  3568. # Format codes:
  3569. #
  3570. # % a literal % character
  3571. # sn Unique sequence number per log line entry
  3572. # err_code The ID of an error response served by Squid or
  3573. # a similar internal error identifier.
  3574. # err_detail Additional err_code-dependent error information.
  3575. # note The annotation specified by the argument. Also
  3576. # logs the adaptation meta headers set by the
  3577. # adaptation_meta configuration parameter.
  3578. # If no argument given all annotations logged.
  3579. # The argument may include a separator to use with
  3580. # annotation values:
  3581. # name[:separator]
  3582. # By default, multiple note values are separated with ","
  3583. # and multiple notes are separated with "\r\n".
  3584. # When logging named notes with %{name}note, the
  3585. # explicitly configured separator is used between note
  3586. # values. When logging all notes with %note, the
  3587. # explicitly configured separator is used between
  3588. # individual notes. There is currently no way to
  3589. # specify both value and notes separators when logging
  3590. # all notes with %note.
  3591. #
  3592. # Connection related format codes:
  3593. #
  3594. # >a Client source IP address
  3595. # >A Client FQDN
  3596. # >p Client source port
  3597. # >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
  3598. # >la Local IP address the client connected to
  3599. # >lp Local port number the client connected to
  3600. # >qos Client connection TOS/DSCP value set by Squid
  3601. # >nfmark Client connection netfilter mark set by Squid
  3602. #
  3603. # la Local listening IP address the client connection was connected to.
  3604. # lp Local listening port number the client connection was connected to.
  3605. #
  3606. # <a Server IP address of the last server or peer connection
  3607. # <A Server FQDN or peer name
  3608. # <p Server port number of the last server or peer connection
  3609. # <la Local IP address of the last server or peer connection
  3610. # <lp Local port number of the last server or peer connection
  3611. # <qos Server connection TOS/DSCP value set by Squid
  3612. # <nfmark Server connection netfilter mark set by Squid
  3613. #
  3614. # Time related format codes:
  3615. #
  3616. # ts Seconds since epoch
  3617. # tu subsecond time (milliseconds)
  3618. # tl Local time. Optional strftime format argument
  3619. # default %d/%b/%Y:%H:%M:%S %z
  3620. # tg GMT time. Optional strftime format argument
  3621. # default %d/%b/%Y:%H:%M:%S %z
  3622. # tr Response time (milliseconds)
  3623. # dt Total time spent making DNS lookups (milliseconds)
  3624. # tS Approximate master transaction start time in
  3625. # <full seconds since epoch>.<fractional seconds> format.
  3626. # Currently, Squid considers the master transaction
  3627. # started when a complete HTTP request header initiating
  3628. # the transaction is received from the client. This is
  3629. # the same value that Squid uses to calculate transaction
  3630. # response time when logging %tr to access.log. Currently,
  3631. # Squid uses millisecond resolution for %tS values,
  3632. # similar to the default access.log "current time" field
  3633. # (%ts.%03tu).
  3634. #
  3635. # Access Control related format codes:
  3636. #
  3637. # et Tag returned by external acl
  3638. # ea Log string returned by external acl
  3639. # un User name (any available)
  3640. # ul User name from authentication
  3641. # ue User name from external acl helper
  3642. # ui User name from ident
  3643. # un A user name. Expands to the first available name
  3644. # from the following list of information sources:
  3645. # - authenticated user name, like %ul
  3646. # - user name supplied by an external ACL, like %ue
  3647. # - SSL client name, like %us
  3648. # - ident user name, like %ui
  3649. # credentials Client credentials. The exact meaning depends on
  3650. # the authentication scheme: For Basic authentication,
  3651. # it is the password; for Digest, the realm sent by the
  3652. # client; for NTLM and Negotiate, the client challenge
  3653. # or client credentials prefixed with "YR " or "KK ".
  3654. #
  3655. # HTTP related format codes:
  3656. #
  3657. # REQUEST
  3658. #
  3659. # [http::]rm Request method (GET/POST etc)
  3660. # [http::]>rm Request method from client
  3661. # [http::]<rm Request method sent to server or peer
  3662. # [http::]ru Request URL from client (historic, filtered for logging)
  3663. # [http::]>ru Request URL from client
  3664. # [http::]<ru Request URL sent to server or peer
  3665. # [http::]>rs Request URL scheme from client
  3666. # [http::]<rs Request URL scheme sent to server or peer
  3667. # [http::]>rd Request URL domain from client
  3668. # [http::]<rd Request URL domain sent to server or peer
  3669. # [http::]>rP Request URL port from client
  3670. # [http::]<rP Request URL port sent to server or peer
  3671. # [http::]rp Request URL path excluding hostname
  3672. # [http::]>rp Request URL path excluding hostname from client
  3673. # [http::]<rp Request URL path excluding hostname sent to server or peer
  3674. # [http::]rv Request protocol version
  3675. # [http::]>rv Request protocol version from client
  3676. # [http::]<rv Request protocol version sent to server or peer
  3677. #
  3678. # [http::]>h Original received request header.
  3679. # Usually differs from the request header sent by
  3680. # Squid, although most fields are often preserved.
  3681. # Accepts optional header field name/value filter
  3682. # argument using name[:[separator]element] format.
  3683. # [http::]>ha Received request header after adaptation and
  3684. # redirection (pre-cache REQMOD vectoring point).
  3685. # Usually differs from the request header sent by
  3686. # Squid, although most fields are often preserved.
  3687. # Optional header name argument as for >h
  3688. #
  3689. #
  3690. # RESPONSE
  3691. #
  3692. # [http::]<Hs HTTP status code received from the next hop
  3693. # [http::]>Hs HTTP status code sent to the client
  3694. #
  3695. # [http::]<h Reply header. Optional header name argument
  3696. # as for >h
  3697. #
  3698. # [http::]mt MIME content type
  3699. #
  3700. #
  3701. # SIZE COUNTERS
  3702. #
  3703. # [http::]st Total size of request + reply traffic with client
  3704. # [http::]>st Total size of request received from client.
  3705. # Excluding chunked encoding bytes.
  3706. # [http::]<st Total size of reply sent to client (after adaptation)
  3707. #
  3708. # [http::]>sh Size of request headers received from client
  3709. # [http::]<sh Size of reply headers sent to client (after adaptation)
  3710. #
  3711. # [http::]<sH Reply high offset sent
  3712. # [http::]<sS Upstream object size
  3713. #
  3714. # [http::]<bs Number of HTTP-equivalent message body bytes
  3715. # received from the next hop, excluding chunked
  3716. # transfer encoding and control messages.
  3717. # Generated FTP/Gopher listings are treated as
  3718. # received bodies.
  3719. #
  3720. #
  3721. # TIMING
  3722. #
  3723. # [http::]<pt Peer response time in milliseconds. The timer starts
  3724. # when the last request byte is sent to the next hop
  3725. # and stops when the last response byte is received.
  3726. # [http::]<tt Total time in milliseconds. The timer
  3727. # starts with the first connect request (or write I/O)
  3728. # sent to the first selected peer. The timer stops
  3729. # with the last I/O with the last peer.
  3730. #
  3731. # Squid handling related format codes:
  3732. #
  3733. # Ss Squid request status (TCP_MISS etc)
  3734. # Sh Squid hierarchy status (DEFAULT_PARENT etc)
  3735. #
  3736. # SSL-related format codes:
  3737. #
  3738. # ssl::bump_mode SslBump decision for the transaction:
  3739. #
  3740. # For CONNECT requests that initiated bumping of
  3741. # a connection and for any request received on
  3742. # an already bumped connection, Squid logs the
  3743. # corresponding SslBump mode ("server-first" or
  3744. # "client-first"). See the ssl_bump option for
  3745. # more information about these modes.
  3746. #
  3747. # A "none" token is logged for requests that
  3748. # triggered "ssl_bump" ACL evaluation matching
  3749. # either a "none" rule or no rules at all.
  3750. #
  3751. # In all other cases, a single dash ("-") is
  3752. # logged.
  3753. #
  3754. # ssl::>sni SSL client SNI sent to Squid. Available only
  3755. # after the peek, stare, or splice SSL bumping
  3756. # actions.
  3757. #
  3758. # If ICAP is enabled, the following code becomes available (as
  3759. # well as ICAP log codes documented with the icap_log option):
  3760. #
  3761. # icap::tt Total ICAP processing time for the HTTP
  3762. # transaction. The timer ticks when ICAP
  3763. # ACLs are checked and when ICAP
  3764. # transaction is in progress.
  3765. #
  3766. # If adaptation is enabled the following three codes become available:
  3767. #
  3768. # adapt::<last_h The header of the last ICAP response or
  3769. # meta-information from the last eCAP
  3770. # transaction related to the HTTP transaction.
  3771. # Like <h, accepts an optional header name
  3772. # argument.
  3773. #
  3774. # adapt::sum_trs Summed adaptation transaction response
  3775. # times recorded as a comma-separated list in
  3776. # the order of transaction start time. Each time
  3777. # value is recorded as an integer number,
  3778. # representing response time of one or more
  3779. # adaptation (ICAP or eCAP) transaction in
  3780. # milliseconds. When a failed transaction is
  3781. # being retried or repeated, its time is not
  3782. # logged individually but added to the
  3783. # replacement (next) transaction. See also:
  3784. # adapt::all_trs.
  3785. #
  3786. # adapt::all_trs All adaptation transaction response times.
  3787. # Same as adaptation_strs but response times of
  3788. # individual transactions are never added
  3789. # together. Instead, all transaction response
  3790. # times are recorded individually.
  3791. #
  3792. # You can prefix adapt::*_trs format codes with adaptation
  3793. # service name in curly braces to record response time(s) specific
  3794. # to that service. For example: %{my_service}adapt::sum_trs
  3795. #
  3796. # If SSL is enabled, the following formating codes become available:
  3797. #
  3798. # %ssl::>cert_subject The Subject field of the received client
  3799. # SSL certificate or a dash ('-') if Squid has
  3800. # received an invalid/malformed certificate or
  3801. # no certificate at all. Consider encoding the
  3802. # logged value because Subject often has spaces.
  3803. #
  3804. # %ssl::>cert_issuer The Issuer field of the received client
  3805. # SSL certificate or a dash ('-') if Squid has
  3806. # received an invalid/malformed certificate or
  3807. # no certificate at all. Consider encoding the
  3808. # logged value because Issuer often has spaces.
  3809. #
  3810. # The default formats available (which do not need re-defining) are:
  3811. #
  3812. #logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
  3813. #logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
  3814. #logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
  3815. #logformat referrer %ts.%03tu %>a %{Referer}>h %ru
  3816. #logformat useragent %>a [%tl] "%{User-Agent}>h"
  3817. #
  3818. # NOTE: When the log_mime_hdrs directive is set to ON.
  3819. # The squid, common and combined formats have a safely encoded copy
  3820. # of the mime headers appended to each line within a pair of brackets.
  3821. #
  3822. # NOTE: The common and combined formats are not quite true to the Apache definition.
  3823. # The logs from Squid contain an extra status and hierarchy code appended.
  3824. #
  3825. #Default:
  3826. # The format definitions squid, common, combined, referrer, useragent are built in.
  3827.  
  3828. # TAG: access_log
  3829. # Configures whether and how Squid logs HTTP and ICP transactions.
  3830. # If access logging is enabled, a single line is logged for every
  3831. # matching HTTP or ICP request. The recommended directive formats are:
  3832. #
  3833. # access_log <module>:<place> [option ...] [acl acl ...]
  3834. # access_log none [acl acl ...]
  3835. #
  3836. # The following directive format is accepted but may be deprecated:
  3837. # access_log <module>:<place> [<logformat name> [acl acl ...]]
  3838. #
  3839. # In most cases, the first ACL name must not contain the '=' character
  3840. # and should not be equal to an existing logformat name. You can always
  3841. # start with an 'all' ACL to work around those restrictions.
  3842. #
  3843. # Will log to the specified module:place using the specified format (which
  3844. # must be defined in a logformat directive) those entries which match
  3845. # ALL the acl's specified (which must be defined in acl clauses).
  3846. # If no acl is specified, all requests will be logged to this destination.
  3847. #
  3848. # ===== Available options for the recommended directive format =====
  3849. #
  3850. # logformat=name Names log line format (either built-in or
  3851. # defined by a logformat directive). Defaults
  3852. # to 'squid'.
  3853. #
  3854. # buffer-size=64KB Defines approximate buffering limit for log
  3855. # records (see buffered_logs). Squid should not
  3856. # keep more than the specified size and, hence,
  3857. # should flush records before the buffer becomes
  3858. # full to avoid overflows under normal
  3859. # conditions (the exact flushing algorithm is
  3860. # module-dependent though). The on-error option
  3861. # controls overflow handling.
  3862. #
  3863. # on-error=die|drop Defines action on unrecoverable errors. The
  3864. # 'drop' action ignores (i.e., does not log)
  3865. # affected log records. The default 'die' action
  3866. # kills the affected worker. The drop action
  3867. # support has not been tested for modules other
  3868. # than tcp.
  3869. #
  3870. # ===== Modules Currently available =====
  3871. #
  3872. # none Do not log any requests matching these ACL.
  3873. # Do not specify Place or logformat name.
  3874. #
  3875. # stdio Write each log line to disk immediately at the completion of
  3876. # each request.
  3877. # Place: the filename and path to be written.
  3878. #
  3879. # daemon Very similar to stdio. But instead of writing to disk the log
  3880. # line is passed to a daemon helper for asychronous handling instead.
  3881. # Place: varies depending on the daemon.
  3882. #
  3883. # log_file_daemon Place: the file name and path to be written.
  3884. #
  3885. # syslog To log each request via syslog facility.
  3886. # Place: The syslog facility and priority level for these entries.
  3887. # Place Format: facility.priority
  3888. #
  3889. # where facility could be any of:
  3890. # authpriv, daemon, local0 ... local7 or user.
  3891. #
  3892. # And priority could be any of:
  3893. # err, warning, notice, info, debug.
  3894. #
  3895. # udp To send each log line as text data to a UDP receiver.
  3896. # Place: The destination host name or IP and port.
  3897. # Place Format: //host:port
  3898. #
  3899. # tcp To send each log line as text data to a TCP receiver.
  3900. # Lines may be accumulated before sending (see buffered_logs).
  3901. # Place: The destination host name or IP and port.
  3902. # Place Format: //host:port
  3903. #
  3904. # Default:
  3905. # access_log daemon:/var/log/squid/access.log squid
  3906. #Default:
  3907. # access_log daemon:/var/log/squid/access.log squid
  3908.  
  3909. # TAG: icap_log
  3910. # ICAP log files record ICAP transaction summaries, one line per
  3911. # transaction.
  3912. #
  3913. # The icap_log option format is:
  3914. # icap_log <filepath> [<logformat name> [acl acl ...]]
  3915. # icap_log none [acl acl ...]]
  3916. #
  3917. # Please see access_log option documentation for details. The two
  3918. # kinds of logs share the overall configuration approach and many
  3919. # features.
  3920. #
  3921. # ICAP processing of a single HTTP message or transaction may
  3922. # require multiple ICAP transactions. In such cases, multiple
  3923. # ICAP transaction log lines will correspond to a single access
  3924. # log line.
  3925. #
  3926. # ICAP log uses logformat codes that make sense for an ICAP
  3927. # transaction. Header-related codes are applied to the HTTP header
  3928. # embedded in an ICAP server response, with the following caveats:
  3929. # For REQMOD, there is no HTTP response header unless the ICAP
  3930. # server performed request satisfaction. For RESPMOD, the HTTP
  3931. # request header is the header sent to the ICAP server. For
  3932. # OPTIONS, there are no HTTP headers.
  3933. #
  3934. # The following format codes are also available for ICAP logs:
  3935. #
  3936. # icap::<A ICAP server IP address. Similar to <A.
  3937. #
  3938. # icap::<service_name ICAP service name from the icap_service
  3939. # option in Squid configuration file.
  3940. #
  3941. # icap::ru ICAP Request-URI. Similar to ru.
  3942. #
  3943. # icap::rm ICAP request method (REQMOD, RESPMOD, or
  3944. # OPTIONS). Similar to existing rm.
  3945. #
  3946. # icap::>st Bytes sent to the ICAP server (TCP payload
  3947. # only; i.e., what Squid writes to the socket).
  3948. #
  3949. # icap::<st Bytes received from the ICAP server (TCP
  3950. # payload only; i.e., what Squid reads from
  3951. # the socket).
  3952. #
  3953. # icap::<bs Number of message body bytes received from the
  3954. # ICAP server. ICAP message body, if any, usually
  3955. # includes encapsulated HTTP message headers and
  3956. # possibly encapsulated HTTP message body. The
  3957. # HTTP body part is dechunked before its size is
  3958. # computed.
  3959. #
  3960. # icap::tr Transaction response time (in
  3961. # milliseconds). The timer starts when
  3962. # the ICAP transaction is created and
  3963. # stops when the transaction is completed.
  3964. # Similar to tr.
  3965. #
  3966. # icap::tio Transaction I/O time (in milliseconds). The
  3967. # timer starts when the first ICAP request
  3968. # byte is scheduled for sending. The timers
  3969. # stops when the last byte of the ICAP response
  3970. # is received.
  3971. #
  3972. # icap::to Transaction outcome: ICAP_ERR* for all
  3973. # transaction errors, ICAP_OPT for OPTION
  3974. # transactions, ICAP_ECHO for 204
  3975. # responses, ICAP_MOD for message
  3976. # modification, and ICAP_SAT for request
  3977. # satisfaction. Similar to Ss.
  3978. #
  3979. # icap::Hs ICAP response status code. Similar to Hs.
  3980. #
  3981. # icap::>h ICAP request header(s). Similar to >h.
  3982. #
  3983. # icap::<h ICAP response header(s). Similar to <h.
  3984. #
  3985. # The default ICAP log format, which can be used without an explicit
  3986. # definition, is called icap_squid:
  3987. #
  3988. #logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
  3989. #
  3990. # See also: logformat, log_icap, and %adapt::<last_h
  3991. #Default:
  3992. # none
  3993.  
  3994. # TAG: logfile_daemon
  3995. # Specify the path to the logfile-writing daemon. This daemon is
  3996. # used to write the access and store logs, if configured.
  3997. #
  3998. # Squid sends a number of commands to the log daemon:
  3999. # L<data>\n - logfile data
  4000. # R\n - rotate file
  4001. # T\n - truncate file
  4002. # O\n - reopen file
  4003. # F\n - flush file
  4004. # r<n>\n - set rotate count to <n>
  4005. # b<n>\n - 1 = buffer output, 0 = don't buffer output
  4006. #
  4007. # No responses is expected.
  4008. #Default:
  4009. # logfile_daemon /usr/lib/squid/log_file_daemon
  4010.  
  4011. # TAG: stats_collection allow|deny acl acl...
  4012. # This options allows you to control which requests gets accounted
  4013. # in performance counters.
  4014. #
  4015. # This clause only supports fast acl types.
  4016. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4017. #Default:
  4018. # Allow logging for all transactions.
  4019.  
  4020. # TAG: cache_store_log
  4021. # Logs the activities of the storage manager. Shows which
  4022. # objects are ejected from the cache, and which objects are
  4023. # saved and for how long.
  4024. # There are not really utilities to analyze this data, so you can safely
  4025. # disable it (the default).
  4026. #
  4027. # Store log uses modular logging outputs. See access_log for the list
  4028. # of modules supported.
  4029. #
  4030. # Example:
  4031. # cache_store_log stdio:/var/log/squid/store.log
  4032. # cache_store_log daemon:/var/log/squid/store.log
  4033. #Default:
  4034. # none
  4035.  
  4036. # TAG: cache_swap_state
  4037. # Location for the cache "swap.state" file. This index file holds
  4038. # the metadata of objects saved on disk. It is used to rebuild
  4039. # the cache during startup. Normally this file resides in each
  4040. # 'cache_dir' directory, but you may specify an alternate
  4041. # pathname here. Note you must give a full filename, not just
  4042. # a directory. Since this is the index for the whole object
  4043. # list you CANNOT periodically rotate it!
  4044. #
  4045. # If %s can be used in the file name it will be replaced with a
  4046. # a representation of the cache_dir name where each / is replaced
  4047. # with '.'. This is needed to allow adding/removing cache_dir
  4048. # lines when cache_swap_log is being used.
  4049. #
  4050. # If have more than one 'cache_dir', and %s is not used in the name
  4051. # these swap logs will have names such as:
  4052. #
  4053. # cache_swap_log.00
  4054. # cache_swap_log.01
  4055. # cache_swap_log.02
  4056. #
  4057. # The numbered extension (which is added automatically)
  4058. # corresponds to the order of the 'cache_dir' lines in this
  4059. # configuration file. If you change the order of the 'cache_dir'
  4060. # lines in this file, these index files will NOT correspond to
  4061. # the correct 'cache_dir' entry (unless you manually rename
  4062. # them). We recommend you do NOT use this option. It is
  4063. # better to keep these index files in each 'cache_dir' directory.
  4064. #Default:
  4065. # Store the journal inside its cache_dir
  4066.  
  4067. # TAG: logfile_rotate
  4068. # Specifies the number of logfile rotations to make when you
  4069. # type 'squid -k rotate'. The default is 10, which will rotate
  4070. # with extensions 0 through 9. Setting logfile_rotate to 0 will
  4071. # disable the file name rotation, but the logfiles are still closed
  4072. # and re-opened. This will enable you to rename the logfiles
  4073. # yourself just before sending the rotate signal.
  4074. #
  4075. # Note, the 'squid -k rotate' command normally sends a USR1
  4076. # signal to the running squid process. In certain situations
  4077. # (e.g. on Linux with Async I/O), USR1 is used for other
  4078. # purposes, so -k rotate uses another signal. It is best to get
  4079. # in the habit of using 'squid -k rotate' instead of 'kill -USR1
  4080. # <pid>'.
  4081. #
  4082. # Note, from Squid-3.1 this option is only a default for cache.log,
  4083. # that log can be rotated separately by using debug_options.
  4084. #
  4085. # Note2, for Debian/Linux the default of logfile_rotate is
  4086. # zero, since it includes external logfile-rotation methods.
  4087. #Default:
  4088. # logfile_rotate 0
  4089.  
  4090. # TAG: mime_table
  4091. # Path to Squid's icon configuration file.
