]> git.ipfire.org Git - thirdparty/squid.git/blame - src/cf.data.pre
projects / thirdparty / squid.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Enforce forward_max_tries configuration option
[thirdparty/squid.git] / src / cf.data.pre
CommitLineData
9cef6668 1#
6845f129 2# SQUID Web Proxy Cache http://www.squid-cache.org/
9cef6668 3# ----------------------------------------------------------
4#
2b6662ba 5# Squid is the result of efforts by numerous individuals from
6# the Internet community; see the CONTRIBUTORS file for full
7# details. Many organizations have provided support for Squid's
8# development; see the SPONSORS file for full details. Squid is
9# Copyrighted (C) 2000 by the Regents of the University of
10# California; see the COPYRIGHT file for full details. Squid
11# incorporates software developed and/or copyrighted by other
12# sources; see the CREDITS file for full details.
9cef6668 13#
14# This program is free software; you can redistribute it and/or modify
15# it under the terms of the GNU General Public License as published by
16# the Free Software Foundation; either version 2 of the License, or
17# (at your option) any later version.
96d88dcb 18#
9cef6668 19# This program is distributed in the hope that it will be useful,
20# but WITHOUT ANY WARRANTY; without even the implied warranty of
21# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22# GNU General Public License for more details.
96d88dcb 23#
9cef6668 24# You should have received a copy of the GNU General Public License
25# along with this program; if not, write to the Free Software
26# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
27#
28
0f74202c 29COMMENT_START
ad12fb4b 30 WELCOME TO @SQUID@
cccac0a2 31 ----------------------------
3a278cb8 32
cccac0a2 33 This is the default Squid configuration file. You may wish
34 to look at the Squid home page (http://www.squid-cache.org/)
35 for the FAQ and other documentation.
3a278cb8 36
cccac0a2 37 The default Squid config file shows what the defaults for
38 various options happen to be. If you don't need to change the
39 default, you shouldn't uncomment the line. Doing so may cause
40 run-time problems. In some cases "none" refers to no default
41 setting at all, while in other cases it refers to a valid
42 option - the comments for that keyword indicate if this is the
43 case.
debd9a31 44
cccac0a2 45COMMENT_END
3a278cb8 46
592a09dc 47COMMENT_START
48 Configuration options can be included using the "include" directive.
49 Include takes a list of files to include. Quoting and wildcards is
50 supported.
51
52 For example,
53
54 include /path/to/included/file/squid.acl.config
55
56 Includes can be nested up to a hard-coded depth of 16 levels.
57 This arbitrary restriction is to prevent recursive include references
58 from causing Squid entering an infinite loop whilst trying to load
59 configuration files.
60COMMENT_END
61
5473c134 62COMMENT_START
41bd17a4 63 OPTIONS FOR AUTHENTICATION
5473c134 64 -----------------------------------------------------------------------------
65COMMENT_END
66
41bd17a4 67NAME: auth_param
68TYPE: authparam
5817ee13 69LOC: Auth::TheConfig
cccac0a2 70DEFAULT: none
71DOC_START
41bd17a4 72 This is used to define parameters for the various authentication
73 schemes supported by Squid.
cccac0a2 74
41bd17a4 75 format: auth_param scheme parameter [setting]
cccac0a2 76
41bd17a4 77 The order in which authentication schemes are presented to the client is
78 dependent on the order the scheme first appears in config file. IE
79 has a bug (it's not RFC 2617 compliant) in that it will use the basic
80 scheme if basic is the first entry presented, even if more secure
81 schemes are presented. For now use the order in the recommended
82 settings section below. If other browsers have difficulties (don't
83 recognize the schemes offered even if you are using basic) either
84 put basic first, or disable the other schemes (by commenting out their
85 program entry).
cccac0a2 86
41bd17a4 87 Once an authentication scheme is fully configured, it can only be
88 shutdown by shutting squid down and restarting. Changes can be made on
89 the fly and activated with a reconfigure. I.E. You can change to a
90 different helper, but not unconfigure the helper completely.
cccac0a2 91
41bd17a4 92 Please note that while this directive defines how Squid processes
93 authentication it does not automatically activate authentication.
94 To use authentication you must in addition make use of ACLs based
95 on login name in http_access (proxy_auth, proxy_auth_regex or
96 external with %LOGIN used in the format tag). The browser will be
97 challenged for authentication on the first such acl encountered
98 in http_access processing and will also be re-challenged for new
99 login credentials if the request is being denied by a proxy_auth
100 type acl.
cccac0a2 101
41bd17a4 102 WARNING: authentication can't be used in a transparently intercepting
103 proxy as the client then thinks it is talking to an origin server and
104 not the proxy. This is a limitation of bending the TCP/IP protocol to
105 transparently intercepting port 80, not a limitation in Squid.
b3567eb5
FC		 106 Ports flagged 'transparent', 'intercept', or 'tproxy' have
107 authentication disabled.
cccac0a2 108
41bd17a4 109 === Parameters for the basic scheme follow. ===
cccac0a2 110
41bd17a4 111 "program" cmdline
112 Specify the command for the external authenticator. Such a program
113 reads a line containing "username password" and replies "OK" or
114 "ERR" in an endless loop. "ERR" responses may optionally be followed
115 by a error description available as %m in the returned error page.
b3567eb5
FC		 116 If you use an authenticator, make sure you have 1 acl of type
117 proxy_auth.
cccac0a2 118
41bd17a4 119 By default, the basic authentication scheme is not used unless a
120 program is specified.
cccac0a2 121
41bd17a4 122 If you want to use the traditional NCSA proxy authentication, set
123 this line to something like
307b83b7 124
41bd17a4 125 auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
9e7dbc51 126
d2a89ac1
AJ		 127 "utf8" on|off
128 HTTP uses iso-latin-1 as characterset, while some authentication
129 backends such as LDAP expects UTF-8. If this is set to on Squid will
130 translate the HTTP iso-latin-1 charset to UTF-8 before sending the
131 username & password to the helper.
132
7353861b 133 "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
48d54e4d 134 The maximum number of authenticator processes to spawn. If you start too few
41bd17a4 135 Squid will have to wait for them to process a backlog of credential
136 verifications, slowing it down. When password verifications are
137 done via a (slow) network you are likely to need lots of
138 authenticator processes.
48d54e4d
AJ		 139
140 The startup= and idle= options permit some skew in the exact amount
141 run. A minimum of startup=N will begin during startup and reconfigure
142 and Squid will start more in groups of up to idle=N in an attempt to meet
143 traffic needs and to keep idle=N free above those traffic needs up to
144 the maximum.
145
7353861b
HN		 146 The concurrency= option sets the number of concurrent requests the
147 helper can process. The default of 0 is used for helpers who only
148 supports one request at a time. Setting this to a number greater than
149 0 changes the protocol used to include a channel number first on the
150 request/response line, allowing multiple requests to be sent to the
151 same helper in parallell without wating for the response.
41bd17a4 152 Must not be set unless it's known the helper supports this.
7353861b
HN		 153
154 auth_param basic children 20 startup=0 idle=1
0fdafae7 155
41bd17a4 156 "realm" realmstring
157 Specifies the realm name which is to be reported to the
158 client for the basic proxy authentication scheme (part of
159 the text the user will see when prompted their username and
160 password). There is no default.
161 auth_param basic realm Squid proxy-caching web server
d1b63fc8 162
41bd17a4 163 "credentialsttl" timetolive
164 Specifies how long squid assumes an externally validated
165 username:password pair is valid for - in other words how
166 often the helper program is called for that user. Set this
167 low to force revalidation with short lived passwords. Note
168 setting this high does not impact your susceptibility
169 to replay attacks unless you are using an one-time password
170 system (such as SecureID). If you are using such a system,
171 you will be vulnerable to replay attacks unless you also
172 use the max_user_ip ACL in an http_access rule.
cccac0a2 173
41bd17a4 174 "casesensitive" on|off
175 Specifies if usernames are case sensitive. Most user databases are
176 case insensitive allowing the same username to be spelled using both
177 lower and upper case letters, but some are case sensitive. This
178 makes a big difference for user_max_ip ACL processing and similar.
179 auth_param basic casesensitive off
cccac0a2 180
41bd17a4 181 === Parameters for the digest scheme follow ===
cccac0a2 182
41bd17a4 183 "program" cmdline
184 Specify the command for the external authenticator. Such
185 a program reads a line containing "username":"realm" and
186 replies with the appropriate H(A1) value hex encoded or
187 ERR if the user (or his H(A1) hash) does not exists.
188 See rfc 2616 for the definition of H(A1).
189 "ERR" responses may optionally be followed by a error description
190 available as %m in the returned error page.
cccac0a2 191
41bd17a4 192 By default, the digest authentication scheme is not used unless a
193 program is specified.
b8c0c06d 194
41bd17a4 195 If you want to use a digest authenticator, set this line to
196 something like
cccac0a2 197
7ce93108 198 auth_param digest program @DEFAULT_PREFIX@/bin/digest_pw_auth @DEFAULT_PREFIX@/etc/digpass
cccac0a2 199
d2a89ac1
AJ		 200 "utf8" on|off
201 HTTP uses iso-latin-1 as characterset, while some authentication
202 backends such as LDAP expects UTF-8. If this is set to on Squid will
203 translate the HTTP iso-latin-1 charset to UTF-8 before sending the
204 username & password to the helper.
205
7353861b 206 "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
48d54e4d 207 The maximum number of authenticator processes to spawn (default 5).
41bd17a4 208 If you start too few Squid will have to wait for them to
209 process a backlog of H(A1) calculations, slowing it down.
210 When the H(A1) calculations are done via a (slow) network
211 you are likely to need lots of authenticator processes.
48d54e4d
AJ		 212
213 The startup= and idle= options permit some skew in the exact amount
214 run. A minimum of startup=N will begin during startup and reconfigure
215 and Squid will start more in groups of up to idle=N in an attempt to meet
216 traffic needs and to keep idle=N free above those traffic needs up to
217 the maximum.
218
7353861b
HN		 219 The concurrency= option sets the number of concurrent requests the
220 helper can process. The default of 0 is used for helpers who only
221 supports one request at a time. Setting this to a number greater than
222 0 changes the protocol used to include a channel number first on the
223 request/response line, allowing multiple requests to be sent to the
224 same helper in parallell without wating for the response.
225 Must not be set unless it's known the helper supports this.
226
48d54e4d 227 auth_param digest children 20 startup=0 idle=1
cccac0a2 228
41bd17a4 229 "realm" realmstring
230 Specifies the realm name which is to be reported to the
231 client for the digest proxy authentication scheme (part of
232 the text the user will see when prompted their username and
233 password). There is no default.
234 auth_param digest realm Squid proxy-caching web server
cccac0a2 235
41bd17a4 236 "nonce_garbage_interval" timeinterval
237 Specifies the interval that nonces that have been issued
238 to client_agent's are checked for validity.
cccac0a2 239
41bd17a4 240 "nonce_max_duration" timeinterval
241 Specifies the maximum length of time a given nonce will be
242 valid for.
cccac0a2 243
41bd17a4 244 "nonce_max_count" number
245 Specifies the maximum number of times a given nonce can be
246 used.
cccac0a2 247
41bd17a4 248 "nonce_strictness" on|off
249 Determines if squid requires strict increment-by-1 behavior
250 for nonce counts, or just incrementing (off - for use when
251 useragents generate nonce counts that occasionally miss 1
252 (ie, 1,2,4,6)). Default off.
cccac0a2 253
41bd17a4 254 "check_nonce_count" on|off
255 This directive if set to off can disable the nonce count check
256 completely to work around buggy digest qop implementations in
257 certain mainstream browser versions. Default on to check the
258 nonce count to protect from authentication replay attacks.
cccac0a2 259
41bd17a4 260 "post_workaround" on|off
261 This is a workaround to certain buggy browsers who sends
262 an incorrect request digest in POST requests when reusing
263 the same nonce as acquired earlier on a GET request.
cccac0a2 264
41bd17a4 265 === NTLM scheme options follow ===
cccac0a2 266
41bd17a4 267 "program" cmdline
268 Specify the command for the external NTLM authenticator.
269 Such a program reads exchanged NTLMSSP packets with
270 the browser via Squid until authentication is completed.
271 If you use an NTLM authenticator, make sure you have 1 acl
272 of type proxy_auth. By default, the NTLM authenticator_program
273 is not used.
cccac0a2 274
41bd17a4 275 auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
cccac0a2 276
48d54e4d
AJ		 277 "children" numberofchildren [startup=N] [idle=N]
278 The maximum number of authenticator processes to spawn (default 5).
41bd17a4 279 If you start too few Squid will have to wait for them to
280 process a backlog of credential verifications, slowing it
281 down. When credential verifications are done via a (slow)
282 network you are likely to need lots of authenticator
283 processes.
cccac0a2 284
48d54e4d
AJ		 285 The startup= and idle= options permit some skew in the exact amount
286 run. A minimum of startup=N will begin during startup and reconfigure
287 and Squid will start more in groups of up to idle=N in an attempt to meet
288 traffic needs and to keep idle=N free above those traffic needs up to
289 the maximum.
290
291 auth_param ntlm children 20 startup=0 idle=1
cccac0a2 292
41bd17a4 293 "keep_alive" on|off
294 If you experience problems with PUT/POST requests when using the
295 Negotiate authentication scheme then you can try setting this to
296 off. This will cause Squid to forcibly close the connection on
297 the initial requests where the browser asks which schemes are
298 supported by the proxy.
cccac0a2 299
41bd17a4 300 auth_param ntlm keep_alive on
cccac0a2 301
41bd17a4 302 === Options for configuring the NEGOTIATE auth-scheme follow ===
cccac0a2 303
41bd17a4 304 "program" cmdline
305 Specify the command for the external Negotiate authenticator.
306 This protocol is used in Microsoft Active-Directory enabled setups with
307 the Microsoft Internet Explorer or Mozilla Firefox browsers.
308 Its main purpose is to exchange credentials with the Squid proxy
309 using the Kerberos mechanisms.
b3567eb5
FC		 310 If you use a Negotiate authenticator, make sure you have at least
311 one acl of type proxy_auth active. By default, the negotiate
312 authenticator_program is not used.
41bd17a4 313 The only supported program for this role is the ntlm_auth
314 program distributed as part of Samba, version 4 or later.
cccac0a2 315
41bd17a4 316 auth_param negotiate program @DEFAULT_PREFIX@/bin/ntlm_auth --helper-protocol=gss-spnego
cccac0a2 317
48d54e4d
AJ		 318 "children" numberofchildren [startup=N] [idle=N]
319 The maximum number of authenticator processes to spawn (default 5).
41bd17a4 320 If you start too few Squid will have to wait for them to
321 process a backlog of credential verifications, slowing it
322 down. When crendential verifications are done via a (slow)
323 network you are likely to need lots of authenticator
324 processes.
48d54e4d
AJ		 325
326 The startup= and idle= options permit some skew in the exact amount
327 run. A minimum of startup=N will begin during startup and reconfigure
328 and Squid will start more in groups of up to idle=N in an attempt to meet
329 traffic needs and to keep idle=N free above those traffic needs up to
330 the maximum.
331
332 auth_param negotiate children 20 startup=0 idle=1
d3803853 333
41bd17a4 334 "keep_alive" on|off
335 If you experience problems with PUT/POST requests when using the
336 Negotiate authentication scheme then you can try setting this to
337 off. This will cause Squid to forcibly close the connection on
338 the initial requests where the browser asks which schemes are
339 supported by the proxy.
