3 # $Id: cf.data.pre,v 1.205 2001/01/07 23:36:37 hno Exp $
6 # SQUID Internet Object Cache http://squid.nlanr.net/Squid/
7 # ----------------------------------------------------------
9 # Squid is the result of efforts by numerous individuals from the
10 # Internet community. Development is led by Duane Wessels of the
11 # National Laboratory for Applied Network Research and funded by the
12 # National Science Foundation. Squid is Copyrighted (C) 1998 by
13 # the Regents of the University of California. Please see the
14 # COPYRIGHT file for full details. Squid incorporates software
15 # developed and/or copyrighted by other sources. Please see the
16 # CREDITS file for full details.
18 # This program is free software; you can redistribute it and/or modify
19 # it under the terms of the GNU General Public License as published by
20 # the Free Software Foundation; either version 2 of the License, or
21 # (at your option) any later version.
23 # This program is distributed in the hope that it will be useful,
24 # but WITHOUT ANY WARRANTY; without even the implied warranty of
25 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 # GNU General Public License for more details.
28 # You should have received a copy of the GNU General Public License
29 # along with this program; if not, write to the Free Software
30 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
37 This is the default Squid configuration file. You may wish
38 to look at the Squid home page (http://squid.nlanr.net/)
39 for the FAQ and other documentation.
41 The default Squid config file shows what the defaults for
42 various options happen to be. If you don't need to change the
43 default, you shouldn't uncomment the line. Doing so may cause
44 run-time problems. In some cases "none" refers to no default
45 setting at all, while in other cases it refers to a valid
46 option - the comments for that keyword indicate if this is the
53 -----------------------------------------------------------------------------
56 NAME: http_port ascii_port
57 TYPE: sockaddr_in_list
60 LOC: Config.Sockaddr.http
66 The socket addresses where Squid will listen for HTTP client
67 requests. You may specify multiple socket addresses.
68 There are three forms: port alone, hostname with port, and
69 IP address with port. If you specify a hostname or IP
70 address, then Squid binds the socket to that specific
71 address. This replaces the old 'tcp_incoming_address'
72 option. Most likely, you do not need to bind to a specific
73 address, so you can use the port number alone.
75 The default port number is 3128.
77 If you are running Squid in accelerator mode, then you
78 probably want to listen on port 80 also, or instead.
80 The -a command line option will override the *first* port
81 number listed here. That option will NOT override an IP
84 You may specify multiple socket addresses on multiple lines.
88 NAME: icp_port udp_port
93 The port number where Squid sends and receives ICP queries to
94 and from neighbor caches. Default is 3130. To disable use
95 "0". May be overridden with -u on the command line.
102 LOC: Config.Port.htcp
104 The port number where Squid sends and receives HTCP queries to
105 and from neighbor caches. Default is 4827. To disable use
108 To enable this option, you must use --enable-htcp with the
115 LOC: Config.mcast_group_list
118 This tag specifies a list of multicast groups which your server
119 should join to receive multicasted ICP queries.
121 NOTE! Be very careful what you put here! Be sure you
122 understand the difference between an ICP _query_ and an ICP
123 _reply_. This option is to be set only if you want to RECEIVE
124 multicast queries. Do NOT set this option to SEND multicast
125 ICP (use cache_peer for that). ICP replies are always sent via
126 unicast, so this option does not affect whether or not you will
127 receive replies from multicast group members.
129 You must be very careful to NOT use a multicast address which
130 is already in use by another group of caches.
132 If you are unsure about multicast, please read the Multicast
133 chapter in the Squid FAQ (http://squid.nlanr.net/Squid/FAQ/).
135 Usage: mcast_groups 239.128.16.128 224.0.1.20
137 By default, Squid doesn't listen on any multicast groups.
141 NAME: tcp_outgoing_address outbound_address
143 LOC: Config.Addrs.tcp_outgoing
144 DEFAULT: 255.255.255.255
147 NAME: udp_incoming_address
149 LOC:Config.Addrs.udp_incoming
153 NAME: udp_outgoing_address
155 LOC: Config.Addrs.udp_outgoing
156 DEFAULT: 255.255.255.255
158 Usage: tcp_incoming_address 10.20.30.40
159 udp_outgoing_address fully.qualified.domain.name
161 tcp_outgoing_address is used for connections made to remote
162 servers and other caches.
163 udp_incoming_address is used for the ICP socket receiving packets
165 udp_outgoing_address is used for ICP packets sent out to other
168 The default behavior is to not bind to any specific address.
170 A *_incoming_address value of 0.0.0.0 indicates that Squid should
171 listen on all available interfaces.
173 If udp_outgoing_address is set to 255.255.255.255 (the default)
174 then it will use the same socket as udp_incoming_address. Only
175 change this if you want to have ICP queries sent using another
176 address than where this Squid listens for ICP queries from other
179 NOTE, udp_incoming_address and udp_outgoing_address can not
180 have the same value since they both use port 3130.
182 NOTE, tcp_incoming_address has been removed. You can now
183 specify IP addresses on the 'http_port' line.
187 OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
188 -----------------------------------------------------------------------------
196 To specify other caches in a hierarchy, use the format:
198 cache_peer hostname type http_port icp_port
203 # hostname type port port options
204 # -------------------- -------- ----- ----- -----------
205 cache_peer parent.foo.net parent 3128 3130 [proxy-only]
206 cache_peer sib1.foo.net sibling 3128 3130 [proxy-only]
207 cache_peer sib2.foo.net sibling 3128 3130 [proxy-only]
209 type: either 'parent', 'sibling', or 'multicast'.
211 proxy_port: The port number where the cache listens for proxy
214 icp_port: Used for querying neighbor caches about
215 objects. To have a non-ICP neighbor
216 specify '7' for the ICP port and make sure the
217 neighbor machine has the UDP echo port
218 enabled in its /etc/inetd.conf file.
231 login=user:password|PASS
236 use 'proxy-only' to specify that objects fetched
237 from this cache should not be saved locally.
239 use 'weight=n' to specify a weighted parent.
240 The weight must be an integer. The default weight
241 is 1, larger weights are favored more.
243 use 'ttl=n' to specify a IP multicast TTL to use
244 when sending an ICP queries to this address.
245 Only useful when sending to a multicast group.
246 Because we don't accept ICP replies from random
247 hosts, you must configure other group members as
248 peers with the 'multicast-responder' option below.
250 use 'no-query' to NOT send ICP queries to this
253 use 'default' if this is a parent cache which can
254 be used as a "last-resort." You should probably
255 only use 'default' in situations where you cannot
256 use ICP with your parent cache(s).
258 use 'round-robin' to define a set of parents which
259 should be used in a round-robin fashion in the
260 absence of any ICP queries.
262 'multicast-responder' indicates that the named peer
263 is a member of a multicast group. ICP queries will
264 not be sent directly to the peer, but ICP replies
265 will be accepted from it.
267 'closest-only' indicates that, for ICP_OP_MISS
268 replies, we'll only forward CLOSEST_PARENT_MISSes
269 and never FIRST_PARENT_MISSes.
271 use 'no-digest' to NOT request cache digests from
274 'no-netdb-exchange' disables requesting ICMP
275 RTT database (NetDB) from the neighbor.
277 use 'no-delay' to prevent access to this neighbor
278 from influencing the delay pools.
280 use 'login=user:password' if this is a personal/workgroup
281 proxy and your parent requires proxy authentication.
283 use 'login=PASS' if users must authenticate against
284 the upstream proxy. Note: To combine this with
285 proxy_auth both proxies must share the same user
286 database as HTTP only allows for one proxy login.
287 Also be warned that this will expose your users proxy
288 password to the parent. USE WITH CAUTION
290 use 'connect-timeout=nn' to specify a peer
291 specific connect timeout (also see the
292 peer_connect_timeout directive)
294 use 'digest-url=url' to tell Squid to fetch the cache
295 digest (if digests are enabled) for this host from
296 the specified URL rather than the Squid default
299 use 'allow-miss' to disable Squid's use of only-if-cached
300 when forwarding requests to siblings. This is primarily
301 useful when icp_hit_stale is used by the sibling. To
302 extensive use of this option may result in forwarding
303 loops, and you should avoid having two-way peerings
304 with this option. (for example to deny peer usage on
305 requests from peer by denying cache_peer_access if the
308 NOTE: non-ICP neighbors must be specified as 'parent'.
311 NAME: cache_peer_domain cache_host_domain
316 Use to limit the domains for which a neighbor cache will be
319 cache_peer_domain cache-host domain [domain ...]
320 cache_peer_domain cache-host !domain
322 For example, specifying
324 cache_peer_domain parent.foo.net .edu
326 has the effect such that UDP query packets are sent to
327 'bigserver' only when the requested object exists on a
328 server in the .edu domain. Prefixing the domainname
329 with '!' means that the cache will be queried for objects
332 NOTE: * Any number of domains may be given for a cache-host,
333 either on the same or separate lines.
334 * When multiple domains are given for a particular
335 cache-host, the first matched domain is applied.
336 * Cache hosts with no domain restrictions are queried
338 * There are no defaults.
339 * There is also a 'cache_peer_access' tag in the ACL
344 NAME: neighbor_type_domain
349 usage: neighbor_type_domain parent|sibling domain domain ...
351 Modifying the neighbor type for specific domains is now
352 possible. You can treat some domains differently than the the
353 default neighbor type specified on the 'cache_peer' line.
354 Normally it should only be necessary to list domains which
355 should be treated differently because the default neighbor type
356 applies for hostnames which do not match domains listed here.
359 cache_peer parent cache.foo.org 3128 3130
360 neighbor_type_domain cache.foo.org sibling .com .net
361 neighbor_type_domain cache.foo.org sibling .au .de
364 NAME: icp_query_timeout
368 LOC: Config.Timeout.icp_query
370 Normally Squid will automatically determine an optimal ICP
371 query timeout value based on the round-trip-time of recent ICP
372 queries. If you want to override the value determined by
373 Squid, set this 'icp_query_timeout' to a non-zero value. This
374 value is specified in MILLISECONDS, so, to use a 2-second
375 timeout (the old default), you would write:
377 icp_query_timeout 2000
380 NAME: maximum_icp_query_timeout
384 LOC: Config.Timeout.icp_query_max
386 Normally the ICP query timeout is determined dynamically. But
387 sometimes it can lead to very large values (say 5 seconds).
388 Use this option to put an upper limit on the dynamic timeout
389 value. Do NOT use this option to always use a fixed (instead
390 of a dynamic) timeout value.
392 If 'icp_query_timeout' is set to zero, then this value is
396 NAME: mcast_icp_query_timeout
400 LOC: Config.Timeout.mcast_icp_query
402 For Multicast peers, Squid regularly sends out ICP "probes" to
403 count how many other peers are listening on the given multicast
404 address. This value specifies how long Squid should wait to
405 count all the replies. The default is 2000 msec, or 2
409 NAME: dead_peer_timeout
413 LOC: Config.Timeout.deadPeer
415 This controls how long Squid waits to declare a peer cache
416 as "dead." If there are no ICP replies received in this
417 amount of time, Squid will declare the peer dead and not
418 expect to receive any further ICP replies. However, it
419 continues to send ICP queries, and will mark the peer as
420 alive upon receipt of the first subsequent ICP reply.
