]> git.ipfire.org Git - thirdparty/squid.git/blame - src/cf.data.pre
Bug #1718: warning: the address of 'strerror_buf' will always evaluate as 'true'
[thirdparty/squid.git] / src / cf.data.pre
CommitLineData
3a278cb8 1
9cef6668 2#
f67332d3 3# $Id: cf.data.pre,v 1.420 2006/07/31 13:17:57 serassio Exp $
9cef6668 4#
5#
6845f129 6# SQUID Web Proxy Cache http://www.squid-cache.org/
9cef6668 7# ----------------------------------------------------------
8#
2b6662ba 9# Squid is the result of efforts by numerous individuals from
10# the Internet community; see the CONTRIBUTORS file for full
11# details. Many organizations have provided support for Squid's
12# development; see the SPONSORS file for full details. Squid is
13# Copyrighted (C) 2000 by the Regents of the University of
14# California; see the COPYRIGHT file for full details. Squid
15# incorporates software developed and/or copyrighted by other
16# sources; see the CREDITS file for full details.
9cef6668 17#
18# This program is free software; you can redistribute it and/or modify
19# it under the terms of the GNU General Public License as published by
20# the Free Software Foundation; either version 2 of the License, or
21# (at your option) any later version.
96d88dcb 22#
9cef6668 23# This program is distributed in the hope that it will be useful,
24# but WITHOUT ANY WARRANTY; without even the implied warranty of
25# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26# GNU General Public License for more details.
96d88dcb 27#
9cef6668 28# You should have received a copy of the GNU General Public License
29# along with this program; if not, write to the Free Software
30# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
31#
32
0f74202c 33COMMENT_START
cccac0a2 34 WELCOME TO SQUID @VERSION@
35 ----------------------------
3a278cb8 36
cccac0a2 37 This is the default Squid configuration file. You may wish
38 to look at the Squid home page (http://www.squid-cache.org/)
39 for the FAQ and other documentation.
3a278cb8 40
cccac0a2 41 The default Squid config file shows what the defaults for
42 various options happen to be. If you don't need to change the
43 default, you shouldn't uncomment the line. Doing so may cause
44 run-time problems. In some cases "none" refers to no default
45 setting at all, while in other cases it refers to a valid
46 option - the comments for that keyword indicate if this is the
47 case.
debd9a31 48
cccac0a2 49COMMENT_END
3a278cb8 50
cccac0a2 51COMMENT_START
52 NETWORK OPTIONS
53 -----------------------------------------------------------------------------
54COMMENT_END
55
56NAME: http_port ascii_port
57TYPE: http_port_list
58DEFAULT: none
59LOC: Config.Sockaddr.http
60DOC_START
61 Usage: port [options]
62 hostname:port [options]
63 1.2.3.4:port [options]
64
65 The socket addresses where Squid will listen for HTTP client
66 requests. You may specify multiple socket addresses.
67 There are three forms: port alone, hostname with port, and
68 IP address with port. If you specify a hostname or IP
7f7db318 69 address, Squid binds the socket to that specific
cccac0a2 70 address. This replaces the old 'tcp_incoming_address'
71 option. Most likely, you do not need to bind to a specific
72 address, so you can use the port number alone.
73
7f7db318 74 If you are running Squid in accelerator mode, you
cccac0a2 75 probably want to listen on port 80 also, or instead.
76
77 The -a command line option will override the *first* port
78 number listed here. That option will NOT override an IP
79 address, however.
80
81 You may specify multiple socket addresses on multiple lines.
82
116c6cca 83 Options:
84
85 transparent Support for transparent proxies
86
87 accel Accelerator mode. Also set implicit by the other
88 accelerator directives
89
90 vhost Accelerator mode using Host header for virtual
91 domain support
92
93 vport Accelerator with IP based virtual host support
94
95 vport=NN As above, but uses specified port number rather
96 than the http_port number
97
98 defaultsite= Main web site name for accelerators
99
100 protocol= Protocol to reconstruct accelerated requests with.
101 Defaults to http
cccac0a2 102
5529ca8a 103 disable-pmtu-discovery=
6845f129 104 Control Path-MTU discovery usage:
105 off lets OS decide on what to do (default).
106 transparent disable PMTU discovery when transparent
107 support is enabled.
108 always disable always PMTU discovery.
5529ca8a 109
110 In many setups of transparently intercepting proxies Path-MTU
111 discovery can not work on traffic towards the clients. This is
112 the case when the intercepting device does not fully track
113 connections and fails to forward ICMP must fragment messages
114 to the cache server. If you have such setup and experience that
115 certain clients sporadically hang or never complete requests set
116 disable-pmtu-discovery option to 'transparent'.
117
cccac0a2 118 If you run Squid on a dual-homed machine with an internal
7f7db318 119 and an external interface we recommend you to specify the
cccac0a2 120 internal address:port in http_port. This way Squid will only be
121 visible on the internal address.
122NOCOMMENT_START
123# Squid normally listens to port 3128
58c1507a 124http_port @DEFAULT_HTTP_PORT@
cccac0a2 125NOCOMMENT_END
126DOC_END
127
128NAME: https_port
129IFDEF: USE_SSL
130TYPE: https_port_list
131DEFAULT: none
132LOC: Config.Sockaddr.https
133DOC_START
6845f129 134 Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
cccac0a2 135
6845f129 136 The socket address where Squid will listen for HTTPS client
137 requests.
cccac0a2 138
6845f129 139 This is really only useful for situations where you are running
140 squid in accelerator mode and you want to do the SSL work at the
141 accelerator level.
cccac0a2 142
143 You may specify multiple socket addresses on multiple lines,
144 each with their own SSL certificate and/or options.
b8c0c06d 145
cccac0a2 146 Options:
147
148 defaultsite= The name of the https site presented on
116c6cca 149 this port
cccac0a2 150
151 protocol= Protocol to reconstruct accelerated requests
116c6cca 152 with. Defaults to https
cccac0a2 153
154 cert= Path to SSL certificate (PEM format)
7f7db318 155
cccac0a2 156 key= Path to SSL private key file (PEM format)
157 if not specified, the certificate file is
158 assumed to be a combined certificate and
159 key file
160
161 version= The version of SSL/TLS supported
162 1 automatic (default)
163 2 SSLv2 only
164 3 SSLv3 only
165 4 TLSv1 only
166
167 cipher= Colon separated list of supported ciphers
168
5ac1a5b3 169 options= Various SSL engine options. The most important
cccac0a2 170 being:
171 NO_SSLv2 Disallow the use of SSLv2
172 NO_SSLv3 Disallow the use of SSLv3
173 NO_TLSv1 Disallow the use of TLSv1
174 SINGLE_DH_USE Always create a new key when using
175 temporary/ephemeral DH key exchanges
176 See src/ssl_support.c or OpenSSL SSL_CTX_set_options
116c6cca 177 documentation for a complete list of options
cccac0a2 178
179 clientca= File containing the list of CAs to use when
180 requesting a client certificate
181
182 cafile= File containing additional CA certificates to
183 use when verifying client certificates. If unset
116c6cca 184 clientca will be used
cccac0a2 185
186 capath= Directory containing additional CA certificates
a82a4fe4 187 and CRL lists to use when verifying client certificates
188
189 crlfile= File of additional CRL lists to use when verifying
190 the client certificate, in addition to CRLs stored in
191 the capath. Implies VERIFY_CRL flag below.
cccac0a2 192
193 dhparams= File containing DH parameters for temporary/ephemeral
194 DH key exchanges
195
196 sslflags= Various flags modifying the use of SSL:
197 DELAYED_AUTH
198 Don't request client certificates
199 immediately, but wait until acl processing
a82a4fe4 200 requires a certificate (not yet implemented)
7f7db318 201 NO_DEFAULT_CA
a82a4fe4 202 Don't use the default CA lists built in
116c6cca 203 to OpenSSL
b13877cc 204 NO_SESSION_REUSE
205 Don't allow for session reuse. Each connection
206 will result in a new SSL session.
a82a4fe4 207 VERIFY_CRL
208 Verify CRL lists when accepting client
209 certificates
210 VERIFY_CRL_ALL
211 Verify CRL lists for all certificates in the
212 client certificate chain
116c6cca 213
6b2936d5 214 sslcontext= SSL session ID context identifier.
215
116c6cca 216 accel Accelerator mode. Also set implicit by the other
217 accelerator directives
218
219 vhost Accelerator mode using Host header for virtual
220 domain support
221
222 vport Accelerator with IP based virtual host support
223
224 vport=NN As above, but uses specified port number rather
225 than the https_port number
cccac0a2 226
227DOC_END
228
229NAME: ssl_unclean_shutdown
230IFDEF: USE_SSL
231TYPE: onoff
232DEFAULT: off
233LOC: Config.SSL.unclean_shutdown
234DOC_START
235 Some browsers (especially MSIE) bugs out on SSL shutdown
236 messages.
237DOC_END
238
239NAME: ssl_engine
240IFDEF: USE_SSL
241TYPE: string
242LOC: Config.SSL.ssl_engine
243DEFAULT: none
244DOC_START
245 The openssl engine to use. You will need to set this if you
246 would like to use hardware SSL acceleration for example.
247DOC_END
248
249NAME: sslproxy_client_certificate
250IFDEF: USE_SSL
251DEFAULT: none
252LOC: Config.ssl_client.cert
253TYPE: string
254DOC_START
255 Client SSL Certificate to use when proxying https:// URLs
256DOC_END
257
258NAME: sslproxy_client_key
259IFDEF: USE_SSL
260DEFAULT: none
261LOC: Config.ssl_client.key
262TYPE: string
263DOC_START
264 Client SSL Key to use when proxying https:// URLs
265DOC_END
266
267NAME: sslproxy_version
268IFDEF: USE_SSL
269DEFAULT: 1
270LOC: Config.ssl_client.version
271TYPE: int
272DOC_START
273 SSL version level to use when proxying https:// URLs
274DOC_END
275
276NAME: sslproxy_options
277IFDEF: USE_SSL
278DEFAULT: none
279LOC: Config.ssl_client.options
280TYPE: string
281DOC_START
282 SSL engine options to use when proxying https:// URLs
283DOC_END
284
285NAME: sslproxy_cipher
286IFDEF: USE_SSL
287DEFAULT: none
288LOC: Config.ssl_client.cipher
289TYPE: string
290DOC_START
291 SSL cipher list to use when proxying https:// URLs
292DOC_END
293
294NAME: sslproxy_cafile
295IFDEF: USE_SSL
296DEFAULT: none
297LOC: Config.ssl_client.cafile
298TYPE: string
299DOC_START
300 file containing CA certificates to use when verifying server
301 certificates while proxying https:// URLs
302DOC_END
303
304NAME: sslproxy_capath
305IFDEF: USE_SSL
306DEFAULT: none
307LOC: Config.ssl_client.capath
308TYPE: string
309DOC_START
310 directory containing CA certificates to use when verifying
311 server certificates while proxying https:// URLs
312DOC_END
313
314NAME: sslproxy_flags
315IFDEF: USE_SSL
316DEFAULT: none
317LOC: Config.ssl_client.flags
318TYPE: string
319DOC_START
320 Various flags modifying the use of SSL while proxying https:// URLs:
321 DONT_VERIFY_PEER Accept certificates even if they fail to
322 verify.
323 NO_DEFAULT_CA Don't use the default CA list built in
324 to OpenSSL.
325DOC_END
326
307b83b7 327NAME: sslpassword_program
328IFDEF: USE_SSL
329DEFAULT: none
330LOC: Config.Program.ssl_password
331TYPE: string
332DOC_START
333 Specify a program used for entering SSL key passphrases
334 when using encrypted SSL certificate keys. If not specified
335 keys must either be unencrypted, or Squid started with the -N
336 option to allow it to query interactively for the passphrase.
337DOC_END
338
cccac0a2 339NAME: icp_port udp_port
340TYPE: ushort
341DEFAULT: 0
342LOC: Config.Port.icp
343DOC_START
344 The port number where Squid sends and receives ICP queries to
345 and from neighbor caches. The standard UDP port for ICP is 3130.
346 Default is disabled (0).
347NOCOMMENT_START
58c1507a 348icp_port @DEFAULT_ICP_PORT@
cccac0a2 349NOCOMMENT_END
350DOC_END
351
352NAME: htcp_port
353IFDEF: USE_HTCP
354TYPE: ushort
355DEFAULT: 4827
356LOC: Config.Port.htcp
357DOC_START
358 The port number where Squid sends and receives HTCP queries to
359 and from neighbor caches. Default is 4827. To disable use
360 "0".
361DOC_END
362
363
364NAME: mcast_groups
365TYPE: wordlist
366LOC: Config.mcast_group_list
367DEFAULT: none
368DOC_START
369 This tag specifies a list of multicast groups which your server
370 should join to receive multicasted ICP queries.
371
372 NOTE! Be very careful what you put here! Be sure you
373 understand the difference between an ICP _query_ and an ICP
374 _reply_. This option is to be set only if you want to RECEIVE
375 multicast queries. Do NOT set this option to SEND multicast
376 ICP (use cache_peer for that). ICP replies are always sent via
377 unicast, so this option does not affect whether or not you will
378 receive replies from multicast group members.
379
380 You must be very careful to NOT use a multicast address which
381 is already in use by another group of caches.
382
383 If you are unsure about multicast, please read the Multicast
384 chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
385
386 Usage: mcast_groups 239.128.16.128 224.0.1.20
387
388 By default, Squid doesn't listen on any multicast groups.
389DOC_END
390
391
392NAME: udp_incoming_address
393TYPE: address
394LOC:Config.Addrs.udp_incoming
395DEFAULT: 0.0.0.0
396DOC_NONE
397
398NAME: udp_outgoing_address
399TYPE: address
400LOC: Config.Addrs.udp_outgoing
401DEFAULT: 255.255.255.255
402DOC_START
403 udp_incoming_address is used for the ICP socket receiving packets
404 from other caches.
405 udp_outgoing_address is used for ICP packets sent out to other
406 caches.
407
408 The default behavior is to not bind to any specific address.
409
f939c0ca 410 A udp_incoming_address value of 0.0.0.0 indicates Squid
411 should listen for UDP messages on all available interfaces.
cccac0a2 412
413 If udp_outgoing_address is set to 255.255.255.255 (the default)
7f7db318 414 it will use the same socket as udp_incoming_address. Only
cccac0a2 415 change this if you want to have ICP queries sent using another
416 address than where this Squid listens for ICP queries from other
417 caches.
418
419 NOTE, udp_incoming_address and udp_outgoing_address can not
420 have the same value since they both use port 3130.
421DOC_END
9e7dbc51 422
cccac0a2 423COMMENT_START
424 OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
425 -----------------------------------------------------------------------------
426COMMENT_END
9e7dbc51 427
cccac0a2 428NAME: cache_peer
429TYPE: peer
430DEFAULT: none
431LOC: Config.peers
432DOC_START
433 To specify other caches in a hierarchy, use the format:
9e7dbc51 434
cccac0a2 435 cache_peer hostname type http_port icp_port [options]
0fdafae7 436
cccac0a2 437 For example,
d1b63fc8 438
cccac0a2 439 # proxy icp
440 # hostname type port port options
441 # -------------------- -------- ----- ----- -----------
442 cache_peer parent.foo.net parent 3128 3130 [proxy-only]
443 cache_peer sib1.foo.net sibling 3128 3130 [proxy-only]
444 cache_peer sib2.foo.net sibling 3128 3130 [proxy-only]
445
446 type: either 'parent', 'sibling', or 'multicast'.
447
448 proxy_port: The port number where the cache listens for proxy
449 requests.
450
451 icp_port: Used for querying neighbor caches about
452 objects. To have a non-ICP neighbor
453 specify '7' for the ICP port and make sure the
454 neighbor machine has the UDP echo port
455 enabled in its /etc/inetd.conf file.
456
457 options: proxy-only
458 weight=n
459 basetime=n
460 ttl=n
461 no-query
462 background-ping
463 default
464 round-robin
465 weighted-round-robin
466 carp
467 multicast-responder
468 closest-only
469 no-digest
470 no-netdb-exchange
471 no-delay
472 login=user:password | PASS | *:password
473 connect-timeout=nn
474 digest-url=url
475 allow-miss
476 max-conn
477 htcp
527ee50d 478 htcp-oldsquid
cccac0a2 479 originserver
480 name=xxx
481 forceddomain=name
482 ssl
483 sslcert=/path/to/ssl/certificate
484 sslkey=/path/to/ssl/key
485 sslversion=1|2|3|4
486 sslcipher=...
487 ssloptions=...
488 front-end-https[=on|auto]
b8c0c06d 489
7f7db318 490 use 'proxy-only' to specify objects fetched
cccac0a2 491 from this cache should not be saved locally.
492
493 use 'weight=n' to specify a weighted parent.
494 The weight must be an integer. The default weight
495 is 1, larger weights are favored more.
496
497 use 'basetime=n' to specify a base amount to
498 be subtracted from round trip times of parents.
499 It is subtracted before division by weight in calculating
500 which parent to fectch from. If the rtt is less than the
7f7db318 501 base time the rtt is set to a minimal value.
cccac0a2 502
503 use 'ttl=n' to specify a IP multicast TTL to use
504 when sending an ICP queries to this address.
505 Only useful when sending to a multicast group.
506 Because we don't accept ICP replies from random
507 hosts, you must configure other group members as
508 peers with the 'multicast-responder' option below.
509
510 use 'no-query' to NOT send ICP queries to this
511 neighbor.
512
513 use 'background-ping' to only send ICP queries to this
7f7db318 514 neighbor infrequently. This is used to keep the neighbor
515 round trip time updated and is usually used in
cccac0a2 516 conjunction with weighted-round-robin.
517
518 use 'default' if this is a parent cache which can
519 be used as a "last-resort." You should probably
520 only use 'default' in situations where you cannot
521 use ICP with your parent cache(s).
522
523 use 'round-robin' to define a set of parents which
524 should be used in a round-robin fashion in the
525 absence of any ICP queries.
526
7f7db318 527 use 'weighted-round-robin' to define a set of parents
528 which should be used in a round-robin fashion with the
529 frequency of each parent being based on the round trip
530 time. Closer parents are used more often.
cccac0a2 531 Usually used for background-ping parents.
532
533 use 'carp' to define a set of parents which should
7f7db318 534 be used as a CARP array. The requests will be
cccac0a2 535 distributed among the parents based on the CARP load
536 balancing hash function based on their weigth.
537
7f7db318 538 'multicast-responder' indicates the named peer
cccac0a2 539 is a member of a multicast group. ICP queries will
540 not be sent directly to the peer, but ICP replies
541 will be accepted from it.
542
543 'closest-only' indicates that, for ICP_OP_MISS
544 replies, we'll only forward CLOSEST_PARENT_MISSes
545 and never FIRST_PARENT_MISSes.
546
547 use 'no-digest' to NOT request cache digests from
548 this neighbor.
549
550 'no-netdb-exchange' disables requesting ICMP
551 RTT database (NetDB) from the neighbor.
552
553 use 'no-delay' to prevent access to this neighbor
554 from influencing the delay pools.
555
556 use 'login=user:password' if this is a personal/workgroup
557 proxy and your parent requires proxy authentication.
558 Note: The string can include URL escapes (i.e. %20 for
7f7db318 559 spaces). This also means % must be written as %%.
cccac0a2 560
561 use 'login=PASS' if users must authenticate against
65fca573 562 the upstream proxy or in the case of a reverse proxy
563 configuration, the origin web server. This will pass
564 the users credentials as they are to the peer.
565 This only works for the Basic HTTP authentication scheme.
566 Note: To combine this with proxy_auth both proxies must
567 share the same user database as HTTP only allows for
568 one proxy login.
7f7db318 569 Also be warned this will expose your users proxy
cccac0a2 570 password to the peer. USE WITH CAUTION
571
572 use 'login=*:password' to pass the username to the
573 upstream cache, but with a fixed password. This is meant
574 to be used when the peer is in another administrative
575 domain, but it is still needed to identify each user.
576 The star can optionally be followed by some extra
577 information which is added to the username. This can
578 be used to identify this proxy to the peer, similar to
579 the login=username:password option above.
580
581 use 'connect-timeout=nn' to specify a peer
582 specific connect timeout (also see the
583 peer_connect_timeout directive)
584
585 use 'digest-url=url' to tell Squid to fetch the cache
586 digest (if digests are enabled) for this host from
587 the specified URL rather than the Squid default
588 location.
589
590 use 'allow-miss' to disable Squid's use of only-if-cached
591 when forwarding requests to siblings. This is primarily
592 useful when icp_hit_stale is used by the sibling. To
593 extensive use of this option may result in forwarding
594 loops, and you should avoid having two-way peerings
595 with this option. (for example to deny peer usage on
596 requests from peer by denying cache_peer_access if the
597 source is a peer)
598
599 use 'max-conn' to limit the amount of connections Squid
600 may open to this peer.
601
602 use 'htcp' to send HTCP, instead of ICP, queries
603 to the neighbor. You probably also want to
604 set the "icp port" to 4827 instead of 3130.
d3803853 605
527ee50d 606 use 'htcp-oldsquid' to send HTCP to old Squid versions
607
cccac0a2 608 'originserver' causes this parent peer to be contacted as
609 a origin server. Meant to be used in accelerator setups.
610
611 use 'name=xxx' if you have multiple peers on the same
7f7db318 612 host but different ports. This name can be used to
cccac0a2 613 differentiate the peers in cache_peer_access and similar
614 directives.
615
616 use 'forceddomain=name' to forcibly set the Host header
617 of requests forwarded to this peer. Useful in accelerator
618 setups where the server (peer) expects a certain domain
619 name and using redirectors to feed this domainname
620 is not feasible.
621
7f7db318 622 use 'ssl' to indicate connections to this peer should
cccac0a2 623 bs SSL/TLS encrypted.
624
625 use 'sslcert=/path/to/ssl/certificate' to specify a client
626 SSL certificate to use when connecting to this peer.
627
628 use 'sslkey=/path/to/ssl/key' to specify the private SSL
629 key corresponding to sslcert above. If 'sslkey' is not
7f7db318 630 specified 'sslcert' is assumed to reference a
cccac0a2 631 combined file containing both the certificate and the key.
632
633 use sslversion=1|2|3|4 to specify the SSL version to use
634 when connecting to this peer
635 1 = automatic (default)
636 2 = SSL v2 only
637 3 = SSL v3 only
638 4 = TLS v1 only
639
640 use sslcipher=... to specify the list of valid SSL chipers
641 to use when connecting to this peer
642
643 use ssloptions=... to specify various SSL engine options:
644 NO_SSLv2 Disallow the use of SSLv2
645 NO_SSLv3 Disallow the use of SSLv3
646 NO_TLSv1 Disallow the use of TLSv1
647 See src/ssl_support.c or the OpenSSL documentation for
648 a more complete list.
649
650 use cafile=... to specify a file containing additional
651 CA certificates to use when verifying the peer certificate
652
653 use capath=... to specify a directory containing additional
654 CA certificates to use when verifying the peer certificate
655
656 use sslflags=... to specify various flags modifying the
657 SSL implementation:
658 DONT_VERIFY_PEER
659 Accept certificates even if they fail to
660 verify.
