| blob | d177a046c98c9956520cfedbdf998e5a3284d55c |
1 # WELCOME TO SQUID 3.1.20
2 # ----------------------------
3 #
4 # This is the documentation for the Squid configuration file.
5 # This documentation can also be found online at:
6 # http://www.squid-cache.org/Doc/config/
7 #
8 # You may wish to look at the Squid home page and wiki for the
9 # FAQ and other documentation:
10 # http://www.squid-cache.org/
11 # http://wiki.squid-cache.org/SquidFaq
12 # http://wiki.squid-cache.org/ConfigExamples
13 #
14 # This documentation shows what the defaults for various directives
15 # happen to be. If you don't need to change the default, you should
16 # leave the line out of your squid.conf in most cases.
17 #
18 # In some cases "none" refers to no default setting at all,
19 # while in other cases it refers to the value of the option
20 # - the comments for that keyword indicate if this is the case.
21 #
23 # Configuration options can be included using the "include" directive.
24 # Include takes a list of files to include. Quoting and wildcards are
25 # supported.
26 #
27 # For example,
28 #
29 # include /path/to/included/file/squid.acl.config
30 #
31 # Includes can be nested up to a hard-coded depth of 16 levels.
32 # This arbitrary restriction is to prevent recursive include references
33 # from causing Squid entering an infinite loop whilst trying to load
34 # configuration files.
36 # TAG: dns_testnames
37 # Remove this line. DNS is no longer tested on startup.
38 #Default:
39 # none
41 # TAG: extension_methods
42 # Remove this line. All valid methods for HTTP are accepted by default.
43 #Default:
44 # none
46 # TAG: incoming_rate
47 #Default:
48 # none
50 # TAG: server_http11
51 # Remove this line. HTTP/1.1 is supported by default.
52 #Default:
53 # none
55 # TAG: upgrade_http0.9
56 # Remove this line. ICY/1.0 streaming protocol is supported by default.
57 #Default:
58 # none
60 # TAG: zph_local
61 # Alter these entries. Use the qos_flows directive instead.
62 #Default:
63 # none
65 # TAG: header_access
66 # Since squid-3.0 replace with request_header_access or reply_header_access
67 # depending on whether you wish to match client requests or server replies.
68 #Default:
69 # none
71 # TAG: httpd_accel_no_pmtu_disc
72 # Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
73 #Default:
74 # none
76 # OPTIONS FOR AUTHENTICATION
77 # -----------------------------------------------------------------------------
79 # TAG: auth_param
80 # This is used to define parameters for the various authentication
81 # schemes supported by Squid.
82 #
83 # format: auth_param scheme parameter [setting]
84 #
85 # The order in which authentication schemes are presented to the client is
86 # dependent on the order the scheme first appears in config file. IE
87 # has a bug (it's not RFC 2617 compliant) in that it will use the basic
88 # scheme if basic is the first entry presented, even if more secure
89 # schemes are presented. For now use the order in the recommended
90 # settings section below. If other browsers have difficulties (don't
91 # recognize the schemes offered even if you are using basic) either
92 # put basic first, or disable the other schemes (by commenting out their
93 # program entry).
94 #
95 # Once an authentication scheme is fully configured, it can only be
96 # shutdown by shutting squid down and restarting. Changes can be made on
97 # the fly and activated with a reconfigure. I.E. You can change to a
98 # different helper, but not unconfigure the helper completely.
99 #
100 # Please note that while this directive defines how Squid processes
101 # authentication it does not automatically activate authentication.
102 # To use authentication you must in addition make use of ACLs based
103 # on login name in http_access (proxy_auth, proxy_auth_regex or
104 # external with %LOGIN used in the format tag). The browser will be
105 # challenged for authentication on the first such acl encountered
106 # in http_access processing and will also be re-challenged for new
107 # login credentials if the request is being denied by a proxy_auth
108 # type acl.
109 #
110 # WARNING: authentication can't be used in a transparently intercepting
111 # proxy as the client then thinks it is talking to an origin server and
112 # not the proxy. This is a limitation of bending the TCP/IP protocol to
113 # transparently intercepting port 80, not a limitation in Squid.
114 # Ports flagged 'transparent', 'intercept', or 'tproxy' have
115 # authentication disabled.
116 #
117 # === Parameters for the basic scheme follow. ===
118 #
119 # "program" cmdline
120 # Specify the command for the external authenticator. Such a program
121 # reads a line containing "username password" and replies "OK" or
122 # "ERR" in an endless loop. "ERR" responses may optionally be followed
123 # by a error description available as %m in the returned error page.
124 # If you use an authenticator, make sure you have 1 acl of type
125 # proxy_auth.
126 #
127 # By default, the basic authentication scheme is not used unless a
128 # program is specified.
129 #
130 # If you want to use the traditional NCSA proxy authentication, set
131 # this line to something like
132 #
133 # auth_param basic program /usr/lib/squid3/ncsa_auth /usr/etc/passwd
134 #
135 # "utf8" on|off
136 # HTTP uses iso-latin-1 as characterset, while some authentication
137 # backends such as LDAP expects UTF-8. If this is set to on Squid will
138 # translate the HTTP iso-latin-1 charset to UTF-8 before sending the
139 # username & password to the helper.
140 #
141 # "children" numberofchildren
142 # The number of authenticator processes to spawn. If you start too few
143 # Squid will have to wait for them to process a backlog of credential
144 # verifications, slowing it down. When password verifications are
145 # done via a (slow) network you are likely to need lots of
146 # authenticator processes.
147 # auth_param basic children 5
148 #
149 # "concurrency" concurrency
150 # The number of concurrent requests the helper can process.
151 # The default of 0 is used for helpers who only supports
152 # one request at a time. Setting this changes the protocol used to
153 # include a channel number first on the request/response line, allowing
154 # multiple requests to be sent to the same helper in parallell without
155 # wating for the response.
156 # Must not be set unless it's known the helper supports this.
157 # auth_param basic concurrency 0
158 #
159 # "realm" realmstring
160 # Specifies the realm name which is to be reported to the
161 # client for the basic proxy authentication scheme (part of
162 # the text the user will see when prompted their username and
163 # password). There is no default.
164 # auth_param basic realm Squid proxy-caching web server
165 #
166 # "credentialsttl" timetolive
167 # Specifies how long squid assumes an externally validated
168 # username:password pair is valid for - in other words how
169 # often the helper program is called for that user. Set this
170 # low to force revalidation with short lived passwords. Note
171 # setting this high does not impact your susceptibility
172 # to replay attacks unless you are using an one-time password
173 # system (such as SecureID). If you are using such a system,
174 # you will be vulnerable to replay attacks unless you also
175 # use the max_user_ip ACL in an http_access rule.
176 #
177 # "casesensitive" on|off
178 # Specifies if usernames are case sensitive. Most user databases are
179 # case insensitive allowing the same username to be spelled using both
180 # lower and upper case letters, but some are case sensitive. This
181 # makes a big difference for user_max_ip ACL processing and similar.
182 # auth_param basic casesensitive off
183 #
184 # === Parameters for the digest scheme follow ===
185 #
186 # "program" cmdline
187 # Specify the command for the external authenticator. Such
188 # a program reads a line containing "username":"realm" and
189 # replies with the appropriate H(A1) value hex encoded or
190 # ERR if the user (or his H(A1) hash) does not exists.
191 # See rfc 2616 for the definition of H(A1).
192 # "ERR" responses may optionally be followed by a error description
193 # available as %m in the returned error page.
194 #
195 # By default, the digest authentication scheme is not used unless a
196 # program is specified.
197 #
198 # If you want to use a digest authenticator, set this line to
199 # something like
200 #
201 # auth_param digest program /usr/lib/squid3/digest_pw_auth /usr/etc/digpass
202 #
203 # "utf8" on|off
204 # HTTP uses iso-latin-1 as characterset, while some authentication
205 # backends such as LDAP expects UTF-8. If this is set to on Squid will
206 # translate the HTTP iso-latin-1 charset to UTF-8 before sending the
207 # username & password to the helper.
208 #
209 # "children" numberofchildren
210 # The number of authenticator processes to spawn (no default).
211 # If you start too few Squid will have to wait for them to
212 # process a backlog of H(A1) calculations, slowing it down.
213 # When the H(A1) calculations are done via a (slow) network
214 # you are likely to need lots of authenticator processes.
215 # auth_param digest children 5
216 #
217 # "realm" realmstring
218 # Specifies the realm name which is to be reported to the
219 # client for the digest proxy authentication scheme (part of
220 # the text the user will see when prompted their username and
221 # password). There is no default.
222 # auth_param digest realm Squid proxy-caching web server
223 #
224 # "nonce_garbage_interval" timeinterval
225 # Specifies the interval that nonces that have been issued
226 # to client_agent's are checked for validity.
227 #
228 # "nonce_max_duration" timeinterval
229 # Specifies the maximum length of time a given nonce will be
230 # valid for.
231 #
232 # "nonce_max_count" number
233 # Specifies the maximum number of times a given nonce can be
234 # used.
235 #
236 # "nonce_strictness" on|off
237 # Determines if squid requires strict increment-by-1 behavior
238 # for nonce counts, or just incrementing (off - for use when
239 # useragents generate nonce counts that occasionally miss 1
240 # (ie, 1,2,4,6)). Default off.
241 #
242 # "check_nonce_count" on|off
243 # This directive if set to off can disable the nonce count check
244 # completely to work around buggy digest qop implementations in
245 # certain mainstream browser versions. Default on to check the
246 # nonce count to protect from authentication replay attacks.
247 #
248 # "post_workaround" on|off
249 # This is a workaround to certain buggy browsers who sends
250 # an incorrect request digest in POST requests when reusing
251 # the same nonce as acquired earlier on a GET request.
252 #
253 # === NTLM scheme options follow ===
254 #
255 # "program" cmdline
256 # Specify the command for the external NTLM authenticator.
257 # Such a program reads exchanged NTLMSSP packets with
258 # the browser via Squid until authentication is completed.
259 # If you use an NTLM authenticator, make sure you have 1 acl
260 # of type proxy_auth. By default, the NTLM authenticator_program
261 # is not used.
262 #
263 # auth_param ntlm program /usr/lib/squid3/ntlm_auth
264 #
265 # "children" numberofchildren
266 # The number of authenticator processes to spawn (no default).
267 # If you start too few Squid will have to wait for them to
268 # process a backlog of credential verifications, slowing it
269 # down. When credential verifications are done via a (slow)
270 # network you are likely to need lots of authenticator
271 # processes.
272 #
273 # auth_param ntlm children 5
274 #
275 # "keep_alive" on|off
276 # Whether to keep the connection open after the initial response where
277 # Squid tells the browser which schemes are supported by the proxy.
278 # Some browsers are known to present many login popups or to corrupt
279 # POST/PUT requests transfer if the connection is not closed.
280 # The default is currently OFF to avoid this, but may change.
281 #
282 # auth_param ntlm keep_alive on
283 #
284 # === Options for configuring the NEGOTIATE auth-scheme follow ===
285 #
286 # "program" cmdline
287 # Specify the command for the external Negotiate authenticator.
288 # This protocol is used in Microsoft Active-Directory enabled setups with
289 # the Microsoft Internet Explorer or Mozilla Firefox browsers.
290 # Its main purpose is to exchange credentials with the Squid proxy
291 # using the Kerberos mechanisms.
292 # If you use a Negotiate authenticator, make sure you have at least
293 # one acl of type proxy_auth active. By default, the negotiate
294 # authenticator_program is not used.
295 # The only supported program for this role is the ntlm_auth
296 # program distributed as part of Samba, version 4 or later.
297 #
298 # auth_param negotiate program /usr/lib/squid3/ntlm_auth --helper-protocol=gss-spnego
299 #
300 # "children" numberofchildren
301 # The number of authenticator processes to spawn (no default).
302 # If you start too few Squid will have to wait for them to
303 # process a backlog of credential verifications, slowing it
304 # down. When crendential verifications are done via a (slow)
305 # network you are likely to need lots of authenticator
306 # processes.
307 # auth_param negotiate children 5
308 #
309 # "keep_alive" on|off
310 # Whether to keep the connection open after the initial response where
311 # Squid tells the browser which schemes are supported by the proxy.
312 # Some browsers are known to present many login popups or to corrupt
313 # POST/PUT requests transfer if the connection is not closed.
314 # The default is currently OFF to avoid this, but may change.
315 #
316 # auth_param negotiate keep_alive on
317 #
318 #
319 # Examples:
320 #
321 ##Recommended minimum configuration per scheme:
322 ##auth_param negotiate program <uncomment and complete this line to activate>
323 ##auth_param negotiate children 5
324 ##auth_param negotiate keep_alive on
325 ##
326 ##auth_param ntlm program <uncomment and complete this line to activate>
327 ##auth_param ntlm children 5
328 ##auth_param ntlm keep_alive on
329 ##
330 ##auth_param digest program <uncomment and complete this line>
331 ##auth_param digest children 5
332 ##auth_param digest realm Squid proxy-caching web server
333 ##auth_param digest nonce_garbage_interval 5 minutes
334 ##auth_param digest nonce_max_duration 30 minutes
335 ##auth_param digest nonce_max_count 50
336 ##
337 ##auth_param basic program <uncomment and complete this line>
338 ##auth_param basic children 5
339 ##auth_param basic realm Squid proxy-caching web server
340 ##auth_param basic credentialsttl 2 hours
341 #Default:
342 # none
344 # TAG: authenticate_cache_garbage_interval
345 # The time period between garbage collection across the username cache.
346 # This is a tradeoff between memory utilization (long intervals - say
347 # 2 days) and CPU (short intervals - say 1 minute). Only change if you
348 # have good reason to.
349 #Default:
350 # authenticate_cache_garbage_interval 1 hour
352 # TAG: authenticate_ttl
353 # The time a user & their credentials stay in the logged in
354 # user cache since their last request. When the garbage
355 # interval passes, all user credentials that have passed their
356 # TTL are removed from memory.
357 #Default:
358 # authenticate_ttl 1 hour
360 # TAG: authenticate_ip_ttl
361 # If you use proxy authentication and the 'max_user_ip' ACL,
362 # this directive controls how long Squid remembers the IP
363 # addresses associated with each user. Use a small value
364 # (e.g., 60 seconds) if your users might change addresses
365 # quickly, as is the case with dialups. You might be safe
366 # using a larger value (e.g., 2 hours) in a corporate LAN
367 # environment with relatively static address assignments.
368 #Default:
369 # authenticate_ip_ttl 0 seconds
371 # ACCESS CONTROLS
372 # -----------------------------------------------------------------------------
374 # TAG: external_acl_type
375 # This option defines external acl classes using a helper program
376 # to look up the status
377 #
378 # external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
379 #
380 # Options:
381 #
382 # ttl=n TTL in seconds for cached results (defaults to 3600
383 # for 1 hour)
384 # negative_ttl=n
385 # TTL for cached negative lookups (default same
386 # as ttl)
387 # children=n Number of acl helper processes spawn to service
388 # external acl lookups of this type. (default 5)
389 # concurrency=n concurrency level per process. Only used with helpers
390 # capable of processing more than one query at a time.
391 # cache=n result cache size, 0 is unbounded (default)
392 # grace=n Percentage remaining of TTL where a refresh of a
393 # cached entry should be initiated without needing to
394 # wait for a new reply. (default 0 for no grace period)
395 # protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
396 # ipv4 / ipv6 IP protocol used to communicate with this helper.
397 # The default is to auto-detect IPv6 and use it when available.
398 #
399 # FORMAT specifications
400 #
401 # %LOGIN Authenticated user login name
402 # %EXT_USER Username from external acl
403 # %IDENT Ident user name
404 # %SRC Client IP
405 # %SRCPORT Client source port
406 # %URI Requested URI
407 # %DST Requested host
408 # %PROTO Requested protocol
409 # %PORT Requested port
410 # %PATH Requested URL path
411 # %METHOD Request method
412 # %MYADDR Squid interface address
413 # %MYPORT Squid http_port number
414 # %PATH Requested URL-path (including query-string if any)
415 # %USER_CERT SSL User certificate in PEM format
416 # %USER_CERTCHAIN SSL User certificate chain in PEM format
417 # %USER_CERT_xx SSL User certificate subject attribute xx
418 # %USER_CA_xx SSL User certificate issuer attribute xx
419 #
420 # %>{Header} HTTP request header "Header"
421 # %>{Hdr:member}
422 # HTTP request header "Hdr" list member "member"
423 # %>{Hdr:;member}
424 # HTTP request header list member using ; as
425 # list separator. ; can be any non-alphanumeric
426 # character.
427 #
428 # %<{Header} HTTP reply header "Header"
429 # %<{Hdr:member}
430 # HTTP reply header "Hdr" list member "member"
431 # %<{Hdr:;member}
432 # HTTP reply header list member using ; as
433 # list separator. ; can be any non-alphanumeric
434 # character.
435 #
436 # %% The percent sign. Useful for helpers which need
437 # an unchanging input format.
438 #
439 # In addition to the above, any string specified in the referencing
440 # acl will also be included in the helper request line, after the
441 # specified formats (see the "acl external" directive)
442 #
443 # The helper receives lines per the above format specification,
444 # and returns lines starting with OK or ERR indicating the validity
445 # of the request and optionally followed by additional keywords with
446 # more details.
447 #
448 # General result syntax:
449 #
450 # OK/ERR keyword=value ...
451 #
452 # Defined keywords:
453 #
454 # user= The users name (login)
455 # password= The users password (for login= cache_peer option)
456 # message= Message describing the reason. Available as %o
457 # in error pages
458 # tag= Apply a tag to a request (for both ERR and OK results)
459 # Only sets a tag, does not alter existing tags.
460 # log= String to be logged in access.log. Available as
461 # %ea in logformat specifications
462 #
463 # If protocol=3.0 (the default) then URL escaping is used to protect
464 # each value in both requests and responses.
465 #
466 # If using protocol=2.5 then all values need to be enclosed in quotes
467 # if they may contain whitespace, or the whitespace escaped using \.
468 # And quotes or \ characters within the keyword value must be \ escaped.
469 #
470 # When using the concurrency= option the protocol is changed by
471 # introducing a query channel tag infront of the request/response.
472 # The query channel tag is a number between 0 and concurrency-1.
473 #Default:
474 # none
476 # TAG: acl
477 # Defining an Access List
478 #
479 # Every access list definition must begin with an aclname and acltype,
480 # followed by either type-specific arguments or a quoted filename that
481 # they are read from.
482 #
483 # acl aclname acltype argument ...
484 # acl aclname acltype "file" ...
485 #
486 # When using "file", the file should contain one item per line.
487 #
488 # By default, regular expressions are CASE-SENSITIVE.
489 # To make them case-insensitive, use the -i option. To return case-sensitive
490 # use the +i option between patterns, or make a new ACL line without -i.
491 #
492 # Some acl types require suspending the current request in order
493 # to access some external data source.
494 # Those which do are marked with the tag [slow], those which
495 # don't are marked as [fast].
496 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl
497 # for further information
498 #
499 # ***** ACL TYPES AVAILABLE *****
500 #
501 # acl aclname src ip-address/netmask ... # clients IP address [fast]
502 # acl aclname src addr1-addr2/netmask ... # range of addresses [fast]
503 # acl aclname dst ip-address/netmask ... # URL host's IP address [slow]
504 # acl aclname myip ip-address/netmask ... # local socket IP address [fast]
505 #
506 # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
507 # # The arp ACL requires the special configure option --enable-arp-acl.
508 # # Furthermore, the ARP ACL code is not portable to all operating systems.
509 # # It works on Linux, Solaris, Windows, FreeBSD, and some
510 # # other *BSD variants.
511 # # [fast]
512 # #
513 # # NOTE: Squid can only determine the MAC address for clients that are on
514 # # the same subnet. If the client is on a different subnet,
515 # # then Squid cannot find out its MAC address.
516 #
517 # acl aclname srcdomain .foo.com ...
518 # # reverse lookup, from client IP [slow]
519 # acl aclname dstdomain .foo.com ...
520 # # Destination server from URL [fast]
521 # acl aclname srcdom_regex [-i] \.foo\.com ...
522 # # regex matching client name [slow]
523 # acl aclname dstdom_regex [-i] \.foo\.com ...
524 # # regex matching server [fast]
525 # #
526 # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
527 # # based URL is used and no match is found. The name "none" is used
528 # # if the reverse lookup fails.
529 #
530 # acl aclname src_as number ...
531 # acl aclname dst_as number ...
532 # # [fast]
533 # # Except for access control, AS numbers can be used for
534 # # routing of requests to specific caches. Here's an
535 # # example for routing all requests for AS#1241 and only
536 # # those to mycache.mydomain.net:
537 # # acl asexample dst_as 1241
538 # # cache_peer_access mycache.mydomain.net allow asexample
539 # # cache_peer_access mycache_mydomain.net deny all
540 #
541 # acl aclname peername myPeer ...
542 # # [fast]
543 # # match against a named cache_peer entry
544 # # set unique name= on cache_peer lines for reliable use.
545 #
546 # acl aclname time [day-abbrevs] [h1:m1-h2:m2]
547 # # [fast]
548 # # day-abbrevs:
549 # # S - Sunday
550 # # M - Monday
551 # # T - Tuesday
552 # # W - Wednesday
553 # # H - Thursday
554 # # F - Friday
555 # # A - Saturday
556 # # h1:m1 must be less than h2:m2
557 #
558 # acl aclname url_regex [-i] ^http:// ...
559 # # regex matching on whole URL [fast]
560 # acl aclname urlpath_regex [-i] \.gif$ ...
561 # # regex matching on URL path [fast]
562 #
563 # acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
564 # # ranges are alloed
565 # acl aclname myport 3128 ... # local socket TCP port [fast]
566 # acl aclname myportname 3128 ... # http(s)_port name [fast]
567 #
568 # acl aclname proto HTTP FTP ... # request protocol [fast]
569 #
570 # acl aclname method GET POST ... # HTTP request method [fast]
571 #
572 # acl aclname http_status 200 301 500- 400-403 ...
573 # # status code in reply [fast]
574 #
575 # acl aclname browser [-i] regexp ...
576 # # pattern match on User-Agent header (see also req_header below) [fast]
577 #
578 # acl aclname referer_regex [-i] regexp ...
579 # # pattern match on Referer header [fast]
580 # # Referer is highly unreliable, so use with care
581 #
582 # acl aclname ident username ...
583 # acl aclname ident_regex [-i] pattern ...
584 # # string match on ident output [slow]
585 # # use REQUIRED to accept any non-null ident.
586 #
587 # acl aclname proxy_auth [-i] username ...
588 # acl aclname proxy_auth_regex [-i] pattern ...
589 # # perform http authentication challenge to the client and match against
590 # # supplied credentials [slow]
591 # #
592 # # takes a list of allowed usernames.
593 # # use REQUIRED to accept any valid username.
594 # #
595 # # Will use proxy authentication in forward-proxy scenarios, and plain
596 # # http authenticaiton in reverse-proxy scenarios
597 # #
598 # # NOTE: when a Proxy-Authentication header is sent but it is not
599 # # needed during ACL checking the username is NOT logged
600 # # in access.log.
601 # #
602 # # NOTE: proxy_auth requires a EXTERNAL authentication program
603 # # to check username/password combinations (see
604 # # auth_param directive).
605 # #
606 # # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
607 # # as the browser needs to be configured for using a proxy in order
608 # # to respond to proxy authentication.
609 #
610 # acl aclname snmp_community string ...
611 # # A community string to limit access to your SNMP Agent [fast]
612 # # Example:
613 # #
614 # # acl snmppublic snmp_community public
615 #
616 # acl aclname maxconn number
617 # # This will be matched when the client's IP address has
618 # # more than <number> TCP connections established. [fast]
619 # # NOTE: This only measures direct TCP links so X-Forwarded-For
620 # # indirect clients are not counted.
621 #
622 # acl aclname max_user_ip [-s] number
623 # # This will be matched when the user attempts to log in from more
624 # # than <number> different ip addresses. The authenticate_ip_ttl
625 # # parameter controls the timeout on the ip entries. [fast]
626 # # If -s is specified the limit is strict, denying browsing
627 # # from any further IP addresses until the ttl has expired. Without
628 # # -s Squid will just annoy the user by "randomly" denying requests.
629 # # (the counter is reset each time the limit is reached and a
630 # # request is denied)
631 # # NOTE: in acceleration mode or where there is mesh of child proxies,
632 # # clients may appear to come from multiple addresses if they are
633 # # going through proxy farms, so a limit of 1 may cause user problems.
634 #
635 # acl aclname req_mime_type [-i] mime-type ...
636 # # regex match against the mime type of the request generated
637 # # by the client. Can be used to detect file upload or some
638 # # types HTTP tunneling requests [fast]
639 # # NOTE: This does NOT match the reply. You cannot use this
640 # # to match the returned file type.
641 #
642 # acl aclname req_header header-name [-i] any\.regex\.here
643 # # regex match against any of the known request headers. May be
644 # # thought of as a superset of "browser", "referer" and "mime-type"
645 # # ACL [fast]
646 #
647 # acl aclname rep_mime_type [-i] mime-type ...
648 # # regex match against the mime type of the reply received by
649 # # squid. Can be used to detect file download or some
650 # # types HTTP tunneling requests. [fast]
651 # # NOTE: This has no effect in http_access rules. It only has
652 # # effect in rules that affect the reply data stream such as
653 # # http_reply_access.
654 #
655 # acl aclname rep_header header-name [-i] any\.regex\.here
656 # # regex match against any of the known reply headers. May be
657 # # thought of as a superset of "browser", "referer" and "mime-type"
658 # # ACLs [fast]
659 #
660 # acl aclname external class_name [arguments...]
661 # # external ACL lookup via a helper class defined by the
662 # # external_acl_type directive [slow]
663 #
664 # acl aclname user_cert attribute values...
665 # # match against attributes in a user SSL certificate
666 # # attribute is one of DN/C/O/CN/L/ST [fast]
667 #
668 # acl aclname ca_cert attribute values...
669 # # match against attributes a users issuing CA SSL certificate
670 # # attribute is one of DN/C/O/CN/L/ST [fast]
671 #
672 # acl aclname ext_user username ...
673 # acl aclname ext_user_regex [-i] pattern ...
674 # # string match on username returned by external acl helper [slow]
675 # # use REQUIRED to accept any non-null user name.
676 #
677 # acl aclname tag tagvalue ...
678 # # string match on tag returned by external acl helper [slow]
679 #
680 # Examples:
681 # acl macaddress arp 09:00:2b:23:45:67
682 # acl myexample dst_as 1241
683 # acl password proxy_auth REQUIRED
684 # acl fileupload req_mime_type -i ^multipart/form-data$
685 # acl javascript rep_mime_type -i ^application/x-javascript$
686 #
687 #Default:
688 # acl all src all
689 #
690 #
691 # Recommended minimum configuration:
692 #
693 acl manager proto cache_object
694 acl localhost src 127.0.0.1/32 ::1
695 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
697 # Example rule allowing access from your local networks.