422 This timeout also affects when Squid expects to receive ICP
423 replies from peers. If more than 'dead_peer' seconds have
424 passed since the last ICP reply was received, Squid will not
425 expect to receive an ICP reply on the next query. Thus, if
426 your time between requests is greater than this timeout, you
427 will see a lot of requests sent DIRECT to origin servers
428 instead of to your parents.
432 NAME: hierarchy_stoplist
435 LOC: Config.hierarchy_stoplist
437 A list of words which, if found in a URL, cause the object to
438 be handled directly by this cache. In other words, use this
439 to not query neighbor caches for certain objects. You may
440 list this option multiple times.
443 #We recommend you to use at least the following line.
444 hierarchy_stoplist cgi-bin ?
452 LOC: Config.accessList.noCache
454 A list of ACL elements which, if matched, cause the reply to
455 immediately removed from the cache. In other words, use this
456 to force certain objects to never be cached.
458 You must use the word 'DENY' to indicate the ACL names which should
462 #We recommend you to use the following two lines.
463 acl QUERY urlpath_regex cgi-bin \?
470 OPTIONS WHICH AFFECT THE CACHE SIZE
471 -----------------------------------------------------------------------------
478 LOC: Config.memMaxSize
480 NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS
481 SIZE. IT PLACES A LIMIT ON ONE ASPECT OF SQUID'S MEMORY
482 USAGE. SQUID USES MEMORY FOR OTHER THINGS AS WELL.
483 YOUR PROCESS WILL PROBABLY BECOME TWICE OR THREE TIMES
484 BIGGER THAN THE VALUE YOU PUT HERE
486 'cache_mem' specifies the ideal amount of memory to be used
490 * Negative-Cached objects
492 Data for these objects are stored in 4 KB blocks. This
493 parameter specifies the ideal upper limit on the total size of
494 4 KB blocks allocated. In-Transit objects take the highest
497 In-transit objects have priority over the others. When
498 additional space is needed for incoming data, negative-cached
499 and hot objects will be released. In other words, the
500 negative-cached and hot objects will fill up any unused space
501 not needed for in-transit objects.
503 If circumstances require, this limit will be exceeded.
504 Specifically, if your incoming request rate requires more than
505 'cache_mem' of memory to hold in-transit objects, Squid will
506 exceed this limit to satisfy the new requests. When the load
507 decreases, blocks will be freed until the high-water mark is
508 reached. Thereafter, blocks will be used to store hot
514 COMMENT: (percent, 0-100)
517 LOC: Config.Swap.lowWaterMark
520 NAME: cache_swap_high
521 COMMENT: (percent, 0-100)
524 LOC: Config.Swap.highWaterMark
527 The low- and high-water marks for cache object replacement.
528 Replacement begins when the swap (disk) usage is above the
529 low-water mark and attempts to maintain utilization near the
530 low-water mark. As swap utilization gets close to high-water
531 mark object eviction becomes more aggressive. If utilization is
532 close to the low-water mark less replacement is done each time.
534 Defaults are 90% and 95%. If you have a large cache, 5% could be
535 hundreds of MB. If this is the case you may wish to set these
536 numbers closer together.
539 NAME: maximum_object_size
543 LOC: Config.Store.maxObjectSize
545 Objects larger than this size will NOT be saved on disk. The
546 value is specified in kilobytes, and the default is 4MB. If
547 you wish to get a high BYTES hit ratio, you should probably
548 increase this (one 32 MB object hit counts for 3200 10KB
549 hits). If you wish to increase speed more than your want to
550 save bandwidth you should leave this low.
552 NOTE: if using the LFUDA replacement policy you should increase
553 this value to maximize the byte hit rate improvement of LFUDA!
554 See replacement_policy below for a discussion of this policy.
557 NAME: minimum_object_size
561 LOC: Config.Store.minObjectSize
563 Objects smaller than this size will NOT be saved on disk. The
564 value is specified in kilobytes, and the default is 0 KB, which
565 means there is no minimum.
568 NAME: maximum_object_size_in_memory
572 LOC: Config.Store.maxInMemObjSize
574 Objects greater than this size will not be attempted to kept in
575 the memory cache. This should be set high enough to keep objects
576 accessed frequently in memory to improve performance whilst low
577 enough to keep larger objects from hoarding cache_mem .
581 COMMENT: (number of entries)
584 LOC: Config.ipcache.size
591 LOC: Config.ipcache.low
598 LOC: Config.ipcache.high
600 The size, low-, and high-water marks for the IP cache.
604 COMMENT: (number of entries)
607 LOC: Config.fqdncache.size
609 Maximum number of FQDN cache entries.
612 NAME: cache_replacement_policy
614 LOC: Config.replPolicy
617 The cache replacement policy parameter determines which
618 objects are evicted (replaced) when disk space is needed.
620 lru : Squid's original list based LRU policy
621 heap GDSF : Greedy-Dual Size Frequency
622 heap LFUDA: Least Frequently Used with Dynamic Aging
623 heap LRU : LRU policy implemented using a heap
625 Applies to any cache_dir lines listed below this.
627 The LRU policies keeps recently referenced objects.
629 The heap GDSF policy optimizes object hit rate by keeping smaller
630 popular objects in cache so it has a better chance of getting a
631 hit. It achieves a lower byte hit rate than LFUDA though since
632 it evicts larger (possibly popular) objects.
634 The heap LFUDA policy keeps popular objects in cache regardless of
635 their size and thus optimizes byte hit rate at the expense of
636 hit rate since one large, popular object will prevent many
637 smaller, slightly less popular objects from being cached.
639 Both policies utilize a dynamic aging mechanism that prevents
640 cache pollution that can otherwise occur with frequency-based
641 replacement policies.
643 NOTE: if using the LFUDA replacement policy you should increase
644 the value of maximum_object_size above its default of 4096 KB to
645 to maximize the potential byte hit rate improvement of LFUDA.
647 For more information about the GDSF and LFUDA cache replacement
648 policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
649 and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
652 NAME: memory_replacement_policy
654 LOC: Config.memPolicy
657 The memory replacement policy parameter determines which
658 objects are purged from memory when memory space is needed.
660 See cache_replacement_policy for details.
665 LOGFILE PATHNAMES AND CACHE DIRECTORIES
666 -----------------------------------------------------------------------------
672 DEFAULT_IF_NONE: ufs -1 @DEFAULT_SWAP_DIR@ 100 16 256
673 LOC: Config.cacheSwap
677 cache_dir Type Maxobjsize Directory-Name Mbytes Level-1 Level2 [...]
681 cache_dir diskd Maxobjsize Directory-Name MB L1 L2 Q1 Q2
683 You can specify multiple cache_dir lines to spread the
684 cache among different disk partitions.
686 Type specifies the kind of storage system to use. Most
687 everyone will want to use "ufs" as the type. If you are using
688 Async I/O (--enable async-io) on Linux or Solaris, then you may
689 want to try "aufs" as the type. Async IO support may be
690 buggy, however, so beware.
692 Maxobjsize refers to the max object size this storedir supports.
693 It is used to initially choose the storedir to dump the object.
696 'Directory' is a top-level directory where cache swap
697 files will be stored. If you want to use an entire disk
698 for caching, then this can be the mount-point directory.
699 The directory must exist and be writable by the Squid
700 process. Squid will NOT create this directory for you.
702 If no 'cache_dir' lines are specified, the following
703 default will be used: @DEFAULT_SWAP_DIR@.
705 'Mbytes' is the amount of disk space (MB) to use under this
706 directory. The default is 100 MB. Change this to suit your
709 'Level-1' is the number of first-level subdirectories which
710 will be created under the 'Directory'. The default is 16.
712 'Level-2' is the number of second-level subdirectories which
713 will be created under each first-level directory. The default
716 For the diskd type, Q1 specifies the number of unacknowledged
717 I/O requests when Squid stops opening new files. If this
718 many messages are in the queues, Squid won't open new files.
719 Q2 specifies the number of unacknowledged messages when Squid
720 starts blocking. If this many messages are in the queues,
721 Squid blocks until it recevies some replies.
725 NAME: cache_access_log
727 DEFAULT: @DEFAULT_ACCESS_LOG@
728 LOC: Config.Log.access
730 Logs the client request activity. Contains an entry for
731 every HTTP and ICP queries received. To disable, enter "none".
737 DEFAULT: @DEFAULT_CACHE_LOG@
740 Cache logging file. This is where general information about
741 your cache's behavior goes. You can increase the amount of data
742 logged to this file with the "debug_options" tag below.
746 NAME: cache_store_log
748 DEFAULT: @DEFAULT_STORE_LOG@
749 LOC: Config.Log.store
751 Logs the activities of the storage manager. Shows which
752 objects are ejected from the cache, and which objects are
753 saved and for how long. To disable, enter "none". There are
754 not really utilities to analyze this data, so you can safely
764 Location for the cache "swap.log." This log file holds the
765 metadata of objects saved on disk. It is used to rebuild the
766 cache during startup. Normally this file resides in each
767 'cache_dir' directory, but you may specify an alternate
768 pathname here. Note you must give a full filename, not just
769 a directory. Since this is the index for the whole object
770 list you CANNOT periodically rotate it!
772 If %s can be used in the file name then it will be replaced with a
773 a representation of the cache_dir name where each / is replaced
774 with '.'. This is needed to allow adding/removing cache_dir
775 lines when cache_swap_log is being used.
777 If have more than one 'cache_dir', and %s is not used in the name
778 then these swap logs will have names such as:
784 The numbered extension (which is added automatically)
785 corresponds to the order of the 'cache_dir' lines in this
786 configuration file. If you change the order of the 'cache_dir'
787 lines in this file, then these log files will NOT correspond to
788 the correct 'cache_dir' entry (unless you manually rename
789 them). We recommend that you do NOT use this option. It is
790 better to keep these log files in each 'cache_dir' directory.
794 NAME: emulate_httpd_log
798 LOC: Config.onoff.common_log
800 The Cache can emulate the log file format which many 'httpd'
801 programs use. To disable/enable this emulation, set
802 emulate_httpd_log to 'off' or 'on'. The default
803 is to use the native log format since it includes useful
804 information that Squid-specific log analyzers use.
807 NAME: log_ip_on_direct
811 LOC: Config.onoff.log_ip_on_direct
813 Log the destination IP address in the hierarchy log tag when going
814 direct. Earlier Squid versions logged the hostname here. If you
815 prefer the old way set this to off.
820 DEFAULT: @DEFAULT_MIME_TABLE@
821 LOC: Config.mimeTablePathname
823 Pathname to Squid's MIME table. You shouldn't need to change
824 this, but the default file contains examples and formatting
825 information if you do.
