code.fastix.org

Dateiansicht:

Datei:Projekte -> Linux:Netzwerk für Seminare -> Router_Server -> etc -> squid -> squid.conf.original
md5:6ff0cd218708b4769a2d6ed8638401ec
sha1:95a4ec27ac5cceae0ce52c34816a685a7067c17f
  1. #       WELCOME TO SQUID 3.5.27
  2. #       ----------------------------
  3. #      
  4. #       This is the documentation for the Squid configuration file.
  5. #       This documentation can also be found online at:
  6. #               http://www.squid-cache.org/Doc/config/
  7. #      
  8. #       You may wish to look at the Squid home page and wiki for the
  9. #       FAQ and other documentation:
  10. #               http://www.squid-cache.org/
  11. #               http://wiki.squid-cache.org/SquidFaq
  12. #               http://wiki.squid-cache.org/ConfigExamples
  13. #      
  14. #       This documentation shows what the defaults for various directives
  15. #       happen to be.  If you don't need to change the default, you should
  16. #       leave the line out of your squid.conf in most cases.
  17. #      
  18. #       In some cases "none" refers to no default setting at all,
  19. #       while in other cases it refers to the value of the option
  20. #       - the comments for that keyword indicate if this is the case.
  21. #
  22.  
  23. #  Configuration options can be included using the "include" directive.
  24. #  Include takes a list of files to include. Quoting and wildcards are
  25. #  supported.
  26. #
  27. #  For example,
  28. #
  29. #  include /path/to/included/file/squid.acl.config
  30. #
  31. #  Includes can be nested up to a hard-coded depth of 16 levels.
  32. #  This arbitrary restriction is to prevent recursive include references
  33. #  from causing Squid entering an infinite loop whilst trying to load
  34. #  configuration files.
  35. #
  36. #  Values with byte units
  37. #
  38. #       Squid accepts size units on some size related directives. All
  39. #       such directives are documented with a default value displaying
  40. #       a unit.
  41. #
  42. #       Units accepted by Squid are:
  43. #               bytes - byte
  44. #               KB - Kilobyte (1024 bytes)
  45. #               MB - Megabyte
  46. #               GB - Gigabyte
  47. #
  48. #  Values with spaces, quotes, and other special characters
  49. #
  50. #       Squid supports directive parameters with spaces, quotes, and other
  51. #       special characters. Surround such parameters with "double quotes". Use
  52. #       the configuration_includes_quoted_values directive to enable or
  53. #       disable that support.
  54. #
  55. #       Squid supports reading configuration option parameters from external
  56. #       files using the syntax:
  57. #               parameters("/path/filename")
  58. #       For example:
  59. #               acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
  60. #
  61. #  Conditional configuration
  62. #
  63. #       If-statements can be used to make configuration directives
  64. #       depend on conditions:
  65. #
  66. #           if <CONDITION>
  67. #               ... regular configuration directives ...
  68. #           [else
  69. #               ... regular configuration directives ...]
  70. #           endif
  71. #
  72. #       The else part is optional. The keywords "if", "else", and "endif"
  73. #       must be typed on their own lines, as if they were regular
  74. #       configuration directives.
  75. #
  76. #       NOTE: An else-if condition is not supported.
  77. #
  78. #       These individual conditions types are supported:
  79. #
  80. #           true
  81. #               Always evaluates to true.
  82. #           false
  83. #               Always evaluates to false.
  84. #           <integer> = <integer>
  85. #               Equality comparison of two integer numbers.
  86. #
  87. #
  88. #  SMP-Related Macros
  89. #
  90. #       The following SMP-related preprocessor macros can be used.
  91. #
  92. #       ${process_name} expands to the current Squid process "name"
  93. #       (e.g., squid1, squid2, or cache1).
  94. #
  95. #       ${process_number} expands to the current Squid process
  96. #       identifier, which is an integer number (e.g., 1, 2, 3) unique
  97. #       across all Squid processes of the current service instance.
  98. #
  99. #       ${service_name} expands into the current Squid service instance
  100. #       name identifier which is provided by -n on the command line.
  101. #
  102.  
  103. #  TAG: broken_vary_encoding
  104. #       This option is not yet supported by Squid-3.
  105. #Default:
  106. # none
  107.  
  108. #  TAG: cache_vary
  109. #       This option is not yet supported by Squid-3.
  110. #Default:
  111. # none
  112.  
  113. #  TAG: error_map
  114. #       This option is not yet supported by Squid-3.
  115. #Default:
  116. # none
  117.  
  118. #  TAG: external_refresh_check
  119. #       This option is not yet supported by Squid-3.
  120. #Default:
  121. # none
  122.  
  123. #  TAG: location_rewrite_program
  124. #       This option is not yet supported by Squid-3.
  125. #Default:
  126. # none
  127.  
  128. #  TAG: refresh_stale_hit
  129. #       This option is not yet supported by Squid-3.
  130. #Default:
  131. # none
  132.  
  133. #  TAG: hierarchy_stoplist
  134. #       Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use.
  135. #Default:
  136. # none
  137.  
  138. #  TAG: log_access
  139. #       Remove this line. Use acls with access_log directives to control access logging
  140. #Default:
  141. # none
  142.  
  143. #  TAG: log_icap
  144. #       Remove this line. Use acls with icap_log directives to control icap logging
  145. #Default:
  146. # none
  147.  
  148. #  TAG: ignore_ims_on_miss
  149. #       Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'.
  150. #Default:
  151. # none
  152.  
  153. #  TAG: chunked_request_body_max_size
  154. #       Remove this line. Squid is now HTTP/1.1 compliant.
  155. #Default:
  156. # none
  157.  
  158. #  TAG: dns_v4_fallback
  159. #       Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
  160. #Default:
  161. # none
  162.  
  163. #  TAG: emulate_httpd_log
  164. #       Replace this with an access_log directive using the format 'common' or 'combined'.
  165. #Default:
  166. # none
  167.  
  168. #  TAG: forward_log
  169. #       Use a regular access.log with ACL limiting it to MISS events.
  170. #Default:
  171. # none
  172.  
  173. #  TAG: ftp_list_width
  174. #       Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
  175. #Default:
  176. # none
  177.  
  178. #  TAG: ignore_expect_100
  179. #       Remove this line. The HTTP/1.1 feature is now fully supported by default.
  180. #Default:
  181. # none
  182.  
  183. #  TAG: log_fqdn
  184. #       Remove this option from your config. To log FQDN use %>A in the log format.
  185. #Default:
  186. # none
  187.  
  188. #  TAG: log_ip_on_direct
  189. #       Remove this option from your config. To log server or peer names use %<A in the log format.
  190. #Default:
  191. # none
  192.  
  193. #  TAG: maximum_single_addr_tries
  194. #       Replaced by connect_retries. The behaviour has changed, please read the documentation before altering.
  195. #Default:
  196. # none
  197.  
  198. #  TAG: referer_log
  199. #       Replace this with an access_log directive using the format 'referrer'.
  200. #Default:
  201. # none
  202.  
  203. #  TAG: update_headers
  204. #       Remove this line. The feature is supported by default in storage types where update is implemented.
  205. #Default:
  206. # none
  207.  
  208. #  TAG: url_rewrite_concurrency
  209. #       Remove this line. Set the 'concurrency=' option of url_rewrite_children instead.
  210. #Default:
  211. # none
  212.  
  213. #  TAG: useragent_log
  214. #       Replace this with an access_log directive using the format 'useragent'.
  215. #Default:
  216. # none
  217.  
  218. #  TAG: dns_testnames
  219. #       Remove this line. DNS is no longer tested on startup.
  220. #Default:
  221. # none
  222.  
  223. #  TAG: extension_methods
  224. #       Remove this line. All valid methods for HTTP are accepted by default.
  225. #Default:
  226. # none
  227.  
  228. #  TAG: zero_buffers
  229. #Default:
  230. # none
  231.  
  232. #  TAG: incoming_rate
  233. #Default:
  234. # none
  235.  
  236. #  TAG: server_http11
  237. #       Remove this line. HTTP/1.1 is supported by default.
  238. #Default:
  239. # none
  240.  
  241. #  TAG: upgrade_http0.9
  242. #       Remove this line. ICY/1.0 streaming protocol is supported by default.
  243. #Default:
  244. # none
  245.  
  246. #  TAG: zph_local
  247. #       Alter these entries. Use the qos_flows directive instead.
  248. #Default:
  249. # none
  250.  
  251. #  TAG: header_access
  252. #       Since squid-3.0 replace with request_header_access or reply_header_access
  253. #       depending on whether you wish to match client requests or server replies.
  254. #Default:
  255. # none
  256.  
  257. #  TAG: httpd_accel_no_pmtu_disc
  258. #       Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
  259. #Default:
  260. # none
  261.  
  262. #  TAG: wais_relay_host
  263. #       Replace this line with 'cache_peer' configuration.
  264. #Default:
  265. # none
  266.  
  267. #  TAG: wais_relay_port
  268. #       Replace this line with 'cache_peer' configuration.
  269. #Default:
  270. # none
  271.  
  272. # OPTIONS FOR SMP
  273. # -----------------------------------------------------------------------------
  274.  
  275. #  TAG: workers
  276. #       Number of main Squid processes or "workers" to fork and maintain.
  277. #       0: "no daemon" mode, like running "squid -N ..."
  278. #       1: "no SMP" mode, start one main Squid process daemon (default)
  279. #       N: start N main Squid process daemons (i.e., SMP mode)
  280. #
  281. #       In SMP mode, each worker does nearly all what a single Squid daemon
  282. #       does (e.g., listen on http_port and forward HTTP requests).
  283. #Default:
  284. # SMP support disabled.
  285.  
  286. #  TAG: cpu_affinity_map
  287. #       Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,...
  288. #
  289. #       Sets 1:1 mapping between Squid processes and CPU cores. For example,
  290. #
  291. #           cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7
  292. #
  293. #       affects processes 1 through 4 only and places them on the first
  294. #       four even cores, starting with core #1.
  295. #
  296. #       CPU cores are numbered starting from 1. Requires support for
  297. #       sched_getaffinity(2) and sched_setaffinity(2) system calls.
  298. #
  299. #       Multiple cpu_affinity_map options are merged.
  300. #
  301. #       See also: workers
  302. #Default:
  303. # Let operating system decide.
  304.  
  305. # OPTIONS FOR AUTHENTICATION
  306. # -----------------------------------------------------------------------------
  307.  
  308. #  TAG: auth_param
  309. #       This is used to define parameters for the various authentication
  310. #       schemes supported by Squid.
  311. #
  312. #               format: auth_param scheme parameter [setting]
  313. #
  314. #       The order in which authentication schemes are presented to the client is
  315. #       dependent on the order the scheme first appears in config file. IE
  316. #       has a bug (it's not RFC 2617 compliant) in that it will use the basic
  317. #       scheme if basic is the first entry presented, even if more secure
  318. #       schemes are presented. For now use the order in the recommended
  319. #       settings section below. If other browsers have difficulties (don't
  320. #       recognize the schemes offered even if you are using basic) either
  321. #       put basic first, or disable the other schemes (by commenting out their
  322. #       program entry).
  323. #
  324. #       Once an authentication scheme is fully configured, it can only be
  325. #       shutdown by shutting squid down and restarting. Changes can be made on
  326. #       the fly and activated with a reconfigure. I.E. You can change to a
  327. #       different helper, but not unconfigure the helper completely.
  328. #
  329. #       Please note that while this directive defines how Squid processes
  330. #       authentication it does not automatically activate authentication.
  331. #       To use authentication you must in addition make use of ACLs based
  332. #       on login name in http_access (proxy_auth, proxy_auth_regex or
  333. #       external with %LOGIN used in the format tag). The browser will be
  334. #       challenged for authentication on the first such acl encountered
  335. #       in http_access processing and will also be re-challenged for new
  336. #       login credentials if the request is being denied by a proxy_auth
  337. #       type acl.
  338. #
  339. #       WARNING: authentication can't be used in a transparently intercepting
  340. #       proxy as the client then thinks it is talking to an origin server and
  341. #       not the proxy. This is a limitation of bending the TCP/IP protocol to
  342. #       transparently intercepting port 80, not a limitation in Squid.
  343. #       Ports flagged 'transparent', 'intercept', or 'tproxy' have
  344. #       authentication disabled.
  345. #
  346. #       === Parameters common to all schemes. ===
  347. #
  348. #       "program" cmdline
  349. #               Specifies the command for the external authenticator.
  350. #
  351. #               By default, each authentication scheme is not used unless a
  352. #               program is specified.
  353. #
  354. #               See http://wiki.squid-cache.org/Features/AddonHelpers for
  355. #               more details on helper operations and creating your own.
  356. #
  357. #       "key_extras" format
  358. #               Specifies a string to be append to request line format for
  359. #               the authentication helper. "Quoted" format values may contain
  360. #               spaces and logformat %macros. In theory, any logformat %macro
  361. #               can be used. In practice, a %macro expands as a dash (-) if
  362. #               the helper request is sent before the required macro
  363. #               information is available to Squid.
  364. #
  365. #               By default, Squid uses request formats provided in
  366. #               scheme-specific examples below (search for %credentials).
  367. #
  368. #               The expanded key_extras value is added to the Squid credentials
  369. #               cache and, hence, will affect authentication. It can be used to
  370. #               autenticate different users with identical user names (e.g.,
  371. #               when user authentication depends on http_port).
  372. #
  373. #               Avoid adding frequently changing information to key_extras. For
  374. #               example, if you add user source IP, and it changes frequently
  375. #               in your environment, then max_user_ip ACL is going to treat
  376. #               every user+IP combination as a unique "user", breaking the ACL
  377. #               and wasting a lot of memory on those user records. It will also
  378. #               force users to authenticate from scratch whenever their IP
  379. #               changes.
  380. #
  381. #       "realm" string
  382. #               Specifies the protection scope (aka realm name) which is to be
  383. #               reported to the client for the authentication scheme. It is
  384. #               commonly part of the text the user will see when prompted for
  385. #               their username and password.
  386. #
  387. #               For Basic the default is "Squid proxy-caching web server".
  388. #               For Digest there is no default, this parameter is mandatory.
  389. #               For NTLM and Negotiate this parameter is ignored.
  390. #
  391. #       "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
  392. #
  393. #               The maximum number of authenticator processes to spawn. If
  394. #               you start too few Squid will have to wait for them to process
  395. #               a backlog of credential verifications, slowing it down. When
  396. #               password verifications are done via a (slow) network you are
  397. #               likely to need lots of authenticator processes.
  398. #
  399. #               The startup= and idle= options permit some skew in the exact
  400. #               amount run. A minimum of startup=N will begin during startup
  401. #               and reconfigure. Squid will start more in groups of up to
  402. #               idle=N in an attempt to meet traffic needs and to keep idle=N
  403. #               free above those traffic needs up to the maximum.
  404. #
  405. #               The concurrency= option sets the number of concurrent requests
  406. #               the helper can process.  The default of 0 is used for helpers
  407. #               who only supports one request at a time. Setting this to a
  408. #               number greater than 0 changes the protocol used to include a
  409. #               channel ID field first on the request/response line, allowing
  410. #               multiple requests to be sent to the same helper in parallel
  411. #               without waiting for the response.
  412. #
  413. #               Concurrency must not be set unless it's known the helper
  414. #               supports the input format with channel-ID fields.
  415. #
  416. #               NOTE: NTLM and Negotiate schemes do not support concurrency
  417. #                       in the Squid code module even though some helpers can.
  418. #
  419. #
  420. #
  421. #       === Example Configuration ===
  422. #
  423. #       This configuration displays the recommended authentication scheme
  424. #       order from most to least secure with recommended minimum configuration
  425. #       settings for each scheme:
  426. #
  427. ##auth_param negotiate program <uncomment and complete this line to activate>
  428. ##auth_param negotiate children 20 startup=0 idle=1
  429. ##auth_param negotiate keep_alive on
  430. ##
  431. ##auth_param digest program <uncomment and complete this line to activate>
  432. ##auth_param digest children 20 startup=0 idle=1
  433. ##auth_param digest realm Squid proxy-caching web server
  434. ##auth_param digest nonce_garbage_interval 5 minutes
  435. ##auth_param digest nonce_max_duration 30 minutes
  436. ##auth_param digest nonce_max_count 50
  437. ##
  438. ##auth_param ntlm program <uncomment and complete this line to activate>
  439. ##auth_param ntlm children 20 startup=0 idle=1
  440. ##auth_param ntlm keep_alive on
  441. ##
  442. ##auth_param basic program <uncomment and complete this line>
  443. ##auth_param basic children 5 startup=5 idle=1
  444. ##auth_param basic realm Squid proxy-caching web server
  445. ##auth_param basic credentialsttl 2 hours
  446. #Default:
  447. # none
  448.  
  449. #  TAG: authenticate_cache_garbage_interval
  450. #       The time period between garbage collection across the username cache.
  451. #       This is a trade-off between memory utilization (long intervals - say
  452. #       2 days) and CPU (short intervals - say 1 minute). Only change if you
  453. #       have good reason to.
  454. #Default:
  455. # authenticate_cache_garbage_interval 1 hour
  456.  
  457. #  TAG: authenticate_ttl
  458. #       The time a user & their credentials stay in the logged in
  459. #       user cache since their last request. When the garbage
  460. #       interval passes, all user credentials that have passed their
  461. #       TTL are removed from memory.
  462. #Default:
  463. # authenticate_ttl 1 hour
  464.  
  465. #  TAG: authenticate_ip_ttl
  466. #       If you use proxy authentication and the 'max_user_ip' ACL,
  467. #       this directive controls how long Squid remembers the IP
  468. #       addresses associated with each user.  Use a small value
  469. #       (e.g., 60 seconds) if your users might change addresses
  470. #       quickly, as is the case with dialup.   You might be safe
  471. #       using a larger value (e.g., 2 hours) in a corporate LAN
  472. #       environment with relatively static address assignments.
  473. #Default:
  474. # authenticate_ip_ttl 1 second
  475.  
  476. # ACCESS CONTROLS
  477. # -----------------------------------------------------------------------------
  478.  
  479. #  TAG: external_acl_type
  480. #       This option defines external acl classes using a helper program
  481. #       to look up the status
  482. #
  483. #         external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
  484. #
  485. #       Options:
  486. #
  487. #         ttl=n         TTL in seconds for cached results (defaults to 3600
  488. #                       for 1 hour)
  489. #
  490. #         negative_ttl=n
  491. #                       TTL for cached negative lookups (default same
  492. #                       as ttl)
  493. #
  494. #         grace=n       Percentage remaining of TTL where a refresh of a
  495. #                       cached entry should be initiated without needing to
  496. #                       wait for a new reply. (default is for no grace period)
  497. #
  498. #         cache=n       The maximum number of entries in the result cache. The
  499. #                       default limit is 262144 entries.  Each cache entry usually
  500. #                       consumes at least 256 bytes. Squid currently does not remove
  501. #                       expired cache entries until the limit is reached, so a proxy
  502. #                       will sooner or later reach the limit. The expanded FORMAT
  503. #                       value is used as the cache key, so if the details in FORMAT
  504. #                       are highly variable, a larger cache may be needed to produce
  505. #                       reduction in helper load.
  506. #
  507. #         children-max=n
  508. #                       Maximum number of acl helper processes spawned to service
  509. #                       external acl lookups of this type. (default 5)
  510. #
  511. #         children-startup=n
  512. #                       Minimum number of acl helper processes to spawn during
  513. #                       startup and reconfigure to service external acl lookups
  514. #                       of this type. (default 0)
  515. #
  516. #         children-idle=n
  517. #                       Number of acl helper processes to keep ahead of traffic
  518. #                       loads. Squid will spawn this many at once whenever load
  519. #                       rises above the capabilities of existing processes.
  520. #                       Up to the value of children-max. (default 1)
  521. #
  522. #         concurrency=n concurrency level per process. Only used with helpers
  523. #                       capable of processing more than one query at a time.
  524. #
  525. #         protocol=2.5  Compatibility mode for Squid-2.5 external acl helpers.
  526. #
  527. #         ipv4 / ipv6   IP protocol used to communicate with this helper.
  528. #                       The default is to auto-detect IPv6 and use it when available.
  529. #
  530. #
  531. #       FORMAT specifications
  532. #
  533. #         %LOGIN        Authenticated user login name
  534. #         %un           A user name. Expands to the first available name
  535. #                       from the following list of information sources:
  536. #                       - authenticated user name, like %ul or %LOGIN
  537. #                       - user name sent by an external ACL, like %EXT_USER
  538. #                       - SSL client name, like %us in logformat
  539. #                       - ident user name, like %ui in logformat
  540. #         %EXT_USER     Username from previous external acl
  541. #         %EXT_LOG      Log details from previous external acl
  542. #         %EXT_TAG      Tag from previous external acl
  543. #         %IDENT        Ident user name
  544. #         %SRC          Client IP
  545. #         %SRCPORT      Client source port
  546. #         %URI          Requested URI
  547. #         %DST          Requested host
  548. #         %PROTO        Requested URL scheme
  549. #         %PORT         Requested port
  550. #         %PATH         Requested URL path
  551. #         %METHOD       Request method
  552. #         %MYADDR       Squid interface address
  553. #         %MYPORT       Squid http_port number
  554. #         %PATH         Requested URL-path (including query-string if any)
  555. #         %USER_CERT    SSL User certificate in PEM format
  556. #         %USER_CERTCHAIN SSL User certificate chain in PEM format
  557. #         %USER_CERT_xx SSL User certificate subject attribute xx
  558. #         %USER_CA_CERT_xx SSL User certificate issuer attribute xx
  559. #         %ssl::>sni    SSL client SNI sent to Squid
  560. #         %ssl::<cert_subject SSL server certificate DN
  561. #         %ssl::<cert_issuer SSL server certificate issuer DN
  562. #
  563. #         %>{Header}    HTTP request header "Header"
  564. #         %>{Hdr:member}
  565. #                       HTTP request header "Hdr" list member "member"
  566. #         %>{Hdr:;member}
  567. #                       HTTP request header list member using ; as
  568. #                       list separator. ; can be any non-alphanumeric
  569. #                       character.
  570. #
  571. #         %<{Header}    HTTP reply header "Header"
  572. #         %<{Hdr:member}
  573. #                       HTTP reply header "Hdr" list member "member"
  574. #         %<{Hdr:;member}
  575. #                       HTTP reply header list member using ; as
  576. #                       list separator. ; can be any non-alphanumeric
  577. #                       character.
  578. #
  579. #         %ACL          The name of the ACL being tested.
  580. #         %DATA         The ACL arguments. If not used then any arguments
  581. #                       is automatically added at the end of the line
  582. #                       sent to the helper.
  583. #                       NOTE: this will encode the arguments as one token,
  584. #                       whereas the default will pass each separately.
  585. #
  586. #         %%            The percent sign. Useful for helpers which need
  587. #                       an unchanging input format.
  588. #
  589. #
  590. #       General request syntax:
  591. #
  592. #         [channel-ID] FORMAT-values [acl-values ...]
  593. #
  594. #
  595. #       FORMAT-values consists of transaction details expanded with
  596. #       whitespace separation per the config file FORMAT specification
  597. #       using the FORMAT macros listed above.
  598. #
  599. #       acl-values consists of any string specified in the referencing
  600. #       config 'acl ... external' line. see the "acl external" directive.
  601. #
  602. #       Request values sent to the helper are URL escaped to protect
  603. #       each value in requests against whitespaces.
  604. #
  605. #       If using protocol=2.5 then the request sent to the helper is not
  606. #       URL escaped to protect against whitespace.
  607. #
  608. #       NOTE: protocol=3.0 is deprecated as no longer necessary.
  609. #
  610. #       When using the concurrency= option the protocol is changed by
  611. #       introducing a query channel tag in front of the request/response.
  612. #       The query channel tag is a number between 0 and concurrency-1.
  613. #       This value must be echoed back unchanged to Squid as the first part
  614. #       of the response relating to its request.
  615. #
  616. #
  617. #       The helper receives lines expanded per the above format specification
  618. #       and for each input line returns 1 line starting with OK/ERR/BH result
  619. #       code and optionally followed by additional keywords with more details.
  620. #
  621. #
  622. #       General result syntax:
  623. #
  624. #         [channel-ID] result keyword=value ...
  625. #
  626. #       Result consists of one of the codes:
  627. #
  628. #         OK
  629. #               the ACL test produced a match.
  630. #
  631. #         ERR
  632. #               the ACL test does not produce a match.
  633. #
  634. #         BH
  635. #               An internal error occurred in the helper, preventing
  636. #               a result being identified.
  637. #
  638. #       The meaning of 'a match' is determined by your squid.conf
  639. #       access control configuration. See the Squid wiki for details.
  640. #
  641. #       Defined keywords:
  642. #
  643. #         user=         The users name (login)
  644. #
  645. #         password=     The users password (for login= cache_peer option)
  646. #
  647. #         message=      Message describing the reason for this response.
  648. #                       Available as %o in error pages.
  649. #                       Useful on (ERR and BH results).
  650. #
  651. #         tag=          Apply a tag to a request. Only sets a tag once,
  652. #                       does not alter existing tags.
  653. #
  654. #         log=          String to be logged in access.log. Available as
  655. #                       %ea in logformat specifications.
  656. #
  657. #         clt_conn_tag= Associates a TAG with the client TCP connection.
  658. #                       Please see url_rewrite_program related documentation
  659. #                       for this kv-pair.
  660. #
  661. #       Any keywords may be sent on any response whether OK, ERR or BH.
  662. #
  663. #       All response keyword values need to be a single token with URL
  664. #       escaping, or enclosed in double quotes (") and escaped using \ on
  665. #       any double quotes or \ characters within the value. The wrapping
  666. #       double quotes are removed before the value is interpreted by Squid.
  667. #       \r and \n are also replace by CR and LF.
  668. #
  669. #       Some example key values:
  670. #
  671. #               user=John%20Smith
  672. #               user="John Smith"
  673. #               user="J. \"Bob\" Smith"
  674. #Default:
  675. # none
  676.  
  677. #  TAG: acl
  678. #       Defining an Access List
  679. #
  680. #       Every access list definition must begin with an aclname and acltype,
  681. #       followed by either type-specific arguments or a quoted filename that
  682. #       they are read from.
  683. #
  684. #          acl aclname acltype argument ...
  685. #          acl aclname acltype "file" ...
  686. #
  687. #       When using "file", the file should contain one item per line.
  688. #
  689. #       Some acl types supports options which changes their default behaviour.
  690. #       The available options are:
  691. #
  692. #       -i,+i   By default, regular expressions are CASE-SENSITIVE. To make them
  693. #               case-insensitive, use the -i option. To return case-sensitive
  694. #               use the +i option between patterns, or make a new ACL line
  695. #               without -i.    
  696. #
  697. #       -n      Disable lookups and address type conversions.  If lookup or
  698. #               conversion is required because the parameter type (IP or
  699. #               domain name) does not match the message address type (domain
  700. #               name or IP), then the ACL would immediately declare a mismatch
  701. #               without any warnings or lookups.
  702. #
  703. #       --      Used to stop processing all options, in the case the first acl
  704. #               value has '-' character as first character (for example the '-'
  705. #               is a valid domain name)
  706. #
  707. #       Some acl types require suspending the current request in order
  708. #       to access some external data source.
  709. #       Those which do are marked with the tag [slow], those which
  710. #       don't are marked as [fast].
  711. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl
  712. #       for further information
  713. #
  714. #       ***** ACL TYPES AVAILABLE *****
  715. #
  716. #       acl aclname src ip-address/mask ...     # clients IP address [fast]
  717. #       acl aclname src addr1-addr2/mask ...    # range of addresses [fast]
  718. #       acl aclname dst [-n] ip-address/mask ...        # URL host's IP address [slow]
  719. #       acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
  720. #
  721. #       acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
  722. #         # [fast]
  723. #         # The 'arp' ACL code is not portable to all operating systems.
  724. #         # It works on Linux, Solaris, Windows, FreeBSD, and some other
  725. #         # BSD variants.
  726. #         #
  727. #         # NOTE: Squid can only determine the MAC/EUI address for IPv4
  728. #         # clients that are on the same subnet. If the client is on a
  729. #         # different subnet, then Squid cannot find out its address.
  730. #         #
  731. #         # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either
  732. #         # encoded directly in the IPv6 address or not available.
  733. #
  734. #       acl aclname srcdomain   .foo.com ...
  735. #         # reverse lookup, from client IP [slow]
  736. #       acl aclname dstdomain [-n] .foo.com ...
  737. #         # Destination server from URL [fast]
  738. #       acl aclname srcdom_regex [-i] \.foo\.com ...
  739. #         # regex matching client name [slow]
  740. #       acl aclname dstdom_regex [-n] [-i] \.foo\.com ...
  741. #         # regex matching server [fast]
  742. #         #
  743. #         # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
  744. #         # based URL is used and no match is found. The name "none" is used
  745. #         # if the reverse lookup fails.
  746. #
  747. #       acl aclname src_as number ...
  748. #       acl aclname dst_as number ...
  749. #         # [fast]
  750. #         # Except for access control, AS numbers can be used for
  751. #         # routing of requests to specific caches. Here's an
  752. #         # example for routing all requests for AS#1241 and only
  753. #         # those to mycache.mydomain.net:
  754. #         # acl asexample dst_as 1241
  755. #         # cache_peer_access mycache.mydomain.net allow asexample
  756. #         # cache_peer_access mycache_mydomain.net deny all
  757. #
  758. #       acl aclname peername myPeer ...
  759. #         # [fast]
  760. #         # match against a named cache_peer entry
  761. #         # set unique name= on cache_peer lines for reliable use.
  762. #
  763. #       acl aclname time [day-abbrevs] [h1:m1-h2:m2]
  764. #         # [fast]
  765. #         #  day-abbrevs:
  766. #         #     S - Sunday
  767. #         #     M - Monday
  768. #         #     T - Tuesday
  769. #         #     W - Wednesday
  770. #         #     H - Thursday
  771. #         #     F - Friday
  772. #         #     A - Saturday
  773. #         #  h1:m1 must be less than h2:m2
  774. #
  775. #       acl aclname url_regex [-i] ^http:// ...
  776. #         # regex matching on whole URL [fast]
  777. #       acl aclname urllogin [-i] [^a-zA-Z0-9] ...
  778. #         # regex matching on URL login field
  779. #       acl aclname urlpath_regex [-i] \.gif$ ...
  780. #         # regex matching on URL path [fast]
  781. #
  782. #       acl aclname port 80 70 21 0-1024...   # destination TCP port [fast]
  783. #                                             # ranges are alloed
  784. #       acl aclname localport 3128 ...        # TCP port the client connected to [fast]
  785. #                                             # NP: for interception mode this is usually '80'
  786. #
  787. #       acl aclname myportname 3128 ...       # *_port name [fast]
  788. #
  789. #       acl aclname proto HTTP FTP ...        # request protocol [fast]
  790. #
  791. #       acl aclname method GET POST ...       # HTTP request method [fast]
  792. #
  793. #       acl aclname http_status 200 301 500- 400-403 ...
  794. #         # status code in reply [fast]
  795. #
  796. #       acl aclname browser [-i] regexp ...
  797. #         # pattern match on User-Agent header (see also req_header below) [fast]
  798. #
  799. #       acl aclname referer_regex [-i] regexp ...
  800. #         # pattern match on Referer header [fast]
  801. #         # Referer is highly unreliable, so use with care
  802. #
  803. #       acl aclname ident username ...
  804. #       acl aclname ident_regex [-i] pattern ...
  805. #         # string match on ident output [slow]
  806. #         # use REQUIRED to accept any non-null ident.
  807. #
  808. #       acl aclname proxy_auth [-i] username ...
  809. #       acl aclname proxy_auth_regex [-i] pattern ...
  810. #         # perform http authentication challenge to the client and match against
  811. #         # supplied credentials [slow]
  812. #         #
  813. #         # takes a list of allowed usernames.
  814. #         # use REQUIRED to accept any valid username.
  815. #         #
  816. #         # Will use proxy authentication in forward-proxy scenarios, and plain
  817. #         # http authenticaiton in reverse-proxy scenarios
  818. #         #
  819. #         # NOTE: when a Proxy-Authentication header is sent but it is not
  820. #         # needed during ACL checking the username is NOT logged
  821. #         # in access.log.
  822. #         #
  823. #         # NOTE: proxy_auth requires a EXTERNAL authentication program
  824. #         # to check username/password combinations (see
  825. #         # auth_param directive).
  826. #         #
  827. #         # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
  828. #         # as the browser needs to be configured for using a proxy in order
  829. #         # to respond to proxy authentication.
  830. #
  831. #       acl aclname snmp_community string ...
  832. #         # A community string to limit access to your SNMP Agent [fast]
  833. #         # Example:
  834. #         #
  835. #         #     acl snmppublic snmp_community public
  836. #
  837. #       acl aclname maxconn number
  838. #         # This will be matched when the client's IP address has
  839. #         # more than <number> TCP connections established. [fast]
  840. #         # NOTE: This only measures direct TCP links so X-Forwarded-For
  841. #         # indirect clients are not counted.
  842. #
  843. #       acl aclname max_user_ip [-s] number
  844. #         # This will be matched when the user attempts to log in from more
  845. #         # than <number> different ip addresses. The authenticate_ip_ttl
  846. #         # parameter controls the timeout on the ip entries. [fast]
  847. #         # If -s is specified the limit is strict, denying browsing
  848. #         # from any further IP addresses until the ttl has expired. Without
  849. #         # -s Squid will just annoy the user by "randomly" denying requests.
  850. #         # (the counter is reset each time the limit is reached and a
  851. #         # request is denied)
  852. #         # NOTE: in acceleration mode or where there is mesh of child proxies,
  853. #         # clients may appear to come from multiple addresses if they are
  854. #         # going through proxy farms, so a limit of 1 may cause user problems.
  855. #
  856. #       acl aclname random probability
  857. #         # Pseudo-randomly match requests. Based on the probability given.
  858. #         # Probability may be written as a decimal (0.333), fraction (1/3)
  859. #         # or ratio of matches:non-matches (3:5).
  860. #
  861. #       acl aclname req_mime_type [-i] mime-type ...
  862. #         # regex match against the mime type of the request generated
  863. #         # by the client. Can be used to detect file upload or some
  864. #         # types HTTP tunneling requests [fast]
  865. #         # NOTE: This does NOT match the reply. You cannot use this
  866. #         # to match the returned file type.
  867. #
  868. #       acl aclname req_header header-name [-i] any\.regex\.here
  869. #         # regex match against any of the known request headers.  May be
  870. #         # thought of as a superset of "browser", "referer" and "mime-type"
  871. #         # ACL [fast]
  872. #
  873. #       acl aclname rep_mime_type [-i] mime-type ...
  874. #         # regex match against the mime type of the reply received by
  875. #         # squid. Can be used to detect file download or some
  876. #         # types HTTP tunneling requests. [fast]
  877. #         # NOTE: This has no effect in http_access rules. It only has
  878. #         # effect in rules that affect the reply data stream such as
  879. #         # http_reply_access.
  880. #
  881. #       acl aclname rep_header header-name [-i] any\.regex\.here
  882. #         # regex match against any of the known reply headers. May be
  883. #         # thought of as a superset of "browser", "referer" and "mime-type"
  884. #         # ACLs [fast]
  885. #
  886. #       acl aclname external class_name [arguments...]
  887. #         # external ACL lookup via a helper class defined by the
  888. #         # external_acl_type directive [slow]
  889. #
  890. #       acl aclname user_cert attribute values...
  891. #         # match against attributes in a user SSL certificate
  892. #         # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
  893. #
  894. #       acl aclname ca_cert attribute values...
  895. #         # match against attributes a users issuing CA SSL certificate
  896. #         # attribute is one of DN/C/O/CN/L/ST or a numerical OID  [fast]
  897. #
  898. #       acl aclname ext_user username ...
  899. #       acl aclname ext_user_regex [-i] pattern ...
  900. #         # string match on username returned by external acl helper [slow]
  901. #         # use REQUIRED to accept any non-null user name.
  902. #
  903. #       acl aclname tag tagvalue ...
  904. #         # string match on tag returned by external acl helper [fast]
  905. #         # DEPRECATED. Only the first tag will match with this ACL.
  906. #         # Use the 'note' ACL instead for handling multiple tag values.
  907. #
  908. #       acl aclname hier_code codename ...
  909. #         # string match against squid hierarchy code(s); [fast]
  910. #         #  e.g., DIRECT, PARENT_HIT, NONE, etc.
  911. #         #
  912. #         # NOTE: This has no effect in http_access rules. It only has
  913. #         # effect in rules that affect the reply data stream such as
  914. #         # http_reply_access.
  915. #
  916. #       acl aclname note name [value ...]
  917. #         # match transaction annotation [fast]
  918. #         # Without values, matches any annotation with a given name.
  919. #         # With value(s), matches any annotation with a given name that
  920. #         # also has one of the given values.
  921. #         # Names and values are compared using a string equality test.
  922. #         # Annotation sources include note and adaptation_meta directives
  923. #         # as well as helper and eCAP responses.
  924. #
  925. #       acl aclname adaptation_service service ...
  926. #         # Matches the name of any icap_service, ecap_service,
  927. #         # adaptation_service_set, or adaptation_service_chain that Squid
  928. #         # has used (or attempted to use) for the master transaction.
  929. #         # This ACL must be defined after the corresponding adaptation
  930. #         # service is named in squid.conf. This ACL is usable with
  931. #         # adaptation_meta because it starts matching immediately after
  932. #         # the service has been selected for adaptation.
  933. #
  934. #       acl aclname any-of acl1 acl2 ...
  935. #         # match any one of the acls [fast or slow]
  936. #         # The first matching ACL stops further ACL evaluation.
  937. #         #
  938. #         # ACLs from multiple any-of lines with the same name are ORed.
  939. #         # For example, A = (a1 or a2) or (a3 or a4) can be written as
  940. #         #   acl A any-of a1 a2
  941. #         #   acl A any-of a3 a4
  942. #         #
  943. #         # This group ACL is fast if all evaluated ACLs in the group are fast
  944. #         # and slow otherwise.
  945. #
  946. #       acl aclname all-of acl1 acl2 ...
  947. #         # match all of the acls [fast or slow]
  948. #         # The first mismatching ACL stops further ACL evaluation.
  949. #         #
  950. #         # ACLs from multiple all-of lines with the same name are ORed.
  951. #         # For example, B = (b1 and b2) or (b3 and b4) can be written as
  952. #         #   acl B all-of b1 b2
  953. #         #   acl B all-of b3 b4
  954. #         #
  955. #         # This group ACL is fast if all evaluated ACLs in the group are fast
  956. #         # and slow otherwise.
  957. #
  958. #       Examples:
  959. #               acl macaddress arp 09:00:2b:23:45:67
  960. #               acl myexample dst_as 1241
  961. #               acl password proxy_auth REQUIRED
  962. #               acl fileupload req_mime_type -i ^multipart/form-data$
  963. #               acl javascript rep_mime_type -i ^application/x-javascript$
  964. #
  965. #Default:
  966. # ACLs all, manager, localhost, and to_localhost are predefined.
  967. #
  968. #
  969. # Recommended minimum configuration:
  970. #
  971.  
  972. # Example rule allowing access from your local networks.
  973. # Adapt to list your (internal) IP networks from where browsing
  974. # should be allowed
  975. #acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
  976. #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
  977. #acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
  978. #acl localnet src fc00::/7       # RFC 4193 local private network range
  979. #acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
  980.  
  981. acl SSL_ports port 443
  982. acl Safe_ports port 80          # http
  983. acl Safe_ports port 21          # ftp
  984. acl Safe_ports port 443         # https
  985. acl Safe_ports port 70          # gopher
  986. acl Safe_ports port 210         # wais
  987. acl Safe_ports port 1025-65535  # unregistered ports
  988. acl Safe_ports port 280         # http-mgmt
  989. acl Safe_ports port 488         # gss-http
  990. acl Safe_ports port 591         # filemaker
  991. acl Safe_ports port 777         # multiling http
  992. acl CONNECT method CONNECT
  993.  
  994. #  TAG: proxy_protocol_access
  995. #       Determine which client proxies can be trusted to provide correct
  996. #       information regarding real client IP address using PROXY protocol.
  997. #
  998. #       Requests may pass through a chain of several other proxies
  999. #       before reaching us. The original source details may by sent in:
  1000. #               * HTTP message Forwarded header, or
  1001. #               * HTTP message X-Forwarded-For header, or
  1002. #               * PROXY protocol connection header.
  1003. #
  1004. #       This directive is solely for validating new PROXY protocol
  1005. #       connections received from a port flagged with require-proxy-header.
  1006. #       It is checked only once after TCP connection setup.
  1007. #
  1008. #       A deny match results in TCP connection closure.
  1009. #
  1010. #       An allow match is required for Squid to permit the corresponding
  1011. #       TCP connection, before Squid even looks for HTTP request headers.
  1012. #       If there is an allow match, Squid starts using PROXY header information
  1013. #       to determine the source address of the connection for all future ACL
  1014. #       checks, logging, etc.
  1015. #
  1016. #       SECURITY CONSIDERATIONS:
  1017. #
  1018. #               Any host from which we accept client IP details can place
  1019. #               incorrect information in the relevant header, and Squid
  1020. #               will use the incorrect information as if it were the
  1021. #               source address of the request.  This may enable remote
  1022. #               hosts to bypass any access control restrictions that are
  1023. #               based on the client's source addresses.
  1024. #
  1025. #       This clause only supports fast acl types.
  1026. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1027. #Default:
  1028. # all TCP connections to ports with require-proxy-header will be denied
  1029.  
  1030. #  TAG: follow_x_forwarded_for
  1031. #       Determine which client proxies can be trusted to provide correct
  1032. #       information regarding real client IP address.
  1033. #
  1034. #       Requests may pass through a chain of several other proxies
  1035. #       before reaching us. The original source details may by sent in:
  1036. #               * HTTP message Forwarded header, or
  1037. #               * HTTP message X-Forwarded-For header, or
  1038. #               * PROXY protocol connection header.
  1039. #
  1040. #       PROXY protocol connections are controlled by the proxy_protocol_access
  1041. #       directive which is checked before this.
  1042. #
  1043. #       If a request reaches us from a source that is allowed by this
  1044. #       directive, then we trust the information it provides regarding
  1045. #       the IP of the client it received from (if any).
  1046. #
  1047. #       For the purpose of ACLs used in this directive the src ACL type always
  1048. #       matches the address we are testing and srcdomain matches its rDNS.
  1049. #
  1050. #       On each HTTP request Squid checks for X-Forwarded-For header fields.
  1051. #       If found the header values are iterated in reverse order and an allow
  1052. #       match is required for Squid to continue on to the next value.
  1053. #       The verification ends when a value receives a deny match, cannot be
  1054. #       tested, or there are no more values to test.
