]> git.ipfire.org Git - thirdparty/squid.git/blame - src/cf.data.pre
projects / thirdparty / squid.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
SourceFormat Enforcement
[thirdparty/squid.git] / src / cf.data.pre
CommitLineData
9cef6668 1#
6845f129 2# SQUID Web Proxy Cache http://www.squid-cache.org/
9cef6668 3# ----------------------------------------------------------
4#
2b6662ba 5# Squid is the result of efforts by numerous individuals from
6# the Internet community; see the CONTRIBUTORS file for full
7# details. Many organizations have provided support for Squid's
8# development; see the SPONSORS file for full details. Squid is
9# Copyrighted (C) 2000 by the Regents of the University of
10# California; see the COPYRIGHT file for full details. Squid
11# incorporates software developed and/or copyrighted by other
12# sources; see the CREDITS file for full details.
9cef6668 13#
14# This program is free software; you can redistribute it and/or modify
15# it under the terms of the GNU General Public License as published by
16# the Free Software Foundation; either version 2 of the License, or
17# (at your option) any later version.
96d88dcb 18#
9cef6668 19# This program is distributed in the hope that it will be useful,
20# but WITHOUT ANY WARRANTY; without even the implied warranty of
21# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22# GNU General Public License for more details.
96d88dcb 23#
9cef6668 24# You should have received a copy of the GNU General Public License
25# along with this program; if not, write to the Free Software
26# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
27#
28
0f74202c 29COMMENT_START
ad12fb4b 30 WELCOME TO @SQUID@
cccac0a2 31 ----------------------------
3a278cb8 32
cccac0a2 33 This is the default Squid configuration file. You may wish
34 to look at the Squid home page (http://www.squid-cache.org/)
35 for the FAQ and other documentation.
3a278cb8 36
cccac0a2 37 The default Squid config file shows what the defaults for
38 various options happen to be. If you don't need to change the
39 default, you shouldn't uncomment the line. Doing so may cause
40 run-time problems. In some cases "none" refers to no default
41 setting at all, while in other cases it refers to a valid
42 option - the comments for that keyword indicate if this is the
43 case.
debd9a31 44
cccac0a2 45COMMENT_END
3a278cb8 46
592a09dc 47COMMENT_START
48 Configuration options can be included using the "include" directive.
49 Include takes a list of files to include. Quoting and wildcards is
50 supported.
51
52 For example,
53
54 include /path/to/included/file/squid.acl.config
55
56 Includes can be nested up to a hard-coded depth of 16 levels.
57 This arbitrary restriction is to prevent recursive include references
58 from causing Squid entering an infinite loop whilst trying to load
59 configuration files.
d4a3e179
AR		 60
61
5735d30b
AR		 62 Conditional configuration
63
64 If-statements can be used to make configuration directives
65 depend on conditions:
66
67 if <CONDITION>
68 ... regular configuration directives ...
69 [else
70 ... regular configuration directives ...]
71 endif
72
73 The else part is optional. The keywords "if", "else", and "endif"
74 must be typed on their own lines, as if they were regular
75 configuration directives.
76
77 These individual conditions types are supported:
78
79 true
80 Always evaluates to true.
81 false
82 Always evaluates to false.
83 <integer> = <integer>
84 Equality comparison of two integer numbers.
85
86
d4a3e179
AR		 87 SMP-Related Macros
88
89 The following SMP-related preprocessor macros can be used.
90
91 ${process_name} expands to the current Squid process "name"
92 (e.g., squid1, squid2, or cache1).
93
94 ${process_number} expands to the current Squid process
95 identifier, which is an integer number (e.g., 1, 2, 3) unique
96 across all Squid processes.
592a09dc 97COMMENT_END
98
5473c134 99COMMENT_START
41bd17a4 100 OPTIONS FOR AUTHENTICATION
5473c134 101 -----------------------------------------------------------------------------
102COMMENT_END
103
41bd17a4 104NAME: auth_param
105TYPE: authparam
5817ee13 106LOC: Auth::TheConfig
cccac0a2 107DEFAULT: none
108DOC_START
41bd17a4 109 This is used to define parameters for the various authentication
110 schemes supported by Squid.
cccac0a2 111
41bd17a4 112 format: auth_param scheme parameter [setting]
cccac0a2 113
41bd17a4 114 The order in which authentication schemes are presented to the client is
115 dependent on the order the scheme first appears in config file. IE
116 has a bug (it's not RFC 2617 compliant) in that it will use the basic
117 scheme if basic is the first entry presented, even if more secure
118 schemes are presented. For now use the order in the recommended
119 settings section below. If other browsers have difficulties (don't
120 recognize the schemes offered even if you are using basic) either
121 put basic first, or disable the other schemes (by commenting out their
122 program entry).
cccac0a2 123
41bd17a4 124 Once an authentication scheme is fully configured, it can only be
125 shutdown by shutting squid down and restarting. Changes can be made on
126 the fly and activated with a reconfigure. I.E. You can change to a
127 different helper, but not unconfigure the helper completely.
cccac0a2 128
41bd17a4 129 Please note that while this directive defines how Squid processes
130 authentication it does not automatically activate authentication.
131 To use authentication you must in addition make use of ACLs based
132 on login name in http_access (proxy_auth, proxy_auth_regex or
133 external with %LOGIN used in the format tag). The browser will be
134 challenged for authentication on the first such acl encountered
135 in http_access processing and will also be re-challenged for new
136 login credentials if the request is being denied by a proxy_auth
137 type acl.
cccac0a2 138
41bd17a4 139 WARNING: authentication can't be used in a transparently intercepting
140 proxy as the client then thinks it is talking to an origin server and
141 not the proxy. This is a limitation of bending the TCP/IP protocol to
142 transparently intercepting port 80, not a limitation in Squid.
b3567eb5
FC		 143 Ports flagged 'transparent', 'intercept', or 'tproxy' have
144 authentication disabled.
cccac0a2 145
41bd17a4 146 === Parameters for the basic scheme follow. ===
cccac0a2 147
41bd17a4 148 "program" cmdline
149 Specify the command for the external authenticator. Such a program
150 reads a line containing "username password" and replies "OK" or
151 "ERR" in an endless loop. "ERR" responses may optionally be followed
152 by a error description available as %m in the returned error page.
b3567eb5
FC		 153 If you use an authenticator, make sure you have 1 acl of type
154 proxy_auth.
cccac0a2 155
41bd17a4 156 By default, the basic authentication scheme is not used unless a
157 program is specified.
cccac0a2 158
41bd17a4 159 If you want to use the traditional NCSA proxy authentication, set
160 this line to something like
307b83b7 161
41bd17a4 162 auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
9e7dbc51 163
d2a89ac1
AJ		 164 "utf8" on|off
165 HTTP uses iso-latin-1 as characterset, while some authentication
166 backends such as LDAP expects UTF-8. If this is set to on Squid will
167 translate the HTTP iso-latin-1 charset to UTF-8 before sending the
168 username & password to the helper.
169
7353861b 170 "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
48d54e4d 171 The maximum number of authenticator processes to spawn. If you start too few
41bd17a4 172 Squid will have to wait for them to process a backlog of credential
173 verifications, slowing it down. When password verifications are
174 done via a (slow) network you are likely to need lots of
175 authenticator processes.
48d54e4d
AJ		 176
177 The startup= and idle= options permit some skew in the exact amount
178 run. A minimum of startup=N will begin during startup and reconfigure
179 and Squid will start more in groups of up to idle=N in an attempt to meet
180 traffic needs and to keep idle=N free above those traffic needs up to
181 the maximum.
182
7353861b
HN		 183 The concurrency= option sets the number of concurrent requests the
184 helper can process. The default of 0 is used for helpers who only
185 supports one request at a time. Setting this to a number greater than
186 0 changes the protocol used to include a channel number first on the
187 request/response line, allowing multiple requests to be sent to the
188 same helper in parallell without wating for the response.
41bd17a4 189 Must not be set unless it's known the helper supports this.
7353861b
HN		 190
191 auth_param basic children 20 startup=0 idle=1
0fdafae7 192
41bd17a4 193 "realm" realmstring
194 Specifies the realm name which is to be reported to the
195 client for the basic proxy authentication scheme (part of
196 the text the user will see when prompted their username and
197 password). There is no default.
198 auth_param basic realm Squid proxy-caching web server
d1b63fc8 199
41bd17a4 200 "credentialsttl" timetolive
201 Specifies how long squid assumes an externally validated
202 username:password pair is valid for - in other words how
203 often the helper program is called for that user. Set this
204 low to force revalidation with short lived passwords. Note
205 setting this high does not impact your susceptibility
206 to replay attacks unless you are using an one-time password
207 system (such as SecureID). If you are using such a system,
208 you will be vulnerable to replay attacks unless you also
209 use the max_user_ip ACL in an http_access rule.
cccac0a2 210
41bd17a4 211 "casesensitive" on|off
212 Specifies if usernames are case sensitive. Most user databases are
213 case insensitive allowing the same username to be spelled using both
214 lower and upper case letters, but some are case sensitive. This
215 makes a big difference for user_max_ip ACL processing and similar.
216 auth_param basic casesensitive off
cccac0a2 217
41bd17a4 218 === Parameters for the digest scheme follow ===
cccac0a2 219
41bd17a4 220 "program" cmdline
221 Specify the command for the external authenticator. Such
222 a program reads a line containing "username":"realm" and
223 replies with the appropriate H(A1) value hex encoded or
224 ERR if the user (or his H(A1) hash) does not exists.
225 See rfc 2616 for the definition of H(A1).
226 "ERR" responses may optionally be followed by a error description
227 available as %m in the returned error page.
cccac0a2 228
41bd17a4 229 By default, the digest authentication scheme is not used unless a
230 program is specified.
b8c0c06d 231
41bd17a4 232 If you want to use a digest authenticator, set this line to
233 something like
cccac0a2 234
7ce93108 235 auth_param digest program @DEFAULT_PREFIX@/bin/digest_pw_auth @DEFAULT_PREFIX@/etc/digpass
cccac0a2 236
d2a89ac1
AJ		 237 "utf8" on|off
238 HTTP uses iso-latin-1 as characterset, while some authentication
239 backends such as LDAP expects UTF-8. If this is set to on Squid will
240 translate the HTTP iso-latin-1 charset to UTF-8 before sending the
241 username & password to the helper.
242
7353861b 243 "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
48d54e4d 244 The maximum number of authenticator processes to spawn (default 5).
41bd17a4 245 If you start too few Squid will have to wait for them to
246 process a backlog of H(A1) calculations, slowing it down.
247 When the H(A1) calculations are done via a (slow) network
248 you are likely to need lots of authenticator processes.
48d54e4d
AJ		 249
250 The startup= and idle= options permit some skew in the exact amount
251 run. A minimum of startup=N will begin during startup and reconfigure
252 and Squid will start more in groups of up to idle=N in an attempt to meet
253 traffic needs and to keep idle=N free above those traffic needs up to
254 the maximum.
255
7353861b
HN		 256 The concurrency= option sets the number of concurrent requests the
257 helper can process. The default of 0 is used for helpers who only
258 supports one request at a time. Setting this to a number greater than
259 0 changes the protocol used to include a channel number first on the
260 request/response line, allowing multiple requests to be sent to the
261 same helper in parallell without wating for the response.
262 Must not be set unless it's known the helper supports this.
263
48d54e4d 264 auth_param digest children 20 startup=0 idle=1
cccac0a2 265
41bd17a4 266 "realm" realmstring
267 Specifies the realm name which is to be reported to the
268 client for the digest proxy authentication scheme (part of
269 the text the user will see when prompted their username and
270 password). There is no default.
271 auth_param digest realm Squid proxy-caching web server
cccac0a2 272
41bd17a4 273 "nonce_garbage_interval" timeinterval
274 Specifies the interval that nonces that have been issued
275 to client_agent's are checked for validity.
cccac0a2 276
41bd17a4 277 "nonce_max_duration" timeinterval
278 Specifies the maximum length of time a given nonce will be
279 valid for.
cccac0a2 280
41bd17a4 281 "nonce_max_count" number
282 Specifies the maximum number of times a given nonce can be
283 used.
cccac0a2 284
41bd17a4 285 "nonce_strictness" on|off
286 Determines if squid requires strict increment-by-1 behavior
287 for nonce counts, or just incrementing (off - for use when
288 useragents generate nonce counts that occasionally miss 1
289 (ie, 1,2,4,6)). Default off.
cccac0a2 290
41bd17a4 291 "check_nonce_count" on|off
292 This directive if set to off can disable the nonce count check
293 completely to work around buggy digest qop implementations in
294 certain mainstream browser versions. Default on to check the
295 nonce count to protect from authentication replay attacks.
cccac0a2 296
41bd17a4 297 "post_workaround" on|off
298 This is a workaround to certain buggy browsers who sends
299 an incorrect request digest in POST requests when reusing
300 the same nonce as acquired earlier on a GET request.
cccac0a2 301
41bd17a4 302 === NTLM scheme options follow ===
cccac0a2 303
41bd17a4 304 "program" cmdline
305 Specify the command for the external NTLM authenticator.
306 Such a program reads exchanged NTLMSSP packets with
307 the browser via Squid until authentication is completed.
308 If you use an NTLM authenticator, make sure you have 1 acl
309 of type proxy_auth. By default, the NTLM authenticator_program
310 is not used.
cccac0a2 311
41bd17a4 312 auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
cccac0a2 313
48d54e4d
AJ		 314 "children" numberofchildren [startup=N] [idle=N]
315 The maximum number of authenticator processes to spawn (default 5).
41bd17a4 316 If you start too few Squid will have to wait for them to
317 process a backlog of credential verifications, slowing it
318 down. When credential verifications are done via a (slow)
319 network you are likely to need lots of authenticator
320 processes.
cccac0a2 321
48d54e4d
AJ		 322 The startup= and idle= options permit some skew in the exact amount
323 run. A minimum of startup=N will begin during startup and reconfigure
324 and Squid will start more in groups of up to idle=N in an attempt to meet
325 traffic needs and to keep idle=N free above those traffic needs up to
326 the maximum.
327
328 auth_param ntlm children 20 startup=0 idle=1
cccac0a2 329
41bd17a4 330 "keep_alive" on|off
331 If you experience problems with PUT/POST requests when using the
332 Negotiate authentication scheme then you can try setting this to
333 off. This will cause Squid to forcibly close the connection on
334 the initial requests where the browser asks which schemes are
335 supported by the proxy.
cccac0a2 336
41bd17a4 337 auth_param ntlm keep_alive on
cccac0a2 338
41bd17a4 339 === Options for configuring the NEGOTIATE auth-scheme follow ===
cccac0a2 340
41bd17a4 341 "program" cmdline
342 Specify the command for the external Negotiate authenticator.
343 This protocol is used in Microsoft Active-Directory enabled setups with
344 the Microsoft Internet Explorer or Mozilla Firefox browsers.
345 Its main purpose is to exchange credentials with the Squid proxy
346 using the Kerberos mechanisms.
b3567eb5
FC		 347 If you use a Negotiate authenticator, make sure you have at least
348 one acl of type proxy_auth active. By default, the negotiate
349 authenticator_program is not used.
41bd17a4 350 The only supported program for this role is the ntlm_auth
351 program distributed as part of Samba, version 4 or later.
cccac0a2 352
41bd17a4 353 auth_param negotiate program @DEFAULT_PREFIX@/bin/ntlm_auth --helper-protocol=gss-spnego
cccac0a2 354
48d54e4d
AJ		 355 "children" numberofchildren [startup=N] [idle=N]
356 The maximum number of authenticator processes to spawn (default 5).
41bd17a4 357 If you start too few Squid will have to wait for them to
358 process a backlog of credential verifications, slowing it
359 down. When crendential verifications are done via a (slow)
360 network you are likely to need lots of authenticator
361 processes.
48d54e4d
AJ		 362
363 The startup= and idle= options permit some skew in the exact amount
364 run. A minimum of startup=N will begin during startup and reconfigure
365 and Squid will start more in groups of up to idle=N in an attempt to meet
366 traffic needs and to keep idle=N free above those traffic needs up to
367 the maximum.
368
369 auth_param negotiate children 20 startup=0 idle=1
d3803853 370
41bd17a4 371 "keep_alive" on|off
372 If you experience problems with PUT/POST requests when using the
373 Negotiate authentication scheme then you can try setting this to
374 off. This will cause Squid to forcibly close the connection on
375 the initial requests where the browser asks which schemes are
376 supported by the proxy.
527ee50d 377
41bd17a4 378 auth_param negotiate keep_alive on
cccac0a2 379
e0855596
AJ		 380
381 Examples:
382
41bd17a4 383#Recommended minimum configuration per scheme:
384#auth_param negotiate program <uncomment and complete this line to activate>
48d54e4d 385#auth_param negotiate children 20 startup=0 idle=1
41bd17a4 386#auth_param negotiate keep_alive on
e0855596 387#
41bd17a4 388#auth_param ntlm program <uncomment and complete this line to activate>
48d54e4d 389#auth_param ntlm children 20 startup=0 idle=1
41bd17a4 390#auth_param ntlm keep_alive on
e0855596 391#
41bd17a4 392#auth_param digest program <uncomment and complete this line>
48d54e4d 393#auth_param digest children 20 startup=0 idle=1
41bd17a4 394#auth_param digest realm Squid proxy-caching web server
395#auth_param digest nonce_garbage_interval 5 minutes
396#auth_param digest nonce_max_duration 30 minutes
397#auth_param digest nonce_max_count 50
e0855596 398#
41bd17a4 399#auth_param basic program <uncomment and complete this line>
48d54e4d 400#auth_param basic children 5 stratup=5 idle=1
41bd17a4 401#auth_param basic realm Squid proxy-caching web server
402#auth_param basic credentialsttl 2 hours
41bd17a4 403DOC_END
cccac0a2 404
41bd17a4 405NAME: authenticate_cache_garbage_interval
406TYPE: time_t
407DEFAULT: 1 hour
408LOC: Config.authenticateGCInterval
409DOC_START
410 The time period between garbage collection across the username cache.
411 This is a tradeoff between memory utilization (long intervals - say
412 2 days) and CPU (short intervals - say 1 minute). Only change if you
413 have good reason to.
414DOC_END
cccac0a2 415
41bd17a4 416NAME: authenticate_ttl
417TYPE: time_t
418DEFAULT: 1 hour
419LOC: Config.authenticateTTL
420DOC_START
421 The time a user & their credentials stay in the logged in
422 user cache since their last request. When the garbage
423 interval passes, all user credentials that have passed their
424 TTL are removed from memory.
425DOC_END
cccac0a2 426
41bd17a4 427NAME: authenticate_ip_ttl
428TYPE: time_t
429LOC: Config.authenticateIpTTL
430DEFAULT: 0 seconds
431DOC_START
432 If you use proxy authentication and the 'max_user_ip' ACL,
433 this directive controls how long Squid remembers the IP
434 addresses associated with each user. Use a small value
435 (e.g., 60 seconds) if your users might change addresses
436 quickly, as is the case with dialups. You might be safe
437 using a larger value (e.g., 2 hours) in a corporate LAN
438 environment with relatively static address assignments.
439DOC_END
cccac0a2 440
3d1e3e43 441COMMENT_START
442 ACCESS CONTROLS
443 -----------------------------------------------------------------------------
444COMMENT_END
445
41bd17a4 446NAME: external_acl_type
447TYPE: externalAclHelper
448LOC: Config.externalAclHelperList
cccac0a2 449DEFAULT: none
cccac0a2 450DOC_START
41bd17a4 451 This option defines external acl classes using a helper program
452 to look up the status
cccac0a2 453
41bd17a4 454 external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
cccac0a2 455
41bd17a4 456 Options:
cccac0a2 457
41bd17a4 458 ttl=n TTL in seconds for cached results (defaults to 3600
459 for 1 hour)
460 negative_ttl=n
461 TTL for cached negative lookups (default same
462 as ttl)
48d54e4d
AJ		 463 children-max=n
464 Maximum number of acl helper processes spawned to service
465 external acl lookups of this type. (default 20)
466 children-startup=n
467 Minimum number of acl helper processes to spawn during
468 startup and reconfigure to service external acl lookups
469 of this type. (default 0)
470 children-idle=n
471 Number of acl helper processes to keep ahead of traffic
472 loads. Squid will spawn this many at once whenever load
473 rises above the capabilities of existing processes.
474 Up to the value of children-max. (default 1)
41bd17a4 475 concurrency=n concurrency level per process. Only used with helpers
476 capable of processing more than one query at a time.
48d54e4d 477 cache=n limit the result cache size, default is unbounded.
41bd17a4 478 grace=n Percentage remaining of TTL where a refresh of a
479 cached entry should be initiated without needing to
48d54e4d 480 wait for a new reply. (default is for no grace period)
41bd17a4 481 protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
cc192b50 482 ipv4 / ipv6 IP-mode used to communicate to this helper.
483 For compatability with older configurations and helpers
055421ee 484 the default is currently 'ipv4'.
cccac0a2 485
41bd17a4 486 FORMAT specifications
cccac0a2 487
41bd17a4 488 %LOGIN Authenticated user login name
489 %EXT_USER Username from external acl
490 %IDENT Ident user name
491 %SRC Client IP
492 %SRCPORT Client source port
493 %URI Requested URI
494 %DST Requested host
495 %PROTO Requested protocol
496 %PORT Requested port
497 %PATH Requested URL path
498 %METHOD Request method
499 %MYADDR Squid interface address
500 %MYPORT Squid http_port number
501 %PATH Requested URL-path (including query-string if any)
502 %USER_CERT SSL User certificate in PEM format
503 %USER_CERTCHAIN SSL User certificate chain in PEM format
504 %USER_CERT_xx SSL User certificate subject attribute xx
505 %USER_CA_xx SSL User certificate issuer attribute xx
7b0ca1e8 506
c68c9682 507 %>{Header} HTTP request header "Header"
7b0ca1e8 508 %>{Hdr:member}
c68c9682 509 HTTP request header "Hdr" list member "member"
7b0ca1e8 510 %>{Hdr:;member}
41bd17a4 511 HTTP request header list member using ; as
512 list separator. ; can be any non-alphanumeric
513 character.
cccac0a2 514
c68c9682 515 %<{Header} HTTP reply header "Header"
7b0ca1e8 516 %<{Hdr:member}
c68c9682 517 HTTP reply header "Hdr" list member "member"
7b0ca1e8
AJ		 518 %<{Hdr:;member}
519 HTTP reply header list member using ; as
520 list separator. ; can be any non-alphanumeric
521 character.
522
41bd17a4 523 In addition to the above, any string specified in the referencing
524 acl will also be included in the helper request line, after the
525 specified formats (see the "acl external" directive)
cccac0a2 526
41bd17a4 527 The helper receives lines per the above format specification,
528 and returns lines starting with OK or ERR indicating the validity
529 of the request and optionally followed by additional keywords with
530 more details.
cccac0a2 531
41bd17a4 532 General result syntax:
cccac0a2 533
41bd17a4 534 OK/ERR keyword=value ...
cccac0a2 535
41bd17a4 536 Defined keywords:
cccac0a2 537
41bd17a4 538 user= The users name (login)
539 password= The users password (for login= cache_peer option)
540 message= Message describing the reason. Available as %o
541 in error pages
542 tag= Apply a tag to a request (for both ERR and OK results)
543 Only sets a tag, does not alter existing tags.
544 log= String to be logged in access.log. Available as
545 %ea in logformat specifications
934b03fc 546
41bd17a4 547 If protocol=3.0 (the default) then URL escaping is used to protect
548 each value in both requests and responses.
6a566b9c 549
41bd17a4 550 If using protocol=2.5 then all values need to be enclosed in quotes
551 if they may contain whitespace, or the whitespace escaped using \.
552 And quotes or \ characters within the keyword value must be \ escaped.
1e5562e3 553
41bd17a4 554 When using the concurrency= option the protocol is changed by
555 introducing a query channel tag infront of the request/response.
556 The query channel tag is a number between 0 and concurrency-1.
cccac0a2 557DOC_END
558
41bd17a4 559NAME: acl
560TYPE: acl
561LOC: Config.aclList
1f5bd0a4 562DEFAULT: all src all
cccac0a2 563DOC_START
41bd17a4 564 Defining an Access List
cccac0a2 565
375eeb3b
AJ		 566 Every access list definition must begin with an aclname and acltype,
567 followed by either type-specific arguments or a quoted filename that
568 they are read from.
cccac0a2 569
375eeb3b
AJ		 570 acl aclname acltype argument ...
571 acl aclname acltype "file" ...
cccac0a2 572
375eeb3b 573 When using "file", the file should contain one item per line.
cccac0a2 574
41bd17a4 575 By default, regular expressions are CASE-SENSITIVE. To make
576 them case-insensitive, use the -i option.
cccac0a2 577
b3567eb5
FC		 578 Some acl types require suspending the current request in order
579 to access some external data source.
580 Those which do are marked with the tag [slow], those which
581 don't are marked as [fast].
582 See http://wiki.squid-cache.org/SquidFaq/SquidAcl
583 for further information
e988aa40
AJ		 584
585 ***** ACL TYPES AVAILABLE *****
586
b3567eb5
FC		 587 acl aclname src ip-address/netmask ... # clients IP address [fast]
588 acl aclname src addr1-addr2/netmask ... # range of addresses [fast]
589 acl aclname dst ip-address/netmask ... # URL host's IP address [slow]
590 acl aclname myip ip-address/netmask ... # local socket IP address [fast]
cccac0a2 591
41bd17a4 592 acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
593 # The arp ACL requires the special configure option --enable-arp-acl.
594 # Furthermore, the ARP ACL code is not portable to all operating systems.
b3567eb5
FC		 595 # It works on Linux, Solaris, Windows, FreeBSD, and some
596 # other *BSD variants.
597 # [fast]
41bd17a4 598 #
599 # NOTE: Squid can only determine the MAC address for clients that are on
b3567eb5
FC		 600 # the same subnet. If the client is on a different subnet,
601 # then Squid cannot find out its MAC address.
602
603 acl aclname srcdomain .foo.com ...
604 # reverse lookup, from client IP [slow]
605 acl aclname dstdomain .foo.com ...
e38c7724 606 # Destination server from URL [fast]
b3567eb5
FC		 607 acl aclname srcdom_regex [-i] \.foo\.com ...
608 # regex matching client name [slow]
609 acl aclname dstdom_regex [-i] \.foo\.com ...
e38c7724 610 # regex matching server [fast]
b3567eb5 611 #
41bd17a4 612 # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
613 # based URL is used and no match is found. The name "none" is used
614 # if the reverse lookup fails.
9bc73deb 615
375eeb3b
AJ		 616 acl aclname src_as number ...
617 acl aclname dst_as number ...
b3567eb5 618 # [fast]
e988aa40
AJ		 619 # Except for access control, AS numbers can be used for
620 # routing of requests to specific caches. Here's an
621 # example for routing all requests for AS#1241 and only
622 # those to mycache.mydomain.net:
623 # acl asexample dst_as 1241
624 # cache_peer_access mycache.mydomain.net allow asexample
625 # cache_peer_access mycache_mydomain.net deny all
7f7db318 626
6db78a1a 627 acl aclname peername myPeer ...
b3567eb5 628 # [fast]
6db78a1a
AJ		 629 # match against a named cache_peer entry
630 # set unique name= on cache_peer lines for reliable use.
631
375eeb3b 632 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
b3567eb5 633 # [fast]
375eeb3b
AJ		 634 # day-abbrevs:
635 # S - Sunday
636 # M - Monday
637 # T - Tuesday
638 # W - Wednesday
639 # H - Thursday
640 # F - Friday
641 # A - Saturday
642 # h1:m1 must be less than h2:m2
643
b3567eb5
FC		 644 acl aclname url_regex [-i] ^http:// ...
645 # regex matching on whole URL [fast]
646 acl aclname urlpath_regex [-i] \.gif$ ...
647 # regex matching on URL path [fast]
e988aa40 648
b3567eb5
FC		 649 acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
650 # ranges are alloed
651 acl aclname myport 3128 ... # local socket TCP port [fast]
652 acl aclname myportname 3128 ... # http(s)_port name [fast]
e988aa40 653
b3567eb5
FC		 654 acl aclname proto HTTP FTP ... # request protocol [fast]
655
656 acl aclname method GET POST ... # HTTP request method [fast]
e988aa40 657
b3567eb5
FC		 658 acl aclname http_status 200 301 500- 400-403 ...
659 # status code in reply [fast]
e988aa40 660
375eeb3b 661 acl aclname browser [-i] regexp ...
b3567eb5 662 # pattern match on User-Agent header (see also req_header below) [fast]
e988aa40 663
375eeb3b 664 acl aclname referer_regex [-i] regexp ...
b3567eb5 665 # pattern match on Referer header [fast]
41bd17a4 666 # Referer is highly unreliable, so use with care
e988aa40 667
375eeb3b 668 acl aclname ident username ...
41bd17a4 669 acl aclname ident_regex [-i] pattern ...
b3567eb5 670 # string match on ident output [slow]
41bd17a4 671 # use REQUIRED to accept any non-null ident.
cf5cc17e 672
41bd17a4 673 acl aclname proxy_auth [-i] username ...
674 acl aclname proxy_auth_regex [-i] pattern ...
b3567eb5
FC		 675 # perform http authentication challenge to the client and match against
676 # supplied credentials [slow]
677 #
678 # takes a list of allowed usernames.
41bd17a4 679 # use REQUIRED to accept any valid username.
680 #
b3567eb5
FC		 681 # Will use proxy authentication in forward-proxy scenarios, and plain
682 # http authenticaiton in reverse-proxy scenarios
683 #
41bd17a4 684 # NOTE: when a Proxy-Authentication header is sent but it is not
685 # needed during ACL checking the username is NOT logged
686 # in access.log.
687 #
688 # NOTE: proxy_auth requires a EXTERNAL authentication program
689 # to check username/password combinations (see
690 # auth_param directive).
691 #
e988aa40
AJ		 692 # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
693 # as the browser needs to be configured for using a proxy in order
41bd17a4 694 # to respond to proxy authentication.
8e8d4f30 695
41bd17a4 696 acl aclname snmp_community string ...
b3567eb5 697 # A community string to limit access to your SNMP Agent [fast]
41bd17a4 698 # Example:
699 #
700 # acl snmppublic snmp_community public
934b03fc 701
41bd17a4 702 acl aclname maxconn number
703 # This will be matched when the client's IP address has
b3567eb5 704 # more than <number> HTTP connections established. [fast]
1e5562e3 705
41bd17a4 706 acl aclname max_user_ip [-s] number
707 # This will be matched when the user attempts to log in from more
708 # than <number> different ip addresses. The authenticate_ip_ttl
b3567eb5 709 # parameter controls the timeout on the ip entries. [fast]
41bd17a4 710 # If -s is specified the limit is strict, denying browsing
711 # from any further IP addresses until the ttl has expired. Without
712 # -s Squid will just annoy the user by "randomly" denying requests.
713 # (the counter is reset each time the limit is reached and a
714 # request is denied)
715 # NOTE: in acceleration mode or where there is mesh of child proxies,
716 # clients may appear to come from multiple addresses if they are
717 # going through proxy farms, so a limit of 1 may cause user problems.
cccac0a2 718
cb1b906f
AJ		 719 acl aclname random probability
720 # Pseudo-randomly match requests. Based on the probability given.
721 # Probability may be written as a decimal (0.333), fraction (1/3)
722 # or ratio of matches:non-matches (3:5).
723
375eeb3b 724 acl aclname req_mime_type [-i] mime-type ...
41bd17a4 725 # regex match against the mime type of the request generated
726 # by the client. Can be used to detect file upload or some
b3567eb5 727 # types HTTP tunneling requests [fast]
41bd17a4 728 # NOTE: This does NOT match the reply. You cannot use this
729 # to match the returned file type.
cccac0a2 730
41bd17a4 731 acl aclname req_header header-name [-i] any\.regex\.here
732 # regex match against any of the known request headers. May be
733 # thought of as a superset of "browser", "referer" and "mime-type"
b3567eb5 734 # ACL [fast]
cccac0a2 735
375eeb3b 736 acl aclname rep_mime_type [-i] mime-type ...
41bd17a4 737 # regex match against the mime type of the reply received by
738 # squid. Can be used to detect file download or some
b3567eb5 739 # types HTTP tunneling requests. [fast]
41bd17a4 740 # NOTE: This has no effect in http_access rules. It only has
741 # effect in rules that affect the reply data stream such as
742 # http_reply_access.
cccac0a2 743
41bd17a4 744 acl aclname rep_header header-name [-i] any\.regex\.here
745 # regex match against any of the known reply headers. May be
746 # thought of as a superset of "browser", "referer" and "mime-type"
b3567eb5 747 # ACLs [fast]
cccac0a2 748
375eeb3b 749 acl aclname external class_name [arguments...]
41bd17a4 750 # external ACL lookup via a helper class defined by the
b3567eb5 751 # external_acl_type directive [slow]
cccac0a2 752
41bd17a4 753 acl aclname user_cert attribute values...
754 # match against attributes in a user SSL certificate
b3567eb5 755 # attribute is one of DN/C/O/CN/L/ST [fast]
cccac0a2 756
41bd17a4 757 acl aclname ca_cert attribute values...
758 # match against attributes a users issuing CA SSL certificate
b3567eb5 759 # attribute is one of DN/C/O/CN/L/ST [fast]
cccac0a2 760
41bd17a4 761 acl aclname ext_user username ...
762 acl aclname ext_user_regex [-i] pattern ...
b3567eb5 763 # string match on username returned by external acl helper [slow]
41bd17a4 764 # use REQUIRED to accept any non-null user name.
b3567eb5 765
0ab50441 766 acl aclname tag tagvalue ...
b3567eb5 767 # string match on tag returned by external acl helper [slow]
cccac0a2 768
bbaf2685
AJ		 769 acl aclname hier_code codename ...
770 # string match against squid hierarchy code(s); [fast]
771 # e.g., DIRECT, PARENT_HIT, NONE, etc.
772 #
773 # NOTE: This has no effect in http_access rules. It only has
774 # effect in rules that affect the reply data stream such as
775 # http_reply_access.
776
e0855596
AJ		 777 Examples:
778 acl macaddress arp 09:00:2b:23:45:67
779 acl myexample dst_as 1241
780 acl password proxy_auth REQUIRED
781 acl fileupload req_mime_type -i ^multipart/form-data$
782 acl javascript rep_mime_type -i ^application/x-javascript$
cccac0a2 783
41bd17a4 784NOCOMMENT_START
e0855596
AJ		 785#
786# Recommended minimum configuration:
787#
41bd17a4 788acl manager proto cache_object
055421ee
AJ		 789acl localhost src 127.0.0.1/32 ::1
790acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
e0855596 791
ee776778 792# Example rule allowing access from your local networks.
