| blob | d5d63d2f1858eeb8d955fdf0a9e4bcff67106660 |
1 # WELCOME TO SQUID 3.1.6
2 # ----------------------------
3 #
4 # This is the default Squid configuration file. You may wish
5 # to look at the Squid home page (http://www.squid-cache.org/)
6 # for the FAQ and other documentation.
7 #
8 # The default Squid config file shows what the defaults for
9 # various options happen to be. If you don't need to change the
10 # default, you shouldn't uncomment the line. Doing so may cause
11 # run-time problems. In some cases "none" refers to no default
12 # setting at all, while in other cases it refers to a valid
13 # option - the comments for that keyword indicate if this is the
14 # case.
15 #
17 # =( Red Educativa del Principado de Asturias )==========================
18 # If you need to modify this file, change it at /etc/templates/
19 # Otherwise your changes will be overwritten when the system is started
20 # =======================================================================
22 # Configuration options can be included using the "include" directive.
23 # Include takes a list of files to include. Quoting and wildcards is
24 # supported.
25 #
26 # For example,
27 #
28 # include /path/to/included/file/squid.acl.config
29 #
30 # Includes can be nested up to a hard-coded depth of 16 levels.
31 # This arbitrary restriction is to prevent recursive include references
32 # from causing Squid entering an infinite loop whilst trying to load
33 # configuration files.
35 # OPTIONS FOR AUTHENTICATION
36 # -----------------------------------------------------------------------------
38 # TAG: auth_param
39 # This is used to define parameters for the various authentication
40 # schemes supported by Squid.
41 #
42 # format: auth_param scheme parameter [setting]
43 #
44 # The order in which authentication schemes are presented to the client is
45 # dependent on the order the scheme first appears in config file. IE
46 # has a bug (it's not RFC 2617 compliant) in that it will use the basic
47 # scheme if basic is the first entry presented, even if more secure
48 # schemes are presented. For now use the order in the recommended
49 # settings section below. If other browsers have difficulties (don't
50 # recognize the schemes offered even if you are using basic) either
51 # put basic first, or disable the other schemes (by commenting out their
52 # program entry).
53 #
54 # Once an authentication scheme is fully configured, it can only be
55 # shutdown by shutting squid down and restarting. Changes can be made on
56 # the fly and activated with a reconfigure. I.E. You can change to a
57 # different helper, but not unconfigure the helper completely.
58 #
59 # Please note that while this directive defines how Squid processes
60 # authentication it does not automatically activate authentication.
61 # To use authentication you must in addition make use of ACLs based
62 # on login name in http_access (proxy_auth, proxy_auth_regex or
63 # external with %LOGIN used in the format tag). The browser will be
64 # challenged for authentication on the first such acl encountered
65 # in http_access processing and will also be re-challenged for new
66 # login credentials if the request is being denied by a proxy_auth
67 # type acl.
68 #
69 # WARNING: authentication can't be used in a transparently intercepting
70 # proxy as the client then thinks it is talking to an origin server and
71 # not the proxy. This is a limitation of bending the TCP/IP protocol to
72 # transparently intercepting port 80, not a limitation in Squid.
73 # Ports flagged 'transparent', 'intercept', or 'tproxy' have
74 # authentication disabled.
75 #
76 # === Parameters for the basic scheme follow. ===
77 #
78 # "program" cmdline
79 # Specify the command for the external authenticator. Such a program
80 # reads a line containing "username password" and replies "OK" or
81 # "ERR" in an endless loop. "ERR" responses may optionally be followed
82 # by a error description available as %m in the returned error page.
83 # If you use an authenticator, make sure you have 1 acl of type
84 # proxy_auth.
85 #
86 # By default, the basic authentication scheme is not used unless a
87 # program is specified.
88 #
89 # If you want to use the traditional NCSA proxy authentication, set
90 # this line to something like
91 #
92 # auth_param basic program /usr/lib/squid3/ncsa_auth /usr/etc/passwd
93 #
94 # "utf8" on|off
95 # HTTP uses iso-latin-1 as characterset, while some authentication
96 # backends such as LDAP expects UTF-8. If this is set to on Squid will
97 # translate the HTTP iso-latin-1 charset to UTF-8 before sending the
98 # username & password to the helper.
99 #
100 # "children" numberofchildren
101 # The number of authenticator processes to spawn. If you start too few
102 # Squid will have to wait for them to process a backlog of credential
103 # verifications, slowing it down. When password verifications are
104 # done via a (slow) network you are likely to need lots of
105 # authenticator processes.
106 # auth_param basic children 5
107 #
108 # "concurrency" concurrency
109 # The number of concurrent requests the helper can process.
110 # The default of 0 is used for helpers who only supports
111 # one request at a time. Setting this changes the protocol used to
112 # include a channel number first on the request/response line, allowing
113 # multiple requests to be sent to the same helper in parallell without
114 # wating for the response.
115 # Must not be set unless it's known the helper supports this.
116 # auth_param basic concurrency 0
117 #
118 # "realm" realmstring
119 # Specifies the realm name which is to be reported to the
120 # client for the basic proxy authentication scheme (part of
121 # the text the user will see when prompted their username and
122 # password). There is no default.
123 # auth_param basic realm Squid proxy-caching web server
124 #
125 # "credentialsttl" timetolive
126 # Specifies how long squid assumes an externally validated
127 # username:password pair is valid for - in other words how
128 # often the helper program is called for that user. Set this
129 # low to force revalidation with short lived passwords. Note
130 # setting this high does not impact your susceptibility
131 # to replay attacks unless you are using an one-time password
132 # system (such as SecureID). If you are using such a system,
133 # you will be vulnerable to replay attacks unless you also
134 # use the max_user_ip ACL in an http_access rule.
135 #
136 # "casesensitive" on|off
137 # Specifies if usernames are case sensitive. Most user databases are
138 # case insensitive allowing the same username to be spelled using both
139 # lower and upper case letters, but some are case sensitive. This
140 # makes a big difference for user_max_ip ACL processing and similar.
141 # auth_param basic casesensitive off
142 #
143 # === Parameters for the digest scheme follow ===
144 #
145 # "program" cmdline
146 # Specify the command for the external authenticator. Such
147 # a program reads a line containing "username":"realm" and
148 # replies with the appropriate H(A1) value hex encoded or
149 # ERR if the user (or his H(A1) hash) does not exists.
150 # See rfc 2616 for the definition of H(A1).
151 # "ERR" responses may optionally be followed by a error description
152 # available as %m in the returned error page.
153 #
154 # By default, the digest authentication scheme is not used unless a
155 # program is specified.
156 #
157 # If you want to use a digest authenticator, set this line to
158 # something like
159 #
160 # auth_param digest program /usr/lib/squid3/digest_pw_auth /usr/etc/digpass
161 #
162 # "utf8" on|off
163 # HTTP uses iso-latin-1 as characterset, while some authentication
164 # backends such as LDAP expects UTF-8. If this is set to on Squid will
165 # translate the HTTP iso-latin-1 charset to UTF-8 before sending the
166 # username & password to the helper.
167 #
168 # "children" numberofchildren
169 # The number of authenticator processes to spawn (no default).
170 # If you start too few Squid will have to wait for them to
171 # process a backlog of H(A1) calculations, slowing it down.
172 # When the H(A1) calculations are done via a (slow) network
173 # you are likely to need lots of authenticator processes.
174 # auth_param digest children 5
175 #
176 # "realm" realmstring
177 # Specifies the realm name which is to be reported to the
178 # client for the digest proxy authentication scheme (part of
179 # the text the user will see when prompted their username and
180 # password). There is no default.
181 # auth_param digest realm Squid proxy-caching web server
182 #
183 # "nonce_garbage_interval" timeinterval
184 # Specifies the interval that nonces that have been issued
185 # to client_agent's are checked for validity.
186 #
187 # "nonce_max_duration" timeinterval
188 # Specifies the maximum length of time a given nonce will be
189 # valid for.
190 #
191 # "nonce_max_count" number
192 # Specifies the maximum number of times a given nonce can be
193 # used.
194 #
195 # "nonce_strictness" on|off
196 # Determines if squid requires strict increment-by-1 behavior
197 # for nonce counts, or just incrementing (off - for use when
198 # useragents generate nonce counts that occasionally miss 1
199 # (ie, 1,2,4,6)). Default off.
200 #
201 # "check_nonce_count" on|off
202 # This directive if set to off can disable the nonce count check
203 # completely to work around buggy digest qop implementations in
204 # certain mainstream browser versions. Default on to check the
205 # nonce count to protect from authentication replay attacks.
206 #
207 # "post_workaround" on|off
208 # This is a workaround to certain buggy browsers who sends
209 # an incorrect request digest in POST requests when reusing
210 # the same nonce as acquired earlier on a GET request.
211 #
212 # === NTLM scheme options follow ===
213 #
214 # "program" cmdline
215 # Specify the command for the external NTLM authenticator.
216 # Such a program reads exchanged NTLMSSP packets with
217 # the browser via Squid until authentication is completed.
218 # If you use an NTLM authenticator, make sure you have 1 acl
219 # of type proxy_auth. By default, the NTLM authenticator_program
220 # is not used.
221 #
222 # auth_param ntlm program /usr/lib/squid3/ntlm_auth
223 #
224 # "children" numberofchildren
225 # The number of authenticator processes to spawn (no default).
226 # If you start too few Squid will have to wait for them to
227 # process a backlog of credential verifications, slowing it
228 # down. When credential verifications are done via a (slow)
229 # network you are likely to need lots of authenticator
230 # processes.
231 #
232 # auth_param ntlm children 5
233 #
234 # "keep_alive" on|off
235 # If you experience problems with PUT/POST requests when using the
236 # Negotiate authentication scheme then you can try setting this to
237 # off. This will cause Squid to forcibly close the connection on
238 # the initial requests where the browser asks which schemes are
239 # supported by the proxy.
240 #
241 # auth_param ntlm keep_alive on
242 #
243 # === Options for configuring the NEGOTIATE auth-scheme follow ===
244 #
245 # "program" cmdline
246 # Specify the command for the external Negotiate authenticator.
247 # This protocol is used in Microsoft Active-Directory enabled setups with
248 # the Microsoft Internet Explorer or Mozilla Firefox browsers.
249 # Its main purpose is to exchange credentials with the Squid proxy
250 # using the Kerberos mechanisms.
251 # If you use a Negotiate authenticator, make sure you have at least
252 # one acl of type proxy_auth active. By default, the negotiate
253 # authenticator_program is not used.
254 # The only supported program for this role is the ntlm_auth
255 # program distributed as part of Samba, version 4 or later.
256 #
257 # auth_param negotiate program /usr/lib/squid3/ntlm_auth --helper-protocol=gss-spnego
258 #
259 # "children" numberofchildren
260 # The number of authenticator processes to spawn (no default).
261 # If you start too few Squid will have to wait for them to
262 # process a backlog of credential verifications, slowing it
263 # down. When crendential verifications are done via a (slow)
264 # network you are likely to need lots of authenticator
265 # processes.
266 # auth_param negotiate children 5
267 #
268 # "keep_alive" on|off
269 # If you experience problems with PUT/POST requests when using the
270 # Negotiate authentication scheme then you can try setting this to
271 # off. This will cause Squid to forcibly close the connection on
272 # the initial requests where the browser asks which schemes are
273 # supported by the proxy.
274 #
275 # auth_param negotiate keep_alive on
276 #
277 #
278 # Examples:
279 #
280 ##Recommended minimum configuration per scheme:
281 ##auth_param negotiate program <uncomment and complete this line to activate>
282 ##auth_param negotiate children 5
283 ##auth_param negotiate keep_alive on
284 ##
285 ##auth_param ntlm program <uncomment and complete this line to activate>
286 ##auth_param ntlm children 5
287 ##auth_param ntlm keep_alive on
288 ##
289 ##auth_param digest program <uncomment and complete this line>
290 ##auth_param digest children 5
291 ##auth_param digest realm Squid proxy-caching web server
292 ##auth_param digest nonce_garbage_interval 5 minutes
293 ##auth_param digest nonce_max_duration 30 minutes
294 ##auth_param digest nonce_max_count 50
295 ##
296 ##auth_param basic program <uncomment and complete this line>
297 ##auth_param basic children 5
298 ##auth_param basic realm Squid proxy-caching web server
299 ##auth_param basic credentialsttl 2 hours
300 #Default:
301 # none
303 # TAG: authenticate_cache_garbage_interval
304 # The time period between garbage collection across the username cache.
305 # This is a tradeoff between memory utilization (long intervals - say
306 # 2 days) and CPU (short intervals - say 1 minute). Only change if you
307 # have good reason to.
308 #Default:
309 # authenticate_cache_garbage_interval 1 hour
311 # TAG: authenticate_ttl
312 # The time a user & their credentials stay in the logged in
313 # user cache since their last request. When the garbage
314 # interval passes, all user credentials that have passed their
315 # TTL are removed from memory.
316 #Default:
317 # authenticate_ttl 1 hour
319 # TAG: authenticate_ip_ttl
320 # If you use proxy authentication and the 'max_user_ip' ACL,
321 # this directive controls how long Squid remembers the IP
322 # addresses associated with each user. Use a small value
323 # (e.g., 60 seconds) if your users might change addresses
324 # quickly, as is the case with dialups. You might be safe
325 # using a larger value (e.g., 2 hours) in a corporate LAN
326 # environment with relatively static address assignments.
327 #Default:
328 # authenticate_ip_ttl 0 seconds
330 # ACCESS CONTROLS
331 # -----------------------------------------------------------------------------
333 # TAG: external_acl_type
334 # This option defines external acl classes using a helper program
335 # to look up the status
336 #
337 # external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
338 #
339 # Options:
340 #
341 # ttl=n TTL in seconds for cached results (defaults to 3600
342 # for 1 hour)
343 # negative_ttl=n
344 # TTL for cached negative lookups (default same
345 # as ttl)
346 # children=n Number of acl helper processes spawn to service
347 # external acl lookups of this type. (default 5)
348 # concurrency=n concurrency level per process. Only used with helpers
349 # capable of processing more than one query at a time.
350 # cache=n result cache size, 0 is unbounded (default)
351 # grace=n Percentage remaining of TTL where a refresh of a
352 # cached entry should be initiated without needing to
353 # wait for a new reply. (default 0 for no grace period)
354 # protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
355 # ipv4 / ipv6 IP-mode used to communicate to this helper.
356 # For compatability with older configurations and helpers
357 # the default is currently 'ipv4'.
358 #
359 # FORMAT specifications
360 #
361 # %LOGIN Authenticated user login name
362 # %EXT_USER Username from external acl
363 # %IDENT Ident user name
364 # %SRC Client IP
365 # %SRCPORT Client source port
366 # %URI Requested URI
367 # %DST Requested host
368 # %PROTO Requested protocol
369 # %PORT Requested port
370 # %PATH Requested URL path
371 # %METHOD Request method
372 # %MYADDR Squid interface address
373 # %MYPORT Squid http_port number
374 # %PATH Requested URL-path (including query-string if any)
375 # %USER_CERT SSL User certificate in PEM format
376 # %USER_CERTCHAIN SSL User certificate chain in PEM format
377 # %USER_CERT_xx SSL User certificate subject attribute xx
378 # %USER_CA_xx SSL User certificate issuer attribute xx
379 #
380 # %>{Header} HTTP request header "Header"
381 # %>{Hdr:member}
382 # HTTP request header "Hdr" list member "member"
383 # %>{Hdr:;member}
384 # HTTP request header list member using ; as
385 # list separator. ; can be any non-alphanumeric
386 # character.
387 #
388 # %<{Header} HTTP reply header "Header"
389 # %<{Hdr:member}
390 # HTTP reply header "Hdr" list member "member"
391 # %<{Hdr:;member}
392 # HTTP reply header list member using ; as
393 # list separator. ; can be any non-alphanumeric
394 # character.
395 #
396 # In addition to the above, any string specified in the referencing
397 # acl will also be included in the helper request line, after the
398 # specified formats (see the "acl external" directive)
399 #
400 # The helper receives lines per the above format specification,
401 # and returns lines starting with OK or ERR indicating the validity
402 # of the request and optionally followed by additional keywords with
403 # more details.
404 #
405 # General result syntax:
406 #
407 # OK/ERR keyword=value ...
408 #
409 # Defined keywords:
410 #
411 # user= The users name (login)
412 # password= The users password (for login= cache_peer option)
413 # message= Message describing the reason. Available as %o
414 # in error pages
415 # tag= Apply a tag to a request (for both ERR and OK results)
416 # Only sets a tag, does not alter existing tags.
417 # log= String to be logged in access.log. Available as
418 # %ea in logformat specifications
419 #
420 # If protocol=3.0 (the default) then URL escaping is used to protect
421 # each value in both requests and responses.
422 #
423 # If using protocol=2.5 then all values need to be enclosed in quotes
424 # if they may contain whitespace, or the whitespace escaped using \.
425 # And quotes or \ characters within the keyword value must be \ escaped.
426 #
427 # When using the concurrency= option the protocol is changed by
428 # introducing a query channel tag infront of the request/response.
429 # The query channel tag is a number between 0 and concurrency-1.
430 #Default:
431 # none
433 # TAG: acl
434 # Defining an Access List
435 #
436 # Every access list definition must begin with an aclname and acltype,
437 # followed by either type-specific arguments or a quoted filename that
438 # they are read from.
439 #
440 # acl aclname acltype argument ...
441 # acl aclname acltype "file" ...
442 #
443 # When using "file", the file should contain one item per line.
444 #
445 # By default, regular expressions are CASE-SENSITIVE. To make
446 # them case-insensitive, use the -i option.
447 #
448 # Some acl types require suspending the current request in order
449 # to access some external data source.
450 # Those which do are marked with the tag [slow], those which
451 # don't are marked as [fast].
452 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl
453 # for further information
454 #
455 # ***** ACL TYPES AVAILABLE *****
456 #
457 # acl aclname src ip-address/netmask ... # clients IP address [fast]
458 # acl aclname src addr1-addr2/netmask ... # range of addresses [fast]
459 # acl aclname dst ip-address/netmask ... # URL host's IP address [slow]
460 # acl aclname myip ip-address/netmask ... # local socket IP address [fast]
461 #
462 # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
463 # # The arp ACL requires the special configure option --enable-arp-acl.
464 # # Furthermore, the ARP ACL code is not portable to all operating systems.
465 # # It works on Linux, Solaris, Windows, FreeBSD, and some
466 # # other *BSD variants.
467 # # [fast]
468 # #
469 # # NOTE: Squid can only determine the MAC address for clients that are on
470 # # the same subnet. If the client is on a different subnet,
471 # # then Squid cannot find out its MAC address.
472 #
473 # acl aclname srcdomain .foo.com ...
474 # # reverse lookup, from client IP [slow]
475 # acl aclname dstdomain .foo.com ...
476 # # Destination server from URL [fast]
477 # acl aclname srcdom_regex [-i] \.foo\.com ...
478 # # regex matching client name [slow]
479 # acl aclname dstdom_regex [-i] \.foo\.com ...
480 # # regex matching server [fast]
481 # #
482 # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
483 # # based URL is used and no match is found. The name "none" is used
484 # # if the reverse lookup fails.
485 #
486 # acl aclname src_as number ...
487 # acl aclname dst_as number ...
488 # # [fast]
489 # # Except for access control, AS numbers can be used for
490 # # routing of requests to specific caches. Here's an
491 # # example for routing all requests for AS#1241 and only
492 # # those to mycache.mydomain.net:
493 # # acl asexample dst_as 1241
494 # # cache_peer_access mycache.mydomain.net allow asexample
495 # # cache_peer_access mycache_mydomain.net deny all
496 #
497 # acl aclname peername myPeer ...
498 # # [fast]
499 # # match against a named cache_peer entry
500 # # set unique name= on cache_peer lines for reliable use.
501 #
502 # acl aclname time [day-abbrevs] [h1:m1-h2:m2]
503 # # [fast]
504 # # day-abbrevs:
505 # # S - Sunday
506 # # M - Monday
507 # # T - Tuesday
508 # # W - Wednesday
509 # # H - Thursday
510 # # F - Friday
511 # # A - Saturday
512 # # h1:m1 must be less than h2:m2
513 #
514 # acl aclname url_regex [-i] ^http:// ...
515 # # regex matching on whole URL [fast]
516 # acl aclname urlpath_regex [-i] \.gif$ ...
517 # # regex matching on URL path [fast]
518 #
519 # acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
520 # # ranges are alloed
521 # acl aclname myport 3128 ... # local socket TCP port [fast]
522 # acl aclname myportname 3128 ... # http(s)_port name [fast]
523 #
524 # acl aclname proto HTTP FTP ... # request protocol [fast]
525 #
526 # acl aclname method GET POST ... # HTTP request method [fast]
527 #
528 # acl aclname http_status 200 301 500- 400-403 ...
529 # # status code in reply [fast]
530 #
531 # acl aclname browser [-i] regexp ...
532 # # pattern match on User-Agent header (see also req_header below) [fast]
533 #
534 # acl aclname referer_regex [-i] regexp ...
535 # # pattern match on Referer header [fast]
536 # # Referer is highly unreliable, so use with care
537 #
538 # acl aclname ident username ...
539 # acl aclname ident_regex [-i] pattern ...
540 # # string match on ident output [slow]
541 # # use REQUIRED to accept any non-null ident.
542 #
543 # acl aclname proxy_auth [-i] username ...
544 # acl aclname proxy_auth_regex [-i] pattern ...
545 # # perform http authentication challenge to the client and match against
546 # # supplied credentials [slow]
547 # #
548 # # takes a list of allowed usernames.
549 # # use REQUIRED to accept any valid username.
550 # #
551 # # Will use proxy authentication in forward-proxy scenarios, and plain
552 # # http authenticaiton in reverse-proxy scenarios
553 # #
554 # # NOTE: when a Proxy-Authentication header is sent but it is not
555 # # needed during ACL checking the username is NOT logged
556 # # in access.log.
557 # #
558 # # NOTE: proxy_auth requires a EXTERNAL authentication program
559 # # to check username/password combinations (see
560 # # auth_param directive).
561 # #
562 # # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
563 # # as the browser needs to be configured for using a proxy in order
564 # # to respond to proxy authentication.
565 #
566 # acl aclname snmp_community string ...
567 # # A community string to limit access to your SNMP Agent [fast]
568 # # Example:
569 # #
570 # # acl snmppublic snmp_community public
571 #
572 # acl aclname maxconn number
573 # # This will be matched when the client's IP address has
574 # # more than <number> HTTP connections established. [fast]
575 #
576 # acl aclname max_user_ip [-s] number
577 # # This will be matched when the user attempts to log in from more
578 # # than <number> different ip addresses. The authenticate_ip_ttl
579 # # parameter controls the timeout on the ip entries. [fast]
580 # # If -s is specified the limit is strict, denying browsing
581 # # from any further IP addresses until the ttl has expired. Without
582 # # -s Squid will just annoy the user by "randomly" denying requests.
583 # # (the counter is reset each time the limit is reached and a
584 # # request is denied)
585 # # NOTE: in acceleration mode or where there is mesh of child proxies,
586 # # clients may appear to come from multiple addresses if they are
587 # # going through proxy farms, so a limit of 1 may cause user problems.
588 #
589 # acl aclname req_mime_type [-i] mime-type ...
590 # # regex match against the mime type of the request generated
591 # # by the client. Can be used to detect file upload or some
592 # # types HTTP tunneling requests [fast]
593 # # NOTE: This does NOT match the reply. You cannot use this
594 # # to match the returned file type.
595 #
596 # acl aclname req_header header-name [-i] any\.regex\.here
597 # # regex match against any of the known request headers. May be
598 # # thought of as a superset of "browser", "referer" and "mime-type"
599 # # ACL [fast]
600 #
601 # acl aclname rep_mime_type [-i] mime-type ...
602 # # regex match against the mime type of the reply received by
603 # # squid. Can be used to detect file download or some
604 # # types HTTP tunneling requests. [fast]
605 # # NOTE: This has no effect in http_access rules. It only has
606 # # effect in rules that affect the reply data stream such as
607 # # http_reply_access.
608 #
609 # acl aclname rep_header header-name [-i] any\.regex\.here
610 # # regex match against any of the known reply headers. May be
611 # # thought of as a superset of "browser", "referer" and "mime-type"
612 # # ACLs [fast]
613 #
614 # acl aclname external class_name [arguments...]
615 # # external ACL lookup via a helper class defined by the
616 # # external_acl_type directive [slow]
617 #
618 # acl aclname user_cert attribute values...
619 # # match against attributes in a user SSL certificate
620 # # attribute is one of DN/C/O/CN/L/ST [fast]
621 #
622 # acl aclname ca_cert attribute values...
623 # # match against attributes a users issuing CA SSL certificate
624 # # attribute is one of DN/C/O/CN/L/ST [fast]
625 #
626 # acl aclname ext_user username ...
627 # acl aclname ext_user_regex [-i] pattern ...
628 # # string match on username returned by external acl helper [slow]
629 # # use REQUIRED to accept any non-null user name.
630 #
631 # acl aclname tag tagvalue ...
632 # # string match on tag returned by external acl helper [slow]
633 #
634 # Examples:
635 # acl macaddress arp 09:00:2b:23:45:67
636 # acl myexample dst_as 1241
637 # acl password proxy_auth REQUIRED
638 # acl fileupload req_mime_type -i ^multipart/form-data$
639 # acl javascript rep_mime_type -i ^application/x-javascript$
640 #
641 #Default:
642 # acl all src all
643 #
644 #
645 # Recommended minimum configuration:
646 #
647 acl manager proto cache_object
648 acl localhost src 127.0.0.1/32 ::1
649 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
651 # Example rule allowing access from your local networks.