  4092. #
  4093. # You shouldn't need to change this, but the default file contains
  4094. # examples and formatting information if you do.
  4095. #Default:
  4096. # mime_table /usr/share/squid/mime.conf
  4097.  
  4098. # TAG: log_mime_hdrs on|off
  4099. # The Cache can record both the request and the response MIME
  4100. # headers for each HTTP transaction. The headers are encoded
  4101. # safely and will appear as two bracketed fields at the end of
  4102. # the access log (for either the native or httpd-emulated log
  4103. # formats). To enable this logging set log_mime_hdrs to 'on'.
  4104. #Default:
  4105. # log_mime_hdrs off
  4106.  
  4107. # TAG: pid_filename
  4108. # A filename to write the process-id to. To disable, enter "none".
  4109. #Default:
  4110. # pid_filename /var/run/squid.pid
  4111.  
  4112. # TAG: client_netmask
  4113. # A netmask for client addresses in logfiles and cachemgr output.
  4114. # Change this to protect the privacy of your cache clients.
  4115. # A netmask of 255.255.255.0 will log all IP's in that range with
  4116. # the last digit set to '0'.
  4117. #Default:
  4118. # Log full client IP address
  4119.  
  4120. # TAG: strip_query_terms
  4121. # By default, Squid strips query terms from requested URLs before
  4122. # logging. This protects your user's privacy and reduces log size.
  4123. #
  4124. # When investigating HIT/MISS or other caching behaviour you
  4125. # will need to disable this to see the full URL used by Squid.
  4126. #Default:
  4127. # strip_query_terms on
  4128.  
  4129. # TAG: buffered_logs on|off
  4130. # Whether to write/send access_log records ASAP or accumulate them and
  4131. # then write/send them in larger chunks. Buffering may improve
  4132. # performance because it decreases the number of I/Os. However,
  4133. # buffering increases the delay before log records become available to
  4134. # the final recipient (e.g., a disk file or logging daemon) and,
  4135. # hence, increases the risk of log records loss.
  4136. #
  4137. # Note that even when buffered_logs are off, Squid may have to buffer
  4138. # records if it cannot write/send them immediately due to pending I/Os
  4139. # (e.g., the I/O writing the previous log record) or connectivity loss.
  4140. #
  4141. # Currently honored by 'daemon' and 'tcp' access_log modules only.
  4142. #Default:
  4143. # buffered_logs off
  4144.  
  4145. # TAG: netdb_filename
  4146. # Where Squid stores it's netdb journal.
  4147. # When enabled this journal preserves netdb state between restarts.
  4148. #
  4149. # To disable, enter "none".
  4150. #Default:
  4151. # netdb_filename stdio:/var/log/squid/netdb.state
  4152.  
  4153. # OPTIONS FOR TROUBLESHOOTING
  4154. # -----------------------------------------------------------------------------
  4155.  
  4156. # TAG: cache_log
  4157. # Squid administrative logging file.
  4158. #
  4159. # This is where general information about Squid behavior goes. You can
  4160. # increase the amount of data logged to this file and how often it is
  4161. # rotated with "debug_options"
  4162. #Default:
  4163. # cache_log /var/log/squid/cache.log
  4164.  
  4165. # TAG: debug_options
  4166. # Logging options are set as section,level where each source file
  4167. # is assigned a unique section. Lower levels result in less
  4168. # output, Full debugging (level 9) can result in a very large
  4169. # log file, so be careful.
  4170. #
  4171. # The magic word "ALL" sets debugging levels for all sections.
  4172. # The default is to run with "ALL,1" to record important warnings.
  4173. #
  4174. # The rotate=N option can be used to keep more or less of these logs
  4175. # than would otherwise be kept by logfile_rotate.
  4176. # For most uses a single log should be enough to monitor current
  4177. # events affecting Squid.
  4178. #Default:
  4179. # Log all critical and important messages.
  4180.  
  4181. # TAG: coredump_dir
  4182. # By default Squid leaves core files in the directory from where
  4183. # it was started. If you set 'coredump_dir' to a directory
  4184. # that exists, Squid will chdir() to that directory at startup
  4185. # and coredump files will be left there.
  4186. #
  4187. #Default:
  4188. # Use the directory from where Squid was started.
  4189. #
  4190.  
  4191. # Leave coredumps in the first cache dir
  4192. coredump_dir /var/spool/squid
  4193.  
  4194. # OPTIONS FOR FTP GATEWAYING
  4195. # -----------------------------------------------------------------------------
  4196.  
  4197. # TAG: ftp_user
  4198. # If you want the anonymous login password to be more informative
  4199. # (and enable the use of picky FTP servers), set this to something
  4200. # reasonable for your domain, like wwwuser@somewhere.net
  4201. #
  4202. # The reason why this is domainless by default is the
  4203. # request can be made on the behalf of a user in any domain,
  4204. # depending on how the cache is used.
  4205. # Some FTP server also validate the email address is valid
  4206. # (for example perl.com).
  4207. #Default:
  4208. # ftp_user Squid@
  4209.  
  4210. # TAG: ftp_passive
  4211. # If your firewall does not allow Squid to use passive
  4212. # connections, turn off this option.
  4213. #
  4214. # Use of ftp_epsv_all option requires this to be ON.
  4215. #Default:
  4216. # ftp_passive on
  4217.  
  4218. # TAG: ftp_epsv_all
  4219. # FTP Protocol extensions permit the use of a special "EPSV ALL" command.
  4220. #
  4221. # NATs may be able to put the connection on a "fast path" through the
  4222. # translator, as the EPRT command will never be used and therefore,
  4223. # translation of the data portion of the segments will never be needed.
  4224. #
  4225. # When a client only expects to do two-way FTP transfers this may be
  4226. # useful.
  4227. # If squid finds that it must do a three-way FTP transfer after issuing
  4228. # an EPSV ALL command, the FTP session will fail.
  4229. #
  4230. # If you have any doubts about this option do not use it.
  4231. # Squid will nicely attempt all other connection methods.
  4232. #
  4233. # Requires ftp_passive to be ON (default) for any effect.
  4234. #Default:
  4235. # ftp_epsv_all off
  4236.  
  4237. # TAG: ftp_epsv
  4238. # FTP Protocol extensions permit the use of a special "EPSV" command.
  4239. #
  4240. # NATs may be able to put the connection on a "fast path" through the
  4241. # translator using EPSV, as the EPRT command will never be used
  4242. # and therefore, translation of the data portion of the segments
  4243. # will never be needed.
  4244. #
  4245. # EPSV is often required to interoperate with FTP servers on IPv6
  4246. # networks. On the other hand, it may break some IPv4 servers.
  4247. #
  4248. # By default, EPSV may try EPSV with any FTP server. To fine tune
  4249. # that decision, you may restrict EPSV to certain clients or servers
  4250. # using ACLs:
  4251. #
  4252. # ftp_epsv allow|deny al1 acl2 ...
  4253. #
  4254. # WARNING: Disabling EPSV may cause problems with external NAT and IPv6.
  4255. #
  4256. # Only fast ACLs are supported.
  4257. # Requires ftp_passive to be ON (default) for any effect.
  4258. #Default:
  4259. # none
  4260.  
  4261. # TAG: ftp_eprt
  4262. # FTP Protocol extensions permit the use of a special "EPRT" command.
  4263. #
  4264. # This extension provides a protocol neutral alternative to the
  4265. # IPv4-only PORT command. When supported it enables active FTP data
  4266. # channels over IPv6 and efficient NAT handling.
  4267. #
  4268. # Turning this OFF will prevent EPRT being attempted and will skip
  4269. # straight to using PORT for IPv4 servers.
  4270. #
  4271. # Some devices are known to not handle this extension correctly and
  4272. # may result in crashes. Devices which suport EPRT enough to fail
  4273. # cleanly will result in Squid attempting PORT anyway. This directive
  4274. # should only be disabled when EPRT results in device failures.
  4275. #
  4276. # WARNING: Doing so will convert Squid back to the old behavior with all
  4277. # the related problems with external NAT devices/layers and IPv4-only FTP.
  4278. #Default:
  4279. # ftp_eprt on
  4280.  
  4281. # TAG: ftp_sanitycheck
  4282. # For security and data integrity reasons Squid by default performs
  4283. # sanity checks of the addresses of FTP data connections ensure the
  4284. # data connection is to the requested server. If you need to allow
  4285. # FTP connections to servers using another IP address for the data
  4286. # connection turn this off.
  4287. #Default:
  4288. # ftp_sanitycheck on
  4289.  
  4290. # TAG: ftp_telnet_protocol
  4291. # The FTP protocol is officially defined to use the telnet protocol
  4292. # as transport channel for the control connection. However, many
  4293. # implementations are broken and does not respect this aspect of
  4294. # the FTP protocol.
  4295. #
  4296. # If you have trouble accessing files with ASCII code 255 in the
  4297. # path or similar problems involving this ASCII code you can
  4298. # try setting this directive to off. If that helps, report to the
  4299. # operator of the FTP server in question that their FTP server
  4300. # is broken and does not follow the FTP standard.
  4301. #Default:
  4302. # ftp_telnet_protocol on
  4303.  
  4304. # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
  4305. # -----------------------------------------------------------------------------
  4306.  
  4307. # TAG: diskd_program
  4308. # Specify the location of the diskd executable.
  4309. # Note this is only useful if you have compiled in
  4310. # diskd as one of the store io modules.
  4311. #Default:
  4312. # diskd_program /usr/lib/squid/diskd
  4313.  
  4314. # TAG: unlinkd_program
  4315. # Specify the location of the executable for file deletion process.
  4316. #Default:
  4317. # unlinkd_program /usr/lib/squid/unlinkd
  4318.  
  4319. # TAG: pinger_program
  4320. # Specify the location of the executable for the pinger process.
  4321. #Default:
  4322. # pinger_program /usr/lib/squid/pinger
  4323.  
  4324. # TAG: pinger_enable
  4325. # Control whether the pinger is active at run-time.
  4326. # Enables turning ICMP pinger on and off with a simple
  4327. # squid -k reconfigure.
  4328. #Default:
  4329. # pinger_enable on
  4330.  
  4331. # OPTIONS FOR URL REWRITING
  4332. # -----------------------------------------------------------------------------
  4333.  
  4334. # TAG: url_rewrite_program
  4335. # Specify the location of the executable URL rewriter to use.
  4336. # Since they can perform almost any function there isn't one included.
  4337. #
  4338. # For each requested URL, the rewriter will receive on line with the format
  4339. #
  4340. # [channel-ID <SP>] URL [<SP> extras]<NL>
  4341. #
  4342. # See url_rewrite_extras on how to send "extras" with optional values to
  4343. # the helper.
  4344. # After processing the request the helper must reply using the following format:
  4345. #
  4346. # [channel-ID <SP>] result [<SP> kv-pairs]
  4347. #
  4348. # The result code can be:
  4349. #
  4350. # OK status=30N url="..."
  4351. # Redirect the URL to the one supplied in 'url='.
  4352. # 'status=' is optional and contains the status code to send
  4353. # the client in Squids HTTP response. It must be one of the
  4354. # HTTP redirect status codes: 301, 302, 303, 307, 308.
  4355. # When no status is given Squid will use 302.
  4356. #
  4357. # OK rewrite-url="..."
  4358. # Rewrite the URL to the one supplied in 'rewrite-url='.
  4359. # The new URL is fetched directly by Squid and returned to
  4360. # the client as the response to its request.
  4361. #
  4362. # OK
  4363. # When neither of url= and rewrite-url= are sent Squid does
  4364. # not change the URL.
  4365. #
  4366. # ERR
  4367. # Do not change the URL.
  4368. #
  4369. # BH
  4370. # An internal error occurred in the helper, preventing
  4371. # a result being identified. The 'message=' key name is
  4372. # reserved for delivering a log message.
  4373. #
  4374. #
  4375. # In addition to the above kv-pairs Squid also understands the following
  4376. # optional kv-pairs received from URL rewriters:
  4377. # clt_conn_tag=TAG
  4378. # Associates a TAG with the client TCP connection.
  4379. # The TAG is treated as a regular annotation but persists across
  4380. # future requests on the client connection rather than just the
  4381. # current request. A helper may update the TAG during subsequent
  4382. # requests be returning a new kv-pair.
  4383. #
  4384. # When using the concurrency= option the protocol is changed by
  4385. # introducing a query channel tag in front of the request/response.
  4386. # The query channel tag is a number between 0 and concurrency-1.
  4387. # This value must be echoed back unchanged to Squid as the first part
  4388. # of the response relating to its request.
  4389. #
  4390. # WARNING: URL re-writing ability should be avoided whenever possible.
  4391. # Use the URL redirect form of response instead.
  4392. #
  4393. # Re-write creates a difference in the state held by the client
  4394. # and server. Possibly causing confusion when the server response
  4395. # contains snippets of its view state. Embeded URLs, response
  4396. # and content Location headers, etc. are not re-written by this
  4397. # interface.
  4398. #
  4399. # By default, a URL rewriter is not used.
  4400. #Default:
  4401. # none
  4402.  
  4403. # TAG: url_rewrite_children
  4404. # The maximum number of redirector processes to spawn. If you limit
  4405. # it too few Squid will have to wait for them to process a backlog of
  4406. # URLs, slowing it down. If you allow too many they will use RAM
  4407. # and other system resources noticably.
  4408. #
  4409. # The startup= and idle= options allow some measure of skew in your
  4410. # tuning.
  4411. #
  4412. # startup=
  4413. #
  4414. # Sets a minimum of how many processes are to be spawned when Squid
  4415. # starts or reconfigures. When set to zero the first request will
  4416. # cause spawning of the first child process to handle it.
  4417. #
  4418. # Starting too few will cause an initial slowdown in traffic as Squid
  4419. # attempts to simultaneously spawn enough processes to cope.
  4420. #
  4421. # idle=
  4422. #
  4423. # Sets a minimum of how many processes Squid is to try and keep available
  4424. # at all times. When traffic begins to rise above what the existing
  4425. # processes can handle this many more will be spawned up to the maximum
  4426. # configured. A minimum setting of 1 is required.
  4427. #
  4428. # concurrency=
  4429. #
  4430. # The number of requests each redirector helper can handle in
  4431. # parallel. Defaults to 0 which indicates the redirector
  4432. # is a old-style single threaded redirector.
  4433. #
  4434. # When this directive is set to a value >= 1 then the protocol
  4435. # used to communicate with the helper is modified to include
  4436. # an ID in front of the request/response. The ID from the request
  4437. # must be echoed back with the response to that request.
  4438. #Default:
  4439. # url_rewrite_children 20 startup=0 idle=1 concurrency=0
  4440.  
  4441. # TAG: url_rewrite_host_header
  4442. # To preserve same-origin security policies in browsers and
  4443. # prevent Host: header forgery by redirectors Squid rewrites
  4444. # any Host: header in redirected requests.
  4445. #
  4446. # If you are running an accelerator this may not be a wanted
  4447. # effect of a redirector. This directive enables you disable
  4448. # Host: alteration in reverse-proxy traffic.
  4449. #
  4450. # WARNING: Entries are cached on the result of the URL rewriting
  4451. # process, so be careful if you have domain-virtual hosts.
  4452. #
  4453. # WARNING: Squid and other software verifies the URL and Host
  4454. # are matching, so be careful not to relay through other proxies
  4455. # or inspecting firewalls with this disabled.
  4456. #Default:
  4457. # url_rewrite_host_header on
  4458.  
  4459. # TAG: url_rewrite_access
  4460. # If defined, this access list specifies which requests are
  4461. # sent to the redirector processes.
  4462. #
  4463. # This clause supports both fast and slow acl types.
  4464. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4465. #Default:
  4466. # Allow, unless rules exist in squid.conf.
  4467.  
  4468. # TAG: url_rewrite_bypass
  4469. # When this is 'on', a request will not go through the
  4470. # redirector if all the helpers are busy. If this is 'off'
  4471. # and the redirector queue grows too large, Squid will exit
  4472. # with a FATAL error and ask you to increase the number of
  4473. # redirectors. You should only enable this if the redirectors
  4474. # are not critical to your caching system. If you use
  4475. # redirectors for access control, and you enable this option,
  4476. # users may have access to pages they should not
  4477. # be allowed to request.
  4478. #Default:
  4479. # url_rewrite_bypass off
  4480.  
  4481. # TAG: url_rewrite_extras
  4482. # Specifies a string to be append to request line format for the
  4483. # rewriter helper. "Quoted" format values may contain spaces and
  4484. # logformat %macros. In theory, any logformat %macro can be used.
  4485. # In practice, a %macro expands as a dash (-) if the helper request is
  4486. # sent before the required macro information is available to Squid.
  4487. #Default:
  4488. # url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
  4489.  
  4490. # OPTIONS FOR STORE ID
  4491. # -----------------------------------------------------------------------------
  4492.  
  4493. # TAG: store_id_program
  4494. # Specify the location of the executable StoreID helper to use.
  4495. # Since they can perform almost any function there isn't one included.
  4496. #
  4497. # For each requested URL, the helper will receive one line with the format
  4498. #
  4499. # [channel-ID <SP>] URL [<SP> extras]<NL>
  4500. #
  4501. #
  4502. # After processing the request the helper must reply using the following format:
  4503. #
  4504. # [channel-ID <SP>] result [<SP> kv-pairs]
  4505. #
  4506. # The result code can be:
  4507. #
  4508. # OK store-id="..."
  4509. # Use the StoreID supplied in 'store-id='.
  4510. #
  4511. # ERR
  4512. # The default is to use HTTP request URL as the store ID.
  4513. #
  4514. # BH
  4515. # An internal error occured in the helper, preventing
  4516. # a result being identified.
  4517. #
  4518. # In addition to the above kv-pairs Squid also understands the following
  4519. # optional kv-pairs received from URL rewriters:
  4520. # clt_conn_tag=TAG
  4521. # Associates a TAG with the client TCP connection.
  4522. # Please see url_rewrite_program related documentation for this
  4523. # kv-pair
  4524. #
  4525. # Helper programs should be prepared to receive and possibly ignore
  4526. # additional whitespace-separated tokens on each input line.
  4527. #
  4528. # When using the concurrency= option the protocol is changed by
  4529. # introducing a query channel tag in front of the request/response.
  4530. # The query channel tag is a number between 0 and concurrency-1.
  4531. # This value must be echoed back unchanged to Squid as the first part
  4532. # of the response relating to its request.
  4533. #
  4534. # NOTE: when using StoreID refresh_pattern will apply to the StoreID
  4535. # returned from the helper and not the URL.
  4536. #
  4537. # WARNING: Wrong StoreID value returned by a careless helper may result
  4538. # in the wrong cached response returned to the user.
  4539. #
  4540. # By default, a StoreID helper is not used.
  4541. #Default:
  4542. # none
  4543.  
  4544. # TAG: store_id_extras
  4545. # Specifies a string to be append to request line format for the
  4546. # StoreId helper. "Quoted" format values may contain spaces and
  4547. # logformat %macros. In theory, any logformat %macro can be used.
  4548. # In practice, a %macro expands as a dash (-) if the helper request is
  4549. # sent before the required macro information is available to Squid.
  4550. #Default:
  4551. # store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
  4552.  
  4553. # TAG: store_id_children
  4554. # The maximum number of StoreID helper processes to spawn. If you limit
  4555. # it too few Squid will have to wait for them to process a backlog of
  4556. # requests, slowing it down. If you allow too many they will use RAM
  4557. # and other system resources noticably.
  4558. #
  4559. # The startup= and idle= options allow some measure of skew in your
  4560. # tuning.
  4561. #
  4562. # startup=
  4563. #
  4564. # Sets a minimum of how many processes are to be spawned when Squid
  4565. # starts or reconfigures. When set to zero the first request will
  4566. # cause spawning of the first child process to handle it.
  4567. #
  4568. # Starting too few will cause an initial slowdown in traffic as Squid
  4569. # attempts to simultaneously spawn enough processes to cope.
  4570. #
  4571. # idle=
  4572. #
  4573. # Sets a minimum of how many processes Squid is to try and keep available
  4574. # at all times. When traffic begins to rise above what the existing
  4575. # processes can handle this many more will be spawned up to the maximum
  4576. # configured. A minimum setting of 1 is required.
  4577. #
  4578. # concurrency=
  4579. #
  4580. # The number of requests each storeID helper can handle in
  4581. # parallel. Defaults to 0 which indicates the helper
  4582. # is a old-style single threaded program.
  4583. #
  4584. # When this directive is set to a value >= 1 then the protocol
  4585. # used to communicate with the helper is modified to include
  4586. # an ID in front of the request/response. The ID from the request
  4587. # must be echoed back with the response to that request.
  4588. #Default:
  4589. # store_id_children 20 startup=0 idle=1 concurrency=0
  4590.  
  4591. # TAG: store_id_access
  4592. # If defined, this access list specifies which requests are
  4593. # sent to the StoreID processes. By default all requests
  4594. # are sent.
  4595. #
  4596. # This clause supports both fast and slow acl types.
  4597. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4598. #Default:
  4599. # Allow, unless rules exist in squid.conf.
  4600.  
  4601. # TAG: store_id_bypass
  4602. # When this is 'on', a request will not go through the
  4603. # helper if all helpers are busy. If this is 'off'
  4604. # and the helper queue grows too large, Squid will exit
  4605. # with a FATAL error and ask you to increase the number of
  4606. # helpers. You should only enable this if the helperss
  4607. # are not critical to your caching system. If you use
  4608. # helpers for critical caching components, and you enable this
  4609. # option, users may not get objects from cache.
  4610. #Default:
  4611. # store_id_bypass on
  4612.  
  4613. # OPTIONS FOR TUNING THE CACHE
  4614. # -----------------------------------------------------------------------------
  4615.  
  4616. # TAG: cache
  4617. # Requests denied by this directive will not be served from the cache
  4618. # and their responses will not be stored in the cache. This directive
  4619. # has no effect on other transactions and on already cached responses.
  4620. #
  4621. # This clause supports both fast and slow acl types.
  4622. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4623. #
  4624. # This and the two other similar caching directives listed below are
  4625. # checked at different transaction processing stages, have different
  4626. # access to response information, affect different cache operations,
  4627. # and differ in slow ACLs support:
  4628. #
  4629. # * cache: Checked before Squid makes a hit/miss determination.
  4630. # No access to reply information!
  4631. # Denies both serving a hit and storing a miss.
  4632. # Supports both fast and slow ACLs.