7f7db318 661 NO_DEFAULT_CA
cccac0a2 662 Don't use the default CA list built in
663 to OpenSSL.
664 DONT_VERIFY_DOMAIN
7f7db318 665 Don't verify the peer certificate
cccac0a2 666 matches the server name
667
668 use sslname= to specify the peer name as advertised
669 in it's certificate. Used for verifying the correctness
670 of the received peer certificate. If not specified the
671 peer hostname will be used.
672
673 use front-end-https to enable the "Front-End-Https: On"
674 header needed when using Squid as a SSL frontend infront
675 of Microsoft OWA. See MS KB document Q307347 for details
7f7db318 676 on this header. If set to auto the header will
cccac0a2 677 only be added if the request is forwarded as a https://
678 URL.
679
680 NOTE: non-ICP neighbors must be specified as 'parent'.
681DOC_END
682
683NAME: cache_peer_domain cache_host_domain
684TYPE: hostdomain
685DEFAULT: none
686LOC: none
687DOC_START
688 Use to limit the domains for which a neighbor cache will be
689 queried. Usage:
690
691 cache_peer_domain cache-host domain [domain ...]
692 cache_peer_domain cache-host !domain
693
694 For example, specifying
695
696 cache_peer_domain parent.foo.net .edu
697
698 has the effect such that UDP query packets are sent to
699 'bigserver' only when the requested object exists on a
700 server in the .edu domain. Prefixing the domainname
7f7db318 701 with '!' means the cache will be queried for objects
cccac0a2 702 NOT in that domain.
703
704 NOTE: * Any number of domains may be given for a cache-host,
705 either on the same or separate lines.
706 * When multiple domains are given for a particular
707 cache-host, the first matched domain is applied.
708 * Cache hosts with no domain restrictions are queried
709 for all requests.
710 * There are no defaults.
711 * There is also a 'cache_peer_access' tag in the ACL
712 section.
713DOC_END
714
715
716NAME: neighbor_type_domain
717TYPE: hostdomaintype
718DEFAULT: none
719LOC: none
720DOC_START
721 usage: neighbor_type_domain neighbor parent|sibling domain domain ...
722
723 Modifying the neighbor type for specific domains is now
724 possible. You can treat some domains differently than the the
725 default neighbor type specified on the 'cache_peer' line.
726 Normally it should only be necessary to list domains which
727 should be treated differently because the default neighbor type
728 applies for hostnames which do not match domains listed here.
729
730EXAMPLE:
731 cache_peer parent cache.foo.org 3128 3130
732 neighbor_type_domain cache.foo.org sibling .com .net
733 neighbor_type_domain cache.foo.org sibling .au .de
734DOC_END
735
736NAME: icp_query_timeout
737COMMENT: (msec)
738DEFAULT: 0
739TYPE: int
740LOC: Config.Timeout.icp_query
741DOC_START
742 Normally Squid will automatically determine an optimal ICP
743 query timeout value based on the round-trip-time of recent ICP
744 queries. If you want to override the value determined by
745 Squid, set this 'icp_query_timeout' to a non-zero value. This
746 value is specified in MILLISECONDS, so, to use a 2-second
747 timeout (the old default), you would write:
748
749 icp_query_timeout 2000
750DOC_END
751
752NAME: maximum_icp_query_timeout
753COMMENT: (msec)
754DEFAULT: 2000
755TYPE: int
756LOC: Config.Timeout.icp_query_max
757DOC_START
758 Normally the ICP query timeout is determined dynamically. But
759 sometimes it can lead to very large values (say 5 seconds).
760 Use this option to put an upper limit on the dynamic timeout
761 value. Do NOT use this option to always use a fixed (instead
762 of a dynamic) timeout value. To set a fixed timeout see the
763 'icp_query_timeout' directive.
764DOC_END
765
766NAME: minimum_icp_query_timeout
767COMMENT: (msec)
768DEFAULT: 5
769TYPE: int
770LOC: Config.Timeout.icp_query_min
771DOC_START
772 Normally the ICP query timeout is determined dynamically. But
773 sometimes it can lead to very small timeouts, even lower than
774 the normal latency variance on your link due to traffic.
775 Use this option to put an lower limit on the dynamic timeout
776 value. Do NOT use this option to always use a fixed (instead
777 of a dynamic) timeout value. To set a fixed timeout see the
778 'icp_query_timeout' directive.
779DOC_END
780
781NAME: mcast_icp_query_timeout
782COMMENT: (msec)
783DEFAULT: 2000
784TYPE: int
785LOC: Config.Timeout.mcast_icp_query
786DOC_START
787 For Multicast peers, Squid regularly sends out ICP "probes" to
788 count how many other peers are listening on the given multicast
789 address. This value specifies how long Squid should wait to
790 count all the replies. The default is 2000 msec, or 2
791 seconds.
792DOC_END
793
794NAME: dead_peer_timeout
795COMMENT: (seconds)
796DEFAULT: 10 seconds
797TYPE: time_t
798LOC: Config.Timeout.deadPeer
799DOC_START
800 This controls how long Squid waits to declare a peer cache
801 as "dead." If there are no ICP replies received in this
802 amount of time, Squid will declare the peer dead and not
803 expect to receive any further ICP replies. However, it
804 continues to send ICP queries, and will mark the peer as
805 alive upon receipt of the first subsequent ICP reply.
806
807 This timeout also affects when Squid expects to receive ICP
808 replies from peers. If more than 'dead_peer' seconds have
809 passed since the last ICP reply was received, Squid will not
810 expect to receive an ICP reply on the next query. Thus, if
811 your time between requests is greater than this timeout, you
812 will see a lot of requests sent DIRECT to origin servers
813 instead of to your parents.
814DOC_END
815
816
817NAME: hierarchy_stoplist
818TYPE: wordlist
819DEFAULT: none
820LOC: Config.hierarchy_stoplist
821DOC_START
822 A list of words which, if found in a URL, cause the object to
823 be handled directly by this cache. In other words, use this
824 to not query neighbor caches for certain objects. You may
825 list this option multiple times.
826NOCOMMENT_START
827#We recommend you to use at least the following line.
828hierarchy_stoplist cgi-bin ?
829NOCOMMENT_END
830DOC_END
934b03fc 831
6a566b9c 832
6192e873 833NAME: cache no_cache
cccac0a2 834TYPE: acl_access
835DEFAULT: none
836LOC: Config.accessList.noCache
837DOC_START
838 A list of ACL elements which, if matched, cause the request to
839 not be satisfied from the cache and the reply to not be cached.
840 In other words, use this to force certain objects to never be cached.
6a566b9c 841
cccac0a2 842 You must use the word 'DENY' to indicate the ACL names which should
843 NOT be cached.
1e5562e3 844
6192e873 845 Default is to allow all to be cached
cccac0a2 846NOCOMMENT_START
847#We recommend you to use the following two lines.
848acl QUERY urlpath_regex cgi-bin \?
6192e873 849cache deny QUERY
cccac0a2 850NOCOMMENT_END
851DOC_END
852
853NAME: background_ping_rate
854COMMENT: time-units
855TYPE: time_t
856DEFAULT: 10 seconds
857LOC: Config.backgroundPingRate
858DOC_START
859 Controls how often the ICP pings are sent to siblings that
860 have background-ping set.
861DOC_END
1e5562e3 862
934b03fc 863
cccac0a2 864COMMENT_START
865 OPTIONS WHICH AFFECT THE CACHE SIZE
866 -----------------------------------------------------------------------------
867COMMENT_END
868
869NAME: cache_mem
870COMMENT: (bytes)
871TYPE: b_size_t
872DEFAULT: 8 MB
873LOC: Config.memMaxSize
874DOC_START
875 NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
876 IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
877 USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
878 THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
879
880 'cache_mem' specifies the ideal amount of memory to be used
881 for:
882 * In-Transit objects
883 * Hot Objects
884 * Negative-Cached objects
885
886 Data for these objects are stored in 4 KB blocks. This
887 parameter specifies the ideal upper limit on the total size of
888 4 KB blocks allocated. In-Transit objects take the highest
889 priority.
890
891 In-transit objects have priority over the others. When
892 additional space is needed for incoming data, negative-cached
893 and hot objects will be released. In other words, the
894 negative-cached and hot objects will fill up any unused space
895 not needed for in-transit objects.
896
897 If circumstances require, this limit will be exceeded.
898 Specifically, if your incoming request rate requires more than
899 'cache_mem' of memory to hold in-transit objects, Squid will
900 exceed this limit to satisfy the new requests. When the load
901 decreases, blocks will be freed until the high-water mark is
902 reached. Thereafter, blocks will be used to store hot
903 objects.
904DOC_END
905
906
907NAME: cache_swap_low
908COMMENT: (percent, 0-100)
909TYPE: int
910DEFAULT: 90
911LOC: Config.Swap.lowWaterMark
912DOC_NONE
913
914NAME: cache_swap_high
915COMMENT: (percent, 0-100)
916TYPE: int
917DEFAULT: 95
918LOC: Config.Swap.highWaterMark
919DOC_START
920
921 The low- and high-water marks for cache object replacement.
922 Replacement begins when the swap (disk) usage is above the
923 low-water mark and attempts to maintain utilization near the
924 low-water mark. As swap utilization gets close to high-water
925 mark object eviction becomes more aggressive. If utilization is
926 close to the low-water mark less replacement is done each time.
7f7db318 927
cccac0a2 928 Defaults are 90% and 95%. If you have a large cache, 5% could be
929 hundreds of MB. If this is the case you may wish to set these
930 numbers closer together.
931DOC_END
932
933NAME: maximum_object_size
934COMMENT: (bytes)
935TYPE: b_size_t
936DEFAULT: 4096 KB
937LOC: Config.Store.maxObjectSize
938DOC_START
939 Objects larger than this size will NOT be saved on disk. The
940 value is specified in kilobytes, and the default is 4MB. If
941 you wish to get a high BYTES hit ratio, you should probably
942 increase this (one 32 MB object hit counts for 3200 10KB
943 hits). If you wish to increase speed more than your want to
944 save bandwidth you should leave this low.
945
946 NOTE: if using the LFUDA replacement policy you should increase
947 this value to maximize the byte hit rate improvement of LFUDA!
948 See replacement_policy below for a discussion of this policy.
949DOC_END
950
951NAME: minimum_object_size
952COMMENT: (bytes)
953TYPE: b_size_t
954DEFAULT: 0 KB
955LOC: Config.Store.minObjectSize
956DOC_START
957 Objects smaller than this size will NOT be saved on disk. The
958 value is specified in kilobytes, and the default is 0 KB, which
959 means there is no minimum.
960DOC_END
961
962NAME: maximum_object_size_in_memory
963COMMENT: (bytes)
964TYPE: b_size_t
965DEFAULT: 8 KB
966LOC: Config.Store.maxInMemObjSize
967DOC_START
6845f129 968 Objects greater than this size will not be attempted to kept in
969 the memory cache. This should be set high enough to keep objects
970 accessed frequently in memory to improve performance whilst low
971 enough to keep larger objects from hoarding cache_mem .
cccac0a2 972DOC_END
973
974NAME: ipcache_size
975COMMENT: (number of entries)
976TYPE: int
977DEFAULT: 1024
978LOC: Config.ipcache.size
979DOC_NONE
980
981NAME: ipcache_low
982COMMENT: (percent)
983TYPE: int
984DEFAULT: 90
985LOC: Config.ipcache.low
986DOC_NONE
987
988NAME: ipcache_high
989COMMENT: (percent)
990TYPE: int
991DEFAULT: 95
992LOC: Config.ipcache.high
993DOC_START
994 The size, low-, and high-water marks for the IP cache.
995DOC_END
996
997NAME: fqdncache_size
998COMMENT: (number of entries)
999TYPE: int
1000DEFAULT: 1024
1001LOC: Config.fqdncache.size
1002DOC_START
1003 Maximum number of FQDN cache entries.
1004DOC_END
1005
1006NAME: cache_replacement_policy
1007TYPE: removalpolicy
1008LOC: Config.replPolicy
1009DEFAULT: lru
1010DOC_START
1011 The cache replacement policy parameter determines which
1012 objects are evicted (replaced) when disk space is needed.
1013
1014 lru : Squid's original list based LRU policy
1015 heap GDSF : Greedy-Dual Size Frequency
1016 heap LFUDA: Least Frequently Used with Dynamic Aging
1017 heap LRU : LRU policy implemented using a heap
1018
1019 Applies to any cache_dir lines listed below this.
1020
1021 The LRU policies keeps recently referenced objects.
1022
1023 The heap GDSF policy optimizes object hit rate by keeping smaller
1024 popular objects in cache so it has a better chance of getting a
1025 hit. It achieves a lower byte hit rate than LFUDA though since
1026 it evicts larger (possibly popular) objects.
1027
1028 The heap LFUDA policy keeps popular objects in cache regardless of
1029 their size and thus optimizes byte hit rate at the expense of
1030 hit rate since one large, popular object will prevent many
1031 smaller, slightly less popular objects from being cached.
1032
1033 Both policies utilize a dynamic aging mechanism that prevents
1034 cache pollution that can otherwise occur with frequency-based
1035 replacement policies.
1036
1037 NOTE: if using the LFUDA replacement policy you should increase
1038 the value of maximum_object_size above its default of 4096 KB to
1039 to maximize the potential byte hit rate improvement of LFUDA.
1040
1041 For more information about the GDSF and LFUDA cache replacement
1042 policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
1043 and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
1044DOC_END
1045
1046NAME: memory_replacement_policy
1047TYPE: removalpolicy
1048LOC: Config.memPolicy
1049DEFAULT: lru
1050DOC_START
1051 The memory replacement policy parameter determines which
1052 objects are purged from memory when memory space is needed.
1053
1054 See cache_replacement_policy for details.
1055DOC_END
934b03fc 1056
1f7c9178 1057
cccac0a2 1058COMMENT_START
1059 LOGFILE PATHNAMES AND CACHE DIRECTORIES
1060 -----------------------------------------------------------------------------
1061COMMENT_END
9bc73deb 1062
cccac0a2 1063NAME: cache_dir
1064TYPE: cachedir
1065DEFAULT: none
1066DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256
1067LOC: Config.cacheSwap
1068DOC_START
1069 Usage:
7f7db318 1070
cccac0a2 1071 cache_dir Type Directory-Name Fs-specific-data [options]
cf5cc17e 1072
cccac0a2 1073 You can specify multiple cache_dir lines to spread the
1074 cache among different disk partitions.
8e8d4f30 1075
cccac0a2 1076 Type specifies the kind of storage system to use. Only "ufs"
5ac1a5b3 1077 is built by default. To enable any of the other storage systems
cccac0a2 1078 see the --enable-storeio configure option.
934b03fc 1079
cccac0a2 1080 'Directory' is a top-level directory where cache swap
1081 files will be stored. If you want to use an entire disk
7f7db318 1082 for caching, this can be the mount-point directory.
cccac0a2 1083 The directory must exist and be writable by the Squid
1084 process. Squid will NOT create this directory for you.
1e5562e3 1085
cccac0a2 1086 The ufs store type:
1087
1088 "ufs" is the old well-known Squid storage format that has always
1089 been there.
1090
1091 cache_dir ufs Directory-Name Mbytes L1 L2 [options]
1092
1093 'Mbytes' is the amount of disk space (MB) to use under this
1094 directory. The default is 100 MB. Change this to suit your
1095 configuration. Do NOT put the size of your disk drive here.
1096 Instead, if you want Squid to use the entire disk drive,
1097 subtract 20% and use that value.
1098
1099 'Level-1' is the number of first-level subdirectories which
1100 will be created under the 'Directory'. The default is 16.
1101
1102 'Level-2' is the number of second-level subdirectories which
1103 will be created under each first-level directory. The default
1104 is 256.
1105
1106 The aufs store type:
1107
1108 "aufs" uses the same storage format as "ufs", utilizing
1109 POSIX-threads to avoid blocking the main Squid process on
1110 disk-I/O. This was formerly known in Squid as async-io.
1111
1112 cache_dir aufs Directory-Name Mbytes L1 L2 [options]
1113
1114 see argument descriptions under ufs above
1115
1116 The diskd store type:
1117
1118 "diskd" uses the same storage format as "ufs", utilizing a
1119 separate process to avoid blocking the main Squid process on
1120 disk-I/O.
1121
1122 cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
1123
1124 see argument descriptions under ufs above
1125
1126 Q1 specifies the number of unacknowledged I/O requests when Squid
1127 stops opening new files. If this many messages are in the queues,
1128 Squid won't open new files. Default is 64
1129
1130 Q2 specifies the number of unacknowledged messages when Squid
1131 starts blocking. If this many messages are in the queues,
44f991b5 1132 Squid blocks until it receives some replies. Default is 72
cccac0a2 1133
af9ad249 1134 When Q1 < Q2 (the default), the cache directory is optimized
1135 for lower response time at the expense of a decrease in hit
1136 ratio. If Q1 > Q2, the cache directory is optimized for
1137 higher hit ratio at the expense of an increase in response
1138 time.
1139
1a224843 1140 The coss store type:
1141
1142 block-size=n defines the "block size" for COSS cache_dir's.
1143 Squid uses file numbers as block numbers. Since file numbers
1144 are limited to 24 bits, the block size determines the maximum
1145 size of the COSS partition. The default is 512 bytes, which
1146 leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
7f7db318 1147 you should not change the coss block size after Squid
1a224843 1148 has written some objects to the cache_dir.
1149
b8c0c06d 1150 The coss file store has changed from 2.5. Now it uses a file
c8f4eac4 1151 called 'stripe' in the directory names in the config - and
1152 this will be created by squid -z.
1153
cccac0a2 1154 Common options:
1155
1156 read-only, this cache_dir is read only.
1157
1158 max-size=n, refers to the max object size this storedir supports.
1159 It is used to initially choose the storedir to dump the object.
1160 Note: To make optimal use of the max-size limits you should order
1161 the cache_dir lines with the smallest max-size value first and the
1162 ones with no max-size specification last.
1a224843 1163
7f7db318 1164 Note for coss, max-size must be less than COSS_MEMBUF_SZ,
1a224843 1165 which can be changed with the --with-coss-membuf-size=N configure
1166 option.
c8f4eac4 1167
1168 The null store type:
1169
1170 no options are allowed or required
cccac0a2 1171DOC_END
1172
1173
1174NAME: logformat
1175TYPE: logformat
1176LOC: Config.Log.logformats
1177DEFAULT: none
1178DOC_START
1179 Usage:
1180
1181 logformat <name> <format specification>
1182
1183 Defines an access log format.
1184
1185 The <format specification> is a string with embedded % format codes
7f7db318 1186
cccac0a2 1187 % format codes all follow the same basic structure where all but
fa38076e 1188 the formatcode is optional. Output strings are automatically escaped
cccac0a2 1189 as required according to their context and the output format
fa38076e 1190 modifiers are usually not needed, but can be specified if an explicit
1191 output format is desired.
cccac0a2 1192
1193 % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
7f7db318 1194
fa38076e 1195 " output in quoted string format
1196 [ output in squid text log format as used by log_mime_hdrs
1197 # output in URL quoted format
1198 ' output as-is
1199
cccac0a2 1200 - left aligned
7f7db318 1201 width field width. If starting with 0 the
cccac0a2 1202 output is zero padded
1203 {arg} argument such as header name etc
1204
1205 Format codes:
1206
1207 >a Client source IP address
1208 >A Client FQDN
1209 <A Server IP address or peer name
1210 la Local IP address (http_port)
1211 lp Local port number (http_port)
1212 ts Seconds since epoch
1213 tu subsecond time (milliseconds)
1214 tl Local time. Optional strftime format argument
1215 default %d/%b/%Y:%H:%M:S %z
1216 tg GMT time. Optional strftime format argument
1217 default %d/%b/%Y:%H:%M:S %z
1218 tr Response time (milliseconds)
1219 >h Request header. Optional header name argument
1220 on the format header[:[separator]element]
1221 <h Reply header. Optional header name argument
1222 as for >h
1223 un User name
1224 ul User login
1225 ui User ident
1226 ue User from external acl
1227 Hs HTTP status code
1228 Ss Squid request status (TCP_MISS etc)
1229 Sh Squid hierarchy status (DEFAULT_PARENT etc)
1230 mt MIME content type
1231 rm Request method (GET/POST etc)
1232 ru Request URL
1233 rv Request protocol version
1234 et Tag returned by external acl
1235 ea Log string returned by external acl
1236 <st Reply size including HTTP headers
6845f129 1237 <sH Reply high offset sent
03b29b6c 1238 <sS Upstream object size
cccac0a2 1239 % a literal % character
1240
1241logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
1242logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
1243logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
1244logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
1245DOC_END
1246
1247NAME: access_log cache_access_log
1248TYPE: access_log
1249LOC: Config.Log.accesslogs
1250DEFAULT: none
1251DEFAULT_IF_NONE: @DEFAULT_ACCESS_LOG@
1252DOC_START
1253 These files log client request activities. Has a line every HTTP or
1254 ICP request. The format is:
1255 access_log <filepath> [<logformat name> [acl acl ...]]
1256 access_log none [acl acl ...]]
1257
1258 Will log to the specified file using the specified format (which
1259 must be defined in a logformat directive) those entries which match
1260 ALL the acl's specified (which must be defined in acl clauses).
1261 If no acl is specified, all requests will be logged to this file.
7f7db318 1262
c33aa074 1263 To disable logging of a request use the filepath "none", in which case
1264 a logformat name should not be specified.
1265
9197cd13 1266 To log the request via syslog specify a filepath of "syslog":
1267
1268 access_log syslog[:facility|priority] [format [acl1 [acl2 ....]]]
1269 where facility could be any of:
1270 LOG_AUTHPRIV, LOG_DAEMON, LOG_LOCAL0 .. LOG_LOCAL7 or LOG_USER.
1271
1272 And priority could be any of:
1273 LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG.
cccac0a2 1274DOC_END
1275
1276
1277NAME: cache_log
1278TYPE: string
1279DEFAULT: @DEFAULT_CACHE_LOG@
1280LOC: Config.Log.log
1281DOC_START
1282 Cache logging file. This is where general information about
1283 your cache's behavior goes. You can increase the amount of data
1284 logged to this file with the "debug_options" tag below.
1285DOC_END
1286
1287
1288NAME: cache_store_log
1289TYPE: string
1290DEFAULT: @DEFAULT_STORE_LOG@
1291LOC: Config.Log.store
1292DOC_START
1293 Logs the activities of the storage manager. Shows which
1294 objects are ejected from the cache, and which objects are
1295 saved and for how long. To disable, enter "none". There are
1296 not really utilities to analyze this data, so you can safely
1297 disable it.
1298DOC_END
1299
1300
e2529a2c 1301NAME: cache_swap_state cache_swap_log
cccac0a2 1302TYPE: string
1303LOC: Config.Log.swap
1304DEFAULT: none
1305DOC_START
e2529a2c 1306 Location for the cache "swap.state" file. This index file holds
1307 the metadata of objects saved on disk. It is used to rebuild
1308 the cache during startup. Normally this file resides in each
cccac0a2 1309 'cache_dir' directory, but you may specify an alternate
1310 pathname here. Note you must give a full filename, not just
1311 a directory. Since this is the index for the whole object
1312 list you CANNOT periodically rotate it!