  1055. #       NOTE: Squid does not yet follow the Forwarded HTTP header.
  1056. #
  1057. #       The end result of this process is an IP address that we will
  1058. #       refer to as the indirect client address.  This address may
  1059. #       be treated as the client address for access control, ICAP, delay
  1060. #       pools and logging, depending on the acl_uses_indirect_client,
  1061. #       icap_uses_indirect_client, delay_pool_uses_indirect_client,
  1062. #       log_uses_indirect_client and tproxy_uses_indirect_client options.
  1063. #
  1064. #       This clause only supports fast acl types.
  1065. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1066. #
  1067. #       SECURITY CONSIDERATIONS:
  1068. #
  1069. #               Any host from which we accept client IP details can place
  1070. #               incorrect information in the relevant header, and Squid
  1071. #               will use the incorrect information as if it were the
  1072. #               source address of the request.  This may enable remote
  1073. #               hosts to bypass any access control restrictions that are
  1074. #               based on the client's source addresses.
  1075. #
  1076. #       For example:
  1077. #
  1078. #               acl localhost src 127.0.0.1
  1079. #               acl my_other_proxy srcdomain .proxy.example.com
  1080. #               follow_x_forwarded_for allow localhost
  1081. #               follow_x_forwarded_for allow my_other_proxy
  1082. #Default:
  1083. # X-Forwarded-For header will be ignored.
  1084.  
  1085. #  TAG: acl_uses_indirect_client        on|off
  1086. #       Controls whether the indirect client address
  1087. #       (see follow_x_forwarded_for) is used instead of the
  1088. #       direct client address in acl matching.
  1089. #
  1090. #       NOTE: maxconn ACL considers direct TCP links and indirect
  1091. #             clients will always have zero. So no match.
  1092. #Default:
  1093. # acl_uses_indirect_client on
  1094.  
  1095. #  TAG: delay_pool_uses_indirect_client on|off
  1096. #       Controls whether the indirect client address
  1097. #       (see follow_x_forwarded_for) is used instead of the
  1098. #       direct client address in delay pools.
  1099. #Default:
  1100. # delay_pool_uses_indirect_client on
  1101.  
  1102. #  TAG: log_uses_indirect_client        on|off
  1103. #       Controls whether the indirect client address
  1104. #       (see follow_x_forwarded_for) is used instead of the
  1105. #       direct client address in the access log.
  1106. #Default:
  1107. # log_uses_indirect_client on
  1108.  
  1109. #  TAG: tproxy_uses_indirect_client     on|off
  1110. #       Controls whether the indirect client address
  1111. #       (see follow_x_forwarded_for) is used instead of the
  1112. #       direct client address when spoofing the outgoing client.
  1113. #
  1114. #       This has no effect on requests arriving in non-tproxy
  1115. #       mode ports.
  1116. #
  1117. #       SECURITY WARNING: Usage of this option is dangerous
  1118. #       and should not be used trivially. Correct configuration
  1119. #       of follow_x_forwarded_for with a limited set of trusted
  1120. #       sources is required to prevent abuse of your proxy.
  1121. #Default:
  1122. # tproxy_uses_indirect_client off
  1123.  
  1124. #  TAG: spoof_client_ip
  1125. #       Control client IP address spoofing of TPROXY traffic based on
  1126. #       defined access lists.
  1127. #
  1128. #       spoof_client_ip allow|deny [!]aclname ...
  1129. #
  1130. #       If there are no "spoof_client_ip" lines present, the default
  1131. #       is to "allow" spoofing of any suitable request.
  1132. #
  1133. #       Note that the cache_peer "no-tproxy" option overrides this ACL.
  1134. #
  1135. #       This clause supports fast acl types.
  1136. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1137. #Default:
  1138. # Allow spoofing on all TPROXY traffic.
  1139.  
  1140. #  TAG: http_access
  1141. #       Allowing or Denying access based on defined access lists
  1142. #
  1143. #       To allow or deny a message received on an HTTP, HTTPS, or FTP port:
  1144. #       http_access allow|deny [!]aclname ...
  1145. #
  1146. #       NOTE on default values:
  1147. #
  1148. #       If there are no "access" lines present, the default is to deny
  1149. #       the request.
  1150. #
  1151. #       If none of the "access" lines cause a match, the default is the
  1152. #       opposite of the last line in the list.  If the last line was
  1153. #       deny, the default is allow.  Conversely, if the last line
  1154. #       is allow, the default will be deny.  For these reasons, it is a
  1155. #       good idea to have an "deny all" entry at the end of your access
  1156. #       lists to avoid potential confusion.
  1157. #
  1158. #       This clause supports both fast and slow acl types.
  1159. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1160. #
  1161. #Default:
  1162. # Deny, unless rules exist in squid.conf.
  1163. #
  1164.  
  1165. #
  1166. # Recommended minimum Access Permission configuration:
  1167. #
  1168. # Deny requests to certain unsafe ports
  1169. http_access deny !Safe_ports
  1170.  
  1171. # Deny CONNECT to other than secure SSL ports
  1172. http_access deny CONNECT !SSL_ports
  1173.  
  1174. # Only allow cachemgr access from localhost
  1175. http_access allow localhost manager
  1176. http_access deny manager
  1177.  
  1178. # We strongly recommend the following be uncommented to protect innocent
  1179. # web applications running on the proxy server who think the only
  1180. # one who can access services on "localhost" is a local user
  1181. #http_access deny to_localhost
  1182.  
  1183. #
  1184. # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
  1185. #
  1186.  
  1187. # Example rule allowing access from your local networks.
  1188. # Adapt localnet in the ACL section to list your (internal) IP networks
  1189. # from where browsing should be allowed
  1190. #http_access allow localnet
  1191. http_access allow localhost
  1192.  
  1193. # And finally deny all other access to this proxy
  1194. http_access deny all
  1195.  
  1196. #  TAG: adapted_http_access
  1197. #       Allowing or Denying access based on defined access lists
  1198. #
  1199. #       Essentially identical to http_access, but runs after redirectors
  1200. #       and ICAP/eCAP adaptation. Allowing access control based on their
  1201. #       output.
  1202. #
  1203. #       If not set then only http_access is used.
  1204. #Default:
  1205. # Allow, unless rules exist in squid.conf.
  1206.  
  1207. #  TAG: http_reply_access
  1208. #       Allow replies to client requests. This is complementary to http_access.
  1209. #
  1210. #       http_reply_access allow|deny [!] aclname ...
  1211. #
  1212. #       NOTE: if there are no access lines present, the default is to allow
  1213. #       all replies.
  1214. #
  1215. #       If none of the access lines cause a match the opposite of the
  1216. #       last line will apply. Thus it is good practice to end the rules
  1217. #       with an "allow all" or "deny all" entry.
  1218. #
  1219. #       This clause supports both fast and slow acl types.
  1220. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1221. #Default:
  1222. # Allow, unless rules exist in squid.conf.
  1223.  
  1224. #  TAG: icp_access
  1225. #       Allowing or Denying access to the ICP port based on defined
  1226. #       access lists
  1227. #
  1228. #       icp_access  allow|deny [!]aclname ...
  1229. #
  1230. #       NOTE: The default if no icp_access lines are present is to
  1231. #       deny all traffic. This default may cause problems with peers
  1232. #       using ICP.
  1233. #
  1234. #       This clause only supports fast acl types.
  1235. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1236. #
  1237. ## Allow ICP queries from local networks only
  1238. ##icp_access allow localnet
  1239. ##icp_access deny all
  1240. #Default:
  1241. # Deny, unless rules exist in squid.conf.
  1242.  
  1243. #  TAG: htcp_access
  1244. #       Allowing or Denying access to the HTCP port based on defined
  1245. #       access lists
  1246. #
  1247. #       htcp_access  allow|deny [!]aclname ...
  1248. #
  1249. #       See also htcp_clr_access for details on access control for
  1250. #       cache purge (CLR) HTCP messages.
  1251. #
  1252. #       NOTE: The default if no htcp_access lines are present is to
  1253. #       deny all traffic. This default may cause problems with peers
  1254. #       using the htcp option.
  1255. #
  1256. #       This clause only supports fast acl types.
  1257. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1258. #
  1259. ## Allow HTCP queries from local networks only
  1260. ##htcp_access allow localnet
  1261. ##htcp_access deny all
  1262. #Default:
  1263. # Deny, unless rules exist in squid.conf.
  1264.  
  1265. #  TAG: htcp_clr_access
  1266. #       Allowing or Denying access to purge content using HTCP based
  1267. #       on defined access lists.
  1268. #       See htcp_access for details on general HTCP access control.
  1269. #
  1270. #       htcp_clr_access  allow|deny [!]aclname ...
  1271. #
  1272. #       This clause only supports fast acl types.
  1273. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1274. #
  1275. ## Allow HTCP CLR requests from trusted peers
  1276. #acl htcp_clr_peer src 192.0.2.2 2001:DB8::2
  1277. #htcp_clr_access allow htcp_clr_peer
  1278. #htcp_clr_access deny all
  1279. #Default:
  1280. # Deny, unless rules exist in squid.conf.
  1281.  
  1282. #  TAG: miss_access
  1283. #       Determines whether network access is permitted when satisfying a request.
  1284. #
  1285. #       For example;
  1286. #           to force your neighbors to use you as a sibling instead of
  1287. #           a parent.
  1288. #
  1289. #               acl localclients src 192.0.2.0/24 2001:DB8::a:0/64
  1290. #               miss_access deny  !localclients
  1291. #               miss_access allow all
  1292. #
  1293. #       This means only your local clients are allowed to fetch relayed/MISS
  1294. #       replies from the network and all other clients can only fetch cached
  1295. #       objects (HITs).
  1296. #
  1297. #       The default for this setting allows all clients who passed the
  1298. #       http_access rules to relay via this proxy.
  1299. #
  1300. #       This clause only supports fast acl types.
  1301. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1302. #Default:
  1303. # Allow, unless rules exist in squid.conf.
  1304.  
  1305. #  TAG: ident_lookup_access
  1306. #       A list of ACL elements which, if matched, cause an ident
  1307. #       (RFC 931) lookup to be performed for this request.  For
  1308. #       example, you might choose to always perform ident lookups
  1309. #       for your main multi-user Unix boxes, but not for your Macs
  1310. #       and PCs.  By default, ident lookups are not performed for
  1311. #       any requests.
  1312. #
  1313. #       To enable ident lookups for specific client addresses, you
  1314. #       can follow this example:
  1315. #
  1316. #       acl ident_aware_hosts src 198.168.1.0/24
  1317. #       ident_lookup_access allow ident_aware_hosts
  1318. #       ident_lookup_access deny all
  1319. #
  1320. #       Only src type ACL checks are fully supported.  A srcdomain
  1321. #       ACL might work at times, but it will not always provide
  1322. #       the correct result.
  1323. #
  1324. #       This clause only supports fast acl types.
  1325. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1326. #Default:
  1327. # Unless rules exist in squid.conf, IDENT is not fetched.
  1328.  
  1329. #  TAG: reply_body_max_size     size [acl acl...]
  1330. #       This option specifies the maximum size of a reply body. It can be
  1331. #       used to prevent users from downloading very large files, such as
  1332. #       MP3's and movies. When the reply headers are received, the
  1333. #       reply_body_max_size lines are processed, and the first line where
  1334. #       all (if any) listed ACLs are true is used as the maximum body size
  1335. #       for this reply.
  1336. #
  1337. #       This size is checked twice. First when we get the reply headers,
  1338. #       we check the content-length value.  If the content length value exists
  1339. #       and is larger than the allowed size, the request is denied and the
  1340. #       user receives an error message that says "the request or reply
  1341. #       is too large." If there is no content-length, and the reply
  1342. #       size exceeds this limit, the client's connection is just closed
  1343. #       and they will receive a partial reply.
  1344. #
  1345. #       WARNING: downstream caches probably can not detect a partial reply
  1346. #       if there is no content-length header, so they will cache
  1347. #       partial responses and give them out as hits.  You should NOT
  1348. #       use this option if you have downstream caches.
  1349. #
  1350. #       WARNING: A maximum size smaller than the size of squid's error messages
  1351. #       will cause an infinite loop and crash squid. Ensure that the smallest
  1352. #       non-zero value you use is greater that the maximum header size plus
  1353. #       the size of your largest error page.
  1354. #
  1355. #       If you set this parameter none (the default), there will be
  1356. #       no limit imposed.
  1357. #
  1358. #       Configuration Format is:
  1359. #               reply_body_max_size SIZE UNITS [acl ...]
  1360. #       ie.
  1361. #               reply_body_max_size 10 MB
  1362. #
  1363. #Default:
  1364. # No limit is applied.
  1365.  
  1366. # NETWORK OPTIONS
  1367. # -----------------------------------------------------------------------------
  1368.  
  1369. #  TAG: http_port
  1370. #       Usage:  port [mode] [options]
  1371. #               hostname:port [mode] [options]
  1372. #               1.2.3.4:port [mode] [options]
  1373. #
  1374. #       The socket addresses where Squid will listen for HTTP client
  1375. #       requests.  You may specify multiple socket addresses.
  1376. #       There are three forms: port alone, hostname with port, and
  1377. #       IP address with port.  If you specify a hostname or IP
  1378. #       address, Squid binds the socket to that specific
  1379. #       address. Most likely, you do not need to bind to a specific
  1380. #       address, so you can use the port number alone.
  1381. #
  1382. #       If you are running Squid in accelerator mode, you
  1383. #       probably want to listen on port 80 also, or instead.
  1384. #
  1385. #       The -a command line option may be used to specify additional
  1386. #       port(s) where Squid listens for proxy request. Such ports will
  1387. #       be plain proxy ports with no options.
  1388. #
  1389. #       You may specify multiple socket addresses on multiple lines.
  1390. #
  1391. #       Modes:
  1392. #
  1393. #          intercept    Support for IP-Layer NAT interception delivering
  1394. #                       traffic to this Squid port.
  1395. #                       NP: disables authentication on the port.
  1396. #
  1397. #          tproxy       Support Linux TPROXY (or BSD divert-to) with spoofing
  1398. #                       of outgoing connections using the client IP address.
  1399. #                       NP: disables authentication on the port.
  1400. #
  1401. #          accel        Accelerator / reverse proxy mode
  1402. #
  1403. #          ssl-bump     For each CONNECT request allowed by ssl_bump ACLs,
  1404. #                       establish secure connection with the client and with
  1405. #                       the server, decrypt HTTPS messages as they pass through
  1406. #                       Squid, and treat them as unencrypted HTTP messages,
  1407. #                       becoming the man-in-the-middle.
  1408. #
  1409. #                       The ssl_bump option is required to fully enable
  1410. #                       bumping of CONNECT requests.
  1411. #
  1412. #       Omitting the mode flag causes default forward proxy mode to be used.
  1413. #
  1414. #
  1415. #       Accelerator Mode Options:
  1416. #
  1417. #          defaultsite=domainname
  1418. #                       What to use for the Host: header if it is not present
  1419. #                       in a request. Determines what site (not origin server)
  1420. #                       accelerators should consider the default.
  1421. #
  1422. #          no-vhost     Disable using HTTP/1.1 Host header for virtual domain support.
  1423. #
  1424. #          protocol=    Protocol to reconstruct accelerated and intercepted
  1425. #                       requests with. Defaults to HTTP/1.1 for http_port and
  1426. #                       HTTPS/1.1 for https_port.
  1427. #                       When an unsupported value is configured Squid will
  1428. #                       produce a FATAL error.
  1429. #                       Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1
  1430. #
  1431. #          vport        Virtual host port support. Using the http_port number
  1432. #                       instead of the port passed on Host: headers.
  1433. #
  1434. #          vport=NN     Virtual host port support. Using the specified port
  1435. #                       number instead of the port passed on Host: headers.
  1436. #
  1437. #          act-as-origin
  1438. #                       Act as if this Squid is the origin server.
  1439. #                       This currently means generate new Date: and Expires:
  1440. #                       headers on HIT instead of adding Age:.
  1441. #
  1442. #          ignore-cc    Ignore request Cache-Control headers.
  1443. #
  1444. #                       WARNING: This option violates HTTP specifications if
  1445. #                       used in non-accelerator setups.
  1446. #
  1447. #          allow-direct Allow direct forwarding in accelerator mode. Normally
  1448. #                       accelerated requests are denied direct forwarding as if
  1449. #                       never_direct was used.
  1450. #
  1451. #                       WARNING: this option opens accelerator mode to security
  1452. #                       vulnerabilities usually only affecting in interception
  1453. #                       mode. Make sure to protect forwarding with suitable
  1454. #                       http_access rules when using this.
  1455. #
  1456. #
  1457. #       SSL Bump Mode Options:
  1458. #           In addition to these options ssl-bump requires TLS/SSL options.
  1459. #
  1460. #          generate-host-certificates[=<on|off>]
  1461. #                       Dynamically create SSL server certificates for the
  1462. #                       destination hosts of bumped CONNECT requests.When
  1463. #                       enabled, the cert and key options are used to sign
  1464. #                       generated certificates. Otherwise generated
  1465. #                       certificate will be selfsigned.
  1466. #                       If there is a CA certificate lifetime of the generated
  1467. #                       certificate equals lifetime of the CA certificate. If
  1468. #                       generated certificate is selfsigned lifetime is three
  1469. #                       years.
  1470. #                       This option is disabled by default. See the ssl-bump
  1471. #                       option above for more information.
  1472. #                      
  1473. #          dynamic_cert_mem_cache_size=SIZE
  1474. #                       Approximate total RAM size spent on cached generated
  1475. #                       certificates. If set to zero, caching is disabled.
  1476. #
  1477. #       TLS / SSL Options:
  1478. #
  1479. #          cert=        Path to SSL certificate (PEM format).
  1480. #
  1481. #          key=         Path to SSL private key file (PEM format)
  1482. #                       if not specified, the certificate file is
  1483. #                       assumed to be a combined certificate and
  1484. #                       key file.
  1485. #
  1486. #          version=     The version of SSL/TLS supported
  1487. #                           1   automatic (default)
  1488. #                           2   SSLv2 only
  1489. #                           3   SSLv3 only
  1490. #                           4   TLSv1.0 only
  1491. #                           5   TLSv1.1 only
  1492. #                           6   TLSv1.2 only
  1493. #
  1494. #          cipher=      Colon separated list of supported ciphers.
  1495. #                       NOTE: some ciphers such as EDH ciphers depend on
  1496. #                             additional settings. If those settings are
  1497. #                             omitted the ciphers may be silently ignored
  1498. #                             by the OpenSSL library.
  1499. #
  1500. #          options=     Various SSL implementation options. The most important
  1501. #                       being:
  1502. #                           NO_SSLv2    Disallow the use of SSLv2
  1503. #                           NO_SSLv3    Disallow the use of SSLv3
  1504. #                           NO_TLSv1    Disallow the use of TLSv1.0
  1505. #                           NO_TLSv1_1  Disallow the use of TLSv1.1
  1506. #                           NO_TLSv1_2  Disallow the use of TLSv1.2
  1507. #                           SINGLE_DH_USE Always create a new key when using
  1508. #                                     temporary/ephemeral DH key exchanges
  1509. #                           NO_TICKET Disables TLS tickets extension
  1510. #
  1511. #                           SINGLE_ECDH_USE
  1512. #                                     Enable ephemeral ECDH key exchange.
  1513. #                                     The adopted curve should be specified
  1514. #                                     using the tls-dh option.
  1515. #
  1516. #                           ALL       Enable various bug workarounds
  1517. #                                     suggested as "harmless" by OpenSSL
  1518. #                                     Be warned that this reduces SSL/TLS
  1519. #                                     strength to some attacks.
  1520. #                       See OpenSSL SSL_CTX_set_options documentation for a
  1521. #                       complete list of options.
  1522. #
  1523. #          clientca=    File containing the list of CAs to use when
  1524. #                       requesting a client certificate.
  1525. #
  1526. #          cafile=      File containing additional CA certificates to
  1527. #                       use when verifying client certificates. If unset
  1528. #                       clientca will be used.
  1529. #
  1530. #          capath=      Directory containing additional CA certificates
  1531. #                       and CRL lists to use when verifying client certificates.
  1532. #
  1533. #          crlfile=     File of additional CRL lists to use when verifying
  1534. #                       the client certificate, in addition to CRLs stored in
  1535. #                       the capath. Implies VERIFY_CRL flag below.
  1536. #
  1537. #          tls-dh=[curve:]file
  1538. #                       File containing DH parameters for temporary/ephemeral DH key
  1539. #                       exchanges, optionally prefixed by a curve for ephemeral ECDH
  1540. #                       key exchanges.
  1541. #                       See OpenSSL documentation for details on how to create the
  1542. #                       DH parameter file. Supported curves for ECDH can be listed
  1543. #                       using the "openssl ecparam -list_curves" command.
  1544. #                       WARNING: EDH and EECDH ciphers will be silently disabled if
  1545. #                                this option is not set.
  1546. #
  1547. #          sslflags=    Various flags modifying the use of SSL:
  1548. #                           DELAYED_AUTH
  1549. #                               Don't request client certificates
  1550. #                               immediately, but wait until acl processing
  1551. #                               requires a certificate (not yet implemented).
  1552. #                           NO_DEFAULT_CA
  1553. #                               Don't use the default CA lists built in
  1554. #                               to OpenSSL.
  1555. #                           NO_SESSION_REUSE
  1556. #                               Don't allow for session reuse. Each connection
  1557. #                               will result in a new SSL session.
  1558. #                           VERIFY_CRL
  1559. #                               Verify CRL lists when accepting client
  1560. #                               certificates.
  1561. #                           VERIFY_CRL_ALL
  1562. #                               Verify CRL lists for all certificates in the
  1563. #                               client certificate chain.
  1564. #
  1565. #          sslcontext=  SSL session ID context identifier.
  1566. #
  1567. #       Other Options:
  1568. #
  1569. #          connection-auth[=on|off]
  1570. #                       use connection-auth=off to tell Squid to prevent
  1571. #                       forwarding Microsoft connection oriented authentication
  1572. #                       (NTLM, Negotiate and Kerberos)
  1573. #
  1574. #          disable-pmtu-discovery=
  1575. #                       Control Path-MTU discovery usage:
  1576. #                           off         lets OS decide on what to do (default).
  1577. #                           transparent disable PMTU discovery when transparent
  1578. #                                       support is enabled.
  1579. #                           always      disable always PMTU discovery.
  1580. #
  1581. #                       In many setups of transparently intercepting proxies
  1582. #                       Path-MTU discovery can not work on traffic towards the
  1583. #                       clients. This is the case when the intercepting device
  1584. #                       does not fully track connections and fails to forward
  1585. #                       ICMP must fragment messages to the cache server. If you
  1586. #                       have such setup and experience that certain clients
  1587. #                       sporadically hang or never complete requests set
  1588. #                       disable-pmtu-discovery option to 'transparent'.
  1589. #
  1590. #          name=        Specifies a internal name for the port. Defaults to
  1591. #                       the port specification (port or addr:port)
  1592. #
  1593. #          tcpkeepalive[=idle,interval,timeout]
  1594. #                       Enable TCP keepalive probes of idle connections.
  1595. #                       In seconds; idle is the initial time before TCP starts
  1596. #                       probing the connection, interval how often to probe, and
  1597. #                       timeout the time before giving up.
  1598. #
  1599. #          require-proxy-header
  1600. #                       Require PROXY protocol version 1 or 2 connections.
  1601. #                       The proxy_protocol_access is required to whitelist
  1602. #                       downstream proxies which can be trusted.
  1603. #
  1604. #       If you run Squid on a dual-homed machine with an internal
  1605. #       and an external interface we recommend you to specify the
  1606. #       internal address:port in http_port. This way Squid will only be
  1607. #       visible on the internal address.
  1608. #
  1609. #
  1610.  
  1611. # Squid normally listens to port 3128
  1612. http_port 3128
  1613.  
  1614. #  TAG: https_port
  1615. # Note: This option is only available if Squid is rebuilt with the
  1616. #       --with-openssl
  1617. #
  1618. #       Usage:  [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
  1619. #
  1620. #       The socket address where Squid will listen for client requests made
  1621. #       over TLS or SSL connections. Commonly referred to as HTTPS.
  1622. #
  1623. #       This is most useful for situations where you are running squid in
  1624. #       accelerator mode and you want to do the SSL work at the accelerator level.
  1625. #
  1626. #       You may specify multiple socket addresses on multiple lines,
  1627. #       each with their own SSL certificate and/or options.
  1628. #
  1629. #       Modes:
  1630. #
  1631. #          accel        Accelerator / reverse proxy mode
  1632. #
  1633. #          intercept    Support for IP-Layer interception of
  1634. #                       outgoing requests without browser settings.
  1635. #                       NP: disables authentication and IPv6 on the port.
  1636. #
  1637. #          tproxy       Support Linux TPROXY for spoofing outgoing
  1638. #                       connections using the client IP address.
  1639. #                       NP: disables authentication and maybe IPv6 on the port.
  1640. #
  1641. #          ssl-bump     For each intercepted connection allowed by ssl_bump
  1642. #                       ACLs, establish a secure connection with the client and with
  1643. #                       the server, decrypt HTTPS messages as they pass through
  1644. #                       Squid, and treat them as unencrypted HTTP messages,
  1645. #                       becoming the man-in-the-middle.
  1646. #
  1647. #                       An "ssl_bump server-first" match is required to
  1648. #                       fully enable bumping of intercepted SSL connections.
  1649. #
  1650. #                       Requires tproxy or intercept.
  1651. #
  1652. #       Omitting the mode flag causes default forward proxy mode to be used.
  1653. #
  1654. #
  1655. #       See http_port for a list of generic options
  1656. #
  1657. #
  1658. #       SSL Options:
  1659. #
  1660. #          cert=        Path to SSL certificate (PEM format).
  1661. #
  1662. #          key=         Path to SSL private key file (PEM format)
  1663. #                       if not specified, the certificate file is
  1664. #                       assumed to be a combined certificate and
  1665. #                       key file.
  1666. #
  1667. #          version=     The version of SSL/TLS supported
  1668. #                           1   automatic (default)
  1669. #                           2   SSLv2 only
  1670. #                           3   SSLv3 only
  1671. #                           4   TLSv1 only
  1672. #
  1673. #          cipher=      Colon separated list of supported ciphers.
  1674. #
  1675. #          options=     Various SSL engine options. The most important
  1676. #                       being:
  1677. #                           NO_SSLv2  Disallow the use of SSLv2
  1678. #                           NO_SSLv3  Disallow the use of SSLv3
  1679. #                           NO_TLSv1  Disallow the use of TLSv1
  1680. #
  1681. #                           SINGLE_DH_USE Always create a new key when using
  1682. #                                     temporary/ephemeral DH key exchanges
  1683. #
  1684. #                           SINGLE_ECDH_USE
  1685. #                                     Enable ephemeral ECDH key exchange.
  1686. #                                     The adopted curve should be specified
  1687. #                                     using the tls-dh option.
  1688. #
  1689. #                       See src/ssl_support.c or OpenSSL SSL_CTX_set_options
  1690. #                       documentation for a complete list of options.
  1691. #
  1692. #          clientca=    File containing the list of CAs to use when
  1693. #                       requesting a client certificate.
  1694. #
  1695. #          cafile=      File containing additional CA certificates to
  1696. #                       use when verifying client certificates. If unset
  1697. #                       clientca will be used.
  1698. #
  1699. #          capath=      Directory containing additional CA certificates
  1700. #                       and CRL lists to use when verifying client certificates.
  1701. #
  1702. #          crlfile=     File of additional CRL lists to use when verifying
  1703. #                       the client certificate, in addition to CRLs stored in
  1704. #                       the capath. Implies VERIFY_CRL flag below.
  1705. #
  1706. #          tls-dh=[curve:]file
  1707. #                       File containing DH parameters for temporary/ephemeral DH key
  1708. #                       exchanges, optionally prefixed by a curve for ephemeral ECDH
  1709. #                       key exchanges.
  1710. #
  1711. #          sslflags=    Various flags modifying the use of SSL:
  1712. #                           DELAYED_AUTH
  1713. #                               Don't request client certificates
  1714. #                               immediately, but wait until acl processing
  1715. #                               requires a certificate (not yet implemented).
  1716. #                           NO_DEFAULT_CA
  1717. #                               Don't use the default CA lists built in
  1718. #                               to OpenSSL.
  1719. #                           NO_SESSION_REUSE
  1720. #                               Don't allow for session reuse. Each connection
  1721. #                               will result in a new SSL session.
  1722. #                           VERIFY_CRL
  1723. #                               Verify CRL lists when accepting client
  1724. #                               certificates.
  1725. #                           VERIFY_CRL_ALL
  1726. #                               Verify CRL lists for all certificates in the
  1727. #                               client certificate chain.
  1728. #
  1729. #          sslcontext=  SSL session ID context identifier.
  1730. #
  1731. #          generate-host-certificates[=<on|off>]
  1732. #                       Dynamically create SSL server certificates for the
  1733. #                       destination hosts of bumped SSL requests.When
  1734. #                       enabled, the cert and key options are used to sign
  1735. #                       generated certificates. Otherwise generated
  1736. #                       certificate will be selfsigned.
  1737. #                       If there is CA certificate life time of generated
  1738. #                       certificate equals lifetime of CA certificate. If
  1739. #                       generated certificate is selfsigned lifetime is three
  1740. #                       years.
  1741. #                       This option is disabled by default. See the ssl-bump
  1742. #                       option above for more information.
  1743. #
  1744. #          dynamic_cert_mem_cache_size=SIZE
  1745. #                       Approximate total RAM size spent on cached generated
  1746. #                       certificates. If set to zero, caching is disabled.
  1747. #
  1748. #       See http_port for a list of available options.
  1749. #Default:
  1750. # none
  1751.  
  1752. #  TAG: ftp_port
  1753. #       Enables Native FTP proxy by specifying the socket address where Squid
  1754. #       listens for FTP client requests. See http_port directive for various
  1755. #       ways to specify the listening address and mode.
  1756. #
  1757. #       Usage: ftp_port address [mode] [options]
  1758. #
  1759. #       WARNING: This is a new, experimental, complex feature that has seen
  1760. #       limited production exposure. Some Squid modules (e.g., caching) do not
  1761. #       currently work with native FTP proxying, and many features have not
  1762. #       even been tested for compatibility. Test well before deploying!
  1763. #
  1764. #       Native FTP proxying differs substantially from proxying HTTP requests
  1765. #       with ftp:// URIs because Squid works as an FTP server and receives
  1766. #       actual FTP commands (rather than HTTP requests with FTP URLs).
  1767. #
  1768. #       Native FTP commands accepted at ftp_port are internally converted or
  1769. #       wrapped into HTTP-like messages. The same happens to Native FTP
  1770. #       responses received from FTP origin servers. Those HTTP-like messages
  1771. #       are shoveled through regular access control and adaptation layers
  1772. #       between the FTP client and the FTP origin server. This allows Squid to
  1773. #       examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP
  1774. #       mechanisms when shoveling wrapped FTP messages. For example,
  1775. #       http_access and adaptation_access directives are used.
  1776. #
  1777. #       Modes:
  1778. #
  1779. #          intercept    Same as http_port intercept. The FTP origin address is
  1780. #                       determined based on the intended destination of the
  1781. #                       intercepted connection.
  1782. #
  1783. #          tproxy       Support Linux TPROXY for spoofing outgoing
  1784. #                       connections using the client IP address.
  1785. #                       NP: disables authentication and maybe IPv6 on the port.
  1786. #
  1787. #       By default (i.e., without an explicit mode option), Squid extracts the
  1788. #       FTP origin address from the login@origin parameter of the FTP USER
  1789. #       command. Many popular FTP clients support such native FTP proxying.
  1790. #
  1791. #       Options:
  1792. #
  1793. #          name=token   Specifies an internal name for the port. Defaults to
  1794. #                       the port address. Usable with myportname ACL.
  1795. #
  1796. #          ftp-track-dirs
  1797. #                       Enables tracking of FTP directories by injecting extra
  1798. #                       PWD commands and adjusting Request-URI (in wrapping
  1799. #                       HTTP requests) to reflect the current FTP server
  1800. #                       directory. Tracking is disabled by default.
  1801. #
  1802. #          protocol=FTP Protocol to reconstruct accelerated and intercepted
  1803. #                       requests with. Defaults to FTP. No other accepted
  1804. #                       values have been tested with. An unsupported value
  1805. #                       results in a FATAL error. Accepted values are FTP,
  1806. #                       HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1).
  1807. #
  1808. #       Other http_port modes and options that are not specific to HTTP and
  1809. #       HTTPS may also work.
  1810. #Default:
  1811. # none
  1812.  
  1813. #  TAG: tcp_outgoing_tos
  1814. #       Allows you to select a TOS/Diffserv value for packets outgoing
  1815. #       on the server side, based on an ACL.
  1816. #
  1817. #       tcp_outgoing_tos ds-field [!]aclname ...
  1818. #
  1819. #       Example where normal_service_net uses the TOS value 0x00
  1820. #       and good_service_net uses 0x20
  1821. #
  1822. #       acl normal_service_net src 10.0.0.0/24
  1823. #       acl good_service_net src 10.0.1.0/24
  1824. #       tcp_outgoing_tos 0x00 normal_service_net
  1825. #       tcp_outgoing_tos 0x20 good_service_net
  1826. #
  1827. #       TOS/DSCP values really only have local significance - so you should
  1828. #       know what you're specifying. For more information, see RFC2474,
  1829. #       RFC2475, and RFC3260.
  1830. #
  1831. #       The TOS/DSCP byte must be exactly that - a octet value  0 - 255, or
  1832. #       "default" to use whatever default your host has.
  1833. #       Note that only multiples of 4 are usable as the two rightmost bits have
  1834. #       been redefined for use by ECN (RFC 3168 section 23.1).
  1835. #       The squid parser will enforce this by masking away the ECN bits.
  1836. #
  1837. #       Processing proceeds in the order specified, and stops at first fully
  1838. #       matching line.
  1839. #
  1840. #       Only fast ACLs are supported.
  1841. #Default:
  1842. # none
  1843.  
  1844. #  TAG: clientside_tos
  1845. #       Allows you to select a TOS/DSCP value for packets being transmitted
  1846. #       on the client-side, based on an ACL.
  1847. #
  1848. #       clientside_tos ds-field [!]aclname ...
  1849. #
  1850. #       Example where normal_service_net uses the TOS value 0x00
  1851. #       and good_service_net uses 0x20
  1852. #
  1853. #       acl normal_service_net src 10.0.0.0/24
  1854. #       acl good_service_net src 10.0.1.0/24
  1855. #       clientside_tos 0x00 normal_service_net
  1856. #       clientside_tos 0x20 good_service_net
  1857. #
  1858. #       Note: This feature is incompatible with qos_flows. Any TOS values set here
  1859. #       will be overwritten by TOS values in qos_flows.
  1860. #
  1861. #       The TOS/DSCP byte must be exactly that - a octet value  0 - 255, or
  1862. #       "default" to use whatever default your host has.
  1863. #       Note that only multiples of 4 are usable as the two rightmost bits have
  1864. #       been redefined for use by ECN (RFC 3168 section 23.1).
  1865. #       The squid parser will enforce this by masking away the ECN bits.
  1866. #
  1867. #Default:
  1868. # none
  1869.  
  1870. #  TAG: tcp_outgoing_mark
  1871. # Note: This option is only available if Squid is rebuilt with the
  1872. #       Packet MARK (Linux)
  1873. #
  1874. #       Allows you to apply a Netfilter mark value to outgoing packets
  1875. #       on the server side, based on an ACL.
  1876. #
  1877. #       tcp_outgoing_mark mark-value [!]aclname ...
  1878. #
  1879. #       Example where normal_service_net uses the mark value 0x00
  1880. #       and good_service_net uses 0x20
  1881. #
  1882. #       acl normal_service_net src 10.0.0.0/24
  1883. #       acl good_service_net src 10.0.1.0/24
  1884. #       tcp_outgoing_mark 0x00 normal_service_net
  1885. #       tcp_outgoing_mark 0x20 good_service_net
  1886. #
  1887. #       Only fast ACLs are supported.
  1888. #Default:
  1889. # none
  1890.  
  1891. #  TAG: clientside_mark
  1892. # Note: This option is only available if Squid is rebuilt with the
  1893. #       Packet MARK (Linux)
  1894. #
  1895. #       Allows you to apply a Netfilter mark value to packets being transmitted
  1896. #       on the client-side, based on an ACL.
  1897. #
  1898. #       clientside_mark mark-value [!]aclname ...
  1899. #
  1900. #       Example where normal_service_net uses the mark value 0x00
  1901. #       and good_service_net uses 0x20
  1902. #
  1903. #       acl normal_service_net src 10.0.0.0/24
  1904. #       acl good_service_net src 10.0.1.0/24
  1905. #       clientside_mark 0x00 normal_service_net
  1906. #       clientside_mark 0x20 good_service_net
  1907. #
  1908. #       Note: This feature is incompatible with qos_flows. Any mark values set here
  1909. #       will be overwritten by mark values in qos_flows.
  1910. #Default:
  1911. # none
  1912.  
  1913. #  TAG: qos_flows
  1914. #       Allows you to select a TOS/DSCP value to mark outgoing
  1915. #       connections to the client, based on where the reply was sourced.
  1916. #       For platforms using netfilter, allows you to set a netfilter mark
  1917. #       value instead of, or in addition to, a TOS value.
  1918. #
  1919. #       By default this functionality is disabled. To enable it with the default
  1920. #       settings simply use "qos_flows mark" or "qos_flows tos". Default
  1921. #       settings will result in the netfilter mark or TOS value being copied
  1922. #       from the upstream connection to the client. Note that it is the connection
  1923. #       CONNMARK value not the packet MARK value that is copied.
  1924. #
  1925. #       It is not currently possible to copy the mark or TOS value from the
  1926. #       client to the upstream connection request.
  1927. #
  1928. #       TOS values really only have local significance - so you should
  1929. #       know what you're specifying. For more information, see RFC2474,
  1930. #       RFC2475, and RFC3260.
  1931. #
  1932. #       The TOS/DSCP byte must be exactly that - a octet value  0 - 255.
  1933. #       Note that only multiples of 4 are usable as the two rightmost bits have
  1934. #       been redefined for use by ECN (RFC 3168 section 23.1).
  1935. #       The squid parser will enforce this by masking away the ECN bits.
  1936. #
  1937. #       Mark values can be any unsigned 32-bit integer value.
  1938. #
  1939. #       This setting is configured by setting the following values:
  1940. #
  1941. #       tos|mark                Whether to set TOS or netfilter mark values
  1942. #
  1943. #       local-hit=0xFF          Value to mark local cache hits.
  1944. #
  1945. #       sibling-hit=0xFF        Value to mark hits from sibling peers.
  1946. #
  1947. #       parent-hit=0xFF         Value to mark hits from parent peers.
  1948. #
  1949. #       miss=0xFF[/mask]        Value to mark cache misses. Takes precedence
  1950. #                               over the preserve-miss feature (see below), unless
  1951. #                               mask is specified, in which case only the bits
  1952. #                               specified in the mask are written.
  1953. #
  1954. #       The TOS variant of the following features are only possible on Linux
  1955. #       and require your kernel to be patched with the TOS preserving ZPH
  1956. #       patch, available from http://zph.bratcheda.org
  1957. #       No patch is needed to preserve the netfilter mark, which will work
  1958. #       with all variants of netfilter.
  1959. #
  1960. #       disable-preserve-miss
  1961. #               This option disables the preservation of the TOS or netfilter
  1962. #               mark. By default, the existing TOS or netfilter mark value of
  1963. #               the response coming from the remote server will be retained
  1964. #               and masked with miss-mark.
  1965. #               NOTE: in the case of a netfilter mark, the mark must be set on
  1966. #               the connection (using the CONNMARK target) not on the packet
  1967. #               (MARK target).
  1968. #
  1969. #       miss-mask=0xFF
  1970. #               Allows you to mask certain bits in the TOS or mark value
  1971. #               received from the remote server, before copying the value to
  1972. #               the TOS sent towards clients.
  1973. #               Default for tos: 0xFF (TOS from server is not changed).
  1974. #               Default for mark: 0xFFFFFFFF (mark from server is not changed).
  1975. #
  1976. #       All of these features require the --enable-zph-qos compilation flag
  1977. #       (enabled by default). Netfilter marking also requires the
  1978. #       libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
  1979. #       libcap 2.09+ (--with-libcap).
  1980. #
  1981. #Default:
  1982. # none
  1983.  
  1984. #  TAG: tcp_outgoing_address
  1985. #       Allows you to map requests to different outgoing IP addresses
  1986. #       based on the username or source address of the user making
  1987. #       the request.
  1988. #
  1989. #       tcp_outgoing_address ipaddr [[!]aclname] ...
  1990. #
  1991. #       For example;
  1992. #               Forwarding clients with dedicated IPs for certain subnets.
  1993. #
  1994. #         acl normal_service_net src 10.0.0.0/24
  1995. #         acl good_service_net src 10.0.2.0/24
  1996. #
  1997. #         tcp_outgoing_address 2001:db8::c001 good_service_net
  1998. #         tcp_outgoing_address 10.1.0.2 good_service_net
  1999. #
  2000. #         tcp_outgoing_address 2001:db8::beef normal_service_net
  2001. #         tcp_outgoing_address 10.1.0.1 normal_service_net
  2002. #
  2003. #         tcp_outgoing_address 2001:db8::1
  2004. #         tcp_outgoing_address 10.1.0.3
  2005. #
  2006. #       Processing proceeds in the order specified, and stops at first fully
  2007. #       matching line.
  2008. #
  2009. #       Squid will add an implicit IP version test to each line.
  2010. #       Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
  2011. #       Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
  2012. #
  2013. #
  2014. #       NOTE: The use of this directive using client dependent ACLs is
  2015. #       incompatible with the use of server side persistent connections. To
  2016. #       ensure correct results it is best to set server_persistent_connections
  2017. #       to off when using this directive in such configurations.
  2018. #
  2019. #       NOTE: The use of this directive to set a local IP on outgoing TCP links
  2020. #       is incompatible with using TPROXY to set client IP out outbound TCP links.
  2021. #       When needing to contact peers use the no-tproxy cache_peer option and the
  2022. #       client_dst_passthru directive re-enable normal forwarding such as this.
  2023. #
  2024. #Default:
  2025. # Address selection is performed by the operating system.
  2026.  
  2027. #  TAG: host_verify_strict
  2028. #       Regardless of this option setting, when dealing with intercepted
  2029. #       traffic, Squid always verifies that the destination IP address matches
  2030. #       the Host header domain or IP (called 'authority form URL').
  2031. #      
  2032. #       This enforcement is performed to satisfy a MUST-level requirement in
  2033. #       RFC 2616 section 14.23: "The Host field value MUST represent the naming
  2034. #       authority of the origin server or gateway given by the original URL".