652 # Adapt to list your (internal) IP networks from where browsing
653 # should be allowed
654 #acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
655 #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
656 #acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
657 #acl localnet src fc00::/7 # RFC 4193 local private network range
658 #acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
659 acl localnet src 10.139.2.0/24
661 acl own_ip src 10.139.2.220/32 # Own IP Address
663 acl SSL_ports port 443 # https
664 acl SSL_ports port 563 # snews
665 acl SSL_ports port 873 # rsync
666 acl Safe_ports port 80 # http
667 acl Safe_ports port 21 # ftp
668 acl Safe_ports port 443 # https
669 acl Safe_ports port 70 # gopher
670 acl Safe_ports port 210 # wais
671 acl Safe_ports port 1025-65535 # unregistered ports
672 acl Safe_ports port 280 # http-mgmt
673 acl Safe_ports port 488 # gss-http
674 acl Safe_ports port 591 # filemaker
675 acl Safe_ports port 777 # multiling http
676 acl Safe_ports port 631 # cups
677 acl Safe_ports port 873 # rsync
678 acl Safe_ports port 901 # SWAT
679 acl Safe_ports port 82 # Correo Educastur
680 acl purge method PURGE
681 acl CONNECT method CONNECT
683 # TAG: follow_x_forwarded_for
684 # Allowing or Denying the X-Forwarded-For header to be followed to
685 # find the original source of a request.
686 #
687 # Requests may pass through a chain of several other proxies
688 # before reaching us. The X-Forwarded-For header will contain a
689 # comma-separated list of the IP addresses in the chain, with the
690 # rightmost address being the most recent.
691 #
692 # If a request reaches us from a source that is allowed by this
693 # configuration item, then we consult the X-Forwarded-For header
694 # to see where that host received the request from. If the
695 # X-Forwarded-For header contains multiple addresses, we continue
696 # backtracking until we reach an address for which we are not allowed
697 # to follow the X-Forwarded-For header, or until we reach the first
698 # address in the list. For the purpose of ACL used in the
699 # follow_x_forwarded_for directive the src ACL type always matches
700 # the address we are testing and srcdomain matches its rDNS.
701 #
702 # The end result of this process is an IP address that we will
703 # refer to as the indirect client address. This address may
704 # be treated as the client address for access control, ICAP, delay
705 # pools and logging, depending on the acl_uses_indirect_client,
706 # icap_uses_indirect_client, delay_pool_uses_indirect_client and
707 # log_uses_indirect_client options.
708 #
709 # This clause only supports fast acl types.
710 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
711 #
712 # SECURITY CONSIDERATIONS:
713 #
714 # Any host for which we follow the X-Forwarded-For header
715 # can place incorrect information in the header, and Squid
716 # will use the incorrect information as if it were the
717 # source address of the request. This may enable remote
718 # hosts to bypass any access control restrictions that are
719 # based on the client's source addresses.
720 #
721 # For example:
722 #
723 # acl localhost src 127.0.0.1
724 # acl my_other_proxy srcdomain .proxy.example.com
725 # follow_x_forwarded_for allow localhost
726 # follow_x_forwarded_for allow my_other_proxy
727 #Default:
728 # follow_x_forwarded_for deny all
730 # TAG: acl_uses_indirect_client on|off
731 # Controls whether the indirect client address
732 # (see follow_x_forwarded_for) is used instead of the
733 # direct client address in acl matching.
734 #Default:
735 # acl_uses_indirect_client on
737 # TAG: delay_pool_uses_indirect_client on|off
738 # Controls whether the indirect client address
739 # (see follow_x_forwarded_for) is used instead of the
740 # direct client address in delay pools.
741 #Default:
742 # delay_pool_uses_indirect_client on
744 # TAG: log_uses_indirect_client on|off
745 # Controls whether the indirect client address
746 # (see follow_x_forwarded_for) is used instead of the
747 # direct client address in the access log.
748 #Default:
749 # log_uses_indirect_client on
751 # TAG: http_access
752 # Allowing or Denying access based on defined access lists
753 #
754 # Access to the HTTP port:
755 # http_access allow|deny [!]aclname ...
756 #
757 # NOTE on default values:
758 #
759 # If there are no "access" lines present, the default is to deny
760 # the request.
761 #
762 # If none of the "access" lines cause a match, the default is the
763 # opposite of the last line in the list. If the last line was
764 # deny, the default is allow. Conversely, if the last line
765 # is allow, the default will be deny. For these reasons, it is a
766 # good idea to have an "deny all" entry at the end of your access
767 # lists to avoid potential confusion.
768 #
769 # This clause supports both fast and slow acl types.
770 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
771 #
772 #Default:
773 # http_access deny all
774 #
776 #
777 # Recommended minimum Access Permission configuration:
778 #
779 # Only allow cachemgr access from localhost
780 http_access allow manager localhost
781 http_access deny manager
783 # Deny requests to certain unsafe ports
784 http_access deny !Safe_ports
786 # Deny CONNECT to other than secure SSL ports
787 http_access deny CONNECT !SSL_ports
789 # We strongly recommend the following be uncommented to protect innocent
790 # web applications running on the proxy server who think the only
791 # one who can access services on "localhost" is a local user
792 #http_access deny to_localhost
794 #
795 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
796 #
798 # Example rule allowing access from your local networks.
799 # Adapt localnet in the ACL section to list your (internal) IP networks
800 # from where browsing should be allowed
801 http_access allow localnet
802 http_access allow localhost
803 http_access allow own_ip
805 # And finally deny all other access to this proxy
806 http_access deny all
808 # TAG: adapted_http_access
809 # Allowing or Denying access based on defined access lists
810 #
811 # Essentially identical to http_access, but runs after redirectors
812 # and ICAP/eCAP adaptation. Allowing access control based on their
813 # output.
814 #
815 # If not set then only http_access is used.
816 #Default:
817 # none
819 # TAG: http_reply_access
820 # Allow replies to client requests. This is complementary to http_access.
821 #
822 # http_reply_access allow|deny [!] aclname ...
823 #
824 # NOTE: if there are no access lines present, the default is to allow
825 # all replies
826 #
827 # If none of the access lines cause a match the opposite of the
828 # last line will apply. Thus it is good practice to end the rules
829 # with an "allow all" or "deny all" entry.
830 #
831 # This clause supports both fast and slow acl types.
832 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
833 #Default:
834 # none
836 # TAG: icp_access
837 # Allowing or Denying access to the ICP port based on defined
838 # access lists
839 #
840 # icp_access allow|deny [!]aclname ...
841 #
842 # See http_access for details
843 #
844 # This clause only supports fast acl types.
845 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
846 #
847 ## Allow ICP queries from local networks only
848 ##icp_access allow localnet
849 ##icp_access deny all
850 #Default:
851 # icp_access deny all
853 # TAG: htcp_access
854 # Allowing or Denying access to the HTCP port based on defined
855 # access lists
856 #
857 # htcp_access allow|deny [!]aclname ...
858 #
859 # See http_access for details
860 #
861 # NOTE: The default if no htcp_access lines are present is to
862 # deny all traffic. This default may cause problems with peers
863 # using the htcp or htcp-oldsquid options.
864 #
865 # This clause only supports fast acl types.
866 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
867 #
868 ## Allow HTCP queries from local networks only
869 ##htcp_access allow localnet
870 ##htcp_access deny all
871 #Default:
872 # htcp_access deny all
874 # TAG: htcp_clr_access
875 # Allowing or Denying access to purge content using HTCP based
876 # on defined access lists
877 #
878 # htcp_clr_access allow|deny [!]aclname ...
879 #
880 # See http_access for details
881 #
882 # This clause only supports fast acl types.
883 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
884 #
885 ## Allow HTCP CLR requests from trusted peers
886 #acl htcp_clr_peer src 172.16.1.2
887 #htcp_clr_access allow htcp_clr_peer
888 #Default:
889 # htcp_clr_access deny all
891 # TAG: miss_access
892 # Use to force your neighbors to use you as a sibling instead of
893 # a parent. For example:
894 #
895 # acl localclients src 172.16.0.0/16
896 # miss_access allow localclients
897 # miss_access deny !localclients
898 #
899 # This means only your local clients are allowed to fetch
900 # MISSES and all other clients can only fetch HITS.
901 #
902 # By default, allow all clients who passed the http_access rules
903 # to fetch MISSES from us.
904 #
905 # This clause only supports fast acl types.
906 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
907 #Default:
908 # miss_access allow all
910 # TAG: ident_lookup_access
911 # A list of ACL elements which, if matched, cause an ident
912 # (RFC 931) lookup to be performed for this request. For
913 # example, you might choose to always perform ident lookups
914 # for your main multi-user Unix boxes, but not for your Macs
915 # and PCs. By default, ident lookups are not performed for
916 # any requests.
917 #
918 # To enable ident lookups for specific client addresses, you
919 # can follow this example:
920 #
921 # acl ident_aware_hosts src 198.168.1.0/24
922 # ident_lookup_access allow ident_aware_hosts
923 # ident_lookup_access deny all
924 #
925 # Only src type ACL checks are fully supported. A srcdomain
926 # ACL might work at times, but it will not always provide
927 # the correct result.
928 #
929 # This clause only supports fast acl types.
930 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
931 #Default:
932 # ident_lookup_access deny all
934 # TAG: reply_body_max_size size [acl acl...]
935 # This option specifies the maximum size of a reply body. It can be
936 # used to prevent users from downloading very large files, such as
937 # MP3's and movies. When the reply headers are received, the
938 # reply_body_max_size lines are processed, and the first line where
939 # all (if any) listed ACLs are true is used as the maximum body size
940 # for this reply.
941 #
942 # This size is checked twice. First when we get the reply headers,
943 # we check the content-length value. If the content length value exists
944 # and is larger than the allowed size, the request is denied and the
945 # user receives an error message that says "the request or reply
946 # is too large." If there is no content-length, and the reply
947 # size exceeds this limit, the client's connection is just closed
948 # and they will receive a partial reply.
949 #
950 # WARNING: downstream caches probably can not detect a partial reply
951 # if there is no content-length header, so they will cache
952 # partial responses and give them out as hits. You should NOT
953 # use this option if you have downstream caches.
954 #
955 # WARNING: A maximum size smaller than the size of squid's error messages
956 # will cause an infinite loop and crash squid. Ensure that the smallest
957 # non-zero value you use is greater that the maximum header size plus
958 # the size of your largest error page.
959 #
960 # If you set this parameter none (the default), there will be
961 # no limit imposed.
962 #
963 # Configuration Format is:
964 # reply_body_max_size SIZE UNITS [acl ...]
965 # ie.
966 # reply_body_max_size 10 MB
967 #
968 #Default:
969 # none
971 # NETWORK OPTIONS
972 # -----------------------------------------------------------------------------
974 # TAG: http_port
975 # Usage: port [options]
976 # hostname:port [options]
977 # 1.2.3.4:port [options]
978 #
979 # The socket addresses where Squid will listen for HTTP client
980 # requests. You may specify multiple socket addresses.
981 # There are three forms: port alone, hostname with port, and
982 # IP address with port. If you specify a hostname or IP
983 # address, Squid binds the socket to that specific
984 # address. This replaces the old 'tcp_incoming_address'
985 # option. Most likely, you do not need to bind to a specific
986 # address, so you can use the port number alone.
987 #
988 # If you are running Squid in accelerator mode, you
989 # probably want to listen on port 80 also, or instead.
990 #
991 # The -a command line option may be used to specify additional
992 # port(s) where Squid listens for proxy request. Such ports will
993 # be plain proxy ports with no options.
994 #
995 # You may specify multiple socket addresses on multiple lines.
996 #
997 # Options:
998 #
999 # intercept Support for IP-Layer interception of
1000 # outgoing requests without browser settings.
1001 # NP: disables authentication and IPv6 on the port.
1002 #
1003 # tproxy Support Linux TPROXY for spoofing outgoing
1004 # connections using the client IP address.
1005 # NP: disables authentication and maybe IPv6 on the port.
1006 #
1007 # accel Accelerator mode. Also needs at least one of
1008 # vhost / vport / defaultsite.
1009 #
1010 # allow-direct Allow direct forwarding in accelerator mode. Normally
1011 # accelerated requests are denied direct forwarding as if
1012 # never_direct was used.
1013 #
1014 # defaultsite=domainname
1015 # What to use for the Host: header if it is not present
1016 # in a request. Determines what site (not origin server)
1017 # accelerators should consider the default.
1018 # Implies accel.
1019 #
1020 # vhost Accelerator mode using Host header for virtual
1021 # domain support. Implies accel.
1022 #
1023 # vport Accelerator with IP based virtual host support.
1024 # Implies accel.
1025 #
1026 # vport=NN As above, but uses specified port number rather
1027 # than the http_port number. Implies accel.
1028 #
1029 # protocol= Protocol to reconstruct accelerated requests with.
1030 # Defaults to http.
1031 #
1032 # ignore-cc Ignore request Cache-Control headers.
1033 #
1034 # Warning: This option violates HTTP specifications if
1035 # used in non-accelerator setups.
1036 #
1037 # connection-auth[=on|off]
1038 # use connection-auth=off to tell Squid to prevent
1039 # forwarding Microsoft connection oriented authentication
1040 # (NTLM, Negotiate and Kerberos)
1041 #
1042 # disable-pmtu-discovery=
1043 # Control Path-MTU discovery usage:
1044 # off lets OS decide on what to do (default).
1045 # transparent disable PMTU discovery when transparent
1046 # support is enabled.
1047 # always disable always PMTU discovery.
1048 #
1049 # In many setups of transparently intercepting proxies
1050 # Path-MTU discovery can not work on traffic towards the
1051 # clients. This is the case when the intercepting device
1052 # does not fully track connections and fails to forward
1053 # ICMP must fragment messages to the cache server. If you
1054 # have such setup and experience that certain clients
1055 # sporadically hang or never complete requests set
1056 # disable-pmtu-discovery option to 'transparent'.
1057 #
1058 # sslBump Intercept each CONNECT request matching ssl_bump ACL,
1059 # establish secure connection with the client and with
1060 # the server, decrypt HTTP messages as they pass through
1061 # Squid, and treat them as unencrypted HTTP messages,
1062 # becoming the man-in-the-middle.
1063 #
1064 # When this option is enabled, additional options become
1065 # available to specify SSL-related properties of the
1066 # client-side connection: cert, key, version, cipher,
1067 # options, clientca, cafile, capath, crlfile, dhparams,
1068 # sslflags, and sslcontext. See the https_port directive
1069 # for more information on these options.
1070 #
1071 # The ssl_bump option is required to fully enable
1072 # the SslBump feature.
1073 #
1074 # name= Specifies a internal name for the port. Defaults to
1075 # the port specification (port or addr:port)
1076 #
1077 # tcpkeepalive[=idle,interval,timeout]
1078 # Enable TCP keepalive probes of idle connections.
1079 # In seconds; idle is the initial time before TCP starts
1080 # probing the connection, interval how often to probe, and
1081 # timeout the time before giving up.
1082 #
1083 # If you run Squid on a dual-homed machine with an internal
1084 # and an external interface we recommend you to specify the
1085 # internal address:port in http_port. This way Squid will only be
1086 # visible on the internal address.
1087 #
1088 #
1090 # Squid normally listens to port 3128
1091 #http_port 3128
1092 http_port 8080
1094 # TAG: https_port
1095 # Note: This option is only available if Squid is rebuilt with the
1096 # --enable-ssl option
1097 #
1098 # Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
1099 #
1100 # The socket address where Squid will listen for HTTPS client
1101 # requests.
1102 #
1103 # This is really only useful for situations where you are running
1104 # squid in accelerator mode and you want to do the SSL work at the
1105 # accelerator level.
1106 #
1107 # You may specify multiple socket addresses on multiple lines,
1108 # each with their own SSL certificate and/or options.
1109 #
1110 # Options:
1111 #
1112 # accel Accelerator mode. Also needs at least one of
1113 # defaultsite or vhost.
1114 #
1115 # defaultsite= The name of the https site presented on
1116 # this port. Implies accel.
1117 #
1118 # vhost Accelerator mode using Host header for virtual
1119 # domain support. Requires a wildcard certificate
1120 # or other certificate valid for more than one domain.
1121 # Implies accel.
1122 #
1123 # protocol= Protocol to reconstruct accelerated requests with.
1124 # Defaults to https.
1125 #
1126 # cert= Path to SSL certificate (PEM format).
1127 #
1128 # key= Path to SSL private key file (PEM format)
1129 # if not specified, the certificate file is
1130 # assumed to be a combined certificate and
1131 # key file.
1132 #
1133 # version= The version of SSL/TLS supported
1134 # 1 automatic (default)
1135 # 2 SSLv2 only
1136 # 3 SSLv3 only
1137 # 4 TLSv1 only
1138 #
1139 # cipher= Colon separated list of supported ciphers.
1140 #
1141 # options= Various SSL engine options. The most important
1142 # being:
1143 # NO_SSLv2 Disallow the use of SSLv2
1144 # NO_SSLv3 Disallow the use of SSLv3
1145 # NO_TLSv1 Disallow the use of TLSv1
1146 # SINGLE_DH_USE Always create a new key when using
1147 # temporary/ephemeral DH key exchanges
1148 # See src/ssl_support.c or OpenSSL SSL_CTX_set_options
1149 # documentation for a complete list of options.
1150 #
1151 # clientca= File containing the list of CAs to use when
1152 # requesting a client certificate.
1153 #
1154 # cafile= File containing additional CA certificates to
1155 # use when verifying client certificates. If unset
1156 # clientca will be used.
1157 #
1158 # capath= Directory containing additional CA certificates
1159 # and CRL lists to use when verifying client certificates.
1160 #
1161 # crlfile= File of additional CRL lists to use when verifying
1162 # the client certificate, in addition to CRLs stored in
1163 # the capath. Implies VERIFY_CRL flag below.
1164 #
1165 # dhparams= File containing DH parameters for temporary/ephemeral
1166 # DH key exchanges.
1167 #
1168 # sslflags= Various flags modifying the use of SSL:
1169 # DELAYED_AUTH
1170 # Don't request client certificates
1171 # immediately, but wait until acl processing
1172 # requires a certificate (not yet implemented).
1173 # NO_DEFAULT_CA
1174 # Don't use the default CA lists built in
1175 # to OpenSSL.
1176 # NO_SESSION_REUSE
1177 # Don't allow for session reuse. Each connection
1178 # will result in a new SSL session.
1179 # VERIFY_CRL
1180 # Verify CRL lists when accepting client
1181 # certificates.
1182 # VERIFY_CRL_ALL
1183 # Verify CRL lists for all certificates in the
1184 # client certificate chain.
1185 #
1186 # sslcontext= SSL session ID context identifier.
1187 #
1188 # vport Accelerator with IP based virtual host support.
1189 #
1190 # vport=NN As above, but uses specified port number rather
1191 # than the https_port number. Implies accel.
1192 #
1193 # name= Specifies a internal name for the port. Defaults to
1194 # the port specification (port or addr:port)
1195 #
1196 #Default:
1197 # none
1199 # TAG: tcp_outgoing_tos
1200 # Allows you to select a TOS/Diffserv value to mark outgoing
1201 # connections with, based on the username or source address
1202 # making the request.
1203 #
1204 # tcp_outgoing_tos ds-field [!]aclname ...
1205 #
1206 # Example where normal_service_net uses the TOS value 0x00
1207 # and good_service_net uses 0x20
1208 #
1209 # acl normal_service_net src 10.0.0.0/255.255.255.0
1210 # acl good_service_net src 10.0.1.0/255.255.255.0
1211 # tcp_outgoing_tos 0x00 normal_service_net
1212 # tcp_outgoing_tos 0x20 good_service_net
1213 #
1214 # TOS/DSCP values really only have local significance - so you should
1215 # know what you're specifying. For more information, see RFC2474,
1216 # RFC2475, and RFC3260.
1217 #
1218 # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
1219 # "default" to use whatever default your host has. Note that in
1220 # practice often only values 0 - 63 is usable as the two highest bits
1221 # have been redefined for use by ECN (RFC3168).
1222 #
1223 # Processing proceeds in the order specified, and stops at first fully
1224 # matching line.
1225 #
1226 # Note: The use of this directive using client dependent ACLs is
1227 # incompatible with the use of server side persistent connections. To
1228 # ensure correct results it is best to set server_persisten_connections
1229 # to off when using this directive in such configurations.
1230 #Default:
1231 # none
1233 # TAG: clientside_tos
1234 # Allows you to select a TOS/Diffserv value to mark client-side
1235 # connections with, based on the username or source address
1236 # making the request.
1237 #Default:
1238 # none
1240 # TAG: qos_flows
1241 # Note: This option is only available if Squid is rebuilt with the
1242 # --enable-zph-qos option
1243 #
1244 # Allows you to select a TOS/DSCP value to mark outgoing
1245 # connections with, based on where the reply was sourced.
1246 #
1247 # TOS values really only have local significance - so you should
1248 # know what you're specifying. For more information, see RFC2474,
1249 # RFC2475, and RFC3260.
1250 #
1251 # The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF.
1252 # Note that in practice often only values up to 0x3F are usable
1253 # as the two highest bits have been redefined for use by ECN
1254 # (RFC3168).
1255 #
1256 # This setting is configured by setting the source TOS values:
1257 #
1258 # local-hit=0xFF Value to mark local cache hits.
1259 #
1260 # sibling-hit=0xFF Value to mark hits from sibling peers.
1261 #
1262 # parent-hit=0xFF Value to mark hits from parent peers.
1263 #
1264 #
1265 # NOTE: 'miss' preserve feature is only possible on Linux at this time.
1266 #
1267 # For the following to work correctly, you will need to patch your
1268 # linux kernel with the TOS preserving ZPH patch.
1269 # The kernel patch can be downloaded from http://zph.bratcheda.org
1270 #
1271 # disable-preserve-miss
1272 # By default, the existing TOS value of the response coming
1273 # from the remote server will be retained and masked with
1274 # miss-mark. This option disables that feature.
1275 #
1276 # miss-mask=0xFF
1277 # Allows you to mask certain bits in the TOS received from the
1278 # remote server, before copying the value to the TOS sent
1279 # towards clients.
1280 # Default: 0xFF (TOS from server is not changed).
1281 #
1282 #Default:
1283 # none
1285 # TAG: tcp_outgoing_address
1286 # Allows you to map requests to different outgoing IP addresses
1287 # based on the username or source address of the user making
1288 # the request.
1289 #
1290 # tcp_outgoing_address ipaddr [[!]aclname] ...
1291 #
1292 # Example where requests from 10.0.0.0/24 will be forwarded
1293 # with source address 10.1.0.1, 10.0.2.0/24 forwarded with
1294 # source address 10.1.0.2 and the rest will be forwarded with
1295 # source address 10.1.0.3.
1296 #
1297 # acl normal_service_net src 10.0.0.0/24
1298 # acl good_service_net src 10.0.2.0/24
1299 # tcp_outgoing_address 10.1.0.1 normal_service_net
1300 # tcp_outgoing_address 10.1.0.2 good_service_net
1301 # tcp_outgoing_address 10.1.0.3
1302 #
1303 # Processing proceeds in the order specified, and stops at first fully
1304 # matching line.
1305 #
1306 # Note: The use of this directive using client dependent ACLs is
1307 # incompatible with the use of server side persistent connections. To
1308 # ensure correct results it is best to set server_persistent_connections
1309 # to off when using this directive in such configurations.
1310 #
1311 #
1312 # IPv6 Magic:
1313 #
1314 # Squid is built with a capability of bridging the IPv4 and IPv6
1315 # internets.
1316 # tcp_outgoing_address as exampled above breaks this bridging by forcing
1317 # all outbound traffic through a certain IPv4 which may be on the wrong
1318 # side of the IPv4/IPv6 boundary.
1319 #
1320 # To operate with tcp_outgoing_address and keep the bridging benefits
1321 # an additional ACL needs to be used which ensures the IPv6-bound traffic
1322 # is never forced or permitted out the IPv4 interface.
1323 #
1324 # acl to_ipv6 dst ipv6
1325 # tcp_outgoing_address 2002::c001 good_service_net to_ipv6
1326 # tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
1327 #
1328 # tcp_outgoing_address 2002::beef normal_service_net to_ipv6
1329 # tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
1330 #
1331 # tcp_outgoing_address 2002::1 to_ipv6
1332 # tcp_outgoing_address 10.1.0.3 !to_ipv6
1333 #
1334 # WARNING:
1335 # 'dst ipv6' bases its selection assuming DIRECT access.
1336 # If peers are used the peername ACL are needed to select outgoing
1337 # address which can link to the peer.
1338 #
1339 # 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used
1340 # previously in the http_access rules to locate the destination IP.
1341 # Some more magic may be needed for that:
1342 # http_access allow to_ipv6 !all
1343 # (meaning, allow if to IPv6 but not from anywhere ;)
1344 #
1345 #Default:
1346 # none
1348 # SSL OPTIONS
1349 # -----------------------------------------------------------------------------
1351 # TAG: ssl_unclean_shutdown
1352 # Note: This option is only available if Squid is rebuilt with the
1353 # --enable-ssl option
1354 #
1355 # Some browsers (especially MSIE) bugs out on SSL shutdown
1356 # messages.
1357 #Default:
1358 # ssl_unclean_shutdown off
1360 # TAG: ssl_engine
1361 # Note: This option is only available if Squid is rebuilt with the
1362 # --enable-ssl option
1363 #
1364 # The OpenSSL engine to use. You will need to set this if you
1365 # would like to use hardware SSL acceleration for example.
1366 #Default:
1367 # none
1369 # TAG: sslproxy_client_certificate
1370 # Note: This option is only available if Squid is rebuilt with the
1371 # --enable-ssl option
1372 #
1373 # Client SSL Certificate to use when proxying https:// URLs
1374 #Default:
1375 # none
1377 # TAG: sslproxy_client_key
1378 # Note: This option is only available if Squid is rebuilt with the
1379 # --enable-ssl option
1380 #
1381 # Client SSL Key to use when proxying https:// URLs
1382 #Default:
1383 # none
1385 # TAG: sslproxy_version
1386 # Note: This option is only available if Squid is rebuilt with the
1387 # --enable-ssl option
1388 #
1389 # SSL version level to use when proxying https:// URLs
1390 #Default:
1391 # sslproxy_version 1
1393 # TAG: sslproxy_options
1394 # Note: This option is only available if Squid is rebuilt with the
1395 # --enable-ssl option
1396 #
1397 # SSL engine options to use when proxying https:// URLs
1398 #
1399 # The most important being:
1400 #
1401 # NO_SSLv2 Disallow the use of SSLv2
1402 # NO_SSLv3 Disallow the use of SSLv3
1403 # NO_TLSv1 Disallow the use of TLSv1
1404 # SINGLE_DH_USE
1405 # Always create a new key when using
1406 # temporary/ephemeral DH key exchanges
1407 #
1408 # These options vary depending on your SSL engine.