  4633. # * send_hit: Checked after a hit was detected.
  4634. # Has access to reply (hit) information.
  4635. # Denies serving a hit only.
  4636. # Supports fast ACLs only.
  4637. # * store_miss: Checked before storing a cachable miss.
  4638. # Has access to reply (miss) information.
  4639. # Denies storing a miss only.
  4640. # Supports fast ACLs only.
  4641. #
  4642. # If you are not sure which of the three directives to use, apply the
  4643. # following decision logic:
  4644. #
  4645. # * If your ACL(s) are of slow type _and_ need response info, redesign.
  4646. # Squid does not support that particular combination at this time.
  4647. # Otherwise:
  4648. # * If your directive ACL(s) are of slow type, use "cache"; and/or
  4649. # * if your directive ACL(s) need no response info, use "cache".
  4650. # Otherwise:
  4651. # * If you do not want the response cached, use store_miss; and/or
  4652. # * if you do not want a hit on a cached response, use send_hit.
  4653. #Default:
  4654. # By default, this directive is unused and has no effect.
  4655.  
  4656. # TAG: send_hit
  4657. # Responses denied by this directive will not be served from the cache
  4658. # (but may still be cached, see store_miss). This directive has no
  4659. # effect on the responses it allows and on the cached objects.
  4660. #
  4661. # Please see the "cache" directive for a summary of differences among
  4662. # store_miss, send_hit, and cache directives.
  4663. #
  4664. # Unlike the "cache" directive, send_hit only supports fast acl
  4665. # types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4666. #
  4667. # For example:
  4668. #
  4669. # # apply custom Store ID mapping to some URLs
  4670. # acl MapMe dstdomain .c.example.com
  4671. # store_id_program ...
  4672. # store_id_access allow MapMe
  4673. #
  4674. # # but prevent caching of special responses
  4675. # # such as 302 redirects that cause StoreID loops
  4676. # acl Ordinary http_status 200-299
  4677. # store_miss deny MapMe !Ordinary
  4678. #
  4679. # # and do not serve any previously stored special responses
  4680. # # from the cache (in case they were already cached before
  4681. # # the above store_miss rule was in effect).
  4682. # send_hit deny MapMe !Ordinary
  4683. #Default:
  4684. # By default, this directive is unused and has no effect.
  4685.  
  4686. # TAG: store_miss
  4687. # Responses denied by this directive will not be cached (but may still
  4688. # be served from the cache, see send_hit). This directive has no
  4689. # effect on the responses it allows and on the already cached responses.
  4690. #
  4691. # Please see the "cache" directive for a summary of differences among
  4692. # store_miss, send_hit, and cache directives. See the
  4693. # send_hit directive for a usage example.
  4694. #
  4695. # Unlike the "cache" directive, store_miss only supports fast acl
  4696. # types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4697. #Default:
  4698. # By default, this directive is unused and has no effect.
  4699.  
  4700. # TAG: max_stale time-units
  4701. # This option puts an upper limit on how stale content Squid
  4702. # will serve from the cache if cache validation fails.
  4703. # Can be overriden by the refresh_pattern max-stale option.
  4704. #Default:
  4705. # max_stale 1 week
  4706.  
  4707. # TAG: refresh_pattern
  4708. # usage: refresh_pattern [-i] regex min percent max [options]
  4709. #
  4710. # By default, regular expressions are CASE-SENSITIVE. To make
  4711. # them case-insensitive, use the -i option.
  4712. #
  4713. # 'Min' is the time (in minutes) an object without an explicit
  4714. # expiry time should be considered fresh. The recommended
  4715. # value is 0, any higher values may cause dynamic applications
  4716. # to be erroneously cached unless the application designer
  4717. # has taken the appropriate actions.
  4718. #
  4719. # 'Percent' is a percentage of the objects age (time since last
  4720. # modification age) an object without explicit expiry time
  4721. # will be considered fresh.
  4722. #
  4723. # 'Max' is an upper limit on how long objects without an explicit
  4724. # expiry time will be considered fresh.
  4725. #
  4726. # options: override-expire
  4727. # override-lastmod
  4728. # reload-into-ims
  4729. # ignore-reload
  4730. # ignore-no-store
  4731. # ignore-must-revalidate
  4732. # ignore-private
  4733. # ignore-auth
  4734. # max-stale=NN
  4735. # refresh-ims
  4736. # store-stale
  4737. #
  4738. # override-expire enforces min age even if the server
  4739. # sent an explicit expiry time (e.g., with the
  4740. # Expires: header or Cache-Control: max-age). Doing this
  4741. # VIOLATES the HTTP standard. Enabling this feature
  4742. # could make you liable for problems which it causes.
  4743. #
  4744. # Note: override-expire does not enforce staleness - it only extends
  4745. # freshness / min. If the server returns a Expires time which
  4746. # is longer than your max time, Squid will still consider
  4747. # the object fresh for that period of time.
  4748. #
  4749. # override-lastmod enforces min age even on objects
  4750. # that were modified recently.
  4751. #
  4752. # reload-into-ims changes a client no-cache or ``reload''
  4753. # request for a cached entry into a conditional request using
  4754. # If-Modified-Since and/or If-None-Match headers, provided the
  4755. # cached entry has a Last-Modified and/or a strong ETag header.
  4756. # Doing this VIOLATES the HTTP standard. Enabling this feature
  4757. # could make you liable for problems which it causes.
  4758. #
  4759. # ignore-reload ignores a client no-cache or ``reload''
  4760. # header. Doing this VIOLATES the HTTP standard. Enabling
  4761. # this feature could make you liable for problems which
  4762. # it causes.
  4763. #
  4764. # ignore-no-store ignores any ``Cache-control: no-store''
  4765. # headers received from a server. Doing this VIOLATES
  4766. # the HTTP standard. Enabling this feature could make you
  4767. # liable for problems which it causes.
  4768. #
  4769. # ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
  4770. # headers received from a server. Doing this VIOLATES
  4771. # the HTTP standard. Enabling this feature could make you
  4772. # liable for problems which it causes.
  4773. #
  4774. # ignore-private ignores any ``Cache-control: private''
  4775. # headers received from a server. Doing this VIOLATES
  4776. # the HTTP standard. Enabling this feature could make you
  4777. # liable for problems which it causes.
  4778. #
  4779. # ignore-auth caches responses to requests with authorization,
  4780. # as if the originserver had sent ``Cache-control: public''
  4781. # in the response header. Doing this VIOLATES the HTTP standard.
  4782. # Enabling this feature could make you liable for problems which
  4783. # it causes.
  4784. #
  4785. # refresh-ims causes squid to contact the origin server
  4786. # when a client issues an If-Modified-Since request. This
  4787. # ensures that the client will receive an updated version
  4788. # if one is available.
  4789. #
  4790. # store-stale stores responses even if they don't have explicit
  4791. # freshness or a validator (i.e., Last-Modified or an ETag)
  4792. # present, or if they're already stale. By default, Squid will
  4793. # not cache such responses because they usually can't be
  4794. # reused. Note that such responses will be stale by default.
  4795. #
  4796. # max-stale=NN provide a maximum staleness factor. Squid won't
  4797. # serve objects more stale than this even if it failed to
  4798. # validate the object. Default: use the max_stale global limit.
  4799. #
  4800. # Basically a cached object is:
  4801. #
  4802. # FRESH if expire > now, else STALE
  4803. # STALE if age > max
  4804. # FRESH if lm-factor < percent, else STALE
  4805. # FRESH if age < min
  4806. # else STALE
  4807. #
  4808. # The refresh_pattern lines are checked in the order listed here.
  4809. # The first entry which matches is used. If none of the entries
  4810. # match the default will be used.
  4811. #
  4812. # Note, you must uncomment all the default lines if you want
  4813. # to change one. The default setting is only active if none is
  4814. # used.
  4815. #
  4816. #
  4817.  
  4818. #
  4819. # Add any of your own refresh_pattern entries above these.
  4820. #
  4821. refresh_pattern ^ftp: 1440 20% 10080
  4822. refresh_pattern ^gopher: 1440 0% 1440
  4823. refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
  4824. refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
  4825. # example lin deb packages
  4826. #refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
  4827. refresh_pattern . 0 20% 4320
  4828.  
  4829. # TAG: quick_abort_min (KB)
  4830. #Default:
  4831. # quick_abort_min 16 KB
  4832.  
  4833. # TAG: quick_abort_max (KB)
  4834. #Default:
  4835. # quick_abort_max 16 KB
  4836.  
  4837. # TAG: quick_abort_pct (percent)
  4838. # The cache by default continues downloading aborted requests
  4839. # which are almost completed (less than 16 KB remaining). This
  4840. # may be undesirable on slow (e.g. SLIP) links and/or very busy
  4841. # caches. Impatient users may tie up file descriptors and
  4842. # bandwidth by repeatedly requesting and immediately aborting
  4843. # downloads.
  4844. #
  4845. # When the user aborts a request, Squid will check the
  4846. # quick_abort values to the amount of data transferred until
  4847. # then.
  4848. #
  4849. # If the transfer has less than 'quick_abort_min' KB remaining,
  4850. # it will finish the retrieval.
  4851. #
  4852. # If the transfer has more than 'quick_abort_max' KB remaining,
  4853. # it will abort the retrieval.
  4854. #
  4855. # If more than 'quick_abort_pct' of the transfer has completed,
  4856. # it will finish the retrieval.
  4857. #
  4858. # If you do not want any retrieval to continue after the client
  4859. # has aborted, set both 'quick_abort_min' and 'quick_abort_max'
  4860. # to '0 KB'.
  4861. #
  4862. # If you want retrievals to always continue if they are being
  4863. # cached set 'quick_abort_min' to '-1 KB'.
  4864. #Default:
  4865. # quick_abort_pct 95
  4866.  
  4867. # TAG: read_ahead_gap buffer-size
  4868. # The amount of data the cache will buffer ahead of what has been
  4869. # sent to the client when retrieving an object from another server.
  4870. #Default:
  4871. # read_ahead_gap 16 KB
  4872.  
  4873. # TAG: negative_ttl time-units
  4874. # Set the Default Time-to-Live (TTL) for failed requests.
  4875. # Certain types of failures (such as "connection refused" and
  4876. # "404 Not Found") are able to be negatively-cached for a short time.
  4877. # Modern web servers should provide Expires: header, however if they
  4878. # do not this can provide a minimum TTL.
  4879. # The default is not to cache errors with unknown expiry details.
  4880. #
  4881. # Note that this is different from negative caching of DNS lookups.
  4882. #
  4883. # WARNING: Doing this VIOLATES the HTTP standard. Enabling
  4884. # this feature could make you liable for problems which it
  4885. # causes.
  4886. #Default:
  4887. # negative_ttl 0 seconds
  4888.  
  4889. # TAG: positive_dns_ttl time-units
  4890. # Upper limit on how long Squid will cache positive DNS responses.
  4891. # Default is 6 hours (360 minutes). This directive must be set
  4892. # larger than negative_dns_ttl.
  4893. #Default:
  4894. # positive_dns_ttl 6 hours
  4895.  
  4896. # TAG: negative_dns_ttl time-units
  4897. # Time-to-Live (TTL) for negative caching of failed DNS lookups.
  4898. # This also sets the lower cache limit on positive lookups.
  4899. # Minimum value is 1 second, and it is not recommendable to go
  4900. # much below 10 seconds.
  4901. #Default:
  4902. # negative_dns_ttl 1 minutes
  4903.  
  4904. # TAG: range_offset_limit size [acl acl...]
  4905. # usage: (size) [units] [[!]aclname]
  4906. #
  4907. # Sets an upper limit on how far (number of bytes) into the file
  4908. # a Range request may be to cause Squid to prefetch the whole file.
  4909. # If beyond this limit, Squid forwards the Range request as it is and
  4910. # the result is NOT cached.
  4911. #
  4912. # This is to stop a far ahead range request (lets say start at 17MB)
  4913. # from making Squid fetch the whole object up to that point before
  4914. # sending anything to the client.
  4915. #
  4916. # Multiple range_offset_limit lines may be specified, and they will
  4917. # be searched from top to bottom on each request until a match is found.
  4918. # The first match found will be used. If no line matches a request, the
  4919. # default limit of 0 bytes will be used.
  4920. #
  4921. # 'size' is the limit specified as a number of units.
  4922. #
  4923. # 'units' specifies whether to use bytes, KB, MB, etc.
  4924. # If no units are specified bytes are assumed.
  4925. #
  4926. # A size of 0 causes Squid to never fetch more than the
  4927. # client requested. (default)
  4928. #
  4929. # A size of 'none' causes Squid to always fetch the object from the
  4930. # beginning so it may cache the result. (2.0 style)
  4931. #
  4932. # 'aclname' is the name of a defined ACL.
  4933. #
  4934. # NP: Using 'none' as the byte value here will override any quick_abort settings
  4935. # that may otherwise apply to the range request. The range request will
  4936. # be fully fetched from start to finish regardless of the client
  4937. # actions. This affects bandwidth usage.
  4938. #Default:
  4939. # none
  4940.  
  4941. # TAG: minimum_expiry_time (seconds)
  4942. # The minimum caching time according to (Expires - Date)
  4943. # headers Squid honors if the object can't be revalidated.
  4944. # The default is 60 seconds.
  4945. #
  4946. # In reverse proxy environments it might be desirable to honor
  4947. # shorter object lifetimes. It is most likely better to make
  4948. # your server return a meaningful Last-Modified header however.
  4949. #
  4950. # In ESI environments where page fragments often have short
  4951. # lifetimes, this will often be best set to 0.
  4952. #Default:
  4953. # minimum_expiry_time 60 seconds
  4954.  
  4955. # TAG: store_avg_object_size (bytes)
  4956. # Average object size, used to estimate number of objects your
  4957. # cache can hold. The default is 13 KB.
  4958. #
  4959. # This is used to pre-seed the cache index memory allocation to
  4960. # reduce expensive reallocate operations while handling clients
  4961. # traffic. Too-large values may result in memory allocation during
  4962. # peak traffic, too-small values will result in wasted memory.
  4963. #
  4964. # Check the cache manager 'info' report metrics for the real
  4965. # object sizes seen by your Squid before tuning this.
  4966. #Default:
  4967. # store_avg_object_size 13 KB
  4968.  
  4969. # TAG: store_objects_per_bucket
  4970. # Target number of objects per bucket in the store hash table.
  4971. # Lowering this value increases the total number of buckets and
  4972. # also the storage maintenance rate. The default is 20.
  4973. #Default:
  4974. # store_objects_per_bucket 20
  4975.  
  4976. # HTTP OPTIONS
  4977. # -----------------------------------------------------------------------------
  4978.  
  4979. # TAG: request_header_max_size (KB)
  4980. # This specifies the maximum size for HTTP headers in a request.
  4981. # Request headers are usually relatively small (about 512 bytes).
  4982. # Placing a limit on the request header size will catch certain
  4983. # bugs (for example with persistent connections) and possibly
  4984. # buffer-overflow or denial-of-service attacks.
  4985. #Default:
  4986. # request_header_max_size 64 KB
  4987.  
  4988. # TAG: reply_header_max_size (KB)
  4989. # This specifies the maximum size for HTTP headers in a reply.
  4990. # Reply headers are usually relatively small (about 512 bytes).
  4991. # Placing a limit on the reply header size will catch certain
  4992. # bugs (for example with persistent connections) and possibly
  4993. # buffer-overflow or denial-of-service attacks.
  4994. #Default:
  4995. # reply_header_max_size 64 KB
  4996.  
  4997. # TAG: request_body_max_size (bytes)
  4998. # This specifies the maximum size for an HTTP request body.
  4999. # In other words, the maximum size of a PUT/POST request.
  5000. # A user who attempts to send a request with a body larger
  5001. # than this limit receives an "Invalid Request" error message.
  5002. # If you set this parameter to a zero (the default), there will
  5003. # be no limit imposed.
  5004. #
  5005. # See also client_request_buffer_max_size for an alternative
  5006. # limitation on client uploads which can be configured.
  5007. #Default:
  5008. # No limit.
  5009.  
  5010. # TAG: client_request_buffer_max_size (bytes)
  5011. # This specifies the maximum buffer size of a client request.
  5012. # It prevents squid eating too much memory when somebody uploads
  5013. # a large file.
  5014. #Default:
  5015. # client_request_buffer_max_size 512 KB
  5016.  
  5017. # TAG: broken_posts
  5018. # A list of ACL elements which, if matched, causes Squid to send
  5019. # an extra CRLF pair after the body of a PUT/POST request.
  5020. #
  5021. # Some HTTP servers has broken implementations of PUT/POST,
  5022. # and rely on an extra CRLF pair sent by some WWW clients.
  5023. #
  5024. # Quote from RFC2616 section 4.1 on this matter:
  5025. #
  5026. # Note: certain buggy HTTP/1.0 client implementations generate an
  5027. # extra CRLF's after a POST request. To restate what is explicitly
  5028. # forbidden by the BNF, an HTTP/1.1 client must not preface or follow
  5029. # a request with an extra CRLF.
  5030. #
  5031. # This clause only supports fast acl types.
  5032. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5033. #
  5034. #Example:
  5035. # acl buggy_server url_regex ^http://....
  5036. # broken_posts allow buggy_server
  5037. #Default:
  5038. # Obey RFC 2616.
  5039.  
  5040. # TAG: adaptation_uses_indirect_client on|off
  5041. # Controls whether the indirect client IP address (instead of the direct
  5042. # client IP address) is passed to adaptation services.
  5043. #
  5044. # See also: follow_x_forwarded_for adaptation_send_client_ip
  5045. #Default:
  5046. # adaptation_uses_indirect_client on
  5047.  
  5048. # TAG: via on|off
  5049. # If set (default), Squid will include a Via header in requests and
  5050. # replies as required by RFC2616.
  5051. #Default:
  5052. # via on
  5053.  
  5054. # TAG: ie_refresh on|off
  5055. # Microsoft Internet Explorer up until version 5.5 Service
  5056. # Pack 1 has an issue with transparent proxies, wherein it
  5057. # is impossible to force a refresh. Turning this on provides
  5058. # a partial fix to the problem, by causing all IMS-REFRESH
  5059. # requests from older IE versions to check the origin server
  5060. # for fresh content. This reduces hit ratio by some amount
  5061. # (~10% in my experience), but allows users to actually get
  5062. # fresh content when they want it. Note because Squid
  5063. # cannot tell if the user is using 5.5 or 5.5SP1, the behavior
  5064. # of 5.5 is unchanged from old versions of Squid (i.e. a
  5065. # forced refresh is impossible). Newer versions of IE will,
  5066. # hopefully, continue to have the new behavior and will be
  5067. # handled based on that assumption. This option defaults to
  5068. # the old Squid behavior, which is better for hit ratios but
  5069. # worse for clients using IE, if they need to be able to
  5070. # force fresh content.
  5071. #Default:
  5072. # ie_refresh off
  5073.  
  5074. # TAG: vary_ignore_expire on|off
  5075. # Many HTTP servers supporting Vary gives such objects
  5076. # immediate expiry time with no cache-control header
  5077. # when requested by a HTTP/1.0 client. This option
  5078. # enables Squid to ignore such expiry times until
  5079. # HTTP/1.1 is fully implemented.
  5080. #
  5081. # WARNING: If turned on this may eventually cause some
  5082. # varying objects not intended for caching to get cached.
  5083. #Default:
  5084. # vary_ignore_expire off
  5085.  
  5086. # TAG: request_entities
  5087. # Squid defaults to deny GET and HEAD requests with request entities,
  5088. # as the meaning of such requests are undefined in the HTTP standard
  5089. # even if not explicitly forbidden.
  5090. #
  5091. # Set this directive to on if you have clients which insists
  5092. # on sending request entities in GET or HEAD requests. But be warned
  5093. # that there is server software (both proxies and web servers) which
  5094. # can fail to properly process this kind of request which may make you
  5095. # vulnerable to cache pollution attacks if enabled.
  5096. #Default:
  5097. # request_entities off
  5098.  
  5099. # TAG: request_header_access
  5100. # Usage: request_header_access header_name allow|deny [!]aclname ...
  5101. #
  5102. # WARNING: Doing this VIOLATES the HTTP standard. Enabling
  5103. # this feature could make you liable for problems which it
  5104. # causes.
  5105. #
  5106. # This option replaces the old 'anonymize_headers' and the
  5107. # older 'http_anonymizer' option with something that is much
  5108. # more configurable. A list of ACLs for each header name allows
  5109. # removal of specific header fields under specific conditions.
  5110. #
  5111. # This option only applies to outgoing HTTP request headers (i.e.,
  5112. # headers sent by Squid to the next HTTP hop such as a cache peer
  5113. # or an origin server). The option has no effect during cache hit
  5114. # detection. The equivalent adaptation vectoring point in ICAP
  5115. # terminology is post-cache REQMOD.
  5116. #
  5117. # The option is applied to individual outgoing request header
  5118. # fields. For each request header field F, Squid uses the first
  5119. # qualifying sets of request_header_access rules:
  5120. #
  5121. # 1. Rules with header_name equal to F's name.
  5122. # 2. Rules with header_name 'Other', provided F's name is not
  5123. # on the hard-coded list of commonly used HTTP header names.
  5124. # 3. Rules with header_name 'All'.
  5125. #
  5126. # Within that qualifying rule set, rule ACLs are checked as usual.
  5127. # If ACLs of an "allow" rule match, the header field is allowed to
  5128. # go through as is. If ACLs of a "deny" rule match, the header is
  5129. # removed and request_header_replace is then checked to identify
  5130. # if the removed header has a replacement. If no rules within the
  5131. # set have matching ACLs, the header field is left as is.
  5132. #
  5133. # For example, to achieve the same behavior as the old
  5134. # 'http_anonymizer standard' option, you should use:
  5135. #
  5136. # request_header_access From deny all
  5137. # request_header_access Referer deny all
  5138. # request_header_access User-Agent deny all
  5139. #
  5140. # Or, to reproduce the old 'http_anonymizer paranoid' feature
  5141. # you should use:
  5142. #
  5143. # request_header_access Authorization allow all
  5144. # request_header_access Proxy-Authorization allow all
  5145. # request_header_access Cache-Control allow all
  5146. # request_header_access Content-Length allow all
  5147. # request_header_access Content-Type allow all
  5148. # request_header_access Date allow all
  5149. # request_header_access Host allow all
  5150. # request_header_access If-Modified-Since allow all
  5151. # request_header_access Pragma allow all
  5152. # request_header_access Accept allow all
  5153. # request_header_access Accept-Charset allow all
  5154. # request_header_access Accept-Encoding allow all
  5155. # request_header_access Accept-Language allow all
  5156. # request_header_access Connection allow all
  5157. # request_header_access All deny all
  5158. #
  5159. # HTTP reply headers are controlled with the reply_header_access directive.