698 # Adapt to list your (internal) IP networks from where browsing
699 # should be allowed
700 #acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
701 acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
702 #acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
703 #acl localnet src fc00::/7 # RFC 4193 local private network range
704 #acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
706 acl SSL_ports port 443
707 acl Safe_ports port 80 # http
708 acl Safe_ports port 21 # ftp
709 acl Safe_ports port 443 # https
710 acl Safe_ports port 70 # gopher
711 acl Safe_ports port 210 # wais
712 acl Safe_ports port 1025-65535 # unregistered ports
713 acl Safe_ports port 280 # http-mgmt
714 acl Safe_ports port 488 # gss-http
715 acl Safe_ports port 591 # filemaker
716 acl Safe_ports port 777 # multiling http
717 acl CONNECT method CONNECT
719 # TAG: follow_x_forwarded_for
720 # Allowing or Denying the X-Forwarded-For header to be followed to
721 # find the original source of a request.
722 #
723 # Requests may pass through a chain of several other proxies
724 # before reaching us. The X-Forwarded-For header will contain a
725 # comma-separated list of the IP addresses in the chain, with the
726 # rightmost address being the most recent.
727 #
728 # If a request reaches us from a source that is allowed by this
729 # configuration item, then we consult the X-Forwarded-For header
730 # to see where that host received the request from. If the
731 # X-Forwarded-For header contains multiple addresses, we continue
732 # backtracking until we reach an address for which we are not allowed
733 # to follow the X-Forwarded-For header, or until we reach the first
734 # address in the list. For the purpose of ACL used in the
735 # follow_x_forwarded_for directive the src ACL type always matches
736 # the address we are testing and srcdomain matches its rDNS.
737 #
738 # The end result of this process is an IP address that we will
739 # refer to as the indirect client address. This address may
740 # be treated as the client address for access control, ICAP, delay
741 # pools and logging, depending on the acl_uses_indirect_client,
742 # icap_uses_indirect_client, delay_pool_uses_indirect_client and
743 # log_uses_indirect_client options.
744 #
745 # This clause only supports fast acl types.
746 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
747 #
748 # SECURITY CONSIDERATIONS:
749 #
750 # Any host for which we follow the X-Forwarded-For header
751 # can place incorrect information in the header, and Squid
752 # will use the incorrect information as if it were the
753 # source address of the request. This may enable remote
754 # hosts to bypass any access control restrictions that are
755 # based on the client's source addresses.
756 #
757 # For example:
758 #
759 # acl localhost src 127.0.0.1
760 # acl my_other_proxy srcdomain .proxy.example.com
761 # follow_x_forwarded_for allow localhost
762 # follow_x_forwarded_for allow my_other_proxy
763 #Default:
764 # follow_x_forwarded_for deny all
766 # TAG: acl_uses_indirect_client on|off
767 # Controls whether the indirect client address
768 # (see follow_x_forwarded_for) is used instead of the
769 # direct client address in acl matching.
770 #
771 # NOTE: maxconn ACL considers direct TCP links and indirect
772 # clients will always have zero. So no match.
773 #Default:
774 # acl_uses_indirect_client on
776 # TAG: delay_pool_uses_indirect_client on|off
777 # Controls whether the indirect client address
778 # (see follow_x_forwarded_for) is used instead of the
779 # direct client address in delay pools.
780 #Default:
781 # delay_pool_uses_indirect_client on
783 # TAG: log_uses_indirect_client on|off
784 # Controls whether the indirect client address
785 # (see follow_x_forwarded_for) is used instead of the
786 # direct client address in the access log.
787 #Default:
788 # log_uses_indirect_client on
790 # TAG: http_access
791 # Allowing or Denying access based on defined access lists
792 #
793 # Access to the HTTP port:
794 # http_access allow|deny [!]aclname ...
795 #
796 # NOTE on default values:
797 #
798 # If there are no "access" lines present, the default is to deny
799 # the request.
800 #
801 # If none of the "access" lines cause a match, the default is the
802 # opposite of the last line in the list. If the last line was
803 # deny, the default is allow. Conversely, if the last line
804 # is allow, the default will be deny. For these reasons, it is a
805 # good idea to have an "deny all" entry at the end of your access
806 # lists to avoid potential confusion.
807 #
808 # This clause supports both fast and slow acl types.
809 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
810 #
811 #Default:
812 # http_access deny all
813 #
815 #
816 # Recommended minimum Access Permission configuration:
817 #
818 # Only allow cachemgr access from localhost
819 http_access allow manager localhost
820 http_access deny manager
822 # Deny requests to certain unsafe ports
823 http_access deny !Safe_ports
825 # Deny CONNECT to other than secure SSL ports
826 http_access allow CONNECT !SSL_ports
828 # We strongly recommend the following be uncommented to protect innocent
829 # web applications running on the proxy server who think the only
830 # one who can access services on "localhost" is a local user
831 #http_access deny to_localhost
833 #
834 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
835 #
837 # Example rule allowing access from your local networks.
838 # Adapt localnet in the ACL section to list your (internal) IP networks
839 # from where browsing should be allowed
840 #http_access allow localnet
841 http_access allow localhost
843 # And finally deny all other access to this proxy
844 http_access allow all
846 # TAG: adapted_http_access
847 # Allowing or Denying access based on defined access lists
848 #
849 # Essentially identical to http_access, but runs after redirectors
850 # and ICAP/eCAP adaptation. Allowing access control based on their
851 # output.
852 #
853 # If not set then only http_access is used.
854 #Default:
855 # none
857 # TAG: http_reply_access
858 # Allow replies to client requests. This is complementary to http_access.
859 #
860 # http_reply_access allow|deny [!] aclname ...
861 #
862 # NOTE: if there are no access lines present, the default is to allow
863 # all replies
864 #
865 # If none of the access lines cause a match the opposite of the
866 # last line will apply. Thus it is good practice to end the rules
867 # with an "allow all" or "deny all" entry.
868 #
869 # This clause supports both fast and slow acl types.
870 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
871 #Default:
872 # none
874 # TAG: icp_access
875 # Allowing or Denying access to the ICP port based on defined
876 # access lists
877 #
878 # icp_access allow|deny [!]aclname ...
879 #
880 # See http_access for details
881 #
882 # This clause only supports fast acl types.
883 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
884 #
885 ## Allow ICP queries from local networks only
886 ##icp_access allow localnet
887 ##icp_access deny all
888 #Default:
889 # icp_access deny all
891 # TAG: htcp_access
892 # Allowing or Denying access to the HTCP port based on defined
893 # access lists
894 #
895 # htcp_access allow|deny [!]aclname ...
896 #
897 # See http_access for details
898 #
899 # NOTE: The default if no htcp_access lines are present is to
900 # deny all traffic. This default may cause problems with peers
901 # using the htcp or htcp-oldsquid options.
902 #
903 # This clause only supports fast acl types.
904 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
905 #
906 ## Allow HTCP queries from local networks only
907 htcp_access allow localnet
908 ##htcp_access deny all
909 #Default:
910 # htcp_access deny all
912 # TAG: htcp_clr_access
913 # Allowing or Denying access to purge content using HTCP based
914 # on defined access lists
915 #
916 # htcp_clr_access allow|deny [!]aclname ...
917 #
918 # See http_access for details
919 #
920 # This clause only supports fast acl types.
921 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
922 #
923 ## Allow HTCP CLR requests from trusted peers
924 #acl htcp_clr_peer src 172.16.1.2
925 #htcp_clr_access allow htcp_clr_peer
926 #Default:
927 # htcp_clr_access deny all
929 # TAG: miss_access
930 # Determins whether network access is permitted when satisfying a request.
931 #
932 # For example;
933 # to force your neighbors to use you as a sibling instead of
934 # a parent.
935 #
936 # acl localclients src 172.16.0.0/16
937 # miss_access allow localclients
938 # miss_access deny !localclients
939 #
940 # This means only your local clients are allowed to fetch relayed/MISS
941 # replies from the network and all other clients can only fetch cached
942 # objects (HITs).
943 #
944 #
945 # The default for this setting allows all clients who passed the
946 # http_access rules to relay via this proxy.
947 #
948 # This clause only supports fast acl types.
949 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
950 #Default:
951 # miss_access allow all
953 # TAG: ident_lookup_access
954 # A list of ACL elements which, if matched, cause an ident
955 # (RFC 931) lookup to be performed for this request. For
956 # example, you might choose to always perform ident lookups
957 # for your main multi-user Unix boxes, but not for your Macs
958 # and PCs. By default, ident lookups are not performed for
959 # any requests.
960 #
961 # To enable ident lookups for specific client addresses, you
962 # can follow this example:
963 #
964 # acl ident_aware_hosts src 198.168.1.0/24
965 # ident_lookup_access allow ident_aware_hosts
966 # ident_lookup_access deny all
967 #
968 # Only src type ACL checks are fully supported. A srcdomain
969 # ACL might work at times, but it will not always provide
970 # the correct result.
971 #
972 # This clause only supports fast acl types.
973 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
974 #Default:
975 # ident_lookup_access deny all
977 # TAG: reply_body_max_size size [acl acl...]
978 # This option specifies the maximum size of a reply body. It can be
979 # used to prevent users from downloading very large files, such as
980 # MP3's and movies. When the reply headers are received, the
981 # reply_body_max_size lines are processed, and the first line where
982 # all (if any) listed ACLs are true is used as the maximum body size
983 # for this reply.
984 #
985 # This size is checked twice. First when we get the reply headers,
986 # we check the content-length value. If the content length value exists
987 # and is larger than the allowed size, the request is denied and the
988 # user receives an error message that says "the request or reply
989 # is too large." If there is no content-length, and the reply
990 # size exceeds this limit, the client's connection is just closed
991 # and they will receive a partial reply.
992 #
993 # WARNING: downstream caches probably can not detect a partial reply
994 # if there is no content-length header, so they will cache
995 # partial responses and give them out as hits. You should NOT
996 # use this option if you have downstream caches.
997 #
998 # WARNING: A maximum size smaller than the size of squid's error messages
999 # will cause an infinite loop and crash squid. Ensure that the smallest
1000 # non-zero value you use is greater that the maximum header size plus
1001 # the size of your largest error page.
1002 #
1003 # If you set this parameter none (the default), there will be
1004 # no limit imposed.
1005 #
1006 # Configuration Format is:
1007 # reply_body_max_size SIZE UNITS [acl ...]
1008 # ie.
1009 # reply_body_max_size 10 MB
1010 #
1011 #Default:
1012 # none
1014 # NETWORK OPTIONS
1015 # -----------------------------------------------------------------------------
1017 # TAG: http_port
1018 # Usage: port [options]
1019 # hostname:port [options]
1020 # 1.2.3.4:port [options]
1021 #
1022 # The socket addresses where Squid will listen for HTTP client
1023 # requests. You may specify multiple socket addresses.
1024 # There are three forms: port alone, hostname with port, and
1025 # IP address with port. If you specify a hostname or IP
1026 # address, Squid binds the socket to that specific
1027 # address. This replaces the old 'tcp_incoming_address'
1028 # option. Most likely, you do not need to bind to a specific
1029 # address, so you can use the port number alone.
1030 #
1031 # If you are running Squid in accelerator mode, you
1032 # probably want to listen on port 80 also, or instead.
1033 #
1034 # The -a command line option may be used to specify additional
1035 # port(s) where Squid listens for proxy request. Such ports will
1036 # be plain proxy ports with no options.
1037 #
1038 # You may specify multiple socket addresses on multiple lines.
1039 #
1040 # Options:
1041 #
1042 # intercept Support for IP-Layer interception of
1043 # outgoing requests without browser settings.
1044 # NP: disables authentication and IPv6 on the port.
1045 #
1046 # tproxy Support Linux TPROXY for spoofing outgoing
1047 # connections using the client IP address.
1048 # NP: disables authentication and maybe IPv6 on the port.
1049 #
1050 # accel Accelerator mode. Also needs at least one of
1051 # vhost / vport / defaultsite.
1052 #
1053 # allow-direct Allow direct forwarding in accelerator mode. Normally
1054 # accelerated requests are denied direct forwarding as if
1055 # never_direct was used.
1056 #
1057 # defaultsite=domainname
1058 # What to use for the Host: header if it is not present
1059 # in a request. Determines what site (not origin server)
1060 # accelerators should consider the default.
1061 # Implies accel.
1062 #
1063 # vhost Accelerator mode using Host header for virtual domain support.
1064 # Also uses the port as specified in Host: header unless
1065 # overridden by the vport option. Implies accel.
1066 #
1067 # vport Virtual host port support. Using the http_port number
1068 # instead of the port passed on Host: headers. Implies accel.
1069 #
1070 # vport=NN Virtual host port support. Using the specified port
1071 # number instead of the port passed on Host: headers.
1072 # Implies accel.
1073 #
1074 # protocol= Protocol to reconstruct accelerated requests with.
1075 # Defaults to http.
1076 #
1077 # ignore-cc Ignore request Cache-Control headers.
1078 #
1079 # Warning: This option violates HTTP specifications if
1080 # used in non-accelerator setups.
1081 #
1082 # connection-auth[=on|off]
1083 # use connection-auth=off to tell Squid to prevent
1084 # forwarding Microsoft connection oriented authentication
1085 # (NTLM, Negotiate and Kerberos)
1086 #
1087 # disable-pmtu-discovery=
1088 # Control Path-MTU discovery usage:
1089 # off lets OS decide on what to do (default).
1090 # transparent disable PMTU discovery when transparent
1091 # support is enabled.
1092 # always disable always PMTU discovery.
1093 #
1094 # In many setups of transparently intercepting proxies
1095 # Path-MTU discovery can not work on traffic towards the
1096 # clients. This is the case when the intercepting device
1097 # does not fully track connections and fails to forward
1098 # ICMP must fragment messages to the cache server. If you
1099 # have such setup and experience that certain clients
1100 # sporadically hang or never complete requests set
1101 # disable-pmtu-discovery option to 'transparent'.
1102 #
1103 # ssl-bump Intercept each CONNECT request matching ssl_bump ACL,
1104 # establish secure connection with the client and with
1105 # the server, decrypt HTTP messages as they pass through
1106 # Squid, and treat them as unencrypted HTTP messages,
1107 # becoming the man-in-the-middle.
1108 #
1109 # When this option is enabled, additional options become
1110 # available to specify SSL-related properties of the
1111 # client-side connection: cert, key, version, cipher,
1112 # options, clientca, cafile, capath, crlfile, dhparams,
1113 # sslflags, and sslcontext. See the https_port directive
1114 # for more information on these options.
1115 #
1116 # The ssl_bump option is required to fully enable
1117 # the SslBump feature.
1118 #
1119 # name= Specifies a internal name for the port. Defaults to
1120 # the port specification (port or addr:port)
1121 #
1122 # tcpkeepalive[=idle,interval,timeout]
1123 # Enable TCP keepalive probes of idle connections.
1124 # In seconds; idle is the initial time before TCP starts
1125 # probing the connection, interval how often to probe, and
1126 # timeout the time before giving up.
1127 #
1128 # If you run Squid on a dual-homed machine with an internal
1129 # and an external interface we recommend you to specify the
1130 # internal address:port in http_port. This way Squid will only be
1131 # visible on the internal address.
1132 #
1133 #
1135 # Squid normally listens to port 3128
1136 http_port 10128
1138 # TAG: https_port
1139 # Note: This option is only available if Squid is rebuilt with the
1140 # --enable-ssl option
1141 #
1142 # Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
1143 #
1144 # The socket address where Squid will listen for HTTPS client
1145 # requests.
1146 #
1147 # This is really only useful for situations where you are running
1148 # squid in accelerator mode and you want to do the SSL work at the
1149 # accelerator level.
1150 #
1151 # You may specify multiple socket addresses on multiple lines,
1152 # each with their own SSL certificate and/or options.
1153 #
1154 # Options:
1155 #
1156 # accel Accelerator mode. Also needs at least one of
1157 # defaultsite or vhost.
1158 #
1159 # defaultsite= The name of the https site presented on
1160 # this port. Implies accel.
1161 #
1162 # vhost Accelerator mode using Host header for virtual
1163 # domain support. Requires a wildcard certificate
1164 # or other certificate valid for more than one domain.
1165 # Implies accel.
1166 #
1167 # protocol= Protocol to reconstruct accelerated requests with.
1168 # Defaults to https.
1169 #
1170 # cert= Path to SSL certificate (PEM format).
1171 #
1172 # key= Path to SSL private key file (PEM format)
1173 # if not specified, the certificate file is
1174 # assumed to be a combined certificate and
1175 # key file.
1176 #
1177 # version= The version of SSL/TLS supported
1178 # 1 automatic (default)
1179 # 2 SSLv2 only
1180 # 3 SSLv3 only
1181 # 4 TLSv1 only
1182 #
1183 # cipher= Colon separated list of supported ciphers.
1184 # NOTE: some ciphers such as EDH ciphers depend on
1185 # additional settings. If those settings are
1186 # omitted the ciphers may be silently ignored
1187 # by the OpenSSL library.
1188 #
1189 # options= Various SSL engine options. The most important
1190 # being:
1191 # NO_SSLv2 Disallow the use of SSLv2
1192 # NO_SSLv3 Disallow the use of SSLv3
1193 # NO_TLSv1 Disallow the use of TLSv1
1194 # SINGLE_DH_USE Always create a new key when using
1195 # temporary/ephemeral DH key exchanges
1196 # See OpenSSL SSL_CTX_set_options documentation for a
1197 # complete list of options.
1198 #
1199 # clientca= File containing the list of CAs to use when
1200 # requesting a client certificate.
1201 #
1202 # cafile= File containing additional CA certificates to
1203 # use when verifying client certificates. If unset
1204 # clientca will be used.
1205 #
1206 # capath= Directory containing additional CA certificates
1207 # and CRL lists to use when verifying client certificates.
1208 #
1209 # crlfile= File of additional CRL lists to use when verifying
1210 # the client certificate, in addition to CRLs stored in
1211 # the capath. Implies VERIFY_CRL flag below.
1212 #
1213 # dhparams= File containing DH parameters for temporary/ephemeral
1214 # DH key exchanges. See OpenSSL documentation for details
1215 # on how to create this file.
1216 # WARNING: EDH ciphers will be silently disabled if this
1217 # option is not set.
1218 #
1219 # sslflags= Various flags modifying the use of SSL:
1220 # DELAYED_AUTH
1221 # Don't request client certificates
1222 # immediately, but wait until acl processing
1223 # requires a certificate (not yet implemented).
1224 # NO_DEFAULT_CA
1225 # Don't use the default CA lists built in
1226 # to OpenSSL.
1227 # NO_SESSION_REUSE
1228 # Don't allow for session reuse. Each connection
1229 # will result in a new SSL session.
1230 # VERIFY_CRL
1231 # Verify CRL lists when accepting client
1232 # certificates.
1233 # VERIFY_CRL_ALL
1234 # Verify CRL lists for all certificates in the
1235 # client certificate chain.
1236 #
1237 # sslcontext= SSL session ID context identifier.
1238 #
1239 # generate-host-certificates[=<on|off>]
1240 # Dynamically create SSL server certificates for the
1241 # destination hosts of bumped CONNECT requests.When
1242 # enabled, the cert and key options are used to sign
1243 # generated certificates. Otherwise generated
1244 # certificate will be selfsigned.
1245 # If there is CA certificate life time of generated
1246 # certificate equals lifetime of CA certificate. If
1247 # generated certificate is selfsigned lifetime is three
1248 # years.
1249 # This option is enabled by default when SslBump is used.
1250 # See the sslBump option above for more information.
1251 #
1252 # dynamic_cert_mem_cache_size=SIZE
1253 # Approximate total RAM size spent on cached generated
1254 # certificates. If set to zero, caching is disabled. The
1255 # default value is 4MB. An average XXX-bit certificate
1256 # consumes about XXX bytes of RAM.
1257 #
1258 # vport Accelerator with IP based virtual host support.
1259 #
1260 # vport=NN As above, but uses specified port number rather
1261 # than the https_port number. Implies accel.
1262 #
1263 # name= Specifies a internal name for the port. Defaults to
1264 # the port specification (port or addr:port)
1265 #
1266 #Default:
1267 # none
1269 # TAG: tcp_outgoing_tos
1270 # Allows you to select a TOS/Diffserv value to mark outgoing
1271 # connections with, based on the username or source address
1272 # making the request.
1273 #
1274 # tcp_outgoing_tos ds-field [!]aclname ...
1275 #
1276 # Example where normal_service_net uses the TOS value 0x00
1277 # and good_service_net uses 0x20
1278 #
1279 # acl normal_service_net src 10.0.0.0/24
1280 # acl good_service_net src 10.0.1.0/24
1281 # tcp_outgoing_tos 0x00 normal_service_net
1282 # tcp_outgoing_tos 0x20 good_service_net
1283 #
1284 # TOS/DSCP values really only have local significance - so you should
1285 # know what you're specifying. For more information, see RFC2474,
1286 # RFC2475, and RFC3260.
1287 #
1288 # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
1289 # "default" to use whatever default your host has. Note that in
1290 # practice often only multiples of 4 is usable as the two rightmost bits
1291 # have been redefined for use by ECN (RFC 3168 section 23.1).
1292 #
1293 # Processing proceeds in the order specified, and stops at first fully
1294 # matching line.
1295 #
1296 # Note: The use of this directive using client dependent ACLs is
1297 # incompatible with the use of server side persistent connections. To
1298 # ensure correct results it is best to set server_persistent_connections
1299 # to off when using this directive in such configurations.
1300 #Default:
1301 # none
1303 # TAG: clientside_tos
1304 # Allows you to select a TOS/Diffserv value to mark client-side
1305 # connections with, based on the username or source address
1306 # making the request.
1307 #Default:
1308 # none
1310 # TAG: qos_flows
1311 # Allows you to select a TOS/DSCP value to mark outgoing
1312 # connections with, based on where the reply was sourced.
1313 #
1314 # TOS values really only have local significance - so you should
1315 # know what you're specifying. For more information, see RFC2474,
1316 # RFC2475, and RFC3260.
1317 #
1318 # The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF.
1319 # Note that in practice often only values up to 0x3F are usable
1320 # as the two highest bits have been redefined for use by ECN
1321 # (RFC3168).
1322 #
1323 # This setting is configured by setting the source TOS values:
1324 #
1325 # local-hit=0xFF Value to mark local cache hits.
1326 #
1327 # sibling-hit=0xFF Value to mark hits from sibling peers.
1328 #
1329 # parent-hit=0xFF Value to mark hits from parent peers.
1330 #
1331 #
1332 # NOTE: 'miss' preserve feature is only possible on Linux at this time.
1333 #
1334 # For the following to work correctly, you will need to patch your
1335 # linux kernel with the TOS preserving ZPH patch.
1336 # The kernel patch can be downloaded from http://zph.bratcheda.org
1337 #
1338 # disable-preserve-miss
1339 # By default, the existing TOS value of the response coming
1340 # from the remote server will be retained and masked with
1341 # miss-mark. This option disables that feature.
1342 #
1343 # miss-mask=0xFF
1344 # Allows you to mask certain bits in the TOS received from the
1345 # remote server, before copying the value to the TOS sent
1346 # towards clients.
1347 # Default: 0xFF (TOS from server is not changed).
1348 #
1349 #Default:
1350 # none
1352 # TAG: tcp_outgoing_address
1353 # Allows you to map requests to different outgoing IP addresses
1354 # based on the username or source address of the user making
1355 # the request.
1356 #
1357 # tcp_outgoing_address ipaddr [[!]aclname] ...
1358 #
1359 # Example where requests from 10.0.0.0/24 will be forwarded
1360 # with source address 10.1.0.1, 10.0.2.0/24 forwarded with
1361 # source address 10.1.0.2 and the rest will be forwarded with
1362 # source address 10.1.0.3.
1363 #
1364 # acl normal_service_net src 10.0.0.0/24
1365 # acl good_service_net src 10.0.2.0/24
1366 # tcp_outgoing_address 10.1.0.1 normal_service_net
1367 # tcp_outgoing_address 10.1.0.2 good_service_net
1368 # tcp_outgoing_address 10.1.0.3
1369 #
1370 # Processing proceeds in the order specified, and stops at first fully
1371 # matching line.
1372 #
1373 # Note: The use of this directive using client dependent ACLs is
1374 # incompatible with the use of server side persistent connections. To
1375 # ensure correct results it is best to set server_persistent_connections
1376 # to off when using this directive in such configurations.
1377 #
1378 #
1379 # IPv6 Magic:
1380 #
1381 # Squid is built with a capability of bridging the IPv4 and IPv6
1382 # internets.
1383 # tcp_outgoing_address as exampled above breaks this bridging by forcing
1384 # all outbound traffic through a certain IPv4 which may be on the wrong
1385 # side of the IPv4/IPv6 boundary.
1386 #
1387 # To operate with tcp_outgoing_address and keep the bridging benefits
1388 # an additional ACL needs to be used which ensures the IPv6-bound traffic
1389 # is never forced or permitted out the IPv4 interface.
1390 #
1391 # # IPv6 destination test along with a dummy access control to perform the required DNS
1392 # # This MUST be place before any ALLOW rules.
1393 # acl to_ipv6 dst ipv6
1394 # http_access deny ipv6 !all
1395 #
1396 # tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6
1397 # tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
1398 #
1399 # tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6
1400 # tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
1401 #
1402 # tcp_outgoing_address 2001:db8::1 to_ipv6
1403 # tcp_outgoing_address 10.1.0.3 !to_ipv6
1404 #
1405 # WARNING:
1406 # 'dst ipv6' bases its selection assuming DIRECT access.
1407 # If peers are used the peername ACL are needed to select outgoing
1408 # address which can link to the peer.
1409 #
1410 # 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used
1411 # previously in the http_access rules to locate the destination IP.
1412 # Some more magic may be needed for that:
1413 # http_access allow to_ipv6 !all
1414 # (meaning, allow if to IPv6 but not from anywhere ;)
1415 #
1416 #Default:
1417 # none
1419 # SSL OPTIONS
1420 # -----------------------------------------------------------------------------
1422 # TAG: ssl_unclean_shutdown
1423 # Note: This option is only available if Squid is rebuilt with the
1424 # --enable-ssl option
1425 #
1426 # Some browsers (especially MSIE) bugs out on SSL shutdown
1427 # messages.
1428 #Default:
1429 # ssl_unclean_shutdown off
1431 # TAG: ssl_engine
1432 # Note: This option is only available if Squid is rebuilt with the
1433 # --enable-ssl option
1434 #
1435 # The OpenSSL engine to use. You will need to set this if you
1436 # would like to use hardware SSL acceleration for example.