  2035. #      
  2036. #       When set to ON:
  2037. #               Squid always responds with an HTTP 409 (Conflict) error
  2038. #               page and logs a security warning if there is no match.
  2039. #      
  2040. #               Squid verifies that the destination IP address matches
  2041. #               the Host header for forward-proxy and reverse-proxy traffic
  2042. #               as well. For those traffic types, Squid also enables the
  2043. #               following checks, comparing the corresponding Host header
  2044. #               and Request-URI components:
  2045. #      
  2046. #                * The host names (domain or IP) must be identical,
  2047. #                  but valueless or missing Host header disables all checks.
  2048. #                  For the two host names to match, both must be either IP
  2049. #                  or FQDN.
  2050. #      
  2051. #                * Port numbers must be identical, but if a port is missing
  2052. #                  the scheme-default port is assumed.
  2053. #      
  2054. #      
  2055. #       When set to OFF (the default):
  2056. #               Squid allows suspicious requests to continue but logs a
  2057. #               security warning and blocks caching of the response.
  2058. #      
  2059. #                * Forward-proxy traffic is not checked at all.
  2060. #      
  2061. #                * Reverse-proxy traffic is not checked at all.
  2062. #      
  2063. #                * Intercepted traffic which passes verification is handled
  2064. #                  according to client_dst_passthru.
  2065. #      
  2066. #                * Intercepted requests which fail verification are sent
  2067. #                  to the client original destination instead of DIRECT.
  2068. #                  This overrides 'client_dst_passthru off'.
  2069. #      
  2070. #               For now suspicious intercepted CONNECT requests are always
  2071. #               responded to with an HTTP 409 (Conflict) error page.
  2072. #      
  2073. #      
  2074. #       SECURITY NOTE:
  2075. #      
  2076. #       As described in CVE-2009-0801 when the Host: header alone is used
  2077. #       to determine the destination of a request it becomes trivial for
  2078. #       malicious scripts on remote websites to bypass browser same-origin
  2079. #       security policy and sandboxing protections.
  2080. #      
  2081. #       The cause of this is that such applets are allowed to perform their
  2082. #       own HTTP stack, in which case the same-origin policy of the browser
  2083. #       sandbox only verifies that the applet tries to contact the same IP
  2084. #       as from where it was loaded at the IP level. The Host: header may
  2085. #       be different from the connected IP and approved origin.
  2086. #      
  2087. #Default:
  2088. # host_verify_strict off
  2089.  
  2090. #  TAG: client_dst_passthru
  2091. #       With NAT or TPROXY intercepted traffic Squid may pass the request
  2092. #       directly to the original client destination IP or seek a faster
  2093. #       source using the HTTP Host header.
  2094. #      
  2095. #       Using Host to locate alternative servers can provide faster
  2096. #       connectivity with a range of failure recovery options.
  2097. #       But can also lead to connectivity trouble when the client and
  2098. #       server are attempting stateful interactions unaware of the proxy.
  2099. #      
  2100. #       This option (on by default) prevents alternative DNS entries being
  2101. #       located to send intercepted traffic DIRECT to an origin server.
  2102. #       The clients original destination IP and port will be used instead.
  2103. #      
  2104. #       Regardless of this option setting, when dealing with intercepted
  2105. #       traffic Squid will verify the Host: header and any traffic which
  2106. #       fails Host verification will be treated as if this option were ON.
  2107. #      
  2108. #       see host_verify_strict for details on the verification process.
  2109. #Default:
  2110. # client_dst_passthru on
  2111.  
  2112. # SSL OPTIONS
  2113. # -----------------------------------------------------------------------------
  2114.  
  2115. #  TAG: ssl_unclean_shutdown
  2116. # Note: This option is only available if Squid is rebuilt with the
  2117. #       --with-openssl
  2118. #
  2119. #       Some browsers (especially MSIE) bugs out on SSL shutdown
  2120. #       messages.
  2121. #Default:
  2122. # ssl_unclean_shutdown off
  2123.  
  2124. #  TAG: ssl_engine
  2125. # Note: This option is only available if Squid is rebuilt with the
  2126. #       --with-openssl
  2127. #
  2128. #       The OpenSSL engine to use. You will need to set this if you
  2129. #       would like to use hardware SSL acceleration for example.
  2130. #Default:
  2131. # none
  2132.  
  2133. #  TAG: sslproxy_client_certificate
  2134. # Note: This option is only available if Squid is rebuilt with the
  2135. #       --with-openssl
  2136. #
  2137. #       Client SSL Certificate to use when proxying https:// URLs
  2138. #Default:
  2139. # none
  2140.  
  2141. #  TAG: sslproxy_client_key
  2142. # Note: This option is only available if Squid is rebuilt with the
  2143. #       --with-openssl
  2144. #
  2145. #       Client SSL Key to use when proxying https:// URLs
  2146. #Default:
  2147. # none
  2148.  
  2149. #  TAG: sslproxy_version
  2150. # Note: This option is only available if Squid is rebuilt with the
  2151. #       --with-openssl
  2152. #
  2153. #       SSL version level to use when proxying https:// URLs
  2154. #
  2155. #       The versions of SSL/TLS supported:
  2156. #
  2157. #           1   automatic (default)
  2158. #           2   SSLv2 only
  2159. #           3   SSLv3 only
  2160. #           4   TLSv1.0 only
  2161. #           5   TLSv1.1 only
  2162. #           6   TLSv1.2 only
  2163. #Default:
  2164. # automatic SSL/TLS version negotiation
  2165.  
  2166. #  TAG: sslproxy_options
  2167. # Note: This option is only available if Squid is rebuilt with the
  2168. #       --with-openssl
  2169. #
  2170. #       Colon (:) or comma (,) separated list of SSL implementation options
  2171. #       to use when proxying https:// URLs
  2172. #      
  2173. #       The most important being:
  2174. #
  2175. #           NO_SSLv2    Disallow the use of SSLv2
  2176. #           NO_SSLv3    Disallow the use of SSLv3
  2177. #           NO_TLSv1    Disallow the use of TLSv1.0
  2178. #           NO_TLSv1_1  Disallow the use of TLSv1.1
  2179. #           NO_TLSv1_2  Disallow the use of TLSv1.2
  2180. #
  2181. #           SINGLE_DH_USE
  2182. #                     Always create a new key when using temporary/ephemeral
  2183. #                     DH key exchanges
  2184. #
  2185. #           NO_TICKET
  2186. #                     Disable use of RFC5077 session tickets. Some servers
  2187. #                     may have problems understanding the TLS extension due
  2188. #                     to ambiguous specification in RFC4507.
  2189. #
  2190. #           ALL       Enable various bug workarounds suggested as "harmless"
  2191. #                     by OpenSSL. Be warned that this may reduce SSL/TLS
  2192. #                     strength to some attacks.
  2193. #      
  2194. #       See the OpenSSL SSL_CTX_set_options documentation for a
  2195. #       complete list of possible options.
  2196. #      
  2197. #       WARNING: This directive takes a single token. If a space is used
  2198. #                the value(s) after that space are SILENTLY IGNORED.
  2199. #Default:
  2200. # none
  2201.  
  2202. #  TAG: sslproxy_cipher
  2203. # Note: This option is only available if Squid is rebuilt with the
  2204. #       --with-openssl
  2205. #
  2206. #       SSL cipher list to use when proxying https:// URLs
  2207. #
  2208. #       Colon separated list of supported ciphers.
  2209. #Default:
  2210. # none
  2211.  
  2212. #  TAG: sslproxy_cafile
  2213. # Note: This option is only available if Squid is rebuilt with the
  2214. #       --with-openssl
  2215. #
  2216. #       file containing CA certificates to use when verifying server
  2217. #       certificates while proxying https:// URLs
  2218. #Default:
  2219. # none
  2220.  
  2221. #  TAG: sslproxy_capath
  2222. # Note: This option is only available if Squid is rebuilt with the
  2223. #       --with-openssl
  2224. #
  2225. #       directory containing CA certificates to use when verifying
  2226. #       server certificates while proxying https:// URLs
  2227. #Default:
  2228. # none
  2229.  
  2230. #  TAG: sslproxy_session_ttl
  2231. # Note: This option is only available if Squid is rebuilt with the
  2232. #       --with-openssl
  2233. #
  2234. #       Sets the timeout value for SSL sessions
  2235. #Default:
  2236. # sslproxy_session_ttl 300
  2237.  
  2238. #  TAG: sslproxy_session_cache_size
  2239. # Note: This option is only available if Squid is rebuilt with the
  2240. #       --with-openssl
  2241. #
  2242. #        Sets the cache size to use for ssl session
  2243. #Default:
  2244. # sslproxy_session_cache_size 2 MB
  2245.  
  2246. #  TAG: sslproxy_foreign_intermediate_certs
  2247. # Note: This option is only available if Squid is rebuilt with the
  2248. #       --with-openssl
  2249. #
  2250. #       Many origin servers fail to send their full server certificate
  2251. #       chain for verification, assuming the client already has or can
  2252. #       easily locate any missing intermediate certificates.
  2253. #
  2254. #       Squid uses the certificates from the specified file to fill in
  2255. #       these missing chains when trying to validate origin server
  2256. #       certificate chains.
  2257. #
  2258. #       The file is expected to contain zero or more PEM-encoded
  2259. #       intermediate certificates. These certificates are not treated
  2260. #       as trusted root certificates, and any self-signed certificate in
  2261. #       this file will be ignored.
  2262. #Default:
  2263. # none
  2264.  
  2265. #  TAG: sslproxy_cert_sign_hash
  2266. # Note: This option is only available if Squid is rebuilt with the
  2267. #       --with-openssl
  2268. #
  2269. #       Sets the hashing algorithm to use when signing generated certificates.
  2270. #       Valid algorithm names depend on the OpenSSL library used. The following
  2271. #       names are usually available: sha1, sha256, sha512, and md5. Please see
  2272. #       your OpenSSL library manual for the available hashes. By default, Squids
  2273. #       that support this option use sha256 hashes.
  2274. #
  2275. #       Squid does not forcefully purge cached certificates that were generated
  2276. #       with an algorithm other than the currently configured one. They remain
  2277. #       in the cache, subject to the regular cache eviction policy, and become
  2278. #       useful if the algorithm changes again.
  2279. #Default:
  2280. # none
  2281.  
  2282. #  TAG: ssl_bump
  2283. # Note: This option is only available if Squid is rebuilt with the
  2284. #       --with-openssl
  2285. #
  2286. #       This option is consulted when a CONNECT request is received on
  2287. #       an http_port (or a new connection is intercepted at an
  2288. #       https_port), provided that port was configured with an ssl-bump
  2289. #       flag. The subsequent data on the connection is either treated as
  2290. #       HTTPS and decrypted OR tunneled at TCP level without decryption,
  2291. #       depending on the first matching bumping "action".
  2292. #
  2293. #       ssl_bump <action> [!]acl ...
  2294. #
  2295. #       The following bumping actions are currently supported:
  2296. #
  2297. #           splice
  2298. #               Become a TCP tunnel without decrypting proxied traffic.
  2299. #               This is the default action.
  2300. #
  2301. #           bump
  2302. #               When used on step SslBump1, establishes a secure connection
  2303. #               with the client first, then connect to the server.
  2304. #               When used on step SslBump2 or SslBump3, establishes a secure
  2305. #               connection with the server and, using a mimicked server
  2306. #               certificate, with the client.
  2307. #
  2308. #           peek
  2309. #               Receive client (step SslBump1) or server (step SslBump2)
  2310. #               certificate while preserving the possibility of splicing the
  2311. #               connection. Peeking at the server certificate (during step 2)
  2312. #               usually precludes bumping of the connection at step 3.
  2313. #
  2314. #           stare
  2315. #               Receive client (step SslBump1) or server (step SslBump2)
  2316. #               certificate while preserving the possibility of bumping the
  2317. #               connection. Staring at the server certificate (during step 2)
  2318. #               usually precludes splicing of the connection at step 3.
  2319. #
  2320. #           terminate
  2321. #               Close client and server connections.
  2322. #
  2323. #       Backward compatibility actions available at step SslBump1:
  2324. #
  2325. #           client-first
  2326. #               Bump the connection. Establish a secure connection with the
  2327. #               client first, then connect to the server. This old mode does
  2328. #               not allow Squid to mimic server SSL certificate and does not
  2329. #               work with intercepted SSL connections.
  2330. #
  2331. #           server-first
  2332. #               Bump the connection. Establish a secure connection with the
  2333. #               server first, then establish a secure connection with the
  2334. #               client, using a mimicked server certificate. Works with both
  2335. #               CONNECT requests and intercepted SSL connections, but does
  2336. #               not allow to make decisions based on SSL handshake info.
  2337. #
  2338. #           peek-and-splice
  2339. #               Decide whether to bump or splice the connection based on
  2340. #               client-to-squid and server-to-squid SSL hello messages.
  2341. #               XXX: Remove.
  2342. #
  2343. #           none
  2344. #               Same as the "splice" action.
  2345. #
  2346. #       All ssl_bump rules are evaluated at each of the supported bumping
  2347. #       steps.  Rules with actions that are impossible at the current step are
  2348. #       ignored. The first matching ssl_bump action wins and is applied at the
  2349. #       end of the current step. If no rules match, the splice action is used.
  2350. #       See the at_step ACL for a list of the supported SslBump steps.
  2351. #
  2352. #       This clause supports both fast and slow acl types.
  2353. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2354. #
  2355. #       See also: http_port ssl-bump, https_port ssl-bump, and acl at_step.
  2356. #
  2357. #
  2358. #       # Example: Bump all TLS connections except those originating from
  2359. #       # localhost or those going to example.com.
  2360. #
  2361. #       acl broken_sites ssl::server_name .example.com
  2362. #       ssl_bump splice localhost
  2363. #       ssl_bump splice broken_sites
  2364. #       ssl_bump bump all
  2365. #Default:
  2366. # Become a TCP tunnel without decrypting proxied traffic.
  2367.  
  2368. #  TAG: sslproxy_flags
  2369. # Note: This option is only available if Squid is rebuilt with the
  2370. #       --with-openssl
  2371. #
  2372. #       Various flags modifying the use of SSL while proxying https:// URLs:
  2373. #           DONT_VERIFY_PEER    Accept certificates that fail verification.
  2374. #                               For refined control, see sslproxy_cert_error.
  2375. #           NO_DEFAULT_CA       Don't use the default CA list built in
  2376. #                               to OpenSSL.
  2377. #Default:
  2378. # none
  2379.  
  2380. #  TAG: sslproxy_cert_error
  2381. # Note: This option is only available if Squid is rebuilt with the
  2382. #       --with-openssl
  2383. #
  2384. #       Use this ACL to bypass server certificate validation errors.
  2385. #
  2386. #       For example, the following lines will bypass all validation errors
  2387. #       when talking to servers for example.com. All other
  2388. #       validation errors will result in ERR_SECURE_CONNECT_FAIL error.
  2389. #
  2390. #               acl BrokenButTrustedServers dstdomain example.com
  2391. #               sslproxy_cert_error allow BrokenButTrustedServers
  2392. #               sslproxy_cert_error deny all
  2393. #
  2394. #       This clause only supports fast acl types.
  2395. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2396. #       Using slow acl types may result in server crashes
  2397. #
  2398. #       Without this option, all server certificate validation errors
  2399. #       terminate the transaction to protect Squid and the client.
  2400. #
  2401. #       SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed
  2402. #       but should not happen unless your OpenSSL library is buggy.
  2403. #
  2404. #       SECURITY WARNING:
  2405. #               Bypassing validation errors is dangerous because an
  2406. #               error usually implies that the server cannot be trusted
  2407. #               and the connection may be insecure.
  2408. #
  2409. #       See also: sslproxy_flags and DONT_VERIFY_PEER.
  2410. #Default:
  2411. # Server certificate errors terminate the transaction.
  2412.  
  2413. #  TAG: sslproxy_cert_sign
  2414. # Note: This option is only available if Squid is rebuilt with the
  2415. #       --with-openssl
  2416. #
  2417. #
  2418. #        sslproxy_cert_sign <signing algorithm> acl ...
  2419. #
  2420. #        The following certificate signing algorithms are supported:
  2421. #
  2422. #          signTrusted
  2423. #               Sign using the configured CA certificate which is usually
  2424. #               placed in and trusted by end-user browsers. This is the
  2425. #               default for trusted origin server certificates.
  2426. #
  2427. #          signUntrusted
  2428. #               Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
  2429. #               This is the default for untrusted origin server certificates
  2430. #               that are not self-signed (see ssl::certUntrusted).
  2431. #
  2432. #          signSelf
  2433. #               Sign using a self-signed certificate with the right CN to
  2434. #               generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
  2435. #               browser. This is the default for self-signed origin server
  2436. #               certificates (see ssl::certSelfSigned).
  2437. #
  2438. #       This clause only supports fast acl types.
  2439. #
  2440. #       When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
  2441. #       signing algorithm to generate the certificate and ignores all
  2442. #       subsequent sslproxy_cert_sign options (the first match wins). If no
  2443. #       acl(s) match, the default signing algorithm is determined by errors
  2444. #       detected when obtaining and validating the origin server certificate.
  2445. #
  2446. #       WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
  2447. #       be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
  2448. #       CONNECT request that carries a domain name. In all other cases (CONNECT
  2449. #       to an IP address or an intercepted SSL connection), Squid cannot detect
  2450. #       the domain mismatch at certificate generation time when
  2451. #       bump-server-first is used.
  2452. #Default:
  2453. # none
  2454.  
  2455. #  TAG: sslproxy_cert_adapt
  2456. # Note: This option is only available if Squid is rebuilt with the
  2457. #       --with-openssl
  2458. #
  2459. #      
  2460. #       sslproxy_cert_adapt <adaptation algorithm> acl ...
  2461. #
  2462. #       The following certificate adaptation algorithms are supported:
  2463. #
  2464. #          setValidAfter
  2465. #               Sets the "Not After" property to the "Not After" property of
  2466. #               the CA certificate used to sign generated certificates.
  2467. #
  2468. #          setValidBefore
  2469. #               Sets the "Not Before" property to the "Not Before" property of
  2470. #               the CA certificate used to sign generated certificates.
  2471. #
  2472. #          setCommonName or setCommonName{CN}
  2473. #               Sets Subject.CN property to the host name specified as a
  2474. #               CN parameter or, if no explicit CN parameter was specified,
  2475. #               extracted from the CONNECT request. It is a misconfiguration
  2476. #               to use setCommonName without an explicit parameter for
  2477. #               intercepted or tproxied SSL connections.
  2478. #              
  2479. #       This clause only supports fast acl types.
  2480. #
  2481. #       Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
  2482. #       Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
  2483. #       corresponding adaptation algorithm to generate the certificate and
  2484. #       ignores all subsequent sslproxy_cert_adapt options in that algorithm's
  2485. #       group (i.e., the first match wins within each algorithm group). If no
  2486. #       acl(s) match, the default mimicking action takes place.
  2487. #
  2488. #       WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
  2489. #       be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
  2490. #       CONNECT request that carries a domain name. In all other cases (CONNECT
  2491. #       to an IP address or an intercepted SSL connection), Squid cannot detect
  2492. #       the domain mismatch at certificate generation time when
  2493. #       bump-server-first is used.
  2494. #Default:
  2495. # none
  2496.  
  2497. #  TAG: sslpassword_program
  2498. # Note: This option is only available if Squid is rebuilt with the
  2499. #       --with-openssl
  2500. #
  2501. #       Specify a program used for entering SSL key passphrases
  2502. #       when using encrypted SSL certificate keys. If not specified
  2503. #       keys must either be unencrypted, or Squid started with the -N
  2504. #       option to allow it to query interactively for the passphrase.
  2505. #
  2506. #       The key file name is given as argument to the program allowing
  2507. #       selection of the right password if you have multiple encrypted
  2508. #       keys.
  2509. #Default:
  2510. # none
  2511.  
  2512. # OPTIONS RELATING TO EXTERNAL SSL_CRTD
  2513. # -----------------------------------------------------------------------------
  2514.  
  2515. #  TAG: sslcrtd_program
  2516. # Note: This option is only available if Squid is rebuilt with the
  2517. #       --enable-ssl-crtd
  2518. #
  2519. #       Specify the location and options of the executable for ssl_crtd process.
  2520. #       /usr/lib/squid/ssl_crtd program requires -s and -M parameters
  2521. #       For more information use:
  2522. #               /usr/lib/squid/ssl_crtd -h
  2523. #Default:
  2524. # sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
  2525.  
  2526. #  TAG: sslcrtd_children
  2527. # Note: This option is only available if Squid is rebuilt with the
  2528. #       --enable-ssl-crtd
  2529. #
  2530. #       The maximum number of processes spawn to service ssl server.
  2531. #       The maximum this may be safely set to is 32.
  2532. #      
  2533. #       The startup= and idle= options allow some measure of skew in your
  2534. #       tuning.
  2535. #      
  2536. #               startup=N
  2537. #      
  2538. #       Sets the minimum number of processes to spawn when Squid
  2539. #       starts or reconfigures. When set to zero the first request will
  2540. #       cause spawning of the first child process to handle it.
  2541. #      
  2542. #       Starting too few children temporary slows Squid under load while it
  2543. #       tries to spawn enough additional processes to cope with traffic.
  2544. #      
  2545. #               idle=N
  2546. #      
  2547. #       Sets a minimum of how many processes Squid is to try and keep available
  2548. #       at all times. When traffic begins to rise above what the existing
  2549. #       processes can handle this many more will be spawned up to the maximum
  2550. #       configured. A minimum setting of 1 is required.
  2551. #      
  2552. #       You must have at least one ssl_crtd process.
  2553. #Default:
  2554. # sslcrtd_children 32 startup=5 idle=1
  2555.  
  2556. #  TAG: sslcrtvalidator_program
  2557. # Note: This option is only available if Squid is rebuilt with the
  2558. #       --with-openssl
  2559. #
  2560. #       Specify the location and options of the executable for ssl_crt_validator
  2561. #       process.
  2562. #
  2563. #       Usage:  sslcrtvalidator_program [ttl=n] [cache=n] path ...
  2564. #
  2565. #       Options:
  2566. #         ttl=n         TTL in seconds for cached results. The default is 60 secs
  2567. #         cache=n       limit the result cache size. The default value is 2048
  2568. #Default:
  2569. # none
  2570.  
  2571. #  TAG: sslcrtvalidator_children
  2572. # Note: This option is only available if Squid is rebuilt with the
  2573. #       --with-openssl
  2574. #
  2575. #       The maximum number of processes spawn to service SSL server.
  2576. #       The maximum this may be safely set to is 32.
  2577. #      
  2578. #       The startup= and idle= options allow some measure of skew in your
  2579. #       tuning.
  2580. #      
  2581. #               startup=N
  2582. #      
  2583. #       Sets the minimum number of processes to spawn when Squid
  2584. #       starts or reconfigures. When set to zero the first request will
  2585. #       cause spawning of the first child process to handle it.
  2586. #      
  2587. #       Starting too few children temporary slows Squid under load while it
  2588. #       tries to spawn enough additional processes to cope with traffic.
  2589. #      
  2590. #               idle=N
  2591. #      
  2592. #       Sets a minimum of how many processes Squid is to try and keep available
  2593. #       at all times. When traffic begins to rise above what the existing
  2594. #       processes can handle this many more will be spawned up to the maximum
  2595. #       configured. A minimum setting of 1 is required.
  2596. #
  2597. #               concurrency=
  2598. #      
  2599. #       The number of requests each certificate validator helper can handle in
  2600. #       parallel. A value of 0 indicates the certficate validator does not
  2601. #       support concurrency. Defaults to 1.
  2602. #      
  2603. #       When this directive is set to a value >= 1 then the protocol
  2604. #       used to communicate with the helper is modified to include
  2605. #       a request ID in front of the request/response. The request
  2606. #       ID from the request must be echoed back with the response
  2607. #       to that request.
  2608. #      
  2609. #       You must have at least one ssl_crt_validator process.
  2610. #Default:
  2611. # sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1
  2612.  
  2613. # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
  2614. # -----------------------------------------------------------------------------
  2615.  
  2616. #  TAG: cache_peer
  2617. #       To specify other caches in a hierarchy, use the format:
  2618. #      
  2619. #               cache_peer hostname type http-port icp-port [options]
  2620. #      
  2621. #       For example,
  2622. #      
  2623. #       #                                        proxy  icp
  2624. #       #          hostname             type     port   port  options
  2625. #       #          -------------------- -------- ----- -----  -----------
  2626. #       cache_peer parent.foo.net       parent    3128  3130  default
  2627. #       cache_peer sib1.foo.net         sibling   3128  3130  proxy-only
  2628. #       cache_peer sib2.foo.net         sibling   3128  3130  proxy-only
  2629. #       cache_peer example.com          parent    80       0  default
  2630. #       cache_peer cdn.example.com      sibling   3128     0  
  2631. #      
  2632. #             type:     either 'parent', 'sibling', or 'multicast'.
  2633. #      
  2634. #       proxy-port:     The port number where the peer accept HTTP requests.
  2635. #                       For other Squid proxies this is usually 3128
  2636. #                       For web servers this is usually 80
  2637. #      
  2638. #         icp-port:     Used for querying neighbor caches about objects.
  2639. #                       Set to 0 if the peer does not support ICP or HTCP.
  2640. #                       See ICP and HTCP options below for additional details.
  2641. #      
  2642. #      
  2643. #       ==== ICP OPTIONS ====
  2644. #      
  2645. #       You MUST also set icp_port and icp_access explicitly when using these options.
  2646. #       The defaults will prevent peer traffic using ICP.
  2647. #      
  2648. #      
  2649. #       no-query        Disable ICP queries to this neighbor.
  2650. #      
  2651. #       multicast-responder
  2652. #                       Indicates the named peer is a member of a multicast group.
  2653. #                       ICP queries will not be sent directly to the peer, but ICP
  2654. #                       replies will be accepted from it.
  2655. #      
  2656. #       closest-only    Indicates that, for ICP_OP_MISS replies, we'll only forward
  2657. #                       CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
  2658. #      
  2659. #       background-ping
  2660. #                       To only send ICP queries to this neighbor infrequently.
  2661. #                       This is used to keep the neighbor round trip time updated
  2662. #                       and is usually used in conjunction with weighted-round-robin.
  2663. #      
  2664. #      
  2665. #       ==== HTCP OPTIONS ====
  2666. #      
  2667. #       You MUST also set htcp_port and htcp_access explicitly when using these options.
  2668. #       The defaults will prevent peer traffic using HTCP.
  2669. #      
  2670. #      
  2671. #       htcp            Send HTCP, instead of ICP, queries to the neighbor.
  2672. #                       You probably also want to set the "icp-port" to 4827
  2673. #                       instead of 3130. This directive accepts a comma separated
  2674. #                       list of options described below.
  2675. #      
  2676. #       htcp=oldsquid   Send HTCP to old Squid versions (2.5 or earlier).
  2677. #      
  2678. #       htcp=no-clr     Send HTCP to the neighbor but without
  2679. #                       sending any CLR requests.  This cannot be used with
  2680. #                       only-clr.
  2681. #      
  2682. #       htcp=only-clr   Send HTCP to the neighbor but ONLY CLR requests.
  2683. #                       This cannot be used with no-clr.
  2684. #      
  2685. #       htcp=no-purge-clr
  2686. #                       Send HTCP to the neighbor including CLRs but only when
  2687. #                       they do not result from PURGE requests.
  2688. #      
  2689. #       htcp=forward-clr
  2690. #                       Forward any HTCP CLR requests this proxy receives to the peer.
  2691. #      
  2692. #      
  2693. #       ==== PEER SELECTION METHODS ====
  2694. #      
  2695. #       The default peer selection method is ICP, with the first responding peer
  2696. #       being used as source. These options can be used for better load balancing.
  2697. #      
  2698. #      
  2699. #       default         This is a parent cache which can be used as a "last-resort"
  2700. #                       if a peer cannot be located by any of the peer-selection methods.
  2701. #                       If specified more than once, only the first is used.
  2702. #      
  2703. #       round-robin     Load-Balance parents which should be used in a round-robin
  2704. #                       fashion in the absence of any ICP queries.
  2705. #                       weight=N can be used to add bias.
  2706. #      
  2707. #       weighted-round-robin
  2708. #                       Load-Balance parents which should be used in a round-robin
  2709. #                       fashion with the frequency of each parent being based on the
  2710. #                       round trip time. Closer parents are used more often.
  2711. #                       Usually used for background-ping parents.
  2712. #                       weight=N can be used to add bias.
  2713. #      
  2714. #       carp            Load-Balance parents which should be used as a CARP array.
  2715. #                       The requests will be distributed among the parents based on the
  2716. #                       CARP load balancing hash function based on their weight.
  2717. #      
  2718. #       userhash        Load-balance parents based on the client proxy_auth or ident username.
  2719. #      
  2720. #       sourcehash      Load-balance parents based on the client source IP.
  2721. #
  2722. #       multicast-siblings
  2723. #                       To be used only for cache peers of type "multicast".
  2724. #                       ALL members of this multicast group have "sibling"
  2725. #                       relationship with it, not "parent".  This is to a multicast
  2726. #                       group when the requested object would be fetched only from
  2727. #                       a "parent" cache, anyway.  It's useful, e.g., when
  2728. #                       configuring a pool of redundant Squid proxies, being
  2729. #                       members of the same multicast group.
  2730. #      
  2731. #      
  2732. #       ==== PEER SELECTION OPTIONS ====
  2733. #      
  2734. #       weight=N        use to affect the selection of a peer during any weighted
  2735. #                       peer-selection mechanisms.
  2736. #                       The weight must be an integer; default is 1,
  2737. #                       larger weights are favored more.
  2738. #                       This option does not affect parent selection if a peering
  2739. #                       protocol is not in use.
  2740. #      
  2741. #       basetime=N      Specify a base amount to be subtracted from round trip
  2742. #                       times of parents.
  2743. #                       It is subtracted before division by weight in calculating
  2744. #                       which parent to fectch from. If the rtt is less than the
  2745. #                       base time the rtt is set to a minimal value.
  2746. #      
  2747. #       ttl=N           Specify a TTL to use when sending multicast ICP queries
  2748. #                       to this address.
  2749. #                       Only useful when sending to a multicast group.
  2750. #                       Because we don't accept ICP replies from random
  2751. #                       hosts, you must configure other group members as
  2752. #                       peers with the 'multicast-responder' option.
  2753. #      
  2754. #       no-delay        To prevent access to this neighbor from influencing the
  2755. #                       delay pools.
  2756. #      
  2757. #       digest-url=URL  Tell Squid to fetch the cache digest (if digests are
  2758. #                       enabled) for this host from the specified URL rather
  2759. #                       than the Squid default location.
  2760. #      
  2761. #      
  2762. #       ==== CARP OPTIONS ====
  2763. #      
  2764. #       carp-key=key-specification
  2765. #                       use a different key than the full URL to hash against the peer.
  2766. #                       the key-specification is a comma-separated list of the keywords                
  2767. #                       scheme, host, port, path, params
  2768. #                       Order is not important.
  2769. #      
  2770. #       ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
  2771. #      
  2772. #       originserver    Causes this parent to be contacted as an origin server.
  2773. #                       Meant to be used in accelerator setups when the peer
  2774. #                       is a web server.
  2775. #      
  2776. #       forceddomain=name
  2777. #                       Set the Host header of requests forwarded to this peer.
  2778. #                       Useful in accelerator setups where the server (peer)
  2779. #                       expects a certain domain name but clients may request
  2780. #                       others. ie example.com or www.example.com
  2781. #      
  2782. #       no-digest       Disable request of cache digests.
  2783. #      
  2784. #       no-netdb-exchange
  2785. #                       Disables requesting ICMP RTT database (NetDB).
  2786. #      
  2787. #      
  2788. #       ==== AUTHENTICATION OPTIONS ====
  2789. #      
  2790. #       login=user:password
  2791. #                       If this is a personal/workgroup proxy and your parent
  2792. #                       requires proxy authentication.
  2793. #                      
  2794. #                       Note: The string can include URL escapes (i.e. %20 for
  2795. #                       spaces). This also means % must be written as %%.
  2796. #      
  2797. #       login=PASSTHRU
  2798. #                       Send login details received from client to this peer.
  2799. #                       Both Proxy- and WWW-Authorization headers are passed
  2800. #                       without alteration to the peer.
  2801. #                       Authentication is not required by Squid for this to work.
  2802. #                      
  2803. #                       Note: This will pass any form of authentication but
  2804. #                       only Basic auth will work through a proxy unless the
  2805. #                       connection-auth options are also used.
  2806. #
  2807. #       login=PASS      Send login details received from client to this peer.
  2808. #                       Authentication is not required by this option.
  2809. #                      
  2810. #                       If there are no client-provided authentication headers
  2811. #                       to pass on, but username and password are available
  2812. #                       from an external ACL user= and password= result tags
  2813. #                       they may be sent instead.
  2814. #                      
  2815. #                       Note: To combine this with proxy_auth both proxies must
  2816. #                       share the same user database as HTTP only allows for
  2817. #                       a single login (one for proxy, one for origin server).
  2818. #                       Also be warned this will expose your users proxy
  2819. #                       password to the peer. USE WITH CAUTION
  2820. #      
  2821. #       login=*:password
  2822. #                       Send the username to the upstream cache, but with a
  2823. #                       fixed password. This is meant to be used when the peer
  2824. #                       is in another administrative domain, but it is still
  2825. #                       needed to identify each user.
  2826. #                       The star can optionally be followed by some extra
  2827. #                       information which is added to the username. This can
  2828. #                       be used to identify this proxy to the peer, similar to
  2829. #                       the login=username:password option above.
  2830. #      
  2831. #       login=NEGOTIATE
  2832. #                       If this is a personal/workgroup proxy and your parent
  2833. #                       requires a secure proxy authentication.
  2834. #                       The first principal from the default keytab or defined by
  2835. #                       the environment variable KRB5_KTNAME will be used.
  2836. #      
  2837. #                       WARNING: The connection may transmit requests from multiple
  2838. #                       clients. Negotiate often assumes end-to-end authentication
  2839. #                       and a single-client. Which is not strictly true here.
  2840. #      
  2841. #       login=NEGOTIATE:principal_name
  2842. #                       If this is a personal/workgroup proxy and your parent
  2843. #                       requires a secure proxy authentication.
  2844. #                       The principal principal_name from the default keytab or
  2845. #                       defined by the environment variable KRB5_KTNAME will be
  2846. #                       used.
  2847. #      
  2848. #                       WARNING: The connection may transmit requests from multiple
  2849. #                       clients. Negotiate often assumes end-to-end authentication
  2850. #                       and a single-client. Which is not strictly true here.
  2851. #      
  2852. #       connection-auth=on|off
  2853. #                       Tell Squid that this peer does or not support Microsoft
  2854. #                       connection oriented authentication, and any such
  2855. #                       challenges received from there should be ignored.
  2856. #                       Default is auto to automatically determine the status
  2857. #                       of the peer.
  2858. #      
  2859. #      
  2860. #       ==== SSL / HTTPS / TLS OPTIONS ====
  2861. #      
  2862. #       ssl             Encrypt connections to this peer with SSL/TLS.
  2863. #      
  2864. #       sslcert=/path/to/ssl/certificate
  2865. #                       A client SSL certificate to use when connecting to
  2866. #                       this peer.
  2867. #      
  2868. #       sslkey=/path/to/ssl/key
  2869. #                       The private SSL key corresponding to sslcert above.
  2870. #                       If 'sslkey' is not specified 'sslcert' is assumed to
  2871. #                       reference a combined file containing both the
  2872. #                       certificate and the key.
  2873. #
  2874. #       Notes:
  2875. #      
  2876. #       On Debian/Ubuntu systems a default snakeoil certificate is
  2877. #    available in /etc/ssl and users can set:
  2878. #
  2879. #               cert=/etc/ssl/certs/ssl-cert-snakeoil.pem
  2880. #
  2881. #       and
  2882. #
  2883. #               key=/etc/ssl/private/ssl-cert-snakeoil.key
  2884. #
  2885. #       for testing.
  2886. #      
  2887. #       sslversion=1|2|3|4|5|6
  2888. #                       The SSL version to use when connecting to this peer
  2889. #                               1 = automatic (default)
  2890. #                               2 = SSL v2 only
  2891. #                               3 = SSL v3 only
  2892. #                               4 = TLS v1.0 only
  2893. #                               5 = TLS v1.1 only
  2894. #                               6 = TLS v1.2 only
  2895. #      
  2896. #       sslcipher=...   The list of valid SSL ciphers to use when connecting
  2897. #                       to this peer.
  2898. #      
  2899. #       ssloptions=...  Specify various SSL implementation options:
  2900. #
  2901. #                           NO_SSLv2    Disallow the use of SSLv2
  2902. #                           NO_SSLv3    Disallow the use of SSLv3
  2903. #                           NO_TLSv1    Disallow the use of TLSv1.0
  2904. #                           NO_TLSv1_1  Disallow the use of TLSv1.1
  2905. #                           NO_TLSv1_2  Disallow the use of TLSv1.2
  2906. #
  2907. #                           SINGLE_DH_USE
  2908. #                                     Always create a new key when using
  2909. #                                     temporary/ephemeral DH key exchanges
  2910. #
  2911. #                           NO_TICKET
  2912. #                                     Disable use of RFC5077 session tickets. Some servers
  2913. #                                     may have problems understanding the TLS extension due
  2914. #                                     to ambiguous specification in RFC4507.
  2915. #
  2916. #                           ALL       Enable various bug workarounds
  2917. #                                     suggested as "harmless" by OpenSSL
  2918. #                                     Be warned that this reduces SSL/TLS
  2919. #                                     strength to some attacks.
  2920. #
  2921. #                       See the OpenSSL SSL_CTX_set_options documentation for a
  2922. #                       more complete list.
  2923. #      
  2924. #       sslcafile=...   A file containing additional CA certificates to use
  2925. #                       when verifying the peer certificate.
  2926. #      
  2927. #       sslcapath=...   A directory containing additional CA certificates to
  2928. #                       use when verifying the peer certificate.
  2929. #      
  2930. #       sslcrlfile=...  A certificate revocation list file to use when
  2931. #                       verifying the peer certificate.
  2932. #      
  2933. #       sslflags=...    Specify various flags modifying the SSL implementation:
  2934. #      
  2935. #                       DONT_VERIFY_PEER
  2936. #                               Accept certificates even if they fail to
  2937. #                               verify.
  2938. #                       NO_DEFAULT_CA
  2939. #                               Don't use the default CA list built in
  2940. #                               to OpenSSL.
  2941. #                       DONT_VERIFY_DOMAIN
  2942. #                               Don't verify the peer certificate
  2943. #                               matches the server name
  2944. #      
  2945. #       ssldomain=      The peer name as advertised in it's certificate.
  2946. #                       Used for verifying the correctness of the received peer
  2947. #                       certificate. If not specified the peer hostname will be
  2948. #                       used.
  2949. #      
  2950. #       front-end-https
  2951. #                       Enable the "Front-End-Https: On" header needed when
  2952. #                       using Squid as a SSL frontend in front of Microsoft OWA.
  2953. #                       See MS KB document Q307347 for details on this header.
  2954. #                       If set to auto the header will only be added if the
  2955. #                       request is forwarded as a https:// URL.
  2956. #      
  2957. #      
  2958. #       ==== GENERAL OPTIONS ====
  2959. #      
  2960. #       connect-timeout=N
  2961. #                       A peer-specific connect timeout.
  2962. #                       Also see the peer_connect_timeout directive.
  2963. #      
  2964. #       connect-fail-limit=N
  2965. #                       How many times connecting to a peer must fail before
  2966. #                       it is marked as down. Standby connection failures
  2967. #                       count towards this limit. Default is 10.
  2968. #      
  2969. #       allow-miss      Disable Squid's use of only-if-cached when forwarding
  2970. #                       requests to siblings. This is primarily useful when
  2971. #                       icp_hit_stale is used by the sibling. Excessive use
  2972. #                       of this option may result in forwarding loops. One way
  2973. #                       to prevent peering loops when using this option, is to
  2974. #                       deny cache peer usage on requests from a peer:
  2975. #                       acl fromPeer ...
  2976. #                       cache_peer_access peerName deny fromPeer
  2977. #      
  2978. #       max-conn=N      Limit the number of concurrent connections the Squid
  2979. #                       may open to this peer, including already opened idle
  2980. #                       and standby connections. There is no peer-specific
  2981. #                       connection limit by default.
  2982. #      
  2983. #                       A peer exceeding the limit is not used for new
  2984. #                       requests unless a standby connection is available.
  2985. #      
  2986. #                       max-conn currently works poorly with idle persistent
  2987. #                       connections: When a peer reaches its max-conn limit,
  2988. #                       and there are idle persistent connections to the peer,
  2989. #                       the peer may not be selected because the limiting code
  2990. #                       does not know whether Squid can reuse those idle
  2991. #                       connections.
  2992. #      
  2993. #       standby=N       Maintain a pool of N "hot standby" connections to an
  2994. #                       UP peer, available for requests when no idle
  2995. #                       persistent connection is available (or safe) to use.
  2996. #                       By default and with zero N, no such pool is maintained.
  2997. #                       N must not exceed the max-conn limit (if any).
  2998. #      
  2999. #                       At start or after reconfiguration, Squid opens new TCP
  3000. #                       standby connections until there are N connections
  3001. #                       available and then replenishes the standby pool as
  3002. #                       opened connections are used up for requests. A used
  3003. #                       connection never goes back to the standby pool, but
  3004. #                       may go to the regular idle persistent connection pool
  3005. #                       shared by all peers and origin servers.
  3006. #      
  3007. #                       Squid never opens multiple new standby connections
  3008. #                       concurrently.  This one-at-a-time approach minimizes
  3009. #                       flooding-like effect on peers. Furthermore, just a few
  3010. #                       standby connections should be sufficient in most cases
  3011. #                       to supply most new requests with a ready-to-use
  3012. #                       connection.
  3013. #      
  3014. #                       Standby connections obey server_idle_pconn_timeout.
  3015. #                       For the feature to work as intended, the peer must be
  3016. #                       configured to accept and keep them open longer than
  3017. #                       the idle timeout at the connecting Squid, to minimize
  3018. #                       race conditions typical to idle used persistent
  3019. #                       connections. Default request_timeout and
  3020. #                       server_idle_pconn_timeout values ensure such a
  3021. #                       configuration.
  3022. #      
  3023. #       name=xxx        Unique name for the peer.
  3024. #                       Required if you have multiple peers on the same host
  3025. #                       but different ports.
  3026. #                       This name can be used in cache_peer_access and similar
  3027. #                       directives to identify the peer.
