1# WELCOME TO SQUID 3.4.8
2# ----------------------------
3#
4# This is the documentation for the Squid configuration file.
5# This documentation can also be found online at:
6# http://www.squid-cache.org/Doc/config/
7#
8# You may wish to look at the Squid home page and wiki for the
9# FAQ and other documentation:
10# http://www.squid-cache.org/
11# http://wiki.squid-cache.org/SquidFaq
12# http://wiki.squid-cache.org/ConfigExamples
13#
14# This documentation shows what the defaults for various directives
15# happen to be. If you don't need to change the default, you should
16# leave the line out of your squid.conf in most cases.
17#
18# In some cases "none" refers to no default setting at all,
19# while in other cases it refers to the value of the option
20# - the comments for that keyword indicate if this is the case.
21#
22
23# Configuration options can be included using the "include" directive.
24# Include takes a list of files to include. Quoting and wildcards are
25# supported.
26#
27# For example,
28#
29# include /path/to/included/file/squid.acl.config
30#
31# Includes can be nested up to a hard-coded depth of 16 levels.
32# This arbitrary restriction is to prevent recursive include references
33# from causing Squid to enter an infinite loop whilst trying to load
34# configuration files.
35#
36# Values with byte units
37#
38# Squid accepts size units on some size related directives. All
39# such directives are documented with a default value displaying
40# a unit.
41#
42# Units accepted by Squid are:
43# bytes - byte
44# KB - Kilobyte (1024 bytes)
45# MB - Megabyte
46# GB - Gigabyte
47#
48# Values with spaces, quotes, and other special characters
49#
50# Squid supports directive parameters with spaces, quotes, and other
51# special characters. Surround such parameters with "double quotes". Use
52# the configuration_includes_quoted_values directive to enable or
53# disable that support.
54#
55# For example;
56#
57# configuration_includes_quoted_values on
58# acl group external groupCheck Administrators "Internet Users" Guest
59# configuration_includes_quoted_values off
60#
61#
62# Conditional configuration
63#
64# If-statements can be used to make configuration directives
65# depend on conditions:
66#
67# if <CONDITION>
68# ... regular configuration directives ...
69# [else
70# ... regular configuration directives ...]
71# endif
72#
73# The else part is optional. The keywords "if", "else", and "endif"
74# must be typed on their own lines, as if they were regular
75# configuration directives.
76#
77# NOTE: An else-if condition is not supported.
78#
79# These individual conditions types are supported:
80#
81# true
82# Always evaluates to true.
83# false
84# Always evaluates to false.
85# <integer> = <integer>
86# Equality comparison of two integer numbers.
87#
88#
89# SMP-Related Macros
90#
91# The following SMP-related preprocessor macros can be used.
92#
93# ${process_name} expands to the current Squid process "name"
94# (e.g., squid1, squid2, or cache1).
95#
96# ${process_number} expands to the current Squid process
97# identifier, which is an integer number (e.g., 1, 2, 3) unique
98# across all Squid processes.
99
100# TAG: broken_vary_encoding
101# This option is not yet supported by Squid-3.
102#Default:
103# none
104
105# TAG: cache_vary
106# This option is not yet supported by Squid-3.
107#Default:
108# none
109
110# TAG: collapsed_forwarding
111# This option is not yet supported by Squid-3. See http://bugs.squid-cache.org/show_bug.cgi?id=3495
112#Default:
113# none
114
115# TAG: error_map
116# This option is not yet supported by Squid-3.
117#Default:
118# none
119
120# TAG: external_refresh_check
121# This option is not yet supported by Squid-3.
122#Default:
123# none
124
125# TAG: location_rewrite_program
126# This option is not yet supported by Squid-3.
127#Default:
128# none
129
130# TAG: refresh_stale_hit
131# This option is not yet supported by Squid-3.
132#Default:
133# none
134
135# TAG: ignore_ims_on_miss
136# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'.
137#Default:
138# none
139
140# TAG: ignore_expect_100
141# Remove this line. The HTTP/1.1 feature is now fully supported by default.
142#Default:
143# none
144
145# TAG: dns_v4_fallback
146# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
147#Default:
148# none
149
150# TAG: ftp_list_width
151# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
152#Default:
153# none
154
155# TAG: maximum_single_addr_tries
156# Replaced by connect_retries. The behaviour has changed, please read the documentation before altering.
157#Default:
158# none
159
160# TAG: update_headers
161# Remove this line. The feature is supported by default in storage types where update is implemented.
162#Default:
163# none
164
165# TAG: url_rewrite_concurrency
166# Remove this line. Set the 'concurrency=' option of url_rewrite_children instead.
167#Default:
168# none
169
170# TAG: dns_testnames
171# Remove this line. DNS is no longer tested on startup.
172#Default:
173# none
174
175# TAG: extension_methods
176# Remove this line. All valid methods for HTTP are accepted by default.
177#Default:
178# none
179
180# TAG: zero_buffers
181#Default:
182# none
183
184# TAG: incoming_rate
185#Default:
186# none
187
188# TAG: server_http11
189# Remove this line. HTTP/1.1 is supported by default.
190#Default:
191# none
192
193# TAG: upgrade_http0.9
194# Remove this line. ICY/1.0 streaming protocol is supported by default.
195#Default:
196# none
197
198# TAG: zph_local
199# Alter these entries. Use the qos_flows directive instead.
200#Default:
201# none
202
203# TAG: header_access
204# Since squid-3.0 replace with request_header_access or reply_header_access
205# depending on whether you wish to match client requests or server replies.
206#Default:
207# none
208
209# TAG: httpd_accel_no_pmtu_disc
210# Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
211#Default:
212# none
213
214# TAG: wais_relay_host
215# Replace this line with 'cache_peer' configuration.
216#Default:
217# none
218
219# TAG: wais_relay_port
220# Replace this line with 'cache_peer' configuration.
221#Default:
222# none
223
224# OPTIONS FOR AUTHENTICATION
225# -----------------------------------------------------------------------------
226
227# TAG: auth_param
228# This is used to define parameters for the various authentication
229# schemes supported by Squid.
230#
231# format: auth_param scheme parameter [setting]
232#
233# The order in which authentication schemes are presented to the client is
234# dependent on the order the scheme first appears in config file. IE
235# has a bug (it's not RFC 2617 compliant) in that it will use the basic
236# scheme if basic is the first entry presented, even if more secure
237# schemes are presented. For now use the order in the recommended
238# settings section below. If other browsers have difficulties (don't
239# recognize the schemes offered even if you are using basic) either
240# put basic first, or disable the other schemes (by commenting out their
241# program entry).
242#
243# Once an authentication scheme is fully configured, it can only be
244# shut down by shutting squid down and restarting. Changes can be made on
245# the fly and activated with a reconfigure. I.E. You can change to a
246# different helper, but not unconfigure the helper completely.
247#
248# Please note that while this directive defines how Squid processes
249# authentication it does not automatically activate authentication.
250# To use authentication you must in addition make use of ACLs based
251# on login name in http_access (proxy_auth, proxy_auth_regex or
252# external with %LOGIN used in the format tag). The browser will be
253# challenged for authentication on the first such acl encountered
254# in http_access processing and will also be re-challenged for new
255# login credentials if the request is being denied by a proxy_auth
256# type acl.
257#
258# WARNING: authentication can't be used in a transparently intercepting
259# proxy as the client then thinks it is talking to an origin server and
260# not the proxy. This is a limitation of bending the TCP/IP protocol to
261# transparently intercepting port 80, not a limitation in Squid.
262# Ports flagged 'transparent', 'intercept', or 'tproxy' have
263# authentication disabled.
264#
265# === Parameters for the basic scheme follow. ===
266#
267# "program" cmdline
268# Specify the command for the external authenticator. Such a program
269# reads a line containing "username password" and replies with one of
270# three results:
271#
272# OK
273# the user exists.
274#
275# ERR
276# the user does not exist.
277#
278# BH
279# An internal error occurred in the helper, preventing
280# a result being identified.
281#
282# "ERR" and "BH" results may optionally be followed by message="..."
283# containing a description available as %m in the returned error page.
284#
285# If you use an authenticator, make sure you have 1 acl of type
286# proxy_auth.
287#
288# By default, the basic authentication scheme is not used unless a
289# program is specified.
290#
291# If you want to use the traditional NCSA proxy authentication, set
292# this line to something like
293#
294# auth_param basic program /usr/lib/squid3/basic_ncsa_auth /usr/etc/passwd
295#
296# "utf8" on|off
297# HTTP uses iso-latin-1 as character set, while some authentication
298# backends such as LDAP expect UTF-8. If this is set to on Squid will
299# translate the HTTP iso-latin-1 charset to UTF-8 before sending the
300# username & password to the helper.
301#
302# "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
303# The maximum number of authenticator processes to spawn. If you start too few
304# Squid will have to wait for them to process a backlog of credential
305# verifications, slowing it down. When password verifications are
306# done via a (slow) network you are likely to need lots of
307# authenticator processes.
308#
309# The startup= and idle= options permit some skew in the exact amount
310# run. A minimum of startup=N will begin during startup and reconfigure.
311# Squid will start more in groups of up to idle=N in an attempt to meet
312# traffic needs and to keep idle=N free above those traffic needs up to
313# the maximum.
314#
315# The concurrency= option sets the number of concurrent requests the
316# helper can process. The default of 0 is used for helpers that only
317# support one request at a time. Setting this to a number greater than
318# 0 changes the protocol used to include a channel number first on the
319# request/response line, allowing multiple requests to be sent to the
320# same helper in parallel without waiting for the response.
321# Must not be set unless it's known the helper supports this.
322#
323# auth_param basic children 20 startup=0 idle=1
324#
325# "realm" realmstring
326# Specifies the realm name which is to be reported to the
327# client for the basic proxy authentication scheme (part of
328# the text the user will see when prompted for their username and
329# password). There is no default.
330# auth_param basic realm Squid proxy-caching web server
331#
332# "credentialsttl" timetolive
333# Specifies how long squid assumes an externally validated
334# username:password pair is valid for - in other words how
335# often the helper program is called for that user. Set this
336# low to force revalidation with short lived passwords. Note
337# setting this high does not impact your susceptibility
338# to replay attacks unless you are using a one-time password
339# system (such as SecureID). If you are using such a system,
340# you will be vulnerable to replay attacks unless you also
341# use the max_user_ip ACL in an http_access rule.
342#
343# "casesensitive" on|off
344# Specifies if usernames are case sensitive. Most user databases are
345# case insensitive allowing the same username to be spelled using both
346# lower and upper case letters, but some are case sensitive. This
347# makes a big difference for max_user_ip ACL processing and similar.
348# auth_param basic casesensitive off
349#
350# === Parameters for the digest scheme follow ===
351#
352# "program" cmdline
353# Specify the command for the external authenticator. Such
354# a program reads a line containing "username":"realm" and
355# replies with one of three results:
356#
357# OK ha1="..."
358# the user exists. The ha1= key is mandatory and
359# contains the appropriate H(A1) value, hex encoded.
360# See rfc 2616 for the definition of H(A1).
361#
362# ERR
363# the user does not exist.
364#
365# BH
366# An internal error occurred in the helper, preventing
367# a result being identified.
368#
369# "ERR" and "BH" results may optionally be followed by message="..."
370# containing a description available as %m in the returned error page.
371#
372# By default, the digest authentication scheme is not used unless a
373# program is specified.
374#
375# If you want to use a digest authenticator, set this line to
376# something like
377#
378# auth_param digest program /usr/lib/squid3/digest_pw_auth /usr/etc/digpass
379#
380# "utf8" on|off
381# HTTP uses iso-latin-1 as character set, while some authentication
382# backends such as LDAP expect UTF-8. If this is set to on Squid will
383# translate the HTTP iso-latin-1 charset to UTF-8 before sending the
384# username & password to the helper.
385#
386# "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
387# The maximum number of authenticator processes to spawn (default 5).
388# If you start too few Squid will have to wait for them to
389# process a backlog of H(A1) calculations, slowing it down.
390# When the H(A1) calculations are done via a (slow) network
391# you are likely to need lots of authenticator processes.
392#
393# The startup= and idle= options permit some skew in the exact amount
394# run. A minimum of startup=N will begin during startup and reconfigure.
395# Squid will start more in groups of up to idle=N in an attempt to meet
396# traffic needs and to keep idle=N free above those traffic needs up to
397# the maximum.
398#
399# The concurrency= option sets the number of concurrent requests the
400# helper can process. The default of 0 is used for helpers that only
401# support one request at a time. Setting this to a number greater than
402# 0 changes the protocol used to include a channel number first on the
403# request/response line, allowing multiple requests to be sent to the
404# same helper in parallel without waiting for the response.
405# Must not be set unless it's known the helper supports this.
406#
407# auth_param digest children 20 startup=0 idle=1
408#
409# "realm" realmstring
410# Specifies the realm name which is to be reported to the
411# client for the digest proxy authentication scheme (part of
412# the text the user will see when prompted for their username and
413# password). There is no default.
414# auth_param digest realm Squid proxy-caching web server
415#
416# "nonce_garbage_interval" timeinterval
417# Specifies the interval that nonces that have been issued
418# to client agents are checked for validity.
419#
420# "nonce_max_duration" timeinterval
421# Specifies the maximum length of time a given nonce will be
422# valid for.
423#
424# "nonce_max_count" number
425# Specifies the maximum number of times a given nonce can be
426# used.
427#
428# "nonce_strictness" on|off
429# Determines if squid requires strict increment-by-1 behavior
430# for nonce counts, or just incrementing (off - for use when
431# user agents generate nonce counts that occasionally miss 1
432# (ie, 1,2,4,6)). Default off.
433#
434# "check_nonce_count" on|off
435# This directive if set to off can disable the nonce count check
436# completely to work around buggy digest qop implementations in
437# certain mainstream browser versions. Default on to check the
438# nonce count to protect from authentication replay attacks.
439#
440# "post_workaround" on|off
441# This is a workaround for certain buggy browsers that send
442# an incorrect request digest in POST requests when reusing
443# the same nonce as acquired earlier on a GET request.
444#
445# === NTLM scheme options follow ===
446#
447# "program" cmdline
448# Specify the command for the external NTLM authenticator.
449# Such a program reads exchanged NTLMSSP packets with
450# the browser via Squid until authentication is completed.
451# If you use an NTLM authenticator, make sure you have 1 acl
452# of type proxy_auth. By default, the NTLM authenticator program
453# is not used.
454#
455# NOTE: In Debian the ntlm_auth program is distributed in the winbindd package
456# which is required for this auth scheme to work
457#
458# auth_param ntlm program /usr/bin/ntlm_auth
459#
460# "children" numberofchildren [startup=N] [idle=N]
461# The maximum number of authenticator processes to spawn (default 5).
462# If you start too few Squid will have to wait for them to
463# process a backlog of credential verifications, slowing it
464# down. When credential verifications are done via a (slow)
465# network you are likely to need lots of authenticator
466# processes.
467#
468# The startup= and idle= options permit some skew in the exact amount
469# run. A minimum of startup=N will begin during startup and reconfigure.
470# Squid will start more in groups of up to idle=N in an attempt to meet
471# traffic needs and to keep idle=N free above those traffic needs up to
472# the maximum.
473#
474# auth_param ntlm children 20 startup=0 idle=1
475#
476# "keep_alive" on|off
477# If you experience problems with PUT/POST requests when using the
478# Negotiate authentication scheme then you can try setting this to
479# off. This will cause Squid to forcibly close the connection on
480# the initial requests where the browser asks which schemes are
481# supported by the proxy.
482#
483# auth_param ntlm keep_alive on
484#
485# === Options for configuring the NEGOTIATE auth-scheme follow ===
486#
487# "program" cmdline
488# Specify the command for the external Negotiate authenticator.
489# This protocol is used in Microsoft Active-Directory enabled setups with
490# the Microsoft Internet Explorer or Mozilla Firefox browsers.
491# Its main purpose is to exchange credentials with the Squid proxy
492# using the Kerberos mechanisms.
493# If you use a Negotiate authenticator, make sure you have at least
494# one acl of type proxy_auth active. By default, the negotiate
495# authenticator program is not used.
496# The only supported program for this role is the ntlm_auth
497# program distributed as part of Samba, version 4 or later.
498#
499# NOTE: In Debian the ntlm_auth program is distributed in the winbindd package
500# which is required for this auth scheme to work
501#
502# auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego
503#
504# "children" numberofchildren [startup=N] [idle=N]
505# The maximum number of authenticator processes to spawn (default 5).
506# If you start too few Squid will have to wait for them to
507# process a backlog of credential verifications, slowing it
508# down. When credential verifications are done via a (slow)
509# network you are likely to need lots of authenticator
510# processes.
511#
512# The startup= and idle= options permit some skew in the exact amount
513# run. A minimum of startup=N will begin during startup and reconfigure.
514# Squid will start more in groups of up to idle=N in an attempt to meet
515# traffic needs and to keep idle=N free above those traffic needs up to
516# the maximum.
517#
518# auth_param negotiate children 20 startup=0 idle=1
519#
520# "keep_alive" on|off
521# If you experience problems with PUT/POST requests when using the
522# Negotiate authentication scheme then you can try setting this to
523# off. This will cause Squid to forcibly close the connection on
524# the initial requests where the browser asks which schemes are
525# supported by the proxy.
526#
527# auth_param negotiate keep_alive on
528#
529#
530# Examples:
531#
532##Recommended minimum configuration per scheme:
533##auth_param negotiate program <uncomment and complete this line to activate>
534##auth_param negotiate children 20 startup=0 idle=1
535##auth_param negotiate keep_alive on
536##
537##auth_param ntlm program <uncomment and complete this line to activate>
538##auth_param ntlm children 20 startup=0 idle=1
539##auth_param ntlm keep_alive on
540##
541##auth_param digest program <uncomment and complete this line>
542##auth_param digest children 20 startup=0 idle=1
543##auth_param digest realm Squid proxy-caching web server
544##auth_param digest nonce_garbage_interval 5 minutes
545##auth_param digest nonce_max_duration 30 minutes
546##auth_param digest nonce_max_count 50
547##
548##auth_param basic program <uncomment and complete this line>
549##auth_param basic children 5 startup=5 idle=1
550##auth_param basic realm Squid proxy-caching web server
551##auth_param basic credentialsttl 2 hours
552#Default:
553# none
554
555# TAG: authenticate_cache_garbage_interval
556# The time period between garbage collection across the username cache.
557# This is a trade-off between memory utilization (long intervals - say
558# 2 days) and CPU (short intervals - say 1 minute). Only change if you
559# have good reason to.
560#Default:
561# authenticate_cache_garbage_interval 1 hour
562
563# TAG: authenticate_ttl
564# The time a user & their credentials stay in the logged in
565# user cache since their last request. When the garbage
566# interval passes, all user credentials that have passed their
567# TTL are removed from memory.
568#Default:
569# authenticate_ttl 1 hour
570
571# TAG: authenticate_ip_ttl
572# If you use proxy authentication and the 'max_user_ip' ACL,
573# this directive controls how long Squid remembers the IP
574# addresses associated with each user. Use a small value
575# (e.g., 60 seconds) if your users might change addresses
576# quickly, as is the case with dialup. You might be safe
577# using a larger value (e.g., 2 hours) in a corporate LAN
578# environment with relatively static address assignments.
579#Default:
580# authenticate_ip_ttl 1 second
581
582# ACCESS CONTROLS
583# -----------------------------------------------------------------------------
584
585# TAG: external_acl_type
586# This option defines external acl classes using a helper program
587# to look up the status
588#
589# external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
590#
591# Options:
592#
593# ttl=n TTL in seconds for cached results (defaults to 3600
594# for 1 hour)
595# negative_ttl=n
596# TTL for cached negative lookups (default same
597# as ttl)
598# children-max=n
599# Maximum number of acl helper processes spawned to service
600# external acl lookups of this type. (default 20)
601# children-startup=n
602# Minimum number of acl helper processes to spawn during
603# startup and reconfigure to service external acl lookups
604# of this type. (default 0)
605# children-idle=n
606# Number of acl helper processes to keep ahead of traffic
607# loads. Squid will spawn this many at once whenever load
608# rises above the capabilities of existing processes.
609# Up to the value of children-max. (default 1)
610# concurrency=n concurrency level per process. Only used with helpers
611# capable of processing more than one query at a time.
612# cache=n limit the result cache size, default is 262144.
613# grace=n Percentage remaining of TTL where a refresh of a
614# cached entry should be initiated without needing to
615# wait for a new reply. (default is for no grace period)
616# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
617# ipv4 / ipv6 IP protocol used to communicate with this helper.
618# The default is to auto-detect IPv6 and use it when available.
619#
620# FORMAT specifications
621#
622# %LOGIN Authenticated user login name
623# %EXT_USER Username from previous external acl
624# %EXT_LOG Log details from previous external acl
625# %EXT_TAG Tag from previous external acl
626# %IDENT Ident user name
627# %SRC Client IP
628# %SRCPORT Client source port
629# %URI Requested URI
630# %DST Requested host
631# %PROTO Requested protocol
632# %PORT Requested port
633# %PATH Requested URL path
634# %METHOD Request method
635# %MYADDR Squid interface address
636# %MYPORT Squid http_port number
637# %PATH Requested URL-path (including query-string if any)
638# %USER_CERT SSL User certificate in PEM format
639# %USER_CERTCHAIN SSL User certificate chain in PEM format
640# %USER_CERT_xx SSL User certificate subject attribute xx
641# %USER_CA_CERT_xx SSL User certificate issuer attribute xx
642#
643# %>{Header} HTTP request header "Header"
644# %>{Hdr:member}
645# HTTP request header "Hdr" list member "member"
646# %>{Hdr:;member}
647# HTTP request header list member using ; as
648# list separator. ; can be any non-alphanumeric
649# character.
650#
651# %<{Header} HTTP reply header "Header"
652# %<{Hdr:member}
653# HTTP reply header "Hdr" list member "member"
654# %<{Hdr:;member}
655# HTTP reply header list member using ; as
656# list separator. ; can be any non-alphanumeric
657# character.
658#
659# %ACL The name of the ACL being tested.
660# %DATA The ACL arguments. If not used then any arguments
661# are automatically added at the end of the line
662# sent to the helper.
663# NOTE: this will encode the arguments as one token,
664# whereas the default will pass each separately.
665#
666# %% The percent sign. Useful for helpers which need
667# an unchanging input format.
668#
669#
670# General request syntax:
671#
672# [channel-ID] FORMAT-values [acl-values ...]
673#
674#
675# FORMAT-values consists of transaction details expanded with
676# whitespace separation per the config file FORMAT specification
677# using the FORMAT macros listed above.
678#
679# acl-values consists of any string specified in the referencing
680# config 'acl ... external' line. see the "acl external" directive.
681#
682# Request values sent to the helper are URL escaped to protect
683# each value in requests against whitespaces.
684#
685# If using protocol=2.5 then the request sent to the helper is not
686# URL escaped to protect against whitespace.
687#
688# NOTE: protocol=3.0 is deprecated as no longer necessary.
689#
690# When using the concurrency= option the protocol is changed by
691# introducing a query channel tag in front of the request/response.
692# The query channel tag is a number between 0 and concurrency-1.
693# This value must be echoed back unchanged to Squid as the first part
694# of the response relating to its request.
695#
696#
697# The helper receives lines expanded per the above format specification
698# and for each input line returns 1 line starting with OK/ERR/BH result
699# code and optionally followed by additional keywords with more details.
700#
701#
702# General result syntax:
703#
704# [channel-ID] result keyword=value ...
705#
706# Result consists of one of the codes:
707#
708# OK
709# the ACL test produced a match.
710#
711# ERR
712# the ACL test does not produce a match.
713#
714# BH
715# An internal error occurred in the helper, preventing
716# a result being identified.
717#
718# The meaning of 'a match' is determined by your squid.conf
719# access control configuration. See the Squid wiki for details.
720#
721# Defined keywords:
722#
723# user= The users name (login)
724#
725# password= The users password (for login= cache_peer option)
726#
727# message= Message describing the reason for this response.
728# Available as %o in error pages.
729# Useful on (ERR and BH results).
730#
731# tag= Apply a tag to a request. Only sets a tag once,
732# does not alter existing tags.
733#
734# log= String to be logged in access.log. Available as
735# %ea in logformat specifications.
736#
737# Any keywords may be sent on any response whether OK, ERR or BH.
738#
739# All response keyword values need to be a single token with URL
740# escaping, or enclosed in double quotes (") and escaped using \ on
741# any double quotes or \ characters within the value. The wrapping
742# double quotes are removed before the value is interpreted by Squid.
743# \r and \n are also replaced by CR and LF.
744#
745# Some example key values:
746#
747# user=John%20Smith
748# user="John Smith"
749# user="J. \"Bob\" Smith"
750#Default:
751# none
752
753# TAG: acl
754# Defining an Access List
755#
756# Every access list definition must begin with an aclname and acltype,
757# followed by either type-specific arguments or a quoted filename that
758# they are read from.
759#
760# acl aclname acltype argument ...
761# acl aclname acltype "file" ...
762#
763# When using "file", the file should contain one item per line.
764#
765# Some acl types support options which change their default behaviour.
766# The available options are:
767#
768# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them
769# case-insensitive, use the -i option. To return case-sensitive
770# use the +i option between patterns, or make a new ACL line
771# without -i.
772#
773# -n Disable lookups and address type conversions. If lookup or
774# conversion is required because the parameter type (IP or
775# domain name) does not match the message address type (domain
776# name or IP), then the ACL would immediately declare a mismatch
777# without any warnings or lookups.
778#
779# -- Used to stop processing all options, in the case the first acl
780# value has '-' character as first character (for example the '-'
781# is a valid domain name)
782#
783# Some acl types require suspending the current request in order
784# to access some external data source.
785# Those which do are marked with the tag [slow], those which
786# don't are marked as [fast].
787# See http://wiki.squid-cache.org/SquidFaq/SquidAcl
788# for further information
789#
790# ***** ACL TYPES AVAILABLE *****
791#
792# acl aclname src ip-address/mask ... # clients IP address [fast]
793# acl aclname src addr1-addr2/mask ... # range of addresses [fast]
794# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow]
795# acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
796#
797# acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
798# # The arp ACL requires the special configure option --enable-arp-acl.
799# # Furthermore, the ARP ACL code is not portable to all operating systems.
800# # It works on Linux, Solaris, Windows, FreeBSD, and some
801# # other *BSD variants.
802# # [fast]
803# #
804# # NOTE: Squid can only determine the MAC address for clients that are on
805# # the same subnet. If the client is on a different subnet,
806# # then Squid cannot find out its MAC address.
807#
808# acl aclname srcdomain .foo.com ...
809# # reverse lookup, from client IP [slow]
810# acl aclname dstdomain [-n] .foo.com ...
811# # Destination server from URL [fast]
812# acl aclname srcdom_regex [-i] \.foo\.com ...
813# # regex matching client name [slow]
814# acl aclname dstdom_regex [-n] [-i] \.foo\.com ...
815# # regex matching server [fast]
816# #
817# # For dstdomain and dstdom_regex a reverse lookup is tried if an IP
818# # based URL is used and no match is found. The name "none" is used
819# # if the reverse lookup fails.
820#
821# acl aclname src_as number ...
822# acl aclname dst_as number ...
823# # [fast]
824# # Except for access control, AS numbers can be used for
825# # routing of requests to specific caches. Here's an
826# # example for routing all requests for AS#1241 and only
827# # those to mycache.mydomain.net:
828# # acl asexample dst_as 1241
829# # cache_peer_access mycache.mydomain.net allow asexample
830# # cache_peer_access mycache_mydomain.net deny all
831#
832# acl aclname peername myPeer ...
833# # [fast]
834# # match against a named cache_peer entry
835# # set unique name= on cache_peer lines for reliable use.
836#
837# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
838# # [fast]
839# # day-abbrevs:
840# # S - Sunday
841# # M - Monday
842# # T - Tuesday
843# # W - Wednesday
844# # H - Thursday
845# # F - Friday
846# # A - Saturday
847# # h1:m1 must be less than h2:m2
848#
849# acl aclname url_regex [-i] ^http:// ...
850# # regex matching on whole URL [fast]
851# acl aclname urllogin [-i] [^a-zA-Z0-9] ...
852# # regex matching on URL login field
853# acl aclname urlpath_regex [-i] \.gif$ ...
854# # regex matching on URL path [fast]
855#
856# acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
# # ranges are allowed
858# acl aclname localport 3128 ... # TCP port the client connected to [fast]
859# # NP: for interception mode this is usually '80'
860#
861# acl aclname myportname 3128 ... # http(s)_port name [fast]
862#
863# acl aclname proto HTTP FTP ... # request protocol [fast]
864#
865# acl aclname method GET POST ... # HTTP request method [fast]
866#
867# acl aclname http_status 200 301 500- 400-403 ...
868# # status code in reply [fast]
869#
870# acl aclname browser [-i] regexp ...
871# # pattern match on User-Agent header (see also req_header below) [fast]
872#
873# acl aclname referer_regex [-i] regexp ...
874# # pattern match on Referer header [fast]
875# # Referer is highly unreliable, so use with care
876#
877# acl aclname ident username ...
878# acl aclname ident_regex [-i] pattern ...
879# # string match on ident output [slow]
880# # use REQUIRED to accept any non-null ident.
881#
882# acl aclname proxy_auth [-i] username ...
883# acl aclname proxy_auth_regex [-i] pattern ...
884# # perform http authentication challenge to the client and match against
885# # supplied credentials [slow]
886# #
887# # takes a list of allowed usernames.
888# # use REQUIRED to accept any valid username.
889# #
890# # Will use proxy authentication in forward-proxy scenarios, and plain
# # HTTP authentication in reverse-proxy scenarios.
892# #
893# # NOTE: when a Proxy-Authentication header is sent but it is not
894# # needed during ACL checking the username is NOT logged
895# # in access.log.
896# #
# # NOTE: proxy_auth requires an EXTERNAL authentication program
898# # to check username/password combinations (see
899# # auth_param directive).
900# #
901# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
902# # as the browser needs to be configured for using a proxy in order
903# # to respond to proxy authentication.
904#
905# acl aclname snmp_community string ...
906# # A community string to limit access to your SNMP Agent [fast]
907# # Example:
908# #
909# # acl snmppublic snmp_community public
910#
911# acl aclname maxconn number
912# # This will be matched when the client's IP address has
913# # more than <number> TCP connections established. [fast]
914# # NOTE: This only measures direct TCP links so X-Forwarded-For
915# # indirect clients are not counted.
916#
917# acl aclname max_user_ip [-s] number
918# # This will be matched when the user attempts to log in from more
919# # than <number> different ip addresses. The authenticate_ip_ttl
920# # parameter controls the timeout on the ip entries. [fast]
921# # If -s is specified the limit is strict, denying browsing
922# # from any further IP addresses until the ttl has expired. Without
923# # -s Squid will just annoy the user by "randomly" denying requests.
924# # (the counter is reset each time the limit is reached and a
925# # request is denied)
926# # NOTE: in acceleration mode or where there is mesh of child proxies,
927# # clients may appear to come from multiple addresses if they are
928# # going through proxy farms, so a limit of 1 may cause user problems.
929#
930# acl aclname random probability
931# # Pseudo-randomly match requests. Based on the probability given.
932# # Probability may be written as a decimal (0.333), fraction (1/3)
933# # or ratio of matches:non-matches (3:5).
934#
935# acl aclname req_mime_type [-i] mime-type ...
936# # regex match against the mime type of the request generated
937# # by the client. Can be used to detect file upload or some
# # types of HTTP tunneling requests [fast]
939# # NOTE: This does NOT match the reply. You cannot use this
940# # to match the returned file type.
941#
942# acl aclname req_header header-name [-i] any\.regex\.here
943# # regex match against any of the known request headers. May be
944# # thought of as a superset of "browser", "referer" and "mime-type"
945# # ACL [fast]
946#
947# acl aclname rep_mime_type [-i] mime-type ...
948# # regex match against the mime type of the reply received by
949# # squid. Can be used to detect file download or some
# # types of HTTP tunneling requests. [fast]
951# # NOTE: This has no effect in http_access rules. It only has
952# # effect in rules that affect the reply data stream such as
953# # http_reply_access.
954#
955# acl aclname rep_header header-name [-i] any\.regex\.here
956# # regex match against any of the known reply headers. May be
957# # thought of as a superset of "browser", "referer" and "mime-type"
958# # ACLs [fast]
959#
960# acl aclname external class_name [arguments...]
961# # external ACL lookup via a helper class defined by the
962# # external_acl_type directive [slow]
963#
964# acl aclname user_cert attribute values...
965# # match against attributes in a user SSL certificate
966# # attribute is one of DN/C/O/CN/L/ST [fast]
967#
968# acl aclname ca_cert attribute values...
# # match against attributes of the user's issuing CA SSL certificate
970# # attribute is one of DN/C/O/CN/L/ST [fast]
971#
972# acl aclname ext_user username ...
973# acl aclname ext_user_regex [-i] pattern ...
974# # string match on username returned by external acl helper [slow]
975# # use REQUIRED to accept any non-null user name.
976#
977# acl aclname tag tagvalue ...
978# # string match on tag returned by external acl helper [slow]
979#
980# acl aclname hier_code codename ...
981# # string match against squid hierarchy code(s); [fast]
982# # e.g., DIRECT, PARENT_HIT, NONE, etc.
983# #
984# # NOTE: This has no effect in http_access rules. It only has
985# # effect in rules that affect the reply data stream such as
986# # http_reply_access.
987#
988# acl aclname note name [value ...]
989# # match transaction annotation [fast]
990# # Without values, matches any annotation with a given name.
991# # With value(s), matches any annotation with a given name that
992# # also has one of the given values.
993# # Names and values are compared using a string equality test.
994# # Annotation sources include note and adaptation_meta directives
995# # as well as helper and eCAP responses.
996#
997# acl aclname any-of acl1 acl2 ...
998# # match any one of the acls [fast or slow]
999# # The first matching ACL stops further ACL evaluation.
1000# #
1001# # ACLs from multiple any-of lines with the same name are ORed.
1002# # For example, A = (a1 or a2) or (a3 or a4) can be written as
1003# # acl A any-of a1 a2
1004# # acl A any-of a3 a4
1005# #
1006# # This group ACL is fast if all evaluated ACLs in the group are fast
1007# # and slow otherwise.
1008#
1009# acl aclname all-of acl1 acl2 ...
1010# # match all of the acls [fast or slow]
1011# # The first mismatching ACL stops further ACL evaluation.
1012# #
1013# # ACLs from multiple all-of lines with the same name are ORed.
1014# # For example, B = (b1 and b2) or (b3 and b4) can be written as
1015# # acl B all-of b1 b2
1016# # acl B all-of b3 b4
1017# #
1018# # This group ACL is fast if all evaluated ACLs in the group are fast
1019# # and slow otherwise.
1020#
1021# Examples:
1022# acl macaddress arp 09:00:2b:23:45:67
1023# acl myexample dst_as 1241
1024# acl password proxy_auth REQUIRED
1025# acl fileupload req_mime_type -i ^multipart/form-data$
1026# acl javascript rep_mime_type -i ^application/x-javascript$
1027#
1028#Default:
1029# ACLs all, manager, localhost, and to_localhost are predefined.
1030#
1031#
1032# Recommended minimum configuration:
1033#
1034
1035# Example rule allowing access from your local networks.
1036# Adapt to list your (internal) IP networks from where browsing
1037# should be allowed
1038#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
1039#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
1040#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
1041#acl localnet src fc00::/7 # RFC 4193 local private network range
1042#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
1043
# Destination TCP ports a client may be proxied to. Anything not listed
# here is refused by "http_access deny !Safe_ports" further down.
acl Safe_ports port 80 21 443 70 210 # http, ftp, https, gopher, wais
acl Safe_ports port 280 488 591 777 # http-mgmt, gss-http, filemaker, multiling http
acl Safe_ports port 1025-65535 # unregistered ports
# Ports that may be reached through CONNECT tunnels
# (enforced by "http_access deny CONNECT !SSL_ports").
acl SSL_ports port 443
# The CONNECT method itself, so the tunnel rule can be expressed.
acl CONNECT method CONNECT
1056
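# Site-specific client network and block lists.
# 192.168.1.168/29 covers 192.168.1.168 - 192.168.1.175 only; widen it if
# more client hosts must be served.
acl local src 192.168.1.168/29
# One domain per line; a leading "." also matches all subdomains.
acl blokir dstdomain "/etc/squid3/domain"
# One case-insensitive regex per line, matched against the whole URL.
acl blokkey url_regex -i "/etc/squid3/kata"
# Media downloads. "-i" so that ".MP4" is caught as well as ".mp4" (the
# keyword list above already uses -i); the optional "?..." tail so that a
# path such as "file.mp4?token=1" is still caught where the matched path
# carries the query string.
acl download urlpath_regex -i \.(mp3|avi|mkv|3gp|mp4)(\?.*)?$
# NOTE(review): on an intercept port the domain/URL seen by these ACLs is
# whatever the client put in the Host header / request line - confirm the
# host verification settings of this build before relying on them.

http_access deny blokir
http_access deny blokkey
http_access deny download
# http_access is evaluated top to bottom and the first match wins, so the
# generic safety checks must come BEFORE the first allow. They mirror the
# "Recommended minimum Access Permission configuration" further down, which
# "local" clients would otherwise never reach (they would be allowed here
# first and could then CONNECT to any port or reach the cache manager).
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow local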
1066
1067
1068# TAG: follow_x_forwarded_for
1069# Allowing or Denying the X-Forwarded-For header to be followed to
1070# find the original source of a request.
1071#
1072# Requests may pass through a chain of several other proxies
1073# before reaching us. The X-Forwarded-For header will contain a
1074# comma-separated list of the IP addresses in the chain, with the
1075# rightmost address being the most recent.
1076#
1077# If a request reaches us from a source that is allowed by this
1078# configuration item, then we consult the X-Forwarded-For header
1079# to see where that host received the request from. If the
1080# X-Forwarded-For header contains multiple addresses, we continue
1081# backtracking until we reach an address for which we are not allowed
1082# to follow the X-Forwarded-For header, or until we reach the first
1083# address in the list. For the purpose of ACL used in the
1084# follow_x_forwarded_for directive the src ACL type always matches
1085# the address we are testing and srcdomain matches its rDNS.
1086#
1087# The end result of this process is an IP address that we will
1088# refer to as the indirect client address. This address may
1089# be treated as the client address for access control, ICAP, delay
1090# pools and logging, depending on the acl_uses_indirect_client,
1091# icap_uses_indirect_client, delay_pool_uses_indirect_client,
1092# log_uses_indirect_client and tproxy_uses_indirect_client options.
1093#
1094# This clause only supports fast acl types.
1095# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1096#
1097# SECURITY CONSIDERATIONS:
1098#
1099# Any host for which we follow the X-Forwarded-For header
1100# can place incorrect information in the header, and Squid
1101# will use the incorrect information as if it were the
1102# source address of the request. This may enable remote
1103# hosts to bypass any access control restrictions that are
1104# based on the client's source addresses.
1105#
1106# For example:
1107#
1108# acl localhost src 127.0.0.1
1109# acl my_other_proxy srcdomain .proxy.example.com
1110# follow_x_forwarded_for allow localhost
1111# follow_x_forwarded_for allow my_other_proxy
1112#Default:
1113# X-Forwarded-For header will be ignored.
1114
1115# TAG: acl_uses_indirect_client on|off
1116# Controls whether the indirect client address
1117# (see follow_x_forwarded_for) is used instead of the
1118# direct client address in acl matching.
1119#
1120# NOTE: maxconn ACL considers direct TCP links and indirect
1121# clients will always have zero. So no match.
1122#Default:
1123# acl_uses_indirect_client on
1124
1125# TAG: delay_pool_uses_indirect_client on|off
1126# Controls whether the indirect client address
1127# (see follow_x_forwarded_for) is used instead of the
1128# direct client address in delay pools.
1129#Default:
1130# delay_pool_uses_indirect_client on
1131
1132# TAG: log_uses_indirect_client on|off
1133# Controls whether the indirect client address
1134# (see follow_x_forwarded_for) is used instead of the
1135# direct client address in the access log.
1136#Default:
1137# log_uses_indirect_client on
1138
1139# TAG: tproxy_uses_indirect_client on|off
1140# Controls whether the indirect client address
1141# (see follow_x_forwarded_for) is used instead of the
1142# direct client address when spoofing the outgoing client.
1143#
1144# This has no effect on requests arriving in non-tproxy
1145# mode ports.
1146#
1147# SECURITY WARNING: Usage of this option is dangerous
1148# and should not be used trivially. Correct configuration
# of follow_x_forwarded_for with a limited set of trusted
1150# sources is required to prevent abuse of your proxy.
1151#Default:
1152# tproxy_uses_indirect_client off
1153
1154# TAG: spoof_client_ip
1155# Control client IP address spoofing of TPROXY traffic based on
1156# defined access lists.
1157#
1158# spoof_client_ip allow|deny [!]aclname ...
1159#
1160# If there are no "spoof_client_ip" lines present, the default
1161# is to "allow" spoofing of any suitable request.
1162#
1163# Note that the cache_peer "no-tproxy" option overrides this ACL.
1164#
1165# This clause supports fast acl types.
1166# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1167#Default:
1168# Allow spoofing on all TPROXY traffic.
1169
1170# TAG: http_access
1171# Allowing or Denying access based on defined access lists
1172#
1173# Access to the HTTP port:
1174# http_access allow|deny [!]aclname ...
1175#
1176# NOTE on default values:
1177#
1178# If there are no "access" lines present, the default is to deny
1179# the request.
1180#
# Lines are evaluated in the order written and the first matching line
# decides. If none of the "access" lines cause a match, the default is
# the opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have a "deny all" entry at the end of your access
# lists to avoid potential confusion.
1187#
1188# This clause supports both fast and slow acl types.
1189# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1190#
1191#Default:
1192# Deny, unless rules exist in squid.conf.
1193#
1194
1195#
1196# Recommended minimum Access Permission configuration:
1197#
# Deny requests to certain unsafe ports (anything not listed in Safe_ports).
# NOTE: http_access is first-match; these deny rules only protect clients
# that have not already been allowed by an earlier http_access line.
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports (only 443 via SSL_ports),
# so the proxy cannot be used as a generic TCP tunnel.
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost; "manager" and "localhost"
# are predefined ACLs.
http_access allow localhost manager
http_access deny manager
1207
1208# We strongly recommend the following be uncommented to protect innocent
1209# web applications running on the proxy server who think the only
1210# one who can access services on "localhost" is a local user
1211#http_access deny to_localhost
1212
1213#
1214# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
1215#
1216
1217# Example rule allowing access from your local networks.
1218# Adapt localnet in the ACL section to list your (internal) IP networks
1219# from where browsing should be allowed
1220#http_access allow localnet
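http_access allow localhost

# And finally deny all other access to this proxy. Stated explicitly rather
# than relying on the "opposite of the last line" default described above,
# so that appending another allow rule later cannot silently open the proxy.
http_access deny all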
1225
1226# TAG: adapted_http_access
1227# Allowing or Denying access based on defined access lists
1228#
1229# Essentially identical to http_access, but runs after redirectors
1230# and ICAP/eCAP adaptation. Allowing access control based on their
1231# output.
1232#
1233# If not set then only http_access is used.
1234#Default:
1235# Allow, unless rules exist in squid.conf.
1236
1237# TAG: http_reply_access
1238# Allow replies to client requests. This is complementary to http_access.
1239#
1240# http_reply_access allow|deny [!] aclname ...
1241#
1242# NOTE: if there are no access lines present, the default is to allow
1243# all replies.
1244#
1245# If none of the access lines cause a match the opposite of the
1246# last line will apply. Thus it is good practice to end the rules
1247# with an "allow all" or "deny all" entry.
1248#
1249# This clause supports both fast and slow acl types.
1250# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1251#Default:
1252# Allow, unless rules exist in squid.conf.
1253
1254# TAG: icp_access
1255# Allowing or Denying access to the ICP port based on defined
1256# access lists
1257#
1258# icp_access allow|deny [!]aclname ...
1259#
1260# NOTE: The default if no icp_access lines are present is to
1261# deny all traffic. This default may cause problems with peers
1262# using ICP.
1263#
1264# This clause only supports fast acl types.
1265# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1266#
1267## Allow ICP queries from local networks only
1268##icp_access allow localnet
1269##icp_access deny all
1270#Default:
1271# Deny, unless rules exist in squid.conf.
1272
1273# TAG: htcp_access
1274# Allowing or Denying access to the HTCP port based on defined
1275# access lists
1276#
1277# htcp_access allow|deny [!]aclname ...
1278#
1279# See also htcp_clr_access for details on access control for
1280# cache purge (CLR) HTCP messages.
1281#
1282# NOTE: The default if no htcp_access lines are present is to
1283# deny all traffic. This default may cause problems with peers
1284# using the htcp option.
1285#
1286# This clause only supports fast acl types.
1287# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1288#
1289## Allow HTCP queries from local networks only
1290##htcp_access allow localnet
1291##htcp_access deny all
1292#Default:
1293# Deny, unless rules exist in squid.conf.
1294
1295# TAG: htcp_clr_access
1296# Allowing or Denying access to purge content using HTCP based
1297# on defined access lists.
1298# See htcp_access for details on general HTCP access control.
1299#
1300# htcp_clr_access allow|deny [!]aclname ...
1301#
1302# This clause only supports fast acl types.
1303# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1304#
1305## Allow HTCP CLR requests from trusted peers
1306#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2
1307#htcp_clr_access allow htcp_clr_peer
1308#htcp_clr_access deny all
1309#Default:
1310# Deny, unless rules exist in squid.conf.
1311
1312# TAG: miss_access
# Determines whether network access is permitted when satisfying a request.
1314#
1315# For example;
1316# to force your neighbors to use you as a sibling instead of
1317# a parent.
1318#
1319# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64
1320# miss_access deny !localclients
1321# miss_access allow all
1322#
1323# This means only your local clients are allowed to fetch relayed/MISS
1324# replies from the network and all other clients can only fetch cached
1325# objects (HITs).
1326#
1327# The default for this setting allows all clients who passed the
1328# http_access rules to relay via this proxy.
1329#
1330# This clause only supports fast acl types.
1331# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1332#Default:
1333# Allow, unless rules exist in squid.conf.
1334
1335# TAG: ident_lookup_access
1336# A list of ACL elements which, if matched, cause an ident
1337# (RFC 931) lookup to be performed for this request. For
1338# example, you might choose to always perform ident lookups
1339# for your main multi-user Unix boxes, but not for your Macs
1340# and PCs. By default, ident lookups are not performed for
1341# any requests.
1342#
1343# To enable ident lookups for specific client addresses, you
1344# can follow this example:
1345#
# acl ident_aware_hosts src 192.168.1.0/24
1347# ident_lookup_access allow ident_aware_hosts
1348# ident_lookup_access deny all
1349#
1350# Only src type ACL checks are fully supported. A srcdomain
1351# ACL might work at times, but it will not always provide
1352# the correct result.
1353#
1354# This clause only supports fast acl types.
1355# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1356#Default:
1357# Unless rules exist in squid.conf, IDENT is not fetched.
1358
1359# TAG: reply_body_max_size size [acl acl...]
1360# This option specifies the maximum size of a reply body. It can be
1361# used to prevent users from downloading very large files, such as
1362# MP3's and movies. When the reply headers are received, the
1363# reply_body_max_size lines are processed, and the first line where
1364# all (if any) listed ACLs are true is used as the maximum body size
1365# for this reply.
1366#
1367# This size is checked twice. First when we get the reply headers,
1368# we check the content-length value. If the content length value exists
1369# and is larger than the allowed size, the request is denied and the
1370# user receives an error message that says "the request or reply
1371# is too large." If there is no content-length, and the reply
1372# size exceeds this limit, the client's connection is just closed
1373# and they will receive a partial reply.
1374#
1375# WARNING: downstream caches probably can not detect a partial reply
1376# if there is no content-length header, so they will cache
1377# partial responses and give them out as hits. You should NOT
1378# use this option if you have downstream caches.
1379#
1380# WARNING: A maximum size smaller than the size of squid's error messages
1381# will cause an infinite loop and crash squid. Ensure that the smallest
# non-zero value you use is greater than the maximum header size plus
1383# the size of your largest error page.
1384#
1385# If you set this parameter none (the default), there will be
1386# no limit imposed.
1387#
1388# Configuration Format is:
1389# reply_body_max_size SIZE UNITS [acl ...]
1390# ie.
1391# reply_body_max_size 10 MB
1392#
1393#Default:
1394# No limit is applied.
1395
1396# NETWORK OPTIONS
1397# -----------------------------------------------------------------------------
1398
1399# TAG: http_port
1400# Usage: port [mode] [options]
1401# hostname:port [mode] [options]
1402# 1.2.3.4:port [mode] [options]
1403#
1404# The socket addresses where Squid will listen for HTTP client
1405# requests. You may specify multiple socket addresses.
1406# There are three forms: port alone, hostname with port, and
1407# IP address with port. If you specify a hostname or IP
1408# address, Squid binds the socket to that specific
1409# address. Most likely, you do not need to bind to a specific
1410# address, so you can use the port number alone.
1411#
1412# If you are running Squid in accelerator mode, you
1413# probably want to listen on port 80 also, or instead.
1414#
1415# The -a command line option may be used to specify additional
1416# port(s) where Squid listens for proxy request. Such ports will
1417# be plain proxy ports with no options.
1418#
1419# You may specify multiple socket addresses on multiple lines.
1420#
1421# Modes:
1422#
1423# intercept Support for IP-Layer interception of
1424# outgoing requests without browser settings.
1425# NP: disables authentication and IPv6 on the port.
1426#
1427# tproxy Support Linux TPROXY for spoofing outgoing
1428# connections using the client IP address.
1429# NP: disables authentication and maybe IPv6 on the port.
1430#
1431# accel Accelerator / reverse proxy mode
1432#
1433# ssl-bump For each CONNECT request allowed by ssl_bump ACLs,
1434# establish secure connection with the client and with
1435# the server, decrypt HTTPS messages as they pass through
1436# Squid, and treat them as unencrypted HTTP messages,
1437# becoming the man-in-the-middle.
1438#
1439# The ssl_bump option is required to fully enable
1440# bumping of CONNECT requests.
1441#
1442# Omitting the mode flag causes default forward proxy mode to be used.
1443#
1444#
1445# Accelerator Mode Options:
1446#
1447# defaultsite=domainname
1448# What to use for the Host: header if it is not present
1449# in a request. Determines what site (not origin server)
1450# accelerators should consider the default.
1451#
1452# no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
1453#
1454# protocol= Protocol to reconstruct accelerated requests with.
1455# Defaults to http for http_port and https for
1456# https_port
1457#
1458# vport Virtual host port support. Using the http_port number
1459# instead of the port passed on Host: headers.
1460#
1461# vport=NN Virtual host port support. Using the specified port
1462# number instead of the port passed on Host: headers.
1463#
1464# act-as-origin
1465# Act as if this Squid is the origin server.
1466# This currently means generate new Date: and Expires:
1467# headers on HIT instead of adding Age:.
1468#
1469# ignore-cc Ignore request Cache-Control headers.
1470#
1471# WARNING: This option violates HTTP specifications if
1472# used in non-accelerator setups.
1473#
1474# allow-direct Allow direct forwarding in accelerator mode. Normally
1475# accelerated requests are denied direct forwarding as if
1476# never_direct was used.
1477#
1478# WARNING: this option opens accelerator mode to security
# vulnerabilities usually only affecting interception
1480# mode. Make sure to protect forwarding with suitable
1481# http_access rules when using this.
1482#
1483#
1484# SSL Bump Mode Options:
1485# In addition to these options ssl-bump requires TLS/SSL options.
1486#
1487# generate-host-certificates[=<on|off>]
1488# Dynamically create SSL server certificates for the
# destination hosts of bumped CONNECT requests. When
1490# enabled, the cert and key options are used to sign
1491# generated certificates. Otherwise generated
1492# certificate will be selfsigned.
1493# If there is a CA certificate lifetime of the generated
1494# certificate equals lifetime of the CA certificate. If
1495# generated certificate is selfsigned lifetime is three
1496# years.
1497# This option is enabled by default when ssl-bump is used.
1498# See the ssl-bump option above for more information.
1499#
1500# dynamic_cert_mem_cache_size=SIZE
1501# Approximate total RAM size spent on cached generated
1502# certificates. If set to zero, caching is disabled. The
1503# default value is 4MB.
1504#
1505# TLS / SSL Options:
1506#
1507# cert= Path to SSL certificate (PEM format).
1508#
1509# key= Path to SSL private key file (PEM format)
1510# if not specified, the certificate file is
1511# assumed to be a combined certificate and
1512# key file.
1513#
1514# version= The version of SSL/TLS supported
1515# 1 automatic (default)
1516# 2 SSLv2 only
1517# 3 SSLv3 only
1518# 4 TLSv1.0 only
1519# 5 TLSv1.1 only
1520# 6 TLSv1.2 only
1521#
1522# cipher= Colon separated list of supported ciphers.
1523# NOTE: some ciphers such as EDH ciphers depend on
1524# additional settings. If those settings are
1525# omitted the ciphers may be silently ignored
1526# by the OpenSSL library.
1527#
1528# options= Various SSL implementation options. The most important
1529# being:
1530# NO_SSLv2 Disallow the use of SSLv2
1531# NO_SSLv3 Disallow the use of SSLv3
1532# NO_TLSv1 Disallow the use of TLSv1.0
1533# NO_TLSv1_1 Disallow the use of TLSv1.1
1534# NO_TLSv1_2 Disallow the use of TLSv1.2
1535# SINGLE_DH_USE Always create a new key when using
1536# temporary/ephemeral DH key exchanges
1537# ALL Enable various bug workarounds
1538# suggested as "harmless" by OpenSSL
1539# Be warned that this reduces SSL/TLS
1540# strength to some attacks.
1541# See OpenSSL SSL_CTX_set_options documentation for a
1542# complete list of options.
1543#
1544# clientca= File containing the list of CAs to use when
1545# requesting a client certificate.
1546#
1547# cafile= File containing additional CA certificates to
1548# use when verifying client certificates. If unset
1549# clientca will be used.
1550#
1551# capath= Directory containing additional CA certificates
1552# and CRL lists to use when verifying client certificates.
1553#
1554# crlfile= File of additional CRL lists to use when verifying
1555# the client certificate, in addition to CRLs stored in
1556# the capath. Implies VERIFY_CRL flag below.
1557#
1558# dhparams= File containing DH parameters for temporary/ephemeral
1559# DH key exchanges. See OpenSSL documentation for details
1560# on how to create this file.
1561# WARNING: EDH ciphers will be silently disabled if this
1562# option is not set.
1563#
1564# sslflags= Various flags modifying the use of SSL:
1565# DELAYED_AUTH
1566# Don't request client certificates
1567# immediately, but wait until acl processing
1568# requires a certificate (not yet implemented).
1569# NO_DEFAULT_CA
1570# Don't use the default CA lists built in
1571# to OpenSSL.
1572# NO_SESSION_REUSE
1573# Don't allow for session reuse. Each connection
1574# will result in a new SSL session.
1575# VERIFY_CRL
1576# Verify CRL lists when accepting client
1577# certificates.
1578# VERIFY_CRL_ALL
1579# Verify CRL lists for all certificates in the
1580# client certificate chain.
1581#
1582# sslcontext= SSL session ID context identifier.
1583#
1584# Other Options:
1585#
1586# connection-auth[=on|off]
1587# use connection-auth=off to tell Squid to prevent
1588# forwarding Microsoft connection oriented authentication
1589# (NTLM, Negotiate and Kerberos)
1590#
1591# disable-pmtu-discovery=
1592# Control Path-MTU discovery usage:
1593# off lets OS decide on what to do (default).
1594# transparent disable PMTU discovery when transparent
1595# support is enabled.
# always always disable PMTU discovery.
1597#
1598# In many setups of transparently intercepting proxies
1599# Path-MTU discovery can not work on traffic towards the
1600# clients. This is the case when the intercepting device
1601# does not fully track connections and fails to forward
1602# ICMP must fragment messages to the cache server. If you
1603# have such setup and experience that certain clients
1604# sporadically hang or never complete requests set
1605# disable-pmtu-discovery option to 'transparent'.
1606#
# name= Specifies an internal name for the port. Defaults to
1608# the port specification (port or addr:port)
1609#
1610# tcpkeepalive[=idle,interval,timeout]
1611# Enable TCP keepalive probes of idle connections.
1612# In seconds; idle is the initial time before TCP starts
1613# probing the connection, interval how often to probe, and
1614# timeout the time before giving up.
1615#
1616# If you run Squid on a dual-homed machine with an internal
1617# and an external interface we recommend you to specify the
1618# internal address:port in http_port. This way Squid will only be
1619# visible on the internal address.
1620#
1621#
1622
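# Squid normally listens to port 3128. "intercept" is the mode name
# documented above ("transparent" is the pre-3.1 spelling, accepted as a
# deprecated alias - confirm on this build). Intercept mode disables
# proxy authentication and IPv6 on this port, so proxy_auth ACLs cannot
# be used here. As recommended above for dual-homed hosts, consider binding
# to the internal interface address ("http_port 192.168.1.x:3128 intercept")
# so the port is not reachable from other interfaces. Clients configured to
# use the proxy explicitly should be given a separate plain port rather
# than this intercept port.
http_port 3128 intercept
cache_mem 32 MB
cache_mgr admin@sekolah.sch.id
visible_hostname sekolah.sch.id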
1628
1629# TAG: https_port
1630# Note: This option is only available if Squid is rebuilt with the
1631# --enable-ssl
1632#
1633# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
1634#
1635# The socket address where Squid will listen for client requests made
1636# over TLS or SSL connections. Commonly referred to as HTTPS.
1637#
1638# This is most useful for situations where you are running squid in
1639# accelerator mode and you want to do the SSL work at the accelerator level.
1640#
1641# You may specify multiple socket addresses on multiple lines,
1642# each with their own SSL certificate and/or options.
1643#
1644# Modes:
1645#
1646# accel Accelerator / reverse proxy mode
1647#
1648# intercept Support for IP-Layer interception of
1649# outgoing requests without browser settings.
1650# NP: disables authentication and IPv6 on the port.
1651#
1652# tproxy Support Linux TPROXY for spoofing outgoing
1653# connections using the client IP address.
1654# NP: disables authentication and maybe IPv6 on the port.
1655#
1656# ssl-bump For each intercepted connection allowed by ssl_bump
1657# ACLs, establish a secure connection with the client and with
1658# the server, decrypt HTTPS messages as they pass through
1659# Squid, and treat them as unencrypted HTTP messages,
1660# becoming the man-in-the-middle.
1661#
1662# An "ssl_bump server-first" match is required to
1663# fully enable bumping of intercepted SSL connections.
1664#
1665# Requires tproxy or intercept.
1666#
1667# Omitting the mode flag causes default forward proxy mode to be used.
1668#
1669#
1670# See http_port for a list of generic options
1671#
1672#
1673# SSL Options:
1674#
1675# cert= Path to SSL certificate (PEM format).
1676#
1677# key= Path to SSL private key file (PEM format)
1678# if not specified, the certificate file is
1679# assumed to be a combined certificate and
1680# key file.
1681#
1682# version= The version of SSL/TLS supported
1683# 1 automatic (default)
1684# 2 SSLv2 only
1685# 3 SSLv3 only
1686# 4 TLSv1 only
1687#
1688# cipher= Colon separated list of supported ciphers.
1689#
1690# options= Various SSL engine options. The most important
1691# being:
1692# NO_SSLv2 Disallow the use of SSLv2
1693# NO_SSLv3 Disallow the use of SSLv3
1694# NO_TLSv1 Disallow the use of TLSv1
1695# SINGLE_DH_USE Always create a new key when using
1696# temporary/ephemeral DH key exchanges
1697# See src/ssl_support.c or OpenSSL SSL_CTX_set_options
1698# documentation for a complete list of options.
1699#
1700# clientca= File containing the list of CAs to use when
1701# requesting a client certificate.
1702#
1703# cafile= File containing additional CA certificates to
1704# use when verifying client certificates. If unset
1705# clientca will be used.
1706#
1707# capath= Directory containing additional CA certificates
1708# and CRL lists to use when verifying client certificates.
1709#
1710# crlfile= File of additional CRL lists to use when verifying
1711# the client certificate, in addition to CRLs stored in
1712# the capath. Implies VERIFY_CRL flag below.
1713#
1714# dhparams= File containing DH parameters for temporary/ephemeral
1715# DH key exchanges.
1716#
1717# sslflags= Various flags modifying the use of SSL:
1718# DELAYED_AUTH
1719# Don't request client certificates
1720# immediately, but wait until acl processing
1721# requires a certificate (not yet implemented).
1722# NO_DEFAULT_CA
1723# Don't use the default CA lists built in
1724# to OpenSSL.
1725# NO_SESSION_REUSE
1726# Don't allow for session reuse. Each connection
1727# will result in a new SSL session.
1728# VERIFY_CRL
1729# Verify CRL lists when accepting client
1730# certificates.
1731# VERIFY_CRL_ALL
1732# Verify CRL lists for all certificates in the
1733# client certificate chain.
1734#
1735# sslcontext= SSL session ID context identifier.
1736#
1737# generate-host-certificates[=<on|off>]
1738# Dynamically create SSL server certificates for the
1739# destination hosts of bumped SSL requests. When
1740# enabled, the cert and key options are used to sign
1741# generated certificates. Otherwise the generated
1742# certificate will be self-signed.
1743# If a CA certificate is configured, the lifetime of a generated
1744# certificate equals the lifetime of the CA certificate. If the
1745# generated certificate is self-signed, its lifetime is three
1746# years.
1747# This option is enabled by default when SslBump is used.
1748# See the ssl-bump option above for more information.
1749#
1750# dynamic_cert_mem_cache_size=SIZE
1751# Approximate total RAM size spent on cached generated
1752# certificates. If set to zero, caching is disabled. The
1753# default value is 4MB.
1754#
1755# See http_port for a list of available options.
1756#Default:
1757# none
1758
1759# TAG: tcp_outgoing_tos
1760# Allows you to select a TOS/Diffserv value for packets outgoing
1761# on the server side, based on an ACL.
1762#
1763# tcp_outgoing_tos ds-field [!]aclname ...
1764#
1765# Example where normal_service_net uses the TOS value 0x00
1766# and good_service_net uses 0x20
1767#
1768# acl normal_service_net src 10.0.0.0/24
1769# acl good_service_net src 10.0.1.0/24
1770# tcp_outgoing_tos 0x00 normal_service_net
1771# tcp_outgoing_tos 0x20 good_service_net
1772#
1773# TOS/DSCP values really only have local significance - so you should
1774# know what you're specifying. For more information, see RFC2474,
1775# RFC2475, and RFC3260.
1776#
1777# The TOS/DSCP byte must be exactly that - an octet value 0 - 255, or
1778# "default" to use whatever default your host has. Note that in
1779# practice often only multiples of 4 are usable as the two rightmost bits
1780# have been redefined for use by ECN (RFC 3168 section 23.1).
1781#
1782# Processing proceeds in the order specified, and stops at first fully
1783# matching line.
1784#Default:
1785# none
1786
1787# TAG: clientside_tos
1788# Allows you to select a TOS/Diffserv value for packets being transmitted
1789# on the client-side, based on an ACL.
1790#
1791# clientside_tos ds-field [!]aclname ...
1792#
1793# Example where normal_service_net uses the TOS value 0x00
1794# and good_service_net uses 0x20
1795#
1796# acl normal_service_net src 10.0.0.0/24
1797# acl good_service_net src 10.0.1.0/24
1798# clientside_tos 0x00 normal_service_net
1799# clientside_tos 0x20 good_service_net
1800#
1801# Note: This feature is incompatible with qos_flows. Any TOS values set here
1802# will be overwritten by TOS values in qos_flows.
1803#Default:
1804# none
1805
1806# TAG: tcp_outgoing_mark
1807# Note: This option is only available if Squid is rebuilt with the
1808# Packet MARK (Linux)
1809#
1810# Allows you to apply a Netfilter mark value to outgoing packets
1811# on the server side, based on an ACL.
1812#
1813# tcp_outgoing_mark mark-value [!]aclname ...
1814#
1815# Example where normal_service_net uses the mark value 0x00
1816# and good_service_net uses 0x20
1817#
1818# acl normal_service_net src 10.0.0.0/24
1819# acl good_service_net src 10.0.1.0/24
1820# tcp_outgoing_mark 0x00 normal_service_net
1821# tcp_outgoing_mark 0x20 good_service_net
1822#Default:
1823# none
1824
1825# TAG: clientside_mark
1826# Note: This option is only available if Squid is rebuilt with the
1827# Packet MARK (Linux)
1828#
1829# Allows you to apply a Netfilter mark value to packets being transmitted
1830# on the client-side, based on an ACL.
1831#
1832# clientside_mark mark-value [!]aclname ...
1833#
1834# Example where normal_service_net uses the mark value 0x00
1835# and good_service_net uses 0x20
1836#
1837# acl normal_service_net src 10.0.0.0/24
1838# acl good_service_net src 10.0.1.0/24
1839# clientside_mark 0x00 normal_service_net
1840# clientside_mark 0x20 good_service_net
1841#
1842# Note: This feature is incompatible with qos_flows. Any mark values set here
1843# will be overwritten by mark values in qos_flows.
1844#Default:
1845# none
1846
1847# TAG: qos_flows
1848# Allows you to select a TOS/DSCP value to mark outgoing
1849# connections to the client, based on where the reply was sourced.
1850# For platforms using netfilter, allows you to set a netfilter mark
1851# value instead of, or in addition to, a TOS value.
1852#
1853# By default this functionality is disabled. To enable it with the default
1854# settings simply use "qos_flows mark" or "qos_flows tos". Default
1855# settings will result in the netfilter mark or TOS value being copied
1856# from the upstream connection to the client. Note that it is the connection
1857# CONNMARK value not the packet MARK value that is copied.
1858#
1859# It is not currently possible to copy the mark or TOS value from the
1860# client to the upstream connection request.
1861#
1862# TOS values really only have local significance - so you should
1863# know what you're specifying. For more information, see RFC2474,
1864# RFC2475, and RFC3260.
1865#
1866# The TOS/DSCP byte must be exactly that - an octet value 0 - 255. Note that
1867# in practice often only multiples of 4 are usable as the two rightmost bits
1868# have been redefined for use by ECN (RFC 3168 section 23.1).
1869#
1870# Mark values can be any unsigned 32-bit integer value.
1871#
1872# This setting is configured by setting the following values:
1873#
1874# tos|mark Whether to set TOS or netfilter mark values
1875#
1876# local-hit=0xFF Value to mark local cache hits.
1877#
1878# sibling-hit=0xFF Value to mark hits from sibling peers.
1879#
1880# parent-hit=0xFF Value to mark hits from parent peers.
1881#
1882# miss=0xFF[/mask] Value to mark cache misses. Takes precedence
1883# over the preserve-miss feature (see below), unless
1884# mask is specified, in which case only the bits
1885# specified in the mask are written.
1886#
1887# The TOS variant of the following features are only possible on Linux
1888# and require your kernel to be patched with the TOS preserving ZPH
1889# patch, available from http://zph.bratcheda.org
1890# No patch is needed to preserve the netfilter mark, which will work
1891# with all variants of netfilter.
1892#
1893# disable-preserve-miss
1894# This option disables the preservation of the TOS or netfilter
1895# mark. By default, the existing TOS or netfilter mark value of
1896# the response coming from the remote server will be retained
1897# and masked with miss-mark.
1898# NOTE: in the case of a netfilter mark, the mark must be set on
1899# the connection (using the CONNMARK target) not on the packet
1900# (MARK target).
1901#
1902# miss-mask=0xFF
1903# Allows you to mask certain bits in the TOS or mark value
1904# received from the remote server, before copying the value to
1905# the TOS sent towards clients.
1906# Default for tos: 0xFF (TOS from server is not changed).
1907# Default for mark: 0xFFFFFFFF (mark from server is not changed).
1908#
1909# All of these features require the --enable-zph-qos compilation flag
1910# (enabled by default). Netfilter marking also requires the
1911# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
1912# libcap 2.09+ (--with-libcap).
1913#
1914#Default:
1915# none
1916
1917# TAG: tcp_outgoing_address
1918# Allows you to map requests to different outgoing IP addresses
1919# based on the username or source address of the user making
1920# the request.
1921#
1922# tcp_outgoing_address ipaddr [[!]aclname] ...
1923#
1924# For example;
1925# Forwarding clients with dedicated IPs for certain subnets.
1926#
1927# acl normal_service_net src 10.0.0.0/24
1928# acl good_service_net src 10.0.2.0/24
1929#
1930# tcp_outgoing_address 2001:db8::c001 good_service_net
1931# tcp_outgoing_address 10.1.0.2 good_service_net
1932#
1933# tcp_outgoing_address 2001:db8::beef normal_service_net
1934# tcp_outgoing_address 10.1.0.1 normal_service_net
1935#
1936# tcp_outgoing_address 2001:db8::1
1937# tcp_outgoing_address 10.1.0.3
1938#
1939# Processing proceeds in the order specified, and stops at first fully
1940# matching line.
1941#
1942# Squid will add an implicit IP version test to each line.
1943# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
1944# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
1945#
1946#
1947# NOTE: The use of this directive using client dependent ACLs is
1948# incompatible with the use of server side persistent connections. To
1949# ensure correct results it is best to set server_persistent_connections
1950# to off when using this directive in such configurations.
1951#
1952# NOTE: The use of this directive to set a local IP on outgoing TCP links
1953# is incompatible with using TPROXY to set the client IP on outbound TCP links.
1954# When needing to contact peers, use the no-tproxy cache_peer option and the
1955# client_dst_passthru directive to re-enable normal forwarding such as this.
1956#
1957#Default:
1958# Address selection is performed by the operating system.
1959
1960# TAG: host_verify_strict
1961# Regardless of this option setting, when dealing with intercepted
1962# traffic, Squid always verifies that the destination IP address matches
1963# the Host header domain or IP (called 'authority form URL').
1964#
1965# This enforcement is performed to satisfy a MUST-level requirement in
1966# RFC 2616 section 14.23: "The Host field value MUST represent the naming
1967# authority of the origin server or gateway given by the original URL".
1968#
1969# When set to ON:
1970# Squid always responds with an HTTP 409 (Conflict) error
1971# page and logs a security warning if there is no match.
1972#
1973# Squid verifies that the destination IP address matches
1974# the Host header for forward-proxy and reverse-proxy traffic
1975# as well. For those traffic types, Squid also enables the
1976# following checks, comparing the corresponding Host header
1977# and Request-URI components:
1978#
1979# * The host names (domain or IP) must be identical,
1980# but valueless or missing Host header disables all checks.
1981# For the two host names to match, both must be either IP
1982# or FQDN.
1983#
1984# * Port numbers must be identical, but if a port is missing
1985# the scheme-default port is assumed.
1986#
1987#
1988# When set to OFF (the default):
1989# Squid allows suspicious requests to continue but logs a
1990# security warning and blocks caching of the response.
1991#
1992# * Forward-proxy traffic is not checked at all.
1993#
1994# * Reverse-proxy traffic is not checked at all.
1995#
1996# * Intercepted traffic which passes verification is handled
1997# according to client_dst_passthru.
1998#
1999# * Intercepted requests which fail verification are sent
2000# to the client's original destination instead of DIRECT.
2001# This overrides 'client_dst_passthru off'.
2002#
2003# For now suspicious intercepted CONNECT requests are always
2004# responded to with an HTTP 409 (Conflict) error page.
2005#
2006#
2007# SECURITY NOTE:
2008#
2009# As described in CVE-2009-0801 when the Host: header alone is used
2010# to determine the destination of a request it becomes trivial for
2011# malicious scripts on remote websites to bypass browser same-origin
2012# security policy and sandboxing protections.
2013#
2014# The cause of this is that such applets are allowed to perform their
2015# own HTTP stack, in which case the same-origin policy of the browser
2016# sandbox only verifies that the applet tries to contact the same IP
2017# as from where it was loaded at the IP level. The Host: header may
2018# be different from the connected IP and approved origin.
2019#
2020#Default:
2021# host_verify_strict off
2022
2023# TAG: client_dst_passthru
2024# With NAT or TPROXY intercepted traffic Squid may pass the request
2025# directly to the original client destination IP or seek a faster
2026# source using the HTTP Host header.
2027#
2028# Using Host to locate alternative servers can provide faster
2029# connectivity with a range of failure recovery options.
2030# But can also lead to connectivity trouble when the client and
2031# server are attempting stateful interactions unaware of the proxy.
2032#
2033# This option (on by default) prevents alternative DNS entries being
2034# located to send intercepted traffic DIRECT to an origin server.
2035# The client's original destination IP and port will be used instead.
2036#
2037# Regardless of this option setting, when dealing with intercepted
2038# traffic Squid will verify the Host: header and any traffic which
2039# fails Host verification will be treated as if this option were ON.
2040#
2041# see host_verify_strict for details on the verification process.
2042#Default:
2043# client_dst_passthru on
2044
2045# SSL OPTIONS
2046# -----------------------------------------------------------------------------
2047
2048# TAG: ssl_unclean_shutdown
2049# Note: This option is only available if Squid is rebuilt with the
2050# --enable-ssl
2051#
2052# Some browsers (especially MSIE) bug out on SSL shutdown
2053# messages.
2054#Default:
2055# ssl_unclean_shutdown off
2056
2057# TAG: ssl_engine
2058# Note: This option is only available if Squid is rebuilt with the
2059# --enable-ssl
2060#
2061# The OpenSSL engine to use. You will need to set this if you
2062# would like to use hardware SSL acceleration for example.
2063#Default:
2064# none
2065
2066# TAG: sslproxy_client_certificate
2067# Note: This option is only available if Squid is rebuilt with the
2068# --enable-ssl
2069#
2070# Client SSL Certificate to use when proxying https:// URLs
2071#Default:
2072# none
2073
2074# TAG: sslproxy_client_key
2075# Note: This option is only available if Squid is rebuilt with the
2076# --enable-ssl
2077#
2078# Client SSL Key to use when proxying https:// URLs
2079#Default:
2080# none
2081
2082# TAG: sslproxy_version
2083# Note: This option is only available if Squid is rebuilt with the
2084# --enable-ssl
2085#
2086# SSL version level to use when proxying https:// URLs
2087#
2088# The versions of SSL/TLS supported:
2089#
2090# 1 automatic (default)
2091# 2 SSLv2 only
2092# 3 SSLv3 only
2093# 4 TLSv1.0 only
2094# 5 TLSv1.1 only
2095# 6 TLSv1.2 only
2096#Default:
2097# automatic SSL/TLS version negotiation
2098
2099# TAG: sslproxy_options
2100# Note: This option is only available if Squid is rebuilt with the
2101# --enable-ssl
2102#
2103# SSL implementation options to use when proxying https:// URLs
2104#
2105# The most important being:
2106#
2107# NO_SSLv2 Disallow the use of SSLv2
2108# NO_SSLv3 Disallow the use of SSLv3
2109# NO_TLSv1 Disallow the use of TLSv1.0
2110# NO_TLSv1_1 Disallow the use of TLSv1.1
2111# NO_TLSv1_2 Disallow the use of TLSv1.2
2112# SINGLE_DH_USE
2113# Always create a new key when using temporary/ephemeral
2114# DH key exchanges
2115# SSL_OP_NO_TICKET
2116# Disable use of RFC5077 session tickets. Some servers
2117# may have problems understanding the TLS extension due
2118# to ambiguous specification in RFC4507.
2119# ALL Enable various bug workarounds suggested as "harmless"
2120# by OpenSSL. Be warned that this may reduce SSL/TLS
2121# resistance to some attacks.
2122#
2123# See the OpenSSL SSL_CTX_set_options documentation for a
2124# complete list of possible options.
2125#Default:
2126# none
2127
2128# TAG: sslproxy_cipher
2129# Note: This option is only available if Squid is rebuilt with the
2130# --enable-ssl
2131#
2132# SSL cipher list to use when proxying https:// URLs
2133#
2134# Colon separated list of supported ciphers.
2135#Default:
2136# none
2137
2138# TAG: sslproxy_cafile
2139# Note: This option is only available if Squid is rebuilt with the
2140# --enable-ssl
2141#
2142# file containing CA certificates to use when verifying server
2143# certificates while proxying https:// URLs
2144#Default:
2145# none
2146
2147# TAG: sslproxy_capath
2148# Note: This option is only available if Squid is rebuilt with the
2149# --enable-ssl
2150#
2151# directory containing CA certificates to use when verifying
2152# server certificates while proxying https:// URLs
2153#Default:
2154# none
2155
2156# TAG: ssl_bump
2157# Note: This option is only available if Squid is rebuilt with the
2158# --enable-ssl
2159#
2160# This option is consulted when a CONNECT request is received on
2161# an http_port (or a new connection is intercepted at an
2162# https_port), provided that port was configured with an ssl-bump
2163# flag. The subsequent data on the connection is either treated as
2164# HTTPS and decrypted OR tunneled at TCP level without decryption,
2165# depending on the first bumping "mode" which ACLs match.
2166#
2167# ssl_bump <mode> [!]acl ...
2168#
2169# The following bumping modes are supported:
2170#
2171# client-first
2172# Allow bumping of the connection. Establish a secure connection
2173# with the client first, then connect to the server. This old mode
2174# does not allow Squid to mimic server SSL certificate and does
2175# not work with intercepted SSL connections.
2176#
2177# server-first
2178# Allow bumping of the connection. Establish a secure connection
2179# with the server first, then establish a secure connection with
2180# the client, using a mimicked server certificate. Works with both
2181# CONNECT requests and intercepted SSL connections.
2182#
2183# none
2184# Become a TCP tunnel without decoding the connection.
2185# Works with both CONNECT requests and intercepted SSL
2186# connections. This is the default behavior when no
2187# ssl_bump option is given or no ssl_bump ACLs match.
2188#
2189# By default, no connections are bumped.
2190#
2191# The first matching ssl_bump option wins. If no ACLs match, the
2192# connection is not bumped. Unlike most allow/deny ACL lists, ssl_bump
2193# does not have an implicit "negate the last given option" rule. You
2194# must make that rule explicit if you convert old ssl_bump allow/deny
2195# rules that rely on such an implicit rule.
2196#
2197# This clause supports both fast and slow acl types.
2198# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
2199#
2200# See also: http_port ssl-bump, https_port ssl-bump
2201#
2202#
2203# # Example: Bump all requests except those originating from
2204# # localhost or those going to example.com.
2205#
2206# acl broken_sites dstdomain .example.com
2207# ssl_bump none localhost
2208# ssl_bump none broken_sites
2209# ssl_bump server-first all
2210#Default:
2211# Does not bump unless rules are present in squid.conf
2212
2213# TAG: sslproxy_flags
2214# Note: This option is only available if Squid is rebuilt with the
2215# --enable-ssl
2216#
2217# Various flags modifying the use of SSL while proxying https:// URLs:
2218# DONT_VERIFY_PEER Accept certificates that fail verification.
2219# For refined control, see sslproxy_cert_error.
2220# NO_DEFAULT_CA Don't use the default CA list built in
2221# to OpenSSL.
2222#Default:
2223# none
2224
2225# TAG: sslproxy_cert_error
2226# Note: This option is only available if Squid is rebuilt with the
2227# --enable-ssl
2228#
2229# Use this ACL to bypass server certificate validation errors.
2230#
2231# For example, the following lines will bypass all validation errors
2232# when talking to servers for example.com. All other
2233# validation errors will result in an ERR_SECURE_CONNECT_FAIL error.
2234#
2235# acl BrokenButTrustedServers dstdomain example.com
2236# sslproxy_cert_error allow BrokenButTrustedServers
2237# sslproxy_cert_error deny all
2238#
2239# This clause only supports fast acl types.
2240# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
2241# Using slow acl types may result in server crashes
2242#
2243# Without this option, all server certificate validation errors
2244# terminate the transaction to protect Squid and the client.
2245#
2246# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed
2247# but should not happen unless your OpenSSL library is buggy.
2248#
2249# SECURITY WARNING:
2250# Bypassing validation errors is dangerous because an
2251# error usually implies that the server cannot be trusted
2252# and the connection may be insecure.
2253#
2254# See also: sslproxy_flags and DONT_VERIFY_PEER.
2255#Default:
2256# Server certificate errors terminate the transaction.
2257
2258# TAG: sslproxy_cert_sign
2259# Note: This option is only available if Squid is rebuilt with the
2260# --enable-ssl
2261#
2262#
2263# sslproxy_cert_sign <signing algorithm> acl ...
2264#
2265# The following certificate signing algorithms are supported:
2266#
2267# signTrusted
2268# Sign using the configured CA certificate which is usually
2269# placed in and trusted by end-user browsers. This is the
2270# default for trusted origin server certificates.
2271#
2272# signUntrusted
2273# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
2274# This is the default for untrusted origin server certificates
2275# that are not self-signed (see ssl::certUntrusted).
2276#
2277# signSelf
2278# Sign using a self-signed certificate with the right CN to
2279# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
2280# browser. This is the default for self-signed origin server
2281# certificates (see ssl::certSelfSigned).
2282#
2283# This clause only supports fast acl types.
2284#
2285# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
2286# signing algorithm to generate the certificate and ignores all
2287# subsequent sslproxy_cert_sign options (the first match wins). If no
2288# acl(s) match, the default signing algorithm is determined by errors
2289# detected when obtaining and validating the origin server certificate.
2290#
2291# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl::certDomainMismatch can
2292# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
2293# CONNECT request that carries a domain name. In all other cases (CONNECT
2294# to an IP address or an intercepted SSL connection), Squid cannot detect
2295# the domain mismatch at certificate generation time when
2296# bump-server-first is used.
2297#Default:
2298# none
2299
2300# TAG: sslproxy_cert_adapt
2301# Note: This option is only available if Squid is rebuilt with the
2302# --enable-ssl
2303#
2304#
2305# sslproxy_cert_adapt <adaptation algorithm> acl ...
2306#
2307# The following certificate adaptation algorithms are supported:
2308#
2309# setValidAfter
2310# Sets the "Not After" property to the "Not After" property of
2311# the CA certificate used to sign generated certificates.
2312#
2313# setValidBefore
2314# Sets the "Not Before" property to the "Not Before" property of
2315# the CA certificate used to sign generated certificates.
2316#
2317# setCommonName or setCommonName{CN}
2318# Sets Subject.CN property to the host name specified as a
2319# CN parameter or, if no explicit CN parameter was specified,
2320# extracted from the CONNECT request. It is a misconfiguration
2321# to use setCommonName without an explicit parameter for
2322# intercepted or tproxied SSL connections.
2323#
2324# This clause only supports fast acl types.
2325#
2326# Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
2327# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
2328# corresponding adaptation algorithm to generate the certificate and
2329# ignores all subsequent sslproxy_cert_adapt options in that algorithm's
2330# group (i.e., the first match wins within each algorithm group). If no
2331# acl(s) match, the default mimicking action takes place.
2332#
2333# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl::certDomainMismatch can
2334# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
2335# CONNECT request that carries a domain name. In all other cases (CONNECT
2336# to an IP address or an intercepted SSL connection), Squid cannot detect
2337# the domain mismatch at certificate generation time when
2338# bump-server-first is used.
2339#Default:
2340# none
2341
2342# TAG: sslpassword_program
2343# Note: This option is only available if Squid is rebuilt with the
2344# --enable-ssl
2345#
2346# Specify a program used for entering SSL key passphrases
2347# when using encrypted SSL certificate keys. If not specified
2348# keys must either be unencrypted, or Squid started with the -N
2349# option to allow it to query interactively for the passphrase.
2350#
2351# The key file name is given as argument to the program allowing
2352# selection of the right password if you have multiple encrypted
2353# keys.
2354#Default:
2355# none
2356
2357# OPTIONS RELATING TO EXTERNAL SSL_CRTD
2358# -----------------------------------------------------------------------------
2359
2360# TAG: sslcrtd_program
2361# Note: This option is only available if Squid is rebuilt with the
2362# --enable-ssl-crtd
2363#
2364# Specify the location and options of the executable for ssl_crtd process.
2365# /usr/lib/squid3/ssl_crtd program requires -s and -M parameters
2366# For more information use:
2367# /usr/lib/squid3/ssl_crtd -h
2368#Default:
2369# sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
2370
2371# TAG: sslcrtd_children
2372# Note: This option is only available if Squid is rebuilt with the
2373# --enable-ssl-crtd
2374#
2375# The maximum number of processes spawned to service the SSL server.
2376# The maximum this may be safely set to is 32.
2377#
2378# The startup= and idle= options allow some measure of skew in your
2379# tuning.
2380#
2381# startup=N
2382#
2383# Sets the minimum number of processes to spawn when Squid
2384# starts or reconfigures. When set to zero the first request will
2385# cause spawning of the first child process to handle it.
2386#
2387# Starting too few children temporarily slows Squid under load while it
2388# tries to spawn enough additional processes to cope with traffic.
2389#
2390# idle=N
2391#
2392# Sets a minimum of how many processes Squid is to try and keep available
2393# at all times. When traffic begins to rise above what the existing
2394# processes can handle this many more will be spawned up to the maximum
2395# configured. A minimum setting of 1 is required.
2396#
2397# You must have at least one ssl_crtd process.
2398#Default:
2399# sslcrtd_children 32 startup=5 idle=1
2400
2401# TAG: sslcrtvalidator_program
2402# Note: This option is only available if Squid is rebuilt with the
2403# --enable-ssl
2404#
2405# Specify the location and options of the executable for ssl_crt_validator
2406# process.
2407#
2408# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ...
2409#
2410# Options:
2411# ttl=n TTL in seconds for cached results. The default is 60 secs
2412# cache=n limit the result cache size. The default value is 2048
2413#Default:
2414# none
2415
2416# TAG: sslcrtvalidator_children
2417# Note: This option is only available if Squid is rebuilt with the
2418# --enable-ssl
2419#
2420# The maximum number of processes spawned to service the SSL server.
2421# The maximum this may be safely set to is 32.
2422#
2423# The startup= and idle= options allow some measure of skew in your
2424# tuning.
2425#
2426# startup=N
2427#
2428# Sets the minimum number of processes to spawn when Squid
2429# starts or reconfigures. When set to zero the first request will
2430# cause spawning of the first child process to handle it.
2431#
2432# Starting too few children temporarily slows Squid under load while it
2433# tries to spawn enough additional processes to cope with traffic.
2434#
2435# idle=N
2436#
2437# Sets a minimum of how many processes Squid is to try and keep available
2438# at all times. When traffic begins to rise above what the existing
2439# processes can handle this many more will be spawned up to the maximum
2440# configured. A minimum setting of 1 is required.
2441#
2442# concurrency=
2443#
2444# The number of requests each certificate validator helper can handle in
2445# parallel. A value of 0 indicates the certificate validator does not
2446# support concurrency. Defaults to 1.
2447#
2448# When this directive is set to a value >= 1 then the protocol
2449# used to communicate with the helper is modified to include
2450# a request ID in front of the request/response. The request
2451# ID from the request must be echoed back with the response
2452# to that request.
2453#
2454# You must have at least one ssl_crt_validator process.
2455#Default:
2456# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1
2457
2458# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
2459# -----------------------------------------------------------------------------
2460
2461# TAG: cache_peer
2462# To specify other caches in a hierarchy, use the format:
2463#
2464# cache_peer hostname type http-port icp-port [options]
2465#
2466# For example,
2467#
2468# # proxy icp
2469# # hostname type port port options
2470# # -------------------- -------- ----- ----- -----------
2471# cache_peer parent.foo.net parent 3128 3130 default
2472# cache_peer sib1.foo.net sibling 3128 3130 proxy-only
2473# cache_peer sib2.foo.net sibling 3128 3130 proxy-only
2474# cache_peer example.com parent 80 0 default
2475# cache_peer cdn.example.com sibling 3128 0
2476#
2477# type: either 'parent', 'sibling', or 'multicast'.
2478#
2479# proxy-port: The port number where the peer accepts HTTP requests.
2480# For other Squid proxies this is usually 3128
2481# For web servers this is usually 80
2482#
2483# icp-port: Used for querying neighbor caches about objects.
2484# Set to 0 if the peer does not support ICP or HTCP.
2485# See ICP and HTCP options below for additional details.
2486#
2487#
2488# ==== ICP OPTIONS ====
2489#
2490# You MUST also set icp_port and icp_access explicitly when using these options.
2491# The defaults will prevent peer traffic using ICP.
2492#
2493#
2494# no-query Disable ICP queries to this neighbor.
2495#
2496# multicast-responder
2497# Indicates the named peer is a member of a multicast group.
2498# ICP queries will not be sent directly to the peer, but ICP
2499# replies will be accepted from it.
2500#
2501# closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
2502# CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
2503#
2504# background-ping
2505# To only send ICP queries to this neighbor infrequently.
2506# This is used to keep the neighbor round trip time updated
2507# and is usually used in conjunction with weighted-round-robin.
2508#
2509#
2510# ==== HTCP OPTIONS ====
2511#
2512# You MUST also set htcp_port and htcp_access explicitly when using these options.
2513# The defaults will prevent peer traffic using HTCP.
2514#
2515#
2516# htcp Send HTCP, instead of ICP, queries to the neighbor.
2517# You probably also want to set the "icp-port" to 4827
2518# instead of 3130. This directive accepts a comma separated
2519# list of options described below.
2520#
2521# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier).
2522#
2523# htcp=no-clr Send HTCP to the neighbor but without
2524# sending any CLR requests. This cannot be used with
2525# only-clr.
2526#
2527# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests.
2528# This cannot be used with no-clr.
2529#
2530# htcp=no-purge-clr
2531# Send HTCP to the neighbor including CLRs but only when
2532# they do not result from PURGE requests.
2533#
2534# htcp=forward-clr
2535# Forward any HTCP CLR requests this proxy receives to the peer.
2536#
2537#
2538# ==== PEER SELECTION METHODS ====
2539#
2540# The default peer selection method is ICP, with the first responding peer
2541# being used as source. These options can be used for better load balancing.
2542#
2543#
2544# default This is a parent cache which can be used as a "last-resort"
2545# if a peer cannot be located by any of the peer-selection methods.
2546# If specified more than once, only the first is used.
2547#
2548# round-robin Load-Balance parents which should be used in a round-robin
2549# fashion in the absence of any ICP queries.
2550# weight=N can be used to add bias.
2551#
2552# weighted-round-robin
2553# Load-Balance parents which should be used in a round-robin
2554# fashion with the frequency of each parent being based on the
2555# round trip time. Closer parents are used more often.
2556# Usually used for background-ping parents.
2557# weight=N can be used to add bias.
2558#
2559# carp Load-Balance parents which should be used as a CARP array.
2560# The requests will be distributed among the parents based on the
2561# CARP load balancing hash function based on their weight.
2562#
2563# userhash Load-balance parents based on the client proxy_auth or ident username.
2564#
2565# sourcehash Load-balance parents based on the client source IP.
2566#
2567# multicast-siblings
2568# To be used only for cache peers of type "multicast".
2569# ALL members of this multicast group have "sibling"
2570# relationship with it, not "parent". This is for a multicast
2571# group when the requested object would be fetched only from
2572# a "parent" cache anyway. It's useful, e.g., when
2573# configuring a pool of redundant Squid proxies that are
2574# members of the same multicast group.
2575#
2576#
2577# ==== PEER SELECTION OPTIONS ====
2578#
2579# weight=N use to affect the selection of a peer during any weighted
2580# peer-selection mechanisms.
2581# The weight must be an integer; default is 1,
2582# larger weights are favored more.
2583# This option does not affect parent selection if a peering
2584# protocol is not in use.
2585#
2586# basetime=N Specify a base amount to be subtracted from round trip
2587# times of parents.
2588# It is subtracted before division by weight in calculating
2589# which parent to fetch from. If the rtt is less than the
2590# base time the rtt is set to a minimal value.
2591#
2592# ttl=N Specify a TTL to use when sending multicast ICP queries
2593# to this address.
2594# Only useful when sending to a multicast group.
2595# Because we don't accept ICP replies from random
2596# hosts, you must configure other group members as
2597# peers with the 'multicast-responder' option.
2598#
2599# no-delay To prevent access to this neighbor from influencing the
2600# delay pools.
2601#
2602# digest-url=URL Tell Squid to fetch the cache digest (if digests are
2603# enabled) for this host from the specified URL rather
2604# than the Squid default location.
2605#
2606#
2607# ==== CARP OPTIONS ====
2608#
2609# carp-key=key-specification
2610# use a different key than the full URL to hash against the peer.
2611# the key-specification is a comma-separated list of the keywords
2612# scheme, host, port, path, params
2613# Order is not important.
2614#
2615# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
2616#
2617# originserver Causes this parent to be contacted as an origin server.
2618# Meant to be used in accelerator setups when the peer
2619# is a web server.
2620#
2621# forceddomain=name
2622# Set the Host header of requests forwarded to this peer.
2623# Useful in accelerator setups where the server (peer)
2624# expects a certain domain name but clients may request
2625# others. ie example.com or www.example.com
2626#
2627# no-digest Disable request of cache digests.
2628#
2629# no-netdb-exchange
2630# Disables requesting ICMP RTT database (NetDB).
2631#
2632#
2633# ==== AUTHENTICATION OPTIONS ====
2634#
2635# login=user:password
2636# If this is a personal/workgroup proxy and your parent
2637# requires proxy authentication.
2638#
2639# Note: The string can include URL escapes (i.e. %20 for
2640# spaces). This also means % must be written as %%.
2641#
2642# login=PASSTHRU
2643# Send login details received from client to this peer.
2644# Both Proxy- and WWW-Authorization headers are passed
2645# without alteration to the peer.
2646# Authentication is not required by Squid for this to work.
2647#
2648# Note: This will pass any form of authentication but
2649# only Basic auth will work through a proxy unless the
2650# connection-auth options are also used.
2651#
2652# login=PASS Send login details received from client to this peer.
2653# Authentication is not required by this option.
2654#
2655# If there are no client-provided authentication headers
2656# to pass on, but username and password are available
2657# from an external ACL user= and password= result tags
2658# they may be sent instead.
2659#
2660# Note: To combine this with proxy_auth both proxies must
2661# share the same user database as HTTP only allows for
2662# a single login (one for proxy, one for origin server).
2663# Also be warned this will expose your users' proxy
2664# passwords to the peer. USE WITH CAUTION
2665#
2666# login=*:password
2667# Send the username to the upstream cache, but with a
2668# fixed password. This is meant to be used when the peer
2669# is in another administrative domain, but it is still
2670# needed to identify each user.
2671# The star can optionally be followed by some extra
2672# information which is added to the username. This can
2673# be used to identify this proxy to the peer, similar to
2674# the login=username:password option above.
2675#
2676# login=NEGOTIATE
2677# If this is a personal/workgroup proxy and your parent
2678# requires a secure proxy authentication.
2679# The first principal from the default keytab or defined by
2680# the environment variable KRB5_KTNAME will be used.
2681#
2682# WARNING: The connection may transmit requests from multiple
2683# clients. Negotiate often assumes end-to-end authentication
2684# and a single client, which is not strictly true here.
2685#
2686# login=NEGOTIATE:principal_name
2687# If this is a personal/workgroup proxy and your parent
2688# requires a secure proxy authentication.
2689# The principal principal_name from the default keytab or
2690# defined by the environment variable KRB5_KTNAME will be
2691# used.
2692#
2693# WARNING: The connection may transmit requests from multiple
2694# clients. Negotiate often assumes end-to-end authentication
2695# and a single client, which is not strictly true here.
2696#
2697# connection-auth=on|off
2698# Tell Squid that this peer does or does not support Microsoft
2699# connection-oriented authentication, and that any such
2700# challenges received from there should be ignored.
2701# Default is auto, to automatically determine the status
2702# of the peer.
2703#
2704#
2705# ==== SSL / HTTPS / TLS OPTIONS ====
2706#
2707# ssl Encrypt connections to this peer with SSL/TLS.
2708#
2709# sslcert=/path/to/ssl/certificate
2710# A client SSL certificate to use when connecting to
2711# this peer.
2712#
2713# sslkey=/path/to/ssl/key
2714# The private SSL key corresponding to sslcert above.
2715# If 'sslkey' is not specified 'sslcert' is assumed to
2716# reference a combined file containing both the
2717# certificate and the key.
2718#
2719# sslversion=1|2|3|4|5|6
2720# The SSL version to use when connecting to this peer
2721# 1 = automatic (default)
2722# 2 = SSL v2 only
2723# 3 = SSL v3 only
2724# 4 = TLS v1.0 only
2725# 5 = TLS v1.1 only
2726# 6 = TLS v1.2 only
2727#
2728# sslcipher=... The list of valid SSL ciphers to use when connecting
2729# to this peer.
2730#
2731# ssloptions=... Specify various SSL implementation options:
2732#
2733# NO_SSLv2 Disallow the use of SSLv2
2734# NO_SSLv3 Disallow the use of SSLv3
2735# NO_TLSv1 Disallow the use of TLSv1.0
2736# NO_TLSv1_1 Disallow the use of TLSv1.1
2737# NO_TLSv1_2 Disallow the use of TLSv1.2
2738# SINGLE_DH_USE
2739# Always create a new key when using
2740# temporary/ephemeral DH key exchanges
2741# ALL Enable various bug workarounds
2742# suggested as "harmless" by OpenSSL
2743# Be warned that this weakens SSL/TLS
2744# against some attacks.
2745#
2746# See the OpenSSL SSL_CTX_set_options documentation for a
2747# more complete list.
2748#
2749# sslcafile=... A file containing additional CA certificates to use
2750# when verifying the peer certificate.
2751#
2752# sslcapath=... A directory containing additional CA certificates to
2753# use when verifying the peer certificate.
2754#
2755# sslcrlfile=... A certificate revocation list file to use when
2756# verifying the peer certificate.
2757#
2758# sslflags=... Specify various flags modifying the SSL implementation:
2759#
2760# DONT_VERIFY_PEER
2761# Accept the peer certificate even if it fails to
2762# verify (i.e. peer certificate validation is disabled).
2763# NO_DEFAULT_CA
2764# Don't use the default CA list built in
2765# to OpenSSL.
2766# DONT_VERIFY_DOMAIN
2767# Don't verify the peer certificate
2768# matches the server name
2769#
2770# ssldomain= The peer name as advertised in its certificate.
2771# Used for verifying the correctness of the received peer
2772# certificate. If not specified the peer hostname will be
2773# used.
2774#
2775# front-end-https
2776# Enable the "Front-End-Https: On" header needed when
2777# using Squid as a SSL frontend in front of Microsoft OWA.
2778# See MS KB document Q307347 for details on this header.
2779# If set to auto the header will only be added if the
2780# request is forwarded as a https:// URL.
2781#
2782#
2783# ==== GENERAL OPTIONS ====
2784#
2785# connect-timeout=N
2786# A peer-specific connect timeout.
2787# Also see the peer_connect_timeout directive.
2788#
2789# connect-fail-limit=N
2790# How many times connecting to a peer must fail before
2791# it is marked as down. Default is 10.
2792#
2793# allow-miss Disable Squid's use of only-if-cached when forwarding
2794# requests to siblings. This is primarily useful when
2795# icp_hit_stale is used by the sibling. Too extensive use
2796# of this option may result in forwarding loops, and you
2797# should avoid having two-way peerings with this option.
2798# For example to deny peer usage on requests from peer
2799# by denying cache_peer_access if the source is a peer.
2800#
2801# max-conn=N Limit the amount of connections Squid may open to this
2802# peer. see also
2803#
2804# name=xxx Unique name for the peer.
2805# Required if you have multiple peers on the same host
2806# but different ports.
2807# This name can be used in cache_peer_access and similar
2808# directives to identify the peer.
2809# Can be used by outgoing access controls through the
2810# peername ACL type.
2811#
2812# no-tproxy Do not use the client-spoof TPROXY support when forwarding
2813# requests to this peer. Use normal address selection instead.
2814# This overrides the spoof_client_ip ACL.
2815#
2816# proxy-only objects fetched from the peer will not be stored locally.
2817#
2818#Default:
2819# none
2820
2821# TAG: cache_peer_domain
2822# Use to limit the domains for which a neighbor cache will be
2823# queried.
2824#
2825# Usage:
2826# cache_peer_domain cache-host domain [domain ...]
2827# cache_peer_domain cache-host !domain
2828#
2829# For example, specifying
2830#
2831# cache_peer_domain parent.foo.net .edu
2832#
2833# has the effect such that UDP query packets are sent to
2834# 'parent.foo.net' only when the requested object exists on a
2835# server in the .edu domain. Prefixing the domainname
2836# with '!' means the cache will be queried for objects
2837# NOT in that domain.
2838#
2839# NOTE: * Any number of domains may be given for a cache-host,
2840# either on the same or separate lines.
2841# * When multiple domains are given for a particular
2842# cache-host, the first matched domain is applied.
2843# * Cache hosts with no domain restrictions are queried
2844# for all requests.
2845# * There are no defaults.
2846# * There is also a 'cache_peer_access' tag in the ACL
2847# section.
2848#Default:
2849# none
2850
2851# TAG: cache_peer_access
2852# Similar to 'cache_peer_domain' but provides more flexibility by
2853# using ACL elements.
2854#
2855# Usage:
2856# cache_peer_access cache-host allow|deny [!]aclname ...
2857#
2858# The syntax is identical to 'http_access' and the other lists of
2859# ACL elements. See the comments for 'http_access' below, or
2860# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
2861#Default:
2862# none
2863
2864# TAG: neighbor_type_domain
2865# Modify the cache_peer neighbor type when passing requests
2866# about specific domains to the peer.
2867#
2868# Usage:
2869# neighbor_type_domain neighbor parent|sibling domain domain ...
2870#
2871# For example:
2872# cache_peer foo.example.com parent 3128 3130
2873# neighbor_type_domain foo.example.com sibling .au .de
2874#
2875# The above configuration treats all requests to foo.example.com as a
2876# parent proxy unless the request is for a .au or .de ccTLD domain name.
2877#Default:
2878# The peer type from cache_peer directive is used for all requests to that peer.
2879
2880# TAG: dead_peer_timeout (seconds)
2881# This controls how long Squid waits to declare a peer cache
2882# as "dead." If there are no ICP replies received in this
2883# amount of time, Squid will declare the peer dead and not
2884# expect to receive any further ICP replies. However, it
2885# continues to send ICP queries, and will mark the peer as
2886# alive upon receipt of the first subsequent ICP reply.
2887#
2888# This timeout also affects when Squid expects to receive ICP
2889# replies from peers. If more than 'dead_peer_timeout' seconds have
2890# passed since the last ICP reply was received, Squid will not
2891# expect to receive an ICP reply on the next query. Thus, if
2892# your time between requests is greater than this timeout, you
2893# will see a lot of requests sent DIRECT to origin servers
2894# instead of to your parents.
2895#Default:
2896# dead_peer_timeout 10 seconds
2897
2898# TAG: forward_max_tries
2899# Controls how many different forward paths Squid will try
2900# before giving up. See also forward_timeout.
2901#
2902# NOTE: connect_retries (default: none) can make each of these
2903# possible forwarding paths be tried multiple times.
2904#Default:
2905# forward_max_tries 10
2906
2907# TAG: hierarchy_stoplist
2908# A list of words which, if found in a URL, cause the object to
2909# be handled directly by this cache. In other words, use this
2910# to not query neighbor caches for certain objects. You may
2911# list this option multiple times.
2912#
2913# Example:
2914# hierarchy_stoplist cgi-bin ?
2915#
2916# Note: never_direct overrides this option.
2917#Default:
2918# none
2919
2920# MEMORY CACHE OPTIONS
2921# -----------------------------------------------------------------------------
2922
2923# TAG: cache_mem (bytes)
2924# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
2925# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
2926# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
2927# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
2928#
2929# 'cache_mem' specifies the ideal amount of memory to be used
2930# for:
2931# * In-Transit objects
2932# * Hot Objects
2933# * Negative-Cached objects
2934#
2935# Data for these objects are stored in 4 KB blocks. This
2936# parameter specifies the ideal upper limit on the total size of
2937# 4 KB blocks allocated. In-Transit objects take the highest
2938# priority.
2939#
2940# In-transit objects have priority over the others. When
2941# additional space is needed for incoming data, negative-cached
2942# and hot objects will be released. In other words, the
2943# negative-cached and hot objects will fill up any unused space
2944# not needed for in-transit objects.
2945#
2946# If circumstances require, this limit will be exceeded.
2947# Specifically, if your incoming request rate requires more than
2948# 'cache_mem' of memory to hold in-transit objects, Squid will
2949# exceed this limit to satisfy the new requests. When the load
2950# decreases, blocks will be freed until the high-water mark is
2951# reached. Thereafter, blocks will be used to store hot
2952# objects.
2953#
2954# If shared memory caching is enabled, Squid does not use the shared
2955# cache space for in-transit objects, but they still consume as much
2956# local memory as they need. For more details about the shared memory
2957# cache, see memory_cache_shared.
2958#Default:
2959# cache_mem 256 MB
2960
2961# TAG: maximum_object_size_in_memory (bytes)
2962# Objects greater than this size will not be kept in
2963# the memory cache. This should be set high enough to keep objects
2964# accessed frequently in memory to improve performance whilst low
2965# enough to keep larger objects from hoarding cache_mem.
2966#Default:
2967# maximum_object_size_in_memory 512 KB
2968
2969# TAG: memory_cache_shared on|off
2970# Controls whether the memory cache is shared among SMP workers.
2971#
2972# The shared memory cache is meant to occupy cache_mem bytes and replace
2973# the non-shared memory cache, although some entities may still be
2974# cached locally by workers for now (e.g., internal and in-transit
2975# objects may be served from a local memory cache even if shared memory
2976# caching is enabled).
2977#
2978# By default, the memory cache is shared if and only if all of the
2979# following conditions are satisfied: Squid runs in SMP mode with
2980# multiple workers, cache_mem is positive, and Squid environment
2981# supports required IPC primitives (e.g., POSIX shared memory segments
2982# and GCC-style atomic operations).
2983#
2984# To avoid blocking locks, shared memory uses opportunistic algorithms
2985# that do not guarantee that every cachable entity that could have been
2986# shared among SMP workers will actually be shared.
2987#
2988# Currently, entities exceeding 32KB in size cannot be shared.
2989#Default:
2990# "on" where supported if doing memory caching with multiple SMP workers.
2991
2992# TAG: memory_cache_mode
2993# Controls which objects to keep in the memory cache (cache_mem)
2994#
2995# always Keep most recently fetched objects in memory (default)
2996#
2997# disk Only disk cache hits are kept in memory, which means
2998# an object must first be cached on disk and then hit
2999# a second time before being cached in memory.
3000#
3001# network Only objects fetched from the network are kept in memory
3002#Default:
3003# Keep the most recently fetched objects in memory
3004
3005# TAG: memory_replacement_policy
3006# The memory replacement policy parameter determines which
3007# objects are purged from memory when memory space is needed.
3008#
3009# See cache_replacement_policy for details on algorithms.
3010#Default:
3011# memory_replacement_policy lru
3012
3013# DISK CACHE OPTIONS
3014# -----------------------------------------------------------------------------
3015
3016# TAG: cache_replacement_policy
3017# The cache replacement policy parameter determines which
3018# objects are evicted (replaced) when disk space is needed.
3019#
3020# lru : Squid's original list based LRU policy
3021# heap GDSF : Greedy-Dual Size Frequency
3022# heap LFUDA: Least Frequently Used with Dynamic Aging
3023# heap LRU : LRU policy implemented using a heap
3024#
3025# Applies to any cache_dir lines listed below this directive.
3026#
3027# The LRU policies keep recently referenced objects.
3028#
3029# The heap GDSF policy optimizes object hit rate by keeping smaller
3030# popular objects in cache so it has a better chance of getting a
3031# hit. It achieves a lower byte hit rate than LFUDA though since
3032# it evicts larger (possibly popular) objects.
3033#
3034# The heap LFUDA policy keeps popular objects in cache regardless of
3035# their size and thus optimizes byte hit rate at the expense of
3036# hit rate since one large, popular object will prevent many
3037# smaller, slightly less popular objects from being cached.
3038#
3039# Both policies utilize a dynamic aging mechanism that prevents
3040# cache pollution that can otherwise occur with frequency-based
3041# replacement policies.
3042#
3043# NOTE: if using the LFUDA replacement policy you should increase
3044# the value of maximum_object_size above its default of 4 MB
3045# to maximize the potential byte hit rate improvement of LFUDA.
3046#
3047# For more information about the GDSF and LFUDA cache replacement
3048# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
3049# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
3050#Default:
3051# cache_replacement_policy lru
3052
3053# TAG: minimum_object_size (bytes)
3054# Objects smaller than this size will NOT be saved on disk. The
3055# value is specified in bytes, and the default is 0 KB, which
3056# means all responses can be stored.
3057#Default:
3058# no limit
3059
3060# TAG: maximum_object_size (bytes)
3061# Set the default value for max-size parameter on any cache_dir.
3062# The value is specified in bytes, and the default is 4 MB.
3063#
3064# If you wish to get a high BYTES hit ratio, you should probably
3065# increase this (one 32 MB object hit counts for 3200 10KB
3066# hits).
3067#
3068# If you wish to increase hit ratio more than you want to
3069# save bandwidth you should leave this low.
3070#
3071# NOTE: if using the LFUDA replacement policy you should increase
3072# this value to maximize the byte hit rate improvement of LFUDA!
3073# See cache_replacement_policy for a discussion of this policy.
3074#Default:
3075# maximum_object_size 4 MB
3076
3077# TAG: cache_dir
3078# Format:
3079# cache_dir Type Directory-Name Fs-specific-data [options]
3080#
3081# You can specify multiple cache_dir lines to spread the
3082# cache among different disk partitions.
3083#
3084# Type specifies the kind of storage system to use. Only "ufs"
3085# is built by default. To enable any of the other storage systems
3086# see the --enable-storeio configure option.
3087#
3088# 'Directory' is a top-level directory where cache swap
3089# files will be stored. If you want to use an entire disk
3090# for caching, this can be the mount-point directory.
3091# The directory must exist and be writable by the Squid
3092# process. Squid will NOT create this directory for you.
3093#
3094# In SMP configurations, cache_dir must not precede the workers option
3095# and should use configuration macros or conditionals to give each
3096# worker interested in disk caching a dedicated cache directory.
3097#
3098#
3099# ==== The ufs store type ====
3100#
3101# "ufs" is the old well-known Squid storage format that has always
3102# been there.
3103#
3104# Usage:
3105# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
3106#
3107# 'Mbytes' is the amount of disk space (MB) to use under this
3108# directory. The default is 100 MB. Change this to suit your
3109# configuration. Do NOT put the size of your disk drive here.
3110# Instead, if you want Squid to use the entire disk drive,
3111# subtract 20% and use that value.
3112#
3113# 'L1' is the number of first-level subdirectories which
3114# will be created under the 'Directory'. The default is 16.
3115#
3116# 'L2' is the number of second-level subdirectories which
3117# will be created under each first-level directory. The default
3118# is 256.
3119#
3120#
3121# ==== The aufs store type ====
3122#
3123# "aufs" uses the same storage format as "ufs", utilizing
3124# POSIX-threads to avoid blocking the main Squid process on
3125# disk-I/O. This was formerly known in Squid as async-io.
3126#
3127# Usage:
3128# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
3129#
3130# see argument descriptions under ufs above
3131#
3132#
3133# ==== The diskd store type ====
3134#
3135# "diskd" uses the same storage format as "ufs", utilizing a
3136# separate process to avoid blocking the main Squid process on
3137# disk-I/O.
3138#
3139# Usage:
3140# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
3141#
3142# see argument descriptions under ufs above
3143#
3144# Q1 specifies the number of unacknowledged I/O requests when Squid
3145# stops opening new files. If this many messages are in the queues,
3146# Squid won't open new files. Default is 64
3147#
3148# Q2 specifies the number of unacknowledged messages when Squid
3149# starts blocking. If this many messages are in the queues,
3150# Squid blocks until it receives some replies. Default is 72
3151#
3152# When Q1 < Q2 (the default), the cache directory is optimized
3153# for lower response time at the expense of a decrease in hit
3154# ratio. If Q1 > Q2, the cache directory is optimized for
3155# higher hit ratio at the expense of an increase in response
3156# time.
3157#
3158#
3159# ==== The rock store type ====
3160#
3161# Usage:
3162# cache_dir rock Directory-Name Mbytes <max-size=bytes> [options]
3163#
3164# The Rock Store type is a database-style storage. All cached
3165# entries are stored in a "database" file, using fixed-size slots,
3166# one entry per slot. The database size is specified in MB. The
3167# slot size is specified in bytes using the max-size option. See
3168# below for more info on the max-size option.
3169#
3170# If possible, Squid using Rock Store creates a dedicated kid
3171# process called "disker" to avoid blocking Squid worker(s) on disk
3172# I/O. One disker kid is created for each rock cache_dir. Diskers
3173# are created only when Squid, running in daemon mode, has support
3174# for the IpcIo disk I/O module.
3175#
3176# swap-timeout=msec: Squid will not start writing a miss to or
3177# reading a hit from disk if it estimates that the swap operation
3178# will take more than the specified number of milliseconds. By
3179# default and when set to zero, disables the disk I/O time limit
3180# enforcement. Ignored when using blocking I/O module because
3181# blocking synchronous I/O does not allow Squid to estimate the
3182# expected swap wait time.
3183#
3184# max-swap-rate=swaps/sec: Artificially limits disk access using
3185# the specified I/O rate limit. Swap out requests that
3186# would cause the average I/O rate to exceed the limit are
3187# delayed. Individual swap in requests (i.e., hits or reads) are
3188# not delayed, but they do contribute to measured swap rate and
3189# since they are placed in the same FIFO queue as swap out
3190# requests, they may wait longer if max-swap-rate is smaller.
3191# This is necessary on file systems that buffer "too
3192# many" writes and then start blocking Squid and other processes
3193# while committing those writes to disk. Usually used together
3194# with swap-timeout to avoid excessive delays and queue overflows
3195# when disk demand exceeds available disk "bandwidth". By default
3196# and when set to zero, disables the disk I/O rate limit
3197# enforcement. Currently supported by IpcIo module only.
3198#
3199#
3200# ==== The coss store type ====
3201#
3202# NP: COSS filesystem in Squid-3 has been deemed too unstable for
3203# production use and has thus been removed from this release.
3204# We hope that it can be made usable again soon.
3205#
3206# block-size=n defines the "block size" for COSS cache_dir's.
3207# Squid uses file numbers as block numbers. Since file numbers
3208# are limited to 24 bits, the block size determines the maximum
3209# size of the COSS partition. The default is 512 bytes, which
3210# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
3211# you should not change the coss block size after Squid
3212# has written some objects to the cache_dir.
3213#
3214# The coss file store has changed from 2.5. Now it uses a file
3215# called 'stripe' in the directory names in the config - and
3216# this will be created by squid -z.
3217#
3218#
3219# ==== COMMON OPTIONS ====
3220#
3221# no-store no new objects should be stored to this cache_dir.
3222#
3223# min-size=n the minimum object size in bytes this cache_dir
3224# will accept. It's used to restrict a cache_dir
3225# to only store large objects (e.g. AUFS) while
3226# other stores are optimized for smaller objects
3227# (e.g. COSS).
3228# Defaults to 0.
3229#
3230# max-size=n the maximum object size in bytes this cache_dir
3231# supports.
3232# The value in maximum_object_size directive sets
3233# the default unless more specific details are
3234# available (ie a small store capacity).
3235#
3236# Note: To make optimal use of the max-size limits you should order
3237# the cache_dir lines with the smallest max-size value first.
3238#
3239# Note for coss, max-size must be less than COSS_MEMBUF_SZ,
3240# which can be changed with the --with-coss-membuf-size=N configure
3241# option.
3242#
3243#Default:
3244# No disk cache. Store cache objects only in memory.
3245#
3246
3247# The following line (already uncommented here) adds a disk cache directory; adjust it to suit your system.
3248cache_dir ufs /var/spool/squid3 100 16 256
3249
3250# TAG: store_dir_select_algorithm
3251# How Squid selects which cache_dir to use when the response
3252# object will fit into more than one.
3253#
3254# Regardless of which algorithm is used the cache_dir min-size
3255# and max-size parameters are obeyed. As such they can affect
3256# the selection algorithm by limiting the set of considered
3257# cache_dir.
3258#
3259# Algorithms:
3260#
3261# least-load
3262#
3263# This algorithm is suited to caches with similar cache_dir
3264# sizes and disk speeds.
3265#
3266# The disk with the least I/O pending is selected.
3267# When there are multiple disks with the same I/O load ranking
3268# the cache_dir with most available capacity is selected.
3269#
3270# When a mix of cache_dir sizes are configured the faster disks
3271# have a naturally lower I/O loading and larger disks have more
3272# capacity. So space used to store objects and data throughput
3273# may be very unbalanced towards larger disks.
3274#
3275#
3276# round-robin
3277#
3278# This algorithm is suited to caches with unequal cache_dir
3279# disk sizes.
3280#
3281# Each cache_dir is selected in a rotation. The next suitable
3282# cache_dir is used.
3283#
3284# Available cache_dir capacity is only considered in relation
3285# to whether the object will fit and meets the min-size and
3286# max-size parameters.
3287#
3288# Disk I/O loading is only considered to prevent overload on slow
3289# disks. This algorithm does not spread objects by size, so any
3290# I/O loading per-disk may appear very unbalanced and volatile.
3291#
3292#Default:
3293# store_dir_select_algorithm least-load
3294
3295# TAG: max_open_disk_fds
3296# To avoid having disk as the I/O bottleneck Squid can optionally
3297# bypass the on-disk cache if more than this amount of disk file
3298# descriptors are open.
3299#
3300# A value of 0 indicates no limit.
3301#Default:
3302# no limit
3303
3304# TAG: cache_swap_low (percent, 0-100)
3305# The low-water mark for cache object replacement.
3306# Replacement begins when the swap (disk) usage is above the
3307# low-water mark and attempts to maintain utilization near the
3308# low-water mark. As swap utilization gets close to high-water
3309# mark object eviction becomes more aggressive. If utilization is
3310# close to the low-water mark less replacement is done each time.
3311#
3312# Defaults are 90% and 95%. If you have a large cache, 5% could be
3313# hundreds of MB. If this is the case you may wish to set these
3314# numbers closer together.
3315#
3316# See also cache_swap_high
3317#Default:
3318# cache_swap_low 90
3319
3320# TAG: cache_swap_high (percent, 0-100)
3321# The high-water mark for cache object replacement.
3322# Replacement begins when the swap (disk) usage is above the
3323# low-water mark and attempts to maintain utilization near the
3324# low-water mark. As swap utilization gets close to high-water
3325# mark object eviction becomes more aggressive. If utilization is
3326# close to the low-water mark less replacement is done each time.
3327#
3328# Defaults are 90% and 95%. If you have a large cache, 5% could be
3329# hundreds of MB. If this is the case you may wish to set these
3330# numbers closer together.
3331#
3332# See also cache_swap_low
3333#Default:
3334# cache_swap_high 95
3335
3336# LOGFILE OPTIONS
3337# -----------------------------------------------------------------------------
3338
3339# TAG: logformat
3340# Usage:
3341#
3342# logformat <name> <format specification>
3343#
3344# Defines an access log format.
3345#
3346# The <format specification> is a string with embedded % format codes
3347#
3348# % format codes all follow the same basic structure where all but
3349# the formatcode are optional. Output strings are automatically escaped
3350# as required according to their context and the output format
3351# modifiers are usually not needed, but can be specified if an explicit
3352# output format is desired.
3353#
3354# % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
3355#
3356# " output in quoted string format
3357# [ output in squid text log format as used by log_mime_hdrs
3358# # output in URL quoted format
3359# ' output as-is
3360#
3361# - left aligned
3362#
3363# width minimum and/or maximum field width:
3364# [width_min][.width_max]
3365# When minimum starts with 0, the field is zero-padded.
3366# String values exceeding maximum width are truncated.
3367#
3368# {arg} argument such as header name etc
3369#
3370# Format codes:
3371#
3372# % a literal % character
3373# sn Unique sequence number per log line entry
3374# err_code The ID of an error response served by Squid or
3375# a similar internal error identifier.
3376# err_detail Additional err_code-dependent error information.
3377# note The annotation specified by the argument. Also
3378# logs the adaptation meta headers set by the
3379# adaptation_meta configuration parameter.
3380# If no argument given all annotations logged.
3381# The argument may include a separator to use with
3382# annotation values:
3383# name[:separator]
3384# By default, multiple note values are separated with ","
3385# and multiple notes are separated with "\r\n".
3386# When logging named notes with %{name}note, the
3387# explicitly configured separator is used between note
3388# values. When logging all notes with %note, the
3389# explicitly configured separator is used between
3390# individual notes. There is currently no way to
3391# specify both value and notes separators when logging
3392# all notes with %note.
3393#
3394# Connection related format codes:
3395#
3396# >a Client source IP address
3397# >A Client FQDN
3398# >p Client source port
3399# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
3400# >la Local IP address the client connected to
3401# >lp Local port number the client connected to
3402# >qos Client connection TOS/DSCP value set by Squid
3403# >nfmark Client connection netfilter mark set by Squid
3404#
3405# la Local listening IP address the client connection was connected to.
3406# lp Local listening port number the client connection was connected to.
3407#
3408# <a Server IP address of the last server or peer connection
3409# <A Server FQDN or peer name
3410# <p Server port number of the last server or peer connection
3411# <la Local IP address of the last server or peer connection
3412# <lp Local port number of the last server or peer connection
3413# <qos Server connection TOS/DSCP value set by Squid
3414# <nfmark Server connection netfilter mark set by Squid
3415#
3416# Time related format codes:
3417#
3418# ts Seconds since epoch
3419# tu subsecond time (milliseconds)
3420# tl Local time. Optional strftime format argument
3421# default %d/%b/%Y:%H:%M:%S %z
3422# tg GMT time. Optional strftime format argument
3423# default %d/%b/%Y:%H:%M:%S %z
3424# tr Response time (milliseconds)
3425# dt Total time spent making DNS lookups (milliseconds)
3426#
3427# Access Control related format codes:
3428#
3429# et Tag returned by external acl
3430# ea Log string returned by external acl
3431# un User name (any available)
3432# ul User name from authentication
3433# ue User name from external acl helper
3434# ui User name from ident
3435# us User name from SSL
3436#
3437# HTTP related format codes:
3438#
3439# [http::]>h Original received request header.
3440# Usually differs from the request header sent by
3441# Squid, although most fields are often preserved.
3442# Accepts optional header field name/value filter
3443# argument using name[:[separator]element] format.
3444# [http::]>ha Received request header after adaptation and
3445# redirection (pre-cache REQMOD vectoring point).
3446# Usually differs from the request header sent by
3447# Squid, although most fields are often preserved.
3448# Optional header name argument as for >h
3449# [http::]<h Reply header. Optional header name argument
3450# as for >h
3451# [http::]>Hs HTTP status code sent to the client
3452# [http::]<Hs HTTP status code received from the next hop
3453# [http::]<bs Number of HTTP-equivalent message body bytes
3454# received from the next hop, excluding chunked
3455# transfer encoding and control messages.
3456# Generated FTP/Gopher listings are treated as
3457# received bodies.
3458# [http::]mt MIME content type
3459# [http::]rm Request method (GET/POST etc)
3460# [http::]>rm Request method from client
3461# [http::]<rm Request method sent to server or peer
3462# [http::]ru Request URL from client (historic, filtered for logging)
3463# [http::]>ru Request URL from client
3464# [http::]<ru Request URL sent to server or peer
3465# [http::]rp Request URL-Path excluding hostname
3466# [http::]>rp Request URL-Path excluding hostname from client
3467# [http::]<rp Request URL-Path excluding hostname sent to server or peer
3468# [http::]rv Request protocol version
3469# [http::]>rv Request protocol version from client
3470# [http::]<rv Request protocol version sent to server or peer
3471# [http::]<st Sent reply size including HTTP headers
3472# [http::]>st Received request size including HTTP headers. In the
3473# case of chunked requests the chunked encoding metadata
3474# are not included
3475# [http::]>sh Received HTTP request headers size
3476# [http::]<sh Sent HTTP reply headers size
3477# [http::]st Request+Reply size including HTTP headers
3478# [http::]<sH Reply high offset sent
3479# [http::]<sS Upstream object size
3480# [http::]<pt Peer response time in milliseconds. The timer starts
3481# when the last request byte is sent to the next hop
3482# and stops when the last response byte is received.
3483# [http::]<tt Total server-side time in milliseconds. The timer
3484# starts with the first connect request (or write I/O)
3485# sent to the first selected peer. The timer stops
3486# with the last I/O with the last peer.
3487#
3488# Squid handling related format codes:
3489#
3490# Ss Squid request status (TCP_MISS etc)
3491# Sh Squid hierarchy status (DEFAULT_PARENT etc)
3492#
3493# SSL-related format codes:
3494#
3495# ssl::bump_mode SslBump decision for the transaction:
3496#
3497# For CONNECT requests that initiated bumping of
3498# a connection and for any request received on
3499# an already bumped connection, Squid logs the
3500# corresponding SslBump mode ("server-first" or
3501# "client-first"). See the ssl_bump option for
3502# more information about these modes.
3503#
3504# A "none" token is logged for requests that
3505# triggered "ssl_bump" ACL evaluation matching
3506# either a "none" rule or no rules at all.
3507#
3508# In all other cases, a single dash ("-") is
3509# logged.
3510#
3511# If ICAP is enabled, the following code becomes available (as
3512# well as ICAP log codes documented with the icap_log option):
3513#
3514# icap::tt Total ICAP processing time for the HTTP
3515# transaction. The timer ticks when ICAP
3516# ACLs are checked and when ICAP
3517# transaction is in progress.
3518#
3519# If adaptation is enabled the following three codes become available:
3520#
3521# adapt::<last_h The header of the last ICAP response or
3522# meta-information from the last eCAP
3523# transaction related to the HTTP transaction.
3524# Like <h, accepts an optional header name
3525# argument.
3526#
3527# adapt::sum_trs Summed adaptation transaction response
3528# times recorded as a comma-separated list in
3529# the order of transaction start time. Each time
3530# value is recorded as an integer number,
3531# representing response time of one or more
3532# adaptation (ICAP or eCAP) transaction in
3533# milliseconds. When a failed transaction is
3534# being retried or repeated, its time is not
3535# logged individually but added to the
3536# replacement (next) transaction. See also:
3537# adapt::all_trs.
3538#
3539# adapt::all_trs All adaptation transaction response times.
3540# Same as adaptation_strs but response times of
3541# individual transactions are never added
3542# together. Instead, all transaction response
3543# times are recorded individually.
3544#
3545# You can prefix adapt::*_trs format codes with adaptation
3546# service name in curly braces to record response time(s) specific
3547# to that service. For example: %{my_service}adapt::sum_trs
3548#
3549# If SSL is enabled, the following formatting codes become available:
3550#
3551# %ssl::>cert_subject The Subject field of the received client
3552# SSL certificate or a dash ('-') if Squid has
3553# received an invalid/malformed certificate or
3554# no certificate at all. Consider encoding the
3555# logged value because Subject often has spaces.
3556#
3557# %ssl::>cert_issuer The Issuer field of the received client
3558# SSL certificate or a dash ('-') if Squid has
3559# received an invalid/malformed certificate or
3560# no certificate at all. Consider encoding the
3561# logged value because Issuer often has spaces.
3562#
3563# The default formats available (which do not need re-defining) are:
3564#
3565#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
3566#logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
3567#logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
3568#logformat referrer %ts.%03tu %>a %{Referer}>h %ru
3569#logformat useragent %>a [%tl] "%{User-Agent}>h"
3570#
3571# NOTE: When the log_mime_hdrs directive is set to ON,
3572# the squid, common and combined formats have a safely encoded copy
3573# of the mime headers appended to each line within a pair of brackets.
3574#
3575# NOTE: The common and combined formats are not quite true to the Apache definition.
3576# The logs from Squid contain an extra status and hierarchy code appended.
3577#
3578#Default:
3579# The format definitions squid, common, combined, referrer, useragent are built in.
3580
3581# TAG: access_log
3582# Configures whether and how Squid logs HTTP and ICP transactions.
3583# If access logging is enabled, a single line is logged for every
3584# matching HTTP or ICP request. The recommended directive formats are:
3585#
3586# access_log <module>:<place> [option ...] [acl acl ...]
3587# access_log none [acl acl ...]
3588#
3589# The following directive format is accepted but may be deprecated:
3590# access_log <module>:<place> [<logformat name> [acl acl ...]]
3591#
3592# In most cases, the first ACL name must not contain the '=' character
3593# and should not be equal to an existing logformat name. You can always
3594# start with an 'all' ACL to work around those restrictions.
3595#
3596# Will log to the specified module:place using the specified format (which
3597# must be defined in a logformat directive) those entries which match
3598# ALL the acl's specified (which must be defined in acl clauses).
3599# If no acl is specified, all requests will be logged to this destination.
3600#
3601# ===== Available options for the recommended directive format =====
3602#
3603# logformat=name Names log line format (either built-in or
3604# defined by a logformat directive). Defaults
3605# to 'squid'.
3606#
3607# buffer-size=64KB Defines approximate buffering limit for log
3608# records (see buffered_logs). Squid should not
3609# keep more than the specified size and, hence,
3610# should flush records before the buffer becomes
3611# full to avoid overflows under normal
3612# conditions (the exact flushing algorithm is
3613# module-dependent though). The on-error option
3614# controls overflow handling.
3615#
3616# on-error=die|drop Defines action on unrecoverable errors. The
3617# 'drop' action ignores (i.e., does not log)
3618# affected log records. The default 'die' action
3619# kills the affected worker. The drop action
3620# support has not been tested for modules other
3621# than tcp.
3622#
3623# ===== Modules Currently available =====
3624#
3625# none Do not log any requests matching these ACL.
3626# Do not specify Place or logformat name.
3627#
3628# stdio Write each log line to disk immediately at the completion of
3629# each request.
3630# Place: the filename and path to be written.
3631#
3632# daemon Very similar to stdio. But instead of writing to disk the log
3633# line is passed to a daemon helper for asynchronous handling.
3634# Place: varies depending on the daemon.
3635#
3636# log_file_daemon Place: the file name and path to be written.
3637#
3638# syslog To log each request via syslog facility.
3639# Place: The syslog facility and priority level for these entries.
3640# Place Format: facility.priority
3641#
3642# where facility could be any of:
3643# authpriv, daemon, local0 ... local7 or user.
3644#
3645# And priority could be any of:
3646# err, warning, notice, info, debug.
3647#
3648# udp To send each log line as text data to a UDP receiver.
3649# Place: The destination host name or IP and port.
3650# Place Format: //host:port
3651#
3652# tcp To send each log line as text data to a TCP receiver.
3653# Lines may be accumulated before sending (see buffered_logs).
3654# Place: The destination host name or IP and port.
3655# Place Format: //host:port
3656#
3657# Default:
3658# access_log daemon:/var/log/squid3/access.log squid
3659#Default:
3660# access_log daemon:/var/log/squid3/access.log squid
3661
3662# TAG: icap_log
3663# ICAP log files record ICAP transaction summaries, one line per
3664# transaction.
3665#
3666# The icap_log option format is:
3667# icap_log <filepath> [<logformat name> [acl acl ...]]
3668# icap_log none [acl acl ...]
3669#
3670# Please see access_log option documentation for details. The two
3671# kinds of logs share the overall configuration approach and many
3672# features.
3673#
3674# ICAP processing of a single HTTP message or transaction may
3675# require multiple ICAP transactions. In such cases, multiple
3676# ICAP transaction log lines will correspond to a single access
3677# log line.
3678#
3679# ICAP log uses logformat codes that make sense for an ICAP
3680# transaction. Header-related codes are applied to the HTTP header
3681# embedded in an ICAP server response, with the following caveats:
3682# For REQMOD, there is no HTTP response header unless the ICAP
3683# server performed request satisfaction. For RESPMOD, the HTTP
3684# request header is the header sent to the ICAP server. For
3685# OPTIONS, there are no HTTP headers.
3686#
3687# The following format codes are also available for ICAP logs:
3688#
3689# icap::<A ICAP server IP address. Similar to <A.
3690#
3691# icap::<service_name ICAP service name from the icap_service
3692# option in Squid configuration file.
3693#
3694# icap::ru ICAP Request-URI. Similar to ru.
3695#
3696# icap::rm ICAP request method (REQMOD, RESPMOD, or
3697# OPTIONS). Similar to existing rm.
3698#
3699# icap::>st Bytes sent to the ICAP server (TCP payload
3700# only; i.e., what Squid writes to the socket).
3701#
3702# icap::<st Bytes received from the ICAP server (TCP
3703# payload only; i.e., what Squid reads from
3704# the socket).
3705#
3706# icap::<bs Number of message body bytes received from the
3707# ICAP server. ICAP message body, if any, usually
3708# includes encapsulated HTTP message headers and
3709# possibly encapsulated HTTP message body. The
3710# HTTP body part is dechunked before its size is
3711# computed.
3712#
3713# icap::tr Transaction response time (in
3714# milliseconds). The timer starts when
3715# the ICAP transaction is created and
3716# stops when the transaction is completed.
3717# Similar to tr.
3718#
3719# icap::tio Transaction I/O time (in milliseconds). The
3720# timer starts when the first ICAP request
3721# byte is scheduled for sending. The timer
3722# stops when the last byte of the ICAP response
3723# is received.
3724#
3725# icap::to Transaction outcome: ICAP_ERR* for all
3726# transaction errors, ICAP_OPT for OPTIONS
3727# transactions, ICAP_ECHO for 204
3728# responses, ICAP_MOD for message
3729# modification, and ICAP_SAT for request
3730# satisfaction. Similar to Ss.
3731#
3732# icap::Hs ICAP response status code. Similar to Hs.
3733#
3734# icap::>h ICAP request header(s). Similar to >h.
3735#
3736# icap::<h ICAP response header(s). Similar to <h.
3737#
3738# The default ICAP log format, which can be used without an explicit
3739# definition, is called icap_squid:
3740#
3741#logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
3742#
3743# See also: logformat, log_icap, and %adapt::<last_h
3744#Default:
3745# none
3746
3747# TAG: logfile_daemon
3748# Specify the path to the logfile-writing daemon. This daemon is
3749# used to write the access and store logs, if configured.
3750#
3751# Squid sends a number of commands to the log daemon:
3752# L<data>\n - logfile data
3753# R\n - rotate file
3754# T\n - truncate file
3755# O\n - reopen file
3756# F\n - flush file
3757# r<n>\n - set rotate count to <n>
3758# b<n>\n - 1 = buffer output, 0 = don't buffer output
3759#
3760# No response is expected.
3761#Default:
3762# logfile_daemon /usr/lib/squid3/log_file_daemon
3763
3764# TAG: log_access
3765# Remove this line. Use acls with access_log directives to control access logging
3766#Default:
3767# none
3768
3769# TAG: log_icap
3770# Remove this line. Use acls with icap_log directives to control icap logging
3771#Default:
3772# none
3773
3774# TAG: stats_collection allow|deny acl acl...
3775# This option allows you to control which requests get accounted
3776# in performance counters.
3777#
3778# This clause only supports fast acl types.
3779# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
3780#Default:
3781# Allow logging for all transactions.
3782
3783# TAG: cache_store_log
3784# Logs the activities of the storage manager. Shows which
3785# objects are ejected from the cache, and which objects are
3786# saved and for how long.
3787# There are not really any utilities to analyze this data, so you can safely
3788# disable it (the default).
3789#
3790# Store log uses modular logging outputs. See access_log for the list
3791# of modules supported.
3792#
3793# Example:
3794# cache_store_log stdio:/var/log/squid3/store.log
3795# cache_store_log daemon:/var/log/squid3/store.log
3796#Default:
3797# none
3798
3799# TAG: cache_swap_state
3800# Location for the cache "swap.state" file. This index file holds
3801# the metadata of objects saved on disk. It is used to rebuild
3802# the cache during startup. Normally this file resides in each
3803# 'cache_dir' directory, but you may specify an alternate
3804# pathname here. Note you must give a full filename, not just
3805# a directory. Since this is the index for the whole object
3806# list you CANNOT periodically rotate it!
3807#
3808# If %s is used in the file name it will be replaced with
3809# a representation of the cache_dir name where each / is replaced
3810# with '.'. This is needed to allow adding/removing cache_dir
3811# lines when cache_swap_log is being used.
3812#
3813# If you have more than one 'cache_dir', and %s is not used in the name
3814# these swap logs will have names such as:
3815#
3816# cache_swap_log.00
3817# cache_swap_log.01
3818# cache_swap_log.02
3819#
3820# The numbered extension (which is added automatically)
3821# corresponds to the order of the 'cache_dir' lines in this
3822# configuration file. If you change the order of the 'cache_dir'
3823# lines in this file, these index files will NOT correspond to
3824# the correct 'cache_dir' entry (unless you manually rename
3825# them). We recommend you do NOT use this option. It is
3826# better to keep these index files in each 'cache_dir' directory.
3827#Default:
3828# Store the journal inside its cache_dir
3829
3830# TAG: logfile_rotate
3831# Specifies the number of logfile rotations to make when you
3832# type 'squid -k rotate'. The default is 10, which will rotate
3833# with extensions 0 through 9. Setting logfile_rotate to 0 will
3834# disable the file name rotation, but the logfiles are still closed
3835# and re-opened. This will enable you to rename the logfiles
3836# yourself just before sending the rotate signal.
3837#
3838# Note, the 'squid -k rotate' command normally sends a USR1
3839# signal to the running squid process. In certain situations
3840# (e.g. on Linux with Async I/O), USR1 is used for other
3841# purposes, so -k rotate uses another signal. It is best to get
3842# in the habit of using 'squid -k rotate' instead of 'kill -USR1
3843# <pid>'.
3844#
3845# Note, from Squid-3.1 this option is only a default for cache.log,
3846# that log can be rotated separately by using debug_options.
3847#
3848# Note2, for Debian/Linux the default of logfile_rotate is
3849# zero, since it includes external logfile-rotation methods.
3850#Default:
3851# logfile_rotate 0
3852
3853# TAG: emulate_httpd_log
3854# Replace this with an access_log directive using the format 'common' or 'combined'.
3855#Default:
3856# none
3857
3858# TAG: log_ip_on_direct
3859# Remove this option from your config. To log server or peer names use %<A in the log format.
3860#Default:
3861# none
3862
3863# TAG: mime_table
3864# Path to Squid's icon configuration file.
3865#
3866# You shouldn't need to change this, but the default file contains
3867# examples and formatting information if you do.
3868#Default:
3869# mime_table /usr/share/squid3/mime.conf
3870
3871# TAG: log_mime_hdrs on|off
3872# The Cache can record both the request and the response MIME
3873# headers for each HTTP transaction. The headers are encoded
3874# safely and will appear as two bracketed fields at the end of
3875# the access log (for either the native or httpd-emulated log
3876# formats). To enable this logging set log_mime_hdrs to 'on'.
3877#Default:
3878# log_mime_hdrs off
3879
3880# TAG: useragent_log
3881# Replace this with an access_log directive using the format 'useragent'.
3882#Default:
3883# none
3884
3885# TAG: referer_log
3886# Replace this with an access_log directive using the format 'referrer'.
3887#Default:
3888# none
3889
3890# TAG: pid_filename
3891# A filename to write the process-id to. To disable, enter "none".
3892#Default:
3893# pid_filename /var/run/squid3.pid
3894
3895# TAG: log_fqdn
3896# Remove this option from your config. To log FQDN use %>A in the log format.
3897#Default:
3898# none
3899
3900# TAG: client_netmask
3901# A netmask for client addresses in logfiles and cachemgr output.
3902# Change this to protect the privacy of your cache clients.
3903# A netmask of 255.255.255.0 will log all IPs in that range with
3904# the last octet set to '0'.
3905#Default:
3906# Log full client IP address
3907
3908# TAG: forward_log
3909# Use a regular access.log with ACL limiting it to MISS events.
3910#Default:
3911# none
3912
3913# TAG: strip_query_terms
3914# By default, Squid strips query terms from requested URLs before
3915# logging. This protects your users' privacy and reduces log size.
3916#
3917# When investigating HIT/MISS or other caching behaviour you
3918# will need to disable this to see the full URL used by Squid.
3919#Default:
3920# strip_query_terms on
3921
3922# TAG: buffered_logs on|off
3923# Whether to write/send access_log records ASAP or accumulate them and
3924# then write/send them in larger chunks. Buffering may improve
3925# performance because it decreases the number of I/Os. However,
3926# buffering increases the delay before log records become available to
3927# the final recipient (e.g., a disk file or logging daemon) and,
3928# hence, increases the risk of log records loss.
3929#
3930# Note that even when buffered_logs are off, Squid may have to buffer
3931# records if it cannot write/send them immediately due to pending I/Os
3932# (e.g., the I/O writing the previous log record) or connectivity loss.
3933#
3934# Currently honored by 'daemon' and 'tcp' access_log modules only.
3935#Default:
3936# buffered_logs off
3937
3938# TAG: netdb_filename
3939# Where Squid stores its netdb journal.
3940# When enabled this journal preserves netdb state between restarts.
3941#
3942# To disable, enter "none".
3943#Default:
3944# netdb_filename stdio:/var/log/squid3/netdb.state
3945
3946# OPTIONS FOR TROUBLESHOOTING
3947# -----------------------------------------------------------------------------
3948
3949# TAG: cache_log
3950# Squid administrative logging file.
3951#
3952# This is where general information about Squid behavior goes. You can
3953# increase the amount of data logged to this file and how often it is
3954# rotated with "debug_options"
3955#Default:
3956# cache_log /var/log/squid3/cache.log
3957
3958# TAG: debug_options
3959# Logging options are set as section,level where each source file
3960# is assigned a unique section. Lower levels result in less
3961# output. Full debugging (level 9) can result in a very large
3962# log file, so be careful.
3963#
3964# The magic word "ALL" sets debugging levels for all sections.
3965# The default is to run with "ALL,1" to record important warnings.
3966#
3967# The rotate=N option can be used to keep more or less of these logs
3968# than would otherwise be kept by logfile_rotate.
3969# For most uses a single log should be enough to monitor current
3970# events affecting Squid.
3971#Default:
3972# Log all critical and important messages.
3973
3974# TAG: coredump_dir
3975# By default Squid leaves core files in the directory from where
3976# it was started. If you set 'coredump_dir' to a directory
3977# that exists, Squid will chdir() to that directory at startup
3978# and coredump files will be left there.
3979#
3980#Default:
3981# Use the directory from where Squid was started.
3982#
3983
3984# Leave coredumps in the first cache dir
3985coredump_dir /var/spool/squid3
3986
3987# OPTIONS FOR FTP GATEWAYING
3988# -----------------------------------------------------------------------------
3989
3990# TAG: ftp_user
3991# If you want the anonymous login password to be more informative
3992# (and enable the use of picky FTP servers), set this to something
3993# reasonable for your domain, like wwwuser@somewhere.net
3994#
3995# The reason why this is domainless by default is the
3996# request can be made on the behalf of a user in any domain,
3997# depending on how the cache is used.
3998# Some FTP servers also validate that the email address is valid
3999# (for example perl.com).
4000#Default:
4001# ftp_user Squid@
4002
4003# TAG: ftp_passive
4004# If your firewall does not allow Squid to use passive
4005# connections, turn off this option.
4006#
4007# Use of ftp_epsv_all option requires this to be ON.
4008#Default:
4009# ftp_passive on
4010
4011# TAG: ftp_epsv_all
4012# FTP Protocol extensions permit the use of a special "EPSV ALL" command.
4013#
4014# NATs may be able to put the connection on a "fast path" through the
4015# translator, as the EPRT command will never be used and therefore,
4016# translation of the data portion of the segments will never be needed.
4017#
4018# When a client only expects to do two-way FTP transfers this may be
4019# useful.
4020# If squid finds that it must do a three-way FTP transfer after issuing
4021# an EPSV ALL command, the FTP session will fail.
4022#
4023# If you have any doubts about this option do not use it.
4024# Squid will nicely attempt all other connection methods.
4025#
4026# Requires ftp_passive to be ON (default) for any effect.
4027#Default:
4028# ftp_epsv_all off
4029
4030# TAG: ftp_epsv
4031# FTP Protocol extensions permit the use of a special "EPSV" command.
4032#
4033# NATs may be able to put the connection on a "fast path" through the
4034# translator using EPSV, as the EPRT command will never be used
4035# and therefore, translation of the data portion of the segments
4036# will never be needed.
4037#
4038# Turning this OFF will prevent EPSV being attempted.
4039# WARNING: Doing so will convert Squid back to the old behavior with all
4040# the related problems with external NAT devices/layers.
4041#
4042# Requires ftp_passive to be ON (default) for any effect.
4043#Default:
4044# ftp_epsv on
4045
4046# TAG: ftp_eprt
4047# FTP Protocol extensions permit the use of a special "EPRT" command.
4048#
4049# This extension provides a protocol neutral alternative to the
4050# IPv4-only PORT command. When supported it enables active FTP data
4051# channels over IPv6 and efficient NAT handling.
4052#
4053# Turning this OFF will prevent EPRT being attempted and will skip
4054# straight to using PORT for IPv4 servers.
4055#
4056# Some devices are known to not handle this extension correctly and
4057# may result in crashes. Devices which support EPRT enough to fail
4058# cleanly will result in Squid attempting PORT anyway. This directive
4059# should only be disabled when EPRT results in device failures.
4060#
4061# WARNING: Doing so will convert Squid back to the old behavior with all
4062# the related problems with external NAT devices/layers and IPv4-only FTP.
4063#Default:
4064# ftp_eprt on
4065
4066# TAG: ftp_sanitycheck
4067# For security and data integrity reasons Squid by default performs
4068# sanity checks of the addresses of FTP data connections to ensure the
4069# data connection is to the requested server. If you need to allow
4070# FTP connections to servers using another IP address for the data
4071# connection turn this off.
4072#Default:
4073# ftp_sanitycheck on
4074
4075# TAG: ftp_telnet_protocol
4076# The FTP protocol is officially defined to use the telnet protocol
4077# as transport channel for the control connection. However, many
4078# implementations are broken and do not respect this aspect of
4079# the FTP protocol.
4080#
4081# If you have trouble accessing files with ASCII code 255 in the
4082# path or similar problems involving this ASCII code you can
4083# try setting this directive to off. If that helps, report to the
4084# operator of the FTP server in question that their FTP server
4085# is broken and does not follow the FTP standard.
4086#Default:
4087# ftp_telnet_protocol on
4088
4089# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
4090# -----------------------------------------------------------------------------
4091
4092# TAG: diskd_program
4093# Specify the location of the diskd executable.
4094# Note this is only useful if you have compiled in
4095# diskd as one of the store io modules.
4096#Default:
4097# diskd_program /usr/lib/squid3/diskd
4098
4099# TAG: unlinkd_program
4100# Specify the location of the executable for file deletion process.
4101#Default:
4102# unlinkd_program /usr/lib/squid3/unlinkd
4103
4104# TAG: pinger_program
4105# Specify the location of the executable for the pinger process.
4106#Default:
4107# pinger_program /usr/lib/squid3/pinger
4108
4109# TAG: pinger_enable
4110# Control whether the pinger is active at run-time.
4111# Enables turning ICMP pinger on and off with a simple
4112# squid -k reconfigure.
4113#Default:
4114# pinger_enable on
4115
4116# OPTIONS FOR URL REWRITING
4117# -----------------------------------------------------------------------------
4118
4119# TAG: url_rewrite_program
4120# Specify the location of the executable URL rewriter to use.
4121# Since they can perform almost any function there isn't one included.
4122#
4123# For each requested URL, the rewriter will receive one line with the format
4124#
4125# [channel-ID <SP>] URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kv-pairs]<NL>
4126#
4127#
4128# After processing the request the helper must reply using the following format:
4129#
4130# [channel-ID <SP>] result [<SP> kv-pairs]
4131#
4132# The result code can be:
4133#
4134# OK status=30N url="..."
4135# Redirect the URL to the one supplied in 'url='.
4136# 'status=' is optional and contains the status code to send
4137# the client in Squid's HTTP response. It must be one of the
4138# HTTP redirect status codes: 301, 302, 303, 307, 308.
4139# When no status is given Squid will use 302.
4140#
4141# OK rewrite-url="..."
4142# Rewrite the URL to the one supplied in 'rewrite-url='.
4143# The new URL is fetched directly by Squid and returned to
4144# the client as the response to its request.
4145#
4146# OK
4147# When neither url= nor rewrite-url= is sent Squid does
4148# not change the URL.
4149#
4150# ERR
4151# Do not change the URL.
4152#
4153# BH
4154# An internal error occurred in the helper, preventing
4155# a result being identified. The 'message=' key name is
4156# reserved for delivering a log message.
4157#
4158#
4159# In the future, the interface protocol will be extended with
4160# key=value pairs ("kv-pairs" shown above). Helper programs
4161# should be prepared to receive and possibly ignore additional
4162# whitespace-separated tokens on each input line.
4163#
4164# When using the concurrency= option the protocol is changed by
4165# introducing a query channel tag in front of the request/response.
4166# The query channel tag is a number between 0 and concurrency-1.
4167# This value must be echoed back unchanged to Squid as the first part
4168# of the response relating to its request.
4169#
4170# WARNING: URL re-writing ability should be avoided whenever possible.
4171# Use the URL redirect form of response instead.
4172#
4173# Re-write creates a difference in the state held by the client
4174# and server. Possibly causing confusion when the server response
4175# contains snippets of its view state. Embedded URLs, response
4176# and content Location headers, etc. are not re-written by this
4177# interface.
4178#
4179# By default, a URL rewriter is not used.
4180#Default:
4181# none
4182
4183# TAG: url_rewrite_children
4184# The maximum number of redirector processes to spawn. If you limit
4185# it to too few, Squid will have to wait for them to process a backlog of
4186# URLs, slowing it down. If you allow too many they will use RAM
4187# and other system resources noticeably.
4188#
4189# The startup= and idle= options allow some measure of skew in your
4190# tuning.
4191#
4192# startup=
4193#
4194# Sets a minimum of how many processes are to be spawned when Squid
4195# starts or reconfigures. When set to zero the first request will
4196# cause spawning of the first child process to handle it.
4197#
4198# Starting too few will cause an initial slowdown in traffic as Squid
4199# attempts to simultaneously spawn enough processes to cope.
4200#
4201# idle=
4202#
4203# Sets a minimum of how many processes Squid is to try and keep available
4204# at all times. When traffic begins to rise above what the existing
4205# processes can handle this many more will be spawned up to the maximum
4206# configured. A minimum setting of 1 is required.
4207#
4208# concurrency=
4209#
4210# The number of requests each redirector helper can handle in
4211# parallel. Defaults to 0 which indicates the redirector
4212# is an old-style single threaded redirector.
4213#
4214# When this directive is set to a value >= 1 then the protocol
4215# used to communicate with the helper is modified to include
4216# an ID in front of the request/response. The ID from the request
4217# must be echoed back with the response to that request.
4218#Default:
4219# url_rewrite_children 20 startup=0 idle=1 concurrency=0
4220
4221# TAG: url_rewrite_host_header
4222# To preserve same-origin security policies in browsers and
4223# prevent Host: header forgery by redirectors Squid rewrites
4224# any Host: header in redirected requests.
4225#
4226# If you are running an accelerator this may not be a wanted
4227# effect of a redirector. This directive enables you to disable
4228# Host: alteration in reverse-proxy traffic.
4229#
4230# WARNING: Entries are cached on the result of the URL rewriting
4231# process, so be careful if you have domain-virtual hosts.
4232#
4233# WARNING: Squid and other software verify that the URL and Host
4234# match, so be careful not to relay through other proxies
4235# or inspecting firewalls with this disabled.
4236#Default:
4237# url_rewrite_host_header on
4238
4239# TAG: url_rewrite_access
4240# If defined, this access list specifies which requests are
4241# sent to the redirector processes.
4242#
4243# This clause supports both fast and slow acl types.
4244# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
4245#Default:
4246# Allow, unless rules exist in squid.conf.
4247
4248# TAG: url_rewrite_bypass
4249# When this is 'on', a request will not go through the
4250# redirector if all the helpers are busy. If this is 'off'
4251# and the redirector queue grows too large, Squid will exit
4252# with a FATAL error and ask you to increase the number of
4253# redirectors. You should only enable this if the redirectors
4254# are not critical to your caching system. If you use
4255# redirectors for access control, and you enable this option,
4256# users may have access to pages they should not
4257# be allowed to request.
4258#Default:
4259# url_rewrite_bypass off
4260
4261# OPTIONS FOR STORE ID
4262# -----------------------------------------------------------------------------
4263
4264# TAG: store_id_program
4265# Specify the location of the executable StoreID helper to use.
4266# Since they can perform almost any function there isn't one included.
4267#
4268# For each requested URL, the helper will receive one line with the format
4269#
4270# [channel-ID <SP>] URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kv-pairs]<NL>
4271#
4272#
4273# After processing the request the helper must reply using the following format:
4274#
4275# [channel-ID <SP>] result [<SP> kv-pairs]
4276#
4277# The result code can be:
4278#
4279# OK store-id="..."
4280# Use the StoreID supplied in 'store-id='.
4281#
4282# ERR
4283# The default is to use the HTTP request URL as the store ID.
4284#
4285# BH
4286# An internal error occurred in the helper, preventing
4287# a result being identified.
4288#
4289#
4290# Helper programs should be prepared to receive and possibly ignore additional
4291# kv-pairs with keys they do not support.
4292#
4293# When using the concurrency= option the protocol is changed by
4294# introducing a query channel tag in front of the request/response.
4295# The query channel tag is a number between 0 and concurrency-1.
4296# This value must be echoed back unchanged to Squid as the first part
4297# of the response relating to its request.
4298#
4299# NOTE: when using StoreID refresh_pattern will apply to the StoreID
4300# returned from the helper and not the URL.
4301#
4302# WARNING: Wrong StoreID value returned by a careless helper may result
4303# in the wrong cached response returned to the user.
4304#
4305# By default, a StoreID helper is not used.
4306#Default:
4307# none
4308
4309# TAG: store_id_children
4310# The maximum number of StoreID helper processes to spawn. If you limit
4311# it to too few, Squid will have to wait for them to process a backlog of
4312# requests, slowing it down. If you allow too many they will use RAM
4313# and other system resources noticeably.
4314#
4315# The startup= and idle= options allow some measure of skew in your
4316# tuning.
4317#
4318# startup=
4319#
4320# Sets a minimum of how many processes are to be spawned when Squid
4321# starts or reconfigures. When set to zero the first request will
4322# cause spawning of the first child process to handle it.
4323#
4324# Starting too few will cause an initial slowdown in traffic as Squid
4325# attempts to simultaneously spawn enough processes to cope.
4326#
4327# idle=
4328#
4329# Sets a minimum of how many processes Squid is to try and keep available
4330# at all times. When traffic begins to rise above what the existing
4331# processes can handle this many more will be spawned up to the maximum
4332# configured. A minimum setting of 1 is required.
4333#
4334# concurrency=
4335#
4336# The number of requests each storeID helper can handle in
4337# parallel. Defaults to 0 which indicates the helper
4338# is an old-style single threaded program.
4339#
4340# When this directive is set to a value >= 1 then the protocol
4341# used to communicate with the helper is modified to include
4342# an ID in front of the request/response. The ID from the request
4343# must be echoed back with the response to that request.
4344#Default:
4345# store_id_children 20 startup=0 idle=1 concurrency=0
4346
4347# TAG: store_id_access
4348# If defined, this access list specifies which requests are
4349# sent to the StoreID processes. By default all requests
4350# are sent.
4351#
4352# This clause supports both fast and slow acl types.
4353# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
4354#Default:
4355# Allow, unless rules exist in squid.conf.
4356
4357# TAG: store_id_bypass
4358# When this is 'on', a request will not go through the
4359# helper if all helpers are busy. If this is 'off'
4360# and the helper queue grows too large, Squid will exit
4361# with a FATAL error and ask you to increase the number of
4362# helpers. You should only enable this if the helpers
4363# are not critical to your caching system. If you use
4364# helpers for critical caching components, and you enable this
4365# option, users may not get objects from cache.
4366#Default:
4367# store_id_bypass on
4368
4369# OPTIONS FOR TUNING THE CACHE
4370# -----------------------------------------------------------------------------
4371
4372# TAG: cache
4373# A list of ACL elements which, if matched and denied, cause the request to
4374# not be satisfied from the cache and the reply to not be cached.
4375# In other words, use this to force certain objects to never be cached.
4376#
4377# You must use the words 'allow' or 'deny' to indicate whether items
4378# matching the ACL should be allowed or denied into the cache.
4379#
4380# This clause supports both fast and slow acl types.
4381# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
4382#Default:
4383# Allow caching, unless rules exist in squid.conf.
4384
4385# TAG: max_stale time-units
4386# This option puts an upper limit on how stale content Squid
4387# will serve from the cache if cache validation fails.
4388# Can be overridden by the refresh_pattern max-stale option.
4389#Default:
4390# max_stale 1 week
4391
4392# TAG: refresh_pattern
4393# usage: refresh_pattern [-i] regex min percent max [options]
4394#
4395# By default, regular expressions are CASE-SENSITIVE. To make
4396# them case-insensitive, use the -i option.
4397#
4398# 'Min' is the time (in minutes) an object without an explicit
4399# expiry time should be considered fresh. The recommended
4400# value is 0, any higher values may cause dynamic applications
4401# to be erroneously cached unless the application designer
4402# has taken the appropriate actions.
4403#
4404# 'Percent' is a percentage of the object's age (time since last
4405# modification age) an object without explicit expiry time
4406# will be considered fresh.
4407#
4408# 'Max' is an upper limit on how long objects without an explicit
4409# expiry time will be considered fresh.
4410#
4411# options: override-expire
4412# override-lastmod
4413# reload-into-ims
4414# ignore-reload
4415# ignore-no-store
4416# ignore-must-revalidate
4417# ignore-private
4418# ignore-auth
4419# max-stale=NN
4420# refresh-ims
4421# store-stale
4422#
4423# override-expire enforces min age even if the server
4424# sent an explicit expiry time (e.g., with the
4425# Expires: header or Cache-Control: max-age). Doing this
4426# VIOLATES the HTTP standard. Enabling this feature
4427# could make you liable for problems which it causes.
4428#
4429# Note: override-expire does not enforce staleness - it only extends
4430# freshness / min. If the server returns an Expires time which
4431# is longer than your max time, Squid will still consider
4432# the object fresh for that period of time.
4433#
4434# override-lastmod enforces min age even on objects
4435# that were modified recently.
4436#
4437# reload-into-ims changes a client no-cache or ``reload''
4438# request for a cached entry into a conditional request using
4439# If-Modified-Since and/or If-None-Match headers, provided the
4440# cached entry has a Last-Modified and/or a strong ETag header.
4441# Doing this VIOLATES the HTTP standard. Enabling this feature
4442# could make you liable for problems which it causes.
4443#
4444# ignore-reload ignores a client no-cache or ``reload''
4445# header. Doing this VIOLATES the HTTP standard. Enabling
4446# this feature could make you liable for problems which
4447# it causes.
4448#
4449# ignore-no-store ignores any ``Cache-control: no-store''
4450# headers received from a server. Doing this VIOLATES
4451# the HTTP standard. Enabling this feature could make you
4452# liable for problems which it causes.
4453#
4454# ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
4455# headers received from a server. Doing this VIOLATES
4456# the HTTP standard. Enabling this feature could make you
4457# liable for problems which it causes.
4458#
4459# ignore-private ignores any ``Cache-control: private''
4460# headers received from a server. Doing this VIOLATES
4461# the HTTP standard. Enabling this feature could make you
4462# liable for problems which it causes.
4463#
4464# ignore-auth caches responses to requests with authorization,
4465# as if the origin server had sent ``Cache-control: public''
4466# in the response header. Doing this VIOLATES the HTTP standard.
4467# Enabling this feature could make you liable for problems which
4468# it causes.
4469#
4470# refresh-ims causes squid to contact the origin server
4471# when a client issues an If-Modified-Since request. This
4472# ensures that the client will receive an updated version
4473# if one is available.
4474#
4475# store-stale stores responses even if they don't have explicit
4476# freshness or a validator (i.e., Last-Modified or an ETag)
4477# present, or if they're already stale. By default, Squid will
4478# not cache such responses because they usually can't be
4479# reused. Note that such responses will be stale by default.
4480#
4481# max-stale=NN provides a maximum staleness factor. Squid won't
4482# serve objects more stale than this even if it failed to
4483# validate the object. Default: use the max_stale global limit.
4484#
4485# Basically a cached object is:
4486#
4487# FRESH if expires > now, else STALE
4488# STALE if age > max
4489# FRESH if lm-factor < percent, else STALE
4490# FRESH if age < min
4491# else STALE
4492#
4493# The refresh_pattern lines are checked in the order listed here.
4494# The first entry which matches is used. If none of the entries
4495# match the default will be used.
4496#
4497# Note, you must uncomment all the default lines if you want
4498# to change one. The default setting is only active if none is
4499# used.
4500#
4501#
4502
4503#
4504# Add any of your own refresh_pattern entries above these.
4505#
# Built-in freshness rules, checked top to bottom; the first regex that
# matches the URL is used. Times are in minutes (see 'Min'/'Max' above).
# FTP objects: fresh for at least 1 day (1440), then 20% of their age,
# capped at 1 week (10080).
4506refresh_pattern ^ftp: 1440 20% 10080
# Gopher objects: fixed 1-day freshness (0% lm-factor, min == max).
4507refresh_pattern ^gopher: 1440 0% 1440
# Dynamic content: CGI paths or any URL with a query string (-i makes the
# match case-insensitive). min/percent/max of 0 means such responses are
# treated as stale and are not served from cache without revalidation.
4508refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
# Catch-all for everything else: no minimum freshness, 20% of the
# object's age, capped at 3 days (4320).
4509refresh_pattern . 0 20% 4320
4510
4511# TAG: quick_abort_min (KB)
4512#Default:
4513# quick_abort_min 16 KB
4514
4515# TAG: quick_abort_max (KB)
4516#Default:
4517# quick_abort_max 16 KB
4518
4519# TAG: quick_abort_pct (percent)
4520# The cache by default continues downloading aborted requests
4521# which are almost completed (less than 16 KB remaining). This
4522# may be undesirable on slow (e.g. SLIP) links and/or very busy
4523# caches. Impatient users may tie up file descriptors and
4524# bandwidth by repeatedly requesting and immediately aborting
4525# downloads.
4526#
4527# When the user aborts a request, Squid will compare the
4528# quick_abort values against the amount of data transferred until
4529# then.
4530#
4531# If the transfer has less than 'quick_abort_min' KB remaining,
4532# it will finish the retrieval.
4533#
4534# If the transfer has more than 'quick_abort_max' KB remaining,
4535# it will abort the retrieval.
4536#
4537# If more than 'quick_abort_pct' of the transfer has completed,
4538# it will finish the retrieval.
4539#
4540# If you do not want any retrieval to continue after the client
4541# has aborted, set both 'quick_abort_min' and 'quick_abort_max'
4542# to '0 KB'.
4543#
4544# If you want retrievals to always continue if they are being
4545# cached set 'quick_abort_min' to '-1 KB'.
4546#Default:
4547# quick_abort_pct 95
4548
4549# TAG: read_ahead_gap buffer-size
4550# The amount of data the cache will buffer ahead of what has been
4551# sent to the client when retrieving an object from another server.
4552#Default:
4553# read_ahead_gap 16 KB
4554
4555# TAG: negative_ttl time-units
4556# Set the Default Time-to-Live (TTL) for failed requests.
4557# Certain types of failures (such as "connection refused" and
4558# "404 Not Found") are able to be negatively-cached for a short time.
4559# Modern web servers should provide Expires: header, however if they
4560# do not this can provide a minimum TTL.
4561# The default is not to cache errors with unknown expiry details.
4562#
4563# Note that this is different from negative caching of DNS lookups.
4564#
4565# WARNING: Doing this VIOLATES the HTTP standard. Enabling
4566# this feature could make you liable for problems which it
4567# causes.
4568#Default:
4569# negative_ttl 0 seconds
4570
4571# TAG: positive_dns_ttl time-units
4572# Upper limit on how long Squid will cache positive DNS responses.
4573# Default is 6 hours (360 minutes). This directive must be set
4574# larger than negative_dns_ttl.
4575#Default:
4576# positive_dns_ttl 6 hours
4577
4578# TAG: negative_dns_ttl time-units
4579# Time-to-Live (TTL) for negative caching of failed DNS lookups.
4580# This also sets the lower cache limit on positive lookups.
4581# Minimum value is 1 second, and it is not recommended to go
4582# much below 10 seconds.
4583#Default:
4584# negative_dns_ttl 1 minutes
4585
4586# TAG: range_offset_limit size [acl acl...]
4587# usage: (size) [units] [[!]aclname]
4588#
4589# Sets an upper limit on how far (number of bytes) into the file
4590# a Range request may be to cause Squid to prefetch the whole file.
4591# If beyond this limit, Squid forwards the Range request as it is and
4592# the result is NOT cached.
4593#
4594# This is to stop a far ahead range request (let's say starting at 17MB)
4595# from making Squid fetch the whole object up to that point before
4596# sending anything to the client.
4597#
4598# Multiple range_offset_limit lines may be specified, and they will
4599# be searched from top to bottom on each request until a match is found.
4600# The first match found will be used. If no line matches a request, the
4601# default limit of 0 bytes will be used.
4602#
4603# 'size' is the limit specified as a number of units.
4604#
4605# 'units' specifies whether to use bytes, KB, MB, etc.
4606# If no units are specified bytes are assumed.
4607#
4608# A size of 0 causes Squid to never fetch more than the
4609# client requested. (default)
4610#
4611# A size of 'none' causes Squid to always fetch the object from the
4612# beginning so it may cache the result. (2.0 style)
4613#
4614# 'aclname' is the name of a defined ACL.
4615#
4616# NP: Using 'none' as the byte value here will override any quick_abort settings
4617# that may otherwise apply to the range request. The range request will
4618# be fully fetched from start to finish regardless of the client
4619# actions. This affects bandwidth usage.
4620#Default:
4621# none
4622
4623# TAG: minimum_expiry_time (seconds)
4624# The minimum caching time according to (Expires - Date)
4625# headers Squid honors if the object can't be revalidated.
4626# The default is 60 seconds.
4627#
4628# In reverse proxy environments it might be desirable to honor
4629# shorter object lifetimes. It is most likely better to make
4630# your server return a meaningful Last-Modified header however.
4631#
4632# In ESI environments where page fragments often have short
4633# lifetimes, this will often be best set to 0.
4634#Default:
4635# minimum_expiry_time 60 seconds
4636
4637# TAG: store_avg_object_size (bytes)
4638# Average object size, used to estimate number of objects your
4639# cache can hold. The default is 13 KB.
4640#
4641# This is used to pre-seed the cache index memory allocation to
4642# reduce expensive reallocate operations while handling clients
4643# traffic. Too-large values may result in memory allocation during
4644# peak traffic, too-small values will result in wasted memory.
4645#
4646# Check the cache manager 'info' report metrics for the real
4647# object sizes seen by your Squid before tuning this.
4648#Default:
4649# store_avg_object_size 13 KB
4650
4651# TAG: store_objects_per_bucket
4652# Target number of objects per bucket in the store hash table.
4653# Lowering this value increases the total number of buckets and
4654# also the storage maintenance rate. The default is 20.
4655#Default:
4656# store_objects_per_bucket 20
4657
4658# HTTP OPTIONS
4659# -----------------------------------------------------------------------------
4660
4661# TAG: request_header_max_size (KB)
4662# This specifies the maximum size for HTTP headers in a request.
4663# Request headers are usually relatively small (about 512 bytes).
4664# Placing a limit on the request header size will catch certain
4665# bugs (for example with persistent connections) and possibly
4666# buffer-overflow or denial-of-service attacks.
4667#Default:
4668# request_header_max_size 64 KB
4669
4670# TAG: reply_header_max_size (KB)
4671# This specifies the maximum size for HTTP headers in a reply.
4672# Reply headers are usually relatively small (about 512 bytes).
4673# Placing a limit on the reply header size will catch certain
4674# bugs (for example with persistent connections) and possibly
4675# buffer-overflow or denial-of-service attacks.
4676#Default:
4677# reply_header_max_size 64 KB
4678
4679# TAG: request_body_max_size (bytes)
4680# This specifies the maximum size for an HTTP request body.
4681# In other words, the maximum size of a PUT/POST request.
4682# A user who attempts to send a request with a body larger
4683# than this limit receives an "Invalid Request" error message.
4684# If you set this parameter to a zero (the default), there will
4685# be no limit imposed.
4686#
4687# See also client_request_buffer_max_size for an alternative
4688# limitation on client uploads which can be configured.
4689#Default:
4690# No limit.
4691
4692# TAG: client_request_buffer_max_size (bytes)
4693# This specifies the maximum buffer size of a client request.
4694# It prevents squid eating too much memory when somebody uploads
4695# a large file.
4696#Default:
4697# client_request_buffer_max_size 512 KB
4698
4699# TAG: chunked_request_body_max_size (bytes)
4700# A broken or confused HTTP/1.1 client may send a chunked HTTP
4701# request to Squid. Squid does not have full support for that
4702# feature yet. To cope with such requests, Squid buffers the
4703# entire request and then dechunks request body to create a
4704# plain HTTP/1.0 request with a known content length. The plain
4705# request is then used by the rest of Squid code as usual.
4706#
4707# The option value specifies the maximum size of the buffer used
4708# to hold the request before the conversion. If the chunked
4709# request size exceeds the specified limit, the conversion
4710# fails, and the client receives an "unsupported request" error,
4711# as if dechunking was disabled.
4712#
4713# Dechunking is enabled by default. To disable conversion of
4714# chunked requests, set the maximum to zero.
4715#
4716# Request dechunking feature and this option in particular are a
4717# temporary hack. When chunking requests and responses are fully
4718# supported, there will be no need to buffer a chunked request.
4719#Default:
4720# chunked_request_body_max_size 64 KB
4721
4722# TAG: broken_posts
4723# A list of ACL elements which, if matched, causes Squid to send
4724# an extra CRLF pair after the body of a PUT/POST request.
4725#
4726# Some HTTP servers have broken implementations of PUT/POST,
4727# and rely on an extra CRLF pair sent by some WWW clients.
4728#
4729# Quote from RFC2616 section 4.1 on this matter:
4730#
4731# Note: certain buggy HTTP/1.0 client implementations generate an
4732# extra CRLF's after a POST request. To restate what is explicitly
4733# forbidden by the BNF, an HTTP/1.1 client must not preface or follow
4734# a request with an extra CRLF.
4735#
4736# This clause only supports fast acl types.
4737# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
4738#
4739#Example:
4740# acl buggy_server url_regex ^http://....
4741# broken_posts allow buggy_server
4742#Default:
4743# Obey RFC 2616.
4744
4745# TAG: adaptation_uses_indirect_client on|off
4746# Controls whether the indirect client IP address (instead of the direct
4747# client IP address) is passed to adaptation services.
4748#
4749# See also: follow_x_forwarded_for adaptation_send_client_ip
4750#Default:
4751# adaptation_uses_indirect_client on
4752
4753# TAG: via on|off
4754# If set (default), Squid will include a Via header in requests and
4755# replies as required by RFC2616.
4756#Default:
4757# via on
4758
4759# TAG: ie_refresh on|off
4760# Microsoft Internet Explorer up until version 5.5 Service
4761# Pack 1 has an issue with transparent proxies, wherein it
4762# is impossible to force a refresh. Turning this on provides
4763# a partial fix to the problem, by causing all IMS-REFRESH
4764# requests from older IE versions to check the origin server
4765# for fresh content. This reduces hit ratio by some amount
4766# (~10% in my experience), but allows users to actually get
4767# fresh content when they want it. Note because Squid
4768# cannot tell if the user is using 5.5 or 5.5SP1, the behavior
4769# of 5.5 is unchanged from old versions of Squid (i.e. a
4770# forced refresh is impossible). Newer versions of IE will,
4771# hopefully, continue to have the new behavior and will be
4772# handled based on that assumption. This option defaults to
4773# the old Squid behavior, which is better for hit ratios but
4774# worse for clients using IE, if they need to be able to
4775# force fresh content.
4776#Default:
4777# ie_refresh off
4778
4779# TAG: vary_ignore_expire on|off
4780# Many HTTP servers supporting Vary give such objects
4781# immediate expiry time with no cache-control header
4782# when requested by a HTTP/1.0 client. This option
4783# enables Squid to ignore such expiry times until
4784# HTTP/1.1 is fully implemented.
4785#
4786# WARNING: If turned on this may eventually cause some
4787# varying objects not intended for caching to get cached.
4788#Default:
4789# vary_ignore_expire off
4790
4791# TAG: request_entities
4792# Squid defaults to deny GET and HEAD requests with request entities,
4793# as the meaning of such requests is undefined in the HTTP standard
4794# even if not explicitly forbidden.
4795#
4796# Set this directive to on if you have clients which insist
4797# on sending request entities in GET or HEAD requests. But be warned
4798# that there is server software (both proxies and web servers) which
4799# can fail to properly process this kind of request which may make you
4800# vulnerable to cache pollution attacks if enabled.
4801#Default:
4802# request_entities off
4803
4804# TAG: request_header_access
4805# Usage: request_header_access header_name allow|deny [!]aclname ...
4806#
4807# WARNING: Doing this VIOLATES the HTTP standard. Enabling
4808# this feature could make you liable for problems which it
4809# causes.
4810#
4811# This option replaces the old 'anonymize_headers' and the
4812# older 'http_anonymizer' option with something that is much
4813# more configurable. A list of ACLs for each header name allows
4814# removal of specific header fields under specific conditions.
4815#
4816# This option only applies to outgoing HTTP request headers (i.e.,
4817# headers sent by Squid to the next HTTP hop such as a cache peer
4818# or an origin server). The option has no effect during cache hit
4819# detection. The equivalent adaptation vectoring point in ICAP
4820# terminology is post-cache REQMOD.
4821#
4822# The option is applied to individual outgoing request header
4823# fields. For each request header field F, Squid uses the first
4824# qualifying set of request_header_access rules:
4825#
4826# 1. Rules with header_name equal to F's name.
4827# 2. Rules with header_name 'Other', provided F's name is not
4828# on the hard-coded list of commonly used HTTP header names.
4829# 3. Rules with header_name 'All'.
4830#
4831# Within that qualifying rule set, rule ACLs are checked as usual.
4832# If ACLs of an "allow" rule match, the header field is allowed to
4833# go through as is. If ACLs of a "deny" rule match, the header is
4834# removed and request_header_replace is then checked to identify
4835# if the removed header has a replacement. If no rules within the
4836# set have matching ACLs, the header field is left as is.
4837#
4838# For example, to achieve the same behavior as the old
4839# 'http_anonymizer standard' option, you should use:
4840#
4841# request_header_access From deny all
4842# request_header_access Referer deny all
4843# request_header_access User-Agent deny all
4844#
4845# Or, to reproduce the old 'http_anonymizer paranoid' feature
4846# you should use:
4847#
4848# request_header_access Authorization allow all
4849# request_header_access Proxy-Authorization allow all
4850# request_header_access Cache-Control allow all
4851# request_header_access Content-Length allow all
4852# request_header_access Content-Type allow all
4853# request_header_access Date allow all
4854# request_header_access Host allow all
4855# request_header_access If-Modified-Since allow all
4856# request_header_access Pragma allow all
4857# request_header_access Accept allow all
4858# request_header_access Accept-Charset allow all
4859# request_header_access Accept-Encoding allow all
4860# request_header_access Accept-Language allow all
4861# request_header_access Connection allow all
4862# request_header_access All deny all
4863#
4864# HTTP reply headers are controlled with the reply_header_access directive.
4865#
4866# By default, all headers are allowed (no anonymizing is performed).
4867#Default:
4868# No limits.
4869
4870# TAG: reply_header_access
4871# Usage: reply_header_access header_name allow|deny [!]aclname ...
4872#
4873# WARNING: Doing this VIOLATES the HTTP standard. Enabling
4874# this feature could make you liable for problems which it
4875# causes.
4876#
4877# This option only applies to reply headers, i.e., from the
4878# server to the client.
4879#
4880# This is the same as request_header_access, but in the other
4881# direction. Please see request_header_access for detailed
4882# documentation.
4883#
4884# For example, to achieve the same behavior as the old
4885# 'http_anonymizer standard' option, you should use:
4886#
4887# reply_header_access Server deny all
4888# reply_header_access WWW-Authenticate deny all
4889# reply_header_access Link deny all
4890#
4891# Or, to reproduce the old 'http_anonymizer paranoid' feature
4892# you should use:
4893#
4894# reply_header_access Allow allow all
4895# reply_header_access WWW-Authenticate allow all
4896# reply_header_access Proxy-Authenticate allow all
4897# reply_header_access Cache-Control allow all
4898# reply_header_access Content-Encoding allow all
4899# reply_header_access Content-Length allow all
4900# reply_header_access Content-Type allow all
4901# reply_header_access Date allow all
4902# reply_header_access Expires allow all
4903# reply_header_access Last-Modified allow all
4904# reply_header_access Location allow all
4905# reply_header_access Pragma allow all
4906# reply_header_access Content-Language allow all
4907# reply_header_access Retry-After allow all
4908# reply_header_access Title allow all
4909# reply_header_access Content-Disposition allow all
4910# reply_header_access Connection allow all
4911# reply_header_access All deny all
4912#
4913# HTTP request headers are controlled with the request_header_access directive.
4914#
4915# By default, all headers are allowed (no anonymizing is
4916# performed).
4917#Default:
4918# No limits.
4919
4920# TAG: request_header_replace
4921# Usage: request_header_replace header_name message
4922# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
4923#
4924# This option allows you to change the contents of headers
4925# denied with request_header_access above, by replacing them
4926# with some fixed string.
4927#
4928# This only applies to request headers, not reply headers.
4929#
4930# By default, headers are removed if denied.
4931#Default:
4932# none
4933
4934# TAG: reply_header_replace
4935# Usage: reply_header_replace header_name message
4936# Example: reply_header_replace Server Foo/1.0
4937#
4938# This option allows you to change the contents of headers
4939# denied with reply_header_access above, by replacing them
4940# with some fixed string.
4941#
4942# This only applies to reply headers, not request headers.
4943#
4944# By default, headers are removed if denied.
4945#Default:
4946# none
4947
4948# TAG: request_header_add
4949# Usage: request_header_add field-name field-value acl1 [acl2] ...
4950# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
4951#
4952# This option adds header fields to outgoing HTTP requests (i.e.,
4953# request headers sent by Squid to the next HTTP hop such as a
4954# cache peer or an origin server). The option has no effect during
4955# cache hit detection. The equivalent adaptation vectoring point
4956# in ICAP terminology is post-cache REQMOD.
4957#
4958# Field-name is a token specifying an HTTP header name. If a
4959# standard HTTP header name is used, Squid does not check whether
4960# the new header conflicts with any existing headers or violates
4961# HTTP rules. If the request to be modified already contains a
4962# field with the same name, the old field is preserved but the
4963# header field values are not merged.
4964#
4965# Field-value is either a token or a quoted string. If quoted
4966# string format is used, then the surrounding quotes are removed
4967# while escape sequences and %macros are processed.
4968#
4969# In theory, all of the logformat codes can be used as %macros.
4970# However, unlike logging (which happens at the very end of
4971# transaction lifetime), the transaction may not yet have enough
4972# information to expand a macro when the new header value is needed.
4973# And some information may already be available to Squid but not yet
4974# committed where the macro expansion code can access it (report
4975# such instances!). The macro will be expanded into a single dash
4976# ('-') in such cases. Not all macros have been tested.
4977#
4978# One or more Squid ACLs may be specified to restrict header
4979# injection to matching requests. As always in squid.conf, all
4980# ACLs in an option ACL list must be satisfied for the insertion
4981# to happen. The request_header_add option supports fast ACLs
4982# only.
4983#Default:
4984# none
4985
4986# TAG: note
4987# This option is used to log custom information about the master
4988# transaction. For example, an admin may configure Squid to log
4989# which "user group" the transaction belongs to, where "user group"
4990# will be determined based on a set of ACLs and not [just]
4991# authentication information.
4992# Values of key/value pairs can be logged using %{key}note macros:
4993#
4994# note key value acl ...
4995# logformat myFormat ... %{key}note ...
4996#Default:
4997# none
4998
4999# TAG: relaxed_header_parser on|off|warn
5000# In the default "on" setting Squid accepts certain forms
5001# of non-compliant HTTP messages where it is unambiguous
5002# what the sending application intended even if the message
5003# is not correctly formatted. The message is then normalized
5004# to the correct form when forwarded by Squid.
5005#
5006# If set to "warn" then a warning will be emitted in cache.log
5007# each time such an HTTP error is encountered.
5008#
5009# If set to "off" then such HTTP errors will cause the request
5010# or response to be rejected.
5011#Default:
5012# relaxed_header_parser on
5013
5014# TIMEOUTS
5015# -----------------------------------------------------------------------------
5016
5017# TAG: forward_timeout time-units
5018# This parameter specifies the maximum time Squid should spend
5019# trying to find a forwarding path for the request before giving up.
5020#Default:
5021# forward_timeout 4 minutes
5022
5023# TAG: connect_timeout time-units
5024# This parameter specifies how long to wait for the TCP connect to
5025# the requested server or peer to complete before Squid should
5026# attempt to find another path through which to forward the request.
5027#Default:
5028# connect_timeout 1 minute
5029
5030# TAG: peer_connect_timeout time-units
5031# This parameter specifies how long to wait for a pending TCP
5032# connection to a peer cache. The default is 30 seconds. You
5033# may also set different timeout values for individual neighbors
5034# with the 'connect-timeout' option on a 'cache_peer' line.
5035#Default:
5036# peer_connect_timeout 30 seconds
5037
5038# TAG: read_timeout time-units
5039# The read_timeout is applied on server-side connections. After
5040# each successful read(), the timeout will be extended by this
5041# amount. If no data is read again after this amount of time,
5042# the request is aborted and logged with ERR_READ_TIMEOUT. The
5043# default is 15 minutes.
5044#Default:
5045# read_timeout 15 minutes
5046
5047# TAG: write_timeout time-units
5048# This timeout is tracked for all connections that have data
5049# available for writing and are waiting for the socket to become
5050# ready. After each successful write, the timeout is extended by
5051# the configured amount. If Squid has data to write but the
5052# connection is not ready for the configured duration, the
5053# transaction associated with the connection is terminated. The
5054# default is 15 minutes.
5055#Default:
5056# write_timeout 15 minutes
5057
5058# TAG: request_timeout
5059# How long to wait for complete HTTP request headers after initial
5060# connection establishment.
5061#Default:
5062# request_timeout 5 minutes
5063
5064# TAG: client_idle_pconn_timeout
5065# How long to wait for the next HTTP request on a persistent
5066# client connection after the previous request completes.
5067#Default:
5068# client_idle_pconn_timeout 2 minutes
5069
5070# TAG: client_lifetime time-units
5071# The maximum amount of time a client (browser) is allowed to
5072# remain connected to the cache process. This protects the Cache
5073# from having a lot of sockets (and hence file descriptors) tied up
5074# in a CLOSE_WAIT state from remote clients that go away without
5075# properly shutting down (either because of a network failure or
5076# because of a poor client implementation). The default is one
5077# day, 1440 minutes.
5078#
5079# NOTE: The default value is intended to be much larger than any
5080# client would ever need to be connected to your cache. You
5081# should probably change client_lifetime only as a last resort.
5082# If you seem to have many client connections tying up
5083# file descriptors, we recommend first tuning the read_timeout,
5084# request_timeout, persistent_request_timeout and quick_abort values.
5085#Default:
5086# client_lifetime 1 day
5087
5088# TAG: half_closed_clients
5089# Some clients may shutdown the sending side of their TCP
5090# connections, while leaving their receiving sides open. Sometimes,
5091# Squid cannot tell the difference between a half-closed and a
5092# fully-closed TCP connection.
5093#
5094# By default, Squid will immediately close client connections when
5095# read(2) returns "no more data to read."
5096#
5097# Change this option to 'on' and Squid will keep open connections
5098# until a read(2) or write(2) on the socket returns an error.
5099# This may show some benefits for reverse proxies. Otherwise
5100# it is recommended to leave it off.
5101#Default:
5102# half_closed_clients off
5103
5104# TAG: server_idle_pconn_timeout
5105# Timeout for idle persistent connections to servers and other
5106# proxies.
5107#Default:
5108# server_idle_pconn_timeout 1 minute
5109
5110# TAG: ident_timeout
5111# Maximum time to wait for IDENT lookups to complete.
5112#
5113# If this is too high and you have enabled IDENT lookups for untrusted
5114# users, you may be susceptible to denial of service: many
5115# pending ident requests can be kept open at once.
5116#Default:
5117# ident_timeout 10 seconds
5118
5119# TAG: shutdown_lifetime time-units
5120# When SIGTERM or SIGHUP is received, the cache is put into
5121# "shutdown pending" mode until all active sockets are closed.
5122# This value is the lifetime to set for all open descriptors
5123# during shutdown mode. Any active clients after this many
5124# seconds will receive a 'timeout' message.
5125#Default:
5126# shutdown_lifetime 30 seconds
5127
5128# ADMINISTRATIVE PARAMETERS
5129# -----------------------------------------------------------------------------
5130
5131# TAG: cache_mgr
5132# Email-address of local cache manager who will receive
5133# mail if the cache dies. The default is "webmaster".
5134#Default:
5135# cache_mgr webmaster
5136
5137# TAG: mail_from
5138# From: email-address for mail sent when the cache dies.
5139# The default is to use 'squid@unique_hostname'.
5140#
5141# See also: unique_hostname directive.
5142#Default:
5143# none
5144
5145# TAG: mail_program
5146# Email program used to send mail if the cache dies.
5147# The default is "mail". The specified program must comply
5148# with the standard Unix mail syntax:
5149# mail-program recipient < mailfile
5150#
5151# Optional command line options can be specified.
5152#Default:
5153# mail_program mail
5154
5155# TAG: cache_effective_user
5156# If you start Squid as root, it will change its effective/real
5157# UID/GID to the user specified below. The default is to change
5158# to the UID of 'proxy'.
5159# See also: cache_effective_group
5160#Default:
5161# cache_effective_user proxy
5162
5163# TAG: cache_effective_group
5164# Squid sets the GID to the effective user's default group ID
5165# (taken from the password file) and supplementary group list
5166# from the groups membership.
5167#
5168# If you want Squid to run with a specific GID regardless of
5169# the group memberships of the effective user then set this
5170# to the group (or GID) you want Squid to run as. When set
5171# all other group privileges of the effective user are ignored
5172# and only this GID is effective. If Squid is not started as
5173# root the user starting Squid MUST be member of the specified
5174# group.
5175#
5176# This option is not recommended by the Squid Team.
5177# Our preference is for administrators to configure a secure
5178# user account for squid with UID/GID matching system policies.
5179#Default:
5180# Use system group memberships of the cache_effective_user account
5181
5182# TAG: httpd_suppress_version_string on|off
5183# Suppress Squid version string info in HTTP headers and HTML error pages.
5184#Default:
5185# httpd_suppress_version_string off
5186
5187# TAG: visible_hostname
5188# If you want to present a special hostname in error messages, etc,
5189# define this. Otherwise, the return value of gethostname()
5190# will be used. If you have multiple caches in a cluster and
5191# get errors about IP-forwarding you must set them to have individual
5192# names with this setting.
5193#Default:
5194# Automatically detect the system host name
5195
5196# TAG: unique_hostname
5197# If you want to have multiple machines with the same
5198# 'visible_hostname' you must give each machine a different
5199# 'unique_hostname' so forwarding loops can be detected.
5200#Default:
5201# Copy the value from visible_hostname
5202
5203# TAG: hostname_aliases
5204# A list of other DNS names your cache has.
5205#Default:
5206# none
5207
5208# TAG: umask
5209# Minimum umask which should be enforced while the proxy
5210# is running, in addition to the umask set at startup.
5211#
5212# For a traditional octal representation of umasks, start
5213# your value with 0.
5214#Default:
5215# umask 027
5216
5217# OPTIONS FOR THE CACHE REGISTRATION SERVICE
5218# -----------------------------------------------------------------------------
5219#
5220# This section contains parameters for the (optional) cache
5221# announcement service. This service is provided to help
5222# cache administrators locate one another in order to join or
5223# create cache hierarchies.
5224#
5225# An 'announcement' message is sent (via UDP) to the registration
5226# service by Squid. By default, the announcement message is NOT
5227# SENT unless you enable it with 'announce_period' below.
5228#
5229# The announcement message includes your hostname, plus the
5230# following information from this configuration file:
5231#
5232# http_port
5233# icp_port
5234# cache_mgr
5235#
5236# All current information is processed regularly and made
5237# available on the Web at http://www.ircache.net/Cache/Tracker/.
5238
5239# TAG: announce_period
5240# This is how frequently to send cache announcements.
5241#
5242# To enable announcing your cache, just set an announce period.
5243#
5244# Example:
5245# announce_period 1 day
5246#Default:
5247# Announcement messages disabled.
5248
5249# TAG: announce_host
5250# Set the hostname where announce registration messages will be sent.
5251#
5252# See also announce_port and announce_file
5253#Default:
5254# announce_host tracker.ircache.net
5255
5256# TAG: announce_file
5257# The contents of this file will be included in the announce
5258# registration messages.
5259#Default:
5260# none
5261
5262# TAG: announce_port
5263# Set the port where announce registration messages will be sent.
5264#
5265# See also announce_host and announce_file
5266#Default:
5267# announce_port 3131
5268
5269# HTTPD-ACCELERATOR OPTIONS
5270# -----------------------------------------------------------------------------
5271
5272# TAG: httpd_accel_surrogate_id
5273# Surrogates (http://www.esi.org/architecture_spec_1.0.html)
5274# need an identification token to allow control targeting. Because
5275# a farm of surrogates may all perform the same tasks, they may share
5276# an identification token.
5277#Default:
5278# visible_hostname is used if no specific ID is set.
5279
5280# TAG: http_accel_surrogate_remote on|off
5281# Remote surrogates (such as those in a CDN) honour the header
5282# "Surrogate-Control: no-store-remote".
5283#
5284# Set this to on to have squid behave as a remote surrogate.
5285#Default:
5286# http_accel_surrogate_remote off
5287
5288# TAG: esi_parser libxml2|expat|custom
5289# ESI markup is not strictly XML compatible. The custom ESI parser
5290# will give higher performance, but cannot handle non-ASCII character
5291# encodings.
5292#Default:
5293# esi_parser custom
5294
5295# DELAY POOL PARAMETERS
5296# -----------------------------------------------------------------------------
5297
5298# TAG: delay_pools
5299# This represents the number of delay pools to be used. For example,
5300# if you have one class 2 delay pool and one class 3 delay pool, you
5301# have a total of 2 delay pools.
5302#
5303# See also delay_parameters, delay_class, delay_access for pool
5304# configuration details.
5305#Default:
5306# delay_pools 0
5307
5308# TAG: delay_class
5309# This defines the class of each delay pool. There must be exactly one
5310# delay_class line for each delay pool. For example, to define two
5311# delay pools, one of class 2 and one of class 3, the settings above
5312# and here would be:
5313#
5314# Example:
5315# delay_pools 4 # 4 delay pools
5316# delay_class 1 2 # pool 1 is a class 2 pool
5317# delay_class 2 3 # pool 2 is a class 3 pool
5318# delay_class 3 4 # pool 3 is a class 4 pool
5319# delay_class 4 5 # pool 4 is a class 5 pool
5320#
5321# The delay pool classes are:
5322#
5323# class 1 Everything is limited by a single aggregate
5324# bucket.
5325#
5326# class 2 Everything is limited by a single aggregate
5327# bucket as well as an "individual" bucket chosen
5328# from bits 25 through 32 of the IPv4 address.
5329#
5330# class 3 Everything is limited by a single aggregate
5331# bucket as well as a "network" bucket chosen
5332# from bits 17 through 24 of the IP address and a
5333# "individual" bucket chosen from bits 17 through
5334# 32 of the IPv4 address.
5335#
5336# class 4 Everything in a class 3 delay pool, with an
5337# additional limit on a per user basis. This
5338# only takes effect if the username is established
5339# in advance - by forcing authentication in your
5340# http_access rules.
5341#
5342# class 5 Requests are grouped according to their tag (see
5343# external_acl's tag= reply).
5344#
5345#
5346# Each pool also requires a delay_parameters directive to configure the pool size
5347# and speed limits used whenever the pool is applied to a request, along with
5348# a set of delay_access directives to determine when it is used.
5349#
5350# NOTE: If an IP address is a.b.c.d
5351# -> bits 25 through 32 are "d"
5352# -> bits 17 through 24 are "c"
5353# -> bits 17 through 32 are "c * 256 + d"
5354#
5355# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
5356# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
5357#
5358# This clause only supports fast acl types.
5359# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
5360#
5361# See also delay_parameters and delay_access.
5362#Default:
5363# none
5364
5365# TAG: delay_access
5366# This is used to determine which delay pool a request falls into.
5367#
5368# delay_access is sorted per pool and the matching starts with pool 1,
5369# then pool 2, ..., and finally pool N. The first delay pool where the
5370# request is allowed is selected for the request. If no pool allows
5371# the request, the request is not delayed (the default).
5372#
5373# For example, if you want some_big_clients in delay
5374# pool 1 and lotsa_little_clients in delay pool 2:
5375#
5376# delay_access 1 allow some_big_clients
5377# delay_access 1 deny all
5378# delay_access 2 allow lotsa_little_clients
5379# delay_access 2 deny all
5380# delay_access 3 allow authenticated_clients
5381#
5382# See also delay_parameters and delay_class.
5383#
5384#Default:
5385# Deny using the pool, unless allow rules exist in squid.conf for the pool.
5386
5387# TAG: delay_parameters
5388# This defines the parameters for a delay pool. Each delay pool has
5389# a number of "buckets" associated with it, as explained in the
5390# description of delay_class.
5391#
5392# For a class 1 delay pool, the syntax is:
5393# delay_pools pool 1
5394# delay_parameters pool aggregate
5395#
5396# For a class 2 delay pool:
5397# delay_pools pool 2
5398# delay_parameters pool aggregate individual
5399#
5400# For a class 3 delay pool:
5401# delay_pools pool 3
5402# delay_parameters pool aggregate network individual
5403#
5404# For a class 4 delay pool:
5405# delay_pools pool 4
5406# delay_parameters pool aggregate network individual user
5407#
5408# For a class 5 delay pool:
5409# delay_pools pool 5
5410# delay_parameters pool tagrate
5411#
5412# The option variables are:
5413#
5414# pool a pool number - i.e., a number between 1 and the
5415# number specified in delay_pools as used in
5416# delay_class lines.
5417#
5418# aggregate the speed limit parameters for the aggregate bucket
5419# (class 1, 2, 3).
5420#
5421# individual the speed limit parameters for the individual
5422# buckets (class 2, 3).
5423#
5424# network the speed limit parameters for the network buckets
5425# (class 3).
5426#
5427# user the speed limit parameters for the user buckets
5428# (class 4).
5429#
5430# tagrate the speed limit parameters for the tag buckets
5431# (class 5).
5432#
5433# A pair of delay parameters is written restore/maximum, where restore is
5434# the number of bytes (not bits - modem and network speeds are usually
5435# quoted in bits) per second placed into the bucket, and maximum is the
5436# maximum number of bytes which can be in the bucket at any time.
5437#
5438# There must be one delay_parameters line for each delay pool.
5439#
5440#
5441# For example, if delay pool number 1 is a class 2 delay pool as in the
5442# above example, and is being used to strictly limit each host to 64Kbit/sec
5443# (plus overheads), with no overall limit, the line is:
5444#
5445# delay_parameters 1 -1/-1 8000/8000
5446#
5447# Note that 8 x 8000 Byte/sec -> 64Kbit/sec.
5448#
5449# Note that the figure -1 is used to represent "unlimited".
5450#
5451#
5452# And, if delay pool number 2 is a class 3 delay pool as in the above
5453# example, and you want to limit it to a total of 256Kbit/sec (strict limit)
5454# with each 8-bit network permitted 64Kbit/sec (strict limit) and each
5455# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
5456# to permit a decent web page to be downloaded at a decent speed
5457# (if the network is not being limited due to overuse) but slow down
5458# large downloads more significantly:
5459#
5460# delay_parameters 2 32000/32000 8000/8000 600/8000
5461#
5462# Note that 8 x 32000 Byte/sec -> 256Kbit/sec.
5463# 8 x 8000 Byte/sec -> 64Kbit/sec.
5464# 8 x 600 Byte/sec -> 4800bit/sec.
5465#
5466#
5467# Finally, for a class 4 delay pool as in the example - each user will
5468# be limited to 128Kbits/sec no matter how many workstations they are logged into:
5469#
5470# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
5471#
5472#
5473# See also delay_class and delay_access.
5474#
5475#Default:
5476# none
5477
5478# TAG: delay_initial_bucket_level (percent, 0-100)
5479# The initial bucket percentage is used to determine how much is put
5480# in each bucket when squid starts, is reconfigured, or first notices
5481# a host accessing it (in class 2 and class 3, individual hosts and
5482# networks only have buckets associated with them once they have been
5483# "seen" by squid).
5484#Default:
5485# delay_initial_bucket_level 50
5486
5487# CLIENT DELAY POOL PARAMETERS
5488# -----------------------------------------------------------------------------
5489
5490# TAG: client_delay_pools
5491# This option specifies the number of client delay pools used. It must
5492# precede other client_delay_* options.
5493#
5494# Example:
5495# client_delay_pools 2
5496#
5497# See also client_delay_parameters and client_delay_access.
5498#Default:
5499# client_delay_pools 0
5500
5501# TAG: client_delay_initial_bucket_level (percent, 0-no_limit)
5502# This option determines the initial bucket size as a percentage of
5503# max_bucket_size from client_delay_parameters. Buckets are created
5504# at the time of the "first" connection from the matching IP. Idle
5505# buckets are periodically deleted.
5506#
5507# You can specify more than 100 percent but note that such "oversized"
5508# buckets are not refilled until their size goes down to max_bucket_size
5509# from client_delay_parameters.
5510#
5511# Example:
5512# client_delay_initial_bucket_level 50
5513#Default:
5514# client_delay_initial_bucket_level 50
5515
5516# TAG: client_delay_parameters
5517#
5518# This option configures client-side bandwidth limits using the
5519# following format:
5520#
5521# client_delay_parameters pool speed_limit max_bucket_size
5522#
5523# pool is an integer ID used for client_delay_access matching.
5524#
5525# speed_limit is bytes added to the bucket per second.
5526#
5527# max_bucket_size is the maximum size of a bucket, enforced after any
5528# speed_limit additions.
5529#
5530# Please see the delay_parameters option for more information and
5531# examples.
5532#
5533# Example:
5534# client_delay_parameters 1 1024 2048
5535# client_delay_parameters 2 51200 16384
5536#
5537# See also client_delay_access.
5538#
5539#Default:
5540# none
5541
5542# TAG: client_delay_access
5543# This option determines the client-side delay pool for the
5544# request:
5545#
5546# client_delay_access pool_ID allow|deny acl_name
5547#
5548# All client_delay_access options are checked in their pool ID
5549# order, starting with pool 1. The first checked pool that allows the
5550# request is selected for the request. If no ACL matches or there
5551# are no client_delay_access options, the request bandwidth is not
5552# limited.
5553#
5554# The ACL-selected pool is then used to find the
5555# client_delay_parameters for the request. Client-side pools are
5556# not used to aggregate clients. Clients are always aggregated
5557# based on their source IP addresses (one bucket per source IP).
5558#
5559# This clause only supports fast acl types.
5560# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
5561# Additionally, only the client TCP connection details are available.
5562# ACLs testing HTTP properties will not work.
5563#
5564# Please see delay_access for more examples.
5565#
5566# Example:
5567# client_delay_access 1 allow low_rate_network
5568# client_delay_access 2 allow vips_network
5569#
5570#
5571# See also client_delay_parameters and client_delay_pools.
5572#Default:
5573# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
5574
5575# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
5576# -----------------------------------------------------------------------------
5577
5578# TAG: wccp_router
5579# Use this option to define your WCCP ``home'' router for
5580# Squid.
5581#
5582# wccp_router supports a single WCCP(v1) router
5583#
5584# wccp2_router supports multiple WCCPv2 routers
5585#
5586# Only one of the two may be used at a time; the one used defines
5587# which version of WCCP to use.
5588#Default:
5589# WCCP disabled.
5590
5591# TAG: wccp2_router
5592# Use this option to define your WCCP ``home'' router for
5593# Squid.
5594#
5595# wccp_router supports a single WCCP(v1) router
5596#
5597# wccp2_router supports multiple WCCPv2 routers
5598#
5599# Only one of the two may be used at a time; the one used defines
5600# which version of WCCP to use.
5601#Default:
5602# WCCPv2 disabled.
5603
5604# TAG: wccp_version
5605# This directive is only relevant if you need to set up WCCP(v1)
5606# to some very old and end-of-life Cisco routers. In all other
5607# setups it must be left unset or at the default setting.
5608# It defines an internal version in the WCCP(v1) protocol,
5609# with version 4 being the officially documented protocol.
5610#
5611# According to some users, Cisco IOS 11.2 and earlier only
5612# support WCCP version 3. If you're using that or an earlier
5613# version of IOS, you may need to change this value to 3, otherwise
5614# do not specify this parameter.
5615#Default:
5616# wccp_version 4
5617
5618# TAG: wccp2_rebuild_wait
5619# If this is enabled Squid will wait for the cache dir rebuild to finish
5620# before sending the first wccp2 HereIAm packet.
5621#Default:
5622# wccp2_rebuild_wait on
5623
5624# TAG: wccp2_forwarding_method
5625# WCCP2 allows the setting of forwarding methods between the
5626# router/switch and the cache. Valid values are as follows:
5627#
5628# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
5629# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
5630#
5631# Currently (as of IOS 12.4) Cisco routers only support GRE.
5632# Cisco switches only support the L2 redirect assignment method.
5633#Default:
5634# wccp2_forwarding_method gre
5635
5636# TAG: wccp2_return_method
5637# WCCP2 allows the setting of return methods between the
5638# router/switch and the cache for packets that the cache
5639# decides not to handle. Valid values are as follows:
5640#
5641# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
5642# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
5643#
5644# Currently (as of IOS 12.4) Cisco routers only support GRE.
5645# Cisco switches only support the L2 redirect assignment.
5646#
5647# If the "ip wccp redirect exclude in" command has been
5648# enabled on the cache interface, then it is still safe for
5649# the proxy server to use a l2 redirect method even if this
5650# option is set to GRE.
5651#Default:
5652# wccp2_return_method gre
5653
5654# TAG: wccp2_assignment_method
5655# WCCP2 allows the setting of methods to assign the WCCP hash.
5656# Valid values are as follows:
5657#
5658# hash - Hash assignment
5659# mask - Mask assignment
5660#
5661# As a general rule, Cisco routers support the hash assignment method
5662# and Cisco switches support the mask assignment method.
5663#Default:
5664# wccp2_assignment_method hash
5665
5666# TAG: wccp2_service
5667# WCCP2 allows for multiple traffic services. There are two
5668# types: "standard" and "dynamic". The standard type defines
5669# one service id - http (id 0). The dynamic service ids can be from
5670# 51 to 255 inclusive. In order to use a dynamic service id
5671# one must define the type of traffic to be redirected; this is done
5672# using the wccp2_service_info option.
5673#
5674# The "standard" type does not require a wccp2_service_info option,
5675# just specifying the service id will suffice.
5676#
5677# MD5 service authentication can be enabled by adding
5678# "password=<password>" to the end of this service declaration.
5679#
5680# Examples:
5681#
5682# wccp2_service standard 0 # for the 'web-cache' standard service
5683# wccp2_service dynamic 80 # a dynamic service type which will be
5684# # fleshed out with subsequent options.
5685# wccp2_service standard 0 password=foo
5686#Default:
5687# Use the 'web-cache' standard service.
5688
5689# TAG: wccp2_service_info
5690# Dynamic WCCPv2 services require further information to define the
5691# traffic you wish to have diverted.
5692#
5693# The format is:
5694#
5695# wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
5696# priority=<priority> ports=<port>,<port>..
5697#
5698# The relevant WCCPv2 flags:
5699# + src_ip_hash, dst_ip_hash
5700# + source_port_hash, dst_port_hash
5701# + src_ip_alt_hash, dst_ip_alt_hash
5702# + src_port_alt_hash, dst_port_alt_hash
5703# + ports_source
5704#
5705# The port list can be one to eight entries.
5706#
5707# Example:
5708#
5709# wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
5710# priority=240 ports=80
5711#
5712# Note: the service id must have been defined by a previous
5713# 'wccp2_service dynamic <id>' entry.
5714#Default:
5715# none
5716
5717# TAG: wccp2_weight
5718# Each cache server is assigned a share of the destination
5719# hash proportional to its weight.
5720#Default:
5721# wccp2_weight 10000
5722
5723# TAG: wccp_address
5724# Use this option if you require WCCP to use a specific
5725# interface address.
5726#
5727# The default behavior is to not bind to any specific address.
5728#Default:
5729# Address selected by the operating system.
5730
5731# TAG: wccp2_address
5732# Use this option if you require WCCPv2 to use a specific
5733# interface address.
5734#
5735# The default behavior is to not bind to any specific address.
5736#Default:
5737# Address selected by the operating system.
5738
5739# PERSISTENT CONNECTION HANDLING
5740# -----------------------------------------------------------------------------
5741#
5742# Also see "pconn_timeout" in the TIMEOUTS section
5743
5744# TAG: client_persistent_connections
5745# Persistent connection support for clients.
5746# Squid uses persistent connections (when allowed). You can use
5747# this option to disable persistent connections with clients.
5748#Default:
5749# client_persistent_connections on
5750
5751# TAG: server_persistent_connections
5752# Persistent connection support for servers.
5753# Squid uses persistent connections (when allowed). You can use
5754# this option to disable persistent connections with servers.
5755#Default:
5756# server_persistent_connections on
5757
5758# TAG: persistent_connection_after_error
5759# With this directive the use of persistent connections after
5760# HTTP errors can be disabled. Useful if you have clients
5761# who fail to handle errors on persistent connections properly.
5762#Default:
5763# persistent_connection_after_error on
5764
5765# TAG: detect_broken_pconn
5766# Some servers have been found to incorrectly signal the use
5767# of HTTP/1.0 persistent connections even on replies not
5768# compatible, causing significant delays. This server problem
5769# has mostly been seen on redirects.
5770#
5771# By enabling this directive Squid attempts to detect such
5772# broken replies and automatically assumes the reply is finished
5773# after a 10 second timeout.
5774#Default:
5775# detect_broken_pconn off
5776
5777# CACHE DIGEST OPTIONS
5778# -----------------------------------------------------------------------------
5779
5780# TAG: digest_generation
5781# This controls whether the server will generate a Cache Digest
5782# of its contents. By default, Cache Digest generation is
5783# enabled if Squid is compiled with --enable-cache-digests defined.
5784#Default:
5785# digest_generation on
5786
5787# TAG: digest_bits_per_entry
5788# This is the number of bits of the server's Cache Digest which
5789# will be associated with the Digest entry for a given HTTP
5790# Method and URL (public key) combination. The default is 5.
5791#Default:
5792# digest_bits_per_entry 5
5793
5794# TAG: digest_rebuild_period (seconds)
5795# This is the wait time between Cache Digest rebuilds.
5796#Default:
5797# digest_rebuild_period 1 hour
5798
5799# TAG: digest_rewrite_period (seconds)
5800# This is the wait time between Cache Digest writes to
5801# disk.
5802#Default:
5803# digest_rewrite_period 1 hour
5804
5805# TAG: digest_swapout_chunk_size (bytes)
5806# This is the number of bytes of the Cache Digest to write to
5807# disk at a time. It defaults to 4096 bytes (4KB), the Squid
5808# default swap page.
5809#Default:
5810# digest_swapout_chunk_size 4096 bytes
5811
5812# TAG: digest_rebuild_chunk_percentage (percent, 0-100)
5813# This is the percentage of the Cache Digest to be scanned at a
5814# time. By default it is set to 10% of the Cache Digest.
5815#Default:
5816# digest_rebuild_chunk_percentage 10
5817
5818# SNMP OPTIONS
5819# -----------------------------------------------------------------------------
5820
5821# TAG: snmp_port
5822# The port number where Squid listens for SNMP requests. To enable
5823# SNMP support set this to a suitable port number. Port number
5824# 3401 is often used for the Squid SNMP agent. By default it's
5825# set to "0" (disabled).
5826#
5827# Example:
5828# snmp_port 3401
5829#Default:
5830# SNMP disabled.
5831
5832# TAG: snmp_access
5833# Allowing or denying access to the SNMP port.
5834#
5835# All access to the agent is denied by default.
5836# usage:
5837#
5838# snmp_access allow|deny [!]aclname ...
5839#
5840# This clause only supports fast acl types.
5841# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
5842#
5843#Example:
5844# snmp_access allow snmppublic localhost
5845# snmp_access deny all
5846#Default:
5847# Deny, unless rules exist in squid.conf.
5848
5849# TAG: snmp_incoming_address
5850# Just like 'udp_incoming_address', but for the SNMP port.
5851#
5852# snmp_incoming_address is used for the SNMP socket receiving
5853# messages from SNMP agents.
5854#
5855# The default snmp_incoming_address is to listen on all
5856# available network interfaces.
5857#Default:
5858# Accept SNMP packets from all machine interfaces.
5859
5860# TAG: snmp_outgoing_address
5861# Just like 'udp_outgoing_address', but for the SNMP port.
5862#
5863# snmp_outgoing_address is used for SNMP packets returned to SNMP
5864# agents.
5865#
5866# If snmp_outgoing_address is not set it will use the same socket
5867# as snmp_incoming_address. Only change this if you want to have
5868# SNMP replies sent using another address than where this Squid
5869# listens for SNMP queries.
5870#
5871# NOTE: snmp_incoming_address and snmp_outgoing_address cannot have
5872# the same value since they both use the same port.
5873#Default:
5874# Use snmp_incoming_address or an address selected by the operating system.
5875
5876# ICP OPTIONS
5877# -----------------------------------------------------------------------------
5878
5879# TAG: icp_port
5880# The port number where Squid sends and receives ICP queries to
5881# and from neighbor caches. The standard UDP port for ICP is 3130.
5882#
5883# Example:
5884# icp_port 3130
5885#Default:
5886# ICP disabled.
5887
5888# TAG: htcp_port
5889# The port number where Squid sends and receives HTCP queries to
5890# and from neighbor caches. To enable it, set this to
5891# 4827.
5892#
5893# Example:
5894# htcp_port 4827
5895#Default:
5896# HTCP disabled.
5897
5898# TAG: log_icp_queries on|off
5899# If set, ICP queries are logged to access.log. You may wish
5900# to disable this if your ICP load is VERY high to speed things
5901# up or to simplify log analysis.
5902#Default:
5903# log_icp_queries on
5904
5905# TAG: udp_incoming_address
5906# udp_incoming_address is used for UDP packets received from other
5907# caches.
5908#
5909# The default behavior is to not bind to any specific address.
5910#
5911# Only change this if you want to have all UDP queries received on
5912# a specific interface/address.
5913#
5914# NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
5915# modules. Altering it will affect all of them in the same manner.
5916#
5917# see also; udp_outgoing_address
5918#
5919# NOTE: udp_incoming_address and udp_outgoing_address cannot
5920# have the same value since they both use the same port.
5921#Default:
5922# Accept packets from all machine interfaces.
5923
5924# TAG: udp_outgoing_address
5925# udp_outgoing_address is used for UDP packets sent out to other
5926# caches.
5927#
5928# The default behavior is to not bind to any specific address.
5929#
5930# Instead it will use the same socket as udp_incoming_address.
5931# Only change this if you want to have UDP queries sent using another
5932# address than where this Squid listens for UDP queries from other
5933# caches.
5934#
5935# NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
5936# modules. Altering it will affect all of them in the same manner.
5937#
5938# see also; udp_incoming_address
5939#
5940# NOTE: udp_incoming_address and udp_outgoing_address cannot
5941# have the same value since they both use the same port.
5942#Default:
5943# Use udp_incoming_address or an address selected by the operating system.
5944
5945# TAG: icp_hit_stale on|off
5946# If you want to return ICP_HIT for stale cache objects, set this
5947# option to 'on'. If you have sibling relationships with caches
5948# in other administrative domains, this should be 'off'. If you only
5949# have sibling relationships with caches under your control,
5950# it is probably okay to set this to 'on'.
5951# If set to 'on', your siblings should use the option "allow-miss"
5952# on their cache_peer lines for connecting to you.
5953#Default:
5954# icp_hit_stale off
5955
5956# TAG: minimum_direct_hops
5957# If using the ICMP pinging stuff, do direct fetches for sites
5958# which are no more than this many hops away.
5959#Default:
5960# minimum_direct_hops 4
5961
5962# TAG: minimum_direct_rtt (msec)
5963# If using the ICMP pinging stuff, do direct fetches for sites
5964# which are no more than this many rtt milliseconds away.
5965#Default:
5966# minimum_direct_rtt 400
5967
5968# TAG: netdb_low
5969# The low water mark for the ICMP measurement database.
5970#
5971# Note: high watermark controlled by netdb_high directive.
5972#
5973# These watermarks are counts, not percents. The defaults are
5974# (low) 900 and (high) 1000. When the high water mark is
5975# reached, database entries will be deleted until the low
5976# mark is reached.
5977#Default:
5978# netdb_low 900
5979
5980# TAG: netdb_high
5981# The high water mark for the ICMP measurement database.
5982#
5983# Note: low watermark controlled by netdb_low directive.
5984#
5985# These watermarks are counts, not percents. The defaults are
5986# (low) 900 and (high) 1000. When the high water mark is
5987# reached, database entries will be deleted until the low
5988# mark is reached.
5989#Default:
5990# netdb_high 1000
5991
5992# TAG: netdb_ping_period
5993# The minimum period for measuring a site. There will be at
5994# least this much delay between successive pings to the same
5995# network. The default is five minutes.
5996#Default:
5997# netdb_ping_period 5 minutes
5998
5999# TAG: query_icmp on|off
6000# If you want to ask your peers to include ICMP data in their ICP
6001# replies, enable this option.
6002#
6003# If your peer has configured Squid (during compilation) with
6004# '--enable-icmp' that peer will send ICMP pings to origin server
6005# sites of the URLs it receives. If you enable this option the
6006# ICP replies from that peer will include the ICMP data (if available).
6007# Then, when choosing a parent cache, Squid will choose the parent with
6008# the minimal RTT to the origin server. When this happens, the
6009# hierarchy field of the access.log will be
6010# "CLOSEST_PARENT_MISS". This option is off by default.
6011#Default:
6012# query_icmp off
6013
6014# TAG: test_reachability on|off
6015# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
6016# instead of ICP_MISS if the target host is NOT in the ICMP
6017# database, or has a zero RTT.
6018#Default:
6019# test_reachability off
6020
6021# TAG: icp_query_timeout (msec)
6022# Normally Squid will automatically determine an optimal ICP
6023# query timeout value based on the round-trip-time of recent ICP
6024# queries. If you want to override the value determined by
6025# Squid, set this 'icp_query_timeout' to a non-zero value. This
6026# value is specified in MILLISECONDS, so, to use a 2-second
6027# timeout (the old default), you would write:
6028#
6029# icp_query_timeout 2000
6030#Default:
6031# Dynamic detection.
6032
6033# TAG: maximum_icp_query_timeout (msec)
6034# Normally the ICP query timeout is determined dynamically. But
6035# sometimes it can lead to very large values (say 5 seconds).
6036# Use this option to put an upper limit on the dynamic timeout
6037# value. Do NOT use this option to always use a fixed (instead
6038# of a dynamic) timeout value. To set a fixed timeout see the
6039# 'icp_query_timeout' directive.
6040#Default:
6041# maximum_icp_query_timeout 2000
6042
6043# TAG: minimum_icp_query_timeout (msec)
6044# Normally the ICP query timeout is determined dynamically. But
6045# sometimes it can lead to very small timeouts, even lower than
6046# the normal latency variance on your link due to traffic.
6047# Use this option to put a lower limit on the dynamic timeout
6048# value. Do NOT use this option to always use a fixed (instead
6049# of a dynamic) timeout value. To set a fixed timeout see the
6050# 'icp_query_timeout' directive.
6051#Default:
6052# minimum_icp_query_timeout 5
6053
6054# TAG: background_ping_rate time-units
6055# Controls how often the ICP pings are sent to siblings that
6056# have background-ping set.
6057#Default:
6058# background_ping_rate 10 seconds
6059
6060# MULTICAST ICP OPTIONS
6061# -----------------------------------------------------------------------------
6062
6063# TAG: mcast_groups
6064# This tag specifies a list of multicast groups which your server
6065# should join to receive multicasted ICP queries.
6066#
6067# NOTE! Be very careful what you put here! Be sure you
6068# understand the difference between an ICP _query_ and an ICP
6069# _reply_. This option is to be set only if you want to RECEIVE
6070# multicast queries. Do NOT set this option to SEND multicast
6071# ICP (use cache_peer for that). ICP replies are always sent via
6072# unicast, so this option does not affect whether or not you will
6073# receive replies from multicast group members.
6074#
6075# You must be very careful to NOT use a multicast address which
6076# is already in use by another group of caches.
6077#
6078# If you are unsure about multicast, please read the Multicast
6079# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
6080#
6081# Usage: mcast_groups 239.128.16.128 224.0.1.20
6082#
6083# By default, Squid doesn't listen on any multicast groups.
6084#Default:
6085# none
6086
6087# TAG: mcast_miss_addr
6088# Note: This option is only available if Squid is rebuilt with the
6089# -DMULTICAST_MISS_STREAM define
6090#
6091# If you enable this option, every "cache miss" URL will
6092# be sent out on the specified multicast address.
6093#
6094# Do not enable this option unless you are absolutely
6095# certain you understand what you are doing.
6096#Default:
6097# disabled.
6098
6099# TAG: mcast_miss_ttl
6100# Note: This option is only available if Squid is rebuilt with the
6101# -DMULTICAST_MISS_STREAM define
6102#
6103# This is the time-to-live value for packets multicasted
6104# when multicasting off cache miss URLs is enabled. By
6105# default this is set to 'site scope', i.e. 16.
6106#Default:
6107# mcast_miss_ttl 16
6108
6109# TAG: mcast_miss_port
6110# Note: This option is only available if Squid is rebuilt with the
6111# -DMULTICAST_MISS_STREAM define
6112#
6113# This is the port number to be used in conjunction with
6114# 'mcast_miss_addr'.
6115#Default:
6116# mcast_miss_port 3135
6117
6118# TAG: mcast_miss_encode_key
6119# Note: This option is only available if Squid is rebuilt with the
6120# -DMULTICAST_MISS_STREAM define
6121#
6122# The URLs that are sent in the multicast miss stream are
6123# encrypted. This is the encryption key; the default shown below is only a placeholder, not a usable key.
6124#Default:
6125# mcast_miss_encode_key XXXXXXXXXXXXXXXX
6126
6127# TAG: mcast_icp_query_timeout (msec)
6128# For multicast peers, Squid regularly sends out ICP "probes" to
6129# count how many other peers are listening on the given multicast
6130# address. This value specifies how long Squid should wait to
6131# count all the replies. The default is 2000 msec, or 2
6132# seconds.
6133#Default:
6134# mcast_icp_query_timeout 2000
6135
6136# INTERNAL ICON OPTIONS
6137# -----------------------------------------------------------------------------
6138
6139# TAG: icon_directory
6140# Where the icons are stored. These are normally kept in
6141# /usr/share/squid3/icons
6142#Default:
6143# icon_directory /usr/share/squid3/icons
6144
6145# TAG: global_internal_static
6146# This directive controls whether Squid should intercept all requests for
6147# /squid-internal-static/ no matter which host the URL is requesting
6148# (default on setting), or if nothing special should be done for
6149# such URLs (off setting). The purpose of this directive is to make
6150# icons etc work better in complex cache hierarchies where it may
6151# not always be possible for all corners in the cache mesh to reach
6152# the server generating a directory listing.
6153#Default:
6154# global_internal_static on
6155
6156# TAG: short_icon_urls
6157# If this is enabled Squid will use short URLs for icons.
6158# If disabled it will revert to the old behavior of including
6159# its own name and port in the URL.
6160#
6161# If you run a complex cache hierarchy with a mix of Squid and
6162# other proxies you may need to disable this directive.
6163#Default:
6164# short_icon_urls on
6165
6166# ERROR PAGE OPTIONS
6167# -----------------------------------------------------------------------------
6168
6169# TAG: error_directory
6170# If you wish to create your own versions of the default
6171# error files to customize them to suit your company, copy
6172# the error/template files to another directory and point
6173# this tag at them.
6174#
6175# WARNING: This option will disable multi-language support
6176# on error pages if used.
6177#
6178# The squid developers are interested in making squid available in
6179# a wide variety of languages. If you are making translations for a
6180# language that Squid does not currently provide please consider
6181# contributing your translation back to the project.
6182# http://wiki.squid-cache.org/Translations
6183#
6184# The squid developers working on translations are happy to supply drop-in
6185# translated error files in exchange for any new language contributions.
6186#Default:
6187# Send error pages in the client's preferred language.
6188
6189# TAG: error_default_language
6190# Set the default language which squid will send error pages in
6191# if no existing translation matches the client's language
6192# preferences.
6193#
6194# If unset (default) generic English will be used.
6195#
6196# The squid developers are interested in making squid available in
6197# a wide variety of languages. If you are interested in making
6198# translations for any language see the squid wiki for details.
6199# http://wiki.squid-cache.org/Translations
6200#Default:
6201# Generate English language pages.
6202
6203# TAG: error_log_languages
6204# Log to cache.log what languages users are attempting to
6205# auto-negotiate for translations.
6206#
6207# Successful negotiations are not logged. Only failures
6208# have meaning to indicate that Squid may need an upgrade
6209# of its error page translations.
6210#Default:
6211# error_log_languages on
6212
6213# TAG: err_page_stylesheet
6214# CSS Stylesheet to pattern the display of Squid default error pages.
6215#
6216# For information on CSS see http://www.w3.org/Style/CSS/
6217#Default:
6218# err_page_stylesheet /etc/squid3/errorpage.css
6219
6220# TAG: err_html_text
6221# HTML text to include in error messages. Make this a "mailto"
6222# URL to your admin address, or maybe just a link to your
6223# organization's Web page.
6224#
6225# To include this in your error messages, you must rewrite
6226# the error template files (found in the "errors" directory).
6227# Wherever you want the 'err_html_text' line to appear,
6228# insert a %L tag in the error template file.
6229#Default:
6230# none
6231
6232# TAG: email_err_data on|off
6233# If enabled, information about the error that occurred will be
6234# included in the mailto links of the ERR pages (if %W is set)
6235# so that the email body contains the data.
6236# Syntax is <A HREF="mailto:%w%W">%w</A>
6237#Default:
6238# email_err_data on
6239
6240# TAG: deny_info
6241# Usage: deny_info err_page_name acl
6242# or deny_info http://... acl
6243# or deny_info TCP_RESET acl
6244#
6245# This can be used to return an ERR_ page for requests which
6246# do not pass the 'http_access' rules. Squid remembers the last
6247# acl it evaluated in http_access, and if a 'deny_info' line exists
6248# for that ACL Squid returns a corresponding error page.
6249#
6250# The acl is typically the last acl on the http_access deny line which
6251# denied access. The exceptions to this rule are:
6252# - When Squid needs to request authentication credentials. It's then
6253# the first authentication related acl encountered
6254# - When none of the http_access lines matches. It's then the last
6255# acl processed on the last http_access line.
6256# - When the decision to deny access was made by an adaptation service,
6257# the acl name is the corresponding eCAP or ICAP service_name.
6258#
6259# NP: If providing your own custom error pages with error_directory
6260# you may also specify them by your custom file name:
6261# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
6262#
6263# By default Squid will send "403 Forbidden". A different 4xx or 5xx
6264# may be specified by prefixing the file name with the code and a colon.
6265# e.g. 404:ERR_CUSTOM_ACCESS_DENIED
6266#
6267# Alternatively you can tell Squid to reset the TCP connection
6268# by specifying TCP_RESET.
6269#
6270# Or you can specify an error URL or URL pattern. The browsers will
6271# get redirected to the specified URL after formatting tags have
6272# been replaced. Redirect will be done with 302 or 307 according to
6273# HTTP/1.1 specs. A different 3xx code may be specified by prefixing
6274# the URL. e.g. 303:http://example.com/
6275#
6276# URL FORMAT TAGS:
6277# %a - username (if available. Password NOT included)
6278# %B - FTP path URL
6279# %e - Error number
6280# %E - Error description
6281# %h - Squid hostname
6282# %H - Request domain name
6283# %i - Client IP Address
6284# %M - Request Method
6285# %o - Message result from external ACL helper
6286# %p - Request Port number
6287# %P - Request Protocol name
6288# %R - Request URL path
6289# %T - Timestamp in RFC 1123 format
6290# %U - Full canonical URL from client
6291# (HTTPS URLs terminate with *)
6292# %u - Full canonical URL from client
6293# %w - Admin email from squid.conf
6294# %x - Error name
6295# %% - Literal percent (%) code
6296#
6297#Default:
6298# none
6299
6300# OPTIONS INFLUENCING REQUEST FORWARDING
6301# -----------------------------------------------------------------------------
6302
6303# TAG: nonhierarchical_direct
6304# By default, Squid will send any non-hierarchical requests
6305# (matching hierarchy_stoplist or not cacheable request type) direct
6306# to origin servers.
6307#
6308# When this is set to "off", Squid will prefer to send these
6309# requests to parents.
6310#
6311# Note that in most configurations, by turning this off you will only
6312# add latency to these requests without any improvement in global hit
6313# ratio.
6314#
6315# This option only sets a preference. If the parent is unavailable a
6316# direct connection to the origin server may still be attempted. To
6317# completely prevent direct connections use never_direct.
6318#Default:
6319# nonhierarchical_direct on
6320
6321# TAG: prefer_direct
6322# Normally Squid tries to use parents for most requests. If for some
6323# reason you would like it to first try going direct and only use a
6324# parent if going direct fails, set this to on.
6325#
6326# By combining nonhierarchical_direct off and prefer_direct on you
6327# can set up Squid to use a parent as a backup path if going direct
6328# fails.
6329#
6330# Note: If you want Squid to use parents for all requests see
6331# the never_direct directive. prefer_direct only modifies how Squid
6332# acts on cacheable requests.
6333#Default:
6334# prefer_direct off
6335
6336# TAG: cache_miss_revalidate on|off
6337# RFC 7232 defines a conditional request mechanism to prevent
6338# response objects being unnecessarily transferred over the network.
6339# If that mechanism is used by the client and a cache MISS occurs
6340# it can prevent new cache entries being created.
6341#
6342# This option determines whether Squid on cache MISS will pass the
6343# client revalidation request to the server or tries to fetch new
6344# content for caching. It can be useful while the cache is mostly
6345# empty to more quickly have the cache populated by generating
6346# non-conditional GETs.
6347#
6348# When set to 'on' (default), Squid will pass all client If-* headers
6349# to the server. This permits server responses without a cacheable
6350# payload to be delivered and on MISS no new cache entry is created.
6351#
6352# When set to 'off' and if the request is cacheable, Squid will
6353# remove the client's If-Modified-Since and If-None-Match headers from
6354# the request sent to the server. This requests a 200 status response
6355# from the server to create a new cache entry with.
6356#Default:
6357# cache_miss_revalidate on
6358
6359# TAG: always_direct
6360# Usage: always_direct allow|deny [!]aclname ...
6361#
6362# Here you can use ACL elements to specify requests which should
6363# ALWAYS be forwarded by Squid to the origin servers without using
6364# any peers. For example, to always directly forward requests for
6365# local servers ignoring any parents or siblings you may have use
6366# something like:
6367#
6368# acl local-servers dstdomain my.domain.net
6369# always_direct allow local-servers
6370#
6371# To always forward FTP requests directly, use
6372#
6373# acl FTP proto FTP
6374# always_direct allow FTP
6375#
6376# NOTE: There is a similar, but opposite option named
6377# 'never_direct'. You need to be aware that "always_direct deny
6378# foo" is NOT the same thing as "never_direct allow foo". You
6379# may need to use a deny rule to exclude a more-specific case of
6380# some other rule. Example:
6381#
6382# acl local-external dstdomain external.foo.net
6383# acl local-servers dstdomain .foo.net
6384# always_direct deny local-external
6385# always_direct allow local-servers
6386#
6387# NOTE: If your goal is to make the client forward the request
6388# directly to the origin server bypassing Squid then this needs
6389# to be done in the client configuration. Squid configuration
6390# can only tell Squid how Squid should fetch the object.
6391#
6392# NOTE: This directive is not related to caching. The replies
6393# are cached as usual even if you use always_direct. To not cache
6394# the replies see the 'cache' directive.
6395#
6396# This clause supports both fast and slow acl types.
6397# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
6398#Default:
6399# Prevent any cache_peer being used for this request.
6400
6401# TAG: never_direct
6402# Usage: never_direct allow|deny [!]aclname ...
6403#
6404# never_direct is the opposite of always_direct. Please read
6405# the description for always_direct if you have not already.
6406#
6407# With 'never_direct' you can use ACL elements to specify
6408# requests which should NEVER be forwarded directly to origin
6409# servers. For example, to force the use of a proxy for all
6410# requests, except those in your local domain use something like:
6411#
6412# acl local-servers dstdomain .foo.net
6413# never_direct deny local-servers
6414# never_direct allow all
6415#
6416# or if Squid is inside a firewall and there are local intranet
6417# servers inside the firewall use something like:
6418#
6419# acl local-intranet dstdomain .foo.net
6420# acl local-external dstdomain external.foo.net
6421# always_direct deny local-external
6422# always_direct allow local-intranet
6423# never_direct allow all
6424#
6425# This clause supports both fast and slow acl types.
6426# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
6427#Default:
6428# Allow DNS results to be used for this request.
6429
6430# ADVANCED NETWORKING OPTIONS
6431# -----------------------------------------------------------------------------
6432
6433# TAG: incoming_udp_average
6434# Heavy voodoo here. I can't even believe you are reading this.
6435# Are you crazy? Don't even think about adjusting these unless
6436# you understand the algorithms in comm_select.c first!
6437#Default:
6438# incoming_udp_average 6
6439
6440# TAG: incoming_tcp_average
6441# Heavy voodoo here. I can't even believe you are reading this.
6442# Are you crazy? Don't even think about adjusting these unless
6443# you understand the algorithms in comm_select.c first!
6444#Default:
6445# incoming_tcp_average 4
6446
6447# TAG: incoming_dns_average
6448# Heavy voodoo here. I can't even believe you are reading this.
6449# Are you crazy? Don't even think about adjusting these unless
6450# you understand the algorithms in comm_select.c first!
6451#Default:
6452# incoming_dns_average 4
6453
6454# TAG: min_udp_poll_cnt
6455# Heavy voodoo here. I can't even believe you are reading this.
6456# Are you crazy? Don't even think about adjusting these unless
6457# you understand the algorithms in comm_select.c first!
6458#Default:
6459# min_udp_poll_cnt 8
6460
6461# TAG: min_dns_poll_cnt
6462# Heavy voodoo here. I can't even believe you are reading this.
6463# Are you crazy? Don't even think about adjusting these unless
6464# you understand the algorithms in comm_select.c first!
6465#Default:
6466# min_dns_poll_cnt 8
6467
6468# TAG: min_tcp_poll_cnt
6469# Heavy voodoo here. I can't even believe you are reading this.
6470# Are you crazy? Don't even think about adjusting these unless
6471# you understand the algorithms in comm_select.c first!
6472#Default:
6473# min_tcp_poll_cnt 8
6474
6475# TAG: accept_filter
6476# FreeBSD:
6477#
6478# The name of an accept(2) filter to install on Squid's
6479# listen socket(s). This feature is perhaps specific to
6480# FreeBSD and requires support in the kernel.
6481#
6482# The 'httpready' filter delays delivering new connections
6483# to Squid until a full HTTP request has been received.
6484# See the accf_http(9) man page for details.
6485#
6486# The 'dataready' filter delays delivering new connections
6487# to Squid until there is some data to process.
6488# See the accf_dataready(9) man page for details.
6489#
6490# Linux:
6491#
6492# The 'data' filter delays delivering of new connections
6493# to Squid until there is some data to process by TCP_ACCEPT_DEFER.
6494# You may optionally specify a number of seconds to wait by
6495# 'data=N' where N is the number of seconds. Defaults to 30
6496# if not specified. See the tcp(7) man page for details.
6497#EXAMPLE:
6498## FreeBSD
6499#accept_filter httpready
6500## Linux
6501#accept_filter data
6502#Default:
6503# none
6504
6505# TAG: client_ip_max_connections
6506# Set an absolute limit on the number of connections a single
6507# client IP can use. Any more than this and Squid will begin to drop
6508# new connections from the client until it closes some links.
6509#
6510# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
6511# connections from the client. For finer control use the ACL access controls.
6512#
6513# Requires client_db to be enabled (the default).
6514#
6515# WARNING: This may noticeably slow down traffic received via external proxies
6516# or NAT devices and cause them to rebound error messages back to their clients.
6517#Default:
6518# No limit.
6519
6520# TAG: tcp_recv_bufsize (bytes)
6521# Size of receive buffer to set for TCP sockets. Probably just
6522# as easy to change your kernel's default.
6523# Omit from squid.conf to use the default buffer size.
6524#Default:
6525# Use operating system TCP defaults.
6526
6527# ICAP OPTIONS
6528# -----------------------------------------------------------------------------
6529
6530# TAG: icap_enable on|off
6531# If you want to enable the ICAP module support, set this to on.
6532#Default:
6533# icap_enable off
6534
6535# TAG: icap_connect_timeout
6536# This parameter specifies how long to wait for the TCP connect to
6537# the requested ICAP server to complete before giving up and either
6538# terminating the HTTP transaction or bypassing the failure.
6539#
6540# The default for optional services is peer_connect_timeout.
6541# The default for essential services is connect_timeout.
6542# If this option is explicitly set, its value applies to all services.
6543#Default:
6544# none
6545
6546# TAG: icap_io_timeout time-units
6547# This parameter specifies how long to wait for an I/O activity on
6548# an established, active ICAP connection before giving up and
6549# either terminating the HTTP transaction or bypassing the
6550# failure.
6551#Default:
6552# Use read_timeout.
6553
6554# TAG: icap_service_failure_limit limit [in memory-depth time-units]
6555# The limit specifies the number of failures that Squid tolerates
6556# when establishing a new TCP connection with an ICAP service. If
6557# the number of failures exceeds the limit, the ICAP service is
6558# not used for new ICAP requests until it is time to refresh its
6559# OPTIONS.
6560#
6561# A negative value disables the limit. Without the limit, an ICAP
6562# service will not be considered down due to connectivity failures
6563# between ICAP OPTIONS requests.
6564#
6565# Squid forgets ICAP service failures older than the specified
6566# value of memory-depth. The memory fading algorithm
6567# is approximate because Squid does not remember individual
6568# errors but groups them instead, splitting the option
6569# value into ten time slots of equal length.
6570#
6571# When memory-depth is 0 and by default this option has no
6572# effect on service failure expiration.
6573#
6574# Squid always forgets failures when updating service settings
6575# using an ICAP OPTIONS transaction, regardless of this option
6576# setting.
6577#
6578# For example,
6579# # suspend service usage after 10 failures in 5 seconds:
6580# icap_service_failure_limit 10 in 5 seconds
6581#Default:
6582# icap_service_failure_limit 10
6583
6584# TAG: icap_service_revival_delay
6585# The delay specifies the number of seconds to wait after an ICAP
6586# OPTIONS request failure before requesting the options again. The
6587# failed ICAP service is considered "down" until fresh OPTIONS are
6588# fetched.
6589#
6590# The actual delay cannot be smaller than the hardcoded minimum
6591# delay of 30 seconds.
6592#Default:
6593# icap_service_revival_delay 180
6594
6595# TAG: icap_preview_enable on|off
6596# The ICAP Preview feature allows the ICAP server to handle the
6597# HTTP message by looking only at the beginning of the message body
6598# or even without receiving the body at all. In some environments,
6599# previews greatly speedup ICAP processing.
6600#
6601# During an ICAP OPTIONS transaction, the server may tell Squid what
6602# HTTP messages should be previewed and how big the preview should be.
6603# Squid will not use Preview if the server did not request one.
6604#
6605# To disable ICAP Preview for all ICAP services, regardless of
6606# individual ICAP server OPTIONS responses, set this option to "off".
6607#Example:
6608#icap_preview_enable off
6609#Default:
6610# icap_preview_enable on
6611
6612# TAG: icap_preview_size
6613# The default size of preview data to be sent to the ICAP server.
6614# This value might be overwritten on a per server basis by OPTIONS requests.
6615#Default:
6616# No preview sent.
6617
6618# TAG: icap_206_enable on|off
6619# 206 (Partial Content) responses is an ICAP extension that allows the
6620# ICAP agents to optionally combine adapted and original HTTP message
6621# content. The decision to combine is postponed until the end of the
6622# ICAP response. Squid supports Partial Content extension by default.
6623#
6624# Activation of the Partial Content extension is negotiated with each
6625# ICAP service during OPTIONS exchange. Most ICAP servers should handle
6626# negotiation correctly even if they do not support the extension, but
6627# some might fail. To disable Partial Content support for all ICAP
6628# services and to avoid any negotiation, set this option to "off".
6629#
6630# Example:
6631# icap_206_enable off
6632#Default:
6633# icap_206_enable on
6634
6635# TAG: icap_default_options_ttl
6636# The default TTL value for ICAP OPTIONS responses that don't have
6637# an Options-TTL header.
6638#Default:
6639# icap_default_options_ttl 60
6640
6641# TAG: icap_persistent_connections on|off
6642# Whether or not Squid should use persistent connections to
6643# an ICAP server.
6644#Default:
6645# icap_persistent_connections on
6646
6647# TAG: adaptation_send_client_ip on|off
6648# If enabled, Squid shares HTTP client IP information with adaptation
6649# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
6650# For eCAP, Squid sets the libecap::metaClientIp transaction option.
6651#
6652# See also: adaptation_uses_indirect_client
6653#Default:
6654# adaptation_send_client_ip off
6655
6656# TAG: adaptation_send_username on|off
6657# This sends the authenticated HTTP client username (if available) to
6658# the adaptation service.
6659#
6660# For ICAP, the username value is encoded based on the
6661# icap_client_username_encode option and is sent using the header
6662# specified by the icap_client_username_header option. Note that
# base64 encoding is not confidentiality protection: the username is
# still readable by anyone who can observe the ICAP connection, so
# enable this only for adaptation services trusted with identifying
# user data.
6663#Default:
6664# adaptation_send_username off
6665
6666# TAG: icap_client_username_header
6667# ICAP request header name to use for adaptation_send_username.
6668#Default:
6669# icap_client_username_header X-Client-Username
6670
6671# TAG: icap_client_username_encode on|off
6672# Whether to base64 encode the authenticated client username.
6673#Default:
6674# icap_client_username_encode off
6675
6676# TAG: icap_service
6677# Defines a single ICAP service using the following format:
6678#
6679# icap_service id vectoring_point uri [option ...]
6680#
6681# id: ID
6682# an opaque identifier or name which is used to direct traffic to
6683# this specific service. Must be unique among all adaptation
6684# services in squid.conf.
6685#
6686# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
6687# This specifies at which point of transaction processing the
6688# ICAP service should be activated. *_postcache vectoring points
6689# are not yet supported.
6690#
6691# uri: icap://servername:port/servicepath
6692# ICAP server and service location.
6693#
6694# ICAP does not allow a single service to handle both REQMOD and RESPMOD
6695# transactions. Squid does not enforce that requirement. You can specify
6696# services with the same service_url and different vectoring_points. You
6697# can even specify multiple identical services as long as their
6698# service_names differ.
6699#
6700# To activate a service, use the adaptation_access directive. To group
6701# services, use adaptation_service_chain and adaptation_service_set.
6702#
6703# Service options are separated by white space. ICAP services support
6704# the following name=value options:
6705#
6706# bypass=on|off|1|0
6707# If set to 'on' or '1', the ICAP service is treated as
6708# optional. If the service cannot be reached or malfunctions,
6709# Squid will try to ignore any errors and process the message as
6710# if the service was not enabled. Not all ICAP errors can be
6711# bypassed. If set to 'off' or '0', the ICAP service is treated as
6712# essential and all ICAP errors will result in an error page
6713# returned to the HTTP client.
6714#
# Note that a bypassable service fails open: while a content
# filter or virus scanner marked bypass=on is unreachable, messages
# pass through without that adaptation being applied.
#
6715# Bypass is off by default: services are treated as essential.
6716#
6717# routing=on|off|1|0
6718# If set to 'on' or '1', the ICAP service is allowed to
6719# dynamically change the current message adaptation plan by
6720# returning a chain of services to be used next. The services
6721# are specified using the X-Next-Services ICAP response header
6722# value, formatted as a comma-separated list of service names.
6723# Each named service should be configured in squid.conf. Other
6724# services are ignored. An empty X-Next-Services value results
6725# in an empty plan which ends the current adaptation. Only enable
# routing for services you trust to decide which further adaptations
# run, since a routing service can also end the plan and thereby skip
# the remaining services.
6726#
6727# Dynamic adaptation plan may cross or cover multiple supported
6728# vectoring points in their natural processing order.
6729#
6730# Routing is not allowed by default: the ICAP X-Next-Services
6731# response header is ignored.
6732#
6733# ipv6=on|off
6734# Only has effect on split-stack systems. The default on those systems
6735# is to use IPv4-only connections. When set to 'on' this option will
6736# make Squid use IPv6-only connections to contact this ICAP service.
6737#
6738# on-overload=block|bypass|wait|force
6739# If the service Max-Connections limit has been reached, do
6740# one of the following for each new ICAP transaction:
6741# * block: send an HTTP error response to the client
6742# * bypass: ignore the "over-connected" ICAP service
6743# * wait: wait (in a FIFO queue) for an ICAP connection slot
6744# * force: proceed, ignoring the Max-Connections limit
6745#
6746# In SMP mode with N workers, each worker assumes the service
6747# connection limit is Max-Connections/N, even though not all
6748# workers may use a given service.
6749#
6750# The default value is "bypass" if service is bypassable,
6751# otherwise it is set to "wait".
6752#
6753#
6754# max-conn=number
6755# Use the given number as the Max-Connections limit, regardless
6756# of the Max-Connections value given by the service, if any.
6757#
6758# Older icap_service format without optional named parameters is
6759# deprecated but supported for backward compatibility.
6760#
6761#Example:
6762#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
6763#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on
6764#Default:
6765# none
6766
6767# TAG: icap_class
6768# This deprecated option was documented to define an ICAP service
6769# chain, even though it actually defined a set of similar, redundant
6770# services, and the chains were not supported.
6771#
6772# To define a set of redundant services, please use the
6773# adaptation_service_set directive. For service chains, use
6774# adaptation_service_chain.
6775#Default:
6776# none
6777
6778# TAG: icap_access
6779# This option is deprecated. Please use adaptation_access, which
6780# has the same ICAP functionality, but comes with better
6781# documentation, and eCAP support.
6782#Default:
6783# none
6784
6785# eCAP OPTIONS
6786# -----------------------------------------------------------------------------
6787
6788# TAG: ecap_enable on|off
6789# Controls whether eCAP support is enabled.
6790#Default:
6791# ecap_enable off
6792
6793# TAG: ecap_service
6794# Defines a single eCAP service
6795#
6796# ecap_service id vectoring_point uri [option ...]
6797#
6798# id: ID
6799# an opaque identifier or name which is used to direct traffic to
6800# this specific service. Must be unique among all adaptation
6801# services in squid.conf.
6802#
6803# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
6804# This specifies at which point of transaction processing the
6805# eCAP service should be activated. *_postcache vectoring points
6806# are not yet supported.
6807#
6808# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional
6809# Squid uses the eCAP service URI to match this configuration
6810# line with one of the dynamically loaded services. Each loaded
6811# eCAP service must have a unique URI. Obtain the right URI from
6812# the service provider.
6813#
6814# To activate a service, use the adaptation_access directive. To group
6815# services, use adaptation_service_chain and adaptation_service_set.
6816#
6817# Service options are separated by white space. eCAP services support
6818# the following name=value options:
6819#
6820# bypass=on|off|1|0
6821# If set to 'on' or '1', the eCAP service is treated as optional.
6822# If the service cannot be reached or malfunctions, Squid will try
6823# to ignore any errors and process the message as if the service
6824# was not enabled. Not all eCAP errors can be bypassed.
6825# If set to 'off' or '0', the eCAP service is treated as essential
6826# and all eCAP errors will result in an error page returned to the
6827# HTTP client.
6828#
6829# Bypass is off by default: services are treated as essential.
6830#
6831# routing=on|off|1|0
6832# If set to 'on' or '1', the eCAP service is allowed to
6833# dynamically change the current message adaptation plan by
6834# returning a chain of services to be used next.
6835#
6836# Dynamic adaptation plan may cross or cover multiple supported
6837# vectoring points in their natural processing order.
6838#
6839# Routing is not allowed by default.
6840#
6841# Older ecap_service format without optional named parameters is
6842# deprecated but supported for backward compatibility.
6843#
6844#
6845#Example:
6846#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off
6847#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on
6848#Default:
6849# none
6850
6851# TAG: loadable_modules
6852# Instructs Squid to load the specified dynamic module(s) or activate
6853# preloaded module(s). A loaded module runs inside the Squid process
# with Squid's privileges, so only load modules from trusted sources
# and from locations that are not writable by unprivileged users.
6854#Example:
6855#loadable_modules /usr/lib/MinimalAdapter.so
6856#Default:
6857# none
6858
6859# MESSAGE ADAPTATION OPTIONS
6860# -----------------------------------------------------------------------------
6861
6862# TAG: adaptation_service_set
6863#
6864# Configures an ordered set of similar, redundant services. This is
6865# useful when hot standby or backup adaptation servers are available.
6866#
6867# adaptation_service_set set_name service_name1 service_name2 ...
6868#
6869# The named services are used in the set declaration order. The first
6870# applicable adaptation service from the set is used first. The next
6871# applicable service is tried if and only if the transaction with the
6872# previous service fails and the message waiting to be adapted is still
6873# intact.
6874#
6875# When adaptation starts, broken services are ignored as if they were
6876# not a part of the set. A broken service is a down optional service.
6877#
6878# The services in a set must be attached to the same vectoring point
6879# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
6880#
6881# If all services in a set are optional then adaptation failures are
6882# bypassable. If all services in the set are essential, then a
6883# transaction failure with one service may still be retried using
6884# another service from the set, but when all services fail, the master
6885# transaction fails as well.
6886#
6887# A set may contain a mix of optional and essential services, but that
6888# is likely to lead to surprising results because broken services become
6889# ignored (see above), making previously bypassable failures fatal.
6890# Technically, it is the bypassability of the last failed service that
6891# matters.
6892#
6893# See also: adaptation_access adaptation_service_chain
6894#
6895#Example:
6896#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
6897#adaptation_service_set svcLogger loggerLocal loggerRemote
6898#Default:
6899# none
6900
6901# TAG: adaptation_service_chain
6902#
6903# Configures a list of complementary services that will be applied
6904# one-by-one, forming an adaptation chain or pipeline. This is useful
6905# when Squid must perform different adaptations on the same message.
6906#
6907# adaptation_service_chain chain_name service_name1 svc_name2 ...
6908#
6909# The named services are used in the chain declaration order. The first
6910# applicable adaptation service from the chain is used first. The next
6911# applicable service is applied to the successful adaptation results of
6912# the previous service in the chain.
6913#
6914# When adaptation starts, broken services are ignored as if they were
6915# not a part of the chain. A broken service is a down optional service.
6916#
6917# Request satisfaction terminates the adaptation chain because Squid
6918# does not currently allow declaration of RESPMOD services at the
6919# "reqmod_precache" vectoring point (see icap_service or ecap_service).
6920#
6921# The services in a chain must be attached to the same vectoring point
6922# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
6923#
6924# A chain may contain a mix of optional and essential services. If an
6925# essential adaptation fails (or the failure cannot be bypassed for
6926# other reasons), the master transaction fails. Otherwise, the failure
6927# is bypassed as if the failed adaptation service was not in the chain.
6928#
6929# See also: adaptation_access adaptation_service_set
6930#
6931#Example:
6932#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
6933#Default:
6934# none
6935
6936# TAG: adaptation_access
6937# Sends an HTTP transaction to an ICAP or eCAP adaptation service.
6938#
6939# adaptation_access service_name allow|deny [!]aclname...
6940# adaptation_access set_name allow|deny [!]aclname...
6941#
6942# At each supported vectoring point, the adaptation_access
6943# statements are processed in the order they appear in this
6944# configuration file. Statements pointing to the following services
6945# are ignored (i.e., skipped without checking their ACL):
6946#
6947# - services serving different vectoring points
6948# - "broken-but-bypassable" services
6949# - "up" services configured to ignore such transactions
6950# (e.g., based on the ICAP Transfer-Ignore header).
6951#
6952# When a set_name is used, all services in the set are checked
6953# using the same rules, to find the first applicable one. See
6954# adaptation_service_set for details.
6955#
6956# If an access list is checked and there is a match, the
6957# processing stops: For an "allow" rule, the corresponding
6958# adaptation service is used for the transaction. For a "deny"
6959# rule, no adaptation service is activated.
6960#
6961# It is currently not possible to apply more than one adaptation
6962# service at the same vectoring point to the same HTTP transaction.
6963#
6964# See also: icap_service and ecap_service
6965#
6966#Example:
6967#adaptation_access service_1 allow all
6968#Default:
6969# Allow, unless rules exist in squid.conf.
6970
6971# TAG: adaptation_service_iteration_limit
6972# Limits the number of iterations allowed when applying adaptation
6973# services to a message. If your longest adaptation set or chain
6974# may have more than 16 services, increase the limit beyond its
6975# default value of 16. If detecting infinite iteration loops sooner
6976# is critical, make the iteration limit match the actual number
6977# of services in your longest adaptation set or chain.
6978#
6979# Infinite adaptation loops are most likely with routing services.
6980#
6981# See also: icap_service routing=1
6982#Default:
6983# adaptation_service_iteration_limit 16
6984
6985# TAG: adaptation_masterx_shared_names
6986# For each master transaction (i.e., the HTTP request and response
6987# sequence, including all related ICAP and eCAP exchanges), Squid
6988# maintains a table of metadata. The table entries are (name, value)
6989# pairs shared among eCAP and ICAP exchanges. The table is destroyed
6990# with the master transaction.
6991#
6992# This option specifies the table entry names that Squid must accept
6993# from and forward to the adaptation transactions.
6994#
6995# An ICAP REQMOD or RESPMOD transaction may set an entry in the
6996# shared table by returning an ICAP header field with a name
6997# specified in adaptation_masterx_shared_names.
6998#
6999# An eCAP REQMOD or RESPMOD transaction may set an entry in the
7000# shared table by implementing the libecap::visitEachOption() API
7001# to provide an option with a name specified in
7002# adaptation_masterx_shared_names.
7003#
7004# Squid will store and forward the set entry to subsequent adaptation
7005# transactions within the same master transaction scope.
7006#
7007# Only one shared entry name is supported at this time.
7008#
7009#Example:
7010## share authentication information among ICAP services
7011#adaptation_masterx_shared_names X-Subscriber-ID
7012#Default:
7013# none
7014
7015# TAG: adaptation_meta
7016# This option allows the Squid administrator to add custom ICAP request
7017# headers or eCAP options to Squid ICAP requests or eCAP transactions.
7018# Use it to pass custom authentication tokens and other
7019# transaction-state related meta information to an ICAP/eCAP service.
7020#
7021# The addition of a meta header is ACL-driven:
7022# adaptation_meta name value [!]aclname ...
7023#
7024# Processing for a given header name stops after the first ACL list match.
7025# Thus, it is impossible to add two headers with the same name. If no ACL
7026# lists match for a given header name, no such header is added. For
7027# example:
7028#
7029# # do not debug transactions except for those that need debugging
7030# adaptation_meta X-Debug 1 needs_debugging
7031#
7032# # log all transactions except for those that must remain secret
7033# adaptation_meta X-Log 1 !keep_secret
7034#
7035# # mark transactions from users in the "G 1" group
7036# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
7037#
7038# The "value" parameter may be a regular squid.conf token or a "double
7039# quoted string". Within the quoted string, use backslash (\) to escape
7040# any character, which is currently only useful for escaping backslashes
7041# and double quotes. For example,
7042# "this string has one backslash (\\) and two \"quotes\""
7043#
7044# Used adaptation_meta header values may be logged via %note
7045# logformat code. If multiple adaptation_meta headers with the same name
7046# are used during master transaction lifetime, the header values are
7047# logged in the order they were used and duplicate values are ignored
7048# (only the first repeated value will be logged).
7049#Default:
7050# none
7051
7052# TAG: icap_retry
7053# This ACL determines which retriable ICAP transactions are
7054# retried. Transactions that received a complete ICAP response
7055# and did not have to consume or produce HTTP bodies to receive
7056# that response are usually retriable.
7057#
7058# icap_retry allow|deny [!]aclname ...
7059#
7060# Squid automatically retries some ICAP I/O timeouts and errors
7061# due to persistent connection race conditions.
7062#
7063# See also: icap_retry_limit
7064#Default:
7065# icap_retry deny all
7066
7067# TAG: icap_retry_limit
7068# Limits the number of retries allowed.
7069#
7070# Communication errors due to persistent connection race
7071# conditions are unavoidable, automatically retried, and do not
7072# count against this limit.
7073#
7074# See also: icap_retry
7075#Default:
7076# No retries are allowed.
7077
7078# DNS OPTIONS
7079# -----------------------------------------------------------------------------
7080
7081# TAG: check_hostnames
7082# For security and stability reasons Squid can check
7083# hostnames for Internet standard RFC compliance. If you want
7084# Squid to perform these checks turn this directive on.
7085#Default:
7086# check_hostnames off
7087
7088# TAG: allow_underscore
7089# Underscore characters are not strictly allowed in Internet hostnames
7090# but are nevertheless used by many sites. Set this to off if you want
7091# Squid to be strict about the standard.
7092# This check is performed only when check_hostnames is set to on.
7093#Default:
7094# allow_underscore on
7095
7096# TAG: cache_dns_program
7097# Note: This option is only available if Squid is rebuilt with the
7098# --disable-internal-dns
7099#
7100# Specify the location of the executable for dnslookup process.
7101#Default:
7102# cache_dns_program /usr/lib/squid3/dnsserver
7103
7104# TAG: dns_children
7105# Note: This option is only available if Squid is rebuilt with the
7106# --disable-internal-dns
7107#
7108# The maximum number of processes spawned to service DNS name lookups.
7109# If you allow too few, Squid will have to wait for them to process
7110# a backlog of requests, slowing it down. If you allow too many, they
7111# will use RAM and other system resources noticeably.
7112# The maximum this may be safely set to is 32.
7113#
7114# The startup= and idle= options allow some measure of skew in your
7115# tuning.
7116#
7117# startup=
7118#
7119# Sets a minimum of how many processes are to be spawned when Squid
7120# starts or reconfigures. When set to zero the first request will
7121# cause spawning of the first child process to handle it.
7122#
7123# Starting too few will cause an initial slowdown in traffic as Squid
7124# attempts to simultaneously spawn enough processes to cope.
7125#
7126# idle=
7127#
7128# Sets a minimum of how many processes Squid is to try and keep available
7129# at all times. When traffic begins to rise above what the existing
7130# processes can handle this many more will be spawned up to the maximum
7131# configured. A minimum setting of 1 is required.
7132#Default:
7133# dns_children 32 startup=1 idle=1
7134
7135# TAG: dns_retransmit_interval
7136# Initial retransmit interval for DNS queries. The interval is
7137# doubled each time all configured DNS servers have been tried.
7138#Default:
7139# dns_retransmit_interval 5 seconds
7140
7141# TAG: dns_timeout
7142# DNS Query timeout. If no response is received to a DNS query
7143# within this time all DNS servers for the queried domain
7144# are assumed to be unavailable.
7145#Default:
7146# dns_timeout 30 seconds
7147
7148# TAG: dns_packet_max
7149# Maximum number of bytes packet size to advertise via EDNS.
7150# Set to "none" to disable EDNS large packet support.
7151#
7152# For legacy reasons DNS UDP replies will default to 512 bytes which
7153# is too small for many responses. EDNS provides a means for Squid to
7154# negotiate receiving larger responses back immediately without having
7155# to failover with repeat requests. Responses larger than this limit
7156# will retain the old behaviour of failover to TCP DNS.
7157#
7158# Squid has no real fixed limit internally, but allowing packet sizes
7159# over 1500 bytes requires network jumbogram support and is usually not
7160# necessary.
7161#
7162# WARNING: The RFC also indicates that some older resolvers will reply
7163# with failure of the whole request if the extension is added. Some
7164# resolvers have already been identified which will reply with mangled
7165# EDNS response on occasion. Usually in response to many-KB jumbogram
7166# sizes being advertised by Squid.
7167# Squid will currently treat these both as an unable-to-resolve domain
7168# even if it would be resolvable without EDNS.
7169#Default:
7170# EDNS disabled
7171
7172# TAG: dns_defnames on|off
7173# Normally the RES_DEFNAMES resolver option is disabled
7174# (see res_init(3)). This prevents caches in a hierarchy
7175# from interpreting single-component hostnames locally. To allow
7176# Squid to handle single-component names, enable this option.
7177#Default:
7178# Search for single-label domain names is disabled.
7179
7180# TAG: dns_multicast_local on|off
7181# When set to on, Squid sends multicast DNS lookups on the local
7182# network for domains ending in .local and .arpa.
7183# This enables local servers and devices to be contacted in an
7184# ad-hoc or zero-configuration network environment.
7185#Default:
7186# Search for .local and .arpa names is disabled.
7187
7188# TAG: dns_nameservers
7189# Use this if you want to specify a list of DNS name servers
7190# (IP addresses) to use instead of those given in your
7191# /etc/resolv.conf file.
7192#
7193# On Windows platforms, if no value is specified here or in
7194# the /etc/resolv.conf file, the list of DNS name servers are
7195# taken from the Windows registry, both static and dynamic DHCP
7196# configurations are supported.
7197#
7198# Example: dns_nameservers 10.0.0.1 192.172.0.4
7199#Default:
7200# Use operating system definitions
7201
7202# TAG: hosts_file
7203# Location of the host-local IP name-address associations
7204# database. Most Operating Systems have such a file on different
7205# default locations:
7206# - Un*X & Linux: /etc/hosts
7207# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
7208# (%SystemRoot% value install default is c:\winnt)
7209# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
7210# (%SystemRoot% value install default is c:\windows)
7211# - Windows 9x/Me: %windir%\hosts
7212# (%windir% value is usually c:\windows)
7213# - Cygwin: /etc/hosts
7214#
7215# The file contains newline-separated definitions, in the
7216# form "ip_address_in_dotted_form name [name ...]"; names are
7217# whitespace-separated. Lines beginning with a hash (#)
7218# character are comments.
7219#
7220# The file is checked at startup and upon configuration.
7221# If set to 'none', it won't be checked.
7222# If append_domain is used, that domain will be added to
7223# domain-local (i.e. not containing any dot character) host
7224# definitions.
7225#Default:
7226# hosts_file /etc/hosts
7227
7228# TAG: append_domain
7229# Appends local domain name to hostnames without any dots in
7230# them. append_domain must begin with a period.
7231#
7232# Be warned there are now Internet names with no dots in
7233# them using only top-domain names, so setting this may
7234# cause some Internet sites to become unavailable.
7235#
7236#Example:
7237# append_domain .yourdomain.com
7238#Default:
7239# Use operating system definitions
7240
7241# TAG: ignore_unknown_nameservers
7242# By default Squid checks that DNS responses are received
7243# from the same IP addresses the queries were sent to. If they
7244# don't match, Squid ignores the response and writes a warning
7245# message to cache.log. You can allow responses from unknown
7246# nameservers by setting this option to 'off'.
#
# WARNING: turning this check off means a response from any host
# can be accepted for an outstanding query, which makes it easier
# for an attacker to inject forged DNS answers. Leave it on unless
# your resolver legitimately answers from a different address.
7247#Default:
7248# ignore_unknown_nameservers on
7249
7250# TAG: dns_v4_first
7251# With the IPv6 Internet being as fast or faster than IPv4 Internet
7252# for most networks Squid prefers to contact websites over IPv6.
7253#
7254# This option reverses the order of preference to make Squid contact
7255# dual-stack websites over IPv4 first. Squid will still perform both
7256# IPv6 and IPv4 DNS lookups before connecting.
7257#
7258# WARNING:
7259# This option will restrict the situations under which IPv6
7260# connectivity is used (and tested), potentially hiding network
7261# problems which would otherwise be detected and warned about.
7262#Default:
7263# dns_v4_first off
7264
7265# TAG: ipcache_size (number of entries)
7266# Maximum number of DNS IP cache entries.
7267#Default:
7268# ipcache_size 1024
7269
7270# TAG: ipcache_low (percent)
7271#Default:
7272# ipcache_low 90
7273
7274# TAG: ipcache_high (percent)
7275# The size, low-, and high-water marks for the IP cache.
7276#Default:
7277# ipcache_high 95
7278
7279# TAG: fqdncache_size (number of entries)
7280# Maximum number of FQDN cache entries.
7281#Default:
7282# fqdncache_size 1024
7283
7284# MISCELLANEOUS
7285# -----------------------------------------------------------------------------
7286
7287# TAG: configuration_includes_quoted_values on|off
7288# Previous Squid versions have defined "quoted/string" as syntax for
7289# ACL to signify the value is an included file containing values and
7290# have treated the " characters in other places of the configuration file
7291# as part of the parameter value it was used for.
7292#
7293# For compatibility with existing installations that behaviour
7294# remains the default.
7295#
7296# If this directive is set to 'on', Squid will start parsing each
7297# "quoted string" as a single configuration directive parameter. The
7298# quotes are stripped before the parameter value is interpreted or used.
7299#
7300# That will continue for all lines until this directive is set to 'off',
7301# where Squid will return to the default configuration parsing.
7302#
7303# For example;
7304#
7305# configuration_includes_quoted_values on
7306# acl group external groupCheck Administrators "Internet Users" Guest
7307# configuration_includes_quoted_values off
7308#
7309#Default:
7310# configuration_includes_quoted_values off
7311
7312# TAG: memory_pools on|off
7313# If set, Squid will keep pools of allocated (but unused) memory
7314# available for future use. If memory is a premium on your
7315# system and you believe your malloc library outperforms Squid
7316# routines, disable this.
7317#Default:
7318# memory_pools on
7319
7320# TAG: memory_pools_limit (bytes)
7321# Used only with memory_pools on:
7322# memory_pools_limit 50 MB
7323#
7324# If set to a non-zero value, Squid will keep at most the specified
7325# limit of allocated (but unused) memory in memory pools. All free()
7326# requests that exceed this limit will be handled by your malloc
7327# library. Squid does not pre-allocate any memory, just safe-keeps
7328# objects that otherwise would be free()d. Thus, it is safe to set
7329# memory_pools_limit to a reasonably high value even if your
7330# configuration will use less memory.
7331#
7332# If set to none, Squid will keep all memory it can. That is, there
7333# will be no limit on the total amount of memory used for safe-keeping.
7334#
7335# To disable memory allocation optimization, do not set
7336# memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
7337#
7338# An overhead for maintaining memory pools is not taken into account
7339# when the limit is checked. This overhead is close to four bytes per
7340# object kept. However, pools may actually _save_ memory because of
7341# reduced memory thrashing in your malloc library.
7342#Default:
7343# memory_pools_limit 5 MB
7344
7345# TAG: forwarded_for on|off|transparent|truncate|delete
7346# If set to "on", Squid will append your client's IP address
7347# in the HTTP requests it forwards. By default it looks like:
7348#
7349# X-Forwarded-For: 192.1.2.3
7350#
7351# If set to "off", it will appear as
7352#
7353# X-Forwarded-For: unknown
7354#
7355# If set to "transparent", Squid will not alter the
7356# X-Forwarded-For header in any way.
7357#
7358# If set to "delete", Squid will delete the entire
7359# X-Forwarded-For header.
7360#
7361# If set to "truncate", Squid will remove all existing
7362# X-Forwarded-For entries, and place the client IP as the sole entry.
7363#Default:
7364# forwarded_for on
7365
7366# TAG: cachemgr_passwd
7367# Specify passwords for cachemgr operations.
7368#
7369# Usage: cachemgr_passwd password action action ...
7370#
7371# Some valid actions are (see cache manager menu for a full list):
7372# 5min
7373# 60min
7374# asndb
7375# authenticator
7376# cbdata
7377# client_list
7378# comm_incoming
7379# config *
7380# counters
7381# delay
7382# digest_stats
7383# dns
7384# events
7385# filedescriptors
7386# fqdncache
7387# histograms
7388# http_headers
7389# info
7390# io
7391# ipcache
7392# mem
7393# menu
7394# netdb
7395# non_peers
7396# objects
7397# offline_toggle *
7398# pconn
7399# peer_select
7400# reconfigure *
7401# redirector
7402# refresh
7403# server_list
7404# shutdown *
7405# store_digest
7406# storedir
7407# utilization
7408# via_headers
7409# vm_objects
7410#
7411# * Indicates actions which will not be performed without a
7412# valid password; other actions can be performed if not listed here.
7413#
7414# To disable an action, set the password to "disable".
7415# To allow performing an action without a password, set the
7416# password to "none".
7417#
7418# Use the keyword "all" to set the same password for all actions.
7419#
7420#Example:
7421# cachemgr_passwd secret shutdown
7422# cachemgr_passwd lesssssssecret info stats/objects
7423# cachemgr_passwd disable all
7424#Default:
7425# No password. Actions which require password are denied.
7426
7427# TAG: client_db on|off
7428# If you want to disable collecting per-client statistics,
7429# turn off client_db here.
7430#Default:
7431# client_db on
7432
7433# TAG: refresh_all_ims on|off
7434# When you enable this option, squid will always check
7435# the origin server for an update when a client sends an
7436# If-Modified-Since request. Many browsers use IMS
7437# requests when the user requests a reload, and this
7438# ensures those clients receive the latest version.
7439#
7440# By default (off), squid may return a Not Modified response
7441# based on the age of the cached version.
7442#Default:
7443# refresh_all_ims off
7444
7445# TAG: reload_into_ims on|off
7446# When you enable this option, client no-cache or ``reload''
7447# requests will be changed to If-Modified-Since requests.
7448# Doing this VIOLATES the HTTP standard. Enabling this
7449# feature could make you liable for problems which it
7450# causes.
7451#
7452# see also refresh_pattern for a more selective approach.
7453#Default:
7454# reload_into_ims off
7455
7456# TAG: connect_retries
7457# This sets the maximum number of connection attempts made for each
7458# TCP connection. The connect_retries attempts must all still
7459# complete within the connection timeout period.
7460#
7461# The default is not to re-try if the first connection attempt fails.
7462# The (not recommended) maximum is 10 tries.
7463#
7464# A warning message will be generated if it is set to a too-high
7465# value and the configured value will be overridden.
7466#
7467# Note: These re-tries are in addition to forward_max_tries,
7468# which limits how many different addresses may be tried to find
7469# a useful server.
7470#Default:
7471# Do not retry failed connections.
7472
7473# TAG: retry_on_error
7474# If set to ON Squid will automatically retry requests when
7475# receiving an error response with status 403 (Forbidden),
7476# 500 (Internal Error), 501 or 503 (Service not available).
7477# Status 502 and 504 (Gateway errors) are always retried.
7478#
7479# This is mainly useful if you are in a complex cache hierarchy to
7480# work around access control errors.
7481#
7482# NOTE: This retry will attempt to find another working destination,
7483# one that is different from the server which just failed.
7484#Default:
7485# retry_on_error off
7486
7487# TAG: as_whois_server
7488# WHOIS server to query for AS numbers. NOTE: AS numbers are
7489# queried only when Squid starts up, not for every request.
7490#Default:
7491# as_whois_server whois.ra.net
7492
7493# TAG: offline_mode
7494# Enable this option and Squid will never try to validate cached
7495# objects.
7496#Default:
7497# offline_mode off
7498
7499# TAG: uri_whitespace
7500# What to do with requests that have whitespace characters in the
7501# URI. Options:
7502#
7503# strip: The whitespace characters are stripped out of the URL.
7504# This is the behavior recommended by RFC2396 and RFC3986
7505# for tolerant handling of generic URI.
7506# NOTE: This is one difference between generic URI and HTTP URLs.
7507#
7508# deny: The request is denied. The user receives an "Invalid
7509# Request" message.
7510# This is the behaviour recommended by RFC2616 for safe
7511# handling of HTTP request URL.
7512#
7513# allow: The request is allowed and the URI is not changed. The
7514# whitespace characters remain in the URI. Note the
7515# whitespace is passed to redirector processes if they
7516# are in use.
7517# Note this may be considered a violation of RFC2616
7518# request parsing where whitespace is prohibited in the
7519# URL field.
7520#
7521# encode: The request is allowed and the whitespace characters are
7522# encoded according to RFC1738.
7523#
7524# chop: The request is allowed and the URI is chopped at the
7525# first whitespace.
7526#
7527#
7528# NOTE the current Squid implementation of encode and chop violates
7529# RFC2616 by not using a 301 redirect after altering the URL.
7530#Default:
7531# uri_whitespace strip
7532
7533# TAG: chroot
7534# Specifies a directory where Squid should do a chroot() while
7535# initializing. This also causes Squid to fully drop root
7536# privileges after initializing. This means, for example, if you
7537# use an HTTP port less than 1024 and try to reconfigure, you may
7538# get an error saying that Squid can not open the port.
7539#Default:
7540# none
7541
7542# TAG: balance_on_multiple_ip
7543# Modern IP resolvers in squid sort lookup results by preferred access.
7544# By default squid will use these IPs in order and only rotates to
7545# the next listed when the most preferred fails.
7546#
7547# Some load balancing servers based on round robin DNS have been
7548# found not to preserve user session state across requests
7549# to different IP addresses.
7550#
7551# Enabling this directive makes Squid rotate IPs per request.
7552#Default:
7553# balance_on_multiple_ip off
7554
7555# TAG: pipeline_prefetch
7556# HTTP clients may send a pipeline of 1+N requests to Squid using a
7557# single connection, without waiting for Squid to respond to the first
7558# of those requests. This option limits the number of concurrent
7559# requests Squid will try to handle in parallel. If set to N, Squid
7560# will try to receive and process up to 1+N requests on the same
7561# connection concurrently.
7562#
7563# Defaults to 0 (off) for bandwidth management and access logging
7564# reasons.
7565#
7566# NOTE: pipelining requires persistent connections to clients.
7567#
7568# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
7569#Default:
7570# Do not pre-parse pipelined requests.
7571
7572# TAG: high_response_time_warning (msec)
7573# If the one-minute median response time exceeds this value,
7574# Squid prints a WARNING with debug level 0 to get the
7575# administrator's attention. The value is in milliseconds.
7576#Default:
7577# disabled.
7578
7579# TAG: high_page_fault_warning
7580# If the one-minute average page fault rate exceeds this
7581# value, Squid prints a WARNING with debug level 0 to get
7582# the administrator's attention. The value is in page faults
7583# per second.
7584#Default:
7585# disabled.
7586
7587# TAG: high_memory_warning
7588# Note: This option is only available if Squid is rebuilt with the
7589# GNU Malloc with mstats()
7590#
7591# If the memory usage (as determined by mallinfo) exceeds
7592# this amount, Squid prints a WARNING with debug level 0 to get
7593# the administrator's attention.
7594#Default:
7595# disabled.
7596
7597# TAG: sleep_after_fork (microseconds)
7598# When this is set to a non-zero value, the main Squid process
7599# sleeps the specified number of microseconds after a fork()
7600# system call. This sleep may help the situation where your
7601# system reports fork() failures due to lack of (virtual)
7602# memory. Note, however, if you have a lot of child
7603# processes, these sleep delays will add up and your
7604# Squid will not service requests for some amount of time
7605# until all the child processes have been started.
7606# On Windows, values less than 1000 (1 millisecond) are
7607# rounded to 1000.
7608#Default:
7609# sleep_after_fork 0
7610
7611# TAG: windows_ipaddrchangemonitor on|off
7612# Note: This option is only available if Squid is rebuilt for
7613# MS Windows
7614#
7615# On Windows Squid by default will monitor IP address changes and will
7616# reconfigure itself after any detected event. This is very useful for
7617# proxies connected to internet with dial-up interfaces.
7618# In some cases (a Proxy server acting as VPN gateway is one) it could be
7619# desirable to disable this behaviour by setting this to 'off'.
7620# Note: after changing this, Squid service must be restarted.
7621#Default:
7622# windows_ipaddrchangemonitor on
7623
7624# TAG: eui_lookup
7625# Whether to lookup the EUI or MAC address of a connected client.
7626#Default:
7627# eui_lookup on
7628
7629# TAG: max_filedescriptors
7630# Reduce the maximum number of filedescriptors supported below
7631# the usual operating system defaults.
7632#
7633# Remove from squid.conf to inherit the current ulimit setting.
7634#
7635# Note: Changing this requires a restart of Squid. Also
7636# not all I/O types support large values (eg on Windows).
7637#Default:
7638# Use operating system limits set by ulimit.
7639
7640# TAG: workers
7641# Number of main Squid processes or "workers" to fork and maintain.
7642# 0: "no daemon" mode, like running "squid -N ..."
7643# 1: "no SMP" mode, start one main Squid process daemon (default)
7644# N: start N main Squid process daemons (i.e., SMP mode)
7645#
7646# In SMP mode, each worker does nearly everything a single Squid daemon
7647# does (e.g., listen on http_port and forward HTTP requests).
7648#Default:
7649# SMP support disabled.
7650
7651# TAG: cpu_affinity_map
7652# Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,...
7653#
7654# Sets 1:1 mapping between Squid processes and CPU cores. For example,
7655#
7656# cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7
7657#
7658# affects processes 1 through 4 only and places them on the first
7659# four even cores, starting with core #1.
7660#
7661# CPU cores are numbered starting from 1. Requires support for
7662# sched_getaffinity(2) and sched_setaffinity(2) system calls.
7663#
7664# Multiple cpu_affinity_map options are merged.
7665#
7666# See also: workers
7667#Default:
7668# Let operating system decide.