527ee50d 340
41bd17a4 341 auth_param negotiate keep_alive on
cccac0a2 342
e0855596
AJ		 343
344 Examples:
345
41bd17a4 346#Recommended minimum configuration per scheme:
347#auth_param negotiate program <uncomment and complete this line to activate>
48d54e4d 348#auth_param negotiate children 20 startup=0 idle=1
41bd17a4 349#auth_param negotiate keep_alive on
e0855596 350#
41bd17a4 351#auth_param ntlm program <uncomment and complete this line to activate>
48d54e4d 352#auth_param ntlm children 20 startup=0 idle=1
41bd17a4 353#auth_param ntlm keep_alive on
e0855596 354#
41bd17a4 355#auth_param digest program <uncomment and complete this line>
48d54e4d 356#auth_param digest children 20 startup=0 idle=1
41bd17a4 357#auth_param digest realm Squid proxy-caching web server
358#auth_param digest nonce_garbage_interval 5 minutes
359#auth_param digest nonce_max_duration 30 minutes
360#auth_param digest nonce_max_count 50
e0855596 361#
41bd17a4 362#auth_param basic program <uncomment and complete this line>
48d54e4d 363#auth_param basic children 5 stratup=5 idle=1
41bd17a4 364#auth_param basic realm Squid proxy-caching web server
365#auth_param basic credentialsttl 2 hours
41bd17a4 366DOC_END
cccac0a2 367
41bd17a4 368NAME: authenticate_cache_garbage_interval
369TYPE: time_t
370DEFAULT: 1 hour
371LOC: Config.authenticateGCInterval
372DOC_START
373 The time period between garbage collection across the username cache.
374 This is a tradeoff between memory utilization (long intervals - say
375 2 days) and CPU (short intervals - say 1 minute). Only change if you
376 have good reason to.
377DOC_END
cccac0a2 378
41bd17a4 379NAME: authenticate_ttl
380TYPE: time_t
381DEFAULT: 1 hour
382LOC: Config.authenticateTTL
383DOC_START
384 The time a user & their credentials stay in the logged in
385 user cache since their last request. When the garbage
386 interval passes, all user credentials that have passed their
387 TTL are removed from memory.
388DOC_END
cccac0a2 389
41bd17a4 390NAME: authenticate_ip_ttl
391TYPE: time_t
392LOC: Config.authenticateIpTTL
393DEFAULT: 0 seconds
394DOC_START
395 If you use proxy authentication and the 'max_user_ip' ACL,
396 this directive controls how long Squid remembers the IP
397 addresses associated with each user. Use a small value
398 (e.g., 60 seconds) if your users might change addresses
399 quickly, as is the case with dialups. You might be safe
400 using a larger value (e.g., 2 hours) in a corporate LAN
401 environment with relatively static address assignments.
402DOC_END
cccac0a2 403
3d1e3e43 404COMMENT_START
405 ACCESS CONTROLS
406 -----------------------------------------------------------------------------
407COMMENT_END
408
41bd17a4 409NAME: external_acl_type
410TYPE: externalAclHelper
411LOC: Config.externalAclHelperList
cccac0a2 412DEFAULT: none
cccac0a2 413DOC_START
41bd17a4 414 This option defines external acl classes using a helper program
415 to look up the status
cccac0a2 416
41bd17a4 417 external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
cccac0a2 418
41bd17a4 419 Options:
cccac0a2 420
41bd17a4 421 ttl=n TTL in seconds for cached results (defaults to 3600
422 for 1 hour)
423 negative_ttl=n
424 TTL for cached negative lookups (default same
425 as ttl)
48d54e4d
AJ		 426 children-max=n
427 Maximum number of acl helper processes spawned to service
428 external acl lookups of this type. (default 20)
429 children-startup=n
430 Minimum number of acl helper processes to spawn during
431 startup and reconfigure to service external acl lookups
432 of this type. (default 0)
433 children-idle=n
434 Number of acl helper processes to keep ahead of traffic
435 loads. Squid will spawn this many at once whenever load
436 rises above the capabilities of existing processes.
437 Up to the value of children-max. (default 1)
41bd17a4 438 concurrency=n concurrency level per process. Only used with helpers
439 capable of processing more than one query at a time.
48d54e4d 440 cache=n limit the result cache size, default is unbounded.
41bd17a4 441 grace=n Percentage remaining of TTL where a refresh of a
442 cached entry should be initiated without needing to
48d54e4d 443 wait for a new reply. (default is for no grace period)
41bd17a4 444 protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
cc192b50 445 ipv4 / ipv6 IP-mode used to communicate to this helper.
446 For compatability with older configurations and helpers
1de68cc1 447 the default is 'ipv4'.
cccac0a2 448
41bd17a4 449 FORMAT specifications
cccac0a2 450
41bd17a4 451 %LOGIN Authenticated user login name
452 %EXT_USER Username from external acl
453 %IDENT Ident user name
454 %SRC Client IP
455 %SRCPORT Client source port
456 %URI Requested URI
457 %DST Requested host
458 %PROTO Requested protocol
459 %PORT Requested port
460 %PATH Requested URL path
461 %METHOD Request method
462 %MYADDR Squid interface address
463 %MYPORT Squid http_port number
464 %PATH Requested URL-path (including query-string if any)
465 %USER_CERT SSL User certificate in PEM format
466 %USER_CERTCHAIN SSL User certificate chain in PEM format
467 %USER_CERT_xx SSL User certificate subject attribute xx
468 %USER_CA_xx SSL User certificate issuer attribute xx
7b0ca1e8 469
c68c9682 470 %>{Header} HTTP request header "Header"
7b0ca1e8 471 %>{Hdr:member}
c68c9682 472 HTTP request header "Hdr" list member "member"
7b0ca1e8 473 %>{Hdr:;member}
41bd17a4 474 HTTP request header list member using ; as
475 list separator. ; can be any non-alphanumeric
476 character.
cccac0a2 477
c68c9682 478 %<{Header} HTTP reply header "Header"
7b0ca1e8 479 %<{Hdr:member}
c68c9682 480 HTTP reply header "Hdr" list member "member"
7b0ca1e8
AJ		 481 %<{Hdr:;member}
482 HTTP reply header list member using ; as
483 list separator. ; can be any non-alphanumeric
484 character.
485
41bd17a4 486 In addition to the above, any string specified in the referencing
487 acl will also be included in the helper request line, after the
488 specified formats (see the "acl external" directive)
cccac0a2 489
41bd17a4 490 The helper receives lines per the above format specification,
491 and returns lines starting with OK or ERR indicating the validity
492 of the request and optionally followed by additional keywords with
493 more details.
cccac0a2 494
41bd17a4 495 General result syntax:
cccac0a2 496
41bd17a4 497 OK/ERR keyword=value ...
cccac0a2 498
41bd17a4 499 Defined keywords:
cccac0a2 500
41bd17a4 501 user= The users name (login)
502 password= The users password (for login= cache_peer option)
503 message= Message describing the reason. Available as %o
504 in error pages
505 tag= Apply a tag to a request (for both ERR and OK results)
506 Only sets a tag, does not alter existing tags.
507 log= String to be logged in access.log. Available as
508 %ea in logformat specifications
934b03fc 509
41bd17a4 510 If protocol=3.0 (the default) then URL escaping is used to protect
511 each value in both requests and responses.
6a566b9c 512
41bd17a4 513 If using protocol=2.5 then all values need to be enclosed in quotes
514 if they may contain whitespace, or the whitespace escaped using \.
515 And quotes or \ characters within the keyword value must be \ escaped.
1e5562e3 516
41bd17a4 517 When using the concurrency= option the protocol is changed by
518 introducing a query channel tag infront of the request/response.
519 The query channel tag is a number between 0 and concurrency-1.
cccac0a2 520DOC_END
521
41bd17a4 522NAME: acl
523TYPE: acl
524LOC: Config.aclList
1f5bd0a4 525DEFAULT: all src all
cccac0a2 526DOC_START
41bd17a4 527 Defining an Access List
cccac0a2 528
375eeb3b
AJ		 529 Every access list definition must begin with an aclname and acltype,
530 followed by either type-specific arguments or a quoted filename that
531 they are read from.
cccac0a2 532
375eeb3b
AJ		 533 acl aclname acltype argument ...
534 acl aclname acltype "file" ...
cccac0a2 535
375eeb3b 536 When using "file", the file should contain one item per line.
cccac0a2 537
41bd17a4 538 By default, regular expressions are CASE-SENSITIVE. To make
539 them case-insensitive, use the -i option.
cccac0a2 540
b3567eb5
FC		 541 Some acl types require suspending the current request in order
542 to access some external data source.
543 Those which do are marked with the tag [slow], those which
544 don't are marked as [fast].
545 See http://wiki.squid-cache.org/SquidFaq/SquidAcl
546 for further information
e988aa40
AJ		 547
548 ***** ACL TYPES AVAILABLE *****
549
b3567eb5
FC		 550 acl aclname src ip-address/netmask ... # clients IP address [fast]
551 acl aclname src addr1-addr2/netmask ... # range of addresses [fast]
552 acl aclname dst ip-address/netmask ... # URL host's IP address [slow]
553 acl aclname myip ip-address/netmask ... # local socket IP address [fast]
cccac0a2 554
41bd17a4 555 acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
556 # The arp ACL requires the special configure option --enable-arp-acl.
557 # Furthermore, the ARP ACL code is not portable to all operating systems.
b3567eb5
FC		 558 # It works on Linux, Solaris, Windows, FreeBSD, and some
559 # other *BSD variants.
560 # [fast]
41bd17a4 561 #
562 # NOTE: Squid can only determine the MAC address for clients that are on
b3567eb5
FC		 563 # the same subnet. If the client is on a different subnet,
564 # then Squid cannot find out its MAC address.
565
566 acl aclname srcdomain .foo.com ...
567 # reverse lookup, from client IP [slow]
568 acl aclname dstdomain .foo.com ...
e38c7724 569 # Destination server from URL [fast]
b3567eb5
FC		 570 acl aclname srcdom_regex [-i] \.foo\.com ...
571 # regex matching client name [slow]
572 acl aclname dstdom_regex [-i] \.foo\.com ...
e38c7724 573 # regex matching server [fast]
b3567eb5 574 #
41bd17a4 575 # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
576 # based URL is used and no match is found. The name "none" is used
577 # if the reverse lookup fails.
9bc73deb 578
375eeb3b
AJ		 579 acl aclname src_as number ...
580 acl aclname dst_as number ...
b3567eb5 581 # [fast]
e988aa40
AJ		 582 # Except for access control, AS numbers can be used for
583 # routing of requests to specific caches. Here's an
584 # example for routing all requests for AS#1241 and only
585 # those to mycache.mydomain.net:
586 # acl asexample dst_as 1241
587 # cache_peer_access mycache.mydomain.net allow asexample
588 # cache_peer_access mycache_mydomain.net deny all
7f7db318 589
6db78a1a 590 acl aclname peername myPeer ...
b3567eb5 591 # [fast]
6db78a1a
AJ		 592 # match against a named cache_peer entry
593 # set unique name= on cache_peer lines for reliable use.
594
375eeb3b 595 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
b3567eb5 596 # [fast]
375eeb3b
AJ		 597 # day-abbrevs:
598 # S - Sunday
599 # M - Monday
600 # T - Tuesday
601 # W - Wednesday
602 # H - Thursday
603 # F - Friday
604 # A - Saturday
605 # h1:m1 must be less than h2:m2
606
b3567eb5
FC		 607 acl aclname url_regex [-i] ^http:// ...
608 # regex matching on whole URL [fast]
609 acl aclname urlpath_regex [-i] \.gif$ ...
610 # regex matching on URL path [fast]
e988aa40 611
b3567eb5
FC		 612 acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
613 # ranges are alloed
614 acl aclname myport 3128 ... # local socket TCP port [fast]
615 acl aclname myportname 3128 ... # http(s)_port name [fast]
e988aa40 616
b3567eb5
FC		 617 acl aclname proto HTTP FTP ... # request protocol [fast]
618
619 acl aclname method GET POST ... # HTTP request method [fast]
e988aa40 620
b3567eb5
FC		 621 acl aclname http_status 200 301 500- 400-403 ...
622 # status code in reply [fast]
e988aa40 623
375eeb3b 624 acl aclname browser [-i] regexp ...
b3567eb5 625 # pattern match on User-Agent header (see also req_header below) [fast]
e988aa40 626
375eeb3b 627 acl aclname referer_regex [-i] regexp ...
b3567eb5 628 # pattern match on Referer header [fast]
41bd17a4 629 # Referer is highly unreliable, so use with care
e988aa40 630
375eeb3b 631 acl aclname ident username ...
41bd17a4 632 acl aclname ident_regex [-i] pattern ...
b3567eb5 633 # string match on ident output [slow]
41bd17a4 634 # use REQUIRED to accept any non-null ident.
cf5cc17e 635
41bd17a4 636 acl aclname proxy_auth [-i] username ...
637 acl aclname proxy_auth_regex [-i] pattern ...
b3567eb5
FC		 638 # perform http authentication challenge to the client and match against
639 # supplied credentials [slow]
640 #
641 # takes a list of allowed usernames.
41bd17a4 642 # use REQUIRED to accept any valid username.
643 #
b3567eb5
FC		 644 # Will use proxy authentication in forward-proxy scenarios, and plain
645 # http authenticaiton in reverse-proxy scenarios
646 #
41bd17a4 647 # NOTE: when a Proxy-Authentication header is sent but it is not
648 # needed during ACL checking the username is NOT logged
649 # in access.log.
650 #
651 # NOTE: proxy_auth requires a EXTERNAL authentication program
652 # to check username/password combinations (see
653 # auth_param directive).
654 #
e988aa40
AJ		 655 # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
656 # as the browser needs to be configured for using a proxy in order
41bd17a4 657 # to respond to proxy authentication.
8e8d4f30 658
41bd17a4 659 acl aclname snmp_community string ...
b3567eb5 660 # A community string to limit access to your SNMP Agent [fast]
41bd17a4 661 # Example:
662 #
663 # acl snmppublic snmp_community public
934b03fc 664
41bd17a4 665 acl aclname maxconn number
666 # This will be matched when the client's IP address has
b3567eb5 667 # more than <number> HTTP connections established. [fast]
1e5562e3 668
41bd17a4 669 acl aclname max_user_ip [-s] number
670 # This will be matched when the user attempts to log in from more
671 # than <number> different ip addresses. The authenticate_ip_ttl
b3567eb5 672 # parameter controls the timeout on the ip entries. [fast]
41bd17a4 673 # If -s is specified the limit is strict, denying browsing
674 # from any further IP addresses until the ttl has expired. Without
675 # -s Squid will just annoy the user by "randomly" denying requests.
676 # (the counter is reset each time the limit is reached and a
677 # request is denied)
678 # NOTE: in acceleration mode or where there is mesh of child proxies,
679 # clients may appear to come from multiple addresses if they are
680 # going through proxy farms, so a limit of 1 may cause user problems.
cccac0a2 681
cb1b906f
AJ		 682 acl aclname random probability
683 # Pseudo-randomly match requests. Based on the probability given.
684 # Probability may be written as a decimal (0.333), fraction (1/3)
685 # or ratio of matches:non-matches (3:5).
686
375eeb3b 687 acl aclname req_mime_type [-i] mime-type ...
41bd17a4 688 # regex match against the mime type of the request generated
689 # by the client. Can be used to detect file upload or some
b3567eb5 690 # types HTTP tunneling requests [fast]
41bd17a4 691 # NOTE: This does NOT match the reply. You cannot use this
692 # to match the returned file type.
cccac0a2 693
41bd17a4 694 acl aclname req_header header-name [-i] any\.regex\.here
695 # regex match against any of the known request headers. May be
696 # thought of as a superset of "browser", "referer" and "mime-type"
b3567eb5 697 # ACL [fast]
cccac0a2 698
375eeb3b 699 acl aclname rep_mime_type [-i] mime-type ...
41bd17a4 700 # regex match against the mime type of the reply received by
701 # squid. Can be used to detect file download or some
b3567eb5 702 # types HTTP tunneling requests. [fast]
41bd17a4 703 # NOTE: This has no effect in http_access rules. It only has
704 # effect in rules that affect the reply data stream such as
705 # http_reply_access.
cccac0a2 706
41bd17a4 707 acl aclname rep_header header-name [-i] any\.regex\.here
708 # regex match against any of the known reply headers. May be
709 # thought of as a superset of "browser", "referer" and "mime-type"
b3567eb5 710 # ACLs [fast]
cccac0a2 711
375eeb3b 712 acl aclname external class_name [arguments...]
41bd17a4 713 # external ACL lookup via a helper class defined by the
b3567eb5 714 # external_acl_type directive [slow]
cccac0a2 715
41bd17a4 716 acl aclname user_cert attribute values...