832 LOC: Config.onoff.log_mime_hdrs
835 The Cache can record both the request and the response MIME
836 headers for each HTTP transaction. The headers are encoded
837 safely and will appear as two bracketed fields at the end of
838 the access log (for either the native or httpd-emulated log
839 formats). To enable this logging set log_mime_hdrs to 'on'.
845 LOC: Config.Log.useragent
847 IFDEF: USE_USERAGENT_LOG
849 Squid will write the User-Agent field from HTTP requests
850 to the filename specified here. By default useragent_log
857 LOC: Config.Log.referer
859 IFDEF: USE_REFERER_LOG
861 Squid will write the Referer field from HTTP requests to the
862 filename specified here. By default referer_log is disabled.
868 DEFAULT: @DEFAULT_PID_FILE@
869 LOC: Config.pidFilename
871 A filename to write the process-id to. To disable, enter "none".
878 LOC: Config.debugOptions
880 Logging options are set as section,level where each source file
881 is assigned a unique section. Lower levels result in less
882 output, Full debugging (level 9) can result in a very large
883 log file, so be careful. The magic word "ALL" sets debugging
884 levels for all sections. We recommend normally running with
893 LOC: Config.onoff.log_fqdn
895 Turn this on if you wish to log fully qualified domain names
896 in the access.log. To do this Squid does a DNS lookup of all
897 IP's connecting to it. This can (in some situations) increase
898 latency, which makes your cache seem slower for interactive
905 LOC: Config.Addrs.client_netmask
906 DEFAULT: 255.255.255.255
908 A netmask for client addresses in logfiles and cachemgr output.
909 Change this to protect the privacy of your cache clients.
910 A netmask of 255.255.255.0 will log all IP's in that range with
911 the last digit set to '0'.
916 OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
917 -----------------------------------------------------------------------------
923 LOC: Config.Ftp.anon_user
925 If you want the anonymous login password to be more informative
926 (and enable the use of picky ftp servers), set this to something
927 reasonable for your domain, like wwwuser@somewhere.net
929 The reason why this is domainless by default is that the
930 request can be made on the behalf of a user in any domain,
931 depending on how the cache is used.
932 Some ftp server also validate that the email address is valid
933 (for example perl.com).
939 LOC: Config.Ftp.list_width
941 Sets the width of ftp listings. This should be set to fit in
942 the width of a standard browser. Setting this too small
943 can cut off long filenames when browsing ftp sites.
949 LOC: Config.Ftp.passive
951 If your firewall does not allow Squid to use passive
952 connections, then turn off this option.
955 NAME: cache_dns_program
957 IFDEF: USE_DNSSERVERS
958 DEFAULT: @DEFAULT_DNSSERVER@
959 LOC: Config.Program.dnsserver
961 Specify the location of the executable for dnslookup process.
966 IFDEF: USE_DNSSERVERS
968 LOC: Config.dnsChildren
970 The number of processes spawn to service DNS name lookups.
971 For heavily loaded caches on large servers, you should
972 probably increase this value to at least 10. The maximum
973 is 32. The default is 5.
975 You must have at least one dnsserver process.
978 NAME: dns_retransmit_interval
981 LOC: Config.Timeout.idns_retransmit
982 IFDEF: !USE_DNSSERVERS
984 Initial retransmit interval for DNS queries. The interval is
985 doubled each time all configured DNS servers have been tried.
992 LOC: Config.Timeout.idns_query
993 IFDEF: !USE_DNSSERVERS
995 DNS Query timeout. If no response is received to a DNS query
996 within this time then all DNS servers for the queried domain
997 is assumed to be unavailable.
1002 IFDEF: USE_DNSSERVERS
1005 LOC: Config.onoff.res_defnames
1006 IFDEF: USE_DNSSERVERS
1008 Normally the 'dnsserver' disables the RES_DEFNAMES resolver
1009 option (see res_init(3)). This prevents caches in a hierarchy
1010 from interpreting single-component hostnames locally. To allow
1011 dnsserver to handle single-component names, enable this
1015 NAME: dns_nameservers
1018 LOC: Config.dns_nameservers
1020 Use this if you want to specify a list of DNS name servers
1021 (IP addresses) to use instead of those given in your
1022 /etc/resolv.conf file.
1024 Example: dns_nameservers 10.0.0.1 192.172.0.4
1030 LOC: Config.etcHostsPath
1032 Location of the host-local IP name-address associations
1033 database. Most Operating Systems have such a file: under
1034 Un*X it's by default in /etc/hosts MS-Windows NT/2000 places
1035 that in %SystemRoot%(by default
1036 c:\winnt)\system32\drivers\etc\hosts, while Windows 9x/ME
1037 places that in %windir%(usually c:\windows)\hosts
1039 The file contains newline-separated definitions, in the
1040 form ip_address_in_dotted_form name [name ...] names are
1041 whitespace-separated. lines beginnng with an hash (#)
1042 character are comments.
1044 The file is checked at startup and upon configuration. If
1045 set to 'none', it won't be checked. If append_domain is
1046 used, that domain will be added to domain-local (i.e. not
1047 containing any dot character) host definitions.
1050 NAME: unlinkd_program
1053 DEFAULT: @DEFAULT_UNLINKD@
1054 LOC: Config.Program.unlinkd
1056 Specify the location of the executable for file deletion process.
1059 NAME: pinger_program
1061 DEFAULT: @DEFAULT_PINGER@
1062 LOC: Config.Program.pinger
1065 Specify the location of the executable for the pinger process.
1066 This is only useful if you configured Squid (during compilation)
1067 with the '--enable-icmp' option.
1071 NAME: redirect_program
1073 LOC: Config.Program.redirect
1076 Specify the location of the executable for the URL redirector.
1077 Since they can perform almost any function there isn't one included.
1078 See the Release-Notes for information on how to write one.
1079 By default, a redirector is not used.
1083 NAME: redirect_children
1086 LOC: Config.redirectChildren
1088 The number of redirector processes to spawn. If you start
1089 too few Squid will have to wait for them to process a backlog of
1090 URLs, slowing it down. If you start too many they will use RAM
1091 and other system resources.
1094 NAME: redirect_rewrites_host_header
1097 LOC: Config.onoff.redir_rewrites_host
1099 By default Squid rewrites any Host: header in redirected
1100 requests. If you are running a accelerator then this may
1101 not be a wanted effect of a redirector.
1104 NAME: redirector_access
1107 LOC: Config.accessList.redirector
1109 If defined, this access list specifies which requests are
1110 sent to the redirector processes. By default all requests
1116 LOC: Config.authConfig
1119 This is used to pass parameters to the various authentication
1121 format: auth_param scheme parameter [setting]
1123 auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
1124 would tell the basic authentication scheme it's program parameter.
1126 The order that authentication prompts are presented to the client_agent
1127 is dependant on the order the scheme first appears in config file.
1128 IE has a bug (it's not rfc 2617 compliant) in that it will use the basic
1129 scheme if basic is the first entry presented, even if more secure schemes
1130 are presented. For now use the order in the file below. If other browsers
1131 have difficulties (don't recognise the schemes offered even if you are using
1132 basic) then either put basic first, or disable the other schemes (by commenting
1133 out their program entry).
1135 === Parameters for the basic scheme follow. ===
1138 Specify the command for the external authenticator. Such a
1139 program reads a line containing "username password" and replies
1140 "OK" or "ERR" in an endless loop. If you use an authenticator,
1141 make sure you have 1 acl of type proxy_auth. By default, the
1142 authenticate_program is not used.
1144 If you want to use the traditional proxy authentication,
1145 jump over to the ../auth_modules/NCSA directory and
1150 Then, set this line to something like
1152 auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
1154 "children" numberofchildren
1155 The number of authenticator processes to spawn (no default). If you
1156 start too few Squid will have to wait for them to process a backlog
1157 of usercode/password verifications, slowing it down. When password
1158 verifications are done via a (slow) network you are likely to need
1159 lots of authenticator processes.
1160 auth_param basic children 5
1163 Specifies the realm name which is to be reported to the client for
1164 the basic proxy authentication scheme (part of the text the user will
1165 see when prompted their username and password). Their is no default.
1166 auth_param basic realm Squid proxy-caching web server
1168 "credentialsttl" timetolive
1169 Specifies how long squid assumes an externally validated username:password
1170 pair is valid for - in other words how often the helper program is called
1171 for that user. Set this low to force revalidation with short lived passwords.
1172 Note that setting this high does not impact your susceptability to replay
1173 attacks unless you are using a one-time password system (such as SecureID).
1174 If you are using such a system, you will be vulnerable to replay attacks
1175 unless you also enable the IP ttl is strict option.
1177 === NTLM scheme options follow ===
1180 Specify the command for the external ntlm authenticator. Such a
1181 program reads a line containing the uuencoded NEGOTIATE and replies
1182 with the ntlm CHALLENGE, then waits for the response and answers with
1183 "OK" or "ERR" in an endless loop. If you use an ntlm authenticator,
1184 make sure you have 1 acl of type proxy_auth. By default, the
1185 ntlm authenticator_program is not used.
1187 auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
1189 "children" numberofchildren
1190 The number of authenticator processes to spawn (no default). If you
1191 start too few Squid will have to wait for them to process a backlog
1192 of credential verifications, slowing it down. When crendential
1193 verifications are done via a (slow) network you are likely to need
1194 lots of authenticator processes.
1195 auth_param ntlm children 5
1197 "max_challenge_reuses" number
1198 The maximum number of times a challenge given by a ntlm authentication
1199 helper can be reused. Increasing this number increases your exposure
1200 to replay attacks on your network. 0 means use the challenge only once.
1201 (disable challenge caching)
1202 See max_ntlm_challenge_lifetime for more information.
1203 auth_param ntlm max_challenge_reuses 0
1205 "max_challenge_lifetime" timespan
1206 The maximum time period that a ntlm challenge is reused over.
1207 The actual period will be the minimum of this time AND the number of
1209 auth_param ntlm max_challenge_lifetime 2 minutes
1212 #Recommended minimum configuration:
1213 #auth_param ntlm program <uncomment and complete this line to activate>
1214 auth_param ntlm children 5
1215 auth_param ntlm max_challenge_reuses 0
1216 auth_param ntlm max_challenge_lifetime 2 minutes
1217 #auth_param basic program <uncomment and complete this line>
1218 auth_param basic children 5
1219 auth_param basic realm Squid proxy-caching web server
1220 auth_param basic credentialsttl 2 hours
1224 NAME: authenticate_cache_garbage_interval
1227 LOC: Config.authenticateGCInterval
1229 The time period between garbage collection across the username cache.
1230 This is a tradeoff between memory utilisation (long intervals - say
1231 2 days) and CPU (short intervals - say 1 minute). Only change if
1232 you have good reason to.
1235 NAME: authenticate_ttl
1238 LOC: Config.authenticateTTL
1240 The time a user & their credentials stay in the logged in user cache
1241 since their last request. When the garbage interval passes, all
1242 user credentials that have passed their TTL are removed from memory.