1437 #Default:
1438 # none
1440 # TAG: sslproxy_client_certificate
1441 # Note: This option is only available if Squid is rebuilt with the
1442 # --enable-ssl option
1443 #
1444 # Client SSL Certificate to use when proxying https:// URLs
1445 #Default:
1446 # none
1448 # TAG: sslproxy_client_key
1449 # Note: This option is only available if Squid is rebuilt with the
1450 # --enable-ssl option
1451 #
1452 # Client SSL Key to use when proxying https:// URLs
1453 #Default:
1454 # none
1456 # TAG: sslproxy_version
1457 # Note: This option is only available if Squid is rebuilt with the
1458 # --enable-ssl option
1459 #
1460 # SSL version level to use when proxying https:// URLs
1461 #Default:
1462 # sslproxy_version 1
1464 # TAG: sslproxy_options
1465 # Note: This option is only available if Squid is rebuilt with the
1466 # --enable-ssl option
1467 #
1468 # SSL engine options to use when proxying https:// URLs
1469 #
1470 # The most important being:
1471 #
1472 # NO_SSLv2 Disallow the use of SSLv2
1473 # NO_SSLv3 Disallow the use of SSLv3
1474 # NO_TLSv1 Disallow the use of TLSv1
1475 # SINGLE_DH_USE
1476 # Always create a new key when using
1477 # temporary/ephemeral DH key exchanges
1478 #
1479 # These options vary depending on your SSL engine.
1480 # See the OpenSSL SSL_CTX_set_options documentation for a
1481 # complete list of possible options.
1482 #Default:
1483 # none
1485 # TAG: sslproxy_cipher
1486 # Note: This option is only available if Squid is rebuilt with the
1487 # --enable-ssl option
1488 #
1489 # SSL cipher list to use when proxying https:// URLs
1490 #
1491 # Colon separated list of supported ciphers.
1492 #Default:
1493 # none
1495 # TAG: sslproxy_cafile
1496 # Note: This option is only available if Squid is rebuilt with the
1497 # --enable-ssl option
1498 #
1499 # file containing CA certificates to use when verifying server
1500 # certificates while proxying https:// URLs
1501 #Default:
1502 # none
1504 # TAG: sslproxy_capath
1505 # Note: This option is only available if Squid is rebuilt with the
1506 # --enable-ssl option
1507 #
1508 # directory containing CA certificates to use when verifying
1509 # server certificates while proxying https:// URLs
1510 #Default:
1511 # none
1513 # TAG: ssl_bump
1514 # Note: This option is only available if Squid is rebuilt with the
1515 # --enable-ssl option
1516 #
1517 # This ACL controls which CONNECT requests to an http_port
1518 # marked with an sslBump flag are actually "bumped". Please
1519 # see the sslBump flag of an http_port option for more details
1520 # about decoding proxied SSL connections.
1521 #
1522 # By default, no requests are bumped.
1523 #
1524 # See also: http_port ssl-bump
1525 #
1526 # This clause supports both fast and slow acl types.
1527 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1528 #
1529 #
1530 # # Example: Bump all requests except those originating from localhost and
1531 # # those going to webax.com or example.com sites.
1532 #
1533 # acl localhost src 127.0.0.1/32
1534 # acl broken_sites dstdomain .webax.com
1535 # acl broken_sites dstdomain .example.com
1536 # ssl_bump deny localhost
1537 # ssl_bump deny broken_sites
1538 # ssl_bump allow all
1539 #Default:
1540 # none
1542 # TAG: sslproxy_flags
1543 # Note: This option is only available if Squid is rebuilt with the
1544 # --enable-ssl option
1545 #
1546 # Various flags modifying the use of SSL while proxying https:// URLs:
1547 # DONT_VERIFY_PEER Accept certificates that fail verification.
1548 # For refined control, see sslproxy_cert_error.
1549 # NO_DEFAULT_CA Don't use the default CA list built in
1550 # to OpenSSL.
1551 #Default:
1552 # none
1554 # TAG: sslproxy_cert_error
1555 # Note: This option is only available if Squid is rebuilt with the
1556 # --enable-ssl option
1557 #
1558 # Use this ACL to bypass server certificate validation errors.
1559 #
1560 # For example, the following lines will bypass all validation errors
1561 # when talking to servers located at 172.16.0.0/16. All other
1562 # validation errors will result in ERR_SECURE_CONNECT_FAIL error.
1563 #
1564 # acl BrokenServersAtTrustedIP dst 172.16.0.0/16
1565 # sslproxy_cert_error allow BrokenServersAtTrustedIP
1566 # sslproxy_cert_error deny all
1567 #
1568 # This clause only supports fast acl types.
1569 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1570 # Using slow acl types may result in server crashes
1571 #
1572 # Without this option, all server certificate validation errors
1573 # terminate the transaction. Bypassing validation errors is dangerous
1574 # because an error usually implies that the server cannot be trusted and
1575 # the connection may be insecure.
1576 #
1577 # See also: sslproxy_flags and DONT_VERIFY_PEER.
1578 #
1579 # Default setting: sslproxy_cert_error deny all
1580 #Default:
1581 # none
1583 # TAG: sslpassword_program
1584 # Note: This option is only available if Squid is rebuilt with the
1585 # --enable-ssl option
1586 #
1587 # Specify a program used for entering SSL key passphrases
1588 # when using encrypted SSL certificate keys. If not specified
1589 # keys must either be unencrypted, or Squid started with the -N
1590 # option to allow it to query interactively for the passphrase.
1591 #
1592 # The key file name is given as argument to the program allowing
1593 # selection of the right password if you have multiple encrypted
1594 # keys.
1595 #Default:
1596 # none
1598 #OPTIONS RELATING TO EXTERNAL SSL_CRTD
1599 #-----------------------------------------------------------------------------
1601 # TAG: sslcrtd_program
1602 # Note: This option is only available if Squid is rebuilt with the
1603 # -DUSE_SSL_CRTD define
1604 #
1605 # Specify the location and options of the executable for ssl_crtd process.
1606 # /usr/lib/squid3/ssl_crtd program requires -s and -M parameters
1607 # For more information use:
1608 # /usr/lib/squid3/ssl_crtd -h
1609 #Default:
1610 # sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
1612 # TAG: sslcrtd_children
1613 # Note: This option is only available if Squid is rebuilt with the
1614 # -DUSE_SSL_CRTD define
1615 #
1616 # The maximum number of processes spawn to service ssl server.
1617 # The maximum this may be safely set to is 32.
1618 #
1619 # You must have at least one ssl_crtd process.
1620 #Default:
1621 # sslcrtd_children 5
1623 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
1624 # -----------------------------------------------------------------------------
1626 # TAG: cache_peer
1627 # To specify other caches in a hierarchy, use the format:
1628 #
1629 # cache_peer hostname type http-port icp-port [options]
1630 #
1631 # For example,
1632 #
1633 # # proxy icp
1634 # # hostname type port port options
1635 # # -------------------- -------- ----- ----- -----------
1636 # cache_peer parent.foo.net parent 3128 3130 default
1637 # cache_peer sib1.foo.net sibling 3128 3130 proxy-only
1638 # cache_peer sib2.foo.net sibling 3128 3130 proxy-only
1639 # cache_peer example.com parent 80 0 default
1640 # cache_peer cdn.example.com sibling 3128 0
1641 #
1642 # type: either 'parent', 'sibling', or 'multicast'.
1643 #
1644 # proxy-port: The port number where the peer accept HTTP requests.
1645 # For other Squid proxies this is usually 3128
1646 # For web servers this is usually 80
1647 #
1648 # icp-port: Used for querying neighbor caches about objects.
1649 # Set to 0 if the peer does not support ICP or HTCP.
1650 # See ICP and HTCP options below for additional details.
1651 #
1652 #
1653 # ==== ICP OPTIONS ====
1654 #
1655 # You MUST also set icp_port and icp_access explicitly when using these options.
1656 # The defaults will prevent peer traffic using ICP.
1657 #
1658 #
1659 # no-query Disable ICP queries to this neighbor.
1660 #
1661 # multicast-responder
1662 # Indicates the named peer is a member of a multicast group.
1663 # ICP queries will not be sent directly to the peer, but ICP
1664 # replies will be accepted from it.
1665 #
1666 # closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
1667 # CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
1668 #
1669 # background-ping
1670 # To only send ICP queries to this neighbor infrequently.
1671 # This is used to keep the neighbor round trip time updated
1672 # and is usually used in conjunction with weighted-round-robin.
1673 #
1674 #
1675 # ==== HTCP OPTIONS ====
1676 #
1677 # You MUST also set htcp_port and htcp_access explicitly when using these options.
1678 # The defaults will prevent peer traffic using HTCP.
1679 #
1680 #
1681 # htcp Send HTCP, instead of ICP, queries to the neighbor.
1682 # You probably also want to set the "icp-port" to 4827
1683 # instead of 3130.
1684 #
1685 # htcp-oldsquid Send HTCP to old Squid versions.
1686 #
1687 # htcp-no-clr Send HTCP to the neighbor but without
1688 # sending any CLR requests. This cannot be used with
1689 # htcp-only-clr.
1690 #
1691 # htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests.
1692 # This cannot be used with htcp-no-clr.
1693 #
1694 # htcp-no-purge-clr
1695 # Send HTCP to the neighbor including CLRs but only when
1696 # they do not result from PURGE requests.
1697 #
1698 # htcp-forward-clr
1699 # Forward any HTCP CLR requests this proxy receives to the peer.
1700 #
1701 #
1702 # ==== PEER SELECTION METHODS ====
1703 #
1704 # The default peer selection method is ICP, with the first responding peer
1705 # being used as source. These options can be used for better load balancing.
1706 #
1707 #
1708 # default This is a parent cache which can be used as a "last-resort"
1709 # if a peer cannot be located by any of the peer-selection methods.
1710 # If specified more than once, only the first is used.
1711 #
1712 # round-robin Load-Balance parents which should be used in a round-robin
1713 # fashion in the absence of any ICP queries.
1714 # weight=N can be used to add bias.
1715 #
1716 # weighted-round-robin
1717 # Load-Balance parents which should be used in a round-robin
1718 # fashion with the frequency of each parent being based on the
1719 # round trip time. Closer parents are used more often.
1720 # Usually used for background-ping parents.
1721 # weight=N can be used to add bias.
1722 #
1723 # carp Load-Balance parents which should be used as a CARP array.
1724 # The requests will be distributed among the parents based on the
1725 # CARP load balancing hash function based on their weight.
1726 #
1727 # userhash Load-balance parents based on the client proxy_auth or ident username.
1728 #
1729 # sourcehash Load-balance parents based on the client source IP.
1730 #
1731 # multicast-siblings
1732 # To be used only for cache peers of type "multicast".
1733 # ALL members of this multicast group have "sibling"
1734 # relationship with it, not "parent". This is to a multicast
1735 # group when the requested object would be fetched only from
1736 # a "parent" cache, anyway. It's useful, e.g., when
1737 # configuring a pool of redundant Squid proxies, being
1738 # members of the same multicast group.
1739 #
1740 #
1741 # ==== PEER SELECTION OPTIONS ====
1742 #
1743 # weight=N use to affect the selection of a peer during any weighted
1744 # peer-selection mechanisms.
1745 # The weight must be an integer; default is 1,
1746 # larger weights are favored more.
1747 # This option does not affect parent selection if a peering
1748 # protocol is not in use.
1749 #
1750 # basetime=N Specify a base amount to be subtracted from round trip
1751 # times of parents.
1752 # It is subtracted before division by weight in calculating
1753 # which parent to fectch from. If the rtt is less than the
1754 # base time the rtt is set to a minimal value.
1755 #
1756 # ttl=N Specify a TTL to use when sending multicast ICP queries
1757 # to this address.
1758 # Only useful when sending to a multicast group.
1759 # Because we don't accept ICP replies from random
1760 # hosts, you must configure other group members as
1761 # peers with the 'multicast-responder' option.
1762 #
1763 # no-delay To prevent access to this neighbor from influencing the
1764 # delay pools.
1765 #
1766 # digest-url=URL Tell Squid to fetch the cache digest (if digests are
1767 # enabled) for this host from the specified URL rather
1768 # than the Squid default location.
1769 #
1770 #
1771 # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
1772 #
1773 # originserver Causes this parent to be contacted as an origin server.
1774 # Meant to be used in accelerator setups when the peer
1775 # is a web server.
1776 #
1777 # forceddomain=name
1778 # Set the Host header of requests forwarded to this peer.
1779 # Useful in accelerator setups where the server (peer)
1780 # expects a certain domain name but clients may request
1781 # others. ie example.com or www.example.com
1782 #
1783 # no-digest Disable request of cache digests.
1784 #
1785 # no-netdb-exchange
1786 # Disables requesting ICMP RTT database (NetDB).
1787 #
1788 #
1789 # ==== AUTHENTICATION OPTIONS ====
1790 #
1791 # login=user:password
1792 # If this is a personal/workgroup proxy and your parent
1793 # requires proxy authentication.
1794 #
1795 # Note: The string can include URL escapes (i.e. %20 for
1796 # spaces). This also means % must be written as %%.
1797 #
1798 # login=PROXYPASS
1799 # Send login details received from client to this peer.
1800 # Authentication is not required, nor changed.
1801 #
1802 # Note: This will pass any form of authentication but
1803 # only Basic auth will work through a proxy unless the
1804 # connection-auth options are also used.
1805 #
1806 # login=PASS Send login details received from client to this peer.
1807 # Authentication is not required by this option.
1808 # If there are no client-provided authentication headers
1809 # to pass on, but username and password are available
1810 # from either proxy login or an external ACL user= and
1811 # password= result tags they may be sent instead.
1812 #
1813 # Note: To combine this with proxy_auth both proxies must
1814 # share the same user database as HTTP only allows for
1815 # a single login (one for proxy, one for origin server).
1816 # Also be warned this will expose your users proxy
1817 # password to the peer. USE WITH CAUTION
1818 #
1819 # login=*:password
1820 # Send the username to the upstream cache, but with a
1821 # fixed password. This is meant to be used when the peer
1822 # is in another administrative domain, but it is still
1823 # needed to identify each user.
1824 # The star can optionally be followed by some extra
1825 # information which is added to the username. This can
1826 # be used to identify this proxy to the peer, similar to
1827 # the login=username:password option above.
1828 #
1829 # connection-auth=on|off
1830 # Tell Squid that this peer does or not support Microsoft
1831 # connection oriented authentication, and any such
1832 # challenges received from there should be ignored.
1833 # Default is auto to automatically determine the status
1834 # of the peer.
1835 #
1836 #
1837 # ==== SSL / HTTPS / TLS OPTIONS ====
1838 #
1839 # ssl Encrypt connections to this peer with SSL/TLS.
1840 #
1841 # sslcert=/path/to/ssl/certificate
1842 # A client SSL certificate to use when connecting to
1843 # this peer.
1844 #
1845 # sslkey=/path/to/ssl/key
1846 # The private SSL key corresponding to sslcert above.
1847 # If 'sslkey' is not specified 'sslcert' is assumed to
1848 # reference a combined file containing both the
1849 # certificate and the key.
1850 #
1851 # sslversion=1|2|3|4
1852 # The SSL version to use when connecting to this peer
1853 # 1 = automatic (default)
1854 # 2 = SSL v2 only
1855 # 3 = SSL v3 only
1856 # 4 = TLS v1 only
1857 #
1858 # sslcipher=... The list of valid SSL ciphers to use when connecting
1859 # to this peer.
1860 #
1861 # ssloptions=... Specify various SSL engine options:
1862 # NO_SSLv2 Disallow the use of SSLv2
1863 # NO_SSLv3 Disallow the use of SSLv3
1864 # NO_TLSv1 Disallow the use of TLSv1
1865 # See src/ssl_support.c or the OpenSSL documentation for
1866 # a more complete list.
1867 #
1868 # sslcafile=... A file containing additional CA certificates to use
1869 # when verifying the peer certificate.
1870 #
1871 # sslcapath=... A directory containing additional CA certificates to
1872 # use when verifying the peer certificate.
1873 #
1874 # sslcrlfile=... A certificate revocation list file to use when
1875 # verifying the peer certificate.
1876 #
1877 # sslflags=... Specify various flags modifying the SSL implementation:
1878 #
1879 # DONT_VERIFY_PEER
1880 # Accept certificates even if they fail to
1881 # verify.
1882 # NO_DEFAULT_CA
1883 # Don't use the default CA list built in
1884 # to OpenSSL.
1885 # DONT_VERIFY_DOMAIN
1886 # Don't verify the peer certificate
1887 # matches the server name
1888 #
1889 # ssldomain= The peer name as advertised in it's certificate.
1890 # Used for verifying the correctness of the received peer
1891 # certificate. If not specified the peer hostname will be
1892 # used.
1893 #
1894 # front-end-https
1895 # Enable the "Front-End-Https: On" header needed when
1896 # using Squid as a SSL frontend in front of Microsoft OWA.
1897 # See MS KB document Q307347 for details on this header.
1898 # If set to auto the header will only be added if the
1899 # request is forwarded as a https:// URL.
1900 #
1901 #
1902 # ==== GENERAL OPTIONS ====
1903 #
1904 # connect-timeout=N
1905 # A peer-specific connect timeout.
1906 # Also see the peer_connect_timeout directive.
1907 #
1908 # connect-fail-limit=N
1909 # How many times connecting to a peer must fail before
1910 # it is marked as down. Default is 10.
1911 #
1912 # allow-miss Disable Squid's use of only-if-cached when forwarding
1913 # requests to siblings. This is primarily useful when
1914 # icp_hit_stale is used by the sibling. To extensive use
1915 # of this option may result in forwarding loops, and you
1916 # should avoid having two-way peerings with this option.
1917 # For example to deny peer usage on requests from peer
1918 # by denying cache_peer_access if the source is a peer.
1919 #
1920 # max-conn=N Limit the amount of connections Squid may open to this
1921 # peer. see also
1922 #
1923 # name=xxx Unique name for the peer.
1924 # Required if you have multiple peers on the same host
1925 # but different ports.
1926 # This name can be used in cache_peer_access and similar
1927 # directives to dentify the peer.
1928 # Can be used by outgoing access controls through the
1929 # peername ACL type.
1930 #
1931 # no-tproxy Do not use the client-spoof TPROXY support when forwarding
1932 # requests to this peer. Use normal address selection instead.
1933 #
1934 # proxy-only objects fetched from the peer will not be stored locally.
1935 #
1936 #Default:
1937 # none
1939 # TAG: cache_peer_domain
1940 # Use to limit the domains for which a neighbor cache will be
1941 # queried. Usage:
1942 #
1943 # cache_peer_domain cache-host domain [domain ...]
1944 # cache_peer_domain cache-host !domain
1945 #
1946 # For example, specifying
1947 #
1948 # cache_peer_domain parent.foo.net .edu
1949 #
1950 # has the effect such that UDP query packets are sent to
1951 # 'bigserver' only when the requested object exists on a
1952 # server in the .edu domain. Prefixing the domainname
1953 # with '!' means the cache will be queried for objects
1954 # NOT in that domain.
1955 #
1956 # NOTE: * Any number of domains may be given for a cache-host,
1957 # either on the same or separate lines.
1958 # * When multiple domains are given for a particular
1959 # cache-host, the first matched domain is applied.
1960 # * Cache hosts with no domain restrictions are queried
1961 # for all requests.
1962 # * There are no defaults.
1963 # * There is also a 'cache_peer_access' tag in the ACL
1964 # section.
1965 #Default:
1966 # none
1968 # TAG: cache_peer_access
1969 # Similar to 'cache_peer_domain' but provides more flexibility by
1970 # using ACL elements.
1971 #
1972 # cache_peer_access cache-host allow|deny [!]aclname ...
1973 #
1974 # The syntax is identical to 'http_access' and the other lists of
1975 # ACL elements. See the comments for 'http_access' below, or
1976 # the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
1977 #Default:
1978 # none
1980 # TAG: neighbor_type_domain
1981 # usage: neighbor_type_domain neighbor parent|sibling domain domain ...
1982 #
1983 # Modifying the neighbor type for specific domains is now
1984 # possible. You can treat some domains differently than the the
1985 # default neighbor type specified on the 'cache_peer' line.
1986 # Normally it should only be necessary to list domains which
1987 # should be treated differently because the default neighbor type
1988 # applies for hostnames which do not match domains listed here.
1989 #
1990 #EXAMPLE:
1991 # cache_peer cache.foo.org parent 3128 3130
1992 # neighbor_type_domain cache.foo.org sibling .com .net
1993 # neighbor_type_domain cache.foo.org sibling .au .de
1994 #Default:
1995 # none
1997 # TAG: dead_peer_timeout (seconds)
1998 # This controls how long Squid waits to declare a peer cache
1999 # as "dead." If there are no ICP replies received in this
2000 # amount of time, Squid will declare the peer dead and not
2001 # expect to receive any further ICP replies. However, it
2002 # continues to send ICP queries, and will mark the peer as
2003 # alive upon receipt of the first subsequent ICP reply.
2004 #
2005 # This timeout also affects when Squid expects to receive ICP
2006 # replies from peers. If more than 'dead_peer' seconds have
2007 # passed since the last ICP reply was received, Squid will not
2008 # expect to receive an ICP reply on the next query. Thus, if
2009 # your time between requests is greater than this timeout, you
2010 # will see a lot of requests sent DIRECT to origin servers
2011 # instead of to your parents.
2012 #Default:
2013 # dead_peer_timeout 10 seconds
2015 # TAG: forward_max_tries
2016 # Controls how many different forward paths Squid will try
2017 # before giving up. See also forward_timeout.
2018 #Default:
2019 # forward_max_tries 10
2021 # TAG: hierarchy_stoplist
2022 # A list of words which, if found in a URL, cause the object to
2023 # be handled directly by this cache. In other words, use this
2024 # to not query neighbor caches for certain objects. You may
2025 # list this option multiple times.
2026 #
2027 # Example:
2028 # hierarchy_stoplist cgi-bin ?
2029 #
2030 # Note: never_direct overrides this option.
2031 #Default:
2032 # none
2034 # MEMORY CACHE OPTIONS
2035 # -----------------------------------------------------------------------------
2037 # TAG: cache_mem (bytes)
2038 # NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
2039 # IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
2040 # USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
2041 # THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
2042 #
2043 # 'cache_mem' specifies the ideal amount of memory to be used
2044 # for:
2045 # * In-Transit objects
2046 # * Hot Objects
2047 # * Negative-Cached objects
2048 #
2049 # Data for these objects are stored in 4 KB blocks. This
2050 # parameter specifies the ideal upper limit on the total size of
2051 # 4 KB blocks allocated. In-Transit objects take the highest
2052 # priority.
2053 #
2054 # In-transit objects have priority over the others. When
2055 # additional space is needed for incoming data, negative-cached
2056 # and hot objects will be released. In other words, the
2057 # negative-cached and hot objects will fill up any unused space
2058 # not needed for in-transit objects.
2059 #
2060 # If circumstances require, this limit will be exceeded.
2061 # Specifically, if your incoming request rate requires more than
2062 # 'cache_mem' of memory to hold in-transit objects, Squid will
2063 # exceed this limit to satisfy the new requests. When the load
2064 # decreases, blocks will be freed until the high-water mark is
2065 # reached. Thereafter, blocks will be used to store hot
2066 # objects.
2067 #Default:
2068 # cache_mem 256 MB
2070 # TAG: maximum_object_size_in_memory (bytes)
2071 # Objects greater than this size will not be attempted to kept in
2072 # the memory cache. This should be set high enough to keep objects
2073 # accessed frequently in memory to improve performance whilst low
2074 # enough to keep larger objects from hoarding cache_mem.
2075 #Default:
2076 # maximum_object_size_in_memory 512 KB
2078 # TAG: memory_replacement_policy
2079 # The memory replacement policy parameter determines which
2080 # objects are purged from memory when memory space is needed.
2081 #
2082 # See cache_replacement_policy for details.
2083 #Default:
2084 # memory_replacement_policy lru
2086 # DISK CACHE OPTIONS
2087 # -----------------------------------------------------------------------------
2089 # TAG: cache_replacement_policy
2090 # The cache replacement policy parameter determines which
2091 # objects are evicted (replaced) when disk space is needed.
2092 #
2093 # lru : Squid's original list based LRU policy
2094 # heap GDSF : Greedy-Dual Size Frequency
2095 # heap LFUDA: Least Frequently Used with Dynamic Aging
2096 # heap LRU : LRU policy implemented using a heap
2097 #
2098 # Applies to any cache_dir lines listed below this.
2099 #
2100 # The LRU policies keeps recently referenced objects.
2101 #
2102 # The heap GDSF policy optimizes object hit rate by keeping smaller
2103 # popular objects in cache so it has a better chance of getting a
2104 # hit. It achieves a lower byte hit rate than LFUDA though since
2105 # it evicts larger (possibly popular) objects.
2106 #
2107 # The heap LFUDA policy keeps popular objects in cache regardless of
2108 # their size and thus optimizes byte hit rate at the expense of
2109 # hit rate since one large, popular object will prevent many
2110 # smaller, slightly less popular objects from being cached.
2111 #
2112 # Both policies utilize a dynamic aging mechanism that prevents
2113 # cache pollution that can otherwise occur with frequency-based
2114 # replacement policies.
2115 #
2116 # NOTE: if using the LFUDA replacement policy you should increase
2117 # the value of maximum_object_size above its default of 4096 KB to
2118 # to maximize the potential byte hit rate improvement of LFUDA.
2119 #
2120 # For more information about the GDSF and LFUDA cache replacement
2121 # policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
2122 # and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
2123 #Default:
2124 # cache_replacement_policy lru
2126 # TAG: cache_dir
2127 # Usage:
2128 #
2129 # cache_dir Type Directory-Name Fs-specific-data [options]
2130 #
2131 # You can specify multiple cache_dir lines to spread the
2132 # cache among different disk partitions.
2133 #
2134 # Type specifies the kind of storage system to use. Only "ufs"
2135 # is built by default. To enable any of the other storage systems
2136 # see the --enable-storeio configure option.
2137 #
2138 # 'Directory' is a top-level directory where cache swap
2139 # files will be stored. If you want to use an entire disk
2140 # for caching, this can be the mount-point directory.
2141 # The directory must exist and be writable by the Squid
2142 # process. Squid will NOT create this directory for you.
2143 #
2144 # The ufs store type:
2145 #
2146 # "ufs" is the old well-known Squid storage format that has always
2147 # been there.
2148 #
2149 # cache_dir ufs Directory-Name Mbytes L1 L2 [options]
2150 #
2151 # 'Mbytes' is the amount of disk space (MB) to use under this
2152 # directory. The default is 100 MB. Change this to suit your
2153 # configuration. Do NOT put the size of your disk drive here.
2154 # Instead, if you want Squid to use the entire disk drive,
2155 # subtract 20% and use that value.
2156 #
2157 # 'L1' is the number of first-level subdirectories which
2158 # will be created under the 'Directory'. The default is 16.
2159 #
2160 # 'L2' is the number of second-level subdirectories which
2161 # will be created under each first-level directory. The default
2162 # is 256.