  3028. #                       Can be used by outgoing access controls through the
  3029. #                       peername ACL type.
  3030. #      
  3031. #       no-tproxy       Do not use the client-spoof TPROXY support when forwarding
  3032. #                       requests to this peer. Use normal address selection instead.
  3033. #                       This overrides the spoof_client_ip ACL.
  3034. #      
  3035. #       proxy-only      objects fetched from the peer will not be stored locally.
  3036. #      
  3037. #Default:
  3038. # none
  3039.  
  3040. #  TAG: cache_peer_domain
  3041. #       Use to limit the domains for which a neighbor cache will be
  3042. #       queried.
  3043. #
  3044. #       Usage:
  3045. #               cache_peer_domain cache-host domain [domain ...]
  3046. #               cache_peer_domain cache-host !domain
  3047. #
  3048. #       For example, specifying
  3049. #
  3050. #               cache_peer_domain parent.foo.net        .edu
  3051. #
  3052. #       has the effect such that UDP query packets are sent to
  3053. #       'bigserver' only when the requested object exists on a
  3054. #       server in the .edu domain.  Prefixing the domainname
  3055. #       with '!' means the cache will be queried for objects
  3056. #       NOT in that domain.
  3057. #
  3058. #       NOTE:   * Any number of domains may be given for a cache-host,
  3059. #                 either on the same or separate lines.
  3060. #               * When multiple domains are given for a particular
  3061. #                 cache-host, the first matched domain is applied.
  3062. #               * Cache hosts with no domain restrictions are queried
  3063. #                 for all requests.
  3064. #               * There are no defaults.
  3065. #               * There is also a 'cache_peer_access' tag in the ACL
  3066. #                 section.
  3067. #Default:
  3068. # none
  3069.  
  3070. #  TAG: cache_peer_access
  3071. #       Restricts usage of cache_peer proxies.
  3072. #
  3073. #       Usage:
  3074. #               cache_peer_access peer-name allow|deny [!]aclname ...
  3075. #
  3076. #       For the required peer-name parameter, use either the value of the
  3077. #       cache_peer name=value parameter or, if name=value is missing, the
  3078. #       cache_peer hostname parameter.
  3079. #
  3080. #       This directive narrows down the selection of peering candidates, but
  3081. #       does not determine the order in which the selected candidates are
  3082. #       contacted. That order is determined by the peer selection algorithms
  3083. #       (see PEER SELECTION sections in the cache_peer documentation).
  3084. #
  3085. #       If a deny rule matches, the corresponding peer will not be contacted
  3086. #       for the current transaction -- Squid will not send ICP queries and
  3087. #       will not forward HTTP requests to that peer. An allow match leaves
  3088. #       the corresponding peer in the selection. The first match for a given
  3089. #       peer wins for that peer.
  3090. #
  3091. #       The relative order of cache_peer_access directives for the same peer
  3092. #       matters. The relative order of any two cache_peer_access directives
  3093. #       for different peers does not matter. To ease interpretation, it is a
  3094. #       good idea to group cache_peer_access directives for the same peer
  3095. #       together.
  3096. #
  3097. #       A single cache_peer_access directive may be evaluated multiple times
  3098. #       for a given transaction because individual peer selection algorithms
  3099. #       may check it independently from each other. These redundant checks
  3100. #       may be optimized away in future Squid versions.
  3101. #
  3102. #       This clause only supports fast acl types.
  3103. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  3104. #Default:
  3105. # No peer usage restrictions.
  3106.  
  3107. #  TAG: neighbor_type_domain
  3108. #       Modify the cache_peer neighbor type when passing requests
  3109. #       about specific domains to the peer.
  3110. #
  3111. #       Usage:
  3112. #                neighbor_type_domain neighbor parent|sibling domain domain ...
  3113. #
  3114. #       For example:
  3115. #               cache_peer foo.example.com parent 3128 3130
  3116. #               neighbor_type_domain foo.example.com sibling .au .de
  3117. #
  3118. #       The above configuration treats all requests to foo.example.com as a
  3119. #       parent proxy unless the request is for a .au or .de ccTLD domain name.
  3120. #Default:
  3121. # The peer type from cache_peer directive is used for all requests to that peer.
  3122.  
  3123. #  TAG: dead_peer_timeout       (seconds)
  3124. #       This controls how long Squid waits to declare a peer cache
  3125. #       as "dead."  If there are no ICP replies received in this
  3126. #       amount of time, Squid will declare the peer dead and not
  3127. #       expect to receive any further ICP replies.  However, it
  3128. #       continues to send ICP queries, and will mark the peer as
  3129. #       alive upon receipt of the first subsequent ICP reply.
  3130. #
  3131. #       This timeout also affects when Squid expects to receive ICP
  3132. #       replies from peers.  If more than 'dead_peer' seconds have
  3133. #       passed since the last ICP reply was received, Squid will not
  3134. #       expect to receive an ICP reply on the next query.  Thus, if
  3135. #       your time between requests is greater than this timeout, you
  3136. #       will see a lot of requests sent DIRECT to origin servers
  3137. #       instead of to your parents.
  3138. #Default:
  3139. # dead_peer_timeout 10 seconds
  3140.  
  3141. #  TAG: forward_max_tries
  3142. #       Controls how many different forward paths Squid will try
  3143. #       before giving up. See also forward_timeout.
  3144. #      
  3145. #       NOTE: connect_retries (default: none) can make each of these
  3146. #       possible forwarding paths be tried multiple times.
  3147. #Default:
  3148. # forward_max_tries 25
  3149.  
  3150. # MEMORY CACHE OPTIONS
  3151. # -----------------------------------------------------------------------------
  3152.  
  3153. #  TAG: cache_mem       (bytes)
  3154. #       NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
  3155. #       IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
  3156. #       USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
  3157. #       THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
  3158. #
  3159. #       'cache_mem' specifies the ideal amount of memory to be used
  3160. #       for:
  3161. #               * In-Transit objects
  3162. #               * Hot Objects
  3163. #               * Negative-Cached objects
  3164. #
  3165. #       Data for these objects are stored in 4 KB blocks.  This
  3166. #       parameter specifies the ideal upper limit on the total size of
  3167. #       4 KB blocks allocated.  In-Transit objects take the highest
  3168. #       priority.
  3169. #
  3170. #       In-transit objects have priority over the others.  When
  3171. #       additional space is needed for incoming data, negative-cached
  3172. #       and hot objects will be released.  In other words, the
  3173. #       negative-cached and hot objects will fill up any unused space
  3174. #       not needed for in-transit objects.
  3175. #
  3176. #       If circumstances require, this limit will be exceeded.
  3177. #       Specifically, if your incoming request rate requires more than
  3178. #       'cache_mem' of memory to hold in-transit objects, Squid will
  3179. #       exceed this limit to satisfy the new requests.  When the load
  3180. #       decreases, blocks will be freed until the high-water mark is
  3181. #       reached.  Thereafter, blocks will be used to store hot
  3182. #       objects.
  3183. #
  3184. #       If shared memory caching is enabled, Squid does not use the shared
  3185. #       cache space for in-transit objects, but they still consume as much
  3186. #       local memory as they need. For more details about the shared memory
  3187. #       cache, see memory_cache_shared.
  3188. #Default:
  3189. # cache_mem 256 MB
  3190.  
  3191. #  TAG: maximum_object_size_in_memory   (bytes)
  3192. #       Objects greater than this size will not be attempted to kept in
  3193. #       the memory cache. This should be set high enough to keep objects
  3194. #       accessed frequently in memory to improve performance whilst low
  3195. #       enough to keep larger objects from hoarding cache_mem.
  3196. #Default:
  3197. # maximum_object_size_in_memory 512 KB
  3198.  
  3199. #  TAG: memory_cache_shared     on|off
  3200. #       Controls whether the memory cache is shared among SMP workers.
  3201. #
  3202. #       The shared memory cache is meant to occupy cache_mem bytes and replace
  3203. #       the non-shared memory cache, although some entities may still be
  3204. #       cached locally by workers for now (e.g., internal and in-transit
  3205. #       objects may be served from a local memory cache even if shared memory
  3206. #       caching is enabled).
  3207. #
  3208. #       By default, the memory cache is shared if and only if all of the
  3209. #       following conditions are satisfied: Squid runs in SMP mode with
  3210. #       multiple workers, cache_mem is positive, and Squid environment
  3211. #       supports required IPC primitives (e.g., POSIX shared memory segments
  3212. #       and GCC-style atomic operations).
  3213. #
  3214. #       To avoid blocking locks, shared memory uses opportunistic algorithms
  3215. #       that do not guarantee that every cachable entity that could have been
  3216. #       shared among SMP workers will actually be shared.
  3217. #Default:
  3218. # "on" where supported if doing memory caching with multiple SMP workers.
  3219.  
  3220. #  TAG: memory_cache_mode
  3221. #       Controls which objects to keep in the memory cache (cache_mem)
  3222. #
  3223. #       always  Keep most recently fetched objects in memory (default)
  3224. #
  3225. #       disk    Only disk cache hits are kept in memory, which means
  3226. #               an object must first be cached on disk and then hit
  3227. #               a second time before cached in memory.
  3228. #
  3229. #       network Only objects fetched from network is kept in memory
  3230. #Default:
  3231. # Keep the most recently fetched objects in memory
  3232.  
  3233. #  TAG: memory_replacement_policy
  3234. #       The memory replacement policy parameter determines which
  3235. #       objects are purged from memory when memory space is needed.
  3236. #
  3237. #       See cache_replacement_policy for details on algorithms.
  3238. #Default:
  3239. # memory_replacement_policy lru
  3240.  
  3241. # DISK CACHE OPTIONS
  3242. # -----------------------------------------------------------------------------
  3243.  
  3244. #  TAG: cache_replacement_policy
  3245. #       The cache replacement policy parameter determines which
  3246. #       objects are evicted (replaced) when disk space is needed.
  3247. #
  3248. #           lru       : Squid's original list based LRU policy
  3249. #           heap GDSF : Greedy-Dual Size Frequency
  3250. #           heap LFUDA: Least Frequently Used with Dynamic Aging
  3251. #           heap LRU  : LRU policy implemented using a heap
  3252. #
  3253. #       Applies to any cache_dir lines listed below this directive.
  3254. #
  3255. #       The LRU policies keeps recently referenced objects.
  3256. #
  3257. #       The heap GDSF policy optimizes object hit rate by keeping smaller
  3258. #       popular objects in cache so it has a better chance of getting a
  3259. #       hit.  It achieves a lower byte hit rate than LFUDA though since
  3260. #       it evicts larger (possibly popular) objects.
  3261. #
  3262. #       The heap LFUDA policy keeps popular objects in cache regardless of
  3263. #       their size and thus optimizes byte hit rate at the expense of
  3264. #       hit rate since one large, popular object will prevent many
  3265. #       smaller, slightly less popular objects from being cached.
  3266. #
  3267. #       Both policies utilize a dynamic aging mechanism that prevents
  3268. #       cache pollution that can otherwise occur with frequency-based
  3269. #       replacement policies.
  3270. #
  3271. #       NOTE: if using the LFUDA replacement policy you should increase
  3272. #       the value of maximum_object_size above its default of 4 MB to
  3273. #       to maximize the potential byte hit rate improvement of LFUDA.
  3274. #
  3275. #       For more information about the GDSF and LFUDA cache replacement
  3276. #       policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
  3277. #       and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
  3278. #Default:
  3279. # cache_replacement_policy lru
  3280.  
  3281. #  TAG: minimum_object_size     (bytes)
  3282. #       Objects smaller than this size will NOT be saved on disk.  The
  3283. #       value is specified in bytes, and the default is 0 KB, which
  3284. #       means all responses can be stored.
  3285. #Default:
  3286. # no limit
  3287.  
  3288. #  TAG: maximum_object_size     (bytes)
  3289. #       Set the default value for max-size parameter on any cache_dir.
  3290. #       The value is specified in bytes, and the default is 4 MB.
  3291. #      
  3292. #       If you wish to get a high BYTES hit ratio, you should probably
  3293. #       increase this (one 32 MB object hit counts for 3200 10KB
  3294. #       hits).
  3295. #      
  3296. #       If you wish to increase hit ratio more than you want to
  3297. #       save bandwidth you should leave this low.
  3298. #      
  3299. #       NOTE: if using the LFUDA replacement policy you should increase
  3300. #       this value to maximize the byte hit rate improvement of LFUDA!
  3301. #       See cache_replacement_policy for a discussion of this policy.
  3302. #Default:
  3303. # maximum_object_size 4 MB
  3304.  
  3305. #  TAG: cache_dir
  3306. #       Format:
  3307. #               cache_dir Type Directory-Name Fs-specific-data [options]
  3308. #
  3309. #       You can specify multiple cache_dir lines to spread the
  3310. #       cache among different disk partitions.
  3311. #
  3312. #       Type specifies the kind of storage system to use. Only "ufs"
  3313. #       is built by default. To enable any of the other storage systems
  3314. #       see the --enable-storeio configure option.
  3315. #
  3316. #       'Directory' is a top-level directory where cache swap
  3317. #       files will be stored.  If you want to use an entire disk
  3318. #       for caching, this can be the mount-point directory.
  3319. #       The directory must exist and be writable by the Squid
  3320. #       process.  Squid will NOT create this directory for you.
  3321. #
  3322. #       In SMP configurations, cache_dir must not precede the workers option
  3323. #       and should use configuration macros or conditionals to give each
  3324. #       worker interested in disk caching a dedicated cache directory.
  3325. #
  3326. #
  3327. #       ====  The ufs store type  ====
  3328. #
  3329. #       "ufs" is the old well-known Squid storage format that has always
  3330. #       been there.
  3331. #
  3332. #       Usage:
  3333. #               cache_dir ufs Directory-Name Mbytes L1 L2 [options]
  3334. #
  3335. #       'Mbytes' is the amount of disk space (MB) to use under this
  3336. #       directory.  The default is 100 MB.  Change this to suit your
  3337. #       configuration.  Do NOT put the size of your disk drive here.
  3338. #       Instead, if you want Squid to use the entire disk drive,
  3339. #       subtract 20% and use that value.
  3340. #
  3341. #       'L1' is the number of first-level subdirectories which
  3342. #       will be created under the 'Directory'.  The default is 16.
  3343. #
  3344. #       'L2' is the number of second-level subdirectories which
  3345. #       will be created under each first-level directory.  The default
  3346. #       is 256.
  3347. #
  3348. #
  3349. #       ====  The aufs store type  ====
  3350. #
  3351. #       "aufs" uses the same storage format as "ufs", utilizing
  3352. #       POSIX-threads to avoid blocking the main Squid process on
  3353. #       disk-I/O. This was formerly known in Squid as async-io.
  3354. #
  3355. #       Usage:
  3356. #               cache_dir aufs Directory-Name Mbytes L1 L2 [options]
  3357. #
  3358. #       see argument descriptions under ufs above
  3359. #
  3360. #
  3361. #       ====  The diskd store type  ====
  3362. #
  3363. #       "diskd" uses the same storage format as "ufs", utilizing a
  3364. #       separate process to avoid blocking the main Squid process on
  3365. #       disk-I/O.
  3366. #
  3367. #       Usage:
  3368. #               cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
  3369. #
  3370. #       see argument descriptions under ufs above
  3371. #
  3372. #       Q1 specifies the number of unacknowledged I/O requests when Squid
  3373. #       stops opening new files. If this many messages are in the queues,
  3374. #       Squid won't open new files. Default is 64
  3375. #
  3376. #       Q2 specifies the number of unacknowledged messages when Squid
  3377. #       starts blocking.  If this many messages are in the queues,
  3378. #       Squid blocks until it receives some replies. Default is 72
  3379. #
  3380. #       When Q1 < Q2 (the default), the cache directory is optimized
  3381. #       for lower response time at the expense of a decrease in hit
  3382. #       ratio.  If Q1 > Q2, the cache directory is optimized for
  3383. #       higher hit ratio at the expense of an increase in response
  3384. #       time.
  3385. #
  3386. #
  3387. #       ====  The rock store type  ====
  3388. #
  3389. #       Usage:
  3390. #           cache_dir rock Directory-Name Mbytes [options]
  3391. #
  3392. #       The Rock Store type is a database-style storage. All cached
  3393. #       entries are stored in a "database" file, using fixed-size slots.
  3394. #       A single entry occupies one or more slots.
  3395. #
  3396. #       If possible, Squid using Rock Store creates a dedicated kid
  3397. #       process called "disker" to avoid blocking Squid worker(s) on disk
  3398. #       I/O. One disker kid is created for each rock cache_dir.  Diskers
  3399. #       are created only when Squid, running in daemon mode, has support
  3400. #       for the IpcIo disk I/O module.
  3401. #
  3402. #       swap-timeout=msec: Squid will not start writing a miss to or
  3403. #       reading a hit from disk if it estimates that the swap operation
  3404. #       will take more than the specified number of milliseconds. By
  3405. #       default and when set to zero, disables the disk I/O time limit
  3406. #       enforcement. Ignored when using blocking I/O module because
  3407. #       blocking synchronous I/O does not allow Squid to estimate the
  3408. #       expected swap wait time.
  3409. #
  3410. #       max-swap-rate=swaps/sec: Artificially limits disk access using
  3411. #       the specified I/O rate limit. Swap out requests that
  3412. #       would cause the average I/O rate to exceed the limit are
  3413. #       delayed. Individual swap in requests (i.e., hits or reads) are
  3414. #       not delayed, but they do contribute to measured swap rate and
  3415. #       since they are placed in the same FIFO queue as swap out
  3416. #       requests, they may wait longer if max-swap-rate is smaller.
  3417. #       This is necessary on file systems that buffer "too
  3418. #       many" writes and then start blocking Squid and other processes
  3419. #       while committing those writes to disk.  Usually used together
  3420. #       with swap-timeout to avoid excessive delays and queue overflows
  3421. #       when disk demand exceeds available disk "bandwidth". By default
  3422. #       and when set to zero, disables the disk I/O rate limit
  3423. #       enforcement. Currently supported by IpcIo module only.
  3424. #
  3425. #       slot-size=bytes: The size of a database "record" used for
  3426. #       storing cached responses. A cached response occupies at least
  3427. #       one slot and all database I/O is done using individual slots so
  3428. #       increasing this parameter leads to more disk space waste while
  3429. #       decreasing it leads to more disk I/O overheads. Should be a
  3430. #       multiple of your operating system I/O page size. Defaults to
  3431. #       16KBytes. A housekeeping header is stored with each slot and
  3432. #       smaller slot-sizes will be rejected. The header is smaller than
  3433. #       100 bytes.
  3434. #
  3435. #
  3436. #       ==== COMMON OPTIONS ====
  3437. #
  3438. #       no-store        no new objects should be stored to this cache_dir.
  3439. #
  3440. #       min-size=n      the minimum object size in bytes this cache_dir
  3441. #                       will accept.  It's used to restrict a cache_dir
  3442. #                       to only store large objects (e.g. AUFS) while
  3443. #                       other stores are optimized for smaller objects
  3444. #                       (e.g. Rock).
  3445. #                       Defaults to 0.
  3446. #
  3447. #       max-size=n      the maximum object size in bytes this cache_dir
  3448. #                       supports.
  3449. #                       The value in maximum_object_size directive sets
  3450. #                       the default unless more specific details are
  3451. #                       available (ie a small store capacity).
  3452. #
  3453. #       Note: To make optimal use of the max-size limits you should order
  3454. #       the cache_dir lines with the smallest max-size value first.
  3455. #
  3456. #Default:
  3457. # No disk cache. Store cache ojects only in memory.
  3458. #
  3459.  
  3460. # Uncomment and adjust the following to add a disk cache directory.
  3461. #cache_dir ufs /var/spool/squid 100 16 256
  3462.  
  3463. #  TAG: store_dir_select_algorithm
  3464. #       How Squid selects which cache_dir to use when the response
  3465. #       object will fit into more than one.
  3466. #
  3467. #       Regardless of which algorithm is used the cache_dir min-size
  3468. #       and max-size parameters are obeyed. As such they can affect
  3469. #       the selection algorithm by limiting the set of considered
  3470. #       cache_dir.
  3471. #
  3472. #       Algorithms:
  3473. #
  3474. #               least-load
  3475. #
  3476. #       This algorithm is suited to caches with similar cache_dir
  3477. #       sizes and disk speeds.
  3478. #
  3479. #       The disk with the least I/O pending is selected.
  3480. #       When there are multiple disks with the same I/O load ranking
  3481. #       the cache_dir with most available capacity is selected.
  3482. #
  3483. #       When a mix of cache_dir sizes are configured the faster disks
  3484. #       have a naturally lower I/O loading and larger disks have more
  3485. #       capacity. So space used to store objects and data throughput
  3486. #       may be very unbalanced towards larger disks.
  3487. #
  3488. #
  3489. #               round-robin
  3490. #
  3491. #       This algorithm is suited to caches with unequal cache_dir
  3492. #       disk sizes.
  3493. #
  3494. #       Each cache_dir is selected in a rotation. The next suitable
  3495. #       cache_dir is used.
  3496. #
  3497. #       Available cache_dir capacity is only considered in relation
  3498. #       to whether the object will fit and meets the min-size and
  3499. #       max-size parameters.
  3500. #
  3501. #       Disk I/O loading is only considered to prevent overload on slow
  3502. #       disks. This algorithm does not spread objects by size, so any
  3503. #       I/O loading per-disk may appear very unbalanced and volatile.
  3504. #
  3505. #       If several cache_dirs use similar min-size, max-size, or other
  3506. #       limits to to reject certain responses, then do not group such
  3507. #       cache_dir lines together, to avoid round-robin selection bias
  3508. #       towards the first cache_dir after the group. Instead, interleave
  3509. #       cache_dir lines from different groups. For example:
  3510. #
  3511. #               store_dir_select_algorithm round-robin
  3512. #               cache_dir rock /hdd1 ... min-size=100000
  3513. #               cache_dir rock /ssd1 ... max-size=99999
  3514. #               cache_dir rock /hdd2 ... min-size=100000
  3515. #               cache_dir rock /ssd2 ... max-size=99999
  3516. #               cache_dir rock /hdd3 ... min-size=100000
  3517. #               cache_dir rock /ssd3 ... max-size=99999
  3518. #Default:
  3519. # store_dir_select_algorithm least-load
  3520.  
  3521. #  TAG: max_open_disk_fds
  3522. #       To avoid having disk as the I/O bottleneck Squid can optionally
  3523. #       bypass the on-disk cache if more than this amount of disk file
  3524. #       descriptors are open.
  3525. #
  3526. #       A value of 0 indicates no limit.
  3527. #Default:
  3528. # no limit
  3529.  
  3530. #  TAG: cache_swap_low  (percent, 0-100)
  3531. #       The low-water mark for AUFS/UFS/diskd cache object eviction by
  3532. #       the cache_replacement_policy algorithm.
  3533. #
  3534. #       Removal begins when the swap (disk) usage of a cache_dir is
  3535. #       above this low-water mark and attempts to maintain utilization
  3536. #       near the low-water mark.
  3537. #
  3538. #       As swap utilization increases towards the high-water mark set
  3539. #       by cache_swap_high object eviction becomes more agressive.
  3540. #
  3541. #       The value difference in percentages between low- and high-water
  3542. #       marks represent an eviction rate of 300 objects per second and
  3543. #       the rate continues to scale in agressiveness by multiples of
  3544. #       this above the high-water mark.
  3545. #
  3546. #       Defaults are 90% and 95%. If you have a large cache, 5% could be
  3547. #       hundreds of MB. If this is the case you may wish to set these
  3548. #       numbers closer together.
  3549. #
  3550. #       See also cache_swap_high and cache_replacement_policy
  3551. #Default:
  3552. # cache_swap_low 90
  3553.  
  3554. #  TAG: cache_swap_high (percent, 0-100)
  3555. #       The high-water mark for AUFS/UFS/diskd cache object eviction by
  3556. #       the cache_replacement_policy algorithm.
  3557. #
  3558. #       Removal begins when the swap (disk) usage of a cache_dir is
  3559. #       above the low-water mark set by cache_swap_low and attempts to
  3560. #       maintain utilization near the low-water mark.
  3561. #
  3562. #       As swap utilization increases towards this high-water mark object
  3563. #       eviction becomes more agressive.
  3564. #
  3565. #       The value difference in percentages between low- and high-water
  3566. #       marks represent an eviction rate of 300 objects per second and
  3567. #       the rate continues to scale in agressiveness by multiples of
  3568. #       this above the high-water mark.
  3569. #
  3570. #       Defaults are 90% and 95%. If you have a large cache, 5% could be
  3571. #       hundreds of MB. If this is the case you may wish to set these
  3572. #       numbers closer together.
  3573. #
  3574. #       See also cache_swap_low and cache_replacement_policy
  3575. #Default:
  3576. # cache_swap_high 95
  3577.  
  3578. # LOGFILE OPTIONS
  3579. # -----------------------------------------------------------------------------
  3580.  
  3581. #  TAG: logformat
  3582. #       Usage:
  3583. #
  3584. #       logformat <name> <format specification>
  3585. #
  3586. #       Defines an access log format.
  3587. #
  3588. #       The <format specification> is a string with embedded % format codes
  3589. #
  3590. #       % format codes all follow the same basic structure where all but
  3591. #       the formatcode is optional. Output strings are automatically escaped
  3592. #       as required according to their context and the output format
  3593. #       modifiers are usually not needed, but can be specified if an explicit
  3594. #       output format is desired.
  3595. #
  3596. #               % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
  3597. #
  3598. #               "       output in quoted string format
  3599. #               [       output in squid text log format as used by log_mime_hdrs
  3600. #               #       output in URL quoted format
  3601. #               '       output as-is
  3602. #
  3603. #               -       left aligned
  3604. #
  3605. #               width   minimum and/or maximum field width:
  3606. #                           [width_min][.width_max]
  3607. #                       When minimum starts with 0, the field is zero-padded.
  3608. #                       String values exceeding maximum width are truncated.
  3609. #
  3610. #               {arg}   argument such as header name etc
  3611. #
  3612. #       Format codes:
  3613. #
  3614. #               %       a literal % character
  3615. #               sn      Unique sequence number per log line entry
  3616. #               err_code    The ID of an error response served by Squid or
  3617. #                               a similar internal error identifier.
  3618. #               err_detail  Additional err_code-dependent error information.
  3619. #               note    The annotation specified by the argument. Also
  3620. #                       logs the adaptation meta headers set by the
  3621. #                       adaptation_meta configuration parameter.
  3622. #                       If no argument given all annotations logged.
  3623. #                       The argument may include a separator to use with
  3624. #                       annotation values:
  3625. #                            name[:separator]
  3626. #                       By default, multiple note values are separated with ","
  3627. #                       and multiple notes are separated with "\r\n".
  3628. #                       When logging named notes with %{name}note, the
  3629. #                       explicitly configured separator is used between note
  3630. #                       values. When logging all notes with %note, the
  3631. #                       explicitly configured separator is used between
  3632. #                       individual notes. There is currently no way to
  3633. #                       specify both value and notes separators when logging
  3634. #                       all notes with %note.
  3635. #
  3636. #       Connection related format codes:
  3637. #
  3638. #               >a      Client source IP address
  3639. #               >A      Client FQDN
  3640. #               >p      Client source port
  3641. #               >eui    Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
  3642. #               >la     Local IP address the client connected to
  3643. #               >lp     Local port number the client connected to
  3644. #               >qos    Client connection TOS/DSCP value set by Squid
  3645. #               >nfmark Client connection netfilter mark set by Squid
  3646. #
  3647. #               la      Local listening IP address the client connection was connected to.
  3648. #               lp      Local listening port number the client connection was connected to.
  3649. #
  3650. #               <a      Server IP address of the last server or peer connection
  3651. #               <A      Server FQDN or peer name
  3652. #               <p      Server port number of the last server or peer connection
  3653. #               <la     Local IP address of the last server or peer connection
  3654. #               <lp     Local port number of the last server or peer connection
  3655. #               <qos    Server connection TOS/DSCP value set by Squid
  3656. #               <nfmark Server connection netfilter mark set by Squid
  3657. #
  3658. #       Time related format codes:
  3659. #
  3660. #               ts      Seconds since epoch
  3661. #               tu      subsecond time (milliseconds)
  3662. #               tl      Local time. Optional strftime format argument
  3663. #                               default %d/%b/%Y:%H:%M:%S %z
  3664. #               tg      GMT time. Optional strftime format argument
  3665. #                               default %d/%b/%Y:%H:%M:%S %z
  3666. #               tr      Response time (milliseconds)
  3667. #               dt      Total time spent making DNS lookups (milliseconds)
  3668. #               tS      Approximate master transaction start time in
  3669. #                       <full seconds since epoch>.<fractional seconds> format.
  3670. #                       Currently, Squid considers the master transaction
  3671. #                       started when a complete HTTP request header initiating
  3672. #                       the transaction is received from the client. This is
  3673. #                       the same value that Squid uses to calculate transaction
  3674. #                       response time when logging %tr to access.log. Currently,
  3675. #                       Squid uses millisecond resolution for %tS values,
  3676. #                       similar to the default access.log "current time" field
  3677. #                       (%ts.%03tu).
  3678. #
  3679. #       Access Control related format codes:
  3680. #
  3681. #               et      Tag returned by external acl
  3682. #               ea      Log string returned by external acl
  3683. #               un      User name (any available)
  3684. #               ul      User name from authentication
  3685. #               ue      User name from external acl helper
  3686. #               ui      User name from ident
  3687. #               un      A user name. Expands to the first available name
  3688. #                       from the following list of information sources:
  3689. #                       - authenticated user name, like %ul
  3690. #                       - user name supplied by an external ACL, like %ue
  3691. #                       - SSL client name, like %us
  3692. #                       - ident user name, like %ui
  3693. #               credentials Client credentials. The exact meaning depends on
  3694. #                       the authentication scheme: For Basic authentication,
  3695. #                       it is the password; for Digest, the realm sent by the
  3696. #                       client; for NTLM and Negotiate, the client challenge
  3697. #                       or client credentials prefixed with "YR " or "KK ".
  3698. #
  3699. #       HTTP related format codes:
  3700. #
  3701. #           REQUEST
  3702. #
  3703. #               [http::]rm      Request method (GET/POST etc)
  3704. #               [http::]>rm     Request method from client
  3705. #               [http::]<rm     Request method sent to server or peer
  3706. #               [http::]ru      Request URL from client (historic, filtered for logging)
  3707. #               [http::]>ru     Request URL from client
  3708. #               [http::]<ru     Request URL sent to server or peer
  3709. #               [http::]>rs     Request URL scheme from client
  3710. #               [http::]<rs     Request URL scheme sent to server or peer
  3711. #               [http::]>rd     Request URL domain from client
  3712. #               [http::]<rd     Request URL domain sent to server or peer
  3713. #               [http::]>rP     Request URL port from client
  3714. #               [http::]<rP     Request URL port sent to server or peer
  3715. #               [http::]rp      Request URL path excluding hostname
  3716. #               [http::]>rp     Request URL path excluding hostname from client
  3717. #               [http::]<rp     Request URL path excluding hostname sent to server or peer
  3718. #               [http::]rv      Request protocol version
  3719. #               [http::]>rv     Request protocol version from client
  3720. #               [http::]<rv     Request protocol version sent to server or peer
  3721. #
  3722. #               [http::]>h      Original received request header.
  3723. #                               Usually differs from the request header sent by
  3724. #                               Squid, although most fields are often preserved.
  3725. #                               Accepts optional header field name/value filter
  3726. #                               argument using name[:[separator]element] format.
  3727. #               [http::]>ha     Received request header after adaptation and
  3728. #                               redirection (pre-cache REQMOD vectoring point).
  3729. #                               Usually differs from the request header sent by
  3730. #                               Squid, although most fields are often preserved.
  3731. #                               Optional header name argument as for >h
  3732. #
  3733. #
  3734. #           RESPONSE
  3735. #
  3736. #               [http::]<Hs     HTTP status code received from the next hop
  3737. #               [http::]>Hs     HTTP status code sent to the client
  3738. #
  3739. #               [http::]<h      Reply header. Optional header name argument
  3740. #                               as for >h
  3741. #
  3742. #               [http::]mt      MIME content type
  3743. #
  3744. #
  3745. #           SIZE COUNTERS
  3746. #
  3747. #               [http::]st      Total size of request + reply traffic with client
  3748. #               [http::]>st     Total size of request received from client.
  3749. #                               Excluding chunked encoding bytes.
  3750. #               [http::]<st     Total size of reply sent to client (after adaptation)
  3751. #
  3752. #               [http::]>sh     Size of request headers received from client
  3753. #               [http::]<sh     Size of reply headers sent to client (after adaptation)
  3754. #
  3755. #               [http::]<sH     Reply high offset sent
  3756. #               [http::]<sS     Upstream object size
  3757. #
  3758. #               [http::]<bs     Number of HTTP-equivalent message body bytes
  3759. #                               received from the next hop, excluding chunked
  3760. #                               transfer encoding and control messages.
  3761. #                               Generated FTP/Gopher listings are treated as
  3762. #                               received bodies.
  3763. #
  3764. #
  3765. #           TIMING
  3766. #
  3767. #               [http::]<pt     Peer response time in milliseconds. The timer starts
  3768. #                               when the last request byte is sent to the next hop
  3769. #                               and stops when the last response byte is received.
  3770. #               [http::]<tt     Total time in milliseconds. The timer
  3771. #                               starts with the first connect request (or write I/O)
  3772. #                               sent to the first selected peer. The timer stops
  3773. #                               with the last I/O with the last peer.
  3774. #
  3775. #       Squid handling related format codes:
  3776. #
  3777. #               Ss      Squid request status (TCP_MISS etc)
  3778. #               Sh      Squid hierarchy status (DEFAULT_PARENT etc)
  3779. #
  3780. #       SSL-related format codes:
  3781. #
  3782. #               ssl::bump_mode  SslBump decision for the transaction:
  3783. #
  3784. #                               For CONNECT requests that initiated bumping of
  3785. #                               a connection and for any request received on
  3786. #                               an already bumped connection, Squid logs the
  3787. #                               corresponding SslBump mode ("server-first" or
  3788. #                               "client-first"). See the ssl_bump option for
  3789. #                               more information about these modes.
  3790. #
  3791. #                               A "none" token is logged for requests that
  3792. #                               triggered "ssl_bump" ACL evaluation matching
  3793. #                               either a "none" rule or no rules at all.
  3794. #
  3795. #                               In all other cases, a single dash ("-") is
  3796. #                               logged.
  3797. #
  3798. #               ssl::>sni       SSL client SNI sent to Squid. Available only
  3799. #                               after the peek, stare, or splice SSL bumping
  3800. #                               actions.
  3801. #
  3802. #       If ICAP is enabled, the following code becomes available (as
  3803. #       well as ICAP log codes documented with the icap_log option):
  3804. #
  3805. #               icap::tt        Total ICAP processing time for the HTTP
  3806. #                               transaction. The timer ticks when ICAP
  3807. #                               ACLs are checked and when ICAP
  3808. #                               transaction is in progress.
  3809. #
  3810. #       If adaptation is enabled the following three codes become available:
  3811. #
  3812. #               adapt::<last_h  The header of the last ICAP response or
  3813. #                               meta-information from the last eCAP
  3814. #                               transaction related to the HTTP transaction.
  3815. #                               Like <h, accepts an optional header name
  3816. #                               argument.
  3817. #
  3818. #               adapt::sum_trs Summed adaptation transaction response
  3819. #                               times recorded as a comma-separated list in
  3820. #                               the order of transaction start time. Each time
  3821. #                               value is recorded as an integer number,
  3822. #                               representing response time of one or more
  3823. #                               adaptation (ICAP or eCAP) transaction in
  3824. #                               milliseconds.  When a failed transaction is
  3825. #                               being retried or repeated, its time is not
  3826. #                               logged individually but added to the
  3827. #                               replacement (next) transaction. See also:
  3828. #                               adapt::all_trs.
  3829. #
  3830. #               adapt::all_trs All adaptation transaction response times.
  3831. #                               Same as adaptation_strs but response times of
  3832. #                               individual transactions are never added
  3833. #                               together. Instead, all transaction response
  3834. #                               times are recorded individually.
  3835. #
  3836. #       You can prefix adapt::*_trs format codes with adaptation
  3837. #       service name in curly braces to record response time(s) specific
  3838. #       to that service. For example: %{my_service}adapt::sum_trs
  3839. #
  3840. #       If SSL is enabled, the following formating codes become available:
  3841. #
  3842. #               %ssl::>cert_subject The Subject field of the received client
  3843. #                               SSL certificate or a dash ('-') if Squid has
  3844. #                               received an invalid/malformed certificate or
  3845. #                               no certificate at all. Consider encoding the
  3846. #                               logged value because Subject often has spaces.
  3847. #
  3848. #               %ssl::>cert_issuer The Issuer field of the received client
  3849. #                               SSL certificate or a dash ('-') if Squid has
  3850. #                               received an invalid/malformed certificate or
  3851. #                               no certificate at all. Consider encoding the
  3852. #                               logged value because Issuer often has spaces.
  3853. #
  3854. #       The default formats available (which do not need re-defining) are:
  3855. #
  3856. #logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
  3857. #logformat common     %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
  3858. #logformat combined   %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
  3859. #logformat referrer   %ts.%03tu %>a %{Referer}>h %ru
  3860. #logformat useragent  %>a [%tl] "%{User-Agent}>h"
  3861. #
  3862. #       NOTE: When the log_mime_hdrs directive is set to ON.
  3863. #               The squid, common and combined formats have a safely encoded copy
  3864. #               of the mime headers appended to each line within a pair of brackets.
  3865. #
  3866. #       NOTE: The common and combined formats are not quite true to the Apache definition.
  3867. #               The logs from Squid contain an extra status and hierarchy code appended.
  3868. #
  3869. #Default:
  3870. # The format definitions squid, common, combined, referrer, useragent are built in.
  3871.  
  3872. #  TAG: access_log
  3873. #       Configures whether and how Squid logs HTTP and ICP transactions.
  3874. #       If access logging is enabled, a single line is logged for every
  3875. #       matching HTTP or ICP request. The recommended directive formats are:
  3876. #
  3877. #       access_log <module>:<place> [option ...] [acl acl ...]
  3878. #       access_log none [acl acl ...]
  3879. #
  3880. #       The following directive format is accepted but may be deprecated:
  3881. #       access_log <module>:<place> [<logformat name> [acl acl ...]]
  3882. #
  3883. #        In most cases, the first ACL name must not contain the '=' character
  3884. #       and should not be equal to an existing logformat name. You can always
  3885. #       start with an 'all' ACL to work around those restrictions.
  3886. #      
  3887. #       Will log to the specified module:place using the specified format (which
  3888. #       must be defined in a logformat directive) those entries which match
  3889. #       ALL the acl's specified (which must be defined in acl clauses).
  3890. #       If no acl is specified, all requests will be logged to this destination.
  3891. #      
  3892. #       ===== Available options for the recommended directive format =====
  3893. #
  3894. #       logformat=name          Names log line format (either built-in or
  3895. #                               defined by a logformat directive). Defaults
  3896. #                               to 'squid'.
  3897. #
  3898. #       buffer-size=64KB        Defines approximate buffering limit for log
  3899. #                               records (see buffered_logs).  Squid should not
  3900. #                               keep more than the specified size and, hence,
  3901. #                               should flush records before the buffer becomes
  3902. #                               full to avoid overflows under normal
  3903. #                               conditions (the exact flushing algorithm is
  3904. #                               module-dependent though).  The on-error option
  3905. #                               controls overflow handling.
  3906. #
  3907. #       on-error=die|drop       Defines action on unrecoverable errors. The
  3908. #                               'drop' action ignores (i.e., does not log)
  3909. #                               affected log records. The default 'die' action
  3910. #                               kills the affected worker. The drop action
  3911. #                               support has not been tested for modules other
  3912. #                               than tcp.
  3913. #
  3914. #       ===== Modules Currently available =====
  3915. #      
  3916. #       none    Do not log any requests matching these ACL.
  3917. #               Do not specify Place or logformat name.
  3918. #      
  3919. #       stdio   Write each log line to disk immediately at the completion of
  3920. #               each request.
  3921. #               Place: the filename and path to be written.
  3922. #      
  3923. #       daemon  Very similar to stdio. But instead of writing to disk the log
  3924. #               line is passed to a daemon helper for asychronous handling instead.
  3925. #               Place: varies depending on the daemon.
  3926. #              
  3927. #               log_file_daemon Place: the file name and path to be written.
  3928. #      
  3929. #       syslog  To log each request via syslog facility.
  3930. #               Place: The syslog facility and priority level for these entries.
  3931. #               Place Format:  facility.priority
  3932. #
  3933. #               where facility could be any of:
  3934. #                       authpriv, daemon, local0 ... local7 or user.
  3935. #
  3936. #               And priority could be any of:
  3937. #                       err, warning, notice, info, debug.
  3938. #      
  3939. #       udp     To send each log line as text data to a UDP receiver.
  3940. #               Place: The destination host name or IP and port.
  3941. #               Place Format:   //host:port
  3942. #
  3943. #       tcp     To send each log line as text data to a TCP receiver.
  3944. #               Lines may be accumulated before sending (see buffered_logs).
  3945. #               Place: The destination host name or IP and port.
  3946. #               Place Format:   //host:port
  3947. #
  3948. #       Default:
  3949. #               access_log daemon:/var/log/squid/access.log squid
  3950. #Default:
  3951. # access_log daemon:/var/log/squid/access.log squid
  3952.  
  3953. #  TAG: icap_log
  3954. #       ICAP log files record ICAP transaction summaries, one line per
  3955. #       transaction.
  3956. #
  3957. #       The icap_log option format is:
  3958. #       icap_log <filepath> [<logformat name> [acl acl ...]]
  3959. #       icap_log none [acl acl ...]]
  3960. #      
  3961. #       Please see access_log option documentation for details. The two
  3962. #       kinds of logs share the overall configuration approach and many
  3963. #       features.
  3964. #
  3965. #       ICAP processing of a single HTTP message or transaction may
  3966. #       require multiple ICAP transactions.  In such cases, multiple
  3967. #       ICAP transaction log lines will correspond to a single access
  3968. #       log line.
  3969. #
  3970. #       ICAP log supports many access.log logformat %codes. In ICAP context,
  3971. #       HTTP message-related %codes are applied to the HTTP message embedded
  3972. #       in an ICAP message. Logformat "%http::>..." codes are used for HTTP
  3973. #       messages embedded in ICAP requests while "%http::<..." codes are used
  3974. #       for HTTP messages embedded in ICAP responses. For example:
  3975. #
  3976. #               http::>h        To-be-adapted HTTP message headers sent by Squid to
  3977. #                               the ICAP service. For REQMOD transactions, these are
  3978. #                               HTTP request headers. For RESPMOD, these are HTTP
  3979. #                               response headers, but Squid currently cannot log them
  3980. #                               (i.e., %http::>h will expand to "-" for RESPMOD).