1409 # See the OpenSSL SSL_CTX_set_options documentation for a
1410 # complete list of possible options.
1411 #Default:
1412 # none
1414 # TAG: sslproxy_cipher
1415 # Note: This option is only available if Squid is rebuilt with the
1416 # --enable-ssl option
1417 #
1418 # SSL cipher list to use when proxying https:// URLs
1419 #
1420 # Colon separated list of supported ciphers.
1421 #Default:
1422 # none
1424 # TAG: sslproxy_cafile
1425 # Note: This option is only available if Squid is rebuilt with the
1426 # --enable-ssl option
1427 #
1428 # file containing CA certificates to use when verifying server
1429 # certificates while proxying https:// URLs
1430 #Default:
1431 # none
1433 # TAG: sslproxy_capath
1434 # Note: This option is only available if Squid is rebuilt with the
1435 # --enable-ssl option
1436 #
1437 # directory containing CA certificates to use when verifying
1438 # server certificates while proxying https:// URLs
1439 #Default:
1440 # none
1442 # TAG: ssl_bump
1443 # Note: This option is only available if Squid is rebuilt with the
1444 # --enable-ssl option
1445 #
1446 # This ACL controls which CONNECT requests to an http_port
1447 # marked with an sslBump flag are actually "bumped". Please
1448 # see the sslBump flag of an http_port option for more details
1449 # about decoding proxied SSL connections.
1450 #
1451 # By default, no requests are bumped.
1452 #
1453 # See also: http_port sslBump
1454 #
1455 # This clause only supports fast acl types.
1456 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1457 #
1458 #
1459 # # Example: Bump all requests except those originating from localhost and
1460 # # those going to webax.com or example.com sites.
1461 #
1462 # acl localhost src 127.0.0.1/32
1463 # acl broken_sites dstdomain .webax.com
1464 # acl broken_sites dstdomain .example.com
1465 # ssl_bump deny localhost
1466 # ssl_bump deny broken_sites
1467 # ssl_bump allow all
1468 #Default:
1469 # none
1471 # TAG: sslproxy_flags
1472 # Note: This option is only available if Squid is rebuilt with the
1473 # --enable-ssl option
1474 #
1475 # Various flags modifying the use of SSL while proxying https:// URLs:
1476 # DONT_VERIFY_PEER Accept certificates that fail verification.
1477 # For refined control, see sslproxy_cert_error.
1478 # NO_DEFAULT_CA Don't use the default CA list built in
1479 # to OpenSSL.
1480 #Default:
1481 # none
1483 # TAG: sslproxy_cert_error
1484 # Note: This option is only available if Squid is rebuilt with the
1485 # --enable-ssl option
1486 #
1487 # Use this ACL to bypass server certificate validation errors.
1488 #
1489 # For example, the following lines will bypass all validation errors
1490 # when talking to servers located at 172.16.0.0/16. All other
1491 # validation errors will result in ERR_SECURE_CONNECT_FAIL error.
1492 #
1493 # acl BrokenServersAtTrustedIP dst 172.16.0.0/16
1494 # sslproxy_cert_error allow BrokenServersAtTrustedIP
1495 # sslproxy_cert_error deny all
1496 #
1497 # This clause only supports fast acl types.
1498 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1499 # Using slow acl types may result in server crashes
1500 #
1501 # Without this option, all server certificate validation errors
1502 # terminate the transaction. Bypassing validation errors is dangerous
1503 # because an error usually implies that the server cannot be trusted and
1504 # the connection may be insecure.
1505 #
1506 # See also: sslproxy_flags and DONT_VERIFY_PEER.
1507 #
1508 # Default setting: sslproxy_cert_error deny all
1509 #Default:
1510 # none
1512 # TAG: sslpassword_program
1513 # Note: This option is only available if Squid is rebuilt with the
1514 # --enable-ssl option
1515 #
1516 # Specify a program used for entering SSL key passphrases
1517 # when using encrypted SSL certificate keys. If not specified
1518 # keys must either be unencrypted, or Squid started with the -N
1519 # option to allow it to query interactively for the passphrase.
1520 #Default:
1521 # none
1523 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
1524 # -----------------------------------------------------------------------------
1526 # TAG: cache_peer
1527 # To specify other caches in a hierarchy, use the format:
1528 #
1529 # cache_peer hostname type http-port icp-port [options]
1530 #
1531 # For example,
1532 #
1533 # # proxy icp
1534 # # hostname type port port options
1535 # # -------------------- -------- ----- ----- -----------
1536 # cache_peer parent.foo.net parent 3128 3130 default
1537 # cache_peer sib1.foo.net sibling 3128 3130 proxy-only
1538 # cache_peer sib2.foo.net sibling 3128 3130 proxy-only
1539 # cache_peer example.com parent 80 0 no-query default
1540 # cache_peer cdn.example.com sibling 3128 0
1541 #
1542 # type: either 'parent', 'sibling', or 'multicast'.
1543 #
1544 # proxy-port: The port number where the peer accept HTTP requests.
1545 # For other Squid proxies this is usually 3128
1546 # For web servers this is usually 80
1547 #
1548 # icp-port: Used for querying neighbor caches about objects.
1549 # Set to 0 if the peer does not support ICP or HTCP.
1550 # See ICP and HTCP options below for additional details.
1551 #
1552 #
1553 # ==== ICP OPTIONS ====
1554 #
1555 # You MUST also set icp_port and icp_access explicitly when using these options.
1556 # The defaults will prevent peer traffic using ICP.
1557 #
1558 #
1559 # no-query Disable ICP queries to this neighbor.
1560 #
1561 # multicast-responder
1562 # Indicates the named peer is a member of a multicast group.
1563 # ICP queries will not be sent directly to the peer, but ICP
1564 # replies will be accepted from it.
1565 #
1566 # closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
1567 # CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
1568 #
1569 # background-ping
1570 # To only send ICP queries to this neighbor infrequently.
1571 # This is used to keep the neighbor round trip time updated
1572 # and is usually used in conjunction with weighted-round-robin.
1573 #
1574 #
1575 # ==== HTCP OPTIONS ====
1576 #
1577 # You MUST also set htcp_port and htcp_access explicitly when using these options.
1578 # The defaults will prevent peer traffic using HTCP.
1579 #
1580 #
1581 # htcp Send HTCP, instead of ICP, queries to the neighbor.
1582 # You probably also want to set the "icp-port" to 4827
1583 # instead of 3130.
1584 #
1585 # htcp-oldsquid Send HTCP to old Squid versions.
1586 #
1587 # htcp-no-clr Send HTCP to the neighbor but without
1588 # sending any CLR requests. This cannot be used with
1589 # htcp-only-clr.
1590 #
1591 # htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests.
1592 # This cannot be used with htcp-no-clr.
1593 #
1594 # htcp-no-purge-clr
1595 # Send HTCP to the neighbor including CLRs but only when
1596 # they do not result from PURGE requests.
1597 #
1598 # htcp-forward-clr
1599 # Forward any HTCP CLR requests this proxy receives to the peer.
1600 #
1601 #
1602 # ==== PEER SELECTION METHODS ====
1603 #
1604 # The default peer selection method is ICP, with the first responding peer
1605 # being used as source. These options can be used for better load balancing.
1606 #
1607 #
1608 # default This is a parent cache which can be used as a "last-resort"
1609 # if a peer cannot be located by any of the peer-selection methods.
1610 # If specified more than once, only the first is used.
1611 #
1612 # round-robin Load-Balance parents which should be used in a round-robin
1613 # fashion in the absence of any ICP queries.
1614 # weight=N can be used to add bias.
1615 #
1616 # weighted-round-robin
1617 # Load-Balance parents which should be used in a round-robin
1618 # fashion with the frequency of each parent being based on the
1619 # round trip time. Closer parents are used more often.
1620 # Usually used for background-ping parents.
1621 # weight=N can be used to add bias.
1622 #
1623 # carp Load-Balance parents which should be used as a CARP array.
1624 # The requests will be distributed among the parents based on the
1625 # CARP load balancing hash function based on their weight.
1626 #
1627 # userhash Load-balance parents based on the client proxy_auth or ident username.
1628 #
1629 # sourcehash Load-balance parents based on the client source IP.
1630 #
1631 # multicast-siblings
1632 # To be used only for cache peers of type "multicast".
1633 # ALL members of this multicast group have "sibling"
1634 # relationship with it, not "parent". This is to a mulicast
1635 # group when the requested object would be fetched only from
1636 # a "parent" cache, anyway. It's useful, e.g., when
1637 # configuring a pool of redundant Squid proxies, being
1638 # members of the same multicast group.
1639 #
1640 #
1641 # ==== PEER SELECTION OPTIONS ====
1642 #
1643 # weight=N use to affect the selection of a peer during any weighted
1644 # peer-selection mechanisms.
1645 # The weight must be an integer; default is 1,
1646 # larger weights are favored more.
1647 # This option does not affect parent selection if a peering
1648 # protocol is not in use.
1649 #
1650 # basetime=N Specify a base amount to be subtracted from round trip
1651 # times of parents.
1652 # It is subtracted before division by weight in calculating
1653 # which parent to fectch from. If the rtt is less than the
1654 # base time the rtt is set to a minimal value.
1655 #
1656 # ttl=N Specify a IP multicast TTL to use when sending an ICP
1657 # queries to this address.
1658 # Only useful when sending to a multicast group.
1659 # Because we don't accept ICP replies from random
1660 # hosts, you must configure other group members as
1661 # peers with the 'multicast-responder' option.
1662 #
1663 # no-delay To prevent access to this neighbor from influencing the
1664 # delay pools.
1665 #
1666 # digest-url=URL Tell Squid to fetch the cache digest (if digests are
1667 # enabled) for this host from the specified URL rather
1668 # than the Squid default location.
1669 #
1670 #
1671 # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
1672 #
1673 # originserver Causes this parent to be contacted as an origin server.
1674 # Meant to be used in accelerator setups when the peer
1675 # is a web server.
1676 #
1677 # forceddomain=name
1678 # Set the Host header of requests forwarded to this peer.
1679 # Useful in accelerator setups where the server (peer)
1680 # expects a certain domain name but clients may request
1681 # others. ie example.com or www.example.com
1682 #
1683 # no-digest Disable request of cache digests.
1684 #
1685 # no-netdb-exchange
1686 # Disables requesting ICMP RTT database (NetDB).
1687 #
1688 #
1689 # ==== AUTHENTICATION OPTIONS ====
1690 #
1691 # login=user:password
1692 # If this is a personal/workgroup proxy and your parent
1693 # requires proxy authentication.
1694 #
1695 # Note: The string can include URL escapes (i.e. %20 for
1696 # spaces). This also means % must be written as %%.
1697 #
1698 # login=PROXYPASS
1699 # Send login details received from client to this peer.
1700 # Authentication is not required, nor changed.
1701 #
1702 # Note: This will pass any form of authentication but
1703 # only Basic auth will work through a proxy unless the
1704 # connection-auth options are also used.
1705 #
1706 # login=PASS Send login details received from client to this peer.
1707 # Authentication is not required by this option.
1708 # If there are no client-provided authentication headers
1709 # to pass on, but username and password are available
1710 # from either proxy login or an external ACL user= and
1711 # password= result tags they may be sent instead.
1712 #
1713 # Note: To combine this with proxy_auth both proxies must
1714 # share the same user database as HTTP only allows for
1715 # a single login (one for proxy, one for origin server).
1716 # Also be warned this will expose your users proxy
1717 # password to the peer. USE WITH CAUTION
1718 #
1719 # login=*:password
1720 # Send the username to the upstream cache, but with a
1721 # fixed password. This is meant to be used when the peer
1722 # is in another administrative domain, but it is still
1723 # needed to identify each user.
1724 # The star can optionally be followed by some extra
1725 # information which is added to the username. This can
1726 # be used to identify this proxy to the peer, similar to
1727 # the login=username:password option above.
1728 #
1729 # connection-auth=on|off
1730 # Tell Squid that this peer does or not support Microsoft
1731 # connection oriented authentication, and any such
1732 # challenges received from there should be ignored.
1733 # Default is auto to automatically determine the status
1734 # of the peer.
1735 #
1736 #
1737 # ==== SSL / HTTPS / TLS OPTIONS ====
1738 #
1739 # ssl Encrypt connections to this peer with SSL/TLS.
1740 #
1741 # sslcert=/path/to/ssl/certificate
1742 # A client SSL certificate to use when connecting to
1743 # this peer.
1744 #
1745 # sslkey=/path/to/ssl/key
1746 # The private SSL key corresponding to sslcert above.
1747 # If 'sslkey' is not specified 'sslcert' is assumed to
1748 # reference a combined file containing both the
1749 # certificate and the key.
1750 #
1751 # sslversion=1|2|3|4
1752 # The SSL version to use when connecting to this peer
1753 # 1 = automatic (default)
1754 # 2 = SSL v2 only
1755 # 3 = SSL v3 only
1756 # 4 = TLS v1 only
1757 #
1758 # sslcipher=... The list of valid SSL ciphers to use when connecting
1759 # to this peer.
1760 #
1761 # ssloptions=... Specify various SSL engine options:
1762 # NO_SSLv2 Disallow the use of SSLv2
1763 # NO_SSLv3 Disallow the use of SSLv3
1764 # NO_TLSv1 Disallow the use of TLSv1
1765 # See src/ssl_support.c or the OpenSSL documentation for
1766 # a more complete list.
1767 #
1768 # sslcafile=... A file containing additional CA certificates to use
1769 # when verifying the peer certificate.
1770 #
1771 # sslcapath=... A directory containing additional CA certificates to
1772 # use when verifying the peer certificate.
1773 #
1774 # sslcrlfile=... A certificate revocation list file to use when
1775 # verifying the peer certificate.
1776 #
1777 # sslflags=... Specify various flags modifying the SSL implementation:
1778 #
1779 # DONT_VERIFY_PEER
1780 # Accept certificates even if they fail to
1781 # verify.
1782 # NO_DEFAULT_CA
1783 # Don't use the default CA list built in
1784 # to OpenSSL.
1785 # DONT_VERIFY_DOMAIN
1786 # Don't verify the peer certificate
1787 # matches the server name
1788 #
1789 # ssldomain= The peer name as advertised in it's certificate.
1790 # Used for verifying the correctness of the received peer
1791 # certificate. If not specified the peer hostname will be
1792 # used.
1793 #
1794 # front-end-https
1795 # Enable the "Front-End-Https: On" header needed when
1796 # using Squid as a SSL frontend in front of Microsoft OWA.
1797 # See MS KB document Q307347 for details on this header.
1798 # If set to auto the header will only be added if the
1799 # request is forwarded as a https:// URL.
1800 #
1801 #
1802 # ==== GENERAL OPTIONS ====
1803 #
1804 # connect-timeout=N
1805 # A peer-specific connect timeout.
1806 # Also see the peer_connect_timeout directive.
1807 #
1808 # connect-fail-limit=N
1809 # How many times connecting to a peer must fail before
1810 # it is marked as down. Default is 10.
1811 #
1812 # allow-miss Disable Squid's use of only-if-cached when forwarding
1813 # requests to siblings. This is primarily useful when
1814 # icp_hit_stale is used by the sibling. To extensive use
1815 # of this option may result in forwarding loops, and you
1816 # should avoid having two-way peerings with this option.
1817 # For example to deny peer usage on requests from peer
1818 # by denying cache_peer_access if the source is a peer.
1819 #
1820 # max-conn=N Limit the amount of connections Squid may open to this
1821 # peer. see also
1822 #
1823 # name=xxx Unique name for the peer.
1824 # Required if you have multiple peers on the same host
1825 # but different ports.
1826 # This name can be used in cache_peer_access and similar
1827 # directives to dentify the peer.
1828 # Can be used by outgoing access controls through the
1829 # peername ACL type.
1830 #
1831 # no-tproxy Do not use the client-spoof TPROXY support when forwarding
1832 # requests to this peer. Use normal address selection instead.
1833 #
1834 # proxy-only objects fetched from the peer will not be stored locally.
1835 #
1836 #Default:
1837 # none
1839 cache_peer 192.168.14.100 parent 8080 0 default no-query no-digest
1841 # TAG: cache_peer_domain
1842 # Use to limit the domains for which a neighbor cache will be
1843 # queried. Usage:
1844 #
1845 # cache_peer_domain cache-host domain [domain ...]
1846 # cache_peer_domain cache-host !domain
1847 #
1848 # For example, specifying
1849 #
1850 # cache_peer_domain parent.foo.net .edu
1851 #
1852 # has the effect such that UDP query packets are sent to
1853 # 'bigserver' only when the requested object exists on a
1854 # server in the .edu domain. Prefixing the domainname
1855 # with '!' means the cache will be queried for objects
1856 # NOT in that domain.
1857 #
1858 # NOTE: * Any number of domains may be given for a cache-host,
1859 # either on the same or separate lines.
1860 # * When multiple domains are given for a particular
1861 # cache-host, the first matched domain is applied.
1862 # * Cache hosts with no domain restrictions are queried
1863 # for all requests.
1864 # * There are no defaults.
1865 # * There is also a 'cache_peer_access' tag in the ACL
1866 # section.
1867 #Default:
1868 # none
1870 cache_peer_domain 192.168.14.100 8080 !localnet
1872 # TAG: cache_peer_access
1873 # Similar to 'cache_peer_domain' but provides more flexibility by
1874 # using ACL elements.
1875 #
1876 # cache_peer_access cache-host allow|deny [!]aclname ...
1877 #
1878 # The syntax is identical to 'http_access' and the other lists of
1879 # ACL elements. See the comments for 'http_access' below, or
1880 # the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
1881 #Default:
1882 # none
1884 # TAG: neighbor_type_domain
1885 # usage: neighbor_type_domain neighbor parent|sibling domain domain ...
1886 #
1887 # Modifying the neighbor type for specific domains is now
1888 # possible. You can treat some domains differently than the the
1889 # default neighbor type specified on the 'cache_peer' line.
1890 # Normally it should only be necessary to list domains which
1891 # should be treated differently because the default neighbor type
1892 # applies for hostnames which do not match domains listed here.
1893 #
1894 #EXAMPLE:
1895 # cache_peer cache.foo.org parent 3128 3130
1896 # neighbor_type_domain cache.foo.org sibling .com .net
1897 # neighbor_type_domain cache.foo.org sibling .au .de
1898 #Default:
1899 # none
1901 # TAG: dead_peer_timeout (seconds)
1902 # This controls how long Squid waits to declare a peer cache
1903 # as "dead." If there are no ICP replies received in this
1904 # amount of time, Squid will declare the peer dead and not
1905 # expect to receive any further ICP replies. However, it
1906 # continues to send ICP queries, and will mark the peer as
1907 # alive upon receipt of the first subsequent ICP reply.
1908 #
1909 # This timeout also affects when Squid expects to receive ICP
1910 # replies from peers. If more than 'dead_peer' seconds have
1911 # passed since the last ICP reply was received, Squid will not
1912 # expect to receive an ICP reply on the next query. Thus, if
1913 # your time between requests is greater than this timeout, you
1914 # will see a lot of requests sent DIRECT to origin servers
1915 # instead of to your parents.
1916 #Default:
1917 # dead_peer_timeout 10 seconds
1919 # TAG: forward_max_tries
1920 # Controls how many different forward paths Squid will try
1921 # before giving up. See also forward_timeout.
1922 #Default:
1923 # forward_max_tries 10
1925 # TAG: hierarchy_stoplist
1926 # A list of words which, if found in a URL, cause the object to
1927 # be handled directly by this cache. In other words, use this
1928 # to not query neighbor caches for certain objects. You may
1929 # list this option multiple times.
1930 # Note: never_direct overrides this option.
1931 #
1933 # We recommend you to use at least the following line.
1934 hierarchy_stoplist cgi-bin ?
1936 # MEMORY CACHE OPTIONS
1937 # -----------------------------------------------------------------------------
1939 # TAG: cache_mem (bytes)
1940 # NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
1941 # IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
1942 # USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
1943 # THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
1944 #
1945 # 'cache_mem' specifies the ideal amount of memory to be used
1946 # for:
1947 # * In-Transit objects
1948 # * Hot Objects
1949 # * Negative-Cached objects
1950 #
1951 # Data for these objects are stored in 4 KB blocks. This
1952 # parameter specifies the ideal upper limit on the total size of
1953 # 4 KB blocks allocated. In-Transit objects take the highest
1954 # priority.
1955 #
1956 # In-transit objects have priority over the others. When
1957 # additional space is needed for incoming data, negative-cached
1958 # and hot objects will be released. In other words, the
1959 # negative-cached and hot objects will fill up any unused space
1960 # not needed for in-transit objects.
1961 #
1962 # If circumstances require, this limit will be exceeded.
1963 # Specifically, if your incoming request rate requires more than
1964 # 'cache_mem' of memory to hold in-transit objects, Squid will
1965 # exceed this limit to satisfy the new requests. When the load
1966 # decreases, blocks will be freed until the high-water mark is
1967 # reached. Thereafter, blocks will be used to store hot
1968 # objects.
1969 #Default:
1970 # cache_mem 256 MB
1972 # TAG: maximum_object_size_in_memory (bytes)
1973 # Objects greater than this size will not be attempted to kept in
1974 # the memory cache. This should be set high enough to keep objects
1975 # accessed frequently in memory to improve performance whilst low
1976 # enough to keep larger objects from hoarding cache_mem.
1977 #Default:
1978 # maximum_object_size_in_memory 512 KB
1980 # TAG: memory_replacement_policy
1981 # The memory replacement policy parameter determines which
1982 # objects are purged from memory when memory space is needed.
1983 #
1984 # See cache_replacement_policy for details.
1985 #Default:
1986 # memory_replacement_policy lru
1988 # DISK CACHE OPTIONS
1989 # -----------------------------------------------------------------------------
1991 # TAG: cache_replacement_policy
1992 # The cache replacement policy parameter determines which
1993 # objects are evicted (replaced) when disk space is needed.
1994 #
1995 # lru : Squid's original list based LRU policy
1996 # heap GDSF : Greedy-Dual Size Frequency
1997 # heap LFUDA: Least Frequently Used with Dynamic Aging
1998 # heap LRU : LRU policy implemented using a heap
1999 #
2000 # Applies to any cache_dir lines listed below this.
2001 #
2002 # The LRU policies keeps recently referenced objects.
2003 #
2004 # The heap GDSF policy optimizes object hit rate by keeping smaller
2005 # popular objects in cache so it has a better chance of getting a
2006 # hit. It achieves a lower byte hit rate than LFUDA though since
2007 # it evicts larger (possibly popular) objects.
2008 #
2009 # The heap LFUDA policy keeps popular objects in cache regardless of
2010 # their size and thus optimizes byte hit rate at the expense of
2011 # hit rate since one large, popular object will prevent many
2012 # smaller, slightly less popular objects from being cached.
2013 #
2014 # Both policies utilize a dynamic aging mechanism that prevents
2015 # cache pollution that can otherwise occur with frequency-based
2016 # replacement policies.
2017 #
2018 # NOTE: if using the LFUDA replacement policy you should increase
2019 # the value of maximum_object_size above its default of 4096 KB to
2020 # to maximize the potential byte hit rate improvement of LFUDA.
2021 #
2022 # For more information about the GDSF and LFUDA cache replacement
2023 # policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
2024 # and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
2025 #Default:
2026 # cache_replacement_policy lru
2028 # TAG: cache_dir
2029 # Usage:
2030 #
2031 # cache_dir Type Directory-Name Fs-specific-data [options]
2032 #
2033 # You can specify multiple cache_dir lines to spread the
2034 # cache among different disk partitions.
2035 #
2036 # Type specifies the kind of storage system to use. Only "ufs"
2037 # is built by default. To enable any of the other storage systems
2038 # see the --enable-storeio configure option.
2039 #
2040 # 'Directory' is a top-level directory where cache swap
2041 # files will be stored. If you want to use an entire disk
2042 # for caching, this can be the mount-point directory.
2043 # The directory must exist and be writable by the Squid
2044 # process. Squid will NOT create this directory for you.
2045 #
2046 # The ufs store type:
2047 #
2048 # "ufs" is the old well-known Squid storage format that has always
2049 # been there.
2050 #
2051 # cache_dir ufs Directory-Name Mbytes L1 L2 [options]
2052 #
2053 # 'Mbytes' is the amount of disk space (MB) to use under this
2054 # directory. The default is 100 MB. Change this to suit your
2055 # configuration. Do NOT put the size of your disk drive here.
2056 # Instead, if you want Squid to use the entire disk drive,
2057 # subtract 20% and use that value.
2058 #
2059 # 'Level-1' is the number of first-level subdirectories which
2060 # will be created under the 'Directory'. The default is 16.
2061 #
2062 # 'Level-2' is the number of second-level subdirectories which
2063 # will be created under each first-level directory. The default
2064 # is 256.
2065 #
2066 # The aufs store type:
2067 #
2068 # "aufs" uses the same storage format as "ufs", utilizing
2069 # POSIX-threads to avoid blocking the main Squid process on
2070 # disk-I/O. This was formerly known in Squid as async-io.
2071 #
2072 # cache_dir aufs Directory-Name Mbytes L1 L2 [options]
2073 #
2074 # see argument descriptions under ufs above
2075 #
2076 # The diskd store type:
2077 #
2078 # "diskd" uses the same storage format as "ufs", utilizing a
2079 # separate process to avoid blocking the main Squid process on
2080 # disk-I/O.
2081 #
2082 # cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
2083 #
2084 # see argument descriptions under ufs above
2085 #
2086 # Q1 specifies the number of unacknowledged I/O requests when Squid
2087 # stops opening new files. If this many messages are in the queues,
2088 # Squid won't open new files. Default is 64
2089 #
2090 # Q2 specifies the number of unacknowledged messages when Squid
2091 # starts blocking. If this many messages are in the queues,
2092 # Squid blocks until it receives some replies. Default is 72
2093 #
2094 # When Q1 < Q2 (the default), the cache directory is optimized
2095 # for lower response time at the expense of a decrease in hit
2096 # ratio. If Q1 > Q2, the cache directory is optimized for
2097 # higher hit ratio at the expense of an increase in response
2098 # time.
2099 #
2100 # The coss store type:
2101 #
2102 # NP: COSS filesystem in Squid-3 has been deemed too unstable for
2103 # production use and has thus been removed from this release.