793# Adapt to list your (internal) IP networks from where browsing
794# should be allowed
795acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
796acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
797acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
055421ee
AJ		 798acl localnet src fc00::/7 # RFC 4193 local private network range
799acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
e0855596 800
41bd17a4 801acl SSL_ports port 443
802acl Safe_ports port 80 # http
803acl Safe_ports port 21 # ftp
804acl Safe_ports port 443 # https
805acl Safe_ports port 70 # gopher
806acl Safe_ports port 210 # wais
807acl Safe_ports port 1025-65535 # unregistered ports
808acl Safe_ports port 280 # http-mgmt
809acl Safe_ports port 488 # gss-http
810acl Safe_ports port 591 # filemaker
811acl Safe_ports port 777 # multiling http
812acl CONNECT method CONNECT
813NOCOMMENT_END
814DOC_END
cccac0a2 815
3d674977
AJ		 816NAME: follow_x_forwarded_for
817TYPE: acl_access
818IFDEF: FOLLOW_X_FORWARDED_FOR
819LOC: Config.accessList.followXFF
820DEFAULT: none
821DEFAULT_IF_NONE: deny all
822DOC_START
823 Allowing or Denying the X-Forwarded-For header to be followed to
824 find the original source of a request.
825
826 Requests may pass through a chain of several other proxies
827 before reaching us. The X-Forwarded-For header will contain a
828 comma-separated list of the IP addresses in the chain, with the
829 rightmost address being the most recent.
830
831 If a request reaches us from a source that is allowed by this
832 configuration item, then we consult the X-Forwarded-For header
833 to see where that host received the request from. If the
2bf4e8fa
AJ		 834 X-Forwarded-For header contains multiple addresses, we continue
835 backtracking until we reach an address for which we are not allowed
836 to follow the X-Forwarded-For header, or until we reach the first
837 address in the list. For the purpose of ACL used in the
838 follow_x_forwarded_for directive the src ACL type always matches
839 the address we are testing and srcdomain matches its rDNS.
3d674977
AJ		 840
841 The end result of this process is an IP address that we will
842 refer to as the indirect client address. This address may
57d76dd4 843 be treated as the client address for access control, ICAP, delay
3d674977 844 pools and logging, depending on the acl_uses_indirect_client,
96d64448
AJ		 845 icap_uses_indirect_client, delay_pool_uses_indirect_client,
846 log_uses_indirect_client and tproxy_uses_indirect_client options.
3d674977 847
b3567eb5
FC		 848 This clause only supports fast acl types.
849 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
850
3d674977
AJ		 851 SECURITY CONSIDERATIONS:
852
853 Any host for which we follow the X-Forwarded-For header
854 can place incorrect information in the header, and Squid
855 will use the incorrect information as if it were the
856 source address of the request. This may enable remote
857 hosts to bypass any access control restrictions that are
858 based on the client's source addresses.
859
860 For example:
861
862 acl localhost src 127.0.0.1
863 acl my_other_proxy srcdomain .proxy.example.com
864 follow_x_forwarded_for allow localhost
865 follow_x_forwarded_for allow my_other_proxy
866DOC_END
867
868NAME: acl_uses_indirect_client
869COMMENT: on|off
870TYPE: onoff
871IFDEF: FOLLOW_X_FORWARDED_FOR
872DEFAULT: on
873LOC: Config.onoff.acl_uses_indirect_client
874DOC_START
875 Controls whether the indirect client address
876 (see follow_x_forwarded_for) is used instead of the
877 direct client address in acl matching.
878DOC_END
879
880NAME: delay_pool_uses_indirect_client
881COMMENT: on|off
882TYPE: onoff
0dae2bca 883IFDEF: FOLLOW_X_FORWARDED_FOR&&DELAY_POOLS
3d674977
AJ		 884DEFAULT: on
885LOC: Config.onoff.delay_pool_uses_indirect_client
886DOC_START
887 Controls whether the indirect client address
888 (see follow_x_forwarded_for) is used instead of the
889 direct client address in delay pools.
890DOC_END
891
892NAME: log_uses_indirect_client
893COMMENT: on|off
894TYPE: onoff
895IFDEF: FOLLOW_X_FORWARDED_FOR
896DEFAULT: on
897LOC: Config.onoff.log_uses_indirect_client
898DOC_START
899 Controls whether the indirect client address
900 (see follow_x_forwarded_for) is used instead of the
901 direct client address in the access log.
902DOC_END
903
96d64448
AJ		 904NAME: tproxy_uses_indirect_client
905COMMENT: on|off
906TYPE: onoff
907IFDEF: FOLLOW_X_FORWARDED_FOR&&LINUX_NETFILTER
4d7ab5a2 908DEFAULT: off
96d64448
AJ		 909LOC: Config.onoff.tproxy_uses_indirect_client
910DOC_START
911 Controls whether the indirect client address
912 (see follow_x_forwarded_for) is used instead of the
913 direct client address when spoofing the outgoing client.
4d7ab5a2
AJ		 914
915 This has no effect on requests arriving in non-tproxy
916 mode ports.
917
918 SECURITY WARNING: Usage of this option is dangerous
919 and should not be used trivially. Correct configuration
920 of folow_x_forewarded_for with a limited set of trusted
921 sources is required to prevent abuse of your proxy.
96d64448
AJ		 922DOC_END
923
41bd17a4 924NAME: http_access
925TYPE: acl_access
926LOC: Config.accessList.http
927DEFAULT: none
928DEFAULT_IF_NONE: deny all
929DOC_START
930 Allowing or Denying access based on defined access lists
cccac0a2 931
41bd17a4 932 Access to the HTTP port:
933 http_access allow|deny [!]aclname ...
cccac0a2 934
41bd17a4 935 NOTE on default values:
cccac0a2 936
41bd17a4 937 If there are no "access" lines present, the default is to deny
938 the request.
cccac0a2 939
41bd17a4 940 If none of the "access" lines cause a match, the default is the
941 opposite of the last line in the list. If the last line was
942 deny, the default is allow. Conversely, if the last line
943 is allow, the default will be deny. For these reasons, it is a
51ae86b2
HN		 944 good idea to have an "deny all" entry at the end of your access
945 lists to avoid potential confusion.
cccac0a2 946
b3567eb5
FC		 947 This clause supports both fast and slow acl types.
948 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
949
41bd17a4 950NOCOMMENT_START
e0855596
AJ		 951
952#
953# Recommended minimum Access Permission configuration:
41bd17a4 954#
955# Only allow cachemgr access from localhost
956http_access allow manager localhost
957http_access deny manager
e0855596
AJ		 958
959# Deny requests to certain unsafe ports
41bd17a4 960http_access deny !Safe_ports
e0855596
AJ		 961
962# Deny CONNECT to other than secure SSL ports
41bd17a4 963http_access deny CONNECT !SSL_ports
e0855596 964
41bd17a4 965# We strongly recommend the following be uncommented to protect innocent
966# web applications running on the proxy server who think the only
967# one who can access services on "localhost" is a local user
968#http_access deny to_localhost
e0855596 969
41bd17a4 970#
971# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
e0855596 972#
c8f4eac4 973
ee776778 974# Example rule allowing access from your local networks.
975# Adapt localnet in the ACL section to list your (internal) IP networks
976# from where browsing should be allowed
977http_access allow localnet
afb33856 978http_access allow localhost
7d90757b 979
41bd17a4 980# And finally deny all other access to this proxy
981http_access deny all
982NOCOMMENT_END
983DOC_END
7d90757b 984
533493da
AJ		 985NAME: adapted_http_access http_access2
986TYPE: acl_access
987LOC: Config.accessList.adapted_http
988DEFAULT: none
989DOC_START
990 Allowing or Denying access based on defined access lists
991
992 Essentially identical to http_access, but runs after redirectors
993 and ICAP/eCAP adaptation. Allowing access control based on their
994 output.
995
996 If not set then only http_access is used.
997DOC_END
998
41bd17a4 999NAME: http_reply_access
1000TYPE: acl_access
1001LOC: Config.accessList.reply
1002DEFAULT: none
1003DOC_START
1004 Allow replies to client requests. This is complementary to http_access.
cccac0a2 1005
41bd17a4 1006 http_reply_access allow|deny [!] aclname ...
cccac0a2 1007
41bd17a4 1008 NOTE: if there are no access lines present, the default is to allow
1009 all replies
1a224843 1010
41bd17a4 1011 If none of the access lines cause a match the opposite of the
1012 last line will apply. Thus it is good practice to end the rules
1013 with an "allow all" or "deny all" entry.
b3567eb5
FC		 1014
1015 This clause supports both fast and slow acl types.
1016 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
cccac0a2 1017DOC_END
1018
41bd17a4 1019NAME: icp_access
1020TYPE: acl_access
1021LOC: Config.accessList.icp
1022DEFAULT: none
1023DEFAULT_IF_NONE: deny all
5473c134 1024DOC_START
41bd17a4 1025 Allowing or Denying access to the ICP port based on defined
1026 access lists
5473c134 1027
41bd17a4 1028 icp_access allow|deny [!]aclname ...
5473c134 1029
41bd17a4 1030 See http_access for details
1031
b3567eb5
FC		 1032 This clause only supports fast acl types.
1033 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
e0855596
AJ		 1034
1035# Allow ICP queries from local networks only
df2eec10
AJ		 1036#icp_access allow localnet
1037#icp_access deny all
5473c134 1038DOC_END
1039
41bd17a4 1040NAME: htcp_access
1041IFDEF: USE_HTCP
1042TYPE: acl_access
1043LOC: Config.accessList.htcp
1044DEFAULT: none
1045DEFAULT_IF_NONE: deny all
5473c134 1046DOC_START
41bd17a4 1047 Allowing or Denying access to the HTCP port based on defined
1048 access lists
5473c134 1049
41bd17a4 1050 htcp_access allow|deny [!]aclname ...
5473c134 1051
41bd17a4 1052 See http_access for details
5473c134 1053
0b48417e 1054 NOTE: The default if no htcp_access lines are present is to
1055 deny all traffic. This default may cause problems with peers
18191440 1056 using the htcp option.
0b48417e 1057
b3567eb5
FC		 1058 This clause only supports fast acl types.
1059 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
e0855596
AJ		 1060
1061# Allow HTCP queries from local networks only
df2eec10
AJ		 1062#htcp_access allow localnet
1063#htcp_access deny all
41bd17a4 1064DOC_END
5473c134 1065
41bd17a4 1066NAME: htcp_clr_access
1067IFDEF: USE_HTCP
1068TYPE: acl_access
1069LOC: Config.accessList.htcp_clr
1070DEFAULT: none
1071DEFAULT_IF_NONE: deny all
1072DOC_START
1073 Allowing or Denying access to purge content using HTCP based
1074 on defined access lists
5473c134 1075
41bd17a4 1076 htcp_clr_access allow|deny [!]aclname ...
5473c134 1077
41bd17a4 1078 See http_access for details
5473c134 1079
b3567eb5
FC		 1080 This clause only supports fast acl types.
1081 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
e0855596
AJ		 1082
1083# Allow HTCP CLR requests from trusted peers
41bd17a4 1084acl htcp_clr_peer src 172.16.1.2
1085htcp_clr_access allow htcp_clr_peer
5473c134 1086DOC_END
1087
41bd17a4 1088NAME: miss_access
1089TYPE: acl_access
1090LOC: Config.accessList.miss
df2eec10 1091DEFAULT: allow all
5473c134 1092DOC_START
41bd17a4 1093 Use to force your neighbors to use you as a sibling instead of
1094 a parent. For example:
5473c134 1095
41bd17a4 1096 acl localclients src 172.16.0.0/16
1097 miss_access allow localclients
1098 miss_access deny !localclients
5473c134 1099
41bd17a4 1100 This means only your local clients are allowed to fetch
1101 MISSES and all other clients can only fetch HITS.
5473c134 1102
41bd17a4 1103 By default, allow all clients who passed the http_access rules
1104 to fetch MISSES from us.
b3567eb5
FC		 1105
1106 This clause only supports fast acl types.
1107 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
41bd17a4 1108DOC_END
1109
1110NAME: ident_lookup_access
1111TYPE: acl_access
1112IFDEF: USE_IDENT
1113DEFAULT: none
1114DEFAULT_IF_NONE: deny all
4daaf3cb 1115LOC: Ident::TheConfig.identLookup
5473c134 1116DOC_START
41bd17a4 1117 A list of ACL elements which, if matched, cause an ident
1118 (RFC 931) lookup to be performed for this request. For
1119 example, you might choose to always perform ident lookups
1120 for your main multi-user Unix boxes, but not for your Macs
1121 and PCs. By default, ident lookups are not performed for
1122 any requests.
5473c134 1123
41bd17a4 1124 To enable ident lookups for specific client addresses, you
1125 can follow this example:
5473c134 1126
4daaf3cb 1127 acl ident_aware_hosts src 198.168.1.0/24
41bd17a4 1128 ident_lookup_access allow ident_aware_hosts
1129 ident_lookup_access deny all
5473c134 1130
4daaf3cb 1131 Only src type ACL checks are fully supported. A srcdomain
41bd17a4 1132 ACL might work at times, but it will not always provide
1133 the correct result.
b3567eb5
FC		 1134
1135 This clause only supports fast acl types.
1136 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
41bd17a4 1137DOC_END
5473c134 1138
5b0f5383 1139NAME: reply_body_max_size
1140COMMENT: size [acl acl...]
1141TYPE: acl_b_size_t
1142DEFAULT: none
1143LOC: Config.ReplyBodySize
1144DOC_START
1145 This option specifies the maximum size of a reply body. It can be
1146 used to prevent users from downloading very large files, such as
1147 MP3's and movies. When the reply headers are received, the
1148 reply_body_max_size lines are processed, and the first line where
1149 all (if any) listed ACLs are true is used as the maximum body size
1150 for this reply.
1151
1152 This size is checked twice. First when we get the reply headers,
1153 we check the content-length value. If the content length value exists
1154 and is larger than the allowed size, the request is denied and the
1155 user receives an error message that says "the request or reply
1156 is too large." If there is no content-length, and the reply
1157 size exceeds this limit, the client's connection is just closed
1158 and they will receive a partial reply.
1159
1160 WARNING: downstream caches probably can not detect a partial reply
1161 if there is no content-length header, so they will cache
1162 partial responses and give them out as hits. You should NOT
1163 use this option if you have downstream caches.
1164
1165 WARNING: A maximum size smaller than the size of squid's error messages
1166 will cause an infinite loop and crash squid. Ensure that the smallest
1167 non-zero value you use is greater that the maximum header size plus
1168 the size of your largest error page.
1169
1170 If you set this parameter none (the default), there will be
1171 no limit imposed.
3bc32f2f
AJ		 1172
1173 Configuration Format is:
1174 reply_body_max_size SIZE UNITS [acl ...]
1175 ie.
1176 reply_body_max_size 10 MB
1177
5b0f5383 1178DOC_END
1179
1180COMMENT_START
1181 NETWORK OPTIONS
1182 -----------------------------------------------------------------------------
1183COMMENT_END
1184
1185NAME: http_port ascii_port
1186TYPE: http_port_list
1187DEFAULT: none
1188LOC: Config.Sockaddr.http
1189DOC_START
c7b1dd5d
AJ		 1190 Usage: port [mode] [options]
1191 hostname:port [mode] [options]
1192 1.2.3.4:port [mode] [options]
5b0f5383 1193
1194 The socket addresses where Squid will listen for HTTP client
1195 requests. You may specify multiple socket addresses.
1196 There are three forms: port alone, hostname with port, and
1197 IP address with port. If you specify a hostname or IP
1198 address, Squid binds the socket to that specific
c7b1dd5d 1199 address. Most likely, you do not need to bind to a specific
5b0f5383 1200 address, so you can use the port number alone.
1201
1202 If you are running Squid in accelerator mode, you
1203 probably want to listen on port 80 also, or instead.
1204
1205 The -a command line option may be used to specify additional
1206 port(s) where Squid listens for proxy request. Such ports will
1207 be plain proxy ports with no options.
1208
1209 You may specify multiple socket addresses on multiple lines.
1210
c7b1dd5d 1211 Modes:
5b0f5383 1212
e77bdb4e 1213 intercept Support for IP-Layer interception of
5b0f5383 1214 outgoing requests without browser settings.
13b5cd0c 1215 NP: disables authentication and IPv6 on the port.
5b0f5383 1216
1217 tproxy Support Linux TPROXY for spoofing outgoing
1218 connections using the client IP address.
6f05d9c8 1219 NP: disables authentication and maybe IPv6 on the port.
5b0f5383 1220
1221 accel Accelerator mode. Also needs at least one of
1222 vhost / vport / defaultsite.
1223
3a0c8eb5 1224 ssl-bump Intercept each CONNECT request matching ssl_bump ACL,
c7b1dd5d
AJ		 1225 establish secure connection with the client and with
1226 the server, decrypt HTTP messages as they pass through
1227 Squid, and treat them as unencrypted HTTP messages,
1228 becoming the man-in-the-middle.
1229
1230 The ssl_bump option is required to fully enable
1231 the SslBump feature.
1232
1233 Omitting the mode flag causes default forward proxy mode to be used.
1234
1235
1236 Accelerator Mode Options:
1237
7f7bdd96
AJ		 1238 allow-direct Allow direct forwarding in accelerator mode. Normally
1239 accelerated requests are denied direct forwarding as if
1240 never_direct was used.
1241
5b0f5383 1242 defaultsite=domainname
1243 What to use for the Host: header if it is not present
1244 in a request. Determines what site (not origin server)
1245 accelerators should consider the default.
1246 Implies accel.
1247
c7b1dd5d
AJ		 1248 vhost Using the Host header for virtual domain support.
1249 Also uses the port as specified in Host: header.
5b0f5383 1250
c7b1dd5d
AJ		 1251 vport IP based virtual host support. Using the http_port number
1252 in passed on Host: headers.
5b0f5383 1253
c7b1dd5d
AJ		 1254 vport=NN Uses the specified port number rather than the
1255 http_port number.
5b0f5383 1256
1257 protocol= Protocol to reconstruct accelerated requests with.
c7b1dd5d 1258 Defaults to http://.
5b0f5383 1259
432bc83c
HN		 1260 ignore-cc Ignore request Cache-Control headers.
1261
1262 Warning: This option violates HTTP specifications if
1263 used in non-accelerator setups.
1264
c7b1dd5d
AJ		 1265
1266 SSL Bump Mode Options:
1267
1268 cert= Path to SSL certificate (PEM format).
1269
1270 key= Path to SSL private key file (PEM format)
1271 if not specified, the certificate file is
1272 assumed to be a combined certificate and
1273 key file.
1274
1275 version= The version of SSL/TLS supported
1276 1 automatic (default)
1277 2 SSLv2 only
1278 3 SSLv3 only
1279 4 TLSv1 only
1280
1281 cipher= Colon separated list of supported ciphers.
1282
1283 options= Various SSL engine options. The most important
1284 being:
1285 NO_SSLv2 Disallow the use of SSLv2
1286 NO_SSLv3 Disallow the use of SSLv3
1287 NO_TLSv1 Disallow the use of TLSv1
1288 SINGLE_DH_USE Always create a new key when using
1289 temporary/ephemeral DH key exchanges
1290 See src/ssl_support.c or OpenSSL SSL_CTX_set_options
1291 documentation for a complete list of options.
1292
1293 clientca= File containing the list of CAs to use when
1294 requesting a client certificate.
1295
1296 cafile= File containing additional CA certificates to
1297 use when verifying client certificates. If unset
1298 clientca will be used.
1299
1300 capath= Directory containing additional CA certificates
1301 and CRL lists to use when verifying client certificates.
1302
1303 crlfile= File of additional CRL lists to use when verifying
1304 the client certificate, in addition to CRLs stored in
1305 the capath. Implies VERIFY_CRL flag below.
1306
1307 dhparams= File containing DH parameters for temporary/ephemeral
1308 DH key exchanges.
1309
1310 sslflags= Various flags modifying the use of SSL:
1311 DELAYED_AUTH
1312 Don't request client certificates
1313 immediately, but wait until acl processing
1314 requires a certificate (not yet implemented).
1315 NO_DEFAULT_CA
1316 Don't use the default CA lists built in
1317 to OpenSSL.
1318 NO_SESSION_REUSE
1319 Don't allow for session reuse. Each connection
1320 will result in a new SSL session.
1321 VERIFY_CRL
1322 Verify CRL lists when accepting client
1323 certificates.
1324 VERIFY_CRL_ALL
1325 Verify CRL lists for all certificates in the
1326 client certificate chain.
1327
1328 sslcontext= SSL session ID context identifier.
1329
1330
1331 Other Options:
1332
6b185b50
AJ		 1333 connection-auth[=on|off]
1334 use connection-auth=off to tell Squid to prevent
1335 forwarding Microsoft connection oriented authentication
d67acb4e
AJ		 1336 (NTLM, Negotiate and Kerberos)
1337
5b0f5383 1338 disable-pmtu-discovery=
1339 Control Path-MTU discovery usage:
1340 off lets OS decide on what to do (default).
1341 transparent disable PMTU discovery when transparent
1342 support is enabled.
1343 always disable always PMTU discovery.
1344
1345 In many setups of transparently intercepting proxies
1346 Path-MTU discovery can not work on traffic towards the
1347 clients. This is the case when the intercepting device
1348 does not fully track connections and fails to forward
1349 ICMP must fragment messages to the cache server. If you
1350 have such setup and experience that certain clients
1351 sporadically hang or never complete requests set
1352 disable-pmtu-discovery option to 'transparent'.
1353
81b6e9a7 1354 name= Specifies a internal name for the port. Defaults to
1355 the port specification (port or addr:port)
1356
68924b6d 1357 tcpkeepalive[=idle,interval,timeout]
fb6c6dbe
AJ		 1358 Enable TCP keepalive probes of idle connections.
1359 In seconds; idle is the initial time before TCP starts
1360 probing the connection, interval how often to probe, and
b2130d58 1361 timeout the time before giving up.
1362
5b0f5383 1363 If you run Squid on a dual-homed machine with an internal
1364 and an external interface we recommend you to specify the
1365 internal address:port in http_port. This way Squid will only be
1366 visible on the internal address.
1367
1368NOCOMMENT_START
e0855596 1369
5b0f5383 1370# Squid normally listens to port 3128
1371http_port @DEFAULT_HTTP_PORT@
1372NOCOMMENT_END
1373DOC_END
1374
1375NAME: https_port
1376IFDEF: USE_SSL
1377TYPE: https_port_list
1378DEFAULT: none
1379LOC: Config.Sockaddr.https
1380DOC_START
1381 Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
1382
1383 The socket address where Squid will listen for HTTPS client
1384 requests.
1385
1386 This is really only useful for situations where you are running
1387 squid in accelerator mode and you want to do the SSL work at the
1388 accelerator level.
1389
1390 You may specify multiple socket addresses on multiple lines,
1391 each with their own SSL certificate and/or options.
1392
1393 Options:
1394
1395 accel Accelerator mode. Also needs at least one of
1396 defaultsite or vhost.
1397
1398 defaultsite= The name of the https site presented on
1399 this port. Implies accel.
1400
1401 vhost Accelerator mode using Host header for virtual
1402 domain support. Requires a wildcard certificate
1403 or other certificate valid for more than one domain.
1404 Implies accel.
1405
1406 protocol= Protocol to reconstruct accelerated requests with.
1407 Defaults to https.
1408
1409 cert= Path to SSL certificate (PEM format).
1410
1411 key= Path to SSL private key file (PEM format)
1412 if not specified, the certificate file is
1413 assumed to be a combined certificate and
1414 key file.
1415
1416 version= The version of SSL/TLS supported
1417 1 automatic (default)
1418 2 SSLv2 only
1419 3 SSLv3 only
1420 4 TLSv1 only
1421
1422 cipher= Colon separated list of supported ciphers.
1423
1424 options= Various SSL engine options. The most important
1425 being:
1426 NO_SSLv2 Disallow the use of SSLv2
1427 NO_SSLv3 Disallow the use of SSLv3
1428 NO_TLSv1 Disallow the use of TLSv1
1429 SINGLE_DH_USE Always create a new key when using
1430 temporary/ephemeral DH key exchanges
1431 See src/ssl_support.c or OpenSSL SSL_CTX_set_options
1432 documentation for a complete list of options.
1433
1434 clientca= File containing the list of CAs to use when
1435 requesting a client certificate.
1436
1437 cafile= File containing additional CA certificates to
1438 use when verifying client certificates. If unset
1439 clientca will be used.
1440
1441 capath= Directory containing additional CA certificates
1442 and CRL lists to use when verifying client certificates.
1443
1444 crlfile= File of additional CRL lists to use when verifying
1445 the client certificate, in addition to CRLs stored in
1446 the capath. Implies VERIFY_CRL flag below.
1447
1448 dhparams= File containing DH parameters for temporary/ephemeral
1449 DH key exchanges.
1450
1451 sslflags= Various flags modifying the use of SSL:
1452 DELAYED_AUTH
1453 Don't request client certificates
1454 immediately, but wait until acl processing
1455 requires a certificate (not yet implemented).
1456 NO_DEFAULT_CA
1457 Don't use the default CA lists built in
1458 to OpenSSL.
1459 NO_SESSION_REUSE
1460 Don't allow for session reuse. Each connection
1461 will result in a new SSL session.
1462 VERIFY_CRL
1463 Verify CRL lists when accepting client
1464 certificates.
1465 VERIFY_CRL_ALL
1466 Verify CRL lists for all certificates in the
1467 client certificate chain.
1468
1469 sslcontext= SSL session ID context identifier.
1470
1471 vport Accelerator with IP based virtual host support.
1472
1473 vport=NN As above, but uses specified port number rather
1474 than the https_port number. Implies accel.
1475
81b6e9a7 1476 name= Specifies a internal name for the port. Defaults to
1477 the port specification (port or addr:port)
1478
5b0f5383 1479DOC_END
1480
41bd17a4 1481NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
1482TYPE: acl_tos
5473c134 1483DEFAULT: none
41bd17a4 1484LOC: Config.accessList.outgoing_tos
5473c134 1485DOC_START
41bd17a4 1486 Allows you to select a TOS/Diffserv value to mark outgoing
1487 connections with, based on the username or source address
1488 making the request.
5473c134 1489
41bd17a4 1490 tcp_outgoing_tos ds-field [!]aclname ...
cccac0a2 1491
41bd17a4 1492 Example where normal_service_net uses the TOS value 0x00
7def7206 1493 and good_service_net uses 0x20
cccac0a2 1494
41bd17a4 1495 acl normal_service_net src 10.0.0.0/255.255.255.0
1496 acl good_service_net src 10.0.1.0/255.255.255.0
2c73de90 1497 tcp_outgoing_tos 0x00 normal_service_net
41bd17a4 1498 tcp_outgoing_tos 0x20 good_service_net
fa38076e 1499
41bd17a4 1500 TOS/DSCP values really only have local significance - so you should
575cb927
AJ		 1501 know what you're specifying. For more information, see RFC2474,
1502 RFC2475, and RFC3260.
cccac0a2 1503
41bd17a4 1504 The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
1505 "default" to use whatever default your host has. Note that in
1506 practice often only values 0 - 63 is usable as the two highest bits
1507 have been redefined for use by ECN (RFC3168).
cccac0a2 1508
41bd17a4 1509 Processing proceeds in the order specified, and stops at first fully
1510 matching line.
cccac0a2 1511
41bd17a4 1512 Note: The use of this directive using client dependent ACLs is
1513 incompatible with the use of server side persistent connections. To
1514 ensure correct results it is best to set server_persisten_connections
1515 to off when using this directive in such configurations.
cccac0a2 1516DOC_END
1517
41bd17a4 1518NAME: clientside_tos
1519TYPE: acl_tos
cccac0a2 1520DEFAULT: none
41bd17a4 1521LOC: Config.accessList.clientside_tos
cccac0a2 1522DOC_START
41bd17a4 1523 Allows you to select a TOS/Diffserv value to mark client-side
1524 connections with, based on the username or source address
1525 making the request.
1526DOC_END
cccac0a2 1527
575cb927
AJ		 1528NAME: qos_flows
1529TYPE: QosConfig
7172612f 1530IFDEF: USE_ZPH_QOS
575cb927 1531DEFAULT: none
b7ac5457 1532LOC: Ip::Qos::TheConfig
7172612f 1533DOC_START
575cb927
AJ		 1534 Allows you to select a TOS/DSCP value to mark outgoing
1535 connections with, based on where the reply was sourced.
7172612f 1536
575cb927
AJ		 1537 TOS values really only have local significance - so you should
1538 know what you're specifying. For more information, see RFC2474,
1539 RFC2475, and RFC3260.
7172612f 1540
575cb927
AJ		 1541 The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF.
1542 Note that in practice often only values up to 0x3F are usable
1543 as the two highest bits have been redefined for use by ECN
1544 (RFC3168).
7172612f 1545
575cb927
AJ		 1546 This setting is configured by setting the source TOS values:
1547
1548 local-hit=0xFF Value to mark local cache hits.
1549
1550 sibling-hit=0xFF Value to mark hits from sibling peers.
1551
1552 parent-hit=0xFF Value to mark hits from parent peers.
1553
1554
2201bec6
AJ		 1555 NOTE: 'miss' preserve feature is only possible on Linux at this time.
1556
575cb927
AJ		 1557 For the following to work correctly, you will need to patch your
1558 linux kernel with the TOS preserving ZPH patch.
1559 The kernel patch can be downloaded from http://zph.bratcheda.org
1560
575cb927 1561 disable-preserve-miss
1754d37e
AJ		 1562 By default, the existing TOS value of the response coming
1563 from the remote server will be retained and masked with
1564 miss-mark. This option disables that feature.
575cb927
AJ		 1565
1566 miss-mask=0xFF
1567 Allows you to mask certain bits in the TOS received from the
1568 remote server, before copying the value to the TOS sent
1569 towards clients.
1570 Default: 0xFF (TOS from server is not changed).
7172612f 1571
7172612f
AJ		 1572DOC_END
1573
41bd17a4 1574NAME: tcp_outgoing_address
1575TYPE: acl_address
1576DEFAULT: none
1577LOC: Config.accessList.outgoing_address
1578DOC_START
1579 Allows you to map requests to different outgoing IP addresses
1580 based on the username or source address of the user making
1581 the request.
7f7db318 1582
41bd17a4 1583 tcp_outgoing_address ipaddr [[!]aclname] ...
c33aa074 1584
41bd17a4 1585 Example where requests from 10.0.0.0/24 will be forwarded
1586 with source address 10.1.0.1, 10.0.2.0/24 forwarded with
1587 source address 10.1.0.2 and the rest will be forwarded with
1588 source address 10.1.0.3.
9197cd13 1589
17148b2f 1590 acl normal_service_net src 10.0.0.0/24
1591 acl good_service_net src 10.0.2.0/24
1592 tcp_outgoing_address 10.1.0.1 normal_service_net
1593 tcp_outgoing_address 10.1.0.2 good_service_net
1594 tcp_outgoing_address 10.1.0.3
9197cd13 1595
41bd17a4 1596 Processing proceeds in the order specified, and stops at first fully
1597 matching line.
cccac0a2 1598
41bd17a4 1599 Note: The use of this directive using client dependent ACLs is
1600 incompatible with the use of server side persistent connections. To
1601 ensure correct results it is best to set server_persistent_connections
1602 to off when using this directive in such configurations.
cc192b50 1603
4ed968be
AJ		 1604 Note: The use of this directive to set a local IP on outgoing TCP links
1605 is incompatible with using TPROXY to set client IP out outbound TCP links.
1606 When needing to contact peers use the no-tproxy cache_peer option to
1607 re-enable normal forwarding such as this.
cc192b50 1608
1609 IPv6 Magic:
1610
b3567eb5
FC		 1611 Squid is built with a capability of bridging the IPv4 and IPv6
1612 internets.
cc192b50 1613 tcp_outgoing_address as exampled above breaks this bridging by forcing
1614 all outbound traffic through a certain IPv4 which may be on the wrong
1615 side of the IPv4/IPv6 boundary.
1616
1617 To operate with tcp_outgoing_address and keep the bridging benefits
1618 an additional ACL needs to be used which ensures the IPv6-bound traffic
1619 is never forced or permitted out the IPv4 interface.
1620
1621 acl to_ipv6 dst ipv6
1622 tcp_outgoing_address 2002::c001 good_service_net to_ipv6
17148b2f 1623 tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
cc192b50 1624
1625 tcp_outgoing_address 2002::beef normal_service_net to_ipv6
17148b2f 1626 tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
cc192b50 1627
1628 tcp_outgoing_address 2002::1 to_ipv6
17148b2f 1629 tcp_outgoing_address 10.1.0.3 !to_ipv6
6db78a1a
AJ		 1630
1631 WARNING:
1632 'dst ipv6' bases its selection assuming DIRECT access.
1633 If peers are used the peername ACL are needed to select outgoing
1634 address which can link to the peer.
1635
6b185b50
AJ		 1636 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used
1637 previously in the http_access rules to locate the destination IP.