2163 #
2164 # The aufs store type:
2165 #
2166 # "aufs" uses the same storage format as "ufs", utilizing
2167 # POSIX-threads to avoid blocking the main Squid process on
2168 # disk-I/O. This was formerly known in Squid as async-io.
2169 #
2170 # cache_dir aufs Directory-Name Mbytes L1 L2 [options]
2171 #
2172 # see argument descriptions under ufs above
2173 #
2174 # The diskd store type:
2175 #
2176 # "diskd" uses the same storage format as "ufs", utilizing a
2177 # separate process to avoid blocking the main Squid process on
2178 # disk-I/O.
2179 #
2180 # cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
2181 #
2182 # see argument descriptions under ufs above
2183 #
2184 # Q1 specifies the number of unacknowledged I/O requests when Squid
2185 # stops opening new files. If this many messages are in the queues,
2186 # Squid won't open new files. Default is 64
2187 #
2188 # Q2 specifies the number of unacknowledged messages when Squid
2189 # starts blocking. If this many messages are in the queues,
2190 # Squid blocks until it receives some replies. Default is 72
2191 #
2192 # When Q1 < Q2 (the default), the cache directory is optimized
2193 # for lower response time at the expense of a decrease in hit
2194 # ratio. If Q1 > Q2, the cache directory is optimized for
2195 # higher hit ratio at the expense of an increase in response
2196 # time.
2197 #
2198 # The coss store type:
2199 #
2200 # NP: COSS filesystem in Squid-3 has been deemed too unstable for
2201 # production use and has thus been removed from this release.
2202 # We hope that it can be made usable again soon.
2203 #
2204 # block-size=n defines the "block size" for COSS cache_dir's.
2205 # Squid uses file numbers as block numbers. Since file numbers
2206 # are limited to 24 bits, the block size determines the maximum
2207 # size of the COSS partition. The default is 512 bytes, which
2208 # leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
2209 # you should not change the coss block size after Squid
2210 # has written some objects to the cache_dir.
2211 #
2212 # The coss file store has changed from 2.5. Now it uses a file
2213 # called 'stripe' in the directory names in the config - and
2214 # this will be created by squid -z.
2215 #
2216 # Common options:
2217 #
2218 # no-store, no new objects should be stored to this cache_dir
2219 #
2220 # max-size=n, refers to the max object size in bytes this cache_dir
2221 # supports. It is used to select the cache_dir to store the object.
2222 # Note: To make optimal use of the max-size limits you should order
2223 # the cache_dir lines with the smallest max-size value first and the
2224 # ones with no max-size specification last.
2225 #
2226 # Note for coss, max-size must be less than COSS_MEMBUF_SZ,
2227 # which can be changed with the --with-coss-membuf-size=N configure
2228 # option.
2229 #
2231 # Uncomment and adjust the following to add a disk cache directory.
2232 #cache_dir ufs /var/spool/squid3 100 16 256
2234 # TAG: store_dir_select_algorithm
2235 # Set this to 'round-robin' as an alternative.
2236 #Default:
2237 # store_dir_select_algorithm least-load
2239 # TAG: max_open_disk_fds
2240 # To avoid having disk as the I/O bottleneck Squid can optionally
2241 # bypass the on-disk cache if more than this amount of disk file
2242 # descriptors are open.
2243 #
2244 # A value of 0 indicates no limit.
2245 #Default:
2246 # max_open_disk_fds 0
2248 # TAG: minimum_object_size (bytes)
2249 # Objects smaller than this size will NOT be saved on disk. The
2250 # value is specified in kilobytes, and the default is 0 KB, which
2251 # means there is no minimum.
2252 #Default:
2253 # minimum_object_size 0 KB
2255 # TAG: maximum_object_size (bytes)
2256 # Objects larger than this size will NOT be saved on disk. The
2257 # value is specified in kilobytes, and the default is 4MB. If
2258 # you wish to get a high BYTES hit ratio, you should probably
2259 # increase this (one 32 MB object hit counts for 3200 10KB
2260 # hits). If you wish to increase speed more than your want to
2261 # save bandwidth you should leave this low.
2262 #
2263 # NOTE: if using the LFUDA replacement policy you should increase
2264 # this value to maximize the byte hit rate improvement of LFUDA!
2265 # See replacement_policy below for a discussion of this policy.
2266 #Default:
2267 # maximum_object_size 4096 KB
2269 # TAG: cache_swap_low (percent, 0-100)
2270 #Default:
2271 # cache_swap_low 90
2273 # TAG: cache_swap_high (percent, 0-100)
2274 #
2275 # The low- and high-water marks for cache object replacement.
2276 # Replacement begins when the swap (disk) usage is above the
2277 # low-water mark and attempts to maintain utilization near the
2278 # low-water mark. As swap utilization gets close to high-water
2279 # mark object eviction becomes more aggressive. If utilization is
2280 # close to the low-water mark less replacement is done each time.
2281 #
2282 # Defaults are 90% and 95%. If you have a large cache, 5% could be
2283 # hundreds of MB. If this is the case you may wish to set these
2284 # numbers closer together.
2285 #Default:
2286 # cache_swap_high 95
2288 # LOGFILE OPTIONS
2289 # -----------------------------------------------------------------------------
2291 # TAG: logformat
2292 # Usage:
2293 #
2294 # logformat <name> <format specification>
2295 #
2296 # Defines an access log format.
2297 #
2298 # The <format specification> is a string with embedded % format codes
2299 #
2300 # % format codes all follow the same basic structure where all but
2301 # the formatcode is optional. Output strings are automatically escaped
2302 # as required according to their context and the output format
2303 # modifiers are usually not needed, but can be specified if an explicit
2304 # output format is desired.
2305 #
2306 # % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
2307 #
2308 # " output in quoted string format
2309 # [ output in squid text log format as used by log_mime_hdrs
2310 # # output in URL quoted format
2311 # ' output as-is
2312 #
2313 # - left aligned
2314 # width field width. If starting with 0 the
2315 # output is zero padded
2316 # {arg} argument such as header name etc
2317 #
2318 # Format codes:
2319 #
2320 # % a literal % character
2321 # >a Client source IP address
2322 # >A Client FQDN
2323 # >p Client source port
2324 # <A Server IP address or peer name
2325 # la Local IP address (http_port)
2326 # lp Local port number (http_port)
2327 # <la Local IP address of the last server or peer connection
2328 # <lp Local port number of the last server or peer connection
2329 # ts Seconds since epoch
2330 # tu subsecond time (milliseconds)
2331 # tl Local time. Optional strftime format argument
2332 # default %d/%b/%Y:%H:%M:%S %z
2333 # tg GMT time. Optional strftime format argument
2334 # default %d/%b/%Y:%H:%M:%S %z
2335 # tr Response time (milliseconds)
2336 # dt Total time spent making DNS lookups (milliseconds)
2337 #
2338 # HTTP cache related format codes:
2339 #
2340 # [http::]>h Original request header. Optional header name argument
2341 # on the format header[:[separator]element]
2342 # [http::]>ha The HTTP request headers after adaptation and redirection.
2343 # Optional header name argument as for >h
2344 # [http::]<h Reply header. Optional header name argument
2345 # as for >h
2346 # [http::]un User name
2347 # [http::]ul User name from authentication
2348 # [http::]ui User name from ident
2349 # [http::]us User name from SSL
2350 # [http::]ue User name from external acl helper
2351 # [http::]>Hs HTTP status code sent to the client
2352 # [http::]<Hs HTTP status code received from the next hop
2353 # [http::]Ss Squid request status (TCP_MISS etc)
2354 # [http::]Sh Squid hierarchy status (DEFAULT_PARENT etc)
2355 # [http::]mt MIME content type
2356 # [http::]rm Request method (GET/POST etc)
2357 # [http::]ru Request URL
2358 # [http::]rp Request URL-Path excluding hostname
2359 # [http::]rv Request protocol version
2360 # [http::]et Tag returned by external acl
2361 # [http::]ea Log string returned by external acl
2362 # [http::]<st Sent reply size including HTTP headers
2363 # [http::]>st Received request size including HTTP headers. In the
2364 # case of chunked requests the chunked encoding metadata
2365 # are not included
2366 # [http::]>sh Received HTTP request headers size
2367 # [http::]<sh Sent HTTP reply headers size
2368 # [http::]st Request+Reply size including HTTP headers
2369 # [http::]<sH Reply high offset sent
2370 # [http::]<sS Upstream object size
2371 # [http::]<pt Peer response time in milliseconds. The timer starts
2372 # when the last request byte is sent to the next hop
2373 # and stops when the last response byte is received.
2374 # [http::]<tt Total server-side time in milliseconds. The timer
2375 # starts with the first connect request (or write I/O)
2376 # sent to the first selected peer. The timer stops
2377 # with the last I/O with the last peer.
2378 #
2379 # If ICAP is enabled, the following two codes become available (as
2380 # well as ICAP log codes documented with the icap_log option):
2381 #
2382 # icap::tt Total ICAP processing time for the HTTP
2383 # transaction. The timer ticks when ICAP
2384 # ACLs are checked and when ICAP
2385 # transaction is in progress.
2386 #
2387 # icap::<last_h The header of the last ICAP response
2388 # related to the HTTP transaction. Like
2389 # <h, accepts an optional header name
2390 # argument. Will not change semantics
2391 # when multiple ICAP transactions per HTTP
2392 # transaction are supported.
2393 #
2394 # If adaptation is enabled the following two codes become available:
2395 #
2396 # adapt::sum_trs Summed adaptation transaction response
2397 # times recorded as a comma-separated list in
2398 # the order of transaction start time. Each time
2399 # value is recorded as an integer number,
2400 # representing response time of one or more
2401 # adaptation (ICAP or eCAP) transaction in
2402 # milliseconds. When a failed transaction is
2403 # being retried or repeated, its time is not
2404 # logged individually but added to the
2405 # replacement (next) transaction. See also:
2406 # adapt::all_trs.
2407 #
2408 # adapt::all_trs All adaptation transaction response times.
2409 # Same as adaptation_strs but response times of
2410 # individual transactions are never added
2411 # together. Instead, all transaction response
2412 # times are recorded individually.
2413 #
2414 # You can prefix adapt::*_trs format codes with adaptation
2415 # service name in curly braces to record response time(s) specific
2416 # to that service. For example: %{my_service}adapt::sum_trs
2417 #
2418 # The default formats available (which do not need re-defining) are:
2419 #
2420 #logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
2421 #logformat squidmime %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
2422 #logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
2423 #logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
2424 #Default:
2425 # none
2427 # TAG: access_log
2428 # These files log client request activities. Has a line every HTTP or
2429 # ICP request. The format is:
2430 # access_log <filepath> [<logformat name> [acl acl ...]]
2431 # access_log none [acl acl ...]]
2432 #
2433 # Will log to the specified file using the specified format (which
2434 # must be defined in a logformat directive) those entries which match
2435 # ALL the acl's specified (which must be defined in acl clauses).
2436 #
2437 # If no acl is specified, all requests will be logged to this file.
2438 #
2439 # To disable logging of a request use the filepath "none", in which case
2440 # a logformat name should not be specified.
2441 #
2442 # To log the request via syslog specify a filepath of "syslog":
2443 #
2444 # access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
2445 # where facility could be any of:
2446 # authpriv, daemon, local0 .. local7 or user.
2447 #
2448 # And priority could be any of:
2449 # err, warning, notice, info, debug.
2450 #
2451 # Default:
2452 # access_log /var/log/squid3/access.log squid
2453 #Default:
2454 access_log /run/shm/squid3-access.log squid
2456 # TAG: icap_log
2457 # ICAP log files record ICAP transaction summaries, one line per
2458 # transaction.
2459 #
2460 # The icap_log option format is:
2461 # icap_log <filepath> [<logformat name> [acl acl ...]]
2462 # icap_log none [acl acl ...]]
2463 #
2464 # Please see access_log option documentation for details. The two
2465 # kinds of logs share the overall configuration approach and many
2466 # features.
2467 #
2468 # ICAP processing of a single HTTP message or transaction may
2469 # require multiple ICAP transactions. In such cases, multiple
2470 # ICAP transaction log lines will correspond to a single access
2471 # log line.
2472 #
2473 # ICAP log uses logformat codes that make sense for an ICAP
2474 # transaction. Header-related codes are applied to the HTTP header
2475 # embedded in an ICAP server response, with the following caveats:
2476 # For REQMOD, there is no HTTP response header unless the ICAP
2477 # server performed request satisfaction. For RESPMOD, the HTTP
2478 # request header is the header sent to the ICAP server. For
2479 # OPTIONS, there are no HTTP headers.
2480 #
2481 # The following format codes are also available for ICAP logs:
2482 #
2483 # icap::<A ICAP server IP address. Similar to <A.
2484 #
2485 # icap::<service_name ICAP service name from the icap_service
2486 # option in Squid configuration file.
2487 #
2488 # icap::ru ICAP Request-URI. Similar to ru.
2489 #
2490 # icap::rm ICAP request method (REQMOD, RESPMOD, or
2491 # OPTIONS). Similar to existing rm.
2492 #
2493 # icap::>st Bytes sent to the ICAP server (TCP payload
2494 # only; i.e., what Squid writes to the socket).
2495 #
2496 # icap::<st Bytes received from the ICAP server (TCP
2497 # payload only; i.e., what Squid reads from
2498 # the socket).
2499 #
2500 # icap::tr Transaction response time (in
2501 # milliseconds). The timer starts when
2502 # the ICAP transaction is created and
2503 # stops when the transaction is completed.
2504 # Similar to tr.
2505 #
2506 # icap::tio Transaction I/O time (in milliseconds). The
2507 # timer starts when the first ICAP request
2508 # byte is scheduled for sending. The timers
2509 # stops when the last byte of the ICAP response
2510 # is received.
2511 #
2512 # icap::to Transaction outcome: ICAP_ERR* for all
2513 # transaction errors, ICAP_OPT for OPTION
2514 # transactions, ICAP_ECHO for 204
2515 # responses, ICAP_MOD for message
2516 # modification, and ICAP_SAT for request
2517 # satisfaction. Similar to Ss.
2518 #
2519 # icap::Hs ICAP response status code. Similar to Hs.
2520 #
2521 # icap::>h ICAP request header(s). Similar to >h.
2522 #
2523 # icap::<h ICAP response header(s). Similar to <h.
2524 #
2525 # The default ICAP log format, which can be used without an explicit
2526 # definition, is called icap_squid:
2527 #
2528 #logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
2529 #
2530 # See also: logformat, log_icap, and %icap::<last_h
2531 #Default:
2532 # none
2534 # TAG: log_access allow|deny acl acl...
2535 # This options allows you to control which requests gets logged
2536 # to access.log (see access_log directive). Requests denied for
2537 # logging will also not be accounted for in performance counters.
2538 #
2539 # This clause only supports fast acl types.
2540 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
2541 #Default:
2542 # none
2544 # TAG: log_icap
2545 # This options allows you to control which requests get logged
2546 # to icap.log. See the icap_log directive for ICAP log details.
2547 #Default:
2548 # none
2550 # TAG: cache_store_log
2551 # Logs the activities of the storage manager. Shows which
2552 # objects are ejected from the cache, and which objects are
2553 # saved and for how long. To disable, enter "none" or remove the line.
2554 # There are not really utilities to analyze this data, so you can safely
2555 # disable it.
2556 #
2557 # Example:
2558 # cache_store_log /var/log/squid3/store.log
2559 #Default:
2560 # none
2562 # TAG: cache_swap_state
2563 # Location for the cache "swap.state" file. This index file holds
2564 # the metadata of objects saved on disk. It is used to rebuild
2565 # the cache during startup. Normally this file resides in each
2566 # 'cache_dir' directory, but you may specify an alternate
2567 # pathname here. Note you must give a full filename, not just
2568 # a directory. Since this is the index for the whole object
2569 # list you CANNOT periodically rotate it!
2570 #
2571 # If %s can be used in the file name it will be replaced with a
2572 # a representation of the cache_dir name where each / is replaced
2573 # with '.'. This is needed to allow adding/removing cache_dir
2574 # lines when cache_swap_log is being used.
2575 #
2576 # If have more than one 'cache_dir', and %s is not used in the name
2577 # these swap logs will have names such as:
2578 #
2579 # cache_swap_log.00
2580 # cache_swap_log.01
2581 # cache_swap_log.02
2582 #
2583 # The numbered extension (which is added automatically)
2584 # corresponds to the order of the 'cache_dir' lines in this
2585 # configuration file. If you change the order of the 'cache_dir'
2586 # lines in this file, these index files will NOT correspond to
2587 # the correct 'cache_dir' entry (unless you manually rename
2588 # them). We recommend you do NOT use this option. It is
2589 # better to keep these index files in each 'cache_dir' directory.
2590 #Default:
2591 # none
2593 # TAG: logfile_rotate
2594 # Specifies the number of logfile rotations to make when you
2595 # type 'squid -k rotate'. The default is 10, which will rotate
2596 # with extensions 0 through 9. Setting logfile_rotate to 0 will
2597 # disable the file name rotation, but the logfiles are still closed
2598 # and re-opened. This will enable you to rename the logfiles
2599 # yourself just before sending the rotate signal.
2600 #
2601 # Note, the 'squid -k rotate' command normally sends a USR1
2602 # signal to the running squid process. In certain situations
2603 # (e.g. on Linux with Async I/O), USR1 is used for other
2604 # purposes, so -k rotate uses another signal. It is best to get
2605 # in the habit of using 'squid -k rotate' instead of 'kill -USR1
2606 # <pid>'.
2607 #
2608 # Note, from Squid-3.1 this option has no effect on the cache.log,
2609 # that log can be rotated separately by using debug_options
2610 #
2611 # Note2, for Debian/Linux the default of logfile_rotate is
2612 # zero, since it includes external logfile-rotation methods.
2613 #Default:
2614 # logfile_rotate 0
2616 # TAG: emulate_httpd_log on|off
2617 # The Cache can emulate the log file format which many 'httpd'
2618 # programs use. To disable/enable this emulation, set
2619 # emulate_httpd_log to 'off' or 'on'. The default
2620 # is to use the native log format since it includes useful
2621 # information Squid-specific log analyzers use.
2622 #Default:
2623 # emulate_httpd_log off
2625 # TAG: log_ip_on_direct on|off
2626 # Log the destination IP address in the hierarchy log tag when going
2627 # direct. Earlier Squid versions logged the hostname here. If you
2628 # prefer the old way set this to off.
2629 #Default:
2630 # log_ip_on_direct on
2632 # TAG: mime_table
2633 # Pathname to Squid's MIME table. You shouldn't need to change
2634 # this, but the default file contains examples and formatting
2635 # information if you do.
2636 #Default:
2637 # mime_table /usr/share/squid3/mime.conf
2639 # TAG: log_mime_hdrs on|off
2640 # The Cache can record both the request and the response MIME
2641 # headers for each HTTP transaction. The headers are encoded
2642 # safely and will appear as two bracketed fields at the end of
2643 # the access log (for either the native or httpd-emulated log
2644 # formats). To enable this logging set log_mime_hdrs to 'on'.
2645 #Default:
2646 # log_mime_hdrs off
2648 # TAG: useragent_log
2649 # Note: This option is only available if Squid is rebuilt with the
2650 # --enable-useragent-log option
2651 #
2652 # Squid will write the User-Agent field from HTTP requests
2653 # to the filename specified here. By default useragent_log
2654 # is disabled.
2655 #Default:
2656 # none
2658 # TAG: referer_log
2659 # Note: This option is only available if Squid is rebuilt with the
2660 # --enable-referer-log option
2661 #
2662 # Squid will write the Referer field from HTTP requests to the
2663 # filename specified here. By default referer_log is disabled.
2664 # Note that "referer" is actually a misspelling of "referrer"
2665 # however the misspelt version has been accepted into the HTTP RFCs
2666 # and we accept both.
2667 #Default:
2668 # none
2670 # TAG: pid_filename
2671 # A filename to write the process-id to. To disable, enter "none".
2672 #Default:
2673 # pid_filename /var/run/squid3.pid
2675 # TAG: log_fqdn on|off
2676 # Turn this on if you wish to log fully qualified domain names
2677 # in the access.log. To do this Squid does a DNS lookup of all
2678 # IP's connecting to it. This can (in some situations) increase
2679 # latency, which makes your cache seem slower for interactive
2680 # browsing.
2681 #Default:
2682 # log_fqdn off
2684 # TAG: client_netmask
2685 # A netmask for client addresses in logfiles and cachemgr output.
2686 # Change this to protect the privacy of your cache clients.
2687 # A netmask of 255.255.255.0 will log all IP's in that range with
2688 # the last digit set to '0'.
2689 #Default:
2690 # client_netmask no_addr
2692 # TAG: forward_log
2693 # Note: This option is only available if Squid is rebuilt with the
2694 # -DWIP_FWD_LOG define
2695 #
2696 # Logs the server-side requests.
2697 #
2698 # This is currently work in progress.
2699 #Default:
2700 # none
2702 # TAG: strip_query_terms
2703 # By default, Squid strips query terms from requested URLs before
2704 # logging. This protects your user's privacy.
2705 #Default:
2706 # strip_query_terms on
2708 # TAG: buffered_logs on|off
2709 # cache.log log file is written with stdio functions, and as such
2710 # it can be buffered or unbuffered. By default it will be unbuffered.
2711 # Buffering it can speed up the writing slightly (though you are
2712 # unlikely to need to worry unless you run with tons of debugging
2713 # enabled in which case performance will suffer badly anyway..).
2714 #Default:
2715 # buffered_logs off
2717 # TAG: netdb_filename
2718 # Note: This option is only available if Squid is rebuilt with the
2719 # --enable-icmp option
2720 #
2721 # A filename where Squid stores it's netdb state between restarts.
2722 # To disable, enter "none".
2723 #Default:
2724 #netdb_filename /var/log/squid3-netdb.state
2726 # OPTIONS FOR TROUBLESHOOTING
2727 # -----------------------------------------------------------------------------
2729 # TAG: cache_log
2730 # Cache logging file. This is where general information about
2731 # your cache's behavior goes. You can increase the amount of data
2732 # logged to this file and how often its rotated with "debug_options"
2733 #Default:
2734 cache_log /run/shm/squid3-cache.log
2736 # TAG: debug_options
2737 # Logging options are set as section,level where each source file
2738 # is assigned a unique section. Lower levels result in less
2739 # output, Full debugging (level 9) can result in a very large
2740 # log file, so be careful.
2741 #
2742 # The magic word "ALL" sets debugging levels for all sections.
2743 # We recommend normally running with "ALL,1".
2744 #
2745 # The rotate=N option can be used to keep more or less of these logs
2746 # than would otherwise be kept by logfile_rotate.
2747 # For most uses a single log should be enough to monitor current
2748 # events affecting Squid.
2749 #Default:
2750 # debug_options ALL,1
2752 # TAG: coredump_dir
2753 # By default Squid leaves core files in the directory from where
2754 # it was started. If you set 'coredump_dir' to a directory
2755 # that exists, Squid will chdir() to that directory at startup
2756 # and coredump files will be left there.
2757 #
2758 #Default:
2759 # coredump_dir none
2760 #
2762 # Leave coredumps in the first cache dir
2763 coredump_dir /var/spool/squid3
2765 # OPTIONS FOR FTP GATEWAYING
2766 # -----------------------------------------------------------------------------
2768 # TAG: ftp_user
2769 # If you want the anonymous login password to be more informative
2770 # (and enable the use of picky ftp servers), set this to something
2771 # reasonable for your domain, like wwwuser@somewhere.net
2772 #
2773 # The reason why this is domainless by default is the
2774 # request can be made on the behalf of a user in any domain,
2775 # depending on how the cache is used.
2776 # Some ftp server also validate the email address is valid
2777 # (for example perl.com).
2778 #Default:
2779 # ftp_user Squid@
2781 # TAG: ftp_list_width
2782 # Sets the width of ftp listings. This should be set to fit in
2783 # the width of a standard browser. Setting this too small
2784 # can cut off long filenames when browsing ftp sites.
2785 #Default:
2786 # ftp_list_width 32
2788 # TAG: ftp_passive
2789 # If your firewall does not allow Squid to use passive
2790 # connections, turn off this option.
2791 #
2792 # Use of ftp_epsv_all option requires this to be ON.
2793 #Default:
2794 # ftp_passive on
2796 # TAG: ftp_epsv_all
2797 # FTP Protocol extensions permit the use of a special "EPSV ALL" command.
2798 #
2799 # NATs may be able to put the connection on a "fast path" through the
2800 # translator, as the EPRT command will never be used and therefore,
2801 # translation of the data portion of the segments will never be needed.
2802 #
2803 # When a client only expects to do two-way FTP transfers this may be
2804 # useful.
2805 # If squid finds that it must do a three-way FTP transfer after issuing
2806 # an EPSV ALL command, the FTP session will fail.
2807 #
2808 # If you have any doubts about this option do not use it.
2809 # Squid will nicely attempt all other connection methods.
2810 #
2811 # Requires ftp_passive to be ON (default) for any effect.
2812 #Default:
2813 # ftp_epsv_all off
2815 # TAG: ftp_epsv
2816 # FTP Protocol extensions permit the use of a special "EPSV" command.
2817 #
2818 # NATs may be able to put the connection on a "fast path" through the
2819 # translator using EPSV, as the EPRT command will never be used
2820 # and therefore, translation of the data portion of the segments
2821 # will never be needed.
2822 #
2823 # Turning this OFF will prevent EPSV being attempted.
2824 # WARNING: Doing so will convert Squid back to the old behavior with all
2825 # the related problems with external NAT devices/layers.
2826 #
2827 # Requires ftp_passive to be ON (default) for any effect.
2828 #Default:
2829 # ftp_epsv on
2831 # TAG: ftp_eprt
2832 # FTP Protocol extensions permit the use of a special "EPRT" command.
2833 #
2834 # This extension provides a protocol neutral alternative to the
2835 # IPv4-only PORT command. When supported it enables active FTP data
2836 # channels over IPv6 and efficient NAT handling.
2837 #
2838 # Turning this OFF will prevent EPRT being attempted and will skip
2839 # straight to using PORT for IPv4 servers.
2840 #
2841 # Some devices are known to not handle this extension correctly and
2842 # may result in crashes. Devices which suport EPRT enough to fail
2843 # cleanly will result in Squid attempting PORT anyway. This directive
2844 # should only be disabled when EPRT results in device failures.
2845 #
2846 # WARNING: Doing so will convert Squid back to the old behavior with all
2847 # the related problems with external NAT devices/layers and IPv4-only FTP.
2848 #Default:
2849 # ftp_eprt on
2851 # TAG: ftp_sanitycheck
2852 # For security and data integrity reasons Squid by default performs
2853 # sanity checks of the addresses of FTP data connections ensure the
2854 # data connection is to the requested server. If you need to allow
2855 # FTP connections to servers using another IP address for the data
2856 # connection turn this off.
2857 #Default:
2858 # ftp_sanitycheck on
2860 # TAG: ftp_telnet_protocol
2861 # The FTP protocol is officially defined to use the telnet protocol
2862 # as transport channel for the control connection. However, many
2863 # implementations are broken and does not respect this aspect of
2864 # the FTP protocol.