1313
7f7db318 1314 If %s can be used in the file name it will be replaced with a
cccac0a2 1315 a representation of the cache_dir name where each / is replaced
1316 with '.'. This is needed to allow adding/removing cache_dir
1317 lines when cache_swap_log is being used.
7f7db318 1318
cccac0a2 1319 If have more than one 'cache_dir', and %s is not used in the name
7f7db318 1320 these swap logs will have names such as:
cccac0a2 1321
1322 cache_swap_log.00
1323 cache_swap_log.01
1324 cache_swap_log.02
1325
1326 The numbered extension (which is added automatically)
1327 corresponds to the order of the 'cache_dir' lines in this
1328 configuration file. If you change the order of the 'cache_dir'
7f7db318 1329 lines in this file, these log files will NOT correspond to
cccac0a2 1330 the correct 'cache_dir' entry (unless you manually rename
7f7db318 1331 them). We recommend you do NOT use this option. It is
cccac0a2 1332 better to keep these log files in each 'cache_dir' directory.
1333DOC_END
1334
1335
1336NAME: emulate_httpd_log
1337COMMENT: on|off
1338TYPE: onoff
1339DEFAULT: off
1340LOC: Config.onoff.common_log
1341DOC_START
1342 The Cache can emulate the log file format which many 'httpd'
1343 programs use. To disable/enable this emulation, set
1344 emulate_httpd_log to 'off' or 'on'. The default
1345 is to use the native log format since it includes useful
7f7db318 1346 information Squid-specific log analyzers use.
cccac0a2 1347DOC_END
1348
1349NAME: log_ip_on_direct
1350COMMENT: on|off
1351TYPE: onoff
1352DEFAULT: on
1353LOC: Config.onoff.log_ip_on_direct
1354DOC_START
1355 Log the destination IP address in the hierarchy log tag when going
1356 direct. Earlier Squid versions logged the hostname here. If you
1357 prefer the old way set this to off.
1358DOC_END
1359
1360NAME: mime_table
1361TYPE: string
1362DEFAULT: @DEFAULT_MIME_TABLE@
1363LOC: Config.mimeTablePathname
1364DOC_START
1365 Pathname to Squid's MIME table. You shouldn't need to change
1366 this, but the default file contains examples and formatting
1367 information if you do.
1368DOC_END
1369
1370
1371NAME: log_mime_hdrs
1372COMMENT: on|off
1373TYPE: onoff
1374LOC: Config.onoff.log_mime_hdrs
1375DEFAULT: off
1376DOC_START
1377 The Cache can record both the request and the response MIME
1378 headers for each HTTP transaction. The headers are encoded
1379 safely and will appear as two bracketed fields at the end of
1380 the access log (for either the native or httpd-emulated log
1381 formats). To enable this logging set log_mime_hdrs to 'on'.
1382DOC_END
1383
1384
1385NAME: useragent_log
1386TYPE: string
1387LOC: Config.Log.useragent
1388DEFAULT: none
1389IFDEF: USE_USERAGENT_LOG
1390DOC_START
1391 Squid will write the User-Agent field from HTTP requests
1392 to the filename specified here. By default useragent_log
1393 is disabled.
1394DOC_END
1395
1396
1397NAME: referer_log
1398TYPE: string
1399LOC: Config.Log.referer
1400DEFAULT: none
1401IFDEF: USE_REFERER_LOG
1402DOC_START
1403 Squid will write the Referer field from HTTP requests to the
1404 filename specified here. By default referer_log is disabled.
1405DOC_END
1406
1407
1408NAME: pid_filename
1409TYPE: string
1410DEFAULT: @DEFAULT_PID_FILE@
1411LOC: Config.pidFilename
1412DOC_START
1413 A filename to write the process-id to. To disable, enter "none".
1414DOC_END
1415
1416
1417NAME: debug_options
d9e04dc7 1418TYPE: debug
cccac0a2 1419DEFAULT: ALL,1
1420LOC: Config.debugOptions
1421DOC_START
1422 Logging options are set as section,level where each source file
1423 is assigned a unique section. Lower levels result in less
1424 output, Full debugging (level 9) can result in a very large
1425 log file, so be careful. The magic word "ALL" sets debugging
1426 levels for all sections. We recommend normally running with
1427 "ALL,1".
1428DOC_END
1429
1430
1431NAME: log_fqdn
1432COMMENT: on|off
1433TYPE: onoff
1434DEFAULT: off
1435LOC: Config.onoff.log_fqdn
1436DOC_START
1437 Turn this on if you wish to log fully qualified domain names
1438 in the access.log. To do this Squid does a DNS lookup of all
1439 IP's connecting to it. This can (in some situations) increase
1440 latency, which makes your cache seem slower for interactive
1441 browsing.
1442DOC_END
1443
1444
1445NAME: client_netmask
1446TYPE: address
1447LOC: Config.Addrs.client_netmask
1448DEFAULT: 255.255.255.255
1449DOC_START
1450 A netmask for client addresses in logfiles and cachemgr output.
1451 Change this to protect the privacy of your cache clients.
1452 A netmask of 255.255.255.0 will log all IP's in that range with
1453 the last digit set to '0'.
1454DOC_END
0976f8db 1455
0976f8db 1456
cccac0a2 1457COMMENT_START
1458 OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
1459 -----------------------------------------------------------------------------
1460COMMENT_END
1461
1462NAME: ftp_user
1463TYPE: string
1464DEFAULT: Squid@
1465LOC: Config.Ftp.anon_user
1466DOC_START
1467 If you want the anonymous login password to be more informative
1468 (and enable the use of picky ftp servers), set this to something
1469 reasonable for your domain, like wwwuser@somewhere.net
1470
7f7db318 1471 The reason why this is domainless by default is the
cccac0a2 1472 request can be made on the behalf of a user in any domain,
1473 depending on how the cache is used.
7f7db318 1474 Some ftp server also validate the email address is valid
cccac0a2 1475 (for example perl.com).
1476DOC_END
1477
1478NAME: ftp_list_width
1479TYPE: size_t
1480DEFAULT: 32
1481LOC: Config.Ftp.list_width
1482DOC_START
1483 Sets the width of ftp listings. This should be set to fit in
1484 the width of a standard browser. Setting this too small
1485 can cut off long filenames when browsing ftp sites.
1486DOC_END
1487
1488NAME: ftp_passive
1489TYPE: onoff
1490DEFAULT: on
1491LOC: Config.Ftp.passive
1492DOC_START
1493 If your firewall does not allow Squid to use passive
7f7db318 1494 connections, turn off this option.
cccac0a2 1495DOC_END
1496
1497NAME: ftp_sanitycheck
1498TYPE: onoff
1499DEFAULT: on
1500LOC: Config.Ftp.sanitycheck
1501DOC_START
1502 For security and data integrity reasons Squid by default performs
1503 sanity checks of the addresses of FTP data connections ensure the
1504 data connection is to the requested server. If you need to allow
1505 FTP connections to servers using another IP address for the data
7f7db318 1506 connection turn this off.
cccac0a2 1507DOC_END
1508
1509NAME: check_hostnames
1510TYPE: onoff
1511DEFAULT: on
1512LOC: Config.onoff.check_hostnames
1513DOC_START
1514 For security and stability reasons Squid by default checks
1515 hostnames for Internet standard RFC compliance. If you do not want
7f7db318 1516 Squid to perform these checks turn this directive off.
cccac0a2 1517DOC_END
1518
dad0fe12 1519NAME: ftp_telnet_protocol
1520TYPE: onoff
1521DEFAULT: on
1522LOC: Config.Ftp.telnet
1523DOC_START
1524The FTP protocol is officially defined to use the telnet protocol
1525as transport channel for the control connection. However, many
5ac1a5b3 1526implementations are broken and does not respect this aspect of
dad0fe12 1527the FTP protocol.
1528
1529If you have trouble accessing files with ASCII code 255 in the
7f7db318 1530path or similar problems involving this ASCII code you can
1531try setting this directive to off. If that helps, report to the
dad0fe12 1532operator of the FTP server in question that their FTP server
1533is broken and does not follow the FTP standard.
1534DOC_END
1535
cccac0a2 1536NAME: cache_dns_program
1537TYPE: string
1538IFDEF: USE_DNSSERVERS
1539DEFAULT: @DEFAULT_DNSSERVER@
1540LOC: Config.Program.dnsserver
1541DOC_START
1542 Specify the location of the executable for dnslookup process.
1543DOC_END
1544
1545NAME: dns_children
1546TYPE: int
1547IFDEF: USE_DNSSERVERS
1548DEFAULT: 5
1549LOC: Config.dnsChildren
1550DOC_START
1551 The number of processes spawn to service DNS name lookups.
1552 For heavily loaded caches on large servers, you should
1553 probably increase this value to at least 10. The maximum
1554 is 32. The default is 5.
1555
1556 You must have at least one dnsserver process.
1557DOC_END
1558
1559NAME: dns_retransmit_interval
1560TYPE: time_t
1561DEFAULT: 5 seconds
1562LOC: Config.Timeout.idns_retransmit
1563IFDEF: !USE_DNSSERVERS
1564DOC_START
1565 Initial retransmit interval for DNS queries. The interval is
1566 doubled each time all configured DNS servers have been tried.
1567
1568DOC_END
1569
1570NAME: dns_timeout
1571TYPE: time_t
1572DEFAULT: 5 minutes
1573LOC: Config.Timeout.idns_query
1574IFDEF: !USE_DNSSERVERS
1575DOC_START
1576 DNS Query timeout. If no response is received to a DNS query
7f7db318 1577 within this time all DNS servers for the queried domain
1578 are assumed to be unavailable.
cccac0a2 1579DOC_END
1580
1581NAME: dns_defnames
1582COMMENT: on|off
cccac0a2 1583TYPE: onoff
1584DEFAULT: off
1585LOC: Config.onoff.res_defnames
cccac0a2 1586DOC_START
68836b58 1587 Normally the RES_DEFNAMES resolver option is disabled
1588 (see res_init(3)). This prevents caches in a hierarchy
cccac0a2 1589 from interpreting single-component hostnames locally. To allow
68836b58 1590 Squid to handle single-component names, enable this option.
cccac0a2 1591DOC_END
1592
1593NAME: dns_nameservers
1594TYPE: wordlist
1595DEFAULT: none
1596LOC: Config.dns_nameservers
1597DOC_START
1598 Use this if you want to specify a list of DNS name servers
1599 (IP addresses) to use instead of those given in your
1600 /etc/resolv.conf file.
1601 On Windows platforms, if no value is specified here or in
1602 the /etc/resolv.conf file, the list of DNS name servers are
1603 taken from the Windows registry, both static and dynamic DHCP
1604 configurations are supported.
1605
1606 Example: dns_nameservers 10.0.0.1 192.172.0.4
1607DOC_END
1608
1609NAME: hosts_file
1610TYPE: string
1611DEFAULT: @DEFAULT_HOSTS@
1612LOC: Config.etcHostsPath
1613DOC_START
1614 Location of the host-local IP name-address associations
1615 database. Most Operating Systems have such a file on different
7f7db318 1616 default locations:
cccac0a2 1617 - Un*X & Linux: /etc/hosts
1618 - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
6845f129 1619 (%SystemRoot% value install default is c:\winnt)
fc4d8ed8 1620 - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
6845f129 1621 (%SystemRoot% value install default is c:\windows)
cccac0a2 1622 - Windows 9x/Me: %windir%\hosts
6845f129 1623 (%windir% value is usually c:\windows)
1624 - Cygwin: /etc/hosts
cccac0a2 1625
1626 The file contains newline-separated definitions, in the
1627 form ip_address_in_dotted_form name [name ...] names are
5ac1a5b3 1628 whitespace-separated. Lines beginning with an hash (#)
cccac0a2 1629 character are comments.
1630
7f7db318 1631 The file is checked at startup and upon configuration.
cccac0a2 1632 If set to 'none', it won't be checked.
7f7db318 1633 If append_domain is used, that domain will be added to
cccac0a2 1634 domain-local (i.e. not containing any dot character) host
1635 definitions.
1636DOC_END
1637
1638NAME: diskd_program
1639TYPE: string
1640DEFAULT: @DEFAULT_DISKD@
1641LOC: Config.Program.diskd
1642DOC_START
1643 Specify the location of the diskd executable.
7f7db318 1644 Note this is only useful if you have compiled in
cccac0a2 1645 diskd as one of the store io modules.
1646DOC_END
1647
1648NAME: unlinkd_program
1649IFDEF: USE_UNLINKD
1650TYPE: string
1651DEFAULT: @DEFAULT_UNLINKD@
1652LOC: Config.Program.unlinkd
1653DOC_START
1654 Specify the location of the executable for file deletion process.
1655DOC_END
1656
1657NAME: pinger_program
1658TYPE: string
1659DEFAULT: @DEFAULT_PINGER@
1660LOC: Config.Program.pinger
1661IFDEF: USE_ICMP
1662DOC_START
1663 Specify the location of the executable for the pinger process.
1664DOC_END
1665
1666
346be6ad 1667NAME: url_rewrite_program redirect_program
cccac0a2 1668TYPE: wordlist
1669LOC: Config.Program.redirect
1670DEFAULT: none
1671DOC_START
1672 Specify the location of the executable for the URL redirector.
1673 Since they can perform almost any function there isn't one included.
1674 See the FAQ (section 15) for information on how to write one.
1675 By default, a redirector is not used.
1676DOC_END
1677
1678
dc62e7f7 1679NAME: url_rewrite_children redirect_children
cccac0a2 1680TYPE: int
1681DEFAULT: 5
1682LOC: Config.redirectChildren
1683DOC_START
1684 The number of redirector processes to spawn. If you start
1685 too few Squid will have to wait for them to process a backlog of
1686 URLs, slowing it down. If you start too many they will use RAM
1687 and other system resources.
1688DOC_END
1689
dc62e7f7 1690NAME: url_rewrite_concurrency redirect_concurrency
cccac0a2 1691TYPE: int
1692DEFAULT: 0
1693LOC: Config.redirectConcurrency
1694DOC_START
1695 The number of requests each redirector helper can handle in
7f7db318 1696 parallell. Defaults to 0 which indicates the redirector
cccac0a2 1697 is a old-style singlethreaded redirector.
1698DOC_END
1699
dc62e7f7 1700NAME: url_rewrite_host_header redirect_rewrites_host_header
cccac0a2 1701TYPE: onoff
1702DEFAULT: on
1703LOC: Config.onoff.redir_rewrites_host
1704DOC_START
1705 By default Squid rewrites any Host: header in redirected
7f7db318 1706 requests. If you are running an accelerator this may
cccac0a2 1707 not be a wanted effect of a redirector.
1708
1709 WARNING: Entries are cached on the result of the URL rewriting
1710 process, so be careful if you have domain-virtual hosts.
1711DOC_END
1712
1713NAME: redirector_access
1714TYPE: acl_access
1715DEFAULT: none
1716LOC: Config.accessList.redirector
1717DOC_START
1718 If defined, this access list specifies which requests are
1719 sent to the redirector processes. By default all requests
1720 are sent.
1721DOC_END
1722
1723NAME: auth_param
1724TYPE: authparam
1725LOC: Config.authConfiguration
1726DEFAULT: none
1727DOC_START
1728 This is used to pass parameters to the various authentication
1729 schemes.
1730 format: auth_param scheme parameter [setting]
7f7db318 1731
1732 auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
cccac0a2 1733 would tell the basic authentication scheme it's program parameter.
1734
7f7db318 1735 The order authentication prompts are presented to the client_agent
5ac1a5b3 1736 is dependent on the order the scheme first appears in config file.
cccac0a2 1737 IE has a bug (it's not rfc 2617 compliant) in that it will use the basic
1738 scheme if basic is the first entry presented, even if more secure schemes
1739 are presented. For now use the order in the file below. If other browsers
5ac1a5b3 1740 have difficulties (don't recognize the schemes offered even if you are using
7f7db318 1741 basic) either put basic first, or disable the other schemes (by commenting
cccac0a2 1742 out their program entry).
1743
1744 Once an authentication scheme is fully configured, it can only be shutdown
1745 by shutting squid down and restarting. Changes can be made on the fly and
1746 activated with a reconfigure. I.E. You can change to a different helper,
1747 but not unconfigure the helper completely.
1748
1749 === Parameters for the basic scheme follow. ===
7f7db318 1750
cccac0a2 1751 "program" cmdline
1752 Specify the command for the external authenticator. Such a
1753 program reads a line containing "username password" and replies
0a0c70cd 1754 "ERR" in an endless loop. "ERR" responses may optionally be followed
1755 by a error description available as %m in the returned error page.
1756 If you use an authenticator, make sure you have 1 acl of type proxy_auth.
1757 By default, the basic authentication scheme is not used unless a program
1758 is specified.
cccac0a2 1759
1760 If you want to use the traditional proxy authentication,
6845f129 1761 jump over to the ../helpers/basic_auth/NCSA directory and
cccac0a2 1762 type:
1763 % make
1764 % make install
1765
1766 Then, set this line to something like
1767
6845f129 1768 auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
cccac0a2 1769
1770 "children" numberofchildren
1771 The number of authenticator processes to spawn (no default).
1772 If you start too few Squid will have to wait for them to
1773 process a backlog of usercode/password verifications, slowing
1774 it down. When password verifications are done via a (slow)
1775 network you are likely to need lots of authenticator
1776 processes.
1777 auth_param basic children 5
1778
1779 "concurrency" concurrency
1780 The number of concurrent requests the helper can process.
1781 The default of 0 is used for helpers who only supports
1782 one request at a time.
1783 auth_param basic concurrency 0
1784
1785 "realm" realmstring
1786 Specifies the realm name which is to be reported to the
1787 client for the basic proxy authentication scheme (part of
1788 the text the user will see when prompted their username and
1789 password). There is no default.
1790 auth_param basic realm Squid proxy-caching web server
1791
1792 "credentialsttl" timetolive
1793 Specifies how long squid assumes an externally validated
1794 username:password pair is valid for - in other words how
1795 often the helper program is called for that user. Set this
1796 low to force revalidation with short lived passwords. Note
5ac1a5b3 1797 setting this high does not impact your susceptibility
cccac0a2 1798 to replay attacks unless you are using an one-time password
1799 system (such as SecureID). If you are using such a system,
1800 you will be vulnerable to replay attacks unless you also
1801 use the max_user_ip ACL in an http_access rule.
1802
6845f129 1803 "casesensitive" on|off
1804 Specifies if usernames are case sensitive. Most user databases are
1805 case insensitive allowing the same username to be spelled using both
1806 lower and upper case letters, but some are case sensitive. This
1807 makes a big difference for user_max_ip ACL processing and similar.
1808 auth_param basic casesensitive off
64658378 1809
cccac0a2 1810 === Parameters for the digest scheme follow ===
1811
1812 "program" cmdline
1813 Specify the command for the external authenticator. Such
1814 a program reads a line containing "username":"realm" and
4c9fa5d5 1815 replies with the appropriate H(A1) value base64 encoded or
1816 ERR if the user (or his H(A1) hash) does not exists.
1817 See rfc 2616 for the definition of H(A1).
0a0c70cd 1818 "ERR" responses may optionally be followed by a error description
1819 available as %m in the returned error page.
4c9fa5d5 1820
1821 By default, the digest authentication is not used unless a
1822 program is specified.
1823
1824 If you want to use a digest authenticator, jump over to the
6845f129 1825 helpers/digest_auth/ directory and choose the authenticator
4c9fa5d5 1826 to use. In it's directory type
6845f129 1827 % make
1828 % make install
cccac0a2 1829
1830 Then, set this line to something like
1831
1832 auth_param digest program @DEFAULT_PREFIX@/bin/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass
1833
1834
1835 "children" numberofchildren
1836 The number of authenticator processes to spawn (no default).
1837 If you start too few Squid will have to wait for them to
1838 process a backlog of H(A1) calculations, slowing it down.
1839 When the H(A1) calculations are done via a (slow) network
1840 you are likely to need lots of authenticator processes.
1841 auth_param digest children 5
1842
1843 "realm" realmstring
1844 Specifies the realm name which is to be reported to the
1845 client for the digest proxy authentication scheme (part of
1846 the text the user will see when prompted their username and
1847 password). There is no default.
1848 auth_param digest realm Squid proxy-caching web server
1849
1850 "nonce_garbage_interval" timeinterval
1851 Specifies the interval that nonces that have been issued
1852 to client_agent's are checked for validity.
1853
1854 "nonce_max_duration" timeinterval
1855 Specifies the maximum length of time a given nonce will be
1856 valid for.
1857
1858 "nonce_max_count" number
1859 Specifies the maximum number of times a given nonce can be
1860 used.
1861
1862 "nonce_strictness" on|off
5ac1a5b3 1863 Determines if squid requires strict increment-by-1 behavior
cccac0a2 1864 for nonce counts, or just incrementing (off - for use when
1865 useragents generate nonce counts that occasionally miss 1
1866 (ie, 1,2,4,6)). Default off.
1867
1868 "check_nonce_count" on|off
1869 This directive if set to off can disable the nonce count check
1870 completely to work around buggy digest qop implementations in
1871 certain mainstream browser versions. Default on to check the
1872 nonce count to protect from authentication replay attacks.
1873
1874 "post_workaround" on|off
1875 This is a workaround to certain buggy browsers who sends
1876 an incorrect request digest in POST requests when reusing
5ac1a5b3 1877 the same nonce as acquired earlier on a GET request.
cccac0a2 1878
cccac0a2 1879 === NTLM scheme options follow ===
1880
1881 "program" cmdline
5ac1a5b3 1882 Specify the command for the external NTLM authenticator.
bdf7e1b4 1883 Such a program reads exchanged NTLMSSP packets with
1884 the browser via Squid until authentication is completed.
5ac1a5b3 1885 If you use an NTLM authenticator, make sure you have 1 acl
1886 of type proxy_auth. By default, the NTLM authenticator_program
cccac0a2 1887 is not used.
1888
1889 auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
1890
1891 "children" numberofchildren
1892 The number of authenticator processes to spawn (no default).
1893 If you start too few Squid will have to wait for them to
1894 process a backlog of credential verifications, slowing it
5ac1a5b3 1895 down. When credential verifications are done via a (slow)
cccac0a2 1896 network you are likely to need lots of authenticator
1897 processes.
dd9b1776 1898
cccac0a2 1899 auth_param ntlm children 5
1900
dd9b1776 1901 "keep_alive" on|off
1902 If you experience problems with PUT/POST requests when using the
1903 Negotiate authentication scheme then you can try setting this to
1904 off. This will cause Squid to forcibly close the connection on
1905 the initial requests where the browser asks which schemes are
1906 supported by the proxy.
1907
1908 auth_param ntlm keep_alive on
1909
6bf4f823 1910 === Options for configuring the NEGOTIATE auth-scheme follow ===
cccac0a2 1911
6bf4f823 1912 "program" cmdline
1913 Specify the command for the external Negotiate authenticator.
1914 This protocol is used in Microsoft Active-Directory enabled setups with
1915 the Microsoft Internet Explorer or Mozilla Firefox browsers.
1916 Its main purpose is to exchange credentials with the Squid proxy
1917 using the Kerberos mechanisms.