1638 Some more magic may be needed for that:
1639 http_access allow to_ipv6 !all
1640 (meaning, allow if to IPv6 but not from anywhere ;)
1641
cccac0a2 1642DOC_END
1643
41bd17a4 1644COMMENT_START
1645 SSL OPTIONS
1646 -----------------------------------------------------------------------------
1647COMMENT_END
1648
1649NAME: ssl_unclean_shutdown
1650IFDEF: USE_SSL
cccac0a2 1651TYPE: onoff
1652DEFAULT: off
41bd17a4 1653LOC: Config.SSL.unclean_shutdown
cccac0a2 1654DOC_START
41bd17a4 1655 Some browsers (especially MSIE) bugs out on SSL shutdown
1656 messages.
cccac0a2 1657DOC_END
1658
41bd17a4 1659NAME: ssl_engine
1660IFDEF: USE_SSL
cccac0a2 1661TYPE: string
41bd17a4 1662LOC: Config.SSL.ssl_engine
1663DEFAULT: none
cccac0a2 1664DOC_START
41bd17a4 1665 The OpenSSL engine to use. You will need to set this if you
1666 would like to use hardware SSL acceleration for example.
cccac0a2 1667DOC_END
1668
41bd17a4 1669NAME: sslproxy_client_certificate
1670IFDEF: USE_SSL
cccac0a2 1671DEFAULT: none
41bd17a4 1672LOC: Config.ssl_client.cert
1673TYPE: string
cccac0a2 1674DOC_START
41bd17a4 1675 Client SSL Certificate to use when proxying https:// URLs
cccac0a2 1676DOC_END
1677
41bd17a4 1678NAME: sslproxy_client_key
1679IFDEF: USE_SSL
cccac0a2 1680DEFAULT: none
41bd17a4 1681LOC: Config.ssl_client.key
1682TYPE: string
cccac0a2 1683DOC_START
41bd17a4 1684 Client SSL Key to use when proxying https:// URLs
cccac0a2 1685DOC_END
1686
41bd17a4 1687NAME: sslproxy_version
1688IFDEF: USE_SSL
1689DEFAULT: 1
1690LOC: Config.ssl_client.version
1691TYPE: int
cccac0a2 1692DOC_START
41bd17a4 1693 SSL version level to use when proxying https:// URLs
cccac0a2 1694DOC_END
1695
41bd17a4 1696NAME: sslproxy_options
1697IFDEF: USE_SSL
1698DEFAULT: none
1699LOC: Config.ssl_client.options
1700TYPE: string
cccac0a2 1701DOC_START
41bd17a4 1702 SSL engine options to use when proxying https:// URLs
ab202e4c
AJ		 1703
1704 The most important being:
1705
1706 NO_SSLv2 Disallow the use of SSLv2
1707 NO_SSLv3 Disallow the use of SSLv3
1708 NO_TLSv1 Disallow the use of TLSv1
1709 SINGLE_DH_USE
1710 Always create a new key when using
1711 temporary/ephemeral DH key exchanges
1712
1713 These options vary depending on your SSL engine.
1714 See the OpenSSL SSL_CTX_set_options documentation for a
1715 complete list of possible options.
cccac0a2 1716DOC_END
1717
41bd17a4 1718NAME: sslproxy_cipher
1719IFDEF: USE_SSL
1720DEFAULT: none
1721LOC: Config.ssl_client.cipher
1722TYPE: string
cccac0a2 1723DOC_START
41bd17a4 1724 SSL cipher list to use when proxying https:// URLs
ab202e4c
AJ		 1725
1726 Colon separated list of supported ciphers.
cccac0a2 1727DOC_END
1728
41bd17a4 1729NAME: sslproxy_cafile
1730IFDEF: USE_SSL
1731DEFAULT: none
1732LOC: Config.ssl_client.cafile
1733TYPE: string
cccac0a2 1734DOC_START
41bd17a4 1735 file containing CA certificates to use when verifying server
1736 certificates while proxying https:// URLs
cccac0a2 1737DOC_END
0976f8db 1738
41bd17a4 1739NAME: sslproxy_capath
1740IFDEF: USE_SSL
5473c134 1741DEFAULT: none
41bd17a4 1742LOC: Config.ssl_client.capath
1743TYPE: string
5473c134 1744DOC_START
41bd17a4 1745 directory containing CA certificates to use when verifying
1746 server certificates while proxying https:// URLs
5473c134 1747DOC_END
1748
4c9da963 1749NAME: ssl_bump
1750IFDEF: USE_SSL
1751TYPE: acl_access
1752LOC: Config.accessList.ssl_bump
1753DEFAULT: none
1754DOC_START
1755 This ACL controls which CONNECT requests to an http_port
1756 marked with an sslBump flag are actually "bumped". Please
1757 see the sslBump flag of an http_port option for more details
1758 about decoding proxied SSL connections.
1759
1760 By default, no requests are bumped.
1761
1762 See also: http_port sslBump
1763
b3567eb5
FC		 1764 This clause only supports fast acl types.
1765 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
e0855596
AJ		 1766
1767
1768 # Example: Bump all requests except those originating from localhost and
1769 # those going to webax.com or example.com sites.
1770
1771 acl localhost src 127.0.0.1/32
1772 acl broken_sites dstdomain .webax.com
1773 acl broken_sites dstdomain .example.com
1774 ssl_bump deny localhost
1775 ssl_bump deny broken_sites
1776 ssl_bump allow all
4c9da963 1777DOC_END
1778
41bd17a4 1779NAME: sslproxy_flags
1780IFDEF: USE_SSL
1781DEFAULT: none
1782LOC: Config.ssl_client.flags
1783TYPE: string
5473c134 1784DOC_START
41bd17a4 1785 Various flags modifying the use of SSL while proxying https:// URLs:
4c9da963 1786 DONT_VERIFY_PEER Accept certificates that fail verification.
1787 For refined control, see sslproxy_cert_error.
41bd17a4 1788 NO_DEFAULT_CA Don't use the default CA list built in
1789 to OpenSSL.
5473c134 1790DOC_END
1791
4c9da963 1792
1793NAME: sslproxy_cert_error
1794IFDEF: USE_SSL
1795DEFAULT: none
1796LOC: Config.ssl_client.cert_error
1797TYPE: acl_access
1798DOC_START
1799 Use this ACL to bypass server certificate validation errors.
1800
1801 For example, the following lines will bypass all validation errors
1802 when talking to servers located at 172.16.0.0/16. All other
1803 validation errors will result in ERR_SECURE_CONNECT_FAIL error.
1804
1805 acl BrokenServersAtTrustedIP dst 172.16.0.0/16
1806 sslproxy_cert_error allow BrokenServersAtTrustedIP
1807 sslproxy_cert_error deny all
1808
b3567eb5
FC		 1809 This clause only supports fast acl types.
1810 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1811 Using slow acl types may result in server crashes
4c9da963 1812
1813 Without this option, all server certificate validation errors
1814 terminate the transaction. Bypassing validation errors is dangerous
1815 because an error usually implies that the server cannot be trusted and
1816 the connection may be insecure.
1817
1818 See also: sslproxy_flags and DONT_VERIFY_PEER.
1819
e0855596 1820 Default setting: sslproxy_cert_error deny all
4c9da963 1821DOC_END
1822
1823
1824
41bd17a4 1825NAME: sslpassword_program
1826IFDEF: USE_SSL
1827DEFAULT: none
1828LOC: Config.Program.ssl_password
1829TYPE: string
5473c134 1830DOC_START
41bd17a4 1831 Specify a program used for entering SSL key passphrases
1832 when using encrypted SSL certificate keys. If not specified
1833 keys must either be unencrypted, or Squid started with the -N
1834 option to allow it to query interactively for the passphrase.
7acb9ddd
HN		 1835
1836 The key file name is given as argument to the program allowing
1837 selection of the right password if you have multiple encrypted
1838 keys.
5473c134 1839DOC_END
1840
cccac0a2 1841COMMENT_START
41bd17a4 1842 OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
cccac0a2 1843 -----------------------------------------------------------------------------
1844COMMENT_END
1845
41bd17a4 1846NAME: cache_peer
1847TYPE: peer
1848DEFAULT: none
1849LOC: Config.peers
cccac0a2 1850DOC_START
41bd17a4 1851 To specify other caches in a hierarchy, use the format:
2b94f655 1852
41bd17a4 1853 cache_peer hostname type http-port icp-port [options]
2b94f655 1854
41bd17a4 1855 For example,
2b94f655 1856
41bd17a4 1857 # proxy icp
1858 # hostname type port port options
1859 # -------------------- -------- ----- ----- -----------
2b94f655 1860 cache_peer parent.foo.net parent 3128 3130 default
41bd17a4 1861 cache_peer sib1.foo.net sibling 3128 3130 proxy-only
1862 cache_peer sib2.foo.net sibling 3128 3130 proxy-only
2b94f655
AJ		 1863 cache_peer example.com parent 80 0 no-query default
1864 cache_peer cdn.example.com sibling 3128 0
1865
1866 type: either 'parent', 'sibling', or 'multicast'.
1867
1868 proxy-port: The port number where the peer accept HTTP requests.
1869 For other Squid proxies this is usually 3128
1870 For web servers this is usually 80
1871
1872 icp-port: Used for querying neighbor caches about objects.
1873 Set to 0 if the peer does not support ICP or HTCP.
1874 See ICP and HTCP options below for additional details.
1875
1876
1877 ==== ICP OPTIONS ====
1878
1879 You MUST also set icp_port and icp_access explicitly when using these options.
1880 The defaults will prevent peer traffic using ICP.
1881
1882
1883 no-query Disable ICP queries to this neighbor.
1884
1885 multicast-responder
1886 Indicates the named peer is a member of a multicast group.
1887 ICP queries will not be sent directly to the peer, but ICP
1888 replies will be accepted from it.
1889
1890 closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
1891 CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
1892
1893 background-ping
1894 To only send ICP queries to this neighbor infrequently.
1895 This is used to keep the neighbor round trip time updated
1896 and is usually used in conjunction with weighted-round-robin.
1897
1898
1899 ==== HTCP OPTIONS ====
1900
1901 You MUST also set htcp_port and htcp_access explicitly when using these options.
1902 The defaults will prevent peer traffic using HTCP.
1903
1904
1905 htcp Send HTCP, instead of ICP, queries to the neighbor.
1906 You probably also want to set the "icp-port" to 4827
18191440
AJ		 1907 instead of 3130. This directive accepts a comma separated
1908 list of options described below.
2b94f655 1909
18191440 1910 htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier).
2b94f655 1911
18191440 1912 htcp=no-clr Send HTCP to the neighbor but without
2b94f655 1913 sending any CLR requests. This cannot be used with
18191440 1914 only-clr.
2b94f655 1915
18191440
AJ		 1916 htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests.
1917 This cannot be used with no-clr.
2b94f655 1918
18191440 1919 htcp=no-purge-clr
2b94f655
AJ		 1920 Send HTCP to the neighbor including CLRs but only when
1921 they do not result from PURGE requests.
1922
18191440 1923 htcp=forward-clr
2b94f655
AJ		 1924 Forward any HTCP CLR requests this proxy receives to the peer.
1925
1926
1927 ==== PEER SELECTION METHODS ====
1928
1929 The default peer selection method is ICP, with the first responding peer
1930 being used as source. These options can be used for better load balancing.
1931
1932
1933 default This is a parent cache which can be used as a "last-resort"
1934 if a peer cannot be located by any of the peer-selection methods.
1935 If specified more than once, only the first is used.
1936
1937 round-robin Load-Balance parents which should be used in a round-robin
1938 fashion in the absence of any ICP queries.
1939 weight=N can be used to add bias.
1940
1941 weighted-round-robin
1942 Load-Balance parents which should be used in a round-robin
1943 fashion with the frequency of each parent being based on the
1944 round trip time. Closer parents are used more often.
1945 Usually used for background-ping parents.
1946 weight=N can be used to add bias.
1947
1948 carp Load-Balance parents which should be used as a CARP array.
1949 The requests will be distributed among the parents based on the
1950 CARP load balancing hash function based on their weight.
1951
1952 userhash Load-balance parents based on the client proxy_auth or ident username.
1953
1954 sourcehash Load-balance parents based on the client source IP.
8a368316
AJ		 1955
1956 multicast-siblings
1957 To be used only for cache peers of type "multicast".
1958 ALL members of this multicast group have "sibling"
1959 relationship with it, not "parent". This is to a mulicast
1960 group when the requested object would be fetched only from
1961 a "parent" cache, anyway. It's useful, e.g., when
1962 configuring a pool of redundant Squid proxies, being
1963 members of the same multicast group.
2b94f655
AJ		 1964
1965
1966 ==== PEER SELECTION OPTIONS ====
1967
1968 weight=N use to affect the selection of a peer during any weighted
1969 peer-selection mechanisms.
1970 The weight must be an integer; default is 1,
1971 larger weights are favored more.
1972 This option does not affect parent selection if a peering
1973 protocol is not in use.
1974
1975 basetime=N Specify a base amount to be subtracted from round trip
1976 times of parents.
1977 It is subtracted before division by weight in calculating
1978 which parent to fectch from. If the rtt is less than the
1979 base time the rtt is set to a minimal value.
1980
1981 ttl=N Specify a IP multicast TTL to use when sending an ICP
1982 queries to this address.
1983 Only useful when sending to a multicast group.
1984 Because we don't accept ICP replies from random
1985 hosts, you must configure other group members as
1986 peers with the 'multicast-responder' option.
1987
1988 no-delay To prevent access to this neighbor from influencing the
1989 delay pools.
1990
1991 digest-url=URL Tell Squid to fetch the cache digest (if digests are
1992 enabled) for this host from the specified URL rather
1993 than the Squid default location.
1994
1995
1996 ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
1997
1998 originserver Causes this parent to be contacted as an origin server.
1999 Meant to be used in accelerator setups when the peer
2000 is a web server.
2001
2002 forceddomain=name
2003 Set the Host header of requests forwarded to this peer.
2004 Useful in accelerator setups where the server (peer)
2005 expects a certain domain name but clients may request
2006 others. ie example.com or www.example.com
2007
2008 no-digest Disable request of cache digests.
2009
2010 no-netdb-exchange
2011 Disables requesting ICMP RTT database (NetDB).
2012
2013
2014 ==== AUTHENTICATION OPTIONS ====
2015
2016 login=user:password
2017 If this is a personal/workgroup proxy and your parent
2018 requires proxy authentication.
2019
2020 Note: The string can include URL escapes (i.e. %20 for
2021 spaces). This also means % must be written as %%.
2022
11e4c5e5
AJ		 2023 login=PASSTHRU
2024 Send login details received from client to this peer.
2025 Both Proxy- and WWW-Authorization headers are passed
2026 without alteration to the peer.
2027 Authentication is not required by Squid for this to work.
2028
2029 Note: This will pass any form of authentication but
2030 only Basic auth will work through a proxy unless the
2031 connection-auth options are also used.
ee0b94f4 2032
2b94f655
AJ		 2033 login=PASS Send login details received from client to this peer.
2034 Authentication is not required by this option.
11e4c5e5 2035
2b94f655
AJ		 2036 If there are no client-provided authentication headers
2037 to pass on, but username and password are available
ee0b94f4
HN		 2038 from an external ACL user= and password= result tags
2039 they may be sent instead.
2b94f655
AJ		 2040
2041 Note: To combine this with proxy_auth both proxies must
2042 share the same user database as HTTP only allows for
2043 a single login (one for proxy, one for origin server).
2044 Also be warned this will expose your users proxy
2045 password to the peer. USE WITH CAUTION
2046
2047 login=*:password
2048 Send the username to the upstream cache, but with a
2049 fixed password. This is meant to be used when the peer
2050 is in another administrative domain, but it is still
2051 needed to identify each user.
2052 The star can optionally be followed by some extra
2053 information which is added to the username. This can
2054 be used to identify this proxy to the peer, similar to
2055 the login=username:password option above.
2056
9ca29d23
AJ		 2057 login=NEGOTIATE
2058 If this is a personal/workgroup proxy and your parent
2059 requires a secure proxy authentication.
2060 The first principal from the default keytab or defined by
2061 the environment variable KRB5_KTNAME will be used.
2062
2063 login=NEGOTIATE:principal_name
2064 If this is a personal/workgroup proxy and your parent
2065 requires a secure proxy authentication.
2066 The principal principal_name from the default keytab or
2067 defined by the environment variable KRB5_KTNAME will be
2068 used.
2069
2b94f655
AJ		 2070 connection-auth=on|off
2071 Tell Squid that this peer does or not support Microsoft
2072 connection oriented authentication, and any such
2073 challenges received from there should be ignored.
2074 Default is auto to automatically determine the status
2075 of the peer.
2076
2077
2078 ==== SSL / HTTPS / TLS OPTIONS ====
2079
2080 ssl Encrypt connections to this peer with SSL/TLS.
2081
2082 sslcert=/path/to/ssl/certificate
2083 A client SSL certificate to use when connecting to
2084 this peer.
2085
2086 sslkey=/path/to/ssl/key
2087 The private SSL key corresponding to sslcert above.
2088 If 'sslkey' is not specified 'sslcert' is assumed to
2089 reference a combined file containing both the
2090 certificate and the key.
2091
2092 sslversion=1|2|3|4
2093 The SSL version to use when connecting to this peer
2094 1 = automatic (default)
2095 2 = SSL v2 only
2096 3 = SSL v3 only
2097 4 = TLS v1 only
2098
2099 sslcipher=... The list of valid SSL ciphers to use when connecting
2100 to this peer.
2101
2102 ssloptions=... Specify various SSL engine options:
2103 NO_SSLv2 Disallow the use of SSLv2
2104 NO_SSLv3 Disallow the use of SSLv3
2105 NO_TLSv1 Disallow the use of TLSv1
2106 See src/ssl_support.c or the OpenSSL documentation for
2107 a more complete list.
2108
2109 sslcafile=... A file containing additional CA certificates to use
2110 when verifying the peer certificate.
2111
2112 sslcapath=... A directory containing additional CA certificates to
2113 use when verifying the peer certificate.
2114
2115 sslcrlfile=... A certificate revocation list file to use when
2116 verifying the peer certificate.
2117
2118 sslflags=... Specify various flags modifying the SSL implementation:
2119
41bd17a4 2120 DONT_VERIFY_PEER
2121 Accept certificates even if they fail to
2122 verify.
2123 NO_DEFAULT_CA
2124 Don't use the default CA list built in
2125 to OpenSSL.
2126 DONT_VERIFY_DOMAIN
2127 Don't verify the peer certificate
2128 matches the server name
2b94f655
AJ		 2129
2130 ssldomain= The peer name as advertised in it's certificate.
2131 Used for verifying the correctness of the received peer
2132 certificate. If not specified the peer hostname will be
2133 used.
2134
2135 front-end-https
2136 Enable the "Front-End-Https: On" header needed when
2137 using Squid as a SSL frontend in front of Microsoft OWA.
2138 See MS KB document Q307347 for details on this header.
2139 If set to auto the header will only be added if the
2140 request is forwarded as a https:// URL.
2141
2142
2143 ==== GENERAL OPTIONS ====
2144
2145 connect-timeout=N
2146 A peer-specific connect timeout.
2147 Also see the peer_connect_timeout directive.
2148
2149 connect-fail-limit=N
2150 How many times connecting to a peer must fail before
2151 it is marked as down. Default is 10.
2152
2153 allow-miss Disable Squid's use of only-if-cached when forwarding
2154 requests to siblings. This is primarily useful when
2155 icp_hit_stale is used by the sibling. To extensive use
2156 of this option may result in forwarding loops, and you
2157 should avoid having two-way peerings with this option.
2158 For example to deny peer usage on requests from peer
2159 by denying cache_peer_access if the source is a peer.
2160
2161 max-conn=N Limit the amount of connections Squid may open to this
2162 peer. see also
2163
2164 name=xxx Unique name for the peer.
2165 Required if you have multiple peers on the same host
2166 but different ports.
2167 This name can be used in cache_peer_access and similar
2168 directives to dentify the peer.
2169 Can be used by outgoing access controls through the
2170 peername ACL type.
2171
b0758e04
AJ		 2172 no-tproxy Do not use the client-spoof TPROXY support when forwarding
2173 requests to this peer. Use normal address selection instead.
2174
2b94f655
AJ		 2175 proxy-only objects fetched from the peer will not be stored locally.
2176
41bd17a4 2177DOC_END
cccac0a2 2178
41bd17a4 2179NAME: cache_peer_domain cache_host_domain
2180TYPE: hostdomain
2181DEFAULT: none
2182LOC: none
2183DOC_START
2184 Use to limit the domains for which a neighbor cache will be
2185 queried. Usage:
cccac0a2 2186
41bd17a4 2187 cache_peer_domain cache-host domain [domain ...]
2188 cache_peer_domain cache-host !domain
cccac0a2 2189
41bd17a4 2190 For example, specifying
cccac0a2 2191
41bd17a4 2192 cache_peer_domain parent.foo.net .edu
cccac0a2 2193
41bd17a4 2194 has the effect such that UDP query packets are sent to
2195 'bigserver' only when the requested object exists on a
2196 server in the .edu domain. Prefixing the domainname
2197 with '!' means the cache will be queried for objects
2198 NOT in that domain.
cccac0a2 2199
41bd17a4 2200 NOTE: * Any number of domains may be given for a cache-host,
2201 either on the same or separate lines.
2202 * When multiple domains are given for a particular
2203 cache-host, the first matched domain is applied.
2204 * Cache hosts with no domain restrictions are queried
2205 for all requests.
2206 * There are no defaults.
2207 * There is also a 'cache_peer_access' tag in the ACL
2208 section.
2209DOC_END
dd9b1776 2210
41bd17a4 2211NAME: cache_peer_access
2212TYPE: peer_access
2213DEFAULT: none
2214LOC: none
2215DOC_START
2216 Similar to 'cache_peer_domain' but provides more flexibility by
2217 using ACL elements.
cccac0a2 2218
41bd17a4 2219 cache_peer_access cache-host allow|deny [!]aclname ...
dd9b1776 2220
41bd17a4 2221 The syntax is identical to 'http_access' and the other lists of
2222 ACL elements. See the comments for 'http_access' below, or
e314b7b9 2223 the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
41bd17a4 2224DOC_END
dd9b1776 2225
41bd17a4 2226NAME: neighbor_type_domain
2227TYPE: hostdomaintype
2228DEFAULT: none
2229LOC: none
2230DOC_START
2231 usage: neighbor_type_domain neighbor parent|sibling domain domain ...
cccac0a2 2232
41bd17a4 2233 Modifying the neighbor type for specific domains is now
11e3fa1c 2234 possible. You can treat some domains differently than the
41bd17a4 2235 default neighbor type specified on the 'cache_peer' line.
2236 Normally it should only be necessary to list domains which
2237 should be treated differently because the default neighbor type
2238 applies for hostnames which do not match domains listed here.
6bf4f823 2239
41bd17a4 2240EXAMPLE:
dbe3992d 2241 cache_peer cache.foo.org parent 3128 3130
41bd17a4 2242 neighbor_type_domain cache.foo.org sibling .com .net
2243 neighbor_type_domain cache.foo.org sibling .au .de
2244DOC_END
6bf4f823 2245
41bd17a4 2246NAME: dead_peer_timeout
2247COMMENT: (seconds)
2248DEFAULT: 10 seconds
2249TYPE: time_t
2250LOC: Config.Timeout.deadPeer
2251DOC_START
2252 This controls how long Squid waits to declare a peer cache
2253 as "dead." If there are no ICP replies received in this
2254 amount of time, Squid will declare the peer dead and not
2255 expect to receive any further ICP replies. However, it
2256 continues to send ICP queries, and will mark the peer as
2257 alive upon receipt of the first subsequent ICP reply.
699acd19 2258
41bd17a4 2259 This timeout also affects when Squid expects to receive ICP
2260 replies from peers. If more than 'dead_peer' seconds have
2261 passed since the last ICP reply was received, Squid will not
2262 expect to receive an ICP reply on the next query. Thus, if
2263 your time between requests is greater than this timeout, you
2264 will see a lot of requests sent DIRECT to origin servers
2265 instead of to your parents.
2266DOC_END
cccac0a2 2267
437823b4
AJ		 2268NAME: forward_max_tries
2269DEFAULT: 10
2270TYPE: int
2271LOC: Config.forward_max_tries
2272DOC_START
2273 Controls how many different forward paths Squid will try
2274 before giving up. See also forward_timeout.
2275DOC_END
2276
41bd17a4 2277NAME: hierarchy_stoplist
2278TYPE: wordlist
2279DEFAULT: none
2280LOC: Config.hierarchy_stoplist
2281DOC_START
2282 A list of words which, if found in a URL, cause the object to
2283 be handled directly by this cache. In other words, use this
2284 to not query neighbor caches for certain objects. You may
2285 list this option multiple times.
2286 Note: never_direct overrides this option.
cccac0a2 2287NOCOMMENT_START
e0855596
AJ		 2288
2289# We recommend you to use at least the following line.
41bd17a4 2290hierarchy_stoplist cgi-bin ?
6b698a21 2291NOCOMMENT_END
2292DOC_END
0976f8db 2293
41bd17a4 2294COMMENT_START
2295 MEMORY CACHE OPTIONS
2296 -----------------------------------------------------------------------------
2297COMMENT_END
2298
2299NAME: cache_mem
2300COMMENT: (bytes)
2301TYPE: b_size_t
df2eec10 2302DEFAULT: 256 MB
41bd17a4 2303LOC: Config.memMaxSize
6b698a21 2304DOC_START
41bd17a4 2305 NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
2306 IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
2307 USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
2308 THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
2309
2310 'cache_mem' specifies the ideal amount of memory to be used
2311 for:
2312 * In-Transit objects
2313 * Hot Objects
2314 * Negative-Cached objects
2315
2316 Data for these objects are stored in 4 KB blocks. This
2317 parameter specifies the ideal upper limit on the total size of
2318 4 KB blocks allocated. In-Transit objects take the highest
2319 priority.
2320
2321 In-transit objects have priority over the others. When
2322 additional space is needed for incoming data, negative-cached
2323 and hot objects will be released. In other words, the
2324 negative-cached and hot objects will fill up any unused space
2325 not needed for in-transit objects.
2326
2327 If circumstances require, this limit will be exceeded.
2328 Specifically, if your incoming request rate requires more than
2329 'cache_mem' of memory to hold in-transit objects, Squid will
2330 exceed this limit to satisfy the new requests. When the load
2331 decreases, blocks will be freed until the high-water mark is
2332 reached. Thereafter, blocks will be used to store hot
2333 objects.
6b698a21 2334DOC_END
0976f8db 2335
41bd17a4 2336NAME: maximum_object_size_in_memory
2337COMMENT: (bytes)
2338TYPE: b_size_t
df2eec10 2339DEFAULT: 512 KB
41bd17a4 2340LOC: Config.Store.maxInMemObjSize
6b698a21 2341DOC_START
41bd17a4 2342 Objects greater than this size will not be attempted to kept in
2343 the memory cache. This should be set high enough to keep objects
2344 accessed frequently in memory to improve performance whilst low
2345 enough to keep larger objects from hoarding cache_mem.
6b698a21 2346DOC_END
0976f8db 2347
ea21d497
HN		 2348NAME: memory_cache_mode
2349TYPE: memcachemode
2350LOC: Config
2351DEFAULT: always
ff4b33f4 2352DOC_START
ea21d497 2353 Controls which objects to keep in the memory cache (cache_mem)
ff4b33f4 2354
ea21d497
HN		 2355 always Keep most recently fetched objects in memory (default)
2356
2357 disk Only disk cache hits are kept in memory, which means
2358 an object must first be cached on disk and then hit
2359 a second time before cached in memory.
2360
2361 network Only objects fetched from network is kept in memory
ff4b33f4
HN		 2362DOC_END
2363
41bd17a4 2364NAME: memory_replacement_policy
2365TYPE: removalpolicy
2366LOC: Config.memPolicy
2367DEFAULT: lru
6b698a21 2368DOC_START
41bd17a4 2369 The memory replacement policy parameter determines which
2370 objects are purged from memory when memory space is needed.
7f7db318 2371
41bd17a4 2372 See cache_replacement_policy for details.
2373DOC_END
6b698a21 2374
41bd17a4 2375COMMENT_START
2376 DISK CACHE OPTIONS
2377 -----------------------------------------------------------------------------
2378COMMENT_END
6b698a21 2379
41bd17a4 2380NAME: cache_replacement_policy
2381TYPE: removalpolicy
2382LOC: Config.replPolicy
2383DEFAULT: lru
2384DOC_START
2385 The cache replacement policy parameter determines which
2386 objects are evicted (replaced) when disk space is needed.
6b698a21 2387
41bd17a4 2388 lru : Squid's original list based LRU policy
2389 heap GDSF : Greedy-Dual Size Frequency
2390 heap LFUDA: Least Frequently Used with Dynamic Aging
2391 heap LRU : LRU policy implemented using a heap
6b698a21 2392
41bd17a4 2393 Applies to any cache_dir lines listed below this.
7f7db318 2394
41bd17a4 2395 The LRU policies keeps recently referenced objects.
0976f8db 2396
41bd17a4 2397 The heap GDSF policy optimizes object hit rate by keeping smaller
2398 popular objects in cache so it has a better chance of getting a
2399 hit. It achieves a lower byte hit rate than LFUDA though since
2400 it evicts larger (possibly popular) objects.
0976f8db 2401
41bd17a4 2402 The heap LFUDA policy keeps popular objects in cache regardless of
2403 their size and thus optimizes byte hit rate at the expense of
2404 hit rate since one large, popular object will prevent many
2405 smaller, slightly less popular objects from being cached.
0976f8db 2406
41bd17a4 2407 Both policies utilize a dynamic aging mechanism that prevents
2408 cache pollution that can otherwise occur with frequency-based
2409 replacement policies.
7d90757b 2410
41bd17a4 2411 NOTE: if using the LFUDA replacement policy you should increase
2412 the value of maximum_object_size above its default of 4096 KB to
2413 to maximize the potential byte hit rate improvement of LFUDA.
dc1af3cf 2414
41bd17a4 2415 For more information about the GDSF and LFUDA cache replacement
2416 policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
2417 and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
6b698a21 2418DOC_END
0976f8db 2419
41bd17a4 2420NAME: cache_dir
2421TYPE: cachedir
2422DEFAULT: none
41bd17a4 2423LOC: Config.cacheSwap
6b698a21 2424DOC_START
41bd17a4 2425 Usage:
0976f8db 2426
41bd17a4 2427 cache_dir Type Directory-Name Fs-specific-data [options]
0976f8db 2428
41bd17a4 2429 You can specify multiple cache_dir lines to spread the
2430 cache among different disk partitions.
0976f8db 2431
41bd17a4 2432 Type specifies the kind of storage system to use. Only "ufs"
2433 is built by default. To enable any of the other storage systems
2434 see the --enable-storeio configure option.
0976f8db 2435
41bd17a4 2436 'Directory' is a top-level directory where cache swap
2437 files will be stored. If you want to use an entire disk
2438 for caching, this can be the mount-point directory.
2439 The directory must exist and be writable by the Squid
2440 process. Squid will NOT create this directory for you.
0976f8db 2441
41bd17a4 2442 The ufs store type:
0976f8db 2443
41bd17a4 2444 "ufs" is the old well-known Squid storage format that has always
2445 been there.
0976f8db 2446
41bd17a4 2447 cache_dir ufs Directory-Name Mbytes L1 L2 [options]
0976f8db 2448
41bd17a4 2449 'Mbytes' is the amount of disk space (MB) to use under this
2450 directory. The default is 100 MB. Change this to suit your
2451 configuration. Do NOT put the size of your disk drive here.
2452 Instead, if you want Squid to use the entire disk drive,
2453 subtract 20% and use that value.
0976f8db 2454
56fba4d0 2455 'L1' is the number of first-level subdirectories which
41bd17a4 2456 will be created under the 'Directory'. The default is 16.
0976f8db 2457
56fba4d0 2458 'L2' is the number of second-level subdirectories which
41bd17a4 2459 will be created under each first-level directory. The default
2460 is 256.
0976f8db 2461
41bd17a4 2462 The aufs store type:
7f7db318 2463
41bd17a4 2464 "aufs" uses the same storage format as "ufs", utilizing
2465 POSIX-threads to avoid blocking the main Squid process on
2466 disk-I/O. This was formerly known in Squid as async-io.
38f9c547 2467
41bd17a4 2468 cache_dir aufs Directory-Name Mbytes L1 L2 [options]
38f9c547 2469
41bd17a4 2470 see argument descriptions under ufs above
38f9c547 2471
41bd17a4 2472 The diskd store type:
38f9c547 2473
41bd17a4 2474 "diskd" uses the same storage format as "ufs", utilizing a
2475 separate process to avoid blocking the main Squid process on
2476 disk-I/O.
4c3ef9b2 2477
41bd17a4 2478 cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
0976f8db 2479
41bd17a4 2480 see argument descriptions under ufs above
0976f8db 2481
41bd17a4 2482 Q1 specifies the number of unacknowledged I/O requests when Squid
2483 stops opening new files. If this many messages are in the queues,
2484 Squid won't open new files. Default is 64
0976f8db 2485
41bd17a4 2486 Q2 specifies the number of unacknowledged messages when Squid
2487 starts blocking. If this many messages are in the queues,
2488 Squid blocks until it receives some replies. Default is 72
0976f8db 2489
41bd17a4 2490 When Q1 < Q2 (the default), the cache directory is optimized
2491 for lower response time at the expense of a decrease in hit
2492 ratio. If Q1 > Q2, the cache directory is optimized for
2493 higher hit ratio at the expense of an increase in response
2494 time.
0976f8db 2495
41bd17a4 2496 The coss store type:
0976f8db 2497
db263d62
AJ		 2498 NP: COSS filesystem in Squid-3 has been deemed too unstable for
2499 production use and has thus been removed from this release.
2500 We hope that it can be made usable again soon.
2501
41bd17a4 2502 block-size=n defines the "block size" for COSS cache_dir's.
2503 Squid uses file numbers as block numbers. Since file numbers
2504 are limited to 24 bits, the block size determines the maximum
2505 size of the COSS partition. The default is 512 bytes, which
2506 leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
2507 you should not change the coss block size after Squid
2508 has written some objects to the cache_dir.
0976f8db 2509
41bd17a4 2510 The coss file store has changed from 2.5. Now it uses a file
2511 called 'stripe' in the directory names in the config - and
2512 this will be created by squid -z.
0976f8db 2513
41bd17a4 2514 Common options:
0976f8db 2515
41bd17a4 2516 no-store, no new objects should be stored to this cache_dir
0976f8db 2517
41bd17a4 2518 max-size=n, refers to the max object size this storedir supports.
2519 It is used to initially choose the storedir to dump the object.
2520 Note: To make optimal use of the max-size limits you should order
2521 the cache_dir lines with the smallest max-size value first and the
2522 ones with no max-size specification last.
0976f8db 2523
41bd17a4 2524 Note for coss, max-size must be less than COSS_MEMBUF_SZ,
2525 which can be changed with the --with-coss-membuf-size=N configure
2526 option.
bebc043b 2527NOCOMMENT_START
e0855596
AJ		 2528
2529# Uncomment and adjust the following to add a disk cache directory.
2530#cache_dir ufs @DEFAULT_SWAP_DIR@ 100 16 256
bebc043b 2531NOCOMMENT_END
6b698a21 2532DOC_END
0976f8db 2533
41bd17a4 2534NAME: store_dir_select_algorithm
2535TYPE: string
2536LOC: Config.store_dir_select_algorithm
2537DEFAULT: least-load
6b698a21 2538DOC_START
41bd17a4 2539 Set this to 'round-robin' as an alternative.
6b698a21 2540DOC_END
0976f8db 2541
41bd17a4 2542NAME: max_open_disk_fds
2543TYPE: int
2544LOC: Config.max_open_disk_fds
2545DEFAULT: 0
6b698a21 2546DOC_START
41bd17a4 2547 To avoid having disk as the I/O bottleneck Squid can optionally
2548 bypass the on-disk cache if more than this amount of disk file
2549 descriptors are open.
2550
2551 A value of 0 indicates no limit.
6b698a21 2552DOC_END
0976f8db 2553
41bd17a4 2554NAME: minimum_object_size
6b698a21 2555COMMENT: (bytes)
47f6e231 2556TYPE: b_int64_t
6b698a21 2557DEFAULT: 0 KB
41bd17a4 2558LOC: Config.Store.minObjectSize
6b698a21 2559DOC_START
41bd17a4 2560 Objects smaller than this size will NOT be saved on disk. The
2561 value is specified in kilobytes, and the default is 0 KB, which
2562 means there is no minimum.
6b698a21 2563DOC_END
0976f8db 2564
41bd17a4 2565NAME: maximum_object_size
2566COMMENT: (bytes)
2567TYPE: b_int64_t
2568DEFAULT: 4096 KB
2569LOC: Config.Store.maxObjectSize
777831e0 2570DOC_START
41bd17a4 2571 Objects larger than this size will NOT be saved on disk. The
2572 value is specified in kilobytes, and the default is 4MB. If
2573 you wish to get a high BYTES hit ratio, you should probably
2574 increase this (one 32 MB object hit counts for 3200 10KB
2575 hits). If you wish to increase speed more than your want to
2576 save bandwidth you should leave this low.