2104 # We hope that it can be made usable again soon.
2105 #
2106 # block-size=n defines the "block size" for COSS cache_dir's.
2107 # Squid uses file numbers as block numbers. Since file numbers
2108 # are limited to 24 bits, the block size determines the maximum
2109 # size of the COSS partition. The default is 512 bytes, which
2110 # leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
2111 # you should not change the coss block size after Squid
2112 # has written some objects to the cache_dir.
2113 #
2114 # The coss file store has changed from 2.5. Now it uses a file
2115 # called 'stripe' in the directory names in the config - and
2116 # this will be created by squid -z.
2117 #
2118 # Common options:
2119 #
2120 # no-store, no new objects should be stored to this cache_dir
2121 #
2122 # max-size=n, refers to the max object size this storedir supports.
2123 # It is used to initially choose the storedir to dump the object.
2124 # Note: To make optimal use of the max-size limits you should order
2125 # the cache_dir lines with the smallest max-size value first and the
2126 # ones with no max-size specification last.
2127 #
2128 # Note for coss, max-size must be less than COSS_MEMBUF_SZ,
2129 # which can be changed with the --with-coss-membuf-size=N configure
2130 # option.
2131 #
2133 # Uncomment and adjust the following to add a disk cache directory.
2134 #cache_dir ufs /var/spool/squid3 100 16 256
2136 # TAG: store_dir_select_algorithm
2137 # Set this to 'round-robin' as an alternative.
2138 #Default:
2139 # store_dir_select_algorithm least-load
2141 # TAG: max_open_disk_fds
2142 # To avoid having disk as the I/O bottleneck Squid can optionally
2143 # bypass the on-disk cache if more than this amount of disk file
2144 # descriptors are open.
2145 #
2146 # A value of 0 indicates no limit.
2147 #Default:
2148 # max_open_disk_fds 0
2150 # TAG: minimum_object_size (bytes)
2151 # Objects smaller than this size will NOT be saved on disk. The
2152 # value is specified in kilobytes, and the default is 0 KB, which
2153 # means there is no minimum.
2154 #Default:
2155 # minimum_object_size 0 KB
2157 # TAG: maximum_object_size (bytes)
2158 # Objects larger than this size will NOT be saved on disk. The
2159 # value is specified in kilobytes, and the default is 4MB. If
2160 # you wish to get a high BYTES hit ratio, you should probably
2161 # increase this (one 32 MB object hit counts for 3200 10KB
2162 # hits). If you wish to increase speed more than your want to
2163 # save bandwidth you should leave this low.
2164 #
2165 # NOTE: if using the LFUDA replacement policy you should increase
2166 # this value to maximize the byte hit rate improvement of LFUDA!
2167 # See replacement_policy below for a discussion of this policy.
2168 #Default:
2169 # maximum_object_size 4096 KB
2171 # Videos are LARGE; make sure you aren't killing them as 'too big to save'
2172 # - squid defaults to 4MB, which is too small for videos and even some sound files
2173 # See: http://sigtar.com/2009/06/10/squid-optimizing-cache-hits/
2174 maximum_object_size 4 GB
2176 # TAG: cache_swap_low (percent, 0-100)
2177 # TAG: cache_swap_high (percent, 0-100)
2178 #
2179 # The low- and high-water marks for cache object replacement.
2180 # Replacement begins when the swap (disk) usage is above the
2181 # low-water mark and attempts to maintain utilization near the
2182 # low-water mark. As swap utilization gets close to high-water
2183 # mark object eviction becomes more aggressive. If utilization is
2184 # close to the low-water mark less replacement is done each time.
2185 #
2186 # Defaults are 90% and 95%. If you have a large cache, 5% could be
2187 # hundreds of MB. If this is the case you may wish to set these
2188 # numbers closer together.
2189 #Default:
2190 # cache_swap_low 90
2191 # cache_swap_high 95
2193 # LOGFILE OPTIONS
2194 # -----------------------------------------------------------------------------
2196 # TAG: logformat
2197 # Usage:
2198 #
2199 # logformat <name> <format specification>
2200 #
2201 # Defines an access log format.
2202 #
2203 # The <format specification> is a string with embedded % format codes
2204 #
2205 # % format codes all follow the same basic structure where all but
2206 # the formatcode is optional. Output strings are automatically escaped
2207 # as required according to their context and the output format
2208 # modifiers are usually not needed, but can be specified if an explicit
2209 # output format is desired.
2210 #
2211 # % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
2212 #
2213 # " output in quoted string format
2214 # [ output in squid text log format as used by log_mime_hdrs
2215 # # output in URL quoted format
2216 # ' output as-is
2217 #
2218 # - left aligned
2219 # width field width. If starting with 0 the
2220 # output is zero padded
2221 # {arg} argument such as header name etc
2222 #
2223 # Format codes:
2224 #
2225 # % a literal % character
2226 # >a Client source IP address
2227 # >A Client FQDN
2228 # >p Client source port
2229 # <A Server IP address or peer name
2230 # la Local IP address (http_port)
2231 # lp Local port number (http_port)
2232 # ts Seconds since epoch
2233 # tu subsecond time (milliseconds)
2234 # tl Local time. Optional strftime format argument
2235 # default %d/%b/%Y:%H:%M:%S %z
2236 # tg GMT time. Optional strftime format argument
2237 # default %d/%b/%Y:%H:%M:%S %z
2238 # tr Response time (milliseconds)
2239 # dt Total time spent making DNS lookups (milliseconds)
2240 #
2241 # HTTP cache related format codes:
2242 #
2243 # [http::]>h Original request header. Optional header name argument
2244 # on the format header[:[separator]element]
2245 # [http::]>ha The HTTP request headers after adaptation and redirection.
2246 # Optional header name argument as for >h
2247 # [http::]<h Reply header. Optional header name argument
2248 # as for >h
2249 # [http::]un User name
2250 # [http::]ul User name from authentication
2251 # [http::]ui User name from ident
2252 # [http::]us User name from SSL
2253 # [http::]ue User name from external acl helper
2254 # [http::]>Hs HTTP status code sent to the client
2255 # [http::]<Hs HTTP status code received from the next hop
2256 # [http::]Ss Squid request status (TCP_MISS etc)
2257 # [http::]Sh Squid hierarchy status (DEFAULT_PARENT etc)
2258 # [http::]mt MIME content type
2259 # [http::]rm Request method (GET/POST etc)
2260 # [http::]ru Request URL
2261 # [http::]rp Request URL-Path excluding hostname
2262 # [http::]rv Request protocol version
2263 # [http::]et Tag returned by external acl
2264 # [http::]ea Log string returned by external acl
2265 # [http::]<st Sent reply size including HTTP headers
2266 # [http::]>st Received request size including HTTP headers. In the
2267 # case of chunked requests the chunked encoding metadata
2268 # are not included
2269 # [http::]>sh Received HTTP request headers size
2270 # [http::]<sh Sent HTTP reply headers size
2271 # [http::]st Request+Reply size including HTTP headers
2272 # [http::]<sH Reply high offset sent
2273 # [http::]<sS Upstream object size
2274 # [http::]<pt Peer response time in milliseconds. The timer starts
2275 # when the last request byte is sent to the next hop
2276 # and stops when the last response byte is received.
2277 # [http::]<tt Total server-side time in milliseconds. The timer
2278 # starts with the first connect request (or write I/O)
2279 # sent to the first selected peer. The timer stops
2280 # with the last I/O with the last peer.
2281 #
2282 # If ICAP is enabled, the following two codes become available (as
2283 # well as ICAP log codes documented with the icap_log option):
2284 #
2285 # icap::tt Total ICAP processing time for the HTTP
2286 # transaction. The timer ticks when ICAP
2287 # ACLs are checked and when ICAP
2288 # transaction is in progress.
2289 #
2290 # icap::<last_h The header of the last ICAP response
2291 # related to the HTTP transaction. Like
2292 # <h, accepts an optional header name
2293 # argument. Will not change semantics
2294 # when multiple ICAP transactions per HTTP
2295 # transaction are supported.
2296 #
2297 # If adaptation is enabled the following two codes become available:
2298 #
2299 # adapt::sum_trs Summed adaptation transaction response
2300 # times recorded as a comma-separated list in
2301 # the order of transaction start time. Each time
2302 # value is recorded as an integer number,
2303 # representing response time of one or more
2304 # adaptation (ICAP or eCAP) transaction in
2305 # milliseconds. When a failed transaction is
2306 # being retried or repeated, its time is not
2307 # logged individually but added to the
2308 # replacement (next) transaction. See also:
2309 # adapt::all_trs.
2310 #
2311 # adapt::all_trs All adaptation transaction response times.
2312 # Same as adaptation_strs but response times of
2313 # individual transactions are never added
2314 # together. Instead, all transaction response
2315 # times are recorded individually.
2316 #
2317 # You can prefix adapt::*_trs format codes with adaptation
2318 # service name in curly braces to record response time(s) specific
2319 # to that service. For example: %{my_service}adapt::sum_trs
2320 #
2321 # The default formats available (which do not need re-defining) are:
2322 #
2323 #logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
2324 #logformat squidmime %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
2325 #logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
2326 #logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
2327 #Default:
2328 # none
2330 # TAG: access_log
2331 # These files log client request activities. Has a line every HTTP or
2332 # ICP request. The format is:
2333 # access_log <filepath> [<logformat name> [acl acl ...]]
2334 # access_log none [acl acl ...]]
2335 #
2336 # Will log to the specified file using the specified format (which
2337 # must be defined in a logformat directive) those entries which match
2338 # ALL the acl's specified (which must be defined in acl clauses).
2339 # If no acl is specified, all requests will be logged to this file.
2340 #
2341 # To disable logging of a request use the filepath "none", in which case
2342 # a logformat name should not be specified.
2343 #
2344 # To log the request via syslog specify a filepath of "syslog":
2345 #
2346 # access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
2347 # where facility could be any of:
2348 # authpriv, daemon, local0 .. local7 or user.
2349 #
2350 # And priority could be any of:
2351 # err, warning, notice, info, debug.
2352 #
2353 # Default:
2354 # access_log /var/log/squid3/access.log squid
2355 #Default:
2356 # access_log /var/log/squid3/access.log squid
2358 # TAG: icap_log
2359 # ICAP log files record ICAP transaction summaries, one line per
2360 # transaction.
2361 #
2362 # The icap_log option format is:
2363 # icap_log <filepath> [<logformat name> [acl acl ...]]
2364 # icap_log none [acl acl ...]]
2365 #
2366 # Please see access_log option documentation for details. The two
2367 # kinds of logs share the overall configuration approach and many
2368 # features.
2369 #
2370 # ICAP processing of a single HTTP message or transaction may
2371 # require multiple ICAP transactions. In such cases, multiple
2372 # ICAP transaction log lines will correspond to a single access
2373 # log line.
2374 #
2375 # ICAP log uses logformat codes that make sense for an ICAP
2376 # transaction. Header-related codes are applied to the HTTP header
2377 # embedded in an ICAP server response, with the following caveats:
2378 # For REQMOD, there is no HTTP response header unless the ICAP
2379 # server performed request satisfaction. For RESPMOD, the HTTP
2380 # request header is the header sent to the ICAP server. For
2381 # OPTIONS, there are no HTTP headers.
2382 #
2383 # The following format codes are also available for ICAP logs:
2384 #
2385 # icap::<A ICAP server IP address. Similar to <A.
2386 #
2387 # icap::<service_name ICAP service name from the icap_service
2388 # option in Squid configuration file.
2389 #
2390 # icap::ru ICAP Request-URI. Similar to ru.
2391 #
2392 # icap::rm ICAP request method (REQMOD, RESPMOD, or
2393 # OPTIONS). Similar to existing rm.
2394 #
2395 # icap::>st Bytes sent to the ICAP server (TCP payload
2396 # only; i.e., what Squid writes to the socket).
2397 #
2398 # icap::<st Bytes received from the ICAP server (TCP
2399 # payload only; i.e., what Squid reads from
2400 # the socket).
2401 #
2402 # icap::tr Transaction response time (in
2403 # milliseconds). The timer starts when
2404 # the ICAP transaction is created and
2405 # stops when the transaction is completed.
2406 # Similar to tr.
2407 #
2408 # icap::tio Transaction I/O time (in milliseconds). The
2409 # timer starts when the first ICAP request
2410 # byte is scheduled for sending. The timers
2411 # stops when the last byte of the ICAP response
2412 # is received.
2413 #
2414 # icap::to Transaction outcome: ICAP_ERR* for all
2415 # transaction errors, ICAP_OPT for OPTION
2416 # transactions, ICAP_ECHO for 204
2417 # responses, ICAP_MOD for message
2418 # modification, and ICAP_SAT for request
2419 # satisfaction. Similar to Ss.
2420 #
2421 # icap::Hs ICAP response status code. Similar to Hs.
2422 #
2423 # icap::>h ICAP request header(s). Similar to >h.
2424 #
2425 # icap::<h ICAP response header(s). Similar to <h.
2426 #
2427 # The default ICAP log format, which can be used without an explicit
2428 # definition, is called icap_squid:
2429 #
2430 #logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
2431 #
2432 # See also: logformat, log_icap, and %icap::<last_h
2433 #Default:
2434 # none
2436 # TAG: log_access allow|deny acl acl...
2437 # This options allows you to control which requests gets logged
2438 # to access.log (see access_log directive). Requests denied for
2439 # logging will also not be accounted for in performance counters.
2440 #
2441 # This clause only supports fast acl types.
2442 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
2443 #Default:
2444 # none
2446 # TAG: log_icap
2447 # This options allows you to control which requests get logged
2448 # to icap.log. See the icap_log directive for ICAP log details.
2449 #Default:
2450 # none
2452 # TAG: cache_store_log
2453 # Logs the activities of the storage manager. Shows which
2454 # objects are ejected from the cache, and which objects are
2455 # saved and for how long. To disable, enter "none" or remove the line.
2456 # There are not really utilities to analyze this data, so you can safely
2457 # disable it.
2458 #
2459 # Example:
2460 # cache_store_log /var/log/squid3/store.log
2461 #Default:
2462 # none
2464 # TAG: cache_swap_state
2465 # Location for the cache "swap.state" file. This index file holds
2466 # the metadata of objects saved on disk. It is used to rebuild
2467 # the cache during startup. Normally this file resides in each
2468 # 'cache_dir' directory, but you may specify an alternate
2469 # pathname here. Note you must give a full filename, not just
2470 # a directory. Since this is the index for the whole object
2471 # list you CANNOT periodically rotate it!
2472 #
2473 # If %s can be used in the file name it will be replaced with a
2474 # a representation of the cache_dir name where each / is replaced
2475 # with '.'. This is needed to allow adding/removing cache_dir
2476 # lines when cache_swap_log is being used.
2477 #
2478 # If have more than one 'cache_dir', and %s is not used in the name
2479 # these swap logs will have names such as:
2480 #
2481 # cache_swap_log.00
2482 # cache_swap_log.01
2483 # cache_swap_log.02
2484 #
2485 # The numbered extension (which is added automatically)
2486 # corresponds to the order of the 'cache_dir' lines in this
2487 # configuration file. If you change the order of the 'cache_dir'
2488 # lines in this file, these index files will NOT correspond to
2489 # the correct 'cache_dir' entry (unless you manually rename
2490 # them). We recommend you do NOT use this option. It is
2491 # better to keep these index files in each 'cache_dir' directory.
2492 #Default:
2493 # none
2495 # TAG: logfile_rotate
2496 # Specifies the number of logfile rotations to make when you
2497 # type 'squid -k rotate'. The default is 10, which will rotate
2498 # with extensions 0 through 9. Setting logfile_rotate to 0 will
2499 # disable the file name rotation, but the logfiles are still closed
2500 # and re-opened. This will enable you to rename the logfiles
2501 # yourself just before sending the rotate signal.
2502 #
2503 # Note, the 'squid -k rotate' command normally sends a USR1
2504 # signal to the running squid process. In certain situations
2505 # (e.g. on Linux with Async I/O), USR1 is used for other
2506 # purposes, so -k rotate uses another signal. It is best to get
2507 # in the habit of using 'squid -k rotate' instead of 'kill -USR1
2508 # <pid>'.
2509 #
2510 # Note, from Squid-3.1 this option has no effect on the cache.log,
2511 # that log can be rotated separately by using debug_options
2512 #
2513 # Note2, for Debian/Linux the default of logfile_rotate is
2514 # zero, since it includes external logfile-rotation methods.
2515 #Default:
2516 # logfile_rotate 0
2518 # TAG: emulate_httpd_log on|off
2519 # The Cache can emulate the log file format which many 'httpd'
2520 # programs use. To disable/enable this emulation, set
2521 # emulate_httpd_log to 'off' or 'on'. The default
2522 # is to use the native log format since it includes useful
2523 # information Squid-specific log analyzers use.
2524 #Default:
2525 # emulate_httpd_log off
2527 # TAG: log_ip_on_direct on|off
2528 # Log the destination IP address in the hierarchy log tag when going
2529 # direct. Earlier Squid versions logged the hostname here. If you
2530 # prefer the old way set this to off.
2531 #Default:
2532 # log_ip_on_direct on
2534 # TAG: mime_table
2535 # Pathname to Squid's MIME table. You shouldn't need to change
2536 # this, but the default file contains examples and formatting
2537 # information if you do.
2538 #Default:
2539 # mime_table /usr/share/squid3/mime.conf
2541 # TAG: log_mime_hdrs on|off
2542 # The Cache can record both the request and the response MIME
2543 # headers for each HTTP transaction. The headers are encoded
2544 # safely and will appear as two bracketed fields at the end of
2545 # the access log (for either the native or httpd-emulated log
2546 # formats). To enable this logging set log_mime_hdrs to 'on'.
2547 #Default:
2548 # log_mime_hdrs off
2550 # TAG: useragent_log
2551 # Note: This option is only available if Squid is rebuilt with the
2552 # --enable-useragent-log option
2553 #
2554 # Squid will write the User-Agent field from HTTP requests
2555 # to the filename specified here. By default useragent_log
2556 # is disabled.
2557 #Default:
2558 # none
2560 # TAG: referer_log
2561 # Note: This option is only available if Squid is rebuilt with the
2562 # --enable-referer-log option
2563 #
2564 # Squid will write the Referer field from HTTP requests to the
2565 # filename specified here. By default referer_log is disabled.
2566 # Note that "referer" is actually a misspelling of "referrer"
2567 # however the misspelt version has been accepted into the HTTP RFCs
2568 # and we accept both.
2569 #Default:
2570 # none
2572 # TAG: pid_filename
2573 # A filename to write the process-id to. To disable, enter "none".
2574 #Default:
2575 # pid_filename /var/run/squid3.pid
2577 # TAG: log_fqdn on|off
2578 # Turn this on if you wish to log fully qualified domain names
2579 # in the access.log. To do this Squid does a DNS lookup of all
2580 # IP's connecting to it. This can (in some situations) increase
2581 # latency, which makes your cache seem slower for interactive
2582 # browsing.
2583 #Default:
2584 # log_fqdn off
2586 # TAG: client_netmask
2587 # A netmask for client addresses in logfiles and cachemgr output.
2588 # Change this to protect the privacy of your cache clients.
2589 # A netmask of 255.255.255.0 will log all IP's in that range with
2590 # the last digit set to '0'.
2591 #Default:
2592 # client_netmask no_addr
2594 # TAG: forward_log
2595 # Note: This option is only available if Squid is rebuilt with the
2596 # -DWIP_FWD_LOG define
2597 #
2598 # Logs the server-side requests.
2599 #
2600 # This is currently work in progress.
2601 #Default:
2602 # none
2604 # TAG: strip_query_terms
2605 # By default, Squid strips query terms from requested URLs before
2606 # logging. This protects your user's privacy.
2607 #Default:
2608 # strip_query_terms on
2610 # TAG: buffered_logs on|off
2611 # cache.log log file is written with stdio functions, and as such
2612 # it can be buffered or unbuffered. By default it will be unbuffered.
2613 # Buffering it can speed up the writing slightly (though you are
2614 # unlikely to need to worry unless you run with tons of debugging
2615 # enabled in which case performance will suffer badly anyway..).
2616 #Default:
2617 # buffered_logs off
2619 # TAG: netdb_filename
2620 # Note: This option is only available if Squid is rebuilt with the
2621 # --enable-icmp option
2622 #
2623 # A filename where Squid stores it's netdb state between restarts.
2624 # To disable, enter "none".
2625 #Default:
2626 # netdb_filename /var/log/squid3/netdb.state
2628 # OPTIONS FOR TROUBLESHOOTING
2629 # -----------------------------------------------------------------------------
2631 # TAG: cache_log
2632 # Cache logging file. This is where general information about
2633 # your cache's behavior goes. You can increase the amount of data
2634 # logged to this file and how often its rotated with "debug_options"
2635 #Default:
2636 # cache_log /var/log/squid3/cache.log
2638 # TAG: debug_options
2639 # Logging options are set as section,level where each source file
2640 # is assigned a unique section. Lower levels result in less
2641 # output, Full debugging (level 9) can result in a very large
2642 # log file, so be careful.
2643 #
2644 # The magic word "ALL" sets debugging levels for all sections.
2645 # We recommend normally running with "ALL,1".
2646 #
2647 # The rotate=N option can be used to keep more or less of these logs
2648 # than would otherwise be kept by logfile_rotate.
2649 # For most uses a single log should be enough to monitor current
2650 # events affecting Squid.
2651 #Default:
2652 # debug_options ALL,1
2654 # TAG: coredump_dir
2655 # By default Squid leaves core files in the directory from where
2656 # it was started. If you set 'coredump_dir' to a directory
2657 # that exists, Squid will chdir() to that directory at startup
2658 # and coredump files will be left there.
2659 #
2660 #Default:
2661 # coredump_dir none
2662 #
2664 # Leave coredumps in the first cache dir
2665 coredump_dir /var/spool/squid3
2667 # OPTIONS FOR FTP GATEWAYING
2668 # -----------------------------------------------------------------------------
2670 # TAG: ftp_user
2671 # If you want the anonymous login password to be more informative
2672 # (and enable the use of picky ftp servers), set this to something
2673 # reasonable for your domain, like wwwuser@somewhere.net
2674 #
2675 # The reason why this is domainless by default is the
2676 # request can be made on the behalf of a user in any domain,
2677 # depending on how the cache is used.
2678 # Some ftp server also validate the email address is valid
2679 # (for example perl.com).
2680 #Default:
2681 # ftp_user Squid@
2683 # TAG: ftp_list_width
2684 # Sets the width of ftp listings. This should be set to fit in
2685 # the width of a standard browser. Setting this too small
2686 # can cut off long filenames when browsing ftp sites.
2687 #Default:
2688 # ftp_list_width 32
2690 # TAG: ftp_passive
2691 # If your firewall does not allow Squid to use passive
2692 # connections, turn off this option.
2693 #
2694 # Use of ftp_epsv_all option requires this to be ON.
2695 #Default:
2696 # ftp_passive on
2698 # TAG: ftp_epsv_all
2699 # FTP Protocol extensions permit the use of a special "EPSV ALL" command.
2700 #
2701 # NATs may be able to put the connection on a "fast path" through the
2702 # translator, as the EPRT command will never be used and therefore,
2703 # translation of the data portion of the segments will never be needed.
2704 #
2705 # When a client only expects to do two-way FTP transfers this may be
2706 # useful.
2707 # If squid finds that it must do a three-way FTP transfer after issuing
2708 # an EPSV ALL command, the FTP session will fail.
2709 #
2710 # If you have any doubts about this option do not use it.
2711 # Squid will nicely attempt all other connection methods.
2712 #
2713 # Requires ftp_passive to be ON (default) for any effect.
2714 #Default:
2715 # ftp_epsv_all off
2717 # TAG: ftp_epsv
2718 # FTP Protocol extensions permit the use of a special "EPSV" command.
2719 #
2720 # NATs may be able to put the connection on a "fast path" through the
2721 # translator using EPSV, as the EPRT command will never be used
2722 # and therefore, translation of the data portion of the segments
2723 # will never be needed.
2724 #
2725 # Turning this OFF will prevent EPSV being attempted.
2726 # WARNING: Doing so will convert Squid back to the old behavior with all
2727 # the related problems with external NAT devices/layers.
2728 #
2729 # Requires ftp_passive to be ON (default) for any effect.
2730 #Default:
2731 # ftp_epsv on
2733 # TAG: ftp_sanitycheck
2734 # For security and data integrity reasons Squid by default performs
2735 # sanity checks of the addresses of FTP data connections ensure the
2736 # data connection is to the requested server. If you need to allow
2737 # FTP connections to servers using another IP address for the data
2738 # connection turn this off.
2739 #Default:
2740 # ftp_sanitycheck on
2742 # TAG: ftp_telnet_protocol
2743 # The FTP protocol is officially defined to use the telnet protocol
2744 # as transport channel for the control connection. However, many
2745 # implementations are broken and does not respect this aspect of
2746 # the FTP protocol.
2747 #
2748 # If you have trouble accessing files with ASCII code 255 in the
2749 # path or similar problems involving this ASCII code you can
2750 # try setting this directive to off. If that helps, report to the
2751 # operator of the FTP server in question that their FTP server
2752 # is broken and does not follow the FTP standard.
2753 #Default:
2754 # ftp_telnet_protocol on
2756 # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
2757 # -----------------------------------------------------------------------------
2759 # TAG: diskd_program
2760 # Specify the location of the diskd executable.
2761 # Note this is only useful if you have compiled in
2762 # diskd as one of the store io modules.
2763 #Default:
2764 # diskd_program /usr/lib/squid3/diskd
2766 # TAG: unlinkd_program
2767 # Specify the location of the executable for file deletion process.
2768 #Default:
2769 # unlinkd_program /usr/lib/squid3/unlinkd
2771 # TAG: pinger_program
2772 # Note: This option is only available if Squid is rebuilt with the
2773 # --enable-icmp option
2774 #
2775 # Specify the location of the executable for the pinger process.
2776 #Default:
2777 # pinger_program /usr/lib/squid3/pinger
2779 # TAG: pinger_enable
2780 # Note: This option is only available if Squid is rebuilt with the
2781 # --enable-icmp option
2782 #
2783 # Control whether the pinger is active at run-time.
2784 # Enables turning ICMP pinger on and off with a simple
2785 # squid -k reconfigure.