1245 NAME: authenticate_ip_ttl
1247 LOC: Config.authenticateIpTTL
1250 With this option you control how long a proxy authentication
1251 will be bound to a specific IP address. If a request using
1252 the same user name is received during this time then access
1253 will be denied and both users are required to reauthenticate
1254 them selves. The idea behind this is to make it annoying
1255 for people to share their password to their friends, but
1256 yet allow a dialup user to reconnect on a different dialup
1259 The default is 0 to disable the check. Recommended value
1260 if you have dialup users are no more than 60 seconds to allow
1261 the user to redial without hassle. If all your users are
1262 stationary then higher values may be used.
1264 See also authenticate_ip_ttl_is_strict
1267 NAME: authenticate_ip_ttl_is_strict
1269 LOC: Config.onoff.authenticateIpTTLStrict
1272 This option makes authenticate_ip_ttl a bit stricter. With this
1273 enabled authenticate_ip_ttl will deny all access from other IP
1274 addresses until the TTL has expired, and the IP address "owning"
1275 the userid will not be forced to reauthenticate.
1279 OPTIONS FOR TUNING THE CACHE
1280 -----------------------------------------------------------------------------
1283 NAME: wais_relay_host
1286 LOC: Config.Wais.relayHost
1289 NAME: wais_relay_port
1292 LOC: Config.Wais.relayPort
1294 Relay WAIS request to host (1st arg) at port (2 arg).
1298 NAME: request_header_max_size
1302 LOC: Config.maxRequestHeaderSize
1304 This specifies the maximum size for HTTP headers in a request.
1305 Request headers are usually relatively small (about 512 bytes).
1306 Placing a limit on the request header size will catch certain
1307 bugs (for example with persistent connections) and possibly
1308 buffer-overflow or denial-of-service attacks.
1311 NAME: request_body_max_size
1315 LOC: Config.maxRequestBodySize
1317 This specifies the maximum size for an HTTP request body.
1318 In other words, the maximum size of a PUT/POST request.
1319 A user who attempts to send a request with a body larger
1320 than this limit receives an "Invalid Request" error message.
1321 If you set this parameter to a zero, there will be no limit
1325 NAME: reply_body_max_size
1329 LOC: Config.maxReplyBodySize
1331 This option specifies the maximum size of a reply body. It
1332 can be used to prevent users from downloading very large files,
1333 such as MP3's and movies. The reply size is checked twice.
1334 First when we get the reply headers, we check the
1335 content-length value. If the content length value exists and
1336 is larger than this parameter, the request is denied and the
1337 user receives an error message that says "the request or reply
1338 is too large." If there is no content-length, and the reply
1339 size exceeds this limit, the client's connection is just closed
1340 and they will receive a partial reply.
1342 NOTE: downstream caches probably can not detect a partial reply
1343 if there is no content-length header, so they will cache
1344 partial responses and give them out as hits. You should NOT
1345 use this option if you have downstream caches.
1347 If you set this parameter to zero (the default), there will be
1352 NAME: refresh_pattern
1353 TYPE: refreshpattern
1356 DEFAULT_IF_NONE: ^ftp: 1440 20% 10080
1357 DEFAULT_IF_NONE: ^gopher: 1440 0% 1440
1358 DEFAULT_IF_NONE: . 0 20% 4320
1360 usage: refresh_pattern [-i] regex min percent max [options]
1362 By default, regular expressions are CASE-SENSITIVE. To make
1363 them case-insensitive, use the -i option.
1365 'Min' is the time (in minutes) an object without an explicit
1366 expiry time should be considered fresh. The recommended
1367 value is 0, any higher values may cause dynamic applications
1368 to be erroneously cached unless the application designer
1369 has taken the appropriate actions.
1371 'Percent' is a percentage of the objects age (time since last
1372 modification age) an object without explicit expiry time
1373 will be considered fresh.
1375 'Max' is an upper limit on how long objects without an explicit
1376 expiry time will be considered fresh.
1378 options: overrsde-expire
1383 override-expire enforces min age even if the server
1384 sent a Expires: header. Doing this VIOLATES the HTTP
1385 standard. Enabling this feature could make you liable
1386 for problems which it causes.
1388 override-lastmod enforces min age even on objects
1389 that was modified recently.
1391 reload-into-ims changes client no-cache or ``reload''
1392 to If-Modified-Since requests. Doing this VIOLATES the
1393 HTTP standard. Enabling this feature could make you
1394 liable for problems which it causes.
1396 ignore-reload ignores a client no-cache or ``reload''
1397 header. Doing this VIOLATES the HTTP standard. Enabling
1398 this feature could make you liable for problems which
1401 Please see the file doc/Release-Notes-1.1.txt for a full
1402 description of Squid's refresh algorithm. Basically a
1403 cached object is: (the order is changed from 1.1.X)
1405 FRESH if expires < now, else STALE
1407 FRESH if lm-factor < percent, else STALE
1411 The refresh_pattern lines are checked in the order listed here.
1412 The first entry which matches is used. If none of the entries
1413 match, then the default will be used.
1415 Note, you must uncomment all the default lines if you want
1416 to change one. The default setting is only active if none is
1422 LOC: Config.referenceAge
1425 As a part of normal operation, Squid performs Least Recently
1426 Used removal of cached objects. The LRU age for removal is
1427 computed dynamically, based on the amount of disk space in
1428 use. The dynamic value can be seen in the Cache Manager 'info'
1431 The 'reference_age' parameter defines the maximum LRU age. For
1432 example, setting reference_age to '1 week' will cause objects
1433 to be removed if they have not been accessed for a week or
1434 more. The default value is one year.
1436 Specify a number here, followed by units of time. For example:
1442 NOTE: this parameter is not used when using the enhanced
1443 replacement policies, GDSH or LFUDA.
1447 NAME: quick_abort_min
1451 LOC: Config.quickAbort.min
1454 NAME: quick_abort_max
1458 LOC: Config.quickAbort.max
1461 NAME: quick_abort_pct
1465 LOC: Config.quickAbort.pct
1467 The cache can be configured to continue downloading aborted
1468 requests. This may be undesirable on slow (e.g. SLIP) links
1469 and/or very busy caches. Impatient users may tie up file
1470 descriptors and bandwidth by repeatedly requesting and
1471 immediately aborting downloads.
1473 When the user aborts a request, Squid will check the
1474 quick_abort values to the amount of data transfered until
1477 If the transfer has less than 'quick_abort_min' KB remaining,
1478 it will finish the retrieval. Setting 'quick_abort_min' to -1
1479 will disable the quick_abort feature.
1481 If the transfer has more than 'quick_abort_max' KB remaining,
1482 it will abort the retrieval.
1484 If more than 'quick_abort_pct' of the transfer has completed,
1485 it will finish the retrieval.
1492 LOC: Config.negativeTtl
1495 Time-to-Live (TTL) for failed requests. Certain types of
1496 failures (such as "connection refused" and "404 Not Found") are
1497 negatively-cached for a configurable amount of time. The
1498 default is 5 minutes. Note that this is different from
1499 negative caching of DNS lookups.
1503 NAME: positive_dns_ttl
1506 LOC: Config.positiveDnsTtl
1509 Time-to-Live (TTL) for positive caching of successful DNS lookups.
1510 Default is 6 hours (360 minutes). If you want to minimize the
1511 use of Squid's ipcache, set this to 1, not 0.
1515 NAME: negative_dns_ttl
1518 LOC: Config.negativeDnsTtl
1521 Time-to-Live (TTL) for negative caching of failed DNS lookups.
1524 NAME: range_offset_limit
1527 LOC: Config.rangeOffsetLimit
1530 Sets a upper limit on how far into the the file a Range request
1531 may be to cause Squid to prefetch the whole file. If beyond this
1532 limit then Squid forwards the Range request as it is and the result
1535 This is to stop a far ahead range request (lets say start at 17MB)
1536 from making Squid fetch the whole object up to that point before
1537 sending anything to the client.
1539 A value of -1 causes Squid to always fetch the object from the
1540 beginning so that it may cache the result. (2.0 style)
1542 A value of 0 causes Squid to never fetch more than the
1543 client requested. (default)
1549 -----------------------------------------------------------------------------
1552 NAME: connect_timeout
1555 LOC: Config.Timeout.connect
1558 Some systems (notably Linux) can not be relied upon to properly
1559 time out connect(2) requests. Therefore the Squid process
1560 enforces its own timeout on server connections. This parameter
1561 specifies how long to wait for the connect to complete. The
1562 default is two minutes (120 seconds).
1565 NAME: peer_connect_timeout
1568 LOC: Config.Timeout.peer_connect
1571 This parameter specifies how long to wait for a pending TCP
1572 connection to a peer cache. The default is 30 seconds. You
1573 may also set different timeout values for individual neighbors
1574 with the 'connect-timeout' option on a 'cache_peer' line.
1577 NAME: siteselect_timeout
1580 LOC: Config.Timeout.siteSelect
1583 For URN to multiple URL's URL selection
1589 LOC: Config.Timeout.read
1592 The read_timeout is applied on server-side connections. After
1593 each successful read(), the timeout will be extended by this
1594 amount. If no data is read again after this amount of time,
1595 the request is aborted and logged with ERR_READ_TIMEOUT. The
1596 default is 15 minutes.
1600 NAME: request_timeout
1602 LOC: Config.Timeout.request
1605 How long to wait for an HTTP request after connection
1606 establishment. For persistent connections, wait this long
1607 after the previous request completes.
1611 NAME: client_lifetime
1614 LOC: Config.Timeout.lifetime
1617 The maximum amount of time that a client (browser) is allowed to
1618 remain connected to the cache process. This protects the Cache
1619 from having a lot of sockets (and hence file descriptors) tied up
1620 in a CLOSE_WAIT state from remote clients that go away without
1621 properly shutting down (either because of a network failure or
1622 because of a poor client implementation). The default is one
1625 NOTE: The default value is intended to be much larger than any
1626 client would ever need to be connected to your cache. You
1627 should probably change client_lifetime only as a last resort.
1628 If you seem to have many client connections tying up
1629 filedescriptors, we recommend first tuning the read_timeout,
1630 request_timeout, pconn_timeout and quick_abort values.
1633 NAME: half_closed_clients
1635 LOC: Config.onoff.half_closed_clients
1638 Some clients may shutdown the sending side of their TCP
1639 connections, while leaving their receiving sides open. Sometimes,
1640 Squid can not tell the difference between a half-closed and a
1641 fully-closed TCP connection. By default, half-closed client
1642 connections are kept open until a read(2) or write(2) on the
1643 socket returns an error. Change this option to 'off' and Squid
1644 will immediately close client connections when read(2) returns
1645 "no more data to read."
1650 LOC: Config.Timeout.pconn
1651 DEFAULT: 120 seconds
1653 Timeout for idle persistent connections to servers and other
1660 LOC: Config.Timeout.ident
1663 Maximum time to wait for IDENT requests. If this is too high,
1664 and you enabled 'ident_lookup', then you might be susceptible
1665 to denial-of-service by having many ident requests going at
1668 Only src type ACL checks are fully supported. A src_domain
1669 ACL might work at times, but it will not always provide
1672 This option may be disabled by using --disable-ident with
1673 the configure script.