717 # match against attributes in a user SSL certificate
b3567eb5 718 # attribute is one of DN/C/O/CN/L/ST [fast]
cccac0a2 719
41bd17a4 720 acl aclname ca_cert attribute values...
721 # match against attributes a users issuing CA SSL certificate
b3567eb5 722 # attribute is one of DN/C/O/CN/L/ST [fast]
cccac0a2 723
41bd17a4 724 acl aclname ext_user username ...
725 acl aclname ext_user_regex [-i] pattern ...
b3567eb5 726 # string match on username returned by external acl helper [slow]
41bd17a4 727 # use REQUIRED to accept any non-null user name.
b3567eb5 728
0ab50441 729 acl aclname tag tagvalue ...
b3567eb5 730 # string match on tag returned by external acl helper [slow]
cccac0a2 731
bbaf2685
AJ		 732 acl aclname hier_code codename ...
733 # string match against squid hierarchy code(s); [fast]
734 # e.g., DIRECT, PARENT_HIT, NONE, etc.
735 #
736 # NOTE: This has no effect in http_access rules. It only has
737 # effect in rules that affect the reply data stream such as
738 # http_reply_access.
739
e0855596
AJ		 740 Examples:
741 acl macaddress arp 09:00:2b:23:45:67
742 acl myexample dst_as 1241
743 acl password proxy_auth REQUIRED
744 acl fileupload req_mime_type -i ^multipart/form-data$
745 acl javascript rep_mime_type -i ^application/x-javascript$
cccac0a2 746
41bd17a4 747NOCOMMENT_START
e0855596
AJ		 748#
749# Recommended minimum configuration:
750#
41bd17a4 751acl manager proto cache_object
ee776778 752acl localhost src 127.0.0.1/32
18a8e998 753@IPV6_ONLY_SETTING@acl localhost src ::1/128
7f83a5f6 754acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
18a8e998 755@IPV6_ONLY_SETTING@acl to_localhost dst ::1/128
e0855596 756
ee776778 757# Example rule allowing access from your local networks.
758# Adapt to list your (internal) IP networks from where browsing
759# should be allowed
760acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
761acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
762acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
18a8e998
AJ		 763@IPV6_ONLY_SETTING@acl localnet src fc00::/7 # RFC 4193 local private network range
764@IPV6_ONLY_SETTING@acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
e0855596 765
41bd17a4 766acl SSL_ports port 443
767acl Safe_ports port 80 # http
768acl Safe_ports port 21 # ftp
769acl Safe_ports port 443 # https
770acl Safe_ports port 70 # gopher
771acl Safe_ports port 210 # wais
772acl Safe_ports port 1025-65535 # unregistered ports
773acl Safe_ports port 280 # http-mgmt
774acl Safe_ports port 488 # gss-http
775acl Safe_ports port 591 # filemaker
776acl Safe_ports port 777 # multiling http
777acl CONNECT method CONNECT
778NOCOMMENT_END
779DOC_END
cccac0a2 780
3d674977
AJ		 781NAME: follow_x_forwarded_for
782TYPE: acl_access
783IFDEF: FOLLOW_X_FORWARDED_FOR
784LOC: Config.accessList.followXFF
785DEFAULT: none
786DEFAULT_IF_NONE: deny all
787DOC_START
788 Allowing or Denying the X-Forwarded-For header to be followed to
789 find the original source of a request.
790
791 Requests may pass through a chain of several other proxies
792 before reaching us. The X-Forwarded-For header will contain a
793 comma-separated list of the IP addresses in the chain, with the
794 rightmost address being the most recent.
795
796 If a request reaches us from a source that is allowed by this
797 configuration item, then we consult the X-Forwarded-For header
798 to see where that host received the request from. If the
2bf4e8fa
AJ		 799 X-Forwarded-For header contains multiple addresses, we continue
800 backtracking until we reach an address for which we are not allowed
801 to follow the X-Forwarded-For header, or until we reach the first
802 address in the list. For the purpose of ACL used in the
803 follow_x_forwarded_for directive the src ACL type always matches
804 the address we are testing and srcdomain matches its rDNS.
3d674977
AJ		 805
806 The end result of this process is an IP address that we will
807 refer to as the indirect client address. This address may
57d76dd4 808 be treated as the client address for access control, ICAP, delay
3d674977 809 pools and logging, depending on the acl_uses_indirect_client,
96d64448
AJ		 810 icap_uses_indirect_client, delay_pool_uses_indirect_client,
811 log_uses_indirect_client and tproxy_uses_indirect_client options.
3d674977 812
b3567eb5
FC		 813 This clause only supports fast acl types.
814 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
815
3d674977
AJ		 816 SECURITY CONSIDERATIONS:
817
818 Any host for which we follow the X-Forwarded-For header
819 can place incorrect information in the header, and Squid
820 will use the incorrect information as if it were the
821 source address of the request. This may enable remote
822 hosts to bypass any access control restrictions that are
823 based on the client's source addresses.
824
825 For example:
826
827 acl localhost src 127.0.0.1
828 acl my_other_proxy srcdomain .proxy.example.com
829 follow_x_forwarded_for allow localhost
830 follow_x_forwarded_for allow my_other_proxy
831DOC_END
832
833NAME: acl_uses_indirect_client
834COMMENT: on|off
835TYPE: onoff
836IFDEF: FOLLOW_X_FORWARDED_FOR
837DEFAULT: on
838LOC: Config.onoff.acl_uses_indirect_client
839DOC_START
840 Controls whether the indirect client address
841 (see follow_x_forwarded_for) is used instead of the
842 direct client address in acl matching.
843DOC_END
844
845NAME: delay_pool_uses_indirect_client
846COMMENT: on|off
847TYPE: onoff
0dae2bca 848IFDEF: FOLLOW_X_FORWARDED_FOR&&DELAY_POOLS
3d674977
AJ		 849DEFAULT: on
850LOC: Config.onoff.delay_pool_uses_indirect_client
851DOC_START
852 Controls whether the indirect client address
853 (see follow_x_forwarded_for) is used instead of the
854 direct client address in delay pools.
855DOC_END
856
857NAME: log_uses_indirect_client
858COMMENT: on|off
859TYPE: onoff
860IFDEF: FOLLOW_X_FORWARDED_FOR
861DEFAULT: on
862LOC: Config.onoff.log_uses_indirect_client
863DOC_START
864 Controls whether the indirect client address
865 (see follow_x_forwarded_for) is used instead of the
866 direct client address in the access log.
867DOC_END
868
96d64448
AJ		 869NAME: tproxy_uses_indirect_client
870COMMENT: on|off
871TYPE: onoff
872IFDEF: FOLLOW_X_FORWARDED_FOR&&LINUX_NETFILTER
4d7ab5a2 873DEFAULT: off
96d64448
AJ		 874LOC: Config.onoff.tproxy_uses_indirect_client
875DOC_START
876 Controls whether the indirect client address
877 (see follow_x_forwarded_for) is used instead of the
878 direct client address when spoofing the outgoing client.
4d7ab5a2
AJ		 879
880 This has no effect on requests arriving in non-tproxy
881 mode ports.
882
883 SECURITY WARNING: Usage of this option is dangerous
884 and should not be used trivially. Correct configuration
885 of folow_x_forewarded_for with a limited set of trusted
886 sources is required to prevent abuse of your proxy.
96d64448
AJ		 887DOC_END
888
41bd17a4 889NAME: http_access
890TYPE: acl_access
891LOC: Config.accessList.http
892DEFAULT: none
893DEFAULT_IF_NONE: deny all
894DOC_START
895 Allowing or Denying access based on defined access lists
cccac0a2 896
41bd17a4 897 Access to the HTTP port:
898 http_access allow|deny [!]aclname ...
cccac0a2 899
41bd17a4 900 NOTE on default values:
cccac0a2 901
41bd17a4 902 If there are no "access" lines present, the default is to deny
903 the request.
cccac0a2 904
41bd17a4 905 If none of the "access" lines cause a match, the default is the
906 opposite of the last line in the list. If the last line was
907 deny, the default is allow. Conversely, if the last line
908 is allow, the default will be deny. For these reasons, it is a
51ae86b2
HN		 909 good idea to have an "deny all" entry at the end of your access
910 lists to avoid potential confusion.
cccac0a2 911
b3567eb5
FC		 912 This clause supports both fast and slow acl types.
913 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
914
41bd17a4 915NOCOMMENT_START
e0855596
AJ		 916
917#
918# Recommended minimum Access Permission configuration:
41bd17a4 919#
920# Only allow cachemgr access from localhost
921http_access allow manager localhost
922http_access deny manager
e0855596
AJ		 923
924# Deny requests to certain unsafe ports
41bd17a4 925http_access deny !Safe_ports
e0855596
AJ		 926
927# Deny CONNECT to other than secure SSL ports
41bd17a4 928http_access deny CONNECT !SSL_ports
e0855596 929
41bd17a4 930# We strongly recommend the following be uncommented to protect innocent
931# web applications running on the proxy server who think the only
932# one who can access services on "localhost" is a local user
933#http_access deny to_localhost
e0855596 934
41bd17a4 935#
936# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
e0855596 937#
c8f4eac4 938
ee776778 939# Example rule allowing access from your local networks.
940# Adapt localnet in the ACL section to list your (internal) IP networks
941# from where browsing should be allowed
942http_access allow localnet
afb33856 943http_access allow localhost
7d90757b 944
41bd17a4 945# And finally deny all other access to this proxy
946http_access deny all
947NOCOMMENT_END
948DOC_END
7d90757b 949
533493da
AJ		 950NAME: adapted_http_access http_access2
951TYPE: acl_access
952LOC: Config.accessList.adapted_http
953DEFAULT: none
954DOC_START
955 Allowing or Denying access based on defined access lists
956
957 Essentially identical to http_access, but runs after redirectors
958 and ICAP/eCAP adaptation. Allowing access control based on their
959 output.
960
961 If not set then only http_access is used.
962DOC_END
963
41bd17a4 964NAME: http_reply_access
965TYPE: acl_access
966LOC: Config.accessList.reply
967DEFAULT: none
968DOC_START
969 Allow replies to client requests. This is complementary to http_access.
cccac0a2 970
41bd17a4 971 http_reply_access allow|deny [!] aclname ...
cccac0a2 972
41bd17a4 973 NOTE: if there are no access lines present, the default is to allow
974 all replies
1a224843 975
41bd17a4 976 If none of the access lines cause a match the opposite of the
977 last line will apply. Thus it is good practice to end the rules
978 with an "allow all" or "deny all" entry.
b3567eb5
FC		 979
980 This clause supports both fast and slow acl types.
981 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
cccac0a2 982DOC_END
983
41bd17a4 984NAME: icp_access
985TYPE: acl_access
986LOC: Config.accessList.icp
987DEFAULT: none
988DEFAULT_IF_NONE: deny all
5473c134 989DOC_START
41bd17a4 990 Allowing or Denying access to the ICP port based on defined
991 access lists
5473c134 992
41bd17a4 993 icp_access allow|deny [!]aclname ...
5473c134 994
41bd17a4 995 See http_access for details
996
b3567eb5
FC		 997 This clause only supports fast acl types.
998 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
e0855596
AJ		 999
1000# Allow ICP queries from local networks only
df2eec10
AJ		 1001#icp_access allow localnet
1002#icp_access deny all
5473c134 1003DOC_END
1004
41bd17a4 1005NAME: htcp_access
1006IFDEF: USE_HTCP
1007TYPE: acl_access
1008LOC: Config.accessList.htcp
1009DEFAULT: none
1010DEFAULT_IF_NONE: deny all
5473c134 1011DOC_START
41bd17a4 1012 Allowing or Denying access to the HTCP port based on defined
1013 access lists
5473c134 1014
41bd17a4 1015 htcp_access allow|deny [!]aclname ...
5473c134 1016
41bd17a4 1017 See http_access for details
5473c134 1018
0b48417e 1019 NOTE: The default if no htcp_access lines are present is to
1020 deny all traffic. This default may cause problems with peers
1021 using the htcp or htcp-oldsquid options.
1022
b3567eb5
FC		 1023 This clause only supports fast acl types.
1024 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
e0855596
AJ		 1025
1026# Allow HTCP queries from local networks only
df2eec10
AJ		 1027#htcp_access allow localnet
1028#htcp_access deny all
41bd17a4 1029DOC_END
5473c134 1030
41bd17a4 1031NAME: htcp_clr_access
1032IFDEF: USE_HTCP
1033TYPE: acl_access
1034LOC: Config.accessList.htcp_clr
1035DEFAULT: none
1036DEFAULT_IF_NONE: deny all
1037DOC_START
1038 Allowing or Denying access to purge content using HTCP based
1039 on defined access lists
5473c134 1040
41bd17a4 1041 htcp_clr_access allow|deny [!]aclname ...
5473c134 1042
41bd17a4 1043 See http_access for details
5473c134 1044
b3567eb5
FC		 1045 This clause only supports fast acl types.
1046 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
e0855596
AJ		 1047
1048# Allow HTCP CLR requests from trusted peers
41bd17a4 1049acl htcp_clr_peer src 172.16.1.2
1050htcp_clr_access allow htcp_clr_peer
5473c134 1051DOC_END
1052
41bd17a4 1053NAME: miss_access
1054TYPE: acl_access
1055LOC: Config.accessList.miss
df2eec10 1056DEFAULT: allow all
5473c134 1057DOC_START
41bd17a4 1058 Use to force your neighbors to use you as a sibling instead of
1059 a parent. For example:
5473c134 1060
41bd17a4 1061 acl localclients src 172.16.0.0/16
1062 miss_access allow localclients
1063 miss_access deny !localclients
5473c134 1064
41bd17a4 1065 This means only your local clients are allowed to fetch
1066 MISSES and all other clients can only fetch HITS.
5473c134 1067
41bd17a4 1068 By default, allow all clients who passed the http_access rules
1069 to fetch MISSES from us.
b3567eb5
FC		 1070
1071 This clause only supports fast acl types.
1072 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
41bd17a4 1073DOC_END
1074
1075NAME: ident_lookup_access
1076TYPE: acl_access
1077IFDEF: USE_IDENT
1078DEFAULT: none
1079DEFAULT_IF_NONE: deny all
4daaf3cb 1080LOC: Ident::TheConfig.identLookup
5473c134 1081DOC_START
41bd17a4 1082 A list of ACL elements which, if matched, cause an ident
1083 (RFC 931) lookup to be performed for this request. For
1084 example, you might choose to always perform ident lookups
1085 for your main multi-user Unix boxes, but not for your Macs
1086 and PCs. By default, ident lookups are not performed for
1087 any requests.
5473c134 1088
41bd17a4 1089 To enable ident lookups for specific client addresses, you
1090 can follow this example:
5473c134 1091
4daaf3cb 1092 acl ident_aware_hosts src 198.168.1.0/24
41bd17a4 1093 ident_lookup_access allow ident_aware_hosts
1094 ident_lookup_access deny all
5473c134 1095
4daaf3cb 1096 Only src type ACL checks are fully supported. A srcdomain
41bd17a4 1097 ACL might work at times, but it will not always provide
1098 the correct result.
b3567eb5
FC		 1099
1100 This clause only supports fast acl types.
1101 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
41bd17a4 1102DOC_END
5473c134 1103
5b0f5383 1104NAME: reply_body_max_size
1105COMMENT: size [acl acl...]
1106TYPE: acl_b_size_t
1107DEFAULT: none
1108LOC: Config.ReplyBodySize
1109DOC_START
1110 This option specifies the maximum size of a reply body. It can be
1111 used to prevent users from downloading very large files, such as
1112 MP3's and movies. When the reply headers are received, the
1113 reply_body_max_size lines are processed, and the first line where
1114 all (if any) listed ACLs are true is used as the maximum body size
1115 for this reply.
1116
1117 This size is checked twice. First when we get the reply headers,
1118 we check the content-length value. If the content length value exists
1119 and is larger than the allowed size, the request is denied and the
1120 user receives an error message that says "the request or reply
1121 is too large." If there is no content-length, and the reply
1122 size exceeds this limit, the client's connection is just closed
1123 and they will receive a partial reply.