  5160. #
  5161. # By default, all headers are allowed (no anonymizing is performed).
  5162. #Default:
  5163. # No limits.
  5164.  
  5165. # TAG: reply_header_access
  5166. # Usage: reply_header_access header_name allow|deny [!]aclname ...
  5167. #
  5168. # WARNING: Doing this VIOLATES the HTTP standard. Enabling
  5169. # this feature could make you liable for problems which it
  5170. # causes.
  5171. #
  5172. # This option only applies to reply headers, i.e., from the
  5173. # server to the client.
  5174. #
  5175. # This is the same as request_header_access, but in the other
  5176. # direction. Please see request_header_access for detailed
  5177. # documentation.
  5178. #
  5179. # For example, to achieve the same behavior as the old
  5180. # 'http_anonymizer standard' option, you should use:
  5181. #
  5182. # reply_header_access Server deny all
  5183. # reply_header_access WWW-Authenticate deny all
  5184. # reply_header_access Link deny all
  5185. #
  5186. # Or, to reproduce the old 'http_anonymizer paranoid' feature
  5187. # you should use:
  5188. #
  5189. # reply_header_access Allow allow all
  5190. # reply_header_access WWW-Authenticate allow all
  5191. # reply_header_access Proxy-Authenticate allow all
  5192. # reply_header_access Cache-Control allow all
  5193. # reply_header_access Content-Encoding allow all
  5194. # reply_header_access Content-Length allow all
  5195. # reply_header_access Content-Type allow all
  5196. # reply_header_access Date allow all
  5197. # reply_header_access Expires allow all
  5198. # reply_header_access Last-Modified allow all
  5199. # reply_header_access Location allow all
  5200. # reply_header_access Pragma allow all
  5201. # reply_header_access Content-Language allow all
  5202. # reply_header_access Retry-After allow all
  5203. # reply_header_access Title allow all
  5204. # reply_header_access Content-Disposition allow all
  5205. # reply_header_access Connection allow all
  5206. # reply_header_access All deny all
  5207. #
  5208. # HTTP request headers are controlled with the request_header_access directive.
  5209. #
  5210. # By default, all headers are allowed (no anonymizing is
  5211. # performed).
  5212. #Default:
  5213. # No limits.
  5214.  
  5215. # TAG: request_header_replace
  5216. # Usage: request_header_replace header_name message
  5217. # Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
  5218. #
  5219. # This option allows you to change the contents of headers
  5220. # denied with request_header_access above, by replacing them
  5221. # with some fixed string.
  5222. #
  5223. # This only applies to request headers, not reply headers.
  5224. #
  5225. # By default, headers are removed if denied.
  5226. #Default:
  5227. # none
  5228.  
  5229. # TAG: reply_header_replace
  5230. # Usage: reply_header_replace header_name message
  5231. # Example: reply_header_replace Server Foo/1.0
  5232. #
  5233. # This option allows you to change the contents of headers
  5234. # denied with reply_header_access above, by replacing them
  5235. # with some fixed string.
  5236. #
  5237. # This only applies to reply headers, not request headers.
  5238. #
  5239. # By default, headers are removed if denied.
  5240. #Default:
  5241. # none
  5242.  
  5243. # TAG: request_header_add
  5244. # Usage: request_header_add field-name field-value acl1 [acl2] ...
  5245. # Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
  5246. #
  5247. # This option adds header fields to outgoing HTTP requests (i.e.,
  5248. # request headers sent by Squid to the next HTTP hop such as a
  5249. # cache peer or an origin server). The option has no effect during
  5250. # cache hit detection. The equivalent adaptation vectoring point
  5251. # in ICAP terminology is post-cache REQMOD.
  5252. #
  5253. # Field-name is a token specifying an HTTP header name. If a
  5254. # standard HTTP header name is used, Squid does not check whether
  5255. # the new header conflicts with any existing headers or violates
  5256. # HTTP rules. If the request to be modified already contains a
  5257. # field with the same name, the old field is preserved but the
  5258. # header field values are not merged.
  5259. #
  5260. # Field-value is either a token or a quoted string. If quoted
  5261. # string format is used, then the surrounding quotes are removed
  5262. # while escape sequences and %macros are processed.
  5263. #
  5264. # In theory, all of the logformat codes can be used as %macros.
  5265. # However, unlike logging (which happens at the very end of
  5266. # transaction lifetime), the transaction may not yet have enough
  5267. # information to expand a macro when the new header value is needed.
  5268. # And some information may already be available to Squid but not yet
  5269. # committed where the macro expansion code can access it (report
  5270. # such instances!). The macro will be expanded into a single dash
  5271. # ('-') in such cases. Not all macros have been tested.
  5272. #
  5273. # One or more Squid ACLs may be specified to restrict header
  5274. # injection to matching requests. As always in squid.conf, all
  5275. # ACLs in an option ACL list must be satisfied for the insertion
  5276. # to happen. The request_header_add option supports fast ACLs
  5277. # only.
  5278. #Default:
  5279. # none
  5280.  
  5281. # TAG: note
  5282. # This option used to log custom information about the master
  5283. # transaction. For example, an admin may configure Squid to log
  5284. # which "user group" the transaction belongs to, where "user group"
  5285. # will be determined based on a set of ACLs and not [just]
  5286. # authentication information.
  5287. # Values of key/value pairs can be logged using %{key}note macros:
  5288. #
  5289. # note key value acl ...
  5290. # logformat myFormat ... %{key}note ...
  5291. #Default:
  5292. # none
  5293.  
  5294. # TAG: relaxed_header_parser on|off|warn
  5295. # In the default "on" setting Squid accepts certain forms
  5296. # of non-compliant HTTP messages where it is unambiguous
  5297. # what the sending application intended even if the message
  5298. # is not correctly formatted. The messages is then normalized
  5299. # to the correct form when forwarded by Squid.
  5300. #
  5301. # If set to "warn" then a warning will be emitted in cache.log
  5302. # each time such HTTP error is encountered.
  5303. #
  5304. # If set to "off" then such HTTP errors will cause the request
  5305. # or response to be rejected.
  5306. #Default:
  5307. # relaxed_header_parser on
  5308.  
  5309. # TAG: collapsed_forwarding (on|off)
  5310. # This option controls whether Squid is allowed to merge multiple
  5311. # potentially cachable requests for the same URI before Squid knows
  5312. # whether the response is going to be cachable.
  5313. #
  5314. # This feature is disabled by default: Enabling collapsed forwarding
  5315. # needlessly delays forwarding requests that look cachable (when they are
  5316. # collapsed) but then need to be forwarded individually anyway because
  5317. # they end up being for uncachable content. However, in some cases, such
  5318. # as accelleration of highly cachable content with periodic or groupped
  5319. # expiration times, the gains from collapsing [large volumes of
  5320. # simultenous refresh requests] outweigh losses from such delays.
  5321. #Default:
  5322. # collapsed_forwarding off
  5323.  
  5324. # TIMEOUTS
  5325. # -----------------------------------------------------------------------------
  5326.  
  5327. # TAG: forward_timeout time-units
  5328. # This parameter specifies how long Squid should at most attempt in
  5329. # finding a forwarding path for the request before giving up.
  5330. #Default:
  5331. # forward_timeout 4 minutes
  5332.  
  5333. # TAG: connect_timeout time-units
  5334. # This parameter specifies how long to wait for the TCP connect to
  5335. # the requested server or peer to complete before Squid should
  5336. # attempt to find another path where to forward the request.
  5337. #Default:
  5338. # connect_timeout 1 minute
  5339.  
  5340. # TAG: peer_connect_timeout time-units
  5341. # This parameter specifies how long to wait for a pending TCP
  5342. # connection to a peer cache. The default is 30 seconds. You
  5343. # may also set different timeout values for individual neighbors
  5344. # with the 'connect-timeout' option on a 'cache_peer' line.
  5345. #Default:
  5346. # peer_connect_timeout 30 seconds
  5347.  
  5348. # TAG: read_timeout time-units
  5349. # Applied on peer server connections.
  5350. #
  5351. # After each successful read(), the timeout will be extended by this
  5352. # amount. If no data is read again after this amount of time,
  5353. # the request is aborted and logged with ERR_READ_TIMEOUT.
  5354. #
  5355. # The default is 15 minutes.
  5356. #Default:
  5357. # read_timeout 15 minutes
  5358.  
  5359. # TAG: write_timeout time-units
  5360. # This timeout is tracked for all connections that have data
  5361. # available for writing and are waiting for the socket to become
  5362. # ready. After each successful write, the timeout is extended by
  5363. # the configured amount. If Squid has data to write but the
  5364. # connection is not ready for the configured duration, the
  5365. # transaction associated with the connection is terminated. The
  5366. # default is 15 minutes.
  5367. #Default:
  5368. # write_timeout 15 minutes
  5369.  
  5370. # TAG: request_timeout
  5371. # How long to wait for complete HTTP request headers after initial
  5372. # connection establishment.
  5373. #Default:
  5374. # request_timeout 5 minutes
  5375.  
  5376. # TAG: client_idle_pconn_timeout
  5377. # How long to wait for the next HTTP request on a persistent
  5378. # client connection after the previous request completes.
  5379. #Default:
  5380. # client_idle_pconn_timeout 2 minutes
  5381.  
  5382. # TAG: ftp_client_idle_timeout
  5383. # How long to wait for an FTP request on a connection to Squid ftp_port.
  5384. # Many FTP clients do not deal with idle connection closures well,
  5385. # necessitating a longer default timeout than client_idle_pconn_timeout
  5386. # used for incoming HTTP requests.
  5387. #Default:
  5388. # ftp_client_idle_timeout 30 minutes
  5389.  
  5390. # TAG: client_lifetime time-units
  5391. # The maximum amount of time a client (browser) is allowed to
  5392. # remain connected to the cache process. This protects the Cache
  5393. # from having a lot of sockets (and hence file descriptors) tied up
  5394. # in a CLOSE_WAIT state from remote clients that go away without
  5395. # properly shutting down (either because of a network failure or
  5396. # because of a poor client implementation). The default is one
  5397. # day, 1440 minutes.
  5398. #
  5399. # NOTE: The default value is intended to be much larger than any
  5400. # client would ever need to be connected to your cache. You
  5401. # should probably change client_lifetime only as a last resort.
  5402. # If you seem to have many client connections tying up
  5403. # filedescriptors, we recommend first tuning the read_timeout,
  5404. # request_timeout, persistent_request_timeout and quick_abort values.
  5405. #Default:
  5406. # client_lifetime 1 day
  5407.  
  5408. # TAG: half_closed_clients
  5409. # Some clients may shutdown the sending side of their TCP
  5410. # connections, while leaving their receiving sides open. Sometimes,
  5411. # Squid can not tell the difference between a half-closed and a
  5412. # fully-closed TCP connection.
  5413. #
  5414. # By default, Squid will immediately close client connections when
  5415. # read(2) returns "no more data to read."
  5416. #
  5417. # Change this option to 'on' and Squid will keep open connections
  5418. # until a read(2) or write(2) on the socket returns an error.
  5419. # This may show some benefits for reverse proxies. But if not
  5420. # it is recommended to leave OFF.
  5421. #Default:
  5422. # half_closed_clients off
  5423.  
  5424. # TAG: server_idle_pconn_timeout
  5425. # Timeout for idle persistent connections to servers and other
  5426. # proxies.
  5427. #Default:
  5428. # server_idle_pconn_timeout 1 minute
  5429.  
  5430. # TAG: ident_timeout
  5431. # Maximum time to wait for IDENT lookups to complete.
  5432. #
  5433. # If this is too high, and you enabled IDENT lookups from untrusted
  5434. # users, you might be susceptible to denial-of-service by having
  5435. # many ident requests going at once.
  5436. #Default:
  5437. # ident_timeout 10 seconds
  5438.  
  5439. # TAG: shutdown_lifetime time-units
  5440. # When SIGTERM or SIGHUP is received, the cache is put into
  5441. # "shutdown pending" mode until all active sockets are closed.
  5442. # This value is the lifetime to set for all open descriptors
  5443. # during shutdown mode. Any active clients after this many
  5444. # seconds will receive a 'timeout' message.
  5445. #Default:
  5446. # shutdown_lifetime 30 seconds
  5447.  
  5448. # ADMINISTRATIVE PARAMETERS
  5449. # -----------------------------------------------------------------------------
  5450.  
  5451. # TAG: cache_mgr
  5452. # Email-address of local cache manager who will receive
  5453. # mail if the cache dies. The default is "webmaster".
  5454. #Default:
  5455. # cache_mgr webmaster
  5456.  
  5457. # TAG: mail_from
  5458. # From: email-address for mail sent when the cache dies.
  5459. # The default is to use 'squid@unique_hostname'.
  5460. #
  5461. # See also: unique_hostname directive.
  5462. #Default:
  5463. # none
  5464.  
  5465. # TAG: mail_program
  5466. # Email program used to send mail if the cache dies.
  5467. # The default is "mail". The specified program must comply
  5468. # with the standard Unix mail syntax:
  5469. # mail-program recipient < mailfile
  5470. #
  5471. # Optional command line options can be specified.
  5472. #Default:
  5473. # mail_program mail
  5474.  
  5475. # TAG: cache_effective_user
  5476. # If you start Squid as root, it will change its effective/real
  5477. # UID/GID to the user specified below. The default is to change
  5478. # to UID of proxy.
  5479. # see also; cache_effective_group
  5480. #Default:
  5481. # cache_effective_user proxy
  5482. cache_effective_user proxy
  5483.  
  5484. # TAG: cache_effective_group
  5485. # Squid sets the GID to the effective user's default group ID
  5486. # (taken from the password file) and supplementary group list
  5487. # from the groups membership.
  5488. #
  5489. # If you want Squid to run with a specific GID regardless of
  5490. # the group memberships of the effective user then set this
  5491. # to the group (or GID) you want Squid to run as. When set
  5492. # all other group privileges of the effective user are ignored
  5493. # and only this GID is effective. If Squid is not started as
  5494. # root the user starting Squid MUST be member of the specified
  5495. # group.
  5496. #
  5497. # This option is not recommended by the Squid Team.
  5498. # Our preference is for administrators to configure a secure
  5499. # user account for squid with UID/GID matching system policies.
  5500. #Default:
  5501. # Use system group memberships of the cache_effective_user account
  5502.  
  5503. # TAG: httpd_suppress_version_string on|off
  5504. # Suppress Squid version string info in HTTP headers and HTML error pages.
  5505. #Default:
  5506. # httpd_suppress_version_string off
  5507.  
  5508. # TAG: visible_hostname
  5509. # If you want to present a special hostname in error messages, etc,
  5510. # define this. Otherwise, the return value of gethostname()
  5511. # will be used. If you have multiple caches in a cluster and
  5512. # get errors about IP-forwarding you must set them to have individual
  5513. # names with this setting.
  5514. #Default:
  5515. # Automatically detect the system host name
  5516.  
  5517. # TAG: unique_hostname
  5518. # If you want to have multiple machines with the same
  5519. # 'visible_hostname' you must give each machine a different
  5520. # 'unique_hostname' so forwarding loops can be detected.
  5521. #Default:
  5522. # Copy the value from visible_hostname
  5523.  
  5524. # TAG: hostname_aliases
  5525. # A list of other DNS names your cache has.
  5526. #Default:
  5527. # none
  5528.  
  5529. # TAG: umask
  5530. # Minimum umask which should be enforced while the proxy
  5531. # is running, in addition to the umask set at startup.
  5532. #
  5533. # For a traditional octal representation of umasks, start
  5534. # your value with 0.
  5535. #Default:
  5536. # umask 027
  5537.  
  5538. # OPTIONS FOR THE CACHE REGISTRATION SERVICE
  5539. # -----------------------------------------------------------------------------
  5540. #
  5541. # This section contains parameters for the (optional) cache
  5542. # announcement service. This service is provided to help
  5543. # cache administrators locate one another in order to join or
  5544. # create cache hierarchies.
  5545. #
  5546. # An 'announcement' message is sent (via UDP) to the registration
  5547. # service by Squid. By default, the announcement message is NOT
  5548. # SENT unless you enable it with 'announce_period' below.
  5549. #
  5550. # The announcement message includes your hostname, plus the
  5551. # following information from this configuration file:
  5552. #
  5553. # http_port
  5554. # icp_port
  5555. # cache_mgr
  5556. #
  5557. # All current information is processed regularly and made
  5558. # available on the Web at http://www.ircache.net/Cache/Tracker/.
  5559.  
  5560. # TAG: announce_period
  5561. # This is how frequently to send cache announcements.
  5562. #
  5563. # To enable announcing your cache, just set an announce period.
  5564. #
  5565. # Example:
  5566. # announce_period 1 day
  5567. #Default:
  5568. # Announcement messages disabled.
  5569.  
  5570. # TAG: announce_host
  5571. # Set the hostname where announce registration messages will be sent.
  5572. #
  5573. # See also announce_port and announce_file
  5574. #Default:
  5575. # announce_host tracker.ircache.net
  5576.  
  5577. # TAG: announce_file
  5578. # The contents of this file will be included in the announce
  5579. # registration messages.
  5580. #Default:
  5581. # none
  5582.  
  5583. # TAG: announce_port
  5584. # Set the port where announce registration messages will be sent.
  5585. #
  5586. # See also announce_host and announce_file
  5587. #Default:
  5588. # announce_port 3131
  5589.  
  5590. # HTTPD-ACCELERATOR OPTIONS
  5591. # -----------------------------------------------------------------------------
  5592.  
  5593. # TAG: httpd_accel_surrogate_id
  5594. # Surrogates (http://www.esi.org/architecture_spec_1.0.html)
  5595. # need an identification token to allow control targeting. Because
  5596. # a farm of surrogates may all perform the same tasks, they may share
  5597. # an identification token.
  5598. #Default:
  5599. # visible_hostname is used if no specific ID is set.
  5600.  
  5601. # TAG: http_accel_surrogate_remote on|off
  5602. # Remote surrogates (such as those in a CDN) honour the header
  5603. # "Surrogate-Control: no-store-remote".
  5604. #
  5605. # Set this to on to have squid behave as a remote surrogate.
  5606. #Default:
  5607. # http_accel_surrogate_remote off
  5608.  
  5609. # TAG: esi_parser libxml2|expat|custom
  5610. # ESI markup is not strictly XML compatible. The custom ESI parser
  5611. # will give higher performance, but cannot handle non ASCII character
  5612. # encodings.
  5613. #Default:
  5614. # esi_parser custom
  5615.  
  5616. # DELAY POOL PARAMETERS
  5617. # -----------------------------------------------------------------------------
  5618.  
  5619. # TAG: delay_pools
  5620. # This represents the number of delay pools to be used. For example,
  5621. # if you have one class 2 delay pool and one class 3 delays pool, you
  5622. # have a total of 2 delay pools.
  5623. #
  5624. # See also delay_parameters, delay_class, delay_access for pool
  5625. # configuration details.
  5626. #Default:
  5627. # delay_pools 0
  5628.  
  5629. # TAG: delay_class
  5630. # This defines the class of each delay pool. There must be exactly one
  5631. # delay_class line for each delay pool. For example, to define two
  5632. # delay pools, one of class 2 and one of class 3, the settings above
  5633. # and here would be:
  5634. #
  5635. # Example:
  5636. # delay_pools 4 # 4 delay pools
  5637. # delay_class 1 2 # pool 1 is a class 2 pool
  5638. # delay_class 2 3 # pool 2 is a class 3 pool
  5639. # delay_class 3 4 # pool 3 is a class 4 pool
  5640. # delay_class 4 5 # pool 4 is a class 5 pool
  5641. #
  5642. # The delay pool classes are:
  5643. #
  5644. # class 1 Everything is limited by a single aggregate
  5645. # bucket.
  5646. #
  5647. # class 2 Everything is limited by a single aggregate
  5648. # bucket as well as an "individual" bucket chosen
  5649. # from bits 25 through 32 of the IPv4 address.
  5650. #
  5651. # class 3 Everything is limited by a single aggregate
  5652. # bucket as well as a "network" bucket chosen
  5653. # from bits 17 through 24 of the IP address and a
  5654. # "individual" bucket chosen from bits 17 through
  5655. # 32 of the IPv4 address.
  5656. #
  5657. # class 4 Everything in a class 3 delay pool, with an
  5658. # additional limit on a per user basis. This
  5659. # only takes effect if the username is established
  5660. # in advance - by forcing authentication in your
  5661. # http_access rules.
  5662. #
  5663. # class 5 Requests are grouped according their tag (see
  5664. # external_acl's tag= reply).
  5665. #
  5666. #
  5667. # Each pool also requires a delay_parameters directive to configure the pool size
  5668. # and speed limits used whenever the pool is applied to a request. Along with
  5669. # a set of delay_access directives to determine when it is used.
  5670. #
  5671. # NOTE: If an IP address is a.b.c.d
  5672. # -> bits 25 through 32 are "d"
  5673. # -> bits 17 through 24 are "c"
  5674. # -> bits 17 through 32 are "c * 256 + d"
  5675. #
  5676. # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
  5677. # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
  5678. #
  5679. # This clause only supports fast acl types.
  5680. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5681. #
  5682. # See also delay_parameters and delay_access.
  5683. #Default:
  5684. # none
  5685.  
  5686. # TAG: delay_access
  5687. # This is used to determine which delay pool a request falls into.
  5688. #
  5689. # delay_access is sorted per pool and the matching starts with pool 1,
  5690. # then pool 2, ..., and finally pool N. The first delay pool where the
  5691. # request is allowed is selected for the request. If it does not allow
  5692. # the request to any pool then the request is not delayed (default).
  5693. #
  5694. # For example, if you want some_big_clients in delay
  5695. # pool 1 and lotsa_little_clients in delay pool 2:
  5696. #
  5697. # delay_access 1 allow some_big_clients
  5698. # delay_access 1 deny all
  5699. # delay_access 2 allow lotsa_little_clients
  5700. # delay_access 2 deny all
  5701. # delay_access 3 allow authenticated_clients
  5702. #
  5703. # See also delay_parameters and delay_class.