  3981. #
  3982. #               http::<h        Adapted HTTP message headers sent by the ICAP
  3983. #                               service to Squid (i.e., HTTP request headers in regular
  3984. #                               REQMOD; HTTP response headers in RESPMOD and during
  3985. #                               request satisfaction in REQMOD).
  3986. #
  3987. #       ICAP OPTIONS transactions do not embed HTTP messages.
  3988. #
  3989. #       Several logformat codes below deal with ICAP message bodies. An ICAP
  3990. #       message body, if any, typically includes a complete HTTP message
  3991. #       (required HTTP headers plus optional HTTP message body). When
  3992. #       computing HTTP message body size for these logformat codes, Squid
  3993. #       either includes or excludes chunked encoding overheads; see
  3994. #       code-specific documentation for details.
  3995. #
  3996. #       For Secure ICAP services, all size-related information is currently
  3997. #       computed before/after TLS encryption/decryption, as if TLS was not
  3998. #       in use at all.
  3999. #
  4000. #       The following format codes are also available for ICAP logs:
  4001. #
  4002. #               icap::<A        ICAP server IP address. Similar to <A.
  4003. #
  4004. #               icap::<service_name     ICAP service name from the icap_service
  4005. #                               option in Squid configuration file.
  4006. #
  4007. #               icap::ru        ICAP Request-URI. Similar to ru.
  4008. #
  4009. #               icap::rm        ICAP request method (REQMOD, RESPMOD, or
  4010. #                               OPTIONS). Similar to existing rm.
  4011. #
  4012. #               icap::>st       The total size of the ICAP request sent to the ICAP
  4013. #                               server (ICAP headers + ICAP body), including chunking
  4014. #                               metadata (if any).
  4015. #
  4016. #               icap::<st       The total size of the ICAP response received from the
  4017. #                               ICAP server (ICAP headers + ICAP body), including
  4018. #                               chunking metadata (if any).
  4019. #
  4020. #               icap::<bs       The size of the ICAP response body received from the
  4021. #                               ICAP server, excluding chunking metadata (if any).
  4022. #
  4023. #               icap::tr        Transaction response time (in
  4024. #                               milliseconds).  The timer starts when
  4025. #                               the ICAP transaction is created and
  4026. #                               stops when the transaction is completed.
  4027. #                               Similar to tr.
  4028. #
  4029. #               icap::tio       Transaction I/O time (in milliseconds). The
  4030. #                               timer starts when the first ICAP request
  4031. #                               byte is scheduled for sending. The timers
  4032. #                               stops when the last byte of the ICAP response
  4033. #                               is received.
  4034. #
  4035. #               icap::to        Transaction outcome: ICAP_ERR* for all
  4036. #                               transaction errors, ICAP_OPT for OPTION
  4037. #                               transactions, ICAP_ECHO for 204
  4038. #                               responses, ICAP_MOD for message
  4039. #                               modification, and ICAP_SAT for request
  4040. #                               satisfaction. Similar to Ss.
  4041. #
  4042. #               icap::Hs        ICAP response status code. Similar to Hs.
  4043. #
  4044. #               icap::>h        ICAP request header(s). Similar to >h.
  4045. #
  4046. #               icap::<h        ICAP response header(s). Similar to <h.
  4047. #
  4048. #       The default ICAP log format, which can be used without an explicit
  4049. #       definition, is called icap_squid:
  4050. #
  4051. #logformat icap_squid %ts.%03tu %6icap::tr %>A %icap::to/%03icap::Hs %icap::<st %icap::rm %icap::ru %un -/%icap::<A -
  4052. #
  4053. #       See also: logformat and %adapt::<last_h
  4054. #Default:
  4055. # none
  4056.  
  4057. #  TAG: logfile_daemon
  4058. #       Specify the path to the logfile-writing daemon. This daemon is
  4059. #       used to write the access and store logs, if configured.
  4060. #
  4061. #       Squid sends a number of commands to the log daemon:
  4062. #         L<data>\n - logfile data
  4063. #         R\n - rotate file
  4064. #         T\n - truncate file
  4065. #         O\n - reopen file
  4066. #         F\n - flush file
  4067. #         r<n>\n - set rotate count to <n>
  4068. #         b<n>\n - 1 = buffer output, 0 = don't buffer output
  4069. #
  4070. #       No responses is expected.
  4071. #Default:
  4072. # logfile_daemon /usr/lib/squid/log_file_daemon
  4073.  
  4074. #  TAG: stats_collection        allow|deny acl acl...
  4075. #       This options allows you to control which requests gets accounted
  4076. #       in performance counters.
  4077. #
  4078. #       This clause only supports fast acl types.
  4079. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4080. #Default:
  4081. # Allow logging for all transactions.
  4082.  
  4083. #  TAG: cache_store_log
  4084. #       Logs the activities of the storage manager.  Shows which
  4085. #       objects are ejected from the cache, and which objects are
  4086. #       saved and for how long.
  4087. #       There are not really utilities to analyze this data, so you can safely
  4088. #       disable it (the default).
  4089. #      
  4090. #       Store log uses modular logging outputs. See access_log for the list
  4091. #       of modules supported.
  4092. #      
  4093. #       Example:
  4094. #               cache_store_log stdio:/var/log/squid/store.log
  4095. #               cache_store_log daemon:/var/log/squid/store.log
  4096. #Default:
  4097. # none
  4098.  
  4099. #  TAG: cache_swap_state
  4100. #       Location for the cache "swap.state" file. This index file holds
  4101. #       the metadata of objects saved on disk.  It is used to rebuild
  4102. #       the cache during startup.  Normally this file resides in each
  4103. #       'cache_dir' directory, but you may specify an alternate
  4104. #       pathname here.  Note you must give a full filename, not just
  4105. #       a directory. Since this is the index for the whole object
  4106. #       list you CANNOT periodically rotate it!
  4107. #
  4108. #       If %s can be used in the file name it will be replaced with a
  4109. #       a representation of the cache_dir name where each / is replaced
  4110. #       with '.'. This is needed to allow adding/removing cache_dir
  4111. #       lines when cache_swap_log is being used.
  4112. #
  4113. #       If have more than one 'cache_dir', and %s is not used in the name
  4114. #       these swap logs will have names such as:
  4115. #
  4116. #               cache_swap_log.00
  4117. #               cache_swap_log.01
  4118. #               cache_swap_log.02
  4119. #
  4120. #       The numbered extension (which is added automatically)
  4121. #       corresponds to the order of the 'cache_dir' lines in this
  4122. #       configuration file.  If you change the order of the 'cache_dir'
  4123. #       lines in this file, these index files will NOT correspond to
  4124. #       the correct 'cache_dir' entry (unless you manually rename
  4125. #       them).  We recommend you do NOT use this option.  It is
  4126. #       better to keep these index files in each 'cache_dir' directory.
  4127. #Default:
  4128. # Store the journal inside its cache_dir
  4129.  
  4130. #  TAG: logfile_rotate
  4131. #       Specifies the number of logfile rotations to make when you
  4132. #       type 'squid -k rotate'. The default is 10, which will rotate
  4133. #       with extensions 0 through 9. Setting logfile_rotate to 0 will
  4134. #       disable the file name rotation, but the logfiles are still closed
  4135. #       and re-opened. This will enable you to rename the logfiles
  4136. #       yourself just before sending the rotate signal.
  4137. #
  4138. #       Note, the 'squid -k rotate' command normally sends a USR1
  4139. #       signal to the running squid process.  In certain situations
  4140. #       (e.g. on Linux with Async I/O), USR1 is used for other
  4141. #       purposes, so -k rotate uses another signal.  It is best to get
  4142. #       in the habit of using 'squid -k rotate' instead of 'kill -USR1
  4143. #       <pid>'.
  4144. #
  4145. #       Note, from Squid-3.1 this option is only a default for cache.log,
  4146. #       that log can be rotated separately by using debug_options.
  4147. #
  4148. #       Note2, for Debian/Linux the default of logfile_rotate is
  4149. #       zero, since it includes external logfile-rotation methods.
  4150. #Default:
  4151. # logfile_rotate 0
  4152.  
  4153. #  TAG: mime_table
  4154. #       Path to Squid's icon configuration file.
  4155. #
  4156. #       You shouldn't need to change this, but the default file contains
  4157. #       examples and formatting information if you do.
  4158. #Default:
  4159. # mime_table /usr/share/squid/mime.conf
  4160.  
  4161. #  TAG: log_mime_hdrs   on|off
  4162. #       The Cache can record both the request and the response MIME
  4163. #       headers for each HTTP transaction.  The headers are encoded
  4164. #       safely and will appear as two bracketed fields at the end of
  4165. #       the access log (for either the native or httpd-emulated log
  4166. #       formats).  To enable this logging set log_mime_hdrs to 'on'.
  4167. #Default:
  4168. # log_mime_hdrs off
  4169.  
  4170. #  TAG: pid_filename
  4171. #       A filename to write the process-id to.  To disable, enter "none".
  4172. #Default:
  4173. # pid_filename /var/run/squid.pid
  4174.  
  4175. #  TAG: client_netmask
  4176. #       A netmask for client addresses in logfiles and cachemgr output.
  4177. #       Change this to protect the privacy of your cache clients.
  4178. #       A netmask of 255.255.255.0 will log all IP's in that range with
  4179. #       the last digit set to '0'.
  4180. #Default:
  4181. # Log full client IP address
  4182.  
  4183. #  TAG: strip_query_terms
  4184. #       By default, Squid strips query terms from requested URLs before
  4185. #       logging.  This protects your user's privacy and reduces log size.
  4186. #
  4187. #       When investigating HIT/MISS or other caching behaviour you
  4188. #       will need to disable this to see the full URL used by Squid.
  4189. #Default:
  4190. # strip_query_terms on
  4191.  
  4192. #  TAG: buffered_logs   on|off
  4193. #       Whether to write/send access_log records ASAP or accumulate them and
  4194. #       then write/send them in larger chunks. Buffering may improve
  4195. #       performance because it decreases the number of I/Os. However,
  4196. #       buffering increases the delay before log records become available to
  4197. #       the final recipient (e.g., a disk file or logging daemon) and,
  4198. #       hence, increases the risk of log records loss.
  4199. #
  4200. #       Note that even when buffered_logs are off, Squid may have to buffer
  4201. #       records if it cannot write/send them immediately due to pending I/Os
  4202. #       (e.g., the I/O writing the previous log record) or connectivity loss.
  4203. #
  4204. #       Currently honored by 'daemon' and 'tcp' access_log modules only.
  4205. #Default:
  4206. # buffered_logs off
  4207.  
  4208. #  TAG: netdb_filename
  4209. #       Where Squid stores it's netdb journal.
  4210. #       When enabled this journal preserves netdb state between restarts.
  4211. #
  4212. #       To disable, enter "none".
  4213. #Default:
  4214. # netdb_filename stdio:/var/log/squid/netdb.state
  4215.  
  4216. # OPTIONS FOR TROUBLESHOOTING
  4217. # -----------------------------------------------------------------------------
  4218.  
  4219. #  TAG: cache_log
  4220. #       Squid administrative logging file.
  4221. #
  4222. #       This is where general information about Squid behavior goes. You can
  4223. #       increase the amount of data logged to this file and how often it is
  4224. #       rotated with "debug_options"
  4225. #Default:
  4226. # cache_log /var/log/squid/cache.log
  4227.  
  4228. #  TAG: debug_options
  4229. #       Logging options are set as section,level where each source file
  4230. #       is assigned a unique section.  Lower levels result in less
  4231. #       output,  Full debugging (level 9) can result in a very large
  4232. #       log file, so be careful.
  4233. #
  4234. #       The magic word "ALL" sets debugging levels for all sections.
  4235. #       The default is to run with "ALL,1" to record important warnings.
  4236. #
  4237. #       The rotate=N option can be used to keep more or less of these logs
  4238. #       than would otherwise be kept by logfile_rotate.
  4239. #       For most uses a single log should be enough to monitor current
  4240. #       events affecting Squid.
  4241. #Default:
  4242. # Log all critical and important messages.
  4243.  
  4244. #  TAG: coredump_dir
  4245. #       By default Squid leaves core files in the directory from where
  4246. #       it was started. If you set 'coredump_dir' to a directory
  4247. #       that exists, Squid will chdir() to that directory at startup
  4248. #       and coredump files will be left there.
  4249. #
  4250. #Default:
  4251. # Use the directory from where Squid was started.
  4252. #
  4253.  
  4254. # Leave coredumps in the first cache dir
  4255. coredump_dir /var/spool/squid
  4256.  
  4257. # OPTIONS FOR FTP GATEWAYING
  4258. # -----------------------------------------------------------------------------
  4259.  
  4260. #  TAG: ftp_user
  4261. #       If you want the anonymous login password to be more informative
  4262. #       (and enable the use of picky FTP servers), set this to something
  4263. #       reasonable for your domain, like wwwuser@somewhere.net
  4264. #
  4265. #       The reason why this is domainless by default is the
  4266. #       request can be made on the behalf of a user in any domain,
  4267. #       depending on how the cache is used.
  4268. #       Some FTP server also validate the email address is valid
  4269. #       (for example perl.com).
  4270. #Default:
  4271. # ftp_user Squid@
  4272.  
  4273. #  TAG: ftp_passive
  4274. #       If your firewall does not allow Squid to use passive
  4275. #       connections, turn off this option.
  4276. #
  4277. #       Use of ftp_epsv_all option requires this to be ON.
  4278. #Default:
  4279. # ftp_passive on
  4280.  
  4281. #  TAG: ftp_epsv_all
  4282. #       FTP Protocol extensions permit the use of a special "EPSV ALL" command.
  4283. #
  4284. #       NATs may be able to put the connection on a "fast path" through the
  4285. #       translator, as the EPRT command will never be used and therefore,
  4286. #       translation of the data portion of the segments will never be needed.
  4287. #
  4288. #       When a client only expects to do two-way FTP transfers this may be
  4289. #       useful.
  4290. #       If squid finds that it must do a three-way FTP transfer after issuing
  4291. #       an EPSV ALL command, the FTP session will fail.
  4292. #
  4293. #       If you have any doubts about this option do not use it.
  4294. #       Squid will nicely attempt all other connection methods.
  4295. #
  4296. #       Requires ftp_passive to be ON (default) for any effect.
  4297. #Default:
  4298. # ftp_epsv_all off
  4299.  
  4300. #  TAG: ftp_epsv
  4301. #       FTP Protocol extensions permit the use of a special "EPSV" command.
  4302. #
  4303. #       NATs may be able to put the connection on a "fast path" through the
  4304. #       translator using EPSV, as the EPRT command will never be used
  4305. #       and therefore, translation of the data portion of the segments
  4306. #       will never be needed.
  4307. #
  4308. #       EPSV is often required to interoperate with FTP servers on IPv6
  4309. #       networks. On the other hand, it may break some IPv4 servers.
  4310. #
  4311. #       By default, EPSV may try EPSV with any FTP server. To fine tune
  4312. #       that decision, you may restrict EPSV to certain clients or servers
  4313. #       using ACLs:
  4314. #
  4315. #               ftp_epsv allow|deny al1 acl2 ...
  4316. #
  4317. #       WARNING: Disabling EPSV may cause problems with external NAT and IPv6.
  4318. #
  4319. #       Only fast ACLs are supported.
  4320. #       Requires ftp_passive to be ON (default) for any effect.
  4321. #Default:
  4322. # none
  4323.  
  4324. #  TAG: ftp_eprt
  4325. #       FTP Protocol extensions permit the use of a special "EPRT" command.
  4326. #
  4327. #       This extension provides a protocol neutral alternative to the
  4328. #       IPv4-only PORT command. When supported it enables active FTP data
  4329. #       channels over IPv6 and efficient NAT handling.
  4330. #
  4331. #       Turning this OFF will prevent EPRT being attempted and will skip
  4332. #       straight to using PORT for IPv4 servers.
  4333. #
  4334. #       Some devices are known to not handle this extension correctly and
  4335. #       may result in crashes. Devices which suport EPRT enough to fail
  4336. #       cleanly will result in Squid attempting PORT anyway. This directive
  4337. #       should only be disabled when EPRT results in device failures.
  4338. #
  4339. #       WARNING: Doing so will convert Squid back to the old behavior with all
  4340. #       the related problems with external NAT devices/layers and IPv4-only FTP.
  4341. #Default:
  4342. # ftp_eprt on
  4343.  
  4344. #  TAG: ftp_sanitycheck
  4345. #       For security and data integrity reasons Squid by default performs
  4346. #       sanity checks of the addresses of FTP data connections ensure the
  4347. #       data connection is to the requested server. If you need to allow
  4348. #       FTP connections to servers using another IP address for the data
  4349. #       connection turn this off.
  4350. #Default:
  4351. # ftp_sanitycheck on
  4352.  
  4353. #  TAG: ftp_telnet_protocol
  4354. #       The FTP protocol is officially defined to use the telnet protocol
  4355. #       as transport channel for the control connection. However, many
  4356. #       implementations are broken and does not respect this aspect of
  4357. #       the FTP protocol.
  4358. #
  4359. #       If you have trouble accessing files with ASCII code 255 in the
  4360. #       path or similar problems involving this ASCII code you can
  4361. #       try setting this directive to off. If that helps, report to the
  4362. #       operator of the FTP server in question that their FTP server
  4363. #       is broken and does not follow the FTP standard.
  4364. #Default:
  4365. # ftp_telnet_protocol on
  4366.  
  4367. # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
  4368. # -----------------------------------------------------------------------------
  4369.  
  4370. #  TAG: diskd_program
  4371. #       Specify the location of the diskd executable.
  4372. #       Note this is only useful if you have compiled in
  4373. #       diskd as one of the store io modules.
  4374. #Default:
  4375. # diskd_program /usr/lib/squid/diskd
  4376.  
  4377. #  TAG: unlinkd_program
  4378. #       Specify the location of the executable for file deletion process.
  4379. #Default:
  4380. # unlinkd_program /usr/lib/squid/unlinkd
  4381.  
  4382. #  TAG: pinger_program
  4383. #       Specify the location of the executable for the pinger process.
  4384. #Default:
  4385. # pinger_program /usr/lib/squid/pinger
  4386.  
  4387. #  TAG: pinger_enable
  4388. #       Control whether the pinger is active at run-time.
  4389. #       Enables turning ICMP pinger on and off with a simple
  4390. #       squid -k reconfigure.
  4391. #Default:
  4392. # pinger_enable on
  4393.  
  4394. # OPTIONS FOR URL REWRITING
  4395. # -----------------------------------------------------------------------------
  4396.  
  4397. #  TAG: url_rewrite_program
  4398. #       Specify the location of the executable URL rewriter to use.
  4399. #       Since they can perform almost any function there isn't one included.
  4400. #
  4401. #       For each requested URL, the rewriter will receive on line with the format
  4402. #
  4403. #         [channel-ID <SP>] URL [<SP> extras]<NL>
  4404. #
  4405. #       See url_rewrite_extras on how to send "extras" with optional values to
  4406. #       the helper.
  4407. #       After processing the request the helper must reply using the following format:
  4408. #
  4409. #         [channel-ID <SP>] result [<SP> kv-pairs]
  4410. #
  4411. #       The result code can be:
  4412. #
  4413. #         OK status=30N url="..."
  4414. #               Redirect the URL to the one supplied in 'url='.
  4415. #               'status=' is optional and contains the status code to send
  4416. #               the client in Squids HTTP response. It must be one of the
  4417. #               HTTP redirect status codes: 301, 302, 303, 307, 308.
  4418. #               When no status is given Squid will use 302.
  4419. #
  4420. #         OK rewrite-url="..."
  4421. #               Rewrite the URL to the one supplied in 'rewrite-url='.
  4422. #               The new URL is fetched directly by Squid and returned to
  4423. #               the client as the response to its request.
  4424. #
  4425. #         OK
  4426. #               When neither of url= and rewrite-url= are sent Squid does
  4427. #               not change the URL.
  4428. #
  4429. #         ERR
  4430. #               Do not change the URL.
  4431. #
  4432. #         BH
  4433. #               An internal error occurred in the helper, preventing
  4434. #               a result being identified. The 'message=' key name is
  4435. #               reserved for delivering a log message.
  4436. #
  4437. #
  4438. #       In addition to the above kv-pairs Squid also understands the following
  4439. #       optional kv-pairs received from URL rewriters:
  4440. #         clt_conn_tag=TAG
  4441. #               Associates a TAG with the client TCP connection.
  4442. #               The TAG is treated as a regular annotation but persists across
  4443. #               future requests on the client connection rather than just the
  4444. #               current request. A helper may update the TAG during subsequent
  4445. #               requests be returning a new kv-pair.
  4446. #
  4447. #       When using the concurrency= option the protocol is changed by
  4448. #       introducing a query channel tag in front of the request/response.
  4449. #       The query channel tag is a number between 0 and concurrency-1.
  4450. #       This value must be echoed back unchanged to Squid as the first part
  4451. #       of the response relating to its request.
  4452. #
  4453. #       WARNING: URL re-writing ability should be avoided whenever possible.
  4454. #                Use the URL redirect form of response instead.
  4455. #
  4456. #       Re-write creates a difference in the state held by the client
  4457. #       and server. Possibly causing confusion when the server response
  4458. #       contains snippets of its view state. Embeded URLs, response
  4459. #       and content Location headers, etc. are not re-written by this
  4460. #       interface.
  4461. #
  4462. #       By default, a URL rewriter is not used.
  4463. #Default:
  4464. # none
  4465.  
  4466. #  TAG: url_rewrite_children
  4467. #       The maximum number of redirector processes to spawn. If you limit
  4468. #       it too few Squid will have to wait for them to process a backlog of
  4469. #       URLs, slowing it down. If you allow too many they will use RAM
  4470. #       and other system resources noticably.
  4471. #      
  4472. #       The startup= and idle= options allow some measure of skew in your
  4473. #       tuning.
  4474. #      
  4475. #               startup=
  4476. #      
  4477. #       Sets a minimum of how many processes are to be spawned when Squid
  4478. #       starts or reconfigures. When set to zero the first request will
  4479. #       cause spawning of the first child process to handle it.
  4480. #      
  4481. #       Starting too few will cause an initial slowdown in traffic as Squid
  4482. #       attempts to simultaneously spawn enough processes to cope.
  4483. #      
  4484. #               idle=
  4485. #      
  4486. #       Sets a minimum of how many processes Squid is to try and keep available
  4487. #       at all times. When traffic begins to rise above what the existing
  4488. #       processes can handle this many more will be spawned up to the maximum
  4489. #       configured. A minimum setting of 1 is required.
  4490. #
  4491. #               concurrency=
  4492. #
  4493. #       The number of requests each redirector helper can handle in
  4494. #       parallel. Defaults to 0 which indicates the redirector
  4495. #       is a old-style single threaded redirector.
  4496. #
  4497. #       When this directive is set to a value >= 1 then the protocol
  4498. #       used to communicate with the helper is modified to include
  4499. #       an ID in front of the request/response. The ID from the request
  4500. #       must be echoed back with the response to that request.
  4501. #Default:
  4502. # url_rewrite_children 20 startup=0 idle=1 concurrency=0
  4503.  
  4504. #  TAG: url_rewrite_host_header
  4505. #       To preserve same-origin security policies in browsers and
  4506. #       prevent Host: header forgery by redirectors Squid rewrites
  4507. #       any Host: header in redirected requests.
  4508. #      
  4509. #       If you are running an accelerator this may not be a wanted
  4510. #       effect of a redirector. This directive enables you disable
  4511. #       Host: alteration in reverse-proxy traffic.
  4512. #      
  4513. #       WARNING: Entries are cached on the result of the URL rewriting
  4514. #       process, so be careful if you have domain-virtual hosts.
  4515. #      
  4516. #       WARNING: Squid and other software verifies the URL and Host
  4517. #       are matching, so be careful not to relay through other proxies
  4518. #       or inspecting firewalls with this disabled.
  4519. #Default:
  4520. # url_rewrite_host_header on
  4521.  
  4522. #  TAG: url_rewrite_access
  4523. #       If defined, this access list specifies which requests are
  4524. #       sent to the redirector processes.
  4525. #
  4526. #       This clause supports both fast and slow acl types.
  4527. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4528. #Default:
  4529. # Allow, unless rules exist in squid.conf.
  4530.  
  4531. #  TAG: url_rewrite_bypass
  4532. #       When this is 'on', a request will not go through the
  4533. #       redirector if all the helpers are busy.  If this is 'off'
  4534. #       and the redirector queue grows too large, Squid will exit
  4535. #       with a FATAL error and ask you to increase the number of
  4536. #       redirectors.  You should only enable this if the redirectors
  4537. #       are not critical to your caching system.  If you use
  4538. #       redirectors for access control, and you enable this option,
  4539. #       users may have access to pages they should not
  4540. #       be allowed to request.
  4541. #Default:
  4542. # url_rewrite_bypass off
  4543.  
  4544. #  TAG: url_rewrite_extras
  4545. #       Specifies a string to be append to request line format for the
  4546. #       rewriter helper. "Quoted" format values may contain spaces and
  4547. #       logformat %macros. In theory, any logformat %macro can be used.
  4548. #       In practice, a %macro expands as a dash (-) if the helper request is
  4549. #       sent before the required macro information is available to Squid.
  4550. #Default:
  4551. # url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
  4552.  
  4553. # OPTIONS FOR STORE ID
  4554. # -----------------------------------------------------------------------------
  4555.  
  4556. #  TAG: store_id_program
  4557. #       Specify the location of the executable StoreID helper to use.
  4558. #       Since they can perform almost any function there isn't one included.
  4559. #
  4560. #       For each requested URL, the helper will receive one line with the format
  4561. #
  4562. #         [channel-ID <SP>] URL [<SP> extras]<NL>
  4563. #
  4564. #
  4565. #       After processing the request the helper must reply using the following format:
  4566. #
  4567. #         [channel-ID <SP>] result [<SP> kv-pairs]
  4568. #
  4569. #       The result code can be:
  4570. #
  4571. #         OK store-id="..."
  4572. #               Use the StoreID supplied in 'store-id='.
  4573. #
  4574. #         ERR
  4575. #               The default is to use HTTP request URL as the store ID.
  4576. #
  4577. #         BH
  4578. #               An internal error occured in the helper, preventing
  4579. #               a result being identified.
  4580. #
  4581. #       In addition to the above kv-pairs Squid also understands the following
  4582. #       optional kv-pairs received from URL rewriters:
  4583. #         clt_conn_tag=TAG
  4584. #               Associates a TAG with the client TCP connection.
  4585. #               Please see url_rewrite_program related documentation for this
  4586. #               kv-pair
  4587. #
  4588. #       Helper programs should be prepared to receive and possibly ignore
  4589. #       additional whitespace-separated tokens on each input line.
  4590. #
  4591. #       When using the concurrency= option the protocol is changed by
  4592. #       introducing a query channel tag in front of the request/response.
  4593. #       The query channel tag is a number between 0 and concurrency-1.
  4594. #       This value must be echoed back unchanged to Squid as the first part
  4595. #       of the response relating to its request.
  4596. #
  4597. #       NOTE: when using StoreID refresh_pattern will apply to the StoreID
  4598. #             returned from the helper and not the URL.
  4599. #
  4600. #       WARNING: Wrong StoreID value returned by a careless helper may result
  4601. #                in the wrong cached response returned to the user.
  4602. #
  4603. #       By default, a StoreID helper is not used.
  4604. #Default:
  4605. # none
  4606.  
  4607. #  TAG: store_id_extras
  4608. #        Specifies a string to be append to request line format for the
  4609. #        StoreId helper. "Quoted" format values may contain spaces and
  4610. #        logformat %macros. In theory, any logformat %macro can be used.
  4611. #        In practice, a %macro expands as a dash (-) if the helper request is
  4612. #        sent before the required macro information is available to Squid.
  4613. #Default:
  4614. # store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
  4615.  
  4616. #  TAG: store_id_children
  4617. #       The maximum number of StoreID helper processes to spawn. If you limit
  4618. #       it too few Squid will have to wait for them to process a backlog of
  4619. #       requests, slowing it down. If you allow too many they will use RAM
  4620. #       and other system resources noticably.
  4621. #      
  4622. #       The startup= and idle= options allow some measure of skew in your
  4623. #       tuning.
  4624. #      
  4625. #               startup=
  4626. #      
  4627. #       Sets a minimum of how many processes are to be spawned when Squid
  4628. #       starts or reconfigures. When set to zero the first request will
  4629. #       cause spawning of the first child process to handle it.
  4630. #      
  4631. #       Starting too few will cause an initial slowdown in traffic as Squid
  4632. #       attempts to simultaneously spawn enough processes to cope.
  4633. #      
  4634. #               idle=
  4635. #      
  4636. #       Sets a minimum of how many processes Squid is to try and keep available
  4637. #       at all times. When traffic begins to rise above what the existing
  4638. #       processes can handle this many more will be spawned up to the maximum
  4639. #       configured. A minimum setting of 1 is required.
  4640. #
  4641. #               concurrency=
  4642. #
  4643. #       The number of requests each storeID helper can handle in
  4644. #       parallel. Defaults to 0 which indicates the helper
  4645. #       is a old-style single threaded program.
  4646. #
  4647. #       When this directive is set to a value >= 1 then the protocol
  4648. #       used to communicate with the helper is modified to include
  4649. #       an ID in front of the request/response. The ID from the request
  4650. #       must be echoed back with the response to that request.
  4651. #Default:
  4652. # store_id_children 20 startup=0 idle=1 concurrency=0
  4653.  
  4654. #  TAG: store_id_access
  4655. #       If defined, this access list specifies which requests are
  4656. #       sent to the StoreID processes.  By default all requests
  4657. #       are sent.
  4658. #
  4659. #       This clause supports both fast and slow acl types.
  4660. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4661. #Default:
  4662. # Allow, unless rules exist in squid.conf.
  4663.  
  4664. #  TAG: store_id_bypass
  4665. #       When this is 'on', a request will not go through the
  4666. #       helper if all helpers are busy.  If this is 'off'
  4667. #       and the helper queue grows too large, Squid will exit
  4668. #       with a FATAL error and ask you to increase the number of
  4669. #       helpers.  You should only enable this if the helperss
  4670. #       are not critical to your caching system.  If you use
  4671. #       helpers for critical caching components, and you enable this
  4672. #       option, users may not get objects from cache.
  4673. #Default:
  4674. # store_id_bypass on
  4675.  
  4676. # OPTIONS FOR TUNING THE CACHE
  4677. # -----------------------------------------------------------------------------
  4678.  
  4679. #  TAG: cache
  4680. #       Requests denied by this directive will not be served from the cache
  4681. #       and their responses will not be stored in the cache. This directive
  4682. #       has no effect on other transactions and on already cached responses.
  4683. #
  4684. #       This clause supports both fast and slow acl types.
  4685. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4686. #
  4687. #       This and the two other similar caching directives listed below are
  4688. #       checked at different transaction processing stages, have different
  4689. #       access to response information, affect different cache operations,
  4690. #       and differ in slow ACLs support:
  4691. #
  4692. #       * cache: Checked before Squid makes a hit/miss determination.
  4693. #               No access to reply information!
  4694. #               Denies both serving a hit and storing a miss.
  4695. #               Supports both fast and slow ACLs.
  4696. #       * send_hit: Checked after a hit was detected.
  4697. #               Has access to reply (hit) information.
  4698. #               Denies serving a hit only.
  4699. #               Supports fast ACLs only.
  4700. #       * store_miss: Checked before storing a cachable miss.
  4701. #               Has access to reply (miss) information.
  4702. #               Denies storing a miss only.
  4703. #               Supports fast ACLs only.
  4704. #
  4705. #       If you are not sure which of the three directives to use, apply the
  4706. #       following decision logic:
  4707. #
  4708. #       * If your ACL(s) are of slow type _and_ need response info, redesign.
  4709. #         Squid does not support that particular combination at this time.
  4710. #        Otherwise:
  4711. #       * If your directive ACL(s) are of slow type, use "cache"; and/or
  4712. #       * if your directive ACL(s) need no response info, use "cache".
  4713. #        Otherwise:
  4714. #       * If you do not want the response cached, use store_miss; and/or
  4715. #       * if you do not want a hit on a cached response, use send_hit.
  4716. #Default:
  4717. # By default, this directive is unused and has no effect.
  4718.  
  4719. #  TAG: send_hit
  4720. #       Responses denied by this directive will not be served from the cache
  4721. #       (but may still be cached, see store_miss). This directive has no
  4722. #       effect on the responses it allows and on the cached objects.
  4723. #
  4724. #       Please see the "cache" directive for a summary of differences among
  4725. #       store_miss, send_hit, and cache directives.
  4726. #
  4727. #       Unlike the "cache" directive, send_hit only supports fast acl
  4728. #       types.  See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4729. #
  4730. #       For example:
  4731. #
  4732. #               # apply custom Store ID mapping to some URLs
  4733. #               acl MapMe dstdomain .c.example.com
  4734. #               store_id_program ...
  4735. #               store_id_access allow MapMe
  4736. #
  4737. #               # but prevent caching of special responses
  4738. #               # such as 302 redirects that cause StoreID loops
  4739. #               acl Ordinary http_status 200-299
  4740. #               store_miss deny MapMe !Ordinary
  4741. #
  4742. #               # and do not serve any previously stored special responses
  4743. #               # from the cache (in case they were already cached before
  4744. #               # the above store_miss rule was in effect).
  4745. #               send_hit deny MapMe !Ordinary
  4746. #Default:
  4747. # By default, this directive is unused and has no effect.
  4748.  
  4749. #  TAG: store_miss
  4750. #       Responses denied by this directive will not be cached (but may still
  4751. #       be served from the cache, see send_hit). This directive has no
  4752. #       effect on the responses it allows and on the already cached responses.
  4753. #
  4754. #       Please see the "cache" directive for a summary of differences among
  4755. #       store_miss, send_hit, and cache directives. See the
  4756. #       send_hit directive for a usage example.
  4757. #
  4758. #       Unlike the "cache" directive, store_miss only supports fast acl
  4759. #       types.  See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4760. #Default:
  4761. # By default, this directive is unused and has no effect.
  4762.  
  4763. #  TAG: max_stale       time-units
  4764. #       This option puts an upper limit on how stale content Squid
  4765. #       will serve from the cache if cache validation fails.
  4766. #       Can be overriden by the refresh_pattern max-stale option.
  4767. #Default:
  4768. # max_stale 1 week
  4769.  
  4770. #  TAG: refresh_pattern
  4771. #       usage: refresh_pattern [-i] regex min percent max [options]
  4772. #
  4773. #       By default, regular expressions are CASE-SENSITIVE.  To make
  4774. #       them case-insensitive, use the -i option.
  4775. #
  4776. #       'Min' is the time (in minutes) an object without an explicit
  4777. #       expiry time should be considered fresh. The recommended
  4778. #       value is 0, any higher values may cause dynamic applications
  4779. #       to be erroneously cached unless the application designer
  4780. #       has taken the appropriate actions.
  4781. #
  4782. #       'Percent' is a percentage of the objects age (time since last
  4783. #       modification age) an object without explicit expiry time
  4784. #       will be considered fresh.
  4785. #
  4786. #       'Max' is an upper limit on how long objects without an explicit
  4787. #       expiry time will be considered fresh. The value is also used
  4788. #       to form Cache-Control: max-age header for a request sent from
  4789. #       Squid to origin/parent.
  4790. #
  4791. #       options: override-expire
  4792. #                override-lastmod
  4793. #                reload-into-ims
  4794. #                ignore-reload
  4795. #                ignore-no-store
  4796. #                ignore-must-revalidate
  4797. #                ignore-private
  4798. #                ignore-auth
  4799. #                max-stale=NN
  4800. #                refresh-ims
  4801. #                store-stale
  4802. #
  4803. #               override-expire enforces min age even if the server
  4804. #               sent an explicit expiry time (e.g., with the
  4805. #               Expires: header or Cache-Control: max-age). Doing this
  4806. #               VIOLATES the HTTP standard.  Enabling this feature
  4807. #               could make you liable for problems which it causes.
  4808. #
  4809. #               Note: override-expire does not enforce staleness - it only extends
  4810. #               freshness / min. If the server returns a Expires time which
  4811. #               is longer than your max time, Squid will still consider
  4812. #               the object fresh for that period of time.
  4813. #
  4814. #               override-lastmod enforces min age even on objects
  4815. #               that were modified recently.
  4816. #
  4817. #               reload-into-ims changes a client no-cache or ``reload''
  4818. #               request for a cached entry into a conditional request using
  4819. #               If-Modified-Since and/or If-None-Match headers, provided the
  4820. #               cached entry has a Last-Modified and/or a strong ETag header.
  4821. #               Doing this VIOLATES the HTTP standard. Enabling this feature
  4822. #               could make you liable for problems which it causes.
  4823. #
  4824. #               ignore-reload ignores a client no-cache or ``reload''
  4825. #               header. Doing this VIOLATES the HTTP standard. Enabling
  4826. #               this feature could make you liable for problems which
  4827. #               it causes.
  4828. #
  4829. #               ignore-no-store ignores any ``Cache-control: no-store''
  4830. #               headers received from a server. Doing this VIOLATES
  4831. #               the HTTP standard. Enabling this feature could make you
  4832. #               liable for problems which it causes.
  4833. #
  4834. #               ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
  4835. #               headers received from a server. Doing this VIOLATES
  4836. #               the HTTP standard. Enabling this feature could make you
  4837. #               liable for problems which it causes.
  4838. #
  4839. #               ignore-private ignores any ``Cache-control: private''
  4840. #               headers received from a server. Doing this VIOLATES
  4841. #               the HTTP standard. Enabling this feature could make you
  4842. #               liable for problems which it causes.
  4843. #
  4844. #               ignore-auth caches responses to requests with authorization,
  4845. #               as if the originserver had sent ``Cache-control: public''
  4846. #               in the response header. Doing this VIOLATES the HTTP standard.
  4847. #               Enabling this feature could make you liable for problems which
  4848. #               it causes.
  4849. #
  4850. #               refresh-ims causes squid to contact the origin server
  4851. #               when a client issues an If-Modified-Since request. This
  4852. #               ensures that the client will receive an updated version
  4853. #               if one is available.
  4854. #
  4855. #               store-stale stores responses even if they don't have explicit
  4856. #               freshness or a validator (i.e., Last-Modified or an ETag)
  4857. #               present, or if they're already stale. By default, Squid will
  4858. #               not cache such responses because they usually can't be
  4859. #               reused. Note that such responses will be stale by default.
  4860. #
  4861. #               max-stale=NN provide a maximum staleness factor. Squid won't
  4862. #               serve objects more stale than this even if it failed to
  4863. #               validate the object. Default: use the max_stale global limit.
  4864. #
  4865. #       Basically a cached object is:
  4866. #
  4867. #               FRESH if expire > now, else STALE
  4868. #               STALE if age > max
  4869. #               FRESH if lm-factor < percent, else STALE
  4870. #               FRESH if age < min
  4871. #               else STALE
  4872. #
  4873. #       The refresh_pattern lines are checked in the order listed here.
  4874. #       The first entry which matches is used.  If none of the entries
  4875. #       match the default will be used.
  4876. #
  4877. #       Note, you must uncomment all the default lines if you want
  4878. #       to change one. The default setting is only active if none is
  4879. #       used.
  4880. #
  4881. #
  4882.  
  4883. #
  4884. # Add any of your own refresh_pattern entries above these.
  4885. #
  4886. refresh_pattern ^ftp:           1440    20%     10080
  4887. refresh_pattern ^gopher:        1440    0%      1440
  4888. refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
  4889. refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
  4890. # example lin deb packages
  4891. #refresh_pattern (\.deb|\.udeb)$   129600 100% 129600
  4892. refresh_pattern .               0       20%     4320
  4893.  
  4894. #  TAG: quick_abort_min (KB)
  4895. #Default:
  4896. # quick_abort_min 16 KB
  4897.  
  4898. #  TAG: quick_abort_max (KB)
  4899. #Default:
  4900. # quick_abort_max 16 KB
  4901.  
  4902. #  TAG: quick_abort_pct (percent)
  4903. #       The cache by default continues downloading aborted requests
  4904. #       which are almost completed (less than 16 KB remaining). This
  4905. #       may be undesirable on slow (e.g. SLIP) links and/or very busy
  4906. #       caches.  Impatient users may tie up file descriptors and
  4907. #       bandwidth by repeatedly requesting and immediately aborting
  4908. #       downloads.
  4909. #
  4910. #       When the user aborts a request, Squid will check the
  4911. #       quick_abort values to the amount of data transferred until
  4912. #       then.
  4913. #
  4914. #       If the transfer has less than 'quick_abort_min' KB remaining,
  4915. #       it will finish the retrieval.
  4916. #
  4917. #       If the transfer has more than 'quick_abort_max' KB remaining,
  4918. #       it will abort the retrieval.
  4919. #
  4920. #       If more than 'quick_abort_pct' of the transfer has completed,
  4921. #       it will finish the retrieval.
  4922. #
  4923. #       If you do not want any retrieval to continue after the client
  4924. #       has aborted, set both 'quick_abort_min' and 'quick_abort_max'
  4925. #       to '0 KB'.
  4926. #
  4927. #       If you want retrievals to always continue if they are being
  4928. #       cached set 'quick_abort_min' to '-1 KB'.
  4929. #Default:
  4930. # quick_abort_pct 95
  4931.  
  4932. #  TAG: read_ahead_gap  buffer-size
  4933. #       The amount of data the cache will buffer ahead of what has been
  4934. #       sent to the client when retrieving an object from another server.
  4935. #Default:
  4936. # read_ahead_gap 16 KB
  4937.  
  4938. #  TAG: negative_ttl    time-units
  4939. #       Set the Default Time-to-Live (TTL) for failed requests.
  4940. #       Certain types of failures (such as "connection refused" and
  4941. #       "404 Not Found") are able to be negatively-cached for a short time.
  4942. #       Modern web servers should provide Expires: header, however if they
  4943. #       do not this can provide a minimum TTL.
  4944. #       The default is not to cache errors with unknown expiry details.
  4945. #
  4946. #       Note that this is different from negative caching of DNS lookups.
  4947. #
  4948. #       WARNING: Doing this VIOLATES the HTTP standard.  Enabling
  4949. #       this feature could make you liable for problems which it
  4950. #       causes.
  4951. #Default:
  4952. # negative_ttl 0 seconds
  4953.  
  4954. #  TAG: positive_dns_ttl        time-units
  4955. #       Upper limit on how long Squid will cache positive DNS responses.
  4956. #       Default is 6 hours (360 minutes). This directive must be set
  4957. #       larger than negative_dns_ttl.