1124
1125 WARNING: downstream caches probably can not detect a partial reply
1126 if there is no content-length header, so they will cache
1127 partial responses and give them out as hits. You should NOT
1128 use this option if you have downstream caches.
1129
1130 WARNING: A maximum size smaller than the size of squid's error messages
1131 will cause an infinite loop and crash squid. Ensure that the smallest
1132 non-zero value you use is greater that the maximum header size plus
1133 the size of your largest error page.
1134
1135 If you set this parameter none (the default), there will be
1136 no limit imposed.
3bc32f2f
AJ		 1137
1138 Configuration Format is:
1139 reply_body_max_size SIZE UNITS [acl ...]
1140 ie.
1141 reply_body_max_size 10 MB
1142
5b0f5383 1143DOC_END
1144
1145COMMENT_START
1146 NETWORK OPTIONS
1147 -----------------------------------------------------------------------------
1148COMMENT_END
1149
1150NAME: http_port ascii_port
1151TYPE: http_port_list
1152DEFAULT: none
1153LOC: Config.Sockaddr.http
1154DOC_START
c7b1dd5d
AJ		 1155 Usage: port [mode] [options]
1156 hostname:port [mode] [options]
1157 1.2.3.4:port [mode] [options]
5b0f5383 1158
1159 The socket addresses where Squid will listen for HTTP client
1160 requests. You may specify multiple socket addresses.
1161 There are three forms: port alone, hostname with port, and
1162 IP address with port. If you specify a hostname or IP
1163 address, Squid binds the socket to that specific
c7b1dd5d 1164 address. Most likely, you do not need to bind to a specific
5b0f5383 1165 address, so you can use the port number alone.
1166
1167 If you are running Squid in accelerator mode, you
1168 probably want to listen on port 80 also, or instead.
1169
1170 The -a command line option may be used to specify additional
1171 port(s) where Squid listens for proxy request. Such ports will
1172 be plain proxy ports with no options.
1173
1174 You may specify multiple socket addresses on multiple lines.
1175
c7b1dd5d 1176 Modes:
5b0f5383 1177
e77bdb4e 1178 intercept Support for IP-Layer interception of
5b0f5383 1179 outgoing requests without browser settings.
13b5cd0c 1180 NP: disables authentication and IPv6 on the port.
5b0f5383 1181
1182 tproxy Support Linux TPROXY for spoofing outgoing
1183 connections using the client IP address.
6f05d9c8 1184 NP: disables authentication and maybe IPv6 on the port.
5b0f5383 1185
1186 accel Accelerator mode. Also needs at least one of
1187 vhost / vport / defaultsite.
1188
c7b1dd5d
AJ		 1189 sslbump Intercept each CONNECT request matching ssl_bump ACL,
1190 establish secure connection with the client and with
1191 the server, decrypt HTTP messages as they pass through
1192 Squid, and treat them as unencrypted HTTP messages,
1193 becoming the man-in-the-middle.
1194
1195 The ssl_bump option is required to fully enable
1196 the SslBump feature.
1197
1198 Omitting the mode flag causes default forward proxy mode to be used.
1199
1200
1201 Accelerator Mode Options:
1202
7f7bdd96
AJ		 1203 allow-direct Allow direct forwarding in accelerator mode. Normally
1204 accelerated requests are denied direct forwarding as if
1205 never_direct was used.
1206
5b0f5383 1207 defaultsite=domainname
1208 What to use for the Host: header if it is not present
1209 in a request. Determines what site (not origin server)
1210 accelerators should consider the default.
1211 Implies accel.
1212
c7b1dd5d
AJ		 1213 vhost Using the Host header for virtual domain support.
1214 Also uses the port as specified in Host: header.
5b0f5383 1215
c7b1dd5d
AJ		 1216 vport IP based virtual host support. Using the http_port number
1217 in passed on Host: headers.
5b0f5383 1218
c7b1dd5d
AJ		 1219 vport=NN Uses the specified port number rather than the
1220 http_port number.
5b0f5383 1221
1222 protocol= Protocol to reconstruct accelerated requests with.
c7b1dd5d 1223 Defaults to http://.
5b0f5383 1224
432bc83c
HN		 1225 ignore-cc Ignore request Cache-Control headers.
1226
1227 Warning: This option violates HTTP specifications if
1228 used in non-accelerator setups.
1229
c7b1dd5d
AJ		 1230
1231 SSL Bump Mode Options:
1232
1233 cert= Path to SSL certificate (PEM format).
1234
1235 key= Path to SSL private key file (PEM format)
1236 if not specified, the certificate file is
1237 assumed to be a combined certificate and
1238 key file.
1239
1240 version= The version of SSL/TLS supported
1241 1 automatic (default)
1242 2 SSLv2 only
1243 3 SSLv3 only
1244 4 TLSv1 only
1245
1246 cipher= Colon separated list of supported ciphers.
1247
1248 options= Various SSL engine options. The most important
1249 being:
1250 NO_SSLv2 Disallow the use of SSLv2
1251 NO_SSLv3 Disallow the use of SSLv3
1252 NO_TLSv1 Disallow the use of TLSv1
1253 SINGLE_DH_USE Always create a new key when using
1254 temporary/ephemeral DH key exchanges
1255 See src/ssl_support.c or OpenSSL SSL_CTX_set_options
1256 documentation for a complete list of options.
1257
1258 clientca= File containing the list of CAs to use when
1259 requesting a client certificate.
1260
1261 cafile= File containing additional CA certificates to
1262 use when verifying client certificates. If unset
1263 clientca will be used.
1264
1265 capath= Directory containing additional CA certificates
1266 and CRL lists to use when verifying client certificates.
1267
1268 crlfile= File of additional CRL lists to use when verifying
1269 the client certificate, in addition to CRLs stored in
1270 the capath. Implies VERIFY_CRL flag below.
1271
1272 dhparams= File containing DH parameters for temporary/ephemeral
1273 DH key exchanges.
1274
1275 sslflags= Various flags modifying the use of SSL:
1276 DELAYED_AUTH
1277 Don't request client certificates
1278 immediately, but wait until acl processing
1279 requires a certificate (not yet implemented).
1280 NO_DEFAULT_CA
1281 Don't use the default CA lists built in
1282 to OpenSSL.
1283 NO_SESSION_REUSE
1284 Don't allow for session reuse. Each connection
1285 will result in a new SSL session.
1286 VERIFY_CRL
1287 Verify CRL lists when accepting client
1288 certificates.
1289 VERIFY_CRL_ALL
1290 Verify CRL lists for all certificates in the
1291 client certificate chain.
1292
1293 sslcontext= SSL session ID context identifier.
1294
1295
1296 Other Options:
1297
6b185b50
AJ		 1298 connection-auth[=on|off]
1299 use connection-auth=off to tell Squid to prevent
1300 forwarding Microsoft connection oriented authentication
d67acb4e
AJ		 1301 (NTLM, Negotiate and Kerberos)
1302
5b0f5383 1303 disable-pmtu-discovery=
1304 Control Path-MTU discovery usage:
1305 off lets OS decide on what to do (default).
1306 transparent disable PMTU discovery when transparent
1307 support is enabled.
1308 always disable always PMTU discovery.
1309
1310 In many setups of transparently intercepting proxies
1311 Path-MTU discovery can not work on traffic towards the
1312 clients. This is the case when the intercepting device
1313 does not fully track connections and fails to forward
1314 ICMP must fragment messages to the cache server. If you
1315 have such setup and experience that certain clients
1316 sporadically hang or never complete requests set
1317 disable-pmtu-discovery option to 'transparent'.
1318
81b6e9a7 1319 name= Specifies a internal name for the port. Defaults to
1320 the port specification (port or addr:port)
1321
68924b6d 1322 tcpkeepalive[=idle,interval,timeout]
b2130d58 1323 Enable TCP keepalive probes of idle connections
1324 idle is the initial time before TCP starts probing
1325 the connection, interval how often to probe, and
1326 timeout the time before giving up.
1327
5b0f5383 1328 If you run Squid on a dual-homed machine with an internal
1329 and an external interface we recommend you to specify the
1330 internal address:port in http_port. This way Squid will only be
1331 visible on the internal address.
1332
1333NOCOMMENT_START
e0855596 1334
5b0f5383 1335# Squid normally listens to port 3128
1336http_port @DEFAULT_HTTP_PORT@
1337NOCOMMENT_END
1338DOC_END
1339
1340NAME: https_port
1341IFDEF: USE_SSL
1342TYPE: https_port_list
1343DEFAULT: none
1344LOC: Config.Sockaddr.https
1345DOC_START
1346 Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
1347
1348 The socket address where Squid will listen for HTTPS client
1349 requests.
1350
1351 This is really only useful for situations where you are running
1352 squid in accelerator mode and you want to do the SSL work at the
1353 accelerator level.
1354
1355 You may specify multiple socket addresses on multiple lines,
1356 each with their own SSL certificate and/or options.
1357
1358 Options:
1359
1360 accel Accelerator mode. Also needs at least one of
1361 defaultsite or vhost.
1362
1363 defaultsite= The name of the https site presented on
1364 this port. Implies accel.
1365
1366 vhost Accelerator mode using Host header for virtual
1367 domain support. Requires a wildcard certificate
1368 or other certificate valid for more than one domain.
1369 Implies accel.
1370
1371 protocol= Protocol to reconstruct accelerated requests with.
1372 Defaults to https.
1373
1374 cert= Path to SSL certificate (PEM format).
1375
1376 key= Path to SSL private key file (PEM format)
1377 if not specified, the certificate file is
1378 assumed to be a combined certificate and
1379 key file.
1380
1381 version= The version of SSL/TLS supported
1382 1 automatic (default)
1383 2 SSLv2 only
1384 3 SSLv3 only
1385 4 TLSv1 only
1386
1387 cipher= Colon separated list of supported ciphers.
1388
1389 options= Various SSL engine options. The most important
1390 being:
1391 NO_SSLv2 Disallow the use of SSLv2
1392 NO_SSLv3 Disallow the use of SSLv3
1393 NO_TLSv1 Disallow the use of TLSv1
1394 SINGLE_DH_USE Always create a new key when using
1395 temporary/ephemeral DH key exchanges
1396 See src/ssl_support.c or OpenSSL SSL_CTX_set_options
1397 documentation for a complete list of options.
1398
1399 clientca= File containing the list of CAs to use when
1400 requesting a client certificate.
1401
1402 cafile= File containing additional CA certificates to
1403 use when verifying client certificates. If unset
1404 clientca will be used.
1405
1406 capath= Directory containing additional CA certificates
1407 and CRL lists to use when verifying client certificates.
1408
1409 crlfile= File of additional CRL lists to use when verifying
1410 the client certificate, in addition to CRLs stored in
1411 the capath. Implies VERIFY_CRL flag below.
1412
1413 dhparams= File containing DH parameters for temporary/ephemeral
1414 DH key exchanges.
1415
1416 sslflags= Various flags modifying the use of SSL:
1417 DELAYED_AUTH
1418 Don't request client certificates
1419 immediately, but wait until acl processing
1420 requires a certificate (not yet implemented).
1421 NO_DEFAULT_CA
1422 Don't use the default CA lists built in
1423 to OpenSSL.
1424 NO_SESSION_REUSE
1425 Don't allow for session reuse. Each connection
1426 will result in a new SSL session.
1427 VERIFY_CRL
1428 Verify CRL lists when accepting client
1429 certificates.
1430 VERIFY_CRL_ALL
1431 Verify CRL lists for all certificates in the
1432 client certificate chain.
1433
1434 sslcontext= SSL session ID context identifier.
1435
1436 vport Accelerator with IP based virtual host support.
1437
1438 vport=NN As above, but uses specified port number rather
1439 than the https_port number. Implies accel.
1440
81b6e9a7 1441 name= Specifies a internal name for the port. Defaults to
1442 the port specification (port or addr:port)
1443
5b0f5383 1444DOC_END
1445
41bd17a4 1446NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
1447TYPE: acl_tos
5473c134 1448DEFAULT: none
41bd17a4 1449LOC: Config.accessList.outgoing_tos
5473c134 1450DOC_START
41bd17a4 1451 Allows you to select a TOS/Diffserv value to mark outgoing
1452 connections with, based on the username or source address
1453 making the request.
5473c134 1454
41bd17a4 1455 tcp_outgoing_tos ds-field [!]aclname ...
cccac0a2 1456
41bd17a4 1457 Example where normal_service_net uses the TOS value 0x00
7def7206 1458 and good_service_net uses 0x20
cccac0a2 1459
41bd17a4 1460 acl normal_service_net src 10.0.0.0/255.255.255.0
1461 acl good_service_net src 10.0.1.0/255.255.255.0
2c73de90 1462 tcp_outgoing_tos 0x00 normal_service_net
41bd17a4 1463 tcp_outgoing_tos 0x20 good_service_net
fa38076e 1464
41bd17a4 1465 TOS/DSCP values really only have local significance - so you should
575cb927
AJ		 1466 know what you're specifying. For more information, see RFC2474,
1467 RFC2475, and RFC3260.
cccac0a2 1468
41bd17a4 1469 The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
1470 "default" to use whatever default your host has. Note that in
1471 practice often only values 0 - 63 is usable as the two highest bits
1472 have been redefined for use by ECN (RFC3168).
cccac0a2 1473
41bd17a4 1474 Processing proceeds in the order specified, and stops at first fully
1475 matching line.
cccac0a2 1476
41bd17a4 1477 Note: The use of this directive using client dependent ACLs is
1478 incompatible with the use of server side persistent connections. To
1479 ensure correct results it is best to set server_persisten_connections
1480 to off when using this directive in such configurations.
cccac0a2 1481DOC_END
1482
41bd17a4 1483NAME: clientside_tos
1484TYPE: acl_tos
cccac0a2 1485DEFAULT: none
41bd17a4 1486LOC: Config.accessList.clientside_tos
cccac0a2 1487DOC_START
41bd17a4 1488 Allows you to select a TOS/Diffserv value to mark client-side
1489 connections with, based on the username or source address
1490 making the request.
1491DOC_END
cccac0a2 1492
575cb927
AJ		 1493NAME: qos_flows
1494TYPE: QosConfig
7172612f 1495IFDEF: USE_ZPH_QOS
575cb927 1496DEFAULT: none
b7ac5457 1497LOC: Ip::Qos::TheConfig
7172612f 1498DOC_START
575cb927
AJ		 1499 Allows you to select a TOS/DSCP value to mark outgoing
1500 connections with, based on where the reply was sourced.
7172612f 1501
575cb927
AJ		 1502 TOS values really only have local significance - so you should
1503 know what you're specifying. For more information, see RFC2474,
1504 RFC2475, and RFC3260.
7172612f 1505
575cb927
AJ		 1506 The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF.
1507 Note that in practice often only values up to 0x3F are usable
1508 as the two highest bits have been redefined for use by ECN
1509 (RFC3168).
7172612f 1510
575cb927
AJ		 1511 This setting is configured by setting the source TOS values:
1512
1513 local-hit=0xFF Value to mark local cache hits.
1514
1515 sibling-hit=0xFF Value to mark hits from sibling peers.
1516
1517 parent-hit=0xFF Value to mark hits from parent peers.
1518
1519
2201bec6
AJ		 1520 NOTE: 'miss' preserve feature is only possible on Linux at this time.
1521
575cb927
AJ		 1522 For the following to work correctly, you will need to patch your
1523 linux kernel with the TOS preserving ZPH patch.
1524 The kernel patch can be downloaded from http://zph.bratcheda.org
1525
575cb927
AJ		 1526 disable-preserve-miss
1527 If set, any HTTP response towards clients will
1528 have the TOS value of the response comming from the
1529 remote server masked with the value of miss-mask.
1530
1531 miss-mask=0xFF
1532 Allows you to mask certain bits in the TOS received from the
1533 remote server, before copying the value to the TOS sent
1534 towards clients.
1535 Default: 0xFF (TOS from server is not changed).
7172612f 1536
7172612f
AJ		 1537DOC_END
1538
41bd17a4 1539NAME: tcp_outgoing_address
1540TYPE: acl_address
1541DEFAULT: none
1542LOC: Config.accessList.outgoing_address
1543DOC_START
1544 Allows you to map requests to different outgoing IP addresses
1545 based on the username or source address of the user making
1546 the request.