2865 #
2866 # If you have trouble accessing files with ASCII code 255 in the
2867 # path or similar problems involving this ASCII code you can
2868 # try setting this directive to off. If that helps, report to the
2869 # operator of the FTP server in question that their FTP server
2870 # is broken and does not follow the FTP standard.
2871 #Default:
2872 # ftp_telnet_protocol on
2874 # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
2875 # -----------------------------------------------------------------------------
2877 # TAG: diskd_program
2878 # Specify the location of the diskd executable.
2879 # Note this is only useful if you have compiled in
2880 # diskd as one of the store io modules.
2881 #Default:
2882 # diskd_program /usr/lib/squid3/diskd
2884 # TAG: unlinkd_program
2885 # Specify the location of the executable for file deletion process.
2886 #Default:
2887 # unlinkd_program /usr/lib/squid3/unlinkd
2889 # TAG: pinger_program
2890 # Note: This option is only available if Squid is rebuilt with the
2891 # --enable-icmp option
2892 #
2893 # Specify the location of the executable for the pinger process.
2894 #Default:
2895 # pinger_program /usr/lib/squid3/pinger
2897 # TAG: pinger_enable
2898 # Note: This option is only available if Squid is rebuilt with the
2899 # --enable-icmp option
2900 #
2901 # Control whether the pinger is active at run-time.
2902 # Enables turning ICMP pinger on and off with a simple
2903 # squid -k reconfigure.
2904 #Default:
2905 # pinger_enable off
2907 # OPTIONS FOR URL REWRITING
2908 # -----------------------------------------------------------------------------
2910 # TAG: url_rewrite_program
2911 # Specify the location of the executable URL rewriter to use.
2912 # Since they can perform almost any function there isn't one included.
2913 #
2914 # For each requested URL, the rewriter will receive on line with the format
2915 #
2916 # URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
2917 #
2918 # In the future, the rewriter interface will be extended with
2919 # key=value pairs ("kvpairs" shown above). Rewriter programs
2920 # should be prepared to receive and possibly ignore additional
2921 # whitespace-separated tokens on each input line.
2922 #
2923 # And the rewriter may return a rewritten URL. The other components of
2924 # the request line does not need to be returned (ignored if they are).
2925 #
2926 # The rewriter can also indicate that a client-side redirect should
2927 # be performed to the new URL. This is done by prefixing the returned
2928 # URL with "301:" (moved permanently) or 302: (moved temporarily), etc.
2929 #
2930 # By default, a URL rewriter is not used.
2931 #Default:
2932 # none
2934 # TAG: url_rewrite_children
2935 # The number of redirector processes to spawn. If you start
2936 # too few Squid will have to wait for them to process a backlog of
2937 # URLs, slowing it down. If you start too many they will use RAM
2938 # and other system resources.
2939 #Default:
2940 # url_rewrite_children 5
2942 # TAG: url_rewrite_concurrency
2943 # The number of requests each redirector helper can handle in
2944 # parallel. Defaults to 0 which indicates the redirector
2945 # is a old-style single threaded redirector.
2946 #
2947 # When this directive is set to a value >= 1 then the protocol
2948 # used to communicate with the helper is modified to include
2949 # a request ID in front of the request/response. The request
2950 # ID from the request must be echoed back with the response
2951 # to that request.
2952 #Default:
2953 # url_rewrite_concurrency 0
2955 # TAG: url_rewrite_host_header
2956 # By default Squid rewrites any Host: header in redirected
2957 # requests. If you are running an accelerator this may
2958 # not be a wanted effect of a redirector.
2959 #
2960 # WARNING: Entries are cached on the result of the URL rewriting
2961 # process, so be careful if you have domain-virtual hosts.
2962 #Default:
2963 # url_rewrite_host_header on
2965 # TAG: url_rewrite_access
2966 # If defined, this access list specifies which requests are
2967 # sent to the redirector processes. By default all requests
2968 # are sent.
2969 #
2970 # This clause supports both fast and slow acl types.
2971 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
2972 #Default:
2973 # none
2975 # TAG: url_rewrite_bypass
2976 # When this is 'on', a request will not go through the
2977 # redirector if all redirectors are busy. If this is 'off'
2978 # and the redirector queue grows too large, Squid will exit
2979 # with a FATAL error and ask you to increase the number of
2980 # redirectors. You should only enable this if the redirectors
2981 # are not critical to your caching system. If you use
2982 # redirectors for access control, and you enable this option,
2983 # users may have access to pages they should not
2984 # be allowed to request.
2985 #Default:
2986 # url_rewrite_bypass off
2988 # OPTIONS FOR TUNING THE CACHE
2989 # -----------------------------------------------------------------------------
2991 # TAG: cache
2992 # A list of ACL elements which, if matched and denied, cause the request to
2993 # not be satisfied from the cache and the reply to not be cached.
2994 # In other words, use this to force certain objects to never be cached.
2995 #
2996 # You must use the words 'allow' or 'deny' to indicate whether items
2997 # matching the ACL should be allowed or denied into the cache.
2998 #
2999 # Default is to allow all to be cached.
3000 #
3001 # This clause supports both fast and slow acl types.
3002 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
3003 #Default:
3004 # none
3006 # TAG: refresh_pattern
3007 # usage: refresh_pattern [-i] regex min percent max [options]
3008 #
3009 # By default, regular expressions are CASE-SENSITIVE. To make
3010 # them case-insensitive, use the -i option.
3011 #
3012 # 'Min' is the time (in minutes) an object without an explicit
3013 # expiry time should be considered fresh. The recommended
3014 # value is 0, any higher values may cause dynamic applications
3015 # to be erroneously cached unless the application designer
3016 # has taken the appropriate actions.
3017 #
3018 # 'Percent' is a percentage of the objects age (time since last
3019 # modification age) an object without explicit expiry time
3020 # will be considered fresh.
3021 #
3022 # 'Max' is an upper limit on how long objects without an explicit
3023 # expiry time will be considered fresh.
3024 #
3025 # options: override-expire
3026 # override-lastmod
3027 # reload-into-ims
3028 # ignore-reload
3029 # ignore-no-cache
3030 # ignore-no-store
3031 # ignore-must-revalidate
3032 # ignore-private
3033 # ignore-auth
3034 # refresh-ims
3035 #
3036 # override-expire enforces min age even if the server
3037 # sent an explicit expiry time (e.g., with the
3038 # Expires: header or Cache-Control: max-age). Doing this
3039 # VIOLATES the HTTP standard. Enabling this feature
3040 # could make you liable for problems which it causes.
3041 #
3042 # Note: override-expire does not enforce staleness - it only extends
3043 # freshness / min. If the server returns a Expires time which
3044 # is longer than your max time, Squid will still consider
3045 # the object fresh for that period of time.
3046 #
3047 # override-lastmod enforces min age even on objects
3048 # that were modified recently.
3049 #
3050 # reload-into-ims changes client no-cache or ``reload''
3051 # to If-Modified-Since requests. Doing this VIOLATES the
3052 # HTTP standard. Enabling this feature could make you
3053 # liable for problems which it causes.
3054 #
3055 # ignore-reload ignores a client no-cache or ``reload''
3056 # header. Doing this VIOLATES the HTTP standard. Enabling
3057 # this feature could make you liable for problems which
3058 # it causes.
3059 #
3060 # ignore-no-cache ignores any ``Pragma: no-cache'' and
3061 # ``Cache-control: no-cache'' headers received from a server.
3062 # The HTTP RFC never allows the use of this (Pragma) header
3063 # from a server, only a client, though plenty of servers
3064 # send it anyway.
3065 #
3066 # ignore-no-store ignores any ``Cache-control: no-store''
3067 # headers received from a server. Doing this VIOLATES
3068 # the HTTP standard. Enabling this feature could make you
3069 # liable for problems which it causes.
3070 #
3071 # ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
3072 # headers received from a server. Doing this VIOLATES
3073 # the HTTP standard. Enabling this feature could make you
3074 # liable for problems which it causes.
3075 #
3076 # ignore-private ignores any ``Cache-control: private''
3077 # headers received from a server. Doing this VIOLATES
3078 # the HTTP standard. Enabling this feature could make you
3079 # liable for problems which it causes.
3080 #
3081 # ignore-auth caches responses to requests with authorization,
3082 # as if the originserver had sent ``Cache-control: public''
3083 # in the response header. Doing this VIOLATES the HTTP standard.
3084 # Enabling this feature could make you liable for problems which
3085 # it causes.
3086 #
3087 # refresh-ims causes squid to contact the origin server
3088 # when a client issues an If-Modified-Since request. This
3089 # ensures that the client will receive an updated version
3090 # if one is available.
3091 #
3092 # Basically a cached object is:
3093 #
3094 # FRESH if expires < now, else STALE
3095 # STALE if age > max
3096 # FRESH if lm-factor < percent, else STALE
3097 # FRESH if age < min
3098 # else STALE
3099 #
3100 # The refresh_pattern lines are checked in the order listed here.
3101 # The first entry which matches is used. If none of the entries
3102 # match the default will be used.
3103 #
3104 # Note, you must uncomment all the default lines if you want
3105 # to change one. The default setting is only active if none is
3106 # used.
3107 #
3108 #
3110 # Add any of your own refresh_pattern entries above these.
3111 refresh_pattern ^ftp: 1440 20% 10080
3112 refresh_pattern ^gopher: 1440 0% 1440
3113 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
3114 refresh_pattern . 0 20% 4320
3116 # TAG: quick_abort_min (KB)
3117 #Default:
3118 # quick_abort_min 16 KB
3120 # TAG: quick_abort_max (KB)
3121 #Default:
3122 # quick_abort_max 16 KB
3124 # TAG: quick_abort_pct (percent)
3125 # The cache by default continues downloading aborted requests
3126 # which are almost completed (less than 16 KB remaining). This
3127 # may be undesirable on slow (e.g. SLIP) links and/or very busy
3128 # caches. Impatient users may tie up file descriptors and
3129 # bandwidth by repeatedly requesting and immediately aborting
3130 # downloads.
3131 #
3132 # When the user aborts a request, Squid will check the
3133 # quick_abort values to the amount of data transfered until
3134 # then.
3135 #
3136 # If the transfer has less than 'quick_abort_min' KB remaining,
3137 # it will finish the retrieval.
3138 #
3139 # If the transfer has more than 'quick_abort_max' KB remaining,
3140 # it will abort the retrieval.
3141 #
3142 # If more than 'quick_abort_pct' of the transfer has completed,
3143 # it will finish the retrieval.
3144 #
3145 # If you do not want any retrieval to continue after the client
3146 # has aborted, set both 'quick_abort_min' and 'quick_abort_max'
3147 # to '0 KB'.
3148 #
3149 # If you want retrievals to always continue if they are being
3150 # cached set 'quick_abort_min' to '-1 KB'.
3151 #Default:
3152 # quick_abort_pct 95
3154 # TAG: read_ahead_gap buffer-size
3155 # The amount of data the cache will buffer ahead of what has been
3156 # sent to the client when retrieving an object from another server.
3157 #Default:
3158 # read_ahead_gap 16 KB
3160 # TAG: negative_ttl time-units
3161 # Set the Default Time-to-Live (TTL) for failed requests.
3162 # Certain types of failures (such as "connection refused" and
3163 # "404 Not Found") are able to be negatively-cached for a short time.
3164 # Modern web servers should provide Expires: header, however if they
3165 # do not this can provide a minimum TTL.
3166 # The default is not to cache errors with unknown expiry details.
3167 #
3168 # Note that this is different from negative caching of DNS lookups.
3169 #
3170 # WARNING: Doing this VIOLATES the HTTP standard. Enabling
3171 # this feature could make you liable for problems which it
3172 # causes.
3173 #Default:
3174 # negative_ttl 0 seconds
3176 # TAG: positive_dns_ttl time-units
3177 # Upper limit on how long Squid will cache positive DNS responses.
3178 # Default is 6 hours (360 minutes). This directive must be set
3179 # larger than negative_dns_ttl.
3180 #Default:
3181 # positive_dns_ttl 6 hours
3183 # TAG: negative_dns_ttl time-units
3184 # Time-to-Live (TTL) for negative caching of failed DNS lookups.
3185 # This also sets the lower cache limit on positive lookups.
3186 # Minimum value is 1 second, and it is not recommendable to go
3187 # much below 10 seconds.
3188 #Default:
3189 # negative_dns_ttl 1 minutes
3191 # TAG: range_offset_limit (bytes)
3192 # Sets a upper limit on how far into the the file a Range request
3193 # may be to cause Squid to prefetch the whole file. If beyond this
3194 # limit Squid forwards the Range request as it is and the result
3195 # is NOT cached.
3196 #
3197 # This is to stop a far ahead range request (lets say start at 17MB)
3198 # from making Squid fetch the whole object up to that point before
3199 # sending anything to the client.
3200 #
3201 # A value of 0 causes Squid to never fetch more than the
3202 # client requested. (default)
3203 #
3204 # A value of -1 causes Squid to always fetch the object from the
3205 # beginning so it may cache the result. (2.0 style)
3206 #
3207 # NP: Using -1 here will override any quick_abort settings that may
3208 # otherwise apply to the range request. The range request will
3209 # be fully fetched from start to finish regardless of the client
3210 # actions. This affects bandwidth usage.
3211 #Default:
3212 # range_offset_limit 0 KB
3214 # TAG: minimum_expiry_time (seconds)
3215 # The minimum caching time according to (Expires - Date)
3216 # Headers Squid honors if the object can't be revalidated
3217 # defaults to 60 seconds. In reverse proxy environments it
3218 # might be desirable to honor shorter object lifetimes. It
3219 # is most likely better to make your server return a
3220 # meaningful Last-Modified header however. In ESI environments
3221 # where page fragments often have short lifetimes, this will
3222 # often be best set to 0.
3223 #Default:
3224 # minimum_expiry_time 60 seconds
3226 # TAG: store_avg_object_size (kbytes)
3227 # Average object size, used to estimate number of objects your
3228 # cache can hold. The default is 13 KB.
3229 #Default:
3230 # store_avg_object_size 13 KB
3232 # TAG: store_objects_per_bucket
3233 # Target number of objects per bucket in the store hash table.
3234 # Lowering this value increases the total number of buckets and
3235 # also the storage maintenance rate. The default is 20.
3236 #Default:
3237 # store_objects_per_bucket 20
3239 # HTTP OPTIONS
3240 # -----------------------------------------------------------------------------
3242 # TAG: request_header_max_size (KB)
3243 # This specifies the maximum size for HTTP headers in a request.
3244 # Request headers are usually relatively small (about 512 bytes).
3245 # Placing a limit on the request header size will catch certain
3246 # bugs (for example with persistent connections) and possibly
3247 # buffer-overflow or denial-of-service attacks.
3248 #Default:
3249 # request_header_max_size 64 KB
3251 # TAG: reply_header_max_size (KB)
3252 # This specifies the maximum size for HTTP headers in a reply.
3253 # Reply headers are usually relatively small (about 512 bytes).
3254 # Placing a limit on the reply header size will catch certain
3255 # bugs (for example with persistent connections) and possibly
3256 # buffer-overflow or denial-of-service attacks.
3257 #Default:
3258 # reply_header_max_size 64 KB
3260 # TAG: request_body_max_size (bytes)
3261 # This specifies the maximum size for an HTTP request body.
3262 # In other words, the maximum size of a PUT/POST request.
3263 # A user who attempts to send a request with a body larger
3264 # than this limit receives an "Invalid Request" error message.
3265 # If you set this parameter to a zero (the default), there will
3266 # be no limit imposed.
3267 #Default:
3268 # request_body_max_size 0 KB
3270 # TAG: client_request_buffer_max_size (bytes)
3271 # This specifies the maximum buffer size of a client request.
3272 # It prevents squid eating too much memory when somebody uploads
3273 # a large file.
3274 #Default:
3275 # client_request_buffer_max_size 512 KB
3277 # TAG: chunked_request_body_max_size (bytes)
3278 # A broken or confused HTTP/1.1 client may send a chunked HTTP
3279 # request to Squid. Squid does not have full support for that
3280 # feature yet. To cope with such requests, Squid buffers the
3281 # entire request and then dechunks request body to create a
3282 # plain HTTP/1.0 request with a known content length. The plain
3283 # request is then used by the rest of Squid code as usual.
3284 #
3285 # The option value specifies the maximum size of the buffer used
3286 # to hold the request before the conversion. If the chunked
3287 # request size exceeds the specified limit, the conversion
3288 # fails, and the client receives an "unsupported request" error,
3289 # as if dechunking was disabled.
3290 #
3291 # Dechunking is enabled by default. To disable conversion of
3292 # chunked requests, set the maximum to zero.
3293 #
3294 # Request dechunking feature and this option in particular are a
3295 # temporary hack. When chunking requests and responses are fully
3296 # supported, there will be no need to buffer a chunked request.
3297 #Default:
3298 # chunked_request_body_max_size 64 KB
3300 # TAG: broken_posts
3301 # A list of ACL elements which, if matched, causes Squid to send
3302 # an extra CRLF pair after the body of a PUT/POST request.
3303 #
3304 # Some HTTP servers has broken implementations of PUT/POST,
3305 # and rely on an extra CRLF pair sent by some WWW clients.
3306 #
3307 # Quote from RFC2616 section 4.1 on this matter:
3308 #
3309 # Note: certain buggy HTTP/1.0 client implementations generate an
3310 # extra CRLF's after a POST request. To restate what is explicitly
3311 # forbidden by the BNF, an HTTP/1.1 client must not preface or follow
3312 # a request with an extra CRLF.
3313 #
3314 # This clause only supports fast acl types.
3315 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
3316 #
3317 #Example:
3318 # acl buggy_server url_regex ^http://....
3319 # broken_posts allow buggy_server
3320 #Default:
3321 # none
3323 # TAG: icap_uses_indirect_client on|off
3324 # Controls whether the indirect client IP address (instead of the direct
3325 # client IP address) is passed to adaptation services.
3326 #
3327 # See also: follow_x_forwarded_for adaptation_send_client_ip
3328 #Default:
3329 # icap_uses_indirect_client on
3331 # TAG: via on|off
3332 # If set (default), Squid will include a Via header in requests and
3333 # replies as required by RFC2616.
3334 #Default:
3335 # via on
3337 # TAG: ie_refresh on|off
3338 # Microsoft Internet Explorer up until version 5.5 Service
3339 # Pack 1 has an issue with transparent proxies, wherein it
3340 # is impossible to force a refresh. Turning this on provides
3341 # a partial fix to the problem, by causing all IMS-REFRESH
3342 # requests from older IE versions to check the origin server
3343 # for fresh content. This reduces hit ratio by some amount
3344 # (~10% in my experience), but allows users to actually get
3345 # fresh content when they want it. Note because Squid
3346 # cannot tell if the user is using 5.5 or 5.5SP1, the behavior
3347 # of 5.5 is unchanged from old versions of Squid (i.e. a
3348 # forced refresh is impossible). Newer versions of IE will,
3349 # hopefully, continue to have the new behavior and will be
3350 # handled based on that assumption. This option defaults to
3351 # the old Squid behavior, which is better for hit ratios but
3352 # worse for clients using IE, if they need to be able to
3353 # force fresh content.
3354 #Default:
3355 # ie_refresh off
3357 # TAG: vary_ignore_expire on|off
3358 # Many HTTP servers supporting Vary gives such objects
3359 # immediate expiry time with no cache-control header
3360 # when requested by a HTTP/1.0 client. This option
3361 # enables Squid to ignore such expiry times until
3362 # HTTP/1.1 is fully implemented.
3363 #
3364 # WARNING: If turned on this may eventually cause some
3365 # varying objects not intended for caching to get cached.
3366 #Default:
3367 # vary_ignore_expire off
3369 # TAG: request_entities
3370 # Squid defaults to deny GET and HEAD requests with request entities,
3371 # as the meaning of such requests are undefined in the HTTP standard
3372 # even if not explicitly forbidden.
3373 #
3374 # Set this directive to on if you have clients which insists
3375 # on sending request entities in GET or HEAD requests. But be warned
3376 # that there is server software (both proxies and web servers) which
3377 # can fail to properly process this kind of request which may make you
3378 # vulnerable to cache pollution attacks if enabled.
3379 #Default:
3380 # request_entities off
3382 # TAG: request_header_access
3383 # Usage: request_header_access header_name allow|deny [!]aclname ...
3384 #
3385 # WARNING: Doing this VIOLATES the HTTP standard. Enabling
3386 # this feature could make you liable for problems which it
3387 # causes.
3388 #
3389 # This option replaces the old 'anonymize_headers' and the
3390 # older 'http_anonymizer' option with something that is much
3391 # more configurable. This new method creates a list of ACLs
3392 # for each header, allowing you very fine-tuned header
3393 # mangling.
3394 #
3395 # This option only applies to request headers, i.e., from the
3396 # client to the server.
3397 #
3398 # You can only specify known headers for the header name.
3399 # Other headers are reclassified as 'Other'. You can also
3400 # refer to all the headers with 'All'.
3401 #
3402 # For example, to achieve the same behavior as the old
3403 # 'http_anonymizer standard' option, you should use:
3404 #
3405 # request_header_access From deny all
3406 # request_header_access Referer deny all
3407 # request_header_access Server deny all
3408 # request_header_access User-Agent deny all
3409 # request_header_access WWW-Authenticate deny all
3410 # request_header_access Link deny all
3411 #
3412 # Or, to reproduce the old 'http_anonymizer paranoid' feature
3413 # you should use:
3414 #
3415 # request_header_access Allow allow all
3416 # request_header_access Authorization allow all
3417 # request_header_access WWW-Authenticate allow all
3418 # request_header_access Proxy-Authorization allow all
3419 # request_header_access Proxy-Authenticate allow all
3420 # request_header_access Cache-Control allow all
3421 # request_header_access Content-Encoding allow all
3422 # request_header_access Content-Length allow all
3423 # request_header_access Content-Type allow all
3424 # request_header_access Date allow all
3425 # request_header_access Expires allow all
3426 # request_header_access Host allow all
3427 # request_header_access If-Modified-Since allow all
3428 # request_header_access Last-Modified allow all
3429 # request_header_access Location allow all
3430 # request_header_access Pragma allow all
3431 # request_header_access Accept allow all
3432 # request_header_access Accept-Charset allow all
3433 # request_header_access Accept-Encoding allow all
3434 # request_header_access Accept-Language allow all
3435 # request_header_access Content-Language allow all
3436 # request_header_access Mime-Version allow all
3437 # request_header_access Retry-After allow all
3438 # request_header_access Title allow all
3439 # request_header_access Connection allow all
3440 # request_header_access All deny all
3441 #
3442 # although many of those are HTTP reply headers, and so should be
3443 # controlled with the reply_header_access directive.
3444 #
3445 # By default, all headers are allowed (no anonymizing is
3446 # performed).
3447 #Default:
3448 # none
3450 # TAG: reply_header_access
3451 # Usage: reply_header_access header_name allow|deny [!]aclname ...
3452 #
3453 # WARNING: Doing this VIOLATES the HTTP standard. Enabling
3454 # this feature could make you liable for problems which it
3455 # causes.
3456 #
3457 # This option only applies to reply headers, i.e., from the
3458 # server to the client.
3459 #
3460 # This is the same as request_header_access, but in the other
3461 # direction.
3462 #
3463 # This option replaces the old 'anonymize_headers' and the
3464 # older 'http_anonymizer' option with something that is much
3465 # more configurable. This new method creates a list of ACLs
3466 # for each header, allowing you very fine-tuned header
3467 # mangling.
3468 #
3469 # You can only specify known headers for the header name.
3470 # Other headers are reclassified as 'Other'. You can also
3471 # refer to all the headers with 'All'.
3472 #
3473 # For example, to achieve the same behavior as the old
3474 # 'http_anonymizer standard' option, you should use:
3475 #
3476 # reply_header_access From deny all
3477 # reply_header_access Referer deny all
3478 # reply_header_access Server deny all
3479 # reply_header_access User-Agent deny all
3480 # reply_header_access WWW-Authenticate deny all
3481 # reply_header_access Link deny all
3482 #
3483 # Or, to reproduce the old 'http_anonymizer paranoid' feature
3484 # you should use:
3485 #
3486 # reply_header_access Allow allow all
3487 # reply_header_access Authorization allow all
3488 # reply_header_access WWW-Authenticate allow all
3489 # reply_header_access Proxy-Authorization allow all
3490 # reply_header_access Proxy-Authenticate allow all
3491 # reply_header_access Cache-Control allow all
3492 # reply_header_access Content-Encoding allow all
3493 # reply_header_access Content-Length allow all
3494 # reply_header_access Content-Type allow all
3495 # reply_header_access Date allow all
3496 # reply_header_access Expires allow all
3497 # reply_header_access Host allow all
3498 # reply_header_access If-Modified-Since allow all
3499 # reply_header_access Last-Modified allow all
3500 # reply_header_access Location allow all
3501 # reply_header_access Pragma allow all
3502 # reply_header_access Accept allow all
3503 # reply_header_access Accept-Charset allow all
3504 # reply_header_access Accept-Encoding allow all
3505 # reply_header_access Accept-Language allow all
3506 # reply_header_access Content-Language allow all
3507 # reply_header_access Mime-Version allow all
3508 # reply_header_access Retry-After allow all
3509 # reply_header_access Title allow all
3510 # reply_header_access Connection allow all
3511 # reply_header_access All deny all
3512 #
3513 # although the HTTP request headers won't be usefully controlled
3514 # by this directive -- see request_header_access for details.
3515 #
3516 # By default, all headers are allowed (no anonymizing is
3517 # performed).
3518 #Default:
3519 # none
3521 # TAG: request_header_replace
3522 # Usage: request_header_replace header_name message
3523 # Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
3524 #
3525 # This option allows you to change the contents of headers
3526 # denied with request_header_access above, by replacing them
3527 # with some fixed string. This replaces the old fake_user_agent
3528 # option.
3529 #
3530 # This only applies to request headers, not reply headers.
3531 #
3532 # By default, headers are removed if denied.
3533 #Default:
3534 # none
3536 # TAG: reply_header_replace
3537 # Usage: reply_header_replace header_name message
3538 # Example: reply_header_replace Server Foo/1.0
3539 #
3540 # This option allows you to change the contents of headers
3541 # denied with reply_header_access above, by replacing them
3542 # with some fixed string.
3543 #
3544 # This only applies to reply headers, not request headers.
3545 #
3546 # By default, headers are removed if denied.
3547 #Default:
3548 # none
3550 # TAG: relaxed_header_parser on|off|warn
3551 # In the default "on" setting Squid accepts certain forms
3552 # of non-compliant HTTP messages where it is unambiguous
3553 # what the sending application intended even if the message
3554 # is not correctly formatted. The messages is then normalized
3555 # to the correct form when forwarded by Squid.