  4958. #Default:
  4959. # positive_dns_ttl 6 hours
  4960.  
  4961. #  TAG: negative_dns_ttl        time-units
  4962. #       Time-to-Live (TTL) for negative caching of failed DNS lookups.
  4963. #       This also sets the lower cache limit on positive lookups.
  4964. #       Minimum value is 1 second, and it is not recommendable to go
  4965. #       much below 10 seconds.
  4966. #Default:
  4967. # negative_dns_ttl 1 minutes
  4968.  
  4969. #  TAG: range_offset_limit      size [acl acl...]
  4970. #       usage: (size) [units] [[!]aclname]
  4971. #      
  4972. #       Sets an upper limit on how far (number of bytes) into the file
  4973. #       a Range request may be to cause Squid to prefetch the whole file.
  4974. #       If beyond this limit, Squid forwards the Range request as it is and
  4975. #       the result is NOT cached.
  4976. #      
  4977. #       This is to stop a far ahead range request (lets say start at 17MB)
  4978. #       from making Squid fetch the whole object up to that point before
  4979. #       sending anything to the client.
  4980. #      
  4981. #       Multiple range_offset_limit lines may be specified, and they will
  4982. #       be searched from top to bottom on each request until a match is found.
  4983. #       The first match found will be used.  If no line matches a request, the
  4984. #       default limit of 0 bytes will be used.
  4985. #      
  4986. #       'size' is the limit specified as a number of units.
  4987. #      
  4988. #       'units' specifies whether to use bytes, KB, MB, etc.
  4989. #       If no units are specified bytes are assumed.
  4990. #      
  4991. #       A size of 0 causes Squid to never fetch more than the
  4992. #       client requested. (default)
  4993. #      
  4994. #       A size of 'none' causes Squid to always fetch the object from the
  4995. #       beginning so it may cache the result. (2.0 style)
  4996. #      
  4997. #       'aclname' is the name of a defined ACL.
  4998. #      
  4999. #       NP: Using 'none' as the byte value here will override any quick_abort settings
  5000. #           that may otherwise apply to the range request. The range request will
  5001. #           be fully fetched from start to finish regardless of the client
  5002. #           actions. This affects bandwidth usage.
  5003. #Default:
  5004. # none
  5005.  
  5006. #  TAG: minimum_expiry_time     (seconds)
  5007. #       The minimum caching time according to (Expires - Date)
  5008. #       headers Squid honors if the object can't be revalidated.
  5009. #       The default is 60 seconds.
  5010. #
  5011. #       In reverse proxy environments it might be desirable to honor
  5012. #       shorter object lifetimes. It is most likely better to make
  5013. #       your server return a meaningful Last-Modified header however.
  5014. #
  5015. #       In ESI environments where page fragments often have short
  5016. #       lifetimes, this will often be best set to 0.
  5017. #Default:
  5018. # minimum_expiry_time 60 seconds
  5019.  
  5020. #  TAG: store_avg_object_size   (bytes)
  5021. #       Average object size, used to estimate number of objects your
  5022. #       cache can hold.  The default is 13 KB.
  5023. #
  5024. #       This is used to pre-seed the cache index memory allocation to
  5025. #       reduce expensive reallocate operations while handling clients
  5026. #       traffic. Too-large values may result in memory allocation during
  5027. #       peak traffic, too-small values will result in wasted memory.
  5028. #
  5029. #       Check the cache manager 'info' report metrics for the real
  5030. #       object sizes seen by your Squid before tuning this.
  5031. #Default:
  5032. # store_avg_object_size 13 KB
  5033.  
  5034. #  TAG: store_objects_per_bucket
  5035. #       Target number of objects per bucket in the store hash table.
  5036. #       Lowering this value increases the total number of buckets and
  5037. #       also the storage maintenance rate.  The default is 20.
  5038. #Default:
  5039. # store_objects_per_bucket 20
  5040.  
  5041. # HTTP OPTIONS
  5042. # -----------------------------------------------------------------------------
  5043.  
  5044. #  TAG: request_header_max_size (KB)
  5045. #       This specifies the maximum size for HTTP headers in a request.
  5046. #       Request headers are usually relatively small (about 512 bytes).
  5047. #       Placing a limit on the request header size will catch certain
  5048. #       bugs (for example with persistent connections) and possibly
  5049. #       buffer-overflow or denial-of-service attacks.
  5050. #Default:
  5051. # request_header_max_size 64 KB
  5052.  
  5053. #  TAG: reply_header_max_size   (KB)
  5054. #       This specifies the maximum size for HTTP headers in a reply.
  5055. #       Reply headers are usually relatively small (about 512 bytes).
  5056. #       Placing a limit on the reply header size will catch certain
  5057. #       bugs (for example with persistent connections) and possibly
  5058. #       buffer-overflow or denial-of-service attacks.
  5059. #Default:
  5060. # reply_header_max_size 64 KB
  5061.  
  5062. #  TAG: request_body_max_size   (bytes)
  5063. #       This specifies the maximum size for an HTTP request body.
  5064. #       In other words, the maximum size of a PUT/POST request.
  5065. #       A user who attempts to send a request with a body larger
  5066. #       than this limit receives an "Invalid Request" error message.
  5067. #       If you set this parameter to a zero (the default), there will
  5068. #       be no limit imposed.
  5069. #
  5070. #       See also client_request_buffer_max_size for an alternative
  5071. #       limitation on client uploads which can be configured.
  5072. #Default:
  5073. # No limit.
  5074.  
  5075. #  TAG: client_request_buffer_max_size  (bytes)
  5076. #       This specifies the maximum buffer size of a client request.
  5077. #       It prevents squid eating too much memory when somebody uploads
  5078. #       a large file.
  5079. #Default:
  5080. # client_request_buffer_max_size 512 KB
  5081.  
  5082. #  TAG: broken_posts
  5083. #       A list of ACL elements which, if matched, causes Squid to send
  5084. #       an extra CRLF pair after the body of a PUT/POST request.
  5085. #
  5086. #       Some HTTP servers has broken implementations of PUT/POST,
  5087. #       and rely on an extra CRLF pair sent by some WWW clients.
  5088. #
  5089. #       Quote from RFC2616 section 4.1 on this matter:
  5090. #
  5091. #         Note: certain buggy HTTP/1.0 client implementations generate an
  5092. #         extra CRLF's after a POST request. To restate what is explicitly
  5093. #         forbidden by the BNF, an HTTP/1.1 client must not preface or follow
  5094. #         a request with an extra CRLF.
  5095. #
  5096. #       This clause only supports fast acl types.
  5097. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5098. #
  5099. #Example:
  5100. # acl buggy_server url_regex ^http://....
  5101. # broken_posts allow buggy_server
  5102. #Default:
  5103. # Obey RFC 2616.
  5104.  
  5105. #  TAG: adaptation_uses_indirect_client on|off
  5106. #       Controls whether the indirect client IP address (instead of the direct
  5107. #       client IP address) is passed to adaptation services.
  5108. #
  5109. #       See also: follow_x_forwarded_for adaptation_send_client_ip
  5110. #Default:
  5111. # adaptation_uses_indirect_client on
  5112.  
  5113. #  TAG: via     on|off
  5114. #       If set (default), Squid will include a Via header in requests and
  5115. #       replies as required by RFC2616.
  5116. #Default:
  5117. # via on
  5118.  
  5119. #  TAG: ie_refresh      on|off
  5120. #       Microsoft Internet Explorer up until version 5.5 Service
  5121. #       Pack 1 has an issue with transparent proxies, wherein it
  5122. #       is impossible to force a refresh.  Turning this on provides
  5123. #       a partial fix to the problem, by causing all IMS-REFRESH
  5124. #       requests from older IE versions to check the origin server
  5125. #       for fresh content.  This reduces hit ratio by some amount
  5126. #       (~10% in my experience), but allows users to actually get
  5127. #       fresh content when they want it.  Note because Squid
  5128. #       cannot tell if the user is using 5.5 or 5.5SP1, the behavior
  5129. #       of 5.5 is unchanged from old versions of Squid (i.e. a
  5130. #       forced refresh is impossible).  Newer versions of IE will,
  5131. #       hopefully, continue to have the new behavior and will be
  5132. #       handled based on that assumption.  This option defaults to
  5133. #       the old Squid behavior, which is better for hit ratios but
  5134. #       worse for clients using IE, if they need to be able to
  5135. #       force fresh content.
  5136. #Default:
  5137. # ie_refresh off
  5138.  
  5139. #  TAG: vary_ignore_expire      on|off
  5140. #       Many HTTP servers supporting Vary gives such objects
  5141. #       immediate expiry time with no cache-control header
  5142. #       when requested by a HTTP/1.0 client. This option
  5143. #       enables Squid to ignore such expiry times until
  5144. #       HTTP/1.1 is fully implemented.
  5145. #
  5146. #       WARNING: If turned on this may eventually cause some
  5147. #       varying objects not intended for caching to get cached.
  5148. #Default:
  5149. # vary_ignore_expire off
  5150.  
  5151. #  TAG: request_entities
  5152. #       Squid defaults to deny GET and HEAD requests with request entities,
  5153. #       as the meaning of such requests are undefined in the HTTP standard
  5154. #       even if not explicitly forbidden.
  5155. #
  5156. #       Set this directive to on if you have clients which insists
  5157. #       on sending request entities in GET or HEAD requests. But be warned
  5158. #       that there is server software (both proxies and web servers) which
  5159. #       can fail to properly process this kind of request which may make you
  5160. #       vulnerable to cache pollution attacks if enabled.
  5161. #Default:
  5162. # request_entities off
  5163.  
  5164. #  TAG: request_header_access
  5165. #       Usage: request_header_access header_name allow|deny [!]aclname ...
  5166. #
  5167. #       WARNING: Doing this VIOLATES the HTTP standard.  Enabling
  5168. #       this feature could make you liable for problems which it
  5169. #       causes.
  5170. #
  5171. #       This option replaces the old 'anonymize_headers' and the
  5172. #       older 'http_anonymizer' option with something that is much
  5173. #       more configurable. A list of ACLs for each header name allows
  5174. #       removal of specific header fields under specific conditions.
  5175. #
  5176. #       This option only applies to outgoing HTTP request headers (i.e.,
  5177. #       headers sent by Squid to the next HTTP hop such as a cache peer
  5178. #       or an origin server). The option has no effect during cache hit
  5179. #       detection. The equivalent adaptation vectoring point in ICAP
  5180. #       terminology is post-cache REQMOD.
  5181. #
  5182. #       The option is applied to individual outgoing request header
  5183. #       fields. For each request header field F, Squid uses the first
  5184. #       qualifying sets of request_header_access rules:
  5185. #
  5186. #           1. Rules with header_name equal to F's name.
  5187. #           2. Rules with header_name 'Other', provided F's name is not
  5188. #              on the hard-coded list of commonly used HTTP header names.
  5189. #           3. Rules with header_name 'All'.
  5190. #
  5191. #       Within that qualifying rule set, rule ACLs are checked as usual.
  5192. #       If ACLs of an "allow" rule match, the header field is allowed to
  5193. #       go through as is. If ACLs of a "deny" rule match, the header is
  5194. #       removed and request_header_replace is then checked to identify
  5195. #       if the removed header has a replacement. If no rules within the
  5196. #       set have matching ACLs, the header field is left as is.
  5197. #
  5198. #       For example, to achieve the same behavior as the old
  5199. #       'http_anonymizer standard' option, you should use:
  5200. #
  5201. #               request_header_access From deny all
  5202. #               request_header_access Referer deny all
  5203. #               request_header_access User-Agent deny all
  5204. #
  5205. #       Or, to reproduce the old 'http_anonymizer paranoid' feature
  5206. #       you should use:
  5207. #
  5208. #               request_header_access Authorization allow all
  5209. #               request_header_access Proxy-Authorization allow all
  5210. #               request_header_access Cache-Control allow all
  5211. #               request_header_access Content-Length allow all
  5212. #               request_header_access Content-Type allow all
  5213. #               request_header_access Date allow all
  5214. #               request_header_access Host allow all
  5215. #               request_header_access If-Modified-Since allow all
  5216. #               request_header_access Pragma allow all
  5217. #               request_header_access Accept allow all
  5218. #               request_header_access Accept-Charset allow all
  5219. #               request_header_access Accept-Encoding allow all
  5220. #               request_header_access Accept-Language allow all
  5221. #               request_header_access Connection allow all
  5222. #               request_header_access All deny all
  5223. #
  5224. #       HTTP reply headers are controlled with the reply_header_access directive.
  5225. #
  5226. #       By default, all headers are allowed (no anonymizing is performed).
  5227. #Default:
  5228. # No limits.
  5229.  
  5230. #  TAG: reply_header_access
  5231. #       Usage: reply_header_access header_name allow|deny [!]aclname ...
  5232. #
  5233. #       WARNING: Doing this VIOLATES the HTTP standard.  Enabling
  5234. #       this feature could make you liable for problems which it
  5235. #       causes.
  5236. #
  5237. #       This option only applies to reply headers, i.e., from the
  5238. #       server to the client.
  5239. #
  5240. #       This is the same as request_header_access, but in the other
  5241. #       direction. Please see request_header_access for detailed
  5242. #       documentation.
  5243. #
  5244. #       For example, to achieve the same behavior as the old
  5245. #       'http_anonymizer standard' option, you should use:
  5246. #
  5247. #               reply_header_access Server deny all
  5248. #               reply_header_access WWW-Authenticate deny all
  5249. #               reply_header_access Link deny all
  5250. #
  5251. #       Or, to reproduce the old 'http_anonymizer paranoid' feature
  5252. #       you should use:
  5253. #
  5254. #               reply_header_access Allow allow all
  5255. #               reply_header_access WWW-Authenticate allow all
  5256. #               reply_header_access Proxy-Authenticate allow all
  5257. #               reply_header_access Cache-Control allow all
  5258. #               reply_header_access Content-Encoding allow all
  5259. #               reply_header_access Content-Length allow all
  5260. #               reply_header_access Content-Type allow all
  5261. #               reply_header_access Date allow all
  5262. #               reply_header_access Expires allow all
  5263. #               reply_header_access Last-Modified allow all
  5264. #               reply_header_access Location allow all
  5265. #               reply_header_access Pragma allow all
  5266. #               reply_header_access Content-Language allow all
  5267. #               reply_header_access Retry-After allow all
  5268. #               reply_header_access Title allow all
  5269. #               reply_header_access Content-Disposition allow all
  5270. #               reply_header_access Connection allow all
  5271. #               reply_header_access All deny all
  5272. #
  5273. #       HTTP request headers are controlled with the request_header_access directive.
  5274. #
  5275. #       By default, all headers are allowed (no anonymizing is
  5276. #       performed).
  5277. #Default:
  5278. # No limits.
  5279.  
  5280. #  TAG: request_header_replace
  5281. #       Usage:   request_header_replace header_name message
  5282. #       Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
  5283. #
  5284. #       This option allows you to change the contents of headers
  5285. #       denied with request_header_access above, by replacing them
  5286. #       with some fixed string.
  5287. #
  5288. #       This only applies to request headers, not reply headers.
  5289. #
  5290. #       By default, headers are removed if denied.
  5291. #Default:
  5292. # none
  5293.  
  5294. #  TAG: reply_header_replace
  5295. #        Usage:   reply_header_replace header_name message
  5296. #        Example: reply_header_replace Server Foo/1.0
  5297. #
  5298. #        This option allows you to change the contents of headers
  5299. #        denied with reply_header_access above, by replacing them
  5300. #        with some fixed string.
  5301. #
  5302. #        This only applies to reply headers, not request headers.
  5303. #
  5304. #        By default, headers are removed if denied.
  5305. #Default:
  5306. # none
  5307.  
  5308. #  TAG: request_header_add
  5309. #       Usage:   request_header_add field-name field-value acl1 [acl2] ...
  5310. #       Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
  5311. #
  5312. #       This option adds header fields to outgoing HTTP requests (i.e.,
  5313. #       request headers sent by Squid to the next HTTP hop such as a
  5314. #       cache peer or an origin server). The option has no effect during
  5315. #       cache hit detection. The equivalent adaptation vectoring point
  5316. #       in ICAP terminology is post-cache REQMOD.
  5317. #
  5318. #       Field-name is a token specifying an HTTP header name. If a
  5319. #       standard HTTP header name is used, Squid does not check whether
  5320. #       the new header conflicts with any existing headers or violates
  5321. #       HTTP rules. If the request to be modified already contains a
  5322. #       field with the same name, the old field is preserved but the
  5323. #       header field values are not merged.
  5324. #
  5325. #       Field-value is either a token or a quoted string. If quoted
  5326. #       string format is used, then the surrounding quotes are removed
  5327. #       while escape sequences and %macros are processed.
  5328. #
  5329. #       In theory, all of the logformat codes can be used as %macros.
  5330. #       However, unlike logging (which happens at the very end of
  5331. #       transaction lifetime), the transaction may not yet have enough
  5332. #       information to expand a macro when the new header value is needed.
  5333. #       And some information may already be available to Squid but not yet
  5334. #       committed where the macro expansion code can access it (report
  5335. #       such instances!). The macro will be expanded into a single dash
  5336. #       ('-') in such cases. Not all macros have been tested.
  5337. #
  5338. #       One or more Squid ACLs may be specified to restrict header
  5339. #       injection to matching requests. As always in squid.conf, all
  5340. #       ACLs in an option ACL list must be satisfied for the insertion
  5341. #       to happen. The request_header_add option supports fast ACLs
  5342. #       only.
  5343. #Default:
  5344. # none
  5345.  
  5346. #  TAG: note
  5347. #       This option used to log custom information about the master
  5348. #       transaction. For example, an admin may configure Squid to log
  5349. #       which "user group" the transaction belongs to, where "user group"
  5350. #       will be determined based on a set of ACLs and not [just]
  5351. #       authentication information.
  5352. #       Values of key/value pairs can be logged using %{key}note macros:
  5353. #
  5354. #           note key value acl ...
  5355. #           logformat myFormat ... %{key}note ...
  5356. #Default:
  5357. # none
  5358.  
  5359. #  TAG: relaxed_header_parser   on|off|warn
  5360. #       In the default "on" setting Squid accepts certain forms
  5361. #       of non-compliant HTTP messages where it is unambiguous
  5362. #       what the sending application intended even if the message
  5363. #       is not correctly formatted. The messages is then normalized
  5364. #       to the correct form when forwarded by Squid.
  5365. #
  5366. #       If set to "warn" then a warning will be emitted in cache.log
  5367. #       each time such HTTP error is encountered.
  5368. #
  5369. #       If set to "off" then such HTTP errors will cause the request
  5370. #       or response to be rejected.
  5371. #Default:
  5372. # relaxed_header_parser on
  5373.  
  5374. #  TAG: collapsed_forwarding    (on|off)
  5375. #       When enabled, instead of forwarding each concurrent request for
  5376. #       the same URL, Squid just sends the first of them. The other, so
  5377. #       called "collapsed" requests, wait for the response to the first
  5378. #       request and, if it happens to be cachable, use that response.
  5379. #       Here, "concurrent requests" means "received after the first
  5380. #       request headers were parsed and before the corresponding response
  5381. #       headers were parsed".
  5382. #
  5383. #       This feature is disabled by default: enabling collapsed
  5384. #       forwarding needlessly delays forwarding requests that look
  5385. #       cachable (when they are collapsed) but then need to be forwarded
  5386. #       individually anyway because they end up being for uncachable
  5387. #       content. However, in some cases, such as acceleration of highly
  5388. #       cachable content with periodic or grouped expiration times, the
  5389. #       gains from collapsing [large volumes of simultaneous refresh
  5390. #       requests] outweigh losses from such delays.
  5391. #
  5392. #       Squid collapses two kinds of requests: regular client requests
  5393. #       received on one of the listening ports and internal "cache
  5394. #       revalidation" requests which are triggered by those regular
  5395. #       requests hitting a stale cached object. Revalidation collapsing
  5396. #       is currently disabled for Squid instances containing SMP-aware
  5397. #       disk or memory caches and for Vary-controlled cached objects.
  5398. #Default:
  5399. # collapsed_forwarding off
  5400.  
  5401. # TIMEOUTS
  5402. # -----------------------------------------------------------------------------
  5403.  
  5404. #  TAG: forward_timeout time-units
  5405. #       This parameter specifies how long Squid should at most attempt in
  5406. #       finding a forwarding path for the request before giving up.
  5407. #Default:
  5408. # forward_timeout 4 minutes
  5409.  
  5410. #  TAG: connect_timeout time-units
  5411. #       This parameter specifies how long to wait for the TCP connect to
  5412. #       the requested server or peer to complete before Squid should
  5413. #       attempt to find another path where to forward the request.
  5414. #Default:
  5415. # connect_timeout 1 minute
  5416.  
  5417. #  TAG: peer_connect_timeout    time-units
  5418. #       This parameter specifies how long to wait for a pending TCP
  5419. #       connection to a peer cache.  The default is 30 seconds.   You
  5420. #       may also set different timeout values for individual neighbors
  5421. #       with the 'connect-timeout' option on a 'cache_peer' line.
  5422. #Default:
  5423. # peer_connect_timeout 30 seconds
  5424.  
  5425. #  TAG: read_timeout    time-units
  5426. #       Applied on peer server connections.
  5427. #
  5428. #       After each successful read(), the timeout will be extended by this
  5429. #       amount.  If no data is read again after this amount of time,
  5430. #       the request is aborted and logged with ERR_READ_TIMEOUT.
  5431. #
  5432. #       The default is 15 minutes.
  5433. #Default:
  5434. # read_timeout 15 minutes
  5435.  
  5436. #  TAG: write_timeout   time-units
  5437. #       This timeout is tracked for all connections that have data
  5438. #       available for writing and are waiting for the socket to become
  5439. #       ready. After each successful write, the timeout is extended by
  5440. #       the configured amount. If Squid has data to write but the
  5441. #       connection is not ready for the configured duration, the
  5442. #       transaction associated with the connection is terminated. The
  5443. #       default is 15 minutes.
  5444. #Default:
  5445. # write_timeout 15 minutes
  5446.  
  5447. #  TAG: request_timeout
  5448. #       How long to wait for complete HTTP request headers after initial
  5449. #       connection establishment.
  5450. #Default:
  5451. # request_timeout 5 minutes
  5452.  
  5453. #  TAG: client_idle_pconn_timeout
  5454. #       How long to wait for the next HTTP request on a persistent
  5455. #       client connection after the previous request completes.
  5456. #Default:
  5457. # client_idle_pconn_timeout 2 minutes
  5458.  
  5459. #  TAG: ftp_client_idle_timeout
  5460. #       How long to wait for an FTP request on a connection to Squid ftp_port.
  5461. #       Many FTP clients do not deal with idle connection closures well,
  5462. #       necessitating a longer default timeout than client_idle_pconn_timeout
  5463. #       used for incoming HTTP requests.
  5464. #Default:
  5465. # ftp_client_idle_timeout 30 minutes
  5466.  
  5467. #  TAG: client_lifetime time-units
  5468. #       The maximum amount of time a client (browser) is allowed to
  5469. #       remain connected to the cache process.  This protects the Cache
  5470. #       from having a lot of sockets (and hence file descriptors) tied up
  5471. #       in a CLOSE_WAIT state from remote clients that go away without
  5472. #       properly shutting down (either because of a network failure or
  5473. #       because of a poor client implementation).  The default is one
  5474. #       day, 1440 minutes.
  5475. #
  5476. #       NOTE:  The default value is intended to be much larger than any
  5477. #       client would ever need to be connected to your cache.  You
  5478. #       should probably change client_lifetime only as a last resort.
  5479. #       If you seem to have many client connections tying up
  5480. #       filedescriptors, we recommend first tuning the read_timeout,
  5481. #       request_timeout, persistent_request_timeout and quick_abort values.
  5482. #Default:
  5483. # client_lifetime 1 day
  5484.  
  5485. #  TAG: half_closed_clients
  5486. #       Some clients may shutdown the sending side of their TCP
  5487. #       connections, while leaving their receiving sides open.  Sometimes,
  5488. #       Squid can not tell the difference between a half-closed and a
  5489. #       fully-closed TCP connection.
  5490. #
  5491. #       By default, Squid will immediately close client connections when
  5492. #       read(2) returns "no more data to read."
  5493. #
  5494. #       Change this option to 'on' and Squid will keep open connections
  5495. #       until a read(2) or write(2) on the socket returns an error.
  5496. #       This may show some benefits for reverse proxies. But if not
  5497. #       it is recommended to leave OFF.
  5498. #Default:
  5499. # half_closed_clients off
  5500.  
  5501. #  TAG: server_idle_pconn_timeout
  5502. #       Timeout for idle persistent connections to servers and other
  5503. #       proxies.
  5504. #Default:
  5505. # server_idle_pconn_timeout 1 minute
  5506.  
  5507. #  TAG: ident_timeout
  5508. #       Maximum time to wait for IDENT lookups to complete.
  5509. #
  5510. #       If this is too high, and you enabled IDENT lookups from untrusted
  5511. #       users, you might be susceptible to denial-of-service by having
  5512. #       many ident requests going at once.
  5513. #Default:
  5514. # ident_timeout 10 seconds
  5515.  
  5516. #  TAG: shutdown_lifetime       time-units
  5517. #       When SIGTERM or SIGHUP is received, the cache is put into
  5518. #       "shutdown pending" mode until all active sockets are closed.
  5519. #       This value is the lifetime to set for all open descriptors
  5520. #       during shutdown mode.  Any active clients after this many
  5521. #       seconds will receive a 'timeout' message.
  5522. #Default:
  5523. # shutdown_lifetime 30 seconds
  5524.  
  5525. # ADMINISTRATIVE PARAMETERS
  5526. # -----------------------------------------------------------------------------
  5527.  
  5528. #  TAG: cache_mgr
  5529. #       Email-address of local cache manager who will receive
  5530. #       mail if the cache dies.  The default is "webmaster".
  5531. #Default:
  5532. # cache_mgr webmaster
  5533.  
  5534. #  TAG: mail_from
  5535. #       From: email-address for mail sent when the cache dies.
  5536. #       The default is to use 'squid@unique_hostname'.
  5537. #
  5538. #       See also: unique_hostname directive.
  5539. #Default:
  5540. # none
  5541.  
  5542. #  TAG: mail_program
  5543. #       Email program used to send mail if the cache dies.
  5544. #       The default is "mail". The specified program must comply
  5545. #       with the standard Unix mail syntax:
  5546. #         mail-program recipient < mailfile
  5547. #
  5548. #       Optional command line options can be specified.
  5549. #Default:
  5550. # mail_program mail
  5551.  
  5552. #  TAG: cache_effective_user
  5553. #       If you start Squid as root, it will change its effective/real
  5554. #       UID/GID to the user specified below.  The default is to change
  5555. #       to UID of proxy.
  5556. #       see also; cache_effective_group
  5557. #Default:
  5558. # cache_effective_user proxy
  5559.  
  5560. #  TAG: cache_effective_group
  5561. #       Squid sets the GID to the effective user's default group ID
  5562. #       (taken from the password file) and supplementary group list
  5563. #       from the groups membership.
  5564. #
  5565. #       If you want Squid to run with a specific GID regardless of
  5566. #       the group memberships of the effective user then set this
  5567. #       to the group (or GID) you want Squid to run as. When set
  5568. #       all other group privileges of the effective user are ignored
  5569. #       and only this GID is effective. If Squid is not started as
  5570. #       root the user starting Squid MUST be member of the specified
  5571. #       group.
  5572. #
  5573. #       This option is not recommended by the Squid Team.
  5574. #       Our preference is for administrators to configure a secure
  5575. #       user account for squid with UID/GID matching system policies.
  5576. #Default:
  5577. # Use system group memberships of the cache_effective_user account
  5578.  
  5579. #  TAG: httpd_suppress_version_string   on|off
  5580. #       Suppress Squid version string info in HTTP headers and HTML error pages.
  5581. #Default:
  5582. # httpd_suppress_version_string off
  5583.  
  5584. #  TAG: visible_hostname
  5585. #       If you want to present a special hostname in error messages, etc,
  5586. #       define this.  Otherwise, the return value of gethostname()
  5587. #       will be used. If you have multiple caches in a cluster and
  5588. #       get errors about IP-forwarding you must set them to have individual
  5589. #       names with this setting.
  5590. #Default:
  5591. # Automatically detect the system host name
  5592.  
  5593. #  TAG: unique_hostname
  5594. #       If you want to have multiple machines with the same
  5595. #       'visible_hostname' you must give each machine a different
  5596. #       'unique_hostname' so forwarding loops can be detected.
  5597. #Default:
  5598. # Copy the value from visible_hostname
  5599.  
  5600. #  TAG: hostname_aliases
  5601. #       A list of other DNS names your cache has.
  5602. #Default:
  5603. # none
  5604.  
  5605. #  TAG: umask
  5606. #       Minimum umask which should be enforced while the proxy
  5607. #       is running, in addition to the umask set at startup.
  5608. #
  5609. #       For a traditional octal representation of umasks, start
  5610. #        your value with 0.
  5611. #Default:
  5612. # umask 027
  5613.  
  5614. # OPTIONS FOR THE CACHE REGISTRATION SERVICE
  5615. # -----------------------------------------------------------------------------
  5616. #
  5617. #       This section contains parameters for the (optional) cache
  5618. #       announcement service.  This service is provided to help
  5619. #       cache administrators locate one another in order to join or
  5620. #       create cache hierarchies.
  5621. #
  5622. #       An 'announcement' message is sent (via UDP) to the registration
  5623. #       service by Squid.  By default, the announcement message is NOT
  5624. #       SENT unless you enable it with 'announce_period' below.
  5625. #
  5626. #       The announcement message includes your hostname, plus the
  5627. #       following information from this configuration file:
  5628. #
  5629. #               http_port
  5630. #               icp_port
  5631. #               cache_mgr
  5632. #
  5633. #       All current information is processed regularly and made
  5634. #       available on the Web at http://www.ircache.net/Cache/Tracker/.
  5635.  
  5636. #  TAG: announce_period
  5637. #       This is how frequently to send cache announcements.
  5638. #
  5639. #       To enable announcing your cache, just set an announce period.
  5640. #
  5641. #       Example:
  5642. #               announce_period 1 day
  5643. #Default:
  5644. # Announcement messages disabled.
  5645.  
  5646. #  TAG: announce_host
  5647. #       Set the hostname where announce registration messages will be sent.
  5648. #
  5649. #       See also announce_port and announce_file
  5650. #Default:
  5651. # announce_host tracker.ircache.net
  5652.  
  5653. #  TAG: announce_file
  5654. #       The contents of this file will be included in the announce
  5655. #       registration messages.
  5656. #Default:
  5657. # none
  5658.  
  5659. #  TAG: announce_port
  5660. #       Set the port where announce registration messages will be sent.
  5661. #
  5662. #       See also announce_host and announce_file
  5663. #Default:
  5664. # announce_port 3131
  5665.  
  5666. # HTTPD-ACCELERATOR OPTIONS
  5667. # -----------------------------------------------------------------------------
  5668.  
  5669. #  TAG: httpd_accel_surrogate_id
  5670. #       Surrogates (http://www.esi.org/architecture_spec_1.0.html)
  5671. #       need an identification token to allow control targeting. Because
  5672. #       a farm of surrogates may all perform the same tasks, they may share
  5673. #       an identification token.
  5674. #Default:
  5675. # visible_hostname is used if no specific ID is set.
  5676.  
  5677. #  TAG: http_accel_surrogate_remote     on|off
  5678. #       Remote surrogates (such as those in a CDN) honour the header
  5679. #       "Surrogate-Control: no-store-remote".
  5680. #
  5681. #       Set this to on to have squid behave as a remote surrogate.
  5682. #Default:
  5683. # http_accel_surrogate_remote off
  5684.  
  5685. #  TAG: esi_parser      libxml2|expat|custom
  5686. #       ESI markup is not strictly XML compatible. The custom ESI parser
  5687. #       will give higher performance, but cannot handle non ASCII character
  5688. #       encodings.
  5689. #Default:
  5690. # esi_parser custom
  5691.  
  5692. # DELAY POOL PARAMETERS
  5693. # -----------------------------------------------------------------------------
  5694.  
  5695. #  TAG: delay_pools
  5696. #       This represents the number of delay pools to be used.  For example,
  5697. #       if you have one class 2 delay pool and one class 3 delays pool, you
  5698. #       have a total of 2 delay pools.
  5699. #
  5700. #       See also delay_parameters, delay_class, delay_access for pool
  5701. #       configuration details.
  5702. #Default:
  5703. # delay_pools 0
  5704.  
  5705. #  TAG: delay_class
  5706. #       This defines the class of each delay pool.  There must be exactly one
  5707. #       delay_class line for each delay pool.  For example, to define two
  5708. #       delay pools, one of class 2 and one of class 3, the settings above
  5709. #       and here would be:
  5710. #
  5711. #       Example:
  5712. #           delay_pools 4      # 4 delay pools
  5713. #           delay_class 1 2    # pool 1 is a class 2 pool
  5714. #           delay_class 2 3    # pool 2 is a class 3 pool
  5715. #           delay_class 3 4    # pool 3 is a class 4 pool
  5716. #           delay_class 4 5    # pool 4 is a class 5 pool
  5717. #
  5718. #       The delay pool classes are:
  5719. #
  5720. #               class 1         Everything is limited by a single aggregate
  5721. #                               bucket.
  5722. #
  5723. #               class 2         Everything is limited by a single aggregate
  5724. #                               bucket as well as an "individual" bucket chosen
  5725. #                               from bits 25 through 32 of the IPv4 address.
  5726. #
  5727. #               class 3         Everything is limited by a single aggregate
  5728. #                               bucket as well as a "network" bucket chosen
  5729. #                               from bits 17 through 24 of the IP address and a
  5730. #                               "individual" bucket chosen from bits 17 through
  5731. #                               32 of the IPv4 address.
  5732. #
  5733. #               class 4         Everything in a class 3 delay pool, with an
  5734. #                               additional limit on a per user basis. This
  5735. #                               only takes effect if the username is established
  5736. #                               in advance - by forcing authentication in your
  5737. #                               http_access rules.
  5738. #
  5739. #               class 5         Requests are grouped according their tag (see
  5740. #                               external_acl's tag= reply).
  5741. #
  5742. #
  5743. #       Each pool also requires a delay_parameters directive to configure the pool size
  5744. #       and speed limits used whenever the pool is applied to a request. Along with
  5745. #       a set of delay_access directives to determine when it is used.
  5746. #
  5747. #       NOTE: If an IP address is a.b.c.d
  5748. #               -> bits 25 through 32 are "d"
  5749. #               -> bits 17 through 24 are "c"
  5750. #               -> bits 17 through 32 are "c * 256 + d"
  5751. #
  5752. #       NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
  5753. #               IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
  5754. #
  5755. #       This clause only supports fast acl types.
  5756. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5757. #
  5758. #       See also delay_parameters and delay_access.
  5759. #Default:
  5760. # none
  5761.  
  5762. #  TAG: delay_access
  5763. #       This is used to determine which delay pool a request falls into.
  5764. #
  5765. #       delay_access is sorted per pool and the matching starts with pool 1,
  5766. #       then pool 2, ..., and finally pool N. The first delay pool where the
  5767. #       request is allowed is selected for the request. If it does not allow
  5768. #       the request to any pool then the request is not delayed (default).
  5769. #
  5770. #       For example, if you want some_big_clients in delay
  5771. #       pool 1 and lotsa_little_clients in delay pool 2:
  5772. #
  5773. #               delay_access 1 allow some_big_clients
  5774. #               delay_access 1 deny all
  5775. #               delay_access 2 allow lotsa_little_clients
  5776. #               delay_access 2 deny all
  5777. #               delay_access 3 allow authenticated_clients
  5778. #
  5779. #       See also delay_parameters and delay_class.
  5780. #
  5781. #Default:
  5782. # Deny using the pool, unless allow rules exist in squid.conf for the pool.
  5783.  
  5784. #  TAG: delay_parameters
  5785. #       This defines the parameters for a delay pool.  Each delay pool has
  5786. #       a number of "buckets" associated with it, as explained in the
  5787. #       description of delay_class.
  5788. #
  5789. #       For a class 1 delay pool, the syntax is:
  5790. #               delay_class pool 1
  5791. #               delay_parameters pool aggregate
  5792. #
  5793. #       For a class 2 delay pool:
  5794. #               delay_class pool 2
  5795. #               delay_parameters pool aggregate individual
  5796. #
  5797. #       For a class 3 delay pool:
  5798. #               delay_class pool 3
  5799. #               delay_parameters pool aggregate network individual
  5800. #
  5801. #       For a class 4 delay pool:
  5802. #               delay_class pool 4
  5803. #               delay_parameters pool aggregate network individual user
  5804. #
  5805. #       For a class 5 delay pool:
  5806. #               delay_class pool 5
  5807. #               delay_parameters pool tagrate
  5808. #
  5809. #       The option variables are:
  5810. #
  5811. #               pool            a pool number - ie, a number between 1 and the
  5812. #                               number specified in delay_pools as used in
  5813. #                               delay_class lines.
  5814. #
  5815. #               aggregate       the speed limit parameters for the aggregate bucket
  5816. #                               (class 1, 2, 3).
  5817. #
  5818. #               individual      the speed limit parameters for the individual
  5819. #                               buckets (class 2, 3).
  5820. #
  5821. #               network         the speed limit parameters for the network buckets
  5822. #                               (class 3).
  5823. #
  5824. #               user            the speed limit parameters for the user buckets
  5825. #                               (class 4).
  5826. #
  5827. #               tagrate         the speed limit parameters for the tag buckets
  5828. #                               (class 5).
  5829. #
  5830. #       A pair of delay parameters is written restore/maximum, where restore is
  5831. #       the number of bytes (not bits - modem and network speeds are usually
  5832. #       quoted in bits) per second placed into the bucket, and maximum is the
  5833. #       maximum number of bytes which can be in the bucket at any time.
  5834. #
  5835. #       There must be one delay_parameters line for each delay pool.
  5836. #
  5837. #
  5838. #       For example, if delay pool number 1 is a class 2 delay pool as in the
  5839. #       above example, and is being used to strictly limit each host to 64Kbit/sec
  5840. #       (plus overheads), with no overall limit, the line is:
  5841. #
  5842. #               delay_parameters 1 none 8000/8000
  5843. #
  5844. #       Note that 8 x 8K Byte/sec -> 64K bit/sec.
  5845. #
  5846. #       Note that the word 'none' is used to represent no limit.
  5847. #
  5848. #
  5849. #       And, if delay pool number 2 is a class 3 delay pool as in the above
  5850. #       example, and you want to limit it to a total of 256Kbit/sec (strict limit)
  5851. #       with each 8-bit network permitted 64Kbit/sec (strict limit) and each
  5852. #       individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
  5853. #       to permit a decent web page to be downloaded at a decent speed
  5854. #       (if the network is not being limited due to overuse) but slow down
  5855. #       large downloads more significantly:
  5856. #
  5857. #               delay_parameters 2 32000/32000 8000/8000 600/8000
  5858. #
  5859. #       Note that 8 x  32K Byte/sec ->  256K bit/sec.
  5860. #                 8 x   8K Byte/sec ->   64K bit/sec.
  5861. #                 8 x 600  Byte/sec -> 4800  bit/sec.
  5862. #
  5863. #
  5864. #       Finally, for a class 4 delay pool as in the example - each user will
  5865. #       be limited to 128Kbits/sec no matter how many workstations they are logged into.:
  5866. #
  5867. #               delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
  5868. #
  5869. #
  5870. #       See also delay_class and delay_access.
  5871. #
  5872. #Default:
  5873. # none
  5874.  
  5875. #  TAG: delay_initial_bucket_level      (percent, 0-100)
  5876. #       The initial bucket percentage is used to determine how much is put
  5877. #       in each bucket when squid starts, is reconfigured, or first notices
  5878. #       a host accessing it (in class 2 and class 3, individual hosts and
  5879. #       networks only have buckets associated with them once they have been
  5880. #       "seen" by squid).
  5881. #Default:
  5882. # delay_initial_bucket_level 50
  5883.  
  5884. # CLIENT DELAY POOL PARAMETERS
  5885. # -----------------------------------------------------------------------------
  5886.  
  5887. #  TAG: client_delay_pools
  5888. #       This option specifies the number of client delay pools used. It must
  5889. #       preceed other client_delay_* options.
  5890. #
  5891. #       Example:
  5892. #               client_delay_pools 2
  5893. #
  5894. #       See also client_delay_parameters and client_delay_access.
  5895. #Default:
  5896. # client_delay_pools 0
  5897.  
  5898. #  TAG: client_delay_initial_bucket_level       (percent, 0-no_limit)
  5899. #       This option determines the initial bucket size as a percentage of
  5900. #       max_bucket_size from client_delay_parameters. Buckets are created
  5901. #       at the time of the "first" connection from the matching IP. Idle
  5902. #       buckets are periodically deleted up.
  5903. #
  5904. #       You can specify more than 100 percent but note that such "oversized"
  5905. #       buckets are not refilled until their size goes down to max_bucket_size
  5906. #       from client_delay_parameters.
  5907. #
  5908. #       Example:
  5909. #               client_delay_initial_bucket_level 50
  5910. #Default:
  5911. # client_delay_initial_bucket_level 50
  5912.  
  5913. #  TAG: client_delay_parameters
  5914. #
  5915. #       This option configures client-side bandwidth limits using the
  5916. #       following format:
  5917. #
  5918. #           client_delay_parameters pool speed_limit max_bucket_size
  5919. #
  5920. #       pool is an integer ID used for client_delay_access matching.
  5921. #
  5922. #       speed_limit is bytes added to the bucket per second.
  5923. #
  5924. #       max_bucket_size is the maximum size of a bucket, enforced after any
  5925. #       speed_limit additions.
  5926. #
  5927. #       Please see the delay_parameters option for more information and
  5928. #       examples.
  5929. #
  5930. #       Example:
  5931. #               client_delay_parameters 1 1024 2048
  5932. #               client_delay_parameters 2 51200 16384
  5933. #
  5934. #       See also client_delay_access.
  5935. #
  5936. #Default:
  5937. # none
  5938.  
  5939. #  TAG: client_delay_access
  5940. #       This option determines the client-side delay pool for the
  5941. #       request:
  5942. #
  5943. #           client_delay_access pool_ID allow|deny acl_name
  5944. #
  5945. #       All client_delay_access options are checked in their pool ID
  5946. #       order, starting with pool 1. The first checked pool with allowed
  5947. #       request is selected for the request. If no ACL matches or there
  5948. #       are no client_delay_access options, the request bandwidth is not
  5949. #       limited.
  5950. #
  5951. #       The ACL-selected pool is then used to find the
  5952. #       client_delay_parameters for the request. Client-side pools are
  5953. #       not used to aggregate clients. Clients are always aggregated
  5954. #       based on their source IP addresses (one bucket per source IP).