1677 NAME: shutdown_lifetime
1680 LOC: Config.shutdownLifetime
1683 When SIGTERM or SIGHUP is received, the cache is put into
1684 "shutdown pending" mode until all active sockets are closed.
1685 This value is the lifetime to set for all open descriptors
1686 during shutdown mode. Any active clients after this many
1687 seconds will receive a 'timeout' message.
1692 -----------------------------------------------------------------------------
1700 Defining an Access List
1702 acl aclname acltype string1 ...
1703 acl aclname acltype "file" ...
1705 when using "file", the file should contain one item per line
1707 acltype is one of src dst srcdomain dstdomain url_pattern
1708 urlpath_pattern time port proto method browser user
1710 By default, regular expressions are CASE-SENSITIVE. To make
1711 them case-insensitive, use the -i option.
1713 acl aclname src ip-address/netmask ... (clients IP address)
1714 acl aclname src addr1-addr2/netmask ... (range of addresses)
1715 acl aclname dst ip-address/netmask ... (URL host's IP address)
1716 acl aclname myip ip-address/netmask ... (local socket IP address)
1718 acl aclname srcdomain .foo.com ... # reverse lookup, client IP
1719 acl aclname dstdomain .foo.com ... # Destination server from URL
1720 acl aclname srcdom_regex [-i] xxx ... # regex matching client name
1721 acl aclname dstdom_regex [-i] xxx ... # regex matching server
1722 # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
1723 # based URL is used. The name "none" is used if the reverse lookup
1726 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
1735 h1:m1 must be less than h2:m2
1736 acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
1737 acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
1738 acl aclname port 80 70 21 ...
1739 acl aclname port 0-1024 ... # ranges allowed
1740 acl aclname myport 3128 ... # (local socket TCP port)
1741 acl aclname proto HTTP FTP ...
1742 acl aclname method GET POST ...
1743 acl aclname browser [-i] regexp
1744 # pattern match on User-Agent header
1745 acl aclname ident username ...
1746 acl aclname ident_regex [-i] pattern ...
1747 # string match on ident output.
1748 # use REQUIRED to accept any non-null ident.
1749 acl aclname src_as number ...
1750 acl aclname dst_as number ...
1751 # Except for access control, AS numbers can be used for
1752 # routing of requests to specific caches. Here's an
1753 # example for routing all requests for AS#1241 and only
1754 # those to mycache.mydomain.net:
1755 # acl asexample dst_as 1241
1756 # cache_peer_access mycache.mydomain.net allow asexample
1757 # cache_peer_access mycache_mydomain.net deny all
1759 acl aclname proxy_auth username ...
1760 acl aclname proxy_auth_regex [-i] pattern ...
1761 # list of valid usernames
1762 # use REQUIRED to accept any valid username.
1764 # NOTE: when a Proxy-Authentication header is sent but it is not
1765 # needed during ACL checking the username is NOT logged
1768 # NOTE: proxy_auth requires a EXTERNAL authentication program
1769 # to check username/password combinations (see
1770 # authenticate_program).
1772 # WARNING: proxy_auth can't be used in a transparent proxy. It
1773 # collides with any authentication done by origin servers. It may
1774 # seem like it works at first, but it doesn't.
1776 acl aclname snmp_community string ...
1777 # A community string to limit access to your SNMP Agent
1780 # acl snmppublic snmp_community public
1782 acl aclname maxconn number
1783 # This will be matched when the client's IP address has
1784 # more than <number> HTTP connections established.
1786 acl req_mime_type mime-type1 ...
1787 # regex match agains the mime type of the request generated
1788 # by the client. Can be used to detect file upload or some
1789 # types HTTP tunelling requests.
1790 # NOTE: This does NOT match the reply. You cannot use this
1791 # to match the returned file type.
1794 acl myexample dst_as 1241
1795 acl password proxy_auth REQUIRED
1796 acl fileupload req_mime_type -i ^multipart/form-data$
1799 #Recommended minimum configuration:
1800 acl all src 0.0.0.0/0.0.0.0
1801 acl manager proto cache_object
1802 acl localhost src 127.0.0.1/255.255.255.255
1803 acl SSL_ports port 443 563
1804 acl Safe_ports port 80 # http
1805 acl Safe_ports port 21 # ftp
1806 acl Safe_ports port 443 563 # https, snews
1807 acl Safe_ports port 70 # gopher
1808 acl Safe_ports port 210 # wais
1809 acl Safe_ports port 1025-65535 # unregistered ports
1810 acl Safe_ports port 280 # http-mgmt
1811 acl Safe_ports port 488 # gss-http
1812 acl Safe_ports port 591 # filemaker
1813 acl Safe_ports port 777 # multiling http
1814 acl CONNECT method CONNECT
1820 LOC: Config.accessList.http
1822 DEFAULT_IF_NONE: deny all
1824 Allowing or Denying access based on defined access lists
1826 Access to the HTTP port:
1827 http_access allow|deny [!]aclname ...
1829 NOTE on default values:
1831 If there are no "access" lines present, the default is to deny
1834 If none of the "access" lines cause a match, the default is the
1835 opposite of the last line in the list. If the last line was
1836 deny, then the default is allow. Conversely, if the last line
1837 is allow, the default will be deny. For these reasons, it is a
1838 good idea to have an "deny all" or "allow all" entry at the end
1839 of your access lists to avoid potential confusion.
1842 #Recommended minimum configuration:
1844 # Only allow cachemgr access from localhost
1845 http_access allow manager localhost
1846 http_access deny manager
1847 # Deny requests to unknown ports
1848 http_access deny !Safe_ports
1849 # Deny CONNECT to other than SSL ports
1850 http_access deny CONNECT !SSL_ports
1852 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
1854 # And finally deny all other access to this proxy
1855 http_access deny all
1862 LOC: Config.accessList.icp
1864 DEFAULT_IF_NONE: deny all
1866 Allowing or Denying access to the ICP port based on defined
1869 icp_access allow|deny [!]aclname ...
1871 See http_access for details
1874 #Allow ICP queries from eveyone
1875 icp_access allow all
1882 LOC: Config.accessList.miss
1885 Use to force your neighbors to use you as a sibling instead of
1886 a parent. For example:
1888 acl localclients src 172.16.0.0/16
1889 miss_access allow localclients
1890 miss_access deny !localclients
1892 This means that only your local clients are allowed to fetch
1893 MISSES and all other clients can only fetch HITS.
1895 By default, allow all clients who passed the http_access rules
1896 to fetch MISSES from us.
1900 # miss_access allow all
1905 NAME: cache_peer_access
1910 Similar to 'cache_peer_domain' but provides more flexibility by
1913 cache_peer_access cache-host allow|deny [!]aclname ...
1915 The syntax is identical to 'http_access' and the other lists of
1916 ACL elements. See the comments for 'http_access' below, or
1917 the Squid FAQ (http://squid.nlanr.net/Squid/FAQ/FAQ-10.html).
1920 NAME: ident_lookup_access
1924 DEFAULT_IF_NONE: deny all
1925 LOC: Config.accessList.identLookup
1927 A list of ACL elements which, if matched, cause an ident
1928 (RFC 931) lookup to be performed for this request. For
1929 example, you might choose to always perform ident lookups
1930 for your main multi-user Unix boxes, but not for your Macs
1931 and PCs. By default, ident lookups are not performed for
1934 To enable ident lookups for specific client addresses, you
1935 can follow this example:
1937 acl ident_aware_hosts src 198.168.1.0/255.255.255.0
1938 ident_lookup_access allow ident_aware_hosts
1939 ident_lookup_access deny all
1941 This option may be disabled by using --disable-ident with
1942 the configure script.
1947 ADMINISTRATIVE PARAMETERS
1948 -----------------------------------------------------------------------------
1954 LOC: Config.adminEmail
1956 Email-address of local cache manager who will receive
1957 mail if the cache dies. The default is "webmaster."
1961 NAME: cache_effective_user
1964 LOC: Config.effectiveUser
1967 NAME: cache_effective_group
1970 LOC: Config.effectiveGroup
1973 If the cache is run as root, it will change its effective/real
1974 UID/GID to the UID/GID specified below. The default is to
1975 change to UID to nobody and GID to nogroup.
1977 If Squid is not started as root, the default is to keep the
1978 current UID/GID. Note that if Squid is not started as root then
1979 you cannot set http_port to a value lower than 1024.
1983 NAME: visible_hostname
1985 LOC: Config.visibleHostname
1988 If you want to present a special hostname in error messages, etc,
1989 then define this. Otherwise, the return value of gethostname()
1990 will be used. If you have multiple caches in a cluster and
1991 get errors about IP-forwarding you must set them to have individual
1992 names with this setting.
1996 NAME: unique_hostname
1998 LOC: Config.uniqueHostname
2001 If you want to have multiple machines with the same
2002 'visible_hostname' then you must give each machine a different
2003 'unique_hostname' so that forwarding loops can be detected.
2007 NAME: hostname_aliases
2009 LOC: Config.hostnameAliases
2012 A list of other DNS names that your cache has.
2016 OPTIONS FOR THE CACHE REGISTRATION SERVICE
2017 -----------------------------------------------------------------------------
2019 This section contains parameters for the (optional) cache
2020 announcement service. This service is provided to help
2021 cache administrators locate one another in order to join or
2022 create cache hierarchies.
2024 An 'announcement' message is sent (via UDP) to the registration
2025 service by Squid. By default, the announcement message is NOT
2026 SENT unless you enable it with 'announce_period' below.
2028 The announcement message includes your hostname, plus the
2029 following information from this configuration file:
2035 All current information is processed regularly and made
2036 available on the Web at http://ircache.nlanr.net/Cache/Tracker/.
2039 NAME: announce_period
2041 LOC: Config.Announce.period
2044 This is how frequently to send cache announcements. The
2045 default is `0' which disables sending the announcement
2048 To enable announcing your cache, just uncomment the line
2052 #To enable announcing your cache, just uncomment the line below.
2053 #announce_period 1 day
2060 DEFAULT: tracker.ircache.net
2061 LOC: Config.Announce.host
2067 LOC: Config.Announce.file
2073 LOC: Config.Announce.port
2075 announce_host and announce_port set the hostname and port
2076 number where the registration message will be sent.
2078 Hostname will default to 'tracker.ircache.net' and port will
2079 default default to 3131. If the 'filename' argument is given,
2080 the contents of that file will be included in the announce
2085 HTTPD-ACCELERATOR OPTIONS
2086 -----------------------------------------------------------------------------
2089 NAME: httpd_accel_host
2091 LOC: Config.Accel.host
2095 NAME: httpd_accel_port
2097 LOC: Config.Accel.port
2100 If you want to run Squid as an httpd accelerator, define the
2101 host name and port number where the real HTTP server is.
2103 If you want virtual host support then specify the hostname
2106 If you want virtual port support then specify the port as "0".
2108 NOTE: enabling httpd_accel_host disables proxy-caching and
2109 ICP. If you want these features enabled also, then set
2110 the 'httpd_accel_with_proxy' option.