  5704. #
  5705. #Default:
  5706. # Deny using the pool, unless allow rules exist in squid.conf for the pool.
  5707.  
  5708. # TAG: delay_parameters
  5709. # This defines the parameters for a delay pool. Each delay pool has
  5710. # a number of "buckets" associated with it, as explained in the
  5711. # description of delay_class.
  5712. #
  5713. # For a class 1 delay pool, the syntax is:
  5714. # delay_class pool 1
  5715. # delay_parameters pool aggregate
  5716. #
  5717. # For a class 2 delay pool:
  5718. # delay_class pool 2
  5719. # delay_parameters pool aggregate individual
  5720. #
  5721. # For a class 3 delay pool:
  5722. # delay_class pool 3
  5723. # delay_parameters pool aggregate network individual
  5724. #
  5725. # For a class 4 delay pool:
  5726. # delay_class pool 4
  5727. # delay_parameters pool aggregate network individual user
  5728. #
  5729. # For a class 5 delay pool:
  5730. # delay_class pool 5
  5731. # delay_parameters pool tagrate
  5732. #
  5733. # The option variables are:
  5734. #
  5735. # pool a pool number - ie, a number between 1 and the
  5736. # number specified in delay_pools as used in
  5737. # delay_class lines.
  5738. #
  5739. # aggregate the speed limit parameters for the aggregate bucket
  5740. # (class 1, 2, 3).
  5741. #
  5742. # individual the speed limit parameters for the individual
  5743. # buckets (class 2, 3).
  5744. #
  5745. # network the speed limit parameters for the network buckets
  5746. # (class 3).
  5747. #
  5748. # user the speed limit parameters for the user buckets
  5749. # (class 4).
  5750. #
  5751. # tagrate the speed limit parameters for the tag buckets
  5752. # (class 5).
  5753. #
  5754. # A pair of delay parameters is written restore/maximum, where restore is
  5755. # the number of bytes (not bits - modem and network speeds are usually
  5756. # quoted in bits) per second placed into the bucket, and maximum is the
  5757. # maximum number of bytes which can be in the bucket at any time.
  5758. #
  5759. # There must be one delay_parameters line for each delay pool.
  5760. #
  5761. #
  5762. # For example, if delay pool number 1 is a class 2 delay pool as in the
  5763. # above example, and is being used to strictly limit each host to 64Kbit/sec
  5764. # (plus overheads), with no overall limit, the line is:
  5765. #
  5766. # delay_parameters 1 none 8000/8000
  5767. #
  5768. # Note that 8 x 8K Byte/sec -> 64K bit/sec.
  5769. #
  5770. # Note that the word 'none' is used to represent no limit.
  5771. #
  5772. #
  5773. # And, if delay pool number 2 is a class 3 delay pool as in the above
  5774. # example, and you want to limit it to a total of 256Kbit/sec (strict limit)
  5775. # with each 8-bit network permitted 64Kbit/sec (strict limit) and each
  5776. # individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
  5777. # to permit a decent web page to be downloaded at a decent speed
  5778. # (if the network is not being limited due to overuse) but slow down
  5779. # large downloads more significantly:
  5780. #
  5781. # delay_parameters 2 32000/32000 8000/8000 600/8000
  5782. #
  5783. # Note that 8 x 32K Byte/sec -> 256K bit/sec.
  5784. # 8 x 8K Byte/sec -> 64K bit/sec.
  5785. # 8 x 600 Byte/sec -> 4800 bit/sec.
  5786. #
  5787. #
  5788. # Finally, for a class 4 delay pool as in the example - each user will
  5789. # be limited to 128Kbits/sec no matter how many workstations they are logged into.:
  5790. #
  5791. # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
  5792. #
  5793. #
  5794. # See also delay_class and delay_access.
  5795. #
  5796. #Default:
  5797. # none
  5798.  
  5799. # TAG: delay_initial_bucket_level (percent, 0-100)
  5800. # The initial bucket percentage is used to determine how much is put
  5801. # in each bucket when squid starts, is reconfigured, or first notices
  5802. # a host accessing it (in class 2 and class 3, individual hosts and
  5803. # networks only have buckets associated with them once they have been
  5804. # "seen" by squid).
  5805. #Default:
  5806. # delay_initial_bucket_level 50
  5807.  
  5808. # CLIENT DELAY POOL PARAMETERS
  5809. # -----------------------------------------------------------------------------
  5810.  
  5811. # TAG: client_delay_pools
  5812. # This option specifies the number of client delay pools used. It must
  5813. # preceed other client_delay_* options.
  5814. #
  5815. # Example:
  5816. # client_delay_pools 2
  5817. #
  5818. # See also client_delay_parameters and client_delay_access.
  5819. #Default:
  5820. # client_delay_pools 0
  5821.  
  5822. # TAG: client_delay_initial_bucket_level (percent, 0-no_limit)
  5823. # This option determines the initial bucket size as a percentage of
  5824. # max_bucket_size from client_delay_parameters. Buckets are created
  5825. # at the time of the "first" connection from the matching IP. Idle
  5826. # buckets are periodically deleted up.
  5827. #
  5828. # You can specify more than 100 percent but note that such "oversized"
  5829. # buckets are not refilled until their size goes down to max_bucket_size
  5830. # from client_delay_parameters.
  5831. #
  5832. # Example:
  5833. # client_delay_initial_bucket_level 50
  5834. #Default:
  5835. # client_delay_initial_bucket_level 50
  5836.  
  5837. # TAG: client_delay_parameters
  5838. #
  5839. # This option configures client-side bandwidth limits using the
  5840. # following format:
  5841. #
  5842. # client_delay_parameters pool speed_limit max_bucket_size
  5843. #
  5844. # pool is an integer ID used for client_delay_access matching.
  5845. #
  5846. # speed_limit is bytes added to the bucket per second.
  5847. #
  5848. # max_bucket_size is the maximum size of a bucket, enforced after any
  5849. # speed_limit additions.
  5850. #
  5851. # Please see the delay_parameters option for more information and
  5852. # examples.
  5853. #
  5854. # Example:
  5855. # client_delay_parameters 1 1024 2048
  5856. # client_delay_parameters 2 51200 16384
  5857. #
  5858. # See also client_delay_access.
  5859. #
  5860. #Default:
  5861. # none
  5862.  
  5863. # TAG: client_delay_access
  5864. # This option determines the client-side delay pool for the
  5865. # request:
  5866. #
  5867. # client_delay_access pool_ID allow|deny acl_name
  5868. #
  5869. # All client_delay_access options are checked in their pool ID
  5870. # order, starting with pool 1. The first checked pool with allowed
  5871. # request is selected for the request. If no ACL matches or there
  5872. # are no client_delay_access options, the request bandwidth is not
  5873. # limited.
  5874. #
  5875. # The ACL-selected pool is then used to find the
  5876. # client_delay_parameters for the request. Client-side pools are
  5877. # not used to aggregate clients. Clients are always aggregated
  5878. # based on their source IP addresses (one bucket per source IP).
  5879. #
  5880. # This clause only supports fast acl types.
  5881. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5882. # Additionally, only the client TCP connection details are available.
  5883. # ACLs testing HTTP properties will not work.
  5884. #
  5885. # Please see delay_access for more examples.
  5886. #
  5887. # Example:
  5888. # client_delay_access 1 allow low_rate_network
  5889. # client_delay_access 2 allow vips_network
  5890. #
  5891. #
  5892. # See also client_delay_parameters and client_delay_pools.
  5893. #Default:
  5894. # Deny use of the pool, unless allow rules exist in squid.conf for the pool.
  5895.  
  5896. # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
  5897. # -----------------------------------------------------------------------------
  5898.  
  5899. # TAG: wccp_router
  5900. # Use this option to define your WCCP ``home'' router for
  5901. # Squid.
  5902. #
  5903. # wccp_router supports a single WCCP(v1) router
  5904. #
  5905. # wccp2_router supports multiple WCCPv2 routers
  5906. #
  5907. # only one of the two may be used at the same time and defines
  5908. # which version of WCCP to use.
  5909. #Default:
  5910. # WCCP disabled.
  5911.  
  5912. # TAG: wccp2_router
  5913. # Use this option to define your WCCP ``home'' router for
  5914. # Squid.
  5915. #
  5916. # wccp_router supports a single WCCP(v1) router
  5917. #
  5918. # wccp2_router supports multiple WCCPv2 routers
  5919. #
  5920. # only one of the two may be used at the same time and defines
  5921. # which version of WCCP to use.
  5922. #Default:
  5923. # WCCPv2 disabled.
  5924.  
  5925. # TAG: wccp_version
  5926. # This directive is only relevant if you need to set up WCCP(v1)
  5927. # to some very old and end-of-life Cisco routers. In all other
  5928. # setups it must be left unset or at the default setting.
  5929. # It defines an internal version in the WCCP(v1) protocol,
  5930. # with version 4 being the officially documented protocol.
  5931. #
  5932. # According to some users, Cisco IOS 11.2 and earlier only
  5933. # support WCCP version 3. If you're using that or an earlier
  5934. # version of IOS, you may need to change this value to 3, otherwise
  5935. # do not specify this parameter.
  5936. #Default:
  5937. # wccp_version 4
  5938.  
  5939. # TAG: wccp2_rebuild_wait
  5940. # If this is enabled Squid will wait for the cache dir rebuild to finish
  5941. # before sending the first wccp2 HereIAm packet
  5942. #Default:
  5943. # wccp2_rebuild_wait on
  5944.  
  5945. # TAG: wccp2_forwarding_method
  5946. # WCCP2 allows the setting of forwarding methods between the
  5947. # router/switch and the cache. Valid values are as follows:
  5948. #
  5949. # gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
  5950. # l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
  5951. #
  5952. # Currently (as of IOS 12.4) cisco routers only support GRE.
  5953. # Cisco switches only support the L2 redirect assignment method.
  5954. #Default:
  5955. # wccp2_forwarding_method gre
  5956.  
  5957. # TAG: wccp2_return_method
  5958. # WCCP2 allows the setting of return methods between the
  5959. # router/switch and the cache for packets that the cache
  5960. # decides not to handle. Valid values are as follows:
  5961. #
  5962. # gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
  5963. # l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
  5964. #
  5965. # Currently (as of IOS 12.4) cisco routers only support GRE.
  5966. # Cisco switches only support the L2 redirect assignment.
  5967. #
  5968. # If the "ip wccp redirect exclude in" command has been
  5969. # enabled on the cache interface, then it is still safe for
  5970. # the proxy server to use a l2 redirect method even if this
  5971. # option is set to GRE.
  5972. #Default:
  5973. # wccp2_return_method gre
  5974.  
  5975. # TAG: wccp2_assignment_method
  5976. # WCCP2 allows the setting of methods to assign the WCCP hash
  5977. # Valid values are as follows:
  5978. #
  5979. # hash - Hash assignment
  5980. # mask - Mask assignment
  5981. #
  5982. # As a general rule, cisco routers support the hash assignment method
  5983. # and cisco switches support the mask assignment method.
  5984. #Default:
  5985. # wccp2_assignment_method hash
  5986.  
  5987. # TAG: wccp2_service
  5988. # WCCP2 allows for multiple traffic services. There are two
  5989. # types: "standard" and "dynamic". The standard type defines
  5990. # one service id - http (id 0). The dynamic service ids can be from
  5991. # 51 to 255 inclusive. In order to use a dynamic service id
  5992. # one must define the type of traffic to be redirected; this is done
  5993. # using the wccp2_service_info option.
  5994. #
  5995. # The "standard" type does not require a wccp2_service_info option,
  5996. # just specifying the service id will suffice.
  5997. #
  5998. # MD5 service authentication can be enabled by adding
  5999. # "password=<password>" to the end of this service declaration.
  6000. #
  6001. # Examples:
  6002. #
  6003. # wccp2_service standard 0 # for the 'web-cache' standard service
  6004. # wccp2_service dynamic 80 # a dynamic service type which will be
  6005. # # fleshed out with subsequent options.
  6006. # wccp2_service standard 0 password=foo
  6007. #Default:
  6008. # Use the 'web-cache' standard service.
  6009.  
  6010. # TAG: wccp2_service_info
  6011. # Dynamic WCCPv2 services require further information to define the
  6012. # traffic you wish to have diverted.
  6013. #
  6014. # The format is:
  6015. #
  6016. # wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
  6017. # priority=<priority> ports=<port>,<port>..
  6018. #
  6019. # The relevant WCCPv2 flags:
  6020. # + src_ip_hash, dst_ip_hash
  6021. # + source_port_hash, dst_port_hash
  6022. # + src_ip_alt_hash, dst_ip_alt_hash
  6023. # + src_port_alt_hash, dst_port_alt_hash
  6024. # + ports_source
  6025. #
  6026. # The port list can be one to eight entries.
  6027. #
  6028. # Example:
  6029. #
  6030. # wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
  6031. # priority=240 ports=80
  6032. #
  6033. # Note: the service id must have been defined by a previous
  6034. # 'wccp2_service dynamic <id>' entry.
  6035. #Default:
  6036. # none
  6037.  
  6038. # TAG: wccp2_weight
  6039. # Each cache server gets assigned a set of the destination
  6040. # hash proportional to their weight.
  6041. #Default:
  6042. # wccp2_weight 10000
  6043.  
  6044. # TAG: wccp_address
  6045. # Use this option if you require WCCPv2 to use a specific
  6046. # interface address.
  6047. #
  6048. # The default behavior is to not bind to any specific address.
  6049. #Default:
  6050. # Address selected by the operating system.
  6051.  
  6052. # TAG: wccp2_address
  6053. # Use this option if you require WCCP to use a specific
  6054. # interface address.
  6055. #
  6056. # The default behavior is to not bind to any specific address.
  6057. #Default:
  6058. # Address selected by the operating system.
  6059.  
  6060. # PERSISTENT CONNECTION HANDLING
  6061. # -----------------------------------------------------------------------------
  6062. #
  6063. # Also see "pconn_timeout" in the TIMEOUTS section
  6064.  
  6065. # TAG: client_persistent_connections
  6066. # Persistent connection support for clients.
  6067. # Squid uses persistent connections (when allowed). You can use
  6068. # this option to disable persistent connections with clients.
  6069. #Default:
  6070. # client_persistent_connections on
  6071.  
  6072. # TAG: server_persistent_connections
  6073. # Persistent connection support for servers.
  6074. # Squid uses persistent connections (when allowed). You can use
  6075. # this option to disable persistent connections with servers.
  6076. #Default:
  6077. # server_persistent_connections on
  6078.  
  6079. # TAG: persistent_connection_after_error
  6080. # With this directive the use of persistent connections after
  6081. # HTTP errors can be disabled. Useful if you have clients
  6082. # who fail to handle errors on persistent connections proper.
  6083. #Default:
  6084. # persistent_connection_after_error on
  6085.  
  6086. # TAG: detect_broken_pconn
  6087. # Some servers have been found to incorrectly signal the use
  6088. # of HTTP/1.0 persistent connections even on replies not
  6089. # compatible, causing significant delays. This server problem
  6090. # has mostly been seen on redirects.
  6091. #
  6092. # By enabling this directive Squid attempts to detect such
  6093. # broken replies and automatically assume the reply is finished
  6094. # after 10 seconds timeout.
  6095. #Default:
  6096. # detect_broken_pconn off
  6097.  
  6098. # CACHE DIGEST OPTIONS
  6099. # -----------------------------------------------------------------------------
  6100.  
  6101. # TAG: digest_generation
  6102. # This controls whether the server will generate a Cache Digest
  6103. # of its contents. By default, Cache Digest generation is
  6104. # enabled if Squid is compiled with --enable-cache-digests defined.
  6105. #Default:
  6106. # digest_generation on
  6107.  
  6108. # TAG: digest_bits_per_entry
  6109. # This is the number of bits of the server's Cache Digest which
  6110. # will be associated with the Digest entry for a given HTTP
  6111. # Method and URL (public key) combination. The default is 5.
  6112. #Default:
  6113. # digest_bits_per_entry 5
  6114.  
  6115. # TAG: digest_rebuild_period (seconds)
  6116. # This is the wait time between Cache Digest rebuilds.
  6117. #Default:
  6118. # digest_rebuild_period 1 hour
  6119.  
  6120. # TAG: digest_rewrite_period (seconds)
  6121. # This is the wait time between Cache Digest writes to
  6122. # disk.
  6123. #Default:
  6124. # digest_rewrite_period 1 hour
  6125.  
  6126. # TAG: digest_swapout_chunk_size (bytes)
  6127. # This is the number of bytes of the Cache Digest to write to
  6128. # disk at a time. It defaults to 4096 bytes (4KB), the Squid
  6129. # default swap page.
  6130. #Default:
  6131. # digest_swapout_chunk_size 4096 bytes
  6132.  
  6133. # TAG: digest_rebuild_chunk_percentage (percent, 0-100)
  6134. # This is the percentage of the Cache Digest to be scanned at a
  6135. # time. By default it is set to 10% of the Cache Digest.
  6136. #Default:
  6137. # digest_rebuild_chunk_percentage 10
  6138.  
  6139. # SNMP OPTIONS
  6140. # -----------------------------------------------------------------------------
  6141.  
  6142. # TAG: snmp_port
  6143. # The port number where Squid listens for SNMP requests. To enable
  6144. # SNMP support set this to a suitable port number. Port number
  6145. # 3401 is often used for the Squid SNMP agent. By default it's
  6146. # set to "0" (disabled)
  6147. #
  6148. # Example:
  6149. # snmp_port 3401
  6150. #Default:
  6151. # SNMP disabled.
  6152.  
  6153. # TAG: snmp_access
  6154. # Allowing or denying access to the SNMP port.
  6155. #
  6156. # All access to the agent is denied by default.
  6157. # usage:
  6158. #
  6159. # snmp_access allow|deny [!]aclname ...
  6160. #
  6161. # This clause only supports fast acl types.
  6162. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  6163. #
  6164. #Example:
  6165. # snmp_access allow snmppublic localhost
  6166. # snmp_access deny all
  6167. #Default:
  6168. # Deny, unless rules exist in squid.conf.
  6169.  
  6170. # TAG: snmp_incoming_address
  6171. # Just like 'udp_incoming_address', but for the SNMP port.
  6172. #
  6173. # snmp_incoming_address is used for the SNMP socket receiving
  6174. # messages from SNMP agents.
  6175. #
  6176. # The default snmp_incoming_address is to listen on all
  6177. # available network interfaces.
  6178. #Default:
  6179. # Accept SNMP packets from all machine interfaces.
  6180.  
  6181. # TAG: snmp_outgoing_address
  6182. # Just like 'udp_outgoing_address', but for the SNMP port.
  6183. #
  6184. # snmp_outgoing_address is used for SNMP packets returned to SNMP
  6185. # agents.
  6186. #
  6187. # If snmp_outgoing_address is not set it will use the same socket
  6188. # as snmp_incoming_address. Only change this if you want to have
  6189. # SNMP replies sent using another address than where this Squid
  6190. # listens for SNMP queries.
  6191. #
  6192. # NOTE, snmp_incoming_address and snmp_outgoing_address can not have
  6193. # the same value since they both use the same port.
  6194. #Default:
  6195. # Use snmp_incoming_address or an address selected by the operating system.
  6196.  
  6197. # ICP OPTIONS
  6198. # -----------------------------------------------------------------------------
  6199.  
  6200. # TAG: icp_port
  6201. # The port number where Squid sends and receives ICP queries to
  6202. # and from neighbor caches. The standard UDP port for ICP is 3130.
  6203. #
  6204. # Example:
  6205. # icp_port 3130
  6206. #Default:
  6207. # ICP disabled.
  6208.  
  6209. # TAG: htcp_port
  6210. # The port number where Squid sends and receives HTCP queries to
  6211. # and from neighbor caches. To turn it on you want to set it to
  6212. # 4827.
  6213. #
  6214. # Example:
  6215. # htcp_port 4827
  6216. #Default:
  6217. # HTCP disabled.
  6218.  
  6219. # TAG: log_icp_queries on|off
  6220. # If set, ICP queries are logged to access.log. You may wish
  6221. # do disable this if your ICP load is VERY high to speed things
  6222. # up or to simplify log analysis.
  6223. #Default:
  6224. # log_icp_queries on
  6225.  
  6226. # TAG: udp_incoming_address
  6227. # udp_incoming_address is used for UDP packets received from other
  6228. # caches.
  6229. #
  6230. # The default behavior is to not bind to any specific address.
  6231. #
  6232. # Only change this if you want to have all UDP queries received on
  6233. # a specific interface/address.
  6234. #
  6235. # NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
  6236. # modules. Altering it will affect all of them in the same manner.
  6237. #
  6238. # see also; udp_outgoing_address
  6239. #
  6240. # NOTE, udp_incoming_address and udp_outgoing_address can not
  6241. # have the same value since they both use the same port.
  6242. #Default:
  6243. # Accept packets from all machine interfaces.
  6244.  
  6245. # TAG: udp_outgoing_address
  6246. # udp_outgoing_address is used for UDP packets sent out to other
  6247. # caches.
  6248. #
  6249. # The default behavior is to not bind to any specific address.
  6250. #
  6251. # Instead it will use the same socket as udp_incoming_address.
  6252. # Only change this if you want to have UDP queries sent using another
  6253. # address than where this Squid listens for UDP queries from other
  6254. # caches.
  6255. #
  6256. # NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
  6257. # modules. Altering it will affect all of them in the same manner.
  6258. #
  6259. # see also; udp_incoming_address
  6260. #
  6261. # NOTE, udp_incoming_address and udp_outgoing_address can not
  6262. # have the same value since they both use the same port.
  6263. #Default:
  6264. # Use udp_incoming_address or an address selected by the operating system.
  6265.  
  6266. # TAG: icp_hit_stale on|off
  6267. # If you want to return ICP_HIT for stale cache objects, set this
  6268. # option to 'on'. If you have sibling relationships with caches
  6269. # in other administrative domains, this should be 'off'. If you only
  6270. # have sibling relationships with caches under your control,
  6271. # it is probably okay to set this to 'on'.
  6272. # If set to 'on', your siblings should use the option "allow-miss"
  6273. # on their cache_peer lines for connecting to you.
  6274. #Default:
  6275. # icp_hit_stale off
  6276.  