  5955. #
  5956. #       This clause only supports fast acl types.
  5957. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5958. #       Additionally, only the client TCP connection details are available.
  5959. #       ACLs testing HTTP properties will not work.
  5960. #
  5961. #       Please see delay_access for more examples.
  5962. #
  5963. #       Example:
  5964. #               client_delay_access 1 allow low_rate_network
  5965. #               client_delay_access 2 allow vips_network
  5966. #
  5967. #
  5968. #       See also client_delay_parameters and client_delay_pools.
  5969. #Default:
  5970. # Deny use of the pool, unless allow rules exist in squid.conf for the pool.
  5971.  
  5972. # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
  5973. # -----------------------------------------------------------------------------
  5974.  
  5975. #  TAG: wccp_router
  5976. #       Use this option to define your WCCP ``home'' router for
  5977. #       Squid.
  5978. #
  5979. #       wccp_router supports a single WCCP(v1) router
  5980. #
  5981. #       wccp2_router supports multiple WCCPv2 routers
  5982. #
  5983. #       only one of the two may be used at the same time and defines
  5984. #       which version of WCCP to use.
  5985. #Default:
  5986. # WCCP disabled.
  5987.  
  5988. #  TAG: wccp2_router
  5989. #       Use this option to define your WCCP ``home'' router for
  5990. #       Squid.
  5991. #
  5992. #       wccp_router supports a single WCCP(v1) router
  5993. #
  5994. #       wccp2_router supports multiple WCCPv2 routers
  5995. #
  5996. #       only one of the two may be used at the same time and defines
  5997. #       which version of WCCP to use.
  5998. #Default:
  5999. # WCCPv2 disabled.
  6000.  
  6001. #  TAG: wccp_version
  6002. #       This directive is only relevant if you need to set up WCCP(v1)
  6003. #       to some very old and end-of-life Cisco routers. In all other
  6004. #       setups it must be left unset or at the default setting.
  6005. #       It defines an internal version in the WCCP(v1) protocol,
  6006. #       with version 4 being the officially documented protocol.
  6007. #
  6008. #       According to some users, Cisco IOS 11.2 and earlier only
  6009. #       support WCCP version 3.  If you're using that or an earlier
  6010. #       version of IOS, you may need to change this value to 3, otherwise
  6011. #       do not specify this parameter.
  6012. #Default:
  6013. # wccp_version 4
  6014.  
  6015. #  TAG: wccp2_rebuild_wait
  6016. #       If this is enabled Squid will wait for the cache dir rebuild to finish
  6017. #       before sending the first wccp2 HereIAm packet
  6018. #Default:
  6019. # wccp2_rebuild_wait on
  6020.  
  6021. #  TAG: wccp2_forwarding_method
  6022. #       WCCP2 allows the setting of forwarding methods between the
  6023. #       router/switch and the cache.  Valid values are as follows:
  6024. #
  6025. #       gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
  6026. #       l2  - L2 redirect (forward the packet using Layer 2/MAC rewriting)
  6027. #
  6028. #       Currently (as of IOS 12.4) cisco routers only support GRE.
  6029. #       Cisco switches only support the L2 redirect assignment method.
  6030. #Default:
  6031. # wccp2_forwarding_method gre
  6032.  
  6033. #  TAG: wccp2_return_method
  6034. #       WCCP2 allows the setting of return methods between the
  6035. #       router/switch and the cache for packets that the cache
  6036. #       decides not to handle.  Valid values are as follows:
  6037. #
  6038. #       gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
  6039. #       l2  - L2 redirect (forward the packet using Layer 2/MAC rewriting)
  6040. #
  6041. #       Currently (as of IOS 12.4) cisco routers only support GRE.
  6042. #       Cisco switches only support the L2 redirect assignment.
  6043. #
  6044. #       If the "ip wccp redirect exclude in" command has been
  6045. #       enabled on the cache interface, then it is still safe for
  6046. #       the proxy server to use a l2 redirect method even if this
  6047. #       option is set to GRE.
  6048. #Default:
  6049. # wccp2_return_method gre
  6050.  
  6051. #  TAG: wccp2_assignment_method
  6052. #       WCCP2 allows the setting of methods to assign the WCCP hash
  6053. #       Valid values are as follows:
  6054. #
  6055. #       hash - Hash assignment
  6056. #       mask - Mask assignment
  6057. #
  6058. #       As a general rule, cisco routers support the hash assignment method
  6059. #       and cisco switches support the mask assignment method.
  6060. #Default:
  6061. # wccp2_assignment_method hash
  6062.  
  6063. #  TAG: wccp2_service
  6064. #       WCCP2 allows for multiple traffic services. There are two
  6065. #       types: "standard" and "dynamic". The standard type defines
  6066. #       one service id - http (id 0). The dynamic service ids can be from
  6067. #       51 to 255 inclusive.  In order to use a dynamic service id
  6068. #       one must define the type of traffic to be redirected; this is done
  6069. #       using the wccp2_service_info option.
  6070. #
  6071. #       The "standard" type does not require a wccp2_service_info option,
  6072. #       just specifying the service id will suffice.
  6073. #
  6074. #       MD5 service authentication can be enabled by adding
  6075. #       "password=<password>" to the end of this service declaration.
  6076. #
  6077. #       Examples:
  6078. #
  6079. #       wccp2_service standard 0        # for the 'web-cache' standard service
  6080. #       wccp2_service dynamic 80        # a dynamic service type which will be
  6081. #                                       # fleshed out with subsequent options.
  6082. #       wccp2_service standard 0 password=foo
  6083. #Default:
  6084. # Use the 'web-cache' standard service.
  6085.  
  6086. #  TAG: wccp2_service_info
  6087. #       Dynamic WCCPv2 services require further information to define the
  6088. #       traffic you wish to have diverted.
  6089. #
  6090. #       The format is:
  6091. #
  6092. #       wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
  6093. #           priority=<priority> ports=<port>,<port>..
  6094. #
  6095. #       The relevant WCCPv2 flags:
  6096. #       + src_ip_hash, dst_ip_hash
  6097. #       + source_port_hash, dst_port_hash
  6098. #       + src_ip_alt_hash, dst_ip_alt_hash
  6099. #       + src_port_alt_hash, dst_port_alt_hash
  6100. #       + ports_source
  6101. #
  6102. #       The port list can be one to eight entries.
  6103. #
  6104. #       Example:
  6105. #
  6106. #       wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
  6107. #           priority=240 ports=80
  6108. #
  6109. #       Note: the service id must have been defined by a previous
  6110. #       'wccp2_service dynamic <id>' entry.
  6111. #Default:
  6112. # none
  6113.  
  6114. #  TAG: wccp2_weight
  6115. #       Each cache server gets assigned a set of the destination
  6116. #       hash proportional to their weight.
  6117. #Default:
  6118. # wccp2_weight 10000
  6119.  
  6120. #  TAG: wccp_address
  6121. #       Use this option if you require WCCPv2 to use a specific
  6122. #       interface address.
  6123. #
  6124. #       The default behavior is to not bind to any specific address.
  6125. #Default:
  6126. # Address selected by the operating system.
  6127.  
  6128. #  TAG: wccp2_address
  6129. #       Use this option if you require WCCP to use a specific
  6130. #       interface address.
  6131. #
  6132. #       The default behavior is to not bind to any specific address.
  6133. #Default:
  6134. # Address selected by the operating system.
  6135.  
  6136. # PERSISTENT CONNECTION HANDLING
  6137. # -----------------------------------------------------------------------------
  6138. #
  6139. # Also see "pconn_timeout" in the TIMEOUTS section
  6140.  
  6141. #  TAG: client_persistent_connections
  6142. #       Persistent connection support for clients.
  6143. #       Squid uses persistent connections (when allowed). You can use
  6144. #       this option to disable persistent connections with clients.
  6145. #Default:
  6146. # client_persistent_connections on
  6147.  
  6148. #  TAG: server_persistent_connections
  6149. #       Persistent connection support for servers.
  6150. #       Squid uses persistent connections (when allowed). You can use
  6151. #       this option to disable persistent connections with servers.
  6152. #Default:
  6153. # server_persistent_connections on
  6154.  
  6155. #  TAG: persistent_connection_after_error
  6156. #       With this directive the use of persistent connections after
  6157. #       HTTP errors can be disabled. Useful if you have clients
  6158. #       who fail to handle errors on persistent connections proper.
  6159. #Default:
  6160. # persistent_connection_after_error on
  6161.  
  6162. #  TAG: detect_broken_pconn
  6163. #       Some servers have been found to incorrectly signal the use
  6164. #       of HTTP/1.0 persistent connections even on replies not
  6165. #       compatible, causing significant delays. This server problem
  6166. #       has mostly been seen on redirects.
  6167. #
  6168. #       By enabling this directive Squid attempts to detect such
  6169. #       broken replies and automatically assume the reply is finished
  6170. #       after 10 seconds timeout.
  6171. #Default:
  6172. # detect_broken_pconn off
  6173.  
  6174. # CACHE DIGEST OPTIONS
  6175. # -----------------------------------------------------------------------------
  6176.  
  6177. #  TAG: digest_generation
  6178. #       This controls whether the server will generate a Cache Digest
  6179. #       of its contents.  By default, Cache Digest generation is
  6180. #       enabled if Squid is compiled with --enable-cache-digests defined.
  6181. #Default:
  6182. # digest_generation on
  6183.  
  6184. #  TAG: digest_bits_per_entry
  6185. #       This is the number of bits of the server's Cache Digest which
  6186. #       will be associated with the Digest entry for a given HTTP
  6187. #       Method and URL (public key) combination.  The default is 5.
  6188. #Default:
  6189. # digest_bits_per_entry 5
  6190.  
  6191. #  TAG: digest_rebuild_period   (seconds)
  6192. #       This is the wait time between Cache Digest rebuilds.
  6193. #Default:
  6194. # digest_rebuild_period 1 hour
  6195.  
  6196. #  TAG: digest_rewrite_period   (seconds)
  6197. #       This is the wait time between Cache Digest writes to
  6198. #       disk.
  6199. #Default:
  6200. # digest_rewrite_period 1 hour
  6201.  
  6202. #  TAG: digest_swapout_chunk_size       (bytes)
  6203. #       This is the number of bytes of the Cache Digest to write to
  6204. #       disk at a time.  It defaults to 4096 bytes (4KB), the Squid
  6205. #       default swap page.
  6206. #Default:
  6207. # digest_swapout_chunk_size 4096 bytes
  6208.  
  6209. #  TAG: digest_rebuild_chunk_percentage (percent, 0-100)
  6210. #       This is the percentage of the Cache Digest to be scanned at a
  6211. #       time.  By default it is set to 10% of the Cache Digest.
  6212. #Default:
  6213. # digest_rebuild_chunk_percentage 10
  6214.  
  6215. # SNMP OPTIONS
  6216. # -----------------------------------------------------------------------------
  6217.  
  6218. #  TAG: snmp_port
  6219. #       The port number where Squid listens for SNMP requests. To enable
  6220. #       SNMP support set this to a suitable port number. Port number
  6221. #       3401 is often used for the Squid SNMP agent. By default it's
  6222. #       set to "0" (disabled)
  6223. #
  6224. #       Example:
  6225. #               snmp_port 3401
  6226. #Default:
  6227. # SNMP disabled.
  6228.  
  6229. #  TAG: snmp_access
  6230. #       Allowing or denying access to the SNMP port.
  6231. #
  6232. #       All access to the agent is denied by default.
  6233. #       usage:
  6234. #
  6235. #       snmp_access allow|deny [!]aclname ...
  6236. #
  6237. #       This clause only supports fast acl types.
  6238. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  6239. #
  6240. #Example:
  6241. # snmp_access allow snmppublic localhost
  6242. # snmp_access deny all
  6243. #Default:
  6244. # Deny, unless rules exist in squid.conf.
  6245.  
  6246. #  TAG: snmp_incoming_address
  6247. #       Just like 'udp_incoming_address', but for the SNMP port.
  6248. #
  6249. #       snmp_incoming_address   is used for the SNMP socket receiving
  6250. #                               messages from SNMP agents.
  6251. #
  6252. #       The default snmp_incoming_address is to listen on all
  6253. #       available network interfaces.
  6254. #Default:
  6255. # Accept SNMP packets from all machine interfaces.
  6256.  
  6257. #  TAG: snmp_outgoing_address
  6258. #       Just like 'udp_outgoing_address', but for the SNMP port.
  6259. #
  6260. #       snmp_outgoing_address   is used for SNMP packets returned to SNMP
  6261. #                               agents.
  6262. #
  6263. #       If snmp_outgoing_address is not set it will use the same socket
  6264. #       as snmp_incoming_address. Only change this if you want to have
  6265. #       SNMP replies sent using another address than where this Squid
  6266. #       listens for SNMP queries.
  6267. #
  6268. #       NOTE, snmp_incoming_address and snmp_outgoing_address can not have
  6269. #       the same value since they both use the same port.
  6270. #Default:
  6271. # Use snmp_incoming_address or an address selected by the operating system.
  6272.  
  6273. # ICP OPTIONS
  6274. # -----------------------------------------------------------------------------
  6275.  
  6276. #  TAG: icp_port
  6277. #       The port number where Squid sends and receives ICP queries to
  6278. #       and from neighbor caches.  The standard UDP port for ICP is 3130.
  6279. #
  6280. #       Example:
  6281. #               icp_port 3130
  6282. #Default:
  6283. # ICP disabled.
  6284.  
  6285. #  TAG: htcp_port
  6286. #       The port number where Squid sends and receives HTCP queries to
  6287. #       and from neighbor caches.  To turn it on you want to set it to
  6288. #       4827.
  6289. #
  6290. #       Example:
  6291. #               htcp_port 4827
  6292. #Default:
  6293. # HTCP disabled.
  6294.  
  6295. #  TAG: log_icp_queries on|off
  6296. #       If set, ICP queries are logged to access.log. You may wish
  6297. #       do disable this if your ICP load is VERY high to speed things
  6298. #       up or to simplify log analysis.
  6299. #Default:
  6300. # log_icp_queries on
  6301.  
  6302. #  TAG: udp_incoming_address
  6303. #       udp_incoming_address    is used for UDP packets received from other
  6304. #                               caches.
  6305. #
  6306. #       The default behavior is to not bind to any specific address.
  6307. #
  6308. #       Only change this if you want to have all UDP queries received on
  6309. #       a specific interface/address.
  6310. #
  6311. #       NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
  6312. #       modules. Altering it will affect all of them in the same manner.
  6313. #
  6314. #       see also; udp_outgoing_address
  6315. #
  6316. #       NOTE, udp_incoming_address and udp_outgoing_address can not
  6317. #       have the same value since they both use the same port.
  6318. #Default:
  6319. # Accept packets from all machine interfaces.
  6320.  
  6321. #  TAG: udp_outgoing_address
  6322. #       udp_outgoing_address    is used for UDP packets sent out to other
  6323. #                               caches.
  6324. #
  6325. #       The default behavior is to not bind to any specific address.
  6326. #
  6327. #       Instead it will use the same socket as udp_incoming_address.
  6328. #       Only change this if you want to have UDP queries sent using another
  6329. #       address than where this Squid listens for UDP queries from other
  6330. #       caches.
  6331. #
  6332. #       NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
  6333. #       modules. Altering it will affect all of them in the same manner.
  6334. #
  6335. #       see also; udp_incoming_address
  6336. #
  6337. #       NOTE, udp_incoming_address and udp_outgoing_address can not
  6338. #       have the same value since they both use the same port.
  6339. #Default:
  6340. # Use udp_incoming_address or an address selected by the operating system.
  6341.  
  6342. #  TAG: icp_hit_stale   on|off
  6343. #       If you want to return ICP_HIT for stale cache objects, set this
  6344. #       option to 'on'.  If you have sibling relationships with caches
  6345. #       in other administrative domains, this should be 'off'.  If you only
  6346. #       have sibling relationships with caches under your control,
  6347. #       it is probably okay to set this to 'on'.
  6348. #       If set to 'on', your siblings should use the option "allow-miss"
  6349. #       on their cache_peer lines for connecting to you.
  6350. #Default:
  6351. # icp_hit_stale off
  6352.  
  6353. #  TAG: minimum_direct_hops
  6354. #       If using the ICMP pinging stuff, do direct fetches for sites
  6355. #       which are no more than this many hops away.
  6356. #Default:
  6357. # minimum_direct_hops 4
  6358.  
  6359. #  TAG: minimum_direct_rtt      (msec)
  6360. #       If using the ICMP pinging stuff, do direct fetches for sites
  6361. #       which are no more than this many rtt milliseconds away.
  6362. #Default:
  6363. # minimum_direct_rtt 400
  6364.  
  6365. #  TAG: netdb_low
  6366. #       The low water mark for the ICMP measurement database.
  6367. #
  6368. #       Note: high watermark controlled by netdb_high directive.
  6369. #
  6370. #       These watermarks are counts, not percents.  The defaults are
  6371. #       (low) 900 and (high) 1000.  When the high water mark is
  6372. #       reached, database entries will be deleted until the low
  6373. #       mark is reached.
  6374. #Default:
  6375. # netdb_low 900
  6376.  
  6377. #  TAG: netdb_high
  6378. #       The high water mark for the ICMP measurement database.
  6379. #
  6380. #       Note: low watermark controlled by netdb_low directive.
  6381. #
  6382. #       These watermarks are counts, not percents.  The defaults are
  6383. #       (low) 900 and (high) 1000.  When the high water mark is
  6384. #       reached, database entries will be deleted until the low
  6385. #       mark is reached.
  6386. #Default:
  6387. # netdb_high 1000
  6388.  
  6389. #  TAG: netdb_ping_period
  6390. #       The minimum period for measuring a site.  There will be at
  6391. #       least this much delay between successive pings to the same
  6392. #       network.  The default is five minutes.
  6393. #Default:
  6394. # netdb_ping_period 5 minutes
  6395.  
  6396. #  TAG: query_icmp      on|off
  6397. #       If you want to ask your peers to include ICMP data in their ICP
  6398. #       replies, enable this option.
  6399. #
  6400. #       If your peer has configured Squid (during compilation) with
  6401. #       '--enable-icmp' that peer will send ICMP pings to origin server
  6402. #       sites of the URLs it receives.  If you enable this option the
  6403. #       ICP replies from that peer will include the ICMP data (if available).
  6404. #       Then, when choosing a parent cache, Squid will choose the parent with
  6405. #       the minimal RTT to the origin server.  When this happens, the
  6406. #       hierarchy field of the access.log will be
  6407. #       "CLOSEST_PARENT_MISS".  This option is off by default.
  6408. #Default:
  6409. # query_icmp off
  6410.  
  6411. #  TAG: test_reachability       on|off
  6412. #       When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
  6413. #       instead of ICP_MISS if the target host is NOT in the ICMP
  6414. #       database, or has a zero RTT.
  6415. #Default:
  6416. # test_reachability off
  6417.  
  6418. #  TAG: icp_query_timeout       (msec)
  6419. #       Normally Squid will automatically determine an optimal ICP
  6420. #       query timeout value based on the round-trip-time of recent ICP
  6421. #       queries.  If you want to override the value determined by
  6422. #       Squid, set this 'icp_query_timeout' to a non-zero value.  This
  6423. #       value is specified in MILLISECONDS, so, to use a 2-second
  6424. #       timeout (the old default), you would write:
  6425. #
  6426. #               icp_query_timeout 2000
  6427. #Default:
  6428. # Dynamic detection.
  6429.  
  6430. #  TAG: maximum_icp_query_timeout       (msec)
  6431. #       Normally the ICP query timeout is determined dynamically.  But
  6432. #       sometimes it can lead to very large values (say 5 seconds).
  6433. #       Use this option to put an upper limit on the dynamic timeout
  6434. #       value.  Do NOT use this option to always use a fixed (instead
  6435. #       of a dynamic) timeout value. To set a fixed timeout see the
  6436. #       'icp_query_timeout' directive.
  6437. #Default:
  6438. # maximum_icp_query_timeout 2000
  6439.  
  6440. #  TAG: minimum_icp_query_timeout       (msec)
  6441. #       Normally the ICP query timeout is determined dynamically.  But
  6442. #       sometimes it can lead to very small timeouts, even lower than
  6443. #       the normal latency variance on your link due to traffic.
  6444. #       Use this option to put an lower limit on the dynamic timeout
  6445. #       value.  Do NOT use this option to always use a fixed (instead
  6446. #       of a dynamic) timeout value. To set a fixed timeout see the
  6447. #       'icp_query_timeout' directive.
  6448. #Default:
  6449. # minimum_icp_query_timeout 5
  6450.  
  6451. #  TAG: background_ping_rate    time-units
  6452. #       Controls how often the ICP pings are sent to siblings that
  6453. #       have background-ping set.
  6454. #Default:
  6455. # background_ping_rate 10 seconds
  6456.  
  6457. # MULTICAST ICP OPTIONS
  6458. # -----------------------------------------------------------------------------
  6459.  
  6460. #  TAG: mcast_groups
  6461. #       This tag specifies a list of multicast groups which your server
  6462. #       should join to receive multicasted ICP queries.
  6463. #
  6464. #       NOTE!  Be very careful what you put here!  Be sure you
  6465. #       understand the difference between an ICP _query_ and an ICP
  6466. #       _reply_.  This option is to be set only if you want to RECEIVE
  6467. #       multicast queries.  Do NOT set this option to SEND multicast
  6468. #       ICP (use cache_peer for that).  ICP replies are always sent via
  6469. #       unicast, so this option does not affect whether or not you will
  6470. #       receive replies from multicast group members.
  6471. #
  6472. #       You must be very careful to NOT use a multicast address which
  6473. #       is already in use by another group of caches.
  6474. #
  6475. #       If you are unsure about multicast, please read the Multicast
  6476. #       chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
  6477. #
  6478. #       Usage: mcast_groups 239.128.16.128 224.0.1.20
  6479. #
  6480. #       By default, Squid doesn't listen on any multicast groups.
  6481. #Default:
  6482. # none
  6483.  
  6484. #  TAG: mcast_miss_addr
  6485. # Note: This option is only available if Squid is rebuilt with the
  6486. #       -DMULTICAST_MISS_STREAM define
  6487. #
  6488. #       If you enable this option, every "cache miss" URL will
  6489. #       be sent out on the specified multicast address.
  6490. #
  6491. #       Do not enable this option unless you are are absolutely
  6492. #       certain you understand what you are doing.
  6493. #Default:
  6494. # disabled.
  6495.  
  6496. #  TAG: mcast_miss_ttl
  6497. # Note: This option is only available if Squid is rebuilt with the
  6498. #       -DMULTICAST_MISS_STREAM define
  6499. #
  6500. #       This is the time-to-live value for packets multicasted
  6501. #       when multicasting off cache miss URLs is enabled.  By
  6502. #       default this is set to 'site scope', i.e. 16.
  6503. #Default:
  6504. # mcast_miss_ttl 16
  6505.  
  6506. #  TAG: mcast_miss_port
  6507. # Note: This option is only available if Squid is rebuilt with the
  6508. #       -DMULTICAST_MISS_STREAM define
  6509. #
  6510. #       This is the port number to be used in conjunction with
  6511. #       'mcast_miss_addr'.
  6512. #Default:
  6513. # mcast_miss_port 3135
  6514.  
  6515. #  TAG: mcast_miss_encode_key
  6516. # Note: This option is only available if Squid is rebuilt with the
  6517. #       -DMULTICAST_MISS_STREAM define
  6518. #
  6519. #       The URLs that are sent in the multicast miss stream are
  6520. #       encrypted.  This is the encryption key.
  6521. #Default:
  6522. # mcast_miss_encode_key XXXXXXXXXXXXXXXX
  6523.  
  6524. #  TAG: mcast_icp_query_timeout (msec)
  6525. #       For multicast peers, Squid regularly sends out ICP "probes" to
  6526. #       count how many other peers are listening on the given multicast
  6527. #       address.  This value specifies how long Squid should wait to
  6528. #       count all the replies.  The default is 2000 msec, or 2
  6529. #       seconds.
  6530. #Default:
  6531. # mcast_icp_query_timeout 2000
  6532.  
  6533. # INTERNAL ICON OPTIONS
  6534. # -----------------------------------------------------------------------------
  6535.  
  6536. #  TAG: icon_directory
  6537. #       Where the icons are stored. These are normally kept in
  6538. #       /usr/share/squid/icons
  6539. #Default:
  6540. # icon_directory /usr/share/squid/icons
  6541.  
  6542. #  TAG: global_internal_static
  6543. #       This directive controls is Squid should intercept all requests for
  6544. #       /squid-internal-static/ no matter which host the URL is requesting
  6545. #       (default on setting), or if nothing special should be done for
  6546. #       such URLs (off setting). The purpose of this directive is to make
  6547. #       icons etc work better in complex cache hierarchies where it may
  6548. #       not always be possible for all corners in the cache mesh to reach
  6549. #       the server generating a directory listing.
  6550. #Default:
  6551. # global_internal_static on
  6552.  
  6553. #  TAG: short_icon_urls
  6554. #       If this is enabled Squid will use short URLs for icons.
  6555. #       If disabled it will revert to the old behavior of including
  6556. #       it's own name and port in the URL.
  6557. #
  6558. #       If you run a complex cache hierarchy with a mix of Squid and
  6559. #       other proxies you may need to disable this directive.
  6560. #Default:
  6561. # short_icon_urls on
  6562.  
  6563. # ERROR PAGE OPTIONS
  6564. # -----------------------------------------------------------------------------
  6565.  
  6566. #  TAG: error_directory
  6567. #       If you wish to create your own versions of the default
  6568. #       error files to customize them to suit your company copy
  6569. #       the error/template files to another directory and point
  6570. #       this tag at them.
  6571. #
  6572. #       WARNING: This option will disable multi-language support
  6573. #                on error pages if used.
  6574. #
  6575. #       The squid developers are interested in making squid available in
  6576. #       a wide variety of languages. If you are making translations for a
  6577. #       language that Squid does not currently provide please consider
  6578. #       contributing your translation back to the project.
  6579. #       http://wiki.squid-cache.org/Translations
  6580. #
  6581. #       The squid developers working on translations are happy to supply drop-in
  6582. #       translated error files in exchange for any new language contributions.
  6583. #Default:
  6584. # Send error pages in the clients preferred language
  6585.  
  6586. #  TAG: error_default_language
  6587. #       Set the default language which squid will send error pages in
  6588. #       if no existing translation matches the clients language
  6589. #       preferences.
  6590. #
  6591. #       If unset (default) generic English will be used.
  6592. #
  6593. #       The squid developers are interested in making squid available in
  6594. #       a wide variety of languages. If you are interested in making
  6595. #       translations for any language see the squid wiki for details.
  6596. #       http://wiki.squid-cache.org/Translations
  6597. #Default:
  6598. # Generate English language pages.
  6599.  
  6600. #  TAG: error_log_languages
  6601. #       Log to cache.log what languages users are attempting to
  6602. #       auto-negotiate for translations.
  6603. #
  6604. #       Successful negotiations are not logged. Only failures
  6605. #       have meaning to indicate that Squid may need an upgrade
  6606. #       of its error page translations.
  6607. #Default:
  6608. # error_log_languages on
  6609.  
  6610. #  TAG: err_page_stylesheet
  6611. #       CSS Stylesheet to pattern the display of Squid default error pages.
  6612. #
  6613. #       For information on CSS see http://www.w3.org/Style/CSS/
  6614. #Default:
  6615. # err_page_stylesheet /etc/squid/errorpage.css
  6616.  
  6617. #  TAG: err_html_text
  6618. #       HTML text to include in error messages.  Make this a "mailto"
  6619. #       URL to your admin address, or maybe just a link to your
  6620. #       organizations Web page.
  6621. #
  6622. #       To include this in your error messages, you must rewrite
  6623. #       the error template files (found in the "errors" directory).
  6624. #       Wherever you want the 'err_html_text' line to appear,
  6625. #       insert a %L tag in the error template file.
  6626. #Default:
  6627. # none
  6628.  
  6629. #  TAG: email_err_data  on|off
  6630. #       If enabled, information about the occurred error will be
  6631. #       included in the mailto links of the ERR pages (if %W is set)
  6632. #       so that the email body contains the data.
  6633. #       Syntax is <A HREF="mailto:%w%W">%w</A>
  6634. #Default:
  6635. # email_err_data on
  6636.  
  6637. #  TAG: deny_info
  6638. #       Usage:   deny_info err_page_name acl
  6639. #       or       deny_info http://... acl
  6640. #       or       deny_info TCP_RESET acl
  6641. #
  6642. #       This can be used to return a ERR_ page for requests which
  6643. #       do not pass the 'http_access' rules.  Squid remembers the last
  6644. #       acl it evaluated in http_access, and if a 'deny_info' line exists
  6645. #       for that ACL Squid returns a corresponding error page.
  6646. #
  6647. #       The acl is typically the last acl on the http_access deny line which
  6648. #       denied access. The exceptions to this rule are:
  6649. #       - When Squid needs to request authentication credentials. It's then
  6650. #         the first authentication related acl encountered
  6651. #       - When none of the http_access lines matches. It's then the last
  6652. #         acl processed on the last http_access line.
  6653. #       - When the decision to deny access was made by an adaptation service,
  6654. #         the acl name is the corresponding eCAP or ICAP service_name.
  6655. #
  6656. #       NP: If providing your own custom error pages with error_directory
  6657. #           you may also specify them by your custom file name:
  6658. #           Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
  6659. #
  6660. #       By defaut Squid will send "403 Forbidden". A different 4xx or 5xx
  6661. #       may be specified by prefixing the file name with the code and a colon.
  6662. #       e.g. 404:ERR_CUSTOM_ACCESS_DENIED
  6663. #
  6664. #       Alternatively you can tell Squid to reset the TCP connection
  6665. #       by specifying TCP_RESET.
  6666. #
  6667. #       Or you can specify an error URL or URL pattern. The browsers will
  6668. #       get redirected to the specified URL after formatting tags have
  6669. #       been replaced. Redirect will be done with 302 or 307 according to
  6670. #       HTTP/1.1 specs. A different 3xx code may be specified by prefixing
  6671. #       the URL. e.g. 303:http://example.com/
  6672. #
  6673. #       URL FORMAT TAGS:
  6674. #               %a      - username (if available. Password NOT included)
  6675. #               %B      - FTP path URL
  6676. #               %e      - Error number
  6677. #               %E      - Error description
  6678. #               %h      - Squid hostname
  6679. #               %H      - Request domain name
  6680. #               %i      - Client IP Address
  6681. #               %M      - Request Method
  6682. #               %o      - Message result from external ACL helper
  6683. #               %p      - Request Port number
  6684. #               %P      - Request Protocol name
  6685. #               %R      - Request URL path
  6686. #               %T      - Timestamp in RFC 1123 format
  6687. #               %U      - Full canonical URL from client
  6688. #                         (HTTPS URLs terminate with *)
  6689. #               %u      - Full canonical URL from client
  6690. #               %w      - Admin email from squid.conf
  6691. #               %x      - Error name
  6692. #               %%      - Literal percent (%) code
  6693. #
  6694. #Default:
  6695. # none
  6696.  
  6697. # OPTIONS INFLUENCING REQUEST FORWARDING
  6698. # -----------------------------------------------------------------------------
  6699.  
  6700. #  TAG: nonhierarchical_direct
  6701. #       By default, Squid will send any non-hierarchical requests
  6702. #       (not cacheable request type) direct to origin servers.
  6703. #
  6704. #       When this is set to "off", Squid will prefer to send these
  6705. #       requests to parents.
  6706. #
  6707. #       Note that in most configurations, by turning this off you will only
  6708. #       add latency to these request without any improvement in global hit
  6709. #       ratio.
  6710. #
  6711. #       This option only sets a preference. If the parent is unavailable a
  6712. #       direct connection to the origin server may still be attempted. To
  6713. #       completely prevent direct connections use never_direct.
  6714. #Default:
  6715. # nonhierarchical_direct on
  6716.  
  6717. #  TAG: prefer_direct
  6718. #       Normally Squid tries to use parents for most requests. If you for some
  6719. #       reason like it to first try going direct and only use a parent if
  6720. #       going direct fails set this to on.
  6721. #
  6722. #       By combining nonhierarchical_direct off and prefer_direct on you
  6723. #       can set up Squid to use a parent as a backup path if going direct
  6724. #       fails.
  6725. #
  6726. #       Note: If you want Squid to use parents for all requests see
  6727. #       the never_direct directive. prefer_direct only modifies how Squid
  6728. #       acts on cacheable requests.
  6729. #Default:
  6730. # prefer_direct off
  6731.  
  6732. #  TAG: cache_miss_revalidate   on|off
  6733. #       RFC 7232 defines a conditional request mechanism to prevent
  6734. #       response objects being unnecessarily transferred over the network.
  6735. #       If that mechanism is used by the client and a cache MISS occurs
  6736. #       it can prevent new cache entries being created.
  6737. #
  6738. #       This option determines whether Squid on cache MISS will pass the
  6739. #       client revalidation request to the server or tries to fetch new
  6740. #       content for caching. It can be useful while the cache is mostly
  6741. #       empty to more quickly have the cache populated by generating
  6742. #       non-conditional GETs.
  6743. #
  6744. #       When set to 'on' (default), Squid will pass all client If-* headers
  6745. #       to the server. This permits server responses without a cacheable
  6746. #       payload to be delivered and on MISS no new cache entry is created.
  6747. #
  6748. #       When set to 'off' and if the request is cacheable, Squid will
  6749. #       remove the clients If-Modified-Since and If-None-Match headers from
  6750. #       the request sent to the server. This requests a 200 status response
  6751. #       from the server to create a new cache entry with.
  6752. #Default:
  6753. # cache_miss_revalidate on
  6754.  
  6755. #  TAG: always_direct
  6756. #       Usage: always_direct allow|deny [!]aclname ...
  6757. #
  6758. #       Here you can use ACL elements to specify requests which should
  6759. #       ALWAYS be forwarded by Squid to the origin servers without using
  6760. #       any peers.  For example, to always directly forward requests for
  6761. #       local servers ignoring any parents or siblings you may have use
  6762. #       something like:
  6763. #
  6764. #               acl local-servers dstdomain my.domain.net
  6765. #               always_direct allow local-servers
  6766. #
  6767. #       To always forward FTP requests directly, use
  6768. #
  6769. #               acl FTP proto FTP
  6770. #               always_direct allow FTP
  6771. #
  6772. #       NOTE: There is a similar, but opposite option named
  6773. #       'never_direct'.  You need to be aware that "always_direct deny
  6774. #       foo" is NOT the same thing as "never_direct allow foo".  You
  6775. #       may need to use a deny rule to exclude a more-specific case of
  6776. #       some other rule.  Example:
  6777. #
  6778. #               acl local-external dstdomain external.foo.net
  6779. #               acl local-servers dstdomain  .foo.net
  6780. #               always_direct deny local-external
  6781. #               always_direct allow local-servers
  6782. #
  6783. #       NOTE: If your goal is to make the client forward the request
  6784. #       directly to the origin server bypassing Squid then this needs
  6785. #       to be done in the client configuration. Squid configuration
  6786. #       can only tell Squid how Squid should fetch the object.
  6787. #
  6788. #       NOTE: This directive is not related to caching. The replies
  6789. #       is cached as usual even if you use always_direct. To not cache
  6790. #       the replies see the 'cache' directive.
  6791. #
  6792. #       This clause supports both fast and slow acl types.
  6793. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  6794. #Default:
  6795. # Prevent any cache_peer being used for this request.
  6796.  
  6797. #  TAG: never_direct
  6798. #       Usage: never_direct allow|deny [!]aclname ...
  6799. #
  6800. #       never_direct is the opposite of always_direct.  Please read
  6801. #       the description for always_direct if you have not already.
  6802. #
  6803. #       With 'never_direct' you can use ACL elements to specify
  6804. #       requests which should NEVER be forwarded directly to origin
  6805. #       servers.  For example, to force the use of a proxy for all
  6806. #       requests, except those in your local domain use something like:
  6807. #
  6808. #               acl local-servers dstdomain .foo.net
  6809. #               never_direct deny local-servers
  6810. #               never_direct allow all
  6811. #
  6812. #       or if Squid is inside a firewall and there are local intranet
  6813. #       servers inside the firewall use something like:
  6814. #
  6815. #               acl local-intranet dstdomain .foo.net
  6816. #               acl local-external dstdomain external.foo.net
  6817. #               always_direct deny local-external
  6818. #               always_direct allow local-intranet
  6819. #               never_direct allow all
  6820. #
  6821. #       This clause supports both fast and slow acl types.
  6822. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  6823. #Default:
  6824. # Allow DNS results to be used for this request.
  6825.  
  6826. # ADVANCED NETWORKING OPTIONS
  6827. # -----------------------------------------------------------------------------
  6828.  
  6829. #  TAG: incoming_udp_average
  6830. #       Heavy voodoo here.  I can't even believe you are reading this.
  6831. #       Are you crazy?  Don't even think about adjusting these unless
  6832. #       you understand the algorithms in comm_select.c first!
  6833. #Default:
  6834. # incoming_udp_average 6
  6835.  
  6836. #  TAG: incoming_tcp_average
  6837. #       Heavy voodoo here.  I can't even believe you are reading this.
  6838. #       Are you crazy?  Don't even think about adjusting these unless
  6839. #       you understand the algorithms in comm_select.c first!
  6840. #Default:
  6841. # incoming_tcp_average 4
  6842.  
  6843. #  TAG: incoming_dns_average
  6844. #       Heavy voodoo here.  I can't even believe you are reading this.
  6845. #       Are you crazy?  Don't even think about adjusting these unless
  6846. #       you understand the algorithms in comm_select.c first!
  6847. #Default:
  6848. # incoming_dns_average 4
  6849.  
  6850. #  TAG: min_udp_poll_cnt
  6851. #       Heavy voodoo here.  I can't even believe you are reading this.
  6852. #       Are you crazy?  Don't even think about adjusting these unless
  6853. #       you understand the algorithms in comm_select.c first!
  6854. #Default:
  6855. # min_udp_poll_cnt 8
  6856.  
  6857. #  TAG: min_dns_poll_cnt
  6858. #       Heavy voodoo here.  I can't even believe you are reading this.
  6859. #       Are you crazy?  Don't even think about adjusting these unless
  6860. #       you understand the algorithms in comm_select.c first!
  6861. #Default:
  6862. # min_dns_poll_cnt 8
  6863.  
  6864. #  TAG: min_tcp_poll_cnt
  6865. #       Heavy voodoo here.  I can't even believe you are reading this.
  6866. #       Are you crazy?  Don't even think about adjusting these unless
  6867. #       you understand the algorithms in comm_select.c first!
  6868. #Default:
  6869. # min_tcp_poll_cnt 8
  6870.  
  6871. #  TAG: accept_filter
  6872. #       FreeBSD:
  6873. #
  6874. #       The name of an accept(2) filter to install on Squid's
  6875. #       listen socket(s).  This feature is perhaps specific to
  6876. #       FreeBSD and requires support in the kernel.
  6877. #
  6878. #       The 'httpready' filter delays delivering new connections
  6879. #       to Squid until a full HTTP request has been received.
  6880. #       See the accf_http(9) man page for details.
  6881. #
  6882. #       The 'dataready' filter delays delivering new connections
  6883. #       to Squid until there is some data to process.
  6884. #       See the accf_dataready(9) man page for details.
  6885. #
  6886. #       Linux:
  6887. #      
  6888. #       The 'data' filter delays delivering of new connections
  6889. #       to Squid until there is some data to process by TCP_ACCEPT_DEFER.
  6890. #       You may optionally specify a number of seconds to wait by
  6891. #       'data=N' where N is the number of seconds. Defaults to 30
  6892. #       if not specified.  See the tcp(7) man page for details.
  6893. #EXAMPLE:
  6894. ## FreeBSD
  6895. #accept_filter httpready
  6896. ## Linux
  6897. #accept_filter data
  6898. #Default:
  6899. # none
  6900.  
  6901. #  TAG: client_ip_max_connections
  6902. #       Set an absolute limit on the number of connections a single
  6903. #       client IP can use. Any more than this and Squid will begin to drop
  6904. #       new connections from the client until it closes some links.
  6905. #
  6906. #       Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
  6907. #       connections from the client. For finer control use the ACL access controls.
  6908. #
  6909. #       Requires client_db to be enabled (the default).
  6910. #
  6911. #       WARNING: This may noticably slow down traffic received via external proxies
  6912. #       or NAT devices and cause them to rebound error messages back to their clients.
  6913. #Default:
  6914. # No limit.
  6915.  
  6916. #  TAG: tcp_recv_bufsize        (bytes)
  6917. #       Size of receive buffer to set for TCP sockets.  Probably just
  6918. #       as easy to change your kernel's default.
  6919. #       Omit from squid.conf to use the default buffer size.
  6920. #Default:
  6921. # Use operating system TCP defaults.
  6922.  
  6923. # ICAP OPTIONS
  6924. # -----------------------------------------------------------------------------
  6925.  
  6926. #  TAG: icap_enable     on|off
  6927. #       If you want to enable the ICAP module support, set this to on.
  6928. #Default:
  6929. # icap_enable off
  6930.  
  6931. #  TAG: icap_connect_timeout
  6932. #       This parameter specifies how long to wait for the TCP connect to
  6933. #       the requested ICAP server to complete before giving up and either
  6934. #       terminating the HTTP transaction or bypassing the failure.
  6935. #
  6936. #       The default for optional services is peer_connect_timeout.
  6937. #       The default for essential services is connect_timeout.
  6938. #       If this option is explicitly set, its value applies to all services.
  6939. #Default:
  6940. # none
  6941.  
  6942. #  TAG: icap_io_timeout time-units
  6943. #       This parameter specifies how long to wait for an I/O activity on
  6944. #       an established, active ICAP connection before giving up and
  6945. #       either terminating the HTTP transaction or bypassing the
  6946. #       failure.
  6947. #Default:
  6948. # Use read_timeout.
  6949.  
  6950. #  TAG: icap_service_failure_limit      limit [in memory-depth time-units]
  6951. #       The limit specifies the number of failures that Squid tolerates
  6952. #       when establishing a new TCP connection with an ICAP service. If
  6953. #       the number of failures exceeds the limit, the ICAP service is
  6954. #       not used for new ICAP requests until it is time to refresh its
  6955. #       OPTIONS.
  6956. #
  6957. #       A negative value disables the limit. Without the limit, an ICAP
  6958. #       service will not be considered down due to connectivity failures
  6959. #       between ICAP OPTIONS requests.
  6960. #
  6961. #       Squid forgets ICAP service failures older than the specified
  6962. #       value of memory-depth. The memory fading algorithm
  6963. #       is approximate because Squid does not remember individual
  6964. #       errors but groups them instead, splitting the option
  6965. #       value into ten time slots of equal length.