7f7db318 1547
41bd17a4 1548 tcp_outgoing_address ipaddr [[!]aclname] ...
c33aa074 1549
41bd17a4 1550 Example where requests from 10.0.0.0/24 will be forwarded
1551 with source address 10.1.0.1, 10.0.2.0/24 forwarded with
1552 source address 10.1.0.2 and the rest will be forwarded with
1553 source address 10.1.0.3.
9197cd13 1554
17148b2f 1555 acl normal_service_net src 10.0.0.0/24
1556 acl good_service_net src 10.0.2.0/24
1557 tcp_outgoing_address 10.1.0.1 normal_service_net
1558 tcp_outgoing_address 10.1.0.2 good_service_net
1559 tcp_outgoing_address 10.1.0.3
9197cd13 1560
41bd17a4 1561 Processing proceeds in the order specified, and stops at first fully
1562 matching line.
cccac0a2 1563
41bd17a4 1564 Note: The use of this directive using client dependent ACLs is
1565 incompatible with the use of server side persistent connections. To
1566 ensure correct results it is best to set server_persistent_connections
1567 to off when using this directive in such configurations.
cc192b50 1568
4ed968be
AJ		 1569 Note: The use of this directive to set a local IP on outgoing TCP links
1570 is incompatible with using TPROXY to set client IP out outbound TCP links.
1571 When needing to contact peers use the no-tproxy cache_peer option to
1572 re-enable normal forwarding such as this.
cc192b50 1573
1574 IPv6 Magic:
1575
b3567eb5
FC		 1576 Squid is built with a capability of bridging the IPv4 and IPv6
1577 internets.
cc192b50 1578 tcp_outgoing_address as exampled above breaks this bridging by forcing
1579 all outbound traffic through a certain IPv4 which may be on the wrong
1580 side of the IPv4/IPv6 boundary.
1581
1582 To operate with tcp_outgoing_address and keep the bridging benefits
1583 an additional ACL needs to be used which ensures the IPv6-bound traffic
1584 is never forced or permitted out the IPv4 interface.
1585
1586 acl to_ipv6 dst ipv6
1587 tcp_outgoing_address 2002::c001 good_service_net to_ipv6
17148b2f 1588 tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
cc192b50 1589
1590 tcp_outgoing_address 2002::beef normal_service_net to_ipv6
17148b2f 1591 tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
cc192b50 1592
1593 tcp_outgoing_address 2002::1 to_ipv6
17148b2f 1594 tcp_outgoing_address 10.1.0.3 !to_ipv6
6db78a1a
AJ		 1595
1596 WARNING:
1597 'dst ipv6' bases its selection assuming DIRECT access.
1598 If peers are used the peername ACL are needed to select outgoing
1599 address which can link to the peer.
1600
6b185b50
AJ		 1601 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used
1602 previously in the http_access rules to locate the destination IP.
1603 Some more magic may be needed for that:
1604 http_access allow to_ipv6 !all
1605 (meaning, allow if to IPv6 but not from anywhere ;)
1606
cccac0a2 1607DOC_END
1608
41bd17a4 1609COMMENT_START
1610 SSL OPTIONS
1611 -----------------------------------------------------------------------------
1612COMMENT_END
1613
1614NAME: ssl_unclean_shutdown
1615IFDEF: USE_SSL
cccac0a2 1616TYPE: onoff
1617DEFAULT: off
41bd17a4 1618LOC: Config.SSL.unclean_shutdown
cccac0a2 1619DOC_START
41bd17a4 1620 Some browsers (especially MSIE) bugs out on SSL shutdown
1621 messages.
cccac0a2 1622DOC_END
1623
41bd17a4 1624NAME: ssl_engine
1625IFDEF: USE_SSL
cccac0a2 1626TYPE: string
41bd17a4 1627LOC: Config.SSL.ssl_engine
1628DEFAULT: none
cccac0a2 1629DOC_START
41bd17a4 1630 The OpenSSL engine to use. You will need to set this if you
1631 would like to use hardware SSL acceleration for example.
cccac0a2 1632DOC_END
1633
41bd17a4 1634NAME: sslproxy_client_certificate
1635IFDEF: USE_SSL
cccac0a2 1636DEFAULT: none
41bd17a4 1637LOC: Config.ssl_client.cert
1638TYPE: string
cccac0a2 1639DOC_START
41bd17a4 1640 Client SSL Certificate to use when proxying https:// URLs
cccac0a2 1641DOC_END
1642
41bd17a4 1643NAME: sslproxy_client_key
1644IFDEF: USE_SSL
cccac0a2 1645DEFAULT: none
41bd17a4 1646LOC: Config.ssl_client.key
1647TYPE: string
cccac0a2 1648DOC_START
41bd17a4 1649 Client SSL Key to use when proxying https:// URLs
cccac0a2 1650DOC_END
1651
41bd17a4 1652NAME: sslproxy_version
1653IFDEF: USE_SSL
1654DEFAULT: 1
1655LOC: Config.ssl_client.version
1656TYPE: int
cccac0a2 1657DOC_START
41bd17a4 1658 SSL version level to use when proxying https:// URLs
cccac0a2 1659DOC_END
1660
41bd17a4 1661NAME: sslproxy_options
1662IFDEF: USE_SSL
1663DEFAULT: none
1664LOC: Config.ssl_client.options
1665TYPE: string
cccac0a2 1666DOC_START
41bd17a4 1667 SSL engine options to use when proxying https:// URLs
ab202e4c
AJ		 1668
1669 The most important being:
1670
1671 NO_SSLv2 Disallow the use of SSLv2
1672 NO_SSLv3 Disallow the use of SSLv3
1673 NO_TLSv1 Disallow the use of TLSv1
1674 SINGLE_DH_USE
1675 Always create a new key when using
1676 temporary/ephemeral DH key exchanges
1677
1678 These options vary depending on your SSL engine.
1679 See the OpenSSL SSL_CTX_set_options documentation for a
1680 complete list of possible options.
cccac0a2 1681DOC_END
1682
41bd17a4 1683NAME: sslproxy_cipher
1684IFDEF: USE_SSL
1685DEFAULT: none
1686LOC: Config.ssl_client.cipher
1687TYPE: string
cccac0a2 1688DOC_START
41bd17a4 1689 SSL cipher list to use when proxying https:// URLs
ab202e4c
AJ		 1690
1691 Colon separated list of supported ciphers.
cccac0a2 1692DOC_END
1693
41bd17a4 1694NAME: sslproxy_cafile
1695IFDEF: USE_SSL
1696DEFAULT: none
1697LOC: Config.ssl_client.cafile
1698TYPE: string
cccac0a2 1699DOC_START
41bd17a4 1700 file containing CA certificates to use when verifying server
1701 certificates while proxying https:// URLs
cccac0a2 1702DOC_END
0976f8db 1703
41bd17a4 1704NAME: sslproxy_capath
1705IFDEF: USE_SSL
5473c134 1706DEFAULT: none
41bd17a4 1707LOC: Config.ssl_client.capath
1708TYPE: string
5473c134 1709DOC_START
41bd17a4 1710 directory containing CA certificates to use when verifying
1711 server certificates while proxying https:// URLs
5473c134 1712DOC_END
1713
4c9da963 1714NAME: ssl_bump
1715IFDEF: USE_SSL
1716TYPE: acl_access
1717LOC: Config.accessList.ssl_bump
1718DEFAULT: none
1719DOC_START
1720 This ACL controls which CONNECT requests to an http_port
1721 marked with an sslBump flag are actually "bumped". Please
1722 see the sslBump flag of an http_port option for more details
1723 about decoding proxied SSL connections.
1724
1725 By default, no requests are bumped.
1726
1727 See also: http_port sslBump
1728
b3567eb5
FC		 1729 This clause only supports fast acl types.
1730 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
e0855596
AJ		 1731
1732
1733 # Example: Bump all requests except those originating from localhost and
1734 # those going to webax.com or example.com sites.
1735
1736 acl localhost src 127.0.0.1/32
1737 acl broken_sites dstdomain .webax.com
1738 acl broken_sites dstdomain .example.com
1739 ssl_bump deny localhost
1740 ssl_bump deny broken_sites
1741 ssl_bump allow all
4c9da963 1742DOC_END
1743
41bd17a4 1744NAME: sslproxy_flags
1745IFDEF: USE_SSL
1746DEFAULT: none
1747LOC: Config.ssl_client.flags
1748TYPE: string
5473c134 1749DOC_START
41bd17a4 1750 Various flags modifying the use of SSL while proxying https:// URLs:
4c9da963 1751 DONT_VERIFY_PEER Accept certificates that fail verification.
1752 For refined control, see sslproxy_cert_error.
41bd17a4 1753 NO_DEFAULT_CA Don't use the default CA list built in
1754 to OpenSSL.
5473c134 1755DOC_END
1756
4c9da963 1757
1758NAME: sslproxy_cert_error
1759IFDEF: USE_SSL
1760DEFAULT: none
1761LOC: Config.ssl_client.cert_error
1762TYPE: acl_access
1763DOC_START
1764 Use this ACL to bypass server certificate validation errors.
1765
1766 For example, the following lines will bypass all validation errors
1767 when talking to servers located at 172.16.0.0/16. All other
1768 validation errors will result in ERR_SECURE_CONNECT_FAIL error.
1769
1770 acl BrokenServersAtTrustedIP dst 172.16.0.0/16
1771 sslproxy_cert_error allow BrokenServersAtTrustedIP
1772 sslproxy_cert_error deny all
1773
b3567eb5
FC		 1774 This clause only supports fast acl types.
1775 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1776 Using slow acl types may result in server crashes
4c9da963 1777
1778 Without this option, all server certificate validation errors
1779 terminate the transaction. Bypassing validation errors is dangerous
1780 because an error usually implies that the server cannot be trusted and
1781 the connection may be insecure.
1782
1783 See also: sslproxy_flags and DONT_VERIFY_PEER.
1784
e0855596 1785 Default setting: sslproxy_cert_error deny all
4c9da963 1786DOC_END
1787
1788
1789
41bd17a4 1790NAME: sslpassword_program
1791IFDEF: USE_SSL
1792DEFAULT: none
1793LOC: Config.Program.ssl_password
1794TYPE: string
5473c134 1795DOC_START
41bd17a4 1796 Specify a program used for entering SSL key passphrases
1797 when using encrypted SSL certificate keys. If not specified
1798 keys must either be unencrypted, or Squid started with the -N
1799 option to allow it to query interactively for the passphrase.
5473c134 1800DOC_END
1801
cccac0a2 1802COMMENT_START
41bd17a4 1803 OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
cccac0a2 1804 -----------------------------------------------------------------------------
1805COMMENT_END
1806
41bd17a4 1807NAME: cache_peer
1808TYPE: peer
1809DEFAULT: none
1810LOC: Config.peers
cccac0a2 1811DOC_START
41bd17a4 1812 To specify other caches in a hierarchy, use the format:
2b94f655 1813
41bd17a4 1814 cache_peer hostname type http-port icp-port [options]
2b94f655 1815
41bd17a4 1816 For example,
2b94f655 1817
41bd17a4 1818 # proxy icp
1819 # hostname type port port options
1820 # -------------------- -------- ----- ----- -----------
2b94f655 1821 cache_peer parent.foo.net parent 3128 3130 default
41bd17a4 1822 cache_peer sib1.foo.net sibling 3128 3130 proxy-only
1823 cache_peer sib2.foo.net sibling 3128 3130 proxy-only
2b94f655
AJ		 1824 cache_peer example.com parent 80 0 no-query default
1825 cache_peer cdn.example.com sibling 3128 0
1826
1827 type: either 'parent', 'sibling', or 'multicast'.
1828
1829 proxy-port: The port number where the peer accept HTTP requests.
1830 For other Squid proxies this is usually 3128
1831 For web servers this is usually 80
1832
1833 icp-port: Used for querying neighbor caches about objects.
1834 Set to 0 if the peer does not support ICP or HTCP.
1835 See ICP and HTCP options below for additional details.
1836
1837
1838 ==== ICP OPTIONS ====
1839
1840 You MUST also set icp_port and icp_access explicitly when using these options.
1841 The defaults will prevent peer traffic using ICP.
1842
1843
1844 no-query Disable ICP queries to this neighbor.
1845
1846 multicast-responder
1847 Indicates the named peer is a member of a multicast group.
1848 ICP queries will not be sent directly to the peer, but ICP
1849 replies will be accepted from it.
1850
1851 closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
1852 CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
1853
1854 background-ping
1855 To only send ICP queries to this neighbor infrequently.
1856 This is used to keep the neighbor round trip time updated
1857 and is usually used in conjunction with weighted-round-robin.
1858
1859
1860 ==== HTCP OPTIONS ====
1861
1862 You MUST also set htcp_port and htcp_access explicitly when using these options.
1863 The defaults will prevent peer traffic using HTCP.
1864
1865
1866 htcp Send HTCP, instead of ICP, queries to the neighbor.
1867 You probably also want to set the "icp-port" to 4827
1868 instead of 3130.
1869
1870 htcp-oldsquid Send HTCP to old Squid versions.
1871
1872 htcp-no-clr Send HTCP to the neighbor but without
1873 sending any CLR requests. This cannot be used with
1874 htcp-only-clr.
1875
1876 htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests.
1877 This cannot be used with htcp-no-clr.
1878
1879 htcp-no-purge-clr
1880 Send HTCP to the neighbor including CLRs but only when
1881 they do not result from PURGE requests.
1882
1883 htcp-forward-clr
1884 Forward any HTCP CLR requests this proxy receives to the peer.
1885
1886
1887 ==== PEER SELECTION METHODS ====
1888
1889 The default peer selection method is ICP, with the first responding peer
1890 being used as source. These options can be used for better load balancing.
1891
1892
1893 default This is a parent cache which can be used as a "last-resort"
1894 if a peer cannot be located by any of the peer-selection methods.
1895 If specified more than once, only the first is used.
1896
1897 round-robin Load-Balance parents which should be used in a round-robin
1898 fashion in the absence of any ICP queries.
1899 weight=N can be used to add bias.
1900
1901 weighted-round-robin
1902 Load-Balance parents which should be used in a round-robin
1903 fashion with the frequency of each parent being based on the
1904 round trip time. Closer parents are used more often.
1905 Usually used for background-ping parents.
1906 weight=N can be used to add bias.
1907
1908 carp Load-Balance parents which should be used as a CARP array.
1909 The requests will be distributed among the parents based on the
1910 CARP load balancing hash function based on their weight.
1911
1912 userhash Load-balance parents based on the client proxy_auth or ident username.
1913
1914 sourcehash Load-balance parents based on the client source IP.
8a368316
AJ		 1915
1916 multicast-siblings
1917 To be used only for cache peers of type "multicast".
1918 ALL members of this multicast group have "sibling"
1919 relationship with it, not "parent". This is to a mulicast
1920 group when the requested object would be fetched only from
1921 a "parent" cache, anyway. It's useful, e.g., when
1922 configuring a pool of redundant Squid proxies, being
1923 members of the same multicast group.
2b94f655
AJ		 1924
1925
1926 ==== PEER SELECTION OPTIONS ====
1927
1928 weight=N use to affect the selection of a peer during any weighted
1929 peer-selection mechanisms.
1930 The weight must be an integer; default is 1,
1931 larger weights are favored more.
1932 This option does not affect parent selection if a peering
1933 protocol is not in use.
1934
1935 basetime=N Specify a base amount to be subtracted from round trip
1936 times of parents.
1937 It is subtracted before division by weight in calculating
1938 which parent to fectch from. If the rtt is less than the
1939 base time the rtt is set to a minimal value.
1940
1941 ttl=N Specify a IP multicast TTL to use when sending an ICP
1942 queries to this address.
1943 Only useful when sending to a multicast group.
1944 Because we don't accept ICP replies from random
1945 hosts, you must configure other group members as
1946 peers with the 'multicast-responder' option.
1947
1948 no-delay To prevent access to this neighbor from influencing the
1949 delay pools.