1918 If you use a Negotiate authenticator, make sure you have at least one acl
1919 of type proxy_auth active. By default, the negotiate authenticator_program
1920 is not used.
1921 The only supported program for this role is the ntlm_auth
26819f1e 1922 program distributed as part of Samba, version 4 or later.
6bf4f823 1923
1924 auth_param negotiate program @DEFAULT_PREFIX@/bin/ntlm_auth --helper-protocol=gss-spnego
1925
1926 "children" numberofchildren
1927 The number of authenticator processes to spawn (no default).
1928 If you start too few Squid will have to wait for them to
1929 process a backlog of credential verifications, slowing it
1930 down. When crendential verifications are done via a (slow)
1931 network you are likely to need lots of authenticator
1932 processes.
1933 auth_param negotiate children 5
1934
1935 "keep_alive" on|off
1936 If you experience problems with PUT/POST requests when using the
1937 Negotiate authentication scheme then you can try setting this to
1938 off. This will cause Squid to forcibly close the connection on
1939 the initial requests where the browser asks which schemes are
1940 supported by the proxy.
1941
1942 auth_param negotiate keep_alive on
cccac0a2 1943
1944NOCOMMENT_START
6845f129 1945#Recommended minimum configuration per scheme:
6bf4f823 1946#auth_param negotiate program <uncomment and complete this line to activate>
1947#auth_param negotiate children 5
1948#auth_param negotiate keep_alive on
26819f1e 1949#auth_param ntlm program <uncomment and complete this line to activate>
1950#auth_param ntlm children 5
1951#auth_param ntlm keep_alive on
2d70df72 1952#auth_param digest program <uncomment and complete this line>
1953#auth_param digest children 5
1954#auth_param digest realm Squid proxy-caching web server
1955#auth_param digest nonce_garbage_interval 5 minutes
1956#auth_param digest nonce_max_duration 30 minutes
1957#auth_param digest nonce_max_count 50
94439e4e 1958#auth_param basic program <uncomment and complete this line>
6845f129 1959#auth_param basic children 5
1960#auth_param basic realm Squid proxy-caching web server
1961#auth_param basic credentialsttl 2 hours
6b698a21 1962NOCOMMENT_END
1963DOC_END
0976f8db 1964
6b698a21 1965NAME: authenticate_cache_garbage_interval
1966TYPE: time_t
1967DEFAULT: 1 hour
1968LOC: Config.authenticateGCInterval
1969DOC_START
1970 The time period between garbage collection across the
5ac1a5b3 1971 username cache. This is a tradeoff between memory utilization
6b698a21 1972 (long intervals - say 2 days) and CPU (short intervals -
1973 say 1 minute). Only change if you have good reason to.
1974DOC_END
0976f8db 1975
6b698a21 1976NAME: authenticate_ttl
1977TYPE: time_t
1978DEFAULT: 1 hour
1979LOC: Config.authenticateTTL
1980DOC_START
1981 The time a user & their credentials stay in the logged in
1982 user cache since their last request. When the garbage
1983 interval passes, all user credentials that have passed their
1984 TTL are removed from memory.
1985DOC_END
0976f8db 1986
6b698a21 1987NAME: authenticate_ip_ttl
1988TYPE: time_t
1989LOC: Config.authenticateIpTTL
1990DEFAULT: 0 seconds
1991DOC_START
1992 If you use proxy authentication and the 'max_user_ip' ACL,
1993 this directive controls how long Squid remembers the IP
1994 addresses associated with each user. Use a small value
1995 (e.g., 60 seconds) if your users might change addresses
1996 quickly, as is the case with dialups. You might be safe
1997 using a larger value (e.g., 2 hours) in a corporate LAN
1998 environment with relatively static address assignments.
1999DOC_END
0976f8db 2000
6b698a21 2001NAME: external_acl_type
2002TYPE: externalAclHelper
2003LOC: Config.externalAclHelperList
2004DEFAULT: none
2005DOC_START
2006 This option defines external acl classes using a helper program
2007 to look up the status
7f7db318 2008
6b698a21 2009 external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
7f7db318 2010
6b698a21 2011 Options:
0976f8db 2012
6b698a21 2013 ttl=n TTL in seconds for cached results (defaults to 3600
2014 for 1 hour)
2015 negative_ttl=n
2016 TTL for cached negative lookups (default same
2017 as ttl)
2018 children=n Number of acl helper processes spawn to service
2019 external acl lookups of this type.
2020 concurrency=n concurrency level per process. Use 0 for old style
2021 helpers who can only process a single request at a
2022 time.
2023 cache=n result cache size, 0 is unbounded (default)
2024 grace=n Percentage remaining of TTL where a refresh of a
2025 cached entry should be initiated without needing to
2026 wait for a new reply. (default 0 for no grace period)
dc1af3cf 2027 protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
7f7db318 2028
6b698a21 2029 FORMAT specifications
2030
2031 %LOGIN Authenticated user login name
66b4345b 2032 %EXT_USER Username from external acl
6b698a21 2033 %IDENT Ident user name
2034 %SRC Client IP
2035 %SRCPORT Client source port
2036 %DST Requested host
2037 %PROTO Requested protocol
2038 %PORT Requested port
2039 %PATH Requested URL path
2040 %METHOD Request method
2041 %MYADDR Squid interface address
2042 %MYPORT Squid http_port number
4ac9968f 2043 %USER_CERT SSL User certificate in PEM format
3d61c476 2044 %USER_CERTCHAIN SSL User certificate chain in PEM format
4ac9968f 2045 %USER_CERT_xx SSL User certificate subject attribute xx
2046 %USER_CA_xx SSL User certificate issuer attribute xx
6b698a21 2047 %{Header} HTTP request header
2048 %{Hdr:member} HTTP request header list member
2049 %{Hdr:;member}
2050 HTTP request header list member using ; as
2051 list separator. ; can be any non-alphanumeric
2052 character.
2053
2054 In addition, any string specified in the referencing acl will
2055 also be included in the helper request line, after the specified
2056 formats (see the "acl external" directive)
2057
2058 The helper receives lines per the above format specification,
2059 and returns lines starting with OK or ERR indicating the validity
2060 of the request and optionally followed by additional keywords with
dc1af3cf 2061 more details. To protect from odd characters the data is URL
2062 escaped.
6b698a21 2063
2064 General result syntax:
7f7db318 2065
6b698a21 2066 OK/ERR keyword=value ...
0976f8db 2067
6b698a21 2068 Defined keywords:
0976f8db 2069
6b698a21 2070 user= The users name (login)
2071 password= The users password (for login= cache_peer option)
2072 message= Message describing the reason. Available as %o
2073 in error pages
2074 tag= Apply a tag to a request (for both ERR and OK results)
2075 Only sets a tag, does not alter existing tags.
2076 log= String to be logged in access.log. Available as
2077 %ea in logformat specifications
0976f8db 2078
dc1af3cf 2079 Keyword values need to be URL escaped if they may contain
2080 contain whitespace or quotes.
2081
2082 In Squid-2.5 compatibility mode quoting using " and \ is used
2083 instead of URL escaping.
6b698a21 2084DOC_END
0976f8db 2085
6b698a21 2086COMMENT_START
2087 OPTIONS FOR TUNING THE CACHE
2088 -----------------------------------------------------------------------------
2089COMMENT_END
0976f8db 2090
6b698a21 2091NAME: wais_relay_host
2092TYPE: string
2093DEFAULT: none
2094LOC: Config.Wais.relayHost
2095DOC_NONE
0976f8db 2096
6b698a21 2097NAME: wais_relay_port
2098TYPE: ushort
2099DEFAULT: 0
2100LOC: Config.Wais.relayPort
2101DOC_START
2102 Relay WAIS request to host (1st arg) at port (2 arg).
2103DOC_END
0976f8db 2104
0976f8db 2105
6b698a21 2106NAME: request_header_max_size
2107COMMENT: (KB)
2108TYPE: b_size_t
5b648f60 2109DEFAULT: 20 KB
6b698a21 2110LOC: Config.maxRequestHeaderSize
2111DOC_START
2112 This specifies the maximum size for HTTP headers in a request.
2113 Request headers are usually relatively small (about 512 bytes).
2114 Placing a limit on the request header size will catch certain
2115 bugs (for example with persistent connections) and possibly
2116 buffer-overflow or denial-of-service attacks.
2117DOC_END
0976f8db 2118
6b698a21 2119NAME: request_body_max_size
2120COMMENT: (KB)
2121TYPE: b_size_t
2122DEFAULT: 0 KB
2123LOC: Config.maxRequestBodySize
2124DOC_START
2125 This specifies the maximum size for an HTTP request body.
2126 In other words, the maximum size of a PUT/POST request.
2127 A user who attempts to send a request with a body larger
2128 than this limit receives an "Invalid Request" error message.
2129 If you set this parameter to a zero (the default), there will
2130 be no limit imposed.
2131DOC_END
0976f8db 2132
6b698a21 2133NAME: refresh_pattern
2134TYPE: refreshpattern
2135LOC: Config.Refresh
2136DEFAULT: none
2137DOC_START
2138 usage: refresh_pattern [-i] regex min percent max [options]
0976f8db 2139
6b698a21 2140 By default, regular expressions are CASE-SENSITIVE. To make
2141 them case-insensitive, use the -i option.
0976f8db 2142
6b698a21 2143 'Min' is the time (in minutes) an object without an explicit
2144 expiry time should be considered fresh. The recommended
2145 value is 0, any higher values may cause dynamic applications
2146 to be erroneously cached unless the application designer
2147 has taken the appropriate actions.
0976f8db 2148
6b698a21 2149 'Percent' is a percentage of the objects age (time since last
2150 modification age) an object without explicit expiry time
2151 will be considered fresh.
0976f8db 2152
6b698a21 2153 'Max' is an upper limit on how long objects without an explicit
2154 expiry time will be considered fresh.
0976f8db 2155
6b698a21 2156 options: override-expire
2157 override-lastmod
2158 reload-into-ims
2159 ignore-reload
38f9c547 2160 ignore-no-cache
2161 ignore-no-store
2162 ignore-private
2163 ignore-auth
6845f129 2164 refresh-ims
0976f8db 2165
6b698a21 2166 override-expire enforces min age even if the server
2167 sent a Expires: header. Doing this VIOLATES the HTTP
2168 standard. Enabling this feature could make you liable
2169 for problems which it causes.
0976f8db 2170
6b698a21 2171 override-lastmod enforces min age even on objects
7f7db318 2172 that were modified recently.
0976f8db 2173
6b698a21 2174 reload-into-ims changes client no-cache or ``reload''
2175 to If-Modified-Since requests. Doing this VIOLATES the
2176 HTTP standard. Enabling this feature could make you
2177 liable for problems which it causes.
0976f8db 2178
6b698a21 2179 ignore-reload ignores a client no-cache or ``reload''
2180 header. Doing this VIOLATES the HTTP standard. Enabling
2181 this feature could make you liable for problems which
2182 it causes.
7f7db318 2183
6845f129 2184 ignore-no-cache ignores any ``Pragma: no-cache'' and
2185 ``Cache-control: no-cache'' headers received from a server.
2186 The HTTP RFC never allows the use of this (Pragma) header
2187 from a server, only a client, though plenty of servers
2188 send it anyway.
38f9c547 2189
6845f129 2190 ignore-no-store ignores any ``Cache-control: no-store''
2191 headers received from a server. Doing this VIOLATES
2192 the HTTP standard. Enabling this feature could make you
2193 liable for problems which it causes.
38f9c547 2194
6845f129 2195 ignore-private ignores any ``Cache-control: private''
2196 headers received from a server. Doing this VIOLATES
2197 the HTTP standard. Enabling this feature could make you
2198 liable for problems which it causes.
38f9c547 2199
6845f129 2200 ignore-auth caches responses to requests with authorization,
2201 irrespective of ``Cache-control'' headers received from
2202 a server. Doing this VIOLATES the HTTP standard. Enabling
2203 this feature could make you liable for problems which
2204 it causes.
38f9c547 2205
4c3ef9b2 2206 refresh-ims causes squid to contact the origin server
2207 when a client issues an If-Modified-Since request. This
2208 ensures that the client will receive an updated version
2209 if one is available.
2210
6b698a21 2211 Basically a cached object is:
0976f8db 2212
6b698a21 2213 FRESH if expires < now, else STALE
2214 STALE if age > max
2215 FRESH if lm-factor < percent, else STALE
2216 FRESH if age < min
2217 else STALE
0976f8db 2218
6b698a21 2219 The refresh_pattern lines are checked in the order listed here.
2220 The first entry which matches is used. If none of the entries
7f7db318 2221 match the default will be used.
0976f8db 2222
6b698a21 2223 Note, you must uncomment all the default lines if you want
2224 to change one. The default setting is only active if none is
2225 used.
0976f8db 2226
6b698a21 2227Suggested default:
2228NOCOMMENT_START
2229refresh_pattern ^ftp: 1440 20% 10080
2230refresh_pattern ^gopher: 1440 0% 1440
2231refresh_pattern . 0 20% 4320
2232NOCOMMENT_END
2233DOC_END
0976f8db 2234
6b698a21 2235NAME: quick_abort_min
2236COMMENT: (KB)
2237TYPE: kb_size_t
2238DEFAULT: 16 KB
2239LOC: Config.quickAbort.min
2240DOC_NONE
0976f8db 2241
6b698a21 2242NAME: quick_abort_max
2243COMMENT: (KB)
2244TYPE: kb_size_t
2245DEFAULT: 16 KB
2246LOC: Config.quickAbort.max
2247DOC_NONE
0976f8db 2248
6b698a21 2249NAME: quick_abort_pct
2250COMMENT: (percent)
2251TYPE: int
2252DEFAULT: 95
2253LOC: Config.quickAbort.pct
2254DOC_START
2255 The cache by default continues downloading aborted requests
2256 which are almost completed (less than 16 KB remaining). This
2257 may be undesirable on slow (e.g. SLIP) links and/or very busy
2258 caches. Impatient users may tie up file descriptors and
2259 bandwidth by repeatedly requesting and immediately aborting
2260 downloads.
0976f8db 2261
6b698a21 2262 When the user aborts a request, Squid will check the
2263 quick_abort values to the amount of data transfered until
2264 then.
0976f8db 2265
6b698a21 2266 If the transfer has less than 'quick_abort_min' KB remaining,
2267 it will finish the retrieval.
0976f8db 2268
6b698a21 2269 If the transfer has more than 'quick_abort_max' KB remaining,
2270 it will abort the retrieval.
0976f8db 2271
6b698a21 2272 If more than 'quick_abort_pct' of the transfer has completed,
2273 it will finish the retrieval.
0976f8db 2274
6b698a21 2275 If you do not want any retrieval to continue after the client
2276 has aborted, set both 'quick_abort_min' and 'quick_abort_max'
2277 to '0 KB'.
0976f8db 2278
6b698a21 2279 If you want retrievals to always continue if they are being
7f7db318 2280 cached set 'quick_abort_min' to '-1 KB'.
6b698a21 2281DOC_END
0976f8db 2282
6b698a21 2283NAME: read_ahead_gap
2284COMMENT: buffer-size
2285TYPE: kb_size_t
2286LOC: Config.readAheadGap
2287DEFAULT: 16 KB
2288DOC_START
2289 The amount of data the cache will buffer ahead of what has been
2290 sent to the client when retrieving an object from another server.
2291DOC_END
0976f8db 2292
6b698a21 2293NAME: negative_ttl
2294COMMENT: time-units
2295TYPE: time_t
2296LOC: Config.negativeTtl
2297DEFAULT: 5 minutes
2298DOC_START
2299 Time-to-Live (TTL) for failed requests. Certain types of
2300 failures (such as "connection refused" and "404 Not Found") are
2301 negatively-cached for a configurable amount of time. The
2302 default is 5 minutes. Note that this is different from
2303 negative caching of DNS lookups.
2304DOC_END
0976f8db 2305
0976f8db 2306
6b698a21 2307NAME: positive_dns_ttl
2308COMMENT: time-units
2309TYPE: time_t
2310LOC: Config.positiveDnsTtl
2311DEFAULT: 6 hours
2312DOC_START
2313 Time-to-Live (TTL) for positive caching of successful DNS lookups.
2314 Default is 6 hours (360 minutes). If you want to minimize the
2315 use of Squid's ipcache, set this to 1, not 0.
2316DOC_END
0976f8db 2317
0976f8db 2318
6b698a21 2319NAME: negative_dns_ttl
2320COMMENT: time-units
2321TYPE: time_t
2322LOC: Config.negativeDnsTtl
2323DEFAULT: 5 minutes
2324DOC_START
2325 Time-to-Live (TTL) for negative caching of failed DNS lookups.
2326DOC_END
0976f8db 2327
6b698a21 2328NAME: range_offset_limit
2329COMMENT: (bytes)
2330TYPE: b_size_t
2331LOC: Config.rangeOffsetLimit
2332DEFAULT: 0 KB
2333DOC_START
2334 Sets a upper limit on how far into the the file a Range request
2335 may be to cause Squid to prefetch the whole file. If beyond this
7f7db318 2336 limit Squid forwards the Range request as it is and the result
6b698a21 2337 is NOT cached.
0976f8db 2338
6b698a21 2339 This is to stop a far ahead range request (lets say start at 17MB)
2340 from making Squid fetch the whole object up to that point before
2341 sending anything to the client.
0976f8db 2342
6b698a21 2343 A value of -1 causes Squid to always fetch the object from the
7f7db318 2344 beginning so it may cache the result. (2.0 style)
0976f8db 2345
6b698a21 2346 A value of 0 causes Squid to never fetch more than the
2347 client requested. (default)
2348DOC_END
0976f8db 2349
0976f8db 2350
6b698a21 2351COMMENT_START
2352 TIMEOUTS
2353 -----------------------------------------------------------------------------
2354COMMENT_END
0976f8db 2355
777831e0 2356NAME: forward_timeout
2357COMMENT: time-units
2358TYPE: time_t
2359LOC: Config.Timeout.forward
2360DEFAULT: 4 minutes
2361DOC_START
6845f129 2362 This parameter specifies how long Squid should at most attempt in
2363 finding a forwarding path for the request before giving up.
777831e0 2364DOC_END
2365
6b698a21 2366NAME: connect_timeout
2367COMMENT: time-units
2368TYPE: time_t
2369LOC: Config.Timeout.connect
777831e0 2370DEFAULT: 1 minute
6b698a21 2371DOC_START
6845f129 2372 This parameter specifies how long to wait for the TCP connect to
2373 the requested server or peer to complete before Squid should
2374 attempt to find another path where to forward the request.
6b698a21 2375DOC_END
0976f8db 2376
6b698a21 2377NAME: peer_connect_timeout
2378COMMENT: time-units
2379TYPE: time_t
2380LOC: Config.Timeout.peer_connect
2381DEFAULT: 30 seconds
2382DOC_START
2383 This parameter specifies how long to wait for a pending TCP
2384 connection to a peer cache. The default is 30 seconds. You
2385 may also set different timeout values for individual neighbors
2386 with the 'connect-timeout' option on a 'cache_peer' line.
2387DOC_END
0976f8db 2388
6b698a21 2389NAME: read_timeout
2390COMMENT: time-units
2391TYPE: time_t
2392LOC: Config.Timeout.read
2393DEFAULT: 15 minutes
2394DOC_START
2395 The read_timeout is applied on server-side connections. After
2396 each successful read(), the timeout will be extended by this
2397 amount. If no data is read again after this amount of time,
2398 the request is aborted and logged with ERR_READ_TIMEOUT. The
2399 default is 15 minutes.
2400DOC_END
0976f8db 2401
0976f8db 2402
6b698a21 2403NAME: request_timeout
2404TYPE: time_t
2405LOC: Config.Timeout.request
2406DEFAULT: 5 minutes
2407DOC_START
2408 How long to wait for an HTTP request after initial
2409 connection establishment.
2410DOC_END
0976f8db 2411
0976f8db 2412
6b698a21 2413NAME: persistent_request_timeout
2414TYPE: time_t
2415LOC: Config.Timeout.persistent_request
2416DEFAULT: 1 minute
2417DOC_START
2418 How long to wait for the next HTTP request on a persistent
2419 connection after the previous request completes.
2420DOC_END
0976f8db 2421
0976f8db 2422
6b698a21 2423NAME: client_lifetime
2424COMMENT: time-units
2425TYPE: time_t
2426LOC: Config.Timeout.lifetime
2427DEFAULT: 1 day
2428DOC_START
7f7db318 2429 The maximum amount of time a client (browser) is allowed to
6b698a21 2430 remain connected to the cache process. This protects the Cache
2431 from having a lot of sockets (and hence file descriptors) tied up
2432 in a CLOSE_WAIT state from remote clients that go away without
2433 properly shutting down (either because of a network failure or
2434 because of a poor client implementation). The default is one
2435 day, 1440 minutes.
2436
2437 NOTE: The default value is intended to be much larger than any
2438 client would ever need to be connected to your cache. You
2439 should probably change client_lifetime only as a last resort.
2440 If you seem to have many client connections tying up
2441 filedescriptors, we recommend first tuning the read_timeout,
2442 request_timeout, persistent_request_timeout and quick_abort values.
2443DOC_END
2444
2445NAME: half_closed_clients
2446TYPE: onoff
2447LOC: Config.onoff.half_closed_clients
2448DEFAULT: on
2449DOC_START
2450 Some clients may shutdown the sending side of their TCP
2451 connections, while leaving their receiving sides open. Sometimes,
2452 Squid can not tell the difference between a half-closed and a
2453 fully-closed TCP connection. By default, half-closed client
2454 connections are kept open until a read(2) or write(2) on the
2455 socket returns an error. Change this option to 'off' and Squid
2456 will immediately close client connections when read(2) returns
2457 "no more data to read."
2458DOC_END
0976f8db 2459
6b698a21 2460NAME: pconn_timeout
2461TYPE: time_t
2462LOC: Config.Timeout.pconn
2463DEFAULT: 120 seconds
2464DOC_START
2465 Timeout for idle persistent connections to servers and other
2466 proxies.
2467DOC_END
0976f8db 2468
6b698a21 2469NAME: ident_timeout
2470TYPE: time_t
2471IFDEF: USE_IDENT
2472LOC: Config.Timeout.ident
2473DEFAULT: 10 seconds
2474DOC_START
2475 Maximum time to wait for IDENT lookups to complete.
7f7db318 2476
6b698a21 2477 If this is too high, and you enabled IDENT lookups from untrusted
7f7db318 2478 users, you might be susceptible to denial-of-service by having
6b698a21 2479 many ident requests going at once.
2480DOC_END
0976f8db 2481
0976f8db 2482
6b698a21 2483NAME: shutdown_lifetime
2484COMMENT: time-units
2485TYPE: time_t
2486LOC: Config.shutdownLifetime
2487DEFAULT: 30 seconds
2488DOC_START
2489 When SIGTERM or SIGHUP is received, the cache is put into
2490 "shutdown pending" mode until all active sockets are closed.
2491 This value is the lifetime to set for all open descriptors
2492 during shutdown mode. Any active clients after this many
2493 seconds will receive a 'timeout' message.