  6277. # TAG: minimum_direct_hops
  6278. # If using the ICMP pinging stuff, do direct fetches for sites
  6279. # which are no more than this many hops away.
  6280. #Default:
  6281. # minimum_direct_hops 4
  6282.  
  6283. # TAG: minimum_direct_rtt (msec)
  6284. # If using the ICMP pinging stuff, do direct fetches for sites
  6285. # which are no more than this many rtt milliseconds away.
  6286. #Default:
  6287. # minimum_direct_rtt 400
  6288.  
  6289. # TAG: netdb_low
  6290. # The low water mark for the ICMP measurement database.
  6291. #
  6292. # Note: high watermark controlled by netdb_high directive.
  6293. #
  6294. # These watermarks are counts, not percents. The defaults are
  6295. # (low) 900 and (high) 1000. When the high water mark is
  6296. # reached, database entries will be deleted until the low
  6297. # mark is reached.
  6298. #Default:
  6299. # netdb_low 900
  6300.  
  6301. # TAG: netdb_high
  6302. # The high water mark for the ICMP measurement database.
  6303. #
  6304. # Note: low watermark controlled by netdb_low directive.
  6305. #
  6306. # These watermarks are counts, not percents. The defaults are
  6307. # (low) 900 and (high) 1000. When the high water mark is
  6308. # reached, database entries will be deleted until the low
  6309. # mark is reached.
  6310. #Default:
  6311. # netdb_high 1000
  6312.  
  6313. # TAG: netdb_ping_period
  6314. # The minimum period for measuring a site. There will be at
  6315. # least this much delay between successive pings to the same
  6316. # network. The default is five minutes.
  6317. #Default:
  6318. # netdb_ping_period 5 minutes
  6319.  
  6320. # TAG: query_icmp on|off
  6321. # If you want to ask your peers to include ICMP data in their ICP
  6322. # replies, enable this option.
  6323. #
  6324. # If your peer has configured Squid (during compilation) with
  6325. # '--enable-icmp' that peer will send ICMP pings to origin server
  6326. # sites of the URLs it receives. If you enable this option the
  6327. # ICP replies from that peer will include the ICMP data (if available).
  6328. # Then, when choosing a parent cache, Squid will choose the parent with
  6329. # the minimal RTT to the origin server. When this happens, the
  6330. # hierarchy field of the access.log will be
  6331. # "CLOSEST_PARENT_MISS". This option is off by default.
  6332. #Default:
  6333. # query_icmp off
  6334.  
  6335. # TAG: test_reachability on|off
  6336. # When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
  6337. # instead of ICP_MISS if the target host is NOT in the ICMP
  6338. # database, or has a zero RTT.
  6339. #Default:
  6340. # test_reachability off
  6341.  
  6342. # TAG: icp_query_timeout (msec)
  6343. # Normally Squid will automatically determine an optimal ICP
  6344. # query timeout value based on the round-trip-time of recent ICP
  6345. # queries. If you want to override the value determined by
  6346. # Squid, set this 'icp_query_timeout' to a non-zero value. This
  6347. # value is specified in MILLISECONDS, so, to use a 2-second
  6348. # timeout (the old default), you would write:
  6349. #
  6350. # icp_query_timeout 2000
  6351. #Default:
  6352. # Dynamic detection.
  6353.  
  6354. # TAG: maximum_icp_query_timeout (msec)
  6355. # Normally the ICP query timeout is determined dynamically. But
  6356. # sometimes it can lead to very large values (say 5 seconds).
  6357. # Use this option to put an upper limit on the dynamic timeout
  6358. # value. Do NOT use this option to always use a fixed (instead
  6359. # of a dynamic) timeout value. To set a fixed timeout see the
  6360. # 'icp_query_timeout' directive.
  6361. #Default:
  6362. # maximum_icp_query_timeout 2000
  6363.  
  6364. # TAG: minimum_icp_query_timeout (msec)
  6365. # Normally the ICP query timeout is determined dynamically. But
  6366. # sometimes it can lead to very small timeouts, even lower than
  6367. # the normal latency variance on your link due to traffic.
  6368. # Use this option to put an lower limit on the dynamic timeout
  6369. # value. Do NOT use this option to always use a fixed (instead
  6370. # of a dynamic) timeout value. To set a fixed timeout see the
  6371. # 'icp_query_timeout' directive.
  6372. #Default:
  6373. # minimum_icp_query_timeout 5
  6374.  
  6375. # TAG: background_ping_rate time-units
  6376. # Controls how often the ICP pings are sent to siblings that
  6377. # have background-ping set.
  6378. #Default:
  6379. # background_ping_rate 10 seconds
  6380.  
  6381. # MULTICAST ICP OPTIONS
  6382. # -----------------------------------------------------------------------------
  6383.  
  6384. # TAG: mcast_groups
  6385. # This tag specifies a list of multicast groups which your server
  6386. # should join to receive multicasted ICP queries.
  6387. #
  6388. # NOTE! Be very careful what you put here! Be sure you
  6389. # understand the difference between an ICP _query_ and an ICP
  6390. # _reply_. This option is to be set only if you want to RECEIVE
  6391. # multicast queries. Do NOT set this option to SEND multicast
  6392. # ICP (use cache_peer for that). ICP replies are always sent via
  6393. # unicast, so this option does not affect whether or not you will
  6394. # receive replies from multicast group members.
  6395. #
  6396. # You must be very careful to NOT use a multicast address which
  6397. # is already in use by another group of caches.
  6398. #
  6399. # If you are unsure about multicast, please read the Multicast
  6400. # chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
  6401. #
  6402. # Usage: mcast_groups 239.128.16.128 224.0.1.20
  6403. #
  6404. # By default, Squid doesn't listen on any multicast groups.
  6405. #Default:
  6406. # none
  6407.  
  6408. # TAG: mcast_miss_addr
  6409. # Note: This option is only available if Squid is rebuilt with the
  6410. # -DMULTICAST_MISS_STREAM define
  6411. #
  6412. # If you enable this option, every "cache miss" URL will
  6413. # be sent out on the specified multicast address.
  6414. #
  6415. # Do not enable this option unless you are are absolutely
  6416. # certain you understand what you are doing.
  6417. #Default:
  6418. # disabled.
  6419.  
  6420. # TAG: mcast_miss_ttl
  6421. # Note: This option is only available if Squid is rebuilt with the
  6422. # -DMULTICAST_MISS_STREAM define
  6423. #
  6424. # This is the time-to-live value for packets multicasted
  6425. # when multicasting off cache miss URLs is enabled. By
  6426. # default this is set to 'site scope', i.e. 16.
  6427. #Default:
  6428. # mcast_miss_ttl 16
  6429.  
  6430. # TAG: mcast_miss_port
  6431. # Note: This option is only available if Squid is rebuilt with the
  6432. # -DMULTICAST_MISS_STREAM define
  6433. #
  6434. # This is the port number to be used in conjunction with
  6435. # 'mcast_miss_addr'.
  6436. #Default:
  6437. # mcast_miss_port 3135
  6438.  
  6439. # TAG: mcast_miss_encode_key
  6440. # Note: This option is only available if Squid is rebuilt with the
  6441. # -DMULTICAST_MISS_STREAM define
  6442. #
  6443. # The URLs that are sent in the multicast miss stream are
  6444. # encrypted. This is the encryption key.
  6445. #Default:
  6446. # mcast_miss_encode_key XXXXXXXXXXXXXXXX
  6447.  
  6448. # TAG: mcast_icp_query_timeout (msec)
  6449. # For multicast peers, Squid regularly sends out ICP "probes" to
  6450. # count how many other peers are listening on the given multicast
  6451. # address. This value specifies how long Squid should wait to
  6452. # count all the replies. The default is 2000 msec, or 2
  6453. # seconds.
  6454. #Default:
  6455. # mcast_icp_query_timeout 2000
  6456.  
  6457. # INTERNAL ICON OPTIONS
  6458. # -----------------------------------------------------------------------------
  6459.  
  6460. # TAG: icon_directory
  6461. # Where the icons are stored. These are normally kept in
  6462. # /usr/share/squid/icons
  6463. #Default:
  6464. # icon_directory /usr/share/squid/icons
  6465.  
  6466. # TAG: global_internal_static
  6467. # This directive controls is Squid should intercept all requests for
  6468. # /squid-internal-static/ no matter which host the URL is requesting
  6469. # (default on setting), or if nothing special should be done for
  6470. # such URLs (off setting). The purpose of this directive is to make
  6471. # icons etc work better in complex cache hierarchies where it may
  6472. # not always be possible for all corners in the cache mesh to reach
  6473. # the server generating a directory listing.
  6474. #Default:
  6475. # global_internal_static on
  6476.  
  6477. # TAG: short_icon_urls
  6478. # If this is enabled Squid will use short URLs for icons.
  6479. # If disabled it will revert to the old behavior of including
  6480. # it's own name and port in the URL.
  6481. #
  6482. # If you run a complex cache hierarchy with a mix of Squid and
  6483. # other proxies you may need to disable this directive.
  6484. #Default:
  6485. # short_icon_urls on
  6486.  
  6487. # ERROR PAGE OPTIONS
  6488. # -----------------------------------------------------------------------------
  6489.  
  6490. # TAG: error_directory
  6491. # If you wish to create your own versions of the default
  6492. # error files to customize them to suit your company copy
  6493. # the error/template files to another directory and point
  6494. # this tag at them.
  6495. #
  6496. # WARNING: This option will disable multi-language support
  6497. # on error pages if used.
  6498. #
  6499. # The squid developers are interested in making squid available in
  6500. # a wide variety of languages. If you are making translations for a
  6501. # language that Squid does not currently provide please consider
  6502. # contributing your translation back to the project.
  6503. # http://wiki.squid-cache.org/Translations
  6504. #
  6505. # The squid developers working on translations are happy to supply drop-in
  6506. # translated error files in exchange for any new language contributions.
  6507. #Default:
  6508. # Send error pages in the clients preferred language
  6509.  
  6510. # TAG: error_default_language
  6511. # Set the default language which squid will send error pages in
  6512. # if no existing translation matches the clients language
  6513. # preferences.
  6514. #
  6515. # If unset (default) generic English will be used.
  6516. #
  6517. # The squid developers are interested in making squid available in
  6518. # a wide variety of languages. If you are interested in making
  6519. # translations for any language see the squid wiki for details.
  6520. # http://wiki.squid-cache.org/Translations
  6521. #Default:
  6522. # Generate English language pages.
  6523.  
  6524. # TAG: error_log_languages
  6525. # Log to cache.log what languages users are attempting to
  6526. # auto-negotiate for translations.
  6527. #
  6528. # Successful negotiations are not logged. Only failures
  6529. # have meaning to indicate that Squid may need an upgrade
  6530. # of its error page translations.
  6531. #Default:
  6532. # error_log_languages on
  6533.  
  6534. # TAG: err_page_stylesheet
  6535. # CSS Stylesheet to pattern the display of Squid default error pages.
  6536. #
  6537. # For information on CSS see http://www.w3.org/Style/CSS/
  6538. #Default:
  6539. # err_page_stylesheet /etc/squid/errorpage.css
  6540.  
  6541. # TAG: err_html_text
  6542. # HTML text to include in error messages. Make this a "mailto"
  6543. # URL to your admin address, or maybe just a link to your
  6544. # organizations Web page.
  6545. #
  6546. # To include this in your error messages, you must rewrite
  6547. # the error template files (found in the "errors" directory).
  6548. # Wherever you want the 'err_html_text' line to appear,
  6549. # insert a %L tag in the error template file.
  6550. #Default:
  6551. # none
  6552.  
  6553. # TAG: email_err_data on|off
  6554. # If enabled, information about the occurred error will be
  6555. # included in the mailto links of the ERR pages (if %W is set)
  6556. # so that the email body contains the data.
  6557. # Syntax is <A HREF="mailto:%w%W">%w</A>
  6558. #Default:
  6559. # email_err_data on
  6560.  
  6561. # TAG: deny_info
  6562. # Usage: deny_info err_page_name acl
  6563. # or deny_info http://... acl
  6564. # or deny_info TCP_RESET acl
  6565. #
  6566. # This can be used to return a ERR_ page for requests which
  6567. # do not pass the 'http_access' rules. Squid remembers the last
  6568. # acl it evaluated in http_access, and if a 'deny_info' line exists
  6569. # for that ACL Squid returns a corresponding error page.
  6570. #
  6571. # The acl is typically the last acl on the http_access deny line which
  6572. # denied access. The exceptions to this rule are:
  6573. # - When Squid needs to request authentication credentials. It's then
  6574. # the first authentication related acl encountered
  6575. # - When none of the http_access lines matches. It's then the last
  6576. # acl processed on the last http_access line.
  6577. # - When the decision to deny access was made by an adaptation service,
  6578. # the acl name is the corresponding eCAP or ICAP service_name.
  6579. #
  6580. # NP: If providing your own custom error pages with error_directory
  6581. # you may also specify them by your custom file name:
  6582. # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
  6583. #
  6584. # By defaut Squid will send "403 Forbidden". A different 4xx or 5xx
  6585. # may be specified by prefixing the file name with the code and a colon.
  6586. # e.g. 404:ERR_CUSTOM_ACCESS_DENIED
  6587. #
  6588. # Alternatively you can tell Squid to reset the TCP connection
  6589. # by specifying TCP_RESET.
  6590. #
  6591. # Or you can specify an error URL or URL pattern. The browsers will
  6592. # get redirected to the specified URL after formatting tags have
  6593. # been replaced. Redirect will be done with 302 or 307 according to
  6594. # HTTP/1.1 specs. A different 3xx code may be specified by prefixing
  6595. # the URL. e.g. 303:http://example.com/
  6596. #
  6597. # URL FORMAT TAGS:
  6598. # %a - username (if available. Password NOT included)
  6599. # %B - FTP path URL
  6600. # %e - Error number
  6601. # %E - Error description
  6602. # %h - Squid hostname
  6603. # %H - Request domain name
  6604. # %i - Client IP Address
  6605. # %M - Request Method
  6606. # %o - Message result from external ACL helper
  6607. # %p - Request Port number
  6608. # %P - Request Protocol name
  6609. # %R - Request URL path
  6610. # %T - Timestamp in RFC 1123 format
  6611. # %U - Full canonical URL from client
  6612. # (HTTPS URLs terminate with *)
  6613. # %u - Full canonical URL from client
  6614. # %w - Admin email from squid.conf
  6615. # %x - Error name
  6616. # %% - Literal percent (%) code
  6617. #
  6618. #Default:
  6619. # none
  6620.  
  6621. # OPTIONS INFLUENCING REQUEST FORWARDING
  6622. # -----------------------------------------------------------------------------
  6623.  
  6624. # TAG: nonhierarchical_direct
  6625. # By default, Squid will send any non-hierarchical requests
  6626. # (not cacheable request type) direct to origin servers.
  6627. #
  6628. # When this is set to "off", Squid will prefer to send these
  6629. # requests to parents.
  6630. #
  6631. # Note that in most configurations, by turning this off you will only
  6632. # add latency to these request without any improvement in global hit
  6633. # ratio.
  6634. #
  6635. # This option only sets a preference. If the parent is unavailable a
  6636. # direct connection to the origin server may still be attempted. To
  6637. # completely prevent direct connections use never_direct.
  6638. #Default:
  6639. # nonhierarchical_direct on
  6640.  
  6641. # TAG: prefer_direct
  6642. # Normally Squid tries to use parents for most requests. If you for some
  6643. # reason like it to first try going direct and only use a parent if
  6644. # going direct fails set this to on.
  6645. #
  6646. # By combining nonhierarchical_direct off and prefer_direct on you
  6647. # can set up Squid to use a parent as a backup path if going direct
  6648. # fails.
  6649. #
  6650. # Note: If you want Squid to use parents for all requests see
  6651. # the never_direct directive. prefer_direct only modifies how Squid
  6652. # acts on cacheable requests.
  6653. #Default:
  6654. # prefer_direct off
  6655.  
  6656. # TAG: cache_miss_revalidate on|off
  6657. # RFC 7232 defines a conditional request mechanism to prevent
  6658. # response objects being unnecessarily transferred over the network.
  6659. # If that mechanism is used by the client and a cache MISS occurs
  6660. # it can prevent new cache entries being created.
  6661. #
  6662. # This option determines whether Squid on cache MISS will pass the
  6663. # client revalidation request to the server or tries to fetch new
  6664. # content for caching. It can be useful while the cache is mostly
  6665. # empty to more quickly have the cache populated by generating
  6666. # non-conditional GETs.
  6667. #
  6668. # When set to 'on' (default), Squid will pass all client If-* headers
  6669. # to the server. This permits server responses without a cacheable
  6670. # payload to be delivered and on MISS no new cache entry is created.
  6671. #
  6672. # When set to 'off' and if the request is cacheable, Squid will
  6673. # remove the clients If-Modified-Since and If-None-Match headers from
  6674. # the request sent to the server. This requests a 200 status response
  6675. # from the server to create a new cache entry with.
  6676. #Default:
  6677. # cache_miss_revalidate on
  6678.  
  6679. # TAG: always_direct
  6680. # Usage: always_direct allow|deny [!]aclname ...
  6681. #
  6682. # Here you can use ACL elements to specify requests which should
  6683. # ALWAYS be forwarded by Squid to the origin servers without using
  6684. # any peers. For example, to always directly forward requests for
  6685. # local servers ignoring any parents or siblings you may have use
  6686. # something like:
  6687. #
  6688. # acl local-servers dstdomain my.domain.net
  6689. # always_direct allow local-servers
  6690. #
  6691. # To always forward FTP requests directly, use
  6692. #
  6693. # acl FTP proto FTP
  6694. # always_direct allow FTP
  6695. #
  6696. # NOTE: There is a similar, but opposite option named
  6697. # 'never_direct'. You need to be aware that "always_direct deny
  6698. # foo" is NOT the same thing as "never_direct allow foo". You
  6699. # may need to use a deny rule to exclude a more-specific case of
  6700. # some other rule. Example:
  6701. #
  6702. # acl local-external dstdomain external.foo.net
  6703. # acl local-servers dstdomain .foo.net
  6704. # always_direct deny local-external
  6705. # always_direct allow local-servers
  6706. #
  6707. # NOTE: If your goal is to make the client forward the request
  6708. # directly to the origin server bypassing Squid then this needs
  6709. # to be done in the client configuration. Squid configuration
  6710. # can only tell Squid how Squid should fetch the object.
  6711. #
  6712. # NOTE: This directive is not related to caching. The replies
  6713. # is cached as usual even if you use always_direct. To not cache
  6714. # the replies see the 'cache' directive.
  6715. #
  6716. # This clause supports both fast and slow acl types.
  6717. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  6718. #Default:
  6719. # Prevent any cache_peer being used for this request.
  6720.  
  6721. # TAG: never_direct
  6722. # Usage: never_direct allow|deny [!]aclname ...
  6723. #
  6724. # never_direct is the opposite of always_direct. Please read
  6725. # the description for always_direct if you have not already.
  6726. #
  6727. # With 'never_direct' you can use ACL elements to specify
  6728. # requests which should NEVER be forwarded directly to origin
  6729. # servers. For example, to force the use of a proxy for all
  6730. # requests, except those in your local domain use something like:
  6731. #
  6732. # acl local-servers dstdomain .foo.net
  6733. # never_direct deny local-servers
  6734. # never_direct allow all
  6735. #
  6736. # or if Squid is inside a firewall and there are local intranet
  6737. # servers inside the firewall use something like:
  6738. #
  6739. # acl local-intranet dstdomain .foo.net
  6740. # acl local-external dstdomain external.foo.net
  6741. # always_direct deny local-external
  6742. # always_direct allow local-intranet
  6743. # never_direct allow all
  6744. #
  6745. # This clause supports both fast and slow acl types.
  6746. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  6747. #Default:
  6748. # Allow DNS results to be used for this request.
  6749.  
  6750. # ADVANCED NETWORKING OPTIONS
  6751. # -----------------------------------------------------------------------------
  6752.  
  6753. # TAG: incoming_udp_average
  6754. # Heavy voodoo here. I can't even believe you are reading this.
  6755. # Are you crazy? Don't even think about adjusting these unless
  6756. # you understand the algorithms in comm_select.c first!
  6757. #Default:
  6758. # incoming_udp_average 6
  6759.  
  6760. # TAG: incoming_tcp_average
  6761. # Heavy voodoo here. I can't even believe you are reading this.
  6762. # Are you crazy? Don't even think about adjusting these unless
  6763. # you understand the algorithms in comm_select.c first!
  6764. #Default:
  6765. # incoming_tcp_average 4
  6766.  
  6767. # TAG: incoming_dns_average
  6768. # Heavy voodoo here. I can't even believe you are reading this.
  6769. # Are you crazy? Don't even think about adjusting these unless
  6770. # you understand the algorithms in comm_select.c first!
  6771. #Default:
  6772. # incoming_dns_average 4
  6773.  
  6774. # TAG: min_udp_poll_cnt
  6775. # Heavy voodoo here. I can't even believe you are reading this.
  6776. # Are you crazy? Don't even think about adjusting these unless
  6777. # you understand the algorithms in comm_select.c first!
  6778. #Default:
  6779. # min_udp_poll_cnt 8
  6780.  
  6781. # TAG: min_dns_poll_cnt
  6782. # Heavy voodoo here. I can't even believe you are reading this.
  6783. # Are you crazy? Don't even think about adjusting these unless
  6784. # you understand the algorithms in comm_select.c first!
  6785. #Default:
  6786. # min_dns_poll_cnt 8
  6787.  
  6788. # TAG: min_tcp_poll_cnt
  6789. # Heavy voodoo here. I can't even believe you are reading this.
  6790. # Are you crazy? Don't even think about adjusting these unless
  6791. # you understand the algorithms in comm_select.c first!
  6792. #Default:
  6793. # min_tcp_poll_cnt 8
  6794.  
  6795. # TAG: accept_filter
  6796. # FreeBSD:
  6797. #
  6798. # The name of an accept(2) filter to install on Squid's
  6799. # listen socket(s). This feature is perhaps specific to
  6800. # FreeBSD and requires support in the kernel.
  6801. #
  6802. # The 'httpready' filter delays delivering new connections
  6803. # to Squid until a full HTTP request has been received.
  6804. # See the accf_http(9) man page for details.
  6805. #
  6806. # The 'dataready' filter delays delivering new connections
  6807. # to Squid until there is some data to process.