777831e0 2577
41bd17a4 2578 NOTE: if using the LFUDA replacement policy you should increase
2579 this value to maximize the byte hit rate improvement of LFUDA!
2580 See replacement_policy below for a discussion of this policy.
6b698a21 2581DOC_END
0976f8db 2582
41bd17a4 2583NAME: cache_swap_low
2584COMMENT: (percent, 0-100)
5473c134 2585TYPE: int
41bd17a4 2586DEFAULT: 90
2587LOC: Config.Swap.lowWaterMark
2588DOC_NONE
2589
2590NAME: cache_swap_high
2591COMMENT: (percent, 0-100)
2592TYPE: int
2593DEFAULT: 95
2594LOC: Config.Swap.highWaterMark
6b698a21 2595DOC_START
41bd17a4 2596
2597 The low- and high-water marks for cache object replacement.
2598 Replacement begins when the swap (disk) usage is above the
2599 low-water mark and attempts to maintain utilization near the
2600 low-water mark. As swap utilization gets close to high-water
2601 mark object eviction becomes more aggressive. If utilization is
2602 close to the low-water mark less replacement is done each time.
2603
2604 Defaults are 90% and 95%. If you have a large cache, 5% could be
2605 hundreds of MB. If this is the case you may wish to set these
2606 numbers closer together.
6b698a21 2607DOC_END
0976f8db 2608
5473c134 2609COMMENT_START
41bd17a4 2610 LOGFILE OPTIONS
5473c134 2611 -----------------------------------------------------------------------------
2612COMMENT_END
0976f8db 2613
41bd17a4 2614NAME: logformat
2615TYPE: logformat
2616LOC: Config.Log.logformats
5473c134 2617DEFAULT: none
6b698a21 2618DOC_START
41bd17a4 2619 Usage:
0976f8db 2620
41bd17a4 2621 logformat <name> <format specification>
0976f8db 2622
41bd17a4 2623 Defines an access log format.
6b698a21 2624
41bd17a4 2625 The <format specification> is a string with embedded % format codes
5473c134 2626
41bd17a4 2627 % format codes all follow the same basic structure where all but
2628 the formatcode is optional. Output strings are automatically escaped
2629 as required according to their context and the output format
2630 modifiers are usually not needed, but can be specified if an explicit
2631 output format is desired.
6b698a21 2632
41bd17a4 2633 % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
0976f8db 2634
41bd17a4 2635 " output in quoted string format
2636 [ output in squid text log format as used by log_mime_hdrs
2637 # output in URL quoted format
2638 ' output as-is
5473c134 2639
41bd17a4 2640 - left aligned
2641 width field width. If starting with 0 the
2642 output is zero padded
2643 {arg} argument such as header name etc
5473c134 2644
41bd17a4 2645 Format codes:
5473c134 2646
3ff65596 2647 % a literal % character
41bd17a4 2648 >a Client source IP address
2649 >A Client FQDN
2650 >p Client source port
2651 <A Server IP address or peer name
2652 la Local IP address (http_port)
2653 lp Local port number (http_port)
152e24b3 2654 <lp Local port number of the last server or peer connection
17fde513 2655 sn Unique sequence number per log line entry
41bd17a4 2656 ts Seconds since epoch
2657 tu subsecond time (milliseconds)
2658 tl Local time. Optional strftime format argument
3ff65596 2659 default %d/%b/%Y:%H:%M:%S %z
41bd17a4 2660 tg GMT time. Optional strftime format argument
3ff65596 2661 default %d/%b/%Y:%H:%M:%S %z
41bd17a4 2662 tr Response time (milliseconds)
3ff65596
AR		 2663 dt Total time spent making DNS lookups (milliseconds)
2664
2665 HTTP cache related format codes:
2666
ca2e92d8 2667 [http::]>h Original request header. Optional header name argument
3ff65596 2668 on the format header[:[separator]element]
6fca33e0
CT		 2669 [http::]>ha The HTTP request headers after adaptation and redirection.
2670 Optional header name argument as for >h
3ff65596
AR		 2671 [http::]<h Reply header. Optional header name argument
2672 as for >h
2673 [http::]un User name
2674 [http::]ul User name from authentication
2675 [http::]ui User name from ident
2676 [http::]us User name from SSL
2677 [http::]ue User name from external acl helper
2678 [http::]>Hs HTTP status code sent to the client
2679 [http::]<Hs HTTP status code received from the next hop
bae917ac
CT		 2680 [http::]<bs Number of HTTP-equivalent message body bytes
2681 received from the next hop, excluding chunked
2682 transfer encoding and control messages.
2683 Generated FTP/Gopher listings are treated as
2684 received bodies.
3ff65596
AR		 2685 [http::]Ss Squid request status (TCP_MISS etc)
2686 [http::]Sh Squid hierarchy status (DEFAULT_PARENT etc)
2687 [http::]mt MIME content type
2688 [http::]rm Request method (GET/POST etc)
2689 [http::]ru Request URL
2690 [http::]rp Request URL-Path excluding hostname
2691 [http::]rv Request protocol version
2692 [http::]et Tag returned by external acl
2693 [http::]ea Log string returned by external acl
2694 [http::]<st Sent reply size including HTTP headers
2695 [http::]>st Received request size including HTTP headers. In the
2696 case of chunked requests the chunked encoding metadata
2697 are not included
2698 [http::]>sh Received HTTP request headers size
2699 [http::]<sh Sent HTTP reply headers size
2700 [http::]st Request+Reply size including HTTP headers
2701 [http::]<sH Reply high offset sent
2702 [http::]<sS Upstream object size
2703 [http::]<pt Peer response time in milliseconds. The timer starts
2704 when the last request byte is sent to the next hop
2705 and stops when the last response byte is received.
2706 [http::]<tt Total server-side time in milliseconds. The timer
2707 starts with the first connect request (or write I/O)
2708 sent to the first selected peer. The timer stops
2709 with the last I/O with the last peer.
2710
2711 If ICAP is enabled, the following two codes become available (as
2712 well as ICAP log codes documented with the icap_log option):
2713
2714 icap::tt Total ICAP processing time for the HTTP
2715 transaction. The timer ticks when ICAP
2716 ACLs are checked and when ICAP
2717 transaction is in progress.
2718
2719 icap::<last_h The header of the last ICAP response
2720 related to the HTTP transaction. Like
2721 <h, accepts an optional header name
2722 argument. Will not change semantics
2723 when multiple ICAP transactions per HTTP
2724 transaction are supported.
2725
2726 If adaptation is enabled the following two codes become available:
2727
2728 adapt::sum_trs Summed adaptation transaction response
2729 times recorded as a comma-separated list in
2730 the order of transaction start time. Each time
2731 value is recorded as an integer number,
2732 representing response time of one or more
2733 adaptation (ICAP or eCAP) transaction in
2734 milliseconds. When a failed transaction is
2735 being retried or repeated, its time is not
2736 logged individually but added to the
2737 replacement (next) transaction. See also:
2738 adapt::all_trs.
2739
2740 adapt::all_trs All adaptation transaction response times.
2741 Same as adaptation_strs but response times of
2742 individual transactions are never added
2743 together. Instead, all transaction response
2744 times are recorded individually.
2745
2746 You can prefix adapt::*_trs format codes with adaptation
2747 service name in curly braces to record response time(s) specific
2748 to that service. For example: %{my_service}adapt::sum_trs
5473c134 2749
7d9acc3c
AJ		 2750 The default formats available (which do not need re-defining) are:
2751
3ff65596
AR		 2752logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
2753logformat squidmime %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
2754logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
2755logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
5473c134 2756DOC_END
2757
41bd17a4 2758NAME: access_log cache_access_log
2759TYPE: access_log
2760LOC: Config.Log.accesslogs
02424612 2761DEFAULT: none
82b7abe3 2762DEFAULT_IF_NONE: daemon:@DEFAULT_ACCESS_LOG@ squid
5473c134 2763DOC_START
41bd17a4 2764 These files log client request activities. Has a line every HTTP or
2765 ICP request. The format is:
82b7abe3 2766 access_log <module>:<place> [<logformat name> [acl acl ...]]
41bd17a4 2767 access_log none [acl acl ...]]
82b7abe3
AJ		 2768
2769 Will log to the specified module:place using the specified format (which
41bd17a4 2770 must be defined in a logformat directive) those entries which match
2771 ALL the acl's specified (which must be defined in acl clauses).
82b7abe3
AJ		 2772 If no acl is specified, all requests will be logged to this destination.
2773
2774 ===== Modules Currently available =====
2775
2776 none Do not log any requests matchign these ACL.
2777 Do not specify Place or logformat name.
2778
2779 stdio Write each log line to disk immediately at the completion of
2780 each request.
2781 Place: the filename and path to be written.
2782
2783 daemon Very similar to stdio. But instead of writing to disk the log
2784 line is passed to a daemon helper for asychronous handling instead.
2785 Place: varies depending on the daemon.
2786
2787 log_file_daemon Place: the file name and path to be written.
2788
2789 syslog To log each request via syslog facility.
2790 Place: The syslog facility and priority level for these entries.
2791 Place Format: facility.priority
5473c134 2792
82b7abe3
AJ		 2793 where facility could be any of:
2794 authpriv, daemon, local0 ... local7 or user.
5473c134 2795
82b7abe3
AJ		 2796 And priority could be any of:
2797 err, warning, notice, info, debug.
2798
2799 udp To send each log line as text data to a UDP receiver.
2800 Place: The destination host name or IP and port.
2801 Place Format: \\host:port
df2eec10 2802
2bf4e8fa
AJ		 2803 tcp To send each log line as text data to a TCP receiver.
2804 Place: The destination host name or IP and port.
2805 Place Format: \\host:port
df2eec10
AJ		 2806
2807 Default:
82b7abe3 2808 access_log daemon:@DEFAULT_ACCESS_LOG@ squid
41bd17a4 2809DOC_END
5473c134 2810
3ff65596
AR		 2811NAME: icap_log
2812TYPE: access_log
2813IFDEF: ICAP_CLIENT
2814LOC: Config.Log.icaplogs
2815DEFAULT: none
2816DOC_START
2817 ICAP log files record ICAP transaction summaries, one line per
2818 transaction.
2819
2820 The icap_log option format is:
2821 icap_log <filepath> [<logformat name> [acl acl ...]]
2822 icap_log none [acl acl ...]]
2823
2824 Please see access_log option documentation for details. The two
2825 kinds of logs share the overall configuration approach and many
2826 features.
2827
2828 ICAP processing of a single HTTP message or transaction may
2829 require multiple ICAP transactions. In such cases, multiple
2830 ICAP transaction log lines will correspond to a single access
2831 log line.
2832
2833 ICAP log uses logformat codes that make sense for an ICAP
2834 transaction. Header-related codes are applied to the HTTP header
2835 embedded in an ICAP server response, with the following caveats:
2836 For REQMOD, there is no HTTP response header unless the ICAP
2837 server performed request satisfaction. For RESPMOD, the HTTP
2838 request header is the header sent to the ICAP server. For
2839 OPTIONS, there are no HTTP headers.
2840
2841 The following format codes are also available for ICAP logs:
2842
2843 icap::<A ICAP server IP address. Similar to <A.
2844
2845 icap::<service_name ICAP service name from the icap_service
2846 option in Squid configuration file.
2847
2848 icap::ru ICAP Request-URI. Similar to ru.
2849
2850 icap::rm ICAP request method (REQMOD, RESPMOD, or
2851 OPTIONS). Similar to existing rm.
2852
2853 icap::>st Bytes sent to the ICAP server (TCP payload
2854 only; i.e., what Squid writes to the socket).
2855
2856 icap::<st Bytes received from the ICAP server (TCP
2857 payload only; i.e., what Squid reads from
2858 the socket).
2859
bae917ac
CT		 2860 icap::<bs Number of message body bytes received from the
2861 ICAP server. ICAP message body, if any, usually
2862 includes encapsulated HTTP message headers and
2863 possibly encapsulated HTTP message body. The
2864 HTTP body part is dechunked before its size is
2865 computed.
2866
3ff65596
AR		 2867 icap::tr Transaction response time (in
2868 milliseconds). The timer starts when
2869 the ICAP transaction is created and
2870 stops when the transaction is completed.
2871 Similar to tr.
2872
2873 icap::tio Transaction I/O time (in milliseconds). The
2874 timer starts when the first ICAP request
2875 byte is scheduled for sending. The timers
2876 stops when the last byte of the ICAP response
2877 is received.
2878
2879 icap::to Transaction outcome: ICAP_ERR* for all
2880 transaction errors, ICAP_OPT for OPTION
2881 transactions, ICAP_ECHO for 204
2882 responses, ICAP_MOD for message
2883 modification, and ICAP_SAT for request
2884 satisfaction. Similar to Ss.
2885
2886 icap::Hs ICAP response status code. Similar to Hs.
2887
2888 icap::>h ICAP request header(s). Similar to >h.
2889
2890 icap::<h ICAP response header(s). Similar to <h.
2891
2892 The default ICAP log format, which can be used without an explicit
2893 definition, is called icap_squid:
2894
2895logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
2896
2897 See also: logformat, log_icap, and %icap::<last_h
2898DOC_END
2899
82b7abe3
AJ		 2900NAME: logfile_daemon
2901TYPE: string
2902DEFAULT: @DEFAULT_LOGFILED@
2903LOC: Log::TheConfig.logfile_daemon
2904DOC_START
2905 Specify the path to the logfile-writing daemon. This daemon is
2906 used to write the access and store logs, if configured.
14b24caf
HN		 2907
2908 Squid sends a number of commands to the log daemon:
2909 L<data>\n - logfile data
2910 R\n - rotate file
2911 T\n - truncate file
2912 O\n - repoen file
2913 F\n - flush file
2914 r<n>\n - set rotate count to <n>
2915 b<n>\n - 1 = buffer output, 0 = don't buffer output
2916
2917 No responses is expected.
82b7abe3
AJ		 2918DOC_END
2919
5b0f5383 2920NAME: log_access
2921TYPE: acl_access
2922LOC: Config.accessList.log
2923DEFAULT: none
2924COMMENT: allow|deny acl acl...
2925DOC_START
2926 This options allows you to control which requests gets logged
2927 to access.log (see access_log directive). Requests denied for
2928 logging will also not be accounted for in performance counters.
b3567eb5
FC		 2929
2930 This clause only supports fast acl types.
2931 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
5b0f5383 2932DOC_END
2933
3ff65596
AR		 2934NAME: log_icap
2935TYPE: acl_access
2936IFDEF: ICAP_CLIENT
2937LOC: Config.accessList.icap
2938DEFAULT: none
2939DOC_START
2940 This options allows you to control which requests get logged
2941 to icap.log. See the icap_log directive for ICAP log details.
2942DOC_END
2943
41bd17a4 2944NAME: cache_store_log
2945TYPE: string
df2eec10 2946DEFAULT: none
41bd17a4 2947LOC: Config.Log.store
2948DOC_START
2949 Logs the activities of the storage manager. Shows which
2950 objects are ejected from the cache, and which objects are
df2eec10
AJ		 2951 saved and for how long. To disable, enter "none" or remove the line.
2952 There are not really utilities to analyze this data, so you can safely
41bd17a4 2953 disable it.
e0855596
AJ		 2954
2955 Example:
2956 cache_store_log @DEFAULT_STORE_LOG@
5473c134 2957DOC_END
2958
41bd17a4 2959NAME: cache_swap_state cache_swap_log
2960TYPE: string
2961LOC: Config.Log.swap
5473c134 2962DEFAULT: none
2963DOC_START
41bd17a4 2964 Location for the cache "swap.state" file. This index file holds
2965 the metadata of objects saved on disk. It is used to rebuild
2966 the cache during startup. Normally this file resides in each
2967 'cache_dir' directory, but you may specify an alternate
2968 pathname here. Note you must give a full filename, not just
2969 a directory. Since this is the index for the whole object
2970 list you CANNOT periodically rotate it!
5473c134 2971
41bd17a4 2972 If %s can be used in the file name it will be replaced with a
2973 a representation of the cache_dir name where each / is replaced
2974 with '.'. This is needed to allow adding/removing cache_dir
2975 lines when cache_swap_log is being used.
5473c134 2976
41bd17a4 2977 If have more than one 'cache_dir', and %s is not used in the name
2978 these swap logs will have names such as:
5473c134 2979
41bd17a4 2980 cache_swap_log.00
2981 cache_swap_log.01
2982 cache_swap_log.02
5473c134 2983
41bd17a4 2984 The numbered extension (which is added automatically)
2985 corresponds to the order of the 'cache_dir' lines in this
2986 configuration file. If you change the order of the 'cache_dir'
2987 lines in this file, these index files will NOT correspond to
2988 the correct 'cache_dir' entry (unless you manually rename
2989 them). We recommend you do NOT use this option. It is
2990 better to keep these index files in each 'cache_dir' directory.
5473c134 2991DOC_END
2992
41bd17a4 2993NAME: logfile_rotate
2994TYPE: int
2995DEFAULT: 10
2996LOC: Config.Log.rotateNumber
5473c134 2997DOC_START
41bd17a4 2998 Specifies the number of logfile rotations to make when you
2999 type 'squid -k rotate'. The default is 10, which will rotate
3000 with extensions 0 through 9. Setting logfile_rotate to 0 will
3001 disable the file name rotation, but the logfiles are still closed
3002 and re-opened. This will enable you to rename the logfiles
3003 yourself just before sending the rotate signal.
5473c134 3004
41bd17a4 3005 Note, the 'squid -k rotate' command normally sends a USR1
3006 signal to the running squid process. In certain situations
3007 (e.g. on Linux with Async I/O), USR1 is used for other
3008 purposes, so -k rotate uses another signal. It is best to get
3009 in the habit of using 'squid -k rotate' instead of 'kill -USR1
3010 <pid>'.
62493678
AJ		 3011
3012 Note, from Squid-3.1 this option has no effect on the cache.log,
3013 that log can be rotated separately by using debug_options
41bd17a4 3014DOC_END
5473c134 3015
41bd17a4 3016NAME: emulate_httpd_log
3017COMMENT: on|off
3018TYPE: onoff
3019DEFAULT: off
3020LOC: Config.onoff.common_log
3021DOC_START
3022 The Cache can emulate the log file format which many 'httpd'
3023 programs use. To disable/enable this emulation, set
3024 emulate_httpd_log to 'off' or 'on'. The default
3025 is to use the native log format since it includes useful
3026 information Squid-specific log analyzers use.
5473c134 3027DOC_END
3028
41bd17a4 3029NAME: log_ip_on_direct
3030COMMENT: on|off
3031TYPE: onoff
5473c134 3032DEFAULT: on
41bd17a4 3033LOC: Config.onoff.log_ip_on_direct
5473c134 3034DOC_START
41bd17a4 3035 Log the destination IP address in the hierarchy log tag when going
3036 direct. Earlier Squid versions logged the hostname here. If you
3037 prefer the old way set this to off.
3038DOC_END
5473c134 3039
41bd17a4 3040NAME: mime_table
3041TYPE: string
3042DEFAULT: @DEFAULT_MIME_TABLE@
3043LOC: Config.mimeTablePathname
3044DOC_START
3045 Pathname to Squid's MIME table. You shouldn't need to change
3046 this, but the default file contains examples and formatting
3047 information if you do.
5473c134 3048DOC_END
3049
41bd17a4 3050NAME: log_mime_hdrs
3051COMMENT: on|off
3052TYPE: onoff
3053LOC: Config.onoff.log_mime_hdrs
3054DEFAULT: off
3055DOC_START
3056 The Cache can record both the request and the response MIME
3057 headers for each HTTP transaction. The headers are encoded
3058 safely and will appear as two bracketed fields at the end of
3059 the access log (for either the native or httpd-emulated log
3060 formats). To enable this logging set log_mime_hdrs to 'on'.
3061DOC_END
5473c134 3062
41bd17a4 3063NAME: useragent_log
3064TYPE: string
3065LOC: Config.Log.useragent
3066DEFAULT: none
3067IFDEF: USE_USERAGENT_LOG
5473c134 3068DOC_START
41bd17a4 3069 Squid will write the User-Agent field from HTTP requests
3070 to the filename specified here. By default useragent_log
3071 is disabled.
5473c134 3072DOC_END
3073
41bd17a4 3074NAME: referer_log referrer_log
3075TYPE: string
3076LOC: Config.Log.referer
3077DEFAULT: none
3078IFDEF: USE_REFERER_LOG
5473c134 3079DOC_START
41bd17a4 3080 Squid will write the Referer field from HTTP requests to the
3081 filename specified here. By default referer_log is disabled.
3082 Note that "referer" is actually a misspelling of "referrer"
3083 however the misspelt version has been accepted into the HTTP RFCs
3084 and we accept both.
5473c134 3085DOC_END
3086
41bd17a4 3087NAME: pid_filename
3088TYPE: string
3089DEFAULT: @DEFAULT_PID_FILE@
3090LOC: Config.pidFilename
5473c134 3091DOC_START
41bd17a4 3092 A filename to write the process-id to. To disable, enter "none".
5473c134 3093DOC_END
3094
41bd17a4 3095NAME: log_fqdn
3096COMMENT: on|off
3097TYPE: onoff
3098DEFAULT: off
3099LOC: Config.onoff.log_fqdn
5473c134 3100DOC_START
41bd17a4 3101 Turn this on if you wish to log fully qualified domain names
3102 in the access.log. To do this Squid does a DNS lookup of all
3103 IP's connecting to it. This can (in some situations) increase
3104 latency, which makes your cache seem slower for interactive
3105 browsing.
5473c134 3106DOC_END
3107
41bd17a4 3108NAME: client_netmask
3109TYPE: address
3110LOC: Config.Addrs.client_netmask
0eb08770 3111DEFAULT: no_addr
5473c134 3112DOC_START
41bd17a4 3113 A netmask for client addresses in logfiles and cachemgr output.
3114 Change this to protect the privacy of your cache clients.
3115 A netmask of 255.255.255.0 will log all IP's in that range with
3116 the last digit set to '0'.
5473c134 3117DOC_END
3118
41bd17a4 3119NAME: forward_log
3120IFDEF: WIP_FWD_LOG
3121TYPE: string
3122DEFAULT: none
3123LOC: Config.Log.forward
5473c134 3124DOC_START
41bd17a4 3125 Logs the server-side requests.
5473c134 3126
41bd17a4 3127 This is currently work in progress.
5473c134 3128DOC_END
3129
41bd17a4 3130NAME: strip_query_terms
5473c134 3131TYPE: onoff
41bd17a4 3132LOC: Config.onoff.strip_query_terms
5473c134 3133DEFAULT: on
3134DOC_START
41bd17a4 3135 By default, Squid strips query terms from requested URLs before
3136 logging. This protects your user's privacy.
5473c134 3137DOC_END
3138
41bd17a4 3139NAME: buffered_logs
3140COMMENT: on|off
3141TYPE: onoff
3142DEFAULT: off
3143LOC: Config.onoff.buffered_logs
5473c134 3144DOC_START
41bd17a4 3145 cache.log log file is written with stdio functions, and as such
3146 it can be buffered or unbuffered. By default it will be unbuffered.
3147 Buffering it can speed up the writing slightly (though you are
3148 unlikely to need to worry unless you run with tons of debugging
3149 enabled in which case performance will suffer badly anyway..).
6b698a21 3150DOC_END
0976f8db 3151
2b753521 3152NAME: netdb_filename
3153TYPE: string
3154DEFAULT: @DEFAULT_NETDB_FILE@
3155LOC: Config.netdbFilename
fb6a61d1 3156IFDEF: USE_ICMP
2b753521 3157DOC_START
3158 A filename where Squid stores it's netdb state between restarts.
3159 To disable, enter "none".
3160DOC_END
3161
62493678
AJ		 3162COMMENT_START
3163 OPTIONS FOR TROUBLESHOOTING
3164 -----------------------------------------------------------------------------
3165COMMENT_END
3166
3167NAME: cache_log
3168TYPE: string
3169DEFAULT: none
3170DEFAULT_IF_NONE: @DEFAULT_CACHE_LOG@
3171LOC: Debug::cache_log
3172DOC_START
3173 Cache logging file. This is where general information about
3174 your cache's behavior goes. You can increase the amount of data
3175 logged to this file and how often its rotated with "debug_options"
3176DOC_END
3177
3178NAME: debug_options
3179TYPE: eol
47df1aa7 3180DEFAULT: ALL,1
62493678
AJ		 3181LOC: Debug::debugOptions
3182DOC_START
3183 Logging options are set as section,level where each source file
3184 is assigned a unique section. Lower levels result in less
3185 output, Full debugging (level 9) can result in a very large
3186 log file, so be careful.
3187
3188 The magic word "ALL" sets debugging levels for all sections.
3189 We recommend normally running with "ALL,1".
3190
47df1aa7
AJ		 3191 The rotate=N option can be used to keep more or less of these logs
3192 than would otherwise be kept by logfile_rotate.
62493678
AJ		 3193 For most uses a single log should be enough to monitor current
3194 events affecting Squid.
3195DOC_END
3196
3197NAME: coredump_dir
3198TYPE: string
3199LOC: Config.coredump_dir
3200DEFAULT: none
3201DEFAULT_IF_NONE: none
3202DOC_START
3203 By default Squid leaves core files in the directory from where
3204 it was started. If you set 'coredump_dir' to a directory
3205 that exists, Squid will chdir() to that directory at startup
3206 and coredump files will be left there.
3207
3208NOCOMMENT_START
e0855596 3209
62493678
AJ		 3210# Leave coredumps in the first cache dir
3211coredump_dir @DEFAULT_SWAP_DIR@
3212NOCOMMENT_END
3213DOC_END
3214
3215
41bd17a4 3216COMMENT_START
3217 OPTIONS FOR FTP GATEWAYING
3218 -----------------------------------------------------------------------------
3219COMMENT_END
3220
3221NAME: ftp_user
3222TYPE: string
3223DEFAULT: Squid@
3224LOC: Config.Ftp.anon_user
6b698a21 3225DOC_START
41bd17a4 3226 If you want the anonymous login password to be more informative
3227 (and enable the use of picky ftp servers), set this to something
3228 reasonable for your domain, like wwwuser@somewhere.net
7f7db318 3229
41bd17a4 3230 The reason why this is domainless by default is the
3231 request can be made on the behalf of a user in any domain,
3232 depending on how the cache is used.
3233 Some ftp server also validate the email address is valid
3234 (for example perl.com).
6b698a21 3235DOC_END
0976f8db 3236
41bd17a4 3237NAME: ftp_passive
3238TYPE: onoff
3239DEFAULT: on
3240LOC: Config.Ftp.passive
6b698a21 3241DOC_START
41bd17a4 3242 If your firewall does not allow Squid to use passive
3243 connections, turn off this option.
a689bd4e 3244
3245 Use of ftp_epsv_all option requires this to be ON.
3246DOC_END
3247
3248NAME: ftp_epsv_all
3249TYPE: onoff
3250DEFAULT: off
3251LOC: Config.Ftp.epsv_all
3252DOC_START
3253 FTP Protocol extensions permit the use of a special "EPSV ALL" command.
3254
3255 NATs may be able to put the connection on a "fast path" through the
3256 translator, as the EPRT command will never be used and therefore,
3257 translation of the data portion of the segments will never be needed.
3258
b3567eb5
FC		 3259 When a client only expects to do two-way FTP transfers this may be
3260 useful.
a689bd4e 3261 If squid finds that it must do a three-way FTP transfer after issuing
3262 an EPSV ALL command, the FTP session will fail.
3263
3264 If you have any doubts about this option do not use it.
3265 Squid will nicely attempt all other connection methods.
3266
51ee534d
AJ		 3267 Requires ftp_passive to be ON (default) for any effect.
3268DOC_END
3269
3270NAME: ftp_epsv
3271TYPE: onoff
3272DEFAULT: on
3273LOC: Config.Ftp.epsv
3274DOC_START
3275 FTP Protocol extensions permit the use of a special "EPSV" command.
3276
3277 NATs may be able to put the connection on a "fast path" through the
b3567eb5
FC		 3278 translator using EPSV, as the EPRT command will never be used
3279 and therefore, translation of the data portion of the segments
3280 will never be needed.
51ee534d
AJ		 3281
3282 Turning this OFF will prevent EPSV being attempted.
3283 WARNING: Doing so will convert Squid back to the old behavior with all
3284 the related problems with external NAT devices/layers.
3285
3286 Requires ftp_passive to be ON (default) for any effect.
41bd17a4 3287DOC_END
9e7dbc51 3288
41bd17a4 3289NAME: ftp_sanitycheck
3290TYPE: onoff
3291DEFAULT: on
3292LOC: Config.Ftp.sanitycheck
3293DOC_START
3294 For security and data integrity reasons Squid by default performs
3295 sanity checks of the addresses of FTP data connections ensure the
3296 data connection is to the requested server. If you need to allow
3297 FTP connections to servers using another IP address for the data
3298 connection turn this off.
3299DOC_END
9e7dbc51 3300
41bd17a4 3301NAME: ftp_telnet_protocol
3302TYPE: onoff
3303DEFAULT: on
3304LOC: Config.Ftp.telnet
3305DOC_START
3306 The FTP protocol is officially defined to use the telnet protocol
3307 as transport channel for the control connection. However, many
3308 implementations are broken and does not respect this aspect of
3309 the FTP protocol.
3310
3311 If you have trouble accessing files with ASCII code 255 in the
3312 path or similar problems involving this ASCII code you can
3313 try setting this directive to off. If that helps, report to the
3314 operator of the FTP server in question that their FTP server
3315 is broken and does not follow the FTP standard.
3316DOC_END
3317
3318COMMENT_START
3319 OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
3320 -----------------------------------------------------------------------------
3321COMMENT_END
3322
3323NAME: diskd_program
3324TYPE: string
3325DEFAULT: @DEFAULT_DISKD@
3326LOC: Config.Program.diskd
3327DOC_START
3328 Specify the location of the diskd executable.
3329 Note this is only useful if you have compiled in
3330 diskd as one of the store io modules.
3331DOC_END
3332
3333NAME: unlinkd_program
3334IFDEF: USE_UNLINKD
3335TYPE: string
3336DEFAULT: @DEFAULT_UNLINKD@
3337LOC: Config.Program.unlinkd
3338DOC_START
3339 Specify the location of the executable for file deletion process.
3340DOC_END
3341
3342NAME: pinger_program
3343TYPE: string
3344DEFAULT: @DEFAULT_PINGER@
cc192b50 3345LOC: Config.pinger.program
41bd17a4 3346IFDEF: USE_ICMP
3347DOC_START
3348 Specify the location of the executable for the pinger process.
3349DOC_END
3350
cc192b50 3351NAME: pinger_enable
3352TYPE: onoff
3353DEFAULT: on
3354LOC: Config.pinger.enable
3355IFDEF: USE_ICMP
3356DOC_START
3357 Control whether the pinger is active at run-time.
b3567eb5
FC		 3358 Enables turning ICMP pinger on and off with a simple
3359 squid -k reconfigure.
cc192b50 3360DOC_END
3361
3362
41bd17a4 3363COMMENT_START
3364 OPTIONS FOR URL REWRITING
3365 -----------------------------------------------------------------------------
3366COMMENT_END
3367
3368NAME: url_rewrite_program redirect_program
3369TYPE: wordlist
3370LOC: Config.Program.redirect
3371DEFAULT: none
3372DOC_START
3373 Specify the location of the executable for the URL rewriter.
3374 Since they can perform almost any function there isn't one included.
3375
3376 For each requested URL rewriter will receive on line with the format
3377
c71adec1 3378 URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
3379
3380 In the future, the rewriter interface will be extended with
3381 key=value pairs ("kvpairs" shown above). Rewriter programs
3382 should be prepared to receive and possibly ignore additional
3383 whitespace-separated tokens on each input line.
41bd17a4 3384
3385 And the rewriter may return a rewritten URL. The other components of
3386 the request line does not need to be returned (ignored if they are).
3387
3388 The rewriter can also indicate that a client-side redirect should
3389 be performed to the new URL. This is done by prefixing the returned
3390 URL with "301:" (moved permanently) or 302: (moved temporarily).
3391
3392 By default, a URL rewriter is not used.
3393DOC_END
3394
3395NAME: url_rewrite_children redirect_children
48d54e4d 3396TYPE: HelperChildConfig
5b708d95 3397DEFAULT: 20 startup=0 idle=1 concurrency=0
41bd17a4 3398LOC: Config.redirectChildren
3399DOC_START
48d54e4d
AJ		 3400 The maximum number of redirector processes to spawn. If you limit
3401 it too few Squid will have to wait for them to process a backlog of
3402 URLs, slowing it down. If you allow too many they will use RAM
3403 and other system resources noticably.
3404
3405 The startup= and idle= options allow some measure of skew in your
3406 tuning.
3407
3408 startup=
3409
3410 Sets a minimum of how many processes are to be spawned when Squid
3411 starts or reconfigures. When set to zero the first request will
3412 cause spawning of the first child process to handle it.
3413
3414 Starting too few will cause an initial slowdown in traffic as Squid
3415 attempts to simultaneously spawn enough processes to cope.
3416
3417 idle=
3418
3419 Sets a minimum of how many processes Squid is to try and keep available
3420 at all times. When traffic begins to rise above what the existing
3421 processes can handle this many more will be spawned up to the maximum
3422 configured. A minimum setting of 1 is required.
3423
3424 concurrency=
41bd17a4 3425
41bd17a4 3426 The number of requests each redirector helper can handle in
3427 parallel. Defaults to 0 which indicates the redirector
3428 is a old-style single threaded redirector.
6a171502
AJ		 3429
3430 When this directive is set to a value >= 1 then the protocol
3431 used to communicate with the helper is modified to include
3432 a request ID in front of the request/response. The request
3433 ID from the request must be echoed back with the response
3434 to that request.
41bd17a4 3435DOC_END
3436
3437NAME: url_rewrite_host_header redirect_rewrites_host_header
3438TYPE: onoff
3439DEFAULT: on
3440LOC: Config.onoff.redir_rewrites_host
3441DOC_START
3442 By default Squid rewrites any Host: header in redirected
3443 requests. If you are running an accelerator this may
3444 not be a wanted effect of a redirector.
3445
3446 WARNING: Entries are cached on the result of the URL rewriting
3447 process, so be careful if you have domain-virtual hosts.
3448DOC_END
3449
3450NAME: url_rewrite_access redirector_access
3451TYPE: acl_access
3452DEFAULT: none
3453LOC: Config.accessList.redirector
3454DOC_START
3455 If defined, this access list specifies which requests are
3456 sent to the redirector processes. By default all requests
3457 are sent.
b3567eb5
FC		 3458
3459 This clause supports both fast and slow acl types.
3460 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
41bd17a4 3461DOC_END
3462
3463NAME: url_rewrite_bypass redirector_bypass
3464TYPE: onoff
3465LOC: Config.onoff.redirector_bypass
3466DEFAULT: off
3467DOC_START
3468 When this is 'on', a request will not go through the
3469 redirector if all redirectors are busy. If this is 'off'
3470 and the redirector queue grows too large, Squid will exit
3471 with a FATAL error and ask you to increase the number of
3472 redirectors. You should only enable this if the redirectors
3473 are not critical to your caching system. If you use
3474 redirectors for access control, and you enable this option,
3475 users may have access to pages they should not
3476 be allowed to request.