3556 #
3557 # If set to "warn" then a warning will be emitted in cache.log
3558 # each time such HTTP error is encountered.
3559 #
3560 # If set to "off" then such HTTP errors will cause the request
3561 # or response to be rejected.
3562 #Default:
3563 # relaxed_header_parser on
3565 # TAG: ignore_expect_100 on|off
3566 # This option makes Squid ignore any Expect: 100-continue header present
3567 # in the request. RFC 2616 requires that Squid being unable to satisfy
3568 # the response expectation MUST return a 417 error.
3569 #
3570 # Note: Enabling this is a HTTP protocol violation, but some clients may
3571 # not handle it well..
3572 #Default:
3573 # ignore_expect_100 off
3575 # TIMEOUTS
3576 # -----------------------------------------------------------------------------
3578 # TAG: forward_timeout time-units
3579 # This parameter specifies how long Squid should at most attempt in
3580 # finding a forwarding path for the request before giving up.
3581 #Default:
3582 # forward_timeout 4 minutes
3584 # TAG: connect_timeout time-units
3585 # This parameter specifies how long to wait for the TCP connect to
3586 # the requested server or peer to complete before Squid should
3587 # attempt to find another path where to forward the request.
3588 #Default:
3589 # connect_timeout 1 minute
3591 # TAG: peer_connect_timeout time-units
3592 # This parameter specifies how long to wait for a pending TCP
3593 # connection to a peer cache. The default is 30 seconds. You
3594 # may also set different timeout values for individual neighbors
3595 # with the 'connect-timeout' option on a 'cache_peer' line.
3596 #Default:
3597 # peer_connect_timeout 30 seconds
3599 # TAG: read_timeout time-units
3600 # The read_timeout is applied on server-side connections. After
3601 # each successful read(), the timeout will be extended by this
3602 # amount. If no data is read again after this amount of time,
3603 # the request is aborted and logged with ERR_READ_TIMEOUT. The
3604 # default is 15 minutes.
3605 #Default:
3606 # read_timeout 15 minutes
3608 # TAG: request_timeout
3609 # How long to wait for complete HTTP request headers after initial
3610 # connection establishment.
3611 #Default:
3612 # request_timeout 5 minutes
3614 # TAG: persistent_request_timeout
3615 # How long to wait for the next HTTP request on a persistent
3616 # connection after the previous request completes.
3617 #Default:
3618 # persistent_request_timeout 2 minutes
3620 # TAG: client_lifetime time-units
3621 # The maximum amount of time a client (browser) is allowed to
3622 # remain connected to the cache process. This protects the Cache
3623 # from having a lot of sockets (and hence file descriptors) tied up
3624 # in a CLOSE_WAIT state from remote clients that go away without
3625 # properly shutting down (either because of a network failure or
3626 # because of a poor client implementation). The default is one
3627 # day, 1440 minutes.
3628 #
3629 # NOTE: The default value is intended to be much larger than any
3630 # client would ever need to be connected to your cache. You
3631 # should probably change client_lifetime only as a last resort.
3632 # If you seem to have many client connections tying up
3633 # filedescriptors, we recommend first tuning the read_timeout,
3634 # request_timeout, persistent_request_timeout and quick_abort values.
3635 #Default:
3636 # client_lifetime 1 day
3638 # TAG: half_closed_clients
3639 # Some clients may shutdown the sending side of their TCP
3640 # connections, while leaving their receiving sides open. Sometimes,
3641 # Squid can not tell the difference between a half-closed and a
3642 # fully-closed TCP connection.
3643 #
3644 # By default, Squid will immediately close client connections when
3645 # read(2) returns "no more data to read."
3646 #
3647 # Change this option to 'on' and Squid will keep open connections
3648 # until a read(2) or write(2) on the socket returns an error.
3649 # This may show some benefits for reverse proxies. But if not
3650 # it is recommended to leave OFF.
3651 #Default:
3652 # half_closed_clients off
3654 # TAG: pconn_timeout
3655 # Timeout for idle persistent connections to servers and other
3656 # proxies.
3657 #Default:
3658 # pconn_timeout 1 minute
3660 # TAG: ident_timeout
3661 # Maximum time to wait for IDENT lookups to complete.
3662 #
3663 # If this is too high, and you enabled IDENT lookups from untrusted
3664 # users, you might be susceptible to denial-of-service by having
3665 # many ident requests going at once.
3666 #Default:
3667 # ident_timeout 10 seconds
3669 # TAG: shutdown_lifetime time-units
3670 # When SIGTERM or SIGHUP is received, the cache is put into
3671 # "shutdown pending" mode until all active sockets are closed.
3672 # This value is the lifetime to set for all open descriptors
3673 # during shutdown mode. Any active clients after this many
3674 # seconds will receive a 'timeout' message.
3675 #Default:
3676 # shutdown_lifetime 30 seconds
3678 # ADMINISTRATIVE PARAMETERS
3679 # -----------------------------------------------------------------------------
3681 # TAG: cache_mgr
3682 # Email-address of local cache manager who will receive
3683 # mail if the cache dies. The default is "webmaster."
3684 #Default:
3685 # cache_mgr webmaster
3687 # TAG: mail_from
3688 # From: email-address for mail sent when the cache dies.
3689 # The default is to use 'appname@unique_hostname'.
3690 # Default appname value is "squid", can be changed into
3691 # src/globals.h before building squid.
3692 #Default:
3693 # none
3695 # TAG: mail_program
3696 # Email program used to send mail if the cache dies.
3697 # The default is "mail". The specified program must comply
3698 # with the standard Unix mail syntax:
3699 # mail-program recipient < mailfile
3700 #
3701 # Optional command line options can be specified.
3702 #Default:
3703 # mail_program mail
3705 # TAG: cache_effective_user
3706 # If you start Squid as root, it will change its effective/real
3707 # UID/GID to the user specified below. The default is to change
3708 # to UID of proxy.
3709 # see also; cache_effective_group
3710 #Default:
3711 # cache_effective_user proxy
3713 # TAG: cache_effective_group
3714 # Squid sets the GID to the effective user's default group ID
3715 # (taken from the password file) and supplementary group list
3716 # from the groups membership.
3717 #
3718 # If you want Squid to run with a specific GID regardless of
3719 # the group memberships of the effective user then set this
3720 # to the group (or GID) you want Squid to run as. When set
3721 # all other group privileges of the effective user are ignored
3722 # and only this GID is effective. If Squid is not started as
3723 # root the user starting Squid MUST be member of the specified
3724 # group.
3725 #
3726 # This option is not recommended by the Squid Team.
3727 # Our preference is for administrators to configure a secure
3728 # user account for squid with UID/GID matching system policies.
3729 #Default:
3730 # none
3732 # TAG: httpd_suppress_version_string on|off
3733 # Suppress Squid version string info in HTTP headers and HTML error pages.
3734 #Default:
3735 # httpd_suppress_version_string off
3737 # TAG: visible_hostname
3738 # If you want to present a special hostname in error messages, etc,
3739 # define this. Otherwise, the return value of gethostname()
3740 # will be used. If you have multiple caches in a cluster and
3741 # get errors about IP-forwarding you must set them to have individual
3742 # names with this setting.
3743 #Default:
3744 # visible_hostname localhost
3746 # TAG: unique_hostname
3747 # If you want to have multiple machines with the same
3748 # 'visible_hostname' you must give each machine a different
3749 # 'unique_hostname' so forwarding loops can be detected.
3750 #Default:
3751 # none
3753 # TAG: hostname_aliases
3754 # A list of other DNS names your cache has.
3755 #Default:
3756 # none
3758 # TAG: umask
3759 # Minimum umask which should be enforced while the proxy
3760 # is running, in addition to the umask set at startup.
3761 #
3762 # For a traditional octal representation of umasks, start
3763 # your value with 0.
3764 #Default:
3765 # umask 027
3767 # OPTIONS FOR THE CACHE REGISTRATION SERVICE
3768 # -----------------------------------------------------------------------------
3769 #
3770 # This section contains parameters for the (optional) cache
3771 # announcement service. This service is provided to help
3772 # cache administrators locate one another in order to join or
3773 # create cache hierarchies.
3774 #
3775 # An 'announcement' message is sent (via UDP) to the registration
3776 # service by Squid. By default, the announcement message is NOT
3777 # SENT unless you enable it with 'announce_period' below.
3778 #
3779 # The announcement message includes your hostname, plus the
3780 # following information from this configuration file:
3781 #
3782 # http_port
3783 # icp_port
3784 # cache_mgr
3785 #
3786 # All current information is processed regularly and made
3787 # available on the Web at http://www.ircache.net/Cache/Tracker/.
3789 # TAG: announce_period
3790 # This is how frequently to send cache announcements. The
3791 # default is `0' which disables sending the announcement
3792 # messages.
3793 #
3794 # To enable announcing your cache, just set an announce period.
3795 #
3796 # Example:
3797 # announce_period 1 day
3798 #Default:
3799 # announce_period 0
3801 # TAG: announce_host
3802 #Default:
3803 # announce_host tracker.ircache.net
3805 # TAG: announce_file
3806 #Default:
3807 # none
3809 # TAG: announce_port
3810 # announce_host and announce_port set the hostname and port
3811 # number where the registration message will be sent.
3812 #
3813 # Hostname will default to 'tracker.ircache.net' and port will
3814 # default default to 3131. If the 'filename' argument is given,
3815 # the contents of that file will be included in the announce
3816 # message.
3817 #Default:
3818 # announce_port 3131
3820 # HTTPD-ACCELERATOR OPTIONS
3821 # -----------------------------------------------------------------------------
3823 # TAG: httpd_accel_surrogate_id
3824 # Surrogates (http://www.esi.org/architecture_spec_1.0.html)
3825 # need an identification token to allow control targeting. Because
3826 # a farm of surrogates may all perform the same tasks, they may share
3827 # an identification token.
3828 #Default:
3829 # httpd_accel_surrogate_id unset-id
3831 # TAG: http_accel_surrogate_remote on|off
3832 # Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
3833 # Set this to on to have squid behave as a remote surrogate.
3834 #Default:
3835 # http_accel_surrogate_remote off
3837 # TAG: esi_parser libxml2|expat|custom
3838 # ESI markup is not strictly XML compatible. The custom ESI parser
3839 # will give higher performance, but cannot handle non ASCII character
3840 # encodings.
3841 #Default:
3842 # esi_parser custom
3844 # DELAY POOL PARAMETERS
3845 # -----------------------------------------------------------------------------
3847 # TAG: delay_pools
3848 # This represents the number of delay pools to be used. For example,
3849 # if you have one class 2 delay pool and one class 3 delays pool, you
3850 # have a total of 2 delay pools.
3851 #Default:
3852 # delay_pools 0
3854 # TAG: delay_class
3855 # This defines the class of each delay pool. There must be exactly one
3856 # delay_class line for each delay pool. For example, to define two
3857 # delay pools, one of class 2 and one of class 3, the settings above
3858 # and here would be:
3859 #
3860 # Example:
3861 # delay_pools 4 # 4 delay pools
3862 # delay_class 1 2 # pool 1 is a class 2 pool
3863 # delay_class 2 3 # pool 2 is a class 3 pool
3864 # delay_class 3 4 # pool 3 is a class 4 pool
3865 # delay_class 4 5 # pool 4 is a class 5 pool
3866 #
3867 # The delay pool classes are:
3868 #
3869 # class 1 Everything is limited by a single aggregate
3870 # bucket.
3871 #
3872 # class 2 Everything is limited by a single aggregate
3873 # bucket as well as an "individual" bucket chosen
3874 # from bits 25 through 32 of the IPv4 address.
3875 #
3876 # class 3 Everything is limited by a single aggregate
3877 # bucket as well as a "network" bucket chosen
3878 # from bits 17 through 24 of the IP address and a
3879 # "individual" bucket chosen from bits 17 through
3880 # 32 of the IPv4 address.
3881 #
3882 # class 4 Everything in a class 3 delay pool, with an
3883 # additional limit on a per user basis. This
3884 # only takes effect if the username is established
3885 # in advance - by forcing authentication in your
3886 # http_access rules.
3887 #
3888 # class 5 Requests are grouped according their tag (see
3889 # external_acl's tag= reply).
3890 #
3891 #
3892 # Each pool also requires a delay_parameters directive to configure the pool size
3893 # and speed limits used whenever the pool is applied to a request. Along with
3894 # a set of delay_access directives to determine when it is used.
3895 #
3896 # NOTE: If an IP address is a.b.c.d
3897 # -> bits 25 through 32 are "d"
3898 # -> bits 17 through 24 are "c"
3899 # -> bits 17 through 32 are "c * 256 + d"
3900 #
3901 # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
3902 # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
3903 #Default:
3904 # none
3906 # TAG: delay_access
3907 # This is used to determine which delay pool a request falls into.
3908 #
3909 # delay_access is sorted per pool and the matching starts with pool 1,
3910 # then pool 2, ..., and finally pool N. The first delay pool where the
3911 # request is allowed is selected for the request. If it does not allow
3912 # the request to any pool then the request is not delayed (default).
3913 #
3914 # For example, if you want some_big_clients in delay
3915 # pool 1 and lotsa_little_clients in delay pool 2:
3916 #
3917 #Example:
3918 # delay_access 1 allow some_big_clients
3919 # delay_access 1 deny all
3920 # delay_access 2 allow lotsa_little_clients
3921 # delay_access 2 deny all
3922 # delay_access 3 allow authenticated_clients
3923 #Default:
3924 # none
3926 # TAG: delay_parameters
3927 # This defines the parameters for a delay pool. Each delay pool has
3928 # a number of "buckets" associated with it, as explained in the
3929 # description of delay_class.
3930 #
3931 # For a class 1 delay pool, the syntax is:
3932 # delay_pools pool 1
3933 # delay_parameters pool aggregate
3934 #
3935 # For a class 2 delay pool:
3936 # delay_pools pool 2
3937 # delay_parameters pool aggregate individual
3938 #
3939 # For a class 3 delay pool:
3940 # delay_pools pool 3
3941 # delay_parameters pool aggregate network individual
3942 #
3943 # For a class 4 delay pool:
3944 # delay_pools pool 4
3945 # delay_parameters pool aggregate network individual user
3946 #
3947 # For a class 5 delay pool:
3948 # delay_pools pool 5
3949 # delay_parameters pool tagrate
3950 #
3951 # The option variables are:
3952 #
3953 # pool a pool number - ie, a number between 1 and the
3954 # number specified in delay_pools as used in
3955 # delay_class lines.
3956 #
3957 # aggregate the speed limit parameters for the aggregate bucket
3958 # (class 1, 2, 3).
3959 #
3960 # individual the speed limit parameters for the individual
3961 # buckets (class 2, 3).
3962 #
3963 # network the speed limit parameters for the network buckets
3964 # (class 3).
3965 #
3966 # user the speed limit parameters for the user buckets
3967 # (class 4).
3968 #
3969 # tagrate the speed limit parameters for the tag buckets
3970 # (class 5).
3971 #
3972 # A pair of delay parameters is written restore/maximum, where restore is
3973 # the number of bytes (not bits - modem and network speeds are usually
3974 # quoted in bits) per second placed into the bucket, and maximum is the
3975 # maximum number of bytes which can be in the bucket at any time.
3976 #
3977 # There must be one delay_parameters line for each delay pool.
3978 #
3979 #
3980 # For example, if delay pool number 1 is a class 2 delay pool as in the
3981 # above example, and is being used to strictly limit each host to 64Kbit/sec
3982 # (plus overheads), with no overall limit, the line is:
3983 #
3984 # delay_parameters 1 -1/-1 8000/8000
3985 #
3986 # Note that 8 x 8000 KByte/sec -> 64Kbit/sec.
3987 #
3988 # Note that the figure -1 is used to represent "unlimited".
3989 #
3990 #
3991 # And, if delay pool number 2 is a class 3 delay pool as in the above
3992 # example, and you want to limit it to a total of 256Kbit/sec (strict limit)
3993 # with each 8-bit network permitted 64Kbit/sec (strict limit) and each
3994 # individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
3995 # to permit a decent web page to be downloaded at a decent speed
3996 # (if the network is not being limited due to overuse) but slow down
3997 # large downloads more significantly:
3998 #
3999 # delay_parameters 2 32000/32000 8000/8000 600/8000
4000 #
4001 # Note that 8 x 32000 KByte/sec -> 256Kbit/sec.
4002 # 8 x 8000 KByte/sec -> 64Kbit/sec.
4003 # 8 x 600 Byte/sec -> 4800bit/sec.
4004 #
4005 #
4006 # Finally, for a class 4 delay pool as in the example - each user will
4007 # be limited to 128Kbits/sec no matter how many workstations they are logged into.:
4008 #
4009 # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
4010 #Default:
4011 # none
4013 # TAG: delay_initial_bucket_level (percent, 0-100)
4014 # The initial bucket percentage is used to determine how much is put
4015 # in each bucket when squid starts, is reconfigured, or first notices
4016 # a host accessing it (in class 2 and class 3, individual hosts and
4017 # networks only have buckets associated with them once they have been
4018 # "seen" by squid).
4019 #Default:
4020 # delay_initial_bucket_level 50
4022 # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
4023 # -----------------------------------------------------------------------------
4025 # TAG: wccp_router
4026 # Use this option to define your WCCP ``home'' router for
4027 # Squid.
4028 #
4029 # wccp_router supports a single WCCP(v1) router
4030 #
4031 # wccp2_router supports multiple WCCPv2 routers
4032 #
4033 # only one of the two may be used at the same time and defines
4034 # which version of WCCP to use.
4035 #Default:
4036 # wccp_router any_addr
4038 # TAG: wccp2_router
4039 # Use this option to define your WCCP ``home'' router for
4040 # Squid.
4041 #
4042 # wccp_router supports a single WCCP(v1) router
4043 #
4044 # wccp2_router supports multiple WCCPv2 routers
4045 #
4046 # only one of the two may be used at the same time and defines
4047 # which version of WCCP to use.
4048 #Default:
4049 # none
4051 # TAG: wccp_version
4052 # This directive is only relevant if you need to set up WCCP(v1)
4053 # to some very old and end-of-life Cisco routers. In all other
4054 # setups it must be left unset or at the default setting.
4055 # It defines an internal version in the WCCP(v1) protocol,
4056 # with version 4 being the officially documented protocol.
4057 #
4058 # According to some users, Cisco IOS 11.2 and earlier only
4059 # support WCCP version 3. If you're using that or an earlier
4060 # version of IOS, you may need to change this value to 3, otherwise
4061 # do not specify this parameter.
4062 #Default:
4063 # wccp_version 4
4065 # TAG: wccp2_rebuild_wait
4066 # If this is enabled Squid will wait for the cache dir rebuild to finish
4067 # before sending the first wccp2 HereIAm packet
4068 #Default:
4069 # wccp2_rebuild_wait on
4071 # TAG: wccp2_forwarding_method
4072 # WCCP2 allows the setting of forwarding methods between the
4073 # router/switch and the cache. Valid values are as follows:
4074 #
4075 # gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4076 # l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
4077 #
4078 # Currently (as of IOS 12.4) cisco routers only support GRE.
4079 # Cisco switches only support the L2 redirect assignment method.
4080 #Default:
4081 # wccp2_forwarding_method gre
4083 # TAG: wccp2_return_method
4084 # WCCP2 allows the setting of return methods between the
4085 # router/switch and the cache for packets that the cache
4086 # decides not to handle. Valid values are as follows:
4087 #
4088 # gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4089 # l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
4090 #
4091 # Currently (as of IOS 12.4) cisco routers only support GRE.
4092 # Cisco switches only support the L2 redirect assignment.
4093 #
4094 # If the "ip wccp redirect exclude in" command has been
4095 # enabled on the cache interface, then it is still safe for
4096 # the proxy server to use a l2 redirect method even if this
4097 # option is set to GRE.
4098 #Default:
4099 # wccp2_return_method gre
4101 # TAG: wccp2_assignment_method
4102 # WCCP2 allows the setting of methods to assign the WCCP hash
4103 # Valid values are as follows:
4104 #
4105 # hash - Hash assignment
4106 # mask - Mask assignment
4107 #
4108 # As a general rule, cisco routers support the hash assignment method
4109 # and cisco switches support the mask assignment method.
4110 #Default:
4111 # wccp2_assignment_method hash
4113 # TAG: wccp2_service
4114 # WCCP2 allows for multiple traffic services. There are two
4115 # types: "standard" and "dynamic". The standard type defines
4116 # one service id - http (id 0). The dynamic service ids can be from
4117 # 51 to 255 inclusive. In order to use a dynamic service id
4118 # one must define the type of traffic to be redirected; this is done
4119 # using the wccp2_service_info option.
4120 #
4121 # The "standard" type does not require a wccp2_service_info option,
4122 # just specifying the service id will suffice.
4123 #
4124 # MD5 service authentication can be enabled by adding
4125 # "password=<password>" to the end of this service declaration.
4126 #
4127 # Examples:
4128 #
4129 # wccp2_service standard 0 # for the 'web-cache' standard service
4130 # wccp2_service dynamic 80 # a dynamic service type which will be
4131 # # fleshed out with subsequent options.
4132 # wccp2_service standard 0 password=foo
4133 #Default:
4134 # wccp2_service standard 0
4136 # TAG: wccp2_service_info
4137 # Dynamic WCCPv2 services require further information to define the
4138 # traffic you wish to have diverted.
4139 #
4140 # The format is:
4141 #
4142 # wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
4143 # priority=<priority> ports=<port>,<port>..
4144 #
4145 # The relevant WCCPv2 flags:
4146 # + src_ip_hash, dst_ip_hash
4147 # + source_port_hash, dst_port_hash
4148 # + src_ip_alt_hash, dst_ip_alt_hash
4149 # + src_port_alt_hash, dst_port_alt_hash
4150 # + ports_source
4151 #
4152 # The port list can be one to eight entries.
4153 #
4154 # Example:
4155 #
4156 # wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
4157 # priority=240 ports=80
4158 #
4159 # Note: the service id must have been defined by a previous
4160 # 'wccp2_service dynamic <id>' entry.
4161 #Default:
4162 # none
4164 # TAG: wccp2_weight
4165 # Each cache server gets assigned a set of the destination
4166 # hash proportional to their weight.
4167 #Default:
4168 # wccp2_weight 10000
4170 # TAG: wccp_address
4171 #Default:
4172 # wccp_address 0.0.0.0
4174 # TAG: wccp2_address
4175 # Use this option if you require WCCP to use a specific
4176 # interface address.
4177 #
4178 # The default behavior is to not bind to any specific address.
4179 #Default:
4180 # wccp2_address 0.0.0.0
4182 # PERSISTENT CONNECTION HANDLING
4183 # -----------------------------------------------------------------------------
4184 #
4185 # Also see "pconn_timeout" in the TIMEOUTS section
4187 # TAG: client_persistent_connections
4188 #Default:
4189 # client_persistent_connections on
4191 # TAG: server_persistent_connections
4192 # Persistent connection support for clients and servers. By
4193 # default, Squid uses persistent connections (when allowed)
4194 # with its clients and servers. You can use these options to
4195 # disable persistent connections with clients and/or servers.
4196 #Default:
4197 # server_persistent_connections on
4199 # TAG: persistent_connection_after_error
4200 # With this directive the use of persistent connections after
4201 # HTTP errors can be disabled. Useful if you have clients
4202 # who fail to handle errors on persistent connections proper.
4203 #Default:
4204 # persistent_connection_after_error on
4206 # TAG: detect_broken_pconn
4207 # Some servers have been found to incorrectly signal the use
4208 # of HTTP/1.0 persistent connections even on replies not
4209 # compatible, causing significant delays. This server problem
4210 # has mostly been seen on redirects.
4211 #
4212 # By enabling this directive Squid attempts to detect such
4213 # broken replies and automatically assume the reply is finished
4214 # after 10 seconds timeout.
4215 #Default:
4216 # detect_broken_pconn off
4218 # CACHE DIGEST OPTIONS
4219 # -----------------------------------------------------------------------------
4221 # TAG: digest_generation
4222 # This controls whether the server will generate a Cache Digest
4223 # of its contents. By default, Cache Digest generation is
4224 # enabled if Squid is compiled with --enable-cache-digests defined.
4225 #Default:
4226 # digest_generation on
4228 # TAG: digest_bits_per_entry
4229 # This is the number of bits of the server's Cache Digest which
4230 # will be associated with the Digest entry for a given HTTP
4231 # Method and URL (public key) combination. The default is 5.
4232 #Default:
4233 # digest_bits_per_entry 5
4235 # TAG: digest_rebuild_period (seconds)
4236 # This is the wait time between Cache Digest rebuilds.
4237 #Default:
4238 # digest_rebuild_period 1 hour
4240 # TAG: digest_rewrite_period (seconds)
4241 # This is the wait time between Cache Digest writes to
4242 # disk.
4243 #Default:
4244 # digest_rewrite_period 1 hour
4246 # TAG: digest_swapout_chunk_size (bytes)
4247 # This is the number of bytes of the Cache Digest to write to
4248 # disk at a time. It defaults to 4096 bytes (4KB), the Squid
4249 # default swap page.
4250 #Default:
4251 # digest_swapout_chunk_size 4096 bytes
4253 # TAG: digest_rebuild_chunk_percentage (percent, 0-100)
4254 # This is the percentage of the Cache Digest to be scanned at a
4255 # time. By default it is set to 10% of the Cache Digest.
4256 #Default:
4257 # digest_rebuild_chunk_percentage 10
4259 # SNMP OPTIONS
4260 # -----------------------------------------------------------------------------
4262 # TAG: snmp_port
4263 # The port number where Squid listens for SNMP requests. To enable
4264 # SNMP support set this to a suitable port number. Port number
4265 # 3401 is often used for the Squid SNMP agent. By default it's
4266 # set to "0" (disabled)
4267 #
4268 # Example:
4269 # snmp_port 3401
4270 #Default:
4271 # snmp_port 0
4273 # TAG: snmp_access
4274 # Allowing or denying access to the SNMP port.
4275 #
4276 # All access to the agent is denied by default.
4277 # usage:
4278 #
4279 # snmp_access allow|deny [!]aclname ...
4280 #
4281 # This clause only supports fast acl types.
4282 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
4283 #Example:
4284 # snmp_access allow snmppublic localhost
4285 # snmp_access deny all
4286 #Default:
4287 # snmp_access deny all
4289 # TAG: snmp_incoming_address
4290 #Default:
4291 # snmp_incoming_address any_addr
4293 # TAG: snmp_outgoing_address
4294 # Just like 'udp_incoming_address', but for the SNMP port.
4295 #
4296 # snmp_incoming_address is used for the SNMP socket receiving
4297 # messages from SNMP agents.
4298 # snmp_outgoing_address is used for SNMP packets returned to SNMP
4299 # agents.
4300 #
4301 # The default snmp_incoming_address is to listen on all
4302 # available network interfaces.
4303 #
4304 # If snmp_outgoing_address is not set it will use the same socket
4305 # as snmp_incoming_address. Only change this if you want to have
4306 # SNMP replies sent using another address than where this Squid
4307 # listens for SNMP queries.