2494DOC_END
9e7dbc51 2495
6b698a21 2496COMMENT_START
2497 ACCESS CONTROLS
2498 -----------------------------------------------------------------------------
2499COMMENT_END
9e7dbc51 2500
6b698a21 2501NAME: acl
2502TYPE: acl
2503LOC: Config.aclList
2504DEFAULT: none
2505DOC_START
2506 Defining an Access List
9e7dbc51 2507
6b698a21 2508 acl aclname acltype string1 ...
2509 acl aclname acltype "file" ...
9e7dbc51 2510
6b698a21 2511 when using "file", the file should contain one item per line
9e7dbc51 2512
6b698a21 2513 acltype is one of the types described below
9e7dbc51 2514
6b698a21 2515 By default, regular expressions are CASE-SENSITIVE. To make
2516 them case-insensitive, use the -i option.
9e7dbc51 2517
6b698a21 2518 acl aclname src ip-address/netmask ... (clients IP address)
2519 acl aclname src addr1-addr2/netmask ... (range of addresses)
2520 acl aclname dst ip-address/netmask ... (URL host's IP address)
2521 acl aclname myip ip-address/netmask ... (local socket IP address)
9e7dbc51 2522
5b807763 2523 acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
2524 # The arp ACL requires the special configure option --enable-arp-acl.
2525 # Furthermore, the ARP ACL code is not portable to all operating systems.
5cb988c7 2526 # It works on Linux, Solaris, Windows, FreeBSD, and some other *BSD variants.
5b807763 2527 #
2528 # NOTE: Squid can only determine the MAC address for clients that are on
2529 # the same subnet. If the client is on a different subnet, then Squid cannot
2530 # find out its MAC address.
2531
6b698a21 2532 acl aclname srcdomain .foo.com ... # reverse lookup, client IP
2533 acl aclname dstdomain .foo.com ... # Destination server from URL
2534 acl aclname srcdom_regex [-i] xxx ... # regex matching client name
2535 acl aclname dstdom_regex [-i] xxx ... # regex matching server
7660b45d 2536 # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
2537 # based URL is used and no match is found. The name "none" is used
2538 # if the reverse lookup fails.
9e7dbc51 2539
a0ec9f68 2540 acl aclname http_status 200 301 500- 400-403 ... # status code in reply
2541
6b698a21 2542 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
2543 day-abbrevs:
2544 S - Sunday
2545 M - Monday
2546 T - Tuesday
2547 W - Wednesday
2548 H - Thursday
2549 F - Friday
2550 A - Saturday
2551 h1:m1 must be less than h2:m2
2552 acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
2553 acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
2554 acl aclname port 80 70 21 ...
2555 acl aclname port 0-1024 ... # ranges allowed
2556 acl aclname myport 3128 ... # (local socket TCP port)
2557 acl aclname proto HTTP FTP ...
2558 acl aclname method GET POST ...
2559 acl aclname browser [-i] regexp ...
00634927 2560 # pattern match on User-Agent header (see also req_header below)
6845f129 2561 acl aclname referer_regex [-i] regexp ...
2562 # pattern match on Referer header
2563 # Referer is highly unreliable, so use with care
6b698a21 2564 acl aclname ident username ...
2565 acl aclname ident_regex [-i] pattern ...
2566 # string match on ident output.
9e7dbc51 2567 # use REQUIRED to accept any non-null ident.
6b698a21 2568 acl aclname src_as number ...
2569 acl aclname dst_as number ...
2570 # Except for access control, AS numbers can be used for
9e7dbc51 2571 # routing of requests to specific caches. Here's an
2572 # example for routing all requests for AS#1241 and only
6468fe10 2573 # those to mycache.mydomain.net:
2574 # acl asexample dst_as 1241
d87ebd78 2575 # cache_peer_access mycache.mydomain.net allow asexample
2576 # cache_peer_access mycache_mydomain.net deny all
6468fe10 2577
6b698a21 2578 acl aclname proxy_auth [-i] username ...
2579 acl aclname proxy_auth_regex [-i] pattern ...
2580 # list of valid usernames
c68e9c6b 2581 # use REQUIRED to accept any valid username.
73e67ee0 2582 #
2583 # NOTE: when a Proxy-Authentication header is sent but it is not
2584 # needed during ACL checking the username is NOT logged
2585 # in access.log.
c68e9c6b 2586 #
2587 # NOTE: proxy_auth requires a EXTERNAL authentication program
2588 # to check username/password combinations (see
f7d2a450 2589 # auth_param directive).
c68e9c6b 2590 #
d048c262 2591 # NOTE: proxy_auth can't be used in a transparent proxy as
2592 # the browser needs to be configured for using a proxy in order
2593 # to respond to proxy authentication.
934b03fc 2594
6b698a21 2595 acl aclname snmp_community string ...
2596 # A community string to limit access to your SNMP Agent
dba79ac5 2597 # Example:
96d88dcb 2598 #
dba79ac5 2599 # acl snmppublic snmp_community public
2600
6b698a21 2601 acl aclname maxconn number
2602 # This will be matched when the client's IP address has
9bc73deb 2603 # more than <number> HTTP connections established.
2604
6b698a21 2605 acl aclname max_user_ip [-s] number
2606 # This will be matched when the user attempts to log in from more
c23e89cd 2607 # than <number> different ip addresses. The authenticate_ip_ttl
60d096f4 2608 # parameter controls the timeout on the ip entries.
7f7db318 2609 # If -s is specified the limit is strict, denying browsing
be5caa55 2610 # from any further IP addresses until the ttl has expired. Without
c23e89cd 2611 # -s Squid will just annoy the user by "randomly" denying requests.
7f7db318 2612 # (the counter is reset each time the limit is reached and a
be5caa55 2613 # request is denied)
2614 # NOTE: in acceleration mode or where there is mesh of child proxies,
c23e89cd 2615 # clients may appear to come from multiple addresses if they are
be5caa55 2616 # going through proxy farms, so a limit of 1 may cause user problems.
60d096f4 2617
cccac0a2 2618 acl aclname req_mime_type mime-type1 ...
2619 # regex match agains the mime type of the request generated
ba2b31a8 2620 # by the client. Can be used to detect file upload or some
5ac1a5b3 2621 # types HTTP tunneling requests.
ba2b31a8 2622 # NOTE: This does NOT match the reply. You cannot use this
2623 # to match the returned file type.
c68e9c6b 2624
00634927 2625 acl aclname req_header header-name [-i] any\.regex\.here
2626 # regex match against any of the known request headers. May be
2627 # thought of as a superset of "browser", "referer" and "mime-type"
2628 # ACLs.
2629
cccac0a2 2630 acl aclname rep_mime_type mime-type1 ...
5ac1a5b3 2631 # regex match against the mime type of the reply received by
c4ab8329 2632 # squid. Can be used to detect file download or some
5ac1a5b3 2633 # types HTTP tunneling requests.
c4ab8329 2634 # NOTE: This has no effect in http_access rules. It only has
2635 # effect in rules that affect the reply data stream such as
2636 # http_reply_access.
2637
00634927 2638 acl aclname req_header header-name [-i] any\.regex\.here
2639 # regex match against any of the known request headers. May be
2640 # thought of as a superset of "browser", "referer" and "mime-type"
2641 # ACLs.
2642
cccac0a2 2643 acl acl_name external class_name [arguments...]
2644 # external ACL lookup via a helper class defined by the
d9572179 2645 # external_acl_type directive.
c4ab8329 2646
cccac0a2 2647 acl aclname user_cert attribute values...
2648 # match against attributes in a user SSL certificate
a7ad6e4e 2649 # attribute is one of DN/C/O/CN/L/ST
2650
cccac0a2 2651 acl aclname ca_cert attribute values...
2652 # match against attributes a users issuing CA SSL certificate
a7ad6e4e 2653 # attribute is one of DN/C/O/CN/L/ST
2654
cccac0a2 2655 acl aclname ext_user username ...
2656 acl aclname ext_user_regex [-i] pattern ...
2657 # string match on username returned by external acl processing
d95b862f 2658 # use REQUIRED to accept any non-null user name.
2659
cccac0a2 2660Examples:
5b807763 2661acl macaddress arp 09:00:2b:23:45:67
cccac0a2 2662acl myexample dst_as 1241
2663acl password proxy_auth REQUIRED
2664acl fileupload req_mime_type -i ^multipart/form-data$
2665acl javascript rep_mime_type -i ^application/x-javascript$
c68e9c6b 2666
cccac0a2 2667NOCOMMENT_START
6b53c392 2668#Recommended minimum configuration:
cccac0a2 2669acl all src 0.0.0.0/0.0.0.0
2670acl manager proto cache_object
2671acl localhost src 127.0.0.1/255.255.255.255
2672acl to_localhost dst 127.0.0.0/8
2673acl SSL_ports port 443 563
2674acl Safe_ports port 80 # http
2675acl Safe_ports port 21 # ftp
2676acl Safe_ports port 443 563 # https, snews
2677acl Safe_ports port 70 # gopher
2678acl Safe_ports port 210 # wais
2679acl Safe_ports port 1025-65535 # unregistered ports
2680acl Safe_ports port 280 # http-mgmt
2681acl Safe_ports port 488 # gss-http
2682acl Safe_ports port 591 # filemaker
2683acl Safe_ports port 777 # multiling http
2684acl CONNECT method CONNECT
2685NOCOMMENT_END
2686DOC_END
2687
2688NAME: http_access
2689TYPE: acl_access
2690LOC: Config.accessList.http
2691DEFAULT: none
2692DEFAULT_IF_NONE: deny all
2693DOC_START
2694 Allowing or Denying access based on defined access lists
2695
2696 Access to the HTTP port:
2697 http_access allow|deny [!]aclname ...
2698
2699 NOTE on default values:
2700
2701 If there are no "access" lines present, the default is to deny
2702 the request.
2703
2704 If none of the "access" lines cause a match, the default is the
2705 opposite of the last line in the list. If the last line was
7f7db318 2706 deny, the default is allow. Conversely, if the last line
cccac0a2 2707 is allow, the default will be deny. For these reasons, it is a
2708 good idea to have an "deny all" or "allow all" entry at the end
2709 of your access lists to avoid potential confusion.
2710
2711NOCOMMENT_START
6b53c392 2712#Recommended minimum configuration:
2713#
2714# Only allow cachemgr access from localhost
cccac0a2 2715http_access allow manager localhost
2716http_access deny manager
6b53c392 2717# Deny requests to unknown ports
cccac0a2 2718http_access deny !Safe_ports
6b53c392 2719# Deny CONNECT to other than SSL ports
cccac0a2 2720http_access deny CONNECT !SSL_ports
c68e9c6b 2721#
7f7db318 2722# We strongly recommend the following be uncommented to protect innocent
2723# web applications running on the proxy server who think the only
4cc6eb12 2724# one who can access services on "localhost" is a local user
2725#http_access deny to_localhost
c68e9c6b 2726#
4cc6eb12 2727# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
2728
59f4a63e 2729# Example rule allowing access from your local networks. Adapt
b9d7fe3e 2730# to list your (internal) IP networks from where browsing should
2731# be allowed
2732#acl our_networks src 192.168.1.0/24 192.168.2.0/24
2733#http_access allow our_networks
2734
6b53c392 2735# And finally deny all other access to this proxy
cccac0a2 2736http_access deny all
2737NOCOMMENT_END
2738DOC_END
c4ab8329 2739
cccac0a2 2740NAME: http_reply_access
2741TYPE: acl_access
2742LOC: Config.accessList.reply
2743DEFAULT: none
2744DEFAULT_IF_NONE: allow all
2745DOC_START
6845f129 2746 Allow replies to client requests. This is complementary to http_access.
c4ab8329 2747
6845f129 2748 http_reply_access allow|deny [!] aclname ...
0976f8db 2749
6845f129 2750 NOTE: if there are no access lines present, the default is to allow
cccac0a2 2751 all replies
0976f8db 2752
6845f129 2753 If none of the access lines cause a match the opposite of the
2754 last line will apply. Thus it is good practice to end the rules
2755 with an "allow all" or "deny all" entry.
0976f8db 2756
cccac0a2 2757NOCOMMENT_START
c4ab8329 2758#Recommended minimum configuration:
2759#
2760# Insert your own rules here.
2761#
2762#
2763# and finally allow by default
cccac0a2 2764http_reply_access allow all
2765NOCOMMENT_END
2766DOC_END
6b53c392 2767
6b53c392 2768
cccac0a2 2769NAME: icp_access
2770TYPE: acl_access
2771LOC: Config.accessList.icp
2772DEFAULT: none
2773DEFAULT_IF_NONE: deny all
2774DOC_START
2775 Allowing or Denying access to the ICP port based on defined
2776 access lists
934b03fc 2777
cccac0a2 2778 icp_access allow|deny [!]aclname ...
0976f8db 2779
cccac0a2 2780 See http_access for details
0976f8db 2781
cccac0a2 2782NOCOMMENT_START
403b5e7b 2783#Allow ICP queries from everyone
cccac0a2 2784icp_access allow all
2785NOCOMMENT_END
2786DOC_END
934b03fc 2787
2788
cccac0a2 2789NAME: miss_access
2790TYPE: acl_access
2791LOC: Config.accessList.miss
2792DEFAULT: none
2793DOC_START
2794 Use to force your neighbors to use you as a sibling instead of
2795 a parent. For example:
934b03fc 2796
cccac0a2 2797 acl localclients src 172.16.0.0/16
2798 miss_access allow localclients
2799 miss_access deny !localclients
934b03fc 2800
7f7db318 2801 This means only your local clients are allowed to fetch
cccac0a2 2802 MISSES and all other clients can only fetch HITS.
934b03fc 2803
cccac0a2 2804 By default, allow all clients who passed the http_access rules
2805 to fetch MISSES from us.
6b53c392 2806
cccac0a2 2807NOCOMMENT_START
6b53c392 2808#Default setting:
2809# miss_access allow all
cccac0a2 2810NOCOMMENT_END
2811DOC_END
2812
2813
2814NAME: cache_peer_access
2815TYPE: peer_access
2816DEFAULT: none
2817LOC: none
2818DOC_START
2819 Similar to 'cache_peer_domain' but provides more flexibility by
2820 using ACL elements.
2821
2822 cache_peer_access cache-host allow|deny [!]aclname ...
2823
2824 The syntax is identical to 'http_access' and the other lists of
2825 ACL elements. See the comments for 'http_access' below, or
2826 the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
2827DOC_END
2828
2829NAME: ident_lookup_access
2830TYPE: acl_access
2831IFDEF: USE_IDENT
2832DEFAULT: none
2833DEFAULT_IF_NONE: deny all
2834LOC: Config.accessList.identLookup
2835DOC_START
2836 A list of ACL elements which, if matched, cause an ident
2837 (RFC 931) lookup to be performed for this request. For
2838 example, you might choose to always perform ident lookups
2839 for your main multi-user Unix boxes, but not for your Macs
2840 and PCs. By default, ident lookups are not performed for
2841 any requests.
2842
2843 To enable ident lookups for specific client addresses, you
2844 can follow this example:
2845
2846 acl ident_aware_hosts src 198.168.1.0/255.255.255.0
2847 ident_lookup_access allow ident_aware_hosts
2848 ident_lookup_access deny all
2849
2850 Only src type ACL checks are fully supported. A src_domain
2851 ACL might work at times, but it will not always provide
2852 the correct result.
2853DOC_END
2854
2855NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
2856TYPE: acl_tos
2857DEFAULT: none
2858LOC: Config.accessList.outgoing_tos
2859DOC_START
2860 Allows you to select a TOS/Diffserv value to mark outgoing
2861 connections with, based on the username or source address
2862 making the request.
2863
2864 tcp_outgoing_tos ds-field [!]aclname ...
2865
2866 Example where normal_service_net uses the TOS value 0x00
2867 and normal_service_net uses 0x20
2868
2869 acl normal_service_net src 10.0.0.0/255.255.255.0
2870 acl good_service_net src 10.0.1.0/255.255.255.0
2871 tcp_outgoing_tos 0x00 normal_service_net 0x00
2872 tcp_outgoing_tos 0x20 good_service_net
2873
2874 TOS/DSCP values really only have local significance - so you should
2875 know what you're specifying. For more, see RFC 2474
2876
2877 The TOS/DSCP byte must be exactly that - a byte, value 0 - 255, or
2878 "default" to use whatever default your host has.
2879
2880 Processing proceeds in the order specified, and stops at first fully
2881 matching line.
2882DOC_END
2883
2884NAME: tcp_outgoing_address
2885TYPE: acl_address
2886DEFAULT: none
2887LOC: Config.accessList.outgoing_address
2888DOC_START
2889 Allows you to map requests to different outgoing IP addresses
2890 based on the username or sourceaddress of the user making
2891 the request.
7f7db318 2892
cccac0a2 2893 tcp_outgoing_address ipaddr [[!]aclname] ...
2894
5ac1a5b3 2895 Example where requests from 10.0.0.0/24 will be forwarded
7f7db318 2896 with source address 10.1.0.1, 10.0.2.0/24 forwarded with
cccac0a2 2897 source address 10.1.0.2 and the rest will be forwarded with
2898 source address 10.1.0.3.
2899
2900 acl normal_service_net src 10.0.0.0/255.255.255.0
2901 acl good_service_net src 10.0.1.0/255.255.255.0
2902 tcp_outgoing_address 10.0.0.1 normal_service_net
2903 tcp_outgoing_address 10.0.0.2 good_service_net
2904 tcp_outgoing_address 10.0.0.3
2905
2906 Processing proceeds in the order specified, and stops at first fully
2907 matching line.
2908DOC_END
2909
4eb368f9 2910NAME: reply_header_max_size
2911COMMENT: (KB)
2912TYPE: b_size_t
2913DEFAULT: 20 KB
2914LOC: Config.maxReplyHeaderSize
2915DOC_START
2916 This specifies the maximum size for HTTP headers in a reply.
2917 Reply headers are usually relatively small (about 512 bytes).
2918 Placing a limit on the reply header size will catch certain
2919 bugs (for example with persistent connections) and possibly
2920 buffer-overflow or denial-of-service attacks.
2921DOC_END
2922
cccac0a2 2923NAME: reply_body_max_size
2924COMMENT: size [acl acl...]
2925TYPE: acl_b_size_t
2926DEFAULT: none
2927LOC: Config.ReplyBodySize
2928DOC_START
6845f129 2929 This option specifies the maximum size of a reply body. It can be
cccac0a2 2930 used to prevent users from downloading very large files, such as
5ac1a5b3 2931 MP3's and movies. When the reply headers are received, the
cccac0a2 2932 reply_body_max_size lines are processed, and the first line where
5ac1a5b3 2933 all (if any) listed ACLs are true is used as the maximum body size
cccac0a2 2934 for this reply.
2935
7f7db318 2936 This size is checked twice. First when we get the reply headers,
cccac0a2 2937 we check the content-length value. If the content length value exists
2938 and is larger than the allowed size, the request is denied and the
2939 user receives an error message that says "the request or reply
2940 is too large." If there is no content-length, and the reply
2941 size exceeds this limit, the client's connection is just closed
2942 and they will receive a partial reply.
2943
2944 WARNING: downstream caches probably can not detect a partial reply
2945 if there is no content-length header, so they will cache
2946 partial responses and give them out as hits. You should NOT
2947 use this option if you have downstream caches.
2948
2949 WARNING: A maximum size smaller than the size of squid's error messages
2950 will cause an infinite loop and crash squid. Ensure that the smallest
2951 non-zero value you use is greater that the maximum header size plus
2952 the size of your largest error page.
2953
2954 If you set this parameter none (the default), there will be
2955 no limit imposed.
2956DOC_END
2957
2958NAME: log_access
2959TYPE: acl_access
2960LOC: Config.accessList.log
2961DEFAULT: none
2962COMMENT: allow|deny acl acl...
2963DOC_START
6845f129 2964 This options allows you to control which requests gets logged
cccac0a2 2965 to access.log (see access_log directive). Requests denied for
2966 logging will also not be accounted for in performance counters.
2967DOC_END
0976f8db 2968
cccac0a2 2969COMMENT_START
2970 ADMINISTRATIVE PARAMETERS
2971 -----------------------------------------------------------------------------
2972COMMENT_END
2973
2974NAME: cache_mgr
2975TYPE: string
2976DEFAULT: webmaster
2977LOC: Config.adminEmail
2978DOC_START
2979 Email-address of local cache manager who will receive
2980 mail if the cache dies. The default is "webmaster."
2981DOC_END
2982
2983
abacf776 2984NAME: mail_from
2985TYPE: string
2986DEFAULT: none
2987LOC: Config.EmailFrom
2988DOC_START
2989 From: email-address for mail sent when the cache dies.
2990 The default is to use 'appname@unique_hostname'.
b8c0c06d 2991 Default appname value is "squid", can be changed into
abacf776 2992 src/globals.h before building squid.
2993DOC_END
2994
2995
d084bf20 2996NAME: mail_program
2997TYPE: eol
2998DEFAULT: mail
2999LOC: Config.EmailProgram
3000DOC_START
3001 Email program used to send mail if the cache dies.
3002 The default is "mail". The specified program must complain
3003 with the standard Unix mail syntax:
3004 mail_program recipient < mailfile
3005 Optional command line options can be specified.
3006DOC_END
3007
3008
cccac0a2 3009NAME: cache_effective_user
3010TYPE: string
3011DEFAULT: nobody
3012LOC: Config.effectiveUser
e3d74828 3013DOC_START
3014 If you start Squid as root, it will change its effective/real
3015 UID/GID to the user specified below. The default is to change
3016 to UID to nobody. If you define cache_effective_user, but not
3017 cache_effective_group, Squid sets the GID to the effective
3018 user's default group ID (taken from the password file) and
3019 supplementary group list from the from groups membership of
3020 cache_effective_user.
3021DOC_END
3022
cccac0a2 3023
3024NAME: cache_effective_group
3025TYPE: string
3026DEFAULT: none
3027LOC: Config.effectiveGroup
3028DOC_START
e3d74828 3029 If you want Squid to run with a specific GID regardless of
3030 the group memberships of the effective user then set this
3031 to the group (or GID) you want Squid to run as. When set
3032 all other group privileges of the effective user is ignored
3033 and only this GID is effective. If Squid is not started as
3034 root the user starting Squid must be member of the specified
3035 group.
cccac0a2 3036DOC_END
3037
3038
d3caee79 3039NAME: httpd_suppress_version_string
3040COMMENT: on|off
3041TYPE: onoff
3042DEFAULT: off
3043LOC: Config.onoff.httpd_suppress_version_string
3044DOC_START
3045 Suppress Squid version string info in HTTP headers and HTML error pages.
3046DOC_END
3047
3048
cccac0a2 3049NAME: visible_hostname
3050TYPE: string
3051LOC: Config.visibleHostname
3052DEFAULT: none
3053DOC_START
3054 If you want to present a special hostname in error messages, etc,
7f7db318 3055 define this. Otherwise, the return value of gethostname()
cccac0a2 3056 will be used. If you have multiple caches in a cluster and
3057 get errors about IP-forwarding you must set them to have individual
3058 names with this setting.