2786 #Default:
2787 # pinger_enable off
2789 # OPTIONS FOR URL REWRITING
2790 # -----------------------------------------------------------------------------
2792 # TAG: url_rewrite_program
2793 # Specify the location of the executable for the URL rewriter.
2794 # Since they can perform almost any function there isn't one included.
2795 #
2796 # For each requested URL rewriter will receive on line with the format
2797 #
2798 # URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
2799 #
2800 # In the future, the rewriter interface will be extended with
2801 # key=value pairs ("kvpairs" shown above). Rewriter programs
2802 # should be prepared to receive and possibly ignore additional
2803 # whitespace-separated tokens on each input line.
2804 #
2805 # And the rewriter may return a rewritten URL. The other components of
2806 # the request line does not need to be returned (ignored if they are).
2807 #
2808 # The rewriter can also indicate that a client-side redirect should
2809 # be performed to the new URL. This is done by prefixing the returned
2810 # URL with "301:" (moved permanently) or 302: (moved temporarily).
2811 #
2812 # By default, a URL rewriter is not used.
2813 #Default:
2814 # none
2816 # TAG: url_rewrite_children
2817 # The number of redirector processes to spawn. If you start
2818 # too few Squid will have to wait for them to process a backlog of
2819 # URLs, slowing it down. If you start too many they will use RAM
2820 # and other system resources.
2821 #Default:
2822 # url_rewrite_children 5
2824 # TAG: url_rewrite_concurrency
2825 # The number of requests each redirector helper can handle in
2826 # parallel. Defaults to 0 which indicates the redirector
2827 # is a old-style single threaded redirector.
2828 #
2829 # When this directive is set to a value >= 1 then the protocol
2830 # used to communicate with the helper is modified to include
2831 # a request ID in front of the request/response. The request
2832 # ID from the request must be echoed back with the response
2833 # to that request.
2834 #Default:
2835 # url_rewrite_concurrency 0
2837 # TAG: url_rewrite_host_header
2838 # By default Squid rewrites any Host: header in redirected
2839 # requests. If you are running an accelerator this may
2840 # not be a wanted effect of a redirector.
2841 #
2842 # WARNING: Entries are cached on the result of the URL rewriting
2843 # process, so be careful if you have domain-virtual hosts.
2844 #Default:
2845 # url_rewrite_host_header on
2847 # TAG: url_rewrite_access
2848 # If defined, this access list specifies which requests are
2849 # sent to the redirector processes. By default all requests
2850 # are sent.
2851 #
2852 # This clause supports both fast and slow acl types.
2853 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
2854 #Default:
2855 # none
2857 # TAG: url_rewrite_bypass
2858 # When this is 'on', a request will not go through the
2859 # redirector if all redirectors are busy. If this is 'off'
2860 # and the redirector queue grows too large, Squid will exit
2861 # with a FATAL error and ask you to increase the number of
2862 # redirectors. You should only enable this if the redirectors
2863 # are not critical to your caching system. If you use
2864 # redirectors for access control, and you enable this option,
2865 # users may have access to pages they should not
2866 # be allowed to request.
2867 #Default:
2868 # url_rewrite_bypass off
2870 # OPTIONS FOR TUNING THE CACHE
2871 # -----------------------------------------------------------------------------
2873 # TAG: cache
2874 # A list of ACL elements which, if matched and denied, cause the request to
2875 # not be satisfied from the cache and the reply to not be cached.
2876 # In other words, use this to force certain objects to never be cached.
2877 #
2878 # You must use the words 'allow' or 'deny' to indicate whether items
2879 # matching the ACL should be allowed or denied into the cache.
2880 #
2881 # Default is to allow all to be cached.
2882 #
2883 # This clause supports both fast and slow acl types.
2884 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
2885 #Default:
2886 # none
2888 # TAG: refresh_pattern
2889 # usage: refresh_pattern [-i] regex min percent max [options]
2890 #
2891 # By default, regular expressions are CASE-SENSITIVE. To make
2892 # them case-insensitive, use the -i option.
2893 #
2894 # 'Min' is the time (in minutes) an object without an explicit
2895 # expiry time should be considered fresh. The recommended
2896 # value is 0, any higher values may cause dynamic applications
2897 # to be erroneously cached unless the application designer
2898 # has taken the appropriate actions.
2899 #
2900 # 'Percent' is a percentage of the objects age (time since last
2901 # modification age) an object without explicit expiry time
2902 # will be considered fresh.
2903 #
2904 # 'Max' is an upper limit on how long objects without an explicit
2905 # expiry time will be considered fresh.
2906 #
2907 # options: override-expire
2908 # override-lastmod
2909 # reload-into-ims
2910 # ignore-reload
2911 # ignore-no-cache
2912 # ignore-no-store
2913 # ignore-must-revalidate
2914 # ignore-private
2915 # ignore-auth
2916 # refresh-ims
2917 #
2918 # override-expire enforces min age even if the server
2919 # sent an explicit expiry time (e.g., with the
2920 # Expires: header or Cache-Control: max-age). Doing this
2921 # VIOLATES the HTTP standard. Enabling this feature
2922 # could make you liable for problems which it causes.
2923 #
2924 # Note: override-expire does not enforce staleness - it only extends
2925 # freshness / min. If the server returns a Expires time which
2926 # is longer than your max time, Squid will still consider
2927 # the object fresh for that period of time.
2928 #
2929 # override-lastmod enforces min age even on objects
2930 # that were modified recently.
2931 #
2932 # reload-into-ims changes client no-cache or ``reload''
2933 # to If-Modified-Since requests. Doing this VIOLATES the
2934 # HTTP standard. Enabling this feature could make you
2935 # liable for problems which it causes.
2936 #
2937 # ignore-reload ignores a client no-cache or ``reload''
2938 # header. Doing this VIOLATES the HTTP standard. Enabling
2939 # this feature could make you liable for problems which
2940 # it causes.
2941 #
2942 # ignore-no-cache ignores any ``Pragma: no-cache'' and
2943 # ``Cache-control: no-cache'' headers received from a server.
2944 # The HTTP RFC never allows the use of this (Pragma) header
2945 # from a server, only a client, though plenty of servers
2946 # send it anyway.
2947 #
2948 # ignore-no-store ignores any ``Cache-control: no-store''
2949 # headers received from a server. Doing this VIOLATES
2950 # the HTTP standard. Enabling this feature could make you
2951 # liable for problems which it causes.
2952 #
2953 # ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
2954 # headers received from a server. Doing this VIOLATES
2955 # the HTTP standard. Enabling this feature could make you
2956 # liable for problems which it causes.
2957 #
2958 # ignore-private ignores any ``Cache-control: private''
2959 # headers received from a server. Doing this VIOLATES
2960 # the HTTP standard. Enabling this feature could make you
2961 # liable for problems which it causes.
2962 #
2963 # ignore-auth caches responses to requests with authorization,
2964 # as if the originserver had sent ``Cache-control: public''
2965 # in the response header. Doing this VIOLATES the HTTP standard.
2966 # Enabling this feature could make you liable for problems which
2967 # it causes.
2968 #
2969 # refresh-ims causes squid to contact the origin server
2970 # when a client issues an If-Modified-Since request. This
2971 # ensures that the client will receive an updated version
2972 # if one is available.
2973 #
2974 # Basically a cached object is:
2975 #
2976 # FRESH if expires < now, else STALE
2977 # STALE if age > max
2978 # FRESH if lm-factor < percent, else STALE
2979 # FRESH if age < min
2980 # else STALE
2981 #
2982 # The refresh_pattern lines are checked in the order listed here.
2983 # The first entry which matches is used. If none of the entries
2984 # match the default will be used.
2985 #
2986 # Note, you must uncomment all the default lines if you want
2987 # to change one. The default setting is only active if none is
2988 # used.
2989 #
2990 #
2992 # Add any of your own refresh_pattern entries above these.
2993 #refresh_pattern ^ftp: 1440 20% 10080
2994 #refresh_pattern ^gopher: 1440 0% 1440
2995 #refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2996 #refresh_pattern . 0 20% 4320
2998 # Refresh patterns are of the format: refresh_pattern [-i] regex min percent max [options]
2999 # where min and max are time values in minutes and percent is a percentage figure. The options are:
3000 # override-expire -- ignores the expire header from the Web server.
3001 # override-lastmod -- ignores the last modified date header from the Web server.
3002 # reload-into-ims -- a reload request from a client is converted into an If-Modified-Since request.
3003 # ignore-reload -- a client's no-cache or "reload from origin server" directive is ignored. The request can therefore be satisfied from the cache if available.
3004 # ignore-no-cache -- a no-cache directive from the Web server which makes an object non-cacheable is ignored.
3005 # ignore-no-store -- a no-store directive from the Web server which makes an object non-cacheable is ignored.
3006 # ignore-private -- a private directive from the Web server which makes an object non-cacheable is ignored.
3007 # ignore-auth -- objects requiring authorisation are non-cacheable. This option overrides this limitation.
3008 # refresh-ims -- a refresh request from a client is converted into an If-Modified-Since request.
3009 # See: http://archive09.linux.com/feature/153221 and http://sigtar.com/2009/06/10/squid-optimizing-cache-hits/
3011 refresh_pattern ^ftp: 1440 20% 10080
3012 refresh_pattern ^gopher: 1440 0% 1440
3013 refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
3014 refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
3015 refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
3016 refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
3017 refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
3018 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
3019 refresh_pattern . 0 40% 40320
3021 refresh_pattern -i youtube.com/.* 10080 90% 43200
3023 # TAG: quick_abort_min (KB)
3024 # TAG: quick_abort_max (KB)
3025 # TAG: quick_abort_pct (percent)
3026 # The cache by default continues downloading aborted requests
3027 # which are almost completed (less than 16 KB remaining). This
3028 # may be undesirable on slow (e.g. SLIP) links and/or very busy
3029 # caches. Impatient users may tie up file descriptors and
3030 # bandwidth by repeatedly requesting and immediately aborting
3031 # downloads.
3032 #
3033 # When the user aborts a request, Squid will check the
3034 # quick_abort values to the amount of data transfered until
3035 # then.
3036 #
3037 # If the transfer has less than 'quick_abort_min' KB remaining,
3038 # it will finish the retrieval.
3039 #
3040 # If the transfer has more than 'quick_abort_max' KB remaining,
3041 # it will abort the retrieval.
3042 #
3043 # If more than 'quick_abort_pct' of the transfer has completed,
3044 # it will finish the retrieval.
3045 #
3046 # If you do not want any retrieval to continue after the client
3047 # has aborted, set both 'quick_abort_min' and 'quick_abort_max'
3048 # to '0 KB'.
3049 #
3050 # If you want retrievals to always continue if they are being
3051 # cached set 'quick_abort_min' to '-1 KB'.
3052 #Default:
3053 # quick_abort_min 16 KB
3054 # quick_abort_max 16 KB
3055 # quick_abort_pct 95
3057 # Apparently youtube.com use 'Range' requests
3058 # - not seen, but presumably when a video is stopped for a long while then resumed, (or fast-forwarded).
3059 # - convert range requests into a full-file request, so squid can cache it
3060 # NP: BUT slows down their _first_ load time.
3061 # See: http://sigtar.com/2009/06/10/squid-optimizing-cache-hits/
3062 #quick_abort_min -1 KB
3064 # TAG: read_ahead_gap buffer-size
3065 # The amount of data the cache will buffer ahead of what has been
3066 # sent to the client when retrieving an object from another server.
3067 #Default:
3068 # read_ahead_gap 16 KB
3070 # TAG: negative_ttl time-units
3071 # Set the Default Time-to-Live (TTL) for failed requests.
3072 # Certain types of failures (such as "connection refused" and
3073 # "404 Not Found") are able to be negatively-cached for a short time.
3074 # Modern web servers should provide Expires: header, however if they
3075 # do not this can provide a minimum TTL.
3076 # The default is not to cache errors with unknown expiry details.
3077 #
3078 # Note that this is different from negative caching of DNS lookups.
3079 #
3080 # WARNING: Doing this VIOLATES the HTTP standard. Enabling
3081 # this feature could make you liable for problems which it
3082 # causes.
3083 #Default:
3084 # negative_ttl 0 seconds
3086 # TAG: positive_dns_ttl time-units
3087 # Upper limit on how long Squid will cache positive DNS responses.
3088 # Default is 6 hours (360 minutes). This directive must be set
3089 # larger than negative_dns_ttl.
3090 #Default:
3091 # positive_dns_ttl 6 hours
3093 # TAG: negative_dns_ttl time-units
3094 # Time-to-Live (TTL) for negative caching of failed DNS lookups.
3095 # This also sets the lower cache limit on positive lookups.
3096 # Minimum value is 1 second, and it is not recommendable to go
3097 # much below 10 seconds.
3098 #Default:
3099 # negative_dns_ttl 1 minutes
3101 # TAG: range_offset_limit (bytes)
3102 # Sets a upper limit on how far into the the file a Range request
3103 # may be to cause Squid to prefetch the whole file. If beyond this
3104 # limit Squid forwards the Range request as it is and the result
3105 # is NOT cached.
3106 #
3107 # This is to stop a far ahead range request (lets say start at 17MB)
3108 # from making Squid fetch the whole object up to that point before
3109 # sending anything to the client.
3110 #
3111 # A value of 0 causes Squid to never fetch more than the
3112 # client requested. (default)
3113 #
3114 # A value of -1 causes Squid to always fetch the object from the
3115 # beginning so it may cache the result. (2.0 style)
3116 #
3117 # NP: Using -1 here will override any quick_abort settings that may
3118 # otherwise apply to the range request. The range request will
3119 # be fully fetched from start to finish regardless of the client
3120 # actions. This affects bandwidth usage.
3121 #Default:
3122 # range_offset_limit 0 KB
3124 # TAG: minimum_expiry_time (seconds)
3125 # The minimum caching time according to (Expires - Date)
3126 # Headers Squid honors if the object can't be revalidated
3127 # defaults to 60 seconds. In reverse proxy environments it
3128 # might be desirable to honor shorter object lifetimes. It
3129 # is most likely better to make your server return a
3130 # meaningful Last-Modified header however. In ESI environments
3131 # where page fragments often have short lifetimes, this will
3132 # often be best set to 0.
3133 #Default:
3134 # minimum_expiry_time 60 seconds
3136 # TAG: store_avg_object_size (kbytes)
3137 # Average object size, used to estimate number of objects your
3138 # cache can hold. The default is 13 KB.
3139 #Default:
3140 # store_avg_object_size 13 KB
3142 # TAG: store_objects_per_bucket
3143 # Target number of objects per bucket in the store hash table.
3144 # Lowering this value increases the total number of buckets and
3145 # also the storage maintenance rate. The default is 20.
3146 #Default:
3147 # store_objects_per_bucket 20
3149 # HTTP OPTIONS
3150 # -----------------------------------------------------------------------------
3152 # TAG: request_header_max_size (KB)
3153 # This specifies the maximum size for HTTP headers in a request.
3154 # Request headers are usually relatively small (about 512 bytes).
3155 # Placing a limit on the request header size will catch certain
3156 # bugs (for example with persistent connections) and possibly
3157 # buffer-overflow or denial-of-service attacks.
3158 #Default:
3159 # request_header_max_size 64 KB
3161 # TAG: reply_header_max_size (KB)
3162 # This specifies the maximum size for HTTP headers in a reply.
3163 # Reply headers are usually relatively small (about 512 bytes).
3164 # Placing a limit on the reply header size will catch certain
3165 # bugs (for example with persistent connections) and possibly
3166 # buffer-overflow or denial-of-service attacks.
3167 #Default:
3168 # reply_header_max_size 64 KB
3170 # TAG: request_body_max_size (bytes)
3171 # This specifies the maximum size for an HTTP request body.
3172 # In other words, the maximum size of a PUT/POST request.
3173 # A user who attempts to send a request with a body larger
3174 # than this limit receives an "Invalid Request" error message.
3175 # If you set this parameter to a zero (the default), there will
3176 # be no limit imposed.
3177 #Default:
3178 # request_body_max_size 0 KB
3180 # TAG: chunked_request_body_max_size (bytes)
3181 # A broken or confused HTTP/1.1 client may send a chunked HTTP
3182 # request to Squid. Squid does not have full support for that
3183 # feature yet. To cope with such requests, Squid buffers the
3184 # entire request and then dechunks request body to create a
3185 # plain HTTP/1.0 request with a known content length. The plain
3186 # request is then used by the rest of Squid code as usual.
3187 #
3188 # The option value specifies the maximum size of the buffer used
3189 # to hold the request before the conversion. If the chunked
3190 # request size exceeds the specified limit, the conversion
3191 # fails, and the client receives an "unsupported request" error,
3192 # as if dechunking was disabled.
3193 #
3194 # Dechunking is enabled by default. To disable conversion of
3195 # chunked requests, set the maximum to zero.
3196 #
3197 # Request dechunking feature and this option in particular are a
3198 # temporary hack. When chunking requests and responses are fully
3199 # supported, there will be no need to buffer a chunked request.
3200 #Default:
3201 # chunked_request_body_max_size 64 KB
3203 # TAG: broken_posts
3204 # A list of ACL elements which, if matched, causes Squid to send
3205 # an extra CRLF pair after the body of a PUT/POST request.
3206 #
3207 # Some HTTP servers has broken implementations of PUT/POST,
3208 # and rely on an extra CRLF pair sent by some WWW clients.
3209 #
3210 # Quote from RFC2616 section 4.1 on this matter:
3211 #
3212 # Note: certain buggy HTTP/1.0 client implementations generate an
3213 # extra CRLF's after a POST request. To restate what is explicitly
3214 # forbidden by the BNF, an HTTP/1.1 client must not preface or follow
3215 # a request with an extra CRLF.
3216 #
3217 # This clause only supports fast acl types.
3218 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
3219 #
3220 #Example:
3221 # acl buggy_server url_regex ^http://....
3222 # broken_posts allow buggy_server
3223 #Default:
3224 # none
3226 # TAG: icap_uses_indirect_client on|off
3227 # Controls whether the indirect client address
3228 # (see follow_x_forwarded_for) instead of the
3229 # direct client address is passed to an ICAP
3230 # server as "X-Client-IP".
3231 #Default:
3232 # icap_uses_indirect_client on
3234 # TAG: via on|off
3235 # If set (default), Squid will include a Via header in requests and
3236 # replies as required by RFC2616.
3237 #Default:
3238 # via on
3240 # TAG: ie_refresh on|off
3241 # Microsoft Internet Explorer up until version 5.5 Service
3242 # Pack 1 has an issue with transparent proxies, wherein it
3243 # is impossible to force a refresh. Turning this on provides
3244 # a partial fix to the problem, by causing all IMS-REFRESH
3245 # requests from older IE versions to check the origin server
3246 # for fresh content. This reduces hit ratio by some amount
3247 # (~10% in my experience), but allows users to actually get
3248 # fresh content when they want it. Note because Squid
3249 # cannot tell if the user is using 5.5 or 5.5SP1, the behavior
3250 # of 5.5 is unchanged from old versions of Squid (i.e. a
3251 # forced refresh is impossible). Newer versions of IE will,
3252 # hopefully, continue to have the new behavior and will be
3253 # handled based on that assumption. This option defaults to
3254 # the old Squid behavior, which is better for hit ratios but
3255 # worse for clients using IE, if they need to be able to
3256 # force fresh content.
3257 #Default:
3258 # ie_refresh off
3260 # TAG: vary_ignore_expire on|off
3261 # Many HTTP servers supporting Vary gives such objects
3262 # immediate expiry time with no cache-control header
3263 # when requested by a HTTP/1.0 client. This option
3264 # enables Squid to ignore such expiry times until
3265 # HTTP/1.1 is fully implemented.
3266 #
3267 # WARNING: If turned on this may eventually cause some
3268 # varying objects not intended for caching to get cached.
3269 #Default:
3270 # vary_ignore_expire off
3272 # TAG: request_entities
3273 # Squid defaults to deny GET and HEAD requests with request entities,
3274 # as the meaning of such requests are undefined in the HTTP standard
3275 # even if not explicitly forbidden.
3276 #
3277 # Set this directive to on if you have clients which insists
3278 # on sending request entities in GET or HEAD requests. But be warned
3279 # that there is server software (both proxies and web servers) which
3280 # can fail to properly process this kind of request which may make you
3281 # vulnerable to cache pollution attacks if enabled.
3282 #Default:
3283 # request_entities off
3285 # TAG: request_header_access
3286 # Usage: request_header_access header_name allow|deny [!]aclname ...
3287 #
3288 # WARNING: Doing this VIOLATES the HTTP standard. Enabling
3289 # this feature could make you liable for problems which it
3290 # causes.
3291 #
3292 # This option replaces the old 'anonymize_headers' and the
3293 # older 'http_anonymizer' option with something that is much
3294 # more configurable. This new method creates a list of ACLs
3295 # for each header, allowing you very fine-tuned header
3296 # mangling.
3297 #
3298 # This option only applies to request headers, i.e., from the
3299 # client to the server.
3300 #
3301 # You can only specify known headers for the header name.
3302 # Other headers are reclassified as 'Other'. You can also
3303 # refer to all the headers with 'All'.
3304 #
3305 # For example, to achieve the same behavior as the old
3306 # 'http_anonymizer standard' option, you should use:
3307 #
3308 # request_header_access From deny all
3309 # request_header_access Referer deny all
3310 # request_header_access Server deny all
3311 # request_header_access User-Agent deny all
3312 # request_header_access WWW-Authenticate deny all
3313 # request_header_access Link deny all
3314 #
3315 # Or, to reproduce the old 'http_anonymizer paranoid' feature
3316 # you should use:
3317 #
3318 # request_header_access Allow allow all
3319 # request_header_access Authorization allow all
3320 # request_header_access WWW-Authenticate allow all
3321 # request_header_access Proxy-Authorization allow all
3322 # request_header_access Proxy-Authenticate allow all
3323 # request_header_access Cache-Control allow all
3324 # request_header_access Content-Encoding allow all
3325 # request_header_access Content-Length allow all
3326 # request_header_access Content-Type allow all
3327 # request_header_access Date allow all
3328 # request_header_access Expires allow all
3329 # request_header_access Host allow all
3330 # request_header_access If-Modified-Since allow all
3331 # request_header_access Last-Modified allow all
3332 # request_header_access Location allow all
3333 # request_header_access Pragma allow all
3334 # request_header_access Accept allow all
3335 # request_header_access Accept-Charset allow all
3336 # request_header_access Accept-Encoding allow all
3337 # request_header_access Accept-Language allow all
3338 # request_header_access Content-Language allow all
3339 # request_header_access Mime-Version allow all
3340 # request_header_access Retry-After allow all
3341 # request_header_access Title allow all
3342 # request_header_access Connection allow all
3343 # request_header_access Proxy-Connection allow all
3344 # request_header_access All deny all
3345 #
3346 # although many of those are HTTP reply headers, and so should be
3347 # controlled with the reply_header_access directive.
3348 #
3349 # By default, all headers are allowed (no anonymizing is
3350 # performed).
3351 #Default:
3352 # none
3354 # TAG: reply_header_access
3355 # Usage: reply_header_access header_name allow|deny [!]aclname ...
3356 #
3357 # WARNING: Doing this VIOLATES the HTTP standard. Enabling
3358 # this feature could make you liable for problems which it
3359 # causes.
3360 #
3361 # This option only applies to reply headers, i.e., from the
3362 # server to the client.
3363 #
3364 # This is the same as request_header_access, but in the other
3365 # direction.
3366 #
3367 # This option replaces the old 'anonymize_headers' and the
3368 # older 'http_anonymizer' option with something that is much
3369 # more configurable. This new method creates a list of ACLs
3370 # for each header, allowing you very fine-tuned header
3371 # mangling.
3372 #
3373 # You can only specify known headers for the header name.
3374 # Other headers are reclassified as 'Other'. You can also
3375 # refer to all the headers with 'All'.
3376 #
3377 # For example, to achieve the same behavior as the old
3378 # 'http_anonymizer standard' option, you should use:
3379 #
3380 # reply_header_access From deny all
3381 # reply_header_access Referer deny all
3382 # reply_header_access Server deny all
3383 # reply_header_access User-Agent deny all
3384 # reply_header_access WWW-Authenticate deny all
3385 # reply_header_access Link deny all
3386 #
3387 # Or, to reproduce the old 'http_anonymizer paranoid' feature
3388 # you should use:
3389 #
3390 # reply_header_access Allow allow all
3391 # reply_header_access Authorization allow all
3392 # reply_header_access WWW-Authenticate allow all
3393 # reply_header_access Proxy-Authorization allow all
3394 # reply_header_access Proxy-Authenticate allow all
3395 # reply_header_access Cache-Control allow all
3396 # reply_header_access Content-Encoding allow all
3397 # reply_header_access Content-Length allow all
3398 # reply_header_access Content-Type allow all
3399 # reply_header_access Date allow all
3400 # reply_header_access Expires allow all
3401 # reply_header_access Host allow all
3402 # reply_header_access If-Modified-Since allow all
3403 # reply_header_access Last-Modified allow all
3404 # reply_header_access Location allow all
3405 # reply_header_access Pragma allow all
3406 # reply_header_access Accept allow all
3407 # reply_header_access Accept-Charset allow all
3408 # reply_header_access Accept-Encoding allow all
3409 # reply_header_access Accept-Language allow all
3410 # reply_header_access Content-Language allow all
3411 # reply_header_access Mime-Version allow all
3412 # reply_header_access Retry-After allow all
3413 # reply_header_access Title allow all
3414 # reply_header_access Connection allow all
3415 # reply_header_access Proxy-Connection allow all
3416 # reply_header_access All deny all
3417 #
3418 # although the HTTP request headers won't be usefully controlled
3419 # by this directive -- see request_header_access for details.
3420 #
3421 # By default, all headers are allowed (no anonymizing is
3422 # performed).
3423 #Default:
3424 # none
3426 # TAG: header_replace
3427 # Usage: header_replace header_name message
3428 # Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
3429 #
3430 # This option allows you to change the contents of headers
3431 # denied with header_access above, by replacing them with
3432 # some fixed string. This replaces the old fake_user_agent
3433 # option.
3434 #
3435 # This only applies to request headers, not reply headers.
3436 #
3437 # By default, headers are removed if denied.