3477DOC_END
3478
3479COMMENT_START
3480 OPTIONS FOR TUNING THE CACHE
3481 -----------------------------------------------------------------------------
3482COMMENT_END
3483
f04b37d8 3484NAME: cache no_cache
3485TYPE: acl_access
3486DEFAULT: none
3487LOC: Config.accessList.noCache
41bd17a4 3488DOC_START
240887f0 3489 A list of ACL elements which, if matched and denied, cause the request to
f04b37d8 3490 not be satisfied from the cache and the reply to not be cached.
3491 In other words, use this to force certain objects to never be cached.
41bd17a4 3492
240887f0 3493 You must use the words 'allow' or 'deny' to indicate whether items
3494 matching the ACL should be allowed or denied into the cache.
f04b37d8 3495
240887f0 3496 Default is to allow all to be cached.
b3567eb5
FC		 3497
3498 This clause supports both fast and slow acl types.
3499 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
41bd17a4 3500DOC_END
3501
3502NAME: refresh_pattern
3503TYPE: refreshpattern
3504LOC: Config.Refresh
3505DEFAULT: none
3506DOC_START
3507 usage: refresh_pattern [-i] regex min percent max [options]
9e7dbc51 3508
6b698a21 3509 By default, regular expressions are CASE-SENSITIVE. To make
3510 them case-insensitive, use the -i option.
9e7dbc51 3511
41bd17a4 3512 'Min' is the time (in minutes) an object without an explicit
3513 expiry time should be considered fresh. The recommended
3514 value is 0, any higher values may cause dynamic applications
3515 to be erroneously cached unless the application designer
3516 has taken the appropriate actions.
9e7dbc51 3517
41bd17a4 3518 'Percent' is a percentage of the objects age (time since last
3519 modification age) an object without explicit expiry time
3520 will be considered fresh.
5b807763 3521
41bd17a4 3522 'Max' is an upper limit on how long objects without an explicit
3523 expiry time will be considered fresh.
9e7dbc51 3524
41bd17a4 3525 options: override-expire
3526 override-lastmod
3527 reload-into-ims
3528 ignore-reload
3529 ignore-no-cache
3530 ignore-no-store
4ca08219 3531 ignore-must-revalidate
41bd17a4 3532 ignore-private
3533 ignore-auth
3534 refresh-ims
3d8b6ba4 3535 store-stale
a0ec9f68 3536
41bd17a4 3537 override-expire enforces min age even if the server
9b2ad080
HN		 3538 sent an explicit expiry time (e.g., with the
3539 Expires: header or Cache-Control: max-age). Doing this
3540 VIOLATES the HTTP standard. Enabling this feature
3541 could make you liable for problems which it causes.
6468fe10 3542
04925576
AJ		 3543 Note: override-expire does not enforce staleness - it only extends
3544 freshness / min. If the server returns a Expires time which
3545 is longer than your max time, Squid will still consider
3546 the object fresh for that period of time.
3547
41bd17a4 3548 override-lastmod enforces min age even on objects
3549 that were modified recently.
934b03fc 3550
41bd17a4 3551 reload-into-ims changes client no-cache or ``reload''
3552 to If-Modified-Since requests. Doing this VIOLATES the
3553 HTTP standard. Enabling this feature could make you
3554 liable for problems which it causes.
dba79ac5 3555
41bd17a4 3556 ignore-reload ignores a client no-cache or ``reload''
3557 header. Doing this VIOLATES the HTTP standard. Enabling
3558 this feature could make you liable for problems which
3559 it causes.
9bc73deb 3560
41bd17a4 3561 ignore-no-cache ignores any ``Pragma: no-cache'' and
3562 ``Cache-control: no-cache'' headers received from a server.
3563 The HTTP RFC never allows the use of this (Pragma) header
3564 from a server, only a client, though plenty of servers
3565 send it anyway.
3566
3567 ignore-no-store ignores any ``Cache-control: no-store''
3568 headers received from a server. Doing this VIOLATES
3569 the HTTP standard. Enabling this feature could make you
3570 liable for problems which it causes.
3571
4ca08219
AJ		 3572 ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
3573 headers received from a server. Doing this VIOLATES
3574 the HTTP standard. Enabling this feature could make you
3575 liable for problems which it causes.
3576
41bd17a4 3577 ignore-private ignores any ``Cache-control: private''
3578 headers received from a server. Doing this VIOLATES
3579 the HTTP standard. Enabling this feature could make you
3580 liable for problems which it causes.
3581
3582 ignore-auth caches responses to requests with authorization,
3583 as if the originserver had sent ``Cache-control: public''
3584 in the response header. Doing this VIOLATES the HTTP standard.
3585 Enabling this feature could make you liable for problems which
3586 it causes.
3587
3588 refresh-ims causes squid to contact the origin server
3589 when a client issues an If-Modified-Since request. This
3590 ensures that the client will receive an updated version
3591 if one is available.
3592
3d8b6ba4
AJ		 3593 store-stale stores responses even if they don't have explicit
3594 freshness or a validator (i.e., Last-Modified or an ETag)
3595 present, or if they're already stale. By default, Squid will
3596 not cache such responses because they usually can't be
3597 reused. Note that such responses will be stale by default.
3598
41bd17a4 3599 Basically a cached object is:
3600
3601 FRESH if expires < now, else STALE
3602 STALE if age > max
3603 FRESH if lm-factor < percent, else STALE
3604 FRESH if age < min
3605 else STALE
3606
3607 The refresh_pattern lines are checked in the order listed here.
3608 The first entry which matches is used. If none of the entries
3609 match the default will be used.
3610
3611 Note, you must uncomment all the default lines if you want
3612 to change one. The default setting is only active if none is
3613 used.
3614
41bd17a4 3615NOCOMMENT_START
e0855596
AJ		 3616
3617# Add any of your own refresh_pattern entries above these.
41bd17a4 3618refresh_pattern ^ftp: 1440 20% 10080
3619refresh_pattern ^gopher: 1440 0% 1440
89db45fa 3620refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
41bd17a4 3621refresh_pattern . 0 20% 4320
3622NOCOMMENT_END
3623DOC_END
3624
3625NAME: quick_abort_min
3626COMMENT: (KB)
3627TYPE: kb_int64_t
3628DEFAULT: 16 KB
3629LOC: Config.quickAbort.min
3630DOC_NONE
3631
3632NAME: quick_abort_max
3633COMMENT: (KB)
3634TYPE: kb_int64_t
3635DEFAULT: 16 KB
3636LOC: Config.quickAbort.max
3637DOC_NONE
3638
3639NAME: quick_abort_pct
3640COMMENT: (percent)
3641TYPE: int
3642DEFAULT: 95
3643LOC: Config.quickAbort.pct
3644DOC_START
3645 The cache by default continues downloading aborted requests
3646 which are almost completed (less than 16 KB remaining). This
3647 may be undesirable on slow (e.g. SLIP) links and/or very busy
3648 caches. Impatient users may tie up file descriptors and
3649 bandwidth by repeatedly requesting and immediately aborting
3650 downloads.
3651
3652 When the user aborts a request, Squid will check the
3653 quick_abort values to the amount of data transfered until
3654 then.
3655
3656 If the transfer has less than 'quick_abort_min' KB remaining,
3657 it will finish the retrieval.
3658
3659 If the transfer has more than 'quick_abort_max' KB remaining,
3660 it will abort the retrieval.
3661
3662 If more than 'quick_abort_pct' of the transfer has completed,
3663 it will finish the retrieval.
3664
3665 If you do not want any retrieval to continue after the client
3666 has aborted, set both 'quick_abort_min' and 'quick_abort_max'
3667 to '0 KB'.
3668
3669 If you want retrievals to always continue if they are being
3670 cached set 'quick_abort_min' to '-1 KB'.
3671DOC_END
60d096f4 3672
41bd17a4 3673NAME: read_ahead_gap
3674COMMENT: buffer-size
3675TYPE: b_int64_t
3676LOC: Config.readAheadGap
3677DEFAULT: 16 KB
3678DOC_START
3679 The amount of data the cache will buffer ahead of what has been
3680 sent to the client when retrieving an object from another server.
3681DOC_END
53e738c6 3682
41bd17a4 3683NAME: negative_ttl
626096be 3684IFDEF: USE_HTTP_VIOLATIONS
41bd17a4 3685COMMENT: time-units
3686TYPE: time_t
3687LOC: Config.negativeTtl
ac9cc053 3688DEFAULT: 0 seconds
41bd17a4 3689DOC_START
ac9cc053
AJ		 3690 Set the Default Time-to-Live (TTL) for failed requests.
3691 Certain types of failures (such as "connection refused" and
3692 "404 Not Found") are able to be negatively-cached for a short time.
3693 Modern web servers should provide Expires: header, however if they
3694 do not this can provide a minimum TTL.
3695 The default is not to cache errors with unknown expiry details.
3696
3697 Note that this is different from negative caching of DNS lookups.
39956c7c
AJ		 3698
3699 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3700 this feature could make you liable for problems which it
3701 causes.
41bd17a4 3702DOC_END
53e738c6 3703
41bd17a4 3704NAME: positive_dns_ttl
3705COMMENT: time-units
3706TYPE: time_t
3707LOC: Config.positiveDnsTtl
3708DEFAULT: 6 hours
3709DOC_START
3710 Upper limit on how long Squid will cache positive DNS responses.
3711 Default is 6 hours (360 minutes). This directive must be set
3712 larger than negative_dns_ttl.
3713DOC_END
c4ab8329 3714
41bd17a4 3715NAME: negative_dns_ttl
3716COMMENT: time-units
3717TYPE: time_t
3718LOC: Config.negativeDnsTtl
3719DEFAULT: 1 minutes
3720DOC_START
3721 Time-to-Live (TTL) for negative caching of failed DNS lookups.
3722 This also sets the lower cache limit on positive lookups.
3723 Minimum value is 1 second, and it is not recommendable to go
3724 much below 10 seconds.
3725DOC_END
7df0bfd7 3726
41bd17a4 3727NAME: range_offset_limit
11e3fa1c
AJ		 3728COMMENT: size [acl acl...]
3729TYPE: acl_b_size_t
41bd17a4 3730LOC: Config.rangeOffsetLimit
11e3fa1c 3731DEFAULT: none
41bd17a4 3732DOC_START
11e3fa1c
AJ		 3733 usage: (size) [units] [[!]aclname]
3734
3735 Sets an upper limit on how far (number of bytes) into the file
3736 a Range request may be to cause Squid to prefetch the whole file.
3737 If beyond this limit, Squid forwards the Range request as it is and
3738 the result is NOT cached.
3739
41bd17a4 3740 This is to stop a far ahead range request (lets say start at 17MB)
3741 from making Squid fetch the whole object up to that point before
3742 sending anything to the client.
11e3fa1c
AJ		 3743
3744 Multiple range_offset_limit lines may be specified, and they will
3745 be searched from top to bottom on each request until a match is found.
3746 The first match found will be used. If no line matches a request, the
3747 default limit of 0 bytes will be used.
3748
3749 'size' is the limit specified as a number of units.
3750
3751 'units' specifies whether to use bytes, KB, MB, etc.
3752 If no units are specified bytes are assumed.
3753
3754 A size of 0 causes Squid to never fetch more than the
ab275c7b 3755 client requested. (default)
11e3fa1c
AJ		 3756
3757 A size of 'none' causes Squid to always fetch the object from the
41bd17a4 3758 beginning so it may cache the result. (2.0 style)
11e3fa1c
AJ		 3759
3760 'aclname' is the name of a defined ACL.
3761
3762 NP: Using 'none' as the byte value here will override any quick_abort settings
3763 that may otherwise apply to the range request. The range request will
ab275c7b
AJ		 3764 be fully fetched from start to finish regardless of the client
3765 actions. This affects bandwidth usage.
41bd17a4 3766DOC_END
d95b862f 3767
41bd17a4 3768NAME: minimum_expiry_time
3769COMMENT: (seconds)
3770TYPE: time_t
3771LOC: Config.minimum_expiry_time
3772DEFAULT: 60 seconds
3773DOC_START
3774 The minimum caching time according to (Expires - Date)
3775 Headers Squid honors if the object can't be revalidated
649fa918 3776 defaults to 60 seconds. In reverse proxy environments it
41bd17a4 3777 might be desirable to honor shorter object lifetimes. It
3778 is most likely better to make your server return a
3779 meaningful Last-Modified header however. In ESI environments
3780 where page fragments often have short lifetimes, this will
3781 often be best set to 0.
3782DOC_END
c68e9c6b 3783
41bd17a4 3784NAME: store_avg_object_size
3785COMMENT: (kbytes)
3e62bd58 3786TYPE: kb_int64_t
41bd17a4 3787DEFAULT: 13 KB
3788LOC: Config.Store.avgObjectSize
3789DOC_START
3790 Average object size, used to estimate number of objects your
3791 cache can hold. The default is 13 KB.
cccac0a2 3792DOC_END
3793
41bd17a4 3794NAME: store_objects_per_bucket
3795TYPE: int
3796DEFAULT: 20
3797LOC: Config.Store.objectsPerBucket
3798DOC_START
3799 Target number of objects per bucket in the store hash table.
3800 Lowering this value increases the total number of buckets and
3801 also the storage maintenance rate. The default is 20.
3802DOC_END
3803
3804COMMENT_START
3805 HTTP OPTIONS
3806 -----------------------------------------------------------------------------
3807COMMENT_END
3808
f04b37d8 3809NAME: request_header_max_size
3810COMMENT: (KB)
3811TYPE: b_size_t
df2eec10 3812DEFAULT: 64 KB
f04b37d8 3813LOC: Config.maxRequestHeaderSize
3814DOC_START
3815 This specifies the maximum size for HTTP headers in a request.
3816 Request headers are usually relatively small (about 512 bytes).
3817 Placing a limit on the request header size will catch certain
3818 bugs (for example with persistent connections) and possibly
3819 buffer-overflow or denial-of-service attacks.
3820DOC_END
3821
3822NAME: reply_header_max_size
3823COMMENT: (KB)
3824TYPE: b_size_t
df2eec10 3825DEFAULT: 64 KB
f04b37d8 3826LOC: Config.maxReplyHeaderSize
3827DOC_START
3828 This specifies the maximum size for HTTP headers in a reply.
3829 Reply headers are usually relatively small (about 512 bytes).
3830 Placing a limit on the reply header size will catch certain
3831 bugs (for example with persistent connections) and possibly
3832 buffer-overflow or denial-of-service attacks.
3833DOC_END
3834
3835NAME: request_body_max_size
3836COMMENT: (bytes)
3837TYPE: b_int64_t
3838DEFAULT: 0 KB
3839LOC: Config.maxRequestBodySize
3840DOC_START
3841 This specifies the maximum size for an HTTP request body.
3842 In other words, the maximum size of a PUT/POST request.
3843 A user who attempts to send a request with a body larger
3844 than this limit receives an "Invalid Request" error message.
3845 If you set this parameter to a zero (the default), there will
3846 be no limit imposed.
3847DOC_END
3848
3ff65596
AR		 3849NAME: chunked_request_body_max_size
3850COMMENT: (bytes)
3851TYPE: b_int64_t
3852DEFAULT: 64 KB
3853LOC: Config.maxChunkedRequestBodySize
3854DOC_START
3855 A broken or confused HTTP/1.1 client may send a chunked HTTP
3856 request to Squid. Squid does not have full support for that
3857 feature yet. To cope with such requests, Squid buffers the
3858 entire request and then dechunks request body to create a
3859 plain HTTP/1.0 request with a known content length. The plain
3860 request is then used by the rest of Squid code as usual.
3861
3862 The option value specifies the maximum size of the buffer used
3863 to hold the request before the conversion. If the chunked
3864 request size exceeds the specified limit, the conversion
3865 fails, and the client receives an "unsupported request" error,
3866 as if dechunking was disabled.
3867
3868 Dechunking is enabled by default. To disable conversion of
3869 chunked requests, set the maximum to zero.
3870
3871 Request dechunking feature and this option in particular are a
3872 temporary hack. When chunking requests and responses are fully
3873 supported, there will be no need to buffer a chunked request.
3874DOC_END
3875
41bd17a4 3876NAME: broken_posts
626096be 3877IFDEF: USE_HTTP_VIOLATIONS
cccac0a2 3878TYPE: acl_access
cccac0a2 3879DEFAULT: none
41bd17a4 3880LOC: Config.accessList.brokenPosts
cccac0a2 3881DOC_START
41bd17a4 3882 A list of ACL elements which, if matched, causes Squid to send
3883 an extra CRLF pair after the body of a PUT/POST request.
cccac0a2 3884
41bd17a4 3885 Some HTTP servers has broken implementations of PUT/POST,
3886 and rely on an extra CRLF pair sent by some WWW clients.
cccac0a2 3887
41bd17a4 3888 Quote from RFC2616 section 4.1 on this matter:
cccac0a2 3889
41bd17a4 3890 Note: certain buggy HTTP/1.0 client implementations generate an
3891 extra CRLF's after a POST request. To restate what is explicitly
3892 forbidden by the BNF, an HTTP/1.1 client must not preface or follow
3893 a request with an extra CRLF.
cccac0a2 3894
b3567eb5
FC		 3895 This clause only supports fast acl types.
3896 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
3897
41bd17a4 3898Example:
3899 acl buggy_server url_regex ^http://....
3900 broken_posts allow buggy_server
3901DOC_END
cccac0a2 3902
57d76dd4
AJ		 3903NAME: icap_uses_indirect_client
3904COMMENT: on|off
3905TYPE: onoff
0dae2bca 3906IFDEF: FOLLOW_X_FORWARDED_FOR&&ICAP_CLIENT
57d76dd4
AJ		 3907DEFAULT: on
3908LOC: Adaptation::Icap::TheConfig.icap_uses_indirect_client
3909DOC_START
3910 Controls whether the indirect client address
3911 (see follow_x_forwarded_for) instead of the
3912 direct client address is passed to an ICAP
3913 server as "X-Client-IP".
3914DOC_END
3915
41bd17a4 3916NAME: via
626096be 3917IFDEF: USE_HTTP_VIOLATIONS
41bd17a4 3918COMMENT: on|off
3919TYPE: onoff
3920DEFAULT: on
3921LOC: Config.onoff.via
3922DOC_START
3923 If set (default), Squid will include a Via header in requests and
3924 replies as required by RFC2616.
3925DOC_END
4cc6eb12 3926
41bd17a4 3927NAME: ie_refresh
3928COMMENT: on|off
3929TYPE: onoff
3930LOC: Config.onoff.ie_refresh
3931DEFAULT: off
3932DOC_START
3933 Microsoft Internet Explorer up until version 5.5 Service
3934 Pack 1 has an issue with transparent proxies, wherein it
3935 is impossible to force a refresh. Turning this on provides
3936 a partial fix to the problem, by causing all IMS-REFRESH
3937 requests from older IE versions to check the origin server
3938 for fresh content. This reduces hit ratio by some amount
3939 (~10% in my experience), but allows users to actually get
3940 fresh content when they want it. Note because Squid
3941 cannot tell if the user is using 5.5 or 5.5SP1, the behavior
3942 of 5.5 is unchanged from old versions of Squid (i.e. a
3943 forced refresh is impossible). Newer versions of IE will,
3944 hopefully, continue to have the new behavior and will be
3945 handled based on that assumption. This option defaults to
3946 the old Squid behavior, which is better for hit ratios but
3947 worse for clients using IE, if they need to be able to
3948 force fresh content.
3949DOC_END
b9d7fe3e 3950
41bd17a4 3951NAME: vary_ignore_expire
3952COMMENT: on|off
3953TYPE: onoff
3954LOC: Config.onoff.vary_ignore_expire
3955DEFAULT: off
3956DOC_START
3957 Many HTTP servers supporting Vary gives such objects
3958 immediate expiry time with no cache-control header
3959 when requested by a HTTP/1.0 client. This option
3960 enables Squid to ignore such expiry times until
3961 HTTP/1.1 is fully implemented.
7e73cd78
AJ		 3962
3963 WARNING: If turned on this may eventually cause some
3964 varying objects not intended for caching to get cached.
cccac0a2 3965DOC_END
c4ab8329 3966
41bd17a4 3967NAME: request_entities
3968TYPE: onoff
3969LOC: Config.onoff.request_entities
3970DEFAULT: off
3971DOC_START
3972 Squid defaults to deny GET and HEAD requests with request entities,
3973 as the meaning of such requests are undefined in the HTTP standard
3974 even if not explicitly forbidden.
0976f8db 3975
41bd17a4 3976 Set this directive to on if you have clients which insists
3977 on sending request entities in GET or HEAD requests. But be warned
3978 that there is server software (both proxies and web servers) which
3979 can fail to properly process this kind of request which may make you
3980 vulnerable to cache pollution attacks if enabled.
cccac0a2 3981DOC_END
6b53c392 3982
41bd17a4 3983NAME: request_header_access
626096be 3984IFDEF: USE_HTTP_VIOLATIONS
41bd17a4 3985TYPE: http_header_access[]
3986LOC: Config.request_header_access
cccac0a2 3987DEFAULT: none
cccac0a2 3988DOC_START
41bd17a4 3989 Usage: request_header_access header_name allow|deny [!]aclname ...
0976f8db 3990
41bd17a4 3991 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3992 this feature could make you liable for problems which it
3993 causes.
0976f8db 3994
41bd17a4 3995 This option replaces the old 'anonymize_headers' and the
3996 older 'http_anonymizer' option with something that is much
3997 more configurable. This new method creates a list of ACLs
3998 for each header, allowing you very fine-tuned header
3999 mangling.
934b03fc 4000
41bd17a4 4001 This option only applies to request headers, i.e., from the
4002 client to the server.
5401aa8d 4003
41bd17a4 4004 You can only specify known headers for the header name.
4005 Other headers are reclassified as 'Other'. You can also
4006 refer to all the headers with 'All'.
5401aa8d 4007
41bd17a4 4008 For example, to achieve the same behavior as the old
4009 'http_anonymizer standard' option, you should use:
5401aa8d 4010
41bd17a4 4011 request_header_access From deny all
4012 request_header_access Referer deny all
4013 request_header_access Server deny all
4014 request_header_access User-Agent deny all
4015 request_header_access WWW-Authenticate deny all
4016 request_header_access Link deny all
5401aa8d 4017
41bd17a4 4018 Or, to reproduce the old 'http_anonymizer paranoid' feature
4019 you should use:
5401aa8d 4020
41bd17a4 4021 request_header_access Allow allow all
4022 request_header_access Authorization allow all
4023 request_header_access WWW-Authenticate allow all
4024 request_header_access Proxy-Authorization allow all
4025 request_header_access Proxy-Authenticate allow all
4026 request_header_access Cache-Control allow all
4027 request_header_access Content-Encoding allow all
4028 request_header_access Content-Length allow all
4029 request_header_access Content-Type allow all
4030 request_header_access Date allow all
4031 request_header_access Expires allow all
4032 request_header_access Host allow all
4033 request_header_access If-Modified-Since allow all
4034 request_header_access Last-Modified allow all
4035 request_header_access Location allow all
4036 request_header_access Pragma allow all
4037 request_header_access Accept allow all
4038 request_header_access Accept-Charset allow all
4039 request_header_access Accept-Encoding allow all
4040 request_header_access Accept-Language allow all
4041 request_header_access Content-Language allow all
4042 request_header_access Mime-Version allow all
4043 request_header_access Retry-After allow all
4044 request_header_access Title allow all
4045 request_header_access Connection allow all
41bd17a4 4046 request_header_access All deny all
5401aa8d 4047
41bd17a4 4048 although many of those are HTTP reply headers, and so should be
4049 controlled with the reply_header_access directive.
5401aa8d 4050
41bd17a4 4051 By default, all headers are allowed (no anonymizing is
4052 performed).
5401aa8d 4053DOC_END
4054
41bd17a4 4055NAME: reply_header_access
626096be 4056IFDEF: USE_HTTP_VIOLATIONS
41bd17a4 4057TYPE: http_header_access[]
4058LOC: Config.reply_header_access
cccac0a2 4059DEFAULT: none
4060DOC_START
41bd17a4 4061 Usage: reply_header_access header_name allow|deny [!]aclname ...
934b03fc 4062
41bd17a4 4063 WARNING: Doing this VIOLATES the HTTP standard. Enabling
4064 this feature could make you liable for problems which it
4065 causes.
934b03fc 4066
41bd17a4 4067 This option only applies to reply headers, i.e., from the
4068 server to the client.
934b03fc 4069
41bd17a4 4070 This is the same as request_header_access, but in the other
4071 direction.
6b53c392 4072
41bd17a4 4073 This option replaces the old 'anonymize_headers' and the
4074 older 'http_anonymizer' option with something that is much
4075 more configurable. This new method creates a list of ACLs
4076 for each header, allowing you very fine-tuned header
4077 mangling.
cccac0a2 4078
41bd17a4 4079 You can only specify known headers for the header name.
4080 Other headers are reclassified as 'Other'. You can also
4081 refer to all the headers with 'All'.
cccac0a2 4082
41bd17a4 4083 For example, to achieve the same behavior as the old
4084 'http_anonymizer standard' option, you should use:
cccac0a2 4085
41bd17a4 4086 reply_header_access From deny all
4087 reply_header_access Referer deny all
4088 reply_header_access Server deny all
4089 reply_header_access User-Agent deny all
4090 reply_header_access WWW-Authenticate deny all
4091 reply_header_access Link deny all
cccac0a2 4092
41bd17a4 4093 Or, to reproduce the old 'http_anonymizer paranoid' feature
4094 you should use:
cccac0a2 4095
41bd17a4 4096 reply_header_access Allow allow all
4097 reply_header_access Authorization allow all
4098 reply_header_access WWW-Authenticate allow all
4099 reply_header_access Proxy-Authorization allow all
4100 reply_header_access Proxy-Authenticate allow all
4101 reply_header_access Cache-Control allow all
4102 reply_header_access Content-Encoding allow all
4103 reply_header_access Content-Length allow all
4104 reply_header_access Content-Type allow all
4105 reply_header_access Date allow all
4106 reply_header_access Expires allow all
4107 reply_header_access Host allow all
4108 reply_header_access If-Modified-Since allow all
4109 reply_header_access Last-Modified allow all
4110 reply_header_access Location allow all
4111 reply_header_access Pragma allow all
4112 reply_header_access Accept allow all
4113 reply_header_access Accept-Charset allow all
4114 reply_header_access Accept-Encoding allow all
4115 reply_header_access Accept-Language allow all
4116 reply_header_access Content-Language allow all
4117 reply_header_access Mime-Version allow all
4118 reply_header_access Retry-After allow all
4119 reply_header_access Title allow all
4120 reply_header_access Connection allow all
41bd17a4 4121 reply_header_access All deny all
cccac0a2 4122
41bd17a4 4123 although the HTTP request headers won't be usefully controlled
4124 by this directive -- see request_header_access for details.
cccac0a2 4125
41bd17a4 4126 By default, all headers are allowed (no anonymizing is
4127 performed).
cccac0a2 4128DOC_END
4129
41bd17a4 4130NAME: header_replace
626096be 4131IFDEF: USE_HTTP_VIOLATIONS
41bd17a4 4132TYPE: http_header_replace[]
4133LOC: Config.request_header_access
cccac0a2 4134DEFAULT: none
41bd17a4 4135DOC_START
4136 Usage: header_replace header_name message
4137 Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
cccac0a2 4138
41bd17a4 4139 This option allows you to change the contents of headers
4140 denied with header_access above, by replacing them with
4141 some fixed string. This replaces the old fake_user_agent
4142 option.
cccac0a2 4143
41bd17a4 4144 This only applies to request headers, not reply headers.
cccac0a2 4145
41bd17a4 4146 By default, headers are removed if denied.
4147DOC_END
cccac0a2 4148
41bd17a4 4149NAME: relaxed_header_parser
4150COMMENT: on|off|warn
4151TYPE: tristate
4152LOC: Config.onoff.relaxed_header_parser
4153DEFAULT: on
4154DOC_START
4155 In the default "on" setting Squid accepts certain forms
4156 of non-compliant HTTP messages where it is unambiguous
4157 what the sending application intended even if the message
4158 is not correctly formatted. The messages is then normalized
4159 to the correct form when forwarded by Squid.
cccac0a2 4160
41bd17a4 4161 If set to "warn" then a warning will be emitted in cache.log
4162 each time such HTTP error is encountered.
cccac0a2 4163
41bd17a4 4164 If set to "off" then such HTTP errors will cause the request
4165 or response to be rejected.
4166DOC_END
7d90757b 4167
52b601ff
AJ		 4168NAME: ignore_expect_100
4169COMMENT: on|off
626096be 4170IFDEF: USE_HTTP_VIOLATIONS
52b601ff
AJ		 4171TYPE: onoff
4172LOC: Config.onoff.ignore_expect_100
4173DEFAULT: off
4174DOC_START
4175 This option makes Squid ignore any Expect: 100-continue header present
4176 in the request. RFC 2616 requires that Squid being unable to satisfy
4177 the response expectation MUST return a 417 error.
4178
4179 Note: Enabling this is a HTTP protocol violation, but some clients may
4180 not handle it well..
4181DOC_END
4182
41bd17a4 4183COMMENT_START
4184 TIMEOUTS
4185 -----------------------------------------------------------------------------
4186COMMENT_END
4187
4188NAME: forward_timeout
4189COMMENT: time-units
4190TYPE: time_t
4191LOC: Config.Timeout.forward
4192DEFAULT: 4 minutes
4193DOC_START
4194 This parameter specifies how long Squid should at most attempt in
4195 finding a forwarding path for the request before giving up.
cccac0a2 4196DOC_END
4197
41bd17a4 4198NAME: connect_timeout
4199COMMENT: time-units
4200TYPE: time_t
4201LOC: Config.Timeout.connect
4202DEFAULT: 1 minute
057f5854 4203DOC_START
41bd17a4 4204 This parameter specifies how long to wait for the TCP connect to
4205 the requested server or peer to complete before Squid should
4206 attempt to find another path where to forward the request.
057f5854 4207DOC_END
4208
41bd17a4 4209NAME: peer_connect_timeout
4210COMMENT: time-units
4211TYPE: time_t
4212LOC: Config.Timeout.peer_connect
4213DEFAULT: 30 seconds
cccac0a2 4214DOC_START
41bd17a4 4215 This parameter specifies how long to wait for a pending TCP
4216 connection to a peer cache. The default is 30 seconds. You
4217 may also set different timeout values for individual neighbors
4218 with the 'connect-timeout' option on a 'cache_peer' line.
4219DOC_END
7f7db318 4220
41bd17a4 4221NAME: read_timeout
4222COMMENT: time-units
4223TYPE: time_t
4224LOC: Config.Timeout.read
4225DEFAULT: 15 minutes
4226DOC_START
4227 The read_timeout is applied on server-side connections. After
4228 each successful read(), the timeout will be extended by this
4229 amount. If no data is read again after this amount of time,
4230 the request is aborted and logged with ERR_READ_TIMEOUT. The
4231 default is 15 minutes.
4232DOC_END
cccac0a2 4233
5ef5e5cc
AJ		 4234NAME: write_timeout
4235COMMENT: time-units
4236TYPE: time_t
4237LOC: Config.Timeout.write
4238DEFAULT: 15 minutes
4239DOC_START
4240 This timeout is tracked for all connections that have data
4241 available for writing and are waiting for the socket to become
4242 ready. After each successful write, the timeout is extended by
4243 the configured amount. If Squid has data to write but the
4244 connection is not ready for the configured duration, the
4245 transaction associated with the connection is terminated. The
4246 default is 15 minutes.
4247DOC_END
4248
41bd17a4 4249NAME: request_timeout
4250TYPE: time_t
4251LOC: Config.Timeout.request
4252DEFAULT: 5 minutes
4253DOC_START
4254 How long to wait for an HTTP request after initial
4255 connection establishment.
4256DOC_END
cccac0a2 4257
41bd17a4 4258NAME: persistent_request_timeout
4259TYPE: time_t
4260LOC: Config.Timeout.persistent_request
4261DEFAULT: 2 minutes
4262DOC_START
4263 How long to wait for the next HTTP request on a persistent
4264 connection after the previous request completes.
4265DOC_END
cccac0a2 4266
41bd17a4 4267NAME: client_lifetime
4268COMMENT: time-units
4269TYPE: time_t
4270LOC: Config.Timeout.lifetime
4271DEFAULT: 1 day
4272DOC_START
4273 The maximum amount of time a client (browser) is allowed to
4274 remain connected to the cache process. This protects the Cache
4275 from having a lot of sockets (and hence file descriptors) tied up
4276 in a CLOSE_WAIT state from remote clients that go away without
4277 properly shutting down (either because of a network failure or
4278 because of a poor client implementation). The default is one
4279 day, 1440 minutes.
7d90757b 4280
41bd17a4 4281 NOTE: The default value is intended to be much larger than any
4282 client would ever need to be connected to your cache. You
4283 should probably change client_lifetime only as a last resort.
4284 If you seem to have many client connections tying up
4285 filedescriptors, we recommend first tuning the read_timeout,
4286 request_timeout, persistent_request_timeout and quick_abort values.
cccac0a2 4287DOC_END
4288
41bd17a4 4289NAME: half_closed_clients
4290TYPE: onoff
4291LOC: Config.onoff.half_closed_clients
0c2f5c4f 4292DEFAULT: off
4eb368f9 4293DOC_START
41bd17a4 4294 Some clients may shutdown the sending side of their TCP
4295 connections, while leaving their receiving sides open. Sometimes,
4296 Squid can not tell the difference between a half-closed and a
0c2f5c4f
AJ		 4297 fully-closed TCP connection.
4298
4299 By default, Squid will immediately close client connections when
4300 read(2) returns "no more data to read."
4301
abdf1651 4302 Change this option to 'on' and Squid will keep open connections
0c2f5c4f
AJ		 4303 until a read(2) or write(2) on the socket returns an error.
4304 This may show some benefits for reverse proxies. But if not
4305 it is recommended to leave OFF.
4eb368f9 4306DOC_END
4307
41bd17a4 4308NAME: pconn_timeout
4309TYPE: time_t
4310LOC: Config.Timeout.pconn
4311DEFAULT: 1 minute
cccac0a2 4312DOC_START
41bd17a4 4313 Timeout for idle persistent connections to servers and other
4314 proxies.