3059DOC_END
3060
3061
3062NAME: unique_hostname
3063TYPE: string
3064LOC: Config.uniqueHostname
3065DEFAULT: none
3066DOC_START
3067 If you want to have multiple machines with the same
7f7db318 3068 'visible_hostname' you must give each machine a different
3069 'unique_hostname' so forwarding loops can be detected.
cccac0a2 3070DOC_END
3071
3072
3073NAME: hostname_aliases
3074TYPE: wordlist
3075LOC: Config.hostnameAliases
3076DEFAULT: none
3077DOC_START
7f7db318 3078 A list of other DNS names your cache has.
cccac0a2 3079DOC_END
0976f8db 3080
cccac0a2 3081COMMENT_START
3082 OPTIONS FOR THE CACHE REGISTRATION SERVICE
3083 -----------------------------------------------------------------------------
3084
3085 This section contains parameters for the (optional) cache
3086 announcement service. This service is provided to help
3087 cache administrators locate one another in order to join or
3088 create cache hierarchies.
3089
3090 An 'announcement' message is sent (via UDP) to the registration
3091 service by Squid. By default, the announcement message is NOT
3092 SENT unless you enable it with 'announce_period' below.
3093
3094 The announcement message includes your hostname, plus the
3095 following information from this configuration file:
3096
3097 http_port
3098 icp_port
3099 cache_mgr
3100
3101 All current information is processed regularly and made
3102 available on the Web at http://www.ircache.net/Cache/Tracker/.
3103COMMENT_END
3104
3105NAME: announce_period
3106TYPE: time_t
3107LOC: Config.Announce.period
3108DEFAULT: 0
3109DOC_START
3110 This is how frequently to send cache announcements. The
3111 default is `0' which disables sending the announcement
3112 messages.
3113
3114 To enable announcing your cache, just uncomment the line
3115 below.
3116
3117NOCOMMENT_START
9e7dbc51 3118#To enable announcing your cache, just uncomment the line below.
3119#announce_period 1 day
cccac0a2 3120NOCOMMENT_END
3121DOC_END
3122
3123
3124NAME: announce_host
3125TYPE: string
3126DEFAULT: tracker.ircache.net
3127LOC: Config.Announce.host
3128DOC_NONE
3129
3130NAME: announce_file
3131TYPE: string
3132DEFAULT: none
3133LOC: Config.Announce.file
3134DOC_NONE
3135
3136NAME: announce_port
3137TYPE: ushort
3138DEFAULT: 3131
3139LOC: Config.Announce.port
3140DOC_START
3141 announce_host and announce_port set the hostname and port
3142 number where the registration message will be sent.
3143
3144 Hostname will default to 'tracker.ircache.net' and port will
3145 default default to 3131. If the 'filename' argument is given,
3146 the contents of that file will be included in the announce
3147 message.
3148DOC_END
3149
3150NAME: httpd_accel_surrogate_id
3151IFDEF: ESI
3152TYPE: string
3153LOC: Config.Accel.surrogate_id
3154DEFAULT: unset-id
3155DOC_START
3156 Surrogates (http://www.esi.org/architecture_spec_1.0.html)
3157 need an identification token to allow control targeting. Because
3158 a farm of surrogates may all perform the same tasks, they may share
3159 an identification token.
3160DOC_END
3161
3162NAME: http_accel_surrogate_remote
3163IFDEF: ESI
3164COMMENT: on|off
3165TYPE: onoff
3166DEFAULT: off
3167LOC: Config.onoff.surrogate_is_remote
3168DOC_START
3169 Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
3170 Set this to on to have squid behave as a remote surrogate.
3171DOC_END
3172
3173NAME: esi_parser
3174IFDEF: ESI
964b44c3 3175COMMENT: libxml2|expat|custom
cccac0a2 3176TYPE: string
3177LOC: ESIParser::Type
3178DEFAULT: custom
3179DOC_START
3180 ESI markup is not strictly XML compatible. The custom ESI parser
3181 will give higher performance, but cannot handle non ASCII character
3182 encodings.
3183DOC_END
0976f8db 3184
cccac0a2 3185COMMENT_START
3186 MISCELLANEOUS
3187 -----------------------------------------------------------------------------
3188COMMENT_END
3189
3190NAME: dns_testnames
3191TYPE: wordlist
3192LOC: Config.dns_testname_list
3193DEFAULT: none
3194DEFAULT_IF_NONE: netscape.com internic.net nlanr.net microsoft.com
3195DOC_START
3196 The DNS tests exit as soon as the first site is successfully looked up
3197
3198 This test can be disabled with the -D command line option.
3199DOC_END
3200
3201
3202NAME: logfile_rotate
3203TYPE: int
3204DEFAULT: 10
3205LOC: Config.Log.rotateNumber
3206DOC_START
3207 Specifies the number of logfile rotations to make when you
87d69285 3208 type 'squid -k rotate'. The default is 10, which will rotate
3209 with extensions 0 through 9. Setting logfile_rotate to 0 will
3210 disable the file name rotation, but the logfiles are still closed
3211 and re-opened. This will enable you to rename the logfiles
cccac0a2 3212 yourself just before sending the rotate signal.
3213
3214 Note, the 'squid -k rotate' command normally sends a USR1
3215 signal to the running squid process. In certain situations
3216 (e.g. on Linux with Async I/O), USR1 is used for other
3217 purposes, so -k rotate uses another signal. It is best to get
3218 in the habit of using 'squid -k rotate' instead of 'kill -USR1
3219 <pid>'.
3220DOC_END
3221
3222
3223NAME: append_domain
3224TYPE: string
3225LOC: Config.appendDomain
3226DEFAULT: none
3227DOC_START
3228 Appends local domain name to hostnames without any dots in
3229 them. append_domain must begin with a period.
3230
7f7db318 3231 Be warned there are now Internet names with no dots in
cccac0a2 3232 them using only top-domain names, so setting this may
3233 cause some Internet sites to become unavailable.
3234
3235Example:
3236 append_domain .yourdomain.com
3237DOC_END
3238
3239
3240NAME: tcp_recv_bufsize
3241COMMENT: (bytes)
3242TYPE: b_size_t
3243DEFAULT: 0 bytes
3244LOC: Config.tcpRcvBufsz
3245DOC_START
3246 Size of receive buffer to set for TCP sockets. Probably just
3247 as easy to change your kernel's default. Set to zero to use
3248 the default buffer size.
3249DOC_END
3250
3251NAME: err_html_text
3252TYPE: eol
3253LOC: Config.errHtmlText
3254DEFAULT: none
3255DOC_START
3256 HTML text to include in error messages. Make this a "mailto"
3257 URL to your admin address, or maybe just a link to your
3258 organizations Web page.
3259
3260 To include this in your error messages, you must rewrite
3261 the error template files (found in the "errors" directory).
3262 Wherever you want the 'err_html_text' line to appear,
3263 insert a %L tag in the error template file.
3264DOC_END
3265
3266NAME: email_err_data
3267COMMENT: on|off
3268TYPE: onoff
3269LOC: Config.onoff.emailErrData
3270DEFAULT: on
3271DOC_START
3272 If enabled, information about the occurred error will be
3273 included in the mailto links of the ERR pages (if %W is set)
7f7db318 3274 so that the email body contains the data.
cccac0a2 3275 Syntax is <A HREF="mailto:%w%W">%w</A>
3276DOC_END
3277
3278
3279NAME: deny_info
3280TYPE: denyinfo
3281LOC: Config.denyInfoList
3282DEFAULT: none
3283DOC_START
3284 Usage: deny_info err_page_name acl
3285 or deny_info http://... acl
3286 Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
3287
3288 This can be used to return a ERR_ page for requests which
3289 do not pass the 'http_access' rules. A single ACL will cause
3290 the http_access check to fail. If a 'deny_info' line exists
7f7db318 3291 for that ACL Squid returns a corresponding error page.
cccac0a2 3292
3293 You may use ERR_ pages that come with Squid or create your own pages
3294 and put them into the configured errors/ directory.
3295
7f7db318 3296 Alternatively you can specify an error URL. The browsers will
cccac0a2 3297 get redirected (302) to the specified URL. %s in the redirection
3298 URL will be replaced by the requested URL.
3299
3300 Alternatively you can tell Squid to reset the TCP connection
3301 by specifying TCP_RESET.
3302DOC_END
3303
3304NAME: memory_pools
3305COMMENT: on|off
3306TYPE: onoff
3307DEFAULT: on
3308LOC: Config.onoff.mem_pools
3309DOC_START
3310 If set, Squid will keep pools of allocated (but unused) memory
3311 available for future use. If memory is a premium on your
3312 system and you believe your malloc library outperforms Squid
3313 routines, disable this.
3314DOC_END
3315
3316NAME: memory_pools_limit
3317COMMENT: (bytes)
3318TYPE: b_size_t
e838cf2f 3319DEFAULT: 5 MB
cccac0a2 3320LOC: Config.MemPools.limit
3321DOC_START
3322 Used only with memory_pools on:
3323 memory_pools_limit 50 MB
3324
3325 If set to a non-zero value, Squid will keep at most the specified
3326 limit of allocated (but unused) memory in memory pools. All free()
3327 requests that exceed this limit will be handled by your malloc
3328 library. Squid does not pre-allocate any memory, just safe-keeps
3329 objects that otherwise would be free()d. Thus, it is safe to set
3330 memory_pools_limit to a reasonably high value even if your
3331 configuration will use less memory.
3332
7e7e02e1 3333 If set to zero, Squid will keep all memory it can. That is, there
3334 will be no limit on the total amount of memory used for safe-keeping.
cccac0a2 3335
3336 To disable memory allocation optimization, do not set
3337 memory_pools_limit to 0. Set memory_pools to "off" instead.
3338
3339 An overhead for maintaining memory pools is not taken into account
3340 when the limit is checked. This overhead is close to four bytes per
3341 object kept. However, pools may actually _save_ memory because of
3342 reduced memory thrashing in your malloc library.
3343DOC_END
3344
3345NAME: via
3346IFDEF: HTTP_VIOLATIONS
3347COMMENT: on|off
3348TYPE: onoff
3349DEFAULT: on
3350LOC: Config.onoff.via
3351DOC_START
3352 If set (default), Squid will include a Via header in requests and
3353 replies as required by RFC2616.
3354DOC_END
3355
3356NAME: forwarded_for
3357COMMENT: on|off
3358TYPE: onoff
3359DEFAULT: on
3360LOC: opt_forwarded_for
3361DOC_START
3362 If set, Squid will include your system's IP address or name
3363 in the HTTP requests it forwards. By default it looks like
3364 this:
3365
3366 X-Forwarded-For: 192.1.2.3
3367
3368 If you disable this, it will appear as
3369
3370 X-Forwarded-For: unknown
3371DOC_END
3372
3373NAME: log_icp_queries
3374COMMENT: on|off
3375TYPE: onoff
3376DEFAULT: on
3377LOC: Config.onoff.log_udp
3378DOC_START
3379 If set, ICP queries are logged to access.log. You may wish
3380 do disable this if your ICP load is VERY high to speed things
3381 up or to simplify log analysis.
3382DOC_END
3383
3384NAME: icp_hit_stale
3385COMMENT: on|off
3386TYPE: onoff
3387DEFAULT: off
3388LOC: Config.onoff.icp_hit_stale
3389DOC_START
3390 If you want to return ICP_HIT for stale cache objects, set this
3391 option to 'on'. If you have sibling relationships with caches
3392 in other administrative domains, this should be 'off'. If you only
7f7db318 3393 have sibling relationships with caches under your control,
cccac0a2 3394 it is probably okay to set this to 'on'.
7f7db318 3395 If set to 'on', your siblings should use the option "allow-miss"
cccac0a2 3396 on their cache_peer lines for connecting to you.
3397DOC_END
3398
3399
3400NAME: minimum_direct_hops
3401TYPE: int
3402DEFAULT: 4
3403LOC: Config.minDirectHops
3404DOC_START
3405 If using the ICMP pinging stuff, do direct fetches for sites
3406 which are no more than this many hops away.
3407DOC_END
3408
3409NAME: minimum_direct_rtt
3410TYPE: int
3411DEFAULT: 400
3412LOC: Config.minDirectRtt
3413DOC_START
3414 If using the ICMP pinging stuff, do direct fetches for sites
3415 which are no more than this many rtt milliseconds away.
3416DOC_END
3417
3418NAME: cachemgr_passwd
3419TYPE: cachemgrpasswd
3420DEFAULT: none
3421LOC: Config.passwd_list
3422DOC_START
3423 Specify passwords for cachemgr operations.
3424
3425 Usage: cachemgr_passwd password action action ...
3426
3427 Some valid actions are (see cache manager menu for a full list):
3428 5min
3429 60min
3430 asndb
3431 authenticator
3432 cbdata
3433 client_list
3434 comm_incoming
3435 config *
3436 counters
3437 delay
3438 digest_stats
3439 dns
3440 events
3441 filedescriptors
3442 fqdncache
3443 histograms
3444 http_headers
3445 info
3446 io
3447 ipcache
3448 mem
3449 menu
3450 netdb
3451 non_peers
3452 objects
3453 offline_toggle *
3454 pconn
3455 peer_select
3456 redirector
3457 refresh
3458 server_list
3459 shutdown *
3460 store_digest
3461 storedir
3462 utilization
3463 via_headers
3464 vm_objects
3465
3466 * Indicates actions which will not be performed without a
3467 valid password, others can be performed if not listed here.
3468
3469 To disable an action, set the password to "disable".
3470 To allow performing an action without a password, set the
3471 password to "none".
3472
3473 Use the keyword "all" to set the same password for all actions.
3474
3475Example:
3476 cachemgr_passwd secret shutdown
3477 cachemgr_passwd lesssssssecret info stats/objects
3478 cachemgr_passwd disable all
3479DOC_END
3480
3481NAME: store_avg_object_size
3482COMMENT: (kbytes)
3483TYPE: kb_size_t
3484DEFAULT: 13 KB
3485LOC: Config.Store.avgObjectSize
3486DOC_START
3487 Average object size, used to estimate number of objects your
3488 cache can hold. See doc/Release-Notes-1.1.txt. The default is
3489 13 KB.
3490DOC_END
3491
3492NAME: store_objects_per_bucket
3493TYPE: int
3494DEFAULT: 20
3495LOC: Config.Store.objectsPerBucket
3496DOC_START
3497 Target number of objects per bucket in the store hash table.
3498 Lowering this value increases the total number of buckets and
c8f4eac4 3499 also the storage maintenance rate. The default is 20.
cccac0a2 3500DOC_END
3501
3502NAME: client_db
3503COMMENT: on|off
3504TYPE: onoff
3505DEFAULT: on
3506LOC: Config.onoff.client_db
3507DOC_START
7f7db318 3508 If you want to disable collecting per-client statistics,
cccac0a2 3509 turn off client_db here.
3510DOC_END
3511
3512
3513NAME: netdb_low
3514TYPE: int
3515DEFAULT: 900
3516LOC: Config.Netdb.low
3517DOC_NONE
3518
3519NAME: netdb_high
3520TYPE: int
3521DEFAULT: 1000
3522LOC: Config.Netdb.high
3523DOC_START
3524 The low and high water marks for the ICMP measurement
3525 database. These are counts, not percents. The defaults are
3526 900 and 1000. When the high water mark is reached, database
3527 entries will be deleted until the low mark is reached.
3528DOC_END
3529
3530
3531NAME: netdb_ping_period
3532TYPE: time_t
3533LOC: Config.Netdb.period
3534DEFAULT: 5 minutes
3535DOC_START
3536 The minimum period for measuring a site. There will be at
3537 least this much delay between successive pings to the same
3538 network. The default is five minutes.
3539DOC_END
3540
3541
3542NAME: query_icmp
3543COMMENT: on|off
3544TYPE: onoff
3545DEFAULT: off
3546LOC: Config.onoff.query_icmp
3547DOC_START
3548 If you want to ask your peers to include ICMP data in their ICP
3549 replies, enable this option.
3550
3551 If your peer has configured Squid (during compilation) with
7f7db318 3552 '--enable-icmp' that peer will send ICMP pings to origin server
3553 sites of the URLs it receives. If you enable this option the
cccac0a2 3554 ICP replies from that peer will include the ICMP data (if available).
3555 Then, when choosing a parent cache, Squid will choose the parent with
3556 the minimal RTT to the origin server. When this happens, the
3557 hierarchy field of the access.log will be
3558 "CLOSEST_PARENT_MISS". This option is off by default.
3559DOC_END
3560
3561NAME: test_reachability
3562COMMENT: on|off
3563TYPE: onoff
3564DEFAULT: off
3565LOC: Config.onoff.test_reachability
3566DOC_START
3567 When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
3568 instead of ICP_MISS if the target host is NOT in the ICMP
3569 database, or has a zero RTT.
3570DOC_END
3571
3572NAME: buffered_logs
3573COMMENT: on|off
3574TYPE: onoff
3575DEFAULT: off
3576LOC: Config.onoff.buffered_logs
3577DOC_START
3578 cache.log log file is written with stdio functions, and as such
3579 it can be buffered or unbuffered. By default it will be unbuffered.
3580 Buffering it can speed up the writing slightly (though you are
3581 unlikely to need to worry unless you run with tons of debugging
3582 enabled in which case performance will suffer badly anyway..).
3583DOC_END
3584
4c3ef9b2 3585NAME: refresh_all_ims
3586COMMENT: on|off
3587TYPE: onoff
3588DEFAULT: off
3589LOC: Config.onoff.refresh_all_ims
3590DOC_START
3591 When you enable this option, squid will always check
3592 the origin server for an update when a client sends an
3593 If-Modified-Since request. Many browsers use IMS
3594 requests when the user requests a reload, and this
3595 ensures those clients receive the latest version.
3596
3597 By default (off), squid may return a Not Modified response
3598 based on the age of the cached version.
3599DOC_END
3600
cccac0a2 3601NAME: reload_into_ims
3602IFDEF: HTTP_VIOLATIONS
3603COMMENT: on|off
3604TYPE: onoff
3605DEFAULT: off
3606LOC: Config.onoff.reload_into_ims
3607DOC_START
3608 When you enable this option, client no-cache or ``reload''
3609 requests will be changed to If-Modified-Since requests.
3610 Doing this VIOLATES the HTTP standard. Enabling this
3611 feature could make you liable for problems which it
3612 causes.
7f7db318 3613
cccac0a2 3614 see also refresh_pattern for a more selective approach.
3615DOC_END
3616
3617NAME: always_direct
3618TYPE: acl_access
3619LOC: Config.accessList.AlwaysDirect
3620DEFAULT: none
3621DOC_START
3622 Usage: always_direct allow|deny [!]aclname ...
3623
3624 Here you can use ACL elements to specify requests which should
3625 ALWAYS be forwarded directly to origin servers. For example,
3626 to always directly forward requests for local servers use
3627 something like:
3628
3629 acl local-servers dstdomain my.domain.net
3630 always_direct allow local-servers
3631
3632 To always forward FTP requests directly, use
3633
3634 acl FTP proto FTP
3635 always_direct allow FTP
3636
3637 NOTE: There is a similar, but opposite option named
3638 'never_direct'. You need to be aware that "always_direct deny
3639 foo" is NOT the same thing as "never_direct allow foo". You
3640 may need to use a deny rule to exclude a more-specific case of
3641 some other rule. Example:
3642
3643 acl local-external dstdomain external.foo.net
3644 acl local-servers dstdomain .foo.net
3645 always_direct deny local-external
3646 always_direct allow local-servers
3647
3648 This option replaces some v1.1 options such as local_domain
3649 and local_ip.
3650DOC_END
3651
3652NAME: never_direct
3653TYPE: acl_access
3654LOC: Config.accessList.NeverDirect
3655DEFAULT: none
3656DOC_START
3657 Usage: never_direct allow|deny [!]aclname ...
3658
3659 never_direct is the opposite of always_direct. Please read
3660 the description for always_direct if you have not already.
3661
3662 With 'never_direct' you can use ACL elements to specify
3663 requests which should NEVER be forwarded directly to origin
3664 servers. For example, to force the use of a proxy for all
3665 requests, except those in your local domain use something like:
3666
3667 acl local-servers dstdomain .foo.net
3668 acl all src 0.0.0.0/0.0.0.0
3669 never_direct deny local-servers
3670 never_direct allow all
7f7db318 3671
3672 or if Squid is inside a firewall and there are local intranet
f939c0ca 3673 servers inside the firewall use something like:
cccac0a2 3674
3675 acl local-intranet dstdomain .foo.net
3676 acl local-external dstdomain external.foo.net
3677 always_direct deny local-external
3678 always_direct allow local-intranet
3679 never_direct allow all
7f7db318 3680
cccac0a2 3681 This option replaces some v1.1 options such as inside_firewall
3682 and firewall_ip.
3683DOC_END
3684
8c01ada0 3685NAME: request_header_access
cccac0a2 3686IFDEF: HTTP_VIOLATIONS
3687TYPE: http_header_access[]
8c01ada0 3688LOC: Config.request_header_access
cccac0a2 3689DEFAULT: none
3690DOC_START
8c01ada0 3691 Usage: request_header_access header_name allow|deny [!]aclname ...
cccac0a2 3692
3693 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3694 this feature could make you liable for problems which it
3695 causes.
3696
3697 This option replaces the old 'anonymize_headers' and the
3698 older 'http_anonymizer' option with something that is much
3699 more configurable. This new method creates a list of ACLs
3700 for each header, allowing you very fine-tuned header
3701 mangling.
3702
8c01ada0 3703 This option only applies to request headers, i.e., from the
3704 client to the server.
3705
cccac0a2 3706 You can only specify known headers for the header name.
3707 Other headers are reclassified as 'Other'. You can also
3708 refer to all the headers with 'All'.
3709
5ac1a5b3 3710 For example, to achieve the same behavior as the old
cccac0a2 3711 'http_anonymizer standard' option, you should use:
3712
8c01ada0 3713 request_header_access From deny all
3714 request_header_access Referer deny all
3715 request_header_access Server deny all
3716 request_header_access User-Agent deny all
3717 request_header_access WWW-Authenticate deny all
3718 request_header_access Link deny all
cccac0a2 3719
3720 Or, to reproduce the old 'http_anonymizer paranoid' feature
3721 you should use:
3722
8c01ada0 3723 request_header_access Allow allow all
3724 request_header_access Authorization allow all
3725 request_header_access WWW-Authenticate allow all
141ab88c 3726 request_header_access Proxy-Authorization allow all
3727 request_header_access Proxy-Authenticate allow all
8c01ada0 3728 request_header_access Cache-Control allow all
3729 request_header_access Content-Encoding allow all
3730 request_header_access Content-Length allow all
3731 request_header_access Content-Type allow all
3732 request_header_access Date allow all
3733 request_header_access Expires allow all
3734 request_header_access Host allow all
3735 request_header_access If-Modified-Since allow all
3736 request_header_access Last-Modified allow all
3737 request_header_access Location allow all
3738 request_header_access Pragma allow all
3739 request_header_access Accept allow all
3740 request_header_access Accept-Charset allow all
3741 request_header_access Accept-Encoding allow all
3742 request_header_access Accept-Language allow all
3743 request_header_access Content-Language allow all
3744 request_header_access Mime-Version allow all
3745 request_header_access Retry-After allow all
3746 request_header_access Title allow all
3747 request_header_access Connection allow all
3748 request_header_access Proxy-Connection allow all
3749 request_header_access All deny all
3750
3751 although many of those are HTTP reply headers, and so should be
3752 controlled with the reply_header_access directive.