3438 #Default:
3439 # none
3441 # TAG: relaxed_header_parser on|off|warn
3442 # In the default "on" setting Squid accepts certain forms
3443 # of non-compliant HTTP messages where it is unambiguous
3444 # what the sending application intended even if the message
3445 # is not correctly formatted. The messages is then normalized
3446 # to the correct form when forwarded by Squid.
3447 #
3448 # If set to "warn" then a warning will be emitted in cache.log
3449 # each time such HTTP error is encountered.
3450 #
3451 # If set to "off" then such HTTP errors will cause the request
3452 # or response to be rejected.
3453 #Default:
3454 # relaxed_header_parser on
3456 # TAG: ignore_expect_100 on|off
3457 # This option makes Squid ignore any Expect: 100-continue header present
3458 # in the request. RFC 2616 requires that Squid being unable to satisfy
3459 # the response expectation MUST return a 417 error.
3460 #
3461 # Note: Enabling this is a HTTP protocol violation, but some clients may
3462 # not handle it well..
3463 #Default:
3464 # ignore_expect_100 off
3466 # TIMEOUTS
3467 # -----------------------------------------------------------------------------
3469 # TAG: forward_timeout time-units
3470 # This parameter specifies how long Squid should at most attempt in
3471 # finding a forwarding path for the request before giving up.
3472 #Default:
3473 # forward_timeout 4 minutes
3475 # TAG: connect_timeout time-units
3476 # This parameter specifies how long to wait for the TCP connect to
3477 # the requested server or peer to complete before Squid should
3478 # attempt to find another path where to forward the request.
3479 #Default:
3480 # connect_timeout 1 minute
3482 # TAG: peer_connect_timeout time-units
3483 # This parameter specifies how long to wait for a pending TCP
3484 # connection to a peer cache. The default is 30 seconds. You
3485 # may also set different timeout values for individual neighbors
3486 # with the 'connect-timeout' option on a 'cache_peer' line.
3487 #Default:
3488 # peer_connect_timeout 30 seconds
3490 # TAG: read_timeout time-units
3491 # The read_timeout is applied on server-side connections. After
3492 # each successful read(), the timeout will be extended by this
3493 # amount. If no data is read again after this amount of time,
3494 # the request is aborted and logged with ERR_READ_TIMEOUT. The
3495 # default is 15 minutes.
3496 #Default:
3497 # read_timeout 15 minutes
3499 # TAG: request_timeout
3500 # How long to wait for an HTTP request after initial
3501 # connection establishment.
3502 #Default:
3503 # request_timeout 5 minutes
3505 # TAG: persistent_request_timeout
3506 # How long to wait for the next HTTP request on a persistent
3507 # connection after the previous request completes.
3508 #Default:
3509 # persistent_request_timeout 2 minutes
3511 # TAG: client_lifetime time-units
3512 # The maximum amount of time a client (browser) is allowed to
3513 # remain connected to the cache process. This protects the Cache
3514 # from having a lot of sockets (and hence file descriptors) tied up
3515 # in a CLOSE_WAIT state from remote clients that go away without
3516 # properly shutting down (either because of a network failure or
3517 # because of a poor client implementation). The default is one
3518 # day, 1440 minutes.
3519 #
3520 # NOTE: The default value is intended to be much larger than any
3521 # client would ever need to be connected to your cache. You
3522 # should probably change client_lifetime only as a last resort.
3523 # If you seem to have many client connections tying up
3524 # filedescriptors, we recommend first tuning the read_timeout,
3525 # request_timeout, persistent_request_timeout and quick_abort values.
3526 #Default:
3527 # client_lifetime 1 day
3529 # TAG: half_closed_clients
3530 # Some clients may shutdown the sending side of their TCP
3531 # connections, while leaving their receiving sides open. Sometimes,
3532 # Squid can not tell the difference between a half-closed and a
3533 # fully-closed TCP connection.
3534 #
3535 # By default, Squid will immediately close client connections when
3536 # read(2) returns "no more data to read."
3537 #
3538 # Change this option to 'on' and Squid will keep open connections
3539 # until a read(2) or write(2) on the socket returns an error.
3540 # This may show some benefits for reverse proxies. But if not
3541 # it is recommended to leave OFF.
3542 #Default:
3543 # half_closed_clients off
3545 # TAG: pconn_timeout
3546 # Timeout for idle persistent connections to servers and other
3547 # proxies.
3548 #Default:
3549 # pconn_timeout 1 minute
3551 # TAG: ident_timeout
3552 # Maximum time to wait for IDENT lookups to complete.
3553 #
3554 # If this is too high, and you enabled IDENT lookups from untrusted
3555 # users, you might be susceptible to denial-of-service by having
3556 # many ident requests going at once.
3557 #Default:
3558 # ident_timeout 10 seconds
3560 # TAG: shutdown_lifetime time-units
3561 # When SIGTERM or SIGHUP is received, the cache is put into
3562 # "shutdown pending" mode until all active sockets are closed.
3563 # This value is the lifetime to set for all open descriptors
3564 # during shutdown mode. Any active clients after this many
3565 # seconds will receive a 'timeout' message.
3566 #Default:
3567 # shutdown_lifetime 30 seconds
3569 # ADMINISTRATIVE PARAMETERS
3570 # -----------------------------------------------------------------------------
3572 # TAG: cache_mgr
3573 # Email-address of local cache manager who will receive
3574 # mail if the cache dies. The default is "webmaster."
3575 #Default:
3576 # cache_mgr webmaster
3578 # TAG: mail_from
3579 # From: email-address for mail sent when the cache dies.
3580 # The default is to use 'appname@unique_hostname'.
3581 # Default appname value is "squid", can be changed into
3582 # src/globals.h before building squid.
3583 #Default:
3584 # none
3586 # TAG: mail_program
3587 # Email program used to send mail if the cache dies.
3588 # The default is "mail". The specified program must comply
3589 # with the standard Unix mail syntax:
3590 # mail-program recipient < mailfile
3591 #
3592 # Optional command line options can be specified.
3593 #Default:
3594 # mail_program mail
3596 # TAG: cache_effective_user
3597 # If you start Squid as root, it will change its effective/real
3598 # UID/GID to the user specified below. The default is to change
3599 # to UID of proxy.
3600 # see also; cache_effective_group
3601 #Default:
3602 # cache_effective_user proxy
3604 # TAG: cache_effective_group
3605 # Squid sets the GID to the effective user's default group ID
3606 # (taken from the password file) and supplementary group list
3607 # from the groups membership.
3608 #
3609 # If you want Squid to run with a specific GID regardless of
3610 # the group memberships of the effective user then set this
3611 # to the group (or GID) you want Squid to run as. When set
3612 # all other group privileges of the effective user are ignored
3613 # and only this GID is effective. If Squid is not started as
3614 # root the user starting Squid MUST be member of the specified
3615 # group.
3616 #
3617 # This option is not recommended by the Squid Team.
3618 # Our preference is for administrators to configure a secure
3619 # user account for squid with UID/GID matching system policies.
3620 #Default:
3621 # none
3623 # TAG: httpd_suppress_version_string on|off
3624 # Suppress Squid version string info in HTTP headers and HTML error pages.
3625 #Default:
3626 # httpd_suppress_version_string off
3628 # TAG: visible_hostname
3629 # If you want to present a special hostname in error messages, etc,
3630 # define this. Otherwise, the return value of gethostname()
3631 # will be used. If you have multiple caches in a cluster and
3632 # get errors about IP-forwarding you must set them to have individual
3633 # names with this setting.
3634 #Default:
3635 # visible_hostname localhost
3637 # TAG: unique_hostname
3638 # If you want to have multiple machines with the same
3639 # 'visible_hostname' you must give each machine a different
3640 # 'unique_hostname' so forwarding loops can be detected.
3641 #Default:
3642 # none
3644 # TAG: hostname_aliases
3645 # A list of other DNS names your cache has.
3646 #Default:
3647 # none
3649 # TAG: umask
3650 # Minimum umask which should be enforced while the proxy
3651 # is running, in addition to the umask set at startup.
3652 #
3653 # For a traditional octal representation of umasks, start
3654 # your value with 0.
3655 #Default:
3656 # umask 027
3658 # OPTIONS FOR THE CACHE REGISTRATION SERVICE
3659 # -----------------------------------------------------------------------------
3660 #
3661 # This section contains parameters for the (optional) cache
3662 # announcement service. This service is provided to help
3663 # cache administrators locate one another in order to join or
3664 # create cache hierarchies.
3665 #
3666 # An 'announcement' message is sent (via UDP) to the registration
3667 # service by Squid. By default, the announcement message is NOT
3668 # SENT unless you enable it with 'announce_period' below.
3669 #
3670 # The announcement message includes your hostname, plus the
3671 # following information from this configuration file:
3672 #
3673 # http_port
3674 # icp_port
3675 # cache_mgr
3676 #
3677 # All current information is processed regularly and made
3678 # available on the Web at http://www.ircache.net/Cache/Tracker/.
3680 # TAG: announce_period
3681 # This is how frequently to send cache announcements. The
3682 # default is `0' which disables sending the announcement
3683 # messages.
3684 #
3685 # To enable announcing your cache, just set an announce period.
3686 #
3687 # Example:
3688 # announce_period 1 day
3689 #Default:
3690 # announce_period 0
3692 # TAG: announce_host
3693 # TAG: announce_file
3694 # TAG: announce_port
3695 # announce_host and announce_port set the hostname and port
3696 # number where the registration message will be sent.
3697 #
3698 # Hostname will default to 'tracker.ircache.net' and port will
3699 # default default to 3131. If the 'filename' argument is given,
3700 # the contents of that file will be included in the announce
3701 # message.
3702 #Default:
3703 # announce_host tracker.ircache.net
3704 # announce_port 3131
3706 # HTTPD-ACCELERATOR OPTIONS
3707 # -----------------------------------------------------------------------------
3709 # TAG: httpd_accel_surrogate_id
3710 # Surrogates (http://www.esi.org/architecture_spec_1.0.html)
3711 # need an identification token to allow control targeting. Because
3712 # a farm of surrogates may all perform the same tasks, they may share
3713 # an identification token.
3714 #Default:
3715 # httpd_accel_surrogate_id unset-id
3717 # TAG: http_accel_surrogate_remote on|off
3718 # Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
3719 # Set this to on to have squid behave as a remote surrogate.
3720 #Default:
3721 # http_accel_surrogate_remote off
3723 # TAG: esi_parser libxml2|expat|custom
3724 # ESI markup is not strictly XML compatible. The custom ESI parser
3725 # will give higher performance, but cannot handle non ASCII character
3726 # encodings.
3727 #Default:
3728 # esi_parser custom
3730 # DELAY POOL PARAMETERS
3731 # -----------------------------------------------------------------------------
3733 # TAG: delay_pools
3734 # This represents the number of delay pools to be used. For example,
3735 # if you have one class 2 delay pool and one class 3 delays pool, you
3736 # have a total of 2 delay pools.
3737 #Default:
3738 # delay_pools 0
3740 # TAG: delay_class
3741 # This defines the class of each delay pool. There must be exactly one
3742 # delay_class line for each delay pool. For example, to define two
3743 # delay pools, one of class 2 and one of class 3, the settings above
3744 # and here would be:
3745 #
3746 # Example:
3747 # delay_pools 4 # 4 delay pools
3748 # delay_class 1 2 # pool 1 is a class 2 pool
3749 # delay_class 2 3 # pool 2 is a class 3 pool
3750 # delay_class 3 4 # pool 3 is a class 4 pool
3751 # delay_class 4 5 # pool 4 is a class 5 pool
3752 #
3753 # The delay pool classes are:
3754 #
3755 # class 1 Everything is limited by a single aggregate
3756 # bucket.
3757 #
3758 # class 2 Everything is limited by a single aggregate
3759 # bucket as well as an "individual" bucket chosen
3760 # from bits 25 through 32 of the IPv4 address.
3761 #
3762 # class 3 Everything is limited by a single aggregate
3763 # bucket as well as a "network" bucket chosen
3764 # from bits 17 through 24 of the IP address and a
3765 # "individual" bucket chosen from bits 17 through
3766 # 32 of the IPv4 address.
3767 #
3768 # class 4 Everything in a class 3 delay pool, with an
3769 # additional limit on a per user basis. This
3770 # only takes effect if the username is established
3771 # in advance - by forcing authentication in your
3772 # http_access rules.
3773 #
3774 # class 5 Requests are grouped according their tag (see
3775 # external_acl's tag= reply).
3776 #
3777 # NOTE: If an IP address is a.b.c.d
3778 # -> bits 25 through 32 are "d"
3779 # -> bits 17 through 24 are "c"
3780 # -> bits 17 through 32 are "c * 256 + d"
3781 #
3782 # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
3783 # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
3784 #Default:
3785 # none
3787 # TAG: delay_access
3788 # This is used to determine which delay pool a request falls into.
3789 #
3790 # delay_access is sorted per pool and the matching starts with pool 1,
3791 # then pool 2, ..., and finally pool N. The first delay pool where the
3792 # request is allowed is selected for the request. If it does not allow
3793 # the request to any pool then the request is not delayed (default).
3794 #
3795 # For example, if you want some_big_clients in delay
3796 # pool 1 and lotsa_little_clients in delay pool 2:
3797 #
3798 #Example:
3799 # delay_access 1 allow some_big_clients
3800 # delay_access 1 deny all
3801 # delay_access 2 allow lotsa_little_clients
3802 # delay_access 2 deny all
3803 # delay_access 3 allow authenticated_clients
3804 #Default:
3805 # none
3807 # TAG: delay_parameters
3808 # This defines the parameters for a delay pool. Each delay pool has
3809 # a number of "buckets" associated with it, as explained in the
3810 # description of delay_class. For a class 1 delay pool, the syntax is:
3811 #
3812 #delay_parameters pool aggregate
3813 #
3814 # For a class 2 delay pool:
3815 #
3816 #delay_parameters pool aggregate individual
3817 #
3818 # For a class 3 delay pool:
3819 #
3820 #delay_parameters pool aggregate network individual
3821 #
3822 # For a class 4 delay pool:
3823 #
3824 #delay_parameters pool aggregate network individual user
3825 #
3826 # For a class 5 delay pool:
3827 #
3828 #delay_parameters pool tag
3829 #
3830 # The variables here are:
3831 #
3832 # pool a pool number - ie, a number between 1 and the
3833 # number specified in delay_pools as used in
3834 # delay_class lines.
3835 #
3836 # aggregate the "delay parameters" for the aggregate bucket
3837 # (class 1, 2, 3).
3838 #
3839 # individual the "delay parameters" for the individual
3840 # buckets (class 2, 3).
3841 #
3842 # network the "delay parameters" for the network buckets
3843 # (class 3).
3844 #
3845 # user the delay parameters for the user buckets
3846 # (class 4).
3847 #
3848 # tag the delay parameters for the tag buckets
3849 # (class 5).
3850 #
3851 # A pair of delay parameters is written restore/maximum, where restore is
3852 # the number of bytes (not bits - modem and network speeds are usually
3853 # quoted in bits) per second placed into the bucket, and maximum is the
3854 # maximum number of bytes which can be in the bucket at any time.
3855 #
3856 # For example, if delay pool number 1 is a class 2 delay pool as in the
3857 # above example, and is being used to strictly limit each host to 64kbps
3858 # (plus overheads), with no overall limit, the line is:
3859 #
3860 #delay_parameters 1 -1/-1 8000/8000
3861 #
3862 # Note that the figure -1 is used to represent "unlimited".
3863 #
3864 # And, if delay pool number 2 is a class 3 delay pool as in the above
3865 # example, and you want to limit it to a total of 256kbps (strict limit)
3866 # with each 8-bit network permitted 64kbps (strict limit) and each
3867 # individual host permitted 4800bps with a bucket maximum size of 64kb
3868 # to permit a decent web page to be downloaded at a decent speed
3869 # (if the network is not being limited due to overuse) but slow down
3870 # large downloads more significantly:
3871 #
3872 #delay_parameters 2 32000/32000 8000/8000 600/8000
3873 #
3874 # There must be one delay_parameters line for each delay pool.
3875 #
3876 # Finally, for a class 4 delay pool as in the example - each user will
3877 # be limited to 128Kb no matter how many workstations they are logged into.:
3878 #
3879 #delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
3880 #Default:
3881 # none
3883 # TAG: delay_initial_bucket_level (percent, 0-100)
3884 # The initial bucket percentage is used to determine how much is put
3885 # in each bucket when squid starts, is reconfigured, or first notices
3886 # a host accessing it (in class 2 and class 3, individual hosts and
3887 # networks only have buckets associated with them once they have been
3888 # "seen" by squid).
3889 #Default:
3890 # delay_initial_bucket_level 50
3892 # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
3893 # -----------------------------------------------------------------------------
3895 # TAG: wccp_router
3896 # Use this option to define your WCCP ``home'' router for
3897 # Squid.
3898 #
3899 # wccp_router supports a single WCCP(v1) router
3900 #
3901 # wccp2_router supports multiple WCCPv2 routers
3902 #
3903 # only one of the two may be used at the same time and defines
3904 # which version of WCCP to use.
3905 #Default:
3906 # wccp_router any_addr
3908 # TAG: wccp2_router
3909 # Use this option to define your WCCP ``home'' router for
3910 # Squid.
3911 #
3912 # wccp_router supports a single WCCP(v1) router
3913 #
3914 # wccp2_router supports multiple WCCPv2 routers
3915 #
3916 # only one of the two may be used at the same time and defines
3917 # which version of WCCP to use.
3918 #Default:
3919 # none
3921 # TAG: wccp_version
3922 # This directive is only relevant if you need to set up WCCP(v1)
3923 # to some very old and end-of-life Cisco routers. In all other
3924 # setups it must be left unset or at the default setting.
3925 # It defines an internal version in the WCCP(v1) protocol,
3926 # with version 4 being the officially documented protocol.
3927 #
3928 # According to some users, Cisco IOS 11.2 and earlier only
3929 # support WCCP version 3. If you're using that or an earlier
3930 # version of IOS, you may need to change this value to 3, otherwise
3931 # do not specify this parameter.
3932 #Default:
3933 # wccp_version 4
3935 # TAG: wccp2_rebuild_wait
3936 # If this is enabled Squid will wait for the cache dir rebuild to finish
3937 # before sending the first wccp2 HereIAm packet
3938 #Default:
3939 # wccp2_rebuild_wait on
3941 # TAG: wccp2_forwarding_method
3942 # WCCP2 allows the setting of forwarding methods between the
3943 # router/switch and the cache. Valid values are as follows:
3944 #
3945 # gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
3946 # l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
3947 #
3948 # Currently (as of IOS 12.4) cisco routers only support GRE.
3949 # Cisco switches only support the L2 redirect assignment method.
3950 #Default:
3951 # wccp2_forwarding_method gre
3953 # TAG: wccp2_return_method
3954 # WCCP2 allows the setting of return methods between the
3955 # router/switch and the cache for packets that the cache
3956 # decides not to handle. Valid values are as follows:
3957 #
3958 # gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
3959 # l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
3960 #
3961 # Currently (as of IOS 12.4) cisco routers only support GRE.
3962 # Cisco switches only support the L2 redirect assignment.
3963 #
3964 # If the "ip wccp redirect exclude in" command has been
3965 # enabled on the cache interface, then it is still safe for
3966 # the proxy server to use a l2 redirect method even if this
3967 # option is set to GRE.
3968 #Default:
3969 # wccp2_return_method gre
3971 # TAG: wccp2_assignment_method
3972 # WCCP2 allows the setting of methods to assign the WCCP hash
3973 # Valid values are as follows:
3974 #
3975 # hash - Hash assignment
3976 # mask - Mask assignment
3977 #
3978 # As a general rule, cisco routers support the hash assignment method
3979 # and cisco switches support the mask assignment method.
3980 #Default:
3981 # wccp2_assignment_method hash
3983 # TAG: wccp2_service
3984 # WCCP2 allows for multiple traffic services. There are two
3985 # types: "standard" and "dynamic". The standard type defines
3986 # one service id - http (id 0). The dynamic service ids can be from
3987 # 51 to 255 inclusive. In order to use a dynamic service id
3988 # one must define the type of traffic to be redirected; this is done
3989 # using the wccp2_service_info option.
3990 #
3991 # The "standard" type does not require a wccp2_service_info option,
3992 # just specifying the service id will suffice.
3993 #
3994 # MD5 service authentication can be enabled by adding
3995 # "password=<password>" to the end of this service declaration.
3996 #
3997 # Examples:
3998 #
3999 # wccp2_service standard 0 # for the 'web-cache' standard service
4000 # wccp2_service dynamic 80 # a dynamic service type which will be
4001 # # fleshed out with subsequent options.
4002 # wccp2_service standard 0 password=foo
4003 #Default:
4004 # wccp2_service standard 0
4006 # TAG: wccp2_service_info
4007 # Dynamic WCCPv2 services require further information to define the
4008 # traffic you wish to have diverted.
4009 #
4010 # The format is:
4011 #
4012 # wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
4013 # priority=<priority> ports=<port>,<port>..
4014 #
4015 # The relevant WCCPv2 flags:
4016 # + src_ip_hash, dst_ip_hash
4017 # + source_port_hash, dst_port_hash
4018 # + src_ip_alt_hash, dst_ip_alt_hash
4019 # + src_port_alt_hash, dst_port_alt_hash
4020 # + ports_source
4021 #
4022 # The port list can be one to eight entries.
4023 #
4024 # Example:
4025 #
4026 # wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
4027 # priority=240 ports=80
4028 #
4029 # Note: the service id must have been defined by a previous
4030 # 'wccp2_service dynamic <id>' entry.
4031 #Default:
4032 # none
4034 # TAG: wccp2_weight
4035 # Each cache server gets assigned a set of the destination
4036 # hash proportional to their weight.
4037 #Default:
4038 # wccp2_weight 10000
4040 # TAG: wccp_address
4041 # TAG: wccp2_address
4042 # Use this option if you require WCCP to use a specific
4043 # interface address.
4044 #
4045 # The default behavior is to not bind to any specific address.
4046 #Default:
4047 # wccp_address 0.0.0.0
4048 # wccp2_address 0.0.0.0
4050 # PERSISTENT CONNECTION HANDLING
4051 # -----------------------------------------------------------------------------
4052 #
4053 # Also see "pconn_timeout" in the TIMEOUTS section
4055 # TAG: client_persistent_connections
4056 # TAG: server_persistent_connections
4057 # Persistent connection support for clients and servers. By
4058 # default, Squid uses persistent connections (when allowed)
4059 # with its clients and servers. You can use these options to
4060 # disable persistent connections with clients and/or servers.
4061 #Default:
4062 # client_persistent_connections on
4063 # server_persistent_connections on
4065 # TAG: persistent_connection_after_error
4066 # With this directive the use of persistent connections after
4067 # HTTP errors can be disabled. Useful if you have clients
4068 # who fail to handle errors on persistent connections proper.
4069 #Default:
4070 # persistent_connection_after_error on
4072 # TAG: detect_broken_pconn
4073 # Some servers have been found to incorrectly signal the use
4074 # of HTTP/1.0 persistent connections even on replies not
4075 # compatible, causing significant delays. This server problem
4076 # has mostly been seen on redirects.
4077 #
4078 # By enabling this directive Squid attempts to detect such
4079 # broken replies and automatically assume the reply is finished
4080 # after 10 seconds timeout.
4081 #Default:
4082 # detect_broken_pconn off
4084 # CACHE DIGEST OPTIONS
4085 # -----------------------------------------------------------------------------
4087 # TAG: digest_generation
4088 # This controls whether the server will generate a Cache Digest
4089 # of its contents. By default, Cache Digest generation is
4090 # enabled if Squid is compiled with --enable-cache-digests defined.
4091 #Default:
4092 # digest_generation on
4094 # TAG: digest_bits_per_entry
4095 # This is the number of bits of the server's Cache Digest which
4096 # will be associated with the Digest entry for a given HTTP
4097 # Method and URL (public key) combination. The default is 5.
4098 #Default:
4099 # digest_bits_per_entry 5
4101 # TAG: digest_rebuild_period (seconds)
4102 # This is the wait time between Cache Digest rebuilds.
4103 #Default:
4104 # digest_rebuild_period 1 hour
4106 # TAG: digest_rewrite_period (seconds)
4107 # This is the wait time between Cache Digest writes to
4108 # disk.
4109 #Default:
4110 # digest_rewrite_period 1 hour
4112 # TAG: digest_swapout_chunk_size (bytes)
4113 # This is the number of bytes of the Cache Digest to write to
4114 # disk at a time. It defaults to 4096 bytes (4KB), the Squid
4115 # default swap page.
4116 #Default:
4117 # digest_swapout_chunk_size 4096 bytes
4119 # TAG: digest_rebuild_chunk_percentage (percent, 0-100)
4120 # This is the percentage of the Cache Digest to be scanned at a
4121 # time. By default it is set to 10% of the Cache Digest.
4122 #Default:
4123 # digest_rebuild_chunk_percentage 10
4125 # SNMP OPTIONS
4126 # -----------------------------------------------------------------------------
4128 # TAG: snmp_port
4129 # The port number where Squid listens for SNMP requests. To enable
4130 # SNMP support set this to a suitable port number. Port number
4131 # 3401 is often used for the Squid SNMP agent. By default it's
4132 # set to "0" (disabled)
4133 #
4134 # Example:
4135 # snmp_port 3401
4136 #Default:
4137 # snmp_port 0
4139 # TAG: snmp_access
4140 # Allowing or denying access to the SNMP port.
4141 #
4142 # All access to the agent is denied by default.
4143 # usage:
4144 #
4145 # snmp_access allow|deny [!]aclname ...
4146 #
4147 # This clause only supports fast acl types.
4148 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
4149 #Example:
4150 # snmp_access allow snmppublic localhost
4151 # snmp_access deny all
4152 #Default:
4153 # snmp_access deny all
4155 # TAG: snmp_incoming_address
4156 # TAG: snmp_outgoing_address
4157 # Just like 'udp_incoming_address', but for the SNMP port.
4158 #
4159 # snmp_incoming_address is used for the SNMP socket receiving
4160 # messages from SNMP agents.
4161 # snmp_outgoing_address is used for SNMP packets returned to SNMP
4162 # agents.
4163 #
4164 # The default snmp_incoming_address is to listen on all
4165 # available network interfaces.