  6966. #
  6967. #       When memory-depth is 0 and by default this option has no
  6968. #       effect on service failure expiration.
  6969. #
  6970. #       Squid always forgets failures when updating service settings
  6971. #       using an ICAP OPTIONS transaction, regardless of this option
  6972. #       setting.
  6973. #
  6974. #       For example,
  6975. #               # suspend service usage after 10 failures in 5 seconds:
  6976. #               icap_service_failure_limit 10 in 5 seconds
  6977. #Default:
  6978. # icap_service_failure_limit 10
  6979.  
  6980. #  TAG: icap_service_revival_delay
  6981. #       The delay specifies the number of seconds to wait after an ICAP
  6982. #       OPTIONS request failure before requesting the options again. The
  6983. #       failed ICAP service is considered "down" until fresh OPTIONS are
  6984. #       fetched.
  6985. #
  6986. #       The actual delay cannot be smaller than the hardcoded minimum
  6987. #       delay of 30 seconds.
  6988. #Default:
  6989. # icap_service_revival_delay 180
  6990.  
  6991. #  TAG: icap_preview_enable     on|off
  6992. #       The ICAP Preview feature allows the ICAP server to handle the
  6993. #       HTTP message by looking only at the beginning of the message body
  6994. #       or even without receiving the body at all. In some environments,
  6995. #       previews greatly speedup ICAP processing.
  6996. #
  6997. #       During an ICAP OPTIONS transaction, the server may tell Squid what
  6998. #       HTTP messages should be previewed and how big the preview should be.
  6999. #       Squid will not use Preview if the server did not request one.
  7000. #
  7001. #       To disable ICAP Preview for all ICAP services, regardless of
  7002. #       individual ICAP server OPTIONS responses, set this option to "off".
  7003. #Example:
  7004. #icap_preview_enable off
  7005. #Default:
  7006. # icap_preview_enable on
  7007.  
  7008. #  TAG: icap_preview_size
  7009. #       The default size of preview data to be sent to the ICAP server.
  7010. #       This value might be overwritten on a per server basis by OPTIONS requests.
  7011. #Default:
  7012. # No preview sent.
  7013.  
  7014. #  TAG: icap_206_enable on|off
  7015. #       206 (Partial Content) responses is an ICAP extension that allows the
  7016. #       ICAP agents to optionally combine adapted and original HTTP message
  7017. #       content. The decision to combine is postponed until the end of the
  7018. #       ICAP response. Squid supports Partial Content extension by default.
  7019. #
  7020. #       Activation of the Partial Content extension is negotiated with each
  7021. #       ICAP service during OPTIONS exchange. Most ICAP servers should handle
  7022. #       negotation correctly even if they do not support the extension, but
  7023. #       some might fail. To disable Partial Content support for all ICAP
  7024. #       services and to avoid any negotiation, set this option to "off".
  7025. #
  7026. #       Example:
  7027. #           icap_206_enable off
  7028. #Default:
  7029. # icap_206_enable on
  7030.  
  7031. #  TAG: icap_default_options_ttl
  7032. #       The default TTL value for ICAP OPTIONS responses that don't have
  7033. #       an Options-TTL header.
  7034. #Default:
  7035. # icap_default_options_ttl 60
  7036.  
  7037. #  TAG: icap_persistent_connections     on|off
  7038. #       Whether or not Squid should use persistent connections to
  7039. #       an ICAP server.
  7040. #Default:
  7041. # icap_persistent_connections on
  7042.  
  7043. #  TAG: adaptation_send_client_ip       on|off
  7044. #       If enabled, Squid shares HTTP client IP information with adaptation
  7045. #       services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
  7046. #       For eCAP, Squid sets the libecap::metaClientIp transaction option.
  7047. #
  7048. #       See also: adaptation_uses_indirect_client
  7049. #Default:
  7050. # adaptation_send_client_ip off
  7051.  
  7052. #  TAG: adaptation_send_username        on|off
  7053. #       This sends authenticated HTTP client username (if available) to
  7054. #       the adaptation service.
  7055. #
  7056. #       For ICAP, the username value is encoded based on the
  7057. #       icap_client_username_encode option and is sent using the header
  7058. #       specified by the icap_client_username_header option.
  7059. #Default:
  7060. # adaptation_send_username off
  7061.  
  7062. #  TAG: icap_client_username_header
  7063. #       ICAP request header name to use for adaptation_send_username.
  7064. #Default:
  7065. # icap_client_username_header X-Client-Username
  7066.  
  7067. #  TAG: icap_client_username_encode     on|off
  7068. #       Whether to base64 encode the authenticated client username.
  7069. #Default:
  7070. # icap_client_username_encode off
  7071.  
  7072. #  TAG: icap_service
  7073. #       Defines a single ICAP service using the following format:
  7074. #
  7075. #       icap_service id vectoring_point uri [option ...]
  7076. #
  7077. #       id: ID
  7078. #               an opaque identifier or name which is used to direct traffic to
  7079. #               this specific service. Must be unique among all adaptation
  7080. #               services in squid.conf.
  7081. #
  7082. #       vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
  7083. #               This specifies at which point of transaction processing the
  7084. #               ICAP service should be activated. *_postcache vectoring points
  7085. #               are not yet supported.
  7086. #
  7087. #       uri: icap://servername:port/servicepath
  7088. #               ICAP server and service location.
  7089. #
  7090. #       ICAP does not allow a single service to handle both REQMOD and RESPMOD
  7091. #       transactions. Squid does not enforce that requirement. You can specify
  7092. #       services with the same service_url and different vectoring_points. You
  7093. #       can even specify multiple identical services as long as their
  7094. #       service_names differ.
  7095. #
  7096. #       To activate a service, use the adaptation_access directive. To group
  7097. #       services, use adaptation_service_chain and adaptation_service_set.
  7098. #
  7099. #       Service options are separated by white space. ICAP services support
  7100. #       the following name=value options:
  7101. #
  7102. #       bypass=on|off|1|0
  7103. #               If set to 'on' or '1', the ICAP service is treated as
  7104. #               optional. If the service cannot be reached or malfunctions,
  7105. #               Squid will try to ignore any errors and process the message as
  7106. #               if the service was not enabled. No all ICAP errors can be
  7107. #               bypassed.  If set to 0, the ICAP service is treated as
  7108. #               essential and all ICAP errors will result in an error page
  7109. #               returned to the HTTP client.
  7110. #
  7111. #               Bypass is off by default: services are treated as essential.
  7112. #
  7113. #       routing=on|off|1|0
  7114. #               If set to 'on' or '1', the ICAP service is allowed to
  7115. #               dynamically change the current message adaptation plan by
  7116. #               returning a chain of services to be used next. The services
  7117. #               are specified using the X-Next-Services ICAP response header
  7118. #               value, formatted as a comma-separated list of service names.
  7119. #               Each named service should be configured in squid.conf. Other
  7120. #               services are ignored. An empty X-Next-Services value results
  7121. #               in an empty plan which ends the current adaptation.
  7122. #
  7123. #               Dynamic adaptation plan may cross or cover multiple supported
  7124. #               vectoring points in their natural processing order.
  7125. #
  7126. #               Routing is not allowed by default: the ICAP X-Next-Services
  7127. #               response header is ignored.
  7128. #
  7129. #       ipv6=on|off
  7130. #               Only has effect on split-stack systems. The default on those systems
  7131. #               is to use IPv4-only connections. When set to 'on' this option will
  7132. #               make Squid use IPv6-only connections to contact this ICAP service.
  7133. #
  7134. #       on-overload=block|bypass|wait|force
  7135. #               If the service Max-Connections limit has been reached, do
  7136. #               one of the following for each new ICAP transaction:
  7137. #                 * block:  send an HTTP error response to the client
  7138. #                 * bypass: ignore the "over-connected" ICAP service
  7139. #                 * wait:   wait (in a FIFO queue) for an ICAP connection slot
  7140. #                 * force:  proceed, ignoring the Max-Connections limit
  7141. #
  7142. #               In SMP mode with N workers, each worker assumes the service
  7143. #               connection limit is Max-Connections/N, even though not all
  7144. #               workers may use a given service.
  7145. #
  7146. #               The default value is "bypass" if service is bypassable,
  7147. #               otherwise it is set to "wait".
  7148. #              
  7149. #
  7150. #       max-conn=number
  7151. #               Use the given number as the Max-Connections limit, regardless
  7152. #               of the Max-Connections value given by the service, if any.
  7153. #
  7154. #       Older icap_service format without optional named parameters is
  7155. #       deprecated but supported for backward compatibility.
  7156. #
  7157. #Example:
  7158. #icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
  7159. #icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on
  7160. #Default:
  7161. # none
  7162.  
  7163. #  TAG: icap_class
  7164. #       This deprecated option was documented to define an ICAP service
  7165. #       chain, even though it actually defined a set of similar, redundant
  7166. #       services, and the chains were not supported.
  7167. #
  7168. #       To define a set of redundant services, please use the
  7169. #       adaptation_service_set directive. For service chains, use
  7170. #       adaptation_service_chain.
  7171. #Default:
  7172. # none
  7173.  
  7174. #  TAG: icap_access
  7175. #       This option is deprecated. Please use adaptation_access, which
  7176. #       has the same ICAP functionality, but comes with better
  7177. #       documentation, and eCAP support.
  7178. #Default:
  7179. # none
  7180.  
  7181. # eCAP OPTIONS
  7182. # -----------------------------------------------------------------------------
  7183.  
  7184. #  TAG: ecap_enable     on|off
  7185. #       Controls whether eCAP support is enabled.
  7186. #Default:
  7187. # ecap_enable off
  7188.  
  7189. #  TAG: ecap_service
  7190. #       Defines a single eCAP service
  7191. #
  7192. #       ecap_service id vectoring_point uri [option ...]
  7193. #
  7194. #        id: ID
  7195. #               an opaque identifier or name which is used to direct traffic to
  7196. #               this specific service. Must be unique among all adaptation
  7197. #               services in squid.conf.
  7198. #
  7199. #       vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
  7200. #               This specifies at which point of transaction processing the
  7201. #               eCAP service should be activated. *_postcache vectoring points
  7202. #               are not yet supported.
  7203. #
  7204. #       uri: ecap://vendor/service_name?custom&cgi=style&parameters=optional
  7205. #               Squid uses the eCAP service URI to match this configuration
  7206. #               line with one of the dynamically loaded services. Each loaded
  7207. #               eCAP service must have a unique URI. Obtain the right URI from
  7208. #               the service provider.
  7209. #
  7210. #       To activate a service, use the adaptation_access directive. To group
  7211. #       services, use adaptation_service_chain and adaptation_service_set.
  7212. #
  7213. #       Service options are separated by white space. eCAP services support
  7214. #       the following name=value options:
  7215. #
  7216. #       bypass=on|off|1|0
  7217. #               If set to 'on' or '1', the eCAP service is treated as optional.
  7218. #               If the service cannot be reached or malfunctions, Squid will try
  7219. #               to ignore any errors and process the message as if the service
  7220. #               was not enabled. No all eCAP errors can be bypassed.
  7221. #               If set to 'off' or '0', the eCAP service is treated as essential
  7222. #               and all eCAP errors will result in an error page returned to the
  7223. #               HTTP client.
  7224. #
  7225. #                Bypass is off by default: services are treated as essential.
  7226. #
  7227. #       routing=on|off|1|0
  7228. #               If set to 'on' or '1', the eCAP service is allowed to
  7229. #               dynamically change the current message adaptation plan by
  7230. #               returning a chain of services to be used next.
  7231. #
  7232. #               Dynamic adaptation plan may cross or cover multiple supported
  7233. #               vectoring points in their natural processing order.
  7234. #
  7235. #               Routing is not allowed by default.
  7236. #
  7237. #       Older ecap_service format without optional named parameters is
  7238. #       deprecated but supported for backward compatibility.
  7239. #
  7240. #
  7241. #Example:
  7242. #ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off
  7243. #ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on
  7244. #Default:
  7245. # none
  7246.  
  7247. #  TAG: loadable_modules
  7248. #       Instructs Squid to load the specified dynamic module(s) or activate
  7249. #       preloaded module(s).
  7250. #Example:
  7251. #loadable_modules /usr/lib/MinimalAdapter.so
  7252. #Default:
  7253. # none
  7254.  
  7255. # MESSAGE ADAPTATION OPTIONS
  7256. # -----------------------------------------------------------------------------
  7257.  
  7258. #  TAG: adaptation_service_set
  7259. #
  7260. #       Configures an ordered set of similar, redundant services. This is
  7261. #       useful when hot standby or backup adaptation servers are available.
  7262. #
  7263. #           adaptation_service_set set_name service_name1 service_name2 ...
  7264. #
  7265. #       The named services are used in the set declaration order. The first
  7266. #       applicable adaptation service from the set is used first. The next
  7267. #       applicable service is tried if and only if the transaction with the
  7268. #       previous service fails and the message waiting to be adapted is still
  7269. #       intact.
  7270. #
  7271. #       When adaptation starts, broken services are ignored as if they were
  7272. #       not a part of the set. A broken service is a down optional service.
  7273. #
  7274. #       The services in a set must be attached to the same vectoring point
  7275. #       (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
  7276. #
  7277. #       If all services in a set are optional then adaptation failures are
  7278. #       bypassable. If all services in the set are essential, then a
  7279. #       transaction failure with one service may still be retried using
  7280. #       another service from the set, but when all services fail, the master
  7281. #       transaction fails as well.
  7282. #
  7283. #       A set may contain a mix of optional and essential services, but that
  7284. #       is likely to lead to surprising results because broken services become
  7285. #       ignored (see above), making previously bypassable failures fatal.
  7286. #       Technically, it is the bypassability of the last failed service that
  7287. #       matters.
  7288. #
  7289. #       See also: adaptation_access adaptation_service_chain
  7290. #
  7291. #Example:
  7292. #adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
  7293. #adaptation service_set svcLogger loggerLocal loggerRemote
  7294. #Default:
  7295. # none
  7296.  
  7297. #  TAG: adaptation_service_chain
  7298. #
  7299. #       Configures a list of complementary services that will be applied
  7300. #       one-by-one, forming an adaptation chain or pipeline. This is useful
  7301. #       when Squid must perform different adaptations on the same message.
  7302. #
  7303. #           adaptation_service_chain chain_name service_name1 svc_name2 ...
  7304. #
  7305. #       The named services are used in the chain declaration order. The first
  7306. #       applicable adaptation service from the chain is used first. The next
  7307. #       applicable service is applied to the successful adaptation results of
  7308. #       the previous service in the chain.
  7309. #
  7310. #       When adaptation starts, broken services are ignored as if they were
  7311. #       not a part of the chain. A broken service is a down optional service.
  7312. #
  7313. #       Request satisfaction terminates the adaptation chain because Squid
  7314. #       does not currently allow declaration of RESPMOD services at the
  7315. #       "reqmod_precache" vectoring point (see icap_service or ecap_service).
  7316. #
  7317. #       The services in a chain must be attached to the same vectoring point
  7318. #       (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
  7319. #
  7320. #       A chain may contain a mix of optional and essential services. If an
  7321. #       essential adaptation fails (or the failure cannot be bypassed for
  7322. #       other reasons), the master transaction fails. Otherwise, the failure
  7323. #       is bypassed as if the failed adaptation service was not in the chain.
  7324. #
  7325. #       See also: adaptation_access adaptation_service_set
  7326. #
  7327. #Example:
  7328. #adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
  7329. #Default:
  7330. # none
  7331.  
  7332. #  TAG: adaptation_access
  7333. #       Sends an HTTP transaction to an ICAP or eCAP adaptation service.
  7334. #
  7335. #       adaptation_access service_name allow|deny [!]aclname...
  7336. #       adaptation_access set_name     allow|deny [!]aclname...
  7337. #
  7338. #       At each supported vectoring point, the adaptation_access
  7339. #       statements are processed in the order they appear in this
  7340. #       configuration file. Statements pointing to the following services
  7341. #       are ignored (i.e., skipped without checking their ACL):
  7342. #
  7343. #           - services serving different vectoring points
  7344. #           - "broken-but-bypassable" services
  7345. #           - "up" services configured to ignore such transactions
  7346. #              (e.g., based on the ICAP Transfer-Ignore header).
  7347. #
  7348. #        When a set_name is used, all services in the set are checked
  7349. #       using the same rules, to find the first applicable one. See
  7350. #       adaptation_service_set for details.
  7351. #
  7352. #       If an access list is checked and there is a match, the
  7353. #       processing stops: For an "allow" rule, the corresponding
  7354. #       adaptation service is used for the transaction. For a "deny"
  7355. #       rule, no adaptation service is activated.
  7356. #
  7357. #       It is currently not possible to apply more than one adaptation
  7358. #       service at the same vectoring point to the same HTTP transaction.
  7359. #
  7360. #        See also: icap_service and ecap_service
  7361. #
  7362. #Example:
  7363. #adaptation_access service_1 allow all
  7364. #Default:
  7365. # Allow, unless rules exist in squid.conf.
  7366.  
  7367. #  TAG: adaptation_service_iteration_limit
  7368. #       Limits the number of iterations allowed when applying adaptation
  7369. #       services to a message. If your longest adaptation set or chain
  7370. #       may have more than 16 services, increase the limit beyond its
  7371. #       default value of 16. If detecting infinite iteration loops sooner
  7372. #       is critical, make the iteration limit match the actual number
  7373. #       of services in your longest adaptation set or chain.
  7374. #
  7375. #       Infinite adaptation loops are most likely with routing services.
  7376. #
  7377. #       See also: icap_service routing=1
  7378. #Default:
  7379. # adaptation_service_iteration_limit 16
  7380.  
  7381. #  TAG: adaptation_masterx_shared_names
  7382. #       For each master transaction (i.e., the HTTP request and response
  7383. #       sequence, including all related ICAP and eCAP exchanges), Squid
  7384. #       maintains a table of metadata. The table entries are (name, value)
  7385. #       pairs shared among eCAP and ICAP exchanges. The table is destroyed
  7386. #       with the master transaction.
  7387. #
  7388. #       This option specifies the table entry names that Squid must accept
  7389. #       from and forward to the adaptation transactions.
  7390. #
  7391. #       An ICAP REQMOD or RESPMOD transaction may set an entry in the
  7392. #       shared table by returning an ICAP header field with a name
  7393. #       specified in adaptation_masterx_shared_names.
  7394. #
  7395. #       An eCAP REQMOD or RESPMOD transaction may set an entry in the
  7396. #       shared table by implementing the libecap::visitEachOption() API
  7397. #       to provide an option with a name specified in
  7398. #       adaptation_masterx_shared_names.
  7399. #
  7400. #       Squid will store and forward the set entry to subsequent adaptation
  7401. #       transactions within the same master transaction scope.
  7402. #
  7403. #       Only one shared entry name is supported at this time.
  7404. #
  7405. #Example:
  7406. ## share authentication information among ICAP services
  7407. #adaptation_masterx_shared_names X-Subscriber-ID
  7408. #Default:
  7409. # none
  7410.  
  7411. #  TAG: adaptation_meta
  7412. #       This option allows Squid administrator to add custom ICAP request
  7413. #       headers or eCAP options to Squid ICAP requests or eCAP transactions.
  7414. #       Use it to pass custom authentication tokens and other
  7415. #       transaction-state related meta information to an ICAP/eCAP service.
  7416. #      
  7417. #       The addition of a meta header is ACL-driven:
  7418. #               adaptation_meta name value [!]aclname ...
  7419. #      
  7420. #       Processing for a given header name stops after the first ACL list match.
  7421. #       Thus, it is impossible to add two headers with the same name. If no ACL
  7422. #       lists match for a given header name, no such header is added. For
  7423. #       example:
  7424. #      
  7425. #               # do not debug transactions except for those that need debugging
  7426. #               adaptation_meta X-Debug 1 needs_debugging
  7427. #      
  7428. #               # log all transactions except for those that must remain secret
  7429. #               adaptation_meta X-Log 1 !keep_secret
  7430. #      
  7431. #               # mark transactions from users in the "G 1" group
  7432. #               adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
  7433. #      
  7434. #       The "value" parameter may be a regular squid.conf token or a "double
  7435. #       quoted string". Within the quoted string, use backslash (\) to escape
  7436. #       any character, which is currently only useful for escaping backslashes
  7437. #       and double quotes. For example,
  7438. #           "this string has one backslash (\\) and two \"quotes\""
  7439. #
  7440. #       Used adaptation_meta header values may be logged via %note
  7441. #       logformat code. If multiple adaptation_meta headers with the same name
  7442. #       are used during master transaction lifetime, the header values are
  7443. #       logged in the order they were used and duplicate values are ignored
  7444. #       (only the first repeated value will be logged).
  7445. #Default:
  7446. # none
  7447.  
  7448. #  TAG: icap_retry
  7449. #       This ACL determines which retriable ICAP transactions are
  7450. #       retried. Transactions that received a complete ICAP response
  7451. #       and did not have to consume or produce HTTP bodies to receive
  7452. #       that response are usually retriable.
  7453. #
  7454. #       icap_retry allow|deny [!]aclname ...
  7455. #
  7456. #       Squid automatically retries some ICAP I/O timeouts and errors
  7457. #       due to persistent connection race conditions.
  7458. #
  7459. #       See also: icap_retry_limit
  7460. #Default:
  7461. # icap_retry deny all
  7462.  
  7463. #  TAG: icap_retry_limit
  7464. #       Limits the number of retries allowed.
  7465. #
  7466. #       Communication errors due to persistent connection race
  7467. #       conditions are unavoidable, automatically retried, and do not
  7468. #       count against this limit.
  7469. #
  7470. #       See also: icap_retry
  7471. #Default:
  7472. # No retries are allowed.
  7473.  
  7474. # DNS OPTIONS
  7475. # -----------------------------------------------------------------------------
  7476.  
  7477. #  TAG: check_hostnames
  7478. #       For security and stability reasons Squid can check
  7479. #       hostnames for Internet standard RFC compliance. If you want
  7480. #       Squid to perform these checks turn this directive on.
  7481. #Default:
  7482. # check_hostnames off
  7483.  
  7484. #  TAG: allow_underscore
  7485. #       Underscore characters is not strictly allowed in Internet hostnames
  7486. #       but nevertheless used by many sites. Set this to off if you want
  7487. #       Squid to be strict about the standard.
  7488. #       This check is performed only when check_hostnames is set to on.
  7489. #Default:
  7490. # allow_underscore on
  7491.  
  7492. #  TAG: dns_retransmit_interval
  7493. #       Initial retransmit interval for DNS queries. The interval is
  7494. #       doubled each time all configured DNS servers have been tried.
  7495. #Default:
  7496. # dns_retransmit_interval 5 seconds
  7497.  
  7498. #  TAG: dns_timeout
  7499. #       DNS Query timeout. If no response is received to a DNS query
  7500. #       within this time all DNS servers for the queried domain
  7501. #       are assumed to be unavailable.
  7502. #Default:
  7503. # dns_timeout 30 seconds
  7504.  
  7505. #  TAG: dns_packet_max
  7506. #       Maximum number of bytes packet size to advertise via EDNS.
  7507. #       Set to "none" to disable EDNS large packet support.
  7508. #      
  7509. #       For legacy reasons DNS UDP replies will default to 512 bytes which
  7510. #       is too small for many responses. EDNS provides a means for Squid to
  7511. #       negotiate receiving larger responses back immediately without having
  7512. #       to failover with repeat requests. Responses larger than this limit
  7513. #       will retain the old behaviour of failover to TCP DNS.
  7514. #      
  7515. #       Squid has no real fixed limit internally, but allowing packet sizes
  7516. #       over 1500 bytes requires network jumbogram support and is usually not
  7517. #       necessary.
  7518. #      
  7519. #       WARNING: The RFC also indicates that some older resolvers will reply
  7520. #       with failure of the whole request if the extension is added. Some
  7521. #       resolvers have already been identified which will reply with mangled
  7522. #       EDNS response on occasion. Usually in response to many-KB jumbogram
  7523. #       sizes being advertised by Squid.
  7524. #       Squid will currently treat these both as an unable-to-resolve domain
  7525. #       even if it would be resolvable without EDNS.
  7526. #Default:
  7527. # EDNS disabled
  7528.  
  7529. #  TAG: dns_defnames    on|off
  7530. #       Normally the RES_DEFNAMES resolver option is disabled
  7531. #       (see res_init(3)).  This prevents caches in a hierarchy
  7532. #       from interpreting single-component hostnames locally.  To allow
  7533. #       Squid to handle single-component names, enable this option.
  7534. #Default:
  7535. # Search for single-label domain names is disabled.
  7536.  
  7537. #  TAG: dns_multicast_local     on|off
  7538. #       When set to on, Squid sends multicast DNS lookups on the local
  7539. #       network for domains ending in .local and .arpa.
  7540. #       This enables local servers and devices to be contacted in an
  7541. #       ad-hoc or zero-configuration network environment.
  7542. #Default:
  7543. # Search for .local and .arpa names is disabled.
  7544.  
  7545. #  TAG: dns_nameservers
  7546. #       Use this if you want to specify a list of DNS name servers
  7547. #       (IP addresses) to use instead of those given in your
  7548. #       /etc/resolv.conf file.
  7549. #
  7550. #       On Windows platforms, if no value is specified here or in
  7551. #       the /etc/resolv.conf file, the list of DNS name servers are
  7552. #       taken from the Windows registry, both static and dynamic DHCP
  7553. #       configurations are supported.
  7554. #
  7555. #       Example: dns_nameservers 10.0.0.1 192.172.0.4
  7556. #Default:
  7557. # Use operating system definitions
  7558.  
  7559. #  TAG: hosts_file
  7560. #       Location of the host-local IP name-address associations
  7561. #       database. Most Operating Systems have such a file on different
  7562. #       default locations:
  7563. #       - Un*X & Linux:    /etc/hosts
  7564. #       - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
  7565. #                          (%SystemRoot% value install default is c:\winnt)
  7566. #       - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
  7567. #                          (%SystemRoot% value install default is c:\windows)
  7568. #       - Windows 9x/Me:   %windir%\hosts
  7569. #                          (%windir% value is usually c:\windows)
  7570. #       - Cygwin:          /etc/hosts
  7571. #
  7572. #       The file contains newline-separated definitions, in the
  7573. #       form ip_address_in_dotted_form name [name ...] names are
  7574. #       whitespace-separated. Lines beginning with an hash (#)
  7575. #       character are comments.
  7576. #
  7577. #       The file is checked at startup and upon configuration.
  7578. #       If set to 'none', it won't be checked.
  7579. #       If append_domain is used, that domain will be added to
  7580. #       domain-local (i.e. not containing any dot character) host
  7581. #       definitions.
  7582. #Default:
  7583. # hosts_file /etc/hosts
  7584.  
  7585. #  TAG: append_domain
  7586. #       Appends local domain name to hostnames without any dots in
  7587. #       them.  append_domain must begin with a period.
  7588. #
  7589. #       Be warned there are now Internet names with no dots in
  7590. #       them using only top-domain names, so setting this may
  7591. #       cause some Internet sites to become unavailable.
  7592. #
  7593. #Example:
  7594. # append_domain .yourdomain.com
  7595. #Default:
  7596. # Use operating system definitions
  7597.  
  7598. #  TAG: ignore_unknown_nameservers
  7599. #       By default Squid checks that DNS responses are received
  7600. #       from the same IP addresses they are sent to.  If they
  7601. #       don't match, Squid ignores the response and writes a warning
  7602. #       message to cache.log.  You can allow responses from unknown
  7603. #       nameservers by setting this option to 'off'.
  7604. #Default:
  7605. # ignore_unknown_nameservers on
  7606.  
  7607. #  TAG: dns_v4_first
  7608. #       With the IPv6 Internet being as fast or faster than IPv4 Internet
  7609. #       for most networks Squid prefers to contact websites over IPv6.
  7610. #
  7611. #       This option reverses the order of preference to make Squid contact
  7612. #       dual-stack websites over IPv4 first. Squid will still perform both
  7613. #       IPv6 and IPv4 DNS lookups before connecting.
  7614. #
  7615. #       WARNING:
  7616. #         This option will restrict the situations under which IPv6
  7617. #         connectivity is used (and tested), potentially hiding network
  7618. #         problems which would otherwise be detected and warned about.
  7619. #Default:
  7620. # dns_v4_first off
  7621.  
  7622. #  TAG: ipcache_size    (number of entries)
  7623. #       Maximum number of DNS IP cache entries.
  7624. #Default:
  7625. # ipcache_size 1024
  7626.  
  7627. #  TAG: ipcache_low     (percent)
  7628. #Default:
  7629. # ipcache_low 90
  7630.  
  7631. #  TAG: ipcache_high    (percent)
  7632. #       The size, low-, and high-water marks for the IP cache.
  7633. #Default:
  7634. # ipcache_high 95
  7635.  
  7636. #  TAG: fqdncache_size  (number of entries)
  7637. #       Maximum number of FQDN cache entries.
  7638. #Default:
  7639. # fqdncache_size 1024
  7640.  
  7641. # MISCELLANEOUS
  7642. # -----------------------------------------------------------------------------
  7643.  
  7644. #  TAG: configuration_includes_quoted_values    on|off
  7645. #       If set, Squid will recognize each "quoted string" after a configuration
  7646. #       directive as a single parameter. The quotes are stripped before the
  7647. #       parameter value is interpreted or used.
  7648. #       See "Values with spaces, quotes, and other special characters"
  7649. #       section for more details.
  7650. #Default:
  7651. # configuration_includes_quoted_values off
  7652.  
  7653. #  TAG: memory_pools    on|off
  7654. #       If set, Squid will keep pools of allocated (but unused) memory
  7655. #       available for future use.  If memory is a premium on your
  7656. #       system and you believe your malloc library outperforms Squid
  7657. #       routines, disable this.
  7658. #Default:
  7659. # memory_pools on
  7660.  
  7661. #  TAG: memory_pools_limit      (bytes)
  7662. #       Used only with memory_pools on:
  7663. #       memory_pools_limit 50 MB
  7664. #
  7665. #       If set to a non-zero value, Squid will keep at most the specified
  7666. #       limit of allocated (but unused) memory in memory pools. All free()
  7667. #       requests that exceed this limit will be handled by your malloc
  7668. #       library. Squid does not pre-allocate any memory, just safe-keeps
  7669. #       objects that otherwise would be free()d. Thus, it is safe to set
  7670. #       memory_pools_limit to a reasonably high value even if your
  7671. #       configuration will use less memory.
  7672. #
  7673. #       If set to none, Squid will keep all memory it can. That is, there
  7674. #       will be no limit on the total amount of memory used for safe-keeping.
  7675. #
  7676. #       To disable memory allocation optimization, do not set
  7677. #       memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
  7678. #
  7679. #       An overhead for maintaining memory pools is not taken into account
  7680. #       when the limit is checked. This overhead is close to four bytes per
  7681. #       object kept. However, pools may actually _save_ memory because of
  7682. #       reduced memory thrashing in your malloc library.
  7683. #Default:
  7684. # memory_pools_limit 5 MB
  7685.  
  7686. #  TAG: forwarded_for   on|off|transparent|truncate|delete
  7687. #       If set to "on", Squid will append your client's IP address
  7688. #       in the HTTP requests it forwards. By default it looks like:
  7689. #
  7690. #               X-Forwarded-For: 192.1.2.3
  7691. #
  7692. #       If set to "off", it will appear as
  7693. #
  7694. #               X-Forwarded-For: unknown
  7695. #
  7696. #       If set to "transparent", Squid will not alter the
  7697. #       X-Forwarded-For header in any way.
  7698. #
  7699. #       If set to "delete", Squid will delete the entire
  7700. #       X-Forwarded-For header.
  7701. #
  7702. #       If set to "truncate", Squid will remove all existing
  7703. #       X-Forwarded-For entries, and place the client IP as the sole entry.
  7704. #Default:
  7705. # forwarded_for on
  7706.  
  7707. #  TAG: cachemgr_passwd
  7708. #       Specify passwords for cachemgr operations.
  7709. #
  7710. #       Usage: cachemgr_passwd password action action ...
  7711. #
  7712. #       Some valid actions are (see cache manager menu for a full list):
  7713. #               5min
  7714. #               60min
  7715. #               asndb
  7716. #               authenticator
  7717. #               cbdata
  7718. #               client_list
  7719. #               comm_incoming
  7720. #               config *
  7721. #               counters
  7722. #               delay
  7723. #               digest_stats
  7724. #               dns
  7725. #               events
  7726. #               filedescriptors
  7727. #               fqdncache
  7728. #               histograms
  7729. #               http_headers
  7730. #               info
  7731. #               io
  7732. #               ipcache
  7733. #               mem
  7734. #               menu
  7735. #               netdb
  7736. #               non_peers
  7737. #               objects
  7738. #               offline_toggle *
  7739. #               pconn
  7740. #               peer_select
  7741. #               reconfigure *
  7742. #               redirector
  7743. #               refresh
  7744. #               server_list
  7745. #               shutdown *
  7746. #               store_digest
  7747. #               storedir
  7748. #               utilization
  7749. #               via_headers
  7750. #               vm_objects
  7751. #
  7752. #       * Indicates actions which will not be performed without a
  7753. #         valid password, others can be performed if not listed here.
  7754. #
  7755. #       To disable an action, set the password to "disable".
  7756. #       To allow performing an action without a password, set the
  7757. #       password to "none".
  7758. #
  7759. #       Use the keyword "all" to set the same password for all actions.
  7760. #
  7761. #Example:
  7762. # cachemgr_passwd secret shutdown
  7763. # cachemgr_passwd lesssssssecret info stats/objects
  7764. # cachemgr_passwd disable all
  7765. #Default:
  7766. # No password. Actions which require password are denied.
  7767.  
  7768. #  TAG: client_db       on|off
  7769. #       If you want to disable collecting per-client statistics,
  7770. #       turn off client_db here.
  7771. #Default:
  7772. # client_db on
  7773.  
  7774. #  TAG: refresh_all_ims on|off
  7775. #       When you enable this option, squid will always check
  7776. #       the origin server for an update when a client sends an
  7777. #       If-Modified-Since request.  Many browsers use IMS
  7778. #       requests when the user requests a reload, and this
  7779. #       ensures those clients receive the latest version.
  7780. #
  7781. #       By default (off), squid may return a Not Modified response
  7782. #       based on the age of the cached version.
  7783. #Default:
  7784. # refresh_all_ims off
  7785.  
  7786. #  TAG: reload_into_ims on|off
  7787. #       When you enable this option, client no-cache or ``reload''
  7788. #       requests will be changed to If-Modified-Since requests.
  7789. #       Doing this VIOLATES the HTTP standard.  Enabling this
  7790. #       feature could make you liable for problems which it
  7791. #       causes.
  7792. #
  7793. #       see also refresh_pattern for a more selective approach.
  7794. #Default:
  7795. # reload_into_ims off
  7796.  
  7797. #  TAG: connect_retries
  7798. #       This sets the maximum number of connection attempts made for each
  7799. #       TCP connection. The connect_retries attempts must all still
  7800. #       complete within the connection timeout period.
  7801. #
  7802. #       The default is not to re-try if the first connection attempt fails.
  7803. #       The (not recommended) maximum is 10 tries.
  7804. #
  7805. #       A warning message will be generated if it is set to a too-high
  7806. #       value and the configured value will be over-ridden.
  7807. #
  7808. #       Note: These re-tries are in addition to forward_max_tries
  7809. #       which limit how many different addresses may be tried to find
  7810. #       a useful server.
  7811. #Default:
  7812. # Do not retry failed connections.
  7813.  
  7814. #  TAG: retry_on_error
  7815. #       If set to ON Squid will automatically retry requests when
  7816. #       receiving an error response with status 403 (Forbidden),
  7817. #       500 (Internal Error), 501 or 503 (Service not available).
  7818. #       Status 502 and 504 (Gateway errors) are always retried.
  7819. #      
  7820. #       This is mainly useful if you are in a complex cache hierarchy to
  7821. #       work around access control errors.
  7822. #      
  7823. #       NOTE: This retry will attempt to find another working destination.
  7824. #       Which is different from the server which just failed.
  7825. #Default:
  7826. # retry_on_error off
  7827.  
  7828. #  TAG: as_whois_server
  7829. #       WHOIS server to query for AS numbers.  NOTE: AS numbers are
  7830. #       queried only when Squid starts up, not for every request.
  7831. #Default:
  7832. # as_whois_server whois.ra.net
  7833.  
  7834. #  TAG: offline_mode
  7835. #       Enable this option and Squid will never try to validate cached
  7836. #       objects.
  7837. #Default:
  7838. # offline_mode off
  7839.  
  7840. #  TAG: uri_whitespace
  7841. #       What to do with requests that have whitespace characters in the
  7842. #       URI.  Options:
  7843. #
  7844. #       strip:  The whitespace characters are stripped out of the URL.
  7845. #               This is the behavior recommended by RFC2396 and RFC3986
  7846. #               for tolerant handling of generic URI.
  7847. #               NOTE: This is one difference between generic URI and HTTP URLs.
  7848. #
  7849. #       deny:   The request is denied.  The user receives an "Invalid
  7850. #               Request" message.
  7851. #               This is the behaviour recommended by RFC2616 for safe
  7852. #               handling of HTTP request URL.
  7853. #
  7854. #       allow:  The request is allowed and the URI is not changed.  The
  7855. #               whitespace characters remain in the URI.  Note the
  7856. #               whitespace is passed to redirector processes if they
  7857. #               are in use.
  7858. #               Note this may be considered a violation of RFC2616
  7859. #               request parsing where whitespace is prohibited in the
  7860. #               URL field.
  7861. #
  7862. #       encode: The request is allowed and the whitespace characters are
  7863. #               encoded according to RFC1738.
  7864. #
  7865. #       chop:   The request is allowed and the URI is chopped at the
  7866. #               first whitespace.
  7867. #
  7868. #
  7869. #       NOTE the current Squid implementation of encode and chop violates
  7870. #       RFC2616 by not using a 301 redirect after altering the URL.
  7871. #Default:
  7872. # uri_whitespace strip
  7873.  
  7874. #  TAG: chroot
  7875. #       Specifies a directory where Squid should do a chroot() while
  7876. #       initializing.  This also causes Squid to fully drop root
  7877. #       privileges after initializing.  This means, for example, if you
  7878. #       use a HTTP port less than 1024 and try to reconfigure, you may
  7879. #       get an error saying that Squid can not open the port.
  7880. #Default:
  7881. # none
  7882.  
  7883. #  TAG: balance_on_multiple_ip
  7884. #       Modern IP resolvers in squid sort lookup results by preferred access.
  7885. #       By default squid will use these IP in order and only rotates to
  7886. #       the next listed when the most preffered fails.
  7887. #
  7888. #       Some load balancing servers based on round robin DNS have been
  7889. #       found not to preserve user session state across requests
  7890. #       to different IP addresses.
  7891. #
  7892. #       Enabling this directive Squid rotates IP's per request.
  7893. #Default:
  7894. # balance_on_multiple_ip off
  7895.  
  7896. #  TAG: pipeline_prefetch
  7897. #       HTTP clients may send a pipeline of 1+N requests to Squid using a
  7898. #       single connection, without waiting for Squid to respond to the first
  7899. #       of those requests. This option limits the number of concurrent
  7900. #       requests Squid will try to handle in parallel. If set to N, Squid
  7901. #       will try to receive and process up to 1+N requests on the same
  7902. #       connection concurrently.
  7903. #
  7904. #       Defaults to 0 (off) for bandwidth management and access logging
  7905. #       reasons.
  7906. #
  7907. #       NOTE: pipelining requires persistent connections to clients.
  7908. #
  7909. #       WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
  7910. #Default:
  7911. # Do not pre-parse pipelined requests.
  7912.  
  7913. #  TAG: high_response_time_warning      (msec)
  7914. #       If the one-minute median response time exceeds this value,
  7915. #       Squid prints a WARNING with debug level 0 to get the
  7916. #       administrators attention.  The value is in milliseconds.
  7917. #Default:
  7918. # disabled.
  7919.  
  7920. #  TAG: high_page_fault_warning
  7921. #       If the one-minute average page fault rate exceeds this
  7922. #       value, Squid prints a WARNING with debug level 0 to get
  7923. #       the administrators attention.  The value is in page faults
  7924. #       per second.
  7925. #Default:
  7926. # disabled.
  7927.  
  7928. #  TAG: high_memory_warning
  7929. # Note: This option is only available if Squid is rebuilt with the
  7930. #       GNU Malloc with mstats()
  7931. #
  7932. #       If the memory usage (as determined by gnumalloc, if available and used)
  7933. #       exceeds this amount, Squid prints a WARNING with debug level 0 to get
  7934. #       the administrators attention.
  7935. #Default:
  7936. # disabled.
  7937.  
  7938. #  TAG: sleep_after_fork        (microseconds)
  7939. #       When this is set to a non-zero value, the main Squid process
  7940. #       sleeps the specified number of microseconds after a fork()
  7941. #       system call. This sleep may help the situation where your
  7942. #       system reports fork() failures due to lack of (virtual)
  7943. #       memory. Note, however, if you have a lot of child
  7944. #       processes, these sleep delays will add up and your
  7945. #       Squid will not service requests for some amount of time
  7946. #       until all the child processes have been started.
  7947. #       On Windows value less then 1000 (1 milliseconds) are
  7948. #       rounded to 1000.
  7949. #Default:
  7950. # sleep_after_fork 0
  7951.  
  7952. #  TAG: windows_ipaddrchangemonitor     on|off
  7953. # Note: This option is only available if Squid is rebuilt with the
  7954. #       MS Windows
  7955. #
  7956. #       On Windows Squid by default will monitor IP address changes and will
  7957. #       reconfigure itself after any detected event. This is very useful for
  7958. #       proxies connected to internet with dial-up interfaces.
  7959. #       In some cases (a Proxy server acting as VPN gateway is one) it could be
  7960. #       desiderable to disable this behaviour setting this to 'off'.
  7961. #       Note: after changing this, Squid service must be restarted.
  7962. #Default:
  7963. # windows_ipaddrchangemonitor on
  7964.  
  7965. #  TAG: eui_lookup
  7966. #       Whether to lookup the EUI or MAC address of a connected client.
  7967. #Default:
  7968. # eui_lookup on
  7969.  
  7970. #  TAG: max_filedescriptors
  7971. #       Reduce the maximum number of filedescriptors supported below
  7972. #       the usual operating system defaults.
  7973. #
  7974. #       Remove from squid.conf to inherit the current ulimit setting.
  7975. #
  7976. #       Note: Changing this requires a restart of Squid. Also
  7977. #       not all I/O types supports large values (eg on Windows).
  7978. #Default:
  7979. # Use operating system limits set by ulimit.
  7980.  
  7981.