3753
3754 By default, all headers are allowed (no anonymizing is
3755 performed).
3756DOC_END
3757
3758NAME: reply_header_access
3759IFDEF: HTTP_VIOLATIONS
3760TYPE: http_header_access[]
3761LOC: Config.reply_header_access
3762DEFAULT: none
3763DOC_START
3764 Usage: reply_header_access header_name allow|deny [!]aclname ...
3765
3766 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3767 this feature could make you liable for problems which it
3768 causes.
3769
3770 This option only applies to reply headers, i.e., from the
3771 server to the client.
3772
3773 This is the same as request_header_access, but in the other
3774 direction.
3775
3776 This option replaces the old 'anonymize_headers' and the
3777 older 'http_anonymizer' option with something that is much
3778 more configurable. This new method creates a list of ACLs
3779 for each header, allowing you very fine-tuned header
3780 mangling.
3781
3782 You can only specify known headers for the header name.
3783 Other headers are reclassified as 'Other'. You can also
3784 refer to all the headers with 'All'.
3785
5ac1a5b3 3786 For example, to achieve the same behavior as the old
8c01ada0 3787 'http_anonymizer standard' option, you should use:
3788
3789 reply_header_access From deny all
3790 reply_header_access Referer deny all
3791 reply_header_access Server deny all
3792 reply_header_access User-Agent deny all
3793 reply_header_access WWW-Authenticate deny all
3794 reply_header_access Link deny all
3795
3796 Or, to reproduce the old 'http_anonymizer paranoid' feature
3797 you should use:
3798
3799 reply_header_access Allow allow all
3800 reply_header_access Authorization allow all
3801 reply_header_access WWW-Authenticate allow all
141ab88c 3802 reply_header_access Proxy-Authorization allow all
3803 reply_header_access Proxy-Authenticate allow all
8c01ada0 3804 reply_header_access Cache-Control allow all
3805 reply_header_access Content-Encoding allow all
3806 reply_header_access Content-Length allow all
3807 reply_header_access Content-Type allow all
3808 reply_header_access Date allow all
3809 reply_header_access Expires allow all
3810 reply_header_access Host allow all
3811 reply_header_access If-Modified-Since allow all
3812 reply_header_access Last-Modified allow all
3813 reply_header_access Location allow all
3814 reply_header_access Pragma allow all
3815 reply_header_access Accept allow all
3816 reply_header_access Accept-Charset allow all
3817 reply_header_access Accept-Encoding allow all
3818 reply_header_access Accept-Language allow all
3819 reply_header_access Content-Language allow all
3820 reply_header_access Mime-Version allow all
3821 reply_header_access Retry-After allow all
3822 reply_header_access Title allow all
3823 reply_header_access Connection allow all
3824 reply_header_access Proxy-Connection allow all
3825 reply_header_access All deny all
3826
3827 although the HTTP request headers won't be usefully controlled
3828 by this directive -- see request_header_access for details.
cccac0a2 3829
3830 By default, all headers are allowed (no anonymizing is
3831 performed).
3832DOC_END
3833
3834NAME: header_replace
3835IFDEF: HTTP_VIOLATIONS
3836TYPE: http_header_replace[]
8c01ada0 3837LOC: Config.request_header_access
cccac0a2 3838DEFAULT: none
3839DOC_START
3840 Usage: header_replace header_name message
3841 Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
3842
3843 This option allows you to change the contents of headers
3844 denied with header_access above, by replacing them with
3845 some fixed string. This replaces the old fake_user_agent
3846 option.
3847
8c01ada0 3848 This only applies to request headers, not reply headers.
3849
cccac0a2 3850 By default, headers are removed if denied.
3851DOC_END
3852
3853NAME: icon_directory
3854TYPE: string
3855LOC: Config.icons.directory
3856DEFAULT: @DEFAULT_ICON_DIR@
3857DOC_START
3858 Where the icons are stored. These are normally kept in
3859 @DEFAULT_ICON_DIR@
3860DOC_END
3861
f024c970 3862NAME: global_internal_static
3863TYPE: onoff
3864LOC: Config.onoff.global_internal_static
3865DEFAULT: on
3866DOC_START
3867 This directive controls is Squid should intercept all requests for
3868 /squid-internal-static/ no matter which host the URL is requesting
3869 (default on setting), or if nothing special should be done for
3870 such URLs (off setting). The purpose of this directive is to make
3871 icons etc work better in complex cache hierarchies where it may
3872 not always be possible for all corners in the cache mesh to reach
3873 the server generating a directory listing.
3874DOC_END
3875
e72a0ec0 3876NAME: short_icon_urls
3877TYPE: onoff
3878LOC: Config.icons.use_short_names
3879DEFAULT: on
3880DOC_START
7f7db318 3881 If this is enabled Squid will use short URLs for icons.
5ac1a5b3 3882 If disabled it will revert to the old behavior of including
e72a0ec0 3883 it's own name and port in the URL.
3884
3885 If you run a complex cache hierarchy with a mix of Squid and
7f7db318 3886 other proxies you may need to disable this directive.
e72a0ec0 3887DOC_END
3888
cccac0a2 3889NAME: error_directory
3890TYPE: string
3891LOC: Config.errorDirectory
3892DEFAULT: @DEFAULT_ERROR_DIR@
3893DOC_START
3894 If you wish to create your own versions of the default
3895 (English) error files, either to customize them to suit your
3896 language or company copy the template English files to another
3897 directory and point this tag at them.
3898DOC_END
3899
3900NAME: maximum_single_addr_tries
3901TYPE: int
3902LOC: Config.retry.maxtries
4ed0e075 3903DEFAULT: 1
cccac0a2 3904DOC_START
3905 This sets the maximum number of connection attempts for a
3906 host that only has one address (for multiple-address hosts,
3907 each address is tried once).
3908
4ed0e075 3909 The default value is one attempt, the (not recommended)
cccac0a2 3910 maximum is 255 tries. A warning message will be generated
3911 if it is set to a value greater than ten.
4ed0e075 3912
5ac1a5b3 3913 Note: This is in addition to the request re-forwarding which
4ed0e075 3914 takes place if Squid fails to get a satisfying response.
cccac0a2 3915DOC_END
3916
5894ad28 3917NAME: retry_on_error
3918TYPE: onoff
3919LOC: Config.retry.onerror
3920DEFAULT: off
3921DOC_START
3922 If set to on Squid will automatically retry requests when
3923 receiving an error response. This is mainly useful if you
3924 are in a complex cache hierarchy to work around access
3925 control errors.
3926DOC_END
3927
cccac0a2 3928NAME: snmp_port
3929TYPE: ushort
3930LOC: Config.Port.snmp
3931DEFAULT: 3401
3932IFDEF: SQUID_SNMP
3933DOC_START
3934 Squid can now serve statistics and status information via SNMP.
3935 By default it listens to port 3401 on the machine. If you don't
3936 wish to use SNMP, set this to "0".
4ed0e075 3937
7f7db318 3938 Note: If you want Squid to use parents for all requests see
4ed0e075 3939 the never_direct directive. prefer_direct only modifies how Squid
3940 acts on cachable requests.
cccac0a2 3941DOC_END
3942
3943NAME: snmp_access
3944TYPE: acl_access
3945LOC: Config.accessList.snmp
3946DEFAULT: none
3947DEFAULT_IF_NONE: deny all
3948IFDEF: SQUID_SNMP
3949DOC_START
3950 Allowing or denying access to the SNMP port.
3951
3952 All access to the agent is denied by default.
3953 usage:
3954
3955 snmp_access allow|deny [!]aclname ...
3956
3957Example:
3958 snmp_access allow snmppublic localhost
3959 snmp_access deny all
3960DOC_END
3961
3962NAME: snmp_incoming_address
3963TYPE: address
3964LOC: Config.Addrs.snmp_incoming
3965DEFAULT: 0.0.0.0
3966IFDEF: SQUID_SNMP
3967DOC_NONE
3968NAME: snmp_outgoing_address
3969TYPE: address
3970LOC: Config.Addrs.snmp_outgoing
3971DEFAULT: 255.255.255.255
3972IFDEF: SQUID_SNMP
3973DOC_START
3974 Just like 'udp_incoming_address' above, but for the SNMP port.
3975
3976 snmp_incoming_address is used for the SNMP socket receiving
3977 messages from SNMP agents.
3978 snmp_outgoing_address is used for SNMP packets returned to SNMP
3979 agents.
3980
3981 The default snmp_incoming_address (0.0.0.0) is to listen on all
3982 available network interfaces.
3983
3984 If snmp_outgoing_address is set to 255.255.255.255 (the default)
7f7db318 3985 it will use the same socket as snmp_incoming_address. Only
cccac0a2 3986 change this if you want to have SNMP replies sent using another
3987 address than where this Squid listens for SNMP queries.
3988
3989 NOTE, snmp_incoming_address and snmp_outgoing_address can not have
3990 the same value since they both use port 3401.
3991DOC_END
3992
3993NAME: as_whois_server
3994TYPE: string
3995LOC: Config.as_whois_server
3996DEFAULT: whois.ra.net
3997DEFAULT_IF_NONE: whois.ra.net
3998DOC_START
3999 WHOIS server to query for AS numbers. NOTE: AS numbers are
4000 queried only when Squid starts up, not for every request.
4001DOC_END
4002
4003NAME: wccp_router
4004TYPE: address
4005LOC: Config.Wccp.router
4006DEFAULT: 0.0.0.0
4007IFDEF: USE_WCCP
0b0cfcf2 4008DOC_NONE
4009NAME: wccp2_router
4010TYPE: sockaddr_in_list
4011LOC: Config.Wccp2.router
4012DEFAULT: none
4013IFDEF: USE_WCCPv2
cccac0a2 4014DOC_START
4015 Use this option to define your WCCP ``home'' router for
0b0cfcf2 4016 Squid.
4017
4018 wccp_router supports a single WCCP(v1) router
4019
4020 wccp2_router supports multiple WCCPv2 routers
4021
4022 only one of the two may be used at the same time and defines
4023 which version of WCCP to use.
cccac0a2 4024DOC_END
4025
4026NAME: wccp_version
4027TYPE: int
4028LOC: Config.Wccp.version
4029DEFAULT: 4
4030IFDEF: USE_WCCP
4031DOC_START
0b0cfcf2 4032 This directive is only relevant if you need to set up WCCP(v1)
4033 to some very old and end-of-life Cisco routers. In all other
4034 setups it must be left unset or at the default setting.
4035 It defines an internal version in the WCCP(v1) protocol,
4036 with version 4 being the officially documented protocol.
4037
4038 According to some users, Cisco IOS 11.2 and earlier only
4039 support WCCP version 3. If you're using that or an earlier
4040 version of IOS, you may need to change this value to 3, otherwise
4041 do not specify this parameter.
4042DOC_END
4043
f67332d3 4044NAME: wccp2_rebuild_wait
4045TYPE: onoff
4046LOC: Config.Wccp2.rebuildwait
4047DEFAULT: on
4048IFDEF: USE_WCCPv2
4049DOC_START
4050 If this is enabled Squid will wait for the cache dir rebuild to finish
4051 before sending the first wccp2 HereIAm packet
4052DOC_END
4053
0b0cfcf2 4054NAME: wccp2_forwarding_method
4055TYPE: int
4056LOC: Config.Wccp2.forwarding_method
4057DEFAULT: 1
4058IFDEF: USE_WCCPv2
4059DOC_START
4060 WCCP2 allows the setting of forwarding methods between the
4061 router/switch and the cache. Valid values are as follows:
4062
4063 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4064 2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
4065
4066 Currently (as of IOS 12.4) cisco routers only support GRE.
4067 Cisco switches only support the L2 redirect assignment method.
4068DOC_END
4069
4070NAME: wccp2_return_method
4071TYPE: int
4072LOC: Config.Wccp2.return_method
4073DEFAULT: 1
4074IFDEF: USE_WCCPv2
4075DOC_START
4076 WCCP2 allows the setting of return methods between the
4077 router/switch and the cache for packets that the cache
4078 decides not to handle. Valid values are as follows:
4079
4080 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4081 2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
4082
4083 Currently (as of IOS 12.4) cisco routers only support GRE.
4084 Cisco switches only support the L2 redirect assignment.
4085
4086 If the "ip wccp redirect exclude in" command has been
4087 enabled on the cache interface, then it is still safe for
4088 the proxy server to use a l2 redirect method even if this
4089 option is set to GRE.
4090DOC_END
4091
4092NAME: wccp2_service
4093TYPE: wccp2_service
4094LOC: Config.Wccp2.info
4095DEFAULT: none
4096DEFAULT_IF_NONE: standard 0
4097IFDEF: USE_WCCPv2
4098DOC_START
4099 WCCP2 allows for multiple traffic services. There are two
4100 types: "standard" and "dynamic". The standard type defines
4101 one service id - http (id 0). The dynamic service ids can be from
4102 51 to 255 inclusive. In order to use a dynamic service id
4103 one must define the type of traffic to be redirected; this is done
4104 using the wccp2_service_info option.
4105
4106 The "standard" type does not require a wccp2_service_info option,
4107 just specifying the service id will suffice.
4108
4109 MD5 service authentication can be enabled by adding
4110 "password=<password>" to the end of this service declaration.
4111
4112 Examples:
4113
4114 wccp2_service standard 0 # for the 'web-cache' standard service
4115 wccp2_service dynamic 80 # a dynamic service type which will be
4116 # fleshed out with subsequent options.
4117 wccp2_service standard 0 password=foo
4118
cccac0a2 4119DOC_END
4120
0b0cfcf2 4121NAME: wccp2_service_info
4122TYPE: wccp2_service_info
4123LOC: Config.Wccp2.info
4124DEFAULT: none
4125IFDEF: USE_WCCPv2
4126DOC_START
4127 Dynamic WCCPv2 services require further information to define the
4128 traffic you wish to have diverted.
4129
4130 The format is:
4131
4132 wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
4133 priority=<priority> ports=<port>,<port>..
4134
4135 The relevant WCCPv2 flags:
4136 + src_ip_hash, dst_ip_hash
4137 + source_port_hash, dest_port_hash
4138 + src_ip_alt_hash, dst_ip_alt_hash
4139 + src_port_alt_hash, dst_port_alt_hash
4140 + ports_source
4141
4142 The port list can be one to eight entries.
4143
4144 Example:
4145
4146 wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
4147 priority=240 ports=80
4148
4149 Note: the service id must have been defined by a previous
4150 'wccp2_service dynamic <id>' entry.
4151DOC_END
4152
4153NAME: wccp_address
cccac0a2 4154TYPE: address
0b0cfcf2 4155LOC: Config.Wccp.address
cccac0a2 4156DEFAULT: 0.0.0.0
4157IFDEF: USE_WCCP
4158DOC_NONE
0b0cfcf2 4159NAME: wccp2_address
cccac0a2 4160TYPE: address
0b0cfcf2 4161LOC: Config.Wccp2.address
4162DEFAULT: 0.0.0.0
4163IFDEF: USE_WCCPv2
cccac0a2 4164DOC_START
0b0cfcf2 4165 Use this option if you require WCCP to use a specific
4166 interface address.
cccac0a2 4167
6845f129 4168 The default behavior is to not bind to any specific address.
cccac0a2 4169DOC_END
0976f8db 4170
0976f8db 4171
cccac0a2 4172COMMENT_START
4173 DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
4174 -----------------------------------------------------------------------------
4175COMMENT_END
4176
4177NAME: delay_pools
4178TYPE: delay_pool_count
4179DEFAULT: 0
4180IFDEF: DELAY_POOLS
4181LOC: Config.Delay
4182DOC_START
4183 This represents the number of delay pools to be used. For example,
4184 if you have one class 2 delay pool and one class 3 delays pool, you
4185 have a total of 2 delay pools.
4186DOC_END
4187
4188NAME: delay_class
4189TYPE: delay_pool_class
4190DEFAULT: none
4191IFDEF: DELAY_POOLS
4192LOC: Config.Delay
4193DOC_START
4194 This defines the class of each delay pool. There must be exactly one
4195 delay_class line for each delay pool. For example, to define two
4196 delay pools, one of class 2 and one of class 3, the settings above
4197 and here would be:
4198
4199Example:
4200 delay_pools 4 # 4 delay pools
4201 delay_class 1 2 # pool 1 is a class 2 pool
4202 delay_class 2 3 # pool 2 is a class 3 pool
4203 delay_class 3 4 # pool 3 is a class 4 pool
4204 delay_class 4 5 # pool 4 is a class 5 pool
4205
4206 The delay pool classes are:
4207
4208 class 1 Everything is limited by a single aggregate
4209 bucket.
4210
4211 class 2 Everything is limited by a single aggregate
4212 bucket as well as an "individual" bucket chosen
4213 from bits 25 through 32 of the IP address.
4214
4215 class 3 Everything is limited by a single aggregate
4216 bucket as well as a "network" bucket chosen
4217 from bits 17 through 24 of the IP address and a
4218 "individual" bucket chosen from bits 17 through
4219 32 of the IP address.
7f7db318 4220
4221 class 4 Everything in a class 3 delay pool, with an
cccac0a2 4222 additional limit on a per user basis. This
4223 only takes effect if the username is established
4224 in advance - by forcing authentication in your
4225 http_access rules.
4226
7f7db318 4227 class 5 Requests are grouped according their tag (see
cccac0a2 4228 external_acl's tag= reply).
4229
4230 NOTE: If an IP address is a.b.c.d
4231 -> bits 25 through 32 are "d"
4232 -> bits 17 through 24 are "c"
4233 -> bits 17 through 32 are "c * 256 + d"
4234DOC_END
4235
4236NAME: delay_access
4237TYPE: delay_pool_access
4238DEFAULT: none
4239IFDEF: DELAY_POOLS
4240LOC: Config.Delay
4241DOC_START
4242 This is used to determine which delay pool a request falls into.
8ed8fda3 4243
4244 delay_access is sorted per pool and the matching starts with pool 1,
4245 then pool 2, ..., and finally pool N. The first delay pool where the
4246 request is allowed is selected for the request. If it does not allow
4247 the request to any pool then the request is not delayed (default).
4248
4249 For example, if you want some_big_clients in delay
cccac0a2 4250 pool 1 and lotsa_little_clients in delay pool 2:
4251
4252Example:
4253 delay_access 1 allow some_big_clients
4254 delay_access 1 deny all
4255 delay_access 2 allow lotsa_little_clients
4256 delay_access 2 deny all
4257 delay_access 3 allow authenticated_clients
4258DOC_END
4259
4260NAME: delay_parameters
4261TYPE: delay_pool_rates
4262DEFAULT: none
4263IFDEF: DELAY_POOLS
4264LOC: Config.Delay
4265DOC_START
4266 This defines the parameters for a delay pool. Each delay pool has
4267 a number of "buckets" associated with it, as explained in the
4268 description of delay_class. For a class 1 delay pool, the syntax is:
4269
4270delay_parameters pool aggregate
4271
4272 For a class 2 delay pool:
4273
4274delay_parameters pool aggregate individual
4275
4276 For a class 3 delay pool:
4277
4278delay_parameters pool aggregate network individual
4279
4280 For a class 4 delay pool:
4281
4282delay_parameters pool aggregate network individual user
4283
4284 For a class 5 delay pool:
4285
4286delay_parameters pool tag
4287
4288 The variables here are:
4289
4290 pool a pool number - ie, a number between 1 and the
4291 number specified in delay_pools as used in
4292 delay_class lines.
4293
4294 aggregate the "delay parameters" for the aggregate bucket
4295 (class 1, 2, 3).
4296
4297 individual the "delay parameters" for the individual
4298 buckets (class 2, 3).
4299
4300 network the "delay parameters" for the network buckets
4301 (class 3).
4302
4303 user the delay parameters for the user buckets
4304 (class 4).
4305
4306 tag the delay parameters for the tag buckets
4307 (class 5).
4308
4309 A pair of delay parameters is written restore/maximum, where restore is
4310 the number of bytes (not bits - modem and network speeds are usually
4311 quoted in bits) per second placed into the bucket, and maximum is the
4312 maximum number of bytes which can be in the bucket at any time.
4313
4314 For example, if delay pool number 1 is a class 2 delay pool as in the
4315 above example, and is being used to strictly limit each host to 64kbps
4316 (plus overheads), with no overall limit, the line is:
4317
4318delay_parameters 1 -1/-1 8000/8000
4319
4320 Note that the figure -1 is used to represent "unlimited".
4321
4322 And, if delay pool number 2 is a class 3 delay pool as in the above
4323 example, and you want to limit it to a total of 256kbps (strict limit)
4324 with each 8-bit network permitted 64kbps (strict limit) and each
4325 individual host permitted 4800bps with a bucket maximum size of 64kb
4326 to permit a decent web page to be downloaded at a decent speed
4327 (if the network is not being limited due to overuse) but slow down
4328 large downloads more significantly:
4329
4330delay_parameters 2 32000/32000 8000/8000 600/8000
4331
4332 There must be one delay_parameters line for each delay pool.
4333
4334 Finally, for a class 4 delay pool as in the example - each user will
4335 be limited to 128Kb no matter how many workstations they are logged into.:
7f7db318 4336
cccac0a2 4337delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
4338DOC_END
4339
4340NAME: delay_initial_bucket_level
4341COMMENT: (percent, 0-100)
4342TYPE: ushort
4343DEFAULT: 50
4344IFDEF: DELAY_POOLS
4345LOC: Config.Delay.initial
4346DOC_START
4347 The initial bucket percentage is used to determine how much is put
4348 in each bucket when squid starts, is reconfigured, or first notices
4349 a host accessing it (in class 2 and class 3, individual hosts and
4350 networks only have buckets associated with them once they have been
4351 "seen" by squid).
4352DOC_END
4353
4354NAME: incoming_icp_average
4355TYPE: int
4356DEFAULT: 6
4357LOC: Config.comm_incoming.icp_average
4358DOC_NONE
4359
4360NAME: incoming_http_average
4361TYPE: int
4362DEFAULT: 4
4363LOC: Config.comm_incoming.http_average
4364DOC_NONE
4365
4366NAME: incoming_dns_average
4367TYPE: int
4368DEFAULT: 4
4369LOC: Config.comm_incoming.dns_average
4370DOC_NONE
4371
4372NAME: min_icp_poll_cnt
4373TYPE: int
4374DEFAULT: 8
4375LOC: Config.comm_incoming.icp_min_poll
4376DOC_NONE
4377
4378NAME: min_dns_poll_cnt
4379TYPE: int
4380DEFAULT: 8
4381LOC: Config.comm_incoming.dns_min_poll
4382DOC_NONE
4383
4384NAME: min_http_poll_cnt
4385TYPE: int
4386DEFAULT: 8
4387LOC: Config.comm_incoming.http_min_poll
4388DOC_START
4389 Heavy voodoo here. I can't even believe you are reading this.
4390 Are you crazy? Don't even think about adjusting these unless
4391 you understand the algorithms in comm_select.c first!
4392DOC_END
4393
4394NAME: max_open_disk_fds
4395TYPE: int
4396LOC: Config.max_open_disk_fds
4397DEFAULT: 0
4398DOC_START
4399 To avoid having disk as the I/O bottleneck Squid can optionally
4400 bypass the on-disk cache if more than this amount of disk file
4401 descriptors are open.