4166 #
4167 # If snmp_outgoing_address is not set it will use the same socket
4168 # as snmp_incoming_address. Only change this if you want to have
4169 # SNMP replies sent using another address than where this Squid
4170 # listens for SNMP queries.
4171 #
4172 # NOTE, snmp_incoming_address and snmp_outgoing_address can not have
4173 # the same value since they both use port 3401.
4174 #Default:
4175 # snmp_incoming_address any_addr
4176 # snmp_outgoing_address no_addr
4178 # ICP OPTIONS
4179 # -----------------------------------------------------------------------------
4181 # TAG: icp_port
4182 # The port number where Squid sends and receives ICP queries to
4183 # and from neighbor caches. The standard UDP port for ICP is 3130.
4184 # Default is disabled (0).
4185 #
4186 # Example:
4187 # icp_port 3130
4188 #Default:
4189 # icp_port 0
4191 # TAG: htcp_port
4192 # The port number where Squid sends and receives HTCP queries to
4193 # and from neighbor caches. To turn it on you want to set it to
4194 # 4827. By default it is set to "0" (disabled).
4195 #
4196 # Example:
4197 # htcp_port 4827
4198 #Default:
4199 # htcp_port 0
4201 # TAG: log_icp_queries on|off
4202 # If set, ICP queries are logged to access.log. You may wish
4203 # do disable this if your ICP load is VERY high to speed things
4204 # up or to simplify log analysis.
4205 #Default:
4206 # log_icp_queries on
4208 # TAG: udp_incoming_address
4209 # udp_incoming_address is used for UDP packets received from other
4210 # caches.
4211 #
4212 # The default behavior is to not bind to any specific address.
4213 #
4214 # Only change this if you want to have all UDP queries received on
4215 # a specific interface/address.
4216 #
4217 # NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
4218 # modules. Altering it will affect all of them in the same manner.
4219 #
4220 # see also; udp_outgoing_address
4221 #
4222 # NOTE, udp_incoming_address and udp_outgoing_address can not
4223 # have the same value since they both use the same port.
4224 #Default:
4225 # udp_incoming_address any_addr
4227 # TAG: udp_outgoing_address
4228 # udp_outgoing_address is used for UDP packets sent out to other
4229 # caches.
4230 #
4231 # The default behavior is to not bind to any specific address.
4232 #
4233 # Instead it will use the same socket as udp_incoming_address.
4234 # Only change this if you want to have UDP queries sent using another
4235 # address than where this Squid listens for UDP queries from other
4236 # caches.
4237 #
4238 # NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
4239 # modules. Altering it will affect all of them in the same manner.
4240 #
4241 # see also; udp_incoming_address
4242 #
4243 # NOTE, udp_incoming_address and udp_outgoing_address can not
4244 # have the same value since they both use the same port.
4245 #Default:
4246 # udp_outgoing_address no_addr
4248 # TAG: icp_hit_stale on|off
4249 # If you want to return ICP_HIT for stale cache objects, set this
4250 # option to 'on'. If you have sibling relationships with caches
4251 # in other administrative domains, this should be 'off'. If you only
4252 # have sibling relationships with caches under your control,
4253 # it is probably okay to set this to 'on'.
4254 # If set to 'on', your siblings should use the option "allow-miss"
4255 # on their cache_peer lines for connecting to you.
4256 #Default:
4257 # icp_hit_stale off
4259 # TAG: minimum_direct_hops
4260 # If using the ICMP pinging stuff, do direct fetches for sites
4261 # which are no more than this many hops away.
4262 #Default:
4263 # minimum_direct_hops 4
4265 # TAG: minimum_direct_rtt
4266 # If using the ICMP pinging stuff, do direct fetches for sites
4267 # which are no more than this many rtt milliseconds away.
4268 #Default:
4269 # minimum_direct_rtt 400
4271 # TAG: netdb_low
4272 # TAG: netdb_high
4273 # The low and high water marks for the ICMP measurement
4274 # database. These are counts, not percents. The defaults are
4275 # 900 and 1000. When the high water mark is reached, database
4276 # entries will be deleted until the low mark is reached.
4277 #Default:
4278 # netdb_low 900
4279 # netdb_high 1000
4281 # TAG: netdb_ping_period
4282 # The minimum period for measuring a site. There will be at
4283 # least this much delay between successive pings to the same
4284 # network. The default is five minutes.
4285 #Default:
4286 # netdb_ping_period 5 minutes
4288 # TAG: query_icmp on|off
4289 # If you want to ask your peers to include ICMP data in their ICP
4290 # replies, enable this option.
4291 #
4292 # If your peer has configured Squid (during compilation) with
4293 # '--enable-icmp' that peer will send ICMP pings to origin server
4294 # sites of the URLs it receives. If you enable this option the
4295 # ICP replies from that peer will include the ICMP data (if available).
4296 # Then, when choosing a parent cache, Squid will choose the parent with
4297 # the minimal RTT to the origin server. When this happens, the
4298 # hierarchy field of the access.log will be
4299 # "CLOSEST_PARENT_MISS". This option is off by default.
4300 #Default:
4301 # query_icmp off
4303 # TAG: test_reachability on|off
4304 # When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
4305 # instead of ICP_MISS if the target host is NOT in the ICMP
4306 # database, or has a zero RTT.
4307 #Default:
4308 # test_reachability off
4310 # TAG: icp_query_timeout (msec)
4311 # Normally Squid will automatically determine an optimal ICP
4312 # query timeout value based on the round-trip-time of recent ICP
4313 # queries. If you want to override the value determined by
4314 # Squid, set this 'icp_query_timeout' to a non-zero value. This
4315 # value is specified in MILLISECONDS, so, to use a 2-second
4316 # timeout (the old default), you would write:
4317 #
4318 # icp_query_timeout 2000
4319 #Default:
4320 # icp_query_timeout 0
4322 # TAG: maximum_icp_query_timeout (msec)
4323 # Normally the ICP query timeout is determined dynamically. But
4324 # sometimes it can lead to very large values (say 5 seconds).
4325 # Use this option to put an upper limit on the dynamic timeout
4326 # value. Do NOT use this option to always use a fixed (instead
4327 # of a dynamic) timeout value. To set a fixed timeout see the
4328 # 'icp_query_timeout' directive.
4329 #Default:
4330 # maximum_icp_query_timeout 2000
4332 # TAG: minimum_icp_query_timeout (msec)
4333 # Normally the ICP query timeout is determined dynamically. But
4334 # sometimes it can lead to very small timeouts, even lower than
4335 # the normal latency variance on your link due to traffic.
4336 # Use this option to put an lower limit on the dynamic timeout
4337 # value. Do NOT use this option to always use a fixed (instead
4338 # of a dynamic) timeout value. To set a fixed timeout see the
4339 # 'icp_query_timeout' directive.
4340 #Default:
4341 # minimum_icp_query_timeout 5
4343 # TAG: background_ping_rate time-units
4344 # Controls how often the ICP pings are sent to siblings that
4345 # have background-ping set.
4346 #Default:
4347 # background_ping_rate 10 seconds
4349 # MULTICAST ICP OPTIONS
4350 # -----------------------------------------------------------------------------
4352 # TAG: mcast_groups
4353 # This tag specifies a list of multicast groups which your server
4354 # should join to receive multicasted ICP queries.
4355 #
4356 # NOTE! Be very careful what you put here! Be sure you
4357 # understand the difference between an ICP _query_ and an ICP
4358 # _reply_. This option is to be set only if you want to RECEIVE
4359 # multicast queries. Do NOT set this option to SEND multicast
4360 # ICP (use cache_peer for that). ICP replies are always sent via
4361 # unicast, so this option does not affect whether or not you will
4362 # receive replies from multicast group members.
4363 #
4364 # You must be very careful to NOT use a multicast address which
4365 # is already in use by another group of caches.
4366 #
4367 # If you are unsure about multicast, please read the Multicast
4368 # chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
4369 #
4370 # Usage: mcast_groups 239.128.16.128 224.0.1.20
4371 #
4372 # By default, Squid doesn't listen on any multicast groups.
4373 #Default:
4374 # none
4376 # TAG: mcast_miss_addr
4377 # Note: This option is only available if Squid is rebuilt with the
4378 # -DMULTICAST_MISS_STREAM define
4379 #
4380 # If you enable this option, every "cache miss" URL will
4381 # be sent out on the specified multicast address.
4382 #
4383 # Do not enable this option unless you are are absolutely
4384 # certain you understand what you are doing.
4385 #Default:
4386 # mcast_miss_addr no_addr
4388 # TAG: mcast_miss_ttl
4389 # Note: This option is only available if Squid is rebuilt with the
4390 # -DMULTICAST_MISS_STREAM define
4391 #
4392 # This is the time-to-live value for packets multicasted
4393 # when multicasting off cache miss URLs is enabled. By
4394 # default this is set to 'site scope', i.e. 16.
4395 #Default:
4396 # mcast_miss_ttl 16
4398 # TAG: mcast_miss_port
4399 # Note: This option is only available if Squid is rebuilt with the
4400 # -DMULTICAST_MISS_STREAM define
4401 #
4402 # This is the port number to be used in conjunction with
4403 # 'mcast_miss_addr'.
4404 #Default:
4405 # mcast_miss_port 3135
4407 # TAG: mcast_miss_encode_key
4408 # Note: This option is only available if Squid is rebuilt with the
4409 # -DMULTICAST_MISS_STREAM define
4410 #
4411 # The URLs that are sent in the multicast miss stream are
4412 # encrypted. This is the encryption key.
4413 #Default:
4414 # mcast_miss_encode_key XXXXXXXXXXXXXXXX
4416 # TAG: mcast_icp_query_timeout (msec)
4417 # For multicast peers, Squid regularly sends out ICP "probes" to
4418 # count how many other peers are listening on the given multicast
4419 # address. This value specifies how long Squid should wait to
4420 # count all the replies. The default is 2000 msec, or 2
4421 # seconds.
4422 #Default:
4423 # mcast_icp_query_timeout 2000
4425 # INTERNAL ICON OPTIONS
4426 # -----------------------------------------------------------------------------
4428 # TAG: icon_directory
4429 # Where the icons are stored. These are normally kept in
4430 # /usr/share/squid3/icons
4431 #Default:
4432 # icon_directory /usr/share/squid3/icons
4434 # TAG: global_internal_static
4435 # This directive controls is Squid should intercept all requests for
4436 # /squid-internal-static/ no matter which host the URL is requesting
4437 # (default on setting), or if nothing special should be done for
4438 # such URLs (off setting). The purpose of this directive is to make
4439 # icons etc work better in complex cache hierarchies where it may
4440 # not always be possible for all corners in the cache mesh to reach
4441 # the server generating a directory listing.
4442 #Default:
4443 # global_internal_static on
4445 # TAG: short_icon_urls
4446 # If this is enabled Squid will use short URLs for icons.
4447 # If disabled it will revert to the old behavior of including
4448 # it's own name and port in the URL.
4449 #
4450 # If you run a complex cache hierarchy with a mix of Squid and
4451 # other proxies you may need to disable this directive.
4452 #Default:
4453 # short_icon_urls on
4455 # ERROR PAGE OPTIONS
4456 # -----------------------------------------------------------------------------
4458 # TAG: error_directory
4459 # If you wish to create your own versions of the default
4460 # error files to customize them to suit your company copy
4461 # the error/template files to another directory and point
4462 # this tag at them.
4463 #
4464 # WARNING: This option will disable multi-language support
4465 # on error pages if used.
4466 #
4467 # The squid developers are interested in making squid available in
4468 # a wide variety of languages. If you are making translations for a
4469 # language that Squid does not currently provide please consider
4470 # contributing your translation back to the project.
4471 # http://wiki.squid-cache.org/Translations
4472 #
4473 # The squid developers working on translations are happy to supply drop-in
4474 # translated error files in exchange for any new language contributions.
4475 #Default:
4476 # none
4478 # TAG: error_default_language
4479 # Set the default language which squid will send error pages in
4480 # if no existing translation matches the clients language
4481 # preferences.
4482 #
4483 # If unset (default) generic English will be used.
4484 #
4485 # The squid developers are interested in making squid available in
4486 # a wide variety of languages. If you are interested in making
4487 # translations for any language see the squid wiki for details.
4488 # http://wiki.squid-cache.org/Translations
4489 #Default:
4490 # none
4492 # TAG: error_log_languages
4493 # Log to cache.log what languages users are attempting to
4494 # auto-negotiate for translations.
4495 #
4496 # Successful negotiations are not logged. Only failures
4497 # have meaning to indicate that Squid may need an upgrade
4498 # of its error page translations.
4499 #Default:
4500 # error_log_languages on
4502 # TAG: err_page_stylesheet
4503 # CSS Stylesheet to pattern the display of Squid default error pages.
4504 #
4505 # For information on CSS see http://www.w3.org/Style/CSS/
4506 #Default:
4507 # err_page_stylesheet /etc/squid3/errorpage.css
4509 # TAG: err_html_text
4510 # HTML text to include in error messages. Make this a "mailto"
4511 # URL to your admin address, or maybe just a link to your
4512 # organizations Web page.
4513 #
4514 # To include this in your error messages, you must rewrite
4515 # the error template files (found in the "errors" directory).
4516 # Wherever you want the 'err_html_text' line to appear,
4517 # insert a %L tag in the error template file.
4518 #Default:
4519 # none
4521 # TAG: email_err_data on|off
4522 # If enabled, information about the occurred error will be
4523 # included in the mailto links of the ERR pages (if %W is set)
4524 # so that the email body contains the data.
4525 # Syntax is <A HREF="mailto:%w%W">%w</A>
4526 #Default:
4527 # email_err_data on
4529 # TAG: deny_info
4530 # Usage: deny_info err_page_name acl
4531 # or deny_info http://... acl
4532 # or deny_info TCP_RESET acl
4533 #
4534 # This can be used to return a ERR_ page for requests which
4535 # do not pass the 'http_access' rules. Squid remembers the last
4536 # acl it evaluated in http_access, and if a 'deny_info' line exists
4537 # for that ACL Squid returns a corresponding error page.
4538 #
4539 # The acl is typically the last acl on the http_access deny line which
4540 # denied access. The exceptions to this rule are:
4541 # - When Squid needs to request authentication credentials. It's then
4542 # the first authentication related acl encountered
4543 # - When none of the http_access lines matches. It's then the last
4544 # acl processed on the last http_access line.
4545 #
4546 # NP: If providing your own custom error pages with error_directory
4547 # you may also specify them by your custom file name:
4548 # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
4549 #
4550 # Alternatively you can specify an error URL. The browsers will
4551 # get redirected (302) to the specified URL. %s in the redirection
4552 # URL will be replaced by the requested URL.
4553 #
4554 # Alternatively you can tell Squid to reset the TCP connection
4555 # by specifying TCP_RESET.
4556 #Default:
4557 # none
4559 # OPTIONS INFLUENCING REQUEST FORWARDING
4560 # -----------------------------------------------------------------------------
4562 # TAG: nonhierarchical_direct
4563 # By default, Squid will send any non-hierarchical requests
4564 # (matching hierarchy_stoplist or not cacheable request type) direct
4565 # to origin servers.
4566 #
4567 # If you set this to off, Squid will prefer to send these
4568 # requests to parents.
4569 #
4570 # Note that in most configurations, by turning this off you will only
4571 # add latency to these request without any improvement in global hit
4572 # ratio.
4573 #
4574 # If you are inside an firewall see never_direct instead of
4575 # this directive.
4576 #Default:
4577 # nonhierarchical_direct on
4579 # TAG: prefer_direct
4580 # Normally Squid tries to use parents for most requests. If you for some
4581 # reason like it to first try going direct and only use a parent if
4582 # going direct fails set this to on.
4583 #
4584 # By combining nonhierarchical_direct off and prefer_direct on you
4585 # can set up Squid to use a parent as a backup path if going direct
4586 # fails.
4587 #
4588 # Note: If you want Squid to use parents for all requests see
4589 # the never_direct directive. prefer_direct only modifies how Squid
4590 # acts on cacheable requests.
4591 #Default:
4592 # prefer_direct off
4594 # TAG: always_direct
4595 # Usage: always_direct allow|deny [!]aclname ...
4596 #
4597 # Here you can use ACL elements to specify requests which should
4598 # ALWAYS be forwarded by Squid to the origin servers without using
4599 # any peers. For example, to always directly forward requests for
4600 # local servers ignoring any parents or siblings you may have use
4601 # something like:
4602 #
4603 # acl local-servers dstdomain my.domain.net
4604 # always_direct allow local-servers
4605 #
4606 # To always forward FTP requests directly, use
4607 #
4608 # acl FTP proto FTP
4609 # always_direct allow FTP
4610 #
4611 # NOTE: There is a similar, but opposite option named
4612 # 'never_direct'. You need to be aware that "always_direct deny
4613 # foo" is NOT the same thing as "never_direct allow foo". You
4614 # may need to use a deny rule to exclude a more-specific case of
4615 # some other rule. Example:
4616 #
4617 # acl local-external dstdomain external.foo.net
4618 # acl local-servers dstdomain .foo.net
4619 # always_direct deny local-external
4620 # always_direct allow local-servers
4621 #
4622 # NOTE: If your goal is to make the client forward the request
4623 # directly to the origin server bypassing Squid then this needs
4624 # to be done in the client configuration. Squid configuration
4625 # can only tell Squid how Squid should fetch the object.
4626 #
4627 # NOTE: This directive is not related to caching. The replies
4628 # is cached as usual even if you use always_direct. To not cache
4629 # the replies see the 'cache' directive.
4630 #
4631 # This clause supports both fast and slow acl types.
4632 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
4633 #Default:
4634 # none
4636 # TAG: never_direct
4637 # Usage: never_direct allow|deny [!]aclname ...
4638 #
4639 # never_direct is the opposite of always_direct. Please read
4640 # the description for always_direct if you have not already.
4641 #
4642 # With 'never_direct' you can use ACL elements to specify
4643 # requests which should NEVER be forwarded directly to origin
4644 # servers. For example, to force the use of a proxy for all
4645 # requests, except those in your local domain use something like:
4646 #
4647 # acl local-servers dstdomain .foo.net
4648 # never_direct deny local-servers
4649 # never_direct allow all
4650 #
4651 # or if Squid is inside a firewall and there are local intranet
4652 # servers inside the firewall use something like:
4653 #
4654 # acl local-intranet dstdomain .foo.net
4655 # acl local-external dstdomain external.foo.net
4656 # always_direct deny local-external
4657 # always_direct allow local-intranet
4658 # never_direct allow all
4659 #
4660 # This clause supports both fast and slow acl types.
4661 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
4662 #Default:
4663 # none
4665 # ADVANCED NETWORKING OPTIONS
4666 # -----------------------------------------------------------------------------
4668 # TAG: incoming_icp_average
4669 # TAG: incoming_http_average
4670 # TAG: incoming_dns_average
4671 # TAG: min_icp_poll_cnt
4672 # TAG: min_dns_poll_cnt
4673 # TAG: min_http_poll_cnt
4674 # Heavy voodoo here. I can't even believe you are reading this.
4675 # Are you crazy? Don't even think about adjusting these unless
4676 # you understand the algorithms in comm_select.c first!
4677 #Default:
4678 # incoming_icp_average 6
4679 # incoming_http_average 4
4680 # incoming_dns_average 4
4681 # min_icp_poll_cnt 8
4682 # min_dns_poll_cnt 8
4683 # min_http_poll_cnt 8
4685 # TAG: accept_filter
4686 # FreeBSD:
4687 #
4688 # The name of an accept(2) filter to install on Squid's
4689 # listen socket(s). This feature is perhaps specific to
4690 # FreeBSD and requires support in the kernel.
4691 #
4692 # The 'httpready' filter delays delivering new connections
4693 # to Squid until a full HTTP request has been received.
4694 # See the accf_http(9) man page for details.
4695 #
4696 # The 'dataready' filter delays delivering new connections
4697 # to Squid until there is some data to process.
4698 # See the accf_dataready(9) man page for details.
4699 #
4700 # Linux:
4701 #
4702 # The 'data' filter delays delivering of new connections
4703 # to Squid until there is some data to process by TCP_ACCEPT_DEFER.
4704 # You may optionally specify a number of seconds to wait by
4705 # 'data=N' where N is the number of seconds. Defaults to 30
4706 # if not specified. See the tcp(7) man page for details.
4707 #EXAMPLE:
4708 ## FreeBSD
4709 #accept_filter httpready
4710 ## Linux
4711 #accept_filter data
4712 #Default:
4713 # none
4715 # TAG: client_ip_max_connections
4716 # Set an absolute limit on the number of connections a single
4717 # client IP can use. Any more than this and Squid will begin to drop
4718 # new connections from the client until it closes some links.
4719 #
4720 # Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
4721 # connections from the client. For finer control use the ACL access controls.
4722 #
4723 # Requires client_db to be enabled (the default).
4724 #
4725 # WARNING: This may noticably slow down traffic received via external proxies
4726 # or NAT devices and cause them to rebound error messages back to their clients.
4727 #Default:
4728 # client_ip_max_connections -1
4730 # TAG: tcp_recv_bufsize (bytes)
4731 # Size of receive buffer to set for TCP sockets. Probably just
4732 # as easy to change your kernel's default. Set to zero to use
4733 # the default buffer size.
4734 #Default:
4735 # tcp_recv_bufsize 0 bytes
4737 # ICAP OPTIONS
4738 # -----------------------------------------------------------------------------
4740 # TAG: icap_enable on|off
4741 # If you want to enable the ICAP module support, set this to on.
4742 #Default:
4743 # icap_enable off
4745 # TAG: icap_connect_timeout
4746 # This parameter specifies how long to wait for the TCP connect to
4747 # the requested ICAP server to complete before giving up and either
4748 # terminating the HTTP transaction or bypassing the failure.
4749 #
4750 # The default for optional services is peer_connect_timeout.
4751 # The default for essential services is connect_timeout.
4752 # If this option is explicitly set, its value applies to all services.
4753 #Default:
4754 # none
4756 # TAG: icap_io_timeout time-units
4757 # This parameter specifies how long to wait for an I/O activity on
4758 # an established, active ICAP connection before giving up and
4759 # either terminating the HTTP transaction or bypassing the
4760 # failure.
4761 #
4762 # The default is read_timeout.
4763 #Default:
4764 # none
4766 # TAG: icap_service_failure_limit
4767 # The limit specifies the number of failures that Squid tolerates
4768 # when establishing a new TCP connection with an ICAP service. If
4769 # the number of failures exceeds the limit, the ICAP service is
4770 # not used for new ICAP requests until it is time to refresh its
4771 # OPTIONS. The per-service failure counter is reset to zero each
4772 # time Squid fetches new service OPTIONS.
4773 #
4774 # A negative value disables the limit. Without the limit, an ICAP
4775 # service will not be considered down due to connectivity failures
4776 # between ICAP OPTIONS requests.
4777 #Default:
4778 # icap_service_failure_limit 10
4780 # TAG: icap_service_revival_delay
4781 # The delay specifies the number of seconds to wait after an ICAP
4782 # OPTIONS request failure before requesting the options again. The
4783 # failed ICAP service is considered "down" until fresh OPTIONS are
4784 # fetched.
4785 #
4786 # The actual delay cannot be smaller than the hardcoded minimum
4787 # delay of 30 seconds.
4788 #Default:
4789 # icap_service_revival_delay 180
4791 # TAG: icap_preview_enable on|off
4792 # The ICAP Preview feature allows the ICAP server to handle the
4793 # HTTP message by looking only at the beginning of the message body
4794 # or even without receiving the body at all. In some environments,
4795 # previews greatly speedup ICAP processing.
4796 #
4797 # During an ICAP OPTIONS transaction, the server may tell Squid what
4798 # HTTP messages should be previewed and how big the preview should be.
4799 # Squid will not use Preview if the server did not request one.
4800 #
4801 # To disable ICAP Preview for all ICAP services, regardless of
4802 # individual ICAP server OPTIONS responses, set this option to "off".
4803 #Example:
4804 #icap_preview_enable off
4805 #Default:
4806 # icap_preview_enable on
4808 # TAG: icap_preview_size
4809 # The default size of preview data to be sent to the ICAP server.
4810 # -1 means no preview. This value might be overwritten on a per server
4811 # basis by OPTIONS requests.
4812 #Default:
4813 # icap_preview_size -1
4815 # TAG: icap_default_options_ttl
4816 # The default TTL value for ICAP OPTIONS responses that don't have
4817 # an Options-TTL header.
4818 #Default:
4819 # icap_default_options_ttl 60
4821 # TAG: icap_persistent_connections on|off
4822 # Whether or not Squid should use persistent connections to
4823 # an ICAP server.
4824 #Default:
4825 # icap_persistent_connections on
4827 # TAG: icap_send_client_ip on|off
4828 # This adds the header "X-Client-IP" to ICAP requests.
4829 #Default:
4830 # icap_send_client_ip off
4832 # TAG: icap_send_client_username on|off
4833 # This sends authenticated HTTP client username (if available) to
4834 # the ICAP service. The username value is encoded based on the
4835 # icap_client_username_encode option and is sent using the header
4836 # specified by the icap_client_username_header option.
4837 #Default:
4838 # icap_send_client_username off
4840 # TAG: icap_client_username_header
4841 # ICAP request header name to use for send_client_username.
4842 #Default:
4843 # icap_client_username_header X-Client-Username
4845 # TAG: icap_client_username_encode on|off
4846 # Whether to base64 encode the authenticated client username.
4847 #Default:
4848 # icap_client_username_encode off
4850 # TAG: icap_service
4851 # Defines a single ICAP service using the following format:
4852 #
4853 # icap_service service_name vectoring_point [options] service_url
4854 #
4855 # service_name: ID
4856 # an opaque identifier which must be unique in squid.conf
4857 #
4858 # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
4859 # This specifies at which point of transaction processing the
4860 # ICAP service should be activated. *_postcache vectoring points
4861 # are not yet supported.
4862 #
4863 # service_url: icap://servername:port/servicepath
4864 # ICAP server and service location.
4865 #
4866 # ICAP does not allow a single service to handle both REQMOD and RESPMOD
4867 # transactions. Squid does not enforce that requirement. You can specify
4868 # services with the same service_url and different vectoring_points. You
4869 # can even specify multiple identical services as long as their
4870 # service_names differ.
