Nov 05, 2020, 06:40 PM
# WELCOME TO SQUID 4.10
# ----------------------------
#
# This is the documentation for the Squid configuration file.
# This documentation can also be found online at:
# http://www.squid-cache.org/Doc/config/
#
# You may wish to look at the Squid home page and wiki for the
# FAQ and other documentation:
# http://www.squid-cache.org/
# http://wiki.squid-cache.org/SquidFaq
# http://wiki.squid-cache.org/ConfigExamples
#
# This documentation shows what the defaults for various directives
# happen to be. If you don't need to change the default, you should
# leave the line out of your squid.conf in most cases.
#
# In some cases "none" refers to no default setting at all,
# while in other cases it refers to the value of the option
# - the comments for that keyword indicate if this is the case.
#

# Configuration options can be included using the "include" directive.
# Include takes a list of files to include. Quoting and wildcards are
# supported.
#
# For example,
#
# include /path/to/included/file/squid.acl.config
#
# Includes can be nested up to a hard-coded depth of 16 levels.
# This arbitrary restriction is to prevent recursive include references
# from causing Squid to enter an infinite loop whilst trying to load
# configuration files.
#
# Values with byte units
#
# Squid accepts size units on some size related directives. All
# such directives are documented with a default value displaying
# a unit.
#
# Units accepted by Squid are:
# bytes - byte
# KB - Kilobyte (1024 bytes)
# MB - Megabyte
# GB - Gigabyte
#
# Values with spaces, quotes, and other special characters
#
# Squid supports directive parameters with spaces, quotes, and other
# special characters. Surround such parameters with "double quotes". Use
# the configuration_includes_quoted_values directive to enable or
# disable that support.
#
# Squid supports reading configuration option parameters from external
# files using the syntax:
# parameters("/path/filename")
# For example:
# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
#
# Conditional configuration
#
# If-statements can be used to make configuration directives
# depend on conditions:
#
# if <CONDITION>
# ... regular configuration directives ...
# [else
# ... regular configuration directives ...]
# endif
#
# The else part is optional. The keywords "if", "else", and "endif"
# must be typed on their own lines, as if they were regular
# configuration directives.
#
# NOTE: An else-if condition is not supported.
#
# These individual condition types are supported:
#
# true
# Always evaluates to true.
# false
# Always evaluates to false.
# <integer> = <integer>
# Equality comparison of two integer numbers.
#
#
# SMP-Related Macros
#
# The following SMP-related preprocessor macros can be used.
#
# ${process_name} expands to the current Squid process "name"
# (e.g., squid1, squid2, or cache1).
#
# ${process_number} expands to the current Squid process
# identifier, which is an integer number (e.g., 1, 2, 3) unique
# across all Squid processes of the current service instance.
#
# ${service_name} expands into the current Squid service instance
# name identifier which is provided by -n on the command line.
#
# Logformat Macros
#
# Logformat macros can be used in many places outside of the logformat
# directive. In theory, all of the logformat codes can be used as %macros,
# where they are supported. In practice, a %macro expands as a dash (-) when
# the transaction does not yet have enough information and a value is needed.
#
# There is no definitive list of what tokens are available at the various
# stages of the transaction.
#
# And some information may already be available to Squid but not yet
# committed where the macro expansion code can access it (report
# such instances!). The macro will be expanded into a single dash
# ('-') in such cases. Not all macros have been tested.
#

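As an added example (not part of the Squid distribution), the following Python script models the preprocessing rules documented above: ${process_number}-style macro expansion, if/else/endif blocks with the "true", "false" and "<integer> = <integer>" condition types, and the 16-level include limit. The squid.conf text it reads is constructed for the example; quoting and wildcards in "include" are not modelled, and the model raises an error where the documentation says a construct is unsupported.

```python
"""Model of the documented squid.conf preprocessing rules (SMP macros,
conditional blocks, include depth).  This is an illustration written for
this page, not Squid's own parser; 'files' stands in for the filesystem."""
import re

INCLUDE_DEPTH_LIMIT = 16            # hard-coded limit documented above
MACRO = re.compile(r"\$\{(process_name|process_number|service_name)\}")

# Constructed configuration: one file per dict entry.
CONFIG = {
    "squid.conf": """\
# constructed example, not a recommended production configuration
workers 2
if ${process_number} = 1
cache_dir rock /var/cache/squid/rock 1024
else
cache_dir aufs /var/cache/squid/aufs${process_number} 1024 16 256
endif
http_port 3128 name=${process_name}
include acl.conf
""",
    "acl.conf": """\
acl localnet src 10.0.0.0/8
if true
http_access allow localnet
endif
""",
    "loop.conf": "include loop.conf\n",   # recursive include, must be refused
}


def expand_macros(line, env):
    """Replace ${process_name}, ${process_number} and ${service_name}."""
    return MACRO.sub(lambda m: str(env[m.group(1)]), line)


def eval_condition(text):
    """Only the three documented condition types are accepted."""
    text = text.strip()
    if text == "true":
        return True
    if text == "false":
        return False
    m = re.fullmatch(r"(-?\d+)\s*=\s*(-?\d+)", text)
    if m:
        return int(m.group(1)) == int(m.group(2))
    raise ValueError(f"unsupported condition: {text!r}")


def preprocess(files, name, env, depth=0):
    """Return the directives active for 'env' after macro expansion,
    conditional evaluation and (recursive) include resolution."""
    if depth > INCLUDE_DEPTH_LIMIT:
        raise RuntimeError(f"include nesting deeper than {INCLUDE_DEPTH_LIMIT}: {name}")
    directives = []
    stack = []                      # one [taken, else_seen] entry per open if
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = expand_macros(line, env)      # macros expand before evaluation
        words = line.split()
        if words[0] == "if":
            stack.append([eval_condition(line[2:]), False])
            continue
        if words[0] == "else":
            # A bare 'else' only; 'else if' is not supported per the docs.
            if not stack or stack[-1][1] or len(words) > 1:
                raise ValueError(f"bad else: {line!r}")
            stack[-1][0] = not stack[-1][0]
            stack[-1][1] = True
            continue
        if words[0] == "endif":
            if not stack:
                raise ValueError("endif without if")
            stack.pop()
            continue
        if not all(taken for taken, _ in stack):
            continue                # inside a branch that was not taken
        if words[0] == "include":
            for included in words[1:]:
                directives.extend(preprocess(files, included, env, depth + 1))
        else:
            directives.append(line)
    if stack:
        raise ValueError(f"unterminated if in {name}")
    return directives


def kid_env(number, service_name="squid"):
    """Macro values as a worker numbered 'number' would see them."""
    return {"process_name": f"squid{number}", "process_number": number,
            "service_name": service_name}


def active_directives(number):
    return preprocess(CONFIG, "squid.conf", kid_env(number))


def include_loop_detected(name):
    """True when the depth guard stops a recursive include chain."""
    try:
        preprocess(CONFIG, name, kid_env(1))
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    for number in (1, 2):
        print(f"--- kid {number} ---")
        print("\n".join(active_directives(number)))
```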
# TAG: broken_vary_encoding
# This option is not yet supported by Squid-3.
#Default:
# none

# TAG: cache_vary
# This option is not yet supported by Squid-3.
#Default:
# none

# TAG: error_map
# This option is not yet supported by Squid-3.
#Default:
# none

# TAG: external_refresh_check
# This option is not yet supported by Squid-3.
#Default:
# none

# TAG: location_rewrite_program
# This option is not yet supported by Squid-3.
#Default:
# none

# TAG: refresh_stale_hit
# This option is not yet supported by Squid-3.
#Default:
# none

# TAG: cache_peer_domain
# Replace with dstdomain ACLs and cache_peer_access.
#Default:
# none

# TAG: ie_refresh
# Remove this line. The behaviour enabled by this is no longer needed.
#Default:
# none

# TAG: sslproxy_cafile
# Remove this line. Use tls_outgoing_options cafile= instead.
#Default:
# none

# TAG: sslproxy_capath
# Remove this line. Use tls_outgoing_options capath= instead.
#Default:
# none

# TAG: sslproxy_cipher
# Remove this line. Use tls_outgoing_options cipher= instead.
#Default:
# none

# TAG: sslproxy_client_certificate
# Remove this line. Use tls_outgoing_options cert= instead.
#Default:
# none

# TAG: sslproxy_client_key
# Remove this line. Use tls_outgoing_options key= instead.
#Default:
# none

# TAG: sslproxy_flags
# Remove this line. Use tls_outgoing_options flags= instead.
#Default:
# none

# TAG: sslproxy_options
# Remove this line. Use tls_outgoing_options options= instead.
#Default:
# none

# TAG: sslproxy_version
# Remove this line. Use tls_outgoing_options options= instead.
#Default:
# none

# TAG: hierarchy_stoplist
# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use.
#Default:
# none

# TAG: log_access
# Remove this line. Use acls with access_log directives to control access logging.
#Default:
# none

# TAG: log_icap
# Remove this line. Use acls with icap_log directives to control icap logging.
#Default:
# none

# TAG: ignore_ims_on_miss
# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'.
#Default:
# none

# TAG: balance_on_multiple_ip
# Remove this line. Squid performs a 'Happy Eyeballs' algorithm; this multiple-IP algorithm is no longer relevant.
#Default:
# none

# TAG: chunked_request_body_max_size
# Remove this line. Squid is now HTTP/1.1 compliant.
#Default:
# none

# TAG: dns_v4_fallback
# Remove this line. Squid performs a 'Happy Eyeballs' algorithm; the 'fallback' algorithm is no longer relevant.
#Default:
# none

# TAG: emulate_httpd_log
# Replace this with an access_log directive using the format 'common' or 'combined'.
#Default:
# none

# TAG: forward_log
# Use a regular access.log with an ACL limiting it to MISS events.
#Default:
# none

# TAG: ftp_list_width
# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
#Default:
# none

# TAG: ignore_expect_100
# Remove this line. The HTTP/1.1 feature is now fully supported by default.
#Default:
# none

# TAG: log_fqdn
# Remove this option from your config. To log FQDN use %>A in the log format.
#Default:
# none

# TAG: log_ip_on_direct
# Remove this option from your config. To log server or peer names use %<A in the log format.
#Default:
# none

# TAG: maximum_single_addr_tries
# Replaced by connect_retries. The behaviour has changed, please read the documentation before altering.
#Default:
# none

# TAG: referer_log
# Replace this with an access_log directive using the format 'referrer'.
#Default:
# none

# TAG: update_headers
# Remove this line. The feature is supported by default in storage types where update is implemented.
#Default:
# none

# TAG: url_rewrite_concurrency
# Remove this line. Set the 'concurrency=' option of url_rewrite_children instead.
#Default:
# none

# TAG: useragent_log
# Replace this with an access_log directive using the format 'useragent'.
#Default:
# none

# TAG: dns_testnames
# Remove this line. DNS is no longer tested on startup.
#Default:
# none

# TAG: extension_methods
# Remove this line. All valid methods for HTTP are accepted by default.
#Default:
# none

# TAG: zero_buffers
#Default:
# none

# TAG: incoming_rate
#Default:
# none

# TAG: server_http11
# Remove this line. HTTP/1.1 is supported by default.
#Default:
# none

# TAG: upgrade_http0.9
# Remove this line. ICY/1.0 streaming protocol is supported by default.
#Default:
# none

# TAG: zph_local
# Alter these entries. Use the qos_flows directive instead.
#Default:
# none

# TAG: header_access
# Since squid-3.0 replace with request_header_access or reply_header_access
# depending on whether you wish to match client requests or server replies.
#Default:
# none

# TAG: httpd_accel_no_pmtu_disc
# Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
#Default:
# none

# TAG: wais_relay_host
# Replace this line with 'cache_peer' configuration.
#Default:
# none

# TAG: wais_relay_port
# Replace this line with 'cache_peer' configuration.
#Default:
# none

# OPTIONS FOR SMP
# -----------------------------------------------------------------------------

# TAG: workers
# Number of main Squid processes or "workers" to fork and maintain.
# 0: "no daemon" mode, like running "squid -N ..."
# 1: "no SMP" mode, start one main Squid process daemon (default)
# N: start N main Squid process daemons (i.e., SMP mode)
#
# In SMP mode, each worker does nearly everything a single Squid daemon
# does (e.g., listen on http_port and forward HTTP requests).
#Default:
# SMP support disabled.

# TAG: cpu_affinity_map
# Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,...
#
# Sets 1:1 mapping between Squid processes and CPU cores. For example,
#
# cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7
#
# affects processes 1 through 4 only and places them on the first
# four even cores, starting with core #1.
#
# CPU cores are numbered starting from 1. Requires support for
# sched_getaffinity(2) and sched_setaffinity(2) system calls.
#
# Multiple cpu_affinity_map options are merged.
#
# See also: workers
#Default:
# Let operating system decide.

# TAG: shared_memory_locking on|off
# Whether to ensure that all required shared memory is available by
# "locking" that shared memory into RAM when Squid starts. The
# alternative is faster startup time followed by slightly slower
# performance and, if not enough RAM is actually available during
# runtime, mysterious crashes.
#
# SMP Squid uses many shared memory segments. These segments are
# brought into Squid memory space using an mmap(2) system call. During
# Squid startup, the mmap() call often succeeds regardless of whether
# the system has enough RAM. In general, Squid cannot tell whether the
# kernel applies this "optimistic" memory allocation policy (but
# popular modern kernels usually use it).
#
# Later, if Squid attempts to actually access the mapped memory
# regions beyond what the kernel is willing to allocate, the
# "optimistic" kernel simply kills the Squid kid with a SIGBUS signal.
# Some of the memory limits enforced by the kernel are currently
# poorly understood: We do not know how to detect and check them. This
# option ensures that the mapped memory will be available.
#
# This option may have a positive performance side-effect: Locking
# memory at start avoids runtime paging I/O. Paging slows Squid down.
#
# Locking memory may require a large enough RLIMIT_MEMLOCK OS limit,
# CAP_IPC_LOCK capability, or equivalent.
#Default:
# shared_memory_locking off

# TAG: hopeless_kid_revival_delay time-units
# Normally, when a kid process dies, Squid immediately restarts the
# kid. A kid experiencing frequent deaths is marked as "hopeless" for
# the duration specified by this directive. Hopeless kids are not
# automatically restarted.
#
# Currently, zero values are not supported because they result in
# misconfigured SMP Squid instances running forever, endlessly
# restarting each dying kid. To effectively disable hopeless kids
# revival, set the delay to a huge value (e.g., 1 year).
#
# Reconfiguration also clears all hopeless kids designations, allowing
# for manual revival of hopeless kids.
#Default:
# hopeless_kid_revival_delay 1 hour

# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------

# TAG: auth_param
# This is used to define parameters for the various authentication
# schemes supported by Squid.
#
# format: auth_param scheme parameter [setting]
#
# The order in which authentication schemes are presented to the client is
# dependent on the order the scheme first appears in the config file. IE
# has a bug (it's not RFC 2617 compliant) in that it will use the basic
# scheme if basic is the first entry presented, even if more secure
# schemes are presented. For now use the order in the recommended
# settings section below. If other browsers have difficulties (don't
# recognize the schemes offered even if you are using basic) either
# put basic first, or disable the other schemes (by commenting out their
# program entry).
#
# Once an authentication scheme is fully configured, it can only be
# shut down by shutting squid down and restarting. Changes can be made on
# the fly and activated with a reconfigure. I.e., you can change to a
# different helper, but not unconfigure the helper completely.
#
# Please note that while this directive defines how Squid processes
# authentication it does not automatically activate authentication.
# To use authentication you must in addition make use of ACLs based
# on login name in http_access (proxy_auth, proxy_auth_regex or
# external with %LOGIN used in the format tag). The browser will be
# challenged for authentication on the first such acl encountered
# in http_access processing and will also be re-challenged for new
# login credentials if the request is being denied by a proxy_auth
# type acl.
#
# WARNING: authentication can't be used in a transparently intercepting
# proxy as the client then thinks it is talking to an origin server and
# not the proxy. This is a limitation of bending the TCP/IP protocol to
# transparently intercepting port 80, not a limitation in Squid.
# Ports flagged 'transparent', 'intercept', or 'tproxy' have
# authentication disabled.
#
# === Parameters common to all schemes. ===
#
# "program" cmdline
# Specifies the command for the external authenticator.
#
# By default, each authentication scheme is not used unless a
# program is specified.
#
# See http://wiki.squid-cache.org/Features/AddonHelpers for
# more details on helper operations and creating your own.
#
# "key_extras" format
# Specifies a string to be appended to the request line format for
# the authentication helper. "Quoted" format values may contain
# spaces and logformat %macros. In theory, any logformat %macro
# can be used. In practice, a %macro expands as a dash (-) if
# the helper request is sent before the required macro
# information is available to Squid.
#
# By default, Squid uses request formats provided in
# scheme-specific examples below (search for %credentials).
#
# The expanded key_extras value is added to the Squid credentials
# cache and, hence, will affect authentication. It can be used to
# authenticate different users with identical user names (e.g.,
# when user authentication depends on http_port).
#
# Avoid adding frequently changing information to key_extras. For
# example, if you add user source IP, and it changes frequently
# in your environment, then max_user_ip ACL is going to treat
# every user+IP combination as a unique "user", breaking the ACL
# and wasting a lot of memory on those user records. It will also
# force users to authenticate from scratch whenever their IP
# changes.
#
# "realm" string
# Specifies the protection scope (aka realm name) which is to be
# reported to the client for the authentication scheme. It is
# commonly part of the text the user will see when prompted for
# their username and password.
#
# For Basic the default is "Squid proxy-caching web server".
# For Digest there is no default, this parameter is mandatory.
# For NTLM and Negotiate this parameter is ignored.
#
# "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
# [queue-size=N] [on-persistent-overload=action]
#
# The maximum number of authenticator processes to spawn. If
# you start too few Squid will have to wait for them to process
# a backlog of credential verifications, slowing it down. When
# password verifications are done via a (slow) network you are
# likely to need lots of authenticator processes.
#
# The startup= and idle= options permit some skew in the exact
# amount run. A minimum of startup=N will begin during startup
# and reconfigure. Squid will start more in groups of up to
# idle=N in an attempt to meet traffic needs and to keep idle=N
# free above those traffic needs up to the maximum.
#
# The concurrency= option sets the number of concurrent requests
# the helper can process. The default of 0 is used for helpers
# that only support one request at a time. Setting this to a
# number greater than 0 changes the protocol used to include a
# channel ID field first on the request/response line, allowing
# multiple requests to be sent to the same helper in parallel
# without waiting for the response.
#
# Concurrency must not be set unless it's known the helper
# supports the input format with channel-ID fields.
#
# The queue-size option sets the maximum number of queued
# requests. A request is queued when no existing child can
# accept it due to concurrency limit and no new child can be
# started due to numberofchildren limit. The default maximum is
# 2*numberofchildren. Squid is allowed to temporarily exceed the
# configured maximum, marking the affected helper as
# "overloaded". If the helper overload lasts more than 3
# minutes, the action prescribed by the on-persistent-overload
# option applies.
#
# The on-persistent-overload=action option specifies Squid
# reaction to a new helper request arriving when the helper
# has been overloaded for more than 3 minutes already. The number
# of queued requests determines whether the helper is overloaded
# (see the queue-size option).
#
# Two actions are supported:
#
# die Squid worker quits. This is the default behavior.
#
# ERR Squid treats the helper request as if it was
# immediately submitted, and the helper immediately
# replied with an ERR response. This action has no effect
# on the already queued and in-progress helper requests.
#
# NOTE: NTLM and Negotiate schemes do not support concurrency
# in the Squid code module even though some helpers can.
#
#
#
# === Example Configuration ===
#
# This configuration displays the recommended authentication scheme
# order from most to least secure with recommended minimum configuration
# settings for each scheme:
#
##auth_param negotiate program <uncomment and complete this line to activate>
##auth_param negotiate children 20 startup=0 idle=1
##auth_param negotiate keep_alive on
##
##auth_param digest program <uncomment and complete this line to activate>
##auth_param digest children 20 startup=0 idle=1
##auth_param digest realm Squid proxy-caching web server
##auth_param digest nonce_garbage_interval 5 minutes
##auth_param digest nonce_max_duration 30 minutes
##auth_param digest nonce_max_count 50
##
##auth_param ntlm program <uncomment and complete this line to activate>
##auth_param ntlm children 20 startup=0 idle=1
##auth_param ntlm keep_alive on
##
##auth_param basic program <uncomment and complete this line>
##auth_param basic children 5 startup=5 idle=1
##auth_param basic realm Squid proxy-caching web server
##auth_param basic credentialsttl 2 hours
#Default:
# none

# TAG: authenticate_cache_garbage_interval
# The time period between garbage collection across the username cache.
# This is a trade-off between memory utilization (long intervals - say
# 2 days) and CPU (short intervals - say 1 minute). Only change if you
# have good reason to.
#Default:
# authenticate_cache_garbage_interval 1 hour

# TAG: authenticate_ttl
# The time a user & their credentials stay in the logged in
# user cache since their last request. When the garbage
# interval passes, all user credentials that have passed their
# TTL are removed from memory.
#Default:
# authenticate_ttl 1 hour

# TAG: authenticate_ip_ttl
# If you use proxy authentication and the 'max_user_ip' ACL,
# this directive controls how long Squid remembers the IP
# addresses associated with each user. Use a small value
# (e.g., 60 seconds) if your users might change addresses
# quickly, as is the case with dialup. You might be safe
# using a larger value (e.g., 2 hours) in a corporate LAN
# environment with relatively static address assignments.
#Default:
# authenticate_ip_ttl 1 second

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

# TAG: external_acl_type
# This option defines external acl classes using a helper program
# to look up the status
#
# external_acl_type name [options] FORMAT /path/to/helper [helper arguments]
#
# Options:
#
# ttl=n TTL in seconds for cached results (defaults to 3600
# for 1 hour)
#
# negative_ttl=n
# TTL for cached negative lookups (default same
# as ttl)
#
# grace=n Percentage remaining of TTL where a refresh of a
# cached entry should be initiated without needing to
# wait for a new reply. (default is for no grace period)
#
# cache=n The maximum number of entries in the result cache. The
# default limit is 262144 entries. Each cache entry usually
# consumes at least 256 bytes. Squid currently does not remove
# expired cache entries until the limit is reached, so a proxy
# will sooner or later reach the limit. The expanded FORMAT
# value is used as the cache key, so if the details in FORMAT
# are highly variable, a larger cache may be needed to produce
# reduction in helper load.
#
# children-max=n
# Maximum number of acl helper processes spawned to service
# external acl lookups of this type. (default 5)
#
# children-startup=n
# Minimum number of acl helper processes to spawn during
# startup and reconfigure to service external acl lookups
# of this type. (default 0)
#
# children-idle=n
# Number of acl helper processes to keep ahead of traffic
# loads. Squid will spawn this many at once whenever load
# rises above the capabilities of existing processes.
# Up to the value of children-max. (default 1)
#
# concurrency=n concurrency level per process. Only used with helpers
# capable of processing more than one query at a time.
#
# queue-size=N The queue-size option sets the maximum number of
# queued requests. A request is queued when no existing
# helper can accept it due to concurrency limit and no
# new helper can be started due to children-max limit.
# If the queued requests exceed queue size, the acl is
# ignored. The default value is set to 2*children-max.
#
# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers.
#
# ipv4 / ipv6 IP protocol used to communicate with this helper.
# The default is to auto-detect IPv6 and use it when available.
#
#
# FORMAT is a series of %macro codes. See logformat directive for a full list
# of the accepted codes. Although note that at the time of any external ACL
# being tested data may not be available and thus some %macro expand to '-'.
#
# In addition to the logformat codes; when processing external ACLs these
# additional macros are made available:
#
# %ACL The name of the ACL being tested.
#
# %DATA The ACL arguments specified in the referencing config
# 'acl ... external' line, separated by spaces (an
# "argument string"). see acl external.
#
# If there are no ACL arguments %DATA expands to '-'.
#
# If you do not specify a DATA macro inside FORMAT,
# Squid automatically appends %DATA to your FORMAT.
# Note that Squid-3.x may expand %DATA to whitespace
# or nothing in this case.
#
# By default, Squid applies URL-encoding to each ACL
# argument inside the argument string. If an explicit
# encoding modifier is used (e.g., %#DATA), then Squid
# encodes the whole argument string as a single token
# (e.g., with %#DATA, spaces between arguments become
# %20).
#
# If SSL is enabled, the following formatting codes become available:
#
# %USER_CERT SSL User certificate in PEM format
# %USER_CERTCHAIN SSL User certificate chain in PEM format
# %USER_CERT_xx SSL User certificate subject attribute xx
# %USER_CA_CERT_xx SSL User certificate issuer attribute xx
#
#
# NOTE: all other format codes accepted by older Squid versions
# are deprecated.
#
#
# General request syntax:
#
# [channel-ID] FORMAT-values
#
#
# FORMAT-values consists of transaction details expanded with
# whitespace separation per the config file FORMAT specification
# using the FORMAT macros listed above.
#
# Request values sent to the helper are URL escaped to protect
# each value in requests against whitespaces.
#
# If using protocol=2.5 then the request sent to the helper is not
# URL escaped to protect against whitespace.
#
# NOTE: protocol=3.0 is deprecated as no longer necessary.
#
# When using the concurrency= option the protocol is changed by
# introducing a query channel tag in front of the request/response.
# The query channel tag is a number between 0 and concurrency-1.
# This value must be echoed back unchanged to Squid as the first part
# of the response relating to its request.
#
#
# The helper receives lines expanded per the above format specification
# and for each input line returns 1 line starting with OK/ERR/BH result
# code and optionally followed by additional keywords with more details.
#
#
# General result syntax:
#
# [channel-ID] result keyword=value ...
#
# Result consists of one of the codes:
#
# OK
# the ACL test produced a match.
#
# ERR
# the ACL test does not produce a match.
#
# BH
# An internal error occurred in the helper, preventing
# a result being identified.
#
# The meaning of 'a match' is determined by your squid.conf
# access control configuration. See the Squid wiki for details.
#
# Defined keywords:
#
# user= The user's name (login)
#
# password= The user's password (for login= cache_peer option)
#
# message= Message describing the reason for this response.
# Available as %o in error pages.
# Useful on (ERR and BH results).
#
# tag= Apply a tag to a request. Only sets a tag once,
# does not alter existing tags.
#
# log= String to be logged in access.log. Available as
# %ea in logformat specifications.
#
# clt_conn_tag= Associates a TAG with the client TCP connection.
# Please see url_rewrite_program related documentation
# for this kv-pair.
#
# Any keywords may be sent on any response whether OK, ERR or BH.
#
# All response keyword values need to be a single token with URL
# escaping, or enclosed in double quotes (") and escaped using \ on
# any double quotes or \ characters within the value. The wrapping
# double quotes are removed before the value is interpreted by Squid.
# \r and \n are also replaced by CR and LF.
#
# Some example key values:
#
# user=John%20Smith
# user="John Smith"
# user="J. \"Bob\" Smith"
#Default:
# none

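Added example, not code from the Squid project: a Python external ACL helper that implements the request and result syntax described above for external_acl_type, including the channel-ID that is prepended when the helper runs with concurrency=N (the same channel-ID convention the auth_param "children ... concurrency=" text describes). It assumes a FORMAT of "%ul %>a %DATA" (authenticated login, client IP, then the ACL arguments) and a constructed login-to-group table; the registration line and script path below are constructed for the example, e.g. external_acl_type group_check concurrency=4 %ul %>a %DATA /usr/local/bin/group_check.py 4 together with acl admins external group_check admins.

```python
#!/usr/bin/env python3
"""Constructed external ACL helper for Squid's external_acl_type protocol.
Reads one request line per lookup, replies with one result line, and echoes
the channel-ID back when started with a concurrency level > 0.  Written for
this page; it is not a helper shipped with Squid."""
import sys
from urllib.parse import unquote

# Constructed policy: the named groups each login belongs to.  A real helper
# would consult a directory or database here.
GROUPS = {
    "alice": {"staff", "admins"},
    "bob": {"staff"},
    "John Smith": {"staff"},       # login containing a space
}


def parse_request(line, concurrency):
    """Return (channel, fields).  Squid URL-escapes every FORMAT value, so
    each whitespace-separated token is unquoted after splitting.  The
    channel-ID is present only when concurrency > 0."""
    tokens = line.rstrip("\r\n").split()
    channel = None
    if concurrency > 0:
        if not tokens or not tokens[0].isdigit():
            raise ValueError("missing channel-ID")
        channel = tokens.pop(0)
    return channel, [unquote(t) for t in tokens]


def quote_value(value):
    """Encode a keyword value: a bare token when it is safe, otherwise
    double-quoted with backslash escapes.  Squid maps the two-character
    sequences \\r and \\n inside quotes back to CR and LF, so raw line breaks
    (which would end the reply line early) are written that way."""
    if value and all(c.isalnum() or c in "-._@" for c in value):
        return value
    escaped = (value.replace("\\", "\\\\").replace('"', '\\"')
                    .replace("\r", "\\r").replace("\n", "\\n"))
    return '"' + escaped + '"'


def decide(fields):
    """Map the expanded FORMAT (login, client IP, ACL arguments) to a result
    code plus keywords.  Squid expands %ul to '-' before authentication."""
    if len(fields) < 3:
        return "BH", {"message": "expected login, client IP and ACL arguments"}
    login, client_ip, wanted = fields[0], fields[1], fields[2:]
    if login == "-":
        return "ERR", {"message": "no authenticated user"}
    matched = [g for g in wanted if g in GROUPS.get(login, set())]
    if matched:
        # user= feeds the credentials cache; log= shows up as %ea in access.log
        return "OK", {"user": login, "log": ",".join(matched)}
    return "ERR", {"message": f"{login} is not in {' '.join(wanted)}"}


def format_response(channel, result, keywords):
    parts = [] if channel is None else [channel]
    parts.append(result)
    parts.extend(f"{k}={quote_value(v)}" for k, v in keywords.items())
    return " ".join(parts)


def handle_line(line, concurrency=0):
    """One request line in, one response line out (without the newline)."""
    try:
        channel, fields = parse_request(line, concurrency)
    except ValueError as exc:
        # No usable channel-ID: still answer, so Squid's reader is not starved.
        return format_response(None, "BH", {"message": str(exc)})
    result, keywords = decide(fields)
    return format_response(channel, result, keywords)


def main():
    # Pass the same value as the concurrency= option as the helper argument.
    concurrency = int(sys.argv[1]) if len(sys.argv) > 1 else 0
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, concurrency) + "\n")
        sys.stdout.flush()          # a buffered reply stalls the lookup


if __name__ == "__main__":
    main()
```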
# TAG: acl
# Defining an Access List
#
# Every access list definition must begin with an aclname and acltype,
# followed by either type-specific arguments or a quoted filename that
# they are read from.
#
# acl aclname acltype argument ...
# acl aclname acltype "file" ...
#
# When using "file", the file should contain one item per line.
#
#
# ACL Options
#
# Some acl types support options which change their default behaviour:
#
# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them
# case-insensitive, use the -i option. To return to case-sensitive
# use the +i option between patterns, or make a new ACL line
# without -i.
#
# -n Disable lookups and address type conversions. If lookup or
# conversion is required because the parameter type (IP or
# domain name) does not match the message address type (domain
# name or IP), then the ACL would immediately declare a mismatch
# without any warnings or lookups.
#
# -m[=delimiters]
# Perform a list membership test, interpreting values as
# comma-separated token lists and matching against individual
# tokens instead of whole values.
# The optional "delimiters" parameter specifies one or more
# alternative non-alphanumeric delimiter characters.
#
# -- Used to stop processing all options, in the case the first acl
# value has '-' character as first character (for example the '-'
# is a valid domain name)
#
# Some acl types require suspending the current request in order
# to access some external data source.
# Those which do are marked with the tag [slow], those which
# don't are marked as [fast].
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl
# for further information
#
# ***** ACL TYPES AVAILABLE *****
#
# acl aclname src ip-address/mask ... # clients IP address [fast]
# acl aclname src addr1-addr2/mask ... # range of addresses [fast]
# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow]
# acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
#
#if USE_SQUID_EUI
# acl aclname arp mac-address ...
# acl aclname eui64 eui64-address ...
# # [fast]
# # MAC (EUI-48) and EUI-64 addresses use xx:xx:xx:xx:xx:xx notation.
# #
# # The 'arp' ACL code is not portable to all operating systems.
# # It works on Linux, Solaris, Windows, FreeBSD, and some other
# # BSD variants.
# #
# # The eui_lookup directive is required to be 'on' (the default)
# # and Squid built with --enable-eui for MAC/EUI addresses to be
# # available for this ACL.
# #
# # Squid can only determine the MAC/EUI address for IPv4
# # clients that are on the same subnet. If the client is on a
# # different subnet, then Squid cannot find out its address.
# #
# # IPv6 protocol does not contain ARP. MAC/EUI is either
# # encoded directly in the IPv6 address or not available.
#endif
# acl aclname clientside_mark mark[/mask] ...
# # matches CONNMARK of an accepted connection [fast]
# #
# # mark and mask are unsigned integers (hex, octal, or decimal).
# # If multiple marks are given, then the ACL matches if at least
# # one mark matches.
# #
# # Uses netfilter-conntrack library.
# # Requires building Squid with --enable-linux-netfilter.
# #
# # The client, various intermediaries, and Squid itself may set
# # CONNMARK at various times. The last CONNMARK set wins. This ACL
# # checks the mark present on an accepted connection or set by
# # Squid afterwards, depending on the ACL check timing. This ACL
# # effectively ignores any mark set by other agents after Squid has
# # accepted the connection.
#
# acl aclname srcdomain .foo.com ...
# # reverse lookup, from client IP [slow]
# acl aclname dstdomain [-n] .foo.com ...
# # Destination server from URL [fast]
# acl aclname srcdom_regex [-i] \.foo\.com ...
# # regex matching client name [slow]
# acl aclname dstdom_regex [-n] [-i] \.foo\.com ...
# # regex matching server [fast]
# #
# # For dstdomain and dstdom_regex a reverse lookup is tried if an IP-based
# # URL is used and no match is found. The name "none" is used
# # if the reverse lookup fails.
#
# acl aclname src_as number ...
# acl aclname dst_as number ...
# # [fast]
# # Except for access control, AS numbers can be used for
# # routing of requests to specific caches. Here's an
# # example for routing all requests for AS#1241 and only
# # those to mycache.mydomain.net:
# # acl asexample dst_as 1241
# # cache_peer_access mycache.mydomain.net allow asexample
# # cache_peer_access mycache.mydomain.net deny all
917#
918# acl aclname peername myPeer ...
919# acl aclname peername_regex [-i] regex-pattern ...
920# # [fast]
921# # match against a named cache_peer entry
922# # set unique name= on cache_peer lines for reliable use.
923#
924# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
925# # [fast]
926# # day-abbrevs:
927# # S - Sunday
928# # M - Monday
929# # T - Tuesday
930# # W - Wednesday
931# # H - Thursday
932# # F - Friday
933# # A - Saturday
934# # h1:m1 must be less than h2:m2
935#
936# acl aclname url_regex [-i] ^http:// ...
937# # regex matching on whole URL [fast]
938# acl aclname urllogin [-i] [^a-zA-Z0-9] ...
939# # regex matching on URL login field
940# acl aclname urlpath_regex [-i] \.gif$ ...
941# # regex matching on URL path [fast]
942#
943# acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
944# # ranges are alloed
945# acl aclname localport 3128 ... # TCP port the client connected to [fast]
946# # NP: for interception mode this is usually '80'
947#
948# acl aclname myportname 3128 ... # *_port name [fast]
949#
950# acl aclname proto HTTP FTP ... # request protocol [fast]
951#
952# acl aclname method GET POST ... # HTTP request method [fast]
953#
954# acl aclname http_status 200 301 500- 400-403 ...
955# # status code in reply [fast]
956#
957# acl aclname browser [-i] regexp ...
958# # pattern match on User-Agent header (see also req_header below) [fast]
959#
960# acl aclname referer_regex [-i] regexp ...
961# # pattern match on Referer header [fast]
962# # Referer is highly unreliable, so use with care
963#
964# acl aclname ident [-i] username ...
965# acl aclname ident_regex [-i] pattern ...
966# # string match on ident output [slow]
967# # use REQUIRED to accept any non-null ident.
968#
969# acl aclname proxy_auth [-i] username ...
970# acl aclname proxy_auth_regex [-i] pattern ...
971# # perform http authentication challenge to the client and match against
972# # supplied credentials [slow]
973# #
974# # takes a list of allowed usernames.
975# # use REQUIRED to accept any valid username.
976# #
977# # Will use proxy authentication in forward-proxy scenarios, and plain
978# # http authenticaiton in reverse-proxy scenarios
979# #
980# # NOTE: when a Proxy-Authentication header is sent but it is not
981# # needed during ACL checking the username is NOT logged
982# # in access.log.
983# #
984# # NOTE: proxy_auth requires a EXTERNAL authentication program
985# # to check username/password combinations (see
986# # auth_param directive).
987# #
988# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
989# # as the browser needs to be configured for using a proxy in order
990# # to respond to proxy authentication.
991#
992# acl aclname snmp_community string ...
993# # A community string to limit access to your SNMP Agent [fast]
994# # Example:
995# #
996# # acl snmppublic snmp_community public
997#
998# acl aclname maxconn number
999# # This will be matched when the client's IP address has
1000# # more than <number> TCP connections established. [fast]
1001# # NOTE: This only measures direct TCP links so X-Forwarded-For
1002# # indirect clients are not counted.
1003#
1004# acl aclname max_user_ip [-s] number
1005# # This will be matched when the user attempts to log in from more
1006# # than <number> different ip addresses. The authenticate_ip_ttl
1007# # parameter controls the timeout on the ip entries. [fast]
1008# # If -s is specified the limit is strict, denying browsing
1009# # from any further IP addresses until the ttl has expired. Without
1010# # -s Squid will just annoy the user by "randomly" denying requests.
1011# # (the counter is reset each time the limit is reached and a
1012# # request is denied)
1013# # NOTE: in acceleration mode or where there is mesh of child proxies,
1014# # clients may appear to come from multiple addresses if they are
1015# # going through proxy farms, so a limit of 1 may cause user problems.
1016#
1017# acl aclname random probability
1018# # Pseudo-randomly match requests. Based on the probability given.
1019# # Probability may be written as a decimal (0.333), fraction (1/3)
1020# # or ratio of matches:non-matches (3:5).
1021#
1022# acl aclname req_mime_type [-i] mime-type ...
1023# # regex match against the mime type of the request generated
1024# # by the client. Can be used to detect file upload or some
1025# # types HTTP tunneling requests [fast]
1026# # NOTE: This does NOT match the reply. You cannot use this
1027# # to match the returned file type.
1028#
1029# acl aclname req_header header-name [-i] any\.regex\.here
1030# # regex match against any of the known request headers. May be
1031# # thought of as a superset of "browser", "referer" and "mime-type"
1032# # ACL [fast]
1033#
1034# acl aclname rep_mime_type [-i] mime-type ...
1035# # regex match against the mime type of the reply received by
1036# # squid. Can be used to detect file download or some
1037# # types HTTP tunneling requests. [fast]
1038# # NOTE: This has no effect in http_access rules. It only has
1039# # effect in rules that affect the reply data stream such as
1040# # http_reply_access.
1041#
1042# acl aclname rep_header header-name [-i] any\.regex\.here
1043# # regex match against any of the known reply headers. May be
1044# # thought of as a superset of "browser", "referer" and "mime-type"
1045# # ACLs [fast]
1046#
1047# acl aclname external class_name [arguments...]
1048# # external ACL lookup via a helper class defined by the
1049# # external_acl_type directive [slow]
1050#
1051# acl aclname user_cert attribute values...
1052# # match against attributes in a user SSL certificate
1053# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
1054#
1055# acl aclname ca_cert attribute values...
1056# # match against attributes a users issuing CA SSL certificate
1057# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
1058#
1059# acl aclname ext_user [-i] username ...
1060# acl aclname ext_user_regex [-i] pattern ...
1061# # string match on username returned by external acl helper [slow]
1062# # use REQUIRED to accept any non-null user name.
1063#
1064# acl aclname tag tagvalue ...
1065# # string match on tag returned by external acl helper [fast]
1066# # DEPRECATED. Only the first tag will match with this ACL.
1067# # Use the 'note' ACL instead for handling multiple tag values.
1068#
1069# acl aclname hier_code codename ...
1070# # string match against squid hierarchy code(s); [fast]
1071# # e.g., DIRECT, PARENT_HIT, NONE, etc.
1072# #
1073# # NOTE: This has no effect in http_access rules. It only has
1074# # effect in rules that affect the reply data stream such as
1075# # http_reply_access.
1076#
1077# acl aclname note [-m[=delimiters]] name [value ...]
1078# # match transaction annotation [fast]
1079# # Without values, matches any annotation with a given name.
1080# # With value(s), matches any annotation with a given name that
1081# # also has one of the given values.
1082# # If the -m flag is used, then the value of the named
1083# # annotation is interpreted as a list of tokens, and the ACL
1084# # matches individual name=token pairs rather than whole
1085# # name=value pairs. See "ACL Options" above for more info.
1086# # Annotation sources include note and adaptation_meta directives
1087# # as well as helper and eCAP responses.
1088#
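# Added example (Python, not Squid's code): parsing a note ACL line and applying its
# -m[=delimiters] option to a transaction's annotations, to show whole-value versus
# token matching. The function names are mine; splitting on any delimiter character
# and dropping empty tokens is an assumption about the exact tokenizer.

```python
# Added example (not Squid's code): parse "acl <name> note [-m[=delimiters]] <key> [value ...]"
# and evaluate it against a transaction's annotations, to show how -m turns the
# whole-value comparison into a token-membership test.
import re

def parse_note_acl(line):
    """Return (aclname, key, wanted_values, membership, delimiters) for one acl line."""
    words = line.split()
    if words[:1] != ["acl"] or words[2:3] != ["note"]:
        raise ValueError("not a note ACL line: " + line)
    rest, membership, delimiters = words[3:], False, ","   # comma is the default
    if rest and rest[0].startswith("-m"):
        membership = True
        if rest[0].startswith("-m="):
            delimiters = rest[0][3:]
            if not delimiters or any(c.isalnum() for c in delimiters):
                raise ValueError("delimiters must be non-alphanumeric")
        rest = rest[1:]
    if not rest:
        raise ValueError("note ACL needs an annotation name")
    return words[1], rest[0], set(rest[1:]), membership, delimiters

def note_acl_matches(acl, annotations):
    """annotations: (name, value) pairs on the transaction (note, helper, eCAP ...)."""
    _aclname, key, wanted, membership, delimiters = acl
    for name, value in annotations:
        if name != key:
            continue
        if not wanted:                     # no values: any annotation with this name
            return True
        if membership:                     # -m: split value into tokens, drop empties
            tokens = [t for t in re.split("[" + re.escape(delimiters) + "]", value) if t]
        else:
            tokens = [value]               # whole-value comparison
        if any(t in wanted for t in tokens):
            return True
    return False
```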
# acl aclname adaptation_service service ...
# # Matches the name of any icap_service, ecap_service,
# # adaptation_service_set, or adaptation_service_chain that Squid
# # has used (or attempted to use) for the master transaction.
# # This ACL must be defined after the corresponding adaptation
# # service is named in squid.conf. This ACL is usable with
# # adaptation_meta because it starts matching immediately after
# # the service has been selected for adaptation.
#
# acl aclname transaction_initiator initiator ...
# # Matches transaction's initiator [fast]
# #
# # Supported initiators are:
# # esi: matches transactions fetching ESI resources
# # certificate-fetching: matches transactions fetching
# # a missing intermediate TLS certificate
# # cache-digest: matches transactions fetching Cache Digests
# # from a cache_peer
# # htcp: matches HTCP requests from peers
# # icp: matches ICP requests to peers
# # icmp: matches ICMP RTT database (NetDB) requests to peers
# # asn: matches asns db requests
# # internal: matches any of the above
# # client: matches transactions containing an HTTP or FTP
# # client request received at a Squid *_port
# # all: matches any transaction, including internal transactions
# # without a configurable initiator and hopefully rare
# # transactions without a known-to-Squid initiator
# #
# # Multiple initiators are ORed.
#
# acl aclname has component
# # matches a transaction "component" [fast]
# #
# # Supported transaction components are:
# # request: transaction has a request header (at least)
# # response: transaction has a response header (at least)
# # ALE: transaction has an internally-generated Access Log Entry
# # structure; bugs notwithstanding, all transactions have it
# #
# # For example, the following configuration helps when dealing with HTTP
# # clients that close connections without sending a request header:
# #
# # acl hasRequest has request
# # acl logMe note important_transaction
# # # avoid "logMe ACL is used in context without an HTTP request" warnings
# # access_log ... logformat=detailed hasRequest logMe
# # # log request-less transactions, instead of ignoring them
# # access_log ... logformat=brief !hasRequest
# #
# # Multiple components are not supported for one "acl" rule, but
# # can be specified (and are ORed) using multiple same-name rules:
# #
# # # OK, this strange logging daemon needs request or response,
# # # but can work without either a request or a response:
# # acl hasWhatMyLoggingDaemonNeeds has request
# # acl hasWhatMyLoggingDaemonNeeds has response
#
# acl aclname any-of acl1 acl2 ...
# # match any one of the acls [fast or slow]
# # The first matching ACL stops further ACL evaluation.
# #
# # ACLs from multiple any-of lines with the same name are ORed.
# # For example, A = (a1 or a2) or (a3 or a4) can be written as
# # acl A any-of a1 a2
# # acl A any-of a3 a4
# #
# # This group ACL is fast if all evaluated ACLs in the group are fast
# # and slow otherwise.
#
# acl aclname all-of acl1 acl2 ...
# # match all of the acls [fast or slow]
# # The first mismatching ACL stops further ACL evaluation.
# #
# # ACLs from multiple all-of lines with the same name are ORed.
# # For example, B = (b1 and b2) or (b3 and b4) can be written as
# # acl B all-of b1 b2
# # acl B all-of b3 b4
# #
# # This group ACL is fast if all evaluated ACLs in the group are fast
# # and slow otherwise.
#
# Examples:
# acl macaddress arp 09:00:2b:23:45:67
# acl myexample dst_as 1241
# acl password proxy_auth REQUIRED
# acl fileupload req_mime_type -i ^multipart/form-data$
# acl javascript rep_mime_type -i ^application/x-javascript$
#
#Default:
# ACLs all, manager, localhost, and to_localhost are predefined.
#
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
#acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
#acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
#acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 165.165.100.0/24 # site's own local network (LAN); not an RFC 1918 private range
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl mylan src 165.165.100.0/24



# TAG: proxy_protocol_access
# Determine which client proxies can be trusted to provide correct
# information regarding real client IP address using PROXY protocol.
#
# Requests may pass through a chain of several other proxies
# before reaching us. The original source details may be sent in:
# * HTTP message Forwarded header, or
# * HTTP message X-Forwarded-For header, or
# * PROXY protocol connection header.
#
# This directive is solely for validating new PROXY protocol
# connections received from a port flagged with require-proxy-header.
# It is checked only once after TCP connection setup.
#
# A deny match results in TCP connection closure.
#
# An allow match is required for Squid to permit the corresponding
# TCP connection, before Squid even looks for HTTP request headers.
# If there is an allow match, Squid starts using PROXY header information
# to determine the source address of the connection for all future ACL
# checks, logging, etc.
#
# SECURITY CONSIDERATIONS:
#
# Any host from which we accept client IP details can place
# incorrect information in the relevant header, and Squid
# will use the incorrect information as if it were the
# source address of the request. This may enable remote
# hosts to bypass any access control restrictions that are
# based on the client's source addresses.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# all TCP connections to ports with require-proxy-header will be denied

# TAG: follow_x_forwarded_for
# Determine which client proxies can be trusted to provide correct
# information regarding real client IP address.
#
# Requests may pass through a chain of several other proxies
# before reaching us. The original source details may be sent in:
# * HTTP message Forwarded header, or
# * HTTP message X-Forwarded-For header, or
# * PROXY protocol connection header.
#
# PROXY protocol connections are controlled by the proxy_protocol_access
# directive which is checked before this.
#
# If a request reaches us from a source that is allowed by this
# directive, then we trust the information it provides regarding
# the IP of the client it received from (if any).
#
# For the purpose of ACLs used in this directive the src ACL type always
# matches the address we are testing and srcdomain matches its rDNS.
#
# On each HTTP request Squid checks for X-Forwarded-For header fields.
# If found the header values are iterated in reverse order and an allow
# match is required for Squid to continue on to the next value.
# The verification ends when a value receives a deny match, cannot be
# tested, or there are no more values to test.
# NOTE: Squid does not yet follow the Forwarded HTTP header.
#
# The end result of this process is an IP address that we will
# refer to as the indirect client address. This address may
# be treated as the client address for access control, ICAP, delay
# pools and logging, depending on the acl_uses_indirect_client,
# icap_uses_indirect_client, delay_pool_uses_indirect_client,
# log_uses_indirect_client and tproxy_uses_indirect_client options.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
# SECURITY CONSIDERATIONS:
#
# Any host from which we accept client IP details can place
# incorrect information in the relevant header, and Squid
# will use the incorrect information as if it were the
# source address of the request. This may enable remote
# hosts to bypass any access control restrictions that are
# based on the client's source addresses.
#
# For example:
#
# acl localhost src 127.0.0.1
# acl my_other_proxy srcdomain .proxy.example.com
# follow_x_forwarded_for allow localhost
# follow_x_forwarded_for allow my_other_proxy
#Default:
# X-Forwarded-For header will be ignored.

# TAG: acl_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in acl matching.
#
# NOTE: maxconn ACL considers direct TCP links, and indirect
# clients will always have zero, so it never matches them.
#Default:
# acl_uses_indirect_client on

# TAG: delay_pool_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in delay pools.
#Default:
# delay_pool_uses_indirect_client on

# TAG: log_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in the access log.
#Default:
# log_uses_indirect_client on

# TAG: tproxy_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address when spoofing the outgoing client.
#
# This has no effect on requests arriving in non-tproxy
# mode ports.
#
# SECURITY WARNING: This option is dangerous and should not
# be used lightly. Correct configuration of
# follow_x_forwarded_for with a limited set of trusted
# sources is required to prevent abuse of your proxy.
#Default:
# tproxy_uses_indirect_client off

# TAG: spoof_client_ip
# Control client IP address spoofing of TPROXY traffic based on
# defined access lists.
#
# spoof_client_ip allow|deny [!]aclname ...
#
# If there are no "spoof_client_ip" lines present, the default
# is to "allow" spoofing of any suitable request.
#
# Note that the cache_peer "no-tproxy" option overrides this ACL.
#
# This clause supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# Allow spoofing on all TPROXY traffic.

# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# To allow or deny a message received on an HTTP, HTTPS, or FTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have a "deny all" entry at the end of your access
# lists to avoid potential confusion.
#
# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
#Default:
# Deny, unless rules exist in squid.conf.
#

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access allow all
#http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
#http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
include /etc/squid/conf.d/*

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all
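# Added example (Python, not Squid's code): a model of the follow_x_forwarded_for
# and http_access evaluation rules described above, run against this file's
# early "http_access allow all" beside the recommended order, and against a
# trusted-front-proxy versus trust-everyone X-Forwarded-For policy. Only CIDR
# src, port and method ACLs are modelled; 192.0.2.10, 10.0.0.0/8 and the
# request addresses are constructed sample values.

```python
# Added example (not Squid's code): follow_x_forwarded_for -> indirect client, then http_access.
import ipaddress
from typing import NamedTuple

class Request(NamedTuple):
    peer: str          # address of the direct TCP peer
    port: int          # destination port of the request
    method: str        # HTTP method
    xff: tuple = ()    # X-Forwarded-For values, left to right

def parse_config(text):
    """Collect acl, follow_x_forwarded_for and http_access lines; '#' starts a comment."""
    acls, xff_rules, access_rules = {}, [], []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":                  # same-name acl lines accumulate values
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif words[0] == "follow_x_forwarded_for":
            xff_rules.append((words[1] == "allow", words[2:]))
        elif words[0] == "http_access":
            access_rules.append((words[1] == "allow", words[2:]))
    acls.setdefault("all", [("src", ["0.0.0.0/0", "::/0"])])   # predefined ACL
    return acls, xff_rules, access_rules

def port_in_range(spec, port):
    """'443' or '1025-65535' -> whether port lies inside."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def acl_matches(acls, name, req, client):
    """True if any value of ACL `name` matches; `client` is the address src tests."""
    for kind, values in acls[name]:
        if kind == "src" and any(ipaddress.ip_address(client) in ipaddress.ip_network(v)
                                 for v in values):
            return True
        if kind == "port" and any(port_in_range(v, req.port) for v in values):
            return True
        if kind == "method" and req.method in values:
            return True
    return False

def rule_matches(acls, terms, req, client):
    """Every [!]aclname on one rule line must match (they are ANDed)."""
    return all(acl_matches(acls, t.lstrip("!"), req, client) != t.startswith("!")
               for t in terms)

def first_match(acls, rules, req, client):
    """Action (True=allow, False=deny) of the first matching rule, or None."""
    return next((allow for allow, terms in rules
                 if rule_matches(acls, terms, req, client)), None)

def indirect_client(acls, xff_rules, req):
    """Walk X-Forwarded-For right to left; each hop needs an allow match for the
    address that reported it. Deny, no match or an untestable value stops it."""
    client = req.peer
    for hop in reversed(req.xff):
        if first_match(acls, xff_rules, req, client) is not True:
            break
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break
        client = hop
    return client

def http_access(acls, rules, req, client):
    """No rules: deny. No match: the opposite of the last rule's action."""
    if not rules:
        return False
    verdict = first_match(acls, rules, req, client)
    return verdict if verdict is not None else not rules[-1][0]

def decide(conf, req):
    """Return (address used for ACL checks, http_access verdict); acl_uses_indirect_client on."""
    acls, xff_rules, access_rules = parse_config(conf)
    client = indirect_client(acls, xff_rules, req)
    return client, http_access(acls, access_rules, req, client)

# Constructed fragment in the order this file uses: "allow all" comes first,
# so every later deny is unreachable and any peer may relay anywhere.
OPEN_CONF = """
acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access allow all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""
# The recommended order from the comments above: without the early "allow all".
SAFE_CONF = OPEN_CONF.replace("http_access allow all\n", "")
# Constructed: only the front proxy 192.0.2.10 may assert client addresses.
XFF_CONF = ("acl frontproxy src 192.0.2.10/32\n"
            "follow_x_forwarded_for allow frontproxy\n") + SAFE_CONF
WEAK_XFF_CONF = XFF_CONF.replace("allow frontproxy", "allow all")   # weak: trust everyone
```

Calling decide(OPEN_CONF, Request("203.0.113.7", 25, "CONNECT")) returns an allow verdict, while the same request under SAFE_CONF is denied by "deny !Safe_ports"; under WEAK_XFF_CONF a remote peer that sends "X-Forwarded-For: 10.1.2.3" is treated as localnet.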
1416
1417# TAG: adapted_http_access
1418# Allowing or Denying access based on defined access lists
1419#
1420# Essentially identical to http_access, but runs after redirectors
1421# and ICAP/eCAP adaptation. Allowing access control based on their
1422# output.
1423#
1424# If not set then only http_access is used.
1425#Default:
1426# Allow, unless rules exist in squid.conf.
1427
1428# TAG: http_reply_access
1429# Allow replies to client requests. This is complementary to http_access.
1430#
1431# http_reply_access allow|deny [!] aclname ...
1432#
1433# NOTE: if there are no access lines present, the default is to allow
1434# all replies.
1435#
1436# If none of the access lines cause a match the opposite of the
1437# last line will apply. Thus it is good practice to end the rules
1438# with an "allow all" or "deny all" entry.
1439#
1440# This clause supports both fast and slow acl types.
1441# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1442#Default:
1443# Allow, unless rules exist in squid.conf.
1444
1445# TAG: icp_access
1446# Allowing or Denying access to the ICP port based on defined
1447# access lists
1448#
1449# icp_access allow|deny [!]aclname ...
1450#
1451# NOTE: The default if no icp_access lines are present is to
1452# deny all traffic. This default may cause problems with peers
1453# using ICP.
1454#
1455# This clause only supports fast acl types.
1456# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1457#
1458## Allow ICP queries from local networks only
1459##icp_access allow localnet
1460##icp_access deny all
1461#Default:
1462# Deny, unless rules exist in squid.conf.
1463
1464# TAG: htcp_access
1465# Allowing or Denying access to the HTCP port based on defined
1466# access lists
1467#
1468# htcp_access allow|deny [!]aclname ...
1469#
1470# See also htcp_clr_access for details on access control for
1471# cache purge (CLR) HTCP messages.
1472#
1473# NOTE: The default if no htcp_access lines are present is to
1474# deny all traffic. This default may cause problems with peers
1475# using the htcp option.
1476#
1477# This clause only supports fast acl types.
1478# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1479#
1480## Allow HTCP queries from local networks only
1481##htcp_access allow localnet
1482##htcp_access deny all
1483#Default:
1484# Deny, unless rules exist in squid.conf.
1485
1486# TAG: htcp_clr_access
1487# Allowing or Denying access to purge content using HTCP based
1488# on defined access lists.
1489# See htcp_access for details on general HTCP access control.
1490#
1491# htcp_clr_access allow|deny [!]aclname ...
1492#
1493# This clause only supports fast acl types.
1494# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1495#
1496## Allow HTCP CLR requests from trusted peers
1497#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2
1498#htcp_clr_access allow htcp_clr_peer
1499#htcp_clr_access deny all
1500#Default:
1501# Deny, unless rules exist in squid.conf.
1502
1503# TAG: miss_access
1504# Determines whether network access is permitted when satisfying a request.
1505#
1506# For example;
1507# to force your neighbors to use you as a sibling instead of
1508# a parent.
1509#
1510# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64
1511# miss_access deny !localclients
1512# miss_access allow all
1513#
1514# This means only your local clients are allowed to fetch relayed/MISS
1515# replies from the network and all other clients can only fetch cached
1516# objects (HITs).
1517#
1518# The default for this setting allows all clients who passed the
1519# http_access rules to relay via this proxy.
1520#
1521# This clause only supports fast acl types.
1522# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1523#Default:
1524# Allow, unless rules exist in squid.conf.
1525
1526# TAG: ident_lookup_access
1527# A list of ACL elements which, if matched, cause an ident
1528# (RFC 931) lookup to be performed for this request. For
1529# example, you might choose to always perform ident lookups
1530# for your main multi-user Unix boxes, but not for your Macs
1531# and PCs. By default, ident lookups are not performed for
1532# any requests.
1533#
1534# To enable ident lookups for specific client addresses, you
1535# can follow this example:
1536#
1537# acl ident_aware_hosts src 198.168.1.0/24
1538# ident_lookup_access allow ident_aware_hosts
1539# ident_lookup_access deny all
1540#
1541# Only src type ACL checks are fully supported. A srcdomain
1542# ACL might work at times, but it will not always provide
1543# the correct result.
1544#
1545# This clause only supports fast acl types.
1546# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1547#Default:
1548# Unless rules exist in squid.conf, IDENT is not fetched.
1549
1550# TAG: reply_body_max_size size [acl acl...]
1551# This option specifies the maximum size of a reply body. It can be
1552# used to prevent users from downloading very large files, such as
1553# MP3's and movies. When the reply headers are received, the
1554# reply_body_max_size lines are processed, and the first line where
1555# all (if any) listed ACLs are true is used as the maximum body size
1556# for this reply.
1557#
1558# This size is checked twice. First when we get the reply headers,
1559# we check the content-length value. If the content length value exists
1560# and is larger than the allowed size, the request is denied and the
1561# user receives an error message that says "the request or reply
1562# is too large." If there is no content-length, and the reply
1563# size exceeds this limit, the client's connection is just closed
1564# and they will receive a partial reply.
1565#
1566# WARNING: downstream caches probably can not detect a partial reply
1567# if there is no content-length header, so they will cache
1568# partial responses and give them out as hits. You should NOT
1569# use this option if you have downstream caches.
1570#
1571# WARNING: A maximum size smaller than the size of squid's error messages
1572# will cause an infinite loop and crash squid. Ensure that the smallest
1573# non-zero value you use is greater that the maximum header size plus
1574# the size of your largest error page.
1575#
1576# If you set this parameter none (the default), there will be
1577# no limit imposed.
1578#
1579# Configuration Format is:
1580# reply_body_max_size SIZE UNITS [acl ...]
1581# ie.
1582# reply_body_max_size 10 MB
1583#
1584#Default:
1585# No limit is applied.
1586
1587# TAG: on_unsupported_protocol
1588# Determines Squid behavior when encountering strange requests at the
1589# beginning of an accepted TCP connection or the beginning of a bumped
1590# CONNECT tunnel. Controlling Squid reaction to unexpected traffic is
1591# especially useful in interception environments where Squid is likely
1592# to see connections for unsupported protocols that Squid should either
1593# terminate or tunnel at TCP level.
1594#
1595# on_unsupported_protocol <action> [!]acl ...
1596#
1597# The first matching action wins. Only fast ACLs are supported.
1598#
1599# Supported actions are:
1600#
1601# tunnel: Establish a TCP connection with the intended server and
1602# blindly shovel TCP packets between the client and server.
1603#
1604# respond: Respond with an error message, using the transfer protocol
1605# for the Squid port that received the request (e.g., HTTP
1606# for connections intercepted at the http_porthttp_port). This is the
1607# default.
1608#
1609# Squid expects the following traffic patterns:
1610#
1611# http_port: a plain HTTP request
1612# https_port: SSL/TLS handshake followed by an [encrypted] HTTP request
1613# ftp_port: a plain FTP command (no on_unsupported_protocol support yet!)
1614# CONNECT tunnel on http_port: same as https_port
1615# CONNECT tunnel on https_port: same as https_port
1616#
1617# Currently, this directive has effect on intercepted connections and
1618# bumped tunnels only. Other cases are not supported because Squid
1619# cannot know the intended destination of other traffic.
1620#
1621# For example:
1622# # define what Squid errors indicate receiving non-HTTP traffic:
1623# acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
1624# # define what Squid errors indicate receiving nothing:
1625# acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
1626# # tunnel everything that does not look like HTTP:
1627# on_unsupported_protocol tunnel foreignProtocol
1628# # tunnel if we think the client waits for the server to talk first:
1629# on_unsupported_protocol tunnel serverTalksFirstProtocol
1630# # in all other error cases, just send an HTTP "error page" response:
1631# on_unsupported_protocol respond all
1632#
1633# See also: squid_error ACL
1634#Default:
1635# Respond with an error message to unidentifiable traffic
1636
1637# NETWORK OPTIONS
1638# -----------------------------------------------------------------------------
1639
1640# TAG: http_port
1641# Usage: port [mode] [options]
1642# hostname:port [mode] [options]
1643# 1.2.3.4:port [mode] [options]
1644#
1645# The socket addresses where Squid will listen for HTTP client
1646# requests. You may specify multiple socket addresses.
1647# There are three forms: port alone, hostname with port, and
1648# IP address with port. If you specify a hostname or IP
1649# address, Squid binds the socket to that specific
1650# address. Most likely, you do not need to bind to a specific
1651# address, so you can use the port number alone.
1652#
1653# If you are running Squid in accelerator mode, you
1654# probably want to listen on port 80 also, or instead.
1655#
1656# The -a command line option may be used to specify additional
1657# port(s) where Squid listens for proxy requests. Such ports will
1658# be plain proxy ports with no options.
1659#
1660# You may specify multiple socket addresses on multiple lines.
1661#
1662# Modes:
1663#
1664# intercept Support for IP-Layer NAT interception delivering
1665# traffic to this Squid port.
1666# NP: disables authentication on the port.
1667#
1668# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing
1669# of outgoing connections using the client IP address.
1670# NP: disables authentication on the port.
1671#
1672# accel Accelerator / reverse proxy mode
1673#
1674# ssl-bump For each CONNECT request allowed by ssl_bump ACLs,
1675# establish secure connection with the client and with
1676# the server, decrypt HTTPS messages as they pass through
1677# Squid, and treat them as unencrypted HTTP messages,
1678# becoming the man-in-the-middle.
1679#
1680# The ssl_bump option is required to fully enable
1681# bumping of CONNECT requests.
1682#
1683# Omitting the mode flag causes default forward proxy mode to be used.
1684#
1685#
1686# Accelerator Mode Options:
1687#
1688# defaultsite=domainname
1689# What to use for the Host: header if it is not present
1690# in a request. Determines what site (not origin server)
1691# accelerators should consider the default.
1692#
1693# no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
1694#
1695# protocol= Protocol to reconstruct accelerated and intercepted
1696# requests with. Defaults to HTTP/1.1 for http_port and
1697# HTTPS/1.1 for https_port.
1698# When an unsupported value is configured Squid will
1699# produce a FATAL error.
1700# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1
1701#
1702# vport Virtual host port support. Using the http_port number
1703# instead of the port passed on Host: headers.
1704#
1705# vport=NN Virtual host port support. Using the specified port
1706# number instead of the port passed on Host: headers.
1707#
1708# act-as-origin
1709# Act as if this Squid is the origin server.
1710# This currently means generate new Date: and Expires:
1711# headers on HIT instead of adding Age:.
1712#
1713# ignore-cc Ignore request Cache-Control headers.
1714#
1715# WARNING: This option violates HTTP specifications if
1716# used in non-accelerator setups.
1717#
1718# allow-direct Allow direct forwarding in accelerator mode. Normally
1719# accelerated requests are denied direct forwarding as if
1720# never_direct was used.
1721#
1722# WARNING: this option opens accelerator mode to security
1723# vulnerabilities usually only affecting interception
1724# mode. Make sure to protect forwarding with suitable
1725# http_access rules when using this.
1726#
1727#
1728# SSL Bump Mode Options:
1729# In addition to these options ssl-bump requires TLS/SSL options.
1730#
1731# generate-host-certificates[=<on|off>]
1732# Dynamically create SSL server certificates for the
1733# destination hosts of bumped CONNECT requests. When
1734# enabled, the cert and key options are used to sign
1735# generated certificates; otherwise each generated
1736# certificate is self-signed.
1737# If a CA certificate is configured, the lifetime of a
1738# generated certificate equals the lifetime of the CA
1739# certificate. If the generated certificate is self-signed,
1740# its lifetime is three years.
1741# This option is enabled by default when ssl-bump is used.
1742# See the ssl-bump option above for more information.
1743#
1744# dynamic_cert_mem_cache_size=SIZE
1745# Approximate total RAM size spent on cached generated
1746# certificates. If set to zero, caching is disabled. The
1747# default value is 4MB.
1748#
1749# TLS / SSL Options:
1750#
1751# tls-cert= Path to file containing an X.509 certificate (PEM format)
1752# to be used in the TLS handshake ServerHello.
1753#
1754# If this certificate is constrained by KeyUsage TLS
1755# feature it must allow HTTP server usage, along with
1756# any additional restrictions imposed by your choice
1757# of options= settings.
1758#
1759# When OpenSSL is used this file may also contain a
1760# chain of intermediate CA certificates to send in the
1761# TLS handshake.
1762#
1763# When GnuTLS is used this option (and any paired
1764# tls-key= option) may be repeated to load multiple
1765# certificates for different domains.
1766#
1767# Also, when generate-host-certificates=on is configured
1768# the first tls-cert= option must be a CA certificate
1769# capable of signing the automatically generated
1770# certificates.
1771#
1772# tls-key= Path to a file containing private key file (PEM format)
1773# for the previous tls-cert= option.
1774#
1775# If tls-key= is not specified tls-cert= is assumed to
1776# reference a PEM file containing both the certificate
1777# and private key.
1778#
1779# cipher= Colon separated list of supported ciphers.
1780# NOTE: some ciphers such as EDH ciphers depend on
1781# additional settings. If those settings are
1782# omitted the ciphers may be silently ignored
1783# by the OpenSSL library.
1784#
1785# options= Various SSL implementation options. The most important
1786# being:
1787#
1788# NO_SSLv3 Disallow the use of SSLv3
1789#
1790# NO_TLSv1 Disallow the use of TLSv1.0
1791#
1792# NO_TLSv1_1 Disallow the use of TLSv1.1
1793#
1794# NO_TLSv1_2 Disallow the use of TLSv1.2
1795#
1796# SINGLE_DH_USE
1797# Always create a new key when using
1798# temporary/ephemeral DH key exchanges
1799#
1800# SINGLE_ECDH_USE
1801# Enable ephemeral ECDH key exchange.
1802# The adopted curve should be specified
1803# using the tls-dh option.
1804#
1805# NO_TICKET
1806# Disable use of RFC5077 session tickets.
1807# Some servers may have problems
1808# understanding the TLS extension due
1809# to ambiguous specification in RFC4507.
1810#
1811# ALL Enable various bug workarounds
1812# suggested as "harmless" by OpenSSL
1813# Be warned that this reduces SSL/TLS
1814# strength to some attacks.
1815#
1816# See the OpenSSL SSL_CTX_set_options documentation for a
1817# more complete list.
1818#
1819# clientca= File containing the list of CAs to use when
1820# requesting a client certificate.
1821#
1822# tls-cafile= PEM file containing CA certificates to use when verifying
1823# client certificates. If not configured clientca will be
1824# used. May be repeated to load multiple files.
1825#
1826# capath= Directory containing additional CA certificates
1827# and CRL lists to use when verifying client certificates.
1828# Requires OpenSSL or LibreSSL.
1829#
1830# crlfile= File of additional CRL lists to use when verifying
1831# the client certificate, in addition to CRLs stored in
1832# the capath. Implies VERIFY_CRL flag below.
1833#
1834# tls-dh=[curve:]file
1835# File containing DH parameters for temporary/ephemeral DH key
1836# exchanges, optionally prefixed by a curve for ephemeral ECDH
1837# key exchanges.
1838# See OpenSSL documentation for details on how to create the
1839# DH parameter file. Supported curves for ECDH can be listed
1840# using the "openssl ecparam -list_curves" command.
1841# WARNING: EDH and EECDH ciphers will be silently disabled if
1842# this option is not set.
1843#
1844# sslflags= Various flags modifying the use of SSL:
1845# DELAYED_AUTH
1846# Don't request client certificates
1847# immediately, but wait until acl processing
1848# requires a certificate (not yet implemented).
1849# NO_SESSION_REUSE
1850# Don't allow for session reuse. Each connection
1851# will result in a new SSL session.
1852# VERIFY_CRL
1853# Verify CRL lists when accepting client
1854# certificates.
1855# VERIFY_CRL_ALL
1856# Verify CRL lists for all certificates in the
1857# client certificate chain.
1858#
1859# tls-default-ca[=off]
1860# Whether to use the system Trusted CAs. Default is OFF.
1861#
1862# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
1863#
1864# sslcontext= SSL session ID context identifier.
1865#
1866# Other Options:
1867#
1868# connection-auth[=on|off]
1869# use connection-auth=off to tell Squid to prevent
1870# forwarding Microsoft connection oriented authentication
1871# (NTLM, Negotiate and Kerberos)
1872#
1873# disable-pmtu-discovery=
1874# Control Path-MTU discovery usage:
1875# off lets OS decide on what to do (default).
1876# transparent disable PMTU discovery when transparent
1877# support is enabled.
1878# always always disable PMTU discovery.
1879#
1880# In many setups of transparently intercepting proxies
1881# Path-MTU discovery can not work on traffic towards the
1882# clients. This is the case when the intercepting device
1883# does not fully track connections and fails to forward
1884# ICMP must fragment messages to the cache server. If you
1885# have such setup and experience that certain clients
1886# sporadically hang or never complete requests set
1887# disable-pmtu-discovery option to 'transparent'.
1888#
1889# name= Specifies an internal name for the port. Defaults to
1890# the port specification (port or addr:port)
1891#
1892# tcpkeepalive[=idle,interval,timeout]
1893# Enable TCP keepalive probes of idle connections.
1894# In seconds; idle is the initial time before TCP starts
1895# probing the connection, interval how often to probe, and
1896# timeout the time before giving up.
1897#
1898# require-proxy-header
1899# Require PROXY protocol version 1 or 2 connections.
1900# The proxy_protocol_access is required to whitelist
1901# downstream proxies which can be trusted.
1902#
1903# If you run Squid on a dual-homed machine with an internal
1904# and an external interface we recommend you to specify the
1905# internal address:port in http_port. This way Squid will only be
1906# visible on the internal address.
1907#
1908#
1909
1910# Squid normally listens to port 3128
1911http_port 165.165.100.100:3128
1912
1913
1914# TAG: https_port
1915# Usage: [ip:]port [mode] tls-cert=certificate.pem [options]
1916#
1917# The socket address where Squid will listen for client requests made
1918# over TLS or SSL connections. Commonly referred to as HTTPS.
1919#
1920# This is most useful for situations where you are running squid in
1921# accelerator mode and you want to do the TLS work at the accelerator
1922# level.
1923#
1924# You may specify multiple socket addresses on multiple lines,
1925# each with their own certificate and/or options.
1926#
1927# The tls-cert= option is mandatory on HTTPS ports.
1928#
1929# See http_port for a list of modes and options.
1930#Default:
1931# none
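# Added example (not part of the stock squid.conf and not the operator's
# configuration above): an https_port in accelerator mode that terminates
# TLS in front of a single origin. The hostnames, paths, peer name and
# cipher list are placeholders chosen for this example.

```conf
# The PEM file in tls-cert= holds the server certificate followed by its
# intermediate chain (OpenSSL builds send the whole file); the key is kept
# in a separate, root-readable file.
# tls-dh= must be set or the EDH/EECDH suites in cipher= are silently
# dropped; create the file with: openssl dhparam -out /etc/squid/dhparam.pem 2048
# options= disables SSLv3 and TLS 1.0/1.1, leaving TLS 1.2 and 1.3.
https_port 443 accel defaultsite=www.example.com tls-cert=/etc/squid/certs/www.example.com.chain.pem tls-key=/etc/squid/private/www.example.com.key tls-dh=prime256v1:/etc/squid/dhparam.pem options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1 cipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

# Plain-HTTP side of the same accelerator.
http_port 80 accel defaultsite=www.example.com

# The only place accelerated requests may go. Without allow-direct on the
# port, requests that match no peer are refused rather than forwarded.
cache_peer origin.internal parent 8080 0 no-query originserver name=origin
acl our_sites dstdomain www.example.com
http_access allow our_sites
cache_peer_access origin allow our_sites
cache_peer_access origin deny all
http_access deny all
```

Check the result from the outside rather than trusting the file: "openssl s_client -connect host:443 -tls1" must fail the handshake and "-tls1_2" must succeed, and the chain shown by s_client must end at an intermediate the clients already trust.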
1932
1933# TAG: ftp_port
1934# Enables Native FTP proxy by specifying the socket address where Squid
1935# listens for FTP client requests. See http_port directive for various
1936# ways to specify the listening address and mode.
1937#
1938# Usage: ftp_port address [mode] [options]
1939#
1940# WARNING: This is a new, experimental, complex feature that has seen
1941# limited production exposure. Some Squid modules (e.g., caching) do not
1942# currently work with native FTP proxying, and many features have not
1943# even been tested for compatibility. Test well before deploying!
1944#
1945# Native FTP proxying differs substantially from proxying HTTP requests
1946# with ftp:// URIs because Squid works as an FTP server and receives
1947# actual FTP commands (rather than HTTP requests with FTP URLs).
1948#
1949# Native FTP commands accepted at ftp_port are internally converted or
1950# wrapped into HTTP-like messages. The same happens to Native FTP
1951# responses received from FTP origin servers. Those HTTP-like messages
1952# are shoveled through regular access control and adaptation layers
1953# between the FTP client and the FTP origin server. This allows Squid to
1954# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP
1955# mechanisms when shoveling wrapped FTP messages. For example,
1956# http_access and adaptation_access directives are used.
1957#
1958# Modes:
1959#
1960# intercept Same as http_port intercept. The FTP origin address is
1961# determined based on the intended destination of the
1962# intercepted connection.
1963#
1964# tproxy Support Linux TPROXY for spoofing outgoing
1965# connections using the client IP address.
1966# NP: disables authentication and maybe IPv6 on the port.
1967#
1968# By default (i.e., without an explicit mode option), Squid extracts the
1969# FTP origin address from the login@origin parameter of the FTP USER
1970# command. Many popular FTP clients support such native FTP proxying.
1971#
1972# Options:
1973#
1974# name=token Specifies an internal name for the port. Defaults to
1975# the port address. Usable with myportname ACL.
1976#
1977# ftp-track-dirs
1978# Enables tracking of FTP directories by injecting extra
1979# PWD commands and adjusting Request-URI (in wrapping
1980# HTTP requests) to reflect the current FTP server
1981# directory. Tracking is disabled by default.
1982#
1983# protocol=FTP Protocol to reconstruct accelerated and intercepted
1984# requests with. Defaults to FTP. No other accepted
1985# values have been tested with. An unsupported value
1986# results in a FATAL error. Accepted values are FTP,
1987# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1).
1988#
1989# Other http_port modes and options that are not specific to HTTP and
1990# HTTPS may also work.
1991#Default:
1992# none
1993
1994# TAG: tcp_outgoing_tos
1995# Allows you to select a TOS/Diffserv value for packets outgoing
1996# on the server side, based on an ACL.
1997#
1998# tcp_outgoing_tos ds-field [!]aclname ...
1999#
2000# Example where normal_service_net uses the TOS value 0x00
2001# and good_service_net uses 0x20
2002#
2003# acl normal_service_net src 10.0.0.0/24
2004# acl good_service_net src 10.0.1.0/24
2005# tcp_outgoing_tos 0x00 normal_service_net
2006# tcp_outgoing_tos 0x20 good_service_net
2007#
2008# TOS/DSCP values really only have local significance - so you should
2009# know what you're specifying. For more information, see RFC2474,
2010# RFC2475, and RFC3260.
2011#
2012# The TOS/DSCP byte must be exactly that - an octet value 0 - 255, or
2013# "default" to use whatever default your host has.
2014# Note that only multiples of 4 are usable as the two rightmost bits have
2015# been redefined for use by ECN (RFC 3168 section 23.1).
2016# The squid parser will enforce this by masking away the ECN bits.
2017#
2018# Processing proceeds in the order specified, and stops at first fully
2019# matching line.
2020#
2021# Only fast ACLs are supported.
2022#Default:
2023# none
2024
2025# TAG: clientside_tos
2026# Allows you to select a TOS/DSCP value for packets being transmitted
2027# on the client-side, based on an ACL.
2028#
2029# clientside_tos ds-field [!]aclname ...
2030#
2031# Example where normal_service_net uses the TOS value 0x00
2032# and good_service_net uses 0x20
2033#
2034# acl normal_service_net src 10.0.0.0/24
2035# acl good_service_net src 10.0.1.0/24
2036# clientside_tos 0x00 normal_service_net
2037# clientside_tos 0x20 good_service_net
2038#
2039# Note: This feature is incompatible with qos_flows. Any TOS values set here
2040# will be overwritten by TOS values in qos_flows.
2041#
2042# The TOS/DSCP byte must be exactly that - an octet value 0 - 255, or
2043# "default" to use whatever default your host has.
2044# Note that only multiples of 4 are usable as the two rightmost bits have
2045# been redefined for use by ECN (RFC 3168 section 23.1).
2046# The squid parser will enforce this by masking away the ECN bits.
2047#
2048# This clause only supports fast acl types.
2049# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
2050#Default:
2051# none
2052
2053# TAG: tcp_outgoing_mark
2054# Note: This option is only available if Squid is rebuilt with the
2055# Packet MARK (Linux)
2056#
2057# Allows you to apply a Netfilter mark value to outgoing packets
2058# on the server side, based on an ACL.
2059#
2060# tcp_outgoing_mark mark-value [!]aclname ...
2061#
2062# Example where normal_service_net uses the mark value 0x00
2063# and good_service_net uses 0x20
2064#
2065# acl normal_service_net src 10.0.0.0/24
2066# acl good_service_net src 10.0.1.0/24
2067# tcp_outgoing_mark 0x00 normal_service_net
2068# tcp_outgoing_mark 0x20 good_service_net
2069#
2070# Only fast ACLs are supported.
2071#Default:
2072# none
2073
2074# TAG: clientside_mark
2075# Note: This option is only available if Squid is rebuilt with the
2076# Packet MARK (Linux)
2077#
2078# Allows you to apply a Netfilter mark value to packets being transmitted
2079# on the client-side, based on an ACL.
2080#
2081# clientside_mark mark-value [!]aclname ...
2082#
2083# Example where normal_service_net uses the mark value 0x00
2084# and good_service_net uses 0x20
2085#
2086# acl normal_service_net src 10.0.0.0/24
2087# acl good_service_net src 10.0.1.0/24
2088# clientside_mark 0x00 normal_service_net
2089# clientside_mark 0x20 good_service_net
2090#
2091# Note: This feature is incompatible with qos_flows. Any mark values set here
2092# will be overwritten by mark values in qos_flows.
2093#
2094# This clause only supports fast acl types.
2095# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
2096#Default:
2097# none
2098
2099# TAG: qos_flows
2100# Allows you to select a TOS/DSCP value to mark outgoing
2101# connections to the client, based on where the reply was sourced.
2102# For platforms using netfilter, allows you to set a netfilter mark
2103# value instead of, or in addition to, a TOS value.
2104#
2105# By default this functionality is disabled. To enable it with the default
2106# settings simply use "qos_flows mark" or "qos_flows tos". Default
2107# settings will result in the netfilter mark or TOS value being copied
2108# from the upstream connection to the client. Note that it is the connection
2109# CONNMARK value not the packet MARK value that is copied.
2110#
2111# It is not currently possible to copy the mark or TOS value from the
2112# client to the upstream connection request.
2113#
2114# TOS values really only have local significance - so you should
2115# know what you're specifying. For more information, see RFC2474,
2116# RFC2475, and RFC3260.
2117#
2118# The TOS/DSCP byte must be exactly that - an octet value 0 - 255.
2119# Note that only multiples of 4 are usable as the two rightmost bits have
2120# been redefined for use by ECN (RFC 3168 section 23.1).
2121# The squid parser will enforce this by masking away the ECN bits.
2122#
2123# Mark values can be any unsigned 32-bit integer value.
2124#
2125# This setting is configured by setting the following values:
2126#
2127# tos|mark Whether to set TOS or netfilter mark values
2128#
2129# local-hit=0xFF Value to mark local cache hits.
2130#
2131# sibling-hit=0xFF Value to mark hits from sibling peers.
2132#
2133# parent-hit=0xFF Value to mark hits from parent peers.
2134#
2135# miss=0xFF[/mask] Value to mark cache misses. Takes precedence
2136# over the preserve-miss feature (see below), unless
2137# mask is specified, in which case only the bits
2138# specified in the mask are written.
2139#
2140# The TOS variant of the following features are only possible on Linux
2141# and require your kernel to be patched with the TOS preserving ZPH
2142# patch, available from http://zph.bratcheda.org
2143# No patch is needed to preserve the netfilter mark, which will work
2144# with all variants of netfilter.
2145#
2146# disable-preserve-miss
2147# This option disables the preservation of the TOS or netfilter
2148# mark. By default, the existing TOS or netfilter mark value of
2149# the response coming from the remote server will be retained
2150# and masked with miss-mark.
2151# NOTE: in the case of a netfilter mark, the mark must be set on
2152# the connection (using the CONNMARK target) not on the packet
2153# (MARK target).
2154#
2155# miss-mask=0xFF
2156# Allows you to mask certain bits in the TOS or mark value
2157# received from the remote server, before copying the value to
2158# the TOS sent towards clients.
2159# Default for tos: 0xFF (TOS from server is not changed).
2160# Default for mark: 0xFFFFFFFF (mark from server is not changed).
2161#
2162# All of these features require the --enable-zph-qos compilation flag
2163# (enabled by default). Netfilter marking also requires the
2164# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
2165# libcap 2.09+ (--with-libcap).
2166#
2167#Default:
2168# none
2169
2170# TAG: tcp_outgoing_address
2171# Allows you to map requests to different outgoing IP addresses
2172# based on the username or source address of the user making
2173# the request.
2174#
2175# tcp_outgoing_address ipaddr [[!]aclname] ...
2176#
2177# For example;
2178# Forwarding clients with dedicated IPs for certain subnets.
2179#
2180# acl normal_service_net src 10.0.0.0/24
2181# acl good_service_net src 10.0.2.0/24
2182#
2183# tcp_outgoing_address 2001:db8::c001 good_service_net
2184# tcp_outgoing_address 10.1.0.2 good_service_net
2185#
2186# tcp_outgoing_address 2001:db8::beef normal_service_net
2187# tcp_outgoing_address 10.1.0.1 normal_service_net
2188#
2189# tcp_outgoing_address 2001:db8::1
2190# Live directive (not part of the example): catch-all IPv4 egress address.
tcp_outgoing_address 139.1.2.3
#
# Processing proceeds in the order specified, and stops at first fully
# matching line.
#
# Squid will add an implicit IP version test to each line.
# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
#
# NOTE: The use of this directive with client dependent ACLs is
# incompatible with the use of server side persistent connections. To
# ensure correct results it is best to set server_persistent_connections
# to off when using this directive in such configurations.
#
# NOTE: The use of this directive to set a local IP on outgoing TCP links
# is incompatible with using TPROXY to set the client IP on outbound TCP links.
# When needing to contact peers use the no-tproxy cache_peer option and the
# client_dst_passthru directive to re-enable normal forwarding such as this.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# Address selection is performed by the operating system.

# Live directives: keep proxy and client identity out of forwarded requests.
# "forwarded_for delete" removes X-Forwarded-For entirely, whereas "off"
# still sends "X-Forwarded-For: unknown". Squid keeps only the last value
# given for this directive, so it is set exactly once. The
# request_header_access line additionally strips any X-Forwarded-For the
# client itself supplied, and "via off" suppresses the Via header.
via off
forwarded_for delete
follow_x_forwarded_for deny all
request_header_access X-Forwarded-For deny all
2224
2225# TAG: host_verify_strict
2226# Regardless of this option setting, when dealing with intercepted
2227# traffic, Squid always verifies that the destination IP address matches
2228# the Host header domain or IP (called 'authority form URL').
2229#
2230# This enforcement is performed to satisfy a MUST-level requirement in
2231# RFC 2616 section 14.23: "The Host field value MUST represent the naming
2232# authority of the origin server or gateway given by the original URL".
2233#
2234# When set to ON:
2235# Squid always responds with an HTTP 409 (Conflict) error
2236# page and logs a security warning if there is no match.
2237#
2238# Squid verifies that the destination IP address matches
2239# the Host header for forward-proxy and reverse-proxy traffic
2240# as well. For those traffic types, Squid also enables the
2241# following checks, comparing the corresponding Host header
2242# and Request-URI components:
2243#
2244# * The host names (domain or IP) must be identical,
2245# but valueless or missing Host header disables all checks.
2246# For the two host names to match, both must be either IP
2247# or FQDN.
2248#
2249# * Port numbers must be identical, but if a port is missing
2250# the scheme-default port is assumed.
2251#
2252#
2253# When set to OFF (the default):
2254# Squid allows suspicious requests to continue but logs a
2255# security warning and blocks caching of the response.
2256#
2257# * Forward-proxy traffic is not checked at all.
2258#
2259# * Reverse-proxy traffic is not checked at all.
2260#
2261# * Intercepted traffic which passes verification is handled
2262# according to client_dst_passthru.
2263#
2264# * Intercepted requests which fail verification are sent
2265# to the client original destination instead of DIRECT.
2266# This overrides 'client_dst_passthru off'.
2267#
2268# For now suspicious intercepted CONNECT requests are always
2269# responded to with an HTTP 409 (Conflict) error page.
2270#
2271#
2272# SECURITY NOTE:
2273#
2274# As described in CVE-2009-0801 when the Host: header alone is used
2275# to determine the destination of a request it becomes trivial for
2276# malicious scripts on remote websites to bypass browser same-origin
2277# security policy and sandboxing protections.
2278#
2279# The cause of this is that such applets are allowed to perform their
2280# own HTTP stack, in which case the same-origin policy of the browser
2281# sandbox only verifies that the applet tries to contact the same IP
2282# as from where it was loaded at the IP level. The Host: header may
2283# be different from the connected IP and approved origin.
2284#
2285#Default:
2286# host_verify_strict off
2287
2288# TAG: client_dst_passthru
2289# With NAT or TPROXY intercepted traffic Squid may pass the request
2290# directly to the original client destination IP or seek a faster
2291# source using the HTTP Host header.
2292#
2293# Using Host to locate alternative servers can provide faster
2294# connectivity with a range of failure recovery options.
2295# But can also lead to connectivity trouble when the client and
2296# server are attempting stateful interactions unaware of the proxy.
2297#
2298# This option (on by default) prevents alternative DNS entries being
2299# located to send intercepted traffic DIRECT to an origin server.
2300# The clients original destination IP and port will be used instead.
2301#
2302# Regardless of this option setting, when dealing with intercepted
2303# traffic Squid will verify the Host: header and any traffic which
2304# fails Host verification will be treated as if this option were ON.
2305#
2306# see host_verify_strict for details on the verification process.
2307#Default:
2308# client_dst_passthru on
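# Added example (not part of the stock squid.conf and not the operator's
# configuration): NAT interception of ports 80 and 443 on a LAN gateway, with
# SslBump peek-and-splice, dynamic certificate generation, and the Host
# verification directives above left at their defaults. Subnet, addresses,
# paths, the helper location and the exempted domains are placeholders; the
# CA in bump-ca.pem must be installed in the clients' trust stores.

```conf
acl localnet src 10.0.0.0/8
acl step1 at_step SslBump1
acl step2 at_step SslBump2
# Sites that must never be decrypted (client certificates, pinning, policy).
acl nobump ssl::server_name .bank.example .example.gov

# Explicit proxy port, bound to the internal interface only.
http_port 10.0.0.1:3128
# Ports that receive NAT-redirected traffic. Never expose these beyond the
# LAN: an intercept port reachable from outside is an open proxy.
http_port 10.0.0.1:3129 intercept
# The CA certificate and key sign the generated per-site certificates; the
# certificate cache is sized to match the helper's -M below.
https_port 10.0.0.1:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB tls-cert=/etc/squid/bump-ca.pem tls-key=/etc/squid/bump-ca.key options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1

# Certificate generation helper shipped with Squid 4 (path varies by distro);
# initialise the database once with: security_file_certgen -c -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 5

# Step 1: read the client SNI without committing to anything.
# Step 2: splice the exempted sites; stare at everyone else's server
#         certificate so that bumping at step 3 remains possible.
# Step 3: bump whatever was stared at.
ssl_bump peek step1
ssl_bump splice nobump
ssl_bump stare step2
ssl_bump bump all

# Intercepted requests whose Host header disagrees with the original
# destination are logged and sent to that original destination; with
# host_verify_strict on they would be rejected with 409 instead.
host_verify_strict off
client_dst_passthru on

http_access allow localnet
http_access deny all
```

The splice decision is taken at step 2, where the only server name Squid has is the SNI the client sent, and a client chooses its own SNI. The nobump list therefore exempts traffic from decryption; it does not authorise it, so access policy still belongs in http_access. The NAT rules that redirect 80 to 3129 and 443 to 3130 must exclude traffic generated by the Squid host itself, or its own outbound connections loop back into the proxy.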
2309
2310# TLS OPTIONS
2311# -----------------------------------------------------------------------------
2312
2313# TAG: tls_outgoing_options
2314# disable Do not support https:// URLs.
2315#
2316# cert=/path/to/client/certificate
2317# A client X.509 certificate to use when connecting.
2318#
2319# key=/path/to/client/private_key
2320# The private key corresponding to the cert= above.
2321#
2322# If key= is not specified cert= is assumed to
2323# reference a PEM file containing both the certificate
2324# and private key.
2325#
2326# cipher=... The list of valid TLS ciphers to use.
2327#
2328# min-version=1.N
2329# The minimum TLS protocol version to permit.
2330# To control SSLv3 use the options= parameter.
2331# Supported Values: 1.0 (default), 1.1, 1.2, 1.3
2332#
2333# options=... Specify various TLS/SSL implementation options.
2334#
2335# OpenSSL options most important are:
2336#
2337# NO_SSLv3 Disallow the use of SSLv3
2338#
2339# SINGLE_DH_USE
2340# Always create a new key when using
2341# temporary/ephemeral DH key exchanges
2342#
2343# NO_TICKET
2344# Disable use of RFC5077 session tickets.
2345# Some servers may have problems
2346# understanding the TLS extension due
2347# to ambiguous specification in RFC4507.
2348#
2349# ALL Enable various bug workarounds
2350# suggested as "harmless" by OpenSSL
2351# Be warned that this reduces SSL/TLS
2352# strength to some attacks.
2353#
2354# See the OpenSSL SSL_CTX_set_options documentation
2355# for a more complete list.
2356#
2357# GnuTLS options most important are:
2358#
2359# %NO_TICKETS
2360# Disable use of RFC5077 session tickets.
2361# Some servers may have problems
2362# understanding the TLS extension due
2363# to ambiguous specification in RFC4507.
2364#
2365# See the GnuTLS Priority Strings documentation
2366# for a more complete list.
2367# http://www.gnutls.org/manual/gnutls.html#Priority-Strings
2368#
2369#
2370# cafile= PEM file containing CA certificates to use when verifying
2371# the peer certificate. May be repeated to load multiple files.
2372#
2373# capath= A directory containing additional CA certificates to
2374# use when verifying the peer certificate.
2375# Requires OpenSSL or LibreSSL.
2376#
2377# crlfile=... A certificate revocation list file to use when
2378# verifying the peer certificate.
2379#
2380# flags=... Specify various flags modifying the TLS implementation:
2381#
2382# DONT_VERIFY_PEER
2383# Accept certificates even if they fail to
2384# verify.
2385# DONT_VERIFY_DOMAIN
2386# Don't verify the peer certificate
2387# matches the server name
2388#
2389# default-ca[=off]
2390# Whether to use the system Trusted CAs. Default is ON.
2391#
2392# domain= The peer name as advertised in its certificate.
2393# Used for verifying the correctness of the received peer
2394# certificate. If not specified the peer hostname will be
2395# used.
2396#Default:
2397# tls_outgoing_options min-version=1.0
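# Added example (not part of the stock squid.conf): the server-side TLS
# settings a bumping or https://-fetching proxy should run with, shown next
# to the weak form they replace. The intermediates file path is a placeholder.
# Note that cache_peer connections are not covered by this directive; each
# peer carries its own tls options on its cache_peer line.

```conf
# Weak (kept commented out): any origin certificate is accepted and TLS 1.0
# is still negotiated. A bumped client then receives a valid Squid-signed
# certificate even when the origin presented a forged or expired one, so
# the proxy silently converts a server-side failure into client-side trust.
# tls_outgoing_options min-version=1.0 flags=DONT_VERIFY_PEER

# Corrected: TLS 1.2 or later, verification against the system CA store
# (default-ca is on by default for outgoing connections), no anonymous or
# broken suites.
tls_outgoing_options min-version=1.2 cipher=HIGH:!aNULL:!MD5:!RC4
# Intermediates that badly configured origins omit from their chain; these
# are never treated as trust anchors, and self-signed entries are ignored.
sslproxy_foreign_intermediate_certs /etc/squid/intermediates.pem
# Keep the default: a server certificate error terminates the transaction
# rather than being bypassed.
sslproxy_cert_error deny all
```

After a change here, confirm behaviour with a deliberately bad origin (an expired or self-signed test site): the client must see Squid's error page, not a Squid-signed certificate for that site.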
2398
2399# SSL OPTIONS
2400# -----------------------------------------------------------------------------
2401
2402# TAG: ssl_unclean_shutdown
2403# Note: This option is only available if Squid is rebuilt with the
2404# --with-openssl
2405#
2406# Some browsers (especially MSIE) bug out on SSL shutdown
2407# messages.
2408#Default:
2409# ssl_unclean_shutdown off
2410
2411# TAG: ssl_engine
2412# Note: This option is only available if Squid is rebuilt with the
2413# --with-openssl
2414#
2415# The OpenSSL engine to use. You will need to set this if you
2416# would like to use hardware SSL acceleration for example.
2417#Default:
2418# none
2419
2420# TAG: sslproxy_session_ttl
2421# Note: This option is only available if Squid is rebuilt with the
2422# --with-openssl
2423#
2424# Sets the timeout value for SSL sessions
2425#Default:
2426# sslproxy_session_ttl 300
2427
2428# TAG: sslproxy_session_cache_size
2429# Note: This option is only available if Squid is rebuilt with the
2430# --with-openssl
2431#
2432# Sets the cache size to use for ssl session
2433#Default:
2434# sslproxy_session_cache_size 2 MB
2435
2436# TAG: sslproxy_foreign_intermediate_certs
2437# Note: This option is only available if Squid is rebuilt with the
2438# --with-openssl
2439#
2440# Many origin servers fail to send their full server certificate
2441# chain for verification, assuming the client already has or can
2442# easily locate any missing intermediate certificates.
2443#
2444# Squid uses the certificates from the specified file to fill in
2445# these missing chains when trying to validate origin server
2446# certificate chains.
2447#
2448# The file is expected to contain zero or more PEM-encoded
2449# intermediate certificates. These certificates are not treated
2450# as trusted root certificates, and any self-signed certificate in
2451# this file will be ignored.
2452#Default:
2453# none
2454
2455# TAG: sslproxy_cert_sign_hash
2456# Note: This option is only available if Squid is rebuilt with the
2457# --with-openssl
2458#
2459# Sets the hashing algorithm to use when signing generated certificates.
2460# Valid algorithm names depend on the OpenSSL library used. The following
2461# names are usually available: sha1, sha256, sha512, and md5. Please see
2462# your OpenSSL library manual for the available hashes. Squid builds that
2463# support this option use sha256 by default.
2464#
2465# Squid does not forcefully purge cached certificates that were generated
2466# with an algorithm other than the currently configured one. They remain
2467# in the cache, subject to the regular cache eviction policy, and become
2468# useful if the algorithm changes again.
2469#Default:
2470# none
2471
2472# TAG: ssl_bump
2473# Note: This option is only available if Squid is rebuilt with the
2474# --with-openssl
2475#
2476# This option is consulted when a CONNECT request is received on
2477# an http_port (or a new connection is intercepted at an
2478# https_port), provided that port was configured with an ssl-bump
2479# flag. The subsequent data on the connection is either treated as
2480# HTTPS and decrypted OR tunneled at TCP level without decryption,
2481# depending on the first matching bumping "action".
2482#
2483# ssl_bump <action> [!]acl ...
2484#
2485# The following bumping actions are currently supported:
2486#
2487# splice
2488# Become a TCP tunnel without decrypting proxied traffic.
2489# This is the default action.
2490#
2491# bump
2492# When used on step SslBump1, establishes a secure connection
2493# with the client first, then connects to the server.
2494# When used on step SslBump2 or SslBump3, establishes a secure
2495# connection with the server and, using a mimicked server
2496# certificate, with the client.
2497#
2498# peek
2499# Receive client (step SslBump1) or server (step SslBump2)
2500# certificate while preserving the possibility of splicing the
2501# connection. Peeking at the server certificate (during step 2)
2502# usually precludes bumping of the connection at step 3.
2503#
2504# stare
2505# Receive client (step SslBump1) or server (step SslBump2)
2506# certificate while preserving the possibility of bumping the
2507# connection. Staring at the server certificate (during step 2)
2508# usually precludes splicing of the connection at step 3.
2509#
2510# terminate
2511# Close client and server connections.
2512#
2513# Backward compatibility actions available at step SslBump1:
2514#
2515# client-first
2516# Bump the connection. Establish a secure connection with the
2517# client first, then connect to the server. This old mode does
2518# not allow Squid to mimic server SSL certificate and does not
2519# work with intercepted SSL connections.
2520#
2521# server-first
2522# Bump the connection. Establish a secure connection with the
2523# server first, then establish a secure connection with the
2524# client, using a mimicked server certificate. Works with both
2525# CONNECT requests and intercepted SSL connections, but does
2526# not allow making decisions based on SSL handshake info.
2527#
2528# peek-and-splice
2529# Decide whether to bump or splice the connection based on
2530# client-to-squid and server-to-squid SSL hello messages.
2531# XXX: Remove.
2532#
2533# none
2534# Same as the "splice" action.
2535#
2536# All ssl_bump rules are evaluated at each of the supported bumping
2537# steps. Rules with actions that are impossible at the current step are
2538# ignored. The first matching ssl_bump action wins and is applied at the
2539# end of the current step. If no rules match, the splice action is used.
2540# See the at_step ACL for a list of the supported SslBump steps.
2541#
2542# This clause supports both fast and slow acl types.
2543# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
2544#
2545# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step.
2546#
2547#
2548# # Example: Bump all TLS connections except those originating from
2549# # localhost or those going to example.com.
2550#
2551# acl broken_sites ssl::server_name .example.com
2552# ssl_bump splice localhost
2553# ssl_bump splice broken_sites
2554# ssl_bump bump all
2555#Default:
2556# Become a TCP tunnel without decrypting proxied traffic.
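# The per-step evaluation described above (impossible actions ignored, first
# match wins, splice by default), modelled as an added example that is not
# part of squid.conf or the Squid project. The table of which actions are
# possible at which step is our reading of the action descriptions above, and
# ACL outcomes are supplied by the caller rather than evaluated against a
# real transaction.

```python
"""Model of how Squid walks an ssl_bump rule list at each SslBump step.

Assumptions (taken from the ssl_bump text):
  * a rule is "ssl_bump <action> [!]acl ..."; every ACL term on the line
    must match, a leading "!" negates a term and "all" always matches;
  * rules whose action is impossible at the current step are skipped;
  * the first remaining match wins, and "splice" is the default.
"""

# Actions usable at each step, derived from the action descriptions
# (peek/stare only where a certificate is still to be received).
ACTIONS_BY_STEP = {
    1: {"splice", "bump", "peek", "stare", "terminate",
        "client-first", "server-first", "peek-and-splice", "none"},
    2: {"splice", "bump", "peek", "stare", "terminate"},
    3: {"splice", "bump", "terminate"},
}
DEFAULT_ACTION = "splice"


def parse_rules(config_text):
    """Turn 'ssl_bump <action> acl ...' lines into (action, [terms]) pairs."""
    rules = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] != "ssl_bump" or len(parts) < 3:
            raise ValueError(f"not an ssl_bump rule: {line!r}")
        rules.append((parts[1], parts[2:]))
    return rules


def acl_line_matches(terms, acl_results):
    """All terms on one rule line must match; '!' negates, 'all' is true."""
    for term in terms:
        negate = term.startswith("!")
        name = term[1:] if negate else term
        value = True if name == "all" else acl_results.get(name, False)
        if value == negate:          # plain term false, or negated term true
            return False
    return True


def evaluate_ssl_bump(rules, step, acl_results):
    """Return the action applied at the end of `step`.

    `acl_results` maps ACL names to the boolean outcome the caller has
    already computed for this transaction at this step.
    """
    if step not in ACTIONS_BY_STEP:
        raise ValueError(f"unknown SslBump step {step}")
    for action, terms in rules:
        if action not in ACTIONS_BY_STEP[step]:
            continue                 # impossible at this step: ignored
        if acl_line_matches(terms, acl_results):
            return "splice" if action == "none" else action
    return DEFAULT_ACTION


# Constructed sample: the example rule set from the ssl_bump text.
EXAMPLE_CONFIG = """
ssl_bump splice localhost
ssl_bump splice broken_sites
ssl_bump bump all
"""

if __name__ == "__main__":
    rules = parse_rules(EXAMPLE_CONFIG)
    outcome = {"localhost": False, "broken_sites": True}
    for step in (1, 2, 3):
        print(f"step {step}: {evaluate_ssl_bump(rules, step, outcome)}")
```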
2557
2558# TAG: sslproxy_cert_error
2559# Note: This option is only available if Squid is rebuilt with the
2560# --with-openssl
2561#
2562# Use this ACL to bypass server certificate validation errors.
2563#
2564# For example, the following lines will bypass all validation errors
2565# when talking to servers for example.com. All other
2566# validation errors will result in ERR_SECURE_CONNECT_FAIL error.
2567#
2568# acl BrokenButTrustedServers dstdomain example.com
2569# sslproxy_cert_error allow BrokenButTrustedServers
2570# sslproxy_cert_error deny all
2571#
2572# This clause only supports fast acl types.
2573# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
2574# Using slow acl types may result in server crashes.
2575#
2576# Without this option, all server certificate validation errors
2577# terminate the transaction to protect Squid and the client.
2578#
2579# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed
2580# but should not happen unless your OpenSSL library is buggy.
2581#
2582# SECURITY WARNING:
2583# Bypassing validation errors is dangerous because an
2584# error usually implies that the server cannot be trusted
2585# and the connection may be insecure.
2586#
2587# See also: sslproxy_flags and DONT_VERIFY_PEER.
2588#Default:
2589# Server certificate errors terminate the transaction.
2590
2591# TAG: sslproxy_cert_sign
2592# Note: This option is only available if Squid is rebuilt with the
2593# --with-openssl
2594#
2595#
2596# sslproxy_cert_sign <signing algorithm> acl ...
2597#
2598# The following certificate signing algorithms are supported:
2599#
2600# signTrusted
2601# Sign using the configured CA certificate which is usually
2602# placed in and trusted by end-user browsers. This is the
2603# default for trusted origin server certificates.
2604#
2605# signUntrusted
2606# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
2607# This is the default for untrusted origin server certificates
2608# that are not self-signed (see ssl::certUntrusted).
2609#
2610# signSelf
2611# Sign using a self-signed certificate with the right CN to
2612# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
2613# browser. This is the default for self-signed origin server
2614# certificates (see ssl::certSelfSigned).
2615#
2616# This clause only supports fast acl types.
2617#
2618# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
2619# signing algorithm to generate the certificate and ignores all
2620# subsequent sslproxy_cert_sign options (the first match wins). If no
2621# acl(s) match, the default signing algorithm is determined by errors
2622# detected when obtaining and validating the origin server certificate.
2623#
2624# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl::certDomainMismatch can
2625# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
2626# CONNECT request that carries a domain name. In all other cases (CONNECT
2627# to an IP address or an intercepted SSL connection), Squid cannot detect
2628# the domain mismatch at certificate generation time when
2629# bump-server-first is used.
2630#Default:
2631# none
2632
2633# TAG: sslproxy_cert_adapt
2634# Note: This option is only available if Squid is rebuilt with the
2635# --with-openssl
2636#
2637#
2638# sslproxy_cert_adapt <adaptation algorithm> acl ...
2639#
2640# The following certificate adaptation algorithms are supported:
2641#
2642# setValidAfter
2643# Sets the "Not After" property to the "Not After" property of
2644# the CA certificate used to sign generated certificates.
2645#
2646# setValidBefore
2647# Sets the "Not Before" property to the "Not Before" property of
2648# the CA certificate used to sign generated certificates.
2649#
2650# setCommonName or setCommonName{CN}
2651# Sets Subject.CN property to the host name specified as a
2652# CN parameter or, if no explicit CN parameter was specified,
2653# extracted from the CONNECT request. It is a misconfiguration
2654# to use setCommonName without an explicit parameter for
2655# intercepted or tproxied SSL connections.
2656#
2657# This clause only supports fast acl types.
2658#
2659# Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
2660# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
2661# corresponding adaptation algorithm to generate the certificate and
2662# ignores all subsequent sslproxy_cert_adapt options in that algorithm's
2663# group (i.e., the first match wins within each algorithm group). If no
2664# acl(s) match, the default mimicking action takes place.
2665#
2666# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl::certDomainMismatch can
2667# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
2668# CONNECT request that carries a domain name. In all other cases (CONNECT
2669# to an IP address or an intercepted SSL connection), Squid cannot detect
2670# the domain mismatch at certificate generation time when
2671# bump-server-first is used.
2672#Default:
2673# none
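# The two selection rules above differ in an easily missed way: sslproxy_cert_sign
# yields exactly one algorithm (first match overall), while sslproxy_cert_adapt
# yields at most one per algorithm group, so several adaptations can apply to the
# same generated certificate. This added example (not Squid code) models both; the
# "trusted" / "self-signed" / other status vocabulary used to pick the default
# signing algorithm and the sample rules are constructed for the example.

```python
"""Model of sslproxy_cert_sign and sslproxy_cert_adapt rule selection."""
import re

SIGN_ALGORITHMS = {"signTrusted", "signUntrusted", "signSelf"}
ADAPT_ALGORITHMS = {"setValidAfter", "setValidBefore", "setCommonName"}
# setCommonName may carry a parameter in braces: setCommonName{host}
ADAPT_RE = re.compile(r"^(?P<name>[A-Za-z]+)(?:\{(?P<param>[^}]*)\})?$")


def acl_line_matches(terms, acl_results):
    """All terms must match; '!' negates a term and 'all' always matches."""
    for term in terms:
        negate = term.startswith("!")
        name = term[1:] if negate else term
        value = True if name == "all" else acl_results.get(name, False)
        if value == negate:
            return False
    return True


def default_sign_algorithm(server_cert_status):
    """Default when no sslproxy_cert_sign rule matches (per the text):
    trusted -> signTrusted, self-signed -> signSelf, otherwise signUntrusted."""
    return {"trusted": "signTrusted",
            "self-signed": "signSelf"}.get(server_cert_status, "signUntrusted")


def choose_sign_algorithm(sign_rules, acl_results, server_cert_status):
    """sslproxy_cert_sign: the first matching rule wins, else the default."""
    for algorithm, terms in sign_rules:
        if algorithm not in SIGN_ALGORITHMS:
            raise ValueError(f"unknown signing algorithm {algorithm!r}")
        if acl_line_matches(terms, acl_results):
            return algorithm
    return default_sign_algorithm(server_cert_status)


def choose_adaptations(adapt_rules, acl_results, connect_host=None):
    """sslproxy_cert_adapt: first match wins *within each algorithm group*,
    so the result is a {algorithm: parameter} mapping (parameter may be None).
    `connect_host` is the host from a CONNECT request, or None when the
    connection was intercepted and no such host exists."""
    chosen = {}
    for spec, terms in adapt_rules:
        m = ADAPT_RE.match(spec)
        if not m or m.group("name") not in ADAPT_ALGORITHMS:
            raise ValueError(f"unknown adaptation algorithm {spec!r}")
        name, param = m.group("name"), m.group("param")
        if name in chosen:
            continue                 # this group was already decided
        if not acl_line_matches(terms, acl_results):
            continue
        if name == "setCommonName" and param is None:
            # No explicit CN: the text says the host comes from the CONNECT
            # request and that relying on it for intercepted traffic is a
            # misconfiguration, so treat that case as an error.
            if connect_host is None:
                raise ValueError("setCommonName without a CN parameter "
                                 "on an intercepted connection")
            param = connect_host
        chosen[name] = param
    return chosen


# Constructed sample rule sets (ACL names and hosts are placeholders).
SIGN_RULES = [("signTrusted", ["internal_ca_sites"]),
              ("signUntrusted", ["all"])]
ADAPT_RULES = [("setValidAfter", ["all"]),
               ("setCommonName{intranet.example.test}", ["intranet"]),
               ("setCommonName", ["all"]),
               ("setValidBefore", ["old_clients"])]

if __name__ == "__main__":
    acls = {"internal_ca_sites": False, "intranet": True}
    print(choose_sign_algorithm(SIGN_RULES, acls, "trusted"))
    print(choose_adaptations(ADAPT_RULES, acls, connect_host="www.example.com"))
```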
2674
2675# TAG: sslpassword_program
2676# Note: This option is only available if Squid is rebuilt with the
2677# --with-openssl
2678#
2679# Specify a program used for entering SSL key passphrases
2680# when using encrypted SSL certificate keys. If not specified,
2681# keys must either be unencrypted or Squid must be started with the -N
2682# option to allow it to query interactively for the passphrase.
2683#
2684# The key file name is given as an argument to the program, allowing
2685# selection of the right password if you have multiple encrypted
2686# keys.
2687#Default:
2688# none
2689
2690# OPTIONS RELATING TO EXTERNAL SSL_CRTD
2691# -----------------------------------------------------------------------------
2692
2693# TAG: sslcrtd_program
2694# Note: This option is only available if Squid is rebuilt with the
2695# --enable-ssl-crtd
2696#
2697# Specify the location and options of the executable for the certificate
2698# generator.
2699#
2700# /usr/lib/squid/security_file_certgen program can use a disk cache to improve response
2701# times on repeated requests. To enable caching, specify -s and -M
2702# parameters. If those parameters are not given, the program generates
2703# a new certificate on every request.
2704#
2705# For more information use:
2706# /usr/lib/squid/security_file_certgen -h
2707#Default:
2708# sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
2709
2710# TAG: sslcrtd_children
2711# Note: This option is only available if Squid is rebuilt with the
2712# --enable-ssl-crtd
2713#
2714# Specifies the maximum number of certificate generation processes that
2715# Squid may spawn (numberofchildren) and several related options. Using
2716# too few of these helper processes (a.k.a. "helpers") creates request
2717# queues. Using too many helpers wastes your system resources. Squid
2718# does not support spawning more than 32 helpers.
2719#
2720# Usage: numberofchildren [option]...
2721#
2722# The startup= and idle= options allow some measure of skew in your
2723# tuning.
2724#
2725# startup=N
2726#
2727# Sets the minimum number of processes to spawn when Squid
2728# starts or reconfigures. When set to zero the first request will
2729# cause spawning of the first child process to handle it.
2730#
2731# Starting too few children temporarily slows Squid under load while it
2732# tries to spawn enough additional processes to cope with traffic.
2733#
2734# idle=N
2735#
2736# Sets a minimum of how many processes Squid is to try and keep available
2737# at all times. When traffic begins to rise above what the existing
2738# processes can handle, this many more will be spawned up to the maximum
2739# configured. A minimum setting of 1 is required.
2740#
2741# queue-size=N
2742#
2743# Sets the maximum number of queued requests. A request is queued when
2744# no existing child is idle and no new child can be started due to
2745# numberofchildren limit. If the queued requests exceed queue size for
2746# more than 3 minutes, Squid aborts its operation. The default value is
2747# set to 2*numberofchildren.
2748#
2749# You must have at least one ssl_crtd process.
2750#Default:
2751# sslcrtd_children 32 startup=5 idle=1
2752
2753# TAG: sslcrtvalidator_program
2754# Note: This option is only available if Squid is rebuilt with the
2755# --with-openssl
2756#
2757# Specify the location and options of the executable for the ssl_crt_validator
2758# process.
2759#
2760# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ...
2761#
2762# Options:
2763# ttl=n TTL in seconds for cached results. The default is 60 secs
2764# cache=n limit the result cache size. The default value is 2048
2765#Default:
2766# none
2767
2768# TAG: sslcrtvalidator_children
2769# Note: This option is only available if Squid is rebuilt with the
2770# --with-openssl
2771#
2772# Specifies the maximum number of certificate validation processes that
2773# Squid may spawn (numberofchildren) and several related options. Using
2774# too few of these helper processes (a.k.a. "helpers") creates request
2775# queues. Using too many helpers wastes your system resources. Squid
2776# does not support spawning more than 32 helpers.
2777#
2778# Usage: numberofchildren [option]...
2779#
2780# The startup= and idle= options allow some measure of skew in your
2781# tuning.
2782#
2783# startup=N
2784#
2785# Sets the minimum number of processes to spawn when Squid
2786# starts or reconfigures. When set to zero the first request will
2787# cause spawning of the first child process to handle it.
2788#
2789# Starting too few children temporarily slows Squid under load while it
2790# tries to spawn enough additional processes to cope with traffic.
2791#
2792# idle=N
2793#
2794# Sets a minimum of how many processes Squid is to try and keep available
2795# at all times. When traffic begins to rise above what the existing
2796# processes can handle, this many more will be spawned up to the maximum
2797# configured. A minimum setting of 1 is required.
2798#
2799# concurrency=
2800#
2801# The number of requests each certificate validator helper can handle in
2802# parallel. A value of 0 indicates the certificate validator does not
2803# support concurrency. Defaults to 1.
2804#
2805# When this directive is set to a value >= 1 then the protocol
2806# used to communicate with the helper is modified to include
2807# a request ID in front of the request/response. The request
2808# ID from the request must be echoed back with the response
2809# to that request.
2810#
2811# queue-size=N
2812#
2813# Sets the maximum number of queued requests. A request is queued when
2814# no existing child can accept it due to concurrency limit and no new
2815# child can be started due to numberofchildren limit. If the queued
2816# requests exceed queue size for more than 3 minutes, Squid aborts its
2817# operation. The default value is set to 2*numberofchildren.
2818#
2819# You must have at least one ssl_crt_validator process.
2820#Default:
2821# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1
2822
2823# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
2824# -----------------------------------------------------------------------------
2825
2826# TAG: cache_peer
2827# To specify other caches in a hierarchy, use the format:
2828#
2829# cache_peer hostname type http-port icp-port [options]
2830#
2831# For example,
2832#
2833# # proxy icp
2834# # hostname type port port options
2835# # -------------------- -------- ----- ----- -----------
2836# cache_peer parent.foo.net parent 3128 3130 default
2837# cache_peer sib1.foo.net sibling 3128 3130 proxy-only
2838# cache_peer sib2.foo.net sibling 3128 3130 proxy-only
2839# cache_peer example.com parent 80 0 default
2840# cache_peer cdn.example.com sibling 3128 0
2841#
2842# type: either 'parent', 'sibling', or 'multicast'.
2843#
2844# proxy-port (http-port above): The port number where the peer accepts HTTP requests.
2845# For other Squid proxies this is usually 3128
2846# For web servers this is usually 80
2847#
2848# icp-port: Used for querying neighbor caches about objects.
2849# Set to 0 if the peer does not support ICP or HTCP.
2850# See ICP and HTCP options below for additional details.
2851#
2852#
2853# ==== ICP OPTIONS ====
2854#
2855# You MUST also set icp_port and icp_access explicitly when using these options.
2856# The defaults will prevent peer traffic using ICP.
2857#
2858#
2859# no-query Disable ICP queries to this neighbor.
2860#
2861# multicast-responder
2862# Indicates the named peer is a member of a multicast group.
2863# ICP queries will not be sent directly to the peer, but ICP
2864# replies will be accepted from it.
2865#
2866# closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
2867# CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
2868#
2869# background-ping
2870# To only send ICP queries to this neighbor infrequently.
2871# This is used to keep the neighbor round trip time updated
2872# and is usually used in conjunction with weighted-round-robin.
2873#
2874#
2875# ==== HTCP OPTIONS ====
2876#
2877# You MUST also set htcp_port and htcp_access explicitly when using these options.
2878# The defaults will prevent peer traffic using HTCP.
2879#
2880#
2881# htcp Send HTCP, instead of ICP, queries to the neighbor.
2882# You probably also want to set the "icp-port" to 4827
2883# instead of 3130. This directive accepts a comma separated
2884# list of options described below.
2885#
2886# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier).
2887#
2888# htcp=no-clr Send HTCP to the neighbor but without
2889# sending any CLR requests. This cannot be used with
2890# only-clr.
2891#
2892# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests.
2893# This cannot be used with no-clr.
2894#
2895# htcp=no-purge-clr
2896# Send HTCP to the neighbor including CLRs but only when
2897# they do not result from PURGE requests.
2898#
2899# htcp=forward-clr
2900# Forward any HTCP CLR requests this proxy receives to the peer.
2901#
2902#
2903# ==== PEER SELECTION METHODS ====
2904#
2905# The default peer selection method is ICP, with the first responding peer
2906# being used as source. These options can be used for better load balancing.
2907#
2908#
2909# default This is a parent cache which can be used as a "last-resort"
2910# if a peer cannot be located by any of the peer-selection methods.
2911# If specified more than once, only the first is used.
2912#
2913# round-robin Load-Balance parents which should be used in a round-robin
2914# fashion in the absence of any ICP queries.
2915# weight=N can be used to add bias.
2916#
2917# weighted-round-robin
2918# Load-Balance parents which should be used in a round-robin
2919# fashion with the frequency of each parent being based on the
2920# round trip time. Closer parents are used more often.
2921# Usually used for background-ping parents.
2922# weight=N can be used to add bias.
2923#
2924# carp Load-Balance parents which should be used as a CARP array.
2925# The requests will be distributed among the parents based on the
2926# CARP load balancing hash function based on their weight.
2927#
2928# userhash Load-balance parents based on the client proxy_auth or ident username.
2929#
2930# sourcehash Load-balance parents based on the client source IP.
2931#
2932# multicast-siblings
2933# To be used only for cache peers of type "multicast".
2934# ALL members of this multicast group have "sibling"
2935# relationship with it, not "parent". Use this with a multicast
2936# group when the requested object would be fetched only from
2937# a "parent" cache, anyway. It's useful, e.g., when
2938# configuring a pool of redundant Squid proxies, being
2939# members of the same multicast group.
2940#
2941#
2942# ==== PEER SELECTION OPTIONS ====
2943#
2944# weight=N use to affect the selection of a peer during any weighted
2945# peer-selection mechanisms.
2946# The weight must be an integer; default is 1,
2947# larger weights are favored more.
2948# This option does not affect parent selection if a peering
2949# protocol is not in use.
2950#
2951# basetime=N Specify a base amount to be subtracted from round trip
2952# times of parents.
2953# It is subtracted before division by weight in calculating
2954# which parent to fetch from. If the rtt is less than the
2955# base time the rtt is set to a minimal value.
2956#
2957# ttl=N Specify a TTL to use when sending multicast ICP queries
2958# to this address.
2959# Only useful when sending to a multicast group.
2960# Because we don't accept ICP replies from random
2961# hosts, you must configure other group members as
2962# peers with the 'multicast-responder' option.
2963#
2964# no-delay To prevent access to this neighbor from influencing the
2965# delay pools.
2966#
2967# digest-url=URL Tell Squid to fetch the cache digest (if digests are
2968# enabled) for this host from the specified URL rather
2969# than the Squid default location.
2970#
2971#
2972# ==== CARP OPTIONS ====
2973#
2974# carp-key=key-specification
2975# Use a different key than the full URL to hash against the peer.
2976# The key-specification is a comma-separated list of the keywords
2977# scheme, host, port, path, params
2978# Order is not important.
2979#
2980# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
2981#
2982# originserver Causes this parent to be contacted as an origin server.
2983# Meant to be used in accelerator setups when the peer
2984# is a web server.
2985#
2986# forceddomain=name
2987# Set the Host header of requests forwarded to this peer.
2988# Useful in accelerator setups where the server (peer)
2989# expects a certain domain name but clients may request
2990# others, e.g. example.com or www.example.com.
2991#
2992# no-digest Disable request of cache digests.
2993#
2994# no-netdb-exchange
2995# Disables requesting ICMP RTT database (NetDB).
2996#
2997#
2998# ==== AUTHENTICATION OPTIONS ====
2999#
3000# login=user:password
3001# If this is a personal/workgroup proxy and your parent
3002# requires proxy authentication.
3003#
3004# Note: The string can include URL escapes (e.g. %20 for
3005# spaces). This also means % must be written as %%.
3006#
3007# login=PASSTHRU
3008# Send login details received from client to this peer.
3009# Both Proxy- and WWW-Authorization headers are passed
3010# without alteration to the peer.
3011# Authentication is not required by Squid for this to work.
3012#
3013# Note: This will pass any form of authentication but
3014# only Basic auth will work through a proxy unless the
3015# connection-auth options are also used.
3016#
3017# login=PASS Send login details received from client to this peer.
3018# Authentication is not required by this option.
3019#
3020# If there are no client-provided authentication headers
3021# to pass on, but username and password are available
3022# from an external ACL user= and password= result tags
3023# they may be sent instead.
3024#
3025# Note: To combine this with proxy_auth both proxies must
3026# share the same user database as HTTP only allows for
3027# a single login (one for proxy, one for origin server).
3028# Also be warned this will expose your users' proxy
3029# password to the peer. USE WITH CAUTION
3030#
3031# login=*:password
3032# Send the username to the upstream cache, but with a
3033# fixed password. This is meant to be used when the peer
3034# is in another administrative domain, but it is still
3035# needed to identify each user.
3036# The star can optionally be followed by some extra
3037# information which is added to the username. This can
3038# be used to identify this proxy to the peer, similar to
3039# the login=username:password option above.
3040#
3041# login=NEGOTIATE
3042# If this is a personal/workgroup proxy and your parent
3043# requires a secure proxy authentication.
3044# The first principal from the default keytab or defined by
3045# the environment variable KRB5_KTNAME will be used.
3046#
3047# WARNING: The connection may transmit requests from multiple
3048# clients. Negotiate often assumes end-to-end authentication
3049# and a single client, which is not strictly true here.
3050#
3051# login=NEGOTIATE:principal_name
3052# If this is a personal/workgroup proxy and your parent
3053# requires a secure proxy authentication.
3054# The principal principal_name from the default keytab or
3055# defined by the environment variable KRB5_KTNAME will be
3056# used.
3057#
3058# WARNING: The connection may transmit requests from multiple
3059# clients. Negotiate often assumes end-to-end authentication
3060# and a single client, which is not strictly true here.
3061#
3062# connection-auth=on|off
3063# Tell Squid that this peer does or does not support Microsoft
3064# connection oriented authentication, and any such
3065# challenges received from there should be ignored.
3066# Default is auto to automatically determine the status
3067# of the peer.
3068#
3069# auth-no-keytab
3070# Do not use a keytab to authenticate to a peer when
3071# login=NEGOTIATE is specified. Let the GSSAPI
3072# implementation determine which already existing
3073# credentials cache to use instead.
3074#
3075#
3076# ==== SSL / HTTPS / TLS OPTIONS ====
3077#
3078# tls Encrypt connections to this peer with TLS.
3079#
3080# sslcert=/path/to/ssl/certificate
3081# A client X.509 certificate to use when connecting to
3082# this peer.
3083#
3084# sslkey=/path/to/ssl/key
3085# The private key corresponding to sslcert above.
3086#
3087# If sslkey= is not specified sslcert= is assumed to
3088# reference a PEM file containing both the certificate
3089# and private key.
3090#
3091# Notes:
3092#
3093# On Debian/Ubuntu systems a default snakeoil certificate is
3094# available in /etc/ssl and users can set:
3095#
3096# sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem
3097#
3098# and
3099#
3100# sslkey=/etc/ssl/private/ssl-cert-snakeoil.key
3101#
3102# for testing.
3103#
3104# sslcipher=... The list of valid SSL ciphers to use when connecting
3105# to this peer.
3106#
3107# tls-min-version=1.N
3108# The minimum TLS protocol version to permit. To control
3109# SSLv3 use the tls-options= parameter.
3110# Supported Values: 1.0 (default), 1.1, 1.2
3111#
3112# tls-options=... Specify various TLS implementation options.
3113#
3114# The most important OpenSSL options are:
3115#
3116# NO_SSLv3 Disallow the use of SSLv3
3117#
3118# SINGLE_DH_USE
3119# Always create a new key when using
3120# temporary/ephemeral DH key exchanges
3121#
3122# NO_TICKET
3123# Disable use of RFC5077 session tickets.
3124# Some servers may have problems
3125# understanding the TLS extension due
3126# to ambiguous specification in RFC4507.
3127#
3128# ALL Enable various bug workarounds
3129# suggested as "harmless" by OpenSSL
3130# Be warned that this reduces SSL/TLS
3131# strength against some attacks.
3132#
3133# See the OpenSSL SSL_CTX_set_options documentation for a
3134# more complete list.
3135#
3136# The most important GnuTLS options are:
3137#
3138# %NO_TICKETS
3139# Disable use of RFC5077 session tickets.
3140# Some servers may have problems
3141# understanding the TLS extension due
3142# to ambiguous specification in RFC4507.
3143#
3144# See the GnuTLS Priority Strings documentation
3145# for a more complete list.
3146# http://www.gnutls.org/manual/gnutls.html#Priority-Strings
3147#
3148# tls-cafile= PEM file containing CA certificates to use when verifying
3149# the peer certificate. May be repeated to load multiple files.
3150#
3151# sslcapath=... A directory containing additional CA certificates to
3152# use when verifying the peer certificate.
3153# Requires OpenSSL or LibreSSL.
3154#
3155# sslcrlfile=... A certificate revocation list file to use when
3156# verifying the peer certificate.
3157#
3158# sslflags=... Specify various flags modifying the SSL implementation:
3159#
3160# DONT_VERIFY_PEER
3161# Accept certificates even if they fail to
3162# verify.
3163#
3164# DONT_VERIFY_DOMAIN
3165# Don't verify the peer certificate
3166# matches the server name.
3167#
3168# ssldomain= The peer name as advertised in its certificate.
3169# Used for verifying the correctness of the received peer
3170# certificate. If not specified the peer hostname will be
3171# used.
3172#
3173# front-end-https[=off|on|auto]
3174# Enable the "Front-End-Https: On" header needed when
3175# using Squid as an SSL frontend in front of Microsoft OWA.
3176# See MS KB document Q307347 for details on this header.
3177# If set to auto the header will only be added if the
3178# request is forwarded as a https:// URL.
3179#
3180# tls-default-ca[=off]
3181# Whether to use the system Trusted CAs. Default is ON.
3182#
3183# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
3184#
3185# ==== GENERAL OPTIONS ====
3186#
3187# connect-timeout=N
3188# A peer-specific connect timeout.
3189# Also see the peer_connect_timeout directive.
3190#
3191# connect-fail-limit=N
3192# How many times connecting to a peer must fail before
3193# it is marked as down. Standby connection failures
3194# count towards this limit. Default is 10.
3195#
3196# allow-miss Disable Squid's use of only-if-cached when forwarding
3197# requests to siblings. This is primarily useful when
3198# icp_hit_stale is used by the sibling. Excessive use
3199# of this option may result in forwarding loops. One way
3200# to prevent peering loops when using this option is to
3201# deny cache peer usage on requests from a peer:
3202# acl fromPeer ...
3203# cache_peer_access peerName deny fromPeer
3204#
3205# max-conn=N Limit the number of concurrent connections the Squid
3206# may open to this peer, including already opened idle
3207# and standby connections. There is no peer-specific
3208# connection limit by default.
3209#
3210# A peer exceeding the limit is not used for new
3211# requests unless a standby connection is available.
3212#
3213# max-conn currently works poorly with idle persistent
3214# connections: When a peer reaches its max-conn limit,
3215# and there are idle persistent connections to the peer,
3216# the peer may not be selected because the limiting code
3217# does not know whether Squid can reuse those idle
3218# connections.
3219#
3220# standby=N Maintain a pool of N "hot standby" connections to an
3221# UP peer, available for requests when no idle
3222# persistent connection is available (or safe) to use.
3223# By default and with zero N, no such pool is maintained.
3224# N must not exceed the max-conn limit (if any).
3225#
3226# At start or after reconfiguration, Squid opens new TCP
3227# standby connections until there are N connections
3228# available and then replenishes the standby pool as
3229# opened connections are used up for requests. A used
3230# connection never goes back to the standby pool, but
3231# may go to the regular idle persistent connection pool
3232# shared by all peers and origin servers.
3233#
3234# Squid never opens multiple new standby connections
3235# concurrently. This one-at-a-time approach minimizes
3236# flooding-like effect on peers. Furthermore, just a few
3237# standby connections should be sufficient in most cases
3238# to supply most new requests with a ready-to-use
3239# connection.
3240#
3241# Standby connections obey server_idle_pconn_timeout.
3242# For the feature to work as intended, the peer must be
3243# configured to accept and keep them open longer than
3244# the idle timeout at the connecting Squid, to minimize
3245# race conditions typical to idle used persistent
3246# connections. Default request_timeout and
3247# server_idle_pconn_timeout values ensure such a
3248# configuration.
3249#
3250# name=xxx Unique name for the peer.
3251# Required if you have multiple peers on the same host
3252# but different ports.
3253# This name can be used in cache_peer_access and similar
3254# directives to identify the peer.
3255# Can be used by outgoing access controls through the
3256# peername ACL type.
3257#
3258# no-tproxy Do not use the client-spoof TPROXY support when forwarding
3259# requests to this peer. Use normal address selection instead.
3260# This overrides the spoof_client_ip ACL.
3261#
3262# proxy-only objects fetched from the peer will not be stored locally.
3263#
3264#Default:
3265# none
3266
3267# TAG: cache_peer_access
3268# Restricts usage of cache_peer proxies.
3269#
3270# Usage:
3271# cache_peer_access peer-name allow|deny [!]aclname ...
3272#
3273# For the required peer-name parameter, use either the value of the
3274# cache_peer name=value parameter or, if name=value is missing, the
3275# cache_peer hostname parameter.
3276#
3277# This directive narrows down the selection of peering candidates, but
3278# does not determine the order in which the selected candidates are
3279# contacted. That order is determined by the peer selection algorithms
3280# (see PEER SELECTION sections in the cache_peer documentation).
3281#
3282# If a deny rule matches, the corresponding peer will not be contacted
3283# for the current transaction -- Squid will not send ICP queries and
3284# will not forward HTTP requests to that peer. An allow match leaves
3285# the corresponding peer in the selection. The first match for a given
3286# peer wins for that peer.
3287#
3288# The relative order of cache_peer_access directives for the same peer
3289# matters. The relative order of any two cache_peer_access directives
3290# for different peers does not matter. To ease interpretation, it is a
3291# good idea to group cache_peer_access directives for the same peer
3292# together.
3293#
3294# A single cache_peer_access directive may be evaluated multiple times
3295# for a given transaction because individual peer selection algorithms
3296# may check it independently from each other. These redundant checks
3297# may be optimized away in future Squid versions.
3298#
3299# This clause only supports fast acl types.
3300# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
3301#
3302#Default:
3303# No peer usage restrictions.
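# The first-match-per-peer evaluation described above, as an added example that is not Squid's code: a small Python simulator with constructed ACL names, peer names and transactions. It also models the implicit verdict when a peer has rules but none of them match (Squid's general ACL convention: the opposite of that peer's last rule), which this section does not spell out.

```python
"""Simulate cache_peer_access peer filtering.

Added example, not Squid's code. It models the rules documented above:
directives are evaluated per peer in configuration order, the first
allow/deny whose ACL list matches decides for that peer, and the
relative order of directives naming different peers is irrelevant.
When a peer has rules but none match, the simulator applies Squid's
general ACL convention (the opposite of that peer's last rule); a peer
named in no directive stays unrestricted. ACLs are modelled as
predicates over a transaction dict; a leading "!" negates an ACL.
"""
from typing import Callable, Dict, List, Tuple

Transaction = Dict[str, str]
Acl = Callable[[Transaction], bool]
Directive = Tuple[str, str, List[str]]   # (peer-name, "allow"|"deny", [!]aclname ...)

# Constructed ACL definitions standing in for "acl" lines in squid.conf.
ACLS: Dict[str, Acl] = {
    "localnet": lambda t: t["src"].startswith("10."),
    "to_bank": lambda t: t["dstdomain"].endswith(".bank.example"),
    "CONNECT": lambda t: t["method"] == "CONNECT",
    "all": lambda t: True,
}

def acl_list_matches(names: List[str], tx: Transaction,
                     acls: Dict[str, Acl] = ACLS) -> bool:
    """A directive matches only if every listed ACL matches (AND), honouring '!'."""
    for name in names:
        negate = name.startswith("!")
        if acls[name.lstrip("!")](tx) == negate:   # ACL failed (or negated ACL hit)
            return False
    return True

def select_peers(peers: List[str], rules: List[Directive],
                 tx: Transaction) -> List[str]:
    """Return the peers that remain selectable for tx after cache_peer_access."""
    verdict: Dict[str, str] = {}       # first matching action per peer
    last_action: Dict[str, str] = {}   # action of the peer's last directive
    for peer, action, names in rules:
        last_action[peer] = action
        if peer in verdict:            # the first match for this peer already won
            continue
        if acl_list_matches(names, tx):
            verdict[peer] = action
    kept = []
    for peer in peers:
        if peer in verdict:
            allowed = verdict[peer] == "allow"
        elif peer in last_action:      # rules exist but none matched
            allowed = last_action[peer] == "deny"
        else:
            allowed = True             # no cache_peer_access lines for this peer
        if allowed:
            kept.append(peer)
    return kept

PEERS = ["secure-parent", "cheap-parent"]   # constructed cache_peer name= values
RULES: List[Directive] = [                  # grouped per peer, as recommended above
    ("secure-parent", "allow", ["to_bank"]),             # ... allow to_bank
    ("secure-parent", "deny", ["all"]),                  # ... deny all
    ("cheap-parent", "deny", ["to_bank"]),               # ... deny to_bank
    ("cheap-parent", "allow", ["localnet", "!CONNECT"]), # ... allow localnet !CONNECT
]

if __name__ == "__main__":
    tx = {"src": "10.0.0.5", "dstdomain": "www.bank.example", "method": "GET"}
    print(select_peers(PEERS, RULES, tx))   # ['secure-parent']
```

Swapping the two secure-parent lines makes "deny all" win first for every transaction, which is the ordering trap the text warns about; reordering lines of different peers changes nothing.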
3304
3305# TAG: neighbor_type_domain
3306# Modify the cache_peer neighbor type when passing requests
3307# about specific domains to the peer.
3308#
3309# Usage:
3310# neighbor_type_domain neighbor parent|sibling domain domain ...
3311#
3312# For example:
3313# cache_peer foo.example.com parent 3128 3130
3314# neighbor_type_domain foo.example.com sibling .au .de
3315#
3316# The above configuration treats all requests to foo.example.com as a
3317# parent proxy unless the request is for a .au or .de ccTLD domain name.
3318#Default:
3319# The peer type from cache_peer directive is used for all requests to that peer.
3320
3321# TAG: dead_peer_timeout (seconds)
3322# This controls how long Squid waits to declare a peer cache
3323# as "dead." If there are no ICP replies received in this
3324# amount of time, Squid will declare the peer dead and not
3325# expect to receive any further ICP replies. However, it
3326# continues to send ICP queries, and will mark the peer as
3327# alive upon receipt of the first subsequent ICP reply.
3328#
3329# This timeout also affects when Squid expects to receive ICP
3330# replies from peers. If more than 'dead_peer' seconds have
3331# passed since the last ICP reply was received, Squid will not
3332# expect to receive an ICP reply on the next query. Thus, if
3333# your time between requests is greater than this timeout, you
3334# will see a lot of requests sent DIRECT to origin servers
3335# instead of to your parents.
3336#Default:
3337# dead_peer_timeout 10 seconds
3338
3339# TAG: forward_max_tries
3340# Limits the number of attempts to forward the request.
3341#
3342# For the purpose of this limit, Squid counts all high-level request
3343# forwarding attempts, including any same-destination retries after
3344# certain persistent connection failures and any attempts to use a
3345# different peer. However, low-level connection reopening attempts
3346# (enabled using connect_retries) are not counted.
3347#
3348# See also: forward_timeout and connect_retries.
3349#Default:
3350# forward_max_tries 25
3351
3352# MEMORY CACHE OPTIONS
3353# -----------------------------------------------------------------------------
3354
3355# TAG: cache_mem (bytes)
3356# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
3357# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
3358# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
3359# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
3360#
3361# 'cache_mem' specifies the ideal amount of memory to be used
3362# for:
3363# * In-Transit objects
3364# * Hot Objects
3365# * Negative-Cached objects
3366#
3367# Data for these objects are stored in 4 KB blocks. This
3368# parameter specifies the ideal upper limit on the total size of
3369# 4 KB blocks allocated. In-Transit objects take the highest
3370# priority.
3371#
3372# In-transit objects have priority over the others. When
3373# additional space is needed for incoming data, negative-cached
3374# and hot objects will be released. In other words, the
3375# negative-cached and hot objects will fill up any unused space
3376# not needed for in-transit objects.
3377#
3378# If circumstances require, this limit will be exceeded.
3379# Specifically, if your incoming request rate requires more than
3380# 'cache_mem' of memory to hold in-transit objects, Squid will
3381# exceed this limit to satisfy the new requests. When the load
3382# decreases, blocks will be freed until the high-water mark is
3383# reached. Thereafter, blocks will be used to store hot
3384# objects.
3385#
3386# If shared memory caching is enabled, Squid does not use the shared
3387# cache space for in-transit objects, but they still consume as much
3388# local memory as they need. For more details about the shared memory
3389# cache, see memory_cache_shared.
3390#Default:
3391cache_mem 256 MB
3392
3393# TAG: maximum_object_size_in_memory (bytes)
3394# Objects greater than this size will not be kept in
3395# the memory cache. This should be set high enough to keep objects
3396# accessed frequently in memory to improve performance whilst low
3397# enough to keep larger objects from hoarding cache_mem.
3398#Default:
3399# maximum_object_size_in_memory 512 KB
3400
3401# TAG: memory_cache_shared on|off
3402# Controls whether the memory cache is shared among SMP workers.
3403#
3404# The shared memory cache is meant to occupy cache_mem bytes and replace
3405# the non-shared memory cache, although some entities may still be
3406# cached locally by workers for now (e.g., internal and in-transit
3407# objects may be served from a local memory cache even if shared memory
3408# caching is enabled).
3409#
3410# By default, the memory cache is shared if and only if all of the
3411# following conditions are satisfied: Squid runs in SMP mode with
3412# multiple workers, cache_mem is positive, and Squid environment
3413# supports required IPC primitives (e.g., POSIX shared memory segments
3414# and GCC-style atomic operations).
3415#
3416# To avoid blocking locks, shared memory uses opportunistic algorithms
3417# that do not guarantee that every cachable entity that could have been
3418# shared among SMP workers will actually be shared.
3419#Default:
3420# "on" where supported if doing memory caching with multiple SMP workers.
3421
3422# TAG: memory_cache_mode
3423# Controls which objects to keep in the memory cache (cache_mem)
3424#
3425# always Keep most recently fetched objects in memory (default)
3426#
3427# disk Only disk cache hits are kept in memory, which means
3428# an object must first be cached on disk and then hit
3429# a second time before cached in memory.
3430#
3431# network Only objects fetched from the network are kept in memory
3432#Default:
3433# Keep the most recently fetched objects in memory
3434
3435# TAG: memory_replacement_policy
3436# The memory replacement policy parameter determines which
3437# objects are purged from memory when memory space is needed.
3438#
3439# See cache_replacement_policy for details on algorithms.
3440#Default:
3441# memory_replacement_policy lru
3442
3443# DISK CACHE OPTIONS
3444# -----------------------------------------------------------------------------
3445
3446# TAG: cache_replacement_policy
3447# The cache replacement policy parameter determines which
3448# objects are evicted (replaced) when disk space is needed.
3449#
3450# lru : Squid's original list based LRU policy
3451# heap GDSF : Greedy-Dual Size Frequency
3452# heap LFUDA: Least Frequently Used with Dynamic Aging
3453# heap LRU : LRU policy implemented using a heap
3454#
3455# Applies to any cache_dir lines listed below this directive.
3456#
3457# The LRU policies keep recently referenced objects.
3458#
3459# The heap GDSF policy optimizes object hit rate by keeping smaller
3460# popular objects in cache so it has a better chance of getting a
3461# hit. It achieves a lower byte hit rate than LFUDA though since
3462# it evicts larger (possibly popular) objects.
3463#
3464# The heap LFUDA policy keeps popular objects in cache regardless of
3465# their size and thus optimizes byte hit rate at the expense of
3466# hit rate since one large, popular object will prevent many
3467# smaller, slightly less popular objects from being cached.
3468#
3469# Both policies utilize a dynamic aging mechanism that prevents
3470# cache pollution that can otherwise occur with frequency-based
3471# replacement policies.
3472#
3473# NOTE: if using the LFUDA replacement policy you should increase
3474# the value of maximum_object_size above its default of 4 MB to
3475# maximize the potential byte hit rate improvement of LFUDA.
3476#
3477# For more information about the GDSF and LFUDA cache replacement
3478# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
3479# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
3480#Default:
3481# cache_replacement_policy lru
3482
3483# TAG: minimum_object_size (bytes)
3484# Objects smaller than this size will NOT be saved on disk. The
3485# value is specified in bytes, and the default is 0 KB, which
3486# means all responses can be stored.
3487#Default:
3488# no limit
3489#-----------------minimum_object_size 0 KB
3490
3491# TAG: maximum_object_size (bytes)
3492# Set the default value for max-size parameter on any cache_dir.
3493# The value is specified in bytes, and the default is 4 MB.
3494#
3495# If you wish to get a high BYTES hit ratio, you should probably
3496# increase this (one 32 MB object hit counts for 3200 10KB
3497# hits).
3498#
3499# If you wish to increase hit ratio more than you want to
3500# save bandwidth you should leave this low.
3501#
3502# NOTE: if using the LFUDA replacement policy you should increase
3503# this value to maximize the byte hit rate improvement of LFUDA!
3504# See cache_replacement_policy for a discussion of this policy.
3505#Default:
3506# maximum_object_size 4 MB
3507#------------------maximum_object_size 120 MB
3508
3509# TAG: cache_dir
3510# Format:
3511# cache_dir Type Directory-Name Fs-specific-data [options]
3512#
3513# You can specify multiple cache_dir lines to spread the
3514# cache among different disk partitions.
3515#
3516# Type specifies the kind of storage system to use. Only "ufs"
3517# is built by default. To enable any of the other storage systems
3518# see the --enable-storeio configure option.
3519#
3520# 'Directory' is a top-level directory where cache swap
3521# files will be stored. If you want to use an entire disk
3522# for caching, this can be the mount-point directory.
3523# The directory must exist and be writable by the Squid
3524# process. Squid will NOT create this directory for you.
3525#
3526# In SMP configurations, cache_dir must not precede the workers option
3527# and should use configuration macros or conditionals to give each
3528# worker interested in disk caching a dedicated cache directory.
3529#
3530#
3531# ==== The ufs store type ====
3532#
3533# "ufs" is the old well-known Squid storage format that has always
3534# been there.
3535#
3536# Usage:
3537# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
3538#
3539# 'Mbytes' is the amount of disk space (MB) to use under this
3540# directory. The default is 100 MB. Change this to suit your
3541# configuration. Do NOT put the size of your disk drive here.
3542# Instead, if you want Squid to use the entire disk drive,
3543# subtract 20% and use that value.
3544#
3545# 'L1' is the number of first-level subdirectories which
3546# will be created under the 'Directory'. The default is 16.
3547#
3548# 'L2' is the number of second-level subdirectories which
3549# will be created under each first-level directory. The default
3550# is 256.
3551#
3552#
3553# ==== The aufs store type ====
3554#
3555# "aufs" uses the same storage format as "ufs", utilizing
3556# POSIX-threads to avoid blocking the main Squid process on
3557# disk-I/O. This was formerly known in Squid as async-io.
3558#
3559# Usage:
3560# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
3561#
3562# see argument descriptions under ufs above
3563#
3564#
3565# ==== The diskd store type ====
3566#
3567# "diskd" uses the same storage format as "ufs", utilizing a
3568# separate process to avoid blocking the main Squid process on
3569# disk-I/O.
3570#
3571# Usage:
3572# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
3573#
3574# see argument descriptions under ufs above
3575#
3576# Q1 specifies the number of unacknowledged I/O requests when Squid
3577# stops opening new files. If this many messages are in the queues,
3578# Squid won't open new files. Default is 64
3579#
3580# Q2 specifies the number of unacknowledged messages when Squid
3581# starts blocking. If this many messages are in the queues,
3582# Squid blocks until it receives some replies. Default is 72
3583#
3584# When Q1 < Q2 (the default), the cache directory is optimized
3585# for lower response time at the expense of a decrease in hit
3586# ratio. If Q1 > Q2, the cache directory is optimized for
3587# higher hit ratio at the expense of an increase in response
3588# time.
3589#
3590#
3591# ==== The rock store type ====
3592#
3593# Usage:
3594# cache_dir rock Directory-Name Mbytes [options]
3595#
3596# The Rock Store type is a database-style storage. All cached
3597# entries are stored in a "database" file, using fixed-size slots.
3598# A single entry occupies one or more slots.
3599#
3600# If possible, Squid using Rock Store creates a dedicated kid
3601# process called "disker" to avoid blocking Squid worker(s) on disk
3602# I/O. One disker kid is created for each rock cache_dir. Diskers
3603# are created only when Squid, running in daemon mode, has support
3604# for the IpcIo disk I/O module.
3605#
3606# swap-timeout=msec: Squid will not start writing a miss to or
3607# reading a hit from disk if it estimates that the swap operation
3608# will take more than the specified number of milliseconds. By
3609# default and when set to zero, disables the disk I/O time limit
3610# enforcement. Ignored when using blocking I/O module because
3611# blocking synchronous I/O does not allow Squid to estimate the
3612# expected swap wait time.
3613#
3614# max-swap-rate=swaps/sec: Artificially limits disk access using
3615# the specified I/O rate limit. Swap out requests that
3616# would cause the average I/O rate to exceed the limit are
3617# delayed. Individual swap in requests (i.e., hits or reads) are
3618# not delayed, but they do contribute to measured swap rate and
3619# since they are placed in the same FIFO queue as swap out
3620# requests, they may wait longer if max-swap-rate is smaller.
3621# This is necessary on file systems that buffer "too
3622# many" writes and then start blocking Squid and other processes
3623# while committing those writes to disk. Usually used together
3624# with swap-timeout to avoid excessive delays and queue overflows
3625# when disk demand exceeds available disk "bandwidth". By default
3626# and when set to zero, disables the disk I/O rate limit
3627# enforcement. Currently supported by IpcIo module only.
3628#
3629# slot-size=bytes: The size of a database "record" used for
3630# storing cached responses. A cached response occupies at least
3631# one slot and all database I/O is done using individual slots so
3632# increasing this parameter leads to more disk space waste while
3633# decreasing it leads to more disk I/O overheads. Should be a
3634# multiple of your operating system I/O page size. Defaults to
3635# 16KBytes. A housekeeping header is stored with each slot and
3636# smaller slot-sizes will be rejected. The header is smaller than
3637# 100 bytes.
3638#
3639#
3640# ==== COMMON OPTIONS ====
3641#
3642# no-store no new objects should be stored to this cache_dir.
3643#
3644# min-size=n the minimum object size in bytes this cache_dir
3645# will accept. It's used to restrict a cache_dir
3646# to only store large objects (e.g. AUFS) while
3647# other stores are optimized for smaller objects
3648# (e.g. Rock).
3649# Defaults to 0.
3650#
3651# max-size=n the maximum object size in bytes this cache_dir
3652# supports.
3653# The value in maximum_object_size directive sets
3654# the default unless more specific details are
3655# available (ie a small store capacity).
3656#
3657# Note: To make optimal use of the max-size limits you should order
3658# the cache_dir lines with the smallest max-size value first.
3659#
3660#Default:
3661# No disk cache. Store cache objects only in memory.
3662#
3663
3664# Uncomment and adjust the following to add a disk cache directory.
3665# -------------------------- cache_dir ufs /var/spool/squid 3000 16 256
3666
3667# TAG: store_dir_select_algorithm
3668# How Squid selects which cache_dir to use when the response
3669# object will fit into more than one.
3670#
3671# Regardless of which algorithm is used the cache_dir min-size
3672# and max-size parameters are obeyed. As such they can affect
3673# the selection algorithm by limiting the set of considered
3674# cache_dir.
3675#
3676# Algorithms:
3677#
3678# least-load
3679#
3680# This algorithm is suited to caches with similar cache_dir
3681# sizes and disk speeds.
3682#
3683# The disk with the least I/O pending is selected.
3684# When there are multiple disks with the same I/O load ranking
3685# the cache_dir with most available capacity is selected.
3686#
3687# When a mix of cache_dir sizes are configured the faster disks
3688# have a naturally lower I/O loading and larger disks have more
3689# capacity. So space used to store objects and data throughput
3690# may be very unbalanced towards larger disks.
3691#
3692#
3693# round-robin
3694#
3695# This algorithm is suited to caches with unequal cache_dir
3696# disk sizes.
3697#
3698# Each cache_dir is selected in a rotation. The next suitable
3699# cache_dir is used.
3700#
3701# Available cache_dir capacity is only considered in relation
3702# to whether the object will fit and meets the min-size and
3703# max-size parameters.
3704#
3705# Disk I/O loading is only considered to prevent overload on slow
3706# disks. This algorithm does not spread objects by size, so any
3707# I/O loading per-disk may appear very unbalanced and volatile.
3708#
3709# If several cache_dirs use similar min-size, max-size, or other
3710# limits to reject certain responses, then do not group such
3711# cache_dir lines together, to avoid round-robin selection bias
3712# towards the first cache_dir after the group. Instead, interleave
3713# cache_dir lines from different groups. For example:
3714#
3715# store_dir_select_algorithm round-robin
3716# cache_dir rock /hdd1 ... min-size=100000
3717# cache_dir rock /ssd1 ... max-size=99999
3718# cache_dir rock /hdd2 ... min-size=100000
3719# cache_dir rock /ssd2 ... max-size=99999
3720# cache_dir rock /hdd3 ... min-size=100000
3721# cache_dir rock /ssd3 ... max-size=99999
3722#Default:
3723# store_dir_select_algorithm least-load
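# The round-robin selection bias described above, as an added example that is not Squid's code: a simplified Python model of rotating selection (a pointer walks the cache_dir list, the next cache_dir whose min-size/max-size range admits the object is used, disk load is ignored), with constructed cache_dir names, size limits and workload, comparing grouped against interleaved cache_dir lines.

```python
"""Round-robin cache_dir selection bias from grouped min-size/max-size lines.

Added example, not Squid's code. Simplified model of the round-robin
algorithm described above: a cursor rotates through the cache_dir list,
the next cache_dir whose min-size/max-size range admits the object is
used, and the cursor moves past it. Disk I/O load is ignored here.
Names, size limits and the workload are constructed.
"""
from collections import Counter
from typing import List, Optional, Tuple

CacheDir = Tuple[str, int, int]   # (name, min-size, max-size) in bytes
NO_MAX = 1 << 40                  # stands in for an unlimited max-size

class RoundRobin:
    def __init__(self, dirs: List[CacheDir]) -> None:
        self.dirs = dirs
        self.cursor = 0           # index where the next search starts

    def select(self, size: int) -> Optional[str]:
        """Pick the next suitable cache_dir for an object of this size."""
        n = len(self.dirs)
        for step in range(n):
            i = (self.cursor + step) % n
            name, lo, hi = self.dirs[i]
            if lo <= size <= hi:
                self.cursor = (i + 1) % n
                return name
        return None               # no cache_dir accepts an object of this size

def distribute(dirs: List[CacheDir], sizes: List[int]) -> Counter:
    """Count how many objects each cache_dir receives for a workload."""
    rr = RoundRobin(dirs)
    return Counter(rr.select(s) for s in sizes)

# Grouped: three large-object lines followed by three small-object lines.
GROUPED: List[CacheDir] = [
    ("hdd1", 100000, NO_MAX), ("hdd2", 100000, NO_MAX), ("hdd3", 100000, NO_MAX),
    ("ssd1", 0, 99999), ("ssd2", 0, 99999), ("ssd3", 0, 99999),
]
# Interleaved, as the documentation recommends.
INTERLEAVED: List[CacheDir] = [
    GROUPED[0], GROUPED[3], GROUPED[1], GROUPED[4], GROUPED[2], GROUPED[5],
]
# Constructed workload: large and small responses arriving alternately.
WORKLOAD = [500000, 4096] * 300

if __name__ == "__main__":
    for label, dirs in (("grouped", GROUPED), ("interleaved", INTERLEAVED)):
        print(label, dict(distribute(dirs, WORKLOAD)))
```

With the grouped layout every large object lands on hdd1 and every small one on ssd1 (the first cache_dir after each group); the interleaved layout spreads them evenly.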
3724
3725# TAG: max_open_disk_fds
3726# To avoid having disk as the I/O bottleneck Squid can optionally
3727# bypass the on-disk cache if more than this amount of disk file
3728# descriptors are open.
3729#
3730# A value of 0 indicates no limit.
3731#Default:
3732# no limit
3733
3734# TAG: cache_swap_low (percent, 0-100)
3735# The low-water mark for AUFS/UFS/diskd cache object eviction by
3736# the cache_replacement_policy algorithm.
3737#
3738# Removal begins when the swap (disk) usage of a cache_dir is
3739# above this low-water mark and attempts to maintain utilization
3740# near the low-water mark.
3741#
3742# As swap utilization increases towards the high-water mark set
3743# by cache_swap_high, object eviction becomes more aggressive.
3744#
3745# The value difference in percentages between low- and high-water
3746# marks represents an eviction rate of 300 objects per second, and
3747# the rate continues to scale in aggressiveness by multiples of
3748# this above the high-water mark.
3749#
3750# Defaults are 90% and 95%. If you have a large cache, 5% could be
3751# hundreds of MB. If this is the case you may wish to set these
3752# numbers closer together.
3753#
3754# See also cache_swap_high and cache_replacement_policy
3755#Default:
3756# cache_swap_low 90
3757
3758# TAG: cache_swap_high (percent, 0-100)
3759# The high-water mark for AUFS/UFS/diskd cache object eviction by
3760# the cache_replacement_policy algorithm.
3761#
3762# Removal begins when the swap (disk) usage of a cache_dir is
3763# above the low-water mark set by cache_swap_low and attempts to
3764# maintain utilization near the low-water mark.
3765#
3766# As swap utilization increases towards this high-water mark, object
3767# eviction becomes more aggressive.
3768#
3769# The value difference in percentages between low- and high-water
3770# marks represents an eviction rate of 300 objects per second, and
3771# the rate continues to scale in aggressiveness by multiples of
3772# this above the high-water mark.
3773#
3774# Defaults are 90% and 95%. If you have a large cache, 5% could be
3775# hundreds of MB. If this is the case you may wish to set these
3776# numbers closer together.
3777#
3778# See also cache_swap_low and cache_replacement_policy
3779#Default:
3780# cache_swap_high 95
3781
3782# LOGFILE OPTIONS
3783# -----------------------------------------------------------------------------
3784
3785# TAG: logformat
3786# Usage:
3787#
3788# logformat <name> <format specification>
3789#
3790# Defines an access log format.
3791#
3792# The <format specification> is a string with embedded % format codes
3793#
3794# % format codes all follow the same basic structure where all
3795# components but the formatcode are optional and usually unnecessary,
3796# especially when dealing with common codes.
3797#
3798# % [encoding] [-] [[0]width] [{arg}] formatcode [{arg}]
3799#
3800# encoding escapes or otherwise protects "special" characters:
3801#
3802# " Quoted string encoding where quote(") and
3803# backslash(\) characters are \-escaped while
3804# CR, LF, and TAB characters are encoded as \r,
3805# \n, and \t two-character sequences.
3806#
3807# [ Custom Squid encoding where percent(%), square
3808# brackets([]), backslash(\) and characters with
3809# codes outside of [32,126] range are %-encoded.
3810# SP is not encoded. Used by log_mime_hdrs.
3811#
3812# # URL encoding (a.k.a. percent-encoding) where
3813# all URL unsafe and control characters (per RFC
3814# 1738) are %-encoded.
3815#
3816# / Shell-like encoding where quote(") and
3817# backslash(\) characters are \-escaped while CR
3818# and LF characters are encoded as \r and \n
3819# two-character sequences. Values containing SP
3820# character(s) are surrounded by quotes(").
3821#
3822# ' Raw/as-is encoding with no escaping/quoting.
3823#
3824# Default encoding: When no explicit encoding is
3825# specified, each %code determines its own encoding.
3826# Most %codes use raw/as-is encoding, but some codes use
3827# a so called "pass-through URL encoding" where all URL
3828# unsafe and control characters (per RFC 1738) are
3829# %-encoded, but the percent character(%) is left as is.
3830#
3831# - left aligned
3832#
3833# width minimum and/or maximum field width:
3834# [width_min][.width_max]
3835# When minimum starts with 0, the field is zero-padded.
3836# String values exceeding maximum width are truncated.
3837#
3838# {arg} argument such as header name etc. This field may be
3839# placed before or after the token, but not both at once.
3840#
3841# Format codes:
3842#
3843# % a literal % character
3844# sn Unique sequence number per log line entry
3845# err_code The ID of an error response served by Squid or
3846# a similar internal error identifier.
3847# err_detail Additional err_code-dependent error information.
3848# note The annotation specified by the argument. Also
3849# logs the adaptation meta headers set by the
3850# adaptation_meta configuration parameter.
3851# If no argument given all annotations logged.
3852# The argument may include a separator to use with
3853# annotation values:
3854# name[:separator]
3855# By default, multiple note values are separated with ","
3856# and multiple notes are separated with "\r\n".
3857# When logging named notes with %{name}note, the
3858# explicitly configured separator is used between note
3859# values. When logging all notes with %note, the
3860# explicitly configured separator is used between
3861# individual notes. There is currently no way to
3862# specify both value and notes separators when logging
3863# all notes with %note.
3864#
3865# Connection related format codes:
3866#
3867# >a Client source IP address
3868# >A Client FQDN
3869# >p Client source port
3870# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
3871# >la Local IP address the client connected to
3872# >lp Local port number the client connected to
3873# >qos Client connection TOS/DSCP value set by Squid
3874# >nfmark Client connection netfilter mark set by Squid
3875#
3876# la Local listening IP address the client connection was connected to.
3877# lp Local listening port number the client connection was connected to.
3878#
3879# <a Server IP address of the last server or peer connection
3880# <A Server FQDN or peer name
3881# <p Server port number of the last server or peer connection
3882# <la Local IP address of the last server or peer connection
3883# <lp Local port number of the last server or peer connection
3884# <qos Server connection TOS/DSCP value set by Squid
3885# <nfmark Server connection netfilter mark set by Squid
3886#
3887# >handshake Raw client handshake
3888# Initial client bytes received by Squid on a newly
3889# accepted TCP connection or inside a just established
3890# CONNECT tunnel. Squid stops accumulating handshake
3891# bytes as soon as the handshake parser succeeds or
3892# fails (determining whether the client is using the
3893# expected protocol).
3894#
3895# For HTTP clients, the handshake is the request line.
3896# For TLS clients, the handshake consists of all TLS
3897# records up to and including the TLS record that
3898# contains the last byte of the first ClientHello
3899# message. For clients using an unsupported protocol,
3900# this field contains the bytes received by Squid at the
3901# time of the handshake parsing failure.
3902#
3903# See the on_unsupported_protocol directive for more
3904# information on Squid handshake traffic expectations.
3905#
3906# Current support is limited to these contexts:
3907# - http_port connections, but only when the
3908# on_unsupported_protocol directive is in use.
3909# - https_port connections (and CONNECT tunnels) that
3910# are subject to the ssl_bump peek or stare action.
3911#
3912# To protect binary handshake data, this field is always
3913# base64-encoded (RFC 4648 Section 4). If logformat
3914# field encoding is configured, that encoding is applied
3915# on top of base64. Otherwise, the computed base64 value
3916# is recorded as is.
3917#
3918# Time related format codes:
3919#
3920# ts Seconds since epoch
3921# tu subsecond time (milliseconds)
3922# tl Local time. Optional strftime format argument
3923# default %d/%b/%Y:%H:%M:%S %z
3924# tg GMT time. Optional strftime format argument
3925# default %d/%b/%Y:%H:%M:%S %z
3926# tr Response time (milliseconds)
3927# dt Total time spent making DNS lookups (milliseconds)
3928# tS Approximate master transaction start time in
3929# <full seconds since epoch>.<fractional seconds> format.
3930# Currently, Squid considers the master transaction
3931# started when a complete HTTP request header initiating
3932# the transaction is received from the client. This is
3933# the same value that Squid uses to calculate transaction
3934# response time when logging %tr to access.log. Currently,
3935# Squid uses millisecond resolution for %tS values,
3936# similar to the default access.log "current time" field
3937# (%ts.%03tu).
3938#
3939# Access Control related format codes:
3940#
3941# et Tag returned by external acl
3942# ea Log string returned by external acl
3943# un User name (any available)
3944# ul User name from authentication
3945# ue User name from external acl helper
3946# ui User name from ident
3947# un A user name. Expands to the first available name
3948# from the following list of information sources:
3949# - authenticated user name, like %ul
3950# - user name supplied by an external ACL, like %ue
3951# - SSL client name, like %us
3952# - ident user name, like %ui
3953# credentials Client credentials. The exact meaning depends on
3954# the authentication scheme: For Basic authentication,
3955# it is the password; for Digest, the realm sent by the
3956# client; for NTLM and Negotiate, the client challenge
3957# or client credentials prefixed with "YR " or "KK ".
3958#
3959# HTTP related format codes:
3960#
3961# REQUEST
3962#
3963# [http::]rm Request method (GET/POST etc)
3964# [http::]>rm Request method from client
3965# [http::]<rm Request method sent to server or peer
3966#
3967# [http::]ru Request URL received (or computed) and sanitized
3968#
3969# Logs request URI received from the client, a
3970# request adaptation service, or a request
3971# redirector (whichever was applied last).
3972#
3973# Computed URLs are URIs of internally generated
3974# requests and various "error:..." URIs.
3975#
3976# Honors strip_query_terms and uri_whitespace.
3977#
3978# This field is not encoded by default. Encoding
3979# this field using variants of %-encoding will
3980# clash with uri_whitespace modifications that
3981# also use %-encoding.
3982#
3983# [http::]>ru Request URL received from the client (or computed)
3984#
3985# Computed URLs are URIs of internally generated
3986# requests and various "error:..." URIs.
3987#
3988# Unlike %ru, this request URI is not affected
3989# by request adaptation, URL rewriting services,
3990# and strip_query_terms.
3991#
3992# Honors uri_whitespace.
3993#
3994# This field is using pass-through URL encoding
3995# by default. Encoding this field using other
3996# variants of %-encoding will clash with
3997# uri_whitespace modifications that also use
3998# %-encoding.
3999#
4000# [http::]<ru Request URL sent to server or peer
4001# [http::]>rs Request URL scheme from client
4002# [http::]<rs Request URL scheme sent to server or peer
4003# [http::]>rd Request URL domain from client
4004# [http::]<rd Request URL domain sent to server or peer
4005# [http::]>rP Request URL port from client
4006# [http::]<rP Request URL port sent to server or peer
4007# [http::]rp Request URL path excluding hostname
4008# [http::]>rp Request URL path excluding hostname from client
4009# [http::]<rp Request URL path excluding hostname sent to server or peer
4010# [http::]rv Request protocol version
4011# [http::]>rv Request protocol version from client
4012# [http::]<rv Request protocol version sent to server or peer
4013#
4014# [http::]>h Original received request header.
4015# Usually differs from the request header sent by
4016# Squid, although most fields are often preserved.
4017# Accepts optional header field name/value filter
4018# argument using name[:[separator]element] format.
4019# [http::]>ha Received request header after adaptation and
4020# redirection (pre-cache REQMOD vectoring point).
4021# Usually differs from the request header sent by
4022# Squid, although most fields are often preserved.
4023# Optional header name argument as for >h
4024#
4025# RESPONSE
4026#
4027# [http::]<Hs HTTP status code received from the next hop
4028# [http::]>Hs HTTP status code sent to the client
4029#
4030# [http::]<h Reply header. Optional header name argument
4031# as for >h
4032#
4033# [http::]mt MIME content type
4034#
4035#
4036# SIZE COUNTERS
4037#
4038# [http::]st Total size of request + reply traffic with client
4039# [http::]>st Total size of request received from client,
4040# excluding chunked encoding bytes.
4041# [http::]<st Total size of reply sent to client (after adaptation)
4042#
4043# [http::]>sh Size of request headers received from client
4044# [http::]<sh Size of reply headers sent to client (after adaptation)
4045#
4046# [http::]<sH Reply high offset sent
4047# [http::]<sS Upstream object size
4048#
4049# [http::]<bs Number of HTTP-equivalent message body bytes
4050# received from the next hop, excluding chunked
4051# transfer encoding and control messages.
4052# Generated FTP/Gopher listings are treated as
4053# received bodies.
4054#
4055# TIMING
4056#
4057# [http::]<pt Peer response time in milliseconds. The timer starts
4058# when the last request byte is sent to the next hop
4059# and stops when the last response byte is received.
4060# [http::]<tt Total time in milliseconds. The timer
4061# starts with the first connect request (or write I/O)
4062# sent to the first selected peer. The timer stops
4063# with the last I/O with the last peer.
4064#
4065# Squid handling related format codes:
4066#
4067# Ss Squid request status (TCP_MISS etc)
4068# Sh Squid hierarchy status (DEFAULT_PARENT etc)
4069#
4070# SSL-related format codes:
4071#
4072# ssl::bump_mode SslBump decision for the transaction:
4073#
4074# For CONNECT requests that initiated bumping of
4075# a connection and for any request received on
4076# an already bumped connection, Squid logs the
4077# corresponding SslBump mode ("splice", "bump",
4078# "peek", "stare", "terminate", "server-first"
4079# or "client-first"). See the ssl_bump option
4080# for more information about these modes.
4081#
4082# A "none" token is logged for requests that
4083# triggered "ssl_bump" ACL evaluation matching
4084# a "none" rule.
4085#
4086# In all other cases, a single dash ("-") is
4087# logged.
4088#
4089# ssl::>sni SSL client SNI sent to Squid.
4090#
4091# ssl::>cert_subject
4092# The Subject field of the received client
4093# SSL certificate or a dash ('-') if Squid has
4094# received an invalid/malformed certificate or
4095# no certificate at all. Consider encoding the
4096# logged value because Subject often has spaces.
4097#
4098# ssl::>cert_issuer
4099# The Issuer field of the received client
4100# SSL certificate or a dash ('-') if Squid has
4101# received an invalid/malformed certificate or
4102# no certificate at all. Consider encoding the
4103# logged value because Issuer often has spaces.
4104#
4105# ssl::<cert_subject
4106# The Subject field of the received server
4107# TLS certificate or a dash ('-') if this is
4108# not available. Consider encoding the logged
4109# value because Subject often has spaces.
4110#
4111# ssl::<cert_issuer
4112# The Issuer field of the received server
4113# TLS certificate or a dash ('-') if this is
4114# not available. Consider encoding the logged
4115# value because Issuer often has spaces.
4116#
4117# ssl::<cert_errors
4118# The list of certificate validation errors
4119# detected by Squid (including OpenSSL and
4120# certificate validation helper components). The
4121# errors are listed in the discovery order. By
4122# default, the error codes are separated by ':'.
4123# Accepts an optional separator argument.
4124#
4125# %ssl::>negotiated_version The negotiated TLS version of the
4126# client connection.
4127#
4128# %ssl::<negotiated_version The negotiated TLS version of the
4129# last server or peer connection.
4130#
4131# %ssl::>received_hello_version The TLS version of the Hello
4132# message received from TLS client.
4133#
4134# %ssl::<received_hello_version The TLS version of the Hello
4135# message received from TLS server.
4136#
4137# %ssl::>received_supported_version The maximum TLS version
4138# supported by the TLS client.
4139#
4140# %ssl::<received_supported_version The maximum TLS version
4141# supported by the TLS server.
4142#
4143# %ssl::>negotiated_cipher The negotiated cipher of the
4144# client connection.
4145#
4146# %ssl::<negotiated_cipher The negotiated cipher of the
4147# last server or peer connection.
4148#
4149# If ICAP is enabled, the following code becomes available (as
4150# well as ICAP log codes documented with the icap_log option):
4151#
4152# icap::tt Total ICAP processing time for the HTTP
4153# transaction. The timer ticks when ICAP
4154# ACLs are checked and when an ICAP
4155# transaction is in progress.
4156#
4157# If adaptation is enabled the following codes become available:
4158#
4159# adapt::<last_h The header of the last ICAP response or
4160# meta-information from the last eCAP
4161# transaction related to the HTTP transaction.
4162# Like <h, accepts an optional header name
4163# argument.
4164#
4165# adapt::sum_trs Summed adaptation transaction response
4166# times recorded as a comma-separated list in
4167# the order of transaction start time. Each time
4168# value is recorded as an integer number,
4169# representing response time of one or more
4170# adaptation (ICAP or eCAP) transactions in
4171# milliseconds. When a failed transaction is
4172# being retried or repeated, its time is not
4173# logged individually but added to the
4174# replacement (next) transaction. See also:
4175# adapt::all_trs.
4176#
4177# adapt::all_trs All adaptation transaction response times.
4178# Same as adapt::sum_trs but response times of
4179# individual transactions are never added
4180# together. Instead, all transaction response
4181# times are recorded individually.
4182#
4183# You can prefix adapt::*_trs format codes with adaptation
4184# service name in curly braces to record response time(s) specific
4185# to that service. For example: %{my_service}adapt::sum_trs
4186#
4187# The default formats available (which do not need re-defining) are:
4188#
4189#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
4190#logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
4191#logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
4192#logformat referrer %ts.%03tu %>a %{Referer}>h %ru
4193#logformat useragent %>a [%tl] "%{User-Agent}>h"
4194#
4195# NOTE: When the log_mime_hdrs directive is set to ON,
4196# the squid, common and combined formats have a safely encoded copy
4197# of the mime headers appended to each line within a pair of brackets.
4198#
4199# NOTE: The common and combined formats are not quite true to the Apache definition.
4200# The logs from Squid contain an extra status and hierarchy code appended.
4201#
4202#Default:
4203# The format definitions squid, common, combined, referrer, useragent are built in.
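# Added example (not Squid code): a small parser that compiles a logformat
# specification such as the built-in "squid" format above into a regular
# expression, following the %code grammar described in this section, and then
# runs one detection over constructed sample lines: CONNECT tunnels to ports
# other than 443, which the access log exposes through %rm and %ru even though
# the tunnel payload is opaque to Squid. The sample log lines, IP addresses and
# the allowed-port list are constructed for the example. Fields that may contain
# whitespace (%tl, an unencoded User-Agent) are outside what this parser handles.

```python
"""Compile a Squid logformat specification into a regex and parse access.log.

Added example, not part of Squid. Assumes every logged field is free of
whitespace, which holds for the built-in 'squid' format under the default
'uri_whitespace strip' and 'strip_query_terms on'.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Built-in format, copied from the logformat documentation.
SQUID_FORMAT = "%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt"

# One %code: %[encoding][width][.precision][{argument}][namespace::][<|>]name
CODE_RE = re.compile(
    r'%(?P<enc>["\[#\']?)'        # optional encoding flag: " [ # '
    r'(?P<width>-?\d+)?'          # optional minimum width, e.g. %6tr, %03tu
    r'(?:\.(?P<prec>\d+))?'       # optional precision
    r'(?:\{(?P<arg>[^}]*)\})?'    # optional {argument}, e.g. %{Referer}>h
    r'(?P<ns>(?:\w+::)?)'         # optional namespace: http:: ssl:: icap:: adapt::
    r'(?P<dir>[<>]?)'             # optional direction: > from client, < from server
    r'(?P<name>\w+)'              # the code itself
)


def compile_logformat(spec: str) -> Tuple[re.Pattern, List[str]]:
    """Turn a logformat spec into a regex plus the field names it captures."""
    parts, names, pos = ['^'], [], 0
    while pos < len(spec):
        ch = spec[pos]
        if ch == '%':
            if spec.startswith('%%', pos):            # literal percent sign
                parts.append('%')
                pos += 2
                continue
            m = CODE_RE.match(spec, pos)
            if not m:
                raise ValueError(f"malformed %code at offset {pos}: {spec[pos:pos + 12]!r}")
            name = m.group('ns') + m.group('dir') + m.group('name')
            if m.group('arg') is not None:
                name = '{%s}%s' % (m.group('arg'), name)
            names.append(name)
            parts.append(r'(\S+?)')                   # one whitespace-free field
            pos = m.end()
        elif ch.isspace():                            # a run of spaces in the spec
            parts.append(r'\s+')                      # also absorbs %6tr padding
            while pos < len(spec) and spec[pos].isspace():
                pos += 1
        else:                                         # literal separator: . / " [ ] :
            parts.append(re.escape(ch))
            pos += 1
    parts.append('$')
    return re.compile(''.join(parts)), names


def parse_line(line: str, pattern: re.Pattern, names: List[str]) -> Optional[Dict[str, str]]:
    """One access.log line -> {code: value}, or None if it does not match."""
    m = pattern.match(line.rstrip('\n'))
    return dict(zip(names, m.groups())) if m else None


def parse_log(text: str, spec: str = SQUID_FORMAT) -> List[Dict[str, str]]:
    pattern, names = compile_logformat(spec)
    records = [parse_line(line, pattern, names) for line in text.splitlines()]
    return [rec for rec in records if rec is not None]


def connect_targets_off_port(records: List[Dict[str, str]], allowed_ports=(443,)) -> List[str]:
    """host:port of CONNECT tunnels to ports outside allowed_ports.

    CONNECT requests log the authority form (host:port) in %ru, so a tunnel to
    an unexpected port is visible even though Squid never sees the payload.
    """
    hits = []
    for rec in records:
        if rec.get('rm') != 'CONNECT':
            continue
        port = urlsplit('//' + rec['ru']).port       # '//' gives urlsplit a netloc
        if port not in allowed_ports:
            hits.append(rec['ru'])
    return hits


# Constructed sample lines in the built-in 'squid' format (not real traffic).
SAMPLE_LOG = """\
1604601600.123    245 10.0.0.5 TCP_MISS/200 5120 GET http://example.com/index.html - HIER_DIRECT/192.0.2.10 text/html
1604601601.456     12 10.0.0.5 TCP_TUNNEL/200 18320 CONNECT example.com:443 alice HIER_DIRECT/192.0.2.10 -
1604601602.789      0 10.0.0.7 TCP_DENIED/403 3800 CONNECT 203.0.113.9:4444 - HIER_NONE/- text/html
1604601603.001    980 10.0.0.7 TCP_TUNNEL/200 64000 CONNECT 203.0.113.9:8443 - HIER_DIRECT/203.0.113.9 -
"""

if __name__ == '__main__':
    for target in connect_targets_off_port(parse_log(SAMPLE_LOG)):
        print('CONNECT to unusual port:', target)
```

# The field names the compiler produces are the %codes with their namespace and
# direction kept (">a", "<st", "{Referer}>h"), so a record parsed from a custom
# logformat can be read by the same names used to define it.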
4204
4205# TAG: access_log
4206# Configures whether and how Squid logs HTTP and ICP transactions.
4207# If access logging is enabled, a single line is logged for every
4208# matching HTTP or ICP request. The recommended directive formats are:
4209#
4210# access_log <module>:<place> [option ...] [acl acl ...]
4211# access_log none [acl acl ...]
4212#
4213# The following directive format is accepted but may be deprecated:
4214# access_log <module>:<place> [<logformat name> [acl acl ...]]
4215#
4216# In most cases, the first ACL name must not contain the '=' character
4217# and should not be equal to an existing logformat name. You can always
4218# start with an 'all' ACL to work around those restrictions.
4219#
4220# Will log to the specified module:place using the specified format (which
4221# must be defined in a logformat directive) those entries which match
4222# ALL the acl's specified (which must be defined in acl clauses).
4223# If no acl is specified, all requests will be logged to this destination.
4224#
4225# ===== Available options for the recommended directive format =====
4226#
4227# logformat=name Names log line format (either built-in or
4228# defined by a logformat directive). Defaults
4229# to 'squid'.
4230#
4231# buffer-size=64KB Defines approximate buffering limit for log
4232# records (see buffered_logs). Squid should not
4233# keep more than the specified size and, hence,
4234# should flush records before the buffer becomes
4235# full to avoid overflows under normal
4236# conditions (the exact flushing algorithm is
4237# module-dependent though). The on-error option
4238# controls overflow handling.
4239#
4240# on-error=die|drop Defines action on unrecoverable errors. The
4241# 'drop' action ignores (i.e., does not log)
4242# affected log records. The default 'die' action
4243# kills the affected worker. The drop action
4244# support has not been tested for modules other
4245# than tcp.
4246#
4247# rotate=N Specifies the number of log file rotations to
4248# make when you run 'squid -k rotate'. The default
4249# is to obey the logfile_rotate directive. Setting
4250# rotate=0 will disable the file name rotation,
4251# but the log files are still closed and re-opened.
4252# This will enable you to rename the logfiles
4253# yourself just before sending the rotate signal.
4254# Only supported by the stdio module.
4255#
4256# ===== Modules Currently available =====
4257#
4258# none Do not log any requests matching these ACLs.
4259# Do not specify Place or logformat name.
4260#
4261# stdio Write each log line to disk immediately at the completion of
4262# each request.
4263# Place: the filename and path to be written.
4264#
4265# daemon Very similar to stdio, but instead of writing to disk the log
4266# line is passed to a daemon helper for asynchronous handling.
4267# Place: varies depending on the daemon.
4268#
4269# log_file_daemon Place: the file name and path to be written.
4270#
4271# syslog To log each request via syslog facility.
4272# Place: The syslog facility and priority level for these entries.
4273# Place Format: facility.priority
4274#
4275# where facility could be any of:
4276# authpriv, daemon, local0 ... local7 or user.
4277#
4278# And priority could be any of:
4279# err, warning, notice, info, debug.
4280#
4281# udp To send each log line as text data to a UDP receiver.
4282# Place: The destination host name or IP and port.
4283# Place Format: //host:port
4284#
4285# tcp To send each log line as text data to a TCP receiver.
4286# Lines may be accumulated before sending (see buffered_logs).
4287# Place: The destination host name or IP and port.
4288# Place Format: //host:port
4289#
4292#Default:
4293# access_log daemon:/var/log/squid/access.log squid
4294
4295# TAG: icap_log
4296# ICAP log files record ICAP transaction summaries, one line per
4297# transaction.
4298#
4299# The icap_log option format is:
4300# icap_log <filepath> [<logformat name> [acl acl ...]]
4301# icap_log none [acl acl ...]
4302#
4303# Please see access_log option documentation for details. The two
4304# kinds of logs share the overall configuration approach and many
4305# features.
4306#
4307# ICAP processing of a single HTTP message or transaction may
4308# require multiple ICAP transactions. In such cases, multiple
4309# ICAP transaction log lines will correspond to a single access
4310# log line.
4311#
4312# ICAP log supports many access.log logformat %codes. In ICAP context,
4313# HTTP message-related %codes are applied to the HTTP message embedded
4314# in an ICAP message. Logformat "%http::>..." codes are used for HTTP
4315# messages embedded in ICAP requests while "%http::<..." codes are used
4316# for HTTP messages embedded in ICAP responses. For example:
4317#
4318# http::>h To-be-adapted HTTP message headers sent by Squid to
4319# the ICAP service. For REQMOD transactions, these are
4320# HTTP request headers. For RESPMOD, these are HTTP
4321# response headers, but Squid currently cannot log them
4322# (i.e., %http::>h will expand to "-" for RESPMOD).
4323#
4324# http::<h Adapted HTTP message headers sent by the ICAP
4325# service to Squid (i.e., HTTP request headers in regular
4326# REQMOD; HTTP response headers in RESPMOD and during
4327# request satisfaction in REQMOD).
4328#
4329# ICAP OPTIONS transactions do not embed HTTP messages.
4330#
4331# Several logformat codes below deal with ICAP message bodies. An ICAP
4332# message body, if any, typically includes a complete HTTP message
4333# (required HTTP headers plus optional HTTP message body). When
4334# computing HTTP message body size for these logformat codes, Squid
4335# either includes or excludes chunked encoding overheads; see
4336# code-specific documentation for details.
4337#
4338# For Secure ICAP services, all size-related information is currently
4339# computed before/after TLS encryption/decryption, as if TLS was not
4340# in use at all.
4341#
4342# The following format codes are also available for ICAP logs:
4343#
4344# icap::<A ICAP server IP address. Similar to <A.
4345#
4346# icap::<service_name ICAP service name from the icap_service
4347# option in Squid configuration file.
4348#
4349# icap::ru ICAP Request-URI. Similar to ru.
4350#
4351# icap::rm ICAP request method (REQMOD, RESPMOD, or
4352# OPTIONS). Similar to existing rm.
4353#
4354# icap::>st The total size of the ICAP request sent to the ICAP
4355# server (ICAP headers + ICAP body), including chunking
4356# metadata (if any).
4357#
4358# icap::<st The total size of the ICAP response received from the
4359# ICAP server (ICAP headers + ICAP body), including
4360# chunking metadata (if any).
4361#
4362# icap::<bs The size of the ICAP response body received from the
4363# ICAP server, excluding chunking metadata (if any).
4364#
4365# icap::tr Transaction response time (in
4366# milliseconds). The timer starts when
4367# the ICAP transaction is created and
4368# stops when the transaction is completed.
4369# Similar to tr.
4370#
4371# icap::tio Transaction I/O time (in milliseconds). The
4372# timer starts when the first ICAP request
4373# byte is scheduled for sending. The timer
4374# stops when the last byte of the ICAP response
4375# is received.
4376#
4377# icap::to Transaction outcome: ICAP_ERR* for all
4378# transaction errors, ICAP_OPT for OPTIONS
4379# transactions, ICAP_ECHO for 204
4380# responses, ICAP_MOD for message
4381# modification, and ICAP_SAT for request
4382# satisfaction. Similar to Ss.
4383#
4384# icap::Hs ICAP response status code. Similar to Hs.
4385#
4386# icap::>h ICAP request header(s). Similar to >h.
4387#
4388# icap::<h ICAP response header(s). Similar to <h.
4389#
4390# The default ICAP log format, which can be used without an explicit
4391# definition, is called icap_squid:
4392#
4393#logformat icap_squid %ts.%03tu %6icap::tr %>A %icap::to/%03icap::Hs %icap::<st %icap::rm %icap::ru %un -/%icap::<A -
4394#
4395# See also: logformat and %adapt::<last_h
4396#Default:
4397# none
4398
4399# TAG: logfile_daemon
4400# Specify the path to the logfile-writing daemon. This daemon is
4401# used to write the access and store logs, if configured.
4402#
4403# Squid sends a number of commands to the log daemon:
4404# L<data>\n - logfile data
4405# R\n - rotate file
4406# T\n - truncate file
4407# O\n - reopen file
4408# F\n - flush file
4409# r<n>\n - set rotate count to <n>
4410# b<n>\n - 1 = buffer output, 0 = don't buffer output
4411#
4412# No response is expected.
4413#Default:
4414# logfile_daemon /usr/lib/squid/log_file_daemon
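# Added example (not Squid's own log_file_daemon): a minimal daemon helper that
# speaks the command protocol listed above. It writes L records, rotates on R
# with the extension scheme logfile_rotate describes (0 through N-1, or a plain
# close-and-reopen when the count is 0), truncates on T, reopens on O, flushes
# on F and honours r<n> and b<n>. The scripted_session() run and the file names
# inside it are constructed for the example. That the newline terminating an L
# command is written as the record terminator is this example's assumption,
# not something the page states.

```python
"""Minimal logfile daemon for Squid's logfile_daemon command protocol.

Added example, not Squid's own log_file_daemon. Squid writes one command per
line to the helper's stdin (L<data>, R, T, O, F, r<n>, b<n>) and expects no
reply. Assumption: the '\\n' ending an L command is kept as record terminator.
"""
import os
import sys
import tempfile
from typing import Dict, Optional, TextIO


class LogFileDaemon:
    def __init__(self, path: str, rotate_count: int = 10) -> None:
        self.path = path
        self.rotate_count = rotate_count   # as logfile_rotate / rotate=N
        self.buffered = False              # toggled by b1 / b0
        self.fp: Optional[TextIO] = None
        self._open()

    def _open(self) -> None:
        # O_APPEND so a reopen never overwrites earlier records; mode 0640 so
        # the log (URLs, usernames, client IPs) is not world-readable.
        fd = os.open(self.path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o640)
        self.fp = os.fdopen(fd, "a")

    def _close(self) -> None:
        if self.fp is not None:
            self.fp.close()
            self.fp = None

    def handle(self, command: str) -> None:
        """Run one protocol line. Unknown commands are ignored, never acted on:
        the helper runs with Squid's privileges and must not trust its input."""
        if not command:
            return
        op, arg = command[0], command[1:]
        if op == "L":                          # L<data>\n : one log record
            self.fp.write(arg)
            if not self.buffered:
                self.fp.flush()
        elif op == "R":                        # R : rotate
            self.rotate()
        elif op == "T":                        # T : truncate in place
            self.fp.flush()
            self.fp.truncate(0)
        elif op == "O":                        # O : reopen (external rotation)
            self._close()
            self._open()
        elif op == "F":                        # F : flush
            self.fp.flush()
        elif op == "r":                        # r<n> : set rotate count
            try:
                self.rotate_count = max(0, int(arg))
            except ValueError:
                pass
        elif op == "b":                        # b1 buffer, b0 flush per record
            self.buffered = arg.strip() == "1"
            if not self.buffered:
                self.fp.flush()

    def rotate(self) -> None:
        """path.N-2 -> path.N-1, ..., path.0 -> path.1, path -> path.0, reopen.
        With rotate_count 0 only close and reopen, as logfile_rotate documents."""
        self._close()
        if self.rotate_count > 0:
            for i in range(self.rotate_count - 1, 0, -1):
                src = f"{self.path}.{i - 1}"
                if os.path.exists(src):
                    os.replace(src, f"{self.path}.{i}")
            if os.path.exists(self.path):
                os.replace(self.path, f"{self.path}.0")
        self._open()


def _read(path: str) -> str:
    with open(path) as f:
        return f.read()


def scripted_session() -> Dict[str, str]:
    """Feed a constructed command script to a daemon in a temporary directory
    and record what each step left on disk (the worked example)."""
    out: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "access.log")
        d = LogFileDaemon(path, rotate_count=2)     # keeps .0 and .1 only
        d.handle("Lfirst record\n")
        out["after_first"] = _read(path)
        d.handle("R\n")
        d.handle("Lsecond record\n")
        d.handle("R\n")
        d.handle("Lthird record\n")
        out["current"], out["rotated0"], out["rotated1"] = (
            _read(path), _read(path + ".0"), _read(path + ".1"))
        d.handle("r0\n")                            # disable renaming, so...
        d.handle("R\n")                             # ...this only reopens
        d.handle("Lfourth record\n")
        out["after_r0"] = _read(path)
        d.handle("b1\n")
        d.handle("Lbuffered record\n")
        out["buffered_pending"] = _read(path)       # not on disk until F
        d.handle("F\n")
        out["after_flush"] = _read(path)
        d.handle("T\n")
        out["after_truncate"] = _read(path)
        d.handle("Xnot-a-command\n")                # ignored
        d._close()
    return out


def main() -> int:
    daemon = LogFileDaemon(sys.argv[1])
    for line in sys.stdin:                          # one command per line
        daemon.handle(line)
    daemon.handle("F\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

# Pointing logfile_daemon at a script like this one replaces the stock helper
# for every daemon: access_log; the O command is what makes an external
# logrotate configuration work without losing records.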
4415
4416# TAG: stats_collection allow|deny acl acl...
4417# This option allows you to control which requests get accounted
4418# in performance counters.
4419#
4420# This clause only supports fast acl types.
4421# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
4422#Default:
4423# Allow logging for all transactions.
4424
4425# TAG: cache_store_log
4426# Logs the activities of the storage manager. Shows which
4427# objects are ejected from the cache, and which objects are
4428# saved and for how long.
4429# There are not really any utilities to analyze this data, so you can safely
4430# disable it (the default).
4431#
4432# Store log uses modular logging outputs. See access_log for the list
4433# of modules supported.
4434#
4435# Example:
4436# cache_store_log stdio:/var/log/squid/store.log
4437# cache_store_log daemon:/var/log/squid/store.log
4438#Default:
4439# none
4440
4441# TAG: cache_swap_state
4442# Location for the cache "swap.state" file. This index file holds
4443# the metadata of objects saved on disk. It is used to rebuild
4444# the cache during startup. Normally this file resides in each
4445# 'cache_dir' directory, but you may specify an alternate
4446# pathname here. Note you must give a full filename, not just
4447# a directory. Since this is the index for the whole object
4448# list you CANNOT periodically rotate it!
4449#
4450# If %s is used in the file name it will be replaced with a
4451# representation of the cache_dir name where each / is replaced
4452# with '.'. This is needed to allow adding/removing cache_dir
4453# lines when cache_swap_state is being used.
4454#
4455# If you have more than one 'cache_dir', and %s is not used in the name,
4456# these swap logs will have names such as:
4457#
4458# cache_swap_log.00
4459# cache_swap_log.01
4460# cache_swap_log.02
4461#
4462# The numbered extension (which is added automatically)
4463# corresponds to the order of the 'cache_dir' lines in this
4464# configuration file. If you change the order of the 'cache_dir'
4465# lines in this file, these index files will NOT correspond to
4466# the correct 'cache_dir' entry (unless you manually rename
4467# them). We recommend you do NOT use this option. It is
4468# better to keep these index files in each 'cache_dir' directory.
4469#Default:
4470# Store the journal inside its cache_dir
4471
4472# TAG: logfile_rotate
4473# Specifies the default number of logfile rotations to make when you
4474# type 'squid -k rotate'. The default is 10, which will rotate
4475# with extensions 0 through 9. Setting logfile_rotate to 0 will
4476# disable the file name rotation, but the logfiles are still closed
4477# and re-opened. This will enable you to rename the logfiles
4478# yourself just before sending the rotate signal.
4479#
4480# Note, from Squid-3.1 this option is only a default for cache.log;
4481# that log can be rotated separately by using debug_options.
4482#
4483# Note, from Squid-4 this option is only a default for access.log
4484# recorded by stdio: module. Those logs can be rotated separately by
4485# using the rotate=N option on their access_log directive.
4486#
4487# Note, the 'squid -k rotate' command normally sends a USR1
4488# signal to the running squid process. In certain situations
4489# (e.g. on Linux with Async I/O), USR1 is used for other
4490# purposes, so -k rotate uses another signal. It is best to get
4491# in the habit of using 'squid -k rotate' instead of 'kill -USR1
4492# <pid>'.
4493#
4494# Note, for Debian/Linux the default of logfile_rotate is
4495# zero, since it includes external logfile-rotation methods.
4496#Default:
4497# logfile_rotate 0
4498
4499# TAG: mime_table
4500# Path to Squid's icon configuration file.
4501#
4502# You shouldn't need to change this, but the default file contains
4503# examples and formatting information if you do.
4504#Default:
4505# mime_table /usr/share/squid/mime.conf
4506
4507# TAG: log_mime_hdrs on|off
4508# The Cache can record both the request and the response MIME
4509# headers for each HTTP transaction. The headers are encoded
4510# safely and will appear as two bracketed fields at the end of
4511# the access log (for either the native or httpd-emulated log
4512# formats). To enable this logging set log_mime_hdrs to 'on'.
4513#Default:
4514# log_mime_hdrs off
4515
4516# TAG: pid_filename
4517# A filename to write the process-id to. To disable, enter "none".
4518#Default:
4519# pid_filename /var/run/squid.pid
4520
4521# TAG: client_netmask
4522# A netmask for client addresses in logfiles and cachemgr output.
4523# Change this to protect the privacy of your cache clients.
4524# A netmask of 255.255.255.0 will log all IPs in that range with
4525# the last octet set to '0'.
4526#Default:
4527# Log full client IP address
4528
4529# TAG: strip_query_terms
4530# By default, Squid strips query terms from requested URLs before
4531# logging. This protects your users' privacy and reduces log size.
4532#
4533# When investigating HIT/MISS or other caching behaviour you
4534# will need to disable this to see the full URL used by Squid.
4535#Default:
4536# strip_query_terms on
4537
4538# TAG: buffered_logs on|off
4539# Whether to write/send access_log records ASAP or accumulate them and
4540# then write/send them in larger chunks. Buffering may improve
4541# performance because it decreases the number of I/Os. However,
4542# buffering increases the delay before log records become available to
4543# the final recipient (e.g., a disk file or logging daemon) and,
4544# hence, increases the risk of log records loss.
4545#
4546# Note that even when buffered_logs are off, Squid may have to buffer
4547# records if it cannot write/send them immediately due to pending I/Os
4548# (e.g., the I/O writing the previous log record) or connectivity loss.
4549#
4550# Currently honored by 'daemon' and 'tcp' access_log modules only.
4551#Default:
4552# buffered_logs off
4553
4554# TAG: netdb_filename
4555# Where Squid stores its netdb journal.
4556# When enabled this journal preserves netdb state between restarts.
4557#
4558# To disable, enter "none".
4559#Default:
4560# netdb_filename stdio:/var/spool/squid/netdb.state
4561
4562# OPTIONS FOR TROUBLESHOOTING
4563# -----------------------------------------------------------------------------
4564
4565# TAG: cache_log
4566# Squid administrative logging file.
4567#
4568# This is where general information about Squid behavior goes. You can
4569# increase the amount of data logged to this file and how often it is
4570# rotated with "debug_options"
4571#Default:
4572# cache_log /var/log/squid/cache.log
4573
4574# TAG: debug_options
4575# Logging options are set as section,level where each source file
4576# is assigned a unique section. Lower levels result in less
4577# output. Full debugging (level 9) can result in a very large
4578# log file, so be careful.
4579#
4580# The magic word "ALL" sets debugging levels for all sections.
4581# The default is to run with "ALL,1" to record important warnings.
4582#
4583# The rotate=N option can be used to keep more or less of these logs
4584# than would otherwise be kept by logfile_rotate.
4585# For most uses a single log should be enough to monitor current
4586# events affecting Squid.
4587#Default:
4588# Log all critical and important messages.
4589
4590# TAG: coredump_dir
4591# By default Squid leaves core files in the directory from where
4592# it was started. If you set 'coredump_dir' to a directory
4593# that exists, Squid will chdir() to that directory at startup
4594# and coredump files will be left there.
4595#
4596#Default:
4597# Use the directory from where Squid was started.
4598#
4599
4600# Leave coredumps in the first cache dir
4601coredump_dir /var/spool/squid
4602
4603# OPTIONS FOR FTP GATEWAYING
4604# -----------------------------------------------------------------------------
4605
4606# TAG: ftp_user
4607# If you want the anonymous login password to be more informative
4608# (and enable the use of picky FTP servers), set this to something
4609# reasonable for your domain, like wwwuser@somewhere.net
4610#
4611# The reason why this is domainless by default is the
4612# request can be made on the behalf of a user in any domain,
4613# depending on how the cache is used.
4614# Some FTP servers also validate that the email address is valid
4615# (for example perl.com).
4616#Default:
4617# ftp_user Squid@
4618
4619# TAG: ftp_passive
4620# If your firewall does not allow Squid to use passive
4621# connections, turn off this option.
4622#
4623# Use of ftp_epsv_all option requires this to be ON.
4624#Default:
4625# ftp_passive on
4626
4627# TAG: ftp_epsv_all
4628# FTP Protocol extensions permit the use of a special "EPSV ALL" command.
4629#
4630# NATs may be able to put the connection on a "fast path" through the
4631# translator, as the EPRT command will never be used and therefore,
4632# translation of the data portion of the segments will never be needed.
4633#
4634# When a client only expects to do two-way FTP transfers this may be
4635# useful.
4636# If squid finds that it must do a three-way FTP transfer after issuing
4637# an EPSV ALL command, the FTP session will fail.
4638#
4639# If you have any doubts about this option do not use it.
4640# Squid will nicely attempt all other connection methods.
4641#
4642# Requires ftp_passive to be ON (default) for any effect.
4643#Default:
4644# ftp_epsv_all off
4645
4646# TAG: ftp_epsv
4647# FTP Protocol extensions permit the use of a special "EPSV" command.
4648#
4649# NATs may be able to put the connection on a "fast path" through the
4650# translator using EPSV, as the EPRT command will never be used
4651# and therefore, translation of the data portion of the segments
4652# will never be needed.
4653#
4654# EPSV is often required to interoperate with FTP servers on IPv6
4655# networks. On the other hand, it may break some IPv4 servers.
4656#
4657# By default, Squid may try EPSV with any FTP server. To fine tune
4658# that decision, you may restrict EPSV to certain clients or servers
4659# using ACLs:
4660#
4661# ftp_epsv allow|deny acl1 acl2 ...
4662#
4663# WARNING: Disabling EPSV may cause problems with external NAT and IPv6.
4664#
4665# Only fast ACLs are supported.
4666# Requires ftp_passive to be ON (default) for any effect.
4667#Default:
4668# none
4669
4670# TAG: ftp_eprt
4671# FTP Protocol extensions permit the use of a special "EPRT" command.
4672#
4673# This extension provides a protocol neutral alternative to the
4674# IPv4-only PORT command. When supported it enables active FTP data
4675# channels over IPv6 and efficient NAT handling.
4676#
4677# Turning this OFF will prevent EPRT being attempted and will skip
4678# straight to using PORT for IPv4 servers.
4679#
4680# Some devices are known to not handle this extension correctly and
4681# may result in crashes. Devices which support EPRT enough to fail
4682# cleanly will result in Squid attempting PORT anyway. This directive
4683# should only be disabled when EPRT results in device failures.
4684#
4685# WARNING: Doing so will convert Squid back to the old behavior with all
4686# the related problems with external NAT devices/layers and IPv4-only FTP.
4687#Default:
4688# ftp_eprt on
4689
4690# TAG: ftp_sanitycheck
4691# For security and data integrity reasons Squid by default performs
4692# sanity checks of the addresses of FTP data connections to ensure the
4693# data connection is to the requested server. If you need to allow
4694# FTP connections to servers using another IP address for the data
4695# connection turn this off.
4696#Default:
4697# ftp_sanitycheck on
4698
4699# TAG: ftp_telnet_protocol
4700# The FTP protocol is officially defined to use the telnet protocol
4701# as transport channel for the control connection. However, many
4702# implementations are broken and do not respect this aspect of
4703# the FTP protocol.
4704#
4705# If you have trouble accessing files with ASCII code 255 in the
4706# path or similar problems involving this ASCII code you can
4707# try setting this directive to off. If that helps, report to the
4708# operator of the FTP server in question that their FTP server
4709# is broken and does not follow the FTP standard.
4710#Default:
4711# ftp_telnet_protocol on
4712
4713# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
4714# -----------------------------------------------------------------------------
4715
4716# TAG: diskd_program
4717# Specify the location of the diskd executable.
4718# Note this is only useful if you have compiled in
4719# diskd as one of the store io modules.
4720#Default:
4721# diskd_program /usr/lib/squid/diskd
4722
4723# TAG: unlinkd_program
4724# Specify the location of the executable for file deletion process.
4725#Default:
4726# unlinkd_program /usr/lib/squid/unlinkd
4727
4728# TAG: pinger_program
4729# Specify the location of the executable for the pinger process.
4730#Default:
4731# pinger_program /usr/lib/squid/pinger
4732
4733# TAG: pinger_enable
4734# Control whether the pinger is active at run-time.
4735# Enables turning ICMP pinger on and off with a simple
4736# squid -k reconfigure.
4737#Default:
4738# pinger_enable on
4739
4740# OPTIONS FOR URL REWRITING
4741# -----------------------------------------------------------------------------
4742
4743# TAG: url_rewrite_program
4744# Specify the location of the executable URL rewriter to use.
4745# Since rewriters can perform almost any function, there isn't one included.
4746#
4747# For each requested URL, the rewriter will receive one line with the format
4748#
4749# [channel-ID <SP>] URL [<SP> extras]<NL>
4750#
4751# See url_rewrite_extras on how to send "extras" with optional values to
4752# the helper.
4753# After processing the request the helper must reply using the following format:
4754#
4755# [channel-ID <SP>] result [<SP> kv-pairs]
4756#
4757# The result code can be:
4758#
4759# OK status=30N url="..."
4760# Redirect the URL to the one supplied in 'url='.
4761# 'status=' is optional and contains the status code to send
4762# the client in Squid's HTTP response. It must be one of the
4763# HTTP redirect status codes: 301, 302, 303, 307, 308.
4764# When no status is given Squid will use 302.
4765#
4766# OK rewrite-url="..."
4767# Rewrite the URL to the one supplied in 'rewrite-url='.
4768# The new URL is fetched directly by Squid and returned to
4769# the client as the response to its request.
4770#
4771# OK
4772# When neither of url= and rewrite-url= are sent Squid does
4773# not change the URL.
4774#
4775# ERR
4776# Do not change the URL.
4777#
4778# BH
4779# An internal error occurred in the helper, preventing
4780# a result being identified. The 'message=' key name is
4781# reserved for delivering a log message.
4782#
4783#
4784# In addition to the above kv-pairs Squid also understands the following
4785# optional kv-pairs received from URL rewriters:
4786# clt_conn_tag=TAG
4787# Associates a TAG with the client TCP connection.
4788# The TAG is treated as a regular annotation but persists across
4789# future requests on the client connection rather than just the
4790# current request. A helper may update the TAG during subsequent
4791# requests by returning a new kv-pair.
4792#
4793# When using the concurrency= option the protocol is changed by
4794# introducing a query channel tag in front of the request/response.
4795# The query channel tag is a number between 0 and concurrency-1.
4796# This value must be echoed back unchanged to Squid as the first part
4797# of the response relating to its request.
4798#
4799# WARNING: URL re-writing ability should be avoided whenever possible.
4800# Use the URL redirect form of response instead.
4801#
4802# Re-writing creates a difference between the state held by the client
4803# and the server, possibly causing confusion when the server response
4804# contains snippets of its view of that state. Embedded URLs, response
4805# and content Location headers, etc. are not re-written by this
4806# interface.
4807#
4808# By default, a URL rewriter is not used.
4809#Default:
4810# none
4811
4812# TAG: url_rewrite_children
4813# Specifies the maximum number of redirector processes that Squid may
4814# spawn (numberofchildren) and several related options. Using too few of
4815# these helper processes (a.k.a. "helpers") creates request queues.
4816# Using too many helpers wastes your system resources.
4817#
4818# Usage: numberofchildren [option]...
4819#
4820# The startup= and idle= options allow some measure of skew in your
4821# tuning.
4822#
4823# startup=
4824#
4825# Sets a minimum of how many processes are to be spawned when Squid
4826# starts or reconfigures. When set to zero the first request will
4827# cause spawning of the first child process to handle it.
4828#
4829# Starting too few will cause an initial slowdown in traffic as Squid
4830# attempts to simultaneously spawn enough processes to cope.
4831#
4832# idle=
4833#
4834# Sets a minimum of how many processes Squid is to try and keep available
4835# at all times. When traffic begins to rise above what the existing
4836# processes can handle this many more will be spawned up to the maximum
4837# configured. A minimum setting of 1 is required.
4838#
4839# concurrency=
4840#
4841# The number of requests each redirector helper can handle in
4842# parallel. Defaults to 0 which indicates the redirector
4843# is an old-style single threaded redirector.
4844#
4845# When this directive is set to a value >= 1 then the protocol
4846# used to communicate with the helper is modified to include
4847# an ID in front of the request/response. The ID from the request
4848# must be echoed back with the response to that request.
4849#
4850# queue-size=N
4851#
4852# Sets the maximum number of queued requests. A request is queued when
4853# no existing child can accept it due to concurrency limit and no new
4854# child can be started due to numberofchildren limit. The default
4855# maximum is zero if url_rewrite_bypass is enabled and
4856# 2*numberofchildren otherwise. If the queued requests exceed queue size
4857# and redirector_bypass configuration option is set, then redirector is
4858# bypassed. Otherwise, Squid is allowed to temporarily exceed the
4859# configured maximum, marking the affected helper as "overloaded". If
4860# the helper overload lasts more than 3 minutes, the action prescribed
4861# by the on-persistent-overload option applies.
4862#
4863# on-persistent-overload=action
4864#
4865# Specifies Squid's reaction to a new helper request arriving when the helper
4866# has been overloaded for more than 3 minutes already. The number of queued
4867# requests determines whether the helper is overloaded (see the queue-size
4868# option).
4869#
4870# Two actions are supported:
4871#
4872# die Squid worker quits. This is the default behavior.
4873#
4874# ERR Squid treats the helper request as if it was
4875# immediately submitted, and the helper immediately
4876# replied with an ERR response. This action has no effect
4877# on the already queued and in-progress helper requests.
4878#Default:
4879# url_rewrite_children 20 startup=0 idle=1 concurrency=0
4880
4881# TAG: url_rewrite_host_header
4882# To preserve same-origin security policies in browsers and to
4883# prevent Host: header forgery by redirectors, Squid rewrites
4884# any Host: header in redirected requests.
4885#
4886# If you are running an accelerator this may not be a wanted
4887# effect of a redirector. This directive enables you to disable
4888# Host: alteration in reverse-proxy traffic.
4889#
4890# WARNING: Entries are cached on the result of the URL rewriting
4891# process, so be careful if you have domain-virtual hosts.
4892#
4893# WARNING: Squid and other software verifies the URL and Host
4894# are matching, so be careful not to relay through other proxies
4895# or inspecting firewalls with this disabled.
4896#Default:
4897# url_rewrite_host_header on
4898
4899# TAG: url_rewrite_access
4900# If defined, this access list specifies which requests are
4901# sent to the redirector processes.
4902#
4903# This clause supports both fast and slow acl types.
4904# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
4905#Default:
4906# Allow, unless rules exist in squid.conf.
4907
4908# TAG: url_rewrite_bypass
4909# When this is 'on', a request will not go through the
4910# redirector if all the helpers are busy. If this is 'off' and the
4911# redirector queue grows too large, the action is prescribed by the
4912# on-persistent-overload option. You should only enable this if the
4913# redirectors are not critical to your caching system. If you use
4914# redirectors for access control, and you enable this option,
4915# users may have access to pages they should not
4916# be allowed to request.
4917#
4918# Enabling this option sets the default url_rewrite_children queue-size
4919# option value to 0.
4920#Default:
4921# url_rewrite_bypass off
4922
4923# TAG: url_rewrite_extras
4924# Specifies a string to be appended to the request line format for the
4925# rewriter helper. "Quoted" format values may contain spaces and
4926# logformat %macros. In theory, any logformat %macro can be used.
4927# In practice, a %macro expands as a dash (-) if the helper request is
4928# sent before the required macro information is available to Squid.
4929#Default:
4930# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
4931
4932# TAG: url_rewrite_timeout
4933# Squid times active requests sent to the redirector. The timeout value and
4934# Squid's reaction to a timed out request are configurable using the following
4935# format:
4936#
4937# url_rewrite_timeout timeout time-units on_timeout=<action> [response=<quoted-response>]
4938#
4939# supported timeout actions:
4940# fail Squid returns an ERR_GATEWAY_FAILURE error page
4941#
4942# bypass Do not re-write the URL
4943#
4944# retry Send the lookup to the helper again
4945#
4946# use_configured_response
4947# Use the <quoted-response> as helper response
4948#Default:
4949# Squid waits for the helper response forever
4950
4951# OPTIONS FOR STORE ID
4952# -----------------------------------------------------------------------------
4953
4954# TAG: store_id_program
4955# Specify the location of the executable StoreID helper to use.
4956# Since such helpers can perform almost any function, none is included.
4957#
4958# For each requested URL, the helper will receive one line with the format
4959#
4960# [channel-ID <SP>] URL [<SP> extras]<NL>
4961#
4962#
4963# After processing the request the helper must reply using the following format:
4964#
4965# [channel-ID <SP>] result [<SP> kv-pairs]
4966#
4967# The result code can be:
4968#
4969# OK store-id="..."
4970# Use the StoreID supplied in 'store-id='.
4971#
4972# ERR
4973# The default is to use HTTP request URL as the store ID.
4974#
4975# BH
4976# An internal error occurred in the helper, preventing
4977# a result being identified.
4978#
4979# In addition to the above kv-pairs Squid also understands the following
4980# optional kv-pairs received from URL rewriters:
4981# clt_conn_tag=TAG
4982# Associates a TAG with the client TCP connection.
4983# Please see the url_rewrite_program documentation for this
4984# kv-pair.
4985#
4986# Helper programs should be prepared to receive and possibly ignore
4987# additional whitespace-separated tokens on each input line.
4988#
4989# When using the concurrency= option the protocol is changed by
4990# introducing a query channel tag in front of the request/response.
4991# The query channel tag is a number between 0 and concurrency-1.
4992# This value must be echoed back unchanged to Squid as the first part
4993# of the response relating to its request.
4994#
4995# NOTE: when using StoreID refresh_pattern will apply to the StoreID
4996# returned from the helper and not the URL.
4997#
4998# WARNING: Wrong StoreID value returned by a careless helper may result
4999# in the wrong cached response returned to the user.
5000#
5001# By default, a StoreID helper is not used.
5002#Default:
5003# none
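# Added example, not Squid's own code: a Python helper implementing the url_rewrite_program
# reply format described above and the store_id_program format, including the channel-ID
# echo used with concurrency=. The host names, the redirect and StoreID policies, and the
# 'storeid' command-line switch are constructed assumptions.

```python
"""Squid 4 helper protocol for url_rewrite_program and store_id_program.

Added example, not Squid's own code. Each request arrives on stdin as
    [channel-ID <SP>] URL [<SP> extras]<NL>
and is answered with
    [channel-ID <SP>] result [<SP> kv-pairs]<NL>
The channel-ID is only present with concurrency= >= 1 and must be echoed back
unchanged; extras (url_rewrite_extras / store_id_extras) are tolerated and ignored.
"""
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed policy: hosts whose plain-HTTP requests are redirected to HTTPS.
REDIRECT_TO_HTTPS = {"intranet.example.test"}
# Constructed policy: mirror hosts serving identical content, and the shared key host.
CDN_MIRRORS = {"cdn1.example.test", "cdn2.example.test"}
CDN_STORE_HOST = "cdn.example.test"


def parse_request(line):
    """Split one request line into (channel_id or None, url or None, extras list)."""
    tokens = line.rstrip("\r\n").split(" ")
    channel = tokens[0] if tokens[0].isdigit() else None   # a URL is never all digits
    if channel is not None:
        tokens = tokens[1:]
    url = tokens[0] if tokens and tokens[0] else None
    return channel, url, tokens[1:]


def quote_kv(key, value):
    """Render key="value" with backslashes and double quotes escaped."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '%s="%s"' % (key, escaped)


def format_reply(channel, result, kv=()):
    """Build the reply line, echoing the channel-ID exactly as received."""
    parts = ([channel] if channel is not None else []) + [result] + list(kv)
    return " ".join(parts) + "\n"


def rewrite_reply(line):
    """url_rewrite_program logic: answer with a redirect, never a rewrite-url=."""
    channel, url, _extras = parse_request(line)
    if url is None:
        # BH: helper-internal problem; message= is reserved for the log line.
        return format_reply(channel, "BH", [quote_kv("message", "request line has no URL")])
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in REDIRECT_TO_HTTPS:
        target = urlunsplit(("https",) + tuple(parts[1:]))
        # A redirect keeps client and server views of the URL consistent,
        # which the WARNING on url_rewrite_program says rewrite-url= does not.
        return format_reply(channel, "OK", ["status=301", quote_kv("url", target)])
    return format_reply(channel, "ERR")     # ERR: leave the URL unchanged


def store_id_reply(line):
    """store_id_program logic: give all mirrors of one CDN a shared StoreID."""
    channel, url, _extras = parse_request(line)
    if url is None:
        return format_reply(channel, "BH", [quote_kv("message", "request line has no URL")])
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.hostname in CDN_MIRRORS:
        # Only the host is normalised; path and query are kept verbatim so two
        # different objects can never collapse onto one cache entry.
        store_id = urlunsplit((parts.scheme, CDN_STORE_HOST, parts.path, parts.query, ""))
        return format_reply(channel, "OK", [quote_kv("store-id", store_id)])
    return format_reply(channel, "ERR")     # ERR: Squid keys on the request URL


def serve(handler, stdin=sys.stdin, stdout=sys.stdout):
    """Helper main loop; every reply is flushed so Squid is never left waiting."""
    for line in stdin:
        stdout.write(handler(line))
        stdout.flush()


if __name__ == "__main__":
    # Constructed CLI: "helper.py storeid" for store_id_program, else URL rewriting.
    mode = sys.argv[1] if len(sys.argv) > 1 else "rewrite"
    serve(store_id_reply if mode == "storeid" else rewrite_reply)
```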
5004
5005# TAG: store_id_extras
5006# Specifies a string to be appended to the request line format for the
5007# StoreId helper. "Quoted" format values may contain spaces and
5008# logformat %macros. In theory, any logformat %macro can be used.
5009# In practice, a %macro expands as a dash (-) if the helper request is
5010# sent before the required macro information is available to Squid.
5011#Default:
5012# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
5013
5014# TAG: store_id_children
5015# Specifies the maximum number of StoreID helper processes that Squid
5016# may spawn (numberofchildren) and several related options. Using
5017# too few of these helper processes (a.k.a. "helpers") creates request
5018# queues. Using too many helpers wastes your system resources.
5019#
5020# Usage: numberofchildren [option]...
5021#
5022# The startup= and idle= options allow some measure of skew in your
5023# tuning.
5024#
5025# startup=
5026#
5027# Sets a minimum of how many processes are to be spawned when Squid
5028# starts or reconfigures. When set to zero the first request will
5029# cause spawning of the first child process to handle it.
5030#
5031# Starting too few will cause an initial slowdown in traffic as Squid
5032# attempts to simultaneously spawn enough processes to cope.
5033#
5034# idle=
5035#
5036# Sets a minimum of how many processes Squid is to try and keep available
5037# at all times. When traffic begins to rise above what the existing
5038# processes can handle this many more will be spawned up to the maximum
5039# configured. A minimum setting of 1 is required.
5040#
5041# concurrency=
5042#
5043# The number of requests each storeID helper can handle in
5044# parallel. Defaults to 0 which indicates the helper
5045# is an old-style single threaded program.
5046#
5047# When this directive is set to a value >= 1 then the protocol
5048# used to communicate with the helper is modified to include
5049# an ID in front of the request/response. The ID from the request
5050# must be echoed back with the response to that request.
5051#
5052# queue-size=N
5053#
5054# Sets the maximum number of queued requests to N. A request is queued
5055# when no existing child can accept it due to concurrency limit and no
5056# new child can be started due to numberofchildren limit. The default
5057# maximum is 2*numberofchildren. If the queued requests exceed queue
5058# size and redirector_bypass configuration option is set, then
5059# redirector is bypassed. Otherwise, Squid is allowed to temporarily
5060# exceed the configured maximum, marking the affected helper as
5061# "overloaded". If the helper overload lasts more than 3 minutes, the
5062# action prescribed by the on-persistent-overload option applies.
5063#
5064# on-persistent-overload=action
5065#
5066# Specifies Squid's reaction to a new helper request arriving when the helper
5067# has been overloaded for more than 3 minutes already. The number of queued
5068# requests determines whether the helper is overloaded (see the queue-size
5069# option).
5070#
5071# Two actions are supported:
5072#
5073# die Squid worker quits. This is the default behavior.
5074#
5075# ERR Squid treats the helper request as if it was
5076# immediately submitted, and the helper immediately
5077# replied with an ERR response. This action has no effect
5078# on the already queued and in-progress helper requests.
5079#Default:
5080# store_id_children 20 startup=0 idle=1 concurrency=0
5081
5082# TAG: store_id_access
5083# If defined, this access list specifies which requests are
5084# sent to the StoreID processes. By default all requests
5085# are sent.
5086#
5087# This clause supports both fast and slow acl types.
5088# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
5089#Default:
5090# Allow, unless rules exist in squid.conf.
5091
5092# TAG: store_id_bypass
5093# When this is 'on', a request will not go through the
5094# helper if all helpers are busy. If this is 'off' and the helper
5095# queue grows too large, the action is prescribed by the
5096# on-persistent-overload option. You should only enable this if the
5097# helpers are not critical to your caching system. If you use
5098# helpers for critical caching components, and you enable this
5099# option, users may not get objects from cache.
5100# This option sets the default queue-size option of store_id_children
5101# to 0.
5102#Default:
5103# store_id_bypass on
5104
5105# OPTIONS FOR TUNING THE CACHE
5106# -----------------------------------------------------------------------------
5107
5108# TAG: cache
5109# Requests denied by this directive will not be served from the cache
5110# and their responses will not be stored in the cache. This directive
5111# has no effect on other transactions and on already cached responses.
5112#
5113# This clause supports both fast and slow acl types.
5114# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
5115#
5116# This and the two other similar caching directives listed below are
5117# checked at different transaction processing stages, have different
5118# access to response information, affect different cache operations,
5119# and differ in slow ACLs support:
5120#
5121# * cache: Checked before Squid makes a hit/miss determination.
5122# No access to reply information!
5123# Denies both serving a hit and storing a miss.
5124# Supports both fast and slow ACLs.
5125# * send_hit: Checked after a hit was detected.
5126# Has access to reply (hit) information.
5127# Denies serving a hit only.
5128# Supports fast ACLs only.
5129# * store_miss: Checked before storing a cachable miss.
5130# Has access to reply (miss) information.
5131# Denies storing a miss only.
5132# Supports fast ACLs only.
5133#
5134# If you are not sure which of the three directives to use, apply the
5135# following decision logic:
5136#
5137# * If your ACL(s) are of slow type _and_ need response info, redesign.
5138# Squid does not support that particular combination at this time.
5139# Otherwise:
5140# * If your directive ACL(s) are of slow type, use "cache"; and/or
5141# * if your directive ACL(s) need no response info, use "cache".
5142# Otherwise:
5143# * If you do not want the response cached, use store_miss; and/or
5144# * if you do not want a hit on a cached response, use send_hit.
5145#Default:
5146# By default, this directive is unused and has no effect.
5147
5148# TAG: send_hit
5149# Responses denied by this directive will not be served from the cache
5150# (but may still be cached, see store_miss). This directive has no
5151# effect on the responses it allows and on the cached objects.
5152#
5153# Please see the "cache" directive for a summary of differences among
5154# store_miss, send_hit, and cache directives.
5155#
5156# Unlike the "cache" directive, send_hit only supports fast acl
5157# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
5158#
5159# For example:
5160#
5161# # apply custom Store ID mapping to some URLs
5162# acl MapMe dstdomain .c.example.com
5163# store_id_program ...
5164# store_id_access allow MapMe
5165#
5166# # but prevent caching of special responses
5167# # such as 302 redirects that cause StoreID loops
5168# acl Ordinary http_status 200-299
5169# store_miss deny MapMe !Ordinary
5170#
5171# # and do not serve any previously stored special responses
5172# # from the cache (in case they were already cached before
5173# # the above store_miss rule was in effect).
5174# send_hit deny MapMe !Ordinary
5175#Default:
5176# By default, this directive is unused and has no effect.
5177
5178# TAG: store_miss
5179# Responses denied by this directive will not be cached (but may still
5180# be served from the cache, see send_hit). This directive has no
5181# effect on the responses it allows and on the already cached responses.
5182#
5183# Please see the "cache" directive for a summary of differences among
5184# store_miss, send_hit, and cache directives. See the
5185# send_hit directive for a usage example.
5186#
5187# Unlike the "cache" directive, store_miss only supports fast acl
5188# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
5189#Default:
5190# By default, this directive is unused and has no effect.
5191
5192# TAG: max_stale time-units
5193# This option puts an upper limit on how stale content Squid
5194# will serve from the cache if cache validation fails.
5195# Can be overridden by the refresh_pattern max-stale option.
5196#Default:
5197# max_stale 1 week
5198
5199# TAG: refresh_pattern
5200# usage: refresh_pattern [-i] regex min percent max [options]
5201#
5202# By default, regular expressions are CASE-SENSITIVE. To make
5203# them case-insensitive, use the -i option.
5204#
5205# 'Min' is the time (in minutes) an object without an explicit
5206# expiry time should be considered fresh. The recommended
5207# value is 0, any higher values may cause dynamic applications
5208# to be erroneously cached unless the application designer
5209# has taken the appropriate actions.
5210#
5211# 'Percent' is a percentage of the object's age (time since last
5212# modification) for which an object without an explicit expiry time
5213# will be considered fresh.
5214#
5215# 'Max' is an upper limit on how long objects without an explicit
5216# expiry time will be considered fresh. The value is also used
5217# to form Cache-Control: max-age header for a request sent from
5218# Squid to origin/parent.
5219#
5220# options: override-expire
5221# override-lastmod
5222# reload-into-ims
5223# ignore-reload
5224# ignore-no-store
5225# ignore-private
5226# max-stale=NN
5227# refresh-ims
5228# store-stale
5229#
5230# override-expire enforces min age even if the server
5231# sent an explicit expiry time (e.g., with the
5232# Expires: header or Cache-Control: max-age). Doing this
5233# VIOLATES the HTTP standard. Enabling this feature
5234# could make you liable for problems which it causes.
5235#
5236# Note: override-expire does not enforce staleness - it only extends
5237# freshness / min. If the server returns an Expires time which
5238# is longer than your max time, Squid will still consider
5239# the object fresh for that period of time.
5240#
5241# override-lastmod enforces min age even on objects
5242# that were modified recently.
5243#
5244# reload-into-ims changes a client no-cache or ``reload''
5245# request for a cached entry into a conditional request using
5246# If-Modified-Since and/or If-None-Match headers, provided the
5247# cached entry has a Last-Modified and/or a strong ETag header.
5248# Doing this VIOLATES the HTTP standard. Enabling this feature
5249# could make you liable for problems which it causes.
5250#
5251# ignore-reload ignores a client no-cache or ``reload''
5252# header. Doing this VIOLATES the HTTP standard. Enabling
5253# this feature could make you liable for problems which
5254# it causes.
5255#
5256# ignore-no-store ignores any ``Cache-control: no-store''
5257# headers received from a server. Doing this VIOLATES
5258# the HTTP standard. Enabling this feature could make you
5259# liable for problems which it causes.
5260#
5261# ignore-private ignores any ``Cache-control: private''
5262# headers received from a server. Doing this VIOLATES
5263# the HTTP standard. Enabling this feature could make you
5264# liable for problems which it causes.
5265#
5266# refresh-ims causes squid to contact the origin server
5267# when a client issues an If-Modified-Since request. This
5268# ensures that the client will receive an updated version
5269# if one is available.
5270#
5271# store-stale stores responses even if they don't have explicit
5272# freshness or a validator (i.e., Last-Modified or an ETag)
5273# present, or if they're already stale. By default, Squid will
5274# not cache such responses because they usually can't be
5275# reused. Note that such responses will be stale by default.
5276#
5277# max-stale=NN provides a maximum staleness factor. Squid won't
5278# serve objects more stale than this even if it failed to
5279# validate the object. Default: use the max_stale global limit.
5280#
5281# Basically a cached object is:
5282#
5283# FRESH if expire > now, else STALE
5284# STALE if age > max
5285# FRESH if lm-factor < percent, else STALE
5286# FRESH if age < min
5287# else STALE
5288#
5289# The refresh_pattern lines are checked in the order listed here.
5290# The first entry which matches is used. If none of the entries
5291# match the default will be used.
5292#
5293# Note, you must uncomment all the default lines if you want
5294# to change one. The default setting is only active if none is
5295# used.
5296#
5297#
5298
5299#
5300# Add any of your own refresh_pattern entries above these.
5301#
5302refresh_pattern ^ftp: 1440 20% 10080
5303refresh_pattern ^gopher: 1440 0% 1440
5304refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
5305refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
5306refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
5307refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
5308refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
5309# example pattern for deb packages
5310#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
5311refresh_pattern . 0 20% 4320
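# Added example, not Squid's own code: refresh_pattern matching (first match wins, -i) and
# the freshness decision listed above, worked through in Python. It assumes epoch-second
# timestamps and applies the lm-factor test only when Last-Modified is known (an
# interpretation of the listed order); override-* and ignore-* options are not modelled.

```python
"""refresh_pattern selection and the freshness rules listed above.

Added example, not Squid's own code. Times passed to freshness() are epoch
seconds (now, Date header, Expires, Last-Modified); min and max in the
refresh_pattern line are minutes, as in squid.conf. The lm-factor test is
only applied when a Last-Modified date is known, which is the reading of
"FRESH if lm-factor < percent, else STALE" under which the min-age rule
listed after it can still be reached. override-* and ignore-* options are
not modelled.
"""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "pattern min_secs pct max_secs")


def parse_refresh_pattern(line):
    """Parse 'refresh_pattern [-i] regex min percent max [options]'."""
    tokens = line.split()
    if not tokens or tokens[0] != "refresh_pattern":
        raise ValueError("not a refresh_pattern line: " + line)
    tokens = tokens[1:]
    flags = 0
    if tokens and tokens[0] == "-i":      # regexes are case-sensitive unless -i
        flags = re.IGNORECASE
        tokens = tokens[1:]
    if len(tokens) < 4:
        raise ValueError("need regex min percent max: " + line)
    regex, min_m, pct, max_m = tokens[:4]
    return Rule(re.compile(regex, flags), int(min_m) * 60,
                int(pct.rstrip("%")), int(max_m) * 60)


def match_rule(rules, url):
    """Lines are checked in order; the first matching regex is used."""
    for rule in rules:
        if rule.pattern.search(url):
            return rule
    return None


def freshness(rule, now, date, expires=None, last_modified=None):
    """Apply the listed decision order and return 'FRESH' or 'STALE'."""
    age = now - date
    if expires is not None:              # explicit expiry wins outright
        return "FRESH" if expires > now else "STALE"
    if age > rule.max_secs:              # never fresh beyond max
        return "STALE"
    if last_modified is not None and date > last_modified:
        lm_factor = 100.0 * age / (date - last_modified)
        return "FRESH" if lm_factor < rule.pct else "STALE"
    if age < rule.min_secs:              # no usable validator: only min applies
        return "FRESH"
    return "STALE"


def is_fresh(rules, url, now, date, expires=None, last_modified=None):
    """Pick the rule for url (the last rule should be a catch-all) and decide."""
    rule = match_rule(rules, url)
    if rule is None:
        raise LookupError("no refresh_pattern matches " + url)
    return freshness(rule, now, date, expires, last_modified) == "FRESH"


# Constructed rule set mirroring three of the default lines above.
DEFAULT_RULES = [parse_refresh_pattern(line) for line in (
    "refresh_pattern ^ftp: 1440 20% 10080",
    "refresh_pattern -i (/cgi-bin/|\\?) 0 0% 0",
    "refresh_pattern . 0 20% 4320",
)]
```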
5312
5313# TAG: quick_abort_min (KB)
5314#Default:
5315# quick_abort_min 16 KB
5316
5317# TAG: quick_abort_max (KB)
5318#Default:
5319# quick_abort_max 16 KB
5320
5321# TAG: quick_abort_pct (percent)
5322# The cache by default continues downloading aborted requests
5323# which are almost completed (less than 16 KB remaining). This
5324# may be undesirable on slow (e.g. SLIP) links and/or very busy
5325# caches. Impatient users may tie up file descriptors and
5326# bandwidth by repeatedly requesting and immediately aborting
5327# downloads.
5328#
5329# When the user aborts a request, Squid will compare the
5330# quick_abort values against the amount of data transferred
5331# so far.
5332#
5333# If the transfer has less than 'quick_abort_min' KB remaining,
5334# it will finish the retrieval.
5335#
5336# If the transfer has more than 'quick_abort_max' KB remaining,
5337# it will abort the retrieval.
5338#
5339# If more than 'quick_abort_pct' of the transfer has completed,
5340# it will finish the retrieval.
5341#
5342# If you do not want any retrieval to continue after the client
5343# has aborted, set both 'quick_abort_min' and 'quick_abort_max'
5344# to '0 KB'.
5345#
5346# If you want retrievals to always continue if they are being
5347# cached set 'quick_abort_min' to '-1 KB'.
5348#Default:
5349# quick_abort_pct 95
5350
5351# TAG: read_ahead_gap buffer-size
5352# The amount of data the cache will buffer ahead of what has been
5353# sent to the client when retrieving an object from another server.
5354#Default:
5355# read_ahead_gap 16 KB
5356
5357# TAG: negative_ttl time-units
5358# Set the Default Time-to-Live (TTL) for failed requests.
5359# Certain types of failures (such as "connection refused" and
5360# "404 Not Found") are able to be negatively-cached for a short time.
5361# Modern web servers should provide Expires: header, however if they
5362# do not this can provide a minimum TTL.
5363# The default is not to cache errors with unknown expiry details.
5364#
5365# Note that this is different from negative caching of DNS lookups.
5366#
5367# WARNING: Doing this VIOLATES the HTTP standard. Enabling
5368# this feature could make you liable for problems which it
5369# causes.
5370#Default:
5371# negative_ttl 0 seconds
5372
5373# TAG: positive_dns_ttl time-units
5374# Upper limit on how long Squid will cache positive DNS responses.
5375# Default is 6 hours (360 minutes). This directive must be set
5376# larger than negative_dns_ttl.
5377#Default:
5378# positive_dns_ttl 6 hours
5379
5380# TAG: negative_dns_ttl time-units
5381# Time-to-Live (TTL) for negative caching of failed DNS lookups.
5382# This also sets the lower cache limit on positive lookups.
5383# Minimum value is 1 second, and it is not recommended to go
5384# much below 10 seconds.
5385#Default:
5386# negative_dns_ttl 1 minutes
5387
5388# TAG: range_offset_limit size [acl acl...]
5389# usage: (size) [units] [[!]aclname]
5390#
5391# Sets an upper limit on how far (number of bytes) into the file
5392# a Range request may be to cause Squid to prefetch the whole file.
5393# If beyond this limit, Squid forwards the Range request as it is and
5394# the result is NOT cached.
5395#
5396# This is to stop a far ahead range request (let's say starting at 17MB)
5397# from making Squid fetch the whole object up to that point before
5398# sending anything to the client.
5399#
5400# Multiple range_offset_limit lines may be specified, and they will
5401# be searched from top to bottom on each request until a match is found.
5402# The first match found will be used. If no line matches a request, the
5403# default limit of 0 bytes will be used.
5404#
5405# 'size' is the limit specified as a number of units.
5406#
5407# 'units' specifies whether to use bytes, KB, MB, etc.
5408# If no units are specified bytes are assumed.
5409#
5410# A size of 0 causes Squid to never fetch more than the
5411# client requested. (default)
5412#
5413# A size of 'none' causes Squid to always fetch the object from the
5414# beginning so it may cache the result. (2.0 style)
5415#
5416# 'aclname' is the name of a defined ACL.
5417#
5418# NP: Using 'none' as the byte value here will override any quick_abort settings
5419# that may otherwise apply to the range request. The range request will
5420# be fully fetched from start to finish regardless of the client
5421# actions. This affects bandwidth usage.
5422#Default:
5423# none
5424
5425# TAG: minimum_expiry_time (seconds)
5426# The minimum caching time according to (Expires - Date)
5427# headers Squid honors if the object can't be revalidated.
5428# The default is 60 seconds.
5429#
5430# In reverse proxy environments it might be desirable to honor
5431# shorter object lifetimes. It is most likely better to make
5432# your server return a meaningful Last-Modified header however.
5433#
5434# In ESI environments where page fragments often have short
5435# lifetimes, this will often be best set to 0.
5436#Default:
5437# minimum_expiry_time 60 seconds
5438
5439# TAG: store_avg_object_size (bytes)
5440# Average object size, used to estimate number of objects your
5441# cache can hold. The default is 13 KB.
5442#
5443# This is used to pre-seed the cache index memory allocation to
5444# reduce expensive reallocate operations while handling clients
5445# traffic. Too-large values may result in memory allocation during
5446# peak traffic, too-small values will result in wasted memory.
5447#
5448# Check the cache manager 'info' report metrics for the real
5449# object sizes seen by your Squid before tuning this.
5450#Default:
5451# store_avg_object_size 13 KB
5452
5453# TAG: store_objects_per_bucket
5454# Target number of objects per bucket in the store hash table.
5455# Lowering this value increases the total number of buckets and
5456# also the storage maintenance rate. The default is 20.
5457#Default:
5458# store_objects_per_bucket 20
5459
5460# HTTP OPTIONS
5461# -----------------------------------------------------------------------------
5462
5463# TAG: request_header_max_size (KB)
5464# This specifies the maximum size for HTTP headers in a request.
5465# Request headers are usually relatively small (about 512 bytes).
5466# Placing a limit on the request header size will catch certain
5467# bugs (for example with persistent connections) and possibly
5468# buffer-overflow or denial-of-service attacks.
5469#Default:
5470# request_header_max_size 64 KB
5471
5472# TAG: reply_header_max_size (KB)
5473# This specifies the maximum size for HTTP headers in a reply.
5474# Reply headers are usually relatively small (about 512 bytes).
5475# Placing a limit on the reply header size will catch certain
5476# bugs (for example with persistent connections) and possibly
5477# buffer-overflow or denial-of-service attacks.
5478#Default:
5479# reply_header_max_size 64 KB
5480
5481# TAG: request_body_max_size (bytes)
5482# This specifies the maximum size for an HTTP request body.
5483# In other words, the maximum size of a PUT/POST request.
5484# A user who attempts to send a request with a body larger
5485# than this limit receives an "Invalid Request" error message.
5486# If you set this parameter to a zero (the default), there will
5487# be no limit imposed.
5488#
5489# See also client_request_buffer_max_size for an alternative
5490# limitation on client uploads which can be configured.
5491#Default:
5492# No limit.
5493
5494# TAG: client_request_buffer_max_size (bytes)
5495# This specifies the maximum buffer size of a client request.
5496# It prevents Squid from eating too much memory when somebody uploads
5497# a large file.
5498#Default:
5499# client_request_buffer_max_size 512 KB
5500
5501# TAG: broken_posts
5502# A list of ACL elements which, if matched, causes Squid to send
5503# an extra CRLF pair after the body of a PUT/POST request.
5504#
5505# Some HTTP servers have broken implementations of PUT/POST,
5506# and rely on an extra CRLF pair sent by some WWW clients.
5507#
5508# Quote from RFC2616 section 4.1 on this matter:
5509#
5510# Note: certain buggy HTTP/1.0 client implementations generate
5511# extra CRLF's after a POST request. To restate what is explicitly
5512# forbidden by the BNF, an HTTP/1.1 client must not preface or follow
5513# a request with an extra CRLF.
5514#
5515# This clause only supports fast acl types.
5516# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
5517#
5518#Example:
5519# acl buggy_server url_regex ^http://....
5520# broken_posts allow buggy_server
5521#Default:
5522# Obey RFC 2616.
5523
5524# TAG: adaptation_uses_indirect_client on|off
5525# Controls whether the indirect client IP address (instead of the direct
5526# client IP address) is passed to adaptation services.
5527#
5528# See also: follow_x_forwarded_for adaptation_send_client_ip
5529#Default:
5530# adaptation_uses_indirect_client on
5531
5532# TAG: via on|off
5533# If set (default), Squid will include a Via header in requests and
5534# replies as required by RFC2616.
5535#Default:
5536via off
5537
5538# TAG: vary_ignore_expire on|off
5539# Many HTTP servers supporting Vary give such objects an
5540# immediate expiry time with no cache-control header
5541# when requested by an HTTP/1.0 client. This option
5542# enables Squid to ignore such expiry times until
5543# HTTP/1.1 is fully implemented.
5544#
5545# WARNING: If turned on this may eventually cause some
5546# varying objects not intended for caching to get cached.
5547#Default:
5548# vary_ignore_expire off
5549
5550# TAG: request_entities
5551# Squid defaults to deny GET and HEAD requests with request entities,
5552# as the meaning of such requests is undefined in the HTTP standard
5553# even if not explicitly forbidden.
5554#
5555# Set this directive to on if you have clients which insist
5556# on sending request entities in GET or HEAD requests. But be warned
5557# that there is server software (both proxies and web servers) which
5558# can fail to properly process this kind of request which may make you
5559# vulnerable to cache pollution attacks if enabled.
5560#Default:
5561# request_entities off
5562
# TAG: request_header_access
# Usage: request_header_access header_name allow|deny [!]aclname ...
#
# WARNING: Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which it
# causes.
#
# This option replaces the old 'anonymize_headers' and the
# older 'http_anonymizer' option with something that is much
# more configurable. A list of ACLs for each header name allows
# removal of specific header fields under specific conditions.
#
# This option only applies to outgoing HTTP request headers (i.e.,
# headers sent by Squid to the next HTTP hop such as a cache peer
# or an origin server). The option has no effect during cache hit
# detection. The equivalent adaptation vectoring point in ICAP
# terminology is post-cache REQMOD.
#
# The option is applied to individual outgoing request header
# fields. For each request header field F, Squid uses the first
# qualifying set of request_header_access rules:
#
# 1. Rules with header_name equal to F's name.
# 2. Rules with header_name 'Other', provided F's name is not
# on the hard-coded list of commonly used HTTP header names.
# 3. Rules with header_name 'All'.
#
# Within that qualifying rule set, rule ACLs are checked as usual.
# If ACLs of an "allow" rule match, the header field is allowed to
# go through as is. If ACLs of a "deny" rule match, the header is
# removed and request_header_replace is then checked to identify
# if the removed header has a replacement. If no rules within the
# set have matching ACLs, the header field is left as is.
#
# For example, to achieve the same behavior as the old
# 'http_anonymizer standard' option, you should use:
#
# request_header_access From deny all
# request_header_access Referer deny all
# request_header_access User-Agent deny all
#
# Or, to reproduce the old 'http_anonymizer paranoid' feature
# you should use:
#
# request_header_access Authorization allow all
# request_header_access Proxy-Authorization allow all
# request_header_access Cache-Control allow all
# request_header_access Content-Length allow all
# request_header_access Content-Type allow all
# request_header_access Date allow all
# request_header_access Host allow all
# request_header_access If-Modified-Since allow all
# request_header_access Pragma allow all
# request_header_access Accept allow all
# request_header_access Accept-Charset allow all
# request_header_access Accept-Encoding allow all
# request_header_access Accept-Language allow all
# request_header_access Connection allow all
# request_header_access All deny all
#
# HTTP reply headers are controlled with the reply_header_access directive.
#
# By default, all headers are allowed (no anonymizing is performed).
#Default:
# No limits.

# TAG: reply_header_access
# Usage: reply_header_access header_name allow|deny [!]aclname ...
#
# WARNING: Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which it
# causes.
#
# This option only applies to reply headers, i.e., from the
# server to the client.
#
# This is the same as request_header_access, but in the other
# direction. Please see request_header_access for detailed
# documentation.
#
# For example, to achieve the same behavior as the old
# 'http_anonymizer standard' option, you should use:
#
# reply_header_access Server deny all
# reply_header_access WWW-Authenticate deny all
# reply_header_access Link deny all
#
# Or, to reproduce the old 'http_anonymizer paranoid' feature
# you should use:
#
# reply_header_access Allow allow all
# reply_header_access WWW-Authenticate allow all
# reply_header_access Proxy-Authenticate allow all
# reply_header_access Cache-Control allow all
# reply_header_access Content-Encoding allow all
# reply_header_access Content-Length allow all
# reply_header_access Content-Type allow all
# reply_header_access Date allow all
# reply_header_access Expires allow all
# reply_header_access Last-Modified allow all
# reply_header_access Location allow all
# reply_header_access Pragma allow all
# reply_header_access Content-Language allow all
# reply_header_access Retry-After allow all
# reply_header_access Title allow all
# reply_header_access Content-Disposition allow all
# reply_header_access Connection allow all
# reply_header_access All deny all
#
# HTTP request headers are controlled with the request_header_access directive.
#
# By default, all headers are allowed (no anonymizing is
# performed).
#Default:
# No limits.

# TAG: request_header_replace
# Usage: request_header_replace header_name message
# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
#
# This option allows you to change the contents of headers
# denied with request_header_access above, by replacing them
# with some fixed string.
#
# This only applies to request headers, not reply headers.
#
# By default, headers are removed if denied.
#Default:
# none

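# Added example (not Squid source code): a small Python model of the
# rule-set selection and allow/deny/replace logic described under
# request_header_access and request_header_replace above. ACLs are modelled
# as predicates on a request object, COMMON_HEADERS is an assumed stand-in
# for Squid's hard-coded list of commonly used header names, and the
# 10.0.0.0/8 subnet and the sample headers are constructed values.

```python
"""Added model of request_header_access / request_header_replace evaluation.
Not Squid source: ACLs are predicates on a request object and COMMON_HEADERS
is an assumed stand-in for Squid's hard-coded list of common header names."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List


@dataclass
class Request:
    client_ip: str
    headers: Dict[str, str] = field(default_factory=dict)


Acl = Callable[[Request], bool]
ALL: Acl = lambda req: True                      # squid.conf's built-in "all"


def src(cidr: str) -> Acl:
    """Equivalent of 'acl name src CIDR'."""
    net = ip_network(cidr)
    return lambda req: ip_address(req.client_ip) in net


# Assumed stand-in for the hard-coded list: these names never match 'Other'.
COMMON_HEADERS = {"host", "user-agent", "accept", "authorization",
                  "content-length", "content-type", "connection"}


@dataclass
class Rule:
    header: str          # lower-cased header_name, 'other' or 'all'
    action: str          # "allow" | "deny"
    acls: List[Acl]      # every ACL must match for the rule to apply


class HeaderPolicy:
    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.replacements: Dict[str, str] = {}

    def access(self, header: str, action: str, *acls: Acl) -> None:
        """request_header_access header_name allow|deny acl ..."""
        self.rules.append(Rule(header.lower(), action, list(acls)))

    def replace(self, header: str, value: str) -> None:
        """request_header_replace header_name message"""
        self.replacements[header.lower()] = value

    def rule_set(self, name: str) -> List[Rule]:
        """Steps 1-3 of the directive: exact name, then 'Other' (uncommon
        names only), then 'All'. The first non-empty set wins."""
        exact = [r for r in self.rules if r.header == name]
        if exact:
            return exact
        if name not in COMMON_HEADERS:
            other = [r for r in self.rules if r.header == "other"]
            if other:
                return other
        return [r for r in self.rules if r.header == "all"]

    def apply(self, req: Request) -> Dict[str, str]:
        """Headers as they would leave Squid for the next hop."""
        out: Dict[str, str] = {}
        for name, value in req.headers.items():
            lname = name.lower()
            decision = None
            for rule in self.rule_set(lname):
                if all(acl(req) for acl in rule.acls):
                    decision = rule.action           # first matching rule wins
                    break
            if decision != "deny":
                out[name] = value                    # allowed, or no rule matched
            elif lname in self.replacements:
                out[name] = self.replacements[lname]  # denied, fixed replacement
            # denied with no replacement: the field is dropped
        return out


def anonymizer_standard() -> HeaderPolicy:
    """The 'http_anonymizer standard' equivalent from the directive text,
    plus the User-Agent replacement shown under request_header_replace."""
    p = HeaderPolicy()
    for h in ("From", "Referer", "User-Agent"):
        p.access(h, "deny", ALL)
    p.replace("User-Agent", "Nutscrape/1.0 (CP/M; 8-bit)")
    return p


def strip_uncommon_from_lan() -> HeaderPolicy:
    """An 'Other' rule: drop non-standard fields, but only for clients in
    10.0.0.0/8 (a constructed sample subnet)."""
    p = HeaderPolicy()
    p.access("Other", "deny", src("10.0.0.0/8"))
    return p
```

# With anonymizer_standard(), Referer and From are dropped and User-Agent
# is replaced; with strip_uncommon_from_lan(), a field such as X-Trace is
# dropped for 10.x clients while Host (on the common list) is untouched.
# The same evaluation applies in the reply direction to reply_header_access
# and reply_header_replace.
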
# TAG: reply_header_replace
# Usage: reply_header_replace header_name message
# Example: reply_header_replace Server Foo/1.0
#
# This option allows you to change the contents of headers
# denied with reply_header_access above, by replacing them
# with some fixed string.
#
# This only applies to reply headers, not request headers.
#
# By default, headers are removed if denied.
#Default:
# none

# TAG: request_header_add
# Usage: request_header_add field-name field-value [ acl ... ]
# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
#
# This option adds header fields to outgoing HTTP requests (i.e.,
# request headers sent by Squid to the next HTTP hop such as a
# cache peer or an origin server). The option has no effect during
# cache hit detection. The equivalent adaptation vectoring point
# in ICAP terminology is post-cache REQMOD.
#
# Field-name is a token specifying an HTTP header name. If a
# standard HTTP header name is used, Squid does not check whether
# the new header conflicts with any existing headers or violates
# HTTP rules. If the request to be modified already contains a
# field with the same name, the old field is preserved but the
# header field values are not merged.
#
# Field-value is either a token or a quoted string. If quoted
# string format is used, then the surrounding quotes are removed
# while escape sequences and %macros are processed.
#
# One or more Squid ACLs may be specified to restrict header
# injection to matching requests. As always in squid.conf, all
# ACLs in the ACL list must be satisfied for the insertion to
# happen. The request_header_add option supports fast ACLs only.
#
# See also: reply_header_add.
#Default:
# none

# TAG: reply_header_add
# Usage: reply_header_add field-name field-value [ acl ... ]
# Example: reply_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
#
# This option adds header fields to outgoing HTTP responses (i.e., response
# headers delivered by Squid to the client). This option has no effect on
# cache hit detection. The equivalent adaptation vectoring point in
# ICAP terminology is post-cache RESPMOD. This option does not apply to
# successful CONNECT replies.
#
# Field-name is a token specifying an HTTP header name. If a
# standard HTTP header name is used, Squid does not check whether
# the new header conflicts with any existing headers or violates
# HTTP rules. If the response to be modified already contains a
# field with the same name, the old field is preserved but the
# header field values are not merged.
#
# Field-value is either a token or a quoted string. If quoted
# string format is used, then the surrounding quotes are removed
# while escape sequences and %macros are processed.
#
# One or more Squid ACLs may be specified to restrict header
# injection to matching responses. As always in squid.conf, all
# ACLs in the ACL list must be satisfied for the insertion to
# happen. The reply_header_add option supports fast ACLs only.
#
# See also: request_header_add.
#Default:
# none

# TAG: note
# This option is used to log custom information about the master
# transaction. For example, an admin may configure Squid to log
# which "user group" the transaction belongs to, where "user group"
# will be determined based on a set of ACLs and not [just]
# authentication information.
# Values of key/value pairs can be logged using %{key}note macros:
#
# note key value acl ...
# logformat myFormat ... %{key}note ...
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# none

# TAG: relaxed_header_parser on|off|warn
# In the default "on" setting Squid accepts certain forms
# of non-compliant HTTP messages where it is unambiguous
# what the sending application intended even if the message
# is not correctly formatted. The message is then normalized
# to the correct form when forwarded by Squid.
#
# If set to "warn" then a warning will be emitted in cache.log
# each time such an HTTP error is encountered.
#
# If set to "off" then such HTTP errors will cause the request
# or response to be rejected.
#Default:
# relaxed_header_parser on

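# Added example (not Squid's parser): a Python sketch of how the three
# relaxed_header_parser modes treat one tolerated malformation. The
# malformation modelled, whitespace between a field name and its colon, is
# an assumed example of an "unambiguous" non-compliant form; the sample
# header lines are constructed.

```python
"""Added illustration of the three relaxed_header_parser modes; it is not
Squid's parser. The one tolerated malformation modelled here, whitespace
between a field name and its colon, is an assumed example of an
'unambiguous' non-compliant form; the sample header lines are constructed."""
import re
from typing import List, Tuple

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# Compliant field line: name ":" optional whitespace value optional whitespace
STRICT = re.compile(rf"^({TOKEN}):[ \t]*(.*?)[ \t]*$")
# Tolerated form: whitespace may also appear between the name and the colon
RELAXED = re.compile(rf"^({TOKEN})[ \t]*:[ \t]*(.*?)[ \t]*$")


class HeaderError(ValueError):
    """Raised when the message must be rejected."""


def parse_headers(lines: List[str], mode: str = "on") -> Tuple[List[Tuple[str, str]], List[str]]:
    """Parse header lines under relaxed_header_parser mode on|warn|off.
    Returns the normalised (name, value) pairs plus any cache.log-style
    warnings; 'off' rejects the message at the first non-compliant line."""
    if mode not in ("on", "warn", "off"):
        raise ValueError(f"unknown mode {mode!r}")
    fields: List[Tuple[str, str]] = []
    warnings: List[str] = []
    for line in lines:
        m = STRICT.match(line)
        if m:
            fields.append((m.group(1), m.group(2)))
            continue
        m = RELAXED.match(line)
        if m is None:
            # Intent is ambiguous: rejected in every mode
            raise HeaderError(f"unparseable header line: {line!r}")
        if mode == "off":
            raise HeaderError(f"non-compliant header line: {line!r}")
        if mode == "warn":
            warnings.append(f"WARNING: relaxed parsing of header line {line!r}")
        # 'on' and 'warn': forward the normalised form (name ":" SP value)
        fields.append((m.group(1), m.group(2)))
    return fields, warnings


def serialise(fields: List[Tuple[str, str]]) -> str:
    """Render normalised fields the way they would be forwarded."""
    return "".join(f"{name}: {value}\r\n" for name, value in fields)
```

# A line such as "Host : example.com" is forwarded as "Host: example.com"
# under "on", forwarded with a warning under "warn", and rejected under
# "off"; a line no mode can make sense of is rejected regardless.
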
# TAG: collapsed_forwarding (on|off)
# This option controls whether Squid is allowed to merge multiple
# potentially cachable requests for the same URI before Squid knows
# whether the response is going to be cachable.
#
# When enabled, instead of forwarding each concurrent request for
# the same URL, Squid just sends the first of them. The other, so-called
# "collapsed" requests, wait for the response to the first
# request and, if it happens to be cachable, use that response.
# Here, "concurrent requests" means "received after the first
# request headers were parsed and before the corresponding response
# headers were parsed".
#
# This feature is disabled by default: enabling collapsed
# forwarding needlessly delays forwarding requests that look
# cachable (when they are collapsed) but then need to be forwarded
# individually anyway because they end up being for uncachable
# content. However, in some cases, such as acceleration of highly
# cachable content with periodic or grouped expiration times, the
# gains from collapsing [large volumes of simultaneous refresh
# requests] outweigh losses from such delays.
#
# Squid collapses two kinds of requests: regular client requests
# received on one of the listening ports and internal "cache
# revalidation" requests which are triggered by those regular
# requests hitting a stale cached object. Revalidation collapsing
# is currently disabled for Squid instances containing SMP-aware
# disk or memory caches and for Vary-controlled cached objects.
#Default:
# collapsed_forwarding off

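# Added example (not Squid code): a Python model of the "concurrent
# request" window defined above and of the delay collapsing imposes when the
# first response turns out to be uncachable. The request timestamps and the
# response-header time are constructed sample values in seconds.

```python
"""Added illustration (not Squid code) of the "concurrent request" window
used by collapsed_forwarding, and of the delay collapsing adds when the
first response turns out to be uncachable. Times are constructed sample
values in seconds."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Req:
    rid: str
    t_parsed: float       # when Squid finished parsing this request's headers


def plan_forwarding(reqs: List[Req], t_resp_headers: float, cachable: bool,
                    collapse: bool) -> Tuple[List[str], List[str], Dict[str, float]]:
    """All requests are for the same URL. Returns (forwarded, collapsed, delayed).
    The first request is always forwarded. With collapsing on, later requests
    parsed before the first response's headers arrived (t_resp_headers) wait
    on that response; if it is not cachable they are forwarded afterwards and
    'delayed' records how long each waited for nothing."""
    group = sorted(reqs, key=lambda r: r.t_parsed)
    first, rest = group[0], group[1:]
    forwarded, collapsed, delayed = [first.rid], [], {}
    for r in rest:
        in_window = first.t_parsed <= r.t_parsed < t_resp_headers
        if collapse and in_window:
            collapsed.append(r.rid)
            if not cachable:
                forwarded.append(r.rid)
                delayed[r.rid] = round(t_resp_headers - r.t_parsed, 3)
        else:
            forwarded.append(r.rid)       # after the window: forwarded as usual
    return forwarded, collapsed, delayed


# Constructed sample: A is first; B and C arrive inside the window, D after it.
SAMPLE = [Req("A", 0.0), Req("B", 0.2), Req("C", 0.5), Req("D", 1.5)]
T_RESP = 1.0   # the first response's headers arrive 1s after A was parsed
```

# With collapsing off every request is forwarded; with it on and a cachable
# response only A and D reach the origin; with it on and an uncachable
# response all four are forwarded but B and C first waited 0.8s and 0.5s,
# which is the cost the text warns about.
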
# TAG: collapsed_forwarding_shared_entries_limit (number of entries)
# This limits the size of a table used for sharing information
# about collapsible entries among SMP workers. Limiting sharing
# too much results in cache content duplication and missed
# collapsing opportunities. Using excessively large values
# wastes shared memory.
#
# The limit should be significantly larger than the number of
# concurrent collapsible entries one wants to share. For a cache
# that handles fewer than 5000 concurrent requests, the default
# setting of 16384 should be plenty.
#
# If the limit is set to zero, it disables sharing of collapsed
# forwarding between SMP workers.
#Default:
# collapsed_forwarding_shared_entries_limit 16384

# TIMEOUTS
# -----------------------------------------------------------------------------

# TAG: forward_timeout time-units
# This parameter specifies the maximum time Squid should spend trying
# to find a forwarding path for the request before giving up.
#Default:
# forward_timeout 4 minutes

# TAG: connect_timeout time-units
# This parameter specifies how long to wait for the TCP connect to
# the requested server or peer to complete before Squid should
# attempt to find another path through which to forward the request.
#Default:
# connect_timeout 1 minute

# TAG: peer_connect_timeout time-units
# This parameter specifies how long to wait for a pending TCP
# connection to a peer cache. The default is 30 seconds. You
# may also set different timeout values for individual neighbors
# with the 'connect-timeout' option on a 'cache_peer' line.
#Default:
# peer_connect_timeout 30 seconds

# TAG: read_timeout time-units
# Applied on peer server connections.
#
# After each successful read(), the timeout will be extended by this
# amount. If no data is read again after this amount of time,
# the request is aborted and logged with ERR_READ_TIMEOUT.
#
# The default is 15 minutes.
#Default:
# read_timeout 15 minutes

# TAG: write_timeout time-units
# This timeout is tracked for all connections that have data
# available for writing and are waiting for the socket to become
# ready. After each successful write, the timeout is extended by
# the configured amount. If Squid has data to write but the
# connection is not ready for the configured duration, the
# transaction associated with the connection is terminated. The
# default is 15 minutes.
#Default:
# write_timeout 15 minutes

# TAG: request_timeout
# How long to wait for complete HTTP request headers after initial
# connection establishment.
#Default:
# request_timeout 5 minutes

# TAG: request_start_timeout
# How long to wait for the first request byte after initial
# connection establishment.
#Default:
# request_start_timeout 5 minutes

# TAG: client_idle_pconn_timeout
# How long to wait for the next HTTP request on a persistent
# client connection after the previous request completes.
#Default:
# client_idle_pconn_timeout 2 minutes

# TAG: ftp_client_idle_timeout
# How long to wait for an FTP request on a connection to Squid ftp_port.
# Many FTP clients do not deal with idle connection closures well,
# necessitating a longer default timeout than client_idle_pconn_timeout
# used for incoming HTTP requests.
#Default:
# ftp_client_idle_timeout 30 minutes

# TAG: client_lifetime time-units
# The maximum amount of time a client (browser) is allowed to
# remain connected to the cache process. This protects the Cache
# from having a lot of sockets (and hence file descriptors) tied up
# in a CLOSE_WAIT state from remote clients that go away without
# properly shutting down (either because of a network failure or
# because of a poor client implementation). The default is one
# day, 1440 minutes.
#
# NOTE: The default value is intended to be much larger than any
# client would ever need to be connected to your cache. You
# should probably change client_lifetime only as a last resort.
# If you seem to have many client connections tying up
# file descriptors, we recommend first tuning the read_timeout,
# request_timeout, persistent_request_timeout and quick_abort values.
#Default:
# client_lifetime 1 day

# TAG: pconn_lifetime time-units
# Desired maximum lifetime of a persistent connection.
# When set, Squid will close a now-idle persistent connection that
# exceeded the configured lifetime instead of moving the connection into
# the idle connection pool (or equivalent). No effect on ongoing/active
# transactions. Connection lifetime is the time period from the
# connection acceptance or opening time until "now".
#
# This limit is useful in environments with long-lived connections
# where Squid configuration or environmental factors change during a
# single connection lifetime. If unrestricted, some connections may
# last for hours and even days, ignoring those changes that should
# have affected their behavior or their existence.
#
# Currently, a new lifetime value supplied via Squid reconfiguration
# has no effect on already idle connections unless they become busy.
#
# When set to '0' this limit is not used.
#Default:
# pconn_lifetime 0 seconds

# TAG: half_closed_clients
# Some clients may shut down the sending side of their TCP
# connections, while leaving their receiving sides open. Sometimes,
# Squid cannot tell the difference between a half-closed and a
# fully-closed TCP connection.
#
# By default, Squid will immediately close client connections when
# read(2) returns "no more data to read."
#
# Change this option to 'on' and Squid will keep open connections
# until a read(2) or write(2) on the socket returns an error.
# This may show some benefits for reverse proxies. If it does not,
# it is recommended to leave it OFF.
#Default:
# half_closed_clients off

# TAG: server_idle_pconn_timeout
# Timeout for idle persistent connections to servers and other
# proxies.
#Default:
# server_idle_pconn_timeout 1 minute

# TAG: ident_timeout
# Maximum time to wait for IDENT lookups to complete.
#
# If this is too high, and you enabled IDENT lookups from untrusted
# users, you might be susceptible to denial-of-service by having
# many ident requests going at once.
#Default:
# ident_timeout 10 seconds

# TAG: shutdown_lifetime time-units
# When SIGTERM or SIGHUP is received, the cache is put into
# "shutdown pending" mode until all active sockets are closed.
# This value is the lifetime to set for all open descriptors
# during shutdown mode. Any active clients after this many
# seconds will receive a 'timeout' message.
#Default:
# shutdown_lifetime 30 seconds

# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------

# TAG: cache_mgr
# Email address of the local cache manager who will receive
# mail if the cache dies. The default is "webmaster".
#Default:
# cache_mgr webmaster

# TAG: mail_from
# From: email-address for mail sent when the cache dies.
# The default is to use 'squid@unique_hostname'.
#
# See also: unique_hostname directive.
#Default:
# none

# TAG: mail_program
# Email program used to send mail if the cache dies.
# The default is "mail". The specified program must comply
# with the standard Unix mail syntax:
# mail-program recipient < mailfile
#
# Optional command line options can be specified.
#Default:
# mail_program mail

# TAG: cache_effective_user
# If you start Squid as root, it will change its effective/real
# UID/GID to the user specified below. The default is to change
# to the UID of proxy.
# See also: cache_effective_group
#Default:
# cache_effective_user proxy

# TAG: cache_effective_group
# Squid sets the GID to the effective user's default group ID
# (taken from the password file) and supplementary group list
# from the groups membership.
#
# If you want Squid to run with a specific GID regardless of
# the group memberships of the effective user then set this
# to the group (or GID) you want Squid to run as. When set,
# all other group privileges of the effective user are ignored
# and only this GID is effective. If Squid is not started as
# root the user starting Squid MUST be a member of the specified
# group.
#
# This option is not recommended by the Squid Team.
# Our preference is for administrators to configure a secure
# user account for squid with UID/GID matching system policies.
#Default:
# Use system group memberships of the cache_effective_user account

# TAG: httpd_suppress_version_string on|off
# Suppress Squid version string info in HTTP headers and HTML error pages.
#Default:
# httpd_suppress_version_string off

# TAG: visible_hostname
# If you want to present a special hostname in error messages, etc.,
# define this. Otherwise, the return value of gethostname()
# will be used. If you have multiple caches in a cluster and
# get errors about IP-forwarding, you must give them individual
# names with this setting.
#Default:
# Automatically detect the system host name

# TAG: unique_hostname
# If you want to have multiple machines with the same
# 'visible_hostname' you must give each machine a different
# 'unique_hostname' so forwarding loops can be detected.
#Default:
# Copy the value from visible_hostname

# TAG: hostname_aliases
# A list of other DNS names your cache has.
#Default:
# none

# TAG: umask
# Minimum umask which should be enforced while the proxy
# is running, in addition to the umask set at startup.
#
# For a traditional octal representation of umasks, start
# your value with 0.
#Default:
# umask 027

# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# -----------------------------------------------------------------------------
#
# This section contains parameters for the (optional) cache
# announcement service. This service is provided to help
# cache administrators locate one another in order to join or
# create cache hierarchies.
#
# An 'announcement' message is sent (via UDP) to the registration
# service by Squid. By default, the announcement message is NOT
# SENT unless you enable it with 'announce_period' below.
#
# The announcement message includes your hostname, plus the
# following information from this configuration file:
#
# http_port
# icp_port
# cache_mgr
#
# All current information is processed regularly and made
# available on the Web at http://www.ircache.net/Cache/Tracker/.

# TAG: announce_period
# This is how frequently to send cache announcements.
#
# To enable announcing your cache, just set an announce period.
#
# Example:
# announce_period 1 day
#Default:
# Announcement messages disabled.

# TAG: announce_host
# Set the hostname where announce registration messages will be sent.
#
# See also announce_port and announce_file
#Default:
# announce_host tracker.ircache.net

# TAG: announce_file
# The contents of this file will be included in the announce
# registration messages.
#Default:
# none

# TAG: announce_port
# Set the port where announce registration messages will be sent.
#
# See also announce_host and announce_file
#Default:
# announce_port 3131

# HTTPD-ACCELERATOR OPTIONS
# -----------------------------------------------------------------------------

# TAG: httpd_accel_surrogate_id
# Surrogates (http://www.esi.org/architecture_spec_1.0.html)
# need an identification token to allow control targeting. Because
# a farm of surrogates may all perform the same tasks, they may share
# an identification token.
#Default:
# visible_hostname is used if no specific ID is set.

# TAG: http_accel_surrogate_remote on|off
# Remote surrogates (such as those in a CDN) honour the header
# "Surrogate-Control: no-store-remote".
#
# Set this to on to have squid behave as a remote surrogate.
#Default:
# http_accel_surrogate_remote off

# TAG: esi_parser libxml2|expat
# Selects the XML parsing library to use when interpreting responses with
# Edge Side Includes.
#
# To disable ESI handling completely, ./configure Squid with --disable-esi.
#Default:
# Selects libxml2 if available at ./configure time or libexpat otherwise.

# DELAY POOL PARAMETERS
# -----------------------------------------------------------------------------

# TAG: delay_pools
# This represents the number of delay pools to be used. For example,
# if you have one class 2 delay pool and one class 3 delay pool, you
# have a total of 2 delay pools.
#
# See also delay_parameters, delay_class, delay_access for pool
# configuration details.
#Default:
# delay_pools 0

# TAG: delay_class
# This defines the class of each delay pool. There must be exactly one
# delay_class line for each delay pool. For example, to define two
# delay pools, one of class 2 and one of class 3, the settings above
# and here would be:
#
# Example:
# delay_pools 4 # 4 delay pools
# delay_class 1 2 # pool 1 is a class 2 pool
# delay_class 2 3 # pool 2 is a class 3 pool
# delay_class 3 4 # pool 3 is a class 4 pool
# delay_class 4 5 # pool 4 is a class 5 pool
#
# The delay pool classes are:
#
# class 1 Everything is limited by a single aggregate
# bucket.
#
# class 2 Everything is limited by a single aggregate
# bucket as well as an "individual" bucket chosen
# from bits 25 through 32 of the IPv4 address.
#
# class 3 Everything is limited by a single aggregate
# bucket as well as a "network" bucket chosen
# from bits 17 through 24 of the IP address and an
# "individual" bucket chosen from bits 17 through
# 32 of the IPv4 address.
#
# class 4 Everything in a class 3 delay pool, with an
# additional limit on a per user basis. This
# only takes effect if the username is established
# in advance - by forcing authentication in your
# http_access rules.
#
# class 5 Requests are grouped according to their tag (see
# external_acl's tag= reply).
#
#
# Each pool also requires a delay_parameters directive to configure the pool size
# and speed limits used whenever the pool is applied to a request, along with
# a set of delay_access directives to determine when it is used.
#
# NOTE: If an IP address is a.b.c.d
# -> bits 25 through 32 are "d"
# -> bits 17 through 24 are "c"
# -> bits 17 through 32 are "c * 256 + d"
#
# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
# See also delay_parameters and delay_access.
#Default:
# none

# TAG: delay_access
# This is used to determine which delay pool a request falls into.
#
# delay_access is sorted per pool and the matching starts with pool 1,
# then pool 2, ..., and finally pool N. The first delay pool where the
# request is allowed is selected for the request. If it does not allow
# the request to any pool then the request is not delayed (default).
#
# For example, if you want some_big_clients in delay
# pool 1 and lotsa_little_clients in delay pool 2:
#
# delay_access 1 allow some_big_clients
# delay_access 1 deny all
# delay_access 2 allow lotsa_little_clients
# delay_access 2 deny all
# delay_access 3 allow authenticated_clients
#
# See also delay_parameters and delay_class.
#
#Default:
# Deny using the pool, unless allow rules exist in squid.conf for the pool.

# TAG: delay_parameters
# This defines the parameters for a delay pool. Each delay pool has
# a number of "buckets" associated with it, as explained in the
# description of delay_class.
#
# For a class 1 delay pool, the syntax is:
# delay_class pool 1
# delay_parameters pool aggregate
#
# For a class 2 delay pool:
# delay_class pool 2
# delay_parameters pool aggregate individual
#
# For a class 3 delay pool:
# delay_class pool 3
# delay_parameters pool aggregate network individual
#
# For a class 4 delay pool:
# delay_class pool 4
# delay_parameters pool aggregate network individual user
#
# For a class 5 delay pool:
# delay_class pool 5
# delay_parameters pool tagrate
#
# The option variables are:
#
# pool a pool number - i.e., a number between 1 and the
# number specified in delay_pools as used in
# delay_class lines.
#
# aggregate the speed limit parameters for the aggregate bucket
# (class 1, 2, 3).
#
# individual the speed limit parameters for the individual
# buckets (class 2, 3).
#
# network the speed limit parameters for the network buckets
# (class 3).
#
# user the speed limit parameters for the user buckets
# (class 4).
#
# tagrate the speed limit parameters for the tag buckets
# (class 5).
#
# A pair of delay parameters is written restore/maximum, where restore is
# the number of bytes (not bits - modem and network speeds are usually
# quoted in bits) per second placed into the bucket, and maximum is the
# maximum number of bytes which can be in the bucket at any time.
#
# There must be one delay_parameters line for each delay pool.
#
#
# For example, if delay pool number 1 is a class 2 delay pool as in the
# above example, and is being used to strictly limit each host to 64Kbit/sec
# (plus overheads), with no overall limit, the line is:
#
# delay_parameters 1 none 8000/8000
#
# Note that 8 x 8K Byte/sec -> 64K bit/sec.
#
# Note that the word 'none' is used to represent no limit.
#
#
# And, if delay pool number 2 is a class 3 delay pool as in the above
# example, and you want to limit it to a total of 256Kbit/sec (strict limit)
# with each 8-bit network permitted 64Kbit/sec (strict limit) and each
# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
# to permit a decent web page to be downloaded at a decent speed
# (if the network is not being limited due to overuse) but slow down
# large downloads more significantly:
#
# delay_parameters 2 32000/32000 8000/8000 600/8000
#
# Note that 8 x 32K Byte/sec -> 256K bit/sec.
# 8 x 8K Byte/sec -> 64K bit/sec.
# 8 x 600 Byte/sec -> 4800 bit/sec.
#
#
# Finally, for a class 4 delay pool as in the example - each user will
# be limited to 128Kbits/sec no matter how many workstations they are logged into:
#
# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
#
#
# See also delay_class and delay_access.
#
#Default:
# none

# TAG: delay_initial_bucket_level (percent, 0-100)
# The initial bucket percentage is used to determine how much is put
# in each bucket when squid starts, is reconfigured, or first notices
# a host accessing it (in class 2 and class 3, individual hosts and
# networks only have buckets associated with them once they have been
# "seen" by squid).
#Default:
# delay_initial_bucket_level 50

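# Added example (not Squid code): a Python model of the delay_class bucket
# selection (bits 17-24 = c, bits 25-32 = d, bits 17-32 = c * 256 + d), the
# restore/maximum refill rule from delay_parameters, and the
# delay_initial_bucket_level starting level, applied to the class 3 line
# "delay_parameters 2 32000/32000 8000/8000 600/8000" from the text. All
# addresses, request sizes and traffic below are constructed sample values.

```python
"""Added illustration of delay-pool bucket selection and refill; it is not
Squid code. Bucket keys follow the NOTE under delay_class, the refill model
follows the restore/maximum description under delay_parameters, and buckets
start at delay_initial_bucket_level percent of maximum. All addresses, sizes
and traffic are constructed sample values."""
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

Params = Tuple[Optional[int], Optional[int]]   # (restore, maximum); None = 'none'


def bucket_keys(ip: str) -> Dict[str, int]:
    """Which bucket an IPv4 address falls into, per the bit ranges in delay_class."""
    n = int(IPv4Address(ip))
    c, d = (n >> 8) & 0xFF, n & 0xFF            # third and fourth octets
    return {"class2_individual": d,              # bits 25-32
            "class3_network": c,                 # bits 17-24
            "class3_individual": c * 256 + d}    # bits 17-32


def kbit_per_sec(restore_bytes: int) -> float:
    """restore is in bytes/sec; the text quotes link speeds in bits."""
    return restore_bytes * 8 / 1000


class Bucket:
    """restore bytes/sec are added, capped at maximum; the bucket starts at
    delay_initial_bucket_level percent of maximum. maximum None = no limit."""
    def __init__(self, params: Params, initial_percent: int = 50) -> None:
        self.restore, self.maximum = params
        self.level = 0 if self.maximum is None else self.maximum * initial_percent // 100

    def available(self, nbytes: int) -> int:
        return nbytes if self.maximum is None else min(nbytes, self.level)

    def drain(self, nbytes: int) -> None:
        if self.maximum is not None:
            self.level -= nbytes

    def refill(self, seconds: int = 1) -> None:
        if self.maximum is not None:
            self.level = min(self.maximum, self.level + self.restore * seconds)


class Class3Pool:
    """delay_parameters pool aggregate network individual (class 3)."""
    def __init__(self, aggregate: Params, network: Params, individual: Params,
                 initial_percent: int = 50) -> None:
        self.initial = initial_percent
        self.aggregate = Bucket(aggregate, initial_percent)
        self.net_params, self.ind_params = network, individual
        self.network: Dict[int, Bucket] = {}      # created when a host is first seen
        self.individual: Dict[int, Bucket] = {}

    def _bucket(self, store: Dict[int, Bucket], key: int, params: Params) -> Bucket:
        if key not in store:
            store[key] = Bucket(params, self.initial)
        return store[key]

    def take(self, ip: str, nbytes: int) -> int:
        """Bytes the pool lets through now: every applicable bucket must agree."""
        keys = bucket_keys(ip)
        buckets = [self.aggregate,
                   self._bucket(self.network, keys["class3_network"], self.net_params),
                   self._bucket(self.individual, keys["class3_individual"], self.ind_params)]
        granted = min(b.available(nbytes) for b in buckets)
        for b in buckets:
            b.drain(granted)
        return granted

    def tick(self, seconds: int = 1) -> None:
        """One second passes: every bucket is refilled at its restore rate."""
        for b in (self.aggregate, *self.network.values(), *self.individual.values()):
            b.refill(seconds)


def example_pool() -> Class3Pool:
    """delay_parameters 2 32000/32000 8000/8000 600/8000 from the text."""
    return Class3Pool((32000, 32000), (8000, 8000), (600, 8000))
```

# A first large request from a newly seen host gets its individual bucket's
# initial level (4000 bytes at 50%), then only 600 bytes per second, while a
# second host in the same /24 still gets its own initial burst because the
# shared network bucket has been refilled; kbit_per_sec(8000) gives the
# 64 Kbit/sec quoted in the text.
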
6357# CLIENT DELAY POOL PARAMETERS
6358# -----------------------------------------------------------------------------
6359
6360# TAG: client_delay_pools
6361# This option specifies the number of client delay pools used. It must
6362# preceed other client_delay_* options.
6363#
6364# Example:
6365# client_delay_pools 2
6366#
6367# See also client_delay_parameters and client_delay_access.
6368#Default:
6369# client_delay_pools 0
6370
6371# TAG: client_delay_initial_bucket_level (percent, 0-no_limit)
6372# This option determines the initial bucket size as a percentage of
6373# max_bucket_size from client_delay_parameters. Buckets are created
6374# at the time of the "first" connection from the matching IP. Idle
6375# buckets are periodically deleted.
6376#
6377# You can specify more than 100 percent but note that such "oversized"
6378# buckets are not refilled until their size goes down to max_bucket_size
6379# from client_delay_parameters.
6380#
6381# Example:
6382# client_delay_initial_bucket_level 50
6383#Default:
6384# client_delay_initial_bucket_level 50
6385
6386# TAG: client_delay_parameters
6387#
6388# This option configures client-side bandwidth limits using the
6389# following format:
6390#
6391# client_delay_parameters pool speed_limit max_bucket_size
6392#
6393# pool is an integer ID used for client_delay_access matching.
6394#
6395# speed_limit is bytes added to the bucket per second.
6396#
6397# max_bucket_size is the maximum size of a bucket, enforced after any
6398# speed_limit additions.
6399#
6400# Please see the delay_parameters option for more information and
6401# examples.
6402#
6403# Example:
6404# client_delay_parameters 1 1024 2048
6405# client_delay_parameters 2 51200 16384
6406#
6407# See also client_delay_access.
6408#
6409#Default:
6410# none
6411
6412# TAG: client_delay_access
6413# This option determines the client-side delay pool for the
6414# request:
6415#
6416# client_delay_access pool_ID allow|deny acl_name
6417#
6418# All client_delay_access options are checked in their pool ID
6419# order, starting with pool 1. The first checked pool with allowed
6420# request is selected for the request. If no ACL matches or there
6421# are no client_delay_access options, the request bandwidth is not
6422# limited.
6423#
6424# The ACL-selected pool is then used to find the
6425# client_delay_parameters for the request. Client-side pools are
6426# not used to aggregate clients. Clients are always aggregated
6427# based on their source IP addresses (one bucket per source IP).
6428#
6429# This clause only supports fast acl types.
6430# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
6431# Additionally, only the client TCP connection details are available.
6432# ACLs testing HTTP properties will not work.
6433#
6434# Please see delay_access for more examples.
6435#
6436# Example:
6437# client_delay_access 1 allow low_rate_network
6438# client_delay_access 2 allow vips_network
6439#
6440#
6441# See also client_delay_parameters and client_delay_pools.
6442#Default:
6443# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
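# The following is an added worked example, not part of Squid or of this
# documentation: a small Python model of the client delay pool semantics
# described above (client_delay_initial_bucket_level, client_delay_parameters
# and client_delay_access), using the two-pool configuration from the
# examples. The pool numbers, the CIDR networks standing in for the ACL
# names, and the byte counts are constructed; the deficit-to-delay
# arithmetic is this model's simplification, not Squid's scheduler.

```python
"""Token-bucket model of Squid's client delay pools (added illustration,
not Squid's own code). One bucket per client source IP is refilled at
speed_limit bytes per second and capped at max_bucket_size; buckets start
at client_delay_initial_bucket_level percent of the cap and, above 100
percent, get no refill until drawn down below the cap; the pool is the
first one, in pool ID order, whose client_delay_access list allows the
client, and an unmatched client is not limited. All values are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class PoolParams:
    """client_delay_parameters <pool> <speed_limit> <max_bucket_size>"""
    speed_limit: int       # bytes added to the bucket per second
    max_bucket_size: int   # cap enforced after each refill


@dataclass
class Bucket:
    level: float           # bytes of credit currently available
    last_refill: float     # time of the last refill or consume


class ClientDelayPools:
    def __init__(self, params, access_rules, initial_level_percent=50):
        # params: {pool_id: PoolParams}
        # access_rules: [(pool_id, "allow"|"deny", "CIDR")], standing in for the
        # fast source-address ACLs that client_delay_access is restricted to
        self.params = params
        self.rules = [(p, a, ipaddress.ip_network(n)) for p, a, n in access_rules]
        self.initial_percent = initial_level_percent
        self.buckets = {}  # (pool_id, client_ip) -> Bucket

    def select_pool(self, client_ip):
        """Return the pool ID for this client, or None when it is unlimited."""
        ip = ipaddress.ip_address(client_ip)
        for pool_id in sorted(self.params):
            # The first matching rule of this pool's list decides for the pool;
            # a deny, or no match at all, means "try the next pool".
            for rule_pool, action, net in self.rules:
                if rule_pool == pool_id and ip in net:
                    if action == "allow":
                        return pool_id
                    break
        return None

    def _bucket(self, pool_id, client_ip, now):
        key = (pool_id, client_ip)
        if key not in self.buckets:   # created on the client's first connection
            cap = self.params[pool_id].max_bucket_size
            self.buckets[key] = Bucket(cap * self.initial_percent / 100, now)
        return self.buckets[key]

    def _refill(self, bucket, pool, now):
        elapsed = max(0.0, now - bucket.last_refill)
        if bucket.level < pool.max_bucket_size:
            bucket.level = min(pool.max_bucket_size,
                               bucket.level + pool.speed_limit * elapsed)
        # else: an "oversized" bucket (initial level above 100%) gets no refill
        # until it has been drawn down below max_bucket_size.
        bucket.last_refill = now

    def deliver(self, client_ip, nbytes, now):
        """Deliver nbytes at time `now`; return the delay in seconds the bucket
        imposes (0.0 when the client is unlimited or has enough credit)."""
        pool_id = self.select_pool(client_ip)
        if pool_id is None:
            return 0.0
        pool = self.params[pool_id]
        bucket = self._bucket(pool_id, client_ip, now)
        self._refill(bucket, pool, now)
        if bucket.level >= nbytes:
            bucket.level -= nbytes
            return 0.0
        # Not enough credit: the remainder trickles in at speed_limit bytes/s and
        # the bucket is empty when the transfer completes.
        deficit = nbytes - bucket.level
        delay = deficit / pool.speed_limit
        bucket.level = 0.0
        bucket.last_refill = now + delay
        return delay


def build_example(initial_level_percent=50):
    """The two-pool configuration from the examples above, as constructed data."""
    params = {
        1: PoolParams(speed_limit=1024, max_bucket_size=2048),
        2: PoolParams(speed_limit=51200, max_bucket_size=16384),
    }
    rules = [
        (1, "allow", "10.0.0.0/24"),   # stands in for the low_rate_network ACL
        (2, "allow", "10.0.1.0/24"),   # stands in for the vips_network ACL
    ]
    return ClientDelayPools(params, rules, initial_level_percent)
```

# With the default 50 percent initial level, a 3072-byte response to a pool 1
# client at startup waits 2 seconds (1024 bytes of credit, 2048 bytes of
# deficit at 1024 bytes/s), and a bucket started at 200 percent receives no
# top-up until consumption has brought it under max_bucket_size.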
6444
6445# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
6446# -----------------------------------------------------------------------------
6447
6448# TAG: wccp_router
6449# Use this option to define your WCCP "home" router for
6450# Squid.
6451#
6452# wccp_router supports a single WCCP(v1) router
6453#
6454# wccp2_router supports multiple WCCPv2 routers
6455#
6456# Only one of the two may be used at the same time, and the one used
6457# defines which version of WCCP to use.
6458#Default:
6459# WCCP disabled.
6460
6461# TAG: wccp2_router
6462# Use this option to define your WCCP "home" router for
6463# Squid.
6464#
6465# wccp_router supports a single WCCP(v1) router
6466#
6467# wccp2_router supports multiple WCCPv2 routers
6468#
6469# Only one of the two may be used at the same time, and the one used
6470# defines which version of WCCP to use.
6471#Default:
6472# WCCPv2 disabled.
6473
6474# TAG: wccp_version
6475# This directive is only relevant if you need to set up WCCP(v1)
6476# to some very old and end-of-life Cisco routers. In all other
6477# setups it must be left unset or at the default setting.
6478# It defines an internal version in the WCCP(v1) protocol,
6479# with version 4 being the officially documented protocol.
6480#
6481# According to some users, Cisco IOS 11.2 and earlier only
6482# support WCCP version 3. If you're using that or an earlier
6483# version of IOS, you may need to change this value to 3, otherwise
6484# do not specify this parameter.
6485#Default:
6486# wccp_version 4
6487
6488# TAG: wccp2_rebuild_wait
6489# If this is enabled Squid will wait for the cache dir rebuild to finish
6490# before sending the first wccp2 HereIAm packet.
6491#Default:
6492# wccp2_rebuild_wait on
6493
6494# TAG: wccp2_forwarding_method
6495# WCCP2 allows the setting of forwarding methods between the
6496# router/switch and the cache. Valid values are as follows:
6497#
6498# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
6499# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
6500#
6501# Currently (as of IOS 12.4) Cisco routers only support GRE.
6502# Cisco switches only support the L2 redirect assignment method.
6503#Default:
6504# wccp2_forwarding_method gre
6505
6506# TAG: wccp2_return_method
6507# WCCP2 allows the setting of return methods between the
6508# router/switch and the cache for packets that the cache
6509# decides not to handle. Valid values are as follows:
6510#
6511# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
6512# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
6513#
6514# Currently (as of IOS 12.4) Cisco routers only support GRE.
6515# Cisco switches only support the L2 redirect assignment.
6516#
6517# If the "ip wccp redirect exclude in" command has been
6518# enabled on the cache interface, then it is still safe for
6519# the proxy server to use a l2 redirect method even if this
6520# option is set to GRE.
6521#Default:
6522# wccp2_return_method gre
6523
6524# TAG: wccp2_assignment_method
6525# WCCP2 allows the setting of methods to assign the WCCP hash.
6526# Valid values are as follows:
6527#
6528# hash - Hash assignment
6529# mask - Mask assignment
6530#
6531# As a general rule, Cisco routers support the hash assignment method
6532# and Cisco switches support the mask assignment method.
6533#Default:
6534# wccp2_assignment_method hash
6535
6536# TAG: wccp2_service
6537# WCCP2 allows for multiple traffic services. There are two
6538# types: "standard" and "dynamic". The standard type defines
6539# one service id - http (id 0). The dynamic service ids can be from
6540# 51 to 255 inclusive. In order to use a dynamic service id
6541# one must define the type of traffic to be redirected; this is done
6542# using the wccp2_service_info option.
6543#
6544# The "standard" type does not require a wccp2_service_info option,
6545# just specifying the service id will suffice.
6546#
6547# MD5 service authentication can be enabled by adding
6548# "password=<password>" to the end of this service declaration.
6549#
6550# Examples:
6551#
6552# wccp2_service standard 0 # for the 'web-cache' standard service
6553# wccp2_service dynamic 80 # a dynamic service type which will be
6554# # fleshed out with subsequent options.
6555# wccp2_service standard 0 password=foo
6556#Default:
6557# Use the 'web-cache' standard service.
6558
6559# TAG: wccp2_service_info
6560# Dynamic WCCPv2 services require further information to define the
6561# traffic you wish to have diverted.
6562#
6563# The format is:
6564#
6565# wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
6566# priority=<priority> ports=<port>,<port>..
6567#
6568# The relevant WCCPv2 flags:
6569# + src_ip_hash, dst_ip_hash
6570# + source_port_hash, dst_port_hash
6571# + src_ip_alt_hash, dst_ip_alt_hash
6572# + src_port_alt_hash, dst_port_alt_hash
6573# + ports_source
6574#
6575# The port list can be one to eight entries.
6576#
6577# Example:
6578#
6579# wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
6580# priority=240 ports=80
6581#
6582# Note: the service id must have been defined by a previous
6583# 'wccp2_service dynamic <id>' entry.
6584#Default:
6585# none
6586
6587# TAG: wccp2_weight
6588# Each cache server gets assigned a set of the destination
6589# hash proportional to their weight.
6590#Default:
6591# wccp2_weight 10000
6592
6593# TAG: wccp_address
6594# Use this option if you require WCCPv2 to use a specific
6595# interface address.
6596#
6597# The default behavior is to not bind to any specific address.
6598#Default:
6599# Address selected by the operating system.
6600
6601# TAG: wccp2_address
6602# Use this option if you require WCCP to use a specific
6603# interface address.
6604#
6605# The default behavior is to not bind to any specific address.
6606#Default:
6607# Address selected by the operating system.
6608
6609# PERSISTENT CONNECTION HANDLING
6610# -----------------------------------------------------------------------------
6611#
6612# Also see "pconn_timeout" in the TIMEOUTS section
6613
6614# TAG: client_persistent_connections
6615# Persistent connection support for clients.
6616# Squid uses persistent connections (when allowed). You can use
6617# this option to disable persistent connections with clients.
6618#Default:
6619# client_persistent_connections on
6620
6621# TAG: server_persistent_connections
6622# Persistent connection support for servers.
6623# Squid uses persistent connections (when allowed). You can use
6624# this option to disable persistent connections with servers.
6625#Default:
6626# server_persistent_connections on
6627
6628# TAG: persistent_connection_after_error
6629# With this directive the use of persistent connections after
6630# HTTP errors can be disabled. Useful if you have clients
6631# who fail to handle errors on persistent connections properly.
6632#Default:
6633# persistent_connection_after_error on
6634
6635# TAG: detect_broken_pconn
6636# Some servers have been found to incorrectly signal the use
6637# of HTTP/1.0 persistent connections even on replies not
6638# compatible, causing significant delays. This server problem
6639# has mostly been seen on redirects.
6640#
6641# By enabling this directive Squid attempts to detect such
6642# broken replies and automatically assumes the reply is finished
6643# after a 10 second timeout.
6644#Default:
6645# detect_broken_pconn off
6646
6647# CACHE DIGEST OPTIONS
6648# -----------------------------------------------------------------------------
6649
6650# TAG: digest_generation
6651# This controls whether the server will generate a Cache Digest
6652# of its contents. By default, Cache Digest generation is
6653# enabled if Squid is compiled with --enable-cache-digests defined.
6654#Default:
6655# digest_generation on
6656
6657# TAG: digest_bits_per_entry
6658# This is the number of bits of the server's Cache Digest which
6659# will be associated with the Digest entry for a given HTTP
6660# Method and URL (public key) combination. The default is 5.
6661#Default:
6662# digest_bits_per_entry 5
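# Added example, not Squid's code: a Bloom-filter model of a Cache Digest
# that shows what digest_bits_per_entry buys. Keys are the MD5 of method
# and URL, and four bit positions are taken from the 128-bit hash; that
# Squid's digest likewise derives four hash functions from its MD5 store
# key is stated here as an assumption. The sample URLs are constructed.

```python
"""Bloom-filter model of a Cache Digest (added illustration, not Squid's
own code). A Cache Digest summarises which (method, URL) pairs a cache
holds; digest_bits_per_entry is the number of filter bits budgeted per
cached object. This model hashes "METHOD URL" with MD5 and uses its four
32-bit words as bit positions (assumed to mirror Squid's four hash
functions). Sample URLs are constructed.
"""
import hashlib
import math


class CacheDigest:
    def __init__(self, capacity, bits_per_entry=5):
        self.mask_size = max(8, capacity * bits_per_entry)   # total filter bits
        self.bits = bytearray((self.mask_size + 7) // 8)
        self.count = 0

    def _positions(self, method, url):
        key = hashlib.md5(("%s %s" % (method.upper(), url)).encode()).digest()
        # Four 32-bit words of the MD5, each reduced modulo the bit count.
        return [int.from_bytes(key[i:i + 4], "big") % self.mask_size
                for i in (0, 4, 8, 12)]

    def add(self, method, url):
        for pos in self._positions(method, url):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def may_contain(self, method, url):
        """True means "probably cached" (a HIT prediction); False is certain."""
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(method, url))


def expected_false_positive_rate(bits_per_entry, hash_functions=4):
    """Textbook Bloom-filter estimate (1 - e^(-k/b))^k for a full digest."""
    return (1 - math.exp(-hash_functions / bits_per_entry)) ** hash_functions


def measure_false_positives(bits_per_entry, n=4000):
    """Fill a digest with n constructed URLs, then probe n URLs it never saw;
    return the fraction wrongly predicted as HITs."""
    digest = CacheDigest(n, bits_per_entry)
    for i in range(n):
        digest.add("GET", "http://cached.example.com/obj/%d" % i)
    false_hits = sum(digest.may_contain("GET", "http://other.example.com/obj/%d" % i)
                     for i in range(n))
    return false_hits / n
```

# At the default of 5 bits per entry the estimate is about 9 percent false
# HIT predictions, each of which costs a pointless sibling fetch that ends
# as a MISS; 10 bits per entry brings that near 1 percent for twice the
# digest size.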
6663
6664# TAG: digest_rebuild_period (seconds)
6665# This is the wait time between Cache Digest rebuilds.
6666#Default:
6667# digest_rebuild_period 1 hour
6668
6669# TAG: digest_rewrite_period (seconds)
6670# This is the wait time between Cache Digest writes to
6671# disk.
6672#Default:
6673# digest_rewrite_period 1 hour
6674
6675# TAG: digest_swapout_chunk_size (bytes)
6676# This is the number of bytes of the Cache Digest to write to
6677# disk at a time. It defaults to 4096 bytes (4KB), the Squid
6678# default swap page.
6679#Default:
6680# digest_swapout_chunk_size 4096 bytes
6681
6682# TAG: digest_rebuild_chunk_percentage (percent, 0-100)
6683# This is the percentage of the Cache Digest to be scanned at a
6684# time. By default it is set to 10% of the Cache Digest.
6685#Default:
6686# digest_rebuild_chunk_percentage 10
6687
6688# SNMP OPTIONS
6689# -----------------------------------------------------------------------------
6690
6691# TAG: snmp_port
6692# The port number where Squid listens for SNMP requests. To enable
6693# SNMP support set this to a suitable port number. Port number
6694# 3401 is often used for the Squid SNMP agent. By default it's
6695# set to "0" (disabled)
6696#
6697# Example:
6698# snmp_port 3401
6699#Default:
6700# SNMP disabled.
6701
6702# TAG: snmp_access
6703# Allowing or denying access to the SNMP port.
6704#
6705# All access to the agent is denied by default.
6706# usage:
6707#
6708# snmp_access allow|deny [!]aclname ...
6709#
6710# This clause only supports fast acl types.
6711# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
6712#
6713#Example:
6714# snmp_access allow snmppublic localhost
6715# snmp_access deny all
6716#Default:
6717# Deny, unless rules exist in squid.conf.
6718
6719# TAG: snmp_incoming_address
6720# Just like 'udp_incoming_address', but for the SNMP port.
6721#
6722# snmp_incoming_address is used for the SNMP socket receiving
6723# messages from SNMP agents.
6724#
6725# The default snmp_incoming_address is to listen on all
6726# available network interfaces.
6727#Default:
6728# Accept SNMP packets from all machine interfaces.
6729
6730# TAG: snmp_outgoing_address
6731# Just like 'udp_outgoing_address', but for the SNMP port.
6732#
6733# snmp_outgoing_address is used for SNMP packets returned to SNMP
6734# agents.
6735#
6736# If snmp_outgoing_address is not set it will use the same socket
6737# as snmp_incoming_address. Only change this if you want to have
6738# SNMP replies sent using another address than where this Squid
6739# listens for SNMP queries.
6740#
6741# NOTE, snmp_incoming_address and snmp_outgoing_address can not have
6742# the same value since they both use the same port.
6743#Default:
6744# Use snmp_incoming_address or an address selected by the operating system.
6745
6746# ICP OPTIONS
6747# -----------------------------------------------------------------------------
6748
6749# TAG: icp_port
6750# The port number where Squid sends and receives ICP queries to
6751# and from neighbor caches. The standard UDP port for ICP is 3130.
6752#
6753# Example:
6754# icp_port 3130
6755#Default:
6756# ICP disabled.
6757
6758# TAG: htcp_port
6759# The port number where Squid sends and receives HTCP queries to
6760# and from neighbor caches. To turn it on you want to set it to
6761# 4827.
6762#
6763# Example:
6764# htcp_port 4827
6765#Default:
6766# HTCP disabled.
6767
6768# TAG: log_icp_queries on|off
6769# If set, ICP queries are logged to access.log. You may wish
6770# to disable this if your ICP load is VERY high to speed things
6771# up or to simplify log analysis.
6772#Default:
6773# log_icp_queries on
6774
6775# TAG: udp_incoming_address
6776# udp_incoming_address is used for UDP packets received from other
6777# caches.
6778#
6779# The default behavior is to not bind to any specific address.
6780#
6781# Only change this if you want to have all UDP queries received on
6782# a specific interface/address.
6783#
6784# NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
6785# modules. Altering it will affect all of them in the same manner.
6786#
6787# See also: udp_outgoing_address
6788#
6789# NOTE, udp_incoming_address and udp_outgoing_address can not
6790# have the same value since they both use the same port.
6791#Default:
6792# Accept packets from all machine interfaces.
6793
6794# TAG: udp_outgoing_address
6795# udp_outgoing_address is used for UDP packets sent out to other
6796# caches.
6797#
6798# The default behavior is to not bind to any specific address.
6799#
6800# Instead it will use the same socket as udp_incoming_address.
6801# Only change this if you want to have UDP queries sent using another
6802# address than where this Squid listens for UDP queries from other
6803# caches.
6804#
6805# NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
6806# modules. Altering it will affect all of them in the same manner.
6807#
6808# See also: udp_incoming_address
6809#
6810# NOTE, udp_incoming_address and udp_outgoing_address can not
6811# have the same value since they both use the same port.
6812#Default:
6813# Use udp_incoming_address or an address selected by the operating system.
6814
6815# TAG: icp_hit_stale on|off
6816# If you want to return ICP_HIT for stale cache objects, set this
6817# option to 'on'. If you have sibling relationships with caches
6818# in other administrative domains, this should be 'off'. If you only
6819# have sibling relationships with caches under your control,
6820# it is probably okay to set this to 'on'.
6821# If set to 'on', your siblings should use the option "allow-miss"
6822# on their cache_peer lines for connecting to you.
6823#Default:
6824# icp_hit_stale off
6825
6826# TAG: minimum_direct_hops
6827# If using the ICMP pinging stuff, do direct fetches for sites
6828# which are no more than this many hops away.
6829#Default:
6830# minimum_direct_hops 4
6831
6832# TAG: minimum_direct_rtt (msec)
6833# If using the ICMP pinging stuff, do direct fetches for sites
6834# which are no more than this many rtt milliseconds away.
6835#Default:
6836# minimum_direct_rtt 400
6837
6838# TAG: netdb_low
6839# The low water mark for the ICMP measurement database.
6840#
6841# Note: high watermark controlled by netdb_high directive.
6842#
6843# These watermarks are counts, not percents. The defaults are
6844# (low) 900 and (high) 1000. When the high water mark is
6845# reached, database entries will be deleted until the low
6846# mark is reached.
6847#Default:
6848# netdb_low 900
6849
6850# TAG: netdb_high
6851# The high water mark for the ICMP measurement database.
6852#
6853# Note: low watermark controlled by netdb_low directive.
6854#
6855# These watermarks are counts, not percents. The defaults are
6856# (low) 900 and (high) 1000. When the high water mark is
6857# reached, database entries will be deleted until the low
6858# mark is reached.
6859#Default:
6860# netdb_high 1000
6861
6862# TAG: netdb_ping_period
6863# The minimum period for measuring a site. There will be at
6864# least this much delay between successive pings to the same
6865# network. The default is five minutes.
6866#Default:
6867# netdb_ping_period 5 minutes
6868
6869# TAG: query_icmp on|off
6870# If you want to ask your peers to include ICMP data in their ICP
6871# replies, enable this option.
6872#
6873# If your peer has configured Squid (during compilation) with
6874# '--enable-icmp' that peer will send ICMP pings to origin server
6875# sites of the URLs it receives. If you enable this option the
6876# ICP replies from that peer will include the ICMP data (if available).
6877# Then, when choosing a parent cache, Squid will choose the parent with
6878# the minimal RTT to the origin server. When this happens, the
6879# hierarchy field of the access.log will be
6880# "CLOSEST_PARENT_MISS". This option is off by default.
6881#Default:
6882# query_icmp off
6883
6884# TAG: test_reachability on|off
6885# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
6886# instead of ICP_MISS if the target host is NOT in the ICMP
6887# database, or has a zero RTT.
6888#Default:
6889# test_reachability off
6890
6891# TAG: icp_query_timeout (msec)
6892# Normally Squid will automatically determine an optimal ICP
6893# query timeout value based on the round-trip-time of recent ICP
6894# queries. If you want to override the value determined by
6895# Squid, set this 'icp_query_timeout' to a non-zero value. This
6896# value is specified in MILLISECONDS, so, to use a 2-second
6897# timeout (the old default), you would write:
6898#
6899# icp_query_timeout 2000
6900#Default:
6901# Dynamic detection.
6902
6903# TAG: maximum_icp_query_timeout (msec)
6904# Normally the ICP query timeout is determined dynamically. But
6905# sometimes it can lead to very large values (say 5 seconds).
6906# Use this option to put an upper limit on the dynamic timeout
6907# value. Do NOT use this option to always use a fixed (instead
6908# of a dynamic) timeout value. To set a fixed timeout see the
6909# 'icp_query_timeout' directive.
6910#Default:
6911# maximum_icp_query_timeout 2000
6912
6913# TAG: minimum_icp_query_timeout (msec)
6914# Normally the ICP query timeout is determined dynamically. But
6915# sometimes it can lead to very small timeouts, even lower than
6916# the normal latency variance on your link due to traffic.
6917# Use this option to put a lower limit on the dynamic timeout
6918# value. Do NOT use this option to always use a fixed (instead
6919# of a dynamic) timeout value. To set a fixed timeout see the
6920# 'icp_query_timeout' directive.
6921#Default:
6922# minimum_icp_query_timeout 5
6923
6924# TAG: background_ping_rate time-units
6925# Controls how often the ICP pings are sent to siblings that
6926# have background-ping set.
6927#Default:
6928# background_ping_rate 10 seconds
6929
6930# MULTICAST ICP OPTIONS
6931# -----------------------------------------------------------------------------
6932
6933# TAG: mcast_groups
6934# This tag specifies a list of multicast groups which your server
6935# should join to receive multicasted ICP queries.
6936#
6937# NOTE! Be very careful what you put here! Be sure you
6938# understand the difference between an ICP _query_ and an ICP
6939# _reply_. This option is to be set only if you want to RECEIVE
6940# multicast queries. Do NOT set this option to SEND multicast
6941# ICP (use cache_peer for that). ICP replies are always sent via
6942# unicast, so this option does not affect whether or not you will
6943# receive replies from multicast group members.
6944#
6945# You must be very careful to NOT use a multicast address which
6946# is already in use by another group of caches.
6947#
6948# If you are unsure about multicast, please read the Multicast
6949# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
6950#
6951# Usage: mcast_groups 239.128.16.128 224.0.1.20
6952#
6953# By default, Squid doesn't listen on any multicast groups.
6954#Default:
6955# none
6956
6957# TAG: mcast_miss_addr
6958# Note: This option is only available if Squid is rebuilt with the
6959# -DMULTICAST_MISS_STREAM define
6960#
6961# If you enable this option, every "cache miss" URL will
6962# be sent out on the specified multicast address.
6963#
6964# Do not enable this option unless you are absolutely
6965# certain you understand what you are doing.
6966#Default:
6967# disabled.
6968
6969# TAG: mcast_miss_ttl
6970# Note: This option is only available if Squid is rebuilt with the
6971# -DMULTICAST_MISS_STREAM define
6972#
6973# This is the time-to-live value for packets multicasted
6974# when multicasting off cache miss URLs is enabled. By
6975# default this is set to 'site scope', i.e. 16.
6976#Default:
6977# mcast_miss_ttl 16
6978
6979# TAG: mcast_miss_port
6980# Note: This option is only available if Squid is rebuilt with the
6981# -DMULTICAST_MISS_STREAM define
6982#
6983# This is the port number to be used in conjunction with
6984# 'mcast_miss_addr'.
6985#Default:
6986# mcast_miss_port 3135
6987
6988# TAG: mcast_miss_encode_key
6989# Note: This option is only available if Squid is rebuilt with the
6990# -DMULTICAST_MISS_STREAM define
6991#
6992# The URLs that are sent in the multicast miss stream are
6993# encrypted. This is the encryption key.
6994#Default:
6995# mcast_miss_encode_key XXXXXXXXXXXXXXXX
6996
6997# TAG: mcast_icp_query_timeout (msec)
6998# For multicast peers, Squid regularly sends out ICP "probes" to
6999# count how many other peers are listening on the given multicast
7000# address. This value specifies how long Squid should wait to
7001# count all the replies. The default is 2000 msec, or 2
7002# seconds.
7003#Default:
7004# mcast_icp_query_timeout 2000
7005
7006# INTERNAL ICON OPTIONS
7007# -----------------------------------------------------------------------------
7008
7009# TAG: icon_directory
7010# Where the icons are stored. These are normally kept in
7011# /usr/share/squid/icons
7012#Default:
7013# icon_directory /usr/share/squid/icons
7014
7015# TAG: global_internal_static
7016# This directive controls whether Squid should intercept all requests for
7017# /squid-internal-static/ no matter which host the URL is requesting
7018# (default on setting), or if nothing special should be done for
7019# such URLs (off setting). The purpose of this directive is to make
7020# icons etc work better in complex cache hierarchies where it may
7021# not always be possible for all corners in the cache mesh to reach
7022# the server generating a directory listing.
7023#Default:
7024# global_internal_static on
7025
7026# TAG: short_icon_urls
7027# If this is enabled Squid will use short URLs for icons.
7028# If disabled it will revert to the old behavior of including
7029# its own name and port in the URL.
7030#
7031# If you run a complex cache hierarchy with a mix of Squid and
7032# other proxies you may need to disable this directive.
7033#Default:
7034# short_icon_urls on
7035
7036# ERROR PAGE OPTIONS
7037# -----------------------------------------------------------------------------
7038
7039# TAG: error_directory
7040# If you wish to create your own versions of the default
7041# error files to customize them to suit your company, copy
7042# the error/template files to another directory and point
7043# this tag at them.
7044#
7045# WARNING: This option will disable multi-language support
7046# on error pages if used.
7047#
7048# The squid developers are interested in making squid available in
7049# a wide variety of languages. If you are making translations for a
7050# language that Squid does not currently provide please consider
7051# contributing your translation back to the project.
7052# http://wiki.squid-cache.org/Translations
7053#
7054# The squid developers working on translations are happy to supply drop-in
7055# translated error files in exchange for any new language contributions.
7056#Default:
7057# Send error pages in the client's preferred language.
7058
7059# TAG: error_default_language
7060# Set the default language which squid will send error pages in
7061# if no existing translation matches the client's language
7062# preferences.
7063#
7064# If unset (default) generic English will be used.
7065#
7066# The squid developers are interested in making squid available in
7067# a wide variety of languages. If you are interested in making
7068# translations for any language see the squid wiki for details.
7069# http://wiki.squid-cache.org/Translations
7070#Default:
7071# Generate English language pages.
7072
7073# TAG: error_log_languages
7074# Log to cache.log what languages users are attempting to
7075# auto-negotiate for translations.
7076#
7077# Successful negotiations are not logged. Only failures
7078# have meaning to indicate that Squid may need an upgrade
7079# of its error page translations.
7080#Default:
7081# error_log_languages on
7082
7083# TAG: err_page_stylesheet
7084# CSS Stylesheet to pattern the display of Squid default error pages.
7085#
7086# For information on CSS see http://www.w3.org/Style/CSS/
7087#Default:
7088# err_page_stylesheet /etc/squid/errorpage.css
7089
7090# TAG: err_html_text
7091# HTML text to include in error messages. Make this a "mailto"
7092# URL to your admin address, or maybe just a link to your
7093# organization's Web page.
7094#
7095# To include this in your error messages, you must rewrite
7096# the error template files (found in the "errors" directory).
7097# Wherever you want the 'err_html_text' line to appear,
7098# insert a %L tag in the error template file.
7099#Default:
7100# none
7101
7102# TAG: email_err_data on|off
7103# If enabled, information about the error that occurred will be
7104# included in the mailto links of the ERR pages (if %W is set)
7105# so that the email body contains the data.
7106# Syntax is <A HREF="mailto:%w%W">%w</A>
7107#Default:
7108# email_err_data on
7109
7110# TAG: deny_info
7111# Usage: deny_info err_page_name acl
7112# or deny_info http://... acl
7113# or deny_info TCP_RESET acl
7114#
7115# This can be used to return an ERR_ page for requests which
7116# do not pass the 'http_access' rules. Squid remembers the last
7117# acl it evaluated in http_access, and if a 'deny_info' line exists
7118# for that ACL Squid returns a corresponding error page.
7119#
7120# The acl is typically the last acl on the http_access deny line which
7121# denied access. The exceptions to this rule are:
7122# - When Squid needs to request authentication credentials. It's then
7123# the first authentication related acl encountered
7124# - When none of the http_access lines matches. It's then the last
7125# acl processed on the last http_access line.
7126# - When the decision to deny access was made by an adaptation service,
7127# the acl name is the corresponding eCAP or ICAP service_name.
7128#
7129# NP: If providing your own custom error pages with error_directory
7130# you may also specify them by your custom file name:
7131# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
7132#
7133# By default Squid will send "403 Forbidden". A different 4xx or 5xx
7134# may be specified by prefixing the file name with the code and a colon.
7135# e.g. 404:ERR_CUSTOM_ACCESS_DENIED
7136#
7137# Alternatively you can tell Squid to reset the TCP connection
7138# by specifying TCP_RESET.
7139#
7140# Or you can specify an error URL or URL pattern. The browsers will
7141# get redirected to the specified URL after formatting tags have
7142# been replaced. Redirect will be done with 302 or 307 according to
7143# HTTP/1.1 specs. A different 3xx code may be specified by prefixing
7144# the URL. e.g. 303:http://example.com/
7145#
7146# URL FORMAT TAGS:
7147# %a - username (if available. Password NOT included)
7148# %B - FTP path URL
7149# %e - Error number
7150# %E - Error description
7151# %h - Squid hostname
7152# %H - Request domain name
7153# %i - Client IP Address
7154# %M - Request Method
7155# %O - Unescaped message result from external ACL helper
7156# %o - Message result from external ACL helper
7157# %p - Request Port number
7158# %P - Request Protocol name
7159# %R - Request URL path
7160# %T - Timestamp in RFC 1123 format
7161# %U - Full canonical URL from client
7162# (HTTPS URLs terminate with *)
7163# %u - Full canonical URL from client
7164# %w - Admin email from squid.conf
7165# %x - Error name
7166# %% - Literal percent (%) code
7167#
7168#Default:
7169# none
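# Added example, not code from Squid: a Python parser for the three
# deny_info argument forms and an expander for the URL FORMAT TAGS listed
# above. It percent-encodes every client-influenced value before inserting
# it into the redirect URL, so a crafted username or request URL cannot
# smuggle extra query parameters into the destination; that encoding is
# this example's defensive choice and says nothing about Squid's own
# escaping, except that %O is left raw because the list documents it as
# unescaped. The Request fields and error details are constructed.

```python
"""Parsing and expansion of deny_info targets (added illustration, not
Squid's own code). parse_deny_info() handles an ERR_ page name with an
optional 4xx/5xx prefix, TCP_RESET, or a URL with an optional 3xx prefix;
expand_deny_url() substitutes the URL FORMAT TAGS into a redirect URL,
percent-encoding client-influenced values. Request and error details
are constructed sample data.
"""
import re
from dataclasses import dataclass
from email.utils import formatdate
from urllib.parse import quote


@dataclass
class DenyInfo:
    kind: str     # "error_page", "tcp_reset" or "redirect"
    target: str   # ERR_ page name or URL; empty for TCP_RESET
    status: int   # HTTP status the response would carry; 0 for TCP_RESET


def parse_deny_info(arg):
    """Parse the first argument of a deny_info line."""
    if arg == "TCP_RESET":
        return DenyInfo("tcp_reset", "", 0)
    code, body = None, arg
    prefix, sep, rest = arg.partition(":")
    if sep and len(prefix) == 3 and prefix.isdigit():
        code, body = int(prefix), rest              # "404:ERR_X" / "303:http://..."
    if "://" in body:
        status = 302 if code is None else code      # redirect; 302 unless overridden
        if not 300 <= status <= 399:
            raise ValueError("redirect needs a 3xx code: " + arg)
        return DenyInfo("redirect", body, status)
    status = 403 if code is None else code          # error page; 403 unless overridden
    if not 400 <= status <= 599:
        raise ValueError("error page needs a 4xx or 5xx code: " + arg)
    return DenyInfo("error_page", body, status)


@dataclass
class Request:
    """Constructed request details that the format tags draw on."""
    method: str
    scheme: str
    host: str
    port: int
    path: str
    client_ip: str
    username: str = ""
    ext_acl_message: str = ""


def _esc(value):
    """Percent-encode everything except unreserved characters (safe="")."""
    return quote(value, safe="")


def expand_deny_url(template, req, err_name, err_number, err_desc,
                    squid_host, admin_email, now=0.0):
    """Substitute the deny_info URL FORMAT TAGS into a redirect URL template."""
    full_url = "%s://%s:%d%s" % (req.scheme, req.host, req.port, req.path)
    # "(HTTPS URLs terminate with *)" is read literally here: the path of an
    # HTTPS request is replaced by '*' (an assumption of this example).
    canonical = full_url
    if req.scheme == "https":
        canonical = "%s://%s:%d/*" % (req.scheme, req.host, req.port)
    tags = {
        "a": _esc(req.username),                       # username, never the password
        "B": _esc(req.path) if req.scheme == "ftp" else "",
        "e": str(err_number),
        "E": _esc(err_desc),
        "h": _esc(squid_host),
        "H": _esc(req.host),
        "i": _esc(req.client_ip),
        "M": _esc(req.method),
        "O": req.ext_acl_message,                      # documented as unescaped
        "o": _esc(req.ext_acl_message),
        "p": str(req.port),
        "P": _esc(req.scheme),
        "R": _esc(req.path),
        "T": _esc(formatdate(now, usegmt=True)),       # RFC 1123 timestamp
        "U": _esc(canonical),
        "u": _esc(full_url),
        "w": _esc(admin_email),
        "x": _esc(err_name),
        "%": "%",
    }
    # Unknown %-sequences are left as they are.
    return re.sub(r"%(.)", lambda m: tags.get(m.group(1), m.group(0)), template)
```

# A username of "alice&admin=1" reaches the portal as "alice%26admin%3D1"
# rather than as a second query parameter, which is the property to check
# whenever %a, %U, %R or %o are placed in a redirect URL.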
7170
7171# OPTIONS INFLUENCING REQUEST FORWARDING
7172# -----------------------------------------------------------------------------
7173
7174# TAG: nonhierarchical_direct
7175# By default, Squid will send any non-hierarchical requests
7176# (not cacheable request type) direct to origin servers.
7177#
7178# When this is set to "off", Squid will prefer to send these
7179# requests to parents.
7180#
7181# Note that in most configurations, by turning this off you will only
7182# add latency to these requests without any improvement in global hit
7183# ratio.
7184#
7185# This option only sets a preference. If the parent is unavailable a
7186# direct connection to the origin server may still be attempted. To
7187# completely prevent direct connections use never_direct.
7188#Default:
7189# nonhierarchical_direct on
7190
7191# TAG: prefer_direct
7192# Normally Squid tries to use parents for most requests. If for some
7193# reason you would like it to try going direct first and only use a
7194# parent if going direct fails, set this to on.
7195#
7196# By combining nonhierarchical_direct off and prefer_direct on you
7197# can set up Squid to use a parent as a backup path if going direct
7198# fails.
7199#
7200# Note: If you want Squid to use parents for all requests see
7201# the never_direct directive. prefer_direct only modifies how Squid
7202# acts on cacheable requests.
7203#Default:
7204# prefer_direct off
7205
7206# TAG: cache_miss_revalidate on|off
7207# RFC 7232 defines a conditional request mechanism to prevent
7208# response objects being unnecessarily transferred over the network.
7209# If that mechanism is used by the client and a cache MISS occurs
7210# it can prevent new cache entries being created.
7211#
7212# This option determines whether Squid on cache MISS will pass the
7213# client revalidation request to the server or tries to fetch new
7214# content for caching. It can be useful while the cache is mostly
7215# empty to more quickly have the cache populated by generating
7216# non-conditional GETs.
7217#
7218# When set to 'on' (default), Squid will pass all client If-* headers
7219# to the server. This permits server responses without a cacheable
7220# payload to be delivered and on MISS no new cache entry is created.
7221#
7222# When set to 'off' and if the request is cacheable, Squid will
7223# remove the client's If-Modified-Since and If-None-Match headers from
7224# the request sent to the server. This requests a 200 status response
7225# from the server to create a new cache entry with.
7226#Default:
7227# cache_miss_revalidate on
7228
7229# TAG: always_direct
7230# Usage: always_direct allow|deny [!]aclname ...
7231#
7232# Here you can use ACL elements to specify requests which should
7233# ALWAYS be forwarded by Squid to the origin servers without using
7234# any peers. For example, to always directly forward requests for
7235# local servers, ignoring any parents or siblings you may have, use
7236# something like:
7237#
7238# acl local-servers dstdomain my.domain.net
7239# always_direct allow local-servers
7240#
7241# To always forward FTP requests directly, use
7242#
7243# acl FTP proto FTP
7244# always_direct allow FTP
7245#
7246# NOTE: There is a similar, but opposite option named
7247# 'never_direct'. You need to be aware that "always_direct deny
7248# foo" is NOT the same thing as "never_direct allow foo". You
7249# may need to use a deny rule to exclude a more-specific case of
7250# some other rule. Example:
7251#
7252# acl local-external dstdomain external.foo.net
7253# acl local-servers dstdomain .foo.net
7254# always_direct deny local-external
7255# always_direct allow local-servers
7256#
7257# NOTE: If your goal is to make the client forward the request
7258# directly to the origin server bypassing Squid then this needs
7259# to be done in the client configuration. Squid configuration
7260# can only tell Squid how Squid should fetch the object.
7261#
7262# NOTE: This directive is not related to caching. Replies
7263# are cached as usual even if you use always_direct. To not cache
7264# the replies see the 'cache' directive.
7265#
7266# This clause supports both fast and slow acl types.
7267# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
7268#Default:
7269# Prevent any cache_peer being used for this request.
7270
7271# TAG: never_direct
7272# Usage: never_direct allow|deny [!]aclname ...
7273#
7274# never_direct is the opposite of always_direct. Please read
7275# the description for always_direct if you have not already.
7276#
7277# With 'never_direct' you can use ACL elements to specify
7278# requests which should NEVER be forwarded directly to origin
7279# servers. For example, to force the use of a proxy for all
7280# requests, except those in your local domain use something like:
7281#
7282# acl local-servers dstdomain .foo.net
7283# never_direct deny local-servers
7284# never_direct allow all
7285#
7286# or if Squid is inside a firewall and there are local intranet
7287# servers inside the firewall use something like:
7288#
7289# acl local-intranet dstdomain .foo.net
7290# acl local-external dstdomain external.foo.net
7291# always_direct deny local-external
7292# always_direct allow local-intranet
7293# never_direct allow all
7294#
7295# This clause supports both fast and slow acl types.
7296# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
7297#Default:
7298# Allow DNS results to be used for this request.
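The interplay of always_direct and never_direct above (first-match ACL evaluation, dstdomain matching, and why "always_direct deny foo" is not "never_direct allow foo"), as an added example that is not Squid's own code. It is a simplified Python model of the documented semantics; the ACL names and the ordering "always_direct is consulted before never_direct" are assumptions, and prefer_direct, nonhierarchical_direct and peer health are left out.

```python
"""Model of how always_direct and never_direct decide peer usage.

Added example, not Squid's own code: a simplified Python model of the
semantics documented above (dstdomain matching, first-match rule
evaluation, and the resulting route). It omits prefer_direct,
nonhierarchical_direct and peer health, which real Squid also consults.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str        # "allow" or "deny"
    acls: List[str]    # ACL names on the line; a leading "!" negates one


def dstdomain_matches(pattern: str, host: str) -> bool:
    """dstdomain semantics: a leading dot matches the domain itself and
    every subdomain; without a dot the host must match exactly."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def evaluate(rules: List[Rule], acls: Dict[str, List[str]],
             host: str) -> Optional[str]:
    """First matching rule wins; a rule matches when every ACL on its
    line matches (after "!" negation). None means no rule matched."""
    for rule in rules:
        for name in rule.acls:
            negate = name.startswith("!")
            key = name.lstrip("!")
            if key == "all":
                matched = True
            else:
                matched = any(dstdomain_matches(p, host) for p in acls[key])
            if matched == negate:
                break                     # this ACL failed: rule does not match
        else:
            return rule.action            # every ACL on the line matched
    return None


def route(always: List[Rule], never: List[Rule],
          acls: Dict[str, List[str]], host: str) -> str:
    """always_direct is consulted first (assumed order); an "allow" there
    wins outright. Otherwise a never_direct "allow" forbids going direct.
    Anything else leaves normal peer selection, which may still go
    direct when a parent is unavailable."""
    if evaluate(always, acls, host) == "allow":
        return "direct-only"
    if evaluate(never, acls, host) == "allow":
        return "peers-only"
    return "normal-selection"


# Constructed ACLs mirroring the firewall example above.
ACLS = {
    "local-intranet": [".foo.net"],
    "local-external": ["external.foo.net"],
}
FIREWALL_ALWAYS = [Rule("deny", ["local-external"]),
                   Rule("allow", ["local-intranet"])]
FIREWALL_NEVER = [Rule("allow", ["all"])]
```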
7299
7300# ADVANCED NETWORKING OPTIONS
7301# -----------------------------------------------------------------------------
7302
7303# TAG: incoming_udp_average
7304# Heavy voodoo here. I can't even believe you are reading this.
7305# Are you crazy? Don't even think about adjusting these unless
7306# you understand the algorithms in comm_select.c first!
7307#Default:
7308# incoming_udp_average 6
7309
7310# TAG: incoming_tcp_average
7311# Heavy voodoo here. I can't even believe you are reading this.
7312# Are you crazy? Don't even think about adjusting these unless
7313# you understand the algorithms in comm_select.c first!
7314#Default:
7315# incoming_tcp_average 4
7316
7317# TAG: incoming_dns_average
7318# Heavy voodoo here. I can't even believe you are reading this.
7319# Are you crazy? Don't even think about adjusting these unless
7320# you understand the algorithms in comm_select.c first!
7321#Default:
7322# incoming_dns_average 4
7323
7324# TAG: min_udp_poll_cnt
7325# Heavy voodoo here. I can't even believe you are reading this.
7326# Are you crazy? Don't even think about adjusting these unless
7327# you understand the algorithms in comm_select.c first!
7328#Default:
7329# min_udp_poll_cnt 8
7330
7331# TAG: min_dns_poll_cnt
7332# Heavy voodoo here. I can't even believe you are reading this.
7333# Are you crazy? Don't even think about adjusting these unless
7334# you understand the algorithms in comm_select.c first!
7335#Default:
7336# min_dns_poll_cnt 8
7337
7338# TAG: min_tcp_poll_cnt
7339# Heavy voodoo here. I can't even believe you are reading this.
7340# Are you crazy? Don't even think about adjusting these unless
7341# you understand the algorithms in comm_select.c first!
7342#Default:
7343# min_tcp_poll_cnt 8
7344
7345# TAG: accept_filter
7346# FreeBSD:
7347#
7348# The name of an accept(2) filter to install on Squid's
7349# listen socket(s). This feature is perhaps specific to
7350# FreeBSD and requires support in the kernel.
7351#
7352# The 'httpready' filter delays delivering new connections
7353# to Squid until a full HTTP request has been received.
7354# See the accf_http(9) man page for details.
7355#
7356# The 'dataready' filter delays delivering new connections
7357# to Squid until there is some data to process.
7358# See the accf_dataready(9) man page for details.
7359#
7360# Linux:
7361#
7362# The 'data' filter delays delivering of new connections
7363# to Squid until there is some data to process by TCP_ACCEPT_DEFER.
7364# You may optionally specify a number of seconds to wait by
7365# 'data=N' where N is the number of seconds. Defaults to 30
7366# if not specified. See the tcp(7) man page for details.
7367#EXAMPLE:
7368## FreeBSD
7369#accept_filter httpready
7370## Linux
7371#accept_filter data
7372#Default:
7373# none
7374
7375# TAG: client_ip_max_connections
7376# Set an absolute limit on the number of connections a single
7377# client IP can use. Any more than this and Squid will begin to drop
7378# new connections from the client until it closes some links.
7379#
7380# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
7381# connections from the client. For finer control use the ACL access controls.
7382#
7383# Requires client_db to be enabled (the default).
7384#
7385# WARNING: This may noticeably slow down traffic received via external proxies
7386# or NAT devices and cause them to rebound error messages back to their clients.
7387#Default:
7388# No limit.
7389
7390# TAG: tcp_recv_bufsize (bytes)
7391# Size of receive buffer to set for TCP sockets. Probably just
7392# as easy to change your kernel's default.
7393# Omit from squid.conf to use the default buffer size.
7394#Default:
7395# Use operating system TCP defaults.
7396
7397# ICAP OPTIONS
7398# -----------------------------------------------------------------------------
7399
7400# TAG: icap_enable on|off
7401# If you want to enable the ICAP module support, set this to on.
7402#Default:
7403# icap_enable off
7404
7405# TAG: icap_connect_timeout
7406# This parameter specifies how long to wait for the TCP connect to
7407# the requested ICAP server to complete before giving up and either
7408# terminating the HTTP transaction or bypassing the failure.
7409#
7410# The default for optional services is peer_connect_timeout.
7411# The default for essential services is connect_timeout.
7412# If this option is explicitly set, its value applies to all services.
7413#Default:
7414# none
7415
7416# TAG: icap_io_timeout time-units
7417# This parameter specifies how long to wait for an I/O activity on
7418# an established, active ICAP connection before giving up and
7419# either terminating the HTTP transaction or bypassing the
7420# failure.
7421#Default:
7422# Use read_timeout.
7423
7424# TAG: icap_service_failure_limit limit [in memory-depth time-units]
7425# The limit specifies the number of failures that Squid tolerates
7426# when establishing a new TCP connection with an ICAP service. If
7427# the number of failures exceeds the limit, the ICAP service is
7428# not used for new ICAP requests until it is time to refresh its
7429# OPTIONS.
7430#
7431# A negative value disables the limit. Without the limit, an ICAP
7432# service will not be considered down due to connectivity failures
7433# between ICAP OPTIONS requests.
7434#
7435# Squid forgets ICAP service failures older than the specified
7436# value of memory-depth. The memory fading algorithm
7437# is approximate because Squid does not remember individual
7438# errors but groups them instead, splitting the option
7439# value into ten time slots of equal length.
7440#
7441# When memory-depth is 0 and by default this option has no
7442# effect on service failure expiration.
7443#
7444# Squid always forgets failures when updating service settings
7445# using an ICAP OPTIONS transaction, regardless of this option
7446# setting.
7447#
7448# For example,
7449# # suspend service usage after 10 failures in 5 seconds:
7450# icap_service_failure_limit 10 in 5 seconds
7451#Default:
7452# icap_service_failure_limit 10
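The failure memory described above (ten equal time slots spanning memory-depth, grouped rather than individual failures, and the reset on an OPTIONS refresh), as an added example that is not Squid's own code. The slot alignment and the "exceeds the limit" comparison are my reading of the text; Squid's exact boundaries may differ.

```python
"""Model of icap_service_failure_limit N [in T seconds].

Added example, not Squid's own code: a Python approximation of the
failure memory described above. It keeps ten equal time slots that
together span memory-depth, counts failures per slot instead of
individually, forgets slots older than the depth, suspends the service
once the count exceeds the limit, and forgets everything on an OPTIONS
refresh. Slot alignment is an assumption; Squid's boundaries may differ.
"""
from typing import Dict, Iterable


class FailureMemory:
    SLOTS = 10                        # the documented ten equal time slots

    def __init__(self, limit: int, memory_depth: float = 0.0) -> None:
        self.limit = limit            # negative disables the limit
        self.slot_len = memory_depth / self.SLOTS if memory_depth > 0 else None
        self.slots: Dict[int, int] = {}   # slot index -> failure count
        self.total = 0

    def _slot(self, now: float) -> int:
        return int(now // self.slot_len) if self.slot_len else 0

    def _expire(self, now: float) -> None:
        """Drop slots that have fallen out of the memory-depth window.
        With memory-depth 0 (the default) failures are never expired."""
        if self.slot_len is None:
            return
        oldest_kept = self._slot(now) - self.SLOTS + 1
        for idx in [i for i in self.slots if i < oldest_kept]:
            self.total -= self.slots.pop(idx)

    def record_failure(self, now: float) -> None:
        """A failed TCP connect to the ICAP service at time `now`."""
        self._expire(now)
        idx = self._slot(now)
        self.slots[idx] = self.slots.get(idx, 0) + 1
        self.total += 1

    def is_suspended(self, now: float) -> bool:
        """True while the service must not be used for new ICAP requests."""
        if self.limit < 0:
            return False
        self._expire(now)
        return self.total > self.limit

    def options_refreshed(self) -> None:
        """Squid always forgets failures when an OPTIONS transaction
        updates the service settings, regardless of this option."""
        self.slots.clear()
        self.total = 0


def simulate(limit: int, depth: float, failure_times: Iterable[float],
             probe_time: float) -> bool:
    """Replay constructed failure timestamps (seconds, ascending) and
    report whether the service is suspended at probe_time."""
    mem = FailureMemory(limit, depth)
    for t in failure_times:
        mem.record_failure(t)
    return mem.is_suspended(probe_time)
```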
7453
7454# TAG: icap_service_revival_delay
7455# The delay specifies the number of seconds to wait after an ICAP
7456# OPTIONS request failure before requesting the options again. The
7457# failed ICAP service is considered "down" until fresh OPTIONS are
7458# fetched.
7459#
7460# The actual delay cannot be smaller than the hardcoded minimum
7461# delay of 30 seconds.
7462#Default:
7463# icap_service_revival_delay 180
7464
7465# TAG: icap_preview_enable on|off
7466# The ICAP Preview feature allows the ICAP server to handle the
7467# HTTP message by looking only at the beginning of the message body
7468# or even without receiving the body at all. In some environments,
7469# previews greatly speed up ICAP processing.
7470#
7471# During an ICAP OPTIONS transaction, the server may tell Squid what
7472# HTTP messages should be previewed and how big the preview should be.
7473# Squid will not use Preview if the server did not request one.
7474#
7475# To disable ICAP Preview for all ICAP services, regardless of
7476# individual ICAP server OPTIONS responses, set this option to "off".
7477#Example:
7478#icap_preview_enable off
7479#Default:
7480# icap_preview_enable on
7481
7482# TAG: icap_preview_size
7483# The default size of preview data to be sent to the ICAP server.
7484# This value might be overwritten on a per server basis by OPTIONS requests.
7485#Default:
7486# No preview sent.
7487
7488# TAG: icap_206_enable on|off
7489# The 206 (Partial Content) response is an ICAP extension that allows the
7490# ICAP agents to optionally combine adapted and original HTTP message
7491# content. The decision to combine is postponed until the end of the
7492# ICAP response. Squid supports Partial Content extension by default.
7493#
7494# Activation of the Partial Content extension is negotiated with each
7495# ICAP service during OPTIONS exchange. Most ICAP servers should handle
7496# negotiation correctly even if they do not support the extension, but
7497# some might fail. To disable Partial Content support for all ICAP
7498# services and to avoid any negotiation, set this option to "off".
7499#
7500# Example:
7501# icap_206_enable off
7502#Default:
7503# icap_206_enable on
7504
7505# TAG: icap_default_options_ttl
7506# The default TTL value for ICAP OPTIONS responses that don't have
7507# an Options-TTL header.
7508#Default:
7509# icap_default_options_ttl 60
7510
7511# TAG: icap_persistent_connections on|off
7512# Whether or not Squid should use persistent connections to
7513# an ICAP server.
7514#Default:
7515# icap_persistent_connections on
7516
7517# TAG: adaptation_send_client_ip on|off
7518# If enabled, Squid shares HTTP client IP information with adaptation
7519# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
7520# For eCAP, Squid sets the libecap::metaClientIp transaction option.
7521#
7522# See also: adaptation_uses_indirect_client
7523#Default:
7524# adaptation_send_client_ip off
7525
7526# TAG: adaptation_send_username on|off
7527# This sends authenticated HTTP client username (if available) to
7528# the adaptation service.
7529#
7530# For ICAP, the username value is encoded based on the
7531# icap_client_username_encode option and is sent using the header
7532# specified by the icap_client_username_header option.
7533#Default:
7534# adaptation_send_username off
7535
7536# TAG: icap_client_username_header
7537# ICAP request header name to use for adaptation_send_username.
7538#Default:
7539# icap_client_username_header X-Client-Username
7540
7541# TAG: icap_client_username_encode on|off
7542# Whether to base64 encode the authenticated client username.
7543#Default:
7544# icap_client_username_encode off
7545
7546# TAG: icap_service
7547# Defines a single ICAP service using the following format:
7548#
7549# icap_service id vectoring_point uri [option ...]
7550#
7551# id: ID
7552# an opaque identifier or name which is used to direct traffic to
7553# this specific service. Must be unique among all adaptation
7554# services in squid.conf.
7555#
7556# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
7557# This specifies at which point of transaction processing the
7558# ICAP service should be activated. *_postcache vectoring points
7559# are not yet supported.
7560#
7561# uri: icap://servername:port/servicepath
7562# ICAP server and service location.
7563# icaps://servername:port/servicepath
7564# The "icap:" URI scheme is used for traditional ICAP server and
7565# service location (default port is 1344, connections are not
7566# encrypted). The "icaps:" URI scheme is for Secure ICAP
7567# services that use SSL/TLS-encrypted ICAP connections (by
7568# default, on port 11344).
7569#
7570# ICAP does not allow a single service to handle both REQMOD and RESPMOD
7571# transactions. Squid does not enforce that requirement. You can specify
7572# services with the same service_url and different vectoring_points. You
7573# can even specify multiple identical services as long as their
7574# service_names differ.
7575#
7576# To activate a service, use the adaptation_access directive. To group
7577# services, use adaptation_service_chain and adaptation_service_set.
7578#
7579# Service options are separated by white space. ICAP services support
7580# the following name=value options:
7581#
7582# bypass=on|off|1|0
7583# If set to 'on' or '1', the ICAP service is treated as
7584# optional. If the service cannot be reached or malfunctions,
7585# Squid will try to ignore any errors and process the message as
7586# if the service was not enabled. Not all ICAP errors can be
7587# bypassed. If set to 0, the ICAP service is treated as
7588# essential and all ICAP errors will result in an error page
7589# returned to the HTTP client.
7590#
7591# Bypass is off by default: services are treated as essential.
7592#
7593# routing=on|off|1|0
7594# If set to 'on' or '1', the ICAP service is allowed to
7595# dynamically change the current message adaptation plan by
7596# returning a chain of services to be used next. The services
7597# are specified using the X-Next-Services ICAP response header
7598# value, formatted as a comma-separated list of service names.
7599# Each named service should be configured in squid.conf. Other
7600# services are ignored. An empty X-Next-Services value results
7601# in an empty plan which ends the current adaptation.
7602#
7603# A dynamic adaptation plan may cross or cover multiple supported
7604# vectoring points in their natural processing order.
7605#
7606# Routing is not allowed by default: the ICAP X-Next-Services
7607# response header is ignored.
7608#
7609# ipv6=on|off
7610# Only has effect on split-stack systems. The default on those systems
7611# is to use IPv4-only connections. When set to 'on' this option will
7612# make Squid use IPv6-only connections to contact this ICAP service.
7613#
7614# on-overload=block|bypass|wait|force
7615# If the service Max-Connections limit has been reached, do
7616# one of the following for each new ICAP transaction:
7617# * block: send an HTTP error response to the client
7618# * bypass: ignore the "over-connected" ICAP service
7619# * wait: wait (in a FIFO queue) for an ICAP connection slot
7620# * force: proceed, ignoring the Max-Connections limit
7621#
7622# In SMP mode with N workers, each worker assumes the service
7623# connection limit is Max-Connections/N, even though not all
7624# workers may use a given service.
7625#
7626# The default value is "bypass" if service is bypassable,
7627# otherwise it is set to "wait".
7628#
7629#
7630# max-conn=number
7631# Use the given number as the Max-Connections limit, regardless
7632# of the Max-Connections value given by the service, if any.
7633#
7634# connection-encryption=on|off
7635# Determines the ICAP service effect on the connections_encrypted
7636# ACL.
7637#
7638# The default is "on" for Secure ICAP services (i.e., those
7639# with the icaps:// service URIs scheme) and "off" for plain ICAP
7640# services.
7641#
7642# Does not affect ICAP connections (e.g., does not turn Secure
7643# ICAP on or off).
7644#
7645# ==== ICAPS / TLS OPTIONS ====
7646#
7647# These options are used for Secure ICAP (icaps://....) services only.
7648#
7649# tls-cert=/path/to/ssl/certificate
7650# A client X.509 certificate to use when connecting to
7651# this ICAP server.
7652#
7653# tls-key=/path/to/ssl/key
7654# The private key corresponding to the previous
7655# tls-cert= option.
7656#
7657# If tls-key= is not specified tls-cert= is assumed to
7658# reference a PEM file containing both the certificate
7659# and private key.
7660#
7661# tls-cipher=... The list of valid TLS/SSL ciphers to use when connecting
7662# to this icap server.
7663#
7664# tls-min-version=1.N
7665# The minimum TLS protocol version to permit. To control
7666# SSLv3 use the tls-options= parameter.
7667# Supported Values: 1.0 (default), 1.1, 1.2
7668#
7669# tls-options=... Specify various OpenSSL library options:
7670#
7671# NO_SSLv3 Disallow the use of SSLv3
7672#
7673# SINGLE_DH_USE
7674# Always create a new key when using
7675# temporary/ephemeral DH key exchanges
7676#
7677# ALL Enable various bug workarounds
7678# suggested as "harmless" by OpenSSL
7679# Be warned that this reduces SSL/TLS
7680# strength to some attacks.
7681#
7682# See the OpenSSL SSL_CTX_set_options documentation for a
7683# more complete list. Options relevant only to SSLv2 are
7684# not supported.
7685#
7686# tls-cafile= PEM file containing CA certificates to use when verifying
7687# the icap server certificate.
7688# Use to specify intermediate CA certificate(s) if not sent
7689# by the server. Or the full CA chain for the server when
7690# using the tls-default-ca=off flag.
7691# May be repeated to load multiple files.
7692#
7693# tls-capath=... A directory containing additional CA certificates to
7694# use when verifying the icap server certificate.
7695# Requires OpenSSL or LibreSSL.
7696#
7697# tls-crlfile=... A certificate revocation list file to use when
7698# verifying the icap server certificate.
7699#
7700# tls-flags=... Specify various flags modifying the Squid TLS implementation:
7701#
7702# DONT_VERIFY_PEER
7703# Accept certificates even if they fail to
7704# verify.
7705# DONT_VERIFY_DOMAIN
7706# Don't verify the icap server certificate
7707# matches the server name
7708#
7709# tls-default-ca[=off]
7710# Whether to use the system Trusted CAs. Default is ON.
7711#
7712# tls-domain= The icap server name as advertised in its certificate.
7713# Used for verifying the correctness of the received icap
7714# server certificate. If not specified the icap server
7715# hostname extracted from ICAP URI will be used.
7716#
7717# Older icap_service format without optional named parameters is
7718# deprecated but supported for backward compatibility.
7719#
7720#Example:
7721#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
7722#icap_service svcLogger reqmod_precache icaps://icap2.mydomain.net:11344/reqmod routing=on
7723#Default:
7724# none
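A review check over icap_service lines in the format documented above, as an added example that is not part of Squid: it flags the settings a reviewer would question (a plain icap:// URI, tls-flags DONT_VERIFY_PEER or DONT_VERIFY_DOMAIN, tls-default-ca=off with no tls-cafile, and the documented 1.0 default for tls-min-version). The sample squid.conf lines, hostnames and paths are constructed, and tls-flags is assumed to be a comma-separated list.

```python
"""Review icap_service lines for weak transport settings.

Added example, not part of Squid: parses icap_service directives in the
documented format and reports settings worth questioning: a plain
icap:// URI (unencrypted), tls-flags DONT_VERIFY_PEER or
DONT_VERIFY_DOMAIN, tls-default-ca=off with no tls-cafile, and a
tls-min-version below 1.2. The sample config is constructed; treating
tls-flags as a comma-separated list is an assumption.
"""
import shlex
from typing import Dict, List, Optional


def parse_icap_service(line: str) -> Optional[dict]:
    """Return {id, vectoring_point, uri, options} or None for other lines.
    Lines starting with '#' are comments and yield None."""
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 4 or tokens[0] != "icap_service":
        return None
    options: Dict[str, str] = {}
    for opt in tokens[4:]:
        name, sep, value = opt.partition("=")
        options[name] = value if sep else "on"   # bare tls-default-ca means on
    return {"id": tokens[1], "vectoring_point": tokens[2],
            "uri": tokens[3], "options": options}


def lint_service(svc: dict) -> List[str]:
    findings: List[str] = []
    opts = svc["options"]
    if not svc["uri"].startswith("icaps://"):
        findings.append("plain icap:// URI: ICAP requests, including any "
                        "X-Client-IP / X-Client-Username headers, travel unencrypted")
        return findings                        # the TLS options below do not apply
    flags = {f for f in opts.get("tls-flags", "").split(",") if f}
    if "DONT_VERIFY_PEER" in flags:
        findings.append("tls-flags=DONT_VERIFY_PEER accepts any server certificate")
    if "DONT_VERIFY_DOMAIN" in flags:
        findings.append("tls-flags=DONT_VERIFY_DOMAIN skips the server name check")
    if opts.get("tls-default-ca") == "off" and "tls-cafile" not in opts:
        findings.append("tls-default-ca=off without tls-cafile: no CA left to verify against")
    if opts.get("tls-min-version", "1.0") in ("1.0", "1.1"):   # 1.0 is the documented default
        findings.append("tls-min-version below 1.2 (the default is 1.0)")
    return findings


def lint_config(text: str) -> Dict[str, List[str]]:
    """Map each icap_service id to its list of findings."""
    report: Dict[str, List[str]] = {}
    for line in text.splitlines():
        svc = parse_icap_service(line)
        if svc is not None:
            report[svc["id"]] = lint_service(svc)
    return report


# Constructed sample; hostnames and paths are placeholders.
SAMPLE_CONF = """\
icap_enable on
icap_service svcBlocker reqmod_precache icap://icap1.example.net:1344/reqmod bypass=0
icap_service svcLogger respmod_precache icaps://icap2.example.net:11344/respmod tls-flags=DONT_VERIFY_PEER
icap_service svcScan respmod_precache icaps://icap3.example.net:11344/respmod tls-min-version=1.2 tls-cafile=/etc/squid/icap-ca.pem tls-domain=icap3.example.net
# icap_service commentedOut reqmod_precache icap://icap4.example.net:1344/reqmod
"""
```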
7725
7726# TAG: icap_class
7727# This deprecated option was documented to define an ICAP service
7728# chain, even though it actually defined a set of similar, redundant
7729# services, and the chains were not supported.
7730#
7731# To define a set of redundant services, please use the
7732# adaptation_service_set directive. For service chains, use
7733# adaptation_service_chain.
7734#Default:
7735# none
7736
7737# TAG: icap_access
7738# This option is deprecated. Please use adaptation_access, which
7739# has the same ICAP functionality, but comes with better
7740# documentation, and eCAP support.
7741#Default:
7742# none
7743
7744# eCAP OPTIONS
7745# -----------------------------------------------------------------------------
7746
7747# TAG: ecap_enable on|off
7748# Controls whether eCAP support is enabled.
7749#Default:
7750# ecap_enable off
7751
7752# TAG: ecap_service
7753# Defines a single eCAP service
7754#
7755# ecap_service id vectoring_point uri [option ...]
7756#
7757# id: ID
7758# an opaque identifier or name which is used to direct traffic to
7759# this specific service. Must be unique among all adaptation
7760# services in squid.conf.
7761#
7762# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
7763# This specifies at which point of transaction processing the
7764# eCAP service should be activated. *_postcache vectoring points
7765# are not yet supported.
7766#
7767# uri: ecap://vendor/service_name?custom&cgi=style&parameters=optional
7768# Squid uses the eCAP service URI to match this configuration
7769# line with one of the dynamically loaded services. Each loaded
7770# eCAP service must have a unique URI. Obtain the right URI from
7771# the service provider.
7772#
7773# To activate a service, use the adaptation_access directive. To group
7774# services, use adaptation_service_chain and adaptation_service_set.
7775#
7776# Service options are separated by white space. eCAP services support
7777# the following name=value options:
7778#
7779# bypass=on|off|1|0
7780# If set to 'on' or '1', the eCAP service is treated as optional.
7781# If the service cannot be reached or malfunctions, Squid will try
7782# to ignore any errors and process the message as if the service
7783# was not enabled. Not all eCAP errors can be bypassed.
7784# If set to 'off' or '0', the eCAP service is treated as essential
7785# and all eCAP errors will result in an error page returned to the
7786# HTTP client.
7787#
7788# Bypass is off by default: services are treated as essential.
7789#
7790# routing=on|off|1|0
7791# If set to 'on' or '1', the eCAP service is allowed to
7792# dynamically change the current message adaptation plan by
7793# returning a chain of services to be used next.
7794#
7795# A dynamic adaptation plan may cross or cover multiple supported
7796# vectoring points in their natural processing order.
7797#
7798# Routing is not allowed by default.
7799#
7800# connection-encryption=on|off
7801# Determines the eCAP service effect on the connections_encrypted
7802# ACL.
7803#
7804# Defaults to "on", which does not taint the master transaction
7805# w.r.t. that ACL.
7806#
7807# Does not affect eCAP API calls.
7808#
7809# Older ecap_service format without optional named parameters is
7810# deprecated but supported for backward compatibility.
7811#
7812#
7813#Example:
7814#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off
7815#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on
7816#Default:
7817# none
7818
7819# TAG: loadable_modules
7820# Instructs Squid to load the specified dynamic module(s) or activate
7821# preloaded module(s).
7822#Example:
7823#loadable_modules /usr/lib/MinimalAdapter.so
7824#Default:
7825# none
7826
7827# MESSAGE ADAPTATION OPTIONS
7828# -----------------------------------------------------------------------------
7829
7830# TAG: adaptation_service_set
7831#
7832# Configures an ordered set of similar, redundant services. This is
7833# useful when hot standby or backup adaptation servers are available.
7834#
7835# adaptation_service_set set_name service_name1 service_name2 ...
7836#
7837# The named services are used in the set declaration order. The first
7838# applicable adaptation service from the set is used first. The next
7839# applicable service is tried if and only if the transaction with the
7840# previous service fails and the message waiting to be adapted is still
7841# intact.
7842#
7843# When adaptation starts, broken services are ignored as if they were
7844# not a part of the set. A broken service is a down optional service.
7845#
7846# The services in a set must be attached to the same vectoring point
7847# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
7848#
7849# If all services in a set are optional then adaptation failures are
7850# bypassable. If all services in the set are essential, then a
7851# transaction failure with one service may still be retried using
7852# another service from the set, but when all services fail, the master
7853# transaction fails as well.
7854#
7855# A set may contain a mix of optional and essential services, but that
7856# is likely to lead to surprising results because broken services become
7857# ignored (see above), making previously bypassable failures fatal.
7858# Technically, it is the bypassability of the last failed service that
7859# matters.
7860#
7861# See also: adaptation_access adaptation_service_chain
7862#
7863#Example:
7864#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
7865#adaptation_service_set svcLogger loggerLocal loggerRemote
7866#Default:
7867# none
7868
7869# TAG: adaptation_service_chain
7870#
7871# Configures a list of complementary services that will be applied
7872# one-by-one, forming an adaptation chain or pipeline. This is useful
7873# when Squid must perform different adaptations on the same message.
7874#
7875# adaptation_service_chain chain_name service_name1 svc_name2 ...
7876#
7877# The named services are used in the chain declaration order. The first
7878# applicable adaptation service from the chain is used first. The next
7879# applicable service is applied to the successful adaptation results of
7880# the previous service in the chain.
7881#
7882# When adaptation starts, broken services are ignored as if they were
7883# not a part of the chain. A broken service is a down optional service.
7884#
7885# Request satisfaction terminates the adaptation chain because Squid
7886# does not currently allow declaration of RESPMOD services at the
7887# "reqmod_precache" vectoring point (see icap_service or ecap_service).
7888#
7889# The services in a chain must be attached to the same vectoring point
7890# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
7891#
7892# A chain may contain a mix of optional and essential services. If an
7893# essential adaptation fails (or the failure cannot be bypassed for
7894# other reasons), the master transaction fails. Otherwise, the failure
7895# is bypassed as if the failed adaptation service was not in the chain.
7896#
7897# See also: adaptation_access adaptation_service_set
7898#
7899#Example:
7900#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
7901#Default:
7902# none
7903
7904# TAG: adaptation_access
7905# Sends an HTTP transaction to an ICAP or eCAP adaptation service.
7906#
7907# adaptation_access service_name allow|deny [!]aclname...
7908# adaptation_access set_name allow|deny [!]aclname...
7909#
7910# At each supported vectoring point, the adaptation_access
7911# statements are processed in the order they appear in this
7912# configuration file. Statements pointing to the following services
7913# are ignored (i.e., skipped without checking their ACL):
7914#
7915# - services serving different vectoring points
7916# - "broken-but-bypassable" services
7917# - "up" services configured to ignore such transactions
7918# (e.g., based on the ICAP Transfer-Ignore header).
7919#
7920# When a set_name is used, all services in the set are checked
7921# using the same rules, to find the first applicable one. See
7922# adaptation_service_set for details.
7923#
7924# If an access list is checked and there is a match, the
7925# processing stops: For an "allow" rule, the corresponding
7926# adaptation service is used for the transaction. For a "deny"
7927# rule, no adaptation service is activated.
7928#
7929# It is currently not possible to apply more than one adaptation
7930# service at the same vectoring point to the same HTTP transaction.
7931#
7932# See also: icap_service and ecap_service
7933#
7934#Example:
7935#adaptation_access service_1 allow all
7936#Default:
7937# Allow, unless rules exist in squid.conf.
7938
7939# TAG: adaptation_service_iteration_limit
7940# Limits the number of iterations allowed when applying adaptation
7941# services to a message. If your longest adaptation set or chain
7942# may have more than 16 services, increase the limit beyond its
7943# default value of 16. If detecting infinite iteration loops sooner
7944# is critical, make the iteration limit match the actual number
7945# of services in your longest adaptation set or chain.
7946#
7947# Infinite adaptation loops are most likely with routing services.
7948#
7949# See also: icap_service routing=1
7950#Default:
7951# adaptation_service_iteration_limit 16
7952
7953# TAG: adaptation_masterx_shared_names
7954# For each master transaction (i.e., the HTTP request and response
7955# sequence, including all related ICAP and eCAP exchanges), Squid
7956# maintains a table of metadata. The table entries are (name, value)
7957# pairs shared among eCAP and ICAP exchanges. The table is destroyed
7958# with the master transaction.
7959#
7960# This option specifies the table entry names that Squid must accept
7961# from and forward to the adaptation transactions.
7962#
7963# An ICAP REQMOD or RESPMOD transaction may set an entry in the
7964# shared table by returning an ICAP header field with a name
7965# specified in adaptation_masterx_shared_names.
7966#
7967# An eCAP REQMOD or RESPMOD transaction may set an entry in the
7968# shared table by implementing the libecap::visitEachOption() API
7969# to provide an option with a name specified in
7970# adaptation_masterx_shared_names.
7971#
7972# Squid will store and forward the set entry to subsequent adaptation
7973# transactions within the same master transaction scope.
7974#
7975# Only one shared entry name is supported at this time.
7976#
7977#Example:
7978## share authentication information among ICAP services
7979#adaptation_masterx_shared_names X-Subscriber-ID
7980#Default:
7981# none
7982
7983# TAG: adaptation_meta
7984# This option allows the Squid administrator to add custom ICAP request
7985# headers or eCAP options to Squid ICAP requests or eCAP transactions.
7986# Use it to pass custom authentication tokens and other
7987# transaction-state related meta information to an ICAP/eCAP service.
7988#
7989# The addition of a meta header is ACL-driven:
7990# adaptation_meta name value [!]aclname ...
7991#
7992# Processing for a given header name stops after the first ACL list match.
7993# Thus, it is impossible to add two headers with the same name. If no ACL
7994# lists match for a given header name, no such header is added. For
7995# example:
7996#
7997# # do not debug transactions except for those that need debugging
7998# adaptation_meta X-Debug 1 needs_debugging
7999#
8000# # log all transactions except for those that must remain secret
8001# adaptation_meta X-Log 1 !keep_secret
8002#
8003# # mark transactions from users in the "G 1" group
8004# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
8005#
8006# The "value" parameter may be a regular squid.conf token or a "double
8007# quoted string". Within the quoted string, use backslash (\) to escape
8008# any character, which is currently only useful for escaping backslashes
8009# and double quotes. For example,
8010# "this string has one backslash (\\) and two \"quotes\""
8011#
8012# Used adaptation_meta header values may be logged via %note
8013# logformat code. If multiple adaptation_meta headers with the same name
8014# are used during master transaction lifetime, the header values are
8015# logged in the order they were used and duplicate values are ignored
8016# (only the first repeated value will be logged).
8017#Default:
8018# none
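# Added example, not part of Squid's documentation: a Python model of the
# adaptation_meta semantics described above (first ACL-list match per header
# name, "!" negation, quoted values with \\ and \" escapes, and the %note
# logging rule). The ACL predicates and transaction dicts are constructed
# stand-ins for squid.conf acl lines, not Squid's ACL engine.

```python
import shlex
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed model of the documented adaptation_meta semantics (not Squid's
# own code): ACL-driven selection, first match per header name, quoted values
# with \\ and \" escapes, and the %note logging order/duplicate rule.

# An ACL is modelled as a predicate over a transaction (a dict of attributes).
AclTable = Dict[str, Callable[[dict], bool]]


@dataclass
class MetaRule:
    name: str
    value: str
    acl_list: List[str]  # each item is "aclname" or "!aclname"


def parse_adaptation_meta(line: str) -> MetaRule:
    r"""Parse 'adaptation_meta name value [!]aclname ...'.

    A "double quoted string" value keeps its spaces; shlex resolves \\ and \"
    inside the quotes exactly as the directive documents.
    """
    tokens = shlex.split(line)
    if len(tokens) < 4 or tokens[0] != "adaptation_meta":
        raise ValueError(f"not a complete adaptation_meta line: {line!r}")
    return MetaRule(name=tokens[1], value=tokens[2], acl_list=tokens[3:])


def acl_list_matches(acl_list: List[str], acls: AclTable, tx: dict) -> bool:
    """A squid.conf ACL list matches only if every [!]aclname on it matches."""
    for item in acl_list:
        negated = item.startswith("!")
        if acls[item.lstrip("!")](tx) == negated:  # true-but-negated or false-but-required
            return False
    return True


def select_meta_headers(rules: List[MetaRule], acls: AclTable, tx: dict) -> Dict[str, str]:
    """Processing for a header name stops at its first matching rule; a name
    with no matching rule is not added, so no name can be sent twice."""
    chosen: Dict[str, str] = {}
    for rule in rules:
        if rule.name not in chosen and acl_list_matches(rule.acl_list, acls, tx):
            chosen[rule.name] = rule.value
    return chosen


def note_log_values(name: str, exchanges: List[Dict[str, str]]) -> List[str]:
    """%note view of one header across the adaptation exchanges of a master
    transaction: values in the order used, a repeated value logged once."""
    logged: List[str] = []
    for headers in exchanges:
        value = headers.get(name)
        if value is not None and value not in logged:
            logged.append(value)
    return logged


# Constructed ACLs standing in for the acl lines squid.conf would define.
ACLS: AclTable = {
    "needs_debugging": lambda tx: bool(tx.get("debug", False)),
    "keep_secret": lambda tx: bool(tx.get("secret", False)),
    "authed_as_G1": lambda tx: "G 1" in tx.get("groups", ()),
    "all": lambda tx: True,
}

# The directive's own examples plus a fallback rule for the same header name.
RULES = [parse_adaptation_meta(line) for line in (
    "adaptation_meta X-Debug 1 needs_debugging",
    "adaptation_meta X-Log 1 !keep_secret",
    'adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1',
    "adaptation_meta X-Debug 0 all",  # reached only when the first X-Debug rule did not match
)]
```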
8019
8020# TAG: icap_retry
8021# This ACL determines which retriable ICAP transactions are
8022# retried. Transactions that received a complete ICAP response
8023# and did not have to consume or produce HTTP bodies to receive
8024# that response are usually retriable.
8025#
8026# icap_retry allow|deny [!]aclname ...
8027#
8028# Squid automatically retries some ICAP I/O timeouts and errors
8029# due to persistent connection race conditions.
8030#
8031# See also: icap_retry_limit
8032#Default:
8033# icap_retry deny all
8034
8035# TAG: icap_retry_limit
8036# Limits the number of retries allowed.
8037#
8038# Communication errors due to persistent connection race
8039# conditions are unavoidable, automatically retried, and do not
8040# count against this limit.
8041#
8042# See also: icap_retry
8043#Default:
8044# No retries are allowed.
8045
8046# DNS OPTIONS
8047# -----------------------------------------------------------------------------
8048
8049# TAG: check_hostnames
8050# For security and stability reasons Squid can check
8051# hostnames for Internet standard RFC compliance. If you want
8052# Squid to perform these checks turn this directive on.
8053#Default:
8054# check_hostnames off
8055
8056# TAG: allow_underscore
8057# Underscore characters are not strictly allowed in Internet hostnames
8058# but are nevertheless used by many sites. Set this to off if you want
8059# Squid to be strict about the standard.
8060# This check is performed only when check_hostnames is set to on.
8061#Default:
8062# allow_underscore on
8063
8064# TAG: dns_retransmit_interval
8065# Initial retransmit interval for DNS queries. The interval is
8066# doubled each time all configured DNS servers have been tried.
8067#Default:
8068# dns_retransmit_interval 5 seconds
8069
8070# TAG: dns_timeout
8071# DNS Query timeout. If no response is received to a DNS query
8072# within this time all DNS servers for the queried domain
8073# are assumed to be unavailable.
8074#Default:
8075# dns_timeout 30 seconds
8076
8077# TAG: dns_packet_max
8078# Maximum packet size in bytes to advertise via EDNS.
8079# Set to "none" to disable EDNS large packet support.
8080#
8081# For legacy reasons DNS UDP replies will default to 512 bytes which
8082# is too small for many responses. EDNS provides a means for Squid to
8083# negotiate receiving larger responses back immediately without having
8084# to failover with repeat requests. Responses larger than this limit
8085# will retain the old behaviour of failover to TCP DNS.
8086#
8087# Squid has no real fixed limit internally, but allowing packet sizes
8088# over 1500 bytes requires network jumbogram support and is usually not
8089# necessary.
8090#
8091# WARNING: The RFC also indicates that some older resolvers will reply
8092# with failure of the whole request if the extension is added. Some
8093# resolvers have already been identified which will reply with a mangled
8094# EDNS response on occasion, usually in response to many-KB jumbogram
8095# sizes being advertised by Squid.
8096# Squid currently treats both cases as an unresolvable domain
8097# even if it would be resolvable without EDNS.
8098#Default:
8099# EDNS disabled
8100
8101# TAG: dns_defnames on|off
8102# Normally the RES_DEFNAMES resolver option is disabled
8103# (see res_init(3)). This prevents caches in a hierarchy
8104# from interpreting single-component hostnames locally. To allow
8105# Squid to handle single-component names, enable this option.
8106#Default:
8107# Search for single-label domain names is disabled.
8108
8109# TAG: dns_multicast_local on|off
8110# When set to on, Squid sends multicast DNS lookups on the local
8111# network for domains ending in .local and .arpa.
8112# This enables local servers and devices to be contacted in an
8113# ad-hoc or zero-configuration network environment.
8114#Default:
8115# Search for .local and .arpa names is disabled.
8116
8117# TAG: dns_nameservers
8118# Use this if you want to specify a list of DNS name servers
8119# (IP addresses) to use instead of those given in your
8120# /etc/resolv.conf file.
8121#
8122# On Windows platforms, if no value is specified here or in
8123# the /etc/resolv.conf file, the list of DNS name servers is
8124# taken from the Windows registry; both static and dynamic (DHCP)
8125# configurations are supported.
8126#
8127dns_nameservers 194.204.159.1 194.204.152.34
8128#dns_nameservers 10.8.0.1
8129
8130#Default:
8131# Use operating system definitions
8132
8133# TAG: hosts_file
8134# Location of the host-local IP name-address associations
8135# database. Most Operating Systems have such a file on different
8136# default locations:
8137# - Un*X & Linux: /etc/hosts
8138# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
8139# (%SystemRoot% value install default is c:\winnt)
8140# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
8141# (%SystemRoot% value install default is c:\windows)
8142# - Windows 9x/Me: %windir%\hosts
8143# (%windir% value is usually c:\windows)
8144# - Cygwin: /etc/hosts
8145#
8146# The file contains newline-separated definitions of the
8147# form ip_address_in_dotted_form name [name ...]; names are
8148# whitespace-separated. Lines beginning with a hash (#)
8149# character are comments.
8150#
8151# The file is checked at startup and upon configuration.
8152# If set to 'none', it won't be checked.
8153# If append_domain is used, that domain will be added to
8154# domain-local (i.e. not containing any dot character) host
8155# definitions.
8156#Default:
8157# hosts_file /etc/hosts
8158
8159# TAG: append_domain
8160# Appends local domain name to hostnames without any dots in
8161# them. append_domain must begin with a period.
8162#
8163# Be warned that there are now Internet names with no dots in
8164# them (bare top-level domain names), so setting this may
8165# cause some Internet sites to become unavailable.
8166#
8167#Example:
8168# append_domain .yourdomain.com
8169#Default:
8170# Use operating system definitions
8171
8172# TAG: ignore_unknown_nameservers
8173# By default Squid checks that DNS responses are received
8174# from the same IP addresses they are sent to. If they
8175# don't match, Squid ignores the response and writes a warning
8176# message to cache.log. You can allow responses from unknown
8177# nameservers by setting this option to 'off'.
8178#Default:
8179# ignore_unknown_nameservers on
8180
8181# TAG: dns_v4_first
8182# With the IPv6 Internet being as fast as or faster than the IPv4 Internet
8183# for most networks, Squid prefers to contact websites over IPv6.
8184#
8185# This option reverses the order of preference to make Squid contact
8186# dual-stack websites over IPv4 first. Squid will still perform both
8187# IPv6 and IPv4 DNS lookups before connecting.
8188#
8189# WARNING:
8190# This option will restrict the situations under which IPv6
8191# connectivity is used (and tested), potentially hiding network
8192# problems which would otherwise be detected and warned about.
8193#Default:
8194# dns_v4_first off
8195
8196# TAG: ipcache_size (number of entries)
8197# Maximum number of DNS IP cache entries.
8198#Default:
8199# ipcache_size 1024
8200
8201# TAG: ipcache_low (percent)
8202#Default:
8203# ipcache_low 90
8204
8205# TAG: ipcache_high (percent)
8206# The size, low-, and high-water marks for the IP cache.
8207#Default:
8208# ipcache_high 95
8209
8210# TAG: fqdncache_size (number of entries)
8211# Maximum number of FQDN cache entries.
8212#Default:
8213# fqdncache_size 1024
8214
8215# MISCELLANEOUS
8216# -----------------------------------------------------------------------------
8217
8218# TAG: configuration_includes_quoted_values on|off
8219# If set, Squid will recognize each "quoted string" after a configuration
8220# directive as a single parameter. The quotes are stripped before the
8221# parameter value is interpreted or used.
8222# See "Values with spaces, quotes, and other special characters"
8223# section for more details.
8224#Default:
8225# configuration_includes_quoted_values off
8226
8227# TAG: memory_pools on|off
8228# If set, Squid will keep pools of allocated (but unused) memory
8229# available for future use. If memory is at a premium on your
8230# system and you believe your malloc library outperforms Squid
8231# routines, disable this.
8232#Default:
8233# memory_pools on
8234
8235# TAG: memory_pools_limit (bytes)
8236# Used only with memory_pools on:
8237# memory_pools_limit 50 MB
8238#
8239# If set to a non-zero value, Squid will keep at most the specified
8240# limit of allocated (but unused) memory in memory pools. All free()
8241# requests that exceed this limit will be handled by your malloc
8242# library. Squid does not pre-allocate any memory, just safe-keeps
8243# objects that otherwise would be free()d. Thus, it is safe to set
8244# memory_pools_limit to a reasonably high value even if your
8245# configuration will use less memory.
8246#
8247# If set to none, Squid will keep all memory it can. That is, there
8248# will be no limit on the total amount of memory used for safe-keeping.
8249#
8250# To disable memory allocation optimization, do not set
8251# memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
8252#
8253# An overhead for maintaining memory pools is not taken into account
8254# when the limit is checked. This overhead is close to four bytes per
8255# object kept. However, pools may actually _save_ memory because of
8256# reduced memory thrashing in your malloc library.
8257#Default:
8258# memory_pools_limit 5 MB
8259
8260# TAG: forwarded_for on|off|transparent|truncate|delete
8261# If set to "on", Squid will append your client's IP address
8262# in the HTTP requests it forwards. By default it looks like:
8263#
8264# X-Forwarded-For: 192.1.2.3
8265#
8266# If set to "off", it will appear as
8267#
8268# X-Forwarded-For: unknown
8269#
8270# If set to "transparent", Squid will not alter the
8271# X-Forwarded-For header in any way.
8272#
8273# If set to "delete", Squid will delete the entire
8274# X-Forwarded-For header.
8275#
8276# If set to "truncate", Squid will remove all existing
8277# X-Forwarded-For entries, and place the client IP as the sole entry.
8278#Default:
8279# forwarded_for on
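# Added example, not part of Squid's documentation: a Python model of the five
# forwarded_for modes applied to one request's X-Forwarded-For header. It shows
# which part of the forwarded value Squid itself observed and which part the
# client merely claimed; the header dicts and addresses are constructed input.

```python
from typing import Dict, Optional

# Constructed model of the documented forwarded_for modes (not Squid's own
# code). The security point it makes visible: under "on" and "transparent"
# the client-supplied entries survive, so only the entry Squid itself appends
# can be trusted by the next hop.

MODES = ("on", "off", "transparent", "truncate", "delete")


def forwarded_for_value(mode: str, client_ip: str, incoming: Optional[str]) -> Optional[str]:
    """X-Forwarded-For value Squid forwards, or None when the header is removed.

    `incoming` is the header as received from the client (None if absent);
    `client_ip` is the TCP peer address Squid observed.
    """
    if mode not in MODES:
        raise ValueError(f"unknown forwarded_for mode {mode!r}")
    if mode == "transparent":
        return incoming                      # passed through untouched
    if mode == "delete":
        return None                          # whole header dropped
    if mode == "truncate":
        return client_ip                     # client-supplied entries discarded
    entry = client_ip if mode == "on" else "unknown"        # "on" / "off"
    return f"{incoming}, {entry}" if incoming else entry     # appended as a list member


def apply_forwarded_for(mode: str, client_ip: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Apply the mode to a whole request header set (case-insensitive name lookup)."""
    incoming = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    out = {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}
    value = forwarded_for_value(mode, client_ip, incoming)
    if value is not None:
        out["X-Forwarded-For"] = value
    return out


def squid_vouched_ip(mode: str, forwarded: Optional[str]) -> Optional[str]:
    """The one entry the next hop may attribute to Squid's own observation:
    the last list member under "on" or "truncate". Everything before it, and
    the whole value under "transparent", is client-controlled."""
    if mode not in ("on", "truncate") or not forwarded:
        return None
    return forwarded.rsplit(",", 1)[-1].strip()
```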
8280
8281# TAG: cachemgr_passwd
8282# Specify passwords for cachemgr operations.
8283#
8284# Usage: cachemgr_passwd password action action ...
8285#
8286# Some valid actions are (see cache manager menu for a full list):
8287# 5min
8288# 60min
8289# asndb
8290# authenticator
8291# cbdata
8292# client_list
8293# comm_incoming
8294# config *
8295# counters
8296# delay
8297# digest_stats
8298# dns
8299# events
8300# filedescriptors
8301# fqdncache
8302# histograms
8303# http_headers
8304# info
8305# io
8306# ipcache
8307# mem
8308# menu
8309# netdb
8310# non_peers
8311# objects
8312# offline_toggle *
8313# pconn
8314# peer_select
8315# reconfigure *
8316# redirector
8317# refresh
8318# server_list
8319# shutdown *
8320# store_digest
8321# storedir
8322# utilization
8323# via_headers
8324# vm_objects
8325#
8326# * Indicates actions which will not be performed without a
8327# valid password, others can be performed if not listed here.
8328#
8329# To disable an action, set the password to "disable".
8330# To allow performing an action without a password, set the
8331# password to "none".
8332#
8333# Use the keyword "all" to set the same password for all actions.
8334#
8335#Example:
8336# cachemgr_passwd secret shutdown
8337# cachemgr_passwd lesssssssecret info stats/objects
8338# cachemgr_passwd disable all
8339#Default:
8340# No password. Actions which require password are denied.
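# Added example, not part of Squid's documentation: a Python model of the
# cachemgr_passwd authorization decision described above, fed with the
# directive's own example lines. One assumption of the model: entries are
# consulted in configuration order and the first one naming the action (or
# "all") decides, which is why the example places "disable all" last.

```python
import hmac
from typing import List, Optional, Tuple

# Constructed model of the documented cachemgr_passwd decision (not Squid's
# own code). Assumption: the first entry naming the action or "all" decides.

# Actions marked with * in the menu above: refused without a valid password
# even when no cachemgr_passwd line mentions them.
PASSWORD_REQUIRED = frozenset({"config", "offline_toggle", "reconfigure", "shutdown"})

PasswdEntry = Tuple[str, List[str]]  # (password, [action, ...])


def parse_cachemgr_passwd(line: str) -> PasswdEntry:
    """Parse 'cachemgr_passwd password action action ...'."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "cachemgr_passwd":
        raise ValueError(f"not a complete cachemgr_passwd line: {line!r}")
    return tokens[1], tokens[2:]


def configured_password(entries: List[PasswdEntry], action: str) -> Optional[str]:
    """Password (or keyword) governing the action, None if no entry covers it."""
    for password, actions in entries:
        if action in actions or "all" in actions:
            return password
    return None


def action_permitted(entries: List[PasswdEntry], action: str, supplied: Optional[str]) -> bool:
    """Decide one cache manager request the way the directive documents it."""
    password = configured_password(entries, action)
    if password is None:
        return action not in PASSWORD_REQUIRED   # unlisted: only * actions are refused
    if password == "disable":
        return False                             # explicitly switched off
    if password == "none":
        return True                              # explicitly open, no password needed
    if supplied is None:
        return False
    return hmac.compare_digest(supplied.encode(), password.encode())  # constant-time compare


# The directive's own example, as constructed input for this model.
EXAMPLE_ENTRIES = [parse_cachemgr_passwd(line) for line in (
    "cachemgr_passwd secret shutdown",
    "cachemgr_passwd lesssssssecret info stats/objects",
    "cachemgr_passwd disable all",
)]
```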
8341
8342# TAG: client_db on|off
8343# If you want to disable collecting per-client statistics,
8344# turn off client_db here.
8345#Default:
8346# client_db on
8347
8348# TAG: refresh_all_ims on|off
8349# When you enable this option, squid will always check
8350# the origin server for an update when a client sends an
8351# If-Modified-Since request. Many browsers use IMS
8352# requests when the user requests a reload, and this
8353# ensures those clients receive the latest version.
8354#
8355# By default (off), squid may return a Not Modified response
8356# based on the age of the cached version.
8357#Default:
8358# refresh_all_ims off
8359
8360# TAG: reload_into_ims on|off
8361# When you enable this option, client no-cache or "reload"
8362# requests will be changed to If-Modified-Since requests.
8363# Doing this VIOLATES the HTTP standard. Enabling this
8364# feature could make you liable for problems which it
8365# causes.
8366#
8367# see also refresh_pattern for a more selective approach.
8368#Default:
8369# reload_into_ims off
8370
8371# TAG: connect_retries
8372# Limits the number of reopening attempts when establishing a single
8373# TCP connection. All these attempts must still complete before the
8374# applicable connection opening timeout expires.
8375#
8376# By default and when connect_retries is set to zero, Squid does not
8377# retry failed connection opening attempts.
8378#
8379# The (not recommended) maximum is 10 tries. An attempt to configure a
8380# higher value results in the value of 10 being used (with a warning).
8381#
8382# Squid may open connections to retry various high-level forwarding
8383# failures. For an outside observer, that activity may look like a
8384# low-level connection reopening attempt, but those high-level retries
8385# are governed by forward_max_tries instead.
8386#
8387# See also: connect_timeout, forward_timeout, icap_connect_timeout,
8388# ident_timeout, and forward_max_tries.
8389#Default:
8390# Do not retry failed connections.
8391
8392# TAG: retry_on_error
8393# If set to ON, Squid will automatically retry requests when
8394# receiving an error response with status 403 (Forbidden),
8395# 500 (Internal Error), 501 or 503 (Service not available).
8396# Status 502 and 504 (Gateway errors) are always retried.
8397#
8398# This is mainly useful if you are in a complex cache hierarchy to
8399# work around access control errors.
8400#
8401# NOTE: This retry will attempt to find another working destination,
8402# one different from the server which just failed.
8403#Default:
8404# retry_on_error off
8405
8406# TAG: as_whois_server
8407# WHOIS server to query for AS numbers. NOTE: AS numbers are
8408# queried only when Squid starts up, not for every request.
8409#Default:
8410# as_whois_server whois.ra.net
8411
8412# TAG: offline_mode
8413# Enable this option and Squid will never try to validate cached
8414# objects.
8415#Default:
8416# offline_mode off
8417
8418# TAG: uri_whitespace
8419# What to do with requests that have whitespace characters in the
8420# URI. Options:
8421#
8422# strip: The whitespace characters are stripped out of the URL.
8423# This is the behavior recommended by RFC2396 and RFC3986
8424# for tolerant handling of generic URI.
8425# NOTE: This is one difference between generic URI and HTTP URLs.
8426#
8427# deny: The request is denied. The user receives an "Invalid
8428# Request" message.
8429# This is the behaviour recommended by RFC2616 for safe
8430# handling of HTTP request URL.
8431#
8432# allow: The request is allowed and the URI is not changed. The
8433# whitespace characters remain in the URI. Note the
8434# whitespace is passed to redirector processes if they
8435# are in use.
8436# Note this may be considered a violation of RFC2616
8437# request parsing where whitespace is prohibited in the
8438# URL field.
8439#
8440# encode: The request is allowed and the whitespace characters are
8441# encoded according to RFC1738.
8442#
8443# chop: The request is allowed and the URI is chopped at the
8444# first whitespace.
8445#
8446#
8447# NOTE the current Squid implementation of encode and chop violates
8448# RFC2616 by not using a 301 redirect after altering the URL.
8449#Default:
8450# uri_whitespace strip
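# Added example, not part of Squid's documentation: a Python model of the
# five uri_whitespace modes applied to one URI, giving the form of the URL that
# ACLs, redirectors and logs would then see. The model treats ASCII whitespace
# as the separator set (an assumption, not Squid's exact parser) and the sample
# URIs are constructed.

```python
import re
from typing import Dict, Optional


class InvalidRequest(Exception):
    """Raised where Squid would answer the client with an "Invalid Request"."""


# ASCII whitespace as modelled here (an assumption of this model, not a
# statement of Squid's exact character set).
_WS = re.compile(r"[ \t\r\n\x0b\x0c]")

MODES = ("strip", "deny", "allow", "encode", "chop")


def apply_uri_whitespace(mode: str, uri: str) -> str:
    """Return the URI as Squid's ACLs, redirectors and logs would see it under
    the given uri_whitespace mode. Constructed model, not Squid's own parser."""
    if mode not in MODES:
        raise ValueError(f"unknown uri_whitespace mode {mode!r}")
    if not _WS.search(uri):
        return uri                                   # nothing to do in any mode
    if mode == "strip":
        return _WS.sub("", uri)                      # tokens around the gap are joined
    if mode == "deny":
        raise InvalidRequest(uri)
    if mode == "allow":
        return uri                                   # passed on verbatim, whitespace included
    if mode == "encode":
        return _WS.sub(lambda m: "%%%02X" % ord(m.group(0)), uri)  # RFC1738 %XX form
    return uri[: _WS.search(uri).start()]            # chop: everything after the first gap is lost


def compare_modes(uri: str) -> Dict[str, Optional[str]]:
    """Side-by-side view of one URI under every mode; 'deny' records None.

    Note how strip silently names a different resource (q12020.pdf instead of
    q1 2020.pdf) while encode preserves the original path."""
    result: Dict[str, Optional[str]] = {}
    for mode in MODES:
        try:
            result[mode] = apply_uri_whitespace(mode, uri)
        except InvalidRequest:
            result[mode] = None
    return result
```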
8451
8452# TAG: chroot
8453# Specifies a directory where Squid should do a chroot() while
8454# initializing. This also causes Squid to fully drop root
8455# privileges after initializing. This means, for example, if you
8456# use an HTTP port less than 1024 and try to reconfigure, you may
8457# get an error saying that Squid can not open the port.
8458#Default:
8459# none
8460
8461# TAG: pipeline_prefetch
8462# HTTP clients may send a pipeline of 1+N requests to Squid using a
8463# single connection, without waiting for Squid to respond to the first
8464# of those requests. This option limits the number of concurrent
8465# requests Squid will try to handle in parallel. If set to N, Squid
8466# will try to receive and process up to 1+N requests on the same
8467# connection concurrently.
8468#
8469# Defaults to 0 (off) for bandwidth management and access logging
8470# reasons.
8471#
8472# NOTE: pipelining requires persistent connections to clients.
8473#
8474# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
8475#Default:
8476# Do not pre-parse pipelined requests.
8477
8478# TAG: high_response_time_warning (msec)
8479# If the one-minute median response time exceeds this value,
8480# Squid prints a WARNING with debug level 0 to get the
8481# administrator's attention. The value is in milliseconds.
8482#Default:
8483# disabled.
8484
8485# TAG: high_page_fault_warning
8486# If the one-minute average page fault rate exceeds this
8487# value, Squid prints a WARNING with debug level 0 to get
8488# the administrator's attention. The value is in page faults
8489# per second.
8490#Default:
8491# disabled.
8492
8493# TAG: high_memory_warning
8494# Note: This option is only available if Squid is rebuilt with
8495# GNU malloc providing mstats()
8496#
8497# If the memory usage (as determined by gnumalloc, if available and used)
8498# exceeds this amount, Squid prints a WARNING with debug level 0 to get
8499# the administrator's attention.
8500#Default:
8501# disabled.
8502
8503# TAG: sleep_after_fork (microseconds)
8504# When this is set to a non-zero value, the main Squid process
8505# sleeps the specified number of microseconds after a fork()
8506# system call. This sleep may help the situation where your
8507# system reports fork() failures due to lack of (virtual)
8508# memory. Note, however, if you have a lot of child
8509# processes, these sleep delays will add up and your
8510# Squid will not service requests for some amount of time
8511# until all the child processes have been started.
8512# On Windows, values less than 1000 (1 millisecond) are
8513# rounded to 1000.
8514#Default:
8515# sleep_after_fork 0
8516
8517# TAG: windows_ipaddrchangemonitor on|off
8518# Note: This option is only available if Squid is built for
8519# MS Windows.
8520#
8521# On Windows, Squid by default will monitor IP address changes and will
8522# reconfigure itself after any detected event. This is very useful for
8523# proxies connected to the Internet with dial-up interfaces.
8524# In some cases (a proxy server acting as a VPN gateway is one) it could be
8525# desirable to disable this behaviour by setting this to 'off'.
8526# Note: after changing this, the Squid service must be restarted.
8527#Default:
8528# windows_ipaddrchangemonitor on
8529
8530# TAG: eui_lookup
8531# Whether to lookup the EUI or MAC address of a connected client.
8532#Default:
8533# eui_lookup on
8534
8535# TAG: max_filedescriptors
8536# Set the maximum number of filedescriptors, either below the
8537# operating system default or up to the hard limit.
8538#
8539# Remove from squid.conf to inherit the current ulimit soft
8540# limit setting.
8541#
8542# Note: Changing this requires a restart of Squid. Also,
8543# not all I/O types support large values (e.g. on Windows).
8544#Default:
8545# Use operating system soft limit set by ulimit.
8546
8547# TAG: force_request_body_continuation
8548# This option controls how Squid handles data upload requests from HTTP
8549# and FTP agents that require a "Please Continue" control message response
8550# to actually send the request body to Squid. It is mostly useful in
8551# adaptation environments.
8552#
8553# When Squid receives an HTTP request with an "Expect: 100-continue"
8554# header or an FTP upload command (e.g., STOR), Squid normally sends the
8555# request headers or FTP command information to an adaptation service (or
8556# peer) and waits for a response. Most adaptation services (and some
8557# broken peers) may not respond to Squid at that stage because they may
8558# decide to wait for the HTTP request body or FTP data transfer. However,
8559# that request body or data transfer may never come because Squid has not
8560# responded with the HTTP 100 or FTP 150 (Please Continue) control message
8561# to the request sender yet!
8562#
8563# An allow match tells Squid to respond with the HTTP 100 or FTP 150
8564# (Please Continue) control message on its own, before forwarding the
8565# request to an adaptation service or peer. Such a response usually forces
8566# the request sender to proceed with sending the body. A deny match tells
8567# Squid to delay that control response until the origin server confirms
8568# that the request body is needed. Delaying is the default behavior.
8569#Default:
8570# Deny, unless rules exist in squid.conf.
8571
8572# TAG: server_pconn_for_nonretriable
8573# This option provides fine-grained control over persistent connection
8574# reuse when forwarding HTTP requests that Squid cannot retry. It is useful
8575# in environments where opening new connections is very expensive
8576# (e.g., all connections are secured with TLS with complex client and server
8577# certificate validation) and race conditions associated with persistent
8578# connections are very rare and/or only cause minor problems.
8579#
8580# HTTP prohibits retrying unsafe and non-idempotent requests (e.g., POST).
8581# Squid limitations also prohibit retrying all requests with bodies (e.g., PUT).
8582# By default, when forwarding such "risky" requests, Squid opens a new
8583# connection to the server or cache_peer, even if there is an idle persistent
8584# connection available. When Squid is configured to risk sending a non-retriable
8585# request on a previously used persistent connection, and the server closes
8586# the connection before seeing that risky request, the user gets an error response
8587# from Squid. In most cases, that error response will be HTTP 502 (Bad Gateway)
8588# with ERR_ZERO_SIZE_OBJECT or ERR_WRITE_ERROR (peer connection reset) error detail.
8589#
8590# If an allow rule matches, Squid reuses an available idle persistent connection
8591# (if any) for the request that Squid cannot retry. If a deny rule matches, then
8592# Squid opens a new connection for the request that Squid cannot retry.
8593#
8594# This option does not affect requests that Squid can retry. They will reuse idle
8595# persistent connections (if any).
8596#
8597# This clause only supports fast acl types.
8598# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
8599#
8600# Example:
8601# acl SpeedIsWorthTheRisk method POST
8602# server_pconn_for_nonretriable allow SpeedIsWorthTheRisk
8603#Default:
8604# Open new connections for forwarding requests Squid cannot retry safely.
8605
8606