4402
4403 A value of 0 indicates no limit.
4404DOC_END
4405
4406NAME: offline_mode
4407TYPE: onoff
4408LOC: Config.onoff.offline
4409DEFAULT: off
4410DOC_START
4411 Enable this option and Squid will never try to validate cached
4412 objects.
4413DOC_END
4414
4415NAME: uri_whitespace
4416TYPE: uri_whitespace
4417LOC: Config.uri_whitespace
4418DEFAULT: strip
4419DOC_START
4420 What to do with requests that have whitespace characters in the
4421 URI. Options:
4422
4423 strip: The whitespace characters are stripped out of the URL.
4424 This is the behavior recommended by RFC2396.
4425 deny: The request is denied. The user receives an "Invalid
4426 Request" message.
4427 allow: The request is allowed and the URI is not changed. The
4428 whitespace characters remain in the URI. Note the
4429 whitespace is passed to redirector processes if they
4430 are in use.
4431 encode: The request is allowed and the whitespace characters are
4432 encoded according to RFC1738. This could be considered
4433 a violation of the HTTP/1.1
4434 RFC because proxies are not allowed to rewrite URI's.
4435 chop: The request is allowed and the URI is chopped at the
4436 first whitespace. This might also be considered a
4437 violation.
4438DOC_END
4439
4440NAME: broken_posts
4441TYPE: acl_access
4442DEFAULT: none
4443LOC: Config.accessList.brokenPosts
4444DOC_START
4445 A list of ACL elements which, if matched, causes Squid to send
4446 an extra CRLF pair after the body of a PUT/POST request.
4447
4448 Some HTTP servers has broken implementations of PUT/POST,
4449 and rely on an extra CRLF pair sent by some WWW clients.
4450
4451 Quote from RFC 2068 section 4.1 on this matter:
4452
4453 Note: certain buggy HTTP/1.0 client implementations generate an
4454 extra CRLF's after a POST request. To restate what is explicitly
4455 forbidden by the BNF, an HTTP/1.1 client must not preface or follow
4456 a request with an extra CRLF.
4457
4458Example:
4459 acl buggy_server url_regex ^http://....
4460 broken_posts allow buggy_server
4461DOC_END
4462
4463NAME: mcast_miss_addr
4464IFDEF: MULTICAST_MISS_STREAM
4465TYPE: address
4466LOC: Config.mcast_miss.addr
4467DEFAULT: 255.255.255.255
4468DOC_START
4469 If you enable this option, every "cache miss" URL will
4470 be sent out on the specified multicast address.
4471
4472 Do not enable this option unless you are are absolutely
4473 certain you understand what you are doing.
4474DOC_END
4475
4476NAME: mcast_miss_ttl
964b44c3 4477IFDEF: MULTICAST_MISS_STREAM
cccac0a2 4478TYPE: ushort
4479LOC: Config.mcast_miss.ttl
4480DEFAULT: 16
4481DOC_START
4482 This is the time-to-live value for packets multicasted
4483 when multicasting off cache miss URLs is enabled. By
4484 default this is set to 'site scope', i.e. 16.
4485DOC_END
4486
4487NAME: mcast_miss_port
4488IFDEF: MULTICAST_MISS_STREAM
4489TYPE: ushort
4490LOC: Config.mcast_miss.port
4491DEFAULT: 3135
4492DOC_START
4493 This is the port number to be used in conjunction with
4494 'mcast_miss_addr'.
4495DOC_END
4496
4497NAME: mcast_miss_encode_key
4498IFDEF: MULTICAST_MISS_STREAM
4499TYPE: string
4500LOC: Config.mcast_miss.encode_key
4501DEFAULT: XXXXXXXXXXXXXXXX
4502DOC_START
4503 The URLs that are sent in the multicast miss stream are
4504 encrypted. This is the encryption key.
4505DOC_END
4506
4507NAME: nonhierarchical_direct
4508TYPE: onoff
4509LOC: Config.onoff.nonhierarchical_direct
4510DEFAULT: on
4511DOC_START
4512 By default, Squid will send any non-hierarchical requests
4513 (matching hierarchy_stoplist or not cachable request type) direct
4514 to origin servers.
4515
7f7db318 4516 If you set this to off, Squid will prefer to send these
cccac0a2 4517 requests to parents.
4518
4519 Note that in most configurations, by turning this off you will only
4520 add latency to these request without any improvement in global hit
4521 ratio.
4522
7f7db318 4523 If you are inside an firewall see never_direct instead of
cccac0a2 4524 this directive.
4525DOC_END
4526
4527NAME: prefer_direct
4528TYPE: onoff
4529LOC: Config.onoff.prefer_direct
4530DEFAULT: off
4531DOC_START
7f7db318 4532 Normally Squid tries to use parents for most requests. If you for some
cccac0a2 4533 reason like it to first try going direct and only use a parent if
7f7db318 4534 going direct fails set this to on.
cccac0a2 4535
4536 By combining nonhierarchical_direct off and prefer_direct on you
4537 can set up Squid to use a parent as a backup path if going direct
4538 fails.
4539DOC_END
4540
4541NAME: strip_query_terms
4542TYPE: onoff
4543LOC: Config.onoff.strip_query_terms
4544DEFAULT: on
4545DOC_START
4546 By default, Squid strips query terms from requested URLs before
4547 logging. This protects your user's privacy.
4548DOC_END
4549
4550NAME: coredump_dir
4551TYPE: string
4552LOC: Config.coredump_dir
4553DEFAULT: none
4554DEFAULT_IF_NONE: none
4555DOC_START
4556 By default Squid leaves core files in the directory from where
4557 it was started. If you set 'coredump_dir' to a directory
4558 that exists, Squid will chdir() to that directory at startup
4559 and coredump files will be left there.
4560
4561NOCOMMENT_START
5ff76111 4562# Leave coredumps in the first cache dir
cccac0a2 4563coredump_dir @DEFAULT_SWAP_DIR@
4564NOCOMMENT_END
4565DOC_END
4566
4567NAME: redirector_bypass
4568TYPE: onoff
4569LOC: Config.onoff.redirector_bypass
4570DEFAULT: off
4571DOC_START
4572 When this is 'on', a request will not go through the
4573 redirector if all redirectors are busy. If this is 'off'
4574 and the redirector queue grows too large, Squid will exit
4575 with a FATAL error and ask you to increase the number of
4576 redirectors. You should only enable this if the redirectors
4577 are not critical to your caching system. If you use
4578 redirectors for access control, and you enable this option,
7f7db318 4579 users may have access to pages they should not
cccac0a2 4580 be allowed to request.
4581DOC_END
4582
4583NAME: ignore_unknown_nameservers
4584TYPE: onoff
4585LOC: Config.onoff.ignore_unknown_nameservers
4586DEFAULT: on
4587DOC_START
4588 By default Squid checks that DNS responses are received
7f7db318 4589 from the same IP addresses they are sent to. If they
cccac0a2 4590 don't match, Squid ignores the response and writes a warning
4591 message to cache.log. You can allow responses from unknown
4592 nameservers by setting this option to 'off'.
4593DOC_END
4594
4595NAME: digest_generation
4596IFDEF: USE_CACHE_DIGESTS
4597TYPE: onoff
4598LOC: Config.onoff.digest_generation
4599DEFAULT: on
4600DOC_START
4601 This controls whether the server will generate a Cache Digest
4602 of its contents. By default, Cache Digest generation is
4603 enabled if Squid is compiled with USE_CACHE_DIGESTS defined.
4604DOC_END
4605
4606NAME: digest_bits_per_entry
4607IFDEF: USE_CACHE_DIGESTS
4608TYPE: int
4609LOC: Config.digest.bits_per_entry
4610DEFAULT: 5
4611DOC_START
4612 This is the number of bits of the server's Cache Digest which
4613 will be associated with the Digest entry for a given HTTP
4614 Method and URL (public key) combination. The default is 5.
4615DOC_END
4616
4617NAME: digest_rebuild_period
4618IFDEF: USE_CACHE_DIGESTS
4619COMMENT: (seconds)
4620TYPE: time_t
4621LOC: Config.digest.rebuild_period
4622DEFAULT: 1 hour
4623DOC_START
4624 This is the number of seconds between Cache Digest rebuilds.
4625DOC_END
4626
4627NAME: digest_rewrite_period
4628COMMENT: (seconds)
4629IFDEF: USE_CACHE_DIGESTS
4630TYPE: time_t
4631LOC: Config.digest.rewrite_period
4632DEFAULT: 1 hour
4633DOC_START
4634 This is the number of seconds between Cache Digest writes to
4635 disk.
4636DOC_END
4637
4638NAME: digest_swapout_chunk_size
4639COMMENT: (bytes)
4640TYPE: b_size_t
4641IFDEF: USE_CACHE_DIGESTS
4642LOC: Config.digest.swapout_chunk_size
4643DEFAULT: 4096 bytes
4644DOC_START
4645 This is the number of bytes of the Cache Digest to write to
4646 disk at a time. It defaults to 4096 bytes (4KB), the Squid
4647 default swap page.
4648DOC_END
4649
4650NAME: digest_rebuild_chunk_percentage
4651COMMENT: (percent, 0-100)
4652IFDEF: USE_CACHE_DIGESTS
4653TYPE: int
4654LOC: Config.digest.rebuild_chunk_percentage
4655DEFAULT: 10
4656DOC_START
4657 This is the percentage of the Cache Digest to be scanned at a
4658 time. By default it is set to 10% of the Cache Digest.
4659DOC_END
4660
4661NAME: chroot
4662TYPE: string
4663LOC: Config.chroot_dir
4664DEFAULT: none
4665DOC_START
4666 Use this to have Squid do a chroot() while initializing. This
4667 also causes Squid to fully drop root privileges after
7f7db318 4668 initializing. This means, for example, if you use a HTTP
cccac0a2 4669 port less than 1024 and try to reconfigure, you will get an
4670 error.
4671DOC_END
4672
4673NAME: client_persistent_connections
4674TYPE: onoff
4675LOC: Config.onoff.client_pconns
4676DEFAULT: on
4677DOC_NONE
4678
4679NAME: server_persistent_connections
4680TYPE: onoff
4681LOC: Config.onoff.server_pconns
4682DEFAULT: on
4683DOC_START
4684 Persistent connection support for clients and servers. By
4685 default, Squid uses persistent connections (when allowed)
4686 with its clients and servers. You can use these options to
4687 disable persistent connections with clients and/or servers.
4688DOC_END
4689
58850d15 4690NAME: persistent_connection_after_error
a12a049a 4691TYPE: onoff
58850d15 4692LOC: Config.onoff.error_pconns
4693DEFAULT: off
a12a049a 4694DOC_START
58850d15 4695 With this directive the use of persistent connections after
4696 HTTP errors can be disabled. Useful if you have clients
4697 who fail to handle errors on persistent connections proper.
a12a049a 4698DOC_END
4699
21b92762 4700NAME: detect_broken_pconn
4701TYPE: onoff
4702LOC: Config.onoff.detect_broken_server_pconns
4703DEFAULT: off
4704DOC_START
4705 Some servers have been found to incorrectly signal the use
4706 of HTTP/1.0 persistent connections even on replies not
4707 compatible, causing significant delays. This server problem
4708 has mostly been seen on redirects.
4709
4710 By enabling this directive Squid attempts to detect such
4711 broken replies and automatically assume the reply is finished
4712 after 10 seconds timeout.
4713DOC_END
4714
58850d15 4715NAME: balance_on_multiple_ip
4716TYPE: onoff
4717LOC: Config.onoff.balance_on_multiple_ip
4718DEFAULT: on
4719DOC_START
4720 Some load balancing servers based on round robin DNS have been
4721 found not to preserve user session state across requests
4722 to different IP addresses.
4723
4724 By default Squid rotates IP's per request. By disabling
4725 this directive only connection failure triggers rotation.
4726DOC_END
4727
cccac0a2 4728NAME: pipeline_prefetch
4729TYPE: onoff
4730LOC: Config.onoff.pipeline_prefetch
4731DEFAULT: off
4732DOC_START
4733 To boost the performance of pipelined requests to closer
4734 match that of a non-proxied environment Squid can try to fetch
5ac1a5b3 4735 up to two requests in parallel from a pipeline.
cccac0a2 4736
4737 Defaults to off for bandwidth management and access logging
4738 reasons.
4739DOC_END
4740
4741NAME: extension_methods
4742TYPE: wordlist
4743LOC: Config.ext_methods
4744DEFAULT: none
4745DOC_START
4746 Squid only knows about standardized HTTP request methods.
4747 You can add up to 20 additional "extension" methods here.
4748DOC_END
4749
4750NAME: request_entities
4751TYPE: onoff
4752LOC: Config.onoff.request_entities
4753DEFAULT: off
4754DOC_START
4755 Squid defaults to deny GET and HEAD requests with request entities,
4756 as the meaning of such requests are undefined in the HTTP standard
4757 even if not explicitly forbidden.
4758
4759 Set this directive to on if you have clients which insists
4760 on sending request entities in GET or HEAD requests.
4761DOC_END
4762
4763NAME: high_response_time_warning
4764TYPE: int
4765COMMENT: (msec)
4766LOC: Config.warnings.high_rptm
4767DEFAULT: 0
4768DOC_START
4769 If the one-minute median response time exceeds this value,
4770 Squid prints a WARNING with debug level 0 to get the
4771 administrators attention. The value is in milliseconds.
4772DOC_END
4773
4774NAME: high_page_fault_warning
4775TYPE: int
4776LOC: Config.warnings.high_pf
4777DEFAULT: 0
4778DOC_START
4779 If the one-minute average page fault rate exceeds this
4780 value, Squid prints a WARNING with debug level 0 to get
4781 the administrators attention. The value is in page faults
4782 per second.
4783DOC_END
4784
4785NAME: high_memory_warning
4786TYPE: b_size_t
4787LOC: Config.warnings.high_memory
4788DEFAULT: 0
4789DOC_START
4790 If the memory usage (as determined by mallinfo) exceeds
4791 value, Squid prints a WARNING with debug level 0 to get
4792 the administrators attention.
4793DOC_END
4794
4795NAME: store_dir_select_algorithm
4796TYPE: string
4797LOC: Config.store_dir_select_algorithm
4798DEFAULT: least-load
4799DOC_START
4800 Set this to 'round-robin' as an alternative.
4801DOC_END
4802
4803NAME: forward_log
4804IFDEF: WIP_FWD_LOG
4805TYPE: string
4806DEFAULT: none
4807LOC: Config.Log.forward
4808DOC_START
4809 Logs the server-side requests.
4810
4811 This is currently work in progress.
4812DOC_END
4813
4814NAME: ie_refresh
4815COMMENT: on|off
4816TYPE: onoff
4817LOC: Config.onoff.ie_refresh
4818DEFAULT: off
4819DOC_START
4820 Microsoft Internet Explorer up until version 5.5 Service
4821 Pack 1 has an issue with transparent proxies, wherein it
4822 is impossible to force a refresh. Turning this on provides
4823 a partial fix to the problem, by causing all IMS-REFRESH
4824 requests from older IE versions to check the origin server
4825 for fresh content. This reduces hit ratio by some amount
4826 (~10% in my experience), but allows users to actually get
7f7db318 4827 fresh content when they want it. Note because Squid
cccac0a2 4828 cannot tell if the user is using 5.5 or 5.5SP1, the behavior
4829 of 5.5 is unchanged from old versions of Squid (i.e. a
4830 forced refresh is impossible). Newer versions of IE will,
4831 hopefully, continue to have the new behavior and will be
4832 handled based on that assumption. This option defaults to
4833 the old Squid behavior, which is better for hit ratios but
4834 worse for clients using IE, if they need to be able to
4835 force fresh content.
4836DOC_END
4837
4838NAME: vary_ignore_expire
4839COMMENT: on|off
4840TYPE: onoff
4841LOC: Config.onoff.vary_ignore_expire
4842DEFAULT: off
4843DOC_START
4844 Many HTTP servers supporting Vary gives such objects
4845 immediate expiry time with no cache-control header
4846 when requested by a HTTP/1.0 client. This option
4847 enables Squid to ignore such expiry times until
4848 HTTP/1.1 is fully implemented.
4849 WARNING: This may eventually cause some varying
4850 objects not intended for caching to get cached.
4851DOC_END
4852
4853NAME: sleep_after_fork
4854COMMENT: (microseconds)
4855TYPE: int
4856LOC: Config.sleep_after_fork
4857DEFAULT: 0
4858DOC_START
4859 When this is set to a non-zero value, the main Squid process
4860 sleeps the specified number of microseconds after a fork()
4861 system call. This sleep may help the situation where your
4862 system reports fork() failures due to lack of (virtual)
7f7db318 4863 memory. Note, however, if you have a lot of child
4864 processes, these sleep delays will add up and your
cccac0a2 4865 Squid will not service requests for some amount of time
4866 until all the child processes have been started.
4867DOC_END
4868
6a2f3fcf 4869NAME: minimum_expiry_time
4870COMMENT: (seconds)
4871TYPE: time_t
4872LOC: Config.minimum_expiry_time
4873DEFAULT: 60 seconds
4874DOC_START
6845f129 4875 The minimum caching time according to (Expires - Date)
4876 Headers Squid honors if the object can't be revalidated
4877 defaults to 60 seconds. In reverse proxy enorinments it
4878 might be desirable to honor shorter object lifetimes. It
4879 is most likely better to make your server return a
4880 meaningful Last-Modified header however. In ESI environments
4c43e44e 4881 where page fragments often have short lifetimes, this will
4882 often be best set to 0.
6a2f3fcf 4883DOC_END
4884
df6fd596 4885NAME: relaxed_header_parser
4886COMMENT: on|off|warn
4887TYPE: tristate
4888LOC: Config.onoff.relaxed_header_parser
4889DEFAULT: on
4890DOC_START
4891 In the default "on" setting Squid accepts certain forms
4892 of non-compliant HTTP messages where it is unambiguous
4893 what the sending application intended even if the message
4894 is not correctly formatted. The messages is then normalized
4895 to the correct form when forwarded by Squid.
4896
4897 If set to "warn" then a warning will be emitted in cache.log
4898 each time such HTTP error is encountered.
4899
4900 If set to "off" then such HTTP errors will cause the request
4901 or response to be rejected.
4902DOC_END
4903
a58ff010 4904COMMENT_START
4905 ICAP OPTIONS
4906 -----------------------------------------------------------------------------
4907COMMENT_END
4908
4909NAME: icap_enable
4910TYPE: onoff
4911IFDEF: ICAP_CLIENT
4912COMMENT: on|off
4913LOC: TheICAPConfig.onoff
4914DEFAULT: off
4915DOC_START
4916 If you want to enable the ICAP module support, set this to on.
4917DOC_END
4918
4919NAME: icap_preview_enable
4920TYPE: onoff
4921IFDEF: ICAP_CLIENT
4922COMMENT: on|off
4923LOC: TheICAPConfig.preview_enable
4924DEFAULT: off
4925DOC_START
4926 Set this to 'on' if you want to enable the ICAP preview
4927 feature in Squid.
4928DOC_END
4929
4930NAME: icap_preview_size
4931TYPE: int
4932IFDEF: ICAP_CLIENT
4933LOC: TheICAPConfig.preview_size
4934DEFAULT: -1
4935DOC_START
4936 The default size of preview data to be sent to the ICAP server.
4937 -1 means no preview. This value might be overwritten on a per server
4938 basis by OPTIONS requests.
4939DOC_END
4940
78e8cfc4 4941NAME: icap_default_options_ttl
4942TYPE: int
4943IFDEF: ICAP_CLIENT
4944LOC: TheICAPConfig.default_options_ttl
4945DEFAULT: 60
4946DOC_START
4947 The default TTL value for ICAP OPTIONS responses that don't have
4948 an Options-TTL header.
4949DOC_END
4950
12b91c99 4951NAME: icap_persistent_connections
4952TYPE: onoff
4953IFDEF: ICAP_CLIENT
4954COMMENT: on|off
4955LOC: TheICAPConfig.reuse_connections
4956DEFAULT: on
4957DOC_START
4958 Whether or not Squid should use persistent connections to
4959 an ICAP server.
4960DOC_END
4961
a58ff010 4962NAME: icap_send_client_ip
4963TYPE: onoff
4964IFDEF: ICAP_CLIENT
4965COMMENT: on|off
4966LOC: TheICAPConfig.send_client_ip
4967DEFAULT: off
4968DOC_START
4969 This adds the header "X-Client-IP" to ICAP requests.
4970DOC_END
4971
12b91c99 4972NAME: icap_send_client_username
a58ff010 4973TYPE: onoff
4974IFDEF: ICAP_CLIENT
4975COMMENT: on|off
12b91c99 4976LOC: TheICAPConfig.send_client_username
a58ff010 4977DEFAULT: off
4978DOC_START
12b91c99 4979 This adds the header "X-Client-Username" to ICAP requests
a58ff010 4980 if proxy access is authentified.
4981DOC_END
4982
a58ff010 4983NAME: icap_service
4984TYPE: icap_service_type
4985IFDEF: ICAP_CLIENT
4986LOC: TheICAPConfig
4987DEFAULT: none
4988DOC_START
4989 Defines a single ICAP service
4990
4991 icap_service servicename vectoring_point bypass service_url
4992
4993 vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
4994 This specifies at which point of request processing the ICAP
4995 service should be plugged in.
4996 bypass = 1|0
4997 If set to 1 and the ICAP server cannot be reached, the request will go
4998 through without being processed by an ICAP server
4999 service_url = icap://servername:port/service
5000
5001 Note: reqmod_precache and respmod_postcache is not yet implemented
5002
5003Example:
5004icap_service service_1 reqmod_precache 0 icap://icap1.mydomain.net:1344/reqmod
5005icap_service service_2 respmod_precache 0 icap://icap2.mydomain.net:1344/respmod
5006DOC_END
5007
5008NAME: icap_class
5009TYPE: icap_class_type
5010IFDEF: ICAP_CLIENT
5011LOC: TheICAPConfig
5012DEFAULT: none
5013DOC_START
5014 Defines an ICAP service chain. If there are multiple services per
5015 vectoring point, they are processed in the specified order.
5016
5017 icap_class classname servicename...
5018
5019Example:
5020icap_class class_1 service_1 service_2
5021icap class class_2 service_1 service_3
5022DOC_END
5023
5024NAME: icap_access
5025TYPE: icap_access_type
5026IFDEF: ICAP_CLIENT
5027LOC: TheICAPConfig
5028DEFAULT: none
5029DOC_START
5030 Redirects a request through an ICAP service class, depending
5031 on given acls
5032
5033 icap_access classname allow|deny [!]aclname...
5034
5035 The icap_access statements are processed in the order they appear in
5036 this configuration file. If an access list matches, the processing stops.
5037 For an "allow" rule, the specified class is used for the request. A "deny"
5038 rule simply stops processing without using the class. You can also use the
5039 special classname "None".
5040
5041 For backward compatibility, it is also possible to use services
5042 directly here.
5043Example:
5044icap_access class_1 allow all
5045DOC_END
5046
cccac0a2 5047EOF