4315DOC_END
cccac0a2 4316
41bd17a4 4317NAME: ident_timeout
4318TYPE: time_t
4319IFDEF: USE_IDENT
4daaf3cb 4320LOC: Ident::TheConfig.timeout
41bd17a4 4321DEFAULT: 10 seconds
4322DOC_START
4323 Maximum time to wait for IDENT lookups to complete.
cccac0a2 4324
41bd17a4 4325 If this is too high, and you enabled IDENT lookups from untrusted
4326 users, you might be susceptible to denial-of-service by having
4327 many ident requests going at once.
cccac0a2 4328DOC_END
4329
41bd17a4 4330NAME: shutdown_lifetime
4331COMMENT: time-units
4332TYPE: time_t
4333LOC: Config.shutdownLifetime
4334DEFAULT: 30 seconds
cccac0a2 4335DOC_START
41bd17a4 4336 When SIGTERM or SIGHUP is received, the cache is put into
4337 "shutdown pending" mode until all active sockets are closed.
4338 This value is the lifetime to set for all open descriptors
4339 during shutdown mode. Any active clients after this many
4340 seconds will receive a 'timeout' message.
cccac0a2 4341DOC_END
0976f8db 4342
cccac0a2 4343COMMENT_START
4344 ADMINISTRATIVE PARAMETERS
4345 -----------------------------------------------------------------------------
4346COMMENT_END
4347
4348NAME: cache_mgr
4349TYPE: string
4350DEFAULT: webmaster
4351LOC: Config.adminEmail
4352DOC_START
4353 Email-address of local cache manager who will receive
4354 mail if the cache dies. The default is "webmaster."
4355DOC_END
4356
abacf776 4357NAME: mail_from
4358TYPE: string
4359DEFAULT: none
4360LOC: Config.EmailFrom
4361DOC_START
4362 From: email-address for mail sent when the cache dies.
4363 The default is to use 'appname@unique_hostname'.
b8c0c06d 4364 Default appname value is "squid", can be changed into
abacf776 4365 src/globals.h before building squid.
4366DOC_END
4367
d084bf20 4368NAME: mail_program
4369TYPE: eol
4370DEFAULT: mail
4371LOC: Config.EmailProgram
4372DOC_START
4373 Email program used to send mail if the cache dies.
846a5e31 4374 The default is "mail". The specified program must comply
d084bf20 4375 with the standard Unix mail syntax:
846a5e31 4376 mail-program recipient < mailfile
4377
d084bf20 4378 Optional command line options can be specified.
4379DOC_END
4380
cccac0a2 4381NAME: cache_effective_user
4382TYPE: string
5483d916 4383DEFAULT: @DEFAULT_CACHE_EFFECTIVE_USER@
cccac0a2 4384LOC: Config.effectiveUser
e3d74828 4385DOC_START
4386 If you start Squid as root, it will change its effective/real
4387 UID/GID to the user specified below. The default is to change
5483d916 4388 to UID of @DEFAULT_CACHE_EFFECTIVE_USER@.
64e288bd 4389 see also; cache_effective_group
e3d74828 4390DOC_END
4391
cccac0a2 4392NAME: cache_effective_group
4393TYPE: string
4394DEFAULT: none
4395LOC: Config.effectiveGroup
4396DOC_START
64e288bd 4397 Squid sets the GID to the effective user's default group ID
4398 (taken from the password file) and supplementary group list
4399 from the groups membership.
4400
e3d74828 4401 If you want Squid to run with a specific GID regardless of
4402 the group memberships of the effective user then set this
4403 to the group (or GID) you want Squid to run as. When set
64e288bd 4404 all other group privileges of the effective user are ignored
e3d74828 4405 and only this GID is effective. If Squid is not started as
64e288bd 4406 root the user starting Squid MUST be member of the specified
e3d74828 4407 group.
64e288bd 4408
4409 This option is not recommended by the Squid Team.
4410 Our preference is for administrators to configure a secure
4411 user account for squid with UID/GID matching system policies.
cccac0a2 4412DOC_END
4413
d3caee79 4414NAME: httpd_suppress_version_string
4415COMMENT: on|off
4416TYPE: onoff
4417DEFAULT: off
4418LOC: Config.onoff.httpd_suppress_version_string
4419DOC_START
4420 Suppress Squid version string info in HTTP headers and HTML error pages.
4421DOC_END
4422
cccac0a2 4423NAME: visible_hostname
4424TYPE: string
4425LOC: Config.visibleHostname
4426DEFAULT: none
4427DOC_START
4428 If you want to present a special hostname in error messages, etc,
7f7db318 4429 define this. Otherwise, the return value of gethostname()
cccac0a2 4430 will be used. If you have multiple caches in a cluster and
4431 get errors about IP-forwarding you must set them to have individual
4432 names with this setting.
4433DOC_END
4434
cccac0a2 4435NAME: unique_hostname
4436TYPE: string
4437LOC: Config.uniqueHostname
4438DEFAULT: none
4439DOC_START
4440 If you want to have multiple machines with the same
7f7db318 4441 'visible_hostname' you must give each machine a different
4442 'unique_hostname' so forwarding loops can be detected.
cccac0a2 4443DOC_END
4444
cccac0a2 4445NAME: hostname_aliases
4446TYPE: wordlist
4447LOC: Config.hostnameAliases
4448DEFAULT: none
4449DOC_START
7f7db318 4450 A list of other DNS names your cache has.
cccac0a2 4451DOC_END
0976f8db 4452
c642c141
AJ		 4453NAME: umask
4454TYPE: int
4455LOC: Config.umask
4456DEFAULT: 027
4457DOC_START
4458 Minimum umask which should be enforced while the proxy
4459 is running, in addition to the umask set at startup.
4460
4461 For a traditional octal representation of umasks, start
4462 your value with 0.
4463DOC_END
4464
cccac0a2 4465COMMENT_START
4466 OPTIONS FOR THE CACHE REGISTRATION SERVICE
4467 -----------------------------------------------------------------------------
4468
4469 This section contains parameters for the (optional) cache
4470 announcement service. This service is provided to help
4471 cache administrators locate one another in order to join or
4472 create cache hierarchies.
4473
4474 An 'announcement' message is sent (via UDP) to the registration
4475 service by Squid. By default, the announcement message is NOT
4476 SENT unless you enable it with 'announce_period' below.
4477
4478 The announcement message includes your hostname, plus the
4479 following information from this configuration file:
4480
4481 http_port
4482 icp_port
4483 cache_mgr
4484
4485 All current information is processed regularly and made
4486 available on the Web at http://www.ircache.net/Cache/Tracker/.
4487COMMENT_END
4488
4489NAME: announce_period
4490TYPE: time_t
4491LOC: Config.Announce.period
4492DEFAULT: 0
4493DOC_START
4494 This is how frequently to send cache announcements. The
4495 default is `0' which disables sending the announcement
4496 messages.
4497
e0855596 4498 To enable announcing your cache, just set an announce period.
cccac0a2 4499
e0855596
AJ		 4500 Example:
4501 announce_period 1 day
cccac0a2 4502DOC_END
4503
cccac0a2 4504NAME: announce_host
4505TYPE: string
4506DEFAULT: tracker.ircache.net
4507LOC: Config.Announce.host
4508DOC_NONE
4509
4510NAME: announce_file
4511TYPE: string
4512DEFAULT: none
4513LOC: Config.Announce.file
4514DOC_NONE
4515
4516NAME: announce_port
4517TYPE: ushort
4518DEFAULT: 3131
4519LOC: Config.Announce.port
4520DOC_START
4521 announce_host and announce_port set the hostname and port
4522 number where the registration message will be sent.
4523
4524 Hostname will default to 'tracker.ircache.net' and port will
4525 default default to 3131. If the 'filename' argument is given,
4526 the contents of that file will be included in the announce
4527 message.
4528DOC_END
4529
8d6275c0 4530COMMENT_START
4531 HTTPD-ACCELERATOR OPTIONS
4532 -----------------------------------------------------------------------------
4533COMMENT_END
4534
cccac0a2 4535NAME: httpd_accel_surrogate_id
cccac0a2 4536TYPE: string
b2b40d8c 4537DEFAULT: none
cccac0a2 4538LOC: Config.Accel.surrogate_id
cccac0a2 4539DOC_START
4540 Surrogates (http://www.esi.org/architecture_spec_1.0.html)
4541 need an identification token to allow control targeting. Because
4542 a farm of surrogates may all perform the same tasks, they may share
4543 an identification token.
b2b40d8c
AJ		 4544
4545 The default ID is the visible_hostname
cccac0a2 4546DOC_END
4547
4548NAME: http_accel_surrogate_remote
cccac0a2 4549COMMENT: on|off
4550TYPE: onoff
4551DEFAULT: off
4552LOC: Config.onoff.surrogate_is_remote
4553DOC_START
4554 Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
4555 Set this to on to have squid behave as a remote surrogate.
4556DOC_END
4557
4558NAME: esi_parser
f41735ea 4559IFDEF: USE_SQUID_ESI
964b44c3 4560COMMENT: libxml2|expat|custom
cccac0a2 4561TYPE: string
4562LOC: ESIParser::Type
4563DEFAULT: custom
4564DOC_START
4565 ESI markup is not strictly XML compatible. The custom ESI parser
4566 will give higher performance, but cannot handle non ASCII character
4567 encodings.
4568DOC_END
0976f8db 4569
9edd9041 4570COMMENT_START
8d6275c0 4571 DELAY POOL PARAMETERS
9edd9041 4572 -----------------------------------------------------------------------------
4573COMMENT_END
4574
4575NAME: delay_pools
4576TYPE: delay_pool_count
4577DEFAULT: 0
4578IFDEF: DELAY_POOLS
4579LOC: Config.Delay
4580DOC_START
4581 This represents the number of delay pools to be used. For example,
4582 if you have one class 2 delay pool and one class 3 delays pool, you
4583 have a total of 2 delay pools.
4584DOC_END
4585
4586NAME: delay_class
4587TYPE: delay_pool_class
4588DEFAULT: none
4589IFDEF: DELAY_POOLS
4590LOC: Config.Delay
4591DOC_START
4592 This defines the class of each delay pool. There must be exactly one
4593 delay_class line for each delay pool. For example, to define two
4594 delay pools, one of class 2 and one of class 3, the settings above
4595 and here would be:
4596
b1fb3348
AJ		 4597 Example:
4598 delay_pools 4 # 4 delay pools
4599 delay_class 1 2 # pool 1 is a class 2 pool
4600 delay_class 2 3 # pool 2 is a class 3 pool
4601 delay_class 3 4 # pool 3 is a class 4 pool
4602 delay_class 4 5 # pool 4 is a class 5 pool
9edd9041 4603
4604 The delay pool classes are:
4605
4606 class 1 Everything is limited by a single aggregate
4607 bucket.
4608
4609 class 2 Everything is limited by a single aggregate
4610 bucket as well as an "individual" bucket chosen
b1fb3348 4611 from bits 25 through 32 of the IPv4 address.
9edd9041 4612
4613 class 3 Everything is limited by a single aggregate
4614 bucket as well as a "network" bucket chosen
4615 from bits 17 through 24 of the IP address and a
4616 "individual" bucket chosen from bits 17 through
b1fb3348 4617 32 of the IPv4 address.
9edd9041 4618
4619 class 4 Everything in a class 3 delay pool, with an
4620 additional limit on a per user basis. This
4621 only takes effect if the username is established
4622 in advance - by forcing authentication in your
4623 http_access rules.
4624
4625 class 5 Requests are grouped according their tag (see
4626 external_acl's tag= reply).
4627
4628 NOTE: If an IP address is a.b.c.d
4629 -> bits 25 through 32 are "d"
4630 -> bits 17 through 24 are "c"
4631 -> bits 17 through 32 are "c * 256 + d"
b1fb3348
AJ		 4632
4633 NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
4634 IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
9edd9041 4635DOC_END
4636
4637NAME: delay_access
4638TYPE: delay_pool_access
4639DEFAULT: none
4640IFDEF: DELAY_POOLS
4641LOC: Config.Delay
4642DOC_START
4643 This is used to determine which delay pool a request falls into.
4644
4645 delay_access is sorted per pool and the matching starts with pool 1,
4646 then pool 2, ..., and finally pool N. The first delay pool where the
4647 request is allowed is selected for the request. If it does not allow
4648 the request to any pool then the request is not delayed (default).
4649
4650 For example, if you want some_big_clients in delay
4651 pool 1 and lotsa_little_clients in delay pool 2:
4652
4653Example:
4654 delay_access 1 allow some_big_clients
4655 delay_access 1 deny all
4656 delay_access 2 allow lotsa_little_clients
4657 delay_access 2 deny all
4658 delay_access 3 allow authenticated_clients
4659DOC_END
4660
4661NAME: delay_parameters
4662TYPE: delay_pool_rates
4663DEFAULT: none
4664IFDEF: DELAY_POOLS
4665LOC: Config.Delay
4666DOC_START
4667 This defines the parameters for a delay pool. Each delay pool has
4668 a number of "buckets" associated with it, as explained in the
4669 description of delay_class. For a class 1 delay pool, the syntax is:
4670
4671delay_parameters pool aggregate
4672
4673 For a class 2 delay pool:
4674
4675delay_parameters pool aggregate individual
4676
4677 For a class 3 delay pool:
4678
4679delay_parameters pool aggregate network individual
4680
4681 For a class 4 delay pool:
4682
4683delay_parameters pool aggregate network individual user
4684
4685 For a class 5 delay pool:
4686
4687delay_parameters pool tag
4688
4689 The variables here are:
4690
4691 pool a pool number - ie, a number between 1 and the
4692 number specified in delay_pools as used in
4693 delay_class lines.
4694
4695 aggregate the "delay parameters" for the aggregate bucket
4696 (class 1, 2, 3).
4697
4698 individual the "delay parameters" for the individual
4699 buckets (class 2, 3).
4700
4701 network the "delay parameters" for the network buckets
4702 (class 3).
4703
4704 user the delay parameters for the user buckets
4705 (class 4).
4706
4707 tag the delay parameters for the tag buckets
4708 (class 5).
4709
4710 A pair of delay parameters is written restore/maximum, where restore is
4711 the number of bytes (not bits - modem and network speeds are usually
4712 quoted in bits) per second placed into the bucket, and maximum is the
4713 maximum number of bytes which can be in the bucket at any time.
4714
4715 For example, if delay pool number 1 is a class 2 delay pool as in the
4716 above example, and is being used to strictly limit each host to 64kbps
4717 (plus overheads), with no overall limit, the line is:
4718
4719delay_parameters 1 -1/-1 8000/8000
4720
4721 Note that the figure -1 is used to represent "unlimited".
4722
4723 And, if delay pool number 2 is a class 3 delay pool as in the above
4724 example, and you want to limit it to a total of 256kbps (strict limit)
4725 with each 8-bit network permitted 64kbps (strict limit) and each
4726 individual host permitted 4800bps with a bucket maximum size of 64kb
4727 to permit a decent web page to be downloaded at a decent speed
4728 (if the network is not being limited due to overuse) but slow down
4729 large downloads more significantly:
4730
4731delay_parameters 2 32000/32000 8000/8000 600/8000
4732
4733 There must be one delay_parameters line for each delay pool.
4734
4735 Finally, for a class 4 delay pool as in the example - each user will
4736 be limited to 128Kb no matter how many workstations they are logged into.:
4737
4738delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
4739DOC_END
4740
4741NAME: delay_initial_bucket_level
4742COMMENT: (percent, 0-100)
4743TYPE: ushort
4744DEFAULT: 50
4745IFDEF: DELAY_POOLS
4746LOC: Config.Delay.initial
4747DOC_START
4748 The initial bucket percentage is used to determine how much is put
4749 in each bucket when squid starts, is reconfigured, or first notices
4750 a host accessing it (in class 2 and class 3, individual hosts and
4751 networks only have buckets associated with them once they have been
4752 "seen" by squid).
4753DOC_END
4754
cccac0a2 4755COMMENT_START
8d6275c0 4756 WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
cccac0a2 4757 -----------------------------------------------------------------------------
4758COMMENT_END
4759
8d6275c0 4760NAME: wccp_router
4761TYPE: address
4762LOC: Config.Wccp.router
0eb08770 4763DEFAULT: any_addr
8d6275c0 4764IFDEF: USE_WCCP
e313ab0a
AJ		 4765DOC_START
4766 Use this option to define your WCCP ``home'' router for
4767 Squid.
4768
4769 wccp_router supports a single WCCP(v1) router
4770
4771 wccp2_router supports multiple WCCPv2 routers
4772
4773 only one of the two may be used at the same time and defines
4774 which version of WCCP to use.
4775DOC_END
df2eec10 4776
8d6275c0 4777NAME: wccp2_router
9fb4efad 4778TYPE: IpAddress_list
8d6275c0 4779LOC: Config.Wccp2.router
cccac0a2 4780DEFAULT: none
8d6275c0 4781IFDEF: USE_WCCPv2
cccac0a2 4782DOC_START
8d6275c0 4783 Use this option to define your WCCP ``home'' router for
4784 Squid.
cccac0a2 4785
8d6275c0 4786 wccp_router supports a single WCCP(v1) router
cccac0a2 4787
8d6275c0 4788 wccp2_router supports multiple WCCPv2 routers
cccac0a2 4789
8d6275c0 4790 only one of the two may be used at the same time and defines
4791 which version of WCCP to use.
4792DOC_END
4793
4794NAME: wccp_version
cccac0a2 4795TYPE: int
8d6275c0 4796LOC: Config.Wccp.version
4797DEFAULT: 4
4798IFDEF: USE_WCCP
cccac0a2 4799DOC_START
8d6275c0 4800 This directive is only relevant if you need to set up WCCP(v1)
4801 to some very old and end-of-life Cisco routers. In all other
4802 setups it must be left unset or at the default setting.
4803 It defines an internal version in the WCCP(v1) protocol,
4804 with version 4 being the officially documented protocol.
cccac0a2 4805
8d6275c0 4806 According to some users, Cisco IOS 11.2 and earlier only
4807 support WCCP version 3. If you're using that or an earlier
4808 version of IOS, you may need to change this value to 3, otherwise
4809 do not specify this parameter.
cccac0a2 4810DOC_END
4811
8d6275c0 4812NAME: wccp2_rebuild_wait
4813TYPE: onoff
4814LOC: Config.Wccp2.rebuildwait
4815DEFAULT: on
4816IFDEF: USE_WCCPv2
4817DOC_START
4818 If this is enabled Squid will wait for the cache dir rebuild to finish
4819 before sending the first wccp2 HereIAm packet
4820DOC_END
cccac0a2 4821
8d6275c0 4822NAME: wccp2_forwarding_method
e313ab0a 4823TYPE: wccp2_method
8d6275c0 4824LOC: Config.Wccp2.forwarding_method
451c4786 4825DEFAULT: gre
8d6275c0 4826IFDEF: USE_WCCPv2
cccac0a2 4827DOC_START
699acd19 4828 WCCP2 allows the setting of forwarding methods between the
8d6275c0 4829 router/switch and the cache. Valid values are as follows:
cccac0a2 4830
451c4786
AJ		 4831 gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4832 l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
cccac0a2 4833
8d6275c0 4834 Currently (as of IOS 12.4) cisco routers only support GRE.
4835 Cisco switches only support the L2 redirect assignment method.
cccac0a2 4836DOC_END
4837
8d6275c0 4838NAME: wccp2_return_method
e313ab0a 4839TYPE: wccp2_method
8d6275c0 4840LOC: Config.Wccp2.return_method
451c4786 4841DEFAULT: gre
8d6275c0 4842IFDEF: USE_WCCPv2
cccac0a2 4843DOC_START
699acd19 4844 WCCP2 allows the setting of return methods between the
8d6275c0 4845 router/switch and the cache for packets that the cache
4846 decides not to handle. Valid values are as follows:
cccac0a2 4847
451c4786
AJ		 4848 gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4849 l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
cccac0a2 4850
8d6275c0 4851 Currently (as of IOS 12.4) cisco routers only support GRE.
4852 Cisco switches only support the L2 redirect assignment.
cccac0a2 4853
699acd19 4854 If the "ip wccp redirect exclude in" command has been
8d6275c0 4855 enabled on the cache interface, then it is still safe for
4856 the proxy server to use a l2 redirect method even if this
4857 option is set to GRE.
cccac0a2 4858DOC_END
4859
8d6275c0 4860NAME: wccp2_assignment_method
451c4786 4861TYPE: wccp2_amethod
8d6275c0 4862LOC: Config.Wccp2.assignment_method
451c4786 4863DEFAULT: hash
8d6275c0 4864IFDEF: USE_WCCPv2
cccac0a2 4865DOC_START
8d6275c0 4866 WCCP2 allows the setting of methods to assign the WCCP hash
4867 Valid values are as follows:
cccac0a2 4868
451c4786
AJ		 4869 hash - Hash assignment
4870 mask - Mask assignment
cccac0a2 4871
8d6275c0 4872 As a general rule, cisco routers support the hash assignment method
4873 and cisco switches support the mask assignment method.
4874DOC_END
cccac0a2 4875
8d6275c0 4876NAME: wccp2_service
4877TYPE: wccp2_service
4878LOC: Config.Wccp2.info
4879DEFAULT: none
4880DEFAULT_IF_NONE: standard 0
4881IFDEF: USE_WCCPv2
4882DOC_START
4883 WCCP2 allows for multiple traffic services. There are two
4884 types: "standard" and "dynamic". The standard type defines
4885 one service id - http (id 0). The dynamic service ids can be from
4886 51 to 255 inclusive. In order to use a dynamic service id
4887 one must define the type of traffic to be redirected; this is done
4888 using the wccp2_service_info option.
4889
4890 The "standard" type does not require a wccp2_service_info option,
4891 just specifying the service id will suffice.
4892
4893 MD5 service authentication can be enabled by adding
4894 "password=<password>" to the end of this service declaration.
4895
4896 Examples:
4897
4898 wccp2_service standard 0 # for the 'web-cache' standard service
4899 wccp2_service dynamic 80 # a dynamic service type which will be
4900 # fleshed out with subsequent options.
4901 wccp2_service standard 0 password=foo
8d6275c0 4902DOC_END
4903
4904NAME: wccp2_service_info
4905TYPE: wccp2_service_info
4906LOC: Config.Wccp2.info
4907DEFAULT: none
4908IFDEF: USE_WCCPv2
4909DOC_START
4910 Dynamic WCCPv2 services require further information to define the
4911 traffic you wish to have diverted.
4912
4913 The format is:
4914
4915 wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
4916 priority=<priority> ports=<port>,<port>..
4917
4918 The relevant WCCPv2 flags:
4919 + src_ip_hash, dst_ip_hash
005fe566 4920 + source_port_hash, dst_port_hash
8d6275c0 4921 + src_ip_alt_hash, dst_ip_alt_hash
4922 + src_port_alt_hash, dst_port_alt_hash
4923 + ports_source
4924
4925 The port list can be one to eight entries.
4926
4927 Example:
4928
4929 wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
4930 priority=240 ports=80
4931
4932 Note: the service id must have been defined by a previous
4933 'wccp2_service dynamic <id>' entry.
4934DOC_END
4935
4936NAME: wccp2_weight
4937TYPE: int
4938LOC: Config.Wccp2.weight
4939DEFAULT: 10000
4940IFDEF: USE_WCCPv2
4941DOC_START
4942 Each cache server gets assigned a set of the destination
4943 hash proportional to their weight.
4944DOC_END
4945
4946NAME: wccp_address
4947TYPE: address
4948LOC: Config.Wccp.address
4949DEFAULT: 0.0.0.0
4950IFDEF: USE_WCCP
4951DOC_NONE
df2eec10 4952
8d6275c0 4953NAME: wccp2_address
4954TYPE: address
4955LOC: Config.Wccp2.address
4956DEFAULT: 0.0.0.0
4957IFDEF: USE_WCCPv2
4958DOC_START
4959 Use this option if you require WCCP to use a specific
4960 interface address.
4961
4962 The default behavior is to not bind to any specific address.
4963DOC_END
4964
4965COMMENT_START
4966 PERSISTENT CONNECTION HANDLING
4967 -----------------------------------------------------------------------------
4968
4969 Also see "pconn_timeout" in the TIMEOUTS section
4970COMMENT_END
4971
4972NAME: client_persistent_connections
4973TYPE: onoff
4974LOC: Config.onoff.client_pconns
4975DEFAULT: on
4976DOC_NONE
4977
4978NAME: server_persistent_connections
4979TYPE: onoff
4980LOC: Config.onoff.server_pconns
4981DEFAULT: on
4982DOC_START
4983 Persistent connection support for clients and servers. By
4984 default, Squid uses persistent connections (when allowed)
4985 with its clients and servers. You can use these options to
4986 disable persistent connections with clients and/or servers.
4987DOC_END
4988
4989NAME: persistent_connection_after_error
4990TYPE: onoff
4991LOC: Config.onoff.error_pconns
0fccfb7f 4992DEFAULT: on
8d6275c0 4993DOC_START
4994 With this directive the use of persistent connections after
4995 HTTP errors can be disabled. Useful if you have clients
4996 who fail to handle errors on persistent connections proper.
4997DOC_END
4998
4999NAME: detect_broken_pconn
5000TYPE: onoff
5001LOC: Config.onoff.detect_broken_server_pconns
5002DEFAULT: off
5003DOC_START
5004 Some servers have been found to incorrectly signal the use
5005 of HTTP/1.0 persistent connections even on replies not
5006 compatible, causing significant delays. This server problem
5007 has mostly been seen on redirects.
5008
5009 By enabling this directive Squid attempts to detect such
5010 broken replies and automatically assume the reply is finished
5011 after 10 seconds timeout.
5012DOC_END
5013
5014COMMENT_START
5015 CACHE DIGEST OPTIONS
5016 -----------------------------------------------------------------------------
5017COMMENT_END
5018
5019NAME: digest_generation
5020IFDEF: USE_CACHE_DIGESTS
5021TYPE: onoff
5022LOC: Config.onoff.digest_generation
5023DEFAULT: on
5024DOC_START
5025 This controls whether the server will generate a Cache Digest
5026 of its contents. By default, Cache Digest generation is
13e917b5 5027 enabled if Squid is compiled with --enable-cache-digests defined.
8d6275c0 5028DOC_END
5029
5030NAME: digest_bits_per_entry
5031IFDEF: USE_CACHE_DIGESTS
5032TYPE: int
5033LOC: Config.digest.bits_per_entry
5034DEFAULT: 5
5035DOC_START
5036 This is the number of bits of the server's Cache Digest which
5037 will be associated with the Digest entry for a given HTTP
5038 Method and URL (public key) combination. The default is 5.
5039DOC_END
5040
5041NAME: digest_rebuild_period
5042IFDEF: USE_CACHE_DIGESTS
5043COMMENT: (seconds)
5044TYPE: time_t
5045LOC: Config.digest.rebuild_period
5046DEFAULT: 1 hour
5047DOC_START
749ceff8 5048 This is the wait time between Cache Digest rebuilds.
8d6275c0 5049DOC_END
5050
5051NAME: digest_rewrite_period
5052COMMENT: (seconds)
5053IFDEF: USE_CACHE_DIGESTS
5054TYPE: time_t
5055LOC: Config.digest.rewrite_period
5056DEFAULT: 1 hour
5057DOC_START
749ceff8 5058 This is the wait time between Cache Digest writes to
8d6275c0 5059 disk.
5060DOC_END
5061
5062NAME: digest_swapout_chunk_size
5063COMMENT: (bytes)
5064TYPE: b_size_t
5065IFDEF: USE_CACHE_DIGESTS
5066LOC: Config.digest.swapout_chunk_size
5067DEFAULT: 4096 bytes
5068DOC_START
5069 This is the number of bytes of the Cache Digest to write to
5070 disk at a time. It defaults to 4096 bytes (4KB), the Squid
5071 default swap page.
5072DOC_END
5073
5074NAME: digest_rebuild_chunk_percentage
5075COMMENT: (percent, 0-100)
5076IFDEF: USE_CACHE_DIGESTS
5077TYPE: int
5078LOC: Config.digest.rebuild_chunk_percentage
5079DEFAULT: 10
5080DOC_START
5081 This is the percentage of the Cache Digest to be scanned at a
5082 time. By default it is set to 10% of the Cache Digest.
5083DOC_END
5084
1db9eacd 5085COMMENT_START
5473c134 5086 SNMP OPTIONS
1db9eacd 5087 -----------------------------------------------------------------------------
5088COMMENT_END
5089
5473c134 5090NAME: snmp_port
5091TYPE: ushort
5092LOC: Config.Port.snmp
87630341 5093DEFAULT: 0
5473c134 5094IFDEF: SQUID_SNMP
8d6275c0 5095DOC_START
87630341 5096 The port number where Squid listens for SNMP requests. To enable
5097 SNMP support set this to a suitable port number. Port number
5098 3401 is often used for the Squid SNMP agent. By default it's
5099 set to "0" (disabled)
e0855596
AJ		 5100
5101 Example:
5102 snmp_port 3401
8d6275c0 5103DOC_END
5104
5473c134 5105NAME: snmp_access
5106TYPE: acl_access
5107LOC: Config.accessList.snmp
8d6275c0 5108DEFAULT: none
5473c134 5109DEFAULT_IF_NONE: deny all
5110IFDEF: SQUID_SNMP
8d6275c0 5111DOC_START
5473c134 5112 Allowing or denying access to the SNMP port.
8d6275c0 5113
5473c134 5114 All access to the agent is denied by default.
5115 usage:
8d6275c0 5116
5473c134 5117 snmp_access allow|deny [!]aclname ...
8d6275c0 5118
b3567eb5
FC		 5119 This clause only supports fast acl types.
5120 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
5473c134 5121Example:
5122 snmp_access allow snmppublic localhost
5123 snmp_access deny all
cccac0a2 5124DOC_END
5125
5473c134 5126NAME: snmp_incoming_address
5127TYPE: address
5128LOC: Config.Addrs.snmp_incoming
0eb08770 5129DEFAULT: any_addr
5473c134 5130IFDEF: SQUID_SNMP
5131DOC_NONE
df2eec10 5132
5473c134 5133NAME: snmp_outgoing_address
5134TYPE: address
5135LOC: Config.Addrs.snmp_outgoing
0eb08770 5136DEFAULT: no_addr
5473c134 5137IFDEF: SQUID_SNMP
cccac0a2 5138DOC_START
df2eec10 5139 Just like 'udp_incoming_address', but for the SNMP port.
cccac0a2 5140
5473c134 5141 snmp_incoming_address is used for the SNMP socket receiving
5142 messages from SNMP agents.
5143 snmp_outgoing_address is used for SNMP packets returned to SNMP
5144 agents.
cccac0a2 5145
0eb08770 5146 The default snmp_incoming_address is to listen on all
5473c134 5147 available network interfaces.
cccac0a2 5148
0eb08770
HN		 5149 If snmp_outgoing_address is not set it will use the same socket
5150 as snmp_incoming_address. Only change this if you want to have
5151 SNMP replies sent using another address than where this Squid
5152 listens for SNMP queries.
cccac0a2 5153
5473c134 5154 NOTE, snmp_incoming_address and snmp_outgoing_address can not have
5155 the same value since they both use port 3401.
cccac0a2 5156DOC_END
5157
5473c134 5158COMMENT_START
5159 ICP OPTIONS
5160 -----------------------------------------------------------------------------
5161COMMENT_END
5162
5163NAME: icp_port udp_port
5164TYPE: ushort
5165DEFAULT: 0
5166LOC: Config.Port.icp
cccac0a2 5167DOC_START
5473c134 5168 The port number where Squid sends and receives ICP queries to
5169 and from neighbor caches. The standard UDP port for ICP is 3130.
5170 Default is disabled (0).
e0855596
AJ		 5171
5172 Example:
5173 icp_port @DEFAULT_ICP_PORT@
cccac0a2 5174DOC_END
5175
5473c134 5176NAME: htcp_port
5177IFDEF: USE_HTCP
5178TYPE: ushort
87630341 5179DEFAULT: 0
5473c134 5180LOC: Config.Port.htcp
cccac0a2 5181DOC_START
5473c134 5182 The port number where Squid sends and receives HTCP queries to
87630341 5183 and from neighbor caches. To turn it on you want to set it to
5184 4827. By default it is set to "0" (disabled).
e0855596
AJ		 5185
5186 Example:
5187 htcp_port 4827
cccac0a2 5188DOC_END
5189
5190NAME: log_icp_queries
5191COMMENT: on|off
5192TYPE: onoff
5193DEFAULT: on
5194LOC: Config.onoff.log_udp
5195DOC_START
5196 If set, ICP queries are logged to access.log. You may wish
5197 do disable this if your ICP load is VERY high to speed things
5198 up or to simplify log analysis.
5199DOC_END
5200
5473c134 5201NAME: udp_incoming_address
5202TYPE: address
5203LOC:Config.Addrs.udp_incoming
0eb08770 5204DEFAULT: any_addr
8524d4b2 5205DOC_START
5206 udp_incoming_address is used for UDP packets received from other
5207 caches.
5208
5209 The default behavior is to not bind to any specific address.
5210
5211 Only change this if you want to have all UDP queries received on
5212 a specific interface/address.
5213
5214 NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
5215 modules. Altering it will affect all of them in the same manner.
5216
5217 see also; udp_outgoing_address
5218
5219 NOTE, udp_incoming_address and udp_outgoing_address can not
5220 have the same value since they both use the same port.
5221DOC_END
cccac0a2 5222
5473c134 5223NAME: udp_outgoing_address
5224TYPE: address
5225LOC: Config.Addrs.udp_outgoing
0eb08770 5226DEFAULT: no_addr
cccac0a2 5227DOC_START
8524d4b2 5228 udp_outgoing_address is used for UDP packets sent out to other
5473c134 5229 caches.
cccac0a2 5230
5473c134 5231 The default behavior is to not bind to any specific address.
cccac0a2 5232
8524d4b2 5233 Instead it will use the same socket as udp_incoming_address.
5234 Only change this if you want to have UDP queries sent using another
5235 address than where this Squid listens for UDP queries from other
5473c134 5236 caches.
5237
8524d4b2 5238 NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
5239 modules. Altering it will affect all of them in the same manner.
5240
5241 see also; udp_incoming_address
5242
5473c134 5243 NOTE, udp_incoming_address and udp_outgoing_address can not
8524d4b2 5244 have the same value since they both use the same port.
cccac0a2 5245DOC_END
5246
3d1e3e43 5247NAME: icp_hit_stale
5248COMMENT: on|off
5249TYPE: onoff
5250DEFAULT: off
5251LOC: Config.onoff.icp_hit_stale
5252DOC_START
5253 If you want to return ICP_HIT for stale cache objects, set this
5254 option to 'on'. If you have sibling relationships with caches
5255 in other administrative domains, this should be 'off'. If you only
5256 have sibling relationships with caches under your control,
5257 it is probably okay to set this to 'on'.
5258 If set to 'on', your siblings should use the option "allow-miss"
5259 on their cache_peer lines for connecting to you.