  6808. # See the accf_dataready(9) man page for details.
  6809. #
  6810. # Linux:
  6811. #
  6812. # The 'data' filter delays delivering of new connections
  6813. # to Squid until there is some data to process by TCP_ACCEPT_DEFER.
  6814. # You may optionally specify a number of seconds to wait by
  6815. # 'data=N' where N is the number of seconds. Defaults to 30
  6816. # if not specified. See the tcp(7) man page for details.
  6817. #EXAMPLE:
  6818. ## FreeBSD
  6819. #accept_filter httpready
  6820. ## Linux
  6821. #accept_filter data
  6822. #Default:
  6823. # none
  6824.  
  6825. # TAG: client_ip_max_connections
  6826. # Set an absolute limit on the number of connections a single
  6827. # client IP can use. Any more than this and Squid will begin to drop
  6828. # new connections from the client until it closes some links.
  6829. #
  6830. # Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
  6831. # connections from the client. For finer control use the ACL access controls.
  6832. #
  6833. # Requires client_db to be enabled (the default).
  6834. #
  6835. # WARNING: This may noticably slow down traffic received via external proxies
  6836. # or NAT devices and cause them to rebound error messages back to their clients.
  6837. #Default:
  6838. # No limit.
  6839.  
  6840. # TAG: tcp_recv_bufsize (bytes)
  6841. # Size of receive buffer to set for TCP sockets. Probably just
  6842. # as easy to change your kernel's default.
  6843. # Omit from squid.conf to use the default buffer size.
  6844. #Default:
  6845. # Use operating system TCP defaults.
  6846.  
  6847. # ICAP OPTIONS
  6848. # -----------------------------------------------------------------------------
  6849.  
  6850. # TAG: icap_enable on|off
  6851. # If you want to enable the ICAP module support, set this to on.
  6852. #Default:
  6853. # icap_enable off
  6854.  
  6855. # TAG: icap_connect_timeout
  6856. # This parameter specifies how long to wait for the TCP connect to
  6857. # the requested ICAP server to complete before giving up and either
  6858. # terminating the HTTP transaction or bypassing the failure.
  6859. #
  6860. # The default for optional services is peer_connect_timeout.
  6861. # The default for essential services is connect_timeout.
  6862. # If this option is explicitly set, its value applies to all services.
  6863. #Default:
  6864. # none
  6865.  
  6866. # TAG: icap_io_timeout time-units
  6867. # This parameter specifies how long to wait for an I/O activity on
  6868. # an established, active ICAP connection before giving up and
  6869. # either terminating the HTTP transaction or bypassing the
  6870. # failure.
  6871. #Default:
  6872. # Use read_timeout.
  6873.  
  6874. # TAG: icap_service_failure_limit limit [in memory-depth time-units]
  6875. # The limit specifies the number of failures that Squid tolerates
  6876. # when establishing a new TCP connection with an ICAP service. If
  6877. # the number of failures exceeds the limit, the ICAP service is
  6878. # not used for new ICAP requests until it is time to refresh its
  6879. # OPTIONS.
  6880. #
  6881. # A negative value disables the limit. Without the limit, an ICAP
  6882. # service will not be considered down due to connectivity failures
  6883. # between ICAP OPTIONS requests.
  6884. #
  6885. # Squid forgets ICAP service failures older than the specified
  6886. # value of memory-depth. The memory fading algorithm
  6887. # is approximate because Squid does not remember individual
  6888. # errors but groups them instead, splitting the option
  6889. # value into ten time slots of equal length.
  6890. #
  6891. # When memory-depth is 0 and by default this option has no
  6892. # effect on service failure expiration.
  6893. #
  6894. # Squid always forgets failures when updating service settings
  6895. # using an ICAP OPTIONS transaction, regardless of this option
  6896. # setting.
  6897. #
  6898. # For example,
  6899. # # suspend service usage after 10 failures in 5 seconds:
  6900. # icap_service_failure_limit 10 in 5 seconds
  6901. #Default:
  6902. # icap_service_failure_limit 10
  6903.  
  6904. # TAG: icap_service_revival_delay
  6905. # The delay specifies the number of seconds to wait after an ICAP
  6906. # OPTIONS request failure before requesting the options again. The
  6907. # failed ICAP service is considered "down" until fresh OPTIONS are
  6908. # fetched.
  6909. #
  6910. # The actual delay cannot be smaller than the hardcoded minimum
  6911. # delay of 30 seconds.
  6912. #Default:
  6913. # icap_service_revival_delay 180
  6914.  
  6915. # TAG: icap_preview_enable on|off
  6916. # The ICAP Preview feature allows the ICAP server to handle the
  6917. # HTTP message by looking only at the beginning of the message body
  6918. # or even without receiving the body at all. In some environments,
  6919. # previews greatly speedup ICAP processing.
  6920. #
  6921. # During an ICAP OPTIONS transaction, the server may tell Squid what
  6922. # HTTP messages should be previewed and how big the preview should be.
  6923. # Squid will not use Preview if the server did not request one.
  6924. #
  6925. # To disable ICAP Preview for all ICAP services, regardless of
  6926. # individual ICAP server OPTIONS responses, set this option to "off".
  6927. #Example:
  6928. #icap_preview_enable off
  6929. #Default:
  6930. # icap_preview_enable on
  6931.  
  6932. # TAG: icap_preview_size
  6933. # The default size of preview data to be sent to the ICAP server.
  6934. # This value might be overwritten on a per server basis by OPTIONS requests.
  6935. #Default:
  6936. # No preview sent.
  6937.  
  6938. # TAG: icap_206_enable on|off
  6939. # 206 (Partial Content) responses is an ICAP extension that allows the
  6940. # ICAP agents to optionally combine adapted and original HTTP message
  6941. # content. The decision to combine is postponed until the end of the
  6942. # ICAP response. Squid supports Partial Content extension by default.
  6943. #
  6944. # Activation of the Partial Content extension is negotiated with each
  6945. # ICAP service during OPTIONS exchange. Most ICAP servers should handle
  6946. # negotation correctly even if they do not support the extension, but
  6947. # some might fail. To disable Partial Content support for all ICAP
  6948. # services and to avoid any negotiation, set this option to "off".
  6949. #
  6950. # Example:
  6951. # icap_206_enable off
  6952. #Default:
  6953. # icap_206_enable on
  6954.  
  6955. # TAG: icap_default_options_ttl
  6956. # The default TTL value for ICAP OPTIONS responses that don't have
  6957. # an Options-TTL header.
  6958. #Default:
  6959. # icap_default_options_ttl 60
  6960.  
  6961. # TAG: icap_persistent_connections on|off
  6962. # Whether or not Squid should use persistent connections to
  6963. # an ICAP server.
  6964. #Default:
  6965. # icap_persistent_connections on
  6966.  
  6967. # TAG: adaptation_send_client_ip on|off
  6968. # If enabled, Squid shares HTTP client IP information with adaptation
  6969. # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
  6970. # For eCAP, Squid sets the libecap::metaClientIp transaction option.
  6971. #
  6972. # See also: adaptation_uses_indirect_client
  6973. #Default:
  6974. # adaptation_send_client_ip off
  6975.  
  6976. # TAG: adaptation_send_username on|off
  6977. # This sends authenticated HTTP client username (if available) to
  6978. # the adaptation service.
  6979. #
  6980. # For ICAP, the username value is encoded based on the
  6981. # icap_client_username_encode option and is sent using the header
  6982. # specified by the icap_client_username_header option.
  6983. #Default:
  6984. # adaptation_send_username off
  6985.  
  6986. # TAG: icap_client_username_header
  6987. # ICAP request header name to use for adaptation_send_username.
  6988. #Default:
  6989. # icap_client_username_header X-Client-Username
  6990.  
  6991. # TAG: icap_client_username_encode on|off
  6992. # Whether to base64 encode the authenticated client username.
  6993. #Default:
  6994. # icap_client_username_encode off
  6995.  
  6996. # TAG: icap_service
  6997. # Defines a single ICAP service using the following format:
  6998. #
  6999. # icap_service id vectoring_point uri [option ...]
  7000. #
  7001. # id: ID
  7002. # an opaque identifier or name which is used to direct traffic to
  7003. # this specific service. Must be unique among all adaptation
  7004. # services in squid.conf.
  7005. #
  7006. # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
  7007. # This specifies at which point of transaction processing the
  7008. # ICAP service should be activated. *_postcache vectoring points
  7009. # are not yet supported.
  7010. #
  7011. # uri: icap://servername:port/servicepath
  7012. # ICAP server and service location.
  7013. #
  7014. # ICAP does not allow a single service to handle both REQMOD and RESPMOD
  7015. # transactions. Squid does not enforce that requirement. You can specify
  7016. # services with the same service_url and different vectoring_points. You
  7017. # can even specify multiple identical services as long as their
  7018. # service_names differ.
  7019. #
  7020. # To activate a service, use the adaptation_access directive. To group
  7021. # services, use adaptation_service_chain and adaptation_service_set.
  7022. #
  7023. # Service options are separated by white space. ICAP services support
  7024. # the following name=value options:
  7025. #
  7026. # bypass=on|off|1|0
  7027. # If set to 'on' or '1', the ICAP service is treated as
  7028. # optional. If the service cannot be reached or malfunctions,
  7029. # Squid will try to ignore any errors and process the message as
  7030. # if the service was not enabled. No all ICAP errors can be
  7031. # bypassed. If set to 0, the ICAP service is treated as
  7032. # essential and all ICAP errors will result in an error page
  7033. # returned to the HTTP client.
  7034. #
  7035. # Bypass is off by default: services are treated as essential.
  7036. #
  7037. # routing=on|off|1|0
  7038. # If set to 'on' or '1', the ICAP service is allowed to
  7039. # dynamically change the current message adaptation plan by
  7040. # returning a chain of services to be used next. The services
  7041. # are specified using the X-Next-Services ICAP response header
  7042. # value, formatted as a comma-separated list of service names.
  7043. # Each named service should be configured in squid.conf. Other
  7044. # services are ignored. An empty X-Next-Services value results
  7045. # in an empty plan which ends the current adaptation.
  7046. #
  7047. # Dynamic adaptation plan may cross or cover multiple supported
  7048. # vectoring points in their natural processing order.
  7049. #
  7050. # Routing is not allowed by default: the ICAP X-Next-Services
  7051. # response header is ignored.
  7052. #
  7053. # ipv6=on|off
  7054. # Only has effect on split-stack systems. The default on those systems
  7055. # is to use IPv4-only connections. When set to 'on' this option will
  7056. # make Squid use IPv6-only connections to contact this ICAP service.
  7057. #
  7058. # on-overload=block|bypass|wait|force
  7059. # If the service Max-Connections limit has been reached, do
  7060. # one of the following for each new ICAP transaction:
  7061. # * block: send an HTTP error response to the client
  7062. # * bypass: ignore the "over-connected" ICAP service
  7063. # * wait: wait (in a FIFO queue) for an ICAP connection slot
  7064. # * force: proceed, ignoring the Max-Connections limit
  7065. #
  7066. # In SMP mode with N workers, each worker assumes the service
  7067. # connection limit is Max-Connections/N, even though not all
  7068. # workers may use a given service.
  7069. #
  7070. # The default value is "bypass" if service is bypassable,
  7071. # otherwise it is set to "wait".
  7072. #
  7073. #
  7074. # max-conn=number
  7075. # Use the given number as the Max-Connections limit, regardless
  7076. # of the Max-Connections value given by the service, if any.
  7077. #
  7078. # Older icap_service format without optional named parameters is
  7079. # deprecated but supported for backward compatibility.
  7080. #
  7081. #Example:
  7082. #icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
  7083. #icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on
  7084. #Default:
  7085. # none
  7086.  
  7087. # TAG: icap_class
  7088. # This deprecated option was documented to define an ICAP service
  7089. # chain, even though it actually defined a set of similar, redundant
  7090. # services, and the chains were not supported.
  7091. #
  7092. # To define a set of redundant services, please use the
  7093. # adaptation_service_set directive. For service chains, use
  7094. # adaptation_service_chain.
  7095. #Default:
  7096. # none
  7097.  
  7098. # TAG: icap_access
  7099. # This option is deprecated. Please use adaptation_access, which
  7100. # has the same ICAP functionality, but comes with better
  7101. # documentation, and eCAP support.
  7102. #Default:
  7103. # none
  7104.  
  7105. # eCAP OPTIONS
  7106. # -----------------------------------------------------------------------------
  7107.  
  7108. # TAG: ecap_enable on|off
  7109. # Controls whether eCAP support is enabled.
  7110. #Default:
  7111. # ecap_enable off
  7112.  
  7113. # TAG: ecap_service
  7114. # Defines a single eCAP service
  7115. #
  7116. # ecap_service id vectoring_point uri [option ...]
  7117. #
  7118. # id: ID
  7119. # an opaque identifier or name which is used to direct traffic to
  7120. # this specific service. Must be unique among all adaptation
  7121. # services in squid.conf.
  7122. #
  7123. # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
  7124. # This specifies at which point of transaction processing the
  7125. # eCAP service should be activated. *_postcache vectoring points
  7126. # are not yet supported.
  7127. #
  7128. # uri: ecap://vendor/service_name?custom&cgi=style&parameters=optional
  7129. # Squid uses the eCAP service URI to match this configuration
  7130. # line with one of the dynamically loaded services. Each loaded
  7131. # eCAP service must have a unique URI. Obtain the right URI from
  7132. # the service provider.
  7133. #
  7134. # To activate a service, use the adaptation_access directive. To group
  7135. # services, use adaptation_service_chain and adaptation_service_set.
  7136. #
  7137. # Service options are separated by white space. eCAP services support
  7138. # the following name=value options:
  7139. #
  7140. # bypass=on|off|1|0
  7141. # If set to 'on' or '1', the eCAP service is treated as optional.
  7142. # If the service cannot be reached or malfunctions, Squid will try
  7143. # to ignore any errors and process the message as if the service
  7144. # was not enabled. No all eCAP errors can be bypassed.
  7145. # If set to 'off' or '0', the eCAP service is treated as essential
  7146. # and all eCAP errors will result in an error page returned to the
  7147. # HTTP client.
  7148. #
  7149. # Bypass is off by default: services are treated as essential.
  7150. #
  7151. # routing=on|off|1|0
  7152. # If set to 'on' or '1', the eCAP service is allowed to
  7153. # dynamically change the current message adaptation plan by
  7154. # returning a chain of services to be used next.
  7155. #
  7156. # Dynamic adaptation plan may cross or cover multiple supported
  7157. # vectoring points in their natural processing order.
  7158. #
  7159. # Routing is not allowed by default.
  7160. #
  7161. # Older ecap_service format without optional named parameters is
  7162. # deprecated but supported for backward compatibility.
  7163. #
  7164. #
  7165. #Example:
  7166. #ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off
  7167. #ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on
  7168. #Default:
  7169. # none
  7170.  
  7171. # TAG: loadable_modules
  7172. # Instructs Squid to load the specified dynamic module(s) or activate
  7173. # preloaded module(s).
  7174. #Example:
  7175. #loadable_modules /usr/lib/MinimalAdapter.so
  7176. #Default:
  7177. # none
  7178.  
  7179. # MESSAGE ADAPTATION OPTIONS
  7180. # -----------------------------------------------------------------------------
  7181.  
  7182. # TAG: adaptation_service_set
  7183. #
  7184. # Configures an ordered set of similar, redundant services. This is
  7185. # useful when hot standby or backup adaptation servers are available.
  7186. #
  7187. # adaptation_service_set set_name service_name1 service_name2 ...
  7188. #
  7189. # The named services are used in the set declaration order. The first
  7190. # applicable adaptation service from the set is used first. The next
  7191. # applicable service is tried if and only if the transaction with the
  7192. # previous service fails and the message waiting to be adapted is still
  7193. # intact.
  7194. #
  7195. # When adaptation starts, broken services are ignored as if they were
  7196. # not a part of the set. A broken service is a down optional service.
  7197. #
  7198. # The services in a set must be attached to the same vectoring point
  7199. # (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
  7200. #
  7201. # If all services in a set are optional then adaptation failures are
  7202. # bypassable. If all services in the set are essential, then a
  7203. # transaction failure with one service may still be retried using
  7204. # another service from the set, but when all services fail, the master
  7205. # transaction fails as well.
  7206. #
  7207. # A set may contain a mix of optional and essential services, but that
  7208. # is likely to lead to surprising results because broken services become
  7209. # ignored (see above), making previously bypassable failures fatal.
  7210. # Technically, it is the bypassability of the last failed service that
  7211. # matters.
  7212. #
  7213. # See also: adaptation_access adaptation_service_chain
  7214. #
  7215. #Example:
  7216. #adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
  7217. #adaptation service_set svcLogger loggerLocal loggerRemote
  7218. #Default:
  7219. # none
  7220.  
  7221. # TAG: adaptation_service_chain
  7222. #
  7223. # Configures a list of complementary services that will be applied
  7224. # one-by-one, forming an adaptation chain or pipeline. This is useful
  7225. # when Squid must perform different adaptations on the same message.
  7226. #
  7227. # adaptation_service_chain chain_name service_name1 svc_name2 ...
  7228. #
  7229. # The named services are used in the chain declaration order. The first
  7230. # applicable adaptation service from the chain is used first. The next
  7231. # applicable service is applied to the successful adaptation results of
  7232. # the previous service in the chain.
  7233. #
  7234. # When adaptation starts, broken services are ignored as if they were
  7235. # not a part of the chain. A broken service is a down optional service.
  7236. #
  7237. # Request satisfaction terminates the adaptation chain because Squid
  7238. # does not currently allow declaration of RESPMOD services at the
  7239. # "reqmod_precache" vectoring point (see icap_service or ecap_service).
  7240. #
  7241. # The services in a chain must be attached to the same vectoring point
  7242. # (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
  7243. #
  7244. # A chain may contain a mix of optional and essential services. If an
  7245. # essential adaptation fails (or the failure cannot be bypassed for
  7246. # other reasons), the master transaction fails. Otherwise, the failure
  7247. # is bypassed as if the failed adaptation service was not in the chain.
  7248. #
  7249. # See also: adaptation_access adaptation_service_set
  7250. #
  7251. #Example:
  7252. #adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
  7253. #Default:
  7254. # none
  7255.  
  7256. # TAG: adaptation_access
  7257. # Sends an HTTP transaction to an ICAP or eCAP adaptation service.
  7258. #
  7259. # adaptation_access service_name allow|deny [!]aclname...
  7260. # adaptation_access set_name allow|deny [!]aclname...
  7261. #
  7262. # At each supported vectoring point, the adaptation_access
  7263. # statements are processed in the order they appear in this
  7264. # configuration file. Statements pointing to the following services
  7265. # are ignored (i.e., skipped without checking their ACL):
  7266. #
  7267. # - services serving different vectoring points
  7268. # - "broken-but-bypassable" services
  7269. # - "up" services configured to ignore such transactions
  7270. # (e.g., based on the ICAP Transfer-Ignore header).
  7271. #
  7272. # When a set_name is used, all services in the set are checked
  7273. # using the same rules, to find the first applicable one. See
  7274. # adaptation_service_set for details.
  7275. #
  7276. # If an access list is checked and there is a match, the
  7277. # processing stops: For an "allow" rule, the corresponding
  7278. # adaptation service is used for the transaction. For a "deny"
  7279. # rule, no adaptation service is activated.
  7280. #
  7281. # It is currently not possible to apply more than one adaptation
  7282. # service at the same vectoring point to the same HTTP transaction.
  7283. #
  7284. # See also: icap_service and ecap_service
  7285. #
  7286. #Example:
  7287. #adaptation_access service_1 allow all
  7288. #Default:
  7289. # Allow, unless rules exist in squid.conf.
  7290.  
  7291. # TAG: adaptation_service_iteration_limit
  7292. # Limits the number of iterations allowed when applying adaptation
  7293. # services to a message. If your longest adaptation set or chain
  7294. # may have more than 16 services, increase the limit beyond its
  7295. # default value of 16. If detecting infinite iteration loops sooner
  7296. # is critical, make the iteration limit match the actual number
  7297. # of services in your longest adaptation set or chain.
  7298. #
  7299. # Infinite adaptation loops are most likely with routing services.
  7300. #
  7301. # See also: icap_service routing=1
  7302. #Default:
  7303. # adaptation_service_iteration_limit 16
  7304.  
  7305. # TAG: adaptation_masterx_shared_names
  7306. # For each master transaction (i.e., the HTTP request and response
  7307. # sequence, including all related ICAP and eCAP exchanges), Squid
  7308. # maintains a table of metadata. The table entries are (name, value)
  7309. # pairs shared among eCAP and ICAP exchanges. The table is destroyed
  7310. # with the master transaction.
  7311. #
  7312. # This option specifies the table entry names that Squid must accept
  7313. # from and forward to the adaptation transactions.
  7314. #
  7315. # An ICAP REQMOD or RESPMOD transaction may set an entry in the
  7316. # shared table by returning an ICAP header field with a name
  7317. # specified in adaptation_masterx_shared_names.
  7318. #
  7319. # An eCAP REQMOD or RESPMOD transaction may set an entry in the
  7320. # shared table by implementing the libecap::visitEachOption() API
  7321. # to provide an option with a name specified in
  7322. # adaptation_masterx_shared_names.
  7323. #
  7324. # Squid will store and forward the set entry to subsequent adaptation
  7325. # transactions within the same master transaction scope.
  7326. #
  7327. # Only one shared entry name is supported at this time.
  7328. #
  7329. #Example:
  7330. ## share authentication information among ICAP services
  7331. #adaptation_masterx_shared_names X-Subscriber-ID
  7332. #Default:
  7333. # none
  7334.  
  7335. # TAG: adaptation_meta
  7336. # This option allows Squid administrator to add custom ICAP request
  7337. # headers or eCAP options to Squid ICAP requests or eCAP transactions.
  7338. # Use it to pass custom authentication tokens and other
  7339. # transaction-state related meta information to an ICAP/eCAP service.
  7340. #
  7341. # The addition of a meta header is ACL-driven:
  7342. # adaptation_meta name value [!]aclname ...
  7343. #
  7344. # Processing for a given header name stops after the first ACL list match.