4871 #
4872 #
4873 # Service options are separated by white space. ICAP services support
4874 # the following name=value options:
4875 #
4876 # bypass=on|off|1|0
4877 # If set to 'on' or '1', the ICAP service is treated as
4878 # optional. If the service cannot be reached or malfunctions,
4879 # Squid will try to ignore any errors and process the message as
4880 # if the service was not enabled. No all ICAP errors can be
4881 # bypassed. If set to 0, the ICAP service is treated as
4882 # essential and all ICAP errors will result in an error page
4883 # returned to the HTTP client.
4884 #
4885 # Bypass is off by default: services are treated as essential.
4886 #
4887 # routing=on|off|1|0
4888 # If set to 'on' or '1', the ICAP service is allowed to
4889 # dynamically change the current message adaptation plan by
4890 # returning a chain of services to be used next. The services
4891 # are specified using the X-Next-Services ICAP response header
4892 # value, formatted as a comma-separated list of service names.
4893 # Each named service should be configured in squid.conf and
4894 # should have the same method and vectoring point as the current
4895 # ICAP transaction. Services violating these rules are ignored.
4896 # An empty X-Next-Services value results in an empty plan which
4897 # ends the current adaptation.
4898 #
4899 # Routing is not allowed by default: the ICAP X-Next-Services
4900 # response header is ignored.
4901 #
4902 # Older icap_service format without optional named parameters is
4903 # deprecated but supported for backward compatibility.
4904 #
4905 #Example:
4906 #icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod
4907 #icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod
4908 #Default:
4909 # none
4911 # TAG: icap_class
4912 # This deprecated option was documented to define an ICAP service
4913 # chain, even though it actually defined a set of similar, redundant
4914 # services, and the chains were not supported.
4915 #
4916 # To define a set of redundant services, please use the
4917 # adaptation_service_set directive. For service chains, use
4918 # adaptation_service_chain.
4919 #Default:
4920 # none
4922 # TAG: icap_access
4923 # This option is deprecated. Please use adaptation_access, which
4924 # has the same ICAP functionality, but comes with better
4925 # documentation, and eCAP support.
4926 #Default:
4927 # none
4929 # eCAP OPTIONS
4930 # -----------------------------------------------------------------------------
4932 # TAG: ecap_enable on|off
4933 # Note: This option is only available if Squid is rebuilt with the
4934 # --enable-ecap option
4935 #
4936 # Controls whether eCAP support is enabled.
4937 #Default:
4938 # ecap_enable off
4940 # TAG: ecap_service
4941 # Note: This option is only available if Squid is rebuilt with the
4942 # --enable-ecap option
4943 #
4944 # Defines a single eCAP service
4945 #
4946 # ecap_service servicename vectoring_point bypass service_url
4947 #
4948 # vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
4949 # This specifies at which point of transaction processing the
4950 # eCAP service should be activated. *_postcache vectoring points
4951 # are not yet supported.
4952 # bypass = 1|0
4953 # If set to 1, the eCAP service is treated as optional. If the
4954 # service cannot be reached or malfunctions, Squid will try to
4955 # ignore any errors and process the message as if the service
4956 # was not enabled. No all eCAP errors can be bypassed.
4957 # If set to 0, the eCAP service is treated as essential and all
4958 # eCAP errors will result in an error page returned to the
4959 # HTTP client.
4960 # service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional
4961 #
4962 #Example:
4963 #ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
4964 #ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
4965 #Default:
4966 # none
4968 # TAG: loadable_modules
4969 # Instructs Squid to load the specified dynamic module(s) or activate
4970 # preloaded module(s).
4971 #Example:
4972 #loadable_modules /usr/lib/MinimalAdapter.so
4973 #Default:
4974 # none
4976 # MESSAGE ADAPTATION OPTIONS
4977 # -----------------------------------------------------------------------------
4979 # TAG: adaptation_service_set
4980 #
4981 # Configures an ordered set of similar, redundant services. This is
4982 # useful when hot standby or backup adaptation servers are available.
4983 #
4984 # adaptation_service_set set_name service_name1 service_name2 ...
4985 #
4986 # The named services are used in the set declaration order. The first
4987 # applicable adaptation service from the set is used first. The next
4988 # applicable service is tried if and only if the transaction with the
4989 # previous service fails and the message waiting to be adapted is still
4990 # intact.
4991 #
4992 # When adaptation starts, broken services are ignored as if they were
4993 # not a part of the set. A broken service is a down optional service.
4994 #
4995 # The services in a set must be attached to the same vectoring point
4996 # (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
4997 #
4998 # If all services in a set are optional then adaptation failures are
4999 # bypassable. If all services in the set are essential, then a
5000 # transaction failure with one service may still be retried using
5001 # another service from the set, but when all services fail, the master
5002 # transaction fails as well.
5003 #
5004 # A set may contain a mix of optional and essential services, but that
5005 # is likely to lead to surprising results because broken services become
5006 # ignored (see above), making previously bypassable failures fatal.
5007 # Technically, it is the bypassability of the last failed service that
5008 # matters.
5009 #
5010 # See also: adaptation_access adaptation_service_chain
5011 #
5012 #Example:
5013 #adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
5014 #adaptation service_set svcLogger loggerLocal loggerRemote
5015 #Default:
5016 # none
5018 # TAG: adaptation_service_chain
5019 #
5020 # Configures a list of complementary services that will be applied
5021 # one-by-one, forming an adaptation chain or pipeline. This is useful
5022 # when Squid must perform different adaptations on the same message.
5023 #
5024 # adaptation_service_chain chain_name service_name1 svc_name2 ...
5025 #
5026 # The named services are used in the chain declaration order. The first
5027 # applicable adaptation service from the chain is used first. The next
5028 # applicable service is applied to the successful adaptation results of
5029 # the previous service in the chain.
5030 #
5031 # When adaptation starts, broken services are ignored as if they were
5032 # not a part of the chain. A broken service is a down optional service.
5033 #
5034 # Request satisfaction terminates the adaptation chain because Squid
5035 # does not currently allow declaration of RESPMOD services at the
5036 # "reqmod_precache" vectoring point (see icap_service or ecap_service).
5037 #
5038 # The services in a chain must be attached to the same vectoring point
5039 # (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
5040 #
5041 # A chain may contain a mix of optional and essential services. If an
5042 # essential adaptation fails (or the failure cannot be bypassed for
5043 # other reasons), the master transaction fails. Otherwise, the failure
5044 # is bypassed as if the failed adaptation service was not in the chain.
5045 #
5046 # See also: adaptation_access adaptation_service_set
5047 #
5048 #Example:
5049 #adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
5050 #Default:
5051 # none
5053 # TAG: adaptation_access
5054 # Sends an HTTP transaction to an ICAP or eCAP adaptation service.
5055 #
5056 # adaptation_access service_name allow|deny [!]aclname...
5057 # adaptation_access set_name allow|deny [!]aclname...
5058 #
5059 # At each supported vectoring point, the adaptation_access
5060 # statements are processed in the order they appear in this
5061 # configuration file. Statements pointing to the following services
5062 # are ignored (i.e., skipped without checking their ACL):
5063 #
5064 # - services serving different vectoring points
5065 # - "broken-but-bypassable" services
5066 # - "up" services configured to ignore such transactions
5067 # (e.g., based on the ICAP Transfer-Ignore header).
5068 #
5069 # When a set_name is used, all services in the set are checked
5070 # using the same rules, to find the first applicable one. See
5071 # adaptation_service_set for details.
5072 #
5073 # If an access list is checked and there is a match, the
5074 # processing stops: For an "allow" rule, the corresponding
5075 # adaptation service is used for the transaction. For a "deny"
5076 # rule, no adaptation service is activated.
5077 #
5078 # It is currently not possible to apply more than one adaptation
5079 # service at the same vectoring point to the same HTTP transaction.
5080 #
5081 # See also: icap_service and ecap_service
5082 #
5083 #Example:
5084 #adaptation_access service_1 allow all
5085 #Default:
5086 # none
5088 # TAG: adaptation_service_iteration_limit
5089 # Limits the number of iterations allowed when applying adaptation
5090 # services to a message. If your longest adaptation set or chain
5091 # may have more than 16 services, increase the limit beyond its
5092 # default value of 16. If detecting infinite iteration loops sooner
5093 # is critical, make the iteration limit match the actual number
5094 # of services in your longest adaptation set or chain.
5095 #
5096 # Infinite adaptation loops are most likely with routing services.
5097 #
5098 # See also: icap_service routing=1
5099 #Default:
5100 # adaptation_service_iteration_limit 16
5102 # TAG: adaptation_masterx_shared_names
5103 # For each master transaction (i.e., the HTTP request and response
5104 # sequence, including all related ICAP and eCAP exchanges), Squid
5105 # maintains a table of metadata. The table entries are (name, value)
5106 # pairs shared among eCAP and ICAP exchanges. The table is destroyed
5107 # with the master transaction.
5108 #
5109 # This option specifies the table entry names that Squid must accept
5110 # from and forward to the adaptation transactions.
5111 #
5112 # An ICAP REQMOD or RESPMOD transaction may set an entry in the
5113 # shared table by returning an ICAP header field with a name
5114 # specified in adaptation_masterx_shared_names. Squid will store
5115 # and forward that ICAP header field to subsequent ICAP
5116 # transactions within the same master transaction scope.
5117 #
5118 # Only one shared entry name is supported at this time.
5119 #
5120 #Example:
5121 ## share authentication information among ICAP services
5122 #adaptation_masterx_shared_names X-Subscriber-ID
5123 #Default:
5124 # none
5126 # TAG: icap_retry
5127 # This ACL determines which retriable ICAP transactions are
5128 # retried. Transactions that received a complete ICAP response
5129 # and did not have to consume or produce HTTP bodies to receive
5130 # that response are usually retriable.
5131 #
5132 # icap_retry allow|deny [!]aclname ...
5133 #
5134 # Squid automatically retries some ICAP I/O timeouts and errors
5135 # due to persistent connection race conditions.
5136 #
5137 # See also: icap_retry_limit
5138 #Default:
5139 # icap_retry deny all
5141 # TAG: icap_retry_limit
5142 # Limits the number of retries allowed. When set to zero (default),
5143 # no retries are allowed.
5144 #
5145 # Communication errors due to persistent connection race
5146 # conditions are unavoidable, automatically retried, and do not
5147 # count against this limit.
5148 #
5149 # See also: icap_retry
5150 #Default:
5151 # icap_retry_limit 0
5153 # DNS OPTIONS
5154 # -----------------------------------------------------------------------------
5156 # TAG: check_hostnames
5157 # For security and stability reasons Squid can check
5158 # hostnames for Internet standard RFC compliance. If you want
5159 # Squid to perform these checks turn this directive on.
5160 #Default:
5161 # check_hostnames off
5163 # TAG: allow_underscore
5164 # Underscore characters is not strictly allowed in Internet hostnames
5165 # but nevertheless used by many sites. Set this to off if you want
5166 # Squid to be strict about the standard.
5167 # This check is performed only when check_hostnames is set to on.
5168 #Default:
5169 # allow_underscore on
5171 # TAG: cache_dns_program
5172 # Note: This option is only available if Squid is rebuilt with the
5173 # --disable-internal-dns option
5174 #
5175 # Specify the location of the executable for dnslookup process.
5176 #Default:
5177 # cache_dns_program /usr/lib/squid3/dnsserver
5179 # TAG: dns_children
5180 # Note: This option is only available if Squid is rebuilt with the
5181 # --disable-internal-dns option
5182 #
5183 # The number of processes spawn to service DNS name lookups.
5184 # For heavily loaded caches on large servers, you should
5185 # probably increase this value to at least 10. The maximum
5186 # is 32. The default is 5.
5187 #
5188 # You must have at least one dnsserver process.
5189 #Default:
5190 # dns_children 5
5192 # TAG: dns_retransmit_interval
5193 # Initial retransmit interval for DNS queries. The interval is
5194 # doubled each time all configured DNS servers have been tried.
5195 #
5196 #Default:
5197 # dns_retransmit_interval 5 seconds
5199 # TAG: dns_timeout
5200 # DNS Query timeout. If no response is received to a DNS query
5201 # within this time all DNS servers for the queried domain
5202 # are assumed to be unavailable.
5203 #Default:
5204 # dns_timeout 2 minutes
5206 # TAG: dns_defnames on|off
5207 # Normally the RES_DEFNAMES resolver option is disabled
5208 # (see res_init(3)). This prevents caches in a hierarchy
5209 # from interpreting single-component hostnames locally. To allow
5210 # Squid to handle single-component names, enable this option.
5211 #Default:
5212 # dns_defnames off
5214 # TAG: dns_nameservers
5215 # Use this if you want to specify a list of DNS name servers
5216 # (IP addresses) to use instead of those given in your
5217 # /etc/resolv.conf file.
5218 # On Windows platforms, if no value is specified here or in
5219 # the /etc/resolv.conf file, the list of DNS name servers are
5220 # taken from the Windows registry, both static and dynamic DHCP
5221 # configurations are supported.
5222 #
5223 # Example: dns_nameservers 10.0.0.1 192.172.0.4
5224 #Default:
5225 # none
5227 # TAG: hosts_file
5228 # Location of the host-local IP name-address associations
5229 # database. Most Operating Systems have such a file on different
5230 # default locations:
5231 # - Un*X & Linux: /etc/hosts
5232 # - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
5233 # (%SystemRoot% value install default is c:\winnt)
5234 # - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
5235 # (%SystemRoot% value install default is c:\windows)
5236 # - Windows 9x/Me: %windir%\hosts
5237 # (%windir% value is usually c:\windows)
5238 # - Cygwin: /etc/hosts
5239 #
5240 # The file contains newline-separated definitions, in the
5241 # form ip_address_in_dotted_form name [name ...] names are
5242 # whitespace-separated. Lines beginning with an hash (#)
5243 # character are comments.
5244 #
5245 # The file is checked at startup and upon configuration.
5246 # If set to 'none', it won't be checked.
5247 # If append_domain is used, that domain will be added to
5248 # domain-local (i.e. not containing any dot character) host
5249 # definitions.
5250 #Default:
5251 # hosts_file /etc/hosts
5253 # TAG: append_domain
5254 # Appends local domain name to hostnames without any dots in
5255 # them. append_domain must begin with a period.
5256 #
5257 # Be warned there are now Internet names with no dots in
5258 # them using only top-domain names, so setting this may
5259 # cause some Internet sites to become unavailable.
5260 #
5261 #Example:
5262 # append_domain .yourdomain.com
5263 #Default:
5264 # none
5266 # TAG: ignore_unknown_nameservers
5267 # By default Squid checks that DNS responses are received
5268 # from the same IP addresses they are sent to. If they
5269 # don't match, Squid ignores the response and writes a warning
5270 # message to cache.log. You can allow responses from unknown
5271 # nameservers by setting this option to 'off'.
5272 #Default:
5273 # ignore_unknown_nameservers on
5275 # TAG: dns_v4_fallback
5276 # Standard practice with DNS is to lookup either A or AAAA records
5277 # and use the results if it succeeds. Only looking up the other if
5278 # the first attempt fails or otherwise produces no results.
5279 #
5280 # That policy however will cause squid to produce error pages for some
5281 # servers that advertise AAAA but are unreachable over IPv6.
5282 #
5283 # If this is ON squid will always lookup both AAAA and A, using both.
5284 # If this is OFF squid will lookup AAAA and only try A if none found.
5285 #
5286 # WARNING: There are some possibly unwanted side-effects with this on:
5287 # *) Doubles the load placed by squid on the DNS network.
5288 # *) May negatively impact connection delay times.
5289 #Default:
5290 # dns_v4_fallback on
5292 # TAG: ipcache_size (number of entries)
5293 # TAG: ipcache_low (percent)
5294 # TAG: ipcache_high (percent)
5295 # The size, low-, and high-water marks for the IP cache.
5296 #Default:
5297 # ipcache_size 1024
5298 # ipcache_low 90
5299 # ipcache_high 95
5301 # TAG: fqdncache_size (number of entries)
5302 # Maximum number of FQDN cache entries.
5303 #Default:
5304 # fqdncache_size 1024
5306 # MISCELLANEOUS
5307 # -----------------------------------------------------------------------------
5309 # TAG: memory_pools on|off
5310 # If set, Squid will keep pools of allocated (but unused) memory
5311 # available for future use. If memory is a premium on your
5312 # system and you believe your malloc library outperforms Squid
5313 # routines, disable this.
5314 #Default:
5315 # memory_pools on
5317 # TAG: memory_pools_limit (bytes)
5318 # Used only with memory_pools on:
5319 # memory_pools_limit 50 MB
5320 #
5321 # If set to a non-zero value, Squid will keep at most the specified
5322 # limit of allocated (but unused) memory in memory pools. All free()
5323 # requests that exceed this limit will be handled by your malloc
5324 # library. Squid does not pre-allocate any memory, just safe-keeps
5325 # objects that otherwise would be free()d. Thus, it is safe to set
5326 # memory_pools_limit to a reasonably high value even if your
5327 # configuration will use less memory.
5328 #
5329 # If set to none, Squid will keep all memory it can. That is, there
5330 # will be no limit on the total amount of memory used for safe-keeping.
5331 #
5332 # To disable memory allocation optimization, do not set
5333 # memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
5334 #
5335 # An overhead for maintaining memory pools is not taken into account
5336 # when the limit is checked. This overhead is close to four bytes per
5337 # object kept. However, pools may actually _save_ memory because of
5338 # reduced memory thrashing in your malloc library.
5339 #Default:
5340 # memory_pools_limit 5 MB
5342 # TAG: forwarded_for on|off|transparent|truncate|delete
5343 # If set to "on", Squid will append your client's IP address
5344 # in the HTTP requests it forwards. By default it looks like:
5345 #
5346 # X-Forwarded-For: 192.1.2.3
5347 #
5348 # If set to "off", it will appear as
5349 #
5350 # X-Forwarded-For: unknown
5351 #
5352 # If set to "transparent", Squid will not alter the
5353 # X-Forwarded-For header in any way.
5354 #
5355 # If set to "delete", Squid will delete the entire
5356 # X-Forwarded-For header.
5357 #
5358 # If set to "truncate", Squid will remove all existing
5359 # X-Forwarded-For entries, and place itself as the sole entry.
5360 #Default:
5361 # forwarded_for on
5363 # TAG: cachemgr_passwd
5364 # Specify passwords for cachemgr operations.
5365 #
5366 # Usage: cachemgr_passwd password action action ...
5367 #
5368 # Some valid actions are (see cache manager menu for a full list):
5369 # 5min
5370 # 60min
5371 # asndb
5372 # authenticator
5373 # cbdata
5374 # client_list
5375 # comm_incoming
5376 # config *
5377 # counters
5378 # delay
5379 # digest_stats
5380 # dns
5381 # events
5382 # filedescriptors
5383 # fqdncache
5384 # histograms
5385 # http_headers
5386 # info
5387 # io
5388 # ipcache
5389 # mem
5390 # menu
5391 # netdb
5392 # non_peers
5393 # objects
5394 # offline_toggle *
5395 # pconn
5396 # peer_select
5397 # reconfigure *
5398 # redirector
5399 # refresh
5400 # server_list
5401 # shutdown *
5402 # store_digest
5403 # storedir
5404 # utilization
5405 # via_headers
5406 # vm_objects
5407 #
5408 # * Indicates actions which will not be performed without a
5409 # valid password, others can be performed if not listed here.
5410 #
5411 # To disable an action, set the password to "disable".
5412 # To allow performing an action without a password, set the
5413 # password to "none".
5414 #
5415 # Use the keyword "all" to set the same password for all actions.
5416 #
5417 #Example:
5418 # cachemgr_passwd secret shutdown
5419 # cachemgr_passwd lesssssssecret info stats/objects
5420 # cachemgr_passwd disable all
5421 #Default:
5422 # none
5424 # TAG: client_db on|off
5425 # If you want to disable collecting per-client statistics,
5426 # turn off client_db here.
5427 #Default:
5428 # client_db on
5430 # TAG: refresh_all_ims on|off
5431 # When you enable this option, squid will always check
5432 # the origin server for an update when a client sends an
5433 # If-Modified-Since request. Many browsers use IMS
5434 # requests when the user requests a reload, and this
5435 # ensures those clients receive the latest version.
5436 #
5437 # By default (off), squid may return a Not Modified response
5438 # based on the age of the cached version.
5439 #Default:
5440 # refresh_all_ims off
5442 # TAG: reload_into_ims on|off
5443 # When you enable this option, client no-cache or ``reload''
5444 # requests will be changed to If-Modified-Since requests.
5445 # Doing this VIOLATES the HTTP standard. Enabling this
5446 # feature could make you liable for problems which it
5447 # causes.
5448 #
5449 # see also refresh_pattern for a more selective approach.
5450 #Default:
5451 # reload_into_ims off
5453 # TAG: maximum_single_addr_tries
5454 # This sets the maximum number of connection attempts for a
5455 # host that only has one address (for multiple-address hosts,
5456 # each address is tried once).
5457 #
5458 # The default value is one attempt, the (not recommended)
5459 # maximum is 255 tries. A warning message will be generated
5460 # if it is set to a value greater than ten.
5461 #
5462 # Note: This is in addition to the request re-forwarding which
5463 # takes place if Squid fails to get a satisfying response.
5464 #Default:
5465 # maximum_single_addr_tries 1
5467 # TAG: retry_on_error
5468 # If set to on Squid will automatically retry requests when
5469 # receiving an error response. This is mainly useful if you
5470 # are in a complex cache hierarchy to work around access
5471 # control errors.
5472 #Default:
5473 # retry_on_error off
5475 # TAG: as_whois_server
5476 # WHOIS server to query for AS numbers. NOTE: AS numbers are
5477 # queried only when Squid starts up, not for every request.
5478 #Default:
5479 # as_whois_server whois.ra.net
5480 # as_whois_server whois.ra.net
5482 # TAG: offline_mode
5483 # Enable this option and Squid will never try to validate cached
5484 # objects.
5485 #Default:
5486 # offline_mode off
5488 # TAG: uri_whitespace
5489 # What to do with requests that have whitespace characters in the
5490 # URI. Options:
5491 #
5492 # strip: The whitespace characters are stripped out of the URL.
5493 # This is the behavior recommended by RFC2396.
5494 # deny: The request is denied. The user receives an "Invalid
5495 # Request" message.
5496 # allow: The request is allowed and the URI is not changed. The
5497 # whitespace characters remain in the URI. Note the
5498 # whitespace is passed to redirector processes if they
5499 # are in use.
5500 # encode: The request is allowed and the whitespace characters are
5501 # encoded according to RFC1738. This could be considered
5502 # a violation of the HTTP/1.1
5503 # RFC because proxies are not allowed to rewrite URI's.
5504 # chop: The request is allowed and the URI is chopped at the
5505 # first whitespace. This might also be considered a
5506 # violation.
5507 #Default:
5508 # uri_whitespace strip
5510 # TAG: chroot
5511 # Specifies a directory where Squid should do a chroot() while
5512 # initializing. This also causes Squid to fully drop root
5513 # privileges after initializing. This means, for example, if you
5514 # use a HTTP port less than 1024 and try to reconfigure, you may
5515 # get an error saying that Squid can not open the port.
5516 #Default:
5517 # none
5519 # TAG: balance_on_multiple_ip
5520 # Modern IP resolvers in squid sort lookup results by preferred access.
5521 # By default squid will use these IP in order and only rotates to
5522 # the next listed when the most preffered fails.
5523 #
5524 # Some load balancing servers based on round robin DNS have been
5525 # found not to preserve user session state across requests
5526 # to different IP addresses.
5527 #
5528 # Enabling this directive Squid rotates IP's per request.
5529 #Default:
5530 # balance_on_multiple_ip off
5532 # TAG: pipeline_prefetch
5533 # To boost the performance of pipelined requests to closer
5534 # match that of a non-proxied environment Squid can try to fetch
5535 # up to two requests in parallel from a pipeline.
5536 #
5537 # Defaults to off for bandwidth management and access logging
5538 # reasons.
5539 #Default:
5540 # pipeline_prefetch off
5542 # TAG: high_response_time_warning (msec)
5543 # If the one-minute median response time exceeds this value,
5544 # Squid prints a WARNING with debug level 0 to get the
5545 # administrators attention. The value is in milliseconds.
5546 #Default:
5547 # high_response_time_warning 0
5549 # TAG: high_page_fault_warning
5550 # If the one-minute average page fault rate exceeds this
5551 # value, Squid prints a WARNING with debug level 0 to get
5552 # the administrators attention. The value is in page faults
5553 # per second.
5554 #Default:
5555 # high_page_fault_warning 0
5557 # TAG: high_memory_warning
5558 # If the memory usage (as determined by mallinfo) exceeds
5559 # this amount, Squid prints a WARNING with debug level 0 to get
5560 # the administrators attention.
5561 #Default:
5562 # high_memory_warning 0 KB
5564 # TAG: sleep_after_fork (microseconds)
5565 # When this is set to a non-zero value, the main Squid process
5566 # sleeps the specified number of microseconds after a fork()
5567 # system call. This sleep may help the situation where your
5568 # system reports fork() failures due to lack of (virtual)
5569 # memory. Note, however, if you have a lot of child
5570 # processes, these sleep delays will add up and your
5571 # Squid will not service requests for some amount of time
5572 # until all the child processes have been started.
5573 # On Windows value less then 1000 (1 milliseconds) are
5574 # rounded to 1000.
5575 #Default:
5576 # sleep_after_fork 0
5578 # TAG: windows_ipaddrchangemonitor on|off
5579 # On Windows Squid by default will monitor IP address changes and will
5580 # reconfigure itself after any detected event. This is very useful for
5581 # proxies connected to internet with dial-up interfaces.
5582 # In some cases (a Proxy server acting as VPN gateway is one) it could be
5583 # desiderable to disable this behaviour setting this to 'off'.
5584 # Note: after changing this, Squid service must be restarted.
5585 #Default:
5586 # windows_ipaddrchangemonitor on
5588 # TAG: max_filedescriptors
5589 # The maximum number of filedescriptors supported.
5590 #
5591 # The default "0" means Squid inherits the current ulimit setting.
5592 #
5593 # Note: Changing this requires a restart of Squid. Also
5594 # not all comm loops supports large values.
5595 #Default:
5596 # max_filedescriptors 0