2113 NAME: httpd_accel_single_host
2116 LOC: Config.Accel.single_host
2119 If you are running Squid as a accelerator and have a single backend
2120 server then set this to on. This causes Squid to forward the request
2121 to this server irregardles of what any redirectors or Host headers
2124 Leave this at off if you have multiple backend servers, and use a
2125 redirector (or host table or private DNS) to map the requests to the
2126 appropriate backend servers. Note that the mapping needs to be a
2127 1-1 mapping between requested and backend (from redirector) domain
2128 names or caching will fail, as cacing is performed using the
2129 URL returned from the redirector.
2131 See also redirect_rewrites_host_header.
2134 NAME: httpd_accel_with_proxy
2138 LOC: Config.onoff.accel_with_proxy
2140 If you want to use Squid as both a local httpd accelerator
2141 and as a proxy, change this to 'on'. Note however that your
2142 proxy users may have trouble to reach the accelerated domains
2143 unless their browsers are configured not to use this proxy for
2144 those domains (for example via the no_proxy browser configuration
2148 NAME: httpd_accel_uses_host_header
2152 LOC: opt_accel_uses_host
2154 HTTP/1.1 requests include a Host: header which is basically the
2155 hostname from the URL. Squid can be an accelerator for
2156 different HTTP servers by looking at this header. However,
2157 Squid does NOT check the value of the Host header, so it opens
2158 a big security hole. We recommend that this option remain
2159 disabled unless you are sure of what you are doing.
2161 However, you will need to enable this option if you run Squid
2162 as a transparent proxy. Otherwise, virtual servers which
2163 require the Host: header will not be properly cached.
2168 -----------------------------------------------------------------------------
2173 LOC: Config.dns_testname_list
2175 DEFAULT_IF_NONE: netscape.com internic.net nlanr.net microsoft.com
2177 The DNS tests exit as soon as the first site is successfully looked up
2179 This test can be disabled with the -D command line option.
2183 NAME: logfile_rotate
2186 LOC: Config.Log.rotateNumber
2188 Specifies the number of logfile rotations to make when you
2189 type 'squid -k rotate'. The default is 10, which will rotate
2190 with extensions 0 through 9. Setting logfile_rotate to 0 will
2191 disable the rotation, but the logfiles are still closed and
2192 re-opened. This will enable you to rename the logfiles
2193 yourself just before sending the rotate signal.
2195 Note, the 'squid -k rotate' command normally sends a USR1
2196 signal to the running squid process. In certain situations
2197 (e.g. on Linux with Async I/O), USR1 is used for other
2198 purposes, so -k rotate uses another signal. It is best to get
2199 in the habit of using 'squid -k rotate' instead of 'kill -USR1
2206 LOC: Config.appendDomain
2209 Appends local domain name to hostnames without any dots in
2210 them. append_domain must begin with a period.
2213 append_domain .yourdomain.com
2217 NAME: tcp_recv_bufsize
2221 LOC: Config.tcpRcvBufsz
2223 Size of receive buffer to set for TCP sockets. Probably just
2224 as easy to change your kernel's default. Set to zero to use
2225 the default buffer size.
2230 LOC: Config.errHtmlText
2233 HTML text to include in error messages. Make this a "mailto"
2234 URL to your admin address, or maybe just a link to your
2235 organizations Web page.
2237 To include this in your error messages, you must rewrite
2238 the error template files (found in the "errors" directory).
2239 Wherever you want the 'err_html_text' line to appear,
2240 insert a %L tag in the error template file.
2246 LOC: Config.denyInfoList
2249 Usage: deny_info err_page_name acl
2250 Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
2252 This can be used to return a ERR_ page for requests which
2253 do not pass the 'http_access' rules. A single ACL will cause
2254 the http_access check to fail. If a 'deny_info' line exists
2255 for that ACL then Squid returns a corresponding error page.
2257 You may use ERR_ pages that come with Squid or create your own pages
2258 and put them into the configured errors/ directory.
2265 LOC: Config.onoff.mem_pools
2267 If set, Squid will keep pools of allocated (but unused) memory
2268 available for future use. If memory is a premium on your
2269 system and you believe your malloc library outperforms Squid
2270 routines, disable this.
2273 NAME: memory_pools_limit
2277 LOC: Config.MemPools.limit
2279 Used only with memory_pools on:
2280 memory_pools_limit 50 MB
2282 If set to a non-zero value, Squid will keep at most the specified
2283 limit of allocated (but unused) memory in memory pools. All free()
2284 requests that exceed this limit will be handled by your malloc
2285 library. Squid does not pre-allocate any memory, just safe-keeps
2286 objects that otherwise would be free()d. Thus, it is safe to set
2287 memory_pools_limit to a reasonably high value even if your
2288 configuration will use less memory.
2290 If not set (default) or set to zero, Squid will keep all memory it
2291 can. That is, there will be no limit on the total amount of memory
2292 used for safe-keeping.
2294 To disable memory allocation optimization, do not set
2295 memory_pools_limit to 0. Set memory_pools to "off" instead.
2297 An overhead for maintaining memory pools is not taken into account
2298 when the limit is checked. This overhead is close to four bytes per
2299 object kept. However, pools may actually _save_ memory because of
2300 reduced memory thrashing in your malloc library.
2307 LOC: opt_forwarded_for
2309 If set, Squid will include your system's IP address or name
2310 in the HTTP requests it forwards. By default it looks like
2313 X-Forwarded-For: 192.1.2.3
2315 If you disable this, it will appear as
2317 X-Forwarded-For: unknown
2320 NAME: log_icp_queries
2324 LOC: Config.onoff.log_udp
2326 If set, ICP queries are logged to access.log. You may wish
2327 do disable this if your ICP load is VERY high to speed things
2328 up or to simplify log analysis.
2335 LOC: Config.onoff.icp_hit_stale
2337 If you want to return ICP_HIT for stale cache objects, set this
2338 option to 'on'. If you have sibling relationships with caches
2339 in other administrative domains, this should be 'off'. If you only
2340 have sibling relationships with caches under your control, then
2341 it is probably okay to set this to 'on'.
2345 NAME: minimum_direct_hops
2348 LOC: Config.minDirectHops
2350 If using the ICMP pinging stuff, do direct fetches for sites
2351 which are no more than this many hops away.
2354 NAME: minimum_direct_rtt
2357 LOC: Config.minDirectRtt
2359 If using the ICMP pinging stuff, do direct fetches for sites
2360 which are no more than this many rtt milliseconds away.
2363 NAME: cachemgr_passwd
2364 TYPE: cachemgrpasswd
2366 LOC: Config.passwd_list
2368 Specify passwords for cachemgr operations.
2370 Usage: cachemgr_passwd password action action ...
2372 Some valid actions are (see cache manager menu for a full list):
2410 * Indicates actions which will not be performed without a
2411 valid password, others can be performed if not listed here.
2413 To disable an action, set the password to "disable".
2414 To allow performing an action without a password, set the
2417 Use the keyword "all" to set the same password for all actions.
2420 cachemgr_passwd secret shutdown
2421 cachemgr_passwd lesssssssecret info stats/objects
2422 cachemgr_passwd disable all
2425 NAME: store_avg_object_size
2429 LOC: Config.Store.avgObjectSize
2431 Average object size, used to estimate number of objects your
2432 cache can hold. See doc/Release-Notes-1.1.txt. The default is
2436 NAME: store_objects_per_bucket
2439 LOC: Config.Store.objectsPerBucket
2441 Target number of objects per bucket in the store hash table.
2442 Lowering this value increases the total number of buckets and
2443 also the storage maintenance rate. The default is 50.
2450 LOC: Config.onoff.client_db
2452 If you want to disable collecting per-client statistics, then
2453 turn off client_db here.
2460 LOC: Config.Netdb.low
2466 LOC: Config.Netdb.high
2468 The low and high water marks for the ICMP measurement
2469 database. These are counts, not percents. The defaults are
2470 900 and 1000. When the high water mark is reached, database
2471 entries will be deleted until the low mark is reached.
2475 NAME: netdb_ping_period
2477 LOC: Config.Netdb.period
2480 The minimum period for measuring a site. There will be at
2481 least this much delay between successive pings to the same
2482 network. The default is five minutes.
2490 LOC: Config.onoff.query_icmp
2492 If you want to ask your peers to include ICMP data in their ICP
2493 replies, enable this option.
2495 If your peer has configured Squid (during compilation) with
2496 '--enable-icmp' then that peer will send ICMP pings to origin server
2497 sites of the URLs it receives. If you enable this option then the
2498 ICP replies from that peer will include the ICMP data (if available).
2499 Then, when choosing a parent cache, Squid will choose the parent with
2500 the minimal RTT to the origin server. When this happens, the
2501 hierarchy field of the access.log will be
2502 "CLOSEST_PARENT_MISS". This option is off by default.
2505 NAME: test_reachability
2509 LOC: Config.onoff.test_reachability
2511 When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
2512 instead of ICP_MISS if the target host is NOT in the ICMP
2513 database, or has a zero RTT.
2520 LOC: Config.onoff.buffered_logs
2522 Some log files (cache.log, useragent.log) are written with
2523 stdio functions, and as such they can be buffered or
2524 unbuffered. By default they will be unbuffered. Buffering them
2525 can speed up the writing slightly (though you are unlikely to
2529 NAME: reload_into_ims
2530 IFDEF: HTTP_VIOLATIONS
2534 LOC: Config.onoff.reload_into_ims
2536 When you enable this option, client no-cache or ``reload''
2537 requests will be changed to If-Modified-Since requests.
2538 Doing this VIOLATES the HTTP standard. Enabling this
2539 feature could make you liable for problems which it
2542 see also refresh_pattern for a more selective approach.
2544 This option may be disabled by using --disable-http-violations
2545 with the configure script.
2550 LOC: Config.accessList.AlwaysDirect
2553 Usage: always_direct allow|deny [!]aclname ...
2555 Here you can use ACL elements to specify requests which should
2556 ALWAYS be forwarded directly to origin servers. For example,
2557 to always directly forward requests for local servers use
2560 acl local-servers dstdomain my.domain.net
2561 always_direct allow local-servers
2563 To always forward FTP requests directly, use
2566 always_direct allow FTP
2568 NOTE: There is a similar, but opposite option named
2569 'never_direct'. You need to be aware that "always_direct deny
2570 foo" is NOT the same thing as "never_direct allow foo". You
2571 may need to use a deny rule to exclude a more-specific case of
2572 some other rule. Example:
2574 acl local-external dstdomain external.foo.net
2575 acl local-servers dstdomain foo.net
2576 always_direct deny local-external
2577 always_direct allow local-servers
2579 This option replaces some v1.1 options such as local_domain
2585 LOC: Config.accessList.NeverDirect
2588 Usage: never_direct allow|deny [!]aclname ...
2590 never_direct is the opposite of always_direct. Please read
2591 the description for always_direct if you have not already.