  7345. # Thus, it is impossible to add two headers with the same name. If no ACL
  7346. # lists match for a given header name, no such header is added. For
  7347. # example:
  7348. #
  7349. # # do not debug transactions except for those that need debugging
  7350. # adaptation_meta X-Debug 1 needs_debugging
  7351. #
  7352. # # log all transactions except for those that must remain secret
  7353. # adaptation_meta X-Log 1 !keep_secret
  7354. #
  7355. # # mark transactions from users in the "G 1" group
  7356. # adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
  7357. #
  7358. # The "value" parameter may be a regular squid.conf token or a "double
  7359. # quoted string". Within the quoted string, use backslash (\) to escape
  7360. # any character, which is currently only useful for escaping backslashes
  7361. # and double quotes. For example,
  7362. # "this string has one backslash (\\) and two \"quotes\""
  7363. #
  7364. # Used adaptation_meta header values may be logged via %note
  7365. # logformat code. If multiple adaptation_meta headers with the same name
  7366. # are used during master transaction lifetime, the header values are
  7367. # logged in the order they were used and duplicate values are ignored
  7368. # (only the first repeated value will be logged).
  7369. #Default:
  7370. # none
  7371.  
  7372. # TAG: icap_retry
  7373. # This ACL determines which retriable ICAP transactions are
  7374. # retried. Transactions that received a complete ICAP response
  7375. # and did not have to consume or produce HTTP bodies to receive
  7376. # that response are usually retriable.
  7377. #
  7378. # icap_retry allow|deny [!]aclname ...
  7379. #
  7380. # Squid automatically retries some ICAP I/O timeouts and errors
  7381. # due to persistent connection race conditions.
  7382. #
  7383. # See also: icap_retry_limit
  7384. #Default:
  7385. # icap_retry deny all
  7386.  
  7387. # TAG: icap_retry_limit
  7388. # Limits the number of retries allowed.
  7389. #
  7390. # Communication errors due to persistent connection race
  7391. # conditions are unavoidable, automatically retried, and do not
  7392. # count against this limit.
  7393. #
  7394. # See also: icap_retry
  7395. #Default:
  7396. # No retries are allowed.
  7397.  
  7398. # DNS OPTIONS
  7399. # -----------------------------------------------------------------------------
  7400.  
  7401. # TAG: check_hostnames
  7402. # For security and stability reasons Squid can check
  7403. # hostnames for Internet standard RFC compliance. If you want
  7404. # Squid to perform these checks turn this directive on.
  7405. #Default:
  7406. # check_hostnames off
  7407.  
  7408. # TAG: allow_underscore
  7409. # Underscore characters is not strictly allowed in Internet hostnames
  7410. # but nevertheless used by many sites. Set this to off if you want
  7411. # Squid to be strict about the standard.
  7412. # This check is performed only when check_hostnames is set to on.
  7413. #Default:
  7414. # allow_underscore on
  7415.  
  7416. # TAG: dns_retransmit_interval
  7417. # Initial retransmit interval for DNS queries. The interval is
  7418. # doubled each time all configured DNS servers have been tried.
  7419. #Default:
  7420. # dns_retransmit_interval 5 seconds
  7421.  
  7422. # TAG: dns_timeout
  7423. # DNS Query timeout. If no response is received to a DNS query
  7424. # within this time all DNS servers for the queried domain
  7425. # are assumed to be unavailable.
  7426. #Default:
  7427. # dns_timeout 30 seconds
  7428.  
  7429. # TAG: dns_packet_max
  7430. # Maximum number of bytes packet size to advertise via EDNS.
  7431. # Set to "none" to disable EDNS large packet support.
  7432. #
  7433. # For legacy reasons DNS UDP replies will default to 512 bytes which
  7434. # is too small for many responses. EDNS provides a means for Squid to
  7435. # negotiate receiving larger responses back immediately without having
  7436. # to failover with repeat requests. Responses larger than this limit
  7437. # will retain the old behaviour of failover to TCP DNS.
  7438. #
  7439. # Squid has no real fixed limit internally, but allowing packet sizes
  7440. # over 1500 bytes requires network jumbogram support and is usually not
  7441. # necessary.
  7442. #
  7443. # WARNING: The RFC also indicates that some older resolvers will reply
  7444. # with failure of the whole request if the extension is added. Some
  7445. # resolvers have already been identified which will reply with mangled
  7446. # EDNS response on occasion. Usually in response to many-KB jumbogram
  7447. # sizes being advertised by Squid.
  7448. # Squid will currently treat these both as an unable-to-resolve domain
  7449. # even if it would be resolvable without EDNS.
  7450. #Default:
  7451. # EDNS disabled
  7452.  
  7453. # TAG: dns_defnames on|off
  7454. # Normally the RES_DEFNAMES resolver option is disabled
  7455. # (see res_init(3)). This prevents caches in a hierarchy
  7456. # from interpreting single-component hostnames locally. To allow
  7457. # Squid to handle single-component names, enable this option.
  7458. #Default:
  7459. # Search for single-label domain names is disabled.
  7460.  
  7461. # TAG: dns_multicast_local on|off
  7462. # When set to on, Squid sends multicast DNS lookups on the local
  7463. # network for domains ending in .local and .arpa.
  7464. # This enables local servers and devices to be contacted in an
  7465. # ad-hoc or zero-configuration network environment.
  7466. #Default:
  7467. # Search for .local and .arpa names is disabled.
  7468.  
  7469. # TAG: dns_nameservers
  7470. # Use this if you want to specify a list of DNS name servers
  7471. # (IP addresses) to use instead of those given in your
  7472. # /etc/resolv.conf file.
  7473. #
  7474. # On Windows platforms, if no value is specified here or in
  7475. # the /etc/resolv.conf file, the list of DNS name servers are
  7476. # taken from the Windows registry, both static and dynamic DHCP
  7477. # configurations are supported.
  7478. #
  7479. # Example: dns_nameservers 10.0.0.1 192.172.0.4
  7480. #Default:
  7481. # Use operating system definitions
  7482.  
  7483. # TAG: hosts_file
  7484. # Location of the host-local IP name-address associations
  7485. # database. Most Operating Systems have such a file on different
  7486. # default locations:
  7487. # - Un*X & Linux: /etc/hosts
  7488. # - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
  7489. # (%SystemRoot% value install default is c:\winnt)
  7490. # - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
  7491. # (%SystemRoot% value install default is c:\windows)
  7492. # - Windows 9x/Me: %windir%\hosts
  7493. # (%windir% value is usually c:\windows)
  7494. # - Cygwin: /etc/hosts
  7495. #
  7496. # The file contains newline-separated definitions, in the
  7497. # form ip_address_in_dotted_form name [name ...] names are
  7498. # whitespace-separated. Lines beginning with an hash (#)
  7499. # character are comments.
  7500. #
  7501. # The file is checked at startup and upon configuration.
  7502. # If set to 'none', it won't be checked.
  7503. # If append_domain is used, that domain will be added to
  7504. # domain-local (i.e. not containing any dot character) host
  7505. # definitions.
  7506. #Default:
  7507. # hosts_file /etc/hosts
  7508.  
  7509. # TAG: append_domain
  7510. # Appends local domain name to hostnames without any dots in
  7511. # them. append_domain must begin with a period.
  7512. #
  7513. # Be warned there are now Internet names with no dots in
  7514. # them using only top-domain names, so setting this may
  7515. # cause some Internet sites to become unavailable.
  7516. #
  7517. #Example:
  7518. # append_domain .yourdomain.com
  7519. #Default:
  7520. # Use operating system definitions
  7521.  
  7522. # TAG: ignore_unknown_nameservers
  7523. # By default Squid checks that DNS responses are received
  7524. # from the same IP addresses they are sent to. If they
  7525. # don't match, Squid ignores the response and writes a warning
  7526. # message to cache.log. You can allow responses from unknown
  7527. # nameservers by setting this option to 'off'.
  7528. #Default:
  7529. # ignore_unknown_nameservers on
  7530.  
  7531. # TAG: dns_v4_first
  7532. # With the IPv6 Internet being as fast or faster than IPv4 Internet
  7533. # for most networks Squid prefers to contact websites over IPv6.
  7534. #
  7535. # This option reverses the order of preference to make Squid contact
  7536. # dual-stack websites over IPv4 first. Squid will still perform both
  7537. # IPv6 and IPv4 DNS lookups before connecting.
  7538. #
  7539. # WARNING:
  7540. # This option will restrict the situations under which IPv6
  7541. # connectivity is used (and tested), potentially hiding network
  7542. # problems which would otherwise be detected and warned about.
  7543. #Default:
  7544. # dns_v4_first off
  7545.  
  7546. # TAG: ipcache_size (number of entries)
  7547. # Maximum number of DNS IP cache entries.
  7548. #Default:
  7549. # ipcache_size 1024
  7550.  
  7551. # TAG: ipcache_low (percent)
  7552. #Default:
  7553. # ipcache_low 90
  7554.  
  7555. # TAG: ipcache_high (percent)
  7556. # The size, low-, and high-water marks for the IP cache.
  7557. #Default:
  7558. # ipcache_high 95
  7559.  
  7560. # TAG: fqdncache_size (number of entries)
  7561. # Maximum number of FQDN cache entries.
  7562. #Default:
  7563. # fqdncache_size 1024
  7564.  
  7565. # MISCELLANEOUS
  7566. # -----------------------------------------------------------------------------
  7567.  
  7568. # TAG: configuration_includes_quoted_values on|off
  7569. # If set, Squid will recognize each "quoted string" after a configuration
  7570. # directive as a single parameter. The quotes are stripped before the
  7571. # parameter value is interpreted or used.
  7572. # See "Values with spaces, quotes, and other special characters"
  7573. # section for more details.
  7574. #Default:
  7575. # configuration_includes_quoted_values off
  7576.  
  7577. # TAG: memory_pools on|off
  7578. # If set, Squid will keep pools of allocated (but unused) memory
  7579. # available for future use. If memory is a premium on your
  7580. # system and you believe your malloc library outperforms Squid
  7581. # routines, disable this.
  7582. #Default:
  7583. # memory_pools on
  7584.  
  7585. # TAG: memory_pools_limit (bytes)
  7586. # Used only with memory_pools on:
  7587. # memory_pools_limit 50 MB
  7588. #
  7589. # If set to a non-zero value, Squid will keep at most the specified
  7590. # limit of allocated (but unused) memory in memory pools. All free()
  7591. # requests that exceed this limit will be handled by your malloc
  7592. # library. Squid does not pre-allocate any memory, just safe-keeps
  7593. # objects that otherwise would be free()d. Thus, it is safe to set
  7594. # memory_pools_limit to a reasonably high value even if your
  7595. # configuration will use less memory.
  7596. #
  7597. # If set to none, Squid will keep all memory it can. That is, there
  7598. # will be no limit on the total amount of memory used for safe-keeping.
  7599. #
  7600. # To disable memory allocation optimization, do not set
  7601. # memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
  7602. #
  7603. # An overhead for maintaining memory pools is not taken into account
  7604. # when the limit is checked. This overhead is close to four bytes per
  7605. # object kept. However, pools may actually _save_ memory because of
  7606. # reduced memory thrashing in your malloc library.
  7607. #Default:
  7608. # memory_pools_limit 5 MB
  7609.  
  7610. # TAG: forwarded_for on|off|transparent|truncate|delete
  7611. # If set to "on", Squid will append your client's IP address
  7612. # in the HTTP requests it forwards. By default it looks like:
  7613. #
  7614. # X-Forwarded-For: 192.1.2.3
  7615. #
  7616. # If set to "off", it will appear as
  7617. #
  7618. # X-Forwarded-For: unknown
  7619. #
  7620. # If set to "transparent", Squid will not alter the
  7621. # X-Forwarded-For header in any way.
  7622. #
  7623. # If set to "delete", Squid will delete the entire
  7624. # X-Forwarded-For header.
  7625. #
  7626. # If set to "truncate", Squid will remove all existing
  7627. # X-Forwarded-For entries, and place the client IP as the sole entry.
  7628. #Default:
  7629. # forwarded_for on
  7630.  
  7631. # TAG: cachemgr_passwd
  7632. # Specify passwords for cachemgr operations.
  7633. #
  7634. # Usage: cachemgr_passwd password action action ...
  7635. #
  7636. # Some valid actions are (see cache manager menu for a full list):
  7637. # 5min
  7638. # 60min
  7639. # asndb
  7640. # authenticator
  7641. # cbdata
  7642. # client_list
  7643. # comm_incoming
  7644. # config *
  7645. # counters
  7646. # delay
  7647. # digest_stats
  7648. # dns
  7649. # events
  7650. # filedescriptors
  7651. # fqdncache
  7652. # histograms
  7653. # http_headers
  7654. # info
  7655. # io
  7656. # ipcache
  7657. # mem
  7658. # menu
  7659. # netdb
  7660. # non_peers
  7661. # objects
  7662. # offline_toggle *
  7663. # pconn
  7664. # peer_select
  7665. # reconfigure *
  7666. # redirector
  7667. # refresh
  7668. # server_list
  7669. # shutdown *
  7670. # store_digest
  7671. # storedir
  7672. # utilization
  7673. # via_headers
  7674. # vm_objects
  7675. #
  7676. # * Indicates actions which will not be performed without a
  7677. # valid password, others can be performed if not listed here.
  7678. #
  7679. # To disable an action, set the password to "disable".
  7680. # To allow performing an action without a password, set the
  7681. # password to "none".
  7682. #
  7683. # Use the keyword "all" to set the same password for all actions.
  7684. #
  7685. #Example:
  7686. # cachemgr_passwd secret shutdown
  7687. # cachemgr_passwd lesssssssecret info stats/objects
  7688. # cachemgr_passwd disable all
  7689. #Default:
  7690. # No password. Actions which require password are denied.
  7691.  
  7692. # TAG: client_db on|off
  7693. # If you want to disable collecting per-client statistics,
  7694. # turn off client_db here.
  7695. #Default:
  7696. # client_db on
  7697.  
  7698. # TAG: refresh_all_ims on|off
  7699. # When you enable this option, squid will always check
  7700. # the origin server for an update when a client sends an
  7701. # If-Modified-Since request. Many browsers use IMS
  7702. # requests when the user requests a reload, and this
  7703. # ensures those clients receive the latest version.
  7704. #
  7705. # By default (off), squid may return a Not Modified response
  7706. # based on the age of the cached version.
  7707. #Default:
  7708. # refresh_all_ims off
  7709.  
  7710. # TAG: reload_into_ims on|off
  7711. # When you enable this option, client no-cache or ``reload''
  7712. # requests will be changed to If-Modified-Since requests.
  7713. # Doing this VIOLATES the HTTP standard. Enabling this
  7714. # feature could make you liable for problems which it
  7715. # causes.
  7716. #
  7717. # see also refresh_pattern for a more selective approach.
  7718. #Default:
  7719. # reload_into_ims off
  7720.  
  7721. # TAG: connect_retries
  7722. # This sets the maximum number of connection attempts made for each
  7723. # TCP connection. The connect_retries attempts must all still
  7724. # complete within the connection timeout period.
  7725. #
  7726. # The default is not to re-try if the first connection attempt fails.
  7727. # The (not recommended) maximum is 10 tries.
  7728. #
  7729. # A warning message will be generated if it is set to a too-high
  7730. # value and the configured value will be over-ridden.
  7731. #
  7732. # Note: These re-tries are in addition to forward_max_tries
  7733. # which limit how many different addresses may be tried to find
  7734. # a useful server.
  7735. #Default:
  7736. # Do not retry failed connections.
  7737.  
  7738. # TAG: retry_on_error
  7739. # If set to ON Squid will automatically retry requests when
  7740. # receiving an error response with status 403 (Forbidden),
  7741. # 500 (Internal Error), 501 or 503 (Service not available).
  7742. # Status 502 and 504 (Gateway errors) are always retried.
  7743. #
  7744. # This is mainly useful if you are in a complex cache hierarchy to
  7745. # work around access control errors.
  7746. #
  7747. # NOTE: This retry will attempt to find another working destination.
  7748. # Which is different from the server which just failed.
  7749. #Default:
  7750. # retry_on_error off
  7751.  
  7752. # TAG: as_whois_server
  7753. # WHOIS server to query for AS numbers. NOTE: AS numbers are
  7754. # queried only when Squid starts up, not for every request.
  7755. #Default:
  7756. # as_whois_server whois.ra.net
  7757.  
  7758. # TAG: offline_mode
  7759. # Enable this option and Squid will never try to validate cached
  7760. # objects.
  7761. #Default:
  7762. # offline_mode off
  7763.  
  7764. # TAG: uri_whitespace
  7765. # What to do with requests that have whitespace characters in the
  7766. # URI. Options:
  7767. #
  7768. # strip: The whitespace characters are stripped out of the URL.
  7769. # This is the behavior recommended by RFC2396 and RFC3986
  7770. # for tolerant handling of generic URI.
  7771. # NOTE: This is one difference between generic URI and HTTP URLs.
  7772. #
  7773. # deny: The request is denied. The user receives an "Invalid
  7774. # Request" message.
  7775. # This is the behaviour recommended by RFC2616 for safe
  7776. # handling of HTTP request URL.
  7777. #
  7778. # allow: The request is allowed and the URI is not changed. The
  7779. # whitespace characters remain in the URI. Note the
  7780. # whitespace is passed to redirector processes if they
  7781. # are in use.
  7782. # Note this may be considered a violation of RFC2616
  7783. # request parsing where whitespace is prohibited in the
  7784. # URL field.
  7785. #
  7786. # encode: The request is allowed and the whitespace characters are
  7787. # encoded according to RFC1738.
  7788. #
  7789. # chop: The request is allowed and the URI is chopped at the
  7790. # first whitespace.
  7791. #
  7792. #
  7793. # NOTE the current Squid implementation of encode and chop violates
  7794. # RFC2616 by not using a 301 redirect after altering the URL.
  7795. #Default:
  7796. # uri_whitespace strip
  7797.  
  7798. # TAG: chroot
  7799. # Specifies a directory where Squid should do a chroot() while
  7800. # initializing. This also causes Squid to fully drop root
  7801. # privileges after initializing. This means, for example, if you
  7802. # use a HTTP port less than 1024 and try to reconfigure, you may
  7803. # get an error saying that Squid can not open the port.
  7804. #Default:
  7805. # none
  7806.  
  7807. # TAG: balance_on_multiple_ip
  7808. # Modern IP resolvers in squid sort lookup results by preferred access.
  7809. # By default squid will use these IP in order and only rotates to
  7810. # the next listed when the most preffered fails.
  7811. #
  7812. # Some load balancing servers based on round robin DNS have been
  7813. # found not to preserve user session state across requests
  7814. # to different IP addresses.
  7815. #
  7816. # Enabling this directive Squid rotates IP's per request.
  7817. #Default:
  7818. # balance_on_multiple_ip off
  7819.  
  7820. # TAG: pipeline_prefetch
  7821. # HTTP clients may send a pipeline of 1+N requests to Squid using a
  7822. # single connection, without waiting for Squid to respond to the first
  7823. # of those requests. This option limits the number of concurrent
  7824. # requests Squid will try to handle in parallel. If set to N, Squid
  7825. # will try to receive and process up to 1+N requests on the same
  7826. # connection concurrently.
  7827. #
  7828. # Defaults to 0 (off) for bandwidth management and access logging
  7829. # reasons.
  7830. #
  7831. # NOTE: pipelining requires persistent connections to clients.
  7832. #
  7833. # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
  7834. #Default:
  7835. # Do not pre-parse pipelined requests.
  7836.  
  7837. # TAG: high_response_time_warning (msec)
  7838. # If the one-minute median response time exceeds this value,
  7839. # Squid prints a WARNING with debug level 0 to get the
  7840. # administrators attention. The value is in milliseconds.
  7841. #Default:
  7842. # disabled.
  7843.  
  7844. # TAG: high_page_fault_warning
  7845. # If the one-minute average page fault rate exceeds this
  7846. # value, Squid prints a WARNING with debug level 0 to get
  7847. # the administrators attention. The value is in page faults
  7848. # per second.
  7849. #Default:
  7850. # disabled.
  7851.  
  7852. # TAG: high_memory_warning
  7853. # Note: This option is only available if Squid is rebuilt with the
  7854. # GNU Malloc with mstats()
  7855. #
  7856. # If the memory usage (as determined by gnumalloc, if available and used)
  7857. # exceeds this amount, Squid prints a WARNING with debug level 0 to get
  7858. # the administrators attention.
  7859. #Default:
  7860. # disabled.
  7861.  
  7862. # TAG: sleep_after_fork (microseconds)
  7863. # When this is set to a non-zero value, the main Squid process
  7864. # sleeps the specified number of microseconds after a fork()
  7865. # system call. This sleep may help the situation where your
  7866. # system reports fork() failures due to lack of (virtual)
  7867. # memory. Note, however, if you have a lot of child
  7868. # processes, these sleep delays will add up and your
  7869. # Squid will not service requests for some amount of time
  7870. # until all the child processes have been started.
  7871. # On Windows value less then 1000 (1 milliseconds) are
  7872. # rounded to 1000.
  7873. #Default:
  7874. # sleep_after_fork 0
  7875.  
  7876. # TAG: windows_ipaddrchangemonitor on|off
  7877. # Note: This option is only available if Squid is rebuilt with the
  7878. # MS Windows
  7879. #
  7880. # On Windows Squid by default will monitor IP address changes and will
  7881. # reconfigure itself after any detected event. This is very useful for
  7882. # proxies connected to internet with dial-up interfaces.
  7883. # In some cases (a Proxy server acting as VPN gateway is one) it could be
  7884. # desiderable to disable this behaviour setting this to 'off'.
  7885. # Note: after changing this, Squid service must be restarted.
  7886. #Default:
  7887. # windows_ipaddrchangemonitor on
  7888.  
  7889. # TAG: eui_lookup
  7890. # Whether to lookup the EUI or MAC address of a connected client.
  7891. #Default:
  7892. # eui_lookup on
  7893.  
  7894. # TAG: max_filedescriptors
  7895. # Reduce the maximum number of filedescriptors supported below
  7896. # the usual operating system defaults.
  7897. #
  7898. # Remove from squid.conf to inherit the current ulimit setting.
  7899. #
  7900. # Note: Changing this requires a restart of Squid. Also
  7901. # not all I/O types supports large values (eg on Windows).
  7902. #Default:
  7903. # Use operating system limits set by ulimit.
  7904.  
  7905. cache_effective_group proxy
Add Comment
Please, Sign In to add comment