5260DOC_END
5261
5473c134 5262NAME: minimum_direct_hops
cccac0a2 5263TYPE: int
5473c134 5264DEFAULT: 4
5265LOC: Config.minDirectHops
cccac0a2 5266DOC_START
5473c134 5267 If using the ICMP pinging stuff, do direct fetches for sites
5268 which are no more than this many hops away.
cccac0a2 5269DOC_END
5270
5473c134 5271NAME: minimum_direct_rtt
5272TYPE: int
5273DEFAULT: 400
5274LOC: Config.minDirectRtt
cccac0a2 5275DOC_START
5473c134 5276 If using the ICMP pinging stuff, do direct fetches for sites
5277 which are no more than this many rtt milliseconds away.
cccac0a2 5278DOC_END
5279
cccac0a2 5280NAME: netdb_low
5281TYPE: int
5282DEFAULT: 900
5283LOC: Config.Netdb.low
5284DOC_NONE
5285
5286NAME: netdb_high
5287TYPE: int
5288DEFAULT: 1000
5289LOC: Config.Netdb.high
5290DOC_START
5291 The low and high water marks for the ICMP measurement
5292 database. These are counts, not percents. The defaults are
5293 900 and 1000. When the high water mark is reached, database
5294 entries will be deleted until the low mark is reached.
5295DOC_END
5296
cccac0a2 5297NAME: netdb_ping_period
5298TYPE: time_t
5299LOC: Config.Netdb.period
5300DEFAULT: 5 minutes
5301DOC_START
5302 The minimum period for measuring a site. There will be at
5303 least this much delay between successive pings to the same
5304 network. The default is five minutes.
5305DOC_END
5306
cccac0a2 5307NAME: query_icmp
5308COMMENT: on|off
5309TYPE: onoff
5310DEFAULT: off
5311LOC: Config.onoff.query_icmp
5312DOC_START
5313 If you want to ask your peers to include ICMP data in their ICP
5314 replies, enable this option.
5315
5316 If your peer has configured Squid (during compilation) with
7f7db318 5317 '--enable-icmp' that peer will send ICMP pings to origin server
5318 sites of the URLs it receives. If you enable this option the
cccac0a2 5319 ICP replies from that peer will include the ICMP data (if available).
5320 Then, when choosing a parent cache, Squid will choose the parent with
5321 the minimal RTT to the origin server. When this happens, the
5322 hierarchy field of the access.log will be
5323 "CLOSEST_PARENT_MISS". This option is off by default.
5324DOC_END
5325
5326NAME: test_reachability
5327COMMENT: on|off
5328TYPE: onoff
5329DEFAULT: off
5330LOC: Config.onoff.test_reachability
5331DOC_START
5332 When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
5333 instead of ICP_MISS if the target host is NOT in the ICMP
5334 database, or has a zero RTT.
5335DOC_END
5336
5473c134 5337NAME: icp_query_timeout
5338COMMENT: (msec)
5339DEFAULT: 0
5340TYPE: int
5341LOC: Config.Timeout.icp_query
4c3ef9b2 5342DOC_START
5473c134 5343 Normally Squid will automatically determine an optimal ICP
5344 query timeout value based on the round-trip-time of recent ICP
5345 queries. If you want to override the value determined by
5346 Squid, set this 'icp_query_timeout' to a non-zero value. This
5347 value is specified in MILLISECONDS, so, to use a 2-second
5348 timeout (the old default), you would write:
4c3ef9b2 5349
5473c134 5350 icp_query_timeout 2000
4c3ef9b2 5351DOC_END
5352
5473c134 5353NAME: maximum_icp_query_timeout
5354COMMENT: (msec)
5355DEFAULT: 2000
5356TYPE: int
5357LOC: Config.Timeout.icp_query_max
cccac0a2 5358DOC_START
5473c134 5359 Normally the ICP query timeout is determined dynamically. But
5360 sometimes it can lead to very large values (say 5 seconds).
5361 Use this option to put an upper limit on the dynamic timeout
5362 value. Do NOT use this option to always use a fixed (instead
5363 of a dynamic) timeout value. To set a fixed timeout see the
5364 'icp_query_timeout' directive.
cccac0a2 5365DOC_END
5366
5473c134 5367NAME: minimum_icp_query_timeout
5368COMMENT: (msec)
5369DEFAULT: 5
5370TYPE: int
5371LOC: Config.Timeout.icp_query_min
cccac0a2 5372DOC_START
5473c134 5373 Normally the ICP query timeout is determined dynamically. But
5374 sometimes it can lead to very small timeouts, even lower than
5375 the normal latency variance on your link due to traffic.
5376 Use this option to put an lower limit on the dynamic timeout
5377 value. Do NOT use this option to always use a fixed (instead
5378 of a dynamic) timeout value. To set a fixed timeout see the
5379 'icp_query_timeout' directive.
cccac0a2 5380DOC_END
5381
5473c134 5382NAME: background_ping_rate
5383COMMENT: time-units
5384TYPE: time_t
5385DEFAULT: 10 seconds
5386LOC: Config.backgroundPingRate
cccac0a2 5387DOC_START
5473c134 5388 Controls how often the ICP pings are sent to siblings that
5389 have background-ping set.
cccac0a2 5390DOC_END
5391
5473c134 5392COMMENT_START
5393 MULTICAST ICP OPTIONS
5394 -----------------------------------------------------------------------------
5395COMMENT_END
5396
5397NAME: mcast_groups
5398TYPE: wordlist
5399LOC: Config.mcast_group_list
8c01ada0 5400DEFAULT: none
5401DOC_START
5473c134 5402 This tag specifies a list of multicast groups which your server
5403 should join to receive multicasted ICP queries.
8c01ada0 5404
5473c134 5405 NOTE! Be very careful what you put here! Be sure you
5406 understand the difference between an ICP _query_ and an ICP
5407 _reply_. This option is to be set only if you want to RECEIVE
5408 multicast queries. Do NOT set this option to SEND multicast
5409 ICP (use cache_peer for that). ICP replies are always sent via
5410 unicast, so this option does not affect whether or not you will
5411 receive replies from multicast group members.
8c01ada0 5412
5473c134 5413 You must be very careful to NOT use a multicast address which
5414 is already in use by another group of caches.
8c01ada0 5415
5473c134 5416 If you are unsure about multicast, please read the Multicast
5417 chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
8c01ada0 5418
5473c134 5419 Usage: mcast_groups 239.128.16.128 224.0.1.20
8c01ada0 5420
5473c134 5421 By default, Squid doesn't listen on any multicast groups.
5422DOC_END
8c01ada0 5423
5473c134 5424NAME: mcast_miss_addr
5425IFDEF: MULTICAST_MISS_STREAM
5426TYPE: address
5427LOC: Config.mcast_miss.addr
0eb08770 5428DEFAULT: no_addr
5473c134 5429DOC_START
5430 If you enable this option, every "cache miss" URL will
5431 be sent out on the specified multicast address.
cccac0a2 5432
5473c134 5433 Do not enable this option unless you are are absolutely
5434 certain you understand what you are doing.
cccac0a2 5435DOC_END
5436
5473c134 5437NAME: mcast_miss_ttl
5438IFDEF: MULTICAST_MISS_STREAM
5439TYPE: ushort
5440LOC: Config.mcast_miss.ttl
5441DEFAULT: 16
cccac0a2 5442DOC_START
5473c134 5443 This is the time-to-live value for packets multicasted
5444 when multicasting off cache miss URLs is enabled. By
5445 default this is set to 'site scope', i.e. 16.
5446DOC_END
cccac0a2 5447
5473c134 5448NAME: mcast_miss_port
5449IFDEF: MULTICAST_MISS_STREAM
5450TYPE: ushort
5451LOC: Config.mcast_miss.port
5452DEFAULT: 3135
5453DOC_START
5454 This is the port number to be used in conjunction with
5455 'mcast_miss_addr'.
5456DOC_END
cccac0a2 5457
5473c134 5458NAME: mcast_miss_encode_key
5459IFDEF: MULTICAST_MISS_STREAM
5460TYPE: string
5461LOC: Config.mcast_miss.encode_key
5462DEFAULT: XXXXXXXXXXXXXXXX
5463DOC_START
5464 The URLs that are sent in the multicast miss stream are
5465 encrypted. This is the encryption key.
5466DOC_END
8c01ada0 5467
5473c134 5468NAME: mcast_icp_query_timeout
5469COMMENT: (msec)
5470DEFAULT: 2000
5471TYPE: int
5472LOC: Config.Timeout.mcast_icp_query
5473DOC_START
5474 For multicast peers, Squid regularly sends out ICP "probes" to
5475 count how many other peers are listening on the given multicast
5476 address. This value specifies how long Squid should wait to
5477 count all the replies. The default is 2000 msec, or 2
5478 seconds.
cccac0a2 5479DOC_END
5480
5473c134 5481COMMENT_START
5482 INTERNAL ICON OPTIONS
5483 -----------------------------------------------------------------------------
5484COMMENT_END
5485
cccac0a2 5486NAME: icon_directory
5487TYPE: string
5488LOC: Config.icons.directory
5489DEFAULT: @DEFAULT_ICON_DIR@
5490DOC_START
5491 Where the icons are stored. These are normally kept in
5492 @DEFAULT_ICON_DIR@
5493DOC_END
5494
f024c970 5495NAME: global_internal_static
5496TYPE: onoff
5497LOC: Config.onoff.global_internal_static
5498DEFAULT: on
5499DOC_START
5500 This directive controls is Squid should intercept all requests for
5501 /squid-internal-static/ no matter which host the URL is requesting
5502 (default on setting), or if nothing special should be done for
5503 such URLs (off setting). The purpose of this directive is to make
5504 icons etc work better in complex cache hierarchies where it may
5505 not always be possible for all corners in the cache mesh to reach
5506 the server generating a directory listing.
5507DOC_END
5508
5473c134 5509NAME: short_icon_urls
5510TYPE: onoff
5511LOC: Config.icons.use_short_names
5512DEFAULT: on
5513DOC_START
5514 If this is enabled Squid will use short URLs for icons.
5515 If disabled it will revert to the old behavior of including
5516 it's own name and port in the URL.
5517
5518 If you run a complex cache hierarchy with a mix of Squid and
5519 other proxies you may need to disable this directive.
5520DOC_END
5521
5522COMMENT_START
5523 ERROR PAGE OPTIONS
5524 -----------------------------------------------------------------------------
5525COMMENT_END
5526
5527NAME: error_directory
5528TYPE: string
5529LOC: Config.errorDirectory
43000484 5530DEFAULT: none
5473c134 5531DOC_START
5532 If you wish to create your own versions of the default
43000484
AJ		 5533 error files to customize them to suit your company copy
5534 the error/template files to another directory and point
5535 this tag at them.
5536
5537 WARNING: This option will disable multi-language support
5538 on error pages if used.
5473c134 5539
5540 The squid developers are interested in making squid available in
5541 a wide variety of languages. If you are making translations for a
43000484 5542 language that Squid does not currently provide please consider
5473c134 5543 contributing your translation back to the project.
43000484
AJ		 5544 http://wiki.squid-cache.org/Translations
5545
5546 The squid developers working on translations are happy to supply drop-in
5547 translated error files in exchange for any new language contributions.
5548DOC_END
5549
5550NAME: error_default_language
5551IFDEF: USE_ERR_LOCALES
5552TYPE: string
5553LOC: Config.errorDefaultLanguage
5554DEFAULT: none
5555DOC_START
5556 Set the default language which squid will send error pages in
5557 if no existing translation matches the clients language
5558 preferences.
5559
5560 If unset (default) generic English will be used.
5561
5562 The squid developers are interested in making squid available in
5563 a wide variety of languages. If you are interested in making
5564 translations for any language see the squid wiki for details.
5565 http://wiki.squid-cache.org/Translations
5473c134 5566DOC_END
5567
c411820c
AJ		 5568NAME: error_log_languages
5569IFDEF: USE_ERR_LOCALES
5570TYPE: onoff
5571LOC: Config.errorLogMissingLanguages
5572DEFAULT: on
5573DOC_START
5574 Log to cache.log what languages users are attempting to
5575 auto-negotiate for translations.
5576
5577 Successful negotiations are not logged. Only failures
5578 have meaning to indicate that Squid may need an upgrade
0c49f10e 5579 of its error page translations.
c411820c
AJ		 5580DOC_END
5581
5b52cb6c
AJ		 5582NAME: err_page_stylesheet
5583TYPE: string
5584LOC: Config.errorStylesheet
5585DEFAULT: @DEFAULT_CONFIG_DIR@/errorpage.css
5586DOC_START
5587 CSS Stylesheet to pattern the display of Squid default error pages.
5588
5589 For information on CSS see http://www.w3.org/Style/CSS/
5590DOC_END
5591
5473c134 5592NAME: err_html_text
5593TYPE: eol
5594LOC: Config.errHtmlText
5595DEFAULT: none
5596DOC_START
5597 HTML text to include in error messages. Make this a "mailto"
5598 URL to your admin address, or maybe just a link to your
5599 organizations Web page.
5600
5601 To include this in your error messages, you must rewrite
5602 the error template files (found in the "errors" directory).
5603 Wherever you want the 'err_html_text' line to appear,
5604 insert a %L tag in the error template file.
5605DOC_END
5606
5607NAME: email_err_data
5608COMMENT: on|off
5609TYPE: onoff
5610LOC: Config.onoff.emailErrData
5611DEFAULT: on
5612DOC_START
5613 If enabled, information about the occurred error will be
5614 included in the mailto links of the ERR pages (if %W is set)
5615 so that the email body contains the data.
5616 Syntax is <A HREF="mailto:%w%W">%w</A>
5617DOC_END
5618
5619NAME: deny_info
5620TYPE: denyinfo
5621LOC: Config.denyInfoList
5622DEFAULT: none
5623DOC_START
5624 Usage: deny_info err_page_name acl
5625 or deny_info http://... acl
43000484 5626 or deny_info TCP_RESET acl
5473c134 5627
5628 This can be used to return a ERR_ page for requests which
5629 do not pass the 'http_access' rules. Squid remembers the last
5630 acl it evaluated in http_access, and if a 'deny_info' line exists
5631 for that ACL Squid returns a corresponding error page.
5632
5633 The acl is typically the last acl on the http_access deny line which
5634 denied access. The exceptions to this rule are:
5635 - When Squid needs to request authentication credentials. It's then
5636 the first authentication related acl encountered
5637 - When none of the http_access lines matches. It's then the last
5638 acl processed on the last http_access line.
5639
43000484
AJ		 5640 NP: If providing your own custom error pages with error_directory
5641 you may also specify them by your custom file name:
5642 Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
5473c134 5643
5473c134 5644 Alternatively you can tell Squid to reset the TCP connection
5645 by specifying TCP_RESET.
15b02e9a
AJ		 5646
5647 Or you can specify an error URL or URL pattern. The browsers will
5648 get redirected (302) to the specified URL after formattgin tags have
5649 been replaced.
5650
5651 URL FORMAT TAGS:
5652 %a - username (if available. Password NOT included)
5653 %B - FTP path URL
5654 %e - Error number
5655 %E - Error description
5656 %h - Squid hostname
5657 %H - Request domain name
5658 %i - Client IP Address
5659 %M - Request Method
5660 %o - Message result from external ACL helper
5661 %p - Request Port number
5662 %P - Request Protocol name
5663 %R - Request URL path
5664 %T - Timestamp in RFC 1123 format
5665 %U - Full canonical URL from client
5666 (HTTPS URLs terminate with *)
5667 %u - Full canonical URL from client
5668 %w - Admin email from squid.conf
5669 %% - Literal percent (%) code
5670
5473c134 5671DOC_END
5672
5673COMMENT_START
5674 OPTIONS INFLUENCING REQUEST FORWARDING
5675 -----------------------------------------------------------------------------
5676COMMENT_END
5677
5678NAME: nonhierarchical_direct
e72a0ec0 5679TYPE: onoff
5473c134 5680LOC: Config.onoff.nonhierarchical_direct
e72a0ec0 5681DEFAULT: on
5682DOC_START
5473c134 5683 By default, Squid will send any non-hierarchical requests
5684 (matching hierarchy_stoplist or not cacheable request type) direct
5685 to origin servers.
e72a0ec0 5686
5473c134 5687 If you set this to off, Squid will prefer to send these
5688 requests to parents.
0b0cfcf2 5689
5473c134 5690 Note that in most configurations, by turning this off you will only
5691 add latency to these request without any improvement in global hit
5692 ratio.
0b0cfcf2 5693
5473c134 5694 If you are inside an firewall see never_direct instead of
5695 this directive.
8d6275c0 5696DOC_END
0b0cfcf2 5697
5473c134 5698NAME: prefer_direct
8d6275c0 5699TYPE: onoff
5473c134 5700LOC: Config.onoff.prefer_direct
8d6275c0 5701DEFAULT: off
5702DOC_START
5473c134 5703 Normally Squid tries to use parents for most requests. If you for some
5704 reason like it to first try going direct and only use a parent if
5705 going direct fails set this to on.
0b0cfcf2 5706
5473c134 5707 By combining nonhierarchical_direct off and prefer_direct on you
5708 can set up Squid to use a parent as a backup path if going direct
5709 fails.
5710
5711 Note: If you want Squid to use parents for all requests see
5712 the never_direct directive. prefer_direct only modifies how Squid
5713 acts on cacheable requests.
cccac0a2 5714DOC_END
5715
5473c134 5716NAME: always_direct
8d6275c0 5717TYPE: acl_access
5473c134 5718LOC: Config.accessList.AlwaysDirect
0b0cfcf2 5719DEFAULT: none
0b0cfcf2 5720DOC_START
5473c134 5721 Usage: always_direct allow|deny [!]aclname ...
0b0cfcf2 5722
5473c134 5723 Here you can use ACL elements to specify requests which should
5724 ALWAYS be forwarded by Squid to the origin servers without using
5725 any peers. For example, to always directly forward requests for
5726 local servers ignoring any parents or siblings you may have use
5727 something like:
0b0cfcf2 5728
5473c134 5729 acl local-servers dstdomain my.domain.net
5730 always_direct allow local-servers
0b0cfcf2 5731
5473c134 5732 To always forward FTP requests directly, use
f16fbc82 5733
5473c134 5734 acl FTP proto FTP
5735 always_direct allow FTP
cccac0a2 5736
5473c134 5737 NOTE: There is a similar, but opposite option named
5738 'never_direct'. You need to be aware that "always_direct deny
5739 foo" is NOT the same thing as "never_direct allow foo". You
5740 may need to use a deny rule to exclude a more-specific case of
5741 some other rule. Example:
8d6275c0 5742
5473c134 5743 acl local-external dstdomain external.foo.net
5744 acl local-servers dstdomain .foo.net
5745 always_direct deny local-external
5746 always_direct allow local-servers
8d6275c0 5747
5473c134 5748 NOTE: If your goal is to make the client forward the request
5749 directly to the origin server bypassing Squid then this needs
5750 to be done in the client configuration. Squid configuration
5751 can only tell Squid how Squid should fetch the object.
8d6275c0 5752
5473c134 5753 NOTE: This directive is not related to caching. The replies
5754 is cached as usual even if you use always_direct. To not cache
b3567eb5 5755 the replies see the 'cache' directive.
5473c134 5756
b3567eb5
FC		 5757 This clause supports both fast and slow acl types.
5758 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
cccac0a2 5759DOC_END
0976f8db 5760
5473c134 5761NAME: never_direct
5762TYPE: acl_access
5763LOC: Config.accessList.NeverDirect
5764DEFAULT: none
8d6275c0 5765DOC_START
5473c134 5766 Usage: never_direct allow|deny [!]aclname ...
5767
5768 never_direct is the opposite of always_direct. Please read
5769 the description for always_direct if you have not already.
5770
5771 With 'never_direct' you can use ACL elements to specify
5772 requests which should NEVER be forwarded directly to origin
5773 servers. For example, to force the use of a proxy for all
5774 requests, except those in your local domain use something like:
5775
5776 acl local-servers dstdomain .foo.net
5473c134 5777 never_direct deny local-servers
5778 never_direct allow all
5779
5780 or if Squid is inside a firewall and there are local intranet
5781 servers inside the firewall use something like:
5782
5783 acl local-intranet dstdomain .foo.net
5784 acl local-external dstdomain external.foo.net
5785 always_direct deny local-external
5786 always_direct allow local-intranet
5787 never_direct allow all
5788
b3567eb5
FC		 5789 This clause supports both fast and slow acl types.
5790 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
8d6275c0 5791DOC_END
0976f8db 5792
5473c134 5793COMMENT_START
5794 ADVANCED NETWORKING OPTIONS
5795 -----------------------------------------------------------------------------
5796COMMENT_END
5797
cccac0a2 5798NAME: incoming_icp_average
5799TYPE: int
5800DEFAULT: 6
5801LOC: Config.comm_incoming.icp_average
5802DOC_NONE
5803
5804NAME: incoming_http_average
5805TYPE: int
5806DEFAULT: 4
5807LOC: Config.comm_incoming.http_average
5808DOC_NONE
5809
5810NAME: incoming_dns_average
5811TYPE: int
5812DEFAULT: 4
5813LOC: Config.comm_incoming.dns_average
5814DOC_NONE
5815
5816NAME: min_icp_poll_cnt
5817TYPE: int
5818DEFAULT: 8
5819LOC: Config.comm_incoming.icp_min_poll
5820DOC_NONE
5821
5822NAME: min_dns_poll_cnt
5823TYPE: int
5824DEFAULT: 8
5825LOC: Config.comm_incoming.dns_min_poll
5826DOC_NONE
5827
5828NAME: min_http_poll_cnt
5829TYPE: int
5830DEFAULT: 8
5831LOC: Config.comm_incoming.http_min_poll
5832DOC_START
5473c134 5833 Heavy voodoo here. I can't even believe you are reading this.
5834 Are you crazy? Don't even think about adjusting these unless
5835 you understand the algorithms in comm_select.c first!
5836DOC_END
5837
5838NAME: accept_filter
5473c134 5839TYPE: string
5840DEFAULT: none
5841LOC: Config.accept_filter
5842DOC_START
0b4d4be5 5843 FreeBSD:
5844
5473c134 5845 The name of an accept(2) filter to install on Squid's
5846 listen socket(s). This feature is perhaps specific to
5847 FreeBSD and requires support in the kernel.
5848
5849 The 'httpready' filter delays delivering new connections
2324cda2 5850 to Squid until a full HTTP request has been received.
0b4d4be5 5851 See the accf_http(9) man page for details.
5852
5853 The 'dataready' filter delays delivering new connections
5854 to Squid until there is some data to process.
5855 See the accf_dataready(9) man page for details.
5856
5857 Linux:
5858
5859 The 'data' filter delays delivering of new connections
5860 to Squid until there is some data to process by TCP_ACCEPT_DEFER.
5861 You may optionally specify a number of seconds to wait by
5862 'data=N' where N is the number of seconds. Defaults to 30
5863 if not specified. See the tcp(7) man page for details.
5473c134 5864EXAMPLE:
0b4d4be5 5865# FreeBSD
5473c134 5866accept_filter httpready
0b4d4be5 5867# Linux
5868accept_filter data
5473c134 5869DOC_END
5870
ab2ecb0e
AJ		 5871NAME: client_ip_max_connections
5872TYPE: int
5873LOC: Config.client_ip_max_connections
5874DEFAULT: -1
5875DOC_START
5876 Set an absolute limit on the number of connections a single
5877 client IP can use. Any more than this and Squid will begin to drop
5878 new connections from the client until it closes some links.
5879
5880 Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
5881 connections from the client. For finer control use the ACL access controls.
5882
5883 Requires client_db to be enabled (the default).
5884
5885 WARNING: This may noticably slow down traffic received via external proxies
5886 or NAT devices and cause them to rebound error messages back to their clients.
5887DOC_END
5888
5473c134 5889NAME: tcp_recv_bufsize
5890COMMENT: (bytes)
5891TYPE: b_size_t
5892DEFAULT: 0 bytes
5893LOC: Config.tcpRcvBufsz
5894DOC_START
5895 Size of receive buffer to set for TCP sockets. Probably just
5896 as easy to change your kernel's default. Set to zero to use
5897 the default buffer size.
5898DOC_END
5899
5900COMMENT_START
5901 ICAP OPTIONS
5902 -----------------------------------------------------------------------------
5903COMMENT_END
5904
5905NAME: icap_enable
5906TYPE: onoff
5907IFDEF: ICAP_CLIENT
5908COMMENT: on|off
26cc52cb 5909LOC: Adaptation::Icap::TheConfig.onoff
5473c134 5910DEFAULT: off
5911DOC_START
53e738c6 5912 If you want to enable the ICAP module support, set this to on.
5473c134 5913DOC_END
5914
5915NAME: icap_connect_timeout
5916TYPE: time_t
5917DEFAULT: none
26cc52cb 5918LOC: Adaptation::Icap::TheConfig.connect_timeout_raw
5473c134 5919IFDEF: ICAP_CLIENT
5920DOC_START
5921 This parameter specifies how long to wait for the TCP connect to
5922 the requested ICAP server to complete before giving up and either
5923 terminating the HTTP transaction or bypassing the failure.
5924
5925 The default for optional services is peer_connect_timeout.
5926 The default for essential services is connect_timeout.
5927 If this option is explicitly set, its value applies to all services.
5928DOC_END
5929
5930NAME: icap_io_timeout
5931COMMENT: time-units
5932TYPE: time_t
5933DEFAULT: none
26cc52cb 5934LOC: Adaptation::Icap::TheConfig.io_timeout_raw
5473c134 5935IFDEF: ICAP_CLIENT
5936DOC_START
5937 This parameter specifies how long to wait for an I/O activity on
5938 an established, active ICAP connection before giving up and
5939 either terminating the HTTP transaction or bypassing the
5940 failure.
5941
5942 The default is read_timeout.
5943DOC_END
5944
5945NAME: icap_service_failure_limit
8277060a
CT		 5946COMMENT: limit [in memory-depth time-units]
5947TYPE: icap_service_failure_limit
5473c134 5948IFDEF: ICAP_CLIENT
8277060a 5949LOC: Adaptation::Icap::TheConfig
5473c134 5950DEFAULT: 10
5951DOC_START
5952 The limit specifies the number of failures that Squid tolerates
5953 when establishing a new TCP connection with an ICAP service. If
5954 the number of failures exceeds the limit, the ICAP service is
5955 not used for new ICAP requests until it is time to refresh its
8277060a 5956 OPTIONS.
5473c134 5957
5958 A negative value disables the limit. Without the limit, an ICAP
5959 service will not be considered down due to connectivity failures
5960 between ICAP OPTIONS requests.
8277060a
CT		 5961
5962 Squid forgets ICAP service failures older than the specified
5963 value of memory-depth. The memory fading algorithm
5964 is approximate because Squid does not remember individual
5965 errors but groups them instead, splitting the option
5966 value into ten time slots of equal length.
5967
5968 When memory-depth is 0 and by default this option has no
5969 effect on service failure expiration.
5970
5971 Squid always forgets failures when updating service settings
5972 using an ICAP OPTIONS transaction, regardless of this option
5973 setting.
5974
5975 For example,
5976 # suspend service usage after 10 failures in 5 seconds:
5977 icap_service_failure_limit 10 in 5 seconds
cccac0a2 5978DOC_END
5979
5473c134 5980NAME: icap_service_revival_delay
cccac0a2 5981TYPE: int
5473c134 5982IFDEF: ICAP_CLIENT
26cc52cb 5983LOC: Adaptation::Icap::TheConfig.service_revival_delay
5473c134 5984DEFAULT: 180
cccac0a2 5985DOC_START
5473c134 5986 The delay specifies the number of seconds to wait after an ICAP
5987 OPTIONS request failure before requesting the options again. The
5988 failed ICAP service is considered "down" until fresh OPTIONS are
5989 fetched.
cccac0a2 5990
5473c134 5991 The actual delay cannot be smaller than the hardcoded minimum
5992 delay of 30 seconds.
cccac0a2 5993DOC_END
5994
5473c134 5995NAME: icap_preview_enable
cccac0a2 5996TYPE: onoff
5473c134 5997IFDEF: ICAP_CLIENT
5998COMMENT: on|off
26cc52cb 5999LOC: Adaptation::Icap::TheConfig.preview_enable
ac7a62f9 6000DEFAULT: on
cccac0a2 6001DOC_START
ac7a62f9 6002 The ICAP Preview feature allows the ICAP server to handle the
6003 HTTP message by looking only at the beginning of the message body
6004 or even without receiving the body at all. In some environments,
6005 previews greatly speedup ICAP processing.
6006
6007 During an ICAP OPTIONS transaction, the server may tell Squid what
6008 HTTP messages should be previewed and how big the preview should be.
6009 Squid will not use Preview if the server did not request one.
6010
6011 To disable ICAP Preview for all ICAP services, regardless of
6012 individual ICAP server OPTIONS responses, set this option to "off".
6013Example:
6014icap_preview_enable off
cccac0a2 6015DOC_END
6016
5473c134 6017NAME: icap_preview_size
6018TYPE: int
6019IFDEF: ICAP_CLIENT
26cc52cb 6020LOC: Adaptation::Icap::TheConfig.preview_size
5473c134 6021DEFAULT: -1
cccac0a2 6022DOC_START
53e738c6 6023 The default size of preview data to be sent to the ICAP server.
6024 -1 means no preview. This value might be overwritten on a per server
6025 basis by OPTIONS requests.
cccac0a2 6026DOC_END
6027
83c51da9
CT		 6028NAME: icap_206_enable
6029TYPE: onoff
6030IFDEF: ICAP_CLIENT
6031COMMENT: on|off
6032LOC: Adaptation::Icap::TheConfig.allow206_enable
6033DEFAULT: on
6034DOC_START
6035 206 (Partial Content) responses is an ICAP extension that allows the
6036 ICAP agents to optionally combine adapted and original HTTP message
6037 content. The decision to combine is postponed until the end of the
6038 ICAP response. Squid supports Partial Content extension by default.
6039
6040 Activation of the Partial Content extension is negotiated with each
6041 ICAP service during OPTIONS exchange. Most ICAP servers should handle
6042 negotation correctly even if they do not support the extension, but
6043 some might fail. To disable Partial Content support for all ICAP
6044 services and to avoid any negotiation, set this option to "off".
6045
6046 Example:
6047 icap_206_enable off
6048DOC_END
6049
5473c134 6050NAME: icap_default_options_ttl
6051TYPE: int
6052IFDEF: ICAP_CLIENT
26cc52cb 6053LOC: Adaptation::Icap::TheConfig.default_options_ttl
5473c134 6054DEFAULT: 60
cccac0a2 6055DOC_START
53e738c6 6056 The default TTL value for ICAP OPTIONS responses that don't have
5473c134 6057 an Options-TTL header.
cccac0a2 6058DOC_END
6059
5473c134 6060NAME: icap_persistent_connections
6061TYPE: onoff
6062IFDEF: ICAP_CLIENT
6063COMMENT: on|off
26cc52cb 6064LOC: Adaptation::Icap::TheConfig.reuse_connections
5473c134 6065DEFAULT: on
cccac0a2 6066DOC_START
5473c134 6067 Whether or not Squid should use persistent connections to
6068 an ICAP server.
cccac0a2 6069DOC_END
6070
5473c134 6071NAME: icap_send_client_ip
6072TYPE: onoff
6073IFDEF: ICAP_CLIENT
6074COMMENT: on|off
26cc52cb 6075LOC: Adaptation::Icap::TheConfig.send_client_ip
5473c134 6076DEFAULT: off
cccac0a2 6077DOC_START
53e738c6 6078 This adds the header "X-Client-IP" to ICAP requests.
cccac0a2 6079DOC_END
6080
5473c134 6081NAME: icap_send_client_username
6082TYPE: onoff
6083IFDEF: ICAP_CLIENT
6084COMMENT: on|off
26cc52cb 6085LOC: Adaptation::Icap::TheConfig.send_client_username
5473c134 6086DEFAULT: off
cccac0a2 6087DOC_START
5473c134 6088 This sends authenticated HTTP client username (if available) to
6089 the ICAP service. The username value is encoded based on the
6090 icap_client_username_encode option and is sent using the header
6091 specified by the icap_client_username_header option.
cccac0a2 6092DOC_END
6093
5473c134 6094NAME: icap_client_username_header
cccac0a2 6095TYPE: string
5473c134 6096IFDEF: ICAP_CLIENT
26cc52cb 6097LOC: Adaptation::Icap::TheConfig.client_username_header
5473c134 6098DEFAULT: X-Client-Username
cccac0a2 6099DOC_START
5473c134 6100 ICAP request header name to use for send_client_username.
cccac0a2 6101DOC_END
6102
5473c134 6103NAME: icap_client_username_encode
cccac0a2 6104TYPE: onoff
5473c134 6105IFDEF: ICAP_CLIENT
6106COMMENT: on|off
26cc52cb 6107LOC: Adaptation::Icap::TheConfig.client_username_encode
5473c134 6108DEFAULT: off
cccac0a2 6109DOC_START
5473c134 6110 Whether to base64 encode the authenticated client username.
cccac0a2 6111DOC_END
6112
5473c134 6113NAME: icap_service
6114TYPE: icap_service_type
6115IFDEF: ICAP_CLIENT
26cc52cb 6116LOC: Adaptation::Icap::TheConfig
5473c134 6117DEFAULT: none
cccac0a2 6118DOC_START
a22e6cd3 6119 Defines a single ICAP service using the following format:
cccac0a2 6120
a22e6cd3 6121 icap_service service_name vectoring_point [options] service_url
7d90757b 6122
a22e6cd3
AR		 6123 service_name: ID
6124 an opaque identifier which must be unique in squid.conf
6125
6126 vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
f3db09e2 6127 This specifies at which point of transaction processing the
6128 ICAP service should be activated. *_postcache vectoring points
6129 are not yet supported.
a22e6cd3
AR		 6130
6131 service_url: icap://servername:port/servicepath
6132 ICAP server and service location.
6133
6134 ICAP does not allow a single service to handle both REQMOD and RESPMOD
6135 transactions. Squid does not enforce that requirement. You can specify
6136 services with the same service_url and different vectoring_points. You
6137 can even specify multiple identical services as long as their
6138 service_names differ.
6139
6140
6141 Service options are separated by white space. ICAP services support
6142 the following name=value options:
6143
6144 bypass=on|off|1|0
6145 If set to 'on' or '1', the ICAP service is treated as
6146 optional. If the service cannot be reached or malfunctions,
6147 Squid will try to ignore any errors and process the message as
6148 if the service was not enabled. No all ICAP errors can be
6149 bypassed. If set to 0, the ICAP service is treated as
6150 essential and all ICAP errors will result in an error page
6151 returned to the HTTP client.
6152
6153 Bypass is off by default: services are treated as essential.
6154
6155 routing=on|off|1|0
6156 If set to 'on' or '1', the ICAP service is allowed to
6157 dynamically change the current message adaptation plan by
6158 returning a chain of services to be used next. The services
6159 are specified using the X-Next-Services ICAP response header
6160 value, formatted as a comma-separated list of service names.
6161 Each named service should be configured in squid.conf and
6162 should have the same method and vectoring point as the current
6163 ICAP transaction. Services violating these rules are ignored.
6164 An empty X-Next-Services value results in an empty plan which
6165 ends the current adaptation.
6166
6167 Routing is not allowed by default: the ICAP X-Next-Services
6168 response header is ignored.