1950
1951 digest-url=URL Tell Squid to fetch the cache digest (if digests are
1952 enabled) for this host from the specified URL rather
1953 than the Squid default location.
1954
1955
1956 ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
1957
1958 originserver Causes this parent to be contacted as an origin server.
1959 Meant to be used in accelerator setups when the peer
1960 is a web server.
1961
1962 forceddomain=name
1963 Set the Host header of requests forwarded to this peer.
1964 Useful in accelerator setups where the server (peer)
1965 expects a certain domain name but clients may request
1966 others. ie example.com or www.example.com
1967
1968 no-digest Disable request of cache digests.
1969
1970 no-netdb-exchange
1971 Disables requesting ICMP RTT database (NetDB).
1972
1973
1974 ==== AUTHENTICATION OPTIONS ====
1975
1976 login=user:password
1977 If this is a personal/workgroup proxy and your parent
1978 requires proxy authentication.
1979
1980 Note: The string can include URL escapes (i.e. %20 for
1981 spaces). This also means % must be written as %%.
1982
11e4c5e5
AJ		 1983 login=PASSTHRU
1984 Send login details received from client to this peer.
1985 Both Proxy- and WWW-Authorization headers are passed
1986 without alteration to the peer.
1987 Authentication is not required by Squid for this to work.
1988
1989 Note: This will pass any form of authentication but
1990 only Basic auth will work through a proxy unless the
1991 connection-auth options are also used.
ee0b94f4 1992
2b94f655
AJ		 1993 login=PASS Send login details received from client to this peer.
1994 Authentication is not required by this option.
11e4c5e5 1995
2b94f655
AJ		 1996 If there are no client-provided authentication headers
1997 to pass on, but username and password are available
ee0b94f4
HN		 1998 from an external ACL user= and password= result tags
1999 they may be sent instead.
2b94f655
AJ		 2000
2001 Note: To combine this with proxy_auth both proxies must
2002 share the same user database as HTTP only allows for
2003 a single login (one for proxy, one for origin server).
2004 Also be warned this will expose your users proxy
2005 password to the peer. USE WITH CAUTION
2006
2007 login=*:password
2008 Send the username to the upstream cache, but with a
2009 fixed password. This is meant to be used when the peer
2010 is in another administrative domain, but it is still
2011 needed to identify each user.
2012 The star can optionally be followed by some extra
2013 information which is added to the username. This can
2014 be used to identify this proxy to the peer, similar to
2015 the login=username:password option above.
2016
9ca29d23
AJ		 2017 login=NEGOTIATE
2018 If this is a personal/workgroup proxy and your parent
2019 requires a secure proxy authentication.
2020 The first principal from the default keytab or defined by
2021 the environment variable KRB5_KTNAME will be used.
2022
2023 login=NEGOTIATE:principal_name
2024 If this is a personal/workgroup proxy and your parent
2025 requires a secure proxy authentication.
2026 The principal principal_name from the default keytab or
2027 defined by the environment variable KRB5_KTNAME will be
2028 used.
2029
2b94f655
AJ		 2030 connection-auth=on|off
2031 Tell Squid that this peer does or not support Microsoft
2032 connection oriented authentication, and any such
2033 challenges received from there should be ignored.
2034 Default is auto to automatically determine the status
2035 of the peer.
2036
2037
2038 ==== SSL / HTTPS / TLS OPTIONS ====
2039
2040 ssl Encrypt connections to this peer with SSL/TLS.
2041
2042 sslcert=/path/to/ssl/certificate
2043 A client SSL certificate to use when connecting to
2044 this peer.
2045
2046 sslkey=/path/to/ssl/key
2047 The private SSL key corresponding to sslcert above.
2048 If 'sslkey' is not specified 'sslcert' is assumed to
2049 reference a combined file containing both the
2050 certificate and the key.
2051
2052 sslversion=1|2|3|4
2053 The SSL version to use when connecting to this peer
2054 1 = automatic (default)
2055 2 = SSL v2 only
2056 3 = SSL v3 only
2057 4 = TLS v1 only
2058
2059 sslcipher=... The list of valid SSL ciphers to use when connecting
2060 to this peer.
2061
2062 ssloptions=... Specify various SSL engine options:
2063 NO_SSLv2 Disallow the use of SSLv2
2064 NO_SSLv3 Disallow the use of SSLv3
2065 NO_TLSv1 Disallow the use of TLSv1
2066 See src/ssl_support.c or the OpenSSL documentation for
2067 a more complete list.
2068
2069 sslcafile=... A file containing additional CA certificates to use
2070 when verifying the peer certificate.
2071
2072 sslcapath=... A directory containing additional CA certificates to
2073 use when verifying the peer certificate.
2074
2075 sslcrlfile=... A certificate revocation list file to use when
2076 verifying the peer certificate.
2077
2078 sslflags=... Specify various flags modifying the SSL implementation:
2079
41bd17a4 2080 DONT_VERIFY_PEER
2081 Accept certificates even if they fail to
2082 verify.
2083 NO_DEFAULT_CA
2084 Don't use the default CA list built in
2085 to OpenSSL.
2086 DONT_VERIFY_DOMAIN
2087 Don't verify the peer certificate
2088 matches the server name
2b94f655
AJ		 2089
2090 ssldomain= The peer name as advertised in it's certificate.
2091 Used for verifying the correctness of the received peer
2092 certificate. If not specified the peer hostname will be
2093 used.
2094
2095 front-end-https
2096 Enable the "Front-End-Https: On" header needed when
2097 using Squid as a SSL frontend in front of Microsoft OWA.
2098 See MS KB document Q307347 for details on this header.
2099 If set to auto the header will only be added if the
2100 request is forwarded as a https:// URL.
2101
2102
2103 ==== GENERAL OPTIONS ====
2104
2105 connect-timeout=N
2106 A peer-specific connect timeout.
2107 Also see the peer_connect_timeout directive.
2108
2109 connect-fail-limit=N
2110 How many times connecting to a peer must fail before
2111 it is marked as down. Default is 10.
2112
2113 allow-miss Disable Squid's use of only-if-cached when forwarding
2114 requests to siblings. This is primarily useful when
2115 icp_hit_stale is used by the sibling. To extensive use
2116 of this option may result in forwarding loops, and you
2117 should avoid having two-way peerings with this option.
2118 For example to deny peer usage on requests from peer
2119 by denying cache_peer_access if the source is a peer.
2120
2121 max-conn=N Limit the amount of connections Squid may open to this
2122 peer. see also
2123
2124 name=xxx Unique name for the peer.
2125 Required if you have multiple peers on the same host
2126 but different ports.
2127 This name can be used in cache_peer_access and similar
2128 directives to dentify the peer.
2129 Can be used by outgoing access controls through the
2130 peername ACL type.
2131
b0758e04
AJ		 2132 no-tproxy Do not use the client-spoof TPROXY support when forwarding
2133 requests to this peer. Use normal address selection instead.
2134
2b94f655
AJ		 2135 proxy-only objects fetched from the peer will not be stored locally.
2136
41bd17a4 2137DOC_END
cccac0a2 2138
41bd17a4 2139NAME: cache_peer_domain cache_host_domain
2140TYPE: hostdomain
2141DEFAULT: none
2142LOC: none
2143DOC_START
2144 Use to limit the domains for which a neighbor cache will be
2145 queried. Usage:
cccac0a2 2146
41bd17a4 2147 cache_peer_domain cache-host domain [domain ...]
2148 cache_peer_domain cache-host !domain
cccac0a2 2149
41bd17a4 2150 For example, specifying
cccac0a2 2151
41bd17a4 2152 cache_peer_domain parent.foo.net .edu
cccac0a2 2153
41bd17a4 2154 has the effect such that UDP query packets are sent to
2155 'bigserver' only when the requested object exists on a
2156 server in the .edu domain. Prefixing the domainname
2157 with '!' means the cache will be queried for objects
2158 NOT in that domain.
cccac0a2 2159
41bd17a4 2160 NOTE: * Any number of domains may be given for a cache-host,
2161 either on the same or separate lines.
2162 * When multiple domains are given for a particular
2163 cache-host, the first matched domain is applied.
2164 * Cache hosts with no domain restrictions are queried
2165 for all requests.
2166 * There are no defaults.
2167 * There is also a 'cache_peer_access' tag in the ACL
2168 section.
2169DOC_END
dd9b1776 2170
41bd17a4 2171NAME: cache_peer_access
2172TYPE: peer_access
2173DEFAULT: none
2174LOC: none
2175DOC_START
2176 Similar to 'cache_peer_domain' but provides more flexibility by
2177 using ACL elements.
cccac0a2 2178
41bd17a4 2179 cache_peer_access cache-host allow|deny [!]aclname ...
dd9b1776 2180
41bd17a4 2181 The syntax is identical to 'http_access' and the other lists of
2182 ACL elements. See the comments for 'http_access' below, or
e314b7b9 2183 the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
41bd17a4 2184DOC_END
dd9b1776 2185
41bd17a4 2186NAME: neighbor_type_domain
2187TYPE: hostdomaintype
2188DEFAULT: none
2189LOC: none
2190DOC_START
2191 usage: neighbor_type_domain neighbor parent|sibling domain domain ...
cccac0a2 2192
41bd17a4 2193 Modifying the neighbor type for specific domains is now
11e3fa1c 2194 possible. You can treat some domains differently than the
41bd17a4 2195 default neighbor type specified on the 'cache_peer' line.
2196 Normally it should only be necessary to list domains which
2197 should be treated differently because the default neighbor type
2198 applies for hostnames which do not match domains listed here.
6bf4f823 2199
41bd17a4 2200EXAMPLE:
dbe3992d 2201 cache_peer cache.foo.org parent 3128 3130
41bd17a4 2202 neighbor_type_domain cache.foo.org sibling .com .net
2203 neighbor_type_domain cache.foo.org sibling .au .de
2204DOC_END
6bf4f823 2205
41bd17a4 2206NAME: dead_peer_timeout
2207COMMENT: (seconds)
2208DEFAULT: 10 seconds
2209TYPE: time_t
2210LOC: Config.Timeout.deadPeer
2211DOC_START
2212 This controls how long Squid waits to declare a peer cache
2213 as "dead." If there are no ICP replies received in this
2214 amount of time, Squid will declare the peer dead and not
2215 expect to receive any further ICP replies. However, it
2216 continues to send ICP queries, and will mark the peer as
2217 alive upon receipt of the first subsequent ICP reply.
699acd19 2218
41bd17a4 2219 This timeout also affects when Squid expects to receive ICP
2220 replies from peers. If more than 'dead_peer' seconds have
2221 passed since the last ICP reply was received, Squid will not
2222 expect to receive an ICP reply on the next query. Thus, if
2223 your time between requests is greater than this timeout, you
2224 will see a lot of requests sent DIRECT to origin servers
2225 instead of to your parents.
2226DOC_END
cccac0a2 2227
437823b4
AJ		 2228NAME: forward_max_tries
2229DEFAULT: 10
2230TYPE: int
2231LOC: Config.forward_max_tries
2232DOC_START
2233 Controls how many different forward paths Squid will try
2234 before giving up. See also forward_timeout.
2235DOC_END
2236
41bd17a4 2237NAME: hierarchy_stoplist
2238TYPE: wordlist
2239DEFAULT: none
2240LOC: Config.hierarchy_stoplist
2241DOC_START
2242 A list of words which, if found in a URL, cause the object to
2243 be handled directly by this cache. In other words, use this
2244 to not query neighbor caches for certain objects. You may
2245 list this option multiple times.
2246 Note: never_direct overrides this option.
cccac0a2 2247NOCOMMENT_START
e0855596
AJ		 2248
2249# We recommend you to use at least the following line.
41bd17a4 2250hierarchy_stoplist cgi-bin ?
6b698a21 2251NOCOMMENT_END
2252DOC_END
0976f8db 2253
41bd17a4 2254COMMENT_START
2255 MEMORY CACHE OPTIONS
2256 -----------------------------------------------------------------------------
2257COMMENT_END
2258
2259NAME: cache_mem
2260COMMENT: (bytes)
2261TYPE: b_size_t
df2eec10 2262DEFAULT: 256 MB
41bd17a4 2263LOC: Config.memMaxSize
6b698a21 2264DOC_START
41bd17a4 2265 NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
2266 IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
2267 USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
2268 THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
2269
2270 'cache_mem' specifies the ideal amount of memory to be used
2271 for:
2272 * In-Transit objects
2273 * Hot Objects
2274 * Negative-Cached objects
2275
2276 Data for these objects are stored in 4 KB blocks. This
2277 parameter specifies the ideal upper limit on the total size of
2278 4 KB blocks allocated. In-Transit objects take the highest
2279 priority.
2280
2281 In-transit objects have priority over the others. When
2282 additional space is needed for incoming data, negative-cached
2283 and hot objects will be released. In other words, the
2284 negative-cached and hot objects will fill up any unused space
2285 not needed for in-transit objects.
2286
2287 If circumstances require, this limit will be exceeded.
2288 Specifically, if your incoming request rate requires more than
2289 'cache_mem' of memory to hold in-transit objects, Squid will
2290 exceed this limit to satisfy the new requests. When the load
2291 decreases, blocks will be freed until the high-water mark is
2292 reached. Thereafter, blocks will be used to store hot
2293 objects.
6b698a21 2294DOC_END
0976f8db 2295
41bd17a4 2296NAME: maximum_object_size_in_memory
2297COMMENT: (bytes)
2298TYPE: b_size_t
df2eec10 2299DEFAULT: 512 KB
41bd17a4 2300LOC: Config.Store.maxInMemObjSize
6b698a21 2301DOC_START
41bd17a4 2302 Objects greater than this size will not be attempted to kept in
2303 the memory cache. This should be set high enough to keep objects
2304 accessed frequently in memory to improve performance whilst low
2305 enough to keep larger objects from hoarding cache_mem.
6b698a21 2306DOC_END
0976f8db 2307
ea21d497
HN		 2308NAME: memory_cache_mode
2309TYPE: memcachemode
2310LOC: Config
2311DEFAULT: always
ff4b33f4 2312DOC_START
ea21d497 2313 Controls which objects to keep in the memory cache (cache_mem)
ff4b33f4 2314
ea21d497
HN		 2315 always Keep most recently fetched objects in memory (default)
2316
2317 disk Only disk cache hits are kept in memory, which means
2318 an object must first be cached on disk and then hit
2319 a second time before cached in memory.
2320
2321 network Only objects fetched from network is kept in memory
ff4b33f4
HN		 2322DOC_END
2323
41bd17a4 2324NAME: memory_replacement_policy
2325TYPE: removalpolicy
2326LOC: Config.memPolicy
2327DEFAULT: lru
6b698a21 2328DOC_START
41bd17a4 2329 The memory replacement policy parameter determines which
2330 objects are purged from memory when memory space is needed.
7f7db318 2331
41bd17a4 2332 See cache_replacement_policy for details.
2333DOC_END
6b698a21 2334
41bd17a4 2335COMMENT_START
2336 DISK CACHE OPTIONS
2337 -----------------------------------------------------------------------------
2338COMMENT_END
6b698a21 2339
41bd17a4 2340NAME: cache_replacement_policy
2341TYPE: removalpolicy
2342LOC: Config.replPolicy
2343DEFAULT: lru
2344DOC_START
2345 The cache replacement policy parameter determines which
2346 objects are evicted (replaced) when disk space is needed.
6b698a21 2347
41bd17a4 2348 lru : Squid's original list based LRU policy
2349 heap GDSF : Greedy-Dual Size Frequency
2350 heap LFUDA: Least Frequently Used with Dynamic Aging
2351 heap LRU : LRU policy implemented using a heap
6b698a21 2352
41bd17a4 2353 Applies to any cache_dir lines listed below this.
7f7db318 2354
41bd17a4 2355 The LRU policies keeps recently referenced objects.
0976f8db 2356
41bd17a4 2357 The heap GDSF policy optimizes object hit rate by keeping smaller
2358 popular objects in cache so it has a better chance of getting a
2359 hit. It achieves a lower byte hit rate than LFUDA though since
2360 it evicts larger (possibly popular) objects.