4308 #
4309 # NOTE, snmp_incoming_address and snmp_outgoing_address can not have
4310 # the same value since they both use port 3401.
4311 #Default:
4312 # snmp_outgoing_address no_addr
4314 # ICP OPTIONS
4315 # -----------------------------------------------------------------------------
4317 # TAG: icp_port
4318 # The port number where Squid sends and receives ICP queries to
4319 # and from neighbor caches. The standard UDP port for ICP is 3130.
4320 # Default is disabled (0).
4321 #
4322 # Example:
4323 # icp_port 3130
4324 #Default:
4325 # icp_port 0
4327 # TAG: htcp_port
4328 # The port number where Squid sends and receives HTCP queries to
4329 # and from neighbor caches. To turn it on you want to set it to
4330 # 4827. By default it is set to "0" (disabled).
4331 #
4332 # Example:
4333 # htcp_port 4827
4334 #Default:
4335 # htcp_port 0
4337 # TAG: log_icp_queries on|off
4338 # If set, ICP queries are logged to access.log. You may wish
4339 # do disable this if your ICP load is VERY high to speed things
4340 # up or to simplify log analysis.
4341 #Default:
4342 # log_icp_queries on
4344 # TAG: udp_incoming_address
4345 # udp_incoming_address is used for UDP packets received from other
4346 # caches.
4347 #
4348 # The default behavior is to not bind to any specific address.
4349 #
4350 # Only change this if you want to have all UDP queries received on
4351 # a specific interface/address.
4352 #
4353 # NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
4354 # modules. Altering it will affect all of them in the same manner.
4355 #
4356 # see also; udp_outgoing_address
4357 #
4358 # NOTE, udp_incoming_address and udp_outgoing_address can not
4359 # have the same value since they both use the same port.
4360 #Default:
4361 # udp_incoming_address any_addr
4363 # TAG: udp_outgoing_address
4364 # udp_outgoing_address is used for UDP packets sent out to other
4365 # caches.
4366 #
4367 # The default behavior is to not bind to any specific address.
4368 #
4369 # Instead it will use the same socket as udp_incoming_address.
4370 # Only change this if you want to have UDP queries sent using another
4371 # address than where this Squid listens for UDP queries from other
4372 # caches.
4373 #
4374 # NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
4375 # modules. Altering it will affect all of them in the same manner.
4376 #
4377 # see also; udp_incoming_address
4378 #
4379 # NOTE, udp_incoming_address and udp_outgoing_address can not
4380 # have the same value since they both use the same port.
4381 #Default:
4382 # udp_outgoing_address no_addr
4384 # TAG: icp_hit_stale on|off
4385 # If you want to return ICP_HIT for stale cache objects, set this
4386 # option to 'on'. If you have sibling relationships with caches
4387 # in other administrative domains, this should be 'off'. If you only
4388 # have sibling relationships with caches under your control,
4389 # it is probably okay to set this to 'on'.
4390 # If set to 'on', your siblings should use the option "allow-miss"
4391 # on their cache_peer lines for connecting to you.
4392 #Default:
4393 # icp_hit_stale off
4395 # TAG: minimum_direct_hops
4396 # If using the ICMP pinging stuff, do direct fetches for sites
4397 # which are no more than this many hops away.
4398 #Default:
4399 # minimum_direct_hops 4
4401 # TAG: minimum_direct_rtt
4402 # If using the ICMP pinging stuff, do direct fetches for sites
4403 # which are no more than this many rtt milliseconds away.
4404 #Default:
4405 # minimum_direct_rtt 400
4407 # TAG: netdb_low
4408 #Default:
4409 # netdb_low 900
4411 # TAG: netdb_high
4412 # The low and high water marks for the ICMP measurement
4413 # database. These are counts, not percents. The defaults are
4414 # 900 and 1000. When the high water mark is reached, database
4415 # entries will be deleted until the low mark is reached.
4416 #Default:
4417 # netdb_high 1000
4419 # TAG: netdb_ping_period
4420 # The minimum period for measuring a site. There will be at
4421 # least this much delay between successive pings to the same
4422 # network. The default is five minutes.
4423 #Default:
4424 # netdb_ping_period 5 minutes
4426 # TAG: query_icmp on|off
4427 # If you want to ask your peers to include ICMP data in their ICP
4428 # replies, enable this option.
4429 #
4430 # If your peer has configured Squid (during compilation) with
4431 # '--enable-icmp' that peer will send ICMP pings to origin server
4432 # sites of the URLs it receives. If you enable this option the
4433 # ICP replies from that peer will include the ICMP data (if available).
4434 # Then, when choosing a parent cache, Squid will choose the parent with
4435 # the minimal RTT to the origin server. When this happens, the
4436 # hierarchy field of the access.log will be
4437 # "CLOSEST_PARENT_MISS". This option is off by default.
4438 #Default:
4439 # query_icmp off
4441 # TAG: test_reachability on|off
4442 # When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
4443 # instead of ICP_MISS if the target host is NOT in the ICMP
4444 # database, or has a zero RTT.
4445 #Default:
4446 # test_reachability off
4448 # TAG: icp_query_timeout (msec)
4449 # Normally Squid will automatically determine an optimal ICP
4450 # query timeout value based on the round-trip-time of recent ICP
4451 # queries. If you want to override the value determined by
4452 # Squid, set this 'icp_query_timeout' to a non-zero value. This
4453 # value is specified in MILLISECONDS, so, to use a 2-second
4454 # timeout (the old default), you would write:
4455 #
4456 # icp_query_timeout 2000
4457 #Default:
4458 # icp_query_timeout 0
4460 # TAG: maximum_icp_query_timeout (msec)
4461 # Normally the ICP query timeout is determined dynamically. But
4462 # sometimes it can lead to very large values (say 5 seconds).
4463 # Use this option to put an upper limit on the dynamic timeout
4464 # value. Do NOT use this option to always use a fixed (instead
4465 # of a dynamic) timeout value. To set a fixed timeout see the
4466 # 'icp_query_timeout' directive.
4467 #Default:
4468 # maximum_icp_query_timeout 2000
4470 # TAG: minimum_icp_query_timeout (msec)
4471 # Normally the ICP query timeout is determined dynamically. But
4472 # sometimes it can lead to very small timeouts, even lower than
4473 # the normal latency variance on your link due to traffic.
4474 # Use this option to put an lower limit on the dynamic timeout
4475 # value. Do NOT use this option to always use a fixed (instead
4476 # of a dynamic) timeout value. To set a fixed timeout see the
4477 # 'icp_query_timeout' directive.
4478 #Default:
4479 # minimum_icp_query_timeout 5
4481 # TAG: background_ping_rate time-units
4482 # Controls how often the ICP pings are sent to siblings that
4483 # have background-ping set.
4484 #Default:
4485 # background_ping_rate 10 seconds
4487 # MULTICAST ICP OPTIONS
4488 # -----------------------------------------------------------------------------
4490 # TAG: mcast_groups
4491 # This tag specifies a list of multicast groups which your server
4492 # should join to receive multicasted ICP queries.
4493 #
4494 # NOTE! Be very careful what you put here! Be sure you
4495 # understand the difference between an ICP _query_ and an ICP
4496 # _reply_. This option is to be set only if you want to RECEIVE
4497 # multicast queries. Do NOT set this option to SEND multicast
4498 # ICP (use cache_peer for that). ICP replies are always sent via
4499 # unicast, so this option does not affect whether or not you will
4500 # receive replies from multicast group members.
4501 #
4502 # You must be very careful to NOT use a multicast address which
4503 # is already in use by another group of caches.
4504 #
4505 # If you are unsure about multicast, please read the Multicast
4506 # chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
4507 #
4508 # Usage: mcast_groups 239.128.16.128 224.0.1.20
4509 #
4510 # By default, Squid doesn't listen on any multicast groups.
4511 #Default:
4512 # none
4514 # TAG: mcast_miss_addr
4515 # Note: This option is only available if Squid is rebuilt with the
4516 # -DMULTICAST_MISS_STREAM define
4517 #
4518 # If you enable this option, every "cache miss" URL will
4519 # be sent out on the specified multicast address.
4520 #
4521 # Do not enable this option unless you are are absolutely
4522 # certain you understand what you are doing.
4523 #Default:
4524 # mcast_miss_addr no_addr
4526 # TAG: mcast_miss_ttl
4527 # Note: This option is only available if Squid is rebuilt with the
4528 # -DMULTICAST_MISS_STREAM define
4529 #
4530 # This is the time-to-live value for packets multicasted
4531 # when multicasting off cache miss URLs is enabled. By
4532 # default this is set to 'site scope', i.e. 16.
4533 #Default:
4534 # mcast_miss_ttl 16
4536 # TAG: mcast_miss_port
4537 # Note: This option is only available if Squid is rebuilt with the
4538 # -DMULTICAST_MISS_STREAM define
4539 #
4540 # This is the port number to be used in conjunction with
4541 # 'mcast_miss_addr'.
4542 #Default:
4543 # mcast_miss_port 3135
4545 # TAG: mcast_miss_encode_key
4546 # Note: This option is only available if Squid is rebuilt with the
4547 # -DMULTICAST_MISS_STREAM define
4548 #
4549 # The URLs that are sent in the multicast miss stream are
4550 # encrypted. This is the encryption key.
4551 #Default:
4552 # mcast_miss_encode_key XXXXXXXXXXXXXXXX
4554 # TAG: mcast_icp_query_timeout (msec)
4555 # For multicast peers, Squid regularly sends out ICP "probes" to
4556 # count how many other peers are listening on the given multicast
4557 # address. This value specifies how long Squid should wait to
4558 # count all the replies. The default is 2000 msec, or 2
4559 # seconds.
4560 #Default:
4561 # mcast_icp_query_timeout 2000
4563 # INTERNAL ICON OPTIONS
4564 # -----------------------------------------------------------------------------
4566 # TAG: icon_directory
4567 # Where the icons are stored. These are normally kept in
4568 # /usr/share/squid3/icons
4569 #Default:
4570 # icon_directory /usr/share/squid3/icons
4572 # TAG: global_internal_static
4573 # This directive controls is Squid should intercept all requests for
4574 # /squid-internal-static/ no matter which host the URL is requesting
4575 # (default on setting), or if nothing special should be done for
4576 # such URLs (off setting). The purpose of this directive is to make
4577 # icons etc work better in complex cache hierarchies where it may
4578 # not always be possible for all corners in the cache mesh to reach
4579 # the server generating a directory listing.
4580 #Default:
4581 # global_internal_static on
4583 # TAG: short_icon_urls
4584 # If this is enabled Squid will use short URLs for icons.
4585 # If disabled it will revert to the old behavior of including
4586 # it's own name and port in the URL.
4587 #
4588 # If you run a complex cache hierarchy with a mix of Squid and
4589 # other proxies you may need to disable this directive.
4590 #Default:
4591 # short_icon_urls on
4593 # ERROR PAGE OPTIONS
4594 # -----------------------------------------------------------------------------
4596 # TAG: error_directory
4597 # If you wish to create your own versions of the default
4598 # error files to customize them to suit your company copy
4599 # the error/template files to another directory and point
4600 # this tag at them.
4601 #
4602 # WARNING: This option will disable multi-language support
4603 # on error pages if used.
4604 #
4605 # The squid developers are interested in making squid available in
4606 # a wide variety of languages. If you are making translations for a
4607 # language that Squid does not currently provide please consider
4608 # contributing your translation back to the project.
4609 # http://wiki.squid-cache.org/Translations
4610 #
4611 # The squid developers working on translations are happy to supply drop-in
4612 # translated error files in exchange for any new language contributions.
4613 #Default:
4614 # none
4616 # TAG: error_default_language
4617 # Set the default language which squid will send error pages in
4618 # if no existing translation matches the clients language
4619 # preferences.
4620 #
4621 # If unset (default) generic English will be used.
4622 #
4623 # The squid developers are interested in making squid available in
4624 # a wide variety of languages. If you are interested in making
4625 # translations for any language see the squid wiki for details.
4626 # http://wiki.squid-cache.org/Translations
4627 #Default:
4628 # none
4630 # TAG: error_log_languages
4631 # Log to cache.log what languages users are attempting to
4632 # auto-negotiate for translations.
4633 #
4634 # Successful negotiations are not logged. Only failures
4635 # have meaning to indicate that Squid may need an upgrade
4636 # of its error page translations.
4637 #Default:
4638 # error_log_languages on
4640 # TAG: err_page_stylesheet
4641 # CSS Stylesheet to pattern the display of Squid default error pages.
4642 #
4643 # For information on CSS see http://www.w3.org/Style/CSS/
4644 #Default:
4645 # err_page_stylesheet /etc/squid3/errorpage.css
4647 # TAG: err_html_text
4648 # HTML text to include in error messages. Make this a "mailto"
4649 # URL to your admin address, or maybe just a link to your
4650 # organizations Web page.
4651 #
4652 # To include this in your error messages, you must rewrite
4653 # the error template files (found in the "errors" directory).
4654 # Wherever you want the 'err_html_text' line to appear,
4655 # insert a %L tag in the error template file.
4656 #Default:
4657 # none
4659 # TAG: email_err_data on|off
4660 # If enabled, information about the occurred error will be
4661 # included in the mailto links of the ERR pages (if %W is set)
4662 # so that the email body contains the data.
4663 # Syntax is <A HREF="mailto:%w%W">%w</A>
4664 #Default:
4665 # email_err_data on
4667 # TAG: deny_info
4668 # Usage: deny_info err_page_name acl
4669 # or deny_info http://... acl
4670 # or deny_info TCP_RESET acl
4671 #
4672 # This can be used to return a ERR_ page for requests which
4673 # do not pass the 'http_access' rules. Squid remembers the last
4674 # acl it evaluated in http_access, and if a 'deny_info' line exists
4675 # for that ACL Squid returns a corresponding error page.
4676 #
4677 # The acl is typically the last acl on the http_access deny line which
4678 # denied access. The exceptions to this rule are:
4679 # - When Squid needs to request authentication credentials. It's then
4680 # the first authentication related acl encountered
4681 # - When none of the http_access lines matches. It's then the last
4682 # acl processed on the last http_access line.
4683 #
4684 # NP: If providing your own custom error pages with error_directory
4685 # you may also specify them by your custom file name:
4686 # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
4687 #
4688 # Alternatively you can specify an error URL. The browsers will
4689 # get redirected (302 or 307) to the specified URL. %s in the redirection
4690 # URL will be replaced by the requested URL.
4691 #
4692 # Alternatively you can tell Squid to reset the TCP connection
4693 # by specifying TCP_RESET.
4694 #Default:
4695 # none
4697 # OPTIONS INFLUENCING REQUEST FORWARDING
4698 # -----------------------------------------------------------------------------
4700 # TAG: nonhierarchical_direct
4701 # By default, Squid will send any non-hierarchical requests
4702 # (matching hierarchy_stoplist or not cacheable request type) direct
4703 # to origin servers.
4704 #
4705 # If you set this to off, Squid will prefer to send these
4706 # requests to parents.
4707 #
4708 # Note that in most configurations, by turning this off you will only
4709 # add latency to these request without any improvement in global hit
4710 # ratio.
4711 #
4712 # If you are inside an firewall see never_direct instead of
4713 # this directive.
4714 #Default:
4715 # nonhierarchical_direct on
4717 # TAG: prefer_direct
4718 # Normally Squid tries to use parents for most requests. If you for some
4719 # reason like it to first try going direct and only use a parent if
4720 # going direct fails set this to on.
4721 #
4722 # By combining nonhierarchical_direct off and prefer_direct on you
4723 # can set up Squid to use a parent as a backup path if going direct
4724 # fails.
4725 #
4726 # Note: If you want Squid to use parents for all requests see
4727 # the never_direct directive. prefer_direct only modifies how Squid
4728 # acts on cacheable requests.
4729 #Default:
4730 # prefer_direct off
4732 # TAG: always_direct
4733 # Usage: always_direct allow|deny [!]aclname ...
4734 #
4735 # Here you can use ACL elements to specify requests which should
4736 # ALWAYS be forwarded by Squid to the origin servers without using
4737 # any peers. For example, to always directly forward requests for
4738 # local servers ignoring any parents or siblings you may have use
4739 # something like:
4740 #
4741 # acl local-servers dstdomain my.domain.net
4742 # always_direct allow local-servers
4743 #
4744 # To always forward FTP requests directly, use
4745 #
4746 # acl FTP proto FTP
4747 # always_direct allow FTP
4748 #
4749 # NOTE: There is a similar, but opposite option named
4750 # 'never_direct'. You need to be aware that "always_direct deny
4751 # foo" is NOT the same thing as "never_direct allow foo". You
4752 # may need to use a deny rule to exclude a more-specific case of
4753 # some other rule. Example:
4754 #
4755 # acl local-external dstdomain external.foo.net
4756 # acl local-servers dstdomain .foo.net
4757 # always_direct deny local-external
4758 # always_direct allow local-servers
4759 #
4760 # NOTE: If your goal is to make the client forward the request
4761 # directly to the origin server bypassing Squid then this needs
4762 # to be done in the client configuration. Squid configuration
4763 # can only tell Squid how Squid should fetch the object.
4764 #
4765 # NOTE: This directive is not related to caching. The replies
4766 # is cached as usual even if you use always_direct. To not cache
4767 # the replies see the 'cache' directive.
4768 #
4769 # This clause supports both fast and slow acl types.
4770 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
4771 #Default:
4772 # none
4774 # TAG: never_direct
4775 # Usage: never_direct allow|deny [!]aclname ...
4776 #
4777 # never_direct is the opposite of always_direct. Please read
4778 # the description for always_direct if you have not already.
4779 #
4780 # With 'never_direct' you can use ACL elements to specify
4781 # requests which should NEVER be forwarded directly to origin
4782 # servers. For example, to force the use of a proxy for all
4783 # requests, except those in your local domain use something like:
4784 #
4785 # acl local-servers dstdomain .foo.net
4786 # never_direct deny local-servers
4787 # never_direct allow all
4788 #
4789 # or if Squid is inside a firewall and there are local intranet
4790 # servers inside the firewall use something like:
4791 #
4792 # acl local-intranet dstdomain .foo.net
4793 # acl local-external dstdomain external.foo.net
4794 # always_direct deny local-external
4795 # always_direct allow local-intranet
4796 # never_direct allow all
4797 #
4798 # This clause supports both fast and slow acl types.
4799 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
4800 #Default:
4801 # none
4803 # ADVANCED NETWORKING OPTIONS
4804 # -----------------------------------------------------------------------------
4806 # TAG: incoming_icp_average
4807 #Default:
4808 # incoming_icp_average 6
4810 # TAG: incoming_http_average
4811 #Default:
4812 # incoming_http_average 4
4814 # TAG: incoming_dns_average
4815 #Default:
4816 # incoming_dns_average 4
4818 # TAG: min_icp_poll_cnt
4819 #Default:
4820 # min_icp_poll_cnt 8
4822 # TAG: min_dns_poll_cnt
4823 #Default:
4824 # min_dns_poll_cnt 8
4826 # TAG: min_http_poll_cnt
4827 # Heavy voodoo here. I can't even believe you are reading this.
4828 # Are you crazy? Don't even think about adjusting these unless
4829 # you understand the algorithms in comm_select.c first!
4830 #Default:
4831 # min_http_poll_cnt 8
4833 # TAG: accept_filter
4834 # FreeBSD:
4835 #
4836 # The name of an accept(2) filter to install on Squid's
4837 # listen socket(s). This feature is perhaps specific to
4838 # FreeBSD and requires support in the kernel.
4839 #
4840 # The 'httpready' filter delays delivering new connections
4841 # to Squid until a full HTTP request has been received.
4842 # See the accf_http(9) man page for details.
4843 #
4844 # The 'dataready' filter delays delivering new connections
4845 # to Squid until there is some data to process.
4846 # See the accf_dataready(9) man page for details.
4847 #
4848 # Linux:
4849 #
4850 # The 'data' filter delays delivering of new connections
4851 # to Squid until there is some data to process by TCP_ACCEPT_DEFER.
4852 # You may optionally specify a number of seconds to wait by
4853 # 'data=N' where N is the number of seconds. Defaults to 30
4854 # if not specified. See the tcp(7) man page for details.
4855 #EXAMPLE:
4856 ## FreeBSD
4857 #accept_filter httpready
4858 ## Linux
4859 #accept_filter data
4860 #Default:
4861 # none
4863 # TAG: client_ip_max_connections
4864 # Set an absolute limit on the number of connections a single
4865 # client IP can use. Any more than this and Squid will begin to drop
4866 # new connections from the client until it closes some links.
4867 #
4868 # Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
4869 # connections from the client. For finer control use the ACL access controls.
4870 #
4871 # Requires client_db to be enabled (the default).
4872 #
4873 # WARNING: This may noticably slow down traffic received via external proxies
4874 # or NAT devices and cause them to rebound error messages back to their clients.
4875 #Default:
4876 # client_ip_max_connections -1
4878 # TAG: tcp_recv_bufsize (bytes)
4879 # Size of receive buffer to set for TCP sockets. Probably just
4880 # as easy to change your kernel's default. Set to zero to use
4881 # the default buffer size.
4882 #Default:
4883 # tcp_recv_bufsize 0 bytes
4885 # ICAP OPTIONS
4886 # -----------------------------------------------------------------------------
4888 # TAG: icap_enable on|off
4889 # If you want to enable the ICAP module support, set this to on.
4890 #Default:
4891 # icap_enable off
4893 # TAG: icap_connect_timeout
4894 # This parameter specifies how long to wait for the TCP connect to
4895 # the requested ICAP server to complete before giving up and either
4896 # terminating the HTTP transaction or bypassing the failure.
4897 #
4898 # The default for optional services is peer_connect_timeout.
4899 # The default for essential services is connect_timeout.
4900 # If this option is explicitly set, its value applies to all services.
4901 #Default:
4902 # none
4904 # TAG: icap_io_timeout time-units
4905 # This parameter specifies how long to wait for an I/O activity on
4906 # an established, active ICAP connection before giving up and
4907 # either terminating the HTTP transaction or bypassing the
4908 # failure.
4909 #
4910 # The default is read_timeout.
4911 #Default:
4912 # none
4914 # TAG: icap_service_failure_limit
4915 # The limit specifies the number of failures that Squid tolerates
4916 # when establishing a new TCP connection with an ICAP service. If
4917 # the number of failures exceeds the limit, the ICAP service is
4918 # not used for new ICAP requests until it is time to refresh its
4919 # OPTIONS. The per-service failure counter is reset to zero each
4920 # time Squid fetches new service OPTIONS.
4921 #
4922 # A negative value disables the limit. Without the limit, an ICAP
4923 # service will not be considered down due to connectivity failures
4924 # between ICAP OPTIONS requests.
4925 #Default:
4926 # icap_service_failure_limit 10
4928 # TAG: icap_service_revival_delay
4929 # The delay specifies the number of seconds to wait after an ICAP
4930 # OPTIONS request failure before requesting the options again. The
4931 # failed ICAP service is considered "down" until fresh OPTIONS are
4932 # fetched.
4933 #
4934 # The actual delay cannot be smaller than the hardcoded minimum
4935 # delay of 30 seconds.
4936 #Default:
4937 # icap_service_revival_delay 180
4939 # TAG: icap_preview_enable on|off
4940 # The ICAP Preview feature allows the ICAP server to handle the
4941 # HTTP message by looking only at the beginning of the message body
4942 # or even without receiving the body at all. In some environments,
4943 # previews greatly speedup ICAP processing.
4944 #
4945 # During an ICAP OPTIONS transaction, the server may tell Squid what
4946 # HTTP messages should be previewed and how big the preview should be.
4947 # Squid will not use Preview if the server did not request one.
4948 #
4949 # To disable ICAP Preview for all ICAP services, regardless of
4950 # individual ICAP server OPTIONS responses, set this option to "off".
4951 #Example:
4952 #icap_preview_enable off
4953 #Default:
4954 # icap_preview_enable on
4956 # TAG: icap_preview_size
4957 # The default size of preview data to be sent to the ICAP server.
4958 # -1 means no preview. This value might be overwritten on a per server
4959 # basis by OPTIONS requests.
4960 #Default:
4961 # icap_preview_size -1
4963 # TAG: icap_default_options_ttl
4964 # The default TTL value for ICAP OPTIONS responses that don't have
4965 # an Options-TTL header.
4966 #Default:
4967 # icap_default_options_ttl 60
4969 # TAG: icap_persistent_connections on|off
4970 # Whether or not Squid should use persistent connections to
4971 # an ICAP server.
4972 #Default:
4973 # icap_persistent_connections on
4975 # TAG: icap_send_client_ip on|off
4976 # If enabled, Squid shares HTTP client IP information with adaptation
4977 # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
4978 # For eCAP, Squid sets the libecap::metaClientIp transaction option.
4979 #
4980 # See also: adaptation_uses_indirect_client
4981 #Default:
4982 # icap_send_client_ip off
4984 # TAG: icap_send_client_username on|off
4985 # This sends authenticated HTTP client username (if available) to
4986 # the ICAP service. The username value is encoded based on the
4987 # icap_client_username_encode option and is sent using the header
4988 # specified by the icap_client_username_header option.
4989 #Default:
4990 # icap_send_client_username off
4992 # TAG: icap_client_username_header
4993 # ICAP request header name to use for send_client_username.
4994 #Default:
4995 # icap_client_username_header X-Client-Username
4997 # TAG: icap_client_username_encode on|off
4998 # Whether to base64 encode the authenticated client username.
4999 #Default:
5000 # icap_client_username_encode off
5002 # TAG: icap_service
5003 # Defines a single ICAP service using the following format:
5004 #
5005 # icap_service service_name vectoring_point [options] service_url
5006 #
5007 # service_name: ID
5008 # an opaque identifier which must be unique in squid.conf
5009 #
5010 # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
5011 # This specifies at which point of transaction processing the
5012 # ICAP service should be activated. *_postcache vectoring points
5013 # are not yet supported.
5014 #
5015 # service_url: icap://servername:port/servicepath
5016 # ICAP server and service location.
5017 #
5018 # ICAP does not allow a single service to handle both REQMOD and RESPMOD
5019 # transactions. Squid does not enforce that requirement. You can specify
5020 # services with the same service_url and different vectoring_points. You
5021 # can even specify multiple identical services as long as their
5022 # service_names differ.
5023 #
5024 #
5025 # Service options are separated by white space. ICAP services support
5026 # the following name=value options:
5027 #
5028 # bypass=on|off|1|0
5029 # If set to 'on' or '1', the ICAP service is treated as
5030 # optional. If the service cannot be reached or malfunctions,
5031 # Squid will try to ignore any errors and process the message as
5032 # if the service was not enabled. No all ICAP errors can be
5033 # bypassed. If set to 0, the ICAP service is treated as
5034 # essential and all ICAP errors will result in an error page
5035 # returned to the HTTP client.