6169
e6713f4e
AJ		 6170 ipv6=on|off
6171 Only has effect on split-stack systems. The default on those systems
6172 is to use IPv4-only connections. When set to 'on' this option will
6173 make Squid use IPv6-only connections to contact this ICAP service.
6174
a22e6cd3
AR		 6175 Older icap_service format without optional named parameters is
6176 deprecated but supported for backward compatibility.
5473c134 6177
5473c134 6178Example:
a22e6cd3
AR		 6179icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod
6180icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod
cccac0a2 6181DOC_END
6182
5473c134 6183NAME: icap_class
6184TYPE: icap_class_type
6185IFDEF: ICAP_CLIENT
21a26d31 6186LOC: none
5473c134 6187DEFAULT: none
cccac0a2 6188DOC_START
a22e6cd3 6189 This deprecated option was documented to define an ICAP service
62c7f90e
AR		 6190 chain, even though it actually defined a set of similar, redundant
6191 services, and the chains were not supported.
5473c134 6192
62c7f90e 6193 To define a set of redundant services, please use the
a22e6cd3
AR		 6194 adaptation_service_set directive. For service chains, use
6195 adaptation_service_chain.
cccac0a2 6196DOC_END
6197
5473c134 6198NAME: icap_access
6199TYPE: icap_access_type
6200IFDEF: ICAP_CLIENT
21a26d31 6201LOC: none
cccac0a2 6202DEFAULT: none
cccac0a2 6203DOC_START
a22e6cd3 6204 This option is deprecated. Please use adaptation_access, which
62c7f90e
AR		 6205 has the same ICAP functionality, but comes with better
6206 documentation, and eCAP support.
cccac0a2 6207DOC_END
6208
57afc994
AR		 6209COMMENT_START
6210 eCAP OPTIONS
6211 -----------------------------------------------------------------------------
6212COMMENT_END
6213
21a26d31
AR		 6214NAME: ecap_enable
6215TYPE: onoff
6216IFDEF: USE_ECAP
6217COMMENT: on|off
574b508c 6218LOC: Adaptation::Ecap::TheConfig.onoff
21a26d31
AR		 6219DEFAULT: off
6220DOC_START
6221 Controls whether eCAP support is enabled.
6222DOC_END
6223
6224NAME: ecap_service
6225TYPE: ecap_service_type
6226IFDEF: USE_ECAP
574b508c 6227LOC: Adaptation::Ecap::TheConfig
21a26d31
AR		 6228DEFAULT: none
6229DOC_START
6230 Defines a single eCAP service
6231
6232 ecap_service servicename vectoring_point bypass service_url
6233
6234 vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
6235 This specifies at which point of transaction processing the
6236 eCAP service should be activated. *_postcache vectoring points
6237 are not yet supported.
6238 bypass = 1|0
6239 If set to 1, the eCAP service is treated as optional. If the
6240 service cannot be reached or malfunctions, Squid will try to
6241 ignore any errors and process the message as if the service
6242 was not enabled. No all eCAP errors can be bypassed.
6243 If set to 0, the eCAP service is treated as essential and all
6244 eCAP errors will result in an error page returned to the
6245 HTTP client.
6246 service_url = ecap://vendor/service_name?custom&cgi=style&parameters=optional
6247
6248Example:
6249ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
6250ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
6251DOC_END
6252
57afc994
AR		 6253NAME: loadable_modules
6254TYPE: wordlist
6255IFDEF: USE_LOADABLE_MODULES
6256LOC: Config.loadable_module_names
6257DEFAULT: none
6258DOC_START
6259 Instructs Squid to load the specified dynamic module(s) or activate
6260 preloaded module(s).
6261Example:
6262loadable_modules @DEFAULT_PREFIX@/lib/MinimalAdapter.so
6263DOC_END
6264
62c7f90e
AR		 6265COMMENT_START
6266 MESSAGE ADAPTATION OPTIONS
6267 -----------------------------------------------------------------------------
6268COMMENT_END
6269
6270NAME: adaptation_service_set
6271TYPE: adaptation_service_set_type
6272IFDEF: USE_ADAPTATION
6273LOC: none
6274DEFAULT: none
6275DOC_START
6276
a22e6cd3
AR		 6277 Configures an ordered set of similar, redundant services. This is
6278 useful when hot standby or backup adaptation servers are available.
6279
6280 adaptation_service_set set_name service_name1 service_name2 ...
6281
6282 The named services are used in the set declaration order. The first
6283 applicable adaptation service from the set is used first. The next
6284 applicable service is tried if and only if the transaction with the
6285 previous service fails and the message waiting to be adapted is still
6286 intact.
62c7f90e 6287
a22e6cd3
AR		 6288 When adaptation starts, broken services are ignored as if they were
6289 not a part of the set. A broken service is a down optional service.
62c7f90e 6290
a22e6cd3
AR		 6291 The services in a set must be attached to the same vectoring point
6292 (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
6293
6294 If all services in a set are optional then adaptation failures are
6295 bypassable. If all services in the set are essential, then a
6296 transaction failure with one service may still be retried using
6297 another service from the set, but when all services fail, the master
6298 transaction fails as well.
6299
6300 A set may contain a mix of optional and essential services, but that
6301 is likely to lead to surprising results because broken services become
6302 ignored (see above), making previously bypassable failures fatal.
6303 Technically, it is the bypassability of the last failed service that
6304 matters.
6305
6306 See also: adaptation_access adaptation_service_chain
62c7f90e
AR		 6307
6308Example:
6309adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
6310adaptation service_set svcLogger loggerLocal loggerRemote
6311DOC_END
6312
a22e6cd3
AR		 6313NAME: adaptation_service_chain
6314TYPE: adaptation_service_chain_type
6315IFDEF: USE_ADAPTATION
6316LOC: none
6317DEFAULT: none
6318DOC_START
6319
6320 Configures a list of complementary services that will be applied
6321 one-by-one, forming an adaptation chain or pipeline. This is useful
6322 when Squid must perform different adaptations on the same message.
6323
6324 adaptation_service_chain chain_name service_name1 svc_name2 ...
6325
6326 The named services are used in the chain declaration order. The first
6327 applicable adaptation service from the chain is used first. The next
6328 applicable service is applied to the successful adaptation results of
6329 the previous service in the chain.
6330
6331 When adaptation starts, broken services are ignored as if they were
6332 not a part of the chain. A broken service is a down optional service.
6333
6334 Request satisfaction terminates the adaptation chain because Squid
6335 does not currently allow declaration of RESPMOD services at the
6336 "reqmod_precache" vectoring point (see icap_service or ecap_service).
6337
6338 The services in a chain must be attached to the same vectoring point
6339 (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
6340
6341 A chain may contain a mix of optional and essential services. If an
6342 essential adaptation fails (or the failure cannot be bypassed for
6343 other reasons), the master transaction fails. Otherwise, the failure
6344 is bypassed as if the failed adaptation service was not in the chain.
6345
6346 See also: adaptation_access adaptation_service_set
6347
6348Example:
6349adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
6350DOC_END
6351
62c7f90e
AR		 6352NAME: adaptation_access
6353TYPE: adaptation_access_type
6354IFDEF: USE_ADAPTATION
6355LOC: none
6356DEFAULT: none
6357DOC_START
6358 Sends an HTTP transaction to an ICAP or eCAP adaptation service.
6359
6360 adaptation_access service_name allow|deny [!]aclname...
6361 adaptation_access set_name allow|deny [!]aclname...
6362
6363 At each supported vectoring point, the adaptation_access
6364 statements are processed in the order they appear in this
6365 configuration file. Statements pointing to the following services
6366 are ignored (i.e., skipped without checking their ACL):
6367
6368 - services serving different vectoring points
6369 - "broken-but-bypassable" services
6370 - "up" services configured to ignore such transactions
6371 (e.g., based on the ICAP Transfer-Ignore header).
6372
6373 When a set_name is used, all services in the set are checked
6374 using the same rules, to find the first applicable one. See
6375 adaptation_service_set for details.
6376
6377 If an access list is checked and there is a match, the
6378 processing stops: For an "allow" rule, the corresponding
6379 adaptation service is used for the transaction. For a "deny"
6380 rule, no adaptation service is activated.
6381
6382 It is currently not possible to apply more than one adaptation
6383 service at the same vectoring point to the same HTTP transaction.
6384
6385 See also: icap_service and ecap_service
6386
6387Example:
6388adaptation_access service_1 allow all
6389DOC_END
6390
a22e6cd3
AR		 6391NAME: adaptation_service_iteration_limit
6392TYPE: int
6393IFDEF: USE_ADAPTATION
6394LOC: Adaptation::Config::service_iteration_limit
6395DEFAULT: 16
6396DOC_START
6397 Limits the number of iterations allowed when applying adaptation
6398 services to a message. If your longest adaptation set or chain
6399 may have more than 16 services, increase the limit beyond its
6400 default value of 16. If detecting infinite iteration loops sooner
6401 is critical, make the iteration limit match the actual number
6402 of services in your longest adaptation set or chain.
6403
6404 Infinite adaptation loops are most likely with routing services.
6405
6406 See also: icap_service routing=1
6407DOC_END
6408
3ff65596
AR		 6409NAME: adaptation_masterx_shared_names
6410TYPE: string
6411IFDEF: USE_ADAPTATION
6412LOC: Adaptation::Config::masterx_shared_name
6413DEFAULT: none
6414DOC_START
6415 For each master transaction (i.e., the HTTP request and response
6416 sequence, including all related ICAP and eCAP exchanges), Squid
6417 maintains a table of metadata. The table entries are (name, value)
6418 pairs shared among eCAP and ICAP exchanges. The table is destroyed
6419 with the master transaction.
6420
6421 This option specifies the table entry names that Squid must accept
6422 from and forward to the adaptation transactions.
6423
6424 An ICAP REQMOD or RESPMOD transaction may set an entry in the
6425 shared table by returning an ICAP header field with a name
6426 specified in adaptation_masterx_shared_names. Squid will store
6427 and forward that ICAP header field to subsequent ICAP
6428 transactions within the same master transaction scope.
6429
6430 Only one shared entry name is supported at this time.
6431
6432Example:
6433# share authentication information among ICAP services
6434adaptation_masterx_shared_names X-Subscriber-ID
6435DOC_END
6436
6437NAME: icap_retry
6438TYPE: acl_access
6439IFDEF: ICAP_CLIENT
6440LOC: Adaptation::Icap::TheConfig.repeat
6441DEFAULT: none
6442DEFAULT_IF_NONE: deny all
6443DOC_START
6444 This ACL determines which retriable ICAP transactions are
6445 retried. Transactions that received a complete ICAP response
6446 and did not have to consume or produce HTTP bodies to receive
6447 that response are usually retriable.
6448
6449 icap_retry allow|deny [!]aclname ...
6450
6451 Squid automatically retries some ICAP I/O timeouts and errors
6452 due to persistent connection race conditions.
6453
6454 See also: icap_retry_limit
6455DOC_END
6456
6457NAME: icap_retry_limit
6458TYPE: int
6459IFDEF: ICAP_CLIENT
6460LOC: Adaptation::Icap::TheConfig.repeat_limit
6461DEFAULT: 0
6462DOC_START
6463 Limits the number of retries allowed. When set to zero (default),
6464 no retries are allowed.
6465
6466 Communication errors due to persistent connection race
6467 conditions are unavoidable, automatically retried, and do not
6468 count against this limit.
6469
6470 See also: icap_retry
6471DOC_END
6472
6473
5473c134 6474COMMENT_START
6475 DNS OPTIONS
6476 -----------------------------------------------------------------------------
6477COMMENT_END
6478
6479NAME: check_hostnames
cccac0a2 6480TYPE: onoff
cccac0a2 6481DEFAULT: off
5473c134 6482LOC: Config.onoff.check_hostnames
cccac0a2 6483DOC_START
5473c134 6484 For security and stability reasons Squid can check
6485 hostnames for Internet standard RFC compliance. If you want
6486 Squid to perform these checks turn this directive on.
cccac0a2 6487DOC_END
6488
5473c134 6489NAME: allow_underscore
cccac0a2 6490TYPE: onoff
cccac0a2 6491DEFAULT: on
5473c134 6492LOC: Config.onoff.allow_underscore
cccac0a2 6493DOC_START
5473c134 6494 Underscore characters is not strictly allowed in Internet hostnames
6495 but nevertheless used by many sites. Set this to off if you want
6496 Squid to be strict about the standard.
6497 This check is performed only when check_hostnames is set to on.
cccac0a2 6498DOC_END
6499
5473c134 6500NAME: cache_dns_program
cccac0a2 6501TYPE: string
5473c134 6502IFDEF: USE_DNSSERVERS
6503DEFAULT: @DEFAULT_DNSSERVER@
6504LOC: Config.Program.dnsserver
cccac0a2 6505DOC_START
5473c134 6506 Specify the location of the executable for dnslookup process.
cccac0a2 6507DOC_END
6508
5473c134 6509NAME: dns_children
48d54e4d 6510TYPE: HelperChildConfig
5473c134 6511IFDEF: USE_DNSSERVERS
48d54e4d 6512DEFAULT: 32 startup=1 idle=1
5473c134 6513LOC: Config.dnsChildren
58850d15 6514DOC_START
48d54e4d
AJ		 6515 The maximum number of processes spawn to service DNS name lookups.
6516 If you limit it too few Squid will have to wait for them to process
6517 a backlog of requests, slowing it down. If you allow too many they
6518 will use RAM and other system resources noticably.
6519 The maximum this may be safely set to is 32.
6520
6521 The startup= and idle= options allow some measure of skew in your
6522 tuning.
6523
6524 startup=
6525
6526 Sets a minimum of how many processes are to be spawned when Squid
6527 starts or reconfigures. When set to zero the first request will
6528 cause spawning of the first child process to handle it.
6529
6530 Starting too few will cause an initial slowdown in traffic as Squid
6531 attempts to simultaneously spawn enough processes to cope.
6532
6533 idle=
6534
6535 Sets a minimum of how many processes Squid is to try and keep available
6536 at all times. When traffic begins to rise above what the existing
6537 processes can handle this many more will be spawned up to the maximum
6538 configured. A minimum setting of 1 is required.
58850d15 6539DOC_END
6540
5473c134 6541NAME: dns_retransmit_interval
6542TYPE: time_t
6543DEFAULT: 5 seconds
6544LOC: Config.Timeout.idns_retransmit
6545IFDEF: !USE_DNSSERVERS
cccac0a2 6546DOC_START
5473c134 6547 Initial retransmit interval for DNS queries. The interval is
6548 doubled each time all configured DNS servers have been tried.
cccac0a2 6549DOC_END
6550
5473c134 6551NAME: dns_timeout
6552TYPE: time_t
6553DEFAULT: 2 minutes
6554LOC: Config.Timeout.idns_query
6555IFDEF: !USE_DNSSERVERS
cccac0a2 6556DOC_START
5473c134 6557 DNS Query timeout. If no response is received to a DNS query
6558 within this time all DNS servers for the queried domain
6559 are assumed to be unavailable.
cccac0a2 6560DOC_END
6561
5473c134 6562NAME: dns_defnames
6563COMMENT: on|off
cccac0a2 6564TYPE: onoff
cccac0a2 6565DEFAULT: off
5473c134 6566LOC: Config.onoff.res_defnames
cccac0a2 6567DOC_START
5473c134 6568 Normally the RES_DEFNAMES resolver option is disabled
6569 (see res_init(3)). This prevents caches in a hierarchy
6570 from interpreting single-component hostnames locally. To allow
6571 Squid to handle single-component names, enable this option.
cccac0a2 6572DOC_END
6573
5473c134 6574NAME: dns_nameservers
6575TYPE: wordlist
6576DEFAULT: none
6577LOC: Config.dns_nameservers
cccac0a2 6578DOC_START
5473c134 6579 Use this if you want to specify a list of DNS name servers
6580 (IP addresses) to use instead of those given in your
6581 /etc/resolv.conf file.
6582 On Windows platforms, if no value is specified here or in
6583 the /etc/resolv.conf file, the list of DNS name servers are
6584 taken from the Windows registry, both static and dynamic DHCP
6585 configurations are supported.
cccac0a2 6586
5473c134 6587 Example: dns_nameservers 10.0.0.1 192.172.0.4
cccac0a2 6588DOC_END
6589
5473c134 6590NAME: hosts_file
cccac0a2 6591TYPE: string
5473c134 6592DEFAULT: @DEFAULT_HOSTS@
6593LOC: Config.etcHostsPath
cccac0a2 6594DOC_START
5473c134 6595 Location of the host-local IP name-address associations
6596 database. Most Operating Systems have such a file on different
6597 default locations:
6598 - Un*X & Linux: /etc/hosts
6599 - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
6600 (%SystemRoot% value install default is c:\winnt)
6601 - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
6602 (%SystemRoot% value install default is c:\windows)
6603 - Windows 9x/Me: %windir%\hosts
6604 (%windir% value is usually c:\windows)
6605 - Cygwin: /etc/hosts
cccac0a2 6606
5473c134 6607 The file contains newline-separated definitions, in the
6608 form ip_address_in_dotted_form name [name ...] names are
6609 whitespace-separated. Lines beginning with an hash (#)
6610 character are comments.
cccac0a2 6611
5473c134 6612 The file is checked at startup and upon configuration.
6613 If set to 'none', it won't be checked.
6614 If append_domain is used, that domain will be added to
6615 domain-local (i.e. not containing any dot character) host
6616 definitions.
cccac0a2 6617DOC_END
6618
5473c134 6619NAME: append_domain
6620TYPE: string
6621LOC: Config.appendDomain
6622DEFAULT: none
6a2f3fcf 6623DOC_START
5473c134 6624 Appends local domain name to hostnames without any dots in
6625 them. append_domain must begin with a period.
6626
6627 Be warned there are now Internet names with no dots in
6628 them using only top-domain names, so setting this may
6629 cause some Internet sites to become unavailable.
6630
6631Example:
6632 append_domain .yourdomain.com
6a2f3fcf 6633DOC_END
6634
5473c134 6635NAME: ignore_unknown_nameservers
6636TYPE: onoff
6637LOC: Config.onoff.ignore_unknown_nameservers
df6fd596 6638DEFAULT: on
6639DOC_START
5473c134 6640 By default Squid checks that DNS responses are received
6641 from the same IP addresses they are sent to. If they
6642 don't match, Squid ignores the response and writes a warning
6643 message to cache.log. You can allow responses from unknown
6644 nameservers by setting this option to 'off'.
df6fd596 6645DOC_END
6646
cc192b50 6647NAME: dns_v4_fallback
6648TYPE: onoff
6649DEFAULT: on
6650LOC: Config.onoff.dns_require_A
6651DOC_START
6652 Standard practice with DNS is to lookup either A or AAAA records
6653 and use the results if it succeeds. Only looking up the other if
6654 the first attempt fails or otherwise produces no results.
6655
6656 That policy however will cause squid to produce error pages for some
6657 servers that advertise AAAA but are unreachable over IPv6.
6658
6659 If this is ON squid will always lookup both AAAA and A, using both.
6660 If this is OFF squid will lookup AAAA and only try A if none found.
6661
6662 WARNING: There are some possibly unwanted side-effects with this on:
6663 *) Doubles the load placed by squid on the DNS network.
6664 *) May negatively impact connection delay times.
6665DOC_END
6666
6bc15a4f 6667NAME: ipcache_size
6668COMMENT: (number of entries)
6669TYPE: int
6670DEFAULT: 1024
6671LOC: Config.ipcache.size
6672DOC_NONE
6673
6674NAME: ipcache_low
6675COMMENT: (percent)
6676TYPE: int
6677DEFAULT: 90
6678LOC: Config.ipcache.low
6679DOC_NONE
6680
6681NAME: ipcache_high
6682COMMENT: (percent)
6683TYPE: int
6684DEFAULT: 95
6685LOC: Config.ipcache.high
6686DOC_START
6687 The size, low-, and high-water marks for the IP cache.
6688DOC_END
6689
6690NAME: fqdncache_size
6691COMMENT: (number of entries)
6692TYPE: int
6693DEFAULT: 1024
6694LOC: Config.fqdncache.size
6695DOC_START
6696 Maximum number of FQDN cache entries.
6697DOC_END
6698
a58ff010 6699COMMENT_START
5473c134 6700 MISCELLANEOUS
a58ff010 6701 -----------------------------------------------------------------------------
6702COMMENT_END
6703
5473c134 6704NAME: memory_pools
a58ff010 6705COMMENT: on|off
5473c134 6706TYPE: onoff
6707DEFAULT: on
6708LOC: Config.onoff.mem_pools
a58ff010 6709DOC_START
5473c134 6710 If set, Squid will keep pools of allocated (but unused) memory
6711 available for future use. If memory is a premium on your
6712 system and you believe your malloc library outperforms Squid
6713 routines, disable this.
a58ff010 6714DOC_END
6715
5473c134 6716NAME: memory_pools_limit
6717COMMENT: (bytes)
70be1349 6718TYPE: b_int64_t
5473c134 6719DEFAULT: 5 MB
6720LOC: Config.MemPools.limit
ec1245f8 6721DOC_START
5473c134 6722 Used only with memory_pools on:
6723 memory_pools_limit 50 MB
ec1245f8 6724
5473c134 6725 If set to a non-zero value, Squid will keep at most the specified
6726 limit of allocated (but unused) memory in memory pools. All free()
6727 requests that exceed this limit will be handled by your malloc
6728 library. Squid does not pre-allocate any memory, just safe-keeps
6729 objects that otherwise would be free()d. Thus, it is safe to set
6730 memory_pools_limit to a reasonably high value even if your
6731 configuration will use less memory.
ec1245f8 6732
89646bd7 6733 If set to none, Squid will keep all memory it can. That is, there
5473c134 6734 will be no limit on the total amount of memory used for safe-keeping.
ec1245f8 6735
5473c134 6736 To disable memory allocation optimization, do not set
70be1349 6737 memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
5473c134 6738
6739 An overhead for maintaining memory pools is not taken into account
6740 when the limit is checked. This overhead is close to four bytes per
6741 object kept. However, pools may actually _save_ memory because of
6742 reduced memory thrashing in your malloc library.
ec1245f8 6743DOC_END
6744
5473c134 6745NAME: forwarded_for
67c06f0d
AJ		 6746COMMENT: on|off|transparent|truncate|delete
6747TYPE: string
5473c134 6748DEFAULT: on
6749LOC: opt_forwarded_for
5f8252d2 6750DOC_START
67c06f0d
AJ		 6751 If set to "on", Squid will append your client's IP address
6752 in the HTTP requests it forwards. By default it looks like:
5f8252d2 6753
5473c134 6754 X-Forwarded-For: 192.1.2.3
6755
67c06f0d 6756 If set to "off", it will appear as
5473c134 6757
6758 X-Forwarded-For: unknown
67c06f0d
AJ		 6759
6760 If set to "transparent", Squid will not alter the
6761 X-Forwarded-For header in any way.
6762
6763 If set to "delete", Squid will delete the entire
6764 X-Forwarded-For header.
6765
6766 If set to "truncate", Squid will remove all existing
6767 X-Forwarded-For entries, and place itself as the sole entry.
5f8252d2 6768DOC_END
6769
5473c134 6770NAME: cachemgr_passwd
6771TYPE: cachemgrpasswd
6772DEFAULT: none
6773LOC: Config.passwd_list
5f8252d2 6774DOC_START
5473c134 6775 Specify passwords for cachemgr operations.
5f8252d2 6776
5473c134 6777 Usage: cachemgr_passwd password action action ...
6778
6779 Some valid actions are (see cache manager menu for a full list):
6780 5min
6781 60min
6782 asndb
6783 authenticator
6784 cbdata
6785 client_list
6786 comm_incoming
6787 config *
6788 counters
6789 delay
6790 digest_stats
6791 dns
6792 events
6793 filedescriptors
6794 fqdncache
6795 histograms
6796 http_headers
6797 info
6798 io
6799 ipcache
6800 mem
6801 menu
6802 netdb
6803 non_peers
6804 objects
6805 offline_toggle *
6806 pconn
6807 peer_select
b360c477 6808 reconfigure *
5473c134 6809 redirector
6810 refresh
6811 server_list
6812 shutdown *
6813 store_digest
6814 storedir
6815 utilization
6816 via_headers
6817 vm_objects
6818
6819 * Indicates actions which will not be performed without a
6820 valid password, others can be performed if not listed here.
6821
6822 To disable an action, set the password to "disable".
6823 To allow performing an action without a password, set the
6824 password to "none".
6825
6826 Use the keyword "all" to set the same password for all actions.
6827
6828Example:
6829 cachemgr_passwd secret shutdown
6830 cachemgr_passwd lesssssssecret info stats/objects
6831 cachemgr_passwd disable all
5f8252d2 6832DOC_END
6833
5473c134 6834NAME: client_db
a58ff010 6835COMMENT: on|off
5473c134 6836TYPE: onoff
6837DEFAULT: on
6838LOC: Config.onoff.client_db
a58ff010 6839DOC_START
5473c134 6840 If you want to disable collecting per-client statistics,
6841 turn off client_db here.
a58ff010 6842DOC_END
6843
5473c134 6844NAME: refresh_all_ims
6845COMMENT: on|off
6846TYPE: onoff
6847DEFAULT: off
6848LOC: Config.onoff.refresh_all_ims
a58ff010 6849DOC_START
5473c134 6850 When you enable this option, squid will always check
6851 the origin server for an update when a client sends an
6852 If-Modified-Since request. Many browsers use IMS
6853 requests when the user requests a reload, and this
6854 ensures those clients receive the latest version.
a58ff010 6855
5473c134 6856 By default (off), squid may return a Not Modified response
6857 based on the age of the cached version.
78e8cfc4 6858DOC_END
6859
5473c134 6860NAME: reload_into_ims
626096be 6861IFDEF: USE_HTTP_VIOLATIONS
12b91c99 6862COMMENT: on|off
5473c134 6863TYPE: onoff
6864DEFAULT: off
6865LOC: Config.onoff.reload_into_ims
12b91c99 6866DOC_START
5473c134 6867 When you enable this option, client no-cache or ``reload''
6868 requests will be changed to If-Modified-Since requests.
6869 Doing this VIOLATES the HTTP standard. Enabling this
6870 feature could make you liable for problems which it
6871 causes.
6872
6873 see also refresh_pattern for a more selective approach.
12b91c99 6874DOC_END
6875
5473c134 6876NAME: maximum_single_addr_tries
6877TYPE: int
6878LOC: Config.retry.maxtries
6879DEFAULT: 1
a58ff010 6880DOC_START
5473c134 6881 This sets the maximum number of connection attempts for a
6882 host that only has one address (for multiple-address hosts,
6883 each address is tried once).
6884
6885 The default value is one attempt, the (not recommended)
6886 maximum is 255 tries. A warning message will be generated
6887 if it is set to a value greater than ten.
6888
6889 Note: This is in addition to the request re-forwarding which
6890 takes place if Squid fails to get a satisfying response.
a58ff010 6891DOC_END
6892
5473c134 6893NAME: retry_on_error
a58ff010 6894TYPE: onoff
5473c134 6895LOC: Config.retry.onerror
a58ff010 6896DEFAULT: off
6897DOC_START
5473c134 6898 If set to on Squid will automatically retry requests when
6899 receiving an error response. This is mainly useful if you
6900 are in a complex cache hierarchy to work around access
6901 control errors.
5f8252d2 6902DOC_END
6903
5473c134 6904NAME: as_whois_server
5f8252d2 6905TYPE: string
5473c134 6906LOC: Config.as_whois_server
6907DEFAULT: whois.ra.net
6908DEFAULT_IF_NONE: whois.ra.net
5f8252d2 6909DOC_START
5473c134 6910 WHOIS server to query for AS numbers. NOTE: AS numbers are
6911 queried only when Squid starts up, not for every request.
5f8252d2 6912DOC_END
6913
5473c134 6914NAME: offline_mode
5f8252d2 6915TYPE: onoff
5473c134 6916LOC: Config.onoff.offline
5f8252d2 6917DEFAULT: off
6918DOC_START
5473c134 6919 Enable this option and Squid will never try to validate cached
6920 objects.
a58ff010 6921DOC_END
6922
5473c134 6923NAME: uri_whitespace
6924TYPE: uri_whitespace
6925LOC: Config.uri_whitespace
6926DEFAULT: strip
a58ff010 6927DOC_START
5473c134 6928 What to do with requests that have whitespace characters in the
6929 URI. Options:
a58ff010 6930
5473c134 6931 strip: The whitespace characters are stripped out of the URL.
6932 This is the behavior recommended by RFC2396.
6933 deny: The request is denied. The user receives an "Invalid
6934 Request" message.
6935 allow: The request is allowed and the URI is not changed. The
6936 whitespace characters remain in the URI. Note the
6937 whitespace is passed to redirector processes if they
6938 are in use.
6939 encode: The request is allowed and the whitespace characters are
6940 encoded according to RFC1738. This could be considered
6941 a violation of the HTTP/1.1
6942 RFC because proxies are not allowed to rewrite URI's.
6943 chop: The request is allowed and the URI is chopped at the
6944 first whitespace. This might also be considered a
6945 violation.
6946DOC_END
a58ff010 6947
5473c134 6948NAME: chroot
6949TYPE: string
6950LOC: Config.chroot_dir
a58ff010 6951DEFAULT: none
6952DOC_START
9f37c18a 6953 Specifies a directory where Squid should do a chroot() while
2d89f399
HN		 6954 initializing. This also causes Squid to fully drop root
6955 privileges after initializing. This means, for example, if you
6956 use a HTTP port less than 1024 and try to reconfigure, you may
6957 get an error saying that Squid can not open the port.
5473c134 6958DOC_END
a58ff010 6959
5473c134 6960NAME: balance_on_multiple_ip
6961TYPE: onoff
6962LOC: Config.onoff.balance_on_multiple_ip
cc192b50 6963DEFAULT: off
5473c134 6964DOC_START
cc192b50 6965 Modern IP resolvers in squid sort lookup results by preferred access.
6966 By default squid will use these IP in order and only rotates to
6967 the next listed when the most preffered fails.
6968
5473c134 6969 Some load balancing servers based on round robin DNS have been
6970 found not to preserve user session state across requests
6971 to different IP addresses.
a58ff010 6972
cc192b50 6973 Enabling this directive Squid rotates IP's per request.
a58ff010 6974DOC_END
6975
5473c134 6976NAME: pipeline_prefetch
6977TYPE: onoff
6978LOC: Config.onoff.pipeline_prefetch
6979DEFAULT: off
a58ff010 6980DOC_START
5473c134 6981 To boost the performance of pipelined requests to closer
6982 match that of a non-proxied environment Squid can try to fetch
6983 up to two requests in parallel from a pipeline.
a58ff010 6984
5473c134 6985 Defaults to off for bandwidth management and access logging
6986 reasons.
6987DOC_END
a58ff010 6988
5473c134 6989NAME: high_response_time_warning
6990TYPE: int
6991COMMENT: (msec)
6992LOC: Config.warnings.high_rptm
6993DEFAULT: 0
6994DOC_START
6995 If the one-minute median response time exceeds this value,
6996 Squid prints a WARNING with debug level 0 to get the
6997 administrators attention. The value is in milliseconds.
a58ff010 6998DOC_END
6999
5473c134 7000NAME: high_page_fault_warning
7001TYPE: int
7002LOC: Config.warnings.high_pf
7003DEFAULT: 0
cc9f92d4 7004DOC_START
5473c134 7005 If the one-minute average page fault rate exceeds this
7006 value, Squid prints a WARNING with debug level 0 to get
7007 the administrators attention. The value is in page faults
7008 per second.
7009DOC_END
cc9f92d4 7010
5473c134 7011NAME: high_memory_warning
7012TYPE: b_size_t
7013LOC: Config.warnings.high_memory
904971da 7014DEFAULT: 0 KB
5473c134 7015DOC_START
7016 If the memory usage (as determined by mallinfo) exceeds
904971da 7017 this amount, Squid prints a WARNING with debug level 0 to get
5473c134 7018 the administrators attention.
7019DOC_END
cc9f92d4 7020
5473c134 7021NAME: sleep_after_fork
7022COMMENT: (microseconds)
7023TYPE: int
7024LOC: Config.sleep_after_fork
7025DEFAULT: 0
7026DOC_START
7027 When this is set to a non-zero value, the main Squid process
7028 sleeps the specified number of microseconds after a fork()
7029 system call. This sleep may help the situation where your
7030 system reports fork() failures due to lack of (virtual)
7031 memory. Note, however, if you have a lot of child
7032 processes, these sleep delays will add up and your
7033 Squid will not service requests for some amount of time
7034 until all the child processes have been started.
7035 On Windows value less then 1000 (1 milliseconds) are
7036 rounded to 1000.
cc9f92d4 7037DOC_END
7038
b6696974 7039NAME: windows_ipaddrchangemonitor
6b0516c6 7040IFDEF: _SQUID_MSWIN_
b6696974
GS		 7041COMMENT: on|off
7042TYPE: onoff
7043DEFAULT: on
7044LOC: Config.onoff.WIN32_IpAddrChangeMonitor
7045DOC_START
7046 On Windows Squid by default will monitor IP address changes and will
7047 reconfigure itself after any detected event. This is very useful for
7048 proxies connected to internet with dial-up interfaces.
7049 In some cases (a Proxy server acting as VPN gateway is one) it could be
7050 desiderable to disable this behaviour setting this to 'off'.
7051 Note: after changing this, Squid service must be restarted.
7052DOC_END
7053
a98c2da5
AJ		 7054NAME: eui_lookup
7055TYPE: onoff
7056IFDEF: USE_SQUID_EUI
7057DEFAULT: on
7058LOC: Eui::TheConfig.euiLookup
7059DOC_START
7060 Whether to lookup the EUI or MAC address of a connected client.
7061DOC_END
7062
f3f0f563
AJ		 7063NAME: max_filedescriptors max_filedesc
7064TYPE: int
7065DEFAULT: 0
7066LOC: Config.max_filedescriptors
7067DOC_START
7068 The maximum number of filedescriptors supported.
7069
7070 The default "0" means Squid inherits the current ulimit setting.
7071
7072 Note: Changing this requires a restart of Squid. Also
7073 not all comm loops supports large values.
7074DOC_END
7075
13aeac35 7076NAME: workers
007d775d 7077TYPE: int
13aeac35 7078LOC: Config.workers
007d775d
AR		 7079DEFAULT: 1
7080DOC_START
13aeac35 7081 Number of main Squid processes or "workers" to fork and maintain.
007d775d
AR		 7082 0: "no daemon" mode, like running "squid -N ..."
7083 1: "no SMP" mode, start one main Squid process daemon (default)
13aeac35
AR		 7084 N: start N main Squid process daemons (i.e., SMP mode)
7085
b87f6632
AR		 7086 In SMP mode, each worker does nearly all what a single Squid daemon
7087 does (e.g., listen on http_port and forward HTTP requests).
007d775d
AR		 7088DOC_END
7089
cccac0a2 7090EOF
Mirror of https://github.com/squid-cache/squid.git