0976f8db 2361
41bd17a4 2362 The heap LFUDA policy keeps popular objects in cache regardless of
2363 their size and thus optimizes byte hit rate at the expense of
2364 hit rate since one large, popular object will prevent many
2365 smaller, slightly less popular objects from being cached.
0976f8db 2366
41bd17a4 2367 Both policies utilize a dynamic aging mechanism that prevents
2368 cache pollution that can otherwise occur with frequency-based
2369 replacement policies.
7d90757b 2370
41bd17a4 2371 NOTE: if using the LFUDA replacement policy you should increase
2372 the value of maximum_object_size above its default of 4096 KB to
2373 to maximize the potential byte hit rate improvement of LFUDA.
dc1af3cf 2374
41bd17a4 2375 For more information about the GDSF and LFUDA cache replacement
2376 policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
2377 and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
6b698a21 2378DOC_END
0976f8db 2379
41bd17a4 2380NAME: cache_dir
2381TYPE: cachedir
2382DEFAULT: none
41bd17a4 2383LOC: Config.cacheSwap
6b698a21 2384DOC_START
41bd17a4 2385 Usage:
0976f8db 2386
41bd17a4 2387 cache_dir Type Directory-Name Fs-specific-data [options]
0976f8db 2388
41bd17a4 2389 You can specify multiple cache_dir lines to spread the
2390 cache among different disk partitions.
0976f8db 2391
41bd17a4 2392 Type specifies the kind of storage system to use. Only "ufs"
2393 is built by default. To enable any of the other storage systems
2394 see the --enable-storeio configure option.
0976f8db 2395
41bd17a4 2396 'Directory' is a top-level directory where cache swap
2397 files will be stored. If you want to use an entire disk
2398 for caching, this can be the mount-point directory.
2399 The directory must exist and be writable by the Squid
2400 process. Squid will NOT create this directory for you.
0976f8db 2401
41bd17a4 2402 The ufs store type:
0976f8db 2403
41bd17a4 2404 "ufs" is the old well-known Squid storage format that has always
2405 been there.
0976f8db 2406
41bd17a4 2407 cache_dir ufs Directory-Name Mbytes L1 L2 [options]
0976f8db 2408
41bd17a4 2409 'Mbytes' is the amount of disk space (MB) to use under this
2410 directory. The default is 100 MB. Change this to suit your
2411 configuration. Do NOT put the size of your disk drive here.
2412 Instead, if you want Squid to use the entire disk drive,
2413 subtract 20% and use that value.
0976f8db 2414
41bd17a4 2415 'Level-1' is the number of first-level subdirectories which
2416 will be created under the 'Directory'. The default is 16.
0976f8db 2417
41bd17a4 2418 'Level-2' is the number of second-level subdirectories which
2419 will be created under each first-level directory. The default
2420 is 256.
0976f8db 2421
41bd17a4 2422 The aufs store type:
7f7db318 2423
41bd17a4 2424 "aufs" uses the same storage format as "ufs", utilizing
2425 POSIX-threads to avoid blocking the main Squid process on
2426 disk-I/O. This was formerly known in Squid as async-io.
38f9c547 2427
41bd17a4 2428 cache_dir aufs Directory-Name Mbytes L1 L2 [options]
38f9c547 2429
41bd17a4 2430 see argument descriptions under ufs above
38f9c547 2431
41bd17a4 2432 The diskd store type:
38f9c547 2433
41bd17a4 2434 "diskd" uses the same storage format as "ufs", utilizing a
2435 separate process to avoid blocking the main Squid process on
2436 disk-I/O.
4c3ef9b2 2437
41bd17a4 2438 cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
0976f8db 2439
41bd17a4 2440 see argument descriptions under ufs above
0976f8db 2441
41bd17a4 2442 Q1 specifies the number of unacknowledged I/O requests when Squid
2443 stops opening new files. If this many messages are in the queues,
2444 Squid won't open new files. Default is 64
0976f8db 2445
41bd17a4 2446 Q2 specifies the number of unacknowledged messages when Squid
2447 starts blocking. If this many messages are in the queues,
2448 Squid blocks until it receives some replies. Default is 72
0976f8db 2449
41bd17a4 2450 When Q1 < Q2 (the default), the cache directory is optimized
2451 for lower response time at the expense of a decrease in hit
2452 ratio. If Q1 > Q2, the cache directory is optimized for
2453 higher hit ratio at the expense of an increase in response
2454 time.
0976f8db 2455
41bd17a4 2456 The coss store type:
0976f8db 2457
db263d62
AJ		 2458 NP: COSS filesystem in Squid-3 has been deemed too unstable for
2459 production use and has thus been removed from this release.
2460 We hope that it can be made usable again soon.
2461
41bd17a4 2462 block-size=n defines the "block size" for COSS cache_dir's.
2463 Squid uses file numbers as block numbers. Since file numbers
2464 are limited to 24 bits, the block size determines the maximum
2465 size of the COSS partition. The default is 512 bytes, which
2466 leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
2467 you should not change the coss block size after Squid
2468 has written some objects to the cache_dir.
0976f8db 2469
41bd17a4 2470 The coss file store has changed from 2.5. Now it uses a file
2471 called 'stripe' in the directory names in the config - and
2472 this will be created by squid -z.
0976f8db 2473
41bd17a4 2474 Common options:
0976f8db 2475
41bd17a4 2476 no-store, no new objects should be stored to this cache_dir
0976f8db 2477
41bd17a4 2478 max-size=n, refers to the max object size this storedir supports.
2479 It is used to initially choose the storedir to dump the object.
2480 Note: To make optimal use of the max-size limits you should order
2481 the cache_dir lines with the smallest max-size value first and the
2482 ones with no max-size specification last.
0976f8db 2483
41bd17a4 2484 Note for coss, max-size must be less than COSS_MEMBUF_SZ,
2485 which can be changed with the --with-coss-membuf-size=N configure
2486 option.
bebc043b 2487NOCOMMENT_START
e0855596
AJ		 2488
2489# Uncomment and adjust the following to add a disk cache directory.
2490#cache_dir ufs @DEFAULT_SWAP_DIR@ 100 16 256
bebc043b 2491NOCOMMENT_END
6b698a21 2492DOC_END
0976f8db 2493
41bd17a4 2494NAME: store_dir_select_algorithm
2495TYPE: string
2496LOC: Config.store_dir_select_algorithm
2497DEFAULT: least-load
6b698a21 2498DOC_START
41bd17a4 2499 Set this to 'round-robin' as an alternative.
6b698a21 2500DOC_END
0976f8db 2501
41bd17a4 2502NAME: max_open_disk_fds
2503TYPE: int
2504LOC: Config.max_open_disk_fds
2505DEFAULT: 0
6b698a21 2506DOC_START
41bd17a4 2507 To avoid having disk as the I/O bottleneck Squid can optionally
2508 bypass the on-disk cache if more than this amount of disk file
2509 descriptors are open.
2510
2511 A value of 0 indicates no limit.
6b698a21 2512DOC_END
0976f8db 2513
41bd17a4 2514NAME: minimum_object_size
6b698a21 2515COMMENT: (bytes)
47f6e231 2516TYPE: b_int64_t
6b698a21 2517DEFAULT: 0 KB
41bd17a4 2518LOC: Config.Store.minObjectSize
6b698a21 2519DOC_START
41bd17a4 2520 Objects smaller than this size will NOT be saved on disk. The
2521 value is specified in kilobytes, and the default is 0 KB, which
2522 means there is no minimum.
6b698a21 2523DOC_END
0976f8db 2524
41bd17a4 2525NAME: maximum_object_size
2526COMMENT: (bytes)
2527TYPE: b_int64_t
2528DEFAULT: 4096 KB
2529LOC: Config.Store.maxObjectSize
777831e0 2530DOC_START
41bd17a4 2531 Objects larger than this size will NOT be saved on disk. The
2532 value is specified in kilobytes, and the default is 4MB. If
2533 you wish to get a high BYTES hit ratio, you should probably
2534 increase this (one 32 MB object hit counts for 3200 10KB
2535 hits). If you wish to increase speed more than your want to
2536 save bandwidth you should leave this low.
777831e0 2537
41bd17a4 2538 NOTE: if using the LFUDA replacement policy you should increase
2539 this value to maximize the byte hit rate improvement of LFUDA!
2540 See replacement_policy below for a discussion of this policy.
6b698a21 2541DOC_END
0976f8db 2542
41bd17a4 2543NAME: cache_swap_low
2544COMMENT: (percent, 0-100)
5473c134 2545TYPE: int
41bd17a4 2546DEFAULT: 90
2547LOC: Config.Swap.lowWaterMark
2548DOC_NONE
2549
2550NAME: cache_swap_high
2551COMMENT: (percent, 0-100)
2552TYPE: int
2553DEFAULT: 95
2554LOC: Config.Swap.highWaterMark
6b698a21 2555DOC_START
41bd17a4 2556
2557 The low- and high-water marks for cache object replacement.
2558 Replacement begins when the swap (disk) usage is above the
2559 low-water mark and attempts to maintain utilization near the
2560 low-water mark. As swap utilization gets close to high-water
2561 mark object eviction becomes more aggressive. If utilization is
2562 close to the low-water mark less replacement is done each time.
2563
2564 Defaults are 90% and 95%. If you have a large cache, 5% could be
2565 hundreds of MB. If this is the case you may wish to set these
2566 numbers closer together.
6b698a21 2567DOC_END
0976f8db 2568
5473c134 2569COMMENT_START
41bd17a4 2570 LOGFILE OPTIONS
5473c134 2571 -----------------------------------------------------------------------------
2572COMMENT_END
0976f8db 2573
41bd17a4 2574NAME: logformat
2575TYPE: logformat
2576LOC: Config.Log.logformats
5473c134 2577DEFAULT: none
6b698a21 2578DOC_START
41bd17a4 2579 Usage:
0976f8db 2580
41bd17a4 2581 logformat <name> <format specification>
0976f8db 2582
41bd17a4 2583 Defines an access log format.
6b698a21 2584
41bd17a4 2585 The <format specification> is a string with embedded % format codes
5473c134 2586
41bd17a4 2587 % format codes all follow the same basic structure where all but
2588 the formatcode is optional. Output strings are automatically escaped
2589 as required according to their context and the output format
2590 modifiers are usually not needed, but can be specified if an explicit
2591 output format is desired.
6b698a21 2592
41bd17a4 2593 % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
0976f8db 2594
41bd17a4 2595 " output in quoted string format
2596 [ output in squid text log format as used by log_mime_hdrs
2597 # output in URL quoted format
2598 ' output as-is
5473c134 2599
41bd17a4 2600 - left aligned
2601 width field width. If starting with 0 the
2602 output is zero padded
2603 {arg} argument such as header name etc
5473c134 2604
41bd17a4 2605 Format codes:
5473c134 2606
3ff65596 2607 % a literal % character
41bd17a4 2608 >a Client source IP address
2609 >A Client FQDN
2610 >p Client source port
2611 <A Server IP address or peer name
2612 la Local IP address (http_port)
2613 lp Local port number (http_port)
152e24b3 2614 <lp Local port number of the last server or peer connection
17fde513 2615 sn Unique sequence number per log line entry
41bd17a4 2616 ts Seconds since epoch
2617 tu subsecond time (milliseconds)
2618 tl Local time. Optional strftime format argument
3ff65596 2619 default %d/%b/%Y:%H:%M:%S %z
41bd17a4 2620 tg GMT time. Optional strftime format argument
3ff65596 2621 default %d/%b/%Y:%H:%M:%S %z
41bd17a4 2622 tr Response time (milliseconds)
3ff65596
AR		 2623 dt Total time spent making DNS lookups (milliseconds)
2624
2625 HTTP cache related format codes:
2626
ca2e92d8 2627 [http::]>h Original request header. Optional header name argument
3ff65596 2628 on the format header[:[separator]element]
6fca33e0
CT		 2629 [http::]>ha The HTTP request headers after adaptation and redirection.
2630 Optional header name argument as for >h
3ff65596
AR		 2631 [http::]<h Reply header. Optional header name argument
2632 as for >h
2633 [http::]un User name
2634 [http::]ul User name from authentication
2635 [http::]ui User name from ident
2636 [http::]us User name from SSL
2637 [http::]ue User name from external acl helper
2638 [http::]>Hs HTTP status code sent to the client
2639 [http::]<Hs HTTP status code received from the next hop
2640 [http::]Ss Squid request status (TCP_MISS etc)
2641 [http::]Sh Squid hierarchy status (DEFAULT_PARENT etc)
2642 [http::]mt MIME content type
2643 [http::]rm Request method (GET/POST etc)
2644 [http::]ru Request URL
2645 [http::]rp Request URL-Path excluding hostname
2646 [http::]rv Request protocol version
2647 [http::]et Tag returned by external acl
2648 [http::]ea Log string returned by external acl
2649 [http::]<st Sent reply size including HTTP headers
2650 [http::]>st Received request size including HTTP headers. In the
2651 case of chunked requests the chunked encoding metadata
2652 are not included
2653 [http::]>sh Received HTTP request headers size
2654 [http::]<sh Sent HTTP reply headers size
2655 [http::]st Request+Reply size including HTTP headers
2656 [http::]<sH Reply high offset sent
2657 [http::]<sS Upstream object size
2658 [http::]<pt Peer response time in milliseconds. The timer starts
2659 when the last request byte is sent to the next hop
2660 and stops when the last response byte is received.
2661 [http::]<tt Total server-side time in milliseconds. The timer
2662 starts with the first connect request (or write I/O)
2663 sent to the first selected peer. The timer stops
2664 with the last I/O with the last peer.
2665
2666 If ICAP is enabled, the following two codes become available (as
2667 well as ICAP log codes documented with the icap_log option):
2668
2669 icap::tt Total ICAP processing time for the HTTP
2670 transaction. The timer ticks when ICAP
2671 ACLs are checked and when ICAP
2672 transaction is in progress.
2673
2674 icap::<last_h The header of the last ICAP response
2675 related to the HTTP transaction. Like
2676 <h, accepts an optional header name
2677 argument. Will not change semantics
2678 when multiple ICAP transactions per HTTP
2679 transaction are supported.
2680
2681 If adaptation is enabled the following two codes become available:
2682
2683 adapt::sum_trs Summed adaptation transaction response
2684 times recorded as a comma-separated list in
2685 the order of transaction start time. Each time
2686 value is recorded as an integer number,
2687 representing response time of one or more
2688 adaptation (ICAP or eCAP) transaction in
2689 milliseconds. When a failed transaction is
2690 being retried or repeated, its time is not
2691 logged individually but added to the
2692 replacement (next) transaction. See also:
2693 adapt::all_trs.
2694
2695 adapt::all_trs All adaptation transaction response times.
2696 Same as adaptation_strs but response times of
2697 individual transactions are never added
2698 together. Instead, all transaction response
2699 times are recorded individually.
2700
2701 You can prefix adapt::*_trs format codes with adaptation
2702 service name in curly braces to record response time(s) specific
2703 to that service. For example: %{my_service}adapt::sum_trs
5473c134 2704
7d9acc3c
AJ		 2705 The default formats available (which do not need re-defining) are:
2706
3ff65596
AR		 2707logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
2708logformat squidmime %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
2709logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
2710logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
5473c134 2711DOC_END
2712
41bd17a4 2713NAME: access_log cache_access_log
2714TYPE: access_log
2715LOC: Config.Log.accesslogs
02424612 2716DEFAULT: none
82b7abe3 2717DEFAULT_IF_NONE: daemon:@DEFAULT_ACCESS_LOG@ squid
5473c134 2718DOC_START
41bd17a4 2719 These files log client request activities. Has a line every HTTP or
2720 ICP request. The format is:
82b7abe3 2721 access_log <module>:<place> [<logformat name> [acl acl ...]]
41bd17a4 2722 access_log none [acl acl ...]]
82b7abe3
AJ		 2723
2724 Will log to the specified module:place using the specified format (which
41bd17a4 2725 must be defined in a logformat directive) those entries which match
2726 ALL the acl's specified (which must be defined in acl clauses).
82b7abe3
AJ		 2727 If no acl is specified, all requests will be logged to this destination.