5036 #
5037 # Bypass is off by default: services are treated as essential.
5038 #
5039 # routing=on|off|1|0
5040 # If set to 'on' or '1', the ICAP service is allowed to
5041 # dynamically change the current message adaptation plan by
5042 # returning a chain of services to be used next. The services
5043 # are specified using the X-Next-Services ICAP response header
5044 # value, formatted as a comma-separated list of service names.
5045 # Each named service should be configured in squid.conf and
5046 # should have the same method and vectoring point as the current
5047 # ICAP transaction. Services violating these rules are ignored.
5048 # An empty X-Next-Services value results in an empty plan which
5049 # ends the current adaptation.
5050 #
5051 # Routing is not allowed by default: the ICAP X-Next-Services
5052 # response header is ignored.
5053 #
5054 # ipv6=on|off
5055 # Only has effect on split-stack systems. The default on those systems
5056 # is to use IPv4-only connections. When set to 'on' this option will
5057 # make Squid use IPv6-only connections to contact this ICAP service.
5058 #
5059 # Older icap_service format without optional named parameters is
5060 # deprecated but supported for backward compatibility.
5061 #
5062 #Example:
5063 #icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod
5064 #icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod
5065 #Default:
5066 # none
5068 # TAG: icap_class
5069 # This deprecated option was documented to define an ICAP service
5070 # chain, even though it actually defined a set of similar, redundant
5071 # services, and the chains were not supported.
5072 #
5073 # To define a set of redundant services, please use the
5074 # adaptation_service_set directive. For service chains, use
5075 # adaptation_service_chain.
5076 #Default:
5077 # none
5079 # TAG: icap_access
5080 # This option is deprecated. Please use adaptation_access, which
5081 # has the same ICAP functionality, but comes with better
5082 # documentation, and eCAP support.
5083 #Default:
5084 # none
5086 # eCAP OPTIONS
5087 # -----------------------------------------------------------------------------
5089 # TAG: ecap_enable on|off
5090 # Note: This option is only available if Squid is rebuilt with the
5091 # --enable-ecap option
5092 #
5093 # Controls whether eCAP support is enabled.
5094 #Default:
5095 # ecap_enable off
5097 # TAG: ecap_service
5098 # Note: This option is only available if Squid is rebuilt with the
5099 # --enable-ecap option
5100 #
5101 # Defines a single eCAP service
5102 #
5103 # ecap_service servicename vectoring_point bypass service_url
5104 #
5105 # vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
5106 # This specifies at which point of transaction processing the
5107 # eCAP service should be activated. *_postcache vectoring points
5108 # are not yet supported.
5109 # bypass = 1|0
5110 # If set to 1, the eCAP service is treated as optional. If the
5111 # service cannot be reached or malfunctions, Squid will try to
5112 # ignore any errors and process the message as if the service
5113 # was not enabled. No all eCAP errors can be bypassed.
5114 # If set to 0, the eCAP service is treated as essential and all
5115 # eCAP errors will result in an error page returned to the
5116 # HTTP client.
5117 # service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional
5118 #
5119 #Example:
5120 #ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
5121 #ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
5122 #Default:
5123 # none
5125 # TAG: loadable_modules
5126 # Instructs Squid to load the specified dynamic module(s) or activate
5127 # preloaded module(s).
5128 #Example:
5129 #loadable_modules /usr/lib/MinimalAdapter.so
5130 #Default:
5131 # none
5133 # MESSAGE ADAPTATION OPTIONS
5134 # -----------------------------------------------------------------------------
5136 # TAG: adaptation_service_set
5137 #
5138 # Configures an ordered set of similar, redundant services. This is
5139 # useful when hot standby or backup adaptation servers are available.
5140 #
5141 # adaptation_service_set set_name service_name1 service_name2 ...
5142 #
5143 # The named services are used in the set declaration order. The first
5144 # applicable adaptation service from the set is used first. The next
5145 # applicable service is tried if and only if the transaction with the
5146 # previous service fails and the message waiting to be adapted is still
5147 # intact.
5148 #
5149 # When adaptation starts, broken services are ignored as if they were
5150 # not a part of the set. A broken service is a down optional service.
5151 #
5152 # The services in a set must be attached to the same vectoring point
5153 # (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
5154 #
5155 # If all services in a set are optional then adaptation failures are
5156 # bypassable. If all services in the set are essential, then a
5157 # transaction failure with one service may still be retried using
5158 # another service from the set, but when all services fail, the master
5159 # transaction fails as well.
5160 #
5161 # A set may contain a mix of optional and essential services, but that
5162 # is likely to lead to surprising results because broken services become
5163 # ignored (see above), making previously bypassable failures fatal.
5164 # Technically, it is the bypassability of the last failed service that
5165 # matters.
5166 #
5167 # See also: adaptation_access adaptation_service_chain
5168 #
5169 #Example:
5170 #adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
5171 #adaptation service_set svcLogger loggerLocal loggerRemote
5172 #Default:
5173 # none
5175 # TAG: adaptation_service_chain
5176 #
5177 # Configures a list of complementary services that will be applied
5178 # one-by-one, forming an adaptation chain or pipeline. This is useful
5179 # when Squid must perform different adaptations on the same message.
5180 #
5181 # adaptation_service_chain chain_name service_name1 svc_name2 ...
5182 #
5183 # The named services are used in the chain declaration order. The first
5184 # applicable adaptation service from the chain is used first. The next
5185 # applicable service is applied to the successful adaptation results of
5186 # the previous service in the chain.
5187 #
5188 # When adaptation starts, broken services are ignored as if they were
5189 # not a part of the chain. A broken service is a down optional service.
5190 #
5191 # Request satisfaction terminates the adaptation chain because Squid
5192 # does not currently allow declaration of RESPMOD services at the
5193 # "reqmod_precache" vectoring point (see icap_service or ecap_service).
5194 #
5195 # The services in a chain must be attached to the same vectoring point
5196 # (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
5197 #
5198 # A chain may contain a mix of optional and essential services. If an
5199 # essential adaptation fails (or the failure cannot be bypassed for
5200 # other reasons), the master transaction fails. Otherwise, the failure
5201 # is bypassed as if the failed adaptation service was not in the chain.
5202 #
5203 # See also: adaptation_access adaptation_service_set
5204 #
5205 #Example:
5206 #adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
5207 #Default:
5208 # none
5210 # TAG: adaptation_access
5211 # Sends an HTTP transaction to an ICAP or eCAP adaptation service.
5212 #
5213 # adaptation_access service_name allow|deny [!]aclname...
5214 # adaptation_access set_name allow|deny [!]aclname...
5215 #
5216 # At each supported vectoring point, the adaptation_access
5217 # statements are processed in the order they appear in this
5218 # configuration file. Statements pointing to the following services
5219 # are ignored (i.e., skipped without checking their ACL):
5220 #
5221 # - services serving different vectoring points
5222 # - "broken-but-bypassable" services
5223 # - "up" services configured to ignore such transactions
5224 # (e.g., based on the ICAP Transfer-Ignore header).
5225 #
5226 # When a set_name is used, all services in the set are checked
5227 # using the same rules, to find the first applicable one. See
5228 # adaptation_service_set for details.
5229 #
5230 # If an access list is checked and there is a match, the
5231 # processing stops: For an "allow" rule, the corresponding
5232 # adaptation service is used for the transaction. For a "deny"
5233 # rule, no adaptation service is activated.
5234 #
5235 # It is currently not possible to apply more than one adaptation
5236 # service at the same vectoring point to the same HTTP transaction.
5237 #
5238 # See also: icap_service and ecap_service
5239 #
5240 #Example:
5241 #adaptation_access service_1 allow all
5242 #Default:
5243 # none
5245 # TAG: adaptation_service_iteration_limit
5246 # Limits the number of iterations allowed when applying adaptation
5247 # services to a message. If your longest adaptation set or chain
5248 # may have more than 16 services, increase the limit beyond its
5249 # default value of 16. If detecting infinite iteration loops sooner
5250 # is critical, make the iteration limit match the actual number
5251 # of services in your longest adaptation set or chain.
5252 #
5253 # Infinite adaptation loops are most likely with routing services.
5254 #
5255 # See also: icap_service routing=1
5256 #Default:
5257 # adaptation_service_iteration_limit 16
5259 # TAG: adaptation_masterx_shared_names
5260 # For each master transaction (i.e., the HTTP request and response
5261 # sequence, including all related ICAP and eCAP exchanges), Squid
5262 # maintains a table of metadata. The table entries are (name, value)
5263 # pairs shared among eCAP and ICAP exchanges. The table is destroyed
5264 # with the master transaction.
5265 #
5266 # This option specifies the table entry names that Squid must accept
5267 # from and forward to the adaptation transactions.
5268 #
5269 # An ICAP REQMOD or RESPMOD transaction may set an entry in the
5270 # shared table by returning an ICAP header field with a name
5271 # specified in adaptation_masterx_shared_names. Squid will store
5272 # and forward that ICAP header field to subsequent ICAP
5273 # transactions within the same master transaction scope.
5274 #
5275 # Only one shared entry name is supported at this time.
5276 #
5277 #Example:
5278 ## share authentication information among ICAP services
5279 #adaptation_masterx_shared_names X-Subscriber-ID
5280 #Default:
5281 # none
5283 # TAG: icap_retry
5284 # This ACL determines which retriable ICAP transactions are
5285 # retried. Transactions that received a complete ICAP response
5286 # and did not have to consume or produce HTTP bodies to receive
5287 # that response are usually retriable.
5288 #
5289 # icap_retry allow|deny [!]aclname ...
5290 #
5291 # Squid automatically retries some ICAP I/O timeouts and errors
5292 # due to persistent connection race conditions.
5293 #
5294 # See also: icap_retry_limit
5295 #Default:
5296 # icap_retry deny all
5298 # TAG: icap_retry_limit
5299 # Limits the number of retries allowed. When set to zero (default),
5300 # no retries are allowed.
5301 #
5302 # Communication errors due to persistent connection race
5303 # conditions are unavoidable, automatically retried, and do not
5304 # count against this limit.
5305 #
5306 # See also: icap_retry
5307 #Default:
5308 # icap_retry_limit 0
5310 # DNS OPTIONS
5311 # -----------------------------------------------------------------------------
5313 # TAG: check_hostnames
5314 # For security and stability reasons Squid can check
5315 # hostnames for Internet standard RFC compliance. If you want
5316 # Squid to perform these checks turn this directive on.
5317 #Default:
5318 # check_hostnames off
5320 # TAG: allow_underscore
5321 # Underscore characters is not strictly allowed in Internet hostnames
5322 # but nevertheless used by many sites. Set this to off if you want
5323 # Squid to be strict about the standard.
5324 # This check is performed only when check_hostnames is set to on.
5325 #Default:
5326 # allow_underscore on
5328 # TAG: cache_dns_program
5329 # Note: This option is only available if Squid is rebuilt with the
5330 # --disable-internal-dns option
5331 #
5332 # Specify the location of the executable for dnslookup process.
5333 #Default:
5334 # cache_dns_program /usr/lib/squid3/dnsserver
5336 # TAG: dns_children
5337 # Note: This option is only available if Squid is rebuilt with the
5338 # --disable-internal-dns option
5339 #
5340 # The number of processes spawn to service DNS name lookups.
5341 # For heavily loaded caches on large servers, you should
5342 # probably increase this value to at least 10. The maximum
5343 # is 32. The default is 5.
5344 #
5345 # You must have at least one dnsserver process.
5346 #Default:
5347 # dns_children 5
5349 # TAG: dns_retransmit_interval
5350 # Initial retransmit interval for DNS queries. The interval is
5351 # doubled each time all configured DNS servers have been tried.
5352 #
5353 #Default:
5354 # dns_retransmit_interval 5 seconds
5356 # TAG: dns_timeout
5357 # DNS Query timeout. If no response is received to a DNS query
5358 # within this time all DNS servers for the queried domain
5359 # are assumed to be unavailable.
5360 #Default:
5361 # dns_timeout 2 minutes
5363 # TAG: dns_defnames on|off
5364 # Normally the RES_DEFNAMES resolver option is disabled
5365 # (see res_init(3)). This prevents caches in a hierarchy
5366 # from interpreting single-component hostnames locally. To allow
5367 # Squid to handle single-component names, enable this option.
5368 #Default:
5369 # dns_defnames off
5371 # TAG: dns_nameservers
5372 # Use this if you want to specify a list of DNS name servers
5373 # (IP addresses) to use instead of those given in your
5374 # /etc/resolv.conf file.
5375 # On Windows platforms, if no value is specified here or in
5376 # the /etc/resolv.conf file, the list of DNS name servers are
5377 # taken from the Windows registry, both static and dynamic DHCP
5378 # configurations are supported.
5379 #
5380 # Example: dns_nameservers 10.0.0.1 192.172.0.4
5381 #Default:
5382 # none
5384 # TAG: hosts_file
5385 # Location of the host-local IP name-address associations
5386 # database. Most Operating Systems have such a file on different
5387 # default locations:
5388 # - Un*X & Linux: /etc/hosts
5389 # - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
5390 # (%SystemRoot% value install default is c:\winnt)
5391 # - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
5392 # (%SystemRoot% value install default is c:\windows)
5393 # - Windows 9x/Me: %windir%\hosts
5394 # (%windir% value is usually c:\windows)
5395 # - Cygwin: /etc/hosts
5396 #
5397 # The file contains newline-separated definitions, in the
5398 # form ip_address_in_dotted_form name [name ...] names are
5399 # whitespace-separated. Lines beginning with an hash (#)
5400 # character are comments.
5401 #
5402 # The file is checked at startup and upon configuration.
5403 # If set to 'none', it won't be checked.
5404 # If append_domain is used, that domain will be added to
5405 # domain-local (i.e. not containing any dot character) host
5406 # definitions.
5407 #Default:
5408 # hosts_file /etc/hosts
5410 # TAG: append_domain
5411 # Appends local domain name to hostnames without any dots in
5412 # them. append_domain must begin with a period.
5413 #
5414 # Be warned there are now Internet names with no dots in
5415 # them using only top-domain names, so setting this may
5416 # cause some Internet sites to become unavailable.
5417 #
5418 #Example:
5419 # append_domain .yourdomain.com
5420 #Default:
5421 # none
5423 # TAG: ignore_unknown_nameservers
5424 # By default Squid checks that DNS responses are received
5425 # from the same IP addresses they are sent to. If they
5426 # don't match, Squid ignores the response and writes a warning
5427 # message to cache.log. You can allow responses from unknown
5428 # nameservers by setting this option to 'off'.
5429 #Default:
5430 # ignore_unknown_nameservers on
5432 # TAG: dns_v4_fallback
5433 # Standard practice with DNS is to lookup either A or AAAA records
5434 # and use the results if it succeeds. Only looking up the other if
5435 # the first attempt fails or otherwise produces no results.
5436 #
5437 # That policy however will cause squid to produce error pages for some
5438 # servers that advertise AAAA but are unreachable over IPv6.
5439 #
5440 # If this is ON squid will always lookup both AAAA and A, using both.
5441 # If this is OFF squid will lookup AAAA and only try A if none found.
5442 #
5443 # WARNING: There are some possibly unwanted side-effects with this on:
5444 # *) Doubles the load placed by squid on the DNS network.
5445 # *) May negatively impact connection delay times.
5446 #Default:
5447 # dns_v4_fallback on
5449 # TAG: dns_v4_first
5450 # With the IPv6 Internet being as fast or faster than IPv4 Internet
5451 # for most networks Squid prefers to contact websites over IPv6.
5452 #
5453 # This option reverses the order of preference to make Squid contact
5454 # dual-stack websites over IPv4 first. Squid will still perform both
5455 # IPv6 and IPv4 DNS lookups before connecting.
5456 #
5457 # WARNING:
5458 # This option will restrict the situations under which IPv6
5459 # connectivity is used (and tested), potentially hiding network
5460 # problem swhich would otherwise be detected and warned about.
5461 #Default:
5462 # dns_v4_first off
5464 # TAG: ipcache_size (number of entries)
5465 #Default:
5466 # ipcache_size 1024
5468 # TAG: ipcache_low (percent)
5469 #Default:
5470 # ipcache_low 90
5472 # TAG: ipcache_high (percent)
5473 # The size, low-, and high-water marks for the IP cache.
5474 #Default:
5475 # ipcache_high 95
5477 # TAG: fqdncache_size (number of entries)
5478 # Maximum number of FQDN cache entries.
5479 #Default:
5480 # fqdncache_size 1024
5482 # MISCELLANEOUS
5483 # -----------------------------------------------------------------------------
5485 # TAG: memory_pools on|off
5486 # If set, Squid will keep pools of allocated (but unused) memory
5487 # available for future use. If memory is a premium on your
5488 # system and you believe your malloc library outperforms Squid
5489 # routines, disable this.
5490 #Default:
5491 # memory_pools on
5493 # TAG: memory_pools_limit (bytes)
5494 # Used only with memory_pools on:
5495 # memory_pools_limit 50 MB
5496 #
5497 # If set to a non-zero value, Squid will keep at most the specified
5498 # limit of allocated (but unused) memory in memory pools. All free()
5499 # requests that exceed this limit will be handled by your malloc
5500 # library. Squid does not pre-allocate any memory, just safe-keeps
5501 # objects that otherwise would be free()d. Thus, it is safe to set
5502 # memory_pools_limit to a reasonably high value even if your
5503 # configuration will use less memory.
5504 #
5505 # If set to none, Squid will keep all memory it can. That is, there
5506 # will be no limit on the total amount of memory used for safe-keeping.
5507 #
5508 # To disable memory allocation optimization, do not set
5509 # memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
5510 #
5511 # An overhead for maintaining memory pools is not taken into account
5512 # when the limit is checked. This overhead is close to four bytes per
5513 # object kept. However, pools may actually _save_ memory because of
5514 # reduced memory thrashing in your malloc library.
5515 #Default:
5516 # memory_pools_limit 5 MB
5518 # TAG: forwarded_for on|off|transparent|truncate|delete
5519 # If set to "on", Squid will append your client's IP address
5520 # in the HTTP requests it forwards. By default it looks like:
5521 #
5522 # X-Forwarded-For: 192.1.2.3
5523 #
5524 # If set to "off", it will appear as
5525 #
5526 # X-Forwarded-For: unknown
5527 #
5528 # If set to "transparent", Squid will not alter the
5529 # X-Forwarded-For header in any way.
5530 #
5531 # If set to "delete", Squid will delete the entire
5532 # X-Forwarded-For header.
5533 #
5534 # If set to "truncate", Squid will remove all existing
5535 # X-Forwarded-For entries, and place itself as the sole entry.
5536 #Default:
5537 # forwarded_for on
5539 # TAG: cachemgr_passwd
5540 # Specify passwords for cachemgr operations.
5541 #
5542 # Usage: cachemgr_passwd password action action ...
5543 #
5544 # Some valid actions are (see cache manager menu for a full list):
5545 # 5min
5546 # 60min
5547 # asndb
5548 # authenticator
5549 # cbdata
5550 # client_list
5551 # comm_incoming
5552 # config *
5553 # counters
5554 # delay
5555 # digest_stats
5556 # dns
5557 # events
5558 # filedescriptors
5559 # fqdncache
5560 # histograms
5561 # http_headers
5562 # info
5563 # io
5564 # ipcache
5565 # mem
5566 # menu
5567 # netdb
5568 # non_peers
5569 # objects
5570 # offline_toggle *
5571 # pconn
5572 # peer_select
5573 # reconfigure *
5574 # redirector
5575 # refresh
5576 # server_list
5577 # shutdown *
5578 # store_digest
5579 # storedir
5580 # utilization
5581 # via_headers
5582 # vm_objects
5583 #
5584 # * Indicates actions which will not be performed without a
5585 # valid password, others can be performed if not listed here.
5586 #
5587 # To disable an action, set the password to "disable".
5588 # To allow performing an action without a password, set the
5589 # password to "none".
5590 #
5591 # Use the keyword "all" to set the same password for all actions.
5592 #
5593 #Example:
5594 # cachemgr_passwd secret shutdown
5595 # cachemgr_passwd lesssssssecret info stats/objects
5596 # cachemgr_passwd disable all
5597 #Default:
5598 # none
5600 # TAG: client_db on|off
5601 # If you want to disable collecting per-client statistics,
5602 # turn off client_db here.
5603 #Default:
5604 # client_db on
5606 # TAG: refresh_all_ims on|off
5607 # When you enable this option, squid will always check
5608 # the origin server for an update when a client sends an
5609 # If-Modified-Since request. Many browsers use IMS
5610 # requests when the user requests a reload, and this
5611 # ensures those clients receive the latest version.
5612 #
5613 # By default (off), squid may return a Not Modified response
5614 # based on the age of the cached version.
5615 #Default:
5616 # refresh_all_ims off
5618 # TAG: reload_into_ims on|off
5619 # When you enable this option, client no-cache or ``reload''
5620 # requests will be changed to If-Modified-Since requests.
5621 # Doing this VIOLATES the HTTP standard. Enabling this
5622 # feature could make you liable for problems which it
5623 # causes.
5624 #
5625 # see also refresh_pattern for a more selective approach.
5626 #Default:
5627 # reload_into_ims off
5629 # TAG: maximum_single_addr_tries
5630 # This sets the maximum number of connection attempts for a
5631 # host that only has one address (for multiple-address hosts,
5632 # each address is tried once).
5633 #
5634 # The default value is one attempt, the (not recommended)
5635 # maximum is 255 tries. A warning message will be generated
5636 # if it is set to a value greater than ten.
5637 #
5638 # Note: This is in addition to the request re-forwarding which
5639 # takes place if Squid fails to get a satisfying response.
5640 #Default:
5641 # maximum_single_addr_tries 1
5643 # TAG: retry_on_error
5644 # If set to ON Squid will automatically retry requests when
5645 # receiving an error response with status 403 (Forbidden),
5646 # 500 (Internal Error), 501 or 503 (Service not available).
5647 # Status 502 and 504 (Gateway errors) are always retried.
5648 #
5649 # This is mainly useful if you are in a complex cache hierarchy to
5650 # work around access control errors.
5651 #
5652 # NOTE: This retry will attempt to find another working destination.
5653 # Which is different from the server which just failed.
5654 #Default:
5655 # retry_on_error off
5657 # TAG: as_whois_server
5658 # WHOIS server to query for AS numbers. NOTE: AS numbers are
5659 # queried only when Squid starts up, not for every request.
5660 #Default:
5661 # as_whois_server whois.ra.net
5663 # TAG: offline_mode
5664 # Enable this option and Squid will never try to validate cached
5665 # objects.
5666 #Default:
5667 # offline_mode off
5669 # TAG: uri_whitespace
5670 # What to do with requests that have whitespace characters in the
5671 # URI. Options:
5672 #
5673 # strip: The whitespace characters are stripped out of the URL.
5674 # This is the behavior recommended by RFC2396.
5675 # deny: The request is denied. The user receives an "Invalid
5676 # Request" message.
5677 # allow: The request is allowed and the URI is not changed. The
5678 # whitespace characters remain in the URI. Note the
5679 # whitespace is passed to redirector processes if they
5680 # are in use.
5681 # encode: The request is allowed and the whitespace characters are
5682 # encoded according to RFC1738. This could be considered
5683 # a violation of the HTTP/1.1
5684 # RFC because proxies are not allowed to rewrite URI's.
5685 # chop: The request is allowed and the URI is chopped at the
5686 # first whitespace. This might also be considered a
5687 # violation.
5688 #Default:
5689 # uri_whitespace strip
5691 # TAG: chroot
5692 # Specifies a directory where Squid should do a chroot() while
5693 # initializing. This also causes Squid to fully drop root
5694 # privileges after initializing. This means, for example, if you
5695 # use a HTTP port less than 1024 and try to reconfigure, you may
5696 # get an error saying that Squid can not open the port.
5697 #Default:
5698 # none
5700 # TAG: balance_on_multiple_ip
5701 # Modern IP resolvers in squid sort lookup results by preferred access.
5702 # By default squid will use these IP in order and only rotates to
5703 # the next listed when the most preffered fails.
5704 #
5705 # Some load balancing servers based on round robin DNS have been
5706 # found not to preserve user session state across requests
5707 # to different IP addresses.
5708 #
5709 # Enabling this directive Squid rotates IP's per request.
5710 #Default:
5711 # balance_on_multiple_ip off
5713 # TAG: pipeline_prefetch
5714 # To boost the performance of pipelined requests to closer
5715 # match that of a non-proxied environment Squid can try to fetch
5716 # up to two requests in parallel from a pipeline.
5717 #
5718 # Defaults to off for bandwidth management and access logging
5719 # reasons.
5720 #
5721 # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
5722 #Default:
5723 # pipeline_prefetch off
5725 # TAG: high_response_time_warning (msec)
5726 # If the one-minute median response time exceeds this value,
5727 # Squid prints a WARNING with debug level 0 to get the
5728 # administrators attention. The value is in milliseconds.
5729 #Default:
5730 # high_response_time_warning 0
5732 # TAG: high_page_fault_warning
5733 # If the one-minute average page fault rate exceeds this
5734 # value, Squid prints a WARNING with debug level 0 to get
5735 # the administrators attention. The value is in page faults
5736 # per second.
5737 #Default:
5738 # high_page_fault_warning 0
5740 # TAG: high_memory_warning
5741 # If the memory usage (as determined by mallinfo) exceeds
5742 # this amount, Squid prints a WARNING with debug level 0 to get
5743 # the administrators attention.
5744 #Default:
5745 # high_memory_warning 0 KB
5747 # TAG: sleep_after_fork (microseconds)
5748 # When this is set to a non-zero value, the main Squid process
5749 # sleeps the specified number of microseconds after a fork()
5750 # system call. This sleep may help the situation where your
5751 # system reports fork() failures due to lack of (virtual)
5752 # memory. Note, however, if you have a lot of child
5753 # processes, these sleep delays will add up and your
5754 # Squid will not service requests for some amount of time
5755 # until all the child processes have been started.
5756 # On Windows value less then 1000 (1 milliseconds) are
5757 # rounded to 1000.
5758 #Default:
5759 # sleep_after_fork 0
5761 # TAG: windows_ipaddrchangemonitor on|off
5762 # On Windows Squid by default will monitor IP address changes and will
5763 # reconfigure itself after any detected event. This is very useful for
5764 # proxies connected to internet with dial-up interfaces.
5765 # In some cases (a Proxy server acting as VPN gateway is one) it could be
5766 # desiderable to disable this behaviour setting this to 'off'.
5767 # Note: after changing this, Squid service must be restarted.
5768 #Default:
5769 # windows_ipaddrchangemonitor on
5771 # TAG: max_filedescriptors
5772 # The maximum number of filedescriptors supported.
5773 #
5774 # The default "0" means Squid inherits the current ulimit setting.
5775 #
5776 # Note: Changing this requires a restart of Squid. Also
5777 # not all comm loops supports large values.
5778 #Default:
5779 # max_filedescriptors 0