2593 With 'never_direct' you can use ACL elements to specify
2594 requests which should NEVER be forwarded directly to origin
2595 servers. For example, to force the use of a proxy for all
2596 requests, except those in your local domain use something like:
2598 acl local-servers dstdomain foo.net
2599 acl all src 0.0.0.0/0.0.0.0
2600 never_direct deny local-servers
2601 never_direct allow all
2603 or if squid is inside a firewall and there is local intranet
2604 servers inside the firewall then use something like:
2606 acl local-intranet dstdomain foo.net
2607 acl local-external dstdomain external.foo.net
2608 always_direct deny local-external
2609 always_direct allow local-intranet
2610 never_direct allow all
2612 This option replaces some v1.1 options such as inside_firewall
2617 TYPE: http_header_access[]
2618 LOC: Config.header_access
2621 Usage: header_access header_name allow|deny [!]aclname ...
2623 This option replaces the old 'anonymize_headers' and the
2624 older 'http_anonymizer' option with something that is much
2625 more configurable. This new method creates a list of ACLs
2626 for each header, allowing you very fine-tuned header
2629 You can only specify known headers for the header name.
2630 Other headers are reclassified as 'Other'. You can also
2631 refer to all the headers with 'All'.
2633 For example, to achieve the same behaviour as the old
2634 'http_anonymizer standard' option, you should use:
2636 header_access From deny all
2637 header_access Referer deny all
2638 header_access Server deny all
2639 header_access User-Agent deny all
2640 header_access WWW-Authenticate deny all
2641 header_access Link deny all
2643 Or, to reproduce the old 'http_anonymizer paranoid' feature
2646 header_access Allow allow all
2647 header_access Authorization allow all
2648 header_access Cache-Control allow all
2649 header_access Content-Encoding allow all
2650 header_access Content-Length allow all
2651 header_access Content-Type allow all
2652 header_access Date allow all
2653 header_access Expires allow all
2654 header_access Host allow all
2655 header_access If-Modified-Since allow all
2656 header_access Last-Modified allow all
2657 header_access Location allow all
2658 header_access Pragma allow all
2659 header_access Accept allow all
2660 header_access Charset allow all
2661 header_access Accept-Encoding allow all
2662 header_access Accept-Language allow all
2663 header_access Content-Language allow all
2664 header_access Mime-Version allow all
2665 header_access Retry-After allow all
2666 header_access Title allow all
2667 header_access Connection allow all
2668 header_access Proxy-Connection allow all
2669 header_access All deny all
2671 By default, all headers are allowed (no anonymizing is
2675 NAME: header_replace
2676 TYPE: http_header_replace[]
2677 LOC: Config.header_access
2680 Usage: header_replace header_name message
2681 Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
2683 This option allows you to change the contents of headers
2684 denied with header_access above, by replacing them with
2685 some fixed string. This replaces the old fake_user_agent
2688 By default, headers are removed if denied.
2691 NAME: icon_directory
2693 LOC: Config.icons.directory
2694 DEFAULT: @DEFAULT_ICON_DIR@
2696 Where the icons are stored. These are normally kept in
2700 NAME: error_directory
2702 LOC: Config.errorDirectory
2703 DEFAULT: @DEFAULT_ERROR_DIR@
2705 If you wish to create your own versions of the default
2706 (English) error files, either to customize them to suit your
2707 language or company copy the template English files to another
2708 directory and point this tag at them.
2711 NAME: minimum_retry_timeout
2714 LOC: Config.retry.timeout
2717 This specifies the minimum connect timeout, for when the
2718 connect timeout is reduced to compensate for the availability
2719 of multiple IP addresses.
2721 When a connection to a host is initiated, and that host has
2722 several IP addresses, the default connection timeout is reduced
2723 by dividing it by the number of addresses. So, a site with 15
2724 addresses would then have a timeout of 8 seconds for each
2725 address attempted. To avoid having the timeout reduced to the
2726 point where even a working host would not have a chance to
2727 respond, this setting is provided. The default, and the
2728 minimum value, is five seconds, and the maximum value is sixty
2729 seconds, or half of connect_timeout, whichever is greater and
2730 less than connect_timeout.
2733 NAME: maximum_single_addr_tries
2735 LOC: Config.retry.maxtries
2738 This sets the maximum number of connection attempts for a
2739 host that only has one address (for multiple-address hosts,
2740 each address is tried once).
2742 The default value is three tries, the (not recommended)
2743 maximum is 255 tries. A warning message will be generated
2744 if it is set to a value greater than ten.
2749 LOC: Config.Port.snmp
2753 Squid can now serve statistics and status information via SNMP.
2754 By default it listens to port 3401 on the machine. If you don't
2755 wish to use SNMP, set this to "0".
2757 NOTE: SNMP support requires use the --enable-snmp configure
2758 command line option.
2763 LOC: Config.accessList.snmp
2765 DEFAULT_IF_NONE: deny all
2768 Allowing or denying access to the SNMP port.
2770 All access to the agent is denied by default.
2773 snmp_access allow|deny [!]aclname ...
2776 snmp_access allow snmppublic localhost
2777 snmp_access deny all
2780 NAME: snmp_incoming_address
2782 LOC: Config.Addrs.snmp_incoming
2786 NAME: snmp_outgoing_address
2788 LOC: Config.Addrs.snmp_outgoing
2789 DEFAULT: 255.255.255.255
2792 Just like 'udp_incoming_address' above, but for the SNMP port.
2794 snmp_incoming_address is used for the SNMP socket receiving
2795 messages from SNMP agents.
2796 snmp_outgoing_address is used for SNMP packets returned to SNMP
2799 The default snmp_incoming_address (0.0.0.0) is to listen on all
2800 available network interfaces.
2802 If snmp_outgoing_address is set to 255.255.255.255 (the default)
2803 then it will use the same socket as snmp_incoming_address. Only
2804 change this if you want to have SNMP replies sent using another
2805 address than where this Squid listens for SNMP queries.
2807 NOTE, snmp_incoming_address and snmp_outgoing_address can not have
2808 the same value since they both use port 3401.
2811 NAME: as_whois_server
2813 LOC: Config.as_whois_server
2814 DEFAULT: whois.ra.net
2815 DEFAULT_IF_NONE: whois.ra.net
2817 WHOIS server to query for AS numbers. NOTE: AS numbers are
2818 queried only when Squid starts up, not for every request.
2823 LOC: Config.Wccp.router
2827 Use this option to define your WCCP ``home'' router for
2828 Squid. Setting the 'wccp_router' to 0.0.0.0 (the default)
2834 LOC: Config.Wccp.version
2838 According to some users, Cisco IOS 11.2 only supports WCCP
2839 version 3. If you're using that version of IOS, change
2843 NAME: wccp_incoming_address
2845 LOC: Config.Wccp.incoming
2849 NAME: wccp_outgoing_address
2851 LOC: Config.Wccp.outgoing
2852 DEFAULT: 255.255.255.255
2855 wccp_incoming_address Use this option if you require WCCP
2856 messages to be received on only one
2857 interface. Do NOT use this option if
2858 you're unsure how many interfaces you
2859 have, or if you know you have only one
2862 wccp_outgoing_address Use this option if you require WCCP
2863 messages to be sent out on only one
2864 interface. Do NOT use this option if
2865 you're unsure how many interfaces you
2866 have, or if you know you have only one
2869 The default behavior is to not bind to any specific address.
2871 NOTE, wccp_incoming_address and wccp_outgoing_address can not have
2872 the same value since they both use port 2048.
2877 DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
2878 -----------------------------------------------------------------------------
2882 TYPE: delay_pool_count
2887 This represents the number of delay pools to be used. For example,
2888 if you have one class 2 delay pool and one class 3 delays pool, you
2889 have a total of 2 delay pools.
2891 To enable this option, you must use --enable-delay-pools with the
2896 TYPE: delay_pool_class
2901 This defines the class of each delay pool. There must be exactly one
2902 delay_class line for each delay pool. For example, to define two
2903 delay pools, one of class 2 and one of class 3, the settings above
2907 delay_pools 2 # 2 delay pools
2908 delay_class 1 2 # pool 1 is a class 2 pool
2909 delay_class 2 3 # pool 2 is a class 3 pool
2911 The delay pool classes are:
2913 class 1 Everything is limited by a single aggregate
2916 class 2 Everything is limited by a single aggregate
2917 bucket as well as an "individual" bucket chosen
2918 from bits 25 through 32 of the IP address.
2920 class 3 Everything is limited by a single aggregate
2921 bucket as well as a "network" bucket chosen
2922 from bits 17 through 24 of the IP address and a
2923 "individual" bucket chosen from bits 17 through
2924 32 of the IP address.
2926 NOTE: If an IP address is a.b.c.d
2927 -> bits 25 through 32 are "d"
2928 -> bits 17 through 24 are "c"
2929 -> bits 17 through 32 are "c * 256 + d"
2933 TYPE: delay_pool_access
2938 This is used to determine which delay pool a request falls into.
2939 The first matched delay pool is always used, i.e., if a request falls
2940 into delay pool number one, no more delay are checked, otherwise the
2941 rest are checked in order of their delay pool number until they have
2942 all been checked. For example, if you want some_big_clients in delay
2943 pool 1 and lotsa_little_clients in delay pool 2:
2946 delay_access 1 allow some_big_clients
2947 delay_access 1 deny all
2948 delay_access 2 allow lotsa_little_clients
2949 delay_access 2 deny all
2952 NAME: delay_parameters
2953 TYPE: delay_pool_rates
2958 This defines the parameters for a delay pool. Each delay pool has
2959 a number of "buckets" associated with it, as explained in the
2960 description of delay_class. For a class 1 delay pool, the syntax is:
2962 delay_parameters pool aggregate
2964 For a class 2 delay pool:
2966 delay_parameters pool aggregate individual
2968 For a class 3 delay pool:
2970 delay_parameters pool aggregate network individual
2972 The variables here are:
2974 pool a pool number - ie, a number between 1 and the
2975 number specified in delay_pools as used in
2978 aggregate the "delay parameters" for the aggregate bucket
2981 individual the "delay parameters" for the individual
2982 buckets (class 2, 3).
2984 network the "delay parameters" for the network buckets
2987 A pair of delay parameters is written restore/maximum, where restore is
2988 the number of bytes (not bits - modem and network speeds are usually
2989 quoted in bits) per second placed into the bucket, and maximum is the
2990 maximum number of bytes which can be in the bucket at any time.
