· 6 years ago · Nov 04, 2019, 08:20 PM
# WELCOME TO SQUID 3.1.19
# ----------------------------
#
# This is the documentation for the Squid configuration file.
# This documentation can also be found online at:
# http://www.squid-cache.org/Doc/config/
#
# You may wish to look at the Squid home page and wiki for the
# FAQ and other documentation:
# http://www.squid-cache.org/
# http://wiki.squid-cache.org/SquidFaq
# http://wiki.squid-cache.org/ConfigExamples
#
# This documentation shows what the defaults for various directives
# happen to be. If you don't need to change the default, you should
# leave the line out of your squid.conf in most cases.
#
# In some cases "none" refers to no default setting at all,
# while in other cases it refers to the value of the option
# - the comments for that keyword indicate if this is the case.
#

# Configuration options can be included using the "include" directive.
# Include takes a list of files to include. Quoting and wildcards are
# supported.
#
# For example,
#
# include /path/to/included/file/squid.acl.config
#
# Includes can be nested up to a hard-coded depth of 16 levels.
# This arbitrary restriction is to prevent recursive include references
# from causing Squid to enter an infinite loop whilst trying to load
# configuration files.

# TAG: dns_testnames
# Remove this line. DNS is no longer tested on startup.
#Default:
# none

# TAG: extension_methods
# Remove this line. All valid methods for HTTP are accepted by default.
#Default:
# none

# TAG: incoming_rate
#Default:
# none

# TAG: server_http11
# Remove this line. HTTP/1.1 is supported by default.
#Default:
# none

# TAG: upgrade_http0.9
# Remove this line. ICY/1.0 streaming protocol is supported by default.
#Default:
# none

# TAG: zph_local
# Alter these entries. Use the qos_flows directive instead.
#Default:
# none

# TAG: header_access
# Since squid-3.0 replace with request_header_access or reply_header_access
# depending on whether you wish to match client requests or server replies.
#Default:
# none

# TAG: httpd_accel_no_pmtu_disc
# Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
#Default:
# none

# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------

# TAG: auth_param
# This is used to define parameters for the various authentication
# schemes supported by Squid.
#
# format: auth_param scheme parameter [setting]
#
# The order in which authentication schemes are presented to the client is
# dependent on the order the scheme first appears in the config file. IE
# has a bug (it's not RFC 2617 compliant) in that it will use the basic
# scheme if basic is the first entry presented, even if more secure
# schemes are presented. For now use the order in the recommended
# settings section below. If other browsers have difficulties (don't
# recognize the schemes offered even if you are using basic) either
# put basic first, or disable the other schemes (by commenting out their
# program entry).
#
# Once an authentication scheme is fully configured, it can only be
# shut down by shutting squid down and restarting. Changes can be made on
# the fly and activated with a reconfigure. I.E. You can change to a
# different helper, but not unconfigure the helper completely.
#
# Please note that while this directive defines how Squid processes
# authentication it does not automatically activate authentication.
# To use authentication you must in addition make use of ACLs based
# on login name in http_access (proxy_auth, proxy_auth_regex or
# external with %LOGIN used in the format tag). The browser will be
# challenged for authentication on the first such acl encountered
# in http_access processing and will also be re-challenged for new
# login credentials if the request is being denied by a proxy_auth
# type acl.
#
# WARNING: authentication can't be used in a transparently intercepting
# proxy as the client then thinks it is talking to an origin server and
# not the proxy. This is a limitation of bending the TCP/IP protocol to
# transparently intercepting port 80, not a limitation in Squid.
# Ports flagged 'transparent', 'intercept', or 'tproxy' have
# authentication disabled.
#
# === Parameters for the basic scheme follow. ===
#
# "program" cmdline
# Specify the command for the external authenticator. Such a program
# reads a line containing "username password" and replies "OK" or
# "ERR" in an endless loop. "ERR" responses may optionally be followed
# by an error description available as %m in the returned error page.
# If you use an authenticator, make sure you have 1 acl of type
# proxy_auth.
#
# By default, the basic authentication scheme is not used unless a
# program is specified.
#
# If you want to use the traditional NCSA proxy authentication, set
# this line to something like
#
# auth_param basic program /usr/lib/squid3/ncsa_auth /usr/etc/passwd
#
# "utf8" on|off
# HTTP uses iso-latin-1 as character set, while some authentication
# backends such as LDAP expect UTF-8. If this is set to on Squid will
# translate the HTTP iso-latin-1 charset to UTF-8 before sending the
# username & password to the helper.
#
# "children" numberofchildren
# The number of authenticator processes to spawn. If you start too few
# Squid will have to wait for them to process a backlog of credential
# verifications, slowing it down. When password verifications are
# done via a (slow) network you are likely to need lots of
# authenticator processes.
# auth_param basic children 5
#
# "concurrency" concurrency
# The number of concurrent requests the helper can process.
# The default of 0 is used for helpers that only support
# one request at a time. Setting this changes the protocol used to
# include a channel number first on the request/response line, allowing
# multiple requests to be sent to the same helper in parallel without
# waiting for the response.
# Must not be set unless it's known the helper supports this.
# auth_param basic concurrency 0
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the
# client for the basic proxy authentication scheme (part of
# the text the user will see when prompted for their username and
# password). There is no default.
# auth_param basic realm Squid proxy-caching web server
#
# "credentialsttl" timetolive
# Specifies how long squid assumes an externally validated
# username:password pair is valid for - in other words how
# often the helper program is called for that user. Set this
# low to force revalidation with short lived passwords. Note
# setting this high does not impact your susceptibility
# to replay attacks unless you are using a one-time password
# system (such as SecurID). If you are using such a system,
# you will be vulnerable to replay attacks unless you also
# use the max_user_ip ACL in an http_access rule.
#
# "casesensitive" on|off
# Specifies if usernames are case sensitive. Most user databases are
# case insensitive allowing the same username to be spelled using both
# lower and upper case letters, but some are case sensitive. This
# makes a big difference for max_user_ip ACL processing and similar.
# auth_param basic casesensitive off
#
# === Parameters for the digest scheme follow ===
#
# "program" cmdline
# Specify the command for the external authenticator. Such
# a program reads a line containing "username":"realm" and
# replies with the appropriate H(A1) value hex encoded or
# ERR if the user (or his H(A1) hash) does not exist.
# See RFC 2616 for the definition of H(A1).
# "ERR" responses may optionally be followed by an error description
# available as %m in the returned error page.
#
# By default, the digest authentication scheme is not used unless a
# program is specified.
#
# If you want to use a digest authenticator, set this line to
# something like
#
# auth_param digest program /usr/lib/squid3/digest_pw_auth /usr/etc/digpass
#
# "utf8" on|off
# HTTP uses iso-latin-1 as character set, while some authentication
# backends such as LDAP expect UTF-8. If this is set to on Squid will
# translate the HTTP iso-latin-1 charset to UTF-8 before sending the
# username & password to the helper.
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default).
# If you start too few Squid will have to wait for them to
# process a backlog of H(A1) calculations, slowing it down.
# When the H(A1) calculations are done via a (slow) network
# you are likely to need lots of authenticator processes.
# auth_param digest children 5
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the
# client for the digest proxy authentication scheme (part of
# the text the user will see when prompted for their username and
# password). There is no default.
# auth_param digest realm Squid proxy-caching web server
#
# "nonce_garbage_interval" timeinterval
# Specifies the interval at which nonces that have been issued
# to client agents are checked for validity.
#
# "nonce_max_duration" timeinterval
# Specifies the maximum length of time a given nonce will be
# valid for.
#
# "nonce_max_count" number
# Specifies the maximum number of times a given nonce can be
# used.
#
# "nonce_strictness" on|off
# Determines if squid requires strict increment-by-1 behavior
# for nonce counts, or just incrementing (off - for use when
# useragents generate nonce counts that occasionally miss 1
# (ie, 1,2,4,6)). Default off.
#
# "check_nonce_count" on|off
# This directive if set to off can disable the nonce count check
# completely to work around buggy digest qop implementations in
# certain mainstream browser versions. Default on to check the
# nonce count to protect from authentication replay attacks.
#
# "post_workaround" on|off
# This is a workaround for certain buggy browsers that send
# an incorrect request digest in POST requests when reusing
# the same nonce as acquired earlier on a GET request.
#
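The basic and digest helper protocols described above, as an added example that is not part of squid.conf or of the Squid distribution: basic requests arrive as "username password" and are answered OK or ERR, digest requests arrive as "username":"realm" and are answered with the hex H(A1) or ERR, and when concurrency is set each line carries a channel number that must be echoed back. The credential store, the --scheme and --concurrent flags and the install path are constructed for the example.

```python
#!/usr/bin/env python3
"""auth_param helper for the basic and digest schemes (added example, not part
of the Squid distribution). Assumed squid.conf lines:
    auth_param basic  program /usr/local/bin/example_auth.py --scheme basic
    auth_param digest program /usr/local/bin/example_auth.py --scheme digest
Add --concurrent when 'auth_param <scheme> concurrency N' is set, because a
digits-only username is otherwise indistinguishable from a channel number."""
import hashlib
import hmac
import sys
from urllib.parse import unquote

# Constructed credential store: username -> cleartext password. A real helper
# reads a hashed password file or a directory; digest needs the cleartext
# password or a stored H(A1) because it must return MD5(user:realm:password).
USERS = {"alice": "correct horse", "bob": "hunter2"}
REALM = "Squid proxy-caching web server"


def split_channel(line, concurrent):
    """With concurrency set, every request starts with a channel number that
    must be echoed in front of the reply. Returns (channel or None, rest)."""
    head, sep, rest = line.partition(" ")
    if concurrent and sep and head.isdigit():
        return head, rest
    return None, line


def handle_basic(payload):
    """payload is 'username password'. Squid sends both fields percent-escaped
    (its bundled ncsa_auth unescapes them), so decode before comparing.
    Reply OK or ERR; text after ERR becomes %m in the error page."""
    user, sep, password = payload.partition(" ")
    if not sep:
        return "ERR Malformed request"
    expected = USERS.get(unquote(user))
    # Constant-time compare so a wrong password does not leak how much of it
    # was right through response timing.
    if expected is not None and hmac.compare_digest(
            expected.encode(), unquote(password).encode()):
        return "OK"
    return "ERR Bad credentials"


def handle_digest(payload):
    """payload is '"username":"realm"'. Reply the hex H(A1) for that user and
    realm, or ERR. H(A1) = MD5(username:realm:password)."""
    user, sep, realm = payload.partition(":")
    if not sep:
        return "ERR Malformed request"
    user, realm = user.strip('"'), realm.strip('"')
    password = USERS.get(user)
    if password is None or realm != REALM:
        return "ERR Unknown user or realm"
    return hashlib.md5(f"{user}:{realm}:{password}".encode("latin-1")).hexdigest()


def respond(scheme, line, concurrent=False):
    """One request line in, one reply line out (no trailing newline)."""
    channel, payload = split_channel(line.rstrip("\r\n"), concurrent)
    reply = (handle_basic if scheme == "basic" else handle_digest)(payload)
    return reply if channel is None else f"{channel} {reply}"


def main():
    scheme = "basic"
    if "--scheme" in sys.argv:
        scheme = sys.argv[sys.argv.index("--scheme") + 1]
    concurrent = "--concurrent" in sys.argv
    # Squid keeps the helper alive and pipes one request per line; each reply
    # must be flushed at once or Squid stalls waiting for it.
    for line in sys.stdin:
        sys.stdout.write(respond(scheme, line, concurrent) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```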
# === NTLM scheme options follow ===
#
# "program" cmdline
# Specify the command for the external NTLM authenticator.
# Such a program reads exchanged NTLMSSP packets with
# the browser via Squid until authentication is completed.
# If you use an NTLM authenticator, make sure you have 1 acl
# of type proxy_auth. By default, the NTLM authenticator_program
# is not used.
#
# auth_param ntlm program /usr/lib/squid3/ntlm_auth
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default).
# If you start too few Squid will have to wait for them to
# process a backlog of credential verifications, slowing it
# down. When credential verifications are done via a (slow)
# network you are likely to need lots of authenticator
# processes.
#
# auth_param ntlm children 5
#
# "keep_alive" on|off
# Whether to keep the connection open after the initial response where
# Squid tells the browser which schemes are supported by the proxy.
# Some browsers are known to present many login popups or to corrupt
# POST/PUT request transfers if the connection is not closed.
# The default is currently OFF to avoid this, but may change.
#
# auth_param ntlm keep_alive on
#
# === Options for configuring the NEGOTIATE auth-scheme follow ===
#
# "program" cmdline
# Specify the command for the external Negotiate authenticator.
# This protocol is used in Microsoft Active-Directory enabled setups with
# the Microsoft Internet Explorer or Mozilla Firefox browsers.
# Its main purpose is to exchange credentials with the Squid proxy
# using the Kerberos mechanisms.
# If you use a Negotiate authenticator, make sure you have at least
# one acl of type proxy_auth active. By default, the negotiate
# authenticator_program is not used.
# The only supported program for this role is the ntlm_auth
# program distributed as part of Samba, version 4 or later.
#
# auth_param negotiate program /usr/lib/squid3/ntlm_auth --helper-protocol=gss-spnego
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default).
# If you start too few Squid will have to wait for them to
# process a backlog of credential verifications, slowing it
# down. When credential verifications are done via a (slow)
# network you are likely to need lots of authenticator
# processes.
# auth_param negotiate children 5
#
# "keep_alive" on|off
# Whether to keep the connection open after the initial response where
# Squid tells the browser which schemes are supported by the proxy.
# Some browsers are known to present many login popups or to corrupt
# POST/PUT request transfers if the connection is not closed.
# The default is currently OFF to avoid this, but may change.
#
# auth_param negotiate keep_alive on
#
#
# Examples:
#
##Recommended minimum configuration per scheme:
##auth_param negotiate program <uncomment and complete this line to activate>
##auth_param negotiate children 5
##auth_param negotiate keep_alive on
##
##auth_param ntlm program <uncomment and complete this line to activate>
##auth_param ntlm children 5
##auth_param ntlm keep_alive on
##
##auth_param digest program <uncomment and complete this line>
##auth_param digest children 5
##auth_param digest realm Squid proxy-caching web server
##auth_param digest nonce_garbage_interval 5 minutes
##auth_param digest nonce_max_duration 30 minutes
##auth_param digest nonce_max_count 50
##
##auth_param basic program <uncomment and complete this line>
##auth_param basic children 5
##auth_param basic realm Squid proxy-caching web server
##auth_param basic credentialsttl 2 hours
#Default:
# none

# TAG: authenticate_cache_garbage_interval
# The time period between garbage collection across the username cache.
# This is a tradeoff between memory utilization (long intervals - say
# 2 days) and CPU (short intervals - say 1 minute). Only change if you
# have good reason to.
#Default:
# authenticate_cache_garbage_interval 1 hour

# TAG: authenticate_ttl
# The time a user & their credentials stay in the logged in
# user cache since their last request. When the garbage
# interval passes, all user credentials that have passed their
# TTL are removed from memory.
#Default:
# authenticate_ttl 1 hour

# TAG: authenticate_ip_ttl
# If you use proxy authentication and the 'max_user_ip' ACL,
# this directive controls how long Squid remembers the IP
# addresses associated with each user. Use a small value
# (e.g., 60 seconds) if your users might change addresses
# quickly, as is the case with dialups. You might be safe
# using a larger value (e.g., 2 hours) in a corporate LAN
# environment with relatively static address assignments.
#Default:
# authenticate_ip_ttl 0 seconds

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

# TAG: external_acl_type
# This option defines external acl classes using a helper program
# to look up the status
#
# external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
#
# Options:
#
# ttl=n TTL in seconds for cached results (defaults to 3600
# for 1 hour)
# negative_ttl=n
# TTL for cached negative lookups (default same
# as ttl)
# children=n Number of acl helper processes spawned to service
# external acl lookups of this type. (default 5)
# concurrency=n concurrency level per process. Only used with helpers
# capable of processing more than one query at a time.
# cache=n result cache size, 0 is unbounded (default)
# grace=n Percentage remaining of TTL where a refresh of a
# cached entry should be initiated without needing to
# wait for a new reply. (default 0 for no grace period)
# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
# ipv4 / ipv6 IP-mode used to communicate to this helper.
# For compatibility with older configurations and helpers
# the default is currently 'ipv4'.
#
# FORMAT specifications
#
# %LOGIN Authenticated user login name
# %EXT_USER Username from external acl
# %IDENT Ident user name
# %SRC Client IP
# %SRCPORT Client source port
# %URI Requested URI
# %DST Requested host
# %PROTO Requested protocol
# %PORT Requested port
# %PATH Requested URL-path (including query-string if any)
# %METHOD Request method
# %MYADDR Squid interface address
# %MYPORT Squid http_port number
# %USER_CERT SSL User certificate in PEM format
# %USER_CERTCHAIN SSL User certificate chain in PEM format
# %USER_CERT_xx SSL User certificate subject attribute xx
# %USER_CA_xx SSL User certificate issuer attribute xx
#
# %>{Header} HTTP request header "Header"
# %>{Hdr:member}
# HTTP request header "Hdr" list member "member"
# %>{Hdr:;member}
# HTTP request header list member using ; as
# list separator. ; can be any non-alphanumeric
# character.
#
# %<{Header} HTTP reply header "Header"
# %<{Hdr:member}
# HTTP reply header "Hdr" list member "member"
# %<{Hdr:;member}
# HTTP reply header list member using ; as
# list separator. ; can be any non-alphanumeric
# character.
#
# %% The percent sign. Useful for helpers which need
# an unchanging input format.
#
# In addition to the above, any string specified in the referencing
# acl will also be included in the helper request line, after the
# specified formats (see the "acl external" directive)
#
# The helper receives lines per the above format specification,
# and returns lines starting with OK or ERR indicating the validity
# of the request and optionally followed by additional keywords with
# more details.
#
# General result syntax:
#
# OK/ERR keyword=value ...
#
# Defined keywords:
#
# user= The user's name (login)
# password= The user's password (for login= cache_peer option)
# message= Message describing the reason. Available as %o
# in error pages
# tag= Apply a tag to a request (for both ERR and OK results)
# Only sets a tag, does not alter existing tags.
# log= String to be logged in access.log. Available as
# %ea in logformat specifications
#
# If protocol=3.0 (the default) then URL escaping is used to protect
# each value in both requests and responses.
#
# If using protocol=2.5 then all values need to be enclosed in quotes
# if they may contain whitespace, or the whitespace escaped using \.
# And quotes or \ characters within the keyword value must be \ escaped.
#
# When using the concurrency= option the protocol is changed by
# introducing a query channel tag in front of the request/response.
# The query channel tag is a number between 0 and concurrency-1.
#Default:
# none

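A helper speaking the external_acl_type protocol just described, as an added example that is not one of Squid's bundled helpers: it reads [channel] %LOGIN %SRC followed by the group names taken from the referencing acl line, with every value URL-escaped as protocol=3.0 does, and replies OK or ERR with the user=, tag=, log= and message= keywords. The squid.conf lines, the group directory and the management-network policy are assumptions of the example.

```python
#!/usr/bin/env python3
"""external_acl_type helper doing group membership checks (added example,
not one of Squid's bundled helpers). Assumed squid.conf lines:
    external_acl_type grp ttl=60 concurrency=10 %LOGIN %SRC /usr/local/bin/ext_group.py --concurrent
    acl admins external grp admins
    acl staff  external grp staff wheel
Squid sends one line per lookup: [channel] <%LOGIN> <%SRC> <acl arguments...>
with every value URL-escaped (protocol=3.0) and '-' for an empty value; the
helper answers [channel] OK|ERR [keyword=value ...] with escaped values."""
import ipaddress
import sys
from urllib.parse import quote, unquote

# Constructed directory: group name -> members.
GROUPS = {"admins": {"alice"}, "staff": {"alice", "bob"}, "wheel": {"carol"}}
# Constructed policy: 'admins' membership only counts from the management LAN.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_request(line, concurrent):
    """Split off the channel tag (present only when concurrency= is set) and
    unescape each space-separated field."""
    fields = line.rstrip("\r\n").split(" ")
    channel = None
    if concurrent and fields and fields[0].isdigit():
        channel = fields.pop(0)
    return channel, [unquote(f) for f in fields]


def kv(key, value):
    """keyword=value with the value escaped so spaces and '=' survive."""
    return f"{key}={quote(value, safe='')}"


def decide(fields):
    """fields = [login, src, group...]; return the reply body."""
    if len(fields) < 3:
        return "ERR " + kv("message", "helper needs %LOGIN %SRC and at least one group")
    login, src, groups = fields[0], fields[1], fields[2:]
    if login == "-":
        return "ERR " + kv("message", "no authenticated user")
    matched = [g for g in groups if login in GROUPS.get(g, ())]
    if not matched:
        return "ERR " + kv("message", f"{login} is not in {' '.join(groups)}")
    if "admins" in matched:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return "ERR " + kv("message", "unparsable client address")
        if not any(addr in net for net in MGMT_NETS):
            return "ERR " + kv("message", "admins must connect from the management LAN")
    # user= names the user for logging and ext_user ACLs, tag= marks the
    # request for tag ACLs, log= shows up as %ea in logformat.
    return " ".join(["OK", kv("user", login), kv("tag", matched[0]),
                     kv("log", "groups:" + ",".join(matched))])


def respond(line, concurrent=False):
    """One request line in, one reply line out (no trailing newline)."""
    channel, fields = parse_request(line, concurrent)
    body = decide(fields)
    return body if channel is None else f"{channel} {body}"


def main():
    concurrent = "--concurrent" in sys.argv
    for line in sys.stdin:
        sys.stdout.write(respond(line, concurrent) + "\n")
        sys.stdout.flush()   # Squid waits for each reply; never buffer


if __name__ == "__main__":
    main()
```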
# TAG: acl
# Defining an Access List
#
# Every access list definition must begin with an aclname and acltype,
# followed by either type-specific arguments or a quoted filename that
# they are read from.
#
# acl aclname acltype argument ...
# acl aclname acltype "file" ...
#
# When using "file", the file should contain one item per line.
#
# By default, regular expressions are CASE-SENSITIVE.
# To make them case-insensitive, use the -i option. To return to case-sensitive
# use the +i option between patterns, or make a new ACL line without -i.
#
# Some acl types require suspending the current request in order
# to access some external data source.
# Those which do are marked with the tag [slow], those which
# don't are marked as [fast].
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl
# for further information
#
# ***** ACL TYPES AVAILABLE *****
#
# acl aclname src ip-address/netmask ... # clients IP address [fast]
# acl aclname src addr1-addr2/netmask ... # range of addresses [fast]
# acl aclname dst ip-address/netmask ... # URL host's IP address [slow]
# acl aclname myip ip-address/netmask ... # local socket IP address [fast]
#
# acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
# # The arp ACL requires the special configure option --enable-arp-acl.
# # Furthermore, the ARP ACL code is not portable to all operating systems.
# # It works on Linux, Solaris, Windows, FreeBSD, and some
# # other *BSD variants.
# # [fast]
# #
# # NOTE: Squid can only determine the MAC address for clients that are on
# # the same subnet. If the client is on a different subnet,
# # then Squid cannot find out its MAC address.
#
# acl aclname srcdomain .foo.com ...
# # reverse lookup, from client IP [slow]
# acl aclname dstdomain .foo.com ...
# # Destination server from URL [fast]
# acl aclname srcdom_regex [-i] \.foo\.com ...
# # regex matching client name [slow]
# acl aclname dstdom_regex [-i] \.foo\.com ...
# # regex matching server [fast]
# #
# # For dstdomain and dstdom_regex a reverse lookup is tried if an IP
# # based URL is used and no match is found. The name "none" is used
# # if the reverse lookup fails.
#
# acl aclname src_as number ...
# acl aclname dst_as number ...
# # [fast]
# # Except for access control, AS numbers can be used for
# # routing of requests to specific caches. Here's an
# # example for routing all requests for AS#1241 and only
# # those to mycache.mydomain.net:
# # acl asexample dst_as 1241
# # cache_peer_access mycache.mydomain.net allow asexample
# # cache_peer_access mycache.mydomain.net deny all
#
# acl aclname peername myPeer ...
# # [fast]
# # match against a named cache_peer entry
# # set unique name= on cache_peer lines for reliable use.
#
# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
# # [fast]
# # day-abbrevs:
# # S - Sunday
# # M - Monday
# # T - Tuesday
# # W - Wednesday
# # H - Thursday
# # F - Friday
# # A - Saturday
# # h1:m1 must be less than h2:m2
#
# acl aclname url_regex [-i] ^http:// ...
# # regex matching on whole URL [fast]
# acl aclname urlpath_regex [-i] \.gif$ ...
# # regex matching on URL path [fast]
#
# acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
# # ranges are allowed
# acl aclname myport 3128 ... # local socket TCP port [fast]
# acl aclname myportname 3128 ... # http(s)_port name [fast]
#
# acl aclname proto HTTP FTP ... # request protocol [fast]
#
# acl aclname method GET POST ... # HTTP request method [fast]
#
# acl aclname http_status 200 301 500- 400-403 ...
# # status code in reply [fast]
#
# acl aclname browser [-i] regexp ...
# # pattern match on User-Agent header (see also req_header below) [fast]
#
# acl aclname referer_regex [-i] regexp ...
# # pattern match on Referer header [fast]
# # Referer is highly unreliable, so use with care
#
# acl aclname ident username ...
# acl aclname ident_regex [-i] pattern ...
# # string match on ident output [slow]
# # use REQUIRED to accept any non-null ident.
#
# acl aclname proxy_auth [-i] username ...
# acl aclname proxy_auth_regex [-i] pattern ...
# # perform http authentication challenge to the client and match against
# # supplied credentials [slow]
# #
# # takes a list of allowed usernames.
# # use REQUIRED to accept any valid username.
# #
# # Will use proxy authentication in forward-proxy scenarios, and plain
# # http authentication in reverse-proxy scenarios
# #
# # NOTE: when a Proxy-Authentication header is sent but it is not
# # needed during ACL checking the username is NOT logged
# # in access.log.
# #
# # NOTE: proxy_auth requires an EXTERNAL authentication program
# # to check username/password combinations (see
# # auth_param directive).
# #
# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
# # as the browser needs to be configured for using a proxy in order
# # to respond to proxy authentication.
#
# acl aclname snmp_community string ...
# # A community string to limit access to your SNMP Agent [fast]
# # Example:
# #
# # acl snmppublic snmp_community public
#
# acl aclname maxconn number
# # This will be matched when the client's IP address has
# # more than <number> TCP connections established. [fast]
# # NOTE: This only measures direct TCP links so X-Forwarded-For
# # indirect clients are not counted.
#
# acl aclname max_user_ip [-s] number
# # This will be matched when the user attempts to log in from more
# # than <number> different ip addresses. The authenticate_ip_ttl
# # parameter controls the timeout on the ip entries. [fast]
# # If -s is specified the limit is strict, denying browsing
# # from any further IP addresses until the ttl has expired. Without
# # -s Squid will just annoy the user by "randomly" denying requests.
# # (the counter is reset each time the limit is reached and a
# # request is denied)
# # NOTE: in acceleration mode or where there is a mesh of child proxies,
# # clients may appear to come from multiple addresses if they are
# # going through proxy farms, so a limit of 1 may cause user problems.
#
# acl aclname req_mime_type [-i] mime-type ...
# # regex match against the mime type of the request generated
# # by the client. Can be used to detect file upload or some
# # types of HTTP tunneling requests [fast]
# # NOTE: This does NOT match the reply. You cannot use this
# # to match the returned file type.
#
# acl aclname req_header header-name [-i] any\.regex\.here
# # regex match against any of the known request headers. May be
# # thought of as a superset of "browser", "referer" and "mime-type"
# # ACL [fast]
#
# acl aclname rep_mime_type [-i] mime-type ...
# # regex match against the mime type of the reply received by
# # squid. Can be used to detect file download or some
# # types of HTTP tunneling requests. [fast]
# # NOTE: This has no effect in http_access rules. It only has
# # effect in rules that affect the reply data stream such as
# # http_reply_access.
#
# acl aclname rep_header header-name [-i] any\.regex\.here
# # regex match against any of the known reply headers. May be
# # thought of as a superset of "browser", "referer" and "mime-type"
# # ACLs [fast]
#
# acl aclname external class_name [arguments...]
# # external ACL lookup via a helper class defined by the
# # external_acl_type directive [slow]
#
# acl aclname user_cert attribute values...
# # match against attributes in a user SSL certificate
# # attribute is one of DN/C/O/CN/L/ST [fast]
#
# acl aclname ca_cert attribute values...
# # match against attributes of a user's issuing CA SSL certificate
# # attribute is one of DN/C/O/CN/L/ST [fast]
#
# acl aclname ext_user username ...
# acl aclname ext_user_regex [-i] pattern ...
# # string match on username returned by external acl helper [slow]
# # use REQUIRED to accept any non-null user name.
#
# acl aclname tag tagvalue ...
# # string match on tag returned by external acl helper [slow]
#
# Examples:
# acl macaddress arp 09:00:2b:23:45:67
# acl myexample dst_as 1241
# acl password proxy_auth REQUIRED
# acl fileupload req_mime_type -i ^multipart/form-data$
# acl javascript rep_mime_type -i ^application/x-javascript$
#
#Default:
# acl all src all
#
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
# Keep LAN ranges in localnet rather than localhost: localhost is granted
# cache manager access by the http_access rules below.
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# TAG: follow_x_forwarded_for
# Allowing or Denying the X-Forwarded-For header to be followed to
# find the original source of a request.
#
# Requests may pass through a chain of several other proxies
# before reaching us. The X-Forwarded-For header will contain a
# comma-separated list of the IP addresses in the chain, with the
# rightmost address being the most recent.
#
# If a request reaches us from a source that is allowed by this
# configuration item, then we consult the X-Forwarded-For header
# to see where that host received the request from. If the
# X-Forwarded-For header contains multiple addresses, we continue
# backtracking until we reach an address for which we are not allowed
# to follow the X-Forwarded-For header, or until we reach the first
# address in the list. For the purpose of the ACLs used in the
# follow_x_forwarded_for directive the src ACL type always matches
# the address we are testing and srcdomain matches its rDNS.
#
# The end result of this process is an IP address that we will
# refer to as the indirect client address. This address may
# be treated as the client address for access control, ICAP, delay
# pools and logging, depending on the acl_uses_indirect_client,
# icap_uses_indirect_client, delay_pool_uses_indirect_client and
# log_uses_indirect_client options.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
# SECURITY CONSIDERATIONS:
#
# Any host for which we follow the X-Forwarded-For header
# can place incorrect information in the header, and Squid
# will use the incorrect information as if it were the
# source address of the request. This may enable remote
# hosts to bypass any access control restrictions that are
# based on the client's source addresses.
#
# For example:
#
# acl localhost src 127.0.0.1
# acl my_other_proxy srcdomain .proxy.example.com
# follow_x_forwarded_for allow localhost
# follow_x_forwarded_for allow my_other_proxy
#Default:
# follow_x_forwarded_for deny all

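The backtracking described above, as an added example that is not Squid's implementation: starting from the direct client, the X-Forwarded-For list is consumed from the right for as long as the current address is allowed by the follow_x_forwarded_for rules, and the spoofing case from the security considerations is shown with a constructed rule set. Only src-style matching is modelled (no srcdomain/rDNS), and an unparsable entry such as "unknown" ends the walk at the last verified address, which is a simplification of this example.

```python
"""Indirect-client resolution as described for follow_x_forwarded_for (added
example, not Squid's implementation). Only src-style matching against the
follow_x_forwarded_for access list is modelled; srcdomain/rDNS is left out."""
import ipaddress


def parse_xff(header):
    """Left-to-right list of entries; the rightmost is the most recent hop."""
    return [e.strip() for e in header.split(",") if e.strip()]


def may_follow(addr, rules):
    """Evaluate the follow_x_forwarded_for allow/deny rules for one address.
    rules: [(action, [networks])] in squid.conf order; the first match wins
    and, as for every Squid access list, no match yields the opposite of the
    last rule's action (deny when there are no rules at all)."""
    for action, networks in rules:
        if any(addr in net for net in networks):
            return action == "allow"
    if not rules:
        return False
    return rules[-1][0] != "allow"


def resolve_indirect_client(direct_client, xff_header, rules):
    """Walk the X-Forwarded-For chain from right to left while each hop is one
    we are allowed to believe; stop at the first untrusted hop or at the head
    of the list. Returns the indirect client address as a string."""
    current = ipaddress.ip_address(direct_client)
    chain = parse_xff(xff_header)
    while chain and may_follow(current, rules):
        hop = chain.pop()
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break   # 'unknown' or garbage: keep the last verified address
    return str(current)


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed configuration, equivalent to:
#   acl localhost src 127.0.0.1
#   acl frontends src 10.0.0.0/24
#   follow_x_forwarded_for allow localhost
#   follow_x_forwarded_for allow frontends
FOLLOW_RULES = [("allow", nets("127.0.0.1/32")), ("allow", nets("10.0.0.0/24"))]
```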
767# TAG: acl_uses_indirect_client on|off
768# Controls whether the indirect client address
769# (see follow_x_forwarded_for) is used instead of the
770# direct client address in acl matching.
771#
772# NOTE: maxconn ACL considers direct TCP links and indirect
773# clients will always have zero. So no match.
774#Default:
775# acl_uses_indirect_client on
776
777# TAG: delay_pool_uses_indirect_client on|off
778# Controls whether the indirect client address
779# (see follow_x_forwarded_for) is used instead of the
780# direct client address in delay pools.
781#Default:
782# delay_pool_uses_indirect_client on
783
784# TAG: log_uses_indirect_client on|off
785# Controls whether the indirect client address
786# (see follow_x_forwarded_for) is used instead of the
787# direct client address in the access log.
788#Default:
789# log_uses_indirect_client on
790
791# TAG: http_access
792# Allowing or Denying access based on defined access lists
793#
794# Access to the HTTP port:
795# http_access allow|deny [!]aclname ...
796#
797# NOTE on default values:
798#
799# If there are no "access" lines present, the default is to deny
800# the request.
801#
802# If none of the "access" lines cause a match, the default is the
803# opposite of the last line in the list. If the last line was
804# deny, the default is allow. Conversely, if the last line
805# is allow, the default will be deny. For these reasons, it is a
806# good idea to have a "deny all" entry at the end of your access
807# lists to avoid potential confusion.
808#
809# This clause supports both fast and slow acl types.
810# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
811#
812#Default:
813# http_access deny all
814#
815
816#
817# Recommended minimum Access Permission configuration:
818#
819# Only allow cachemgr access from localhost
820http_access allow manager localhost
821http_access deny manager
822
823# Deny requests to certain unsafe ports
824http_access deny !Safe_ports
825
826# Deny CONNECT to other than secure SSL ports
827http_access deny CONNECT !SSL_ports
828
829# We strongly recommend the following be uncommented to protect innocent
830# web applications running on the proxy server that assume the only
831# one who can access services on "localhost" is a local user
832#http_access deny to_localhost
833
834#
835# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
836#
837
838# Example rule allowing access from your local networks.
839# Adapt localnet in the ACL section to list your (internal) IP networks
840# from where browsing should be allowed
841acl localnet src 192.168.0.0/16
842http_access allow localhost
843http_access allow localnet
844
845# And finally deny all other access to this proxy
846http_access deny all
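
# Added example (not part of the Squid distribution): a Python model of
# http_access evaluation that makes the "opposite of the last line" default
# visible. It parses only the 'acl ... src', 'acl ... port' and http_access
# lines it needs, plus the built-in 'all' ACL; the two configurations WEAK
# and HARDENED and the client addresses are constructed for illustration.
# WEAK ends with a deny line and therefore admits any client it did not
# explicitly match, turning the proxy into an open proxy; HARDENED is the
# same text with "http_access deny all" appended.

```python
import ipaddress

def _parse_ports(values):
    """'80 443 1025-65535' -> list of (low, high) ranges."""
    ranges = []
    for v in values:
        lo, _, hi = v.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def parse_config(text):
    """Collect ACL definitions and http_access rules in file order.
    Only the ACL types needed for this model (src, port) are supported."""
    acls = {"all": ("all", None)}          # built-in ACL matching everything
    rules = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            if kind == "src":
                nets = [ipaddress.ip_network(v, strict=False) for v in values]
                acls.setdefault(name, ("src", []))[1].extend(nets)
            elif kind == "port":
                acls.setdefault(name, ("port", []))[1].extend(_parse_ports(values))
            else:
                raise ValueError("unsupported acl type: " + kind)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def _acl_matches(acl, client_ip, dst_port):
    kind, values = acl
    if kind == "all":
        return True
    if kind == "src":
        return any(client_ip in net for net in values)
    return any(lo <= dst_port <= hi for lo, hi in values)

def http_access(acls, rules, client, dst_port):
    """Return 'allow' or 'deny' for one request.
    The first rule whose terms all match wins. With no rules at all the
    answer is deny; with rules but no match it is the OPPOSITE of the
    last rule's action, which is the trap a final 'deny all' avoids."""
    ip = ipaddress.ip_address(client)
    if not rules:
        return "deny"
    for action, terms in rules:
        for term in terms:
            negated = term.startswith("!")
            matched = _acl_matches(acls[term.lstrip("!")], ip, dst_port)
            if matched == negated:
                break                       # this term failed; try next rule
        else:
            return action                   # every term matched
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed configurations. Both intend to admit only 192.168.0.0/16.
WEAK = """
acl localnet src 192.168.0.0/16
acl Safe_ports port 80 21 443 1025-65535
http_access allow localnet
http_access deny !Safe_ports
"""                   # last line is a deny, so an unmatched request is ALLOWED
HARDENED = WEAK + "http_access deny all\n"

def decide(config_text, client, dst_port):
    acls, rules = parse_config(config_text)
    return http_access(acls, rules, client, dst_port)

if __name__ == "__main__":
    print(decide(WEAK, "203.0.113.7", 80))       # allow: the open-proxy trap
    print(decide(HARDENED, "203.0.113.7", 80))   # deny
```

# The same evaluator can be pointed at any candidate rule list to confirm
# that an outside address is denied on every port before the file is loaded.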
847
848# TAG: adapted_http_access
849# Allowing or Denying access based on defined access lists
850#
851# Essentially identical to http_access, but runs after redirectors
852# and ICAP/eCAP adaptation, allowing access control based on their
853# output.
854#
855# If not set then only http_access is used.
856#Default:
857# none
858
859# TAG: http_reply_access
860# Allow replies to client requests. This is complementary to http_access.
861#
862# http_reply_access allow|deny [!] aclname ...
863#
864# NOTE: if there are no access lines present, the default is to allow
865# all replies
866#
867# If none of the access lines cause a match the opposite of the
868# last line will apply. Thus it is good practice to end the rules
869# with an "allow all" or "deny all" entry.
870#
871# This clause supports both fast and slow acl types.
872# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
873#Default:
874# none
875
876# TAG: icp_access
877# Allowing or Denying access to the ICP port based on defined
878# access lists
879#
880# icp_access allow|deny [!]aclname ...
881#
882# See http_access for details
883#
884# This clause only supports fast acl types.
885# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
886#
887## Allow ICP queries from local networks only
888icp_access allow localnet
889##icp_access deny all
890#Default:
891# icp_access deny all
892
893# TAG: htcp_access
894# Allowing or Denying access to the HTCP port based on defined
895# access lists
896#
897# htcp_access allow|deny [!]aclname ...
898#
899# See http_access for details
900#
901# NOTE: The default if no htcp_access lines are present is to
902# deny all traffic. This default may cause problems with peers
903# using the htcp or htcp-oldsquid options.
904#
905# This clause only supports fast acl types.
906# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
907#
908## Allow HTCP queries from local networks only
909##htcp_access allow localnet
910##htcp_access deny all
911#Default:
912# htcp_access deny all
913
914# TAG: htcp_clr_access
915# Allowing or Denying access to purge content using HTCP based
916# on defined access lists
917#
918# htcp_clr_access allow|deny [!]aclname ...
919#
920# See http_access for details
921#
922# This clause only supports fast acl types.
923# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
924#
925## Allow HTCP CLR requests from trusted peers
926#acl htcp_clr_peer src 172.16.1.2
927#htcp_clr_access allow htcp_clr_peer
928#Default:
929# htcp_clr_access deny all
930
931# TAG: miss_access
932# Determines whether network access is permitted when satisfying a request.
933#
934# For example, to force your neighbors to use you as a sibling instead of
935# a parent:
936#
937#
938# acl localclients src 172.16.0.0/16
939# miss_access allow localclients
940# miss_access deny !localclients
941#
942# This means only your local clients are allowed to fetch relayed/MISS
943# replies from the network and all other clients can only fetch cached
944# objects (HITs).
945#
946#
947# The default for this setting allows all clients who passed the
948# http_access rules to relay via this proxy.
949#
950# This clause only supports fast acl types.
951# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
952#Default:
953# miss_access allow all
954
955# TAG: ident_lookup_access
956# A list of ACL elements which, if matched, cause an ident
957# (RFC 931) lookup to be performed for this request. For
958# example, you might choose to always perform ident lookups
959# for your main multi-user Unix boxes, but not for your Macs
960# and PCs. By default, ident lookups are not performed for
961# any requests.
962#
963# To enable ident lookups for specific client addresses, you
964# can follow this example:
965#
966# acl ident_aware_hosts src 192.168.1.0/24
967# ident_lookup_access allow ident_aware_hosts
968# ident_lookup_access deny all
969#
970# Only src type ACL checks are fully supported. A srcdomain
971# ACL might work at times, but it will not always provide
972# the correct result.
973#
974# This clause only supports fast acl types.
975# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
976#Default:
977# ident_lookup_access deny all
978
979# TAG: reply_body_max_size size [acl acl...]
980# This option specifies the maximum size of a reply body. It can be
981# used to prevent users from downloading very large files, such as
982# MP3's and movies. When the reply headers are received, the
983# reply_body_max_size lines are processed, and the first line where
984# all (if any) listed ACLs are true is used as the maximum body size
985# for this reply.
986#
987# This size is checked twice. First when we get the reply headers,
988# we check the content-length value. If the content length value exists
989# and is larger than the allowed size, the request is denied and the
990# user receives an error message that says "the request or reply
991# is too large." If there is no content-length, and the reply
992# size exceeds this limit, the client's connection is just closed
993# and they will receive a partial reply.
994#
995# WARNING: downstream caches probably can not detect a partial reply
996# if there is no content-length header, so they will cache
997# partial responses and give them out as hits. You should NOT
998# use this option if you have downstream caches.
999#
1000# WARNING: A maximum size smaller than the size of squid's error messages
1001# will cause an infinite loop and crash squid. Ensure that the smallest
1002# non-zero value you use is greater than the maximum header size plus
1003# the size of your largest error page.
1004#
1005# If you set this parameter none (the default), there will be
1006# no limit imposed.
1007#
1008# Configuration Format is:
1009# reply_body_max_size SIZE UNITS [acl ...]
1010# e.g.
1011# reply_body_max_size 10 MB
1012#
1013#Default:
1014# none
1015
1016# NETWORK OPTIONS
1017# -----------------------------------------------------------------------------
1018
1019# TAG: http_port
1020# Usage: port [options]
1021# hostname:port [options]
1022# 1.2.3.4:port [options]
1023#
1024# The socket addresses where Squid will listen for HTTP client
1025# requests. You may specify multiple socket addresses.
1026# There are three forms: port alone, hostname with port, and
1027# IP address with port. If you specify a hostname or IP
1028# address, Squid binds the socket to that specific
1029# address. This replaces the old 'tcp_incoming_address'
1030# option. Most likely, you do not need to bind to a specific
1031# address, so you can use the port number alone.
1032#
1033# If you are running Squid in accelerator mode, you
1034# probably want to listen on port 80 also, or instead.
1035#
1036# The -a command line option may be used to specify additional
1037# port(s) where Squid listens for proxy requests. Such ports will
1038# be plain proxy ports with no options.
1039#
1040# You may specify multiple socket addresses on multiple lines.
1041#
1042# Options:
1043#
1044# intercept Support for IP-Layer interception of
1045# outgoing requests without browser settings.
1046# NP: disables authentication and IPv6 on the port.
1047#
1048# tproxy Support Linux TPROXY for spoofing outgoing
1049# connections using the client IP address.
1050# NP: disables authentication and possibly IPv6 on the port.
1051#
1052# accel Accelerator mode. Also needs at least one of
1053# vhost / vport / defaultsite.
1054#
1055# allow-direct Allow direct forwarding in accelerator mode. Normally
1056# accelerated requests are denied direct forwarding as if
1057# never_direct was used.
1058#
1059# defaultsite=domainname
1060# What to use for the Host: header if it is not present
1061# in a request. Determines what site (not origin server)
1062# accelerators should consider the default.
1063# Implies accel.
1064#
1065# vhost Accelerator mode using Host header for virtual domain support.
1066# Also uses the port as specified in Host: header unless
1067# overridden by the vport option. Implies accel.
1068#
1069# vport Virtual host port support. Using the http_port number
1070# instead of the port passed on Host: headers. Implies accel.
1071#
1072# vport=NN Virtual host port support. Using the specified port
1073# number instead of the port passed on Host: headers.
1074# Implies accel.
1075#
1076# protocol= Protocol to reconstruct accelerated requests with.
1077# Defaults to http.
1078#
1079# ignore-cc Ignore request Cache-Control headers.
1080#
1081# Warning: This option violates HTTP specifications if
1082# used in non-accelerator setups.
1083#
1084# connection-auth[=on|off]
1085# use connection-auth=off to tell Squid to prevent
1086# forwarding Microsoft connection oriented authentication
1087# (NTLM, Negotiate and Kerberos)
1088#
1089# disable-pmtu-discovery=
1090# Control Path-MTU discovery usage:
1091# off lets OS decide on what to do (default).
1092# transparent disable PMTU discovery when transparent
1093# support is enabled.
1094# always disable PMTU discovery unconditionally.
1095#
1096# In many setups of transparently intercepting proxies
1097# Path-MTU discovery can not work on traffic towards the
1098# clients. This is the case when the intercepting device
1099# does not fully track connections and fails to forward
1100# ICMP must-fragment messages to the cache server. If you
1101# have such a setup and experience that certain clients
1102# sporadically hang or never complete requests, set the
1103# disable-pmtu-discovery option to 'transparent'.
1104#
1105# ssl-bump Intercept each CONNECT request matching ssl_bump ACL,
1106# establish secure connection with the client and with
1107# the server, decrypt HTTP messages as they pass through
1108# Squid, and treat them as unencrypted HTTP messages,
1109# becoming the man-in-the-middle.
1110#
1111# When this option is enabled, additional options become
1112# available to specify SSL-related properties of the
1113# client-side connection: cert, key, version, cipher,
1114# options, clientca, cafile, capath, crlfile, dhparams,
1115# sslflags, and sslcontext. See the https_port directive
1116# for more information on these options.
1117#
1118# The ssl_bump option is required to fully enable
1119# the SslBump feature.
1120#
1121# name= Specifies an internal name for the port. Defaults to
1122# the port specification (port or addr:port)
1123#
1124# tcpkeepalive[=idle,interval,timeout]
1125# Enable TCP keepalive probes of idle connections.
1126# In seconds; idle is the initial time before TCP starts
1127# probing the connection, interval how often to probe, and
1128# timeout the time before giving up.
1129#
1130# If you run Squid on a dual-homed machine with an internal
1131# and an external interface we recommend you to specify the
1132# internal address:port in http_port. This way Squid will only be
1133# visible on the internal address.
1134#
1135#
1136
1137# Squid normally listens to port 3128
1138http_port 3128
1139
1140# TAG: https_port
1141# Note: This option is only available if Squid is rebuilt with the
1142# --enable-ssl option
1143#
1144# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
1145#
1146# The socket address where Squid will listen for HTTPS client
1147# requests.
1148#
1149# This is really only useful for situations where you are running
1150# squid in accelerator mode and you want to do the SSL work at the
1151# accelerator level.
1152#
1153# You may specify multiple socket addresses on multiple lines,
1154# each with their own SSL certificate and/or options.
1155#
1156# Options:
1157#
1158# accel Accelerator mode. Also needs at least one of
1159# defaultsite or vhost.
1160#
1161# defaultsite= The name of the https site presented on
1162# this port. Implies accel.
1163#
1164# vhost Accelerator mode using Host header for virtual
1165# domain support. Requires a wildcard certificate
1166# or other certificate valid for more than one domain.
1167# Implies accel.
1168#
1169# protocol= Protocol to reconstruct accelerated requests with.
1170# Defaults to https.
1171#
1172# cert= Path to SSL certificate (PEM format).
1173#
1174# key= Path to SSL private key file (PEM format)
1175# if not specified, the certificate file is
1176# assumed to be a combined certificate and
1177# key file.
1178#
1179# version= The version of SSL/TLS supported
1180# 1 automatic (default)
1181# 2 SSLv2 only
1182# 3 SSLv3 only
1183# 4 TLSv1 only
1184#
1185# cipher= Colon separated list of supported ciphers.
1186# NOTE: some ciphers such as EDH ciphers depend on
1187# additional settings. If those settings are
1188# omitted the ciphers may be silently ignored
1189# by the OpenSSL library.
1190#
1191# options= Various SSL engine options. The most important
1192# being:
1193# NO_SSLv2 Disallow the use of SSLv2
1194# NO_SSLv3 Disallow the use of SSLv3
1195# NO_TLSv1 Disallow the use of TLSv1
1196# SINGLE_DH_USE Always create a new key when using
1197# temporary/ephemeral DH key exchanges
1198# See OpenSSL SSL_CTX_set_options documentation for a
1199# complete list of options.
1200#
1201# clientca= File containing the list of CAs to use when
1202# requesting a client certificate.
1203#
1204# cafile= File containing additional CA certificates to
1205# use when verifying client certificates. If unset
1206# clientca will be used.
1207#
1208# capath= Directory containing additional CA certificates
1209# and CRL lists to use when verifying client certificates.
1210#
1211# crlfile= File of additional CRL lists to use when verifying
1212# the client certificate, in addition to CRLs stored in
1213# the capath. Implies VERIFY_CRL flag below.
1214#
1215# dhparams= File containing DH parameters for temporary/ephemeral
1216# DH key exchanges. See OpenSSL documentation for details
1217# on how to create this file.
1218# WARNING: EDH ciphers will be silently disabled if this
1219# option is not set.
1220#
1221# sslflags= Various flags modifying the use of SSL:
1222# DELAYED_AUTH
1223# Don't request client certificates
1224# immediately, but wait until acl processing
1225# requires a certificate (not yet implemented).
1226# NO_DEFAULT_CA
1227# Don't use the default CA lists built in
1228# to OpenSSL.
1229# NO_SESSION_REUSE
1230# Don't allow for session reuse. Each connection
1231# will result in a new SSL session.
1232# VERIFY_CRL
1233# Verify CRL lists when accepting client
1234# certificates.
1235# VERIFY_CRL_ALL
1236# Verify CRL lists for all certificates in the
1237# client certificate chain.
1238#
1239# sslcontext= SSL session ID context identifier.
1240#
1241# generate-host-certificates[=<on|off>]
1242# Dynamically create SSL server certificates for the
1243# destination hosts of bumped CONNECT requests. When
1244# enabled, the cert and key options are used to sign
1245# generated certificates. Otherwise generated
1246# certificates will be self-signed.
1247# If a CA certificate is configured, the lifetime of a
1248# generated certificate equals the lifetime of the CA
1249# certificate. If the generated certificate is self-signed,
1250# its lifetime is three years.
1251# This option is enabled by default when SslBump is used.
1252# See the ssl-bump option above for more information.
1253#
1254# dynamic_cert_mem_cache_size=SIZE
1255# Approximate total RAM size spent on cached generated
1256# certificates. If set to zero, caching is disabled. The
1257# default value is 4MB. An average XXX-bit certificate
1258# consumes about XXX bytes of RAM.
1259#
1260# vport Accelerator with IP based virtual host support.
1261#
1262# vport=NN As above, but uses specified port number rather
1263# than the https_port number. Implies accel.
1264#
1265# name= Specifies an internal name for the port. Defaults to
1266# the port specification (port or addr:port)
1267#
1268#Default:
1269# none
1270
1271# TAG: tcp_outgoing_tos
1272# Allows you to select a TOS/Diffserv value to mark outgoing
1273# connections with, based on the username or source address
1274# making the request.
1275#
1276# tcp_outgoing_tos ds-field [!]aclname ...
1277#
1278# Example where normal_service_net uses the TOS value 0x00
1279# and good_service_net uses 0x20
1280#
1281# acl normal_service_net src 10.0.0.0/24
1282# acl good_service_net src 10.0.1.0/24
1283# tcp_outgoing_tos 0x00 normal_service_net
1284# tcp_outgoing_tos 0x20 good_service_net
1285#
1286# TOS/DSCP values really only have local significance - so you should
1287# know what you're specifying. For more information, see RFC2474,
1288# RFC2475, and RFC3260.
1289#
1290# The TOS/DSCP byte must be exactly that - an octet value 0 - 255, or
1291# "default" to use whatever default your host has. Note that in
1292# practice often only multiples of 4 are usable as the two rightmost bits
1293# have been redefined for use by ECN (RFC 3168 section 5).
1294#
1295# Processing proceeds in the order specified, and stops at first fully
1296# matching line.
1297#
1298# Note: The use of this directive using client dependent ACLs is
1299# incompatible with the use of server side persistent connections. To
1300# ensure correct results it is best to set server_persistent_connections
1301# to off when using this directive in such configurations.
1302#Default:
1303# none
1304
1305# TAG: clientside_tos
1306# Allows you to select a TOS/Diffserv value to mark client-side
1307# connections with, based on the username or source address
1308# making the request.
1309#Default:
1310# none
1311
1312# TAG: qos_flows
1313# Allows you to select a TOS/DSCP value to mark outgoing
1314# connections with, based on where the reply was sourced.
1315#
1316# TOS values really only have local significance - so you should
1317# know what you're specifying. For more information, see RFC2474,
1318# RFC2475, and RFC3260.
1319#
1320# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF.
1321# Note that in practice often only multiples of 4 (0x00, 0x04, ... 0xFC)
1322# are usable, as the two lowest bits have been redefined for use by
1323# ECN (RFC 3168 section 5).
1324#
1325# This setting is configured by setting the source TOS values:
1326#
1327# local-hit=0xFF Value to mark local cache hits.
1328#
1329# sibling-hit=0xFF Value to mark hits from sibling peers.
1330#
1331# parent-hit=0xFF Value to mark hits from parent peers.
1332#
1333#
1334# NOTE: the 'miss' preserve feature is only possible on Linux at this time.
1335#
1336# For the following to work correctly, you will need to patch your
1337# linux kernel with the TOS preserving ZPH patch.
1338# The kernel patch can be downloaded from http://zph.bratcheda.org
1339#
1340# disable-preserve-miss
1341# By default, the existing TOS value of the response coming
1342# from the remote server will be retained and masked with
1343# miss-mask. This option disables that feature.
1344#
1345# miss-mask=0xFF
1346# Allows you to mask certain bits in the TOS received from the
1347# remote server, before copying the value to the TOS sent
1348# towards clients.
1349# Default: 0xFF (TOS from server is not changed).
1350#
1351#Default:
1352# none
1353
1354# TAG: tcp_outgoing_address
1355# Allows you to map requests to different outgoing IP addresses
1356# based on the username or source address of the user making
1357# the request.
1358#
1359# tcp_outgoing_address ipaddr [[!]aclname] ...
1360#
1361# Example where requests from 10.0.0.0/24 will be forwarded
1362# with source address 10.1.0.1, 10.0.2.0/24 forwarded with
1363# source address 10.1.0.2 and the rest will be forwarded with
1364# source address 10.1.0.3.
1365#
1366# acl normal_service_net src 10.0.0.0/24
1367# acl good_service_net src 10.0.2.0/24
1368# tcp_outgoing_address 10.1.0.1 normal_service_net
1369# tcp_outgoing_address 10.1.0.2 good_service_net
1370# tcp_outgoing_address 10.1.0.3
1371#
1372# Processing proceeds in the order specified, and stops at first fully
1373# matching line.
1374#
1375# Note: The use of this directive using client dependent ACLs is
1376# incompatible with the use of server side persistent connections. To
1377# ensure correct results it is best to set server_persistent_connections
1378# to off when using this directive in such configurations.
1379#
1380#
1381# IPv6 Magic:
1382#
1383# Squid is built with a capability of bridging the IPv4 and IPv6
1384# internets.
1385# tcp_outgoing_address as shown in the example above breaks this bridging
1386# by forcing all outbound traffic through a particular IPv4 address, which
1387# may be on the wrong side of the IPv4/IPv6 boundary.
1388#
1389# To operate with tcp_outgoing_address and keep the bridging benefits
1390# an additional ACL needs to be used which ensures the IPv6-bound traffic
1391# is never forced or permitted out the IPv4 interface.
1392#
1393# # IPv6 destination test along with a dummy access control to perform the required DNS
1394# # This MUST be placed before any ALLOW rules.
1395# acl to_ipv6 dst ipv6
1396# http_access deny to_ipv6 !all
1397#
1398# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6
1399# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
1400#
1401# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6
1402# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
1403#
1404# tcp_outgoing_address 2001:db8::1 to_ipv6
1405# tcp_outgoing_address 10.1.0.3 !to_ipv6
1406#
1407# WARNING:
1408# 'dst ipv6' bases its selection assuming DIRECT access.
1409# If peers are used the peername ACL is needed to select an outgoing
1410# address which can link to the peer.
1411#
1412# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used
1413# previously in the http_access rules to locate the destination IP.
1414# Some more magic may be needed for that:
1415# http_access allow to_ipv6 !all
1416# (meaning, allow if to IPv6 but not from anywhere ;)
1417#
1418#Default:
1419# none
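
# Added example (not part of the Squid distribution): a Python model of
# tcp_outgoing_address selection that reproduces the IPv6 problem described
# above. Rules are ordered (outgoing address, [ACL predicates]) pairs and
# processing stops at the first fully matching line; 'dst ipv6' is
# approximated by a check on the destination's address family, so the
# slow-ACL and peername caveats are not modelled. The rule sets NAIVE and
# DUAL_STACK, the source networks and the destination addresses are
# constructed for illustration; DUAL_STACK mirrors the documented example.

```python
import ipaddress

# Predicates stand in for the ACLs on a tcp_outgoing_address line.
def src_in(network):
    net = ipaddress.ip_network(network)
    return lambda client, dst: client in net

def to_ipv6(client, dst):               # models "acl to_ipv6 dst ipv6"
    return dst.version == 6

def negate(pred):                        # models the "!aclname" form
    return lambda client, dst: not pred(client, dst)

def select_outgoing(rules, client_addr, dst_addr):
    """rules: ordered list of (outgoing_ip, [predicates]).
    Processing stops at the first line whose predicates all hold;
    None means no line matched and the OS picks the source address."""
    client = ipaddress.ip_address(client_addr)
    dst = ipaddress.ip_address(dst_addr)
    for outgoing, preds in rules:
        if all(p(client, dst) for p in preds):
            return outgoing
    return None

def family_matches(outgoing, dst_addr):
    """A source address can only be bound for a destination of the same family."""
    if outgoing is None:
        return True
    return (ipaddress.ip_address(outgoing).version
            == ipaddress.ip_address(dst_addr).version)

# Constructed rule sets. NAIVE is the IPv4-only example; its catch-all
# line binds an IPv4 source to every destination, IPv6 ones included.
NAIVE = [
    ("10.1.0.1", [src_in("10.0.0.0/24")]),
    ("10.1.0.2", [src_in("10.0.2.0/24")]),
    ("10.1.0.3", []),
]
# DUAL_STACK splits every line on destination family, as the text recommends.
DUAL_STACK = [
    ("2001:db8::c001", [src_in("10.0.2.0/24"), to_ipv6]),
    ("10.1.0.2",       [src_in("10.0.2.0/24"), negate(to_ipv6)]),
    ("2001:db8::beef", [src_in("10.0.0.0/24"), to_ipv6]),
    ("10.1.0.1",       [src_in("10.0.0.0/24"), negate(to_ipv6)]),
    ("2001:db8::1",    [to_ipv6]),
    ("10.1.0.3",       [negate(to_ipv6)]),
]

def check_rules(rules, client_addr, dst_addr):
    """Return (chosen outgoing address, whether it can actually reach dst)."""
    out = select_outgoing(rules, client_addr, dst_addr)
    return out, family_matches(out, dst_addr)

if __name__ == "__main__":
    print(check_rules(NAIVE, "10.0.0.9", "2001:db8:1::80"))       # IPv4 source, IPv6 dst
    print(check_rules(DUAL_STACK, "10.0.0.9", "2001:db8:1::80"))  # correct family
```

# Run check_rules over your real client ranges and a sample of IPv4 and IPv6
# destinations before deploying; any False in the second field is a line
# that will fail to connect rather than fall through.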
1420
1421# SSL OPTIONS
1422# -----------------------------------------------------------------------------
1423
1424# TAG: ssl_unclean_shutdown
1425# Note: This option is only available if Squid is rebuilt with the
1426# --enable-ssl option
1427#
1428# Some browsers (especially MSIE) bug out on SSL shutdown
1429# messages.
1430#Default:
1431# ssl_unclean_shutdown off
1432
1433# TAG: ssl_engine
1434# Note: This option is only available if Squid is rebuilt with the
1435# --enable-ssl option
1436#
1437# The OpenSSL engine to use. You will need to set this if you
1438# would like to use hardware SSL acceleration for example.
1439#Default:
1440# none
1441
1442# TAG: sslproxy_client_certificate
1443# Note: This option is only available if Squid is rebuilt with the
1444# --enable-ssl option
1445#
1446# Client SSL Certificate to use when proxying https:// URLs
1447#Default:
1448# none
1449
1450# TAG: sslproxy_client_key
1451# Note: This option is only available if Squid is rebuilt with the
1452# --enable-ssl option
1453#
1454# Client SSL Key to use when proxying https:// URLs
1455#Default:
1456# none
1457
1458# TAG: sslproxy_version
1459# Note: This option is only available if Squid is rebuilt with the
1460# --enable-ssl option
1461#
1462# SSL version level to use when proxying https:// URLs
1463#Default:
1464# sslproxy_version 1
1465
1466# TAG: sslproxy_options
1467# Note: This option is only available if Squid is rebuilt with the
1468# --enable-ssl option
1469#
1470# SSL engine options to use when proxying https:// URLs
1471#
1472# The most important being:
1473#
1474# NO_SSLv2 Disallow the use of SSLv2
1475# NO_SSLv3 Disallow the use of SSLv3
1476# NO_TLSv1 Disallow the use of TLSv1
1477# SINGLE_DH_USE
1478# Always create a new key when using
1479# temporary/ephemeral DH key exchanges
1480#
1481# These options vary depending on your SSL engine.
1482# See the OpenSSL SSL_CTX_set_options documentation for a
1483# complete list of possible options.
1484#Default:
1485# none
1486
1487# TAG: sslproxy_cipher
1488# Note: This option is only available if Squid is rebuilt with the
1489# --enable-ssl option
1490#
1491# SSL cipher list to use when proxying https:// URLs
1492#
1493# Colon separated list of supported ciphers.
1494#Default:
1495# none
1496
1497# TAG: sslproxy_cafile
1498# Note: This option is only available if Squid is rebuilt with the
1499# --enable-ssl option
1500#
1501# file containing CA certificates to use when verifying server
1502# certificates while proxying https:// URLs
1503#Default:
1504# none
1505
1506# TAG: sslproxy_capath
1507# Note: This option is only available if Squid is rebuilt with the
1508# --enable-ssl option
1509#
1510# directory containing CA certificates to use when verifying
1511# server certificates while proxying https:// URLs
1512#Default:
1513# none
1514
1515# TAG: ssl_bump
1516# Note: This option is only available if Squid is rebuilt with the
1517# --enable-ssl option
1518#
1519# This ACL controls which CONNECT requests to an http_port
1520# marked with an sslBump flag are actually "bumped". Please
1521# see the sslBump flag of an http_port option for more details
1522# about decoding proxied SSL connections.
1523#
1524# By default, no requests are bumped.
1525#
1526# See also: http_port ssl-bump
1527#
1528# This clause supports both fast and slow acl types.
1529# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1530#
1531#
1532# # Example: Bump all requests except those originating from localhost and
1533# # those going to webax.com or example.com sites.
1534#
1535# acl localhost src 127.0.0.1/32
1536# acl broken_sites dstdomain .webax.com
1537# acl broken_sites dstdomain .example.com
1538# ssl_bump deny localhost
1539# ssl_bump deny broken_sites
1540# ssl_bump allow all
1541#Default:
1542# none
1543
1544# TAG: sslproxy_flags
1545# Note: This option is only available if Squid is rebuilt with the
1546# --enable-ssl option
1547#
1548# Various flags modifying the use of SSL while proxying https:// URLs:
1549# DONT_VERIFY_PEER Accept certificates that fail verification.
1550# For refined control, see sslproxy_cert_error.
1551# NO_DEFAULT_CA Don't use the default CA list built in
1552# to OpenSSL.
1553#Default:
1554# none
1555
1556# TAG: sslproxy_cert_error
1557# Note: This option is only available if Squid is rebuilt with the
1558# --enable-ssl option
1559#
1560# Use this ACL to bypass server certificate validation errors.
1561#
1562# For example, the following lines will bypass all validation errors
1563# when talking to servers located at 172.16.0.0/16. All other
1564# validation errors will result in ERR_SECURE_CONNECT_FAIL error.
1565#
1566# acl BrokenServersAtTrustedIP dst 172.16.0.0/16
1567# sslproxy_cert_error allow BrokenServersAtTrustedIP
1568# sslproxy_cert_error deny all
1569#
1570# This clause only supports fast acl types.
1571# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1572# Using slow acl types may result in server crashes
1573#
1574# Without this option, all server certificate validation errors
1575# terminate the transaction. Bypassing validation errors is dangerous
1576# because an error usually implies that the server cannot be trusted and
1577# the connection may be insecure.
1578#
1579# See also: sslproxy_flags and DONT_VERIFY_PEER.
1580#
1581# Default setting: sslproxy_cert_error deny all
1582#Default:
1583# none
1584
1585# TAG: sslpassword_program
1586# Note: This option is only available if Squid is rebuilt with the
1587# --enable-ssl option
1588#
1589# Specify a program used for entering SSL key passphrases
1590# when using encrypted SSL certificate keys. If not specified
1591# keys must either be unencrypted, or Squid started with the -N
1592# option to allow it to query interactively for the passphrase.
1593#
1594# The key file name is given as argument to the program allowing
1595# selection of the right password if you have multiple encrypted
1596# keys.
1597#Default:
1598# none
1599
1600#OPTIONS RELATING TO EXTERNAL SSL_CRTD
1601#-----------------------------------------------------------------------------
1602
1603# TAG: sslcrtd_program
1604# Note: This option is only available if Squid is rebuilt with the
1605# -DUSE_SSL_CRTD define
1606#
1607# Specify the location and options of the executable for ssl_crtd process.
1608# /usr/lib/squid3/ssl_crtd program requires -s and -M parameters
1609# For more information use:
1610# /usr/lib/squid3/ssl_crtd -h
1611#Default:
1612# sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
1613
1614# TAG: sslcrtd_children
1615# Note: This option is only available if Squid is rebuilt with the
1616# -DUSE_SSL_CRTD define
1617#
1618# The maximum number of ssl_crtd processes spawned to generate certificates for SslBump.
1619# The maximum this may be safely set to is 32.
1620#
1621# You must have at least one ssl_crtd process.
1622#Default:
1623# sslcrtd_children 5
1624
1625# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
1626# -----------------------------------------------------------------------------
1627
1628# TAG: cache_peer
1629# To specify other caches in a hierarchy, use the format:
1630#
1631# cache_peer hostname type http-port icp-port [options]
1632#
1633# For example,
1634#
1635# # proxy icp
1636# # hostname type port port options
1637# # -------------------- -------- ----- ----- -----------
1638# cache_peer parent.foo.net parent 3128 3130 default
1639# cache_peer sib1.foo.net sibling 3128 3130 proxy-only
1640# cache_peer sib2.foo.net sibling 3128 3130 proxy-only
1641# cache_peer example.com parent 80 0 default
1642# cache_peer cdn.example.com sibling 3128 0
1643#
1644# type: either 'parent', 'sibling', or 'multicast'.
1645#
1646# proxy-port: The port number where the peer accepts HTTP requests.
1647# For other Squid proxies this is usually 3128
1648# For web servers this is usually 80
1649#
1650# icp-port: Used for querying neighbor caches about objects.
1651# Set to 0 if the peer does not support ICP or HTCP.
1652# See ICP and HTCP options below for additional details.
1653#
1654#
1655# ==== ICP OPTIONS ====
1656#
1657# You MUST also set icp_port and icp_access explicitly when using these options.
1658# The defaults will prevent peer traffic using ICP.
1659#
1660#
1661# no-query Disable ICP queries to this neighbor.
1662#
1663# multicast-responder
1664# Indicates the named peer is a member of a multicast group.
1665# ICP queries will not be sent directly to the peer, but ICP
1666# replies will be accepted from it.
1667#
1668# closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
1669# CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
1670#
1671# background-ping
1672# To only send ICP queries to this neighbor infrequently.
1673# This is used to keep the neighbor round trip time updated
1674# and is usually used in conjunction with weighted-round-robin.
1675#
1676#
1677# ==== HTCP OPTIONS ====
1678#
1679# You MUST also set htcp_port and htcp_access explicitly when using these options.
1680# The defaults will prevent peer traffic using HTCP.
1681#
1682#
1683# htcp Send HTCP, instead of ICP, queries to the neighbor.
1684# You probably also want to set the "icp-port" to 4827
1685# instead of 3130.
1686#
1687# htcp-oldsquid Send HTCP to old Squid versions.
1688#
1689# htcp-no-clr Send HTCP to the neighbor but without
1690# sending any CLR requests. This cannot be used with
1691# htcp-only-clr.
1692#
1693# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests.
1694# This cannot be used with htcp-no-clr.
1695#
1696# htcp-no-purge-clr
1697# Send HTCP to the neighbor including CLRs but only when
1698# they do not result from PURGE requests.
1699#
1700# htcp-forward-clr
1701# Forward any HTCP CLR requests this proxy receives to the peer.
1702#
1703#
1704# ==== PEER SELECTION METHODS ====
1705#
1706# The default peer selection method is ICP, with the first responding peer
1707# being used as source. These options can be used for better load balancing.
1708#
1709#
1710# default This is a parent cache which can be used as a "last-resort"
1711# if a peer cannot be located by any of the peer-selection methods.
1712# If specified more than once, only the first is used.
1713#
1714# round-robin Load-Balance parents which should be used in a round-robin
1715# fashion in the absence of any ICP queries.
1716# weight=N can be used to add bias.
1717#
1718# weighted-round-robin
1719# Load-Balance parents which should be used in a round-robin
1720# fashion with the frequency of each parent being based on the
1721# round trip time. Closer parents are used more often.
1722# Usually used for background-ping parents.
1723# weight=N can be used to add bias.
1724#
# carp Load-Balance parents which should be used as a CARP array.
# Requests are distributed among the parents by the CARP hash
# function, biased by each parent's weight.
1728#
1729# userhash Load-balance parents based on the client proxy_auth or ident username.
1730#
1731# sourcehash Load-balance parents based on the client source IP.
1732#
# multicast-siblings
# To be used only for cache peers of type "multicast".
# ALL members of this multicast group have a "sibling"
# relationship with it, not "parent". Use this when the
# group members should be treated as siblings even though
# the requested object would otherwise be fetched only from
# a "parent" cache. It's useful, e.g., when configuring a
# pool of redundant Squid proxies that are members of the
# same multicast group.
1741#
1742#
1743# ==== PEER SELECTION OPTIONS ====
1744#
1745# weight=N use to affect the selection of a peer during any weighted
1746# peer-selection mechanisms.
1747# The weight must be an integer; default is 1,
1748# larger weights are favored more.
1749# This option does not affect parent selection if a peering
1750# protocol is not in use.
1751#
1752# basetime=N Specify a base amount to be subtracted from round trip
1753# times of parents.
# It is subtracted before division by weight in calculating
# which parent to fetch from. If the rtt is less than the
# base time the rtt is set to a minimal value.
1757#
1758# ttl=N Specify a TTL to use when sending multicast ICP queries
1759# to this address.
1760# Only useful when sending to a multicast group.
1761# Because we don't accept ICP replies from random
1762# hosts, you must configure other group members as
1763# peers with the 'multicast-responder' option.
1764#
1765# no-delay To prevent access to this neighbor from influencing the
1766# delay pools.
1767#
1768# digest-url=URL Tell Squid to fetch the cache digest (if digests are
1769# enabled) for this host from the specified URL rather
1770# than the Squid default location.
1771#
1772#
1773# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
1774#
1775# originserver Causes this parent to be contacted as an origin server.
1776# Meant to be used in accelerator setups when the peer
1777# is a web server.
1778#
1779# forceddomain=name
1780# Set the Host header of requests forwarded to this peer.
1781# Useful in accelerator setups where the server (peer)
1782# expects a certain domain name but clients may request
1783# others. ie example.com or www.example.com
1784#
1785# no-digest Disable request of cache digests.
1786#
1787# no-netdb-exchange
1788# Disables requesting ICMP RTT database (NetDB).
1789#
1790#
1791# ==== AUTHENTICATION OPTIONS ====
1792#
# login=user:password
# If this is a personal/workgroup proxy and your parent
# requires proxy authentication.
#
# Note: The string can include URL escapes (i.e. %20 for
# spaces). This also means % must be written as %%.
#
# Note: The credentials are sent to the peer as HTTP Basic
# authentication, which is base64-encoded but not encrypted.
# Combine this with the 'ssl' option unless the link to the
# peer is otherwise protected.
1799#
1800# login=PROXYPASS
1801# Send login details received from client to this peer.
1802# Authentication is not required, nor changed.
1803#
1804# Note: This will pass any form of authentication but
1805# only Basic auth will work through a proxy unless the
1806# connection-auth options are also used.
1807#
1808# login=PASS Send login details received from client to this peer.
1809# Authentication is not required by this option.
1810# If there are no client-provided authentication headers
1811# to pass on, but username and password are available
1812# from either proxy login or an external ACL user= and
1813# password= result tags they may be sent instead.
1814#
# Note: To combine this with proxy_auth both proxies must
# share the same user database as HTTP only allows for
# a single login (one for proxy, one for origin server).
# Also be warned this will expose your users' proxy
# passwords to the peer. USE WITH CAUTION
1820#
1821# login=*:password
1822# Send the username to the upstream cache, but with a
1823# fixed password. This is meant to be used when the peer
1824# is in another administrative domain, but it is still
1825# needed to identify each user.
1826# The star can optionally be followed by some extra
1827# information which is added to the username. This can
1828# be used to identify this proxy to the peer, similar to
1829# the login=username:password option above.
1830#
# connection-auth=on|off|auto
# Tell Squid whether this peer supports Microsoft
# connection-oriented (NTLM/Negotiate) authentication.
# With 'off', any such challenges received from the peer
# are ignored. Default is auto, which lets Squid determine
# the peer's support automatically.
1837#
1838#
1839# ==== SSL / HTTPS / TLS OPTIONS ====
1840#
1841# ssl Encrypt connections to this peer with SSL/TLS.
1842#
1843# sslcert=/path/to/ssl/certificate
1844# A client SSL certificate to use when connecting to
1845# this peer.
1846#
1847# sslkey=/path/to/ssl/key
1848# The private SSL key corresponding to sslcert above.
1849# If 'sslkey' is not specified 'sslcert' is assumed to
1850# reference a combined file containing both the
1851# certificate and the key.
1852#
1853# Notes:
1854#
# On Debian/Ubuntu systems a default snakeoil certificate is
# available in /etc/ssl and users can set:
#
# sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem
#
# and
#
# sslkey=/etc/ssl/private/ssl-cert-snakeoil.key
#
# for testing. That certificate is self-signed, so a peer that
# verifies client certificates will have to trust it
# explicitly; it is not meant for production use.
1865#
# sslversion=1|2|3|4
# The SSL version to use when connecting to this peer
# 1 = automatic (default)
# 2 = SSL v2 only
# 3 = SSL v3 only
# 4 = TLS v1 only
# SSLv2 and SSLv3 are obsolete protocols with known
# weaknesses; do not pin a peer to 2 or 3. With the
# automatic setting, add ssloptions=NO_SSLv2,NO_SSLv3
# (see below) so that neither can be negotiated.
1872#
1873# sslcipher=... The list of valid SSL ciphers to use when connecting
1874# to this peer.
1875#
1876# ssloptions=... Specify various SSL engine options:
1877# NO_SSLv2 Disallow the use of SSLv2
1878# NO_SSLv3 Disallow the use of SSLv3
1879# NO_TLSv1 Disallow the use of TLSv1
1880# See src/ssl_support.c or the OpenSSL documentation for
1881# a more complete list.
1882#
1883# sslcafile=... A file containing additional CA certificates to use
1884# when verifying the peer certificate.
1885#
1886# sslcapath=... A directory containing additional CA certificates to
1887# use when verifying the peer certificate.
1888#
1889# sslcrlfile=... A certificate revocation list file to use when
1890# verifying the peer certificate.
1891#
# sslflags=... Specify various flags modifying the SSL implementation:
#
# DONT_VERIFY_PEER
# Accept certificates even if they fail to
# verify. This disables authentication of the
# peer: the link is still encrypted, but any
# host that can intercept it can pose as the
# peer.
# NO_DEFAULT_CA
# Don't use the default CA list built in
# to OpenSSL.
# DONT_VERIFY_DOMAIN
# Don't verify the peer certificate
# matches the server name. Any certificate
# issued by a trusted CA is then accepted
# for this peer.
1903#
# ssldomain= The peer name as advertised in its certificate.
1905# Used for verifying the correctness of the received peer
1906# certificate. If not specified the peer hostname will be
1907# used.
1908#
# front-end-https[=on|auto]
# Enable the "Front-End-Https: On" header needed when
# using Squid as a SSL frontend in front of Microsoft OWA.
# See MS KB document Q307347 for details on this header.
# If set to auto the header will only be added if the
# request is forwarded as a https:// URL.
1915#
1916#
1917# ==== GENERAL OPTIONS ====
1918#
1919# connect-timeout=N
1920# A peer-specific connect timeout.
1921# Also see the peer_connect_timeout directive.
1922#
1923# connect-fail-limit=N
1924# How many times connecting to a peer must fail before
1925# it is marked as down. Default is 10.
1926#
# allow-miss Disable Squid's use of only-if-cached when forwarding
# requests to siblings. This is primarily useful when
# icp_hit_stale is used by the sibling. Too extensive use
# of this option may result in forwarding loops, and you
# should avoid having two-way peerings with this option.
# For example, deny peer usage on requests that arrive from
# a peer by denying cache_peer_access when the source is a peer.
1934#
# max-conn=N Limit the number of connections Squid may open to this
# peer. see also
1937#
1938# name=xxx Unique name for the peer.
1939# Required if you have multiple peers on the same host
1940# but different ports.
1941# This name can be used in cache_peer_access and similar
# directives to identify the peer.
1943# Can be used by outgoing access controls through the
1944# peername ACL type.
1945#
1946# no-tproxy Do not use the client-spoof TPROXY support when forwarding
1947# requests to this peer. Use normal address selection instead.
1948#
1949# proxy-only objects fetched from the peer will not be stored locally.
1950#
1951#Default:
1952# none
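# Added example, not code from the Squid documentation or the Squid
# project: a Python checker for the cache_peer options above. It parses
# cache_peer lines from a constructed squid.conf fragment, decodes a
# login= value by the %XX / %% rule given under AUTHENTICATION OPTIONS,
# and flags the combinations a reviewer would question: DONT_VERIFY_PEER
# and DONT_VERIFY_DOMAIN, sslversion=2 or 3, automatic sslversion without
# NO_SSLv2/NO_SSLv3, login=PASS/PROXYPASS, and any login= value sent to a
# peer without 'ssl'. The host names, CA path and passwords in the sample
# are made up, the finding codes are this example's own, and the
# assumption that the decoder matches Squid's unescaping is noted in
# the code.

```python
"""Static checks for cache_peer lines, as an added example (not Squid's code).

lint() parses cache_peer directives from a squid.conf fragment and flags
option combinations that weaken the peer link: disabled certificate
verification, obsolete SSL versions, and login= credentials sent to a
peer without the 'ssl' option.  split_login() decodes a login= value by
the documented rule (%XX URL escapes, '%%' for a literal '%').
"""
import re
import string

# Constructed sample fragment: host names, CA path and passwords are made up.
SAMPLE_CONF = """\
# verified TLS to a private CA; username passed through with a fixed password
cache_peer parent1.example.net parent 3128 3130 name=p1 ssl sslcafile=/etc/squid3/peer-ca.pem ssldomain=parent1.example.net login=*:s3cret%%20x no-query default
# no TLS, and the client's own proxy credentials are relayed
cache_peer parent2.example.net parent 3128 0 name=p2 login=PASS no-query
# TLS, but unverified and pinned to SSLv3
cache_peer parent3.example.net parent 3128 0 name=p3 ssl sslflags=DONT_VERIFY_PEER sslversion=3 login=proxy:pa%%ss%20word no-query
cache_peer sib1.example.net sibling 3128 3130 proxy-only
"""


def unescape_login(value: str) -> str:
    """Decode %XX escapes in a login= value; '%%' yields one literal '%'.

    Assumption: Squid applies the same RFC 1738 style unescaping to the
    login= string; verify against your Squid version.
    """
    out, i = [], 0
    while i < len(value):
        if value[i] != "%":
            out.append(value[i])
            i += 1
            continue
        hexpair = value[i + 1:i + 3]
        if hexpair[:1] == "%":                       # '%%' -> '%'
            out.append("%")
            i += 2
        elif len(hexpair) == 2 and all(c in string.hexdigits for c in hexpair):
            out.append(chr(int(hexpair, 16)))         # '%20' -> ' '
            i += 3
        else:                                         # stray '%' is kept as-is
            out.append("%")
            i += 1
    return "".join(out)


def split_login(value: str):
    """(user, password) from a login=user:password value, decoded.

    As with HTTP Basic credentials the split is on the first ':' only, so
    the password may contain ':' but the username may not.
    """
    user, _, password = unescape_login(value).partition(":")
    return user, password


def parse_cache_peer(line: str):
    """Parse 'cache_peer hostname type http-port icp-port [options]'."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "cache_peer":
        return None
    opts = {}
    for tok in tokens[5:]:
        key, sep, val = tok.partition("=")            # 'ssl' -> True, 'name=p1' -> 'p1'
        opts[key] = val if sep else True
    return {"host": tokens[1], "type": tokens[2], "http_port": int(tokens[3]),
            "icp_port": int(tokens[4]), "name": opts.get("name", tokens[1]),
            "opts": opts}


def _list(value) -> set:
    """ssloptions= and sslflags= take lists separated by ',' or ':'."""
    return set(re.split(r"[,:]", value)) if isinstance(value, str) else set()


def check_peer(peer: dict) -> list:
    """Finding codes (this example's own names) for one cache_peer entry."""
    opts, findings = peer["opts"], []
    flags = _list(opts.get("sslflags"))
    if "DONT_VERIFY_PEER" in flags:
        findings.append("NO_PEER_VERIFY")        # encrypted to, but not authenticated
    if "DONT_VERIFY_DOMAIN" in flags:
        findings.append("NO_DOMAIN_VERIFY")      # any cert from a trusted CA passes
    if "ssl" in opts:
        version = opts.get("sslversion", "1")
        if version in ("2", "3"):
            findings.append("OBSOLETE_SSLVERSION")
        elif version == "1" and not {"NO_SSLv2", "NO_SSLv3"} <= _list(opts.get("ssloptions")):
            findings.append("SSLV23_ALLOWED")    # automatic selection may still pick SSLv2/v3
    login = opts.get("login")
    if login:
        if login in ("PASS", "PROXYPASS"):
            findings.append("RELAYS_CLIENT_CREDS")
        if "ssl" not in opts:
            findings.append("CLEARTEXT_LOGIN")   # Basic auth to the peer is only base64
    return findings


def lint(conf: str) -> dict:
    """Map each peer name to its findings; comments and other directives are skipped."""
    results = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        peer = parse_cache_peer(line)
        if peer:
            results[peer["name"]] = check_peer(peer)
    return results
```

# lint(SAMPLE_CONF) reports only SSLV23_ALLOWED for p1, RELAYS_CLIENT_CREDS and
# CLEARTEXT_LOGIN for p2, NO_PEER_VERIFY and OBSOLETE_SSLVERSION for p3, and
# nothing for the sibling. split_login("proxy:pa%%ss%20word") gives the
# password "pa%ss word": the doubled % survives as one literal %, the %20
# becomes a space.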
1953
1954# TAG: cache_peer_domain
1955# Use to limit the domains for which a neighbor cache will be
1956# queried. Usage:
1957#
1958# cache_peer_domain cache-host domain [domain ...]
1959# cache_peer_domain cache-host !domain
1960#
1961# For example, specifying
1962#
1963# cache_peer_domain parent.foo.net .edu
1964#
# has the effect such that UDP query packets are sent to
# 'parent.foo.net' only when the requested object exists on a
# server in the .edu domain. Prefixing the domainname
# with '!' means the cache will be queried for objects
# NOT in that domain.
1970#
1971# NOTE: * Any number of domains may be given for a cache-host,
1972# either on the same or separate lines.
1973# * When multiple domains are given for a particular
1974# cache-host, the first matched domain is applied.
1975# * Cache hosts with no domain restrictions are queried
1976# for all requests.
1977# * There are no defaults.
1978# * There is also a 'cache_peer_access' tag in the ACL
1979# section.
1980#Default:
1981# none
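# Added example, not code from the Squid documentation or the Squid
# project: a Python implementation of the cache_peer_domain matching
# rules described above (a leading '.' covers the domain and every host
# under it, '!' negates, the first matching domain is applied, and peers
# with no restrictions are queried for everything), applied to a
# constructed configuration. What happens when no domain matches is our
# reading of Squid's neighbor selection code and is marked as an
# assumption in the code; verify it against your version.

```python
"""Domain matching for cache_peer_domain, as an added example (not Squid's code).

match_domain() applies the documented rule: a pattern with a leading '.'
covers that domain and every host under it, a pattern without one
matches only that exact host, and comparison is case-insensitive.
peer_allowed() walks a peer's patterns in order, first match wins, with
'!' negation.
"""

# Constructed sample: the peers and domains are made up.
SAMPLE_CONF = """\
cache_peer parent.foo.net parent 3128 3130 default
cache_peer sib1.foo.net sibling 3128 3130 proxy-only
cache_peer sib2.foo.net sibling 3128 3130 proxy-only
cache_peer_domain parent.foo.net .edu .ac.uk
cache_peer_domain sib1.foo.net !.example.com
"""


def match_domain(host: str, pattern: str) -> bool:
    """True if host is covered by pattern ('.edu' covers 'foo.edu' and 'edu')."""
    host = host.lower().lstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def parse_peer_domains(conf: str) -> dict:
    """Collect cache_peer_domain lines into peer -> [(pattern, negated), ...].

    Several lines for one peer append in order, so later lines never
    override an earlier match.
    """
    rules = {}
    for raw in conf.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "cache_peer_domain":
            continue
        for tok in tokens[2:]:
            rules.setdefault(tokens[1], []).append((tok.lstrip("!"), tok.startswith("!")))
    return rules


def peer_allowed(rules: dict, peer: str, host: str) -> bool:
    """May `peer` be queried for a request to `host`?"""
    patterns = rules.get(peer)
    if not patterns:
        return True                        # unrestricted peers are queried for all requests
    allowed = False
    for pattern, negated in patterns:
        if match_domain(host, pattern):
            return not negated             # first match decides
        # Fallback when nothing matches: the opposite of the last pattern's
        # sense, so a list of positive patterns denies and a list of '!'
        # patterns allows.  Assumption from reading Squid's neighbor
        # selection code; verify against your version.
        allowed = negated
    return allowed


def peers_for_host(conf: str, host: str) -> list:
    """Names of the configured cache_peers that may be queried for host."""
    rules = parse_peer_domains(conf)
    peers = []
    for raw in conf.splitlines():
        tokens = raw.split()
        if len(tokens) >= 2 and tokens[0] == "cache_peer":
            peers.append(tokens[1])
    return [p for p in peers if peer_allowed(rules, p, host)]
```

# peers_for_host(SAMPLE_CONF, "www.example.com") yields only sib2.foo.net:
# the parent has no matching positive pattern and sib1 matches its '!'
# pattern, while sib2 carries no restriction at all.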
1982
1983# TAG: cache_peer_access
1984# Similar to 'cache_peer_domain' but provides more flexibility by
1985# using ACL elements.
1986#
1987# cache_peer_access cache-host allow|deny [!]aclname ...
1988#
1989# The syntax is identical to 'http_access' and the other lists of
1990# ACL elements. See the comments for 'http_access' below, or
1991# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
1992#Default:
1993# none
1994
1995# TAG: neighbor_type_domain
1996# usage: neighbor_type_domain neighbor parent|sibling domain domain ...
1997#
1998# Modifying the neighbor type for specific domains is now
# possible. You can treat some domains differently than the
2000# default neighbor type specified on the 'cache_peer' line.
2001# Normally it should only be necessary to list domains which
2002# should be treated differently because the default neighbor type
2003# applies for hostnames which do not match domains listed here.
2004#
2005#EXAMPLE:
2006# cache_peer cache.foo.org parent 3128 3130
2007# neighbor_type_domain cache.foo.org sibling .com .net
2008# neighbor_type_domain cache.foo.org sibling .au .de
2009#Default:
2010# none
2011
2012# TAG: dead_peer_timeout (seconds)
2013# This controls how long Squid waits to declare a peer cache
2014# as "dead." If there are no ICP replies received in this
2015# amount of time, Squid will declare the peer dead and not
2016# expect to receive any further ICP replies. However, it
2017# continues to send ICP queries, and will mark the peer as
2018# alive upon receipt of the first subsequent ICP reply.
2019#
2020# This timeout also affects when Squid expects to receive ICP
# replies from peers. If more than 'dead_peer_timeout' seconds have
2022# passed since the last ICP reply was received, Squid will not
2023# expect to receive an ICP reply on the next query. Thus, if
2024# your time between requests is greater than this timeout, you
2025# will see a lot of requests sent DIRECT to origin servers
2026# instead of to your parents.
2027#Default:
2028# dead_peer_timeout 10 seconds
2029
2030# TAG: forward_max_tries
2031# Controls how many different forward paths Squid will try
2032# before giving up. See also forward_timeout.
2033#Default:
2034# forward_max_tries 25
2035
2036# TAG: hierarchy_stoplist
2037# A list of words which, if found in a URL, cause the object to
2038# be handled directly by this cache. In other words, use this
2039# to not query neighbor caches for certain objects. You may
2040# list this option multiple times.
2041#
2042# Example:
2043# hierarchy_stoplist cgi-bin ?
2044#
2045# Note: never_direct overrides this option.
2046#Default:
2047# none
2048
2049# MEMORY CACHE OPTIONS
2050# -----------------------------------------------------------------------------
2051
2052# TAG: cache_mem (bytes)
2053# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
2054# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
2055# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
2056# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
2057#
2058# 'cache_mem' specifies the ideal amount of memory to be used
2059# for:
2060# * In-Transit objects
2061# * Hot Objects
2062# * Negative-Cached objects
2063#
2064# Data for these objects are stored in 4 KB blocks. This
2065# parameter specifies the ideal upper limit on the total size of
2066# 4 KB blocks allocated. In-Transit objects take the highest
2067# priority.
2068#
2069# In-transit objects have priority over the others. When
2070# additional space is needed for incoming data, negative-cached
2071# and hot objects will be released. In other words, the
2072# negative-cached and hot objects will fill up any unused space
2073# not needed for in-transit objects.
2074#
2075# If circumstances require, this limit will be exceeded.
2076# Specifically, if your incoming request rate requires more than
2077# 'cache_mem' of memory to hold in-transit objects, Squid will
2078# exceed this limit to satisfy the new requests. When the load
2079# decreases, blocks will be freed until the high-water mark is
2080# reached. Thereafter, blocks will be used to store hot
2081# objects.
2082#Default:
2083# cache_mem 256 MB
2084
2085# TAG: maximum_object_size_in_memory (bytes)
# Squid will not attempt to keep objects larger than this size in
# the memory cache. This should be set high enough to keep frequently
# accessed objects in memory to improve performance, whilst low
# enough to keep larger objects from hoarding cache_mem.
2089# enough to keep larger objects from hoarding cache_mem.
2090#Default:
2091# maximum_object_size_in_memory 512 KB
2092
2093# TAG: memory_replacement_policy
2094# The memory replacement policy parameter determines which
2095# objects are purged from memory when memory space is needed.
2096#
2097# See cache_replacement_policy for details.
2098#Default:
2099# memory_replacement_policy lru
2100
2101# DISK CACHE OPTIONS
2102# -----------------------------------------------------------------------------
2103
2104# TAG: cache_replacement_policy
2105# The cache replacement policy parameter determines which
2106# objects are evicted (replaced) when disk space is needed.
2107#
2108# lru : Squid's original list based LRU policy
2109# heap GDSF : Greedy-Dual Size Frequency
2110# heap LFUDA: Least Frequently Used with Dynamic Aging
2111# heap LRU : LRU policy implemented using a heap
2112#
2113# Applies to any cache_dir lines listed below this.
2114#
# The LRU policies keep recently referenced objects.
2116#
2117# The heap GDSF policy optimizes object hit rate by keeping smaller
2118# popular objects in cache so it has a better chance of getting a
2119# hit. It achieves a lower byte hit rate than LFUDA though since
2120# it evicts larger (possibly popular) objects.
2121#
2122# The heap LFUDA policy keeps popular objects in cache regardless of
2123# their size and thus optimizes byte hit rate at the expense of
2124# hit rate since one large, popular object will prevent many
2125# smaller, slightly less popular objects from being cached.
2126#
2127# Both policies utilize a dynamic aging mechanism that prevents
2128# cache pollution that can otherwise occur with frequency-based
2129# replacement policies.
2130#
2131# NOTE: if using the LFUDA replacement policy you should increase
# the value of maximum_object_size above its default of 4096 KB
# to maximize the potential byte hit rate improvement of LFUDA.
2134#
2135# For more information about the GDSF and LFUDA cache replacement
2136# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
2137# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
2138#Default:
2139# cache_replacement_policy lru
2140
2141# TAG: cache_dir
2142# Usage:
2143#
2144# cache_dir Type Directory-Name Fs-specific-data [options]
2145#
2146# You can specify multiple cache_dir lines to spread the
2147# cache among different disk partitions.
2148#
2149# Type specifies the kind of storage system to use. Only "ufs"
2150# is built by default. To enable any of the other storage systems
2151# see the --enable-storeio configure option.
2152#
2153# 'Directory' is a top-level directory where cache swap
2154# files will be stored. If you want to use an entire disk
2155# for caching, this can be the mount-point directory.
2156# The directory must exist and be writable by the Squid
2157# process. Squid will NOT create this directory for you.
2158#
2159# The ufs store type:
2160#
2161# "ufs" is the old well-known Squid storage format that has always
2162# been there.
2163#
2164# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
2165#
2166# 'Mbytes' is the amount of disk space (MB) to use under this
2167# directory. The default is 100 MB. Change this to suit your
2168# configuration. Do NOT put the size of your disk drive here.
2169# Instead, if you want Squid to use the entire disk drive,
2170# subtract 20% and use that value.
2171#
2172# 'L1' is the number of first-level subdirectories which
2173# will be created under the 'Directory'. The default is 16.
2174#
2175# 'L2' is the number of second-level subdirectories which
2176# will be created under each first-level directory. The default
2177# is 256.
2178#
2179# The aufs store type:
2180#
2181# "aufs" uses the same storage format as "ufs", utilizing
2182# POSIX-threads to avoid blocking the main Squid process on
2183# disk-I/O. This was formerly known in Squid as async-io.
2184#
2185# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
2186#
2187# see argument descriptions under ufs above
2188#
2189# The diskd store type:
2190#
2191# "diskd" uses the same storage format as "ufs", utilizing a
2192# separate process to avoid blocking the main Squid process on
2193# disk-I/O.
2194#
2195# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
2196#
2197# see argument descriptions under ufs above
2198#
2199# Q1 specifies the number of unacknowledged I/O requests when Squid
2200# stops opening new files. If this many messages are in the queues,
2201# Squid won't open new files. Default is 64
2202#
2203# Q2 specifies the number of unacknowledged messages when Squid
2204# starts blocking. If this many messages are in the queues,
2205# Squid blocks until it receives some replies. Default is 72
2206#
2207# When Q1 < Q2 (the default), the cache directory is optimized
2208# for lower response time at the expense of a decrease in hit
2209# ratio. If Q1 > Q2, the cache directory is optimized for
2210# higher hit ratio at the expense of an increase in response
2211# time.
2212#
2213# The coss store type:
2214#
2215# NP: COSS filesystem in Squid-3 has been deemed too unstable for
2216# production use and has thus been removed from this release.
2217# We hope that it can be made usable again soon.
2218#
2219# block-size=n defines the "block size" for COSS cache_dir's.
2220# Squid uses file numbers as block numbers. Since file numbers
2221# are limited to 24 bits, the block size determines the maximum
2222# size of the COSS partition. The default is 512 bytes, which
2223# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
2224# you should not change the coss block size after Squid
2225# has written some objects to the cache_dir.
2226#
2227# The coss file store has changed from 2.5. Now it uses a file
2228# called 'stripe' in the directory names in the config - and
2229# this will be created by squid -z.
2230#
2231# Common options:
2232#
2233# no-store, no new objects should be stored to this cache_dir
2234#
2235# max-size=n, refers to the max object size in bytes this cache_dir
2236# supports. It is used to select the cache_dir to store the object.
2237# Note: To make optimal use of the max-size limits you should order
2238# the cache_dir lines with the smallest max-size value first and the
2239# ones with no max-size specification last.
2240#
2241# Note for coss, max-size must be less than COSS_MEMBUF_SZ,
2242# which can be changed with the --with-coss-membuf-size=N configure
2243# option.
2244#
2245
2246# Uncomment and adjust the following to add a disk cache directory.
2247#cache_dir ufs /var/spool/squid3 100 16 256
2248
2249# TAG: store_dir_select_algorithm
2250# Set this to 'round-robin' as an alternative.
2251#Default:
2252# store_dir_select_algorithm least-load
2253
2254# TAG: max_open_disk_fds
2255# To avoid having disk as the I/O bottleneck Squid can optionally
2256# bypass the on-disk cache if more than this amount of disk file
2257# descriptors are open.
2258#
2259# A value of 0 indicates no limit.
2260#Default:
2261# max_open_disk_fds 0
2262
2263# TAG: minimum_object_size (bytes)
2264# Objects smaller than this size will NOT be saved on disk. The
2265# value is specified in kilobytes, and the default is 0 KB, which
2266# means there is no minimum.
2267#Default:
2268# minimum_object_size 0 KB
2269
2270# TAG: maximum_object_size (bytes)
2271# Objects larger than this size will NOT be saved on disk. The
2272# value is specified in kilobytes, and the default is 4MB. If
2273# you wish to get a high BYTES hit ratio, you should probably
2274# increase this (one 32 MB object hit counts for 3200 10KB
# hits). If you wish to increase speed more than you want to
2276# save bandwidth you should leave this low.
2277#
# NOTE: if using the LFUDA replacement policy you should increase
# this value to maximize the byte hit rate improvement of LFUDA!
# See cache_replacement_policy above for a discussion of this policy.
2281#Default:
2282# maximum_object_size 4096 KB
2283
2284# TAG: cache_swap_low (percent, 0-100)
2285#Default:
2286# cache_swap_low 90
2287
2288# TAG: cache_swap_high (percent, 0-100)
2289#
2290# The low- and high-water marks for cache object replacement.
2291# Replacement begins when the swap (disk) usage is above the
2292# low-water mark and attempts to maintain utilization near the
2293# low-water mark. As swap utilization gets close to high-water
2294# mark object eviction becomes more aggressive. If utilization is
2295# close to the low-water mark less replacement is done each time.
2296#
2297# Defaults are 90% and 95%. If you have a large cache, 5% could be
2298# hundreds of MB. If this is the case you may wish to set these
2299# numbers closer together.
2300#Default:
2301# cache_swap_high 95
2302
2303# LOGFILE OPTIONS
2304# -----------------------------------------------------------------------------
2305
2306# TAG: logformat
2307# Usage:
2308#
2309# logformat <name> <format specification>
2310#
2311# Defines an access log format.
2312#
2313# The <format specification> is a string with embedded % format codes
2314#
2315# % format codes all follow the same basic structure where all but
2316# the formatcode is optional. Output strings are automatically escaped
2317# as required according to their context and the output format
2318# modifiers are usually not needed, but can be specified if an explicit
2319# output format is desired.
2320#
2321# % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
2322#
2323# " output in quoted string format
2324# [ output in squid text log format as used by log_mime_hdrs
2325# # output in URL quoted format
2326# ' output as-is
2327#
2328# - left aligned
2329# width field width. If starting with 0 the
2330# output is zero padded
2331# {arg} argument such as header name etc
2332#
2333# Format codes:
2334#
2335# % a literal % character
2336# >a Client source IP address
2337# >A Client FQDN
2338# >p Client source port
2339# <A Server IP address or peer name
2340# la Local IP address (http_port)
2341# lp Local port number (http_port)
2342# <la Local IP address of the last server or peer connection
2343# <lp Local port number of the last server or peer connection
2344# ts Seconds since epoch
2345# tu subsecond time (milliseconds)
2346# tl Local time. Optional strftime format argument
2347# default %d/%b/%Y:%H:%M:%S %z
2348# tg GMT time. Optional strftime format argument
2349# default %d/%b/%Y:%H:%M:%S %z
2350# tr Response time (milliseconds)
2351# dt Total time spent making DNS lookups (milliseconds)
2352#
2353# HTTP cache related format codes:
2354#
2355# [http::]>h Original request header. Optional header name argument
2356# on the format header[:[separator]element]
2357# [http::]>ha The HTTP request headers after adaptation and redirection.
2358# Optional header name argument as for >h
2359# [http::]<h Reply header. Optional header name argument
2360# as for >h
2361# [http::]un User name
2362# [http::]ul User name from authentication
2363# [http::]ui User name from ident
2364# [http::]us User name from SSL
2365# [http::]ue User name from external acl helper
2366# [http::]>Hs HTTP status code sent to the client
2367# [http::]<Hs HTTP status code received from the next hop
2368# [http::]Ss Squid request status (TCP_MISS etc)
2369# [http::]Sh Squid hierarchy status (DEFAULT_PARENT etc)
2370# [http::]mt MIME content type
2371# [http::]rm Request method (GET/POST etc)
2372# [http::]ru Request URL
2373# [http::]rp Request URL-Path excluding hostname
2374# [http::]rv Request protocol version
2375# [http::]et Tag returned by external acl
2376# [http::]ea Log string returned by external acl
2377# [http::]<st Sent reply size including HTTP headers
2378# [http::]>st Received request size including HTTP headers. In the
2379# case of chunked requests the chunked encoding metadata
2380# are not included
2381# [http::]>sh Received HTTP request headers size
2382# [http::]<sh Sent HTTP reply headers size
2383# [http::]st Request+Reply size including HTTP headers
2384# [http::]<sH Reply high offset sent
2385# [http::]<sS Upstream object size
2386# [http::]<pt Peer response time in milliseconds. The timer starts
2387# when the last request byte is sent to the next hop
2388# and stops when the last response byte is received.
2389# [http::]<tt Total server-side time in milliseconds. The timer
2390# starts with the first connect request (or write I/O)
2391# sent to the first selected peer. The timer stops
2392# with the last I/O with the last peer.
2393#
2394# If ICAP is enabled, the following two codes become available (as
2395# well as ICAP log codes documented with the icap_log option):
2396#
2397# icap::tt Total ICAP processing time for the HTTP
2398# transaction. The timer ticks when ICAP
2399# ACLs are checked and when ICAP
2400# transaction is in progress.
2401#
2402# icap::<last_h The header of the last ICAP response
2403# related to the HTTP transaction. Like
2404# <h, accepts an optional header name
2405# argument. Will not change semantics
2406# when multiple ICAP transactions per HTTP
2407# transaction are supported.
2408#
2409# If adaptation is enabled the following two codes become available:
2410#
2411# adapt::sum_trs Summed adaptation transaction response
2412# times recorded as a comma-separated list in
2413# the order of transaction start time. Each time
2414# value is recorded as an integer number,
2415# representing response time of one or more
2416# adaptation (ICAP or eCAP) transaction in
2417# milliseconds. When a failed transaction is
2418# being retried or repeated, its time is not
2419# logged individually but added to the
2420# replacement (next) transaction. See also:
2421# adapt::all_trs.
2422#
2423# adapt::all_trs All adaptation transaction response times.
# Same as adapt::sum_trs but response times of
2425# individual transactions are never added
2426# together. Instead, all transaction response
2427# times are recorded individually.
2428#
2429# You can prefix adapt::*_trs format codes with adaptation
2430# service name in curly braces to record response time(s) specific
2431# to that service. For example: %{my_service}adapt::sum_trs
2432#
2433# The default formats available (which do not need re-defining) are:
2434#
2435#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
2436#logformat squidmime %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
2437#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
2438#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
2439#Default:
2440# none
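# Added example, not code from the Squid documentation or the Squid
# project: a Python parser for the default 'squid' logformat listed
# above, run over a few constructed access.log lines, followed by two
# detection passes a proxy operator typically wants: CONNECT tunnels to
# ports other than 443 (the proxy being used as a generic TCP relay) and
# clients that collect repeated 407 responses (credential guessing
# against proxy_auth). The client addresses, user names and URLs in the
# sample are made up.

```python
"""Parser and two detection passes for the default 'squid' log format,
as an added example (not Squid's code).

Field order follows the 'squid' logformat:
%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
"""
from collections import Counter

# Constructed sample lines; addresses, users and URLs are made up.
SAMPLE_LOG = """\
1572898801.123    245 10.0.0.5 TCP_MISS/200 5432 GET http://www.example.com/index.html alice DIRECT/93.184.216.34 text/html
1572898802.456      1 10.0.0.9 TCP_DENIED/407 3891 GET http://www.example.com/ - NONE/- text/html
1572898803.789    120 10.0.0.9 TCP_DENIED/407 3891 GET http://intranet.example.com/ - NONE/- text/html
1572898804.001  60012 10.0.0.5 TCP_MISS/200 102400 CONNECT mail.example.com:443 alice DIRECT/203.0.113.10 -
1572898805.002   3000 10.0.0.7 TCP_MISS/200 8192 CONNECT 198.51.100.20:22 bob DIRECT/198.51.100.20 -
1572898806.003     15 10.0.0.5 TCP_HIT/200 2048 GET http://www.example.com/logo.png alice NONE/- image/png
"""

FIELDS = ("ts", "tr", "client", "status", "bytes", "method", "url", "user", "hier", "mime")


def parse_squid_line(line: str) -> dict:
    """One native-format line -> dict of typed fields (ValueError if malformed).

    Squid escapes whitespace inside the logged URL, so splitting on runs
    of whitespace yields exactly ten fields.
    """
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d: %r" % (len(FIELDS), len(parts), line))
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = float(rec["ts"])                          # %ts.%03tu
    rec["tr"] = int(rec["tr"])                            # %6tr, milliseconds
    rec["bytes"] = int(rec["bytes"])                      # %<st, reply bytes incl. headers
    rec["status"], code = rec["status"].split("/", 1)     # %Ss/%03>Hs, e.g. TCP_DENIED/407
    rec["code"] = int(code)
    rec["hier"], rec["peer"] = rec["hier"].split("/", 1)  # %Sh/%<A, e.g. DIRECT/93.184.216.34
    return rec


def parse_log(text: str) -> list:
    return [parse_squid_line(line) for line in text.splitlines() if line.strip()]


def connect_to_unexpected_ports(records, allowed=(443,)) -> list:
    """(client, user, host:port) for CONNECT requests to ports outside `allowed`.

    CONNECT is forwarded as an opaque TCP tunnel, so host:22 through the
    proxy is an SSH session, not a web request; the default squid.conf
    denies CONNECT to anything but SSL_ports for exactly this reason.
    """
    hits = []
    for r in records:
        if r["method"] != "CONNECT":
            continue
        _, _, port = r["url"].rpartition(":")
        if not port.isdigit() or int(port) not in allowed:
            hits.append((r["client"], r["user"], r["url"]))
    return hits


def auth_failures_by_client(records, threshold=2) -> dict:
    """Clients with at least `threshold` 407 (Proxy Authentication Required)
    replies: repeated 407s from one address are what credential guessing
    against proxy_auth looks like in this log."""
    counts = Counter(r["client"] for r in records if r["code"] == 407)
    return {client: n for client, n in counts.items() if n >= threshold}
```

# On the sample, connect_to_unexpected_ports() returns the single tunnel
# from 10.0.0.7 to 198.51.100.20:22 and auth_failures_by_client() returns
# 10.0.0.9 with two 407s. The same parse_squid_line() works on the
# 'squidmime' format only after stripping its trailing [..] header
# fields, since those contain spaces.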
2441
2442# TAG: access_log
# These files log client request activities. One line is written
# for every HTTP or ICP request. The format is:
# access_log <filepath> [<logformat name> [acl acl ...]]
# access_log none [acl acl ...]
2447#
2448# Will log to the specified file using the specified format (which
2449# must be defined in a logformat directive) those entries which match
2450# ALL the acl's specified (which must be defined in acl clauses).
2451#
2452# If no acl is specified, all requests will be logged to this file.
2453#
2454# To disable logging of a request use the filepath "none", in which case
2455# a logformat name should not be specified.
2456#
2457# To log the request via syslog specify a filepath of "syslog":
2458#
2459# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
2460# where facility could be any of:
2461# authpriv, daemon, local0 .. local7 or user.
2462#
2463# And priority could be any of:
2464# err, warning, notice, info, debug.
2465#
2466# Default:
2467# access_log /var/log/squid3/access.log squid
2468#Default:
2469# access_log /var/log/squid3/access.log squid
2470
# TAG: icap_log
# ICAP log files record ICAP transaction summaries, one line per
# transaction.
#
# The icap_log option format is:
# icap_log <filepath> [<logformat name> [acl acl ...]]
# icap_log none [acl acl ...]
#
# Please see access_log option documentation for details. The two
# kinds of logs share the overall configuration approach and many
# features.
#
# ICAP processing of a single HTTP message or transaction may
# require multiple ICAP transactions. In such cases, multiple
# ICAP transaction log lines will correspond to a single access
# log line.
#
# ICAP log uses logformat codes that make sense for an ICAP
# transaction. Header-related codes are applied to the HTTP header
# embedded in an ICAP server response, with the following caveats:
# For REQMOD, there is no HTTP response header unless the ICAP
# server performed request satisfaction. For RESPMOD, the HTTP
# request header is the header sent to the ICAP server. For
# OPTIONS, there are no HTTP headers.
#
# The following format codes are also available for ICAP logs:
#
#   icap::<A             ICAP server IP address. Similar to <A.
#
#   icap::<service_name  ICAP service name from the icap_service
#                        option in Squid configuration file.
#
#   icap::ru             ICAP Request-URI. Similar to ru.
#
#   icap::rm             ICAP request method (REQMOD, RESPMOD, or
#                        OPTIONS). Similar to existing rm.
#
#   icap::>st            Bytes sent to the ICAP server (TCP payload
#                        only; i.e., what Squid writes to the socket).
#
#   icap::<st            Bytes received from the ICAP server (TCP
#                        payload only; i.e., what Squid reads from
#                        the socket).
#
#   icap::tr             Transaction response time (in
#                        milliseconds). The timer starts when
#                        the ICAP transaction is created and
#                        stops when the transaction is completed.
#                        Similar to tr.
#
#   icap::tio            Transaction I/O time (in milliseconds). The
#                        timer starts when the first ICAP request
#                        byte is scheduled for sending. The timer
#                        stops when the last byte of the ICAP response
#                        is received.
#
#   icap::to             Transaction outcome: ICAP_ERR* for all
#                        transaction errors, ICAP_OPT for OPTIONS
#                        transactions, ICAP_ECHO for 204
#                        responses, ICAP_MOD for message
#                        modification, and ICAP_SAT for request
#                        satisfaction. Similar to Ss.
#
#   icap::Hs             ICAP response status code. Similar to Hs.
#
#   icap::>h             ICAP request header(s). Similar to >h.
#
#   icap::<h             ICAP response header(s). Similar to <h.
#
# The default ICAP log format, which can be used without an explicit
# definition, is called icap_squid:
#
#logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
#
# See also: logformat, log_icap, and %icap::<last_h
#Default:
# none

# TAG: log_access allow|deny acl acl...
# This option allows you to control which requests get logged
# to access.log (see access_log directive). Requests denied for
# logging will also not be accounted for in performance counters.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# none

# TAG: log_icap
# This option allows you to control which requests get logged
# to icap.log. See the icap_log directive for ICAP log details.
#Default:
# none

# TAG: cache_store_log
# Logs the activities of the storage manager. Shows which
# objects are ejected from the cache, and which objects are
# saved and for how long. To disable, enter "none" or remove the line.
# There are not really any utilities to analyze this data, so you can
# safely disable it.
#
# Example:
# cache_store_log /var/log/squid3/store.log
#Default:
# none

# TAG: cache_swap_state
# Location for the cache "swap.state" file. This index file holds
# the metadata of objects saved on disk. It is used to rebuild
# the cache during startup. Normally this file resides in each
# 'cache_dir' directory, but you may specify an alternate
# pathname here. Note you must give a full filename, not just
# a directory. Since this is the index for the whole object
# list you CANNOT periodically rotate it!
#
# If %s is used in the file name it will be replaced with a
# representation of the cache_dir name where each / is replaced
# with '.'. This is needed to allow adding/removing cache_dir
# lines when cache_swap_log is being used.
#
# If you have more than one 'cache_dir', and %s is not used in the
# name, these swap logs will have names such as:
#
# cache_swap_log.00
# cache_swap_log.01
# cache_swap_log.02
#
# The numbered extension (which is added automatically)
# corresponds to the order of the 'cache_dir' lines in this
# configuration file. If you change the order of the 'cache_dir'
# lines in this file, these index files will NOT correspond to
# the correct 'cache_dir' entry (unless you manually rename
# them). We recommend you do NOT use this option. It is
# better to keep these index files in each 'cache_dir' directory.
#Default:
# none

# TAG: logfile_rotate
# Specifies the number of logfile rotations to make when you
# type 'squid -k rotate'. The default is 10, which will rotate
# with extensions 0 through 9. Setting logfile_rotate to 0 will
# disable the file name rotation, but the logfiles are still closed
# and re-opened. This will enable you to rename the logfiles
# yourself just before sending the rotate signal.
#
# Note, the 'squid -k rotate' command normally sends a USR1
# signal to the running squid process. In certain situations
# (e.g. on Linux with Async I/O), USR1 is used for other
# purposes, so -k rotate uses another signal. It is best to get
# in the habit of using 'squid -k rotate' instead of 'kill -USR1
# <pid>'.
#
# Note, from Squid-3.1 this option has no effect on the cache.log;
# that log can be rotated separately by using debug_options.
#
# Note2, for Debian/Linux the default of logfile_rotate is
# zero, since it includes external logfile-rotation methods.
#Default:
# logfile_rotate 0

# TAG: emulate_httpd_log on|off
# The Cache can emulate the log file format which many 'httpd'
# programs use. To disable/enable this emulation, set
# emulate_httpd_log to 'off' or 'on'. The default
# is to use the native log format since it includes useful
# information Squid-specific log analyzers use.
#Default:
# emulate_httpd_log off

# TAG: log_ip_on_direct on|off
# Log the destination IP address in the hierarchy log tag when going
# direct. Earlier Squid versions logged the hostname here. If you
# prefer the old way set this to off.
#Default:
# log_ip_on_direct on

# TAG: mime_table
# Pathname to Squid's MIME table. You shouldn't need to change
# this, but the default file contains examples and formatting
# information if you do.
#Default:
# mime_table /usr/share/squid3/mime.conf

# TAG: log_mime_hdrs on|off
# The Cache can record both the request and the response MIME
# headers for each HTTP transaction. The headers are encoded
# safely and will appear as two bracketed fields at the end of
# the access log (for either the native or httpd-emulated log
# formats). To enable this logging set log_mime_hdrs to 'on'.
#Default:
# log_mime_hdrs off

# TAG: useragent_log
# Note: This option is only available if Squid is rebuilt with the
# --enable-useragent-log option
#
# Squid will write the User-Agent field from HTTP requests
# to the filename specified here. By default useragent_log
# is disabled.
#Default:
# none

# TAG: referer_log
# Note: This option is only available if Squid is rebuilt with the
# --enable-referer-log option
#
# Squid will write the Referer field from HTTP requests to the
# filename specified here. By default referer_log is disabled.
# Note that "referer" is actually a misspelling of "referrer";
# however, the misspelt version has been accepted into the HTTP RFCs
# and we accept both.
#Default:
# none

# TAG: pid_filename
# A filename to write the process-id to. To disable, enter "none".
#Default:
# pid_filename /var/run/squid3.pid

# TAG: log_fqdn on|off
# Turn this on if you wish to log fully qualified domain names
# in the access.log. To do this Squid does a DNS lookup of all
# IPs connecting to it. This can (in some situations) increase
# latency, which makes your cache seem slower for interactive
# browsing.
#Default:
# log_fqdn off

# TAG: client_netmask
# A netmask for client addresses in logfiles and cachemgr output.
# Change this to protect the privacy of your cache clients.
# A netmask of 255.255.255.0 will log all IPs in that range with
# the last octet set to '0'.
#Default:
# client_netmask no_addr

# TAG: forward_log
# Note: This option is only available if Squid is rebuilt with the
# -DWIP_FWD_LOG define
#
# Logs the server-side requests.
#
# This is currently work in progress.
#Default:
# none

# TAG: strip_query_terms
# By default, Squid strips query terms from requested URLs before
# logging. This protects your users' privacy.
#Default:
# strip_query_terms on
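
# Added example (not part of Squid or this configuration): parse lines in
# the default "squid" logformat shown above and apply the client_netmask and
# strip_query_terms treatment offline, e.g. before handing logs to an
# analyst. The log lines are constructed; the netmask used is the
# 255.255.255.0 case described under client_netmask.

```python
"""Parse lines in the default 'squid' logformat and apply the
client_netmask / strip_query_terms privacy treatment offline.

Added example, not Squid's own code. SAMPLE_LOG is constructed; the
field layout is the default format documented above:
    %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
IPv4 clients only, which is what the 255.255.255.0 example covers.
"""
import ipaddress

# Constructed sample lines in the default 'squid' format.
SAMPLE_LOG = """\
1572900000.123    245 192.0.2.45 TCP_MISS/200 5123 GET http://www.example.com/index.html?session=abc123 - DIRECT/198.51.100.7 text/html
1572900001.004     12 192.0.2.77 TCP_DENIED/403 3891 CONNECT example.net:443 alice HIER_NONE/- text/html
"""


def parse_squid_line(line):
    """Split one 'squid' logformat line into its named fields."""
    fields = line.split()
    if len(fields) != 10:
        raise ValueError("expected 10 fields, got %d" % len(fields))
    ts, tr, client, ss_hs, size, method, url, user, sh_a, mime = fields
    squid_status, http_status = ss_hs.split("/", 1)   # %Ss/%03>Hs
    hierarchy, peer = sh_a.split("/", 1)              # %Sh/%<A
    return {
        "timestamp": float(ts),        # %ts.%03tu (seconds.milliseconds)
        "response_ms": int(tr),        # %6tr
        "client": client,              # %>a
        "squid_status": squid_status,  # %Ss
        "http_status": int(http_status),
        "bytes": int(size),            # %<st
        "method": method,              # %rm
        "url": url,                    # %ru
        "user": user,                  # %un ('-' when unauthenticated)
        "hierarchy": hierarchy,        # %Sh
        "peer": peer,                  # %<A ('-' when no server contacted)
        "mime": mime,                  # %mt
    }


def apply_client_netmask(addr, netmask):
    """Mirror client_netmask: AND the client address with the mask.
    'no_addr' (the documented default) leaves the address untouched."""
    if netmask in (None, "no_addr"):
        return addr
    ip = int(ipaddress.IPv4Address(addr))
    mask = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(ip & mask))


def strip_query_terms(url):
    """Mirror 'strip_query_terms on': Squid cuts the URL after the first
    '?', so the '?' itself stays and the query string is dropped."""
    i = url.find("?")
    return url if i < 0 else url[:i + 1]


def anonymize(record, netmask="255.255.255.0", strip=True):
    """Copy of a parsed record with the privacy settings applied."""
    out = dict(record)
    out["client"] = apply_client_netmask(record["client"], netmask)
    if strip:
        out["url"] = strip_query_terms(record["url"])
    return out


def process_log(text, netmask="255.255.255.0", strip=True):
    """Parse and anonymize every non-empty line of an access.log."""
    return [anonymize(parse_squid_line(line), netmask, strip)
            for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for rec in process_log(SAMPLE_LOG):
        print(rec["client"], rec["squid_status"], rec["http_status"],
              rec["method"], rec["url"])
```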

# TAG: buffered_logs on|off
# cache.log log file is written with stdio functions, and as such
# it can be buffered or unbuffered. By default it will be unbuffered.
# Buffering it can speed up the writing slightly (though you are
# unlikely to need to worry unless you run with tons of debugging
# enabled, in which case performance will suffer badly anyway).
#Default:
# buffered_logs off

# TAG: netdb_filename
# Note: This option is only available if Squid is rebuilt with the
# --enable-icmp option
#
# A filename where Squid stores its netdb state between restarts.
# To disable, enter "none".
#Default:
# netdb_filename /var/log/squid3/netdb.state

# OPTIONS FOR TROUBLESHOOTING
# -----------------------------------------------------------------------------

# TAG: cache_log
# Cache logging file. This is where general information about
# your cache's behavior goes. You can increase the amount of data
# logged to this file and how often it is rotated with "debug_options".
#Default:
# cache_log /var/log/squid3/cache.log

# TAG: debug_options
# Logging options are set as section,level where each source file
# is assigned a unique section. Lower levels result in less
# output. Full debugging (level 9) can result in a very large
# log file, so be careful.
#
# The magic word "ALL" sets debugging levels for all sections.
# We recommend normally running with "ALL,1".
#
# The rotate=N option can be used to keep more or less of these logs
# than would otherwise be kept by logfile_rotate.
# For most uses a single log should be enough to monitor current
# events affecting Squid.
#Default:
# debug_options ALL,1

# TAG: coredump_dir
# By default Squid leaves core files in the directory from where
# it was started. If you set 'coredump_dir' to a directory
# that exists, Squid will chdir() to that directory at startup
# and coredump files will be left there.
#
#Default:
# coredump_dir none
#

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3

# OPTIONS FOR FTP GATEWAYING
# -----------------------------------------------------------------------------

# TAG: ftp_user
# If you want the anonymous login password to be more informative
# (and enable the use of picky ftp servers), set this to something
# reasonable for your domain, like wwwuser@somewhere.net
#
# The reason why this is domainless by default is the
# request can be made on the behalf of a user in any domain,
# depending on how the cache is used.
# Some FTP servers also validate that the email address is valid
# (for example perl.com).
#Default:
# ftp_user Squid@

# TAG: ftp_list_width
# Sets the width of ftp listings. This should be set to fit in
# the width of a standard browser. Setting this too small
# can cut off long filenames when browsing ftp sites.
#Default:
# ftp_list_width 32

# TAG: ftp_passive
# If your firewall does not allow Squid to use passive
# connections, turn off this option.
#
# Use of ftp_epsv_all option requires this to be ON.
#Default:
# ftp_passive on

# TAG: ftp_epsv_all
# FTP Protocol extensions permit the use of a special "EPSV ALL" command.
#
# NATs may be able to put the connection on a "fast path" through the
# translator, as the EPRT command will never be used and therefore,
# translation of the data portion of the segments will never be needed.
#
# When a client only expects to do two-way FTP transfers this may be
# useful.
# If squid finds that it must do a three-way FTP transfer after issuing
# an EPSV ALL command, the FTP session will fail.
#
# If you have any doubts about this option do not use it.
# Squid will nicely attempt all other connection methods.
#
# Requires ftp_passive to be ON (default) for any effect.
#Default:
# ftp_epsv_all off

# TAG: ftp_epsv
# FTP Protocol extensions permit the use of a special "EPSV" command.
#
# NATs may be able to put the connection on a "fast path" through the
# translator using EPSV, as the EPRT command will never be used
# and therefore, translation of the data portion of the segments
# will never be needed.
#
# Turning this OFF will prevent EPSV being attempted.
# WARNING: Doing so will convert Squid back to the old behavior with all
# the related problems with external NAT devices/layers.
#
# Requires ftp_passive to be ON (default) for any effect.
#Default:
# ftp_epsv on

# TAG: ftp_eprt
# FTP Protocol extensions permit the use of a special "EPRT" command.
#
# This extension provides a protocol neutral alternative to the
# IPv4-only PORT command. When supported it enables active FTP data
# channels over IPv6 and efficient NAT handling.
#
# Turning this OFF will prevent EPRT being attempted and will skip
# straight to using PORT for IPv4 servers.
#
# Some devices are known to not handle this extension correctly and
# may result in crashes. Devices which support EPRT enough to fail
# cleanly will result in Squid attempting PORT anyway. This directive
# should only be disabled when EPRT results in device failures.
#
# WARNING: Doing so will convert Squid back to the old behavior with all
# the related problems with external NAT devices/layers and IPv4-only FTP.
#Default:
# ftp_eprt on

# TAG: ftp_sanitycheck
# For security and data integrity reasons Squid by default performs
# sanity checks of the addresses of FTP data connections to ensure the
# data connection is to the requested server. If you need to allow
# FTP connections to servers using another IP address for the data
# connection turn this off.
#Default:
# ftp_sanitycheck on

# TAG: ftp_telnet_protocol
# The FTP protocol is officially defined to use the telnet protocol
# as transport channel for the control connection. However, many
# implementations are broken and do not respect this aspect of
# the FTP protocol.
#
# If you have trouble accessing files with ASCII code 255 in the
# path or similar problems involving this ASCII code you can
# try setting this directive to off. If that helps, report to the
# operator of the FTP server in question that their FTP server
# is broken and does not follow the FTP standard.
#Default:
# ftp_telnet_protocol on

# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------

# TAG: diskd_program
# Specify the location of the diskd executable.
# Note this is only useful if you have compiled in
# diskd as one of the store io modules.
#Default:
# diskd_program /usr/lib/squid3/diskd

# TAG: unlinkd_program
# Specify the location of the executable for the file deletion process.
#Default:
# unlinkd_program /usr/lib/squid3/unlinkd

# TAG: pinger_program
# Note: This option is only available if Squid is rebuilt with the
# --enable-icmp option
#
# Specify the location of the executable for the pinger process.
#Default:
# pinger_program /usr/lib/squid3/pinger

# TAG: pinger_enable
# Note: This option is only available if Squid is rebuilt with the
# --enable-icmp option
#
# Control whether the pinger is active at run-time.
# Enables turning ICMP pinger on and off with a simple
# squid -k reconfigure.
#Default:
# pinger_enable off

# OPTIONS FOR URL REWRITING
# -----------------------------------------------------------------------------

# TAG: url_rewrite_program
# Specify the location of the executable URL rewriter to use.
# Since they can perform almost any function there isn't one included.
#
# For each requested URL, the rewriter will receive one line with the format
#
# URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
#
# In the future, the rewriter interface will be extended with
# key=value pairs ("kvpairs" shown above). Rewriter programs
# should be prepared to receive and possibly ignore additional
# whitespace-separated tokens on each input line.
#
# And the rewriter may return a rewritten URL. The other components of
# the request line do not need to be returned (ignored if they are).
#
# The rewriter can also indicate that a client-side redirect should
# be performed to the new URL. This is done by prefixing the returned
# URL with "301:" (moved permanently) or "302:" (moved temporarily), etc.
#
# By default, a URL rewriter is not used.
#Default:
# none

# TAG: url_rewrite_children
# The number of redirector processes to spawn. If you start
# too few Squid will have to wait for them to process a backlog of
# URLs, slowing it down. If you start too many they will use RAM
# and other system resources.
#Default:
# url_rewrite_children 5

# TAG: url_rewrite_concurrency
# The number of requests each redirector helper can handle in
# parallel. Defaults to 0 which indicates the redirector
# is an old-style single threaded redirector.
#
# When this directive is set to a value >= 1 then the protocol
# used to communicate with the helper is modified to include
# a request ID in front of the request/response. The request
# ID from the request must be echoed back with the response
# to that request.
#Default:
# url_rewrite_concurrency 0
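
# Added example (not Squid's own helper): a url_rewrite_program that speaks
# the input line format documented above, with the request-ID prefix used
# when url_rewrite_concurrency is 1 or more. The rewrite table and host
# names are constructed for illustration; "301:" is the documented way to
# ask Squid for a client-side redirect and an empty reply means no change.

```python
"""A minimal url_rewrite_program helper speaking the line protocol
documented above, with optional url_rewrite_concurrency support.

Added example, not Squid's own helper. The rewrite policy and host
names are constructed; the input line format is the documented one:
    URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
With url_rewrite_concurrency >= 1 every input line starts with a
request ID that must come back in front of the response.
"""
import sys

# Constructed policy: a retired hostname is moved with a client-side
# 301, and an internal mirror is rewritten transparently. Anything
# else is left alone (an empty reply tells Squid "no change").
REDIRECT_HOSTS = {"old.example.com": "www.example.com"}
INTERNAL_REWRITES = {"http://mirror.example.com/": "http://cache.example.net/"}


def parse_request(line, concurrency=0):
    """Return (request_id, url, client_ip, fqdn, user, method, extra).
    request_id is None when concurrency is 0."""
    tokens = line.rstrip("\r\n").split()
    request_id = None
    if concurrency >= 1:
        if not tokens:
            raise ValueError("missing request ID")
        request_id, tokens = tokens[0], tokens[1:]
    if len(tokens) < 4:
        raise ValueError("malformed helper input: %r" % line)
    url, client, user, method = tokens[:4]
    client_ip, _, fqdn = client.partition("/")
    # Tolerate extra whitespace-separated tokens (the future kvpairs)
    # instead of failing on them, as the documentation asks.
    return request_id, url, client_ip, fqdn, user, method, tokens[4:]


def rewrite(url, method):
    """Answer for one URL: '' for no change, a bare URL for a transparent
    rewrite, or '301:<url>' to make Squid send a client-side redirect."""
    if method == "CONNECT":
        return ""                     # tunnels carry host:port, not a URL
    scheme, sep, rest = url.partition("://")
    if not sep:
        return ""
    host, _, path = rest.partition("/")
    if host in REDIRECT_HOSTS:
        return "301:%s://%s/%s" % (scheme, REDIRECT_HOSTS[host], path)
    for prefix, replacement in INTERNAL_REWRITES.items():
        if url.startswith(prefix):
            return replacement + url[len(prefix):]
    return ""


def handle_line(line, concurrency=0):
    """Exact response line for one input line (without the newline)."""
    request_id, url, _ip, _fqdn, _user, method, _extra = parse_request(
        line, concurrency)
    answer = rewrite(url, method)
    if request_id is None:
        return answer
    return "%s %s" % (request_id, answer) if answer else request_id


def serve(stdin=sys.stdin, stdout=sys.stdout, concurrency=0):
    """One reply per input line, flushed at once so Squid never waits on
    a buffered answer. A malformed line gets "no change" (ID only in
    concurrent mode, so the channel stays in sync); if the rewriter were
    used for access control that fail-open choice would be the wrong one."""
    for line in stdin:
        if not line.strip():
            continue
        try:
            reply = handle_line(line, concurrency)
        except ValueError:
            reply = line.split()[0] if concurrency >= 1 else ""
        stdout.write(reply + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve(concurrency=int(sys.argv[1]) if len(sys.argv) > 1 else 0)
```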

# TAG: url_rewrite_host_header
# By default Squid rewrites any Host: header in redirected
# requests. If you are running an accelerator this may
# not be a wanted effect of a redirector.
#
# WARNING: Entries are cached on the result of the URL rewriting
# process, so be careful if you have domain-virtual hosts.
#Default:
# url_rewrite_host_header on

# TAG: url_rewrite_access
# If defined, this access list specifies which requests are
# sent to the redirector processes. By default all requests
# are sent.
#
# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# none

# TAG: url_rewrite_bypass
# When this is 'on', a request will not go through the
# redirector if all redirectors are busy. If this is 'off'
# and the redirector queue grows too large, Squid will exit
# with a FATAL error and ask you to increase the number of
# redirectors. You should only enable this if the redirectors
# are not critical to your caching system. If you use
# redirectors for access control, and you enable this option,
# users may have access to pages they should not
# be allowed to request.
#Default:
# url_rewrite_bypass off

# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------

# TAG: cache
# A list of ACL elements which, if matched and denied, cause the request to
# not be satisfied from the cache and the reply to not be cached.
# In other words, use this to force certain objects to never be cached.
#
# You must use the words 'allow' or 'deny' to indicate whether items
# matching the ACL should be allowed or denied into the cache.
#
# Default is to allow all to be cached.
#
# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# none

# TAG: refresh_pattern
# usage: refresh_pattern [-i] regex min percent max [options]
#
# By default, regular expressions are CASE-SENSITIVE. To make
# them case-insensitive, use the -i option.
#
# 'Min' is the time (in minutes) an object without an explicit
# expiry time should be considered fresh. The recommended
# value is 0; any higher values may cause dynamic applications
# to be erroneously cached unless the application designer
# has taken the appropriate actions.
#
# 'Percent' is a percentage of the object's age (time since last
# modification) an object without explicit expiry time
# will be considered fresh.
#
# 'Max' is an upper limit on how long objects without an explicit
# expiry time will be considered fresh.
#
# options: override-expire
#          override-lastmod
#          reload-into-ims
#          ignore-reload
#          ignore-no-cache
#          ignore-no-store
#          ignore-must-revalidate
#          ignore-private
#          ignore-auth
#          refresh-ims
#
#   override-expire enforces min age even if the server
#   sent an explicit expiry time (e.g., with the
#   Expires: header or Cache-Control: max-age). Doing this
#   VIOLATES the HTTP standard. Enabling this feature
#   could make you liable for problems which it causes.
#
#   Note: override-expire does not enforce staleness - it only extends
#   freshness / min. If the server returns an Expires time which
#   is longer than your max time, Squid will still consider
#   the object fresh for that period of time.
#
#   override-lastmod enforces min age even on objects
#   that were modified recently.
#
#   reload-into-ims changes client no-cache or ``reload''
#   to If-Modified-Since requests. Doing this VIOLATES the
#   HTTP standard. Enabling this feature could make you
#   liable for problems which it causes.
#
#   ignore-reload ignores a client no-cache or ``reload''
#   header. Doing this VIOLATES the HTTP standard. Enabling
#   this feature could make you liable for problems which
#   it causes.
#
#   ignore-no-cache ignores any ``Pragma: no-cache'' and
#   ``Cache-control: no-cache'' headers received from a server.
#   The HTTP RFC never allows the use of this (Pragma) header
#   from a server, only a client, though plenty of servers
#   send it anyway.
#
#   ignore-no-store ignores any ``Cache-control: no-store''
#   headers received from a server. Doing this VIOLATES
#   the HTTP standard. Enabling this feature could make you
#   liable for problems which it causes.
#
#   ignore-must-revalidate ignores any ``Cache-Control: must-revalidate''
#   headers received from a server. Doing this VIOLATES
#   the HTTP standard. Enabling this feature could make you
#   liable for problems which it causes.
#
#   ignore-private ignores any ``Cache-control: private''
#   headers received from a server. Doing this VIOLATES
#   the HTTP standard. Enabling this feature could make you
#   liable for problems which it causes.
#
#   ignore-auth caches responses to requests with authorization,
#   as if the origin server had sent ``Cache-control: public''
#   in the response header. Doing this VIOLATES the HTTP standard.
#   Enabling this feature could make you liable for problems which
#   it causes.
#
#   refresh-ims causes squid to contact the origin server
#   when a client issues an If-Modified-Since request. This
#   ensures that the client will receive an updated version
#   if one is available.
#
# Basically a cached object is:
#
#   FRESH if expires > now, else STALE
#   STALE if age > max
#   FRESH if lm-factor < percent, else STALE
#   FRESH if age < min
#   else STALE
#
# The refresh_pattern lines are checked in the order listed here.
# The first entry which matches is used. If none of the entries
# match the default will be used.
#
# Note, you must uncomment all the default lines if you want
# to change one. The default setting is only active if none is
# used.
#
#

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
# example line for deb packages
#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
refresh_pattern . 0 20% 4320
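
# Added example (not Squid's refresh code): apply the refresh_pattern lines
# above to a URL, first match wins, then walk the FRESH/STALE ladder with
# the override-expire and override-lastmod options. The sample objects are
# constructed; times are in minutes as in the directive.

```python
"""Apply the refresh_pattern lines above to a URL (first match wins) and
decide FRESH or STALE with the documented rule ladder.

Added example, not Squid's refresh code. RULES holds this file's own
refresh_pattern lines; the sample objects in the test are constructed.
Times are minutes, as in the directive: 'age' is how long the object
has been in the cache, 'expires' is minutes until the server-supplied
expiry (negative when already past), 'lm_gap' is how long the object
had been unmodified when it was fetched (Last-Modified to fetch time).
"""
import re

RULES = r"""
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
"""


def parse_refresh_patterns(text):
    """[(compiled_regex, min, percent, max, options), ...] in file order."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "refresh_pattern":
            continue
        parts = parts[1:]
        flags = 0
        if parts[0] == "-i":               # case-insensitive regex
            flags, parts = re.IGNORECASE, parts[1:]
        regex, mn, pct, mx = parts[:4]
        rules.append((re.compile(regex, flags), int(mn),
                      int(pct.rstrip("%")), int(mx), frozenset(parts[4:])))
    return rules


def match_rule(rules, url):
    """The first entry which matches is used; '.' is the catch-all."""
    for rule in rules:
        if rule[0].search(url):
            return rule
    return None


def is_fresh(rule, age, expires=None, lm_gap=None):
    """The ladder from the documentation, in order:
         FRESH if expires > now, else STALE
         STALE if age > max
         FRESH if lm-factor < percent, else STALE
         FRESH if age < min
         else STALE
    override-expire and override-lastmod each force FRESH while
    age < min, ahead of the Expires and lm-factor checks."""
    _, mn, pct, mx, opts = rule
    if "override-expire" in opts and age < mn:
        return True
    if expires is not None:
        return expires > 0             # explicit expiry decides outright
    if age > mx:
        return False
    if "override-lastmod" in opts and age < mn:
        return True
    if lm_gap is not None and lm_gap > 0:
        # lm-factor: time in cache as a percentage of the time the object
        # had already gone unmodified when fetched.
        return 100.0 * age / lm_gap < pct
    return age < mn


def check(rules, url, age, expires=None, lm_gap=None):
    """Match the URL, then decide. Returns (min, percent, max, fresh)."""
    rule = match_rule(rules, url)
    return rule[1], rule[2], rule[3], is_fresh(rule, age, expires, lm_gap)
```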

# TAG: quick_abort_min (KB)
#Default:
# quick_abort_min 16 KB

# TAG: quick_abort_max (KB)
#Default:
# quick_abort_max 16 KB

# TAG: quick_abort_pct (percent)
# The cache by default continues downloading aborted requests
# which are almost completed (less than 16 KB remaining). This
# may be undesirable on slow (e.g. SLIP) links and/or very busy
# caches. Impatient users may tie up file descriptors and
# bandwidth by repeatedly requesting and immediately aborting
# downloads.
#
# When the user aborts a request, Squid will compare the
# quick_abort values against the amount of data transferred
# until then.
#
# If the transfer has less than 'quick_abort_min' KB remaining,
# it will finish the retrieval.
#
# If the transfer has more than 'quick_abort_max' KB remaining,
# it will abort the retrieval.
#
# If more than 'quick_abort_pct' of the transfer has completed,
# it will finish the retrieval.
#
# If you do not want any retrieval to continue after the client
# has aborted, set both 'quick_abort_min' and 'quick_abort_max'
# to '0 KB'.
#
# If you want retrievals to always continue if they are being
# cached set 'quick_abort_min' to '-1 KB'.
#Default:
# quick_abort_pct 95
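
# Added example (not Squid's own code): the quick_abort decision as
# documented above, in the documented order and including the '0 KB' and
# '-1 KB' special cases. The transfer sizes in the test are constructed.

```python
"""The quick_abort decision as documented above: once a client aborts,
does Squid finish the retrieval or drop it?

Added example, not Squid's own code. Sizes are whole KB as in the
directives (defaults 16 KB / 16 KB / 95); the transfers used to
exercise it are constructed.
"""


def continue_after_abort(received_kb, expected_kb,
                         qa_min=16, qa_max=16, qa_pct=95):
    """True to finish the retrieval, False to abort it.

    Checks in the documented order:
      quick_abort_min of -1 KB    -> always continue
      remaining < quick_abort_min -> continue
      remaining > quick_abort_max -> abort
      done % > quick_abort_pct    -> continue
      otherwise                   -> abort
    With min and max both 0 KB no retrieval ever continues.
    expected_kb is None when the server sent no Content-Length."""
    if qa_min < 0:
        return True
    if expected_kb is None:
        return False             # unknown total: nothing is 'almost done'
    remaining = expected_kb - received_kb
    if remaining <= 0:
        return True              # already complete, nothing to abort
    if remaining < qa_min:
        return True
    if remaining > qa_max:
        return False
    if expected_kb > 0 and 100.0 * received_kb / expected_kb > qa_pct:
        return True
    return False
```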
3171
3172# TAG: read_ahead_gap buffer-size
3173# The amount of data the cache will buffer ahead of what has been
3174# sent to the client when retrieving an object from another server.
3175#Default:
3176# read_ahead_gap 16 KB
3177
3178# TAG: negative_ttl time-units
3179# Set the Default Time-to-Live (TTL) for failed requests.
3180# Certain types of failures (such as "connection refused" and
3181# "404 Not Found") are able to be negatively-cached for a short time.
3182# Modern web servers should provide Expires: header, however if they
3183# do not this can provide a minimum TTL.
3184# The default is not to cache errors with unknown expiry details.
3185#
3186# Note that this is different from negative caching of DNS lookups.
3187#
3188# WARNING: Doing this VIOLATES the HTTP standard. Enabling
3189# this feature could make you liable for problems which it
3190# causes.
3191#Default:
3192# negative_ttl 0 seconds
3193
3194# TAG: positive_dns_ttl time-units
3195# Upper limit on how long Squid will cache positive DNS responses.
3196# Default is 6 hours (360 minutes). This directive must be set
3197# larger than negative_dns_ttl.
3198#Default:
3199# positive_dns_ttl 6 hours
3200
3201# TAG: negative_dns_ttl time-units
3202# Time-to-Live (TTL) for negative caching of failed DNS lookups.
3203# This also sets the lower cache limit on positive lookups.
3204# Minimum value is 1 second, and it is not recommendable to go
3205# much below 10 seconds.
3206#Default:
3207# negative_dns_ttl 1 minutes
3208
3209# TAG: range_offset_limit (bytes)
3210# Sets a upper limit on how far into the the file a Range request
3211# may be to cause Squid to prefetch the whole file. If beyond this
3212# limit Squid forwards the Range request as it is and the result
3213# is NOT cached.
3214#
3215# This is to stop a far ahead range request (lets say start at 17MB)
3216# from making Squid fetch the whole object up to that point before
3217# sending anything to the client.
3218#
3219# A value of 0 causes Squid to never fetch more than the
3220# client requested. (default)
3221#
3222# A value of -1 causes Squid to always fetch the object from the
3223# beginning so it may cache the result. (2.0 style)
3224#
3225# NP: Using -1 here will override any quick_abort settings that may
3226# otherwise apply to the range request. The range request will
3227# be fully fetched from start to finish regardless of the client
3228# actions. This affects bandwidth usage.
3229#Default:
3230# range_offset_limit 0 KB
3231
3232# TAG: minimum_expiry_time (seconds)
3233# The minimum caching time according to (Expires - Date)
3234# Headers Squid honors if the object can't be revalidated
3235# defaults to 60 seconds. In reverse proxy environments it
3236# might be desirable to honor shorter object lifetimes. It
3237# is most likely better to make your server return a
3238# meaningful Last-Modified header however. In ESI environments
3239# where page fragments often have short lifetimes, this will
3240# often be best set to 0.
3241#Default:
3242# minimum_expiry_time 60 seconds
3243
3244# TAG: store_avg_object_size (kbytes)
3245# Average object size, used to estimate number of objects your
3246# cache can hold. The default is 13 KB.
3247#Default:
3248# store_avg_object_size 13 KB
3249
3250# TAG: store_objects_per_bucket
3251# Target number of objects per bucket in the store hash table.
3252# Lowering this value increases the total number of buckets and
3253# also the storage maintenance rate. The default is 20.
3254#Default:
3255# store_objects_per_bucket 20
3256
# HTTP OPTIONS
# -----------------------------------------------------------------------------

# TAG: request_header_max_size (KB)
# This specifies the maximum size for HTTP headers in a request.
# Request headers are usually relatively small (about 512 bytes).
# Placing a limit on the request header size will catch certain
# bugs (for example with persistent connections) and possibly
# buffer-overflow or denial-of-service attacks.
#Default:
# request_header_max_size 64 KB

# TAG: reply_header_max_size (KB)
# This specifies the maximum size for HTTP headers in a reply.
# Reply headers are usually relatively small (about 512 bytes).
# Placing a limit on the reply header size will catch certain
# bugs (for example with persistent connections) and possibly
# buffer-overflow or denial-of-service attacks.
#Default:
# reply_header_max_size 64 KB

# TAG: request_body_max_size (bytes)
# This specifies the maximum size for an HTTP request body.
# In other words, the maximum size of a PUT/POST request.
# A user who attempts to send a request with a body larger
# than this limit receives an "Invalid Request" error message.
# If you set this parameter to zero (the default), there will
# be no limit imposed.
#Default:
# request_body_max_size 0 KB

# TAG: client_request_buffer_max_size (bytes)
# This specifies the maximum buffer size of a client request.
# It prevents Squid from eating too much memory when somebody uploads
# a large file.
#Default:
# client_request_buffer_max_size 512 KB

# TAG: chunked_request_body_max_size (bytes)
# A broken or confused HTTP/1.1 client may send a chunked HTTP
# request to Squid. Squid does not have full support for that
# feature yet. To cope with such requests, Squid buffers the
# entire request and then dechunks the request body to create a
# plain HTTP/1.0 request with a known content length. The plain
# request is then used by the rest of the Squid code as usual.
#
# The option value specifies the maximum size of the buffer used
# to hold the request before the conversion. If the chunked
# request size exceeds the specified limit, the conversion
# fails, and the client receives an "unsupported request" error,
# as if dechunking was disabled.
#
# Dechunking is enabled by default. To disable conversion of
# chunked requests, set the maximum to zero.
#
# The request dechunking feature and this option in particular are a
# temporary hack. When chunked requests and responses are fully
# supported, there will be no need to buffer a chunked request.
#Default:
# chunked_request_body_max_size 64 KB

# TAG: broken_posts
# A list of ACL elements which, if matched, causes Squid to send
# an extra CRLF pair after the body of a PUT/POST request.
#
# Some HTTP servers have broken implementations of PUT/POST,
# and rely on an extra CRLF pair sent by some WWW clients.
#
# Quote from RFC2616 section 4.1 on this matter:
#
# Note: certain buggy HTTP/1.0 client implementations generate
# extra CRLF's after a POST request. To restate what is explicitly
# forbidden by the BNF, an HTTP/1.1 client must not preface or follow
# a request with an extra CRLF.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
#Example:
# acl buggy_server url_regex ^http://....
# broken_posts allow buggy_server
#Default:
# none

# TAG: icap_uses_indirect_client on|off
# Controls whether the indirect client IP address (instead of the direct
# client IP address) is passed to adaptation services.
#
# See also: follow_x_forwarded_for, adaptation_send_client_ip
#Default:
# icap_uses_indirect_client on

# TAG: via on|off
# If set (default), Squid will include a Via header in requests and
# replies as required by RFC2616.
#Default:
# via on

# TAG: ie_refresh on|off
# Microsoft Internet Explorer up until version 5.5 Service
# Pack 1 has an issue with transparent proxies, wherein it
# is impossible to force a refresh. Turning this on provides
# a partial fix to the problem, by causing all IMS-REFRESH
# requests from older IE versions to check the origin server
# for fresh content. This reduces the hit ratio by some amount
# (~10% in my experience), but allows users to actually get
# fresh content when they want it. Note that because Squid
# cannot tell if the user is using 5.5 or 5.5SP1, the behavior
# of 5.5 is unchanged from old versions of Squid (i.e. a
# forced refresh is impossible). Newer versions of IE will,
# hopefully, continue to have the new behavior and will be
# handled based on that assumption. This option defaults to
# the old Squid behavior, which is better for hit ratios but
# worse for clients using IE, if they need to be able to
# force fresh content.
#Default:
# ie_refresh off

# TAG: vary_ignore_expire on|off
# Many HTTP servers supporting Vary give such objects an
# immediate expiry time with no cache-control header
# when requested by an HTTP/1.0 client. This option
# enables Squid to ignore such expiry times until
# HTTP/1.1 is fully implemented.
#
# WARNING: If turned on this may eventually cause some
# varying objects not intended for caching to get cached.
#Default:
# vary_ignore_expire off

# TAG: request_entities
# Squid defaults to denying GET and HEAD requests with request entities,
# as the meaning of such requests is undefined in the HTTP standard
# even if not explicitly forbidden.
#
# Set this directive to on if you have clients which insist
# on sending request entities in GET or HEAD requests. But be warned
# that there is server software (both proxies and web servers) which
# can fail to properly process this kind of request, which may make you
# vulnerable to cache pollution attacks if enabled.
#Default:
# request_entities off

# TAG: request_header_access
# Usage: request_header_access header_name allow|deny [!]aclname ...
#
# WARNING: Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which it
# causes.
#
# This option replaces the old 'anonymize_headers' and the
# older 'http_anonymizer' option with something that is much
# more configurable. This new method creates a list of ACLs
# for each header, allowing you very fine-grained header
# mangling.
#
# This option only applies to request headers, i.e., from the
# client to the server.
#
# You can only specify known headers for the header name.
# Other headers are reclassified as 'Other'. You can also
# refer to all the headers with 'All'.
#
# For example, to achieve the same behavior as the old
# 'http_anonymizer standard' option, you should use:
#
# request_header_access From deny all
# request_header_access Referer deny all
# request_header_access Server deny all
# request_header_access User-Agent deny all
# request_header_access WWW-Authenticate deny all
# request_header_access Link deny all
#
# Or, to reproduce the old 'http_anonymizer paranoid' feature
# you should use:
#
# request_header_access Allow allow all
# request_header_access Authorization allow all
# request_header_access WWW-Authenticate allow all
# request_header_access Proxy-Authorization allow all
# request_header_access Proxy-Authenticate allow all
# request_header_access Cache-Control allow all
# request_header_access Content-Encoding allow all
# request_header_access Content-Length allow all
# request_header_access Content-Type allow all
# request_header_access Date allow all
# request_header_access Expires allow all
# request_header_access Host allow all
# request_header_access If-Modified-Since allow all
# request_header_access Last-Modified allow all
# request_header_access Location allow all
# request_header_access Pragma allow all
# request_header_access Accept allow all
# request_header_access Accept-Charset allow all
# request_header_access Accept-Encoding allow all
# request_header_access Accept-Language allow all
# request_header_access Content-Language allow all
# request_header_access Mime-Version allow all
# request_header_access Retry-After allow all
# request_header_access Title allow all
# request_header_access Connection allow all
# request_header_access All deny all
#
# although many of those are HTTP reply headers, and so should be
# controlled with the reply_header_access directive.
#
# By default, all headers are allowed (no anonymizing is
# performed).
#Default:
# none

# TAG: reply_header_access
# Usage: reply_header_access header_name allow|deny [!]aclname ...
#
# WARNING: Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which it
# causes.
#
# This option only applies to reply headers, i.e., from the
# server to the client.
#
# This is the same as request_header_access, but in the other
# direction.
#
# This option replaces the old 'anonymize_headers' and the
# older 'http_anonymizer' option with something that is much
# more configurable. This new method creates a list of ACLs
# for each header, allowing you very fine-grained header
# mangling.
#
# You can only specify known headers for the header name.
# Other headers are reclassified as 'Other'. You can also
# refer to all the headers with 'All'.
#
# For example, to achieve the same behavior as the old
# 'http_anonymizer standard' option, you should use:
#
# reply_header_access From deny all
# reply_header_access Referer deny all
# reply_header_access Server deny all
# reply_header_access User-Agent deny all
# reply_header_access WWW-Authenticate deny all
# reply_header_access Link deny all
#
# Or, to reproduce the old 'http_anonymizer paranoid' feature
# you should use:
#
# reply_header_access Allow allow all
# reply_header_access Authorization allow all
# reply_header_access WWW-Authenticate allow all
# reply_header_access Proxy-Authorization allow all
# reply_header_access Proxy-Authenticate allow all
# reply_header_access Cache-Control allow all
# reply_header_access Content-Encoding allow all
# reply_header_access Content-Length allow all
# reply_header_access Content-Type allow all
# reply_header_access Date allow all
# reply_header_access Expires allow all
# reply_header_access Host allow all
# reply_header_access If-Modified-Since allow all
# reply_header_access Last-Modified allow all
# reply_header_access Location allow all
# reply_header_access Pragma allow all
# reply_header_access Accept allow all
# reply_header_access Accept-Charset allow all
# reply_header_access Accept-Encoding allow all
# reply_header_access Accept-Language allow all
# reply_header_access Content-Language allow all
# reply_header_access Mime-Version allow all
# reply_header_access Retry-After allow all
# reply_header_access Title allow all
# reply_header_access Connection allow all
# reply_header_access All deny all
#
# although the HTTP request headers won't be usefully controlled
# by this directive -- see request_header_access for details.
#
# By default, all headers are allowed (no anonymizing is
# performed).
#Default:
# none

# TAG: request_header_replace
# Usage: request_header_replace header_name message
# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
#
# This option allows you to change the contents of headers
# denied with request_header_access above, by replacing them
# with some fixed string. This replaces the old fake_user_agent
# option.
#
# This only applies to request headers, not reply headers.
#
# By default, headers are removed if denied.
#Default:
# none

# TAG: reply_header_replace
# Usage: reply_header_replace header_name message
# Example: reply_header_replace Server Foo/1.0
#
# This option allows you to change the contents of headers
# denied with reply_header_access above, by replacing them
# with some fixed string.
#
# This only applies to reply headers, not request headers.
#
# By default, headers are removed if denied.
#Default:
# none
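
# The following is an added example and is not part of squid.conf or of Squid
# itself. It models what request_header_access and request_header_replace (as
# documented above) do to a constructed request, so a header-mangling policy
# can be previewed before deployment. It assumes the rule semantics stated in
# its docstring and a fixed truth value for each named ACL; the real ACL
# engine is not modelled, and its KNOWN_HEADERS set is a subset.

```python
"""Preview of Squid request_header_access / request_header_replace effects.

Added example; not part of squid.conf or of Squid itself. Assumed semantics:
a header with its own rule list is judged by it, one without falls back to
the 'All' list, and names Squid does not know count as 'Other'; rules are
first-match and, if none matches, the result is the opposite of the last
rule's action; every ACL other than 'all' is a named ACL with a fixed value.
"""
from dataclasses import dataclass

# Subset of the header names Squid 3.1 knows (assumption: others are 'Other').
KNOWN_HEADERS = {
    "accept", "accept-encoding", "accept-language", "authorization",
    "cache-control", "connection", "cookie", "from", "host", "link",
    "referer", "server", "user-agent", "www-authenticate", "x-forwarded-for",
}

@dataclass(frozen=True)
class Rule:
    header: str   # lower-cased header name, 'other' or 'all'
    allow: bool   # True for allow, False for deny
    acl: str      # 'all' or a named ACL; a leading '!' negates it

def parse_rules(conf: str) -> list[Rule]:
    """Collect request_header_access lines in file order."""
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "request_header_access":
            rules.append(Rule(parts[1].lower(), parts[2] == "allow", parts[3]))
    return rules

def parse_replacements(conf: str) -> dict[str, str]:
    """Collect request_header_replace lines as {header: fixed value}."""
    repl = {}
    for line in conf.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3 and parts[0] == "request_header_replace":
            repl[parts[1].lower()] = parts[2]
    return repl

def acl_matches(acl: str, acls: dict[str, bool]) -> bool:
    negate, name = acl.startswith("!"), acl.lstrip("!")
    value = True if name == "all" else acls.get(name, False)
    return value != negate

def header_allowed(name: str, rules: list[Rule], acls: dict[str, bool]) -> bool:
    key = name.lower() if name.lower() in KNOWN_HEADERS else "other"
    chain = ([r for r in rules if r.header == key]
             or [r for r in rules if r.header == "all"])
    if not chain:
        return True                     # no policy at all: header passes
    for rule in chain:
        if acl_matches(rule.acl, acls):
            return rule.allow
    return not chain[-1].allow          # nothing matched: opposite of last rule

def mangle_request(headers: dict[str, str], conf: str,
                   acls: dict[str, bool]) -> dict[str, str]:
    """Return the header block Squid would forward under this policy."""
    rules, repl = parse_rules(conf), parse_replacements(conf)
    out = {}
    for name, value in headers.items():
        if header_allowed(name, rules, acls):
            out[name] = value
        elif name.lower() in repl:
            out[name] = repl[name.lower()]      # denied, but replaced
        # denied without a replacement: the header is dropped
    return out

# Constructed policy: the page's 'standard' anonymizer lines, the page's
# User-Agent replacement, and a Cookie rule gated on a named ACL.
POLICY = """
request_header_access From deny all
request_header_access Referer deny all
request_header_access Server deny all
request_header_access User-Agent deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cookie allow trusted_clients
request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
"""

# Constructed request headers, as a browser behind the proxy might send them.
SAMPLE_REQUEST = {
    "Host": "www.example.com",
    "User-Agent": "Mozilla/5.0 (constructed sample)",
    "Referer": "http://intranet.example.com/private/page",
    "From": "alice@example.com",
    "Cookie": "session=constructed",
    "Accept": "text/html",
    "X-Internal-Tag": "constructed",   # unknown to Squid: judged as 'Other'
}

if __name__ == "__main__":
    forwarded = mangle_request(SAMPLE_REQUEST, POLICY, {"trusted_clients": False})
    for k, v in forwarded.items():
        print(f"{k}: {v}")
```

# Note that Cookie disappears when trusted_clients does not match: with no
# matching rule the result is the opposite of the last rule for that header.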

# TAG: relaxed_header_parser on|off|warn
# In the default "on" setting Squid accepts certain forms
# of non-compliant HTTP messages where it is unambiguous
# what the sending application intended even if the message
# is not correctly formatted. The message is then normalized
# to the correct form when forwarded by Squid.
#
# If set to "warn" then a warning will be emitted in cache.log
# each time such an HTTP error is encountered.
#
# If set to "off" then such HTTP errors will cause the request
# or response to be rejected.
#Default:
# relaxed_header_parser on

# TAG: ignore_expect_100 on|off
# This option makes Squid ignore any Expect: 100-continue header present
# in the request. RFC 2616 requires that Squid, being unable to satisfy
# the response expectation, MUST return a 417 error.
#
# Note: Enabling this is an HTTP protocol violation, but some clients may
# not handle the 417 response well.
#Default:
# ignore_expect_100 off

# TIMEOUTS
# -----------------------------------------------------------------------------

# TAG: forward_timeout time-units
# This parameter specifies the maximum time Squid should spend trying to
# find a forwarding path for the request before giving up.
#Default:
# forward_timeout 4 minutes

# TAG: connect_timeout time-units
# This parameter specifies how long to wait for the TCP connect to
# the requested server or peer to complete before Squid should
# attempt to find another path along which to forward the request.
#Default:
# connect_timeout 1 minute

# TAG: peer_connect_timeout time-units
# This parameter specifies how long to wait for a pending TCP
# connection to a peer cache. The default is 30 seconds. You
# may also set different timeout values for individual neighbors
# with the 'connect-timeout' option on a 'cache_peer' line.
#Default:
# peer_connect_timeout 30 seconds

# TAG: read_timeout time-units
# The read_timeout is applied on server-side connections. After
# each successful read(), the timeout will be extended by this
# amount. If no data is read again after this amount of time,
# the request is aborted and logged with ERR_READ_TIMEOUT. The
# default is 15 minutes.
#Default:
# read_timeout 15 minutes

# TAG: request_timeout
# How long to wait for an HTTP request after initial
# connection establishment.
#Default:
# request_timeout 5 minutes

# TAG: persistent_request_timeout
# How long to wait for the next HTTP request on a persistent
# connection after the previous request completes.
#Default:
# persistent_request_timeout 2 minutes

# TAG: client_lifetime time-units
# The maximum amount of time a client (browser) is allowed to
# remain connected to the cache process. This protects the cache
# from having a lot of sockets (and hence file descriptors) tied up
# in a CLOSE_WAIT state from remote clients that go away without
# properly shutting down (either because of a network failure or
# because of a poor client implementation). The default is one
# day, 1440 minutes.
#
# NOTE: The default value is intended to be much larger than any
# client would ever need to be connected to your cache. You
# should probably change client_lifetime only as a last resort.
# If you seem to have many client connections tying up
# file descriptors, we recommend first tuning the read_timeout,
# request_timeout, persistent_request_timeout and quick_abort values.
#Default:
# client_lifetime 1 day

# TAG: half_closed_clients
# Some clients may shut down the sending side of their TCP
# connections, while leaving their receiving sides open. Sometimes,
# Squid can not tell the difference between a half-closed and a
# fully-closed TCP connection.
#
# By default, Squid will immediately close client connections when
# read(2) returns "no more data to read."
#
# Change this option to 'on' and Squid will keep connections open
# until a read(2) or write(2) on the socket returns an error.
# This may show some benefits for reverse proxies. Otherwise
# it is recommended to leave it off.
#Default:
# half_closed_clients off

# TAG: pconn_timeout
# Timeout for idle persistent connections to servers and other
# proxies.
#Default:
# pconn_timeout 1 minute

# TAG: ident_timeout
# Maximum time to wait for IDENT lookups to complete.
#
# If this is too high, and you enabled IDENT lookups from untrusted
# users, you might be susceptible to denial-of-service by having
# many ident requests going at once.
#Default:
# ident_timeout 10 seconds

# TAG: shutdown_lifetime time-units
# When SIGTERM or SIGHUP is received, the cache is put into
# "shutdown pending" mode until all active sockets are closed.
# This value is the lifetime to set for all open descriptors
# during shutdown mode. Any active clients after this many
# seconds will receive a 'timeout' message.
#Default:
# shutdown_lifetime 30 seconds

# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------

# TAG: cache_mgr
# Email address of the local cache manager who will receive
# mail if the cache dies. The default is "webmaster."
#Default:
# cache_mgr webmaster

# TAG: mail_from
# From: email address for mail sent when the cache dies.
# The default is to use 'appname@unique_hostname'.
# The default appname value is "squid"; it can be changed in
# src/globals.h before building Squid.
#Default:
# none

# TAG: mail_program
# Email program used to send mail if the cache dies.
# The default is "mail". The specified program must comply
# with the standard Unix mail syntax:
# mail-program recipient < mailfile
#
# Optional command line options can be specified.
#Default:
# mail_program mail

# TAG: cache_effective_user
# If you start Squid as root, it will change its effective/real
# UID/GID to the user specified below. The default is to change
# to the UID of 'proxy'.
# See also: cache_effective_group
#Default:
# cache_effective_user proxy

# TAG: cache_effective_group
# Squid sets the GID to the effective user's default group ID
# (taken from the password file) and the supplementary group list
# from that user's group memberships.
#
# If you want Squid to run with a specific GID regardless of
# the group memberships of the effective user then set this
# to the group (or GID) you want Squid to run as. When set,
# all other group privileges of the effective user are ignored
# and only this GID is effective. If Squid is not started as
# root the user starting Squid MUST be a member of the specified
# group.
#
# This option is not recommended by the Squid Team.
# Our preference is for administrators to configure a secure
# user account for squid with UID/GID matching system policies.
#Default:
# none

# TAG: httpd_suppress_version_string on|off
# Suppress Squid version string info in HTTP headers and HTML error pages.
#Default:
# httpd_suppress_version_string off

# TAG: visible_hostname
# If you want to present a special hostname in error messages, etc.,
# define this. Otherwise, the return value of gethostname()
# will be used. If you have multiple caches in a cluster and
# get errors about IP-forwarding you must set them to have individual
# names with this setting.
#Default:
# visible_hostname localhost

# TAG: unique_hostname
# If you want to have multiple machines with the same
# 'visible_hostname' you must give each machine a different
# 'unique_hostname' so forwarding loops can be detected.
#Default:
# none

# TAG: hostname_aliases
# A list of other DNS names your cache has.
#Default:
# none

# TAG: umask
# Minimum umask which should be enforced while the proxy
# is running, in addition to the umask set at startup.
#
# For a traditional octal representation of umasks, start
# your value with 0.
#Default:
# umask 027

# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# -----------------------------------------------------------------------------
#
# This section contains parameters for the (optional) cache
# announcement service. This service is provided to help
# cache administrators locate one another in order to join or
# create cache hierarchies.
#
# An 'announcement' message is sent (via UDP) to the registration
# service by Squid. By default, the announcement message is NOT
# SENT unless you enable it with 'announce_period' below.
#
# The announcement message includes your hostname, plus the
# following information from this configuration file:
#
# http_port
# icp_port
# cache_mgr
#
# All current information is processed regularly and made
# available on the Web at http://www.ircache.net/Cache/Tracker/.

# TAG: announce_period
# This is how frequently to send cache announcements. The
# default is `0' which disables sending the announcement
# messages.
#
# To enable announcing your cache, just set an announce period.
#
# Example:
# announce_period 1 day
#Default:
# announce_period 0

# TAG: announce_host
#Default:
# announce_host tracker.ircache.net

# TAG: announce_file
#Default:
# none

# TAG: announce_port
# announce_host and announce_port set the hostname and port
# number where the registration message will be sent.
#
# Hostname will default to 'tracker.ircache.net' and port will
# default to 3131. If the 'filename' argument is given,
# the contents of that file will be included in the announce
# message.
#Default:
# announce_port 3131

# HTTPD-ACCELERATOR OPTIONS
# -----------------------------------------------------------------------------

# TAG: httpd_accel_surrogate_id
# Surrogates (http://www.esi.org/architecture_spec_1.0.html)
# need an identification token to allow control targeting. Because
# a farm of surrogates may all perform the same tasks, they may share
# an identification token.
#Default:
# httpd_accel_surrogate_id unset-id

# TAG: http_accel_surrogate_remote on|off
# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
# Set this to on to have Squid behave as a remote surrogate.
#Default:
# http_accel_surrogate_remote off

# TAG: esi_parser libxml2|expat|custom
# ESI markup is not strictly XML compatible. The custom ESI parser
# will give higher performance, but cannot handle non-ASCII character
# encodings.
#Default:
# esi_parser custom

# DELAY POOL PARAMETERS
# -----------------------------------------------------------------------------

# TAG: delay_pools
# This represents the number of delay pools to be used. For example,
# if you have one class 2 delay pool and one class 3 delay pool, you
# have a total of 2 delay pools.
#Default:
# delay_pools 0

# TAG: delay_class
# This defines the class of each delay pool. There must be exactly one
# delay_class line for each delay pool. For example, to define two
# delay pools, one of class 2 and one of class 3, the settings above
# and here would be:
#
# Example:
# delay_pools 4 # 4 delay pools
# delay_class 1 2 # pool 1 is a class 2 pool
# delay_class 2 3 # pool 2 is a class 3 pool
# delay_class 3 4 # pool 3 is a class 4 pool
# delay_class 4 5 # pool 4 is a class 5 pool
#
# The delay pool classes are:
#
# class 1 Everything is limited by a single aggregate
# bucket.
#
# class 2 Everything is limited by a single aggregate
# bucket as well as an "individual" bucket chosen
# from bits 25 through 32 of the IPv4 address.
#
# class 3 Everything is limited by a single aggregate
# bucket as well as a "network" bucket chosen
# from bits 17 through 24 of the IP address and an
# "individual" bucket chosen from bits 17 through
# 32 of the IPv4 address.
#
# class 4 Everything in a class 3 delay pool, with an
# additional limit on a per user basis. This
# only takes effect if the username is established
# in advance - by forcing authentication in your
# http_access rules.
#
# class 5 Requests are grouped according to their tag (see
# external_acl's tag= reply).
#
#
# Each pool also requires a delay_parameters directive to configure the pool size
# and speed limits used whenever the pool is applied to a request, along with
# a set of delay_access directives to determine when it is used.
#
# NOTE: If an IP address is a.b.c.d
# -> bits 25 through 32 are "d"
# -> bits 17 through 24 are "c"
# -> bits 17 through 32 are "c * 256 + d"
#
# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
#Default:
# none

# TAG: delay_access
# This is used to determine which delay pool a request falls into.
#
# delay_access is sorted per pool and the matching starts with pool 1,
# then pool 2, ..., and finally pool N. The first delay pool where the
# request is allowed is selected for the request. If it does not allow
# the request into any pool then the request is not delayed (default).
#
# For example, if you want some_big_clients in delay
# pool 1 and lotsa_little_clients in delay pool 2:
#
#Example:
# delay_access 1 allow some_big_clients
# delay_access 1 deny all
# delay_access 2 allow lotsa_little_clients
# delay_access 2 deny all
# delay_access 3 allow authenticated_clients
#Default:
# none

# TAG: delay_parameters
# This defines the parameters for a delay pool. Each delay pool has
# a number of "buckets" associated with it, as explained in the
# description of delay_class.
#
# For a class 1 delay pool, the syntax is:
# delay_pools pool 1
# delay_parameters pool aggregate
#
# For a class 2 delay pool:
# delay_pools pool 2
# delay_parameters pool aggregate individual
#
# For a class 3 delay pool:
# delay_pools pool 3
# delay_parameters pool aggregate network individual
#
# For a class 4 delay pool:
# delay_pools pool 4
# delay_parameters pool aggregate network individual user
#
# For a class 5 delay pool:
# delay_pools pool 5
# delay_parameters pool tagrate
#
# The option variables are:
#
# pool a pool number - i.e., a number between 1 and the
# number specified in delay_pools as used in
# delay_class lines.
#
# aggregate the speed limit parameters for the aggregate bucket
# (class 1, 2, 3).
#
# individual the speed limit parameters for the individual
# buckets (class 2, 3).
#
# network the speed limit parameters for the network buckets
# (class 3).
#
# user the speed limit parameters for the user buckets
# (class 4).
#
# tagrate the speed limit parameters for the tag buckets
# (class 5).
#
# A pair of delay parameters is written restore/maximum, where restore is
# the number of bytes (not bits - modem and network speeds are usually
# quoted in bits) per second placed into the bucket, and maximum is the
# maximum number of bytes which can be in the bucket at any time.
#
# There must be one delay_parameters line for each delay pool.
#
#
# For example, if delay pool number 1 is a class 2 delay pool as in the
# above example, and is being used to strictly limit each host to 64Kbit/sec
# (plus overheads), with no overall limit, the line is:
#
# delay_parameters 1 -1/-1 8000/8000
#
# Note that 8 x 8000 Byte/sec -> 64Kbit/sec.
#
# Note that the figure -1 is used to represent "unlimited".
#
#
# And, if delay pool number 2 is a class 3 delay pool as in the above
# example, and you want to limit it to a total of 256Kbit/sec (strict limit)
# with each 8-bit network permitted 64Kbit/sec (strict limit) and each
# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
# to permit a decent web page to be downloaded at a decent speed
# (if the network is not being limited due to overuse) but slow down
# large downloads more significantly:
#
# delay_parameters 2 32000/32000 8000/8000 600/8000
#
# Note that 8 x 32000 Byte/sec -> 256Kbit/sec.
# 8 x 8000 Byte/sec -> 64Kbit/sec.
# 8 x 600 Byte/sec -> 4800bit/sec.
#
#
# Finally, for a class 4 delay pool as in the example - each user will
# be limited to 128Kbits/sec no matter how many workstations they are logged into:
#
# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
#Default:
# none

# TAG: delay_initial_bucket_level (percent, 0-100)
# The initial bucket percentage is used to determine how much is put
# in each bucket when squid starts, is reconfigured, or first notices
# a host accessing it (in class 2 and class 3, individual hosts and
# networks only have buckets associated with them once they have been
# "seen" by squid).
#Default:
# delay_initial_bucket_level 50
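
# The following is an added example and is not part of squid.conf or of Squid
# itself. It models the class 3 pool described above (pool 2, configured with
# 'delay_parameters 2 32000/32000 8000/8000 600/8000' and the default
# delay_initial_bucket_level of 50) as restore/maximum token buckets keyed by
# the IPv4 address bits the delay_class text describes, and reports what a
# single host downloads per second: a burst from the half-full 8000-byte
# individual bucket, then a steady 600 bytes (4800 bits) per second. Assumed:
# one-second ticks, and that a host takes everything its buckets permit.

```python
"""Token-bucket model of a Squid class 3 delay pool.

Added example; not part of squid.conf or of Squid itself. It replays the
page's pool-2 example, 'delay_parameters 2 32000/32000 8000/8000 600/8000',
picks the network and individual buckets from the IPv4 address bits the page
describes (c, and c * 256 + d), and reports what one host receives per second.
Assumptions: one tick per second, restore is credited before serving in that
tick, a host with data pending takes all its buckets allow, and new buckets
start at delay_initial_bucket_level percent of their maximum.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Bucket:
    restore: int        # bytes credited per second (-1 = unlimited)
    maximum: int        # bytes the bucket can hold (-1 = unlimited)
    level: float = 0.0

    def tick(self) -> None:
        if self.maximum != -1:
            self.level = min(self.maximum, self.level + self.restore)

    def available(self) -> float:
        return float("inf") if self.maximum == -1 else self.level

    def drain(self, n: float) -> None:
        if self.maximum != -1:
            self.level -= n


def parse_pair(spec: str) -> tuple[int, int]:
    """'restore/maximum' -> (restore, maximum); -1 means unlimited."""
    restore, maximum = spec.split("/")
    return int(restore), int(maximum)


def bucket_keys(ip: str) -> tuple[int, int]:
    """Class 3 keys: network = c (bits 17-24), individual = c * 256 + d."""
    _a, _b, c, d = ipaddress.IPv4Address(ip).packed
    return c, c * 256 + d


class Class3Pool:
    def __init__(self, params: str, initial_level_pct: int = 50):
        # params: the 'aggregate network individual' tail of a delay_parameters line
        agg, self.net_spec, self.ind_spec = (parse_pair(p) for p in params.split())
        self.initial = initial_level_pct / 100.0
        self.aggregate = self._new(agg)
        self.networks: dict[int, Bucket] = {}
        self.individuals: dict[int, Bucket] = {}

    def _new(self, spec: tuple[int, int]) -> Bucket:
        restore, maximum = spec
        return Bucket(restore, maximum, 0.0 if maximum == -1 else maximum * self.initial)

    def buckets_for(self, ip: str) -> list[Bucket]:
        net_key, ind_key = bucket_keys(ip)
        if net_key not in self.networks:        # created when first "seen"
            self.networks[net_key] = self._new(self.net_spec)
        if ind_key not in self.individuals:
            self.individuals[ind_key] = self._new(self.ind_spec)
        return [self.aggregate, self.networks[net_key], self.individuals[ind_key]]

    def tick(self) -> None:
        for b in (self.aggregate, *self.networks.values(), *self.individuals.values()):
            b.tick()

    def serve(self, ip: str, wanted: int) -> int:
        """Grant the most bytes every applicable bucket can cover, then drain them."""
        buckets = self.buckets_for(ip)
        grant = int(max(0, min(wanted, *(b.available() for b in buckets))))
        for b in buckets:
            b.drain(grant)
        return grant


def simulate_download(params: str, ip: str, size: int, seconds: int,
                      initial_level_pct: int = 50) -> list[int]:
    """Bytes a single host receives in each of `seconds` ticks."""
    pool = Class3Pool(params, initial_level_pct)
    pool.buckets_for(ip)                 # host is known before the first tick
    remaining, delivered = size, []
    for _ in range(seconds):
        pool.tick()
        got = pool.serve(ip, remaining)
        remaining -= got
        delivered.append(got)
    return delivered


if __name__ == "__main__":
    # Expect a burst from the half-full 8000-byte bucket, then 600 B/s (4800 bit/s).
    print(simulate_download("32000/32000 8000/8000 600/8000", "10.1.7.42", 100_000, 10))
```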
4039
4040# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
4041# -----------------------------------------------------------------------------
4042
4043# TAG: wccp_router
4044# Use this option to define your WCCP ``home'' router for
4045# Squid.
4046#
4047# wccp_router supports a single WCCP(v1) router
4048#
4049# wccp2_router supports multiple WCCPv2 routers
4050#
4051# only one of the two may be used at the same time and defines
4052# which version of WCCP to use.
4053#Default:
4054# wccp_router any_addr
4055
4056# TAG: wccp2_router
4057# Use this option to define your WCCP ``home'' router for
4058# Squid.
4059#
4060# wccp_router supports a single WCCP(v1) router
4061#
4062# wccp2_router supports multiple WCCPv2 routers
4063#
4064# only one of the two may be used at the same time and defines
4065# which version of WCCP to use.
4066#Default:
4067# none
4068
4069# TAG: wccp_version
4070# This directive is only relevant if you need to set up WCCP(v1)
4071# to some very old and end-of-life Cisco routers. In all other
4072# setups it must be left unset or at the default setting.
4073# It defines an internal version in the WCCP(v1) protocol,
4074# with version 4 being the officially documented protocol.
4075#
4076# According to some users, Cisco IOS 11.2 and earlier only
4077# support WCCP version 3. If you're using that or an earlier
4078# version of IOS, you may need to change this value to 3, otherwise
4079# do not specify this parameter.
4080#Default:
4081# wccp_version 4
4082
4083# TAG: wccp2_rebuild_wait
4084# If this is enabled Squid will wait for the cache dir rebuild to finish
4085# before sending the first wccp2 HereIAm packet
4086#Default:
4087# wccp2_rebuild_wait on
4088
4089# TAG: wccp2_forwarding_method
4090# WCCP2 allows the setting of forwarding methods between the
4091# router/switch and the cache. Valid values are as follows:
4092#
4093# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4094# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
4095#
4096# Currently (as of IOS 12.4) Cisco routers only support GRE.
4097# Cisco switches only support the L2 redirect assignment method.
4098#Default:
4099# wccp2_forwarding_method gre
4100
4101# TAG: wccp2_return_method
4102# WCCP2 allows the setting of return methods between the
4103# router/switch and the cache for packets that the cache
4104# decides not to handle. Valid values are as follows:
4105#
4106# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4107# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
4108#
4109# Currently (as of IOS 12.4) Cisco routers only support GRE.
4110# Cisco switches only support the L2 redirect assignment.
4111#
4112# If the "ip wccp redirect exclude in" command has been
4113# enabled on the cache interface, then it is still safe for
4114# the proxy server to use a l2 redirect method even if this
4115# option is set to GRE.
4116#Default:
4117# wccp2_return_method gre
4118
4119# TAG: wccp2_assignment_method
4120# WCCP2 allows the setting of methods to assign the WCCP hash
4121# Valid values are as follows:
4122#
4123# hash - Hash assignment
4124# mask - Mask assignment
4125#
4126# As a general rule, Cisco routers support the hash assignment method
4127# and Cisco switches support the mask assignment method.
4128#Default:
4129# wccp2_assignment_method hash
4130
4131# TAG: wccp2_service
4132# WCCP2 allows for multiple traffic services. There are two
4133# types: "standard" and "dynamic". The standard type defines
4134# one service id - http (id 0). The dynamic service ids can be from
4135# 51 to 255 inclusive. In order to use a dynamic service id
4136# one must define the type of traffic to be redirected; this is done
4137# using the wccp2_service_info option.
4138#
4139# The "standard" type does not require a wccp2_service_info option,
4140# just specifying the service id will suffice.
4141#
4142# MD5 service authentication can be enabled by adding
4143# "password=<password>" to the end of this service declaration.
4144#
4145# Examples:
4146#
4147# wccp2_service standard 0 # for the 'web-cache' standard service
4148# wccp2_service dynamic 80 # a dynamic service type which will be
4149# # fleshed out with subsequent options.
4150# wccp2_service standard 0 password=foo
4151#Default:
4152# wccp2_service standard 0
4153
4154# TAG: wccp2_service_info
4155# Dynamic WCCPv2 services require further information to define the
4156# traffic you wish to have diverted.
4157#
4158# The format is:
4159#
4160# wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
4161# priority=<priority> ports=<port>,<port>..
4162#
4163# The relevant WCCPv2 flags:
4164# + src_ip_hash, dst_ip_hash
4165# + source_port_hash, dst_port_hash
4166# + src_ip_alt_hash, dst_ip_alt_hash
4167# + src_port_alt_hash, dst_port_alt_hash
4168# + ports_source
4169#
4170# The port list can be one to eight entries.
4171#
4172# Example:
4173#
4174# wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
4175# priority=240 ports=80
4176#
4177# Note: the service id must have been defined by a previous
4178# 'wccp2_service dynamic <id>' entry.
4179#Default:
4180# none
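# Added example (not Squid's code and not part of this file): a small Python
# checker for the rules stated above for wccp2_service and wccp2_service_info
# (standard id 0, dynamic ids 51-255, a prior "wccp2_service dynamic" line for
# every wccp2_service_info, the documented flag names, one to eight ports) that
# also reports services declared without the optional password= authentication.
# The sample configurations are constructed; "s3cret" is a placeholder.

```python
from typing import Dict, List

# Constraints stated by the wccp2_service / wccp2_service_info documentation.
STANDARD_ID = 0                   # the only standard service is http (id 0)
DYNAMIC_IDS = range(51, 256)      # dynamic service ids run from 51 to 255 inclusive
MAX_PORTS = 8                     # the port list can be one to eight entries
KNOWN_FLAGS = {
    "src_ip_hash", "dst_ip_hash", "source_port_hash", "dst_port_hash",
    "src_ip_alt_hash", "dst_ip_alt_hash", "src_port_alt_hash", "dst_port_alt_hash",
    "ports_source",
}


def _options(tokens: List[str]) -> Dict[str, str]:
    """Turn trailing 'key=value' tokens into a dict (the last occurrence wins)."""
    return dict(tok.split("=", 1) for tok in tokens if "=" in tok)


def validate_wccp2(conf: str) -> List[str]:
    """Check the WCCPv2 service lines of a squid.conf fragment.

    Returns one finding per violated rule; an empty list means the declarations
    are consistent with the documented constraints and every service carries
    password=<password>, i.e. MD5 service authentication is enabled.
    """
    findings: List[str] = []
    services: Dict[int, str] = {}   # service id -> "standard" | "dynamic"
    authenticated = set()           # ids declared with password=<password>
    described = set()               # dynamic ids that have a wccp2_service_info line

    for lineno, raw in enumerate(conf.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # squid.conf comments start with '#'
        if not tokens:
            continue

        if tokens[0] == "wccp2_service":
            if (len(tokens) < 3 or tokens[1] not in ("standard", "dynamic")
                    or not tokens[2].isdigit()):
                findings.append(f"line {lineno}: malformed wccp2_service line")
                continue
            stype, sid = tokens[1], int(tokens[2])
            if stype == "standard" and sid != STANDARD_ID:
                findings.append(f"line {lineno}: standard service id must be {STANDARD_ID}")
            if stype == "dynamic" and sid not in DYNAMIC_IDS:
                findings.append(f"line {lineno}: dynamic service id {sid} is outside 51-255")
            services[sid] = stype
            if "password" in _options(tokens[3:]):
                authenticated.add(sid)

        elif tokens[0] == "wccp2_service_info":
            if len(tokens) < 2 or not tokens[1].isdigit():
                findings.append(f"line {lineno}: malformed wccp2_service_info line")
                continue
            sid, opts = int(tokens[1]), _options(tokens[2:])
            if services.get(sid) != "dynamic":
                findings.append(f"line {lineno}: service {sid} was not declared by an "
                                f"earlier 'wccp2_service dynamic {sid}' line")
            unknown = set(filter(None, opts.get("flags", "").split(","))) - KNOWN_FLAGS
            if unknown:
                findings.append(f"line {lineno}: unknown flags {sorted(unknown)}")
            ports = [p for p in opts.get("ports", "").split(",") if p]
            if not 1 <= len(ports) <= MAX_PORTS:
                findings.append(f"line {lineno}: port list must have 1 to {MAX_PORTS} entries")
            described.add(sid)

    for sid, stype in services.items():
        if stype == "dynamic" and sid not in described:
            findings.append(f"service {sid}: dynamic service has no wccp2_service_info line")
        if sid not in authenticated:
            findings.append(f"service {sid}: no password= given, so MD5 service "
                            "authentication with the router is off")
    return findings


# Constructed samples (not taken from any real deployment).
GOOD_CONF = """\
wccp2_service standard 0 password=s3cret      # web-cache service, authenticated
wccp2_service dynamic 80 password=s3cret      # fleshed out by the next line
wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source priority=240 ports=80
"""

BAD_CONF = """\
wccp2_service standard 0
wccp2_service_info 90 protocol=tcp flags=src_ip_hash,bogus_flag priority=240 ports=80
wccp2_service dynamic 300
"""
```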
4181
4182# TAG: wccp2_weight
4183# Each cache server is assigned a share of the destination
4184# hash proportional to its weight.
4185#Default:
4186# wccp2_weight 10000
4187
4188# TAG: wccp_address
4189#Default:
4190# wccp_address 0.0.0.0
4191
4192# TAG: wccp2_address
4193# Use this option if you require WCCP to use a specific
4194# interface address.
4195#
4196# The default behavior is to not bind to any specific address.
4197#Default:
4198# wccp2_address 0.0.0.0
4199
4200# PERSISTENT CONNECTION HANDLING
4201# -----------------------------------------------------------------------------
4202#
4203# Also see "pconn_timeout" in the TIMEOUTS section
4204
4205# TAG: client_persistent_connections
4206#Default:
4207# client_persistent_connections on
4208
4209# TAG: server_persistent_connections
4210# Persistent connection support for clients and servers. By
4211# default, Squid uses persistent connections (when allowed)
4212# with its clients and servers. You can use these options to
4213# disable persistent connections with clients and/or servers.
4214#Default:
4215# server_persistent_connections on
4216
4217# TAG: persistent_connection_after_error
4218# With this directive the use of persistent connections after
4219# HTTP errors can be disabled. Useful if you have clients
4220# who fail to handle errors on persistent connections properly.
4221#Default:
4222# persistent_connection_after_error on
4223
4224# TAG: detect_broken_pconn
4225# Some servers have been found to incorrectly signal the use
4226# of HTTP/1.0 persistent connections even on replies not
4227# compatible, causing significant delays. This server problem
4228# has mostly been seen on redirects.
4229#
4230# By enabling this directive Squid attempts to detect such
4231# broken replies and automatically assume the reply is finished
4232# after a 10-second timeout.
4233#Default:
4234# detect_broken_pconn off
4235
4236# CACHE DIGEST OPTIONS
4237# -----------------------------------------------------------------------------
4238
4239# TAG: digest_generation
4240# This controls whether the server will generate a Cache Digest
4241# of its contents. By default, Cache Digest generation is
4242# enabled if Squid is compiled with --enable-cache-digests defined.
4243#Default:
4244# digest_generation on
4245
4246# TAG: digest_bits_per_entry
4247# This is the number of bits of the server's Cache Digest which
4248# will be associated with the Digest entry for a given HTTP
4249# Method and URL (public key) combination. The default is 5.
4250#Default:
4251# digest_bits_per_entry 5
4252
4253# TAG: digest_rebuild_period (seconds)
4254# This is the wait time between Cache Digest rebuilds.
4255#Default:
4256# digest_rebuild_period 1 hour
4257
4258# TAG: digest_rewrite_period (seconds)
4259# This is the wait time between Cache Digest writes to
4260# disk.
4261#Default:
4262# digest_rewrite_period 1 hour
4263
4264# TAG: digest_swapout_chunk_size (bytes)
4265# This is the number of bytes of the Cache Digest to write to
4266# disk at a time. It defaults to 4096 bytes (4KB), the Squid
4267# default swap page.
4268#Default:
4269# digest_swapout_chunk_size 4096 bytes
4270
4271# TAG: digest_rebuild_chunk_percentage (percent, 0-100)
4272# This is the percentage of the Cache Digest to be scanned at a
4273# time. By default it is set to 10% of the Cache Digest.
4274#Default:
4275# digest_rebuild_chunk_percentage 10
4276
4277# SNMP OPTIONS
4278# -----------------------------------------------------------------------------
4279
4280# TAG: snmp_port
4281# The port number where Squid listens for SNMP requests. To enable
4282# SNMP support set this to a suitable port number. Port number
4283# 3401 is often used for the Squid SNMP agent. By default it's
4284# set to "0" (disabled)
4285#
4286# Example:
4287# snmp_port 3401
4288#Default:
4289# snmp_port 0
4290
4291# TAG: snmp_access
4292# Allowing or denying access to the SNMP port.
4293#
4294# All access to the agent is denied by default.
4295# usage:
4296#
4297# snmp_access allow|deny [!]aclname ...
4298#
4299# This clause only supports fast acl types.
4300# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
4301#Example:
4302# snmp_access allow snmppublic localhost
4303# snmp_access deny all
4304#Default:
4305# snmp_access deny all
4306
4307# TAG: snmp_incoming_address
4308#Default:
4309# snmp_incoming_address any_addr
4310
4311# TAG: snmp_outgoing_address
4312# Just like 'udp_incoming_address', but for the SNMP port.
4313#
4314# snmp_incoming_address is used for the SNMP socket receiving
4315# messages from SNMP agents.
4316# snmp_outgoing_address is used for SNMP packets returned to SNMP
4317# agents.
4318#
4319# The default snmp_incoming_address is to listen on all
4320# available network interfaces.
4321#
4322# If snmp_outgoing_address is not set it will use the same socket
4323# as snmp_incoming_address. Only change this if you want to have
4324# SNMP replies sent using another address than where this Squid
4325# listens for SNMP queries.
4326#
4327# NOTE, snmp_incoming_address and snmp_outgoing_address can not have
4328# the same value since they both use port 3401.
4329#Default:
4330# snmp_outgoing_address no_addr
4331
4332# ICP OPTIONS
4333# -----------------------------------------------------------------------------
4334
4335# TAG: icp_port
4336# The port number where Squid sends and receives ICP queries to
4337# and from neighbor caches. The standard UDP port for ICP is 3130.
4338# Default is disabled (0).
4339#
4340# Example:
4341# icp_port 3130
4342#Default:
4343# icp_port 0
4344
4345# TAG: htcp_port
4346# The port number where Squid sends and receives HTCP queries to
4347# and from neighbor caches. To turn it on you want to set it to
4348# 4827. By default it is set to "0" (disabled).
4349#
4350# Example:
4351# htcp_port 4827
4352#Default:
4353# htcp_port 0
4354
4355# TAG: log_icp_queries on|off
4356# If set, ICP queries are logged to access.log. You may wish
4357# to disable this if your ICP load is VERY high to speed things
4358# up or to simplify log analysis.
4359#Default:
4360# log_icp_queries on
4361
4362# TAG: udp_incoming_address
4363# udp_incoming_address is used for UDP packets received from other
4364# caches.
4365#
4366# The default behavior is to not bind to any specific address.
4367#
4368# Only change this if you want to have all UDP queries received on
4369# a specific interface/address.
4370#
4371# NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
4372# modules. Altering it will affect all of them in the same manner.
4373#
4374# see also: udp_outgoing_address
4375#
4376# NOTE, udp_incoming_address and udp_outgoing_address can not
4377# have the same value since they both use the same port.
4378#Default:
4379# udp_incoming_address any_addr
4380
4381# TAG: udp_outgoing_address
4382# udp_outgoing_address is used for UDP packets sent out to other
4383# caches.
4384#
4385# The default behavior is to not bind to any specific address.
4386#
4387# Instead it will use the same socket as udp_incoming_address.
4388# Only change this if you want to have UDP queries sent using another
4389# address than where this Squid listens for UDP queries from other
4390# caches.
4391#
4392# NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
4393# modules. Altering it will affect all of them in the same manner.
4394#
4395# see also: udp_incoming_address
4396#
4397# NOTE, udp_incoming_address and udp_outgoing_address can not
4398# have the same value since they both use the same port.
4399#Default:
4400# udp_outgoing_address no_addr
4401
4402# TAG: icp_hit_stale on|off
4403# If you want to return ICP_HIT for stale cache objects, set this
4404# option to 'on'. If you have sibling relationships with caches
4405# in other administrative domains, this should be 'off'. If you only
4406# have sibling relationships with caches under your control,
4407# it is probably okay to set this to 'on'.
4408# If set to 'on', your siblings should use the option "allow-miss"
4409# on their cache_peer lines for connecting to you.
4410#Default:
4411# icp_hit_stale off
4412
4413# TAG: minimum_direct_hops
4414# If using the ICMP pinging stuff, do direct fetches for sites
4415# which are no more than this many hops away.
4416#Default:
4417# minimum_direct_hops 4
4418
4419# TAG: minimum_direct_rtt
4420# If using the ICMP pinging stuff, do direct fetches for sites
4421# which are no more than this many rtt milliseconds away.
4422#Default:
4423# minimum_direct_rtt 400
4424
4425# TAG: netdb_low
4426#Default:
4427# netdb_low 900
4428
4429# TAG: netdb_high
4430# The low and high water marks for the ICMP measurement
4431# database. These are counts, not percents. The defaults are
4432# 900 and 1000. When the high water mark is reached, database
4433# entries will be deleted until the low mark is reached.
4434#Default:
4435# netdb_high 1000
4436
4437# TAG: netdb_ping_period
4438# The minimum period for measuring a site. There will be at
4439# least this much delay between successive pings to the same
4440# network. The default is five minutes.
4441#Default:
4442# netdb_ping_period 5 minutes
4443
4444# TAG: query_icmp on|off
4445# If you want to ask your peers to include ICMP data in their ICP
4446# replies, enable this option.
4447#
4448# If your peer has configured Squid (during compilation) with
4449# '--enable-icmp' that peer will send ICMP pings to origin server
4450# sites of the URLs it receives. If you enable this option the
4451# ICP replies from that peer will include the ICMP data (if available).
4452# Then, when choosing a parent cache, Squid will choose the parent with
4453# the minimal RTT to the origin server. When this happens, the
4454# hierarchy field of the access.log will be
4455# "CLOSEST_PARENT_MISS". This option is off by default.
4456#Default:
4457# query_icmp off
4458
4459# TAG: test_reachability on|off
4460# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
4461# instead of ICP_MISS if the target host is NOT in the ICMP
4462# database, or has a zero RTT.
4463#Default:
4464# test_reachability off
4465
4466# TAG: icp_query_timeout (msec)
4467# Normally Squid will automatically determine an optimal ICP
4468# query timeout value based on the round-trip-time of recent ICP
4469# queries. If you want to override the value determined by
4470# Squid, set this 'icp_query_timeout' to a non-zero value. This
4471# value is specified in MILLISECONDS, so, to use a 2-second
4472# timeout (the old default), you would write:
4473#
4474# icp_query_timeout 2000
4475#Default:
4476# icp_query_timeout 0
4477
4478# TAG: maximum_icp_query_timeout (msec)
4479# Normally the ICP query timeout is determined dynamically. But
4480# sometimes it can lead to very large values (say 5 seconds).
4481# Use this option to put an upper limit on the dynamic timeout
4482# value. Do NOT use this option to always use a fixed (instead
4483# of a dynamic) timeout value. To set a fixed timeout see the
4484# 'icp_query_timeout' directive.
4485#Default:
4486# maximum_icp_query_timeout 2000
4487
4488# TAG: minimum_icp_query_timeout (msec)
4489# Normally the ICP query timeout is determined dynamically. But
4490# sometimes it can lead to very small timeouts, even lower than
4491# the normal latency variance on your link due to traffic.
4492# Use this option to put a lower limit on the dynamic timeout
4493# value. Do NOT use this option to always use a fixed (instead
4494# of a dynamic) timeout value. To set a fixed timeout see the
4495# 'icp_query_timeout' directive.
4496#Default:
4497# minimum_icp_query_timeout 5
4498
4499# TAG: background_ping_rate time-units
4500# Controls how often the ICP pings are sent to siblings that
4501# have background-ping set.
4502#Default:
4503# background_ping_rate 10 seconds
4504
4505# MULTICAST ICP OPTIONS
4506# -----------------------------------------------------------------------------
4507
4508# TAG: mcast_groups
4509# This tag specifies a list of multicast groups which your server
4510# should join to receive multicasted ICP queries.
4511#
4512# NOTE! Be very careful what you put here! Be sure you
4513# understand the difference between an ICP _query_ and an ICP
4514# _reply_. This option is to be set only if you want to RECEIVE
4515# multicast queries. Do NOT set this option to SEND multicast
4516# ICP (use cache_peer for that). ICP replies are always sent via
4517# unicast, so this option does not affect whether or not you will
4518# receive replies from multicast group members.
4519#
4520# You must be very careful to NOT use a multicast address which
4521# is already in use by another group of caches.
4522#
4523# If you are unsure about multicast, please read the Multicast
4524# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
4525#
4526# Usage: mcast_groups 239.128.16.128 224.0.1.20
4527#
4528# By default, Squid doesn't listen on any multicast groups.
4529#Default:
4530# none
4531
4532# TAG: mcast_miss_addr
4533# Note: This option is only available if Squid is rebuilt with the
4534# -DMULTICAST_MISS_STREAM define
4535#
4536# If you enable this option, every "cache miss" URL will
4537# be sent out on the specified multicast address.
4538#
4539# Do not enable this option unless you are absolutely
4540# certain you understand what you are doing.
4541#Default:
4542# mcast_miss_addr no_addr
4543
4544# TAG: mcast_miss_ttl
4545# Note: This option is only available if Squid is rebuilt with the
4546# -DMULTICAST_MISS_STREAM define
4547#
4548# This is the time-to-live value for packets multicasted
4549# when multicasting off cache miss URLs is enabled. By
4550# default this is set to 'site scope', i.e. 16.
4551#Default:
4552# mcast_miss_ttl 16
4553
4554# TAG: mcast_miss_port
4555# Note: This option is only available if Squid is rebuilt with the
4556# -DMULTICAST_MISS_STREAM define
4557#
4558# This is the port number to be used in conjunction with
4559# 'mcast_miss_addr'.
4560#Default:
4561# mcast_miss_port 3135
4562
4563# TAG: mcast_miss_encode_key
4564# Note: This option is only available if Squid is rebuilt with the
4565# -DMULTICAST_MISS_STREAM define
4566#
4567# The URLs that are sent in the multicast miss stream are
4568# encrypted. This is the encryption key.
4569#Default:
4570# mcast_miss_encode_key XXXXXXXXXXXXXXXX
4571
4572# TAG: mcast_icp_query_timeout (msec)
4573# For multicast peers, Squid regularly sends out ICP "probes" to
4574# count how many other peers are listening on the given multicast
4575# address. This value specifies how long Squid should wait to
4576# count all the replies. The default is 2000 msec, or 2
4577# seconds.
4578#Default:
4579# mcast_icp_query_timeout 2000
4580
4581# INTERNAL ICON OPTIONS
4582# -----------------------------------------------------------------------------
4583
4584# TAG: icon_directory
4585# Where the icons are stored. These are normally kept in
4586# /usr/share/squid3/icons
4587#Default:
4588# icon_directory /usr/share/squid3/icons
4589
4590# TAG: global_internal_static
4591# This directive controls whether Squid should intercept all requests for
4592# /squid-internal-static/ no matter which host the URL is requesting
4593# (default on setting), or if nothing special should be done for
4594# such URLs (off setting). The purpose of this directive is to make
4595# icons etc. work better in complex cache hierarchies where it may
4596# not always be possible for all corners in the cache mesh to reach
4597# the server generating a directory listing.
4598#Default:
4599# global_internal_static on
4600
4601# TAG: short_icon_urls
4602# If this is enabled Squid will use short URLs for icons.
4603# If disabled it will revert to the old behavior of including
4604# its own name and port in the URL.
4605#
4606# If you run a complex cache hierarchy with a mix of Squid and
4607# other proxies you may need to disable this directive.
4608#Default:
4609# short_icon_urls on
4610
4611# ERROR PAGE OPTIONS
4612# -----------------------------------------------------------------------------
4613
4614# TAG: error_directory
4615# If you wish to create your own versions of the default
4616# error files to customize them to suit your company, copy
4617# the error/template files to another directory and point
4618# this tag at them.
4619#
4620# WARNING: This option will disable multi-language support
4621# on error pages if used.
4622#
4623# The squid developers are interested in making squid available in
4624# a wide variety of languages. If you are making translations for a
4625# language that Squid does not currently provide please consider
4626# contributing your translation back to the project.
4627# http://wiki.squid-cache.org/Translations
4628#
4629# The squid developers working on translations are happy to supply drop-in
4630# translated error files in exchange for any new language contributions.
4631#Default:
4632# none
4633
4634# TAG: error_default_language
4635# Set the default language which squid will send error pages in
4636# if no existing translation matches the client's language
4637# preferences.
4638#
4639# If unset (default) generic English will be used.
4640#
4641# The squid developers are interested in making squid available in
4642# a wide variety of languages. If you are interested in making
4643# translations for any language see the squid wiki for details.
4644# http://wiki.squid-cache.org/Translations
4645#Default:
4646# none
4647
4648# TAG: error_log_languages
4649# Log to cache.log what languages users are attempting to
4650# auto-negotiate for translations.
4651#
4652# Successful negotiations are not logged. Only failures
4653# have meaning to indicate that Squid may need an upgrade
4654# of its error page translations.
4655#Default:
4656# error_log_languages on
4657
4658# TAG: err_page_stylesheet
4659# CSS Stylesheet to pattern the display of Squid default error pages.
4660#
4661# For information on CSS see http://www.w3.org/Style/CSS/
4662#Default:
4663# err_page_stylesheet /etc/squid3/errorpage.css
4664
4665# TAG: err_html_text
4666# HTML text to include in error messages. Make this a "mailto"
4667# URL to your admin address, or maybe just a link to your
4668# organization's Web page.
4669#
4670# To include this in your error messages, you must rewrite
4671# the error template files (found in the "errors" directory).
4672# Wherever you want the 'err_html_text' line to appear,
4673# insert a %L tag in the error template file.
4674#Default:
4675# none
4676
4677# TAG: email_err_data on|off
4678# If enabled, information about the occurred error will be
4679# included in the mailto links of the ERR pages (if %W is set)
4680# so that the email body contains the data.
4681# Syntax is <A HREF="mailto:%w%W">%w</A>
4682#Default:
4683# email_err_data on
4684
4685# TAG: deny_info
4686# Usage: deny_info err_page_name acl
4687# or deny_info http://... acl
4688# or deny_info TCP_RESET acl
4689#
4690# This can be used to return an ERR_ page for requests which
4691# do not pass the 'http_access' rules. Squid remembers the last
4692# acl it evaluated in http_access, and if a 'deny_info' line exists
4693# for that ACL Squid returns a corresponding error page.
4694#
4695# The acl is typically the last acl on the http_access deny line which
4696# denied access. The exceptions to this rule are:
4697# - When Squid needs to request authentication credentials. It's then
4698# the first authentication related acl encountered
4699# - When none of the http_access lines matches. It's then the last
4700# acl processed on the last http_access line.
4701#
4702# NP: If providing your own custom error pages with error_directory
4703# you may also specify them by your custom file name:
4704# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
4705#
4706# Alternatively you can specify an error URL. The browsers will
4707# get redirected (302 or 307) to the specified URL. %s in the redirection
4708# URL will be replaced by the requested URL.
4709#
4710# Alternatively you can tell Squid to reset the TCP connection
4711# by specifying TCP_RESET.
4712#Default:
4713# none
4714
4715# OPTIONS INFLUENCING REQUEST FORWARDING
4716# -----------------------------------------------------------------------------
4717
4718# TAG: nonhierarchical_direct
4719# By default, Squid will send any non-hierarchical requests
4720# (matching hierarchy_stoplist or not cacheable request type) direct
4721# to origin servers.
4722#
4723# If you set this to off, Squid will prefer to send these
4724# requests to parents.
4725#
4726# Note that in most configurations, by turning this off you will only
4727# add latency to these requests without any improvement in global hit
4728# ratio.
4729#
4730# If you are inside a firewall see never_direct instead of
4731# this directive.
4732#Default:
4733# nonhierarchical_direct on
4734
4735# TAG: prefer_direct
4736# Normally Squid tries to use parents for most requests. If for some
4737# reason you would like it to first try going direct and only use a parent if
4738# going direct fails, set this to on.
4739#
4740# By combining nonhierarchical_direct off and prefer_direct on you
4741# can set up Squid to use a parent as a backup path if going direct
4742# fails.
4743#
4744# Note: If you want Squid to use parents for all requests see
4745# the never_direct directive. prefer_direct only modifies how Squid
4746# acts on cacheable requests.
4747#Default:
4748# prefer_direct off
4749
4750# TAG: always_direct
4751# Usage: always_direct allow|deny [!]aclname ...
4752#
4753# Here you can use ACL elements to specify requests which should
4754# ALWAYS be forwarded by Squid to the origin servers without using
4755# any peers. For example, to always directly forward requests for
4756# local servers, ignoring any parents or siblings you may have, use
4757# something like:
4758#
4759# acl local-servers dstdomain my.domain.net
4760# always_direct allow local-servers
4761#
4762# To always forward FTP requests directly, use
4763#
4764# acl FTP proto FTP
4765# always_direct allow FTP
4766#
4767# NOTE: There is a similar, but opposite option named
4768# 'never_direct'. You need to be aware that "always_direct deny
4769# foo" is NOT the same thing as "never_direct allow foo". You
4770# may need to use a deny rule to exclude a more-specific case of
4771# some other rule. Example:
4772#
4773# acl local-external dstdomain external.foo.net
4774# acl local-servers dstdomain .foo.net
4775# always_direct deny local-external
4776# always_direct allow local-servers
4777#
4778# NOTE: If your goal is to make the client forward the request
4779# directly to the origin server bypassing Squid then this needs
4780# to be done in the client configuration. Squid configuration
4781# can only tell Squid how Squid should fetch the object.
4782#
4783# NOTE: This directive is not related to caching. The replies
4784# are cached as usual even if you use always_direct. To not cache
4785# the replies see the 'cache' directive.
4786#
4787# This clause supports both fast and slow acl types.
4788# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
4789#Default:
4790# none
4791
4792# TAG: never_direct
4793# Usage: never_direct allow|deny [!]aclname ...
4794#
4795# never_direct is the opposite of always_direct. Please read
4796# the description for always_direct if you have not already.
4797#
4798# With 'never_direct' you can use ACL elements to specify
4799# requests which should NEVER be forwarded directly to origin
4800# servers. For example, to force the use of a proxy for all
4801# requests, except those in your local domain use something like:
4802#
4803# acl local-servers dstdomain .foo.net
4804# never_direct deny local-servers
4805# never_direct allow all
4806#
4807# or if Squid is inside a firewall and there are local intranet
4808# servers inside the firewall use something like:
4809#
4810# acl local-intranet dstdomain .foo.net
4811# acl local-external dstdomain external.foo.net
4812# always_direct deny local-external
4813# always_direct allow local-intranet
4814# never_direct allow all
4815#
4816# This clause supports both fast and slow acl types.
4817# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
4818#Default:
4819# none
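# Added example (not Squid's code and not part of this file): a Python model of
# the access-list rules described for deny_info above and for always_direct /
# never_direct here. It evaluates dstdomain acls itself; any other acl (the src
# acl "localnet" in the constructed sample) is supplied as a name -> bool mapping,
# and the authentication-challenge exception of deny_info is not modelled.

```python
from typing import Dict, List, Tuple


def _tokens(conf: str):
    """Yield the tokens of each non-empty, non-comment squid.conf line."""
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield tokens


def parse_rules(conf: str, directive: str) -> List[Tuple[str, List[str]]]:
    """Collect '<directive> allow|deny acl ...' lines in file order."""
    return [(t[1], t[2:]) for t in _tokens(conf)
            if t[0] == directive and len(t) >= 3 and t[1] in ("allow", "deny")]


def parse_deny_info(conf: str) -> Dict[str, str]:
    """Map each acl named on a deny_info line to its page, URL or TCP_RESET."""
    return {acl: t[1] for t in _tokens(conf)
            if t[0] == "deny_info" and len(t) >= 3 for acl in t[2:]}


def dstdomain_matches(conf: str, host: str) -> Dict[str, bool]:
    """Evaluate every 'acl NAME dstdomain ...' line for one destination host: a
    leading dot matches the domain and all its subdomains, otherwise exact."""
    result: Dict[str, bool] = {}
    for t in _tokens(conf):
        if t[0] == "acl" and len(t) >= 4 and t[2] == "dstdomain":
            hit = any((host == p[1:] or host.endswith(p)) if p.startswith(".")
                      else host == p for p in t[3:])
            result[t[1]] = result.get(t[1], False) or hit
    return result


def evaluate(rules: List[Tuple[str, List[str]]], matches: Dict[str, bool]):
    """Run an access list: a line ANDs its acls left to right and stops at the first
    miss; the first fully matching line decides. Returns (action | None, last acl)."""
    last_acl = None
    for action, acls in rules:
        for acl in acls:
            name = acl.lstrip("!")
            last_acl = name                      # Squid remembers the last acl evaluated
            hit = name == "all" or matches.get(name, False)
            if acl.startswith("!"):
                hit = not hit
            if not hit:
                break
        else:
            return action, last_acl
    return None, last_acl


def http_access_decision(conf: str, matches: Dict[str, bool]):
    """Return (allow|deny, acl deny_info keys on, page). With no matching line the
    documented http_access default applies: the opposite of the last line's action
    (deny if there are no lines), keyed on the last acl processed on that line."""
    rules = parse_rules(conf, "http_access")
    action, last_acl = evaluate(rules, matches)
    if action is None:
        action = "allow" if rules and rules[-1][0] == "deny" else "deny"
    if action == "allow":
        return "allow", None, None
    return "deny", last_acl, parse_deny_info(conf).get(last_acl, "ERR_ACCESS_DENIED")


def forwarding(conf: str, matches: Dict[str, bool]) -> str:
    """always_direct allow forces DIRECT and is consulted first (the intranet
    example above relies on it); never_direct allow forbids going direct; a deny
    line in either list only stops that list matching, which is why
    "always_direct deny foo" is not "never_direct allow foo"."""
    if evaluate(parse_rules(conf, "always_direct"), matches)[0] == "allow":
        return "DIRECT"
    if evaluate(parse_rules(conf, "never_direct"), matches)[0] == "allow":
        return "PEER_ONLY"
    return "NORMAL"


# Constructed sample: the firewall example from this section plus a small
# http_access policy ('localnet' stands in for a src acl supplied by the caller).
SAMPLE_CONF = """\
acl local-intranet dstdomain .foo.net
acl local-external dstdomain external.foo.net
acl bad_guys dstdomain .bad.example
http_access deny bad_guys
http_access allow localnet
http_access deny all
deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
always_direct deny local-external
always_direct allow local-intranet
never_direct allow all
"""


def decide(host: str, from_localnet: bool):
    """Resolve both decisions for one destination host against SAMPLE_CONF."""
    matches = dict(dstdomain_matches(SAMPLE_CONF, host), localnet=from_localnet)
    return http_access_decision(SAMPLE_CONF, matches), forwarding(SAMPLE_CONF, matches)
```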
4820
4821# ADVANCED NETWORKING OPTIONS
4822# -----------------------------------------------------------------------------
4823
4824# TAG: incoming_icp_average
4825#Default:
4826# incoming_icp_average 6
4827
4828# TAG: incoming_http_average
4829#Default:
4830# incoming_http_average 4
4831
4832# TAG: incoming_dns_average
4833#Default:
4834# incoming_dns_average 4
4835
4836# TAG: min_icp_poll_cnt
4837#Default:
4838# min_icp_poll_cnt 8
4839
4840# TAG: min_dns_poll_cnt
4841#Default:
4842# min_dns_poll_cnt 8
4843
4844# TAG: min_http_poll_cnt
4845# Heavy voodoo here. I can't even believe you are reading this.
4846# Are you crazy? Don't even think about adjusting these unless
4847# you understand the algorithms in comm_select.c first!
4848#Default:
4849# min_http_poll_cnt 8
4850
4851# TAG: accept_filter
4852# FreeBSD:
4853#
4854# The name of an accept(2) filter to install on Squid's
4855# listen socket(s). This feature is perhaps specific to
4856# FreeBSD and requires support in the kernel.
4857#
4858# The 'httpready' filter delays delivering new connections
4859# to Squid until a full HTTP request has been received.
4860# See the accf_http(9) man page for details.
4861#
4862# The 'dataready' filter delays delivering new connections
4863# to Squid until there is some data to process.
4864# See the accf_dataready(9) man page for details.
4865#
4866# Linux:
4867#
4868# The 'data' filter delays delivery of new connections
4869# to Squid until there is some data to process by TCP_ACCEPT_DEFER.
4870# You may optionally specify a number of seconds to wait by
4871# 'data=N' where N is the number of seconds. Defaults to 30
4872# if not specified. See the tcp(7) man page for details.
4873#EXAMPLE:
4874## FreeBSD
4875#accept_filter httpready
4876## Linux
4877#accept_filter data
4878#Default:
4879# none
4880
4881# TAG: client_ip_max_connections
4882# Set an absolute limit on the number of connections a single
4883# client IP can use. Any more than this and Squid will begin to drop
4884# new connections from the client until it closes some links.
4885#
4886# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
4887# connections from the client. For finer control use the ACL access controls.
4888#
4889# Requires client_db to be enabled (the default).
4890#
4891# WARNING: This may noticeably slow down traffic received via external proxies
4892# or NAT devices and cause them to rebound error messages back to their clients.
4893#Default:
4894# client_ip_max_connections -1
4895
4896# TAG: tcp_recv_bufsize (bytes)
4897# Size of receive buffer to set for TCP sockets. Probably just
4898# as easy to change your kernel's default. Set to zero to use
4899# the default buffer size.
4900#Default:
4901# tcp_recv_bufsize 0 bytes
4902
4903# ICAP OPTIONS
4904# -----------------------------------------------------------------------------
4905
4906# TAG: icap_enable on|off
4907# If you want to enable the ICAP module support, set this to on.
4908#Default:
4909# icap_enable off
4910
4911# TAG: icap_connect_timeout
4912# This parameter specifies how long to wait for the TCP connect to
4913# the requested ICAP server to complete before giving up and either
4914# terminating the HTTP transaction or bypassing the failure.
4915#
4916# The default for optional services is peer_connect_timeout.
4917# The default for essential services is connect_timeout.
4918# If this option is explicitly set, its value applies to all services.
4919#Default:
4920# none
4921
4922# TAG: icap_io_timeout time-units
4923# This parameter specifies how long to wait for an I/O activity on
4924# an established, active ICAP connection before giving up and
4925# either terminating the HTTP transaction or bypassing the
4926# failure.
4927#
4928# The default is read_timeout.
4929#Default:
4930# none
4931
4932# TAG: icap_service_failure_limit
4933# The limit specifies the number of failures that Squid tolerates
4934# when establishing a new TCP connection with an ICAP service. If
4935# the number of failures exceeds the limit, the ICAP service is
4936# not used for new ICAP requests until it is time to refresh its
4937# OPTIONS. The per-service failure counter is reset to zero each
4938# time Squid fetches new service OPTIONS.
4939#
4940# A negative value disables the limit. Without the limit, an ICAP
4941# service will not be considered down due to connectivity failures
4942# between ICAP OPTIONS requests.
4943#Default:
4944# icap_service_failure_limit 10
4945
4946# TAG: icap_service_revival_delay
4947# The delay specifies the number of seconds to wait after an ICAP
4948# OPTIONS request failure before requesting the options again. The
4949# failed ICAP service is considered "down" until fresh OPTIONS are
4950# fetched.
4951#
4952# The actual delay cannot be smaller than the hardcoded minimum
4953# delay of 30 seconds.
4954#Default:
4955# icap_service_revival_delay 180
4956
4957# TAG: icap_preview_enable on|off
4958# The ICAP Preview feature allows the ICAP server to handle the
4959# HTTP message by looking only at the beginning of the message body
4960# or even without receiving the body at all. In some environments,
4961# previews greatly speed up ICAP processing.
4962#
4963# During an ICAP OPTIONS transaction, the server may tell Squid what
4964# HTTP messages should be previewed and how big the preview should be.
4965# Squid will not use Preview if the server did not request one.
4966#
4967# To disable ICAP Preview for all ICAP services, regardless of
4968# individual ICAP server OPTIONS responses, set this option to "off".
4969#Example:
4970#icap_preview_enable off
4971#Default:
4972# icap_preview_enable on
4973
4974# TAG: icap_preview_size
4975# The default size of preview data to be sent to the ICAP server.
4976# -1 means no preview. This value might be overwritten on a per server
4977# basis by OPTIONS requests.
4978#Default:
4979# icap_preview_size -1
4980
4981# TAG: icap_default_options_ttl
4982# The default TTL value for ICAP OPTIONS responses that don't have
4983# an Options-TTL header.
4984#Default:
4985# icap_default_options_ttl 60
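#
# Added example (not Squid source code): a small Python model of the service
# health rules described by icap_service_failure_limit, icap_service_revival_delay
# and icap_default_options_ttl. The limits and the 30 second minimum are the
# values stated above; the class and method names are this example's own.

```python
"""Model of how an ICAP service goes down and comes back, following the
icap_service_failure_limit / icap_service_revival_delay / options TTL text.
Added illustration only; Squid's real implementation is C++ and not shown."""
from dataclasses import dataclass

MIN_REVIVAL_DELAY = 30  # hard-coded minimum named in icap_service_revival_delay


@dataclass
class IcapServiceHealth:
    failure_limit: int = 10      # icap_service_failure_limit (negative disables)
    revival_delay: int = 180     # icap_service_revival_delay, in seconds
    options_ttl: int = 60        # icap_default_options_ttl, in seconds
    failures: int = 0            # per-service TCP connect failure counter
    down: bool = False
    next_options_at: int = 0     # earliest time a fresh OPTIONS fetch is attempted

    def effective_revival_delay(self) -> int:
        # The actual delay cannot be smaller than the hard-coded 30 second minimum.
        return max(self.revival_delay, MIN_REVIVAL_DELAY)

    def record_connect_failure(self) -> None:
        # Count connect failures; once the count exceeds the limit the service
        # is not used for new ICAP requests until its OPTIONS are refreshed.
        self.failures += 1
        if self.failure_limit >= 0 and self.failures > self.failure_limit:
            self.down = True

    def options_fetched(self, now: int, ok: bool) -> None:
        # A successful OPTIONS fetch resets the failure counter and revives the
        # service; a failed one keeps it down until the revival delay has passed.
        if ok:
            self.failures = 0
            self.down = False
            self.next_options_at = now + self.options_ttl
        else:
            self.down = True
            self.next_options_at = now + self.effective_revival_delay()

    def usable(self) -> bool:
        # A down service is skipped; with bypass=0 that means an error page.
        return not self.down
```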
4986
4987# TAG: icap_persistent_connections on|off
4988# Whether or not Squid should use persistent connections to
4989# an ICAP server.
4990#Default:
4991# icap_persistent_connections on
4992
4993# TAG: icap_send_client_ip on|off
4994# If enabled, Squid shares HTTP client IP information with adaptation
4995# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
4996# For eCAP, Squid sets the libecap::metaClientIp transaction option.
4997#
4998# See also: adaptation_uses_indirect_client
4999#Default:
5000# icap_send_client_ip off
5001
5002# TAG: icap_send_client_username on|off
5003# This sends authenticated HTTP client username (if available) to
5004# the ICAP service. The username value is encoded based on the
5005# icap_client_username_encode option and is sent using the header
5006# specified by the icap_client_username_header option.
5007#Default:
5008# icap_send_client_username off
5009
5010# TAG: icap_client_username_header
5011# ICAP request header name to use for send_client_username.
5012#Default:
5013# icap_client_username_header X-Client-Username
5014
5015# TAG: icap_client_username_encode on|off
5016# Whether to base64 encode the authenticated client username.
5017#Default:
5018# icap_client_username_encode off
5019
5020# TAG: icap_service
5021# Defines a single ICAP service using the following format:
5022#
5023# icap_service service_name vectoring_point [options] service_url
5024#
5025# service_name: ID
5026# an opaque identifier which must be unique in squid.conf
5027#
5028# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
5029# This specifies at which point of transaction processing the
5030# ICAP service should be activated. *_postcache vectoring points
5031# are not yet supported.
5032#
5033# service_url: icap://servername:port/servicepath
5034# ICAP server and service location.
5035#
5036# ICAP does not allow a single service to handle both REQMOD and RESPMOD
5037# transactions. Squid does not enforce that requirement. You can specify
5038# services with the same service_url and different vectoring_points. You
5039# can even specify multiple identical services as long as their
5040# service_names differ.
5041#
5042#
5043# Service options are separated by white space. ICAP services support
5044# the following name=value options:
5045#
5046# bypass=on|off|1|0
5047# If set to 'on' or '1', the ICAP service is treated as
5048# optional. If the service cannot be reached or malfunctions,
5049# Squid will try to ignore any errors and process the message as
5050# if the service was not enabled. Not all ICAP errors can be
5051# bypassed. If set to 0, the ICAP service is treated as
5052# essential and all ICAP errors will result in an error page
5053# returned to the HTTP client.
5054#
5055# Bypass is off by default: services are treated as essential.
5056#
5057# routing=on|off|1|0
5058# If set to 'on' or '1', the ICAP service is allowed to
5059# dynamically change the current message adaptation plan by
5060# returning a chain of services to be used next. The services
5061# are specified using the X-Next-Services ICAP response header
5062# value, formatted as a comma-separated list of service names.
5063# Each named service should be configured in squid.conf and
5064# should have the same method and vectoring point as the current
5065# ICAP transaction. Services violating these rules are ignored.
5066# An empty X-Next-Services value results in an empty plan which
5067# ends the current adaptation.
5068#
5069# Routing is not allowed by default: the ICAP X-Next-Services
5070# response header is ignored.
5071#
5072# ipv6=on|off
5073# Only has effect on split-stack systems. The default on those systems
5074# is to use IPv4-only connections. When set to 'on' this option will
5075# make Squid use IPv6-only connections to contact this ICAP service.
5076#
5077# Older icap_service format without optional named parameters is
5078# deprecated but supported for backward compatibility.
5079#
5080#Example:
5081#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod
5082#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod
5083#Default:
5084# none
5085
5086# TAG: icap_class
5087# This deprecated option was documented to define an ICAP service
5088# chain, even though it actually defined a set of similar, redundant
5089# services, and the chains were not supported.
5090#
5091# To define a set of redundant services, please use the
5092# adaptation_service_set directive. For service chains, use
5093# adaptation_service_chain.
5094#Default:
5095# none
5096
5097# TAG: icap_access
5098# This option is deprecated. Please use adaptation_access, which
5099# has the same ICAP functionality, but comes with better
5100# documentation, and eCAP support.
5101#Default:
5102# none
5103
5104# eCAP OPTIONS
5105# -----------------------------------------------------------------------------
5106
5107# TAG: ecap_enable on|off
5108# Note: This option is only available if Squid is rebuilt with the
5109# --enable-ecap option
5110#
5111# Controls whether eCAP support is enabled.
5112#Default:
5113# ecap_enable off
5114
5115# TAG: ecap_service
5116# Note: This option is only available if Squid is rebuilt with the
5117# --enable-ecap option
5118#
5119# Defines a single eCAP service
5120#
5121# ecap_service servicename vectoring_point bypass service_url
5122#
5123# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
5124# This specifies at which point of transaction processing the
5125# eCAP service should be activated. *_postcache vectoring points
5126# are not yet supported.
5127# bypass = 1|0
5128# If set to 1, the eCAP service is treated as optional. If the
5129# service cannot be reached or malfunctions, Squid will try to
5130# ignore any errors and process the message as if the service
5131# was not enabled. Not all eCAP errors can be bypassed.
5132# If set to 0, the eCAP service is treated as essential and all
5133# eCAP errors will result in an error page returned to the
5134# HTTP client.
5135# service_url = ecap://vendor/service_name?custom&cgi=style&parameters=optional
5136#
5137#Example:
5138#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
5139#ecap_service service_2 respmod_precache 1 ecap://filters-R-us/virusFilter?config=/etc/vf.cfg
5140#Default:
5141# none
5142
5143# TAG: loadable_modules
5144# Instructs Squid to load the specified dynamic module(s) or activate
5145# preloaded module(s).
5146#Example:
5147#loadable_modules /usr/lib/MinimalAdapter.so
5148#Default:
5149# none
5150
5151# MESSAGE ADAPTATION OPTIONS
5152# -----------------------------------------------------------------------------
5153
5154# TAG: adaptation_service_set
5155#
5156# Configures an ordered set of similar, redundant services. This is
5157# useful when hot standby or backup adaptation servers are available.
5158#
5159# adaptation_service_set set_name service_name1 service_name2 ...
5160#
5161# The named services are used in the set declaration order. The first
5162# applicable adaptation service from the set is used first. The next
5163# applicable service is tried if and only if the transaction with the
5164# previous service fails and the message waiting to be adapted is still
5165# intact.
5166#
5167# When adaptation starts, broken services are ignored as if they were
5168# not a part of the set. A broken service is a down optional service.
5169#
5170# The services in a set must be attached to the same vectoring point
5171# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
5172#
5173# If all services in a set are optional then adaptation failures are
5174# bypassable. If all services in the set are essential, then a
5175# transaction failure with one service may still be retried using
5176# another service from the set, but when all services fail, the master
5177# transaction fails as well.
5178#
5179# A set may contain a mix of optional and essential services, but that
5180# is likely to lead to surprising results because broken services become
5181# ignored (see above), making previously bypassable failures fatal.
5182# Technically, it is the bypassability of the last failed service that
5183# matters.
5184#
5185# See also: adaptation_access adaptation_service_chain
5186#
5187#Example:
5188#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
5189#adaptation_service_set svcLogger loggerLocal loggerRemote
5190#Default:
5191# none
5192
5193# TAG: adaptation_service_chain
5194#
5195# Configures a list of complementary services that will be applied
5196# one-by-one, forming an adaptation chain or pipeline. This is useful
5197# when Squid must perform different adaptations on the same message.
5198#
5199# adaptation_service_chain chain_name service_name1 svc_name2 ...
5200#
5201# The named services are used in the chain declaration order. The first
5202# applicable adaptation service from the chain is used first. The next
5203# applicable service is applied to the successful adaptation results of
5204# the previous service in the chain.
5205#
5206# When adaptation starts, broken services are ignored as if they were
5207# not a part of the chain. A broken service is a down optional service.
5208#
5209# Request satisfaction terminates the adaptation chain because Squid
5210# does not currently allow declaration of RESPMOD services at the
5211# "reqmod_precache" vectoring point (see icap_service or ecap_service).
5212#
5213# The services in a chain must be attached to the same vectoring point
5214# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
5215#
5216# A chain may contain a mix of optional and essential services. If an
5217# essential adaptation fails (or the failure cannot be bypassed for
5218# other reasons), the master transaction fails. Otherwise, the failure
5219# is bypassed as if the failed adaptation service was not in the chain.
5220#
5221# See also: adaptation_access adaptation_service_set
5222#
5223#Example:
5224#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
5225#Default:
5226# none
5227
5228# TAG: adaptation_access
5229# Sends an HTTP transaction to an ICAP or eCAP adaptation service.
5230#
5231# adaptation_access service_name allow|deny [!]aclname...
5232# adaptation_access set_name allow|deny [!]aclname...
5233#
5234# At each supported vectoring point, the adaptation_access
5235# statements are processed in the order they appear in this
5236# configuration file. Statements pointing to the following services
5237# are ignored (i.e., skipped without checking their ACL):
5238#
5239# - services serving different vectoring points
5240# - "broken-but-bypassable" services
5241# - "up" services configured to ignore such transactions
5242# (e.g., based on the ICAP Transfer-Ignore header).
5243#
5244# When a set_name is used, all services in the set are checked
5245# using the same rules, to find the first applicable one. See
5246# adaptation_service_set for details.
5247#
5248# If an access list is checked and there is a match, the
5249# processing stops: For an "allow" rule, the corresponding
5250# adaptation service is used for the transaction. For a "deny"
5251# rule, no adaptation service is activated.
5252#
5253# It is currently not possible to apply more than one adaptation
5254# service at the same vectoring point to the same HTTP transaction.
5255#
5256# See also: icap_service and ecap_service
5257#
5258#Example:
5259#adaptation_access service_1 allow all
5260#Default:
5261# none
5262
5263# TAG: adaptation_service_iteration_limit
5264# Limits the number of iterations allowed when applying adaptation
5265# services to a message. If your longest adaptation set or chain
5266# may have more than 16 services, increase the limit beyond its
5267# default value of 16. If detecting infinite iteration loops sooner
5268# is critical, make the iteration limit match the actual number
5269# of services in your longest adaptation set or chain.
5270#
5271# Infinite adaptation loops are most likely with routing services.
5272#
5273# See also: icap_service routing=1
5274#Default:
5275# adaptation_service_iteration_limit 16
5276
5277# TAG: adaptation_masterx_shared_names
5278# For each master transaction (i.e., the HTTP request and response
5279# sequence, including all related ICAP and eCAP exchanges), Squid
5280# maintains a table of metadata. The table entries are (name, value)
5281# pairs shared among eCAP and ICAP exchanges. The table is destroyed
5282# with the master transaction.
5283#
5284# This option specifies the table entry names that Squid must accept
5285# from and forward to the adaptation transactions.
5286#
5287# An ICAP REQMOD or RESPMOD transaction may set an entry in the
5288# shared table by returning an ICAP header field with a name
5289# specified in adaptation_masterx_shared_names. Squid will store
5290# and forward that ICAP header field to subsequent ICAP
5291# transactions within the same master transaction scope.
5292#
5293# Only one shared entry name is supported at this time.
5294#
5295#Example:
5296## share authentication information among ICAP services
5297#adaptation_masterx_shared_names X-Subscriber-ID
5298#Default:
5299# none
5300
5301# TAG: icap_retry
5302# This ACL determines which retriable ICAP transactions are
5303# retried. Transactions that received a complete ICAP response
5304# and did not have to consume or produce HTTP bodies to receive
5305# that response are usually retriable.
5306#
5307# icap_retry allow|deny [!]aclname ...
5308#
5309# Squid automatically retries some ICAP I/O timeouts and errors
5310# due to persistent connection race conditions.
5311#
5312# See also: icap_retry_limit
5313#Default:
5314# icap_retry deny all
5315
5316# TAG: icap_retry_limit
5317# Limits the number of retries allowed. When set to zero (default),
5318# no retries are allowed.
5319#
5320# Communication errors due to persistent connection race
5321# conditions are unavoidable, automatically retried, and do not
5322# count against this limit.
5323#
5324# See also: icap_retry
5325#Default:
5326# icap_retry_limit 0
5327
5328# DNS OPTIONS
5329# -----------------------------------------------------------------------------
5330
5331# TAG: check_hostnames
5332# For security and stability reasons Squid can check
5333# hostnames for Internet standard RFC compliance. If you want
5334# Squid to perform these checks, turn this directive on.
5335#Default:
5336# check_hostnames off
5337
5338# TAG: allow_underscore
5339# Underscore characters are not strictly allowed in Internet hostnames
5340# but nevertheless used by many sites. Set this to off if you want
5341# Squid to be strict about the standard.
5342# This check is performed only when check_hostnames is set to on.
5343#Default:
5344# allow_underscore on
5345
5346# TAG: cache_dns_program
5347# Note: This option is only available if Squid is rebuilt with the
5348# --disable-internal-dns option
5349#
5350# Specify the location of the executable for dnslookup process.
5351#Default:
5352# cache_dns_program /usr/lib/squid3/dnsserver
5353
5354# TAG: dns_children
5355# Note: This option is only available if Squid is rebuilt with the
5356# --disable-internal-dns option
5357#
5358# The number of processes spawned to service DNS name lookups.
5359# For heavily loaded caches on large servers, you should
5360# probably increase this value to at least 10. The maximum
5361# is 32. The default is 5.
5362#
5363# You must have at least one dnsserver process.
5364#Default:
5365# dns_children 5
5366
5367# TAG: dns_retransmit_interval
5368# Initial retransmit interval for DNS queries. The interval is
5369# doubled each time all configured DNS servers have been tried.
5370#
5371#Default:
5372# dns_retransmit_interval 5 seconds
5373
5374# TAG: dns_timeout
5375# DNS Query timeout. If no response is received to a DNS query
5376# within this time all DNS servers for the queried domain
5377# are assumed to be unavailable.
5378#Default:
5379# dns_timeout 2 minutes
5380
5381# TAG: dns_defnames on|off
5382# Normally the RES_DEFNAMES resolver option is disabled
5383# (see res_init(3)). This prevents caches in a hierarchy
5384# from interpreting single-component hostnames locally. To allow
5385# Squid to handle single-component names, enable this option.
5386#Default:
5387# dns_defnames off
5388
5389# TAG: dns_nameservers
5390# Use this if you want to specify a list of DNS name servers
5391# (IP addresses) to use instead of those given in your
5392# /etc/resolv.conf file.
5393# On Windows platforms, if no value is specified here or in
5394# the /etc/resolv.conf file, the list of DNS name servers is
5395# taken from the Windows registry; both static and dynamic DHCP
5396# configurations are supported.
5397#
5398# Example: dns_nameservers 10.0.0.1 192.172.0.4
5399#Default:
5400# none
5401
5402# TAG: hosts_file
5403# Location of the host-local IP name-address associations
5404# database. Most Operating Systems have such a file on different
5405# default locations:
5406# - Un*X & Linux: /etc/hosts
5407# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
5408# (%SystemRoot% value install default is c:\winnt)
5409# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
5410# (%SystemRoot% value install default is c:\windows)
5411# - Windows 9x/Me: %windir%\hosts
5412# (%windir% value is usually c:\windows)
5413# - Cygwin: /etc/hosts
5414#
5415# The file contains newline-separated definitions, in the
5416# form ip_address_in_dotted_form name [name ...]; names are
5417# whitespace-separated. Lines beginning with a hash (#)
5418# character are comments.
5419#
5420# The file is checked at startup and upon configuration.
5421# If set to 'none', it won't be checked.
5422# If append_domain is used, that domain will be added to
5423# domain-local (i.e. not containing any dot character) host
5424# definitions.
5425#Default:
5426# hosts_file /etc/hosts
5427
5428# TAG: append_domain
5429# Appends local domain name to hostnames without any dots in
5430# them. append_domain must begin with a period.
5431#
5432# Be warned there are now Internet names with no dots in
5433# them using only top-domain names, so setting this may
5434# cause some Internet sites to become unavailable.
5435#
5436#Example:
5437# append_domain .yourdomain.com
5438#Default:
5439# none
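#
# Added example (not Squid's own loader): a Python parser for the hosts_file
# format described above, applying the append_domain rule to dot-less names.
# Assumptions of this model: the first definition of a name wins, trailing
# comments after '#' are stripped too, and names are compared case-insensitively.

```python
"""Parser for the hosts_file format (ip_address name [name ...], '#' comments)
with append_domain applied to domain-local names. Added illustration only."""
from typing import Dict, Optional


def parse_hosts_file(text: str, append_domain: Optional[str] = None) -> Dict[str, str]:
    """Map each hostname to its address, as a hosts file would define them.

    append_domain, when given, must begin with a period (as the directive
    requires) and is appended to every name that contains no dot.
    """
    if append_domain is not None and not append_domain.startswith("."):
        raise ValueError("append_domain must begin with a period")
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        # Lines beginning with '#' are comments; this model also drops
        # trailing comments (assumption, a superset of the documented rule).
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # an address without names is ignored
        addr, names = fields[0], fields[1:]
        for name in names:
            key = name.lower()
            if append_domain and "." not in key:
                key += append_domain.lower()   # domain-local name gets the suffix
            table.setdefault(key, addr)        # assumption: first definition wins
    return table
```

Note that "localhost" is domain-local too, so it picks up the suffix; this is
the kind of surprise the append_domain warning above is about.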
5440
5441# TAG: ignore_unknown_nameservers
5442# By default Squid checks that DNS responses are received
5443# from the same IP addresses they are sent to. If they
5444# don't match, Squid ignores the response and writes a warning
5445# message to cache.log. You can allow responses from unknown
5446# nameservers by setting this option to 'off'.
5447#Default:
5448# ignore_unknown_nameservers on
5449
5450# TAG: dns_v4_fallback
5451# Standard practice with DNS is to lookup either A or AAAA records
5452# and use the results if it succeeds, only looking up the other if
5453# the first attempt fails or otherwise produces no results.
5454#
5455# That policy however will cause squid to produce error pages for some
5456# servers that advertise AAAA but are unreachable over IPv6.
5457#
5458# If this is ON squid will always lookup both AAAA and A, using both.
5459# If this is OFF squid will lookup AAAA and only try A if none found.
5460#
5461# WARNING: There are some possibly unwanted side-effects with this on:
5462# *) Doubles the load placed by squid on the DNS network.
5463# *) May negatively impact connection delay times.
5464#Default:
5465# dns_v4_fallback on
5466
5467# TAG: dns_v4_first
5468# With the IPv6 Internet being as fast or faster than IPv4 Internet
5469# for most networks Squid prefers to contact websites over IPv6.
5470#
5471# This option reverses the order of preference to make Squid contact
5472# dual-stack websites over IPv4 first. Squid will still perform both
5473# IPv6 and IPv4 DNS lookups before connecting.
5474#
5475# WARNING:
5476# This option will restrict the situations under which IPv6
5477# connectivity is used (and tested), hiding network problems
5478# which would otherwise be detected and warned about.
5479#Default:
5480# dns_v4_first off
5481
5482# TAG: ipcache_size (number of entries)
5483#Default:
5484# ipcache_size 1024
5485
5486# TAG: ipcache_low (percent)
5487#Default:
5488# ipcache_low 90
5489
5490# TAG: ipcache_high (percent)
5491# The size, low-, and high-water marks for the IP cache.
5492#Default:
5493# ipcache_high 95
5494
5495# TAG: fqdncache_size (number of entries)
5496# Maximum number of FQDN cache entries.
5497#Default:
5498# fqdncache_size 1024
5499
5500# MISCELLANEOUS
5501# -----------------------------------------------------------------------------
5502
5503# TAG: memory_pools on|off
5504# If set, Squid will keep pools of allocated (but unused) memory
5505# available for future use. If memory is a premium on your
5506# system and you believe your malloc library outperforms Squid
5507# routines, disable this.
5508#Default:
5509# memory_pools on
5510
5511# TAG: memory_pools_limit (bytes)
5512# Used only with memory_pools on:
5513# memory_pools_limit 50 MB
5514#
5515# If set to a non-zero value, Squid will keep at most the specified
5516# limit of allocated (but unused) memory in memory pools. All free()
5517# requests that exceed this limit will be handled by your malloc
5518# library. Squid does not pre-allocate any memory, just safe-keeps
5519# objects that otherwise would be free()d. Thus, it is safe to set
5520# memory_pools_limit to a reasonably high value even if your
5521# configuration will use less memory.
5522#
5523# If set to none, Squid will keep all memory it can. That is, there
5524# will be no limit on the total amount of memory used for safe-keeping.
5525#
5526# To disable memory allocation optimization, do not set
5527# memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
5528#
5529# An overhead for maintaining memory pools is not taken into account
5530# when the limit is checked. This overhead is close to four bytes per
5531# object kept. However, pools may actually _save_ memory because of
5532# reduced memory thrashing in your malloc library.
5533#Default:
5534# memory_pools_limit 5 MB
5535
5536# TAG: forwarded_for on|off|transparent|truncate|delete
5537# If set to "on", Squid will append your client's IP address
5538# in the HTTP requests it forwards. By default it looks like:
5539#
5540# X-Forwarded-For: 192.1.2.3
5541#
5542# If set to "off", it will appear as
5543#
5544# X-Forwarded-For: unknown
5545#
5546# If set to "transparent", Squid will not alter the
5547# X-Forwarded-For header in any way.
5548#
5549# If set to "delete", Squid will delete the entire
5550# X-Forwarded-For header.
5551#
5552# If set to "truncate", Squid will remove all existing
5553# X-Forwarded-For entries, and place itself as the sole entry.
5554#Default:
5555# forwarded_for on
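#
# Added example (not Squid code): the five forwarded_for modes applied to a
# request's X-Forwarded-For header in Python. Assumption of this model: with
# "on" and "off" the new entry is appended to any X-Forwarded-For value the
# client already sent, which is what lets "truncate" and "delete" matter.

```python
"""forwarded_for on|off|transparent|truncate|delete applied to one request.
Added illustration of the documented behaviour, not Squid's implementation."""
from typing import Dict

XFF = "X-Forwarded-For"


def apply_forwarded_for(mode: str, headers: Dict[str, str], client_ip: str) -> Dict[str, str]:
    """Return the headers Squid would forward for the given forwarded_for mode.

    headers: the request headers as received (never mutated)
    client_ip: the address Squid accepted the TCP connection from
    """
    out = dict(headers)
    existing = out.get(XFF)
    if mode == "on":
        # append the directly connected client's address (assumption: appended
        # to an inherited list rather than replacing it)
        out[XFF] = f"{existing}, {client_ip}" if existing else client_ip
    elif mode == "off":
        out[XFF] = f"{existing}, unknown" if existing else "unknown"
    elif mode == "transparent":
        pass                                  # header left exactly as received
    elif mode == "delete":
        out.pop(XFF, None)                    # whole header removed
    elif mode == "truncate":
        # whatever the client claimed is discarded; only Squid's own view remains,
        # so downstream servers cannot be fed a forged client chain
        out[XFF] = client_ip
    else:
        raise ValueError(f"unknown forwarded_for mode: {mode}")
    return out
```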
5556
5557# TAG: cachemgr_passwd
5558# Specify passwords for cachemgr operations.
5559#
5560# Usage: cachemgr_passwd password action action ...
5561#
5562# Some valid actions are (see cache manager menu for a full list):
5563# 5min
5564# 60min
5565# asndb
5566# authenticator
5567# cbdata
5568# client_list
5569# comm_incoming
5570# config *
5571# counters
5572# delay
5573# digest_stats
5574# dns
5575# events
5576# filedescriptors
5577# fqdncache
5578# histograms
5579# http_headers
5580# info
5581# io
5582# ipcache
5583# mem
5584# menu
5585# netdb
5586# non_peers
5587# objects
5588# offline_toggle *
5589# pconn
5590# peer_select
5591# reconfigure *
5592# redirector
5593# refresh
5594# server_list
5595# shutdown *
5596# store_digest
5597# storedir
5598# utilization
5599# via_headers
5600# vm_objects
5601#
5602# * Indicates actions which will not be performed without a
5603# valid password, others can be performed if not listed here.
5604#
5605# To disable an action, set the password to "disable".
5606# To allow performing an action without a password, set the
5607# password to "none".
5608#
5609# Use the keyword "all" to set the same password for all actions.
5610#
5611#Example:
5612# cachemgr_passwd secret shutdown
5613# cachemgr_passwd lesssssssecret info stats/objects
5614# cachemgr_passwd disable all
5615#Default:
5616# none
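#
# Added example (not Squid's cache manager code): a Python model of how the
# cachemgr_passwd rules above decide whether an action runs. Assumption of this
# model: lines are consulted in order and the first line naming the action, or
# naming "all", supplies the password.

```python
"""Which cache manager actions run, and with which password, under a set of
cachemgr_passwd lines. Added illustration of the documented rules only."""
from typing import List, Optional

# actions marked with '*' above: refused unless a password is configured
PASSWORD_REQUIRED = {"config", "offline_toggle", "reconfigure", "shutdown"}


def password_for(config: List[str], action: str) -> Optional[str]:
    """Password configured for an action, or None when no line covers it.
    First matching line wins; the keyword "all" matches every action (assumed
    lookup order for this model)."""
    for line in config:
        fields = line.split()
        if len(fields) < 3 or fields[0] != "cachemgr_passwd":
            continue
        password, actions = fields[1], fields[2:]
        if action in actions or "all" in actions:
            return password
    return None


def cachemgr_allowed(config: List[str], action: str, supplied: Optional[str]) -> bool:
    """True when the action may be performed with the supplied password."""
    password = password_for(config, action)
    if password is None:
        # no password set: starred actions are refused, the others run freely
        return action not in PASSWORD_REQUIRED
    if password == "disable":
        return False                          # action switched off entirely
    if password == "none":
        return True                           # explicitly password-less
    return supplied == password
```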
5617
5618# TAG: client_db on|off
5619# If you want to disable collecting per-client statistics,
5620# turn off client_db here.
5621#Default:
5622# client_db on
5623
5624# TAG: refresh_all_ims on|off
5625# When you enable this option, squid will always check
5626# the origin server for an update when a client sends an
5627# If-Modified-Since request. Many browsers use IMS
5628# requests when the user requests a reload, and this
5629# ensures those clients receive the latest version.
5630#
5631# By default (off), squid may return a Not Modified response
5632# based on the age of the cached version.
5633#Default:
5634# refresh_all_ims off
5635
5636# TAG: reload_into_ims on|off
5637# When you enable this option, client no-cache or ``reload''
5638# requests will be changed to If-Modified-Since requests.
5639# Doing this VIOLATES the HTTP standard. Enabling this
5640# feature could make you liable for problems which it
5641# causes.
5642#
5643# see also refresh_pattern for a more selective approach.
5644#Default:
5645# reload_into_ims off
5646
5647# TAG: maximum_single_addr_tries
5648# This sets the maximum number of connection attempts for a
5649# host that only has one address (for multiple-address hosts,
5650# each address is tried once).
5651#
5652# The default value is one attempt, the (not recommended)
5653# maximum is 255 tries. A warning message will be generated
5654# if it is set to a value greater than ten.
5655#
5656# Note: This is in addition to the request re-forwarding which
5657# takes place if Squid fails to get a satisfying response.
5658#Default:
5659# maximum_single_addr_tries 1
5660
5661# TAG: retry_on_error
5662# If set to ON Squid will automatically retry requests when
5663# receiving an error response with status 403 (Forbidden),
5664# 500 (Internal Error), 501 or 503 (Service not available).
5665# Status 502 and 504 (Gateway errors) are always retried.
5666#
5667# This is mainly useful if you are in a complex cache hierarchy to
5668# work around access control errors.
5669#
5670# NOTE: This retry will attempt to find another working destination,
5671# one different from the server which just failed.
5672#Default:
5673# retry_on_error off
5674
5675# TAG: as_whois_server
5676# WHOIS server to query for AS numbers. NOTE: AS numbers are
5677# queried only when Squid starts up, not for every request.
5678#Default:
5679# as_whois_server whois.ra.net
5680
5681# TAG: offline_mode
5682# Enable this option and Squid will never try to validate cached
5683# objects.
5684#Default:
5685# offline_mode off
5686
5687# TAG: uri_whitespace
5688# What to do with requests that have whitespace characters in the
5689# URI. Options:
5690#
5691# strip: The whitespace characters are stripped out of the URL.
5692# This is the behavior recommended by RFC2396.
5693# deny: The request is denied. The user receives an "Invalid
5694# Request" message.
5695# allow: The request is allowed and the URI is not changed. The
5696# whitespace characters remain in the URI. Note the
5697# whitespace is passed to redirector processes if they
5698# are in use.
5699# encode: The request is allowed and the whitespace characters are
5700# encoded according to RFC1738. This could be considered
5701# a violation of the HTTP/1.1 RFC because proxies are not
5702# allowed to rewrite URIs.
5703# chop: The request is allowed and the URI is chopped at the
5704# first whitespace. This might also be considered a
5705# violation.
5706#Default:
5707# uri_whitespace strip
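#
# Added example (not Squid's request parser): the five uri_whitespace policies
# applied to a request URI in Python. The whitespace set (space, tab, CR, LF,
# form feed, vertical tab) and the InvalidRequest name are this example's own.

```python
"""uri_whitespace strip|deny|allow|encode|chop applied to one request URI.
Added illustration of the documented options only."""
import re

# whitespace characters that may appear inside a received URI (assumed set)
WS = re.compile(r"[ \t\r\n\f\v]")


class InvalidRequest(Exception):
    """Stands in for the 'Invalid Request' error page of the deny policy."""


def apply_uri_whitespace(policy: str, uri: str) -> str:
    """Return the URI Squid would process under the given policy."""
    if not WS.search(uri):
        return uri                            # clean URI: every policy passes it
    if policy == "strip":
        return WS.sub("", uri)                # RFC 2396 recommended behaviour
    if policy == "deny":
        raise InvalidRequest(uri)
    if policy == "allow":
        return uri                            # unchanged, whitespace reaches redirectors
    if policy == "encode":
        # each whitespace byte becomes %XX as RFC 1738 requires
        return WS.sub(lambda m: "%%%02X" % ord(m.group(0)), uri)
    if policy == "chop":
        return WS.split(uri, maxsplit=1)[0]   # everything after the first space is lost
    raise ValueError(f"unknown uri_whitespace policy: {policy}")
```

Note that "chop" and "strip" make Squid forward a different URI than the
client sent, which is why the text calls them RFC violations.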
5708
5709# TAG: chroot
5710# Specifies a directory where Squid should do a chroot() while
5711# initializing. This also causes Squid to fully drop root
5712# privileges after initializing. This means, for example, if you
5713# use a HTTP port less than 1024 and try to reconfigure, you may
5714# get an error saying that Squid can not open the port.
5715#Default:
5716# none
5717
5718# TAG: balance_on_multiple_ip
5719# Modern IP resolvers in squid sort lookup results by preferred access.
5720# By default squid will use these IPs in order and only rotates to
5721# the next listed when the most preferred fails.
5722#
5723# Some load balancing servers based on round robin DNS have been
5724# found not to preserve user session state across requests
5725# to different IP addresses.
5726#
5727# With this directive enabled, Squid rotates through the IPs per request.
5728#Default:
5729# balance_on_multiple_ip off
5730
5731# TAG: pipeline_prefetch
5732# To boost the performance of pipelined requests to closer
5733# match that of a non-proxied environment, Squid can try to fetch
5734# up to two requests in parallel from a pipeline.
5735#
5736# Defaults to off for bandwidth management and access logging
5737# reasons.
5738#
5739# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
5740#Default:
5741# pipeline_prefetch off
5742
5743# TAG: high_response_time_warning (msec)
5744# If the one-minute median response time exceeds this value,
5745# Squid prints a WARNING with debug level 0 to get the
5746# administrator's attention. The value is in milliseconds.
5747#Default:
5748# high_response_time_warning 0
5749
5750# TAG: high_page_fault_warning
5751# If the one-minute average page fault rate exceeds this
5752# value, Squid prints a WARNING with debug level 0 to get
5753# the administrator's attention. The value is in page faults
5754# per second.
5755#Default:
5756# high_page_fault_warning 0
5757
5758# TAG: high_memory_warning
5759# If the memory usage (as determined by mallinfo) exceeds
5760# this amount, Squid prints a WARNING with debug level 0 to get
5761# the administrator's attention.
5762#Default:
5763# high_memory_warning 0 KB
5764
5765# TAG: sleep_after_fork (microseconds)
5766# When this is set to a non-zero value, the main Squid process
5767# sleeps the specified number of microseconds after a fork()
5768# system call. This sleep may help the situation where your
5769# system reports fork() failures due to lack of (virtual)
5770# memory. Note, however, if you have a lot of child
5771# processes, these sleep delays will add up and your
5772# Squid will not service requests for some amount of time
5773# until all the child processes have been started.
5774# On Windows, values less than 1000 (1 millisecond) are
5775# rounded to 1000.
5776#Default:
5777# sleep_after_fork 0
5778
5779# TAG: windows_ipaddrchangemonitor on|off
5780# On Windows Squid by default will monitor IP address changes and will
5781# reconfigure itself after any detected event. This is very useful for
5782# proxies connected to the Internet with dial-up interfaces.
5783# In some cases (a Proxy server acting as VPN gateway is one) it could be
5784# desirable to disable this behaviour by setting this to 'off'.
5785# Note: after changing this, Squid service must be restarted.
5786#Default:
5787# windows_ipaddrchangemonitor on
5788
5789# TAG: max_filedescriptors
5790# The maximum number of filedescriptors supported.
5791#
5792# The default "0" means Squid inherits the current ulimit setting.
5793#
5794# Note: Changing this requires a restart of Squid. Also
5795# not all comm loops support large values.
5796#Default:
5797# max_filedescriptors 0
5798
5799icp_port 3130
5800cache_mem 8 MB
5801cache_dir ufs /var/spool/squid3 100 16 256
5802client_netmask 255.255.255.255