2992 For example, if delay pool number 1 is a class 2 delay pool as in the
2993 above example, and is being used to strictly limit each host to 64kbps
2994 (plus overheads), with no overall limit, the line is:
2996 delay_parameters 1 -1/-1 8000/8000
2998 Note that the figure -1 is used to represent "unlimited".
3000 And, if delay pool number 2 is a class 3 delay pool as in the above
3001 example, and you want to limit it to a total of 256kbps (strict limit)
3002 with each 8-bit network permitted 64kbps (strict limit) and each
3003 individual host permitted 4800bps with a bucket maximum size of 64kb
3004 to permit a decent web page to be downloaded at a decent speed
3005 (if the network is not being limited due to overuse) but slow down
3006 large downloads more significantly:
3008 delay_parameters 2 32000/32000 8000/8000 600/64000
3010 There must be one delay_parameters line for each delay pool.
3013 NAME: delay_initial_bucket_level
3014 COMMENT: (percent, 0-100)
3018 LOC: Config.Delay.initial
3020 The initial bucket percentage is used to determine how much is put
3021 in each bucket when squid starts, is reconfigured, or first notices
3022 a host accessing it (in class 2 and class 3, individual hosts and
3023 networks only have buckets associated with them once they have been
3027 NAME: incoming_icp_average
3030 LOC: Config.comm_incoming.icp_average
3033 NAME: incoming_http_average
3036 LOC: Config.comm_incoming.http_average
3039 NAME: incoming_dns_average
3042 LOC: Config.comm_incoming.dns_average
3045 NAME: min_icp_poll_cnt
3048 LOC: Config.comm_incoming.icp_min_poll
3051 NAME: min_dns_poll_cnt
3054 LOC: Config.comm_incoming.dns_min_poll
3057 NAME: min_http_poll_cnt
3060 LOC: Config.comm_incoming.http_min_poll
3062 Heavy voodoo here. I can't even believe you are reading this.
3063 Are you crazy? Don't even think about adjusting these unless
3064 you understand the algorithms in comm_select.c first!
3067 NAME: max_open_disk_fds
3069 LOC: Config.max_open_disk_fds
3072 To avoid having disk as the I/O bottleneck Squid can optionally
3073 bypass the on-disk cache if more than this amount of disk file
3074 descriptors are open.
3076 A value of 0 indicates no limit.
3081 LOC: Config.onoff.offline
3084 Enable this option and Squid will never try to validate cached
3088 NAME: uri_whitespace
3089 TYPE: uri_whitespace
3090 LOC: Config.uri_whitespace
3093 What to do with requests that have whitespace characters in the
3096 strip: The whitespace characters are stripped out of the URL.
3097 This is the behavior recommended by RFC2616.
3098 deny: The request is denied. The user receives an "Invalid
3100 allow: The request is allowed and the URI is not changed. The
3101 whitespace characters remain in the URI. Note the
3102 whitespace is passed to redirector processes if they
3104 encode: The request is allowed and the whitespace characters are
3105 encoded according to RFC1738. This could be considered
3106 a violation of the HTTP/1.1
3107 RFC because proxies are not allowed to rewrite URI's.
3108 chop: The request is allowed and the URI is chopped at the
3109 first whitespace. This might also be considered a
3116 LOC: Config.accessList.brokenPosts
3118 A list of ACL elements which, if matched, causes Squid to send
3119 a extra CRLF pair after the body of a PUT/POST request.
3121 Some HTTP servers has broken implementations of PUT/POST,
3122 and rely on a extra CRLF pair sent by some WWW clients.
3124 Quote from RFC 2068 section 4.1 on this matter:
3126 Note: certain buggy HTTP/1.0 client implementations generate an
3127 extra CRLF's after a POST request. To restate what is explicitly
3128 forbidden by the BNF, an HTTP/1.1 client must not preface or follow
3129 a request with an extra CRLF.
3132 acl buggy_server url_regex ^http://....
3133 broken_posts allow buggy_server
3136 NAME: mcast_miss_addr
3137 IFDEF: MULTICAST_MISS_STREAM
3139 LOC: Config.mcast_miss.addr
3140 DEFAULT: 255.255.255.255
3142 If you enable this option, every "cache miss" URL will
3143 be sent out on the specified multicast address.
3145 Do not enable this option unless you are are absolutely
3146 certain you understand what you are doing.
3149 NAME: mcast_miss_ttl
3150 IFDEF: MULTICAST_MISS_TTL
3152 LOC: Config.mcast_miss.ttl
3155 This is the time-to-live value for packets multicasted
3156 when multicasting off cache miss URLs is enabled. By
3157 default this is set to 'site scope', i.e. 16.
3160 NAME: mcast_miss_port
3161 IFDEF: MULTICAST_MISS_STREAM
3163 LOC: Config.mcast_miss.port
3166 This is the port number to be used in conjunction with
3170 NAME: mcast_miss_encode_key
3171 IFDEF: MULTICAST_MISS_STREAM
3173 LOC: Config.mcast_miss.encode_key
3174 DEFAULT: XXXXXXXXXXXXXXXX
3176 The URLs that are sent in the multicast miss stream are
3177 encrypted. This is the encryption key.
3180 NAME: nonhierarchical_direct
3182 LOC: Config.onoff.nonhierarchical_direct
3185 By default, Squid will send any non-hierarchical requests
3186 (matching hierarchy_stoplist or not cachable request type) direct
3189 If you set this to off, then Squid will prefer to send these
3190 requests to parents.
3192 Note that in most configurations, by turning this off you will only
3193 add latency to these request without any improvement in global hit
3196 If you are inside an firewall then see never_direct instead of
3202 LOC: Config.onoff.prefer_direct
3205 Normally Squid tries to use parents for most requests. If you by some
3206 reason like it to first try going direct and only use a parent if
3207 going direct fails then set this to off.
3209 By combining nonhierarchical_direct off and prefer_direct on you
3210 can set up Squid to use a parent as a backup path if going direct
3214 NAME: strip_query_terms
3216 LOC: Config.onoff.strip_query_terms
3219 By default, Squid strips query terms from requested URLs before
3220 logging. This protects your user's privacy.
3225 LOC: Config.coredump_dir
3228 By default Squid leaves core files in the first cache_dir
3229 directory. If you set 'coredump_dir' to a directory
3230 that exists, Squid will chdir() to that directory at startup
3231 and coredump files will be left there.
3234 NAME: redirector_bypass
3236 LOC: Config.onoff.redirector_bypass
3239 When this is 'on', a request will not go through the
3240 redirector if all redirectors are busy. If this is 'off'
3241 and the redirector queue grows too large, Squid will exit
3242 with a FATAL error and ask you to increase the number of
3243 redirectors. You should only enable this if the redirectors
3244 are not critical to your caching system. If you use
3245 redirectors for access control, and you enable this option,
3246 then users may have access to pages that they should not
3247 be allowed to request.
3250 NAME: ignore_unknown_nameservers
3252 LOC: Config.onoff.ignore_unknown_nameservers
3255 By default Squid checks that DNS responses are received
3256 from the same IP addresses that they are sent to. If they
3257 don't match, Squid ignores the response and writes a warning
3258 message to cache.log. You can allow responses from unknown
3259 nameservers by setting this option to 'off'.
3262 NAME: digest_generation
3263 IFDEF: USE_CACHE_DIGESTS
3265 LOC: Config.onoff.digest_generation
3268 This controls whether the server will generate a Cache Digest
3269 of its contents. By default, Cache Digest generation is
3270 enabled if Squid is compiled with USE_CACHE_DIGESTS defined.
3273 NAME: digest_bits_per_entry
3274 IFDEF: USE_CACHE_DIGESTS
3276 LOC: Config.digest.bits_per_entry
3279 This is the number of bits of the server's Cache Digest which
3280 will be associated with the Digest entry for a given HTTP
3281 Method and URL (public key) combination. The default is 5.
3284 NAME: digest_rebuild_period
3285 IFDEF: USE_CACHE_DIGESTS
3288 LOC: Config.digest.rebuild_period
3291 This is the number of seconds between Cache Digest rebuilds.
3294 NAME: digest_rewrite_period
3296 IFDEF: USE_CACHE_DIGESTS
3298 LOC: Config.digest.rewrite_period
3301 This is the number of seconds between Cache Digest writes to
3305 NAME: digest_swapout_chunk_size
3308 IFDEF: USE_CACHE_DIGESTS
3309 LOC: Config.digest.swapout_chunk_size
3312 This is the number of bytes of the Cache Digest to write to
3313 disk at a time. It defaults to 4096 bytes (4KB), the Squid
3317 NAME: digest_rebuild_chunk_percentage
3318 COMMENT: (percent, 0-100)
3319 IFDEF: USE_CACHE_DIGESTS
3321 LOC: Config.digest.rebuild_chunk_percentage
3324 This is the percentage of the Cache Digest to be scanned at a
3325 time. By default it is set to 10% of the Cache Digest.
3330 LOC: Config.chroot_dir
3333 Use this to have Squid do a chroot() while initializing. This
3334 also causes Squid to fully drop root privileges after
3335 initializing. This means, for example, that if you use a HTTP
3336 port less than 1024 and try to reconfigure, you will get an
3340 NAME: client_persistent_connections
3342 LOC: Config.onoff.client_pconns
3346 NAME: server_persistent_connections
3348 LOC: Config.onoff.server_pconns
3351 Persistent connection support for clients and servers. By
3352 default, Squid uses persistent connections (when allowed)
3353 with its clients and servers. You can use these options to
3354 disable persistent connections with clients and/or servers.
3357 NAME: extension_methods
3359 LOC: Config.ext_methods
3362 Squid only knows about standardized HTTP request methods.
3363 You can add up to 20 additional "extension" methods here.
3366 NAME: high_response_time_warning
3369 LOC: Config.warnings.high_rptm
3372 If the one-minute median response time exceeds this value,
3373 Squid prints a WARNING with debug level 0 to get the
3374 administrators attention. The value is in milliseconds.
3377 NAME: high_page_fault_warning
3379 LOC: Config.warnings.high_pf
3382 If the one-minute average page fault rate exceeds this
3383 value, Squid prints a WARNING with debug level 0 to get
3384 the administrators attention. The value is in page faults
3388 NAME: high_memory_warning
3390 LOC: Config.warnings.high_memory
3393 If the memory usage (as determined by mallinfo) exceeds
3394 value, Squid prints a WARNING with debug level 0 to get
3395 the administrators attention.
3398 NAME: store_dir_select_algorithm
3400 LOC: Config.store_dir_select_algorithm
3403 Set this to 'round-robin' as an alternative.
3410 LOC: Config.Log.forward
3412 Logs the server-side requests.
3414 This is currently work in progress.
3420 LOC: Config.onoff.ie_refresh
3423 Microsoft Internet Explorer up until version 5.5 Service
3424 Pack 1 has an issue with transparent proxies, wherein it
3425 is impossible to force a refresh. Turning this on provides
3426 a partial fix to the problem, by causing all IMS-REFRESH
3427 requests from older IE versions to check the origin server
3428 for fresh content. This reduces hit ratio by some amount
3429 (~10% in my experience), but allows users to actually get
3430 fresh content when they want it. Note that because Squid
3431 cannot tell if the user is using 5.5 or 5.5SP1, the behavior
3432 of 5.5 is unchanged from old versions of Squid (i.e. a
3433 forced refresh is impossible). Newer versions of IE will,
3434 hopefully, continue to have the new behavior and will be
3435 handled based on that assumption. This option defaults to
3436 the old Squid behavior, which is better for hit ratios but
3437 worse for clients using IE, if they need to be able to
3438 force fresh content.