2728
2729 ===== Modules Currently available =====
2730
2731 none Do not log any requests matchign these ACL.
2732 Do not specify Place or logformat name.
2733
2734 stdio Write each log line to disk immediately at the completion of
2735 each request.
2736 Place: the filename and path to be written.
2737
2738 daemon Very similar to stdio. But instead of writing to disk the log
2739 line is passed to a daemon helper for asychronous handling instead.
2740 Place: varies depending on the daemon.
2741
2742 log_file_daemon Place: the file name and path to be written.
2743
2744 syslog To log each request via syslog facility.
2745 Place: The syslog facility and priority level for these entries.
2746 Place Format: facility.priority
5473c134 2747
82b7abe3
AJ		 2748 where facility could be any of:
2749 authpriv, daemon, local0 ... local7 or user.
5473c134 2750
82b7abe3
AJ		 2751 And priority could be any of:
2752 err, warning, notice, info, debug.
2753
2754 udp To send each log line as text data to a UDP receiver.
2755 Place: The destination host name or IP and port.
2756 Place Format: \\host:port
df2eec10 2757
2bf4e8fa
AJ		 2758 tcp To send each log line as text data to a TCP receiver.
2759 Place: The destination host name or IP and port.
2760 Place Format: \\host:port
df2eec10
AJ		 2761
2762 Default:
82b7abe3 2763 access_log daemon:@DEFAULT_ACCESS_LOG@ squid
41bd17a4 2764DOC_END
5473c134 2765
3ff65596
AR		 2766NAME: icap_log
2767TYPE: access_log
2768IFDEF: ICAP_CLIENT
2769LOC: Config.Log.icaplogs
2770DEFAULT: none
2771DOC_START
2772 ICAP log files record ICAP transaction summaries, one line per
2773 transaction.
2774
2775 The icap_log option format is:
2776 icap_log <filepath> [<logformat name> [acl acl ...]]
2777 icap_log none [acl acl ...]]
2778
2779 Please see access_log option documentation for details. The two
2780 kinds of logs share the overall configuration approach and many
2781 features.
2782
2783 ICAP processing of a single HTTP message or transaction may
2784 require multiple ICAP transactions. In such cases, multiple
2785 ICAP transaction log lines will correspond to a single access
2786 log line.
2787
2788 ICAP log uses logformat codes that make sense for an ICAP
2789 transaction. Header-related codes are applied to the HTTP header
2790 embedded in an ICAP server response, with the following caveats:
2791 For REQMOD, there is no HTTP response header unless the ICAP
2792 server performed request satisfaction. For RESPMOD, the HTTP
2793 request header is the header sent to the ICAP server. For
2794 OPTIONS, there are no HTTP headers.
2795
2796 The following format codes are also available for ICAP logs:
2797
2798 icap::<A ICAP server IP address. Similar to <A.
2799
2800 icap::<service_name ICAP service name from the icap_service
2801 option in Squid configuration file.
2802
2803 icap::ru ICAP Request-URI. Similar to ru.
2804
2805 icap::rm ICAP request method (REQMOD, RESPMOD, or
2806 OPTIONS). Similar to existing rm.
2807
2808 icap::>st Bytes sent to the ICAP server (TCP payload
2809 only; i.e., what Squid writes to the socket).
2810
2811 icap::<st Bytes received from the ICAP server (TCP
2812 payload only; i.e., what Squid reads from
2813 the socket).
2814
2815 icap::tr Transaction response time (in
2816 milliseconds). The timer starts when
2817 the ICAP transaction is created and
2818 stops when the transaction is completed.
2819 Similar to tr.
2820
2821 icap::tio Transaction I/O time (in milliseconds). The
2822 timer starts when the first ICAP request
2823 byte is scheduled for sending. The timers
2824 stops when the last byte of the ICAP response
2825 is received.
2826
2827 icap::to Transaction outcome: ICAP_ERR* for all
2828 transaction errors, ICAP_OPT for OPTION
2829 transactions, ICAP_ECHO for 204
2830 responses, ICAP_MOD for message
2831 modification, and ICAP_SAT for request
2832 satisfaction. Similar to Ss.
2833
2834 icap::Hs ICAP response status code. Similar to Hs.
2835
2836 icap::>h ICAP request header(s). Similar to >h.
2837
2838 icap::<h ICAP response header(s). Similar to <h.
2839
2840 The default ICAP log format, which can be used without an explicit
2841 definition, is called icap_squid:
2842
2843logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
2844
2845 See also: logformat, log_icap, and %icap::<last_h
2846DOC_END
2847
82b7abe3
AJ		 2848NAME: logfile_daemon
2849TYPE: string
2850DEFAULT: @DEFAULT_LOGFILED@
2851LOC: Log::TheConfig.logfile_daemon
2852DOC_START
2853 Specify the path to the logfile-writing daemon. This daemon is
2854 used to write the access and store logs, if configured.
2855DOC_END
2856
5b0f5383 2857NAME: log_access
2858TYPE: acl_access
2859LOC: Config.accessList.log
2860DEFAULT: none
2861COMMENT: allow|deny acl acl...
2862DOC_START
2863 This options allows you to control which requests gets logged
2864 to access.log (see access_log directive). Requests denied for
2865 logging will also not be accounted for in performance counters.
b3567eb5
FC		 2866
2867 This clause only supports fast acl types.
2868 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
5b0f5383 2869DOC_END
2870
3ff65596
AR		 2871NAME: log_icap
2872TYPE: acl_access
2873IFDEF: ICAP_CLIENT
2874LOC: Config.accessList.icap
2875DEFAULT: none
2876DOC_START
2877 This options allows you to control which requests get logged
2878 to icap.log. See the icap_log directive for ICAP log details.
2879DOC_END
2880
41bd17a4 2881NAME: cache_store_log
2882TYPE: string
df2eec10 2883DEFAULT: none
41bd17a4 2884LOC: Config.Log.store
2885DOC_START
2886 Logs the activities of the storage manager. Shows which
2887 objects are ejected from the cache, and which objects are
df2eec10
AJ		 2888 saved and for how long. To disable, enter "none" or remove the line.
2889 There are not really utilities to analyze this data, so you can safely
41bd17a4 2890 disable it.
e0855596
AJ		 2891
2892 Example:
2893 cache_store_log @DEFAULT_STORE_LOG@
5473c134 2894DOC_END
2895
41bd17a4 2896NAME: cache_swap_state cache_swap_log
2897TYPE: string
2898LOC: Config.Log.swap
5473c134 2899DEFAULT: none
2900DOC_START
41bd17a4 2901 Location for the cache "swap.state" file. This index file holds
2902 the metadata of objects saved on disk. It is used to rebuild
2903 the cache during startup. Normally this file resides in each
2904 'cache_dir' directory, but you may specify an alternate
2905 pathname here. Note you must give a full filename, not just
2906 a directory. Since this is the index for the whole object
2907 list you CANNOT periodically rotate it!
5473c134 2908
41bd17a4 2909 If %s can be used in the file name it will be replaced with a
2910 a representation of the cache_dir name where each / is replaced
2911 with '.'. This is needed to allow adding/removing cache_dir
2912 lines when cache_swap_log is being used.
5473c134 2913
41bd17a4 2914 If have more than one 'cache_dir', and %s is not used in the name
2915 these swap logs will have names such as:
5473c134 2916
41bd17a4 2917 cache_swap_log.00
2918 cache_swap_log.01
2919 cache_swap_log.02
5473c134 2920
41bd17a4 2921 The numbered extension (which is added automatically)
2922 corresponds to the order of the 'cache_dir' lines in this
2923 configuration file. If you change the order of the 'cache_dir'
2924 lines in this file, these index files will NOT correspond to
2925 the correct 'cache_dir' entry (unless you manually rename
2926 them). We recommend you do NOT use this option. It is
2927 better to keep these index files in each 'cache_dir' directory.
5473c134 2928DOC_END
2929
41bd17a4 2930NAME: logfile_rotate
2931TYPE: int
2932DEFAULT: 10
2933LOC: Config.Log.rotateNumber
5473c134 2934DOC_START
41bd17a4 2935 Specifies the number of logfile rotations to make when you
2936 type 'squid -k rotate'. The default is 10, which will rotate
2937 with extensions 0 through 9. Setting logfile_rotate to 0 will
2938 disable the file name rotation, but the logfiles are still closed
2939 and re-opened. This will enable you to rename the logfiles
2940 yourself just before sending the rotate signal.
5473c134 2941
41bd17a4 2942 Note, the 'squid -k rotate' command normally sends a USR1
2943 signal to the running squid process. In certain situations
2944 (e.g. on Linux with Async I/O), USR1 is used for other
2945 purposes, so -k rotate uses another signal. It is best to get
2946 in the habit of using 'squid -k rotate' instead of 'kill -USR1
2947 <pid>'.
62493678
AJ		 2948
2949 Note, from Squid-3.1 this option has no effect on the cache.log,
2950 that log can be rotated separately by using debug_options
41bd17a4 2951DOC_END
5473c134 2952
41bd17a4 2953NAME: emulate_httpd_log
2954COMMENT: on|off
2955TYPE: onoff
2956DEFAULT: off
2957LOC: Config.onoff.common_log
2958DOC_START
2959 The Cache can emulate the log file format which many 'httpd'
2960 programs use. To disable/enable this emulation, set
2961 emulate_httpd_log to 'off' or 'on'. The default
2962 is to use the native log format since it includes useful
2963 information Squid-specific log analyzers use.
5473c134 2964DOC_END
2965
41bd17a4 2966NAME: log_ip_on_direct
2967COMMENT: on|off
2968TYPE: onoff
5473c134 2969DEFAULT: on
41bd17a4 2970LOC: Config.onoff.log_ip_on_direct
5473c134 2971DOC_START
41bd17a4 2972 Log the destination IP address in the hierarchy log tag when going
2973 direct. Earlier Squid versions logged the hostname here. If you
2974 prefer the old way set this to off.
2975DOC_END
5473c134 2976
41bd17a4 2977NAME: mime_table
2978TYPE: string
2979DEFAULT: @DEFAULT_MIME_TABLE@
2980LOC: Config.mimeTablePathname
2981DOC_START
2982 Pathname to Squid's MIME table. You shouldn't need to change
2983 this, but the default file contains examples and formatting
2984 information if you do.
5473c134 2985DOC_END
2986
41bd17a4 2987NAME: log_mime_hdrs
2988COMMENT: on|off
2989TYPE: onoff
2990LOC: Config.onoff.log_mime_hdrs
2991DEFAULT: off
2992DOC_START
2993 The Cache can record both the request and the response MIME
2994 headers for each HTTP transaction. The headers are encoded
2995 safely and will appear as two bracketed fields at the end of
2996 the access log (for either the native or httpd-emulated log
2997 formats). To enable this logging set log_mime_hdrs to 'on'.
2998DOC_END
5473c134 2999
41bd17a4 3000NAME: useragent_log
3001TYPE: string
3002LOC: Config.Log.useragent
3003DEFAULT: none
3004IFDEF: USE_USERAGENT_LOG
5473c134 3005DOC_START
41bd17a4 3006 Squid will write the User-Agent field from HTTP requests
3007 to the filename specified here. By default useragent_log
3008 is disabled.
5473c134 3009DOC_END
3010
41bd17a4 3011NAME: referer_log referrer_log
3012TYPE: string
3013LOC: Config.Log.referer
3014DEFAULT: none
3015IFDEF: USE_REFERER_LOG
5473c134 3016DOC_START
41bd17a4 3017 Squid will write the Referer field from HTTP requests to the
3018 filename specified here. By default referer_log is disabled.
3019 Note that "referer" is actually a misspelling of "referrer"
3020 however the misspelt version has been accepted into the HTTP RFCs
3021 and we accept both.
5473c134 3022DOC_END
3023
41bd17a4 3024NAME: pid_filename
3025TYPE: string
3026DEFAULT: @DEFAULT_PID_FILE@
3027LOC: Config.pidFilename
5473c134 3028DOC_START
41bd17a4 3029 A filename to write the process-id to. To disable, enter "none".
5473c134 3030DOC_END
3031
41bd17a4 3032NAME: log_fqdn
3033COMMENT: on|off
3034TYPE: onoff
3035DEFAULT: off
3036LOC: Config.onoff.log_fqdn
5473c134 3037DOC_START
41bd17a4 3038 Turn this on if you wish to log fully qualified domain names
3039 in the access.log. To do this Squid does a DNS lookup of all
3040 IP's connecting to it. This can (in some situations) increase
3041 latency, which makes your cache seem slower for interactive
3042 browsing.
5473c134 3043DOC_END
3044
41bd17a4 3045NAME: client_netmask
3046TYPE: address
3047LOC: Config.Addrs.client_netmask
0eb08770 3048DEFAULT: no_addr
5473c134 3049DOC_START
41bd17a4 3050 A netmask for client addresses in logfiles and cachemgr output.
3051 Change this to protect the privacy of your cache clients.
3052 A netmask of 255.255.255.0 will log all IP's in that range with
3053 the last digit set to '0'.
5473c134 3054DOC_END
3055
41bd17a4 3056NAME: forward_log
3057IFDEF: WIP_FWD_LOG
3058TYPE: string
3059DEFAULT: none
3060LOC: Config.Log.forward
5473c134 3061DOC_START
41bd17a4 3062 Logs the server-side requests.
5473c134 3063
41bd17a4 3064 This is currently work in progress.
5473c134 3065DOC_END
3066
41bd17a4 3067NAME: strip_query_terms
5473c134 3068TYPE: onoff
41bd17a4 3069LOC: Config.onoff.strip_query_terms
5473c134 3070DEFAULT: on
3071DOC_START
41bd17a4 3072 By default, Squid strips query terms from requested URLs before
3073 logging. This protects your user's privacy.
5473c134 3074DOC_END
3075
41bd17a4 3076NAME: buffered_logs
3077COMMENT: on|off
3078TYPE: onoff
3079DEFAULT: off
3080LOC: Config.onoff.buffered_logs
5473c134 3081DOC_START
41bd17a4 3082 cache.log log file is written with stdio functions, and as such
3083 it can be buffered or unbuffered. By default it will be unbuffered.
3084 Buffering it can speed up the writing slightly (though you are
3085 unlikely to need to worry unless you run with tons of debugging
3086 enabled in which case performance will suffer badly anyway..).
6b698a21 3087DOC_END
0976f8db 3088
2b753521 3089NAME: netdb_filename
3090TYPE: string
3091DEFAULT: @DEFAULT_NETDB_FILE@
3092LOC: Config.netdbFilename
fb6a61d1 3093IFDEF: USE_ICMP
2b753521 3094DOC_START
3095 A filename where Squid stores it's netdb state between restarts.
3096 To disable, enter "none".
3097DOC_END
3098
62493678
AJ		 3099COMMENT_START
3100 OPTIONS FOR TROUBLESHOOTING
3101 -----------------------------------------------------------------------------
3102COMMENT_END
3103
3104NAME: cache_log
3105TYPE: string
3106DEFAULT: none
3107DEFAULT_IF_NONE: @DEFAULT_CACHE_LOG@
3108LOC: Debug::cache_log
3109DOC_START
3110 Cache logging file. This is where general information about
3111 your cache's behavior goes. You can increase the amount of data
3112 logged to this file and how often its rotated with "debug_options"
3113DOC_END
3114
3115NAME: debug_options
3116TYPE: eol
47df1aa7 3117DEFAULT: ALL,1
62493678
AJ		 3118LOC: Debug::debugOptions
3119DOC_START
3120 Logging options are set as section,level where each source file
3121 is assigned a unique section. Lower levels result in less
3122 output, Full debugging (level 9) can result in a very large
3123 log file, so be careful.
3124
3125 The magic word "ALL" sets debugging levels for all sections.
3126 We recommend normally running with "ALL,1".
3127
47df1aa7
AJ		 3128 The rotate=N option can be used to keep more or less of these logs
3129 than would otherwise be kept by logfile_rotate.
62493678
AJ		 3130 For most uses a single log should be enough to monitor current
3131 events affecting Squid.
3132DOC_END
3133
3134NAME: coredump_dir
3135TYPE: string
3136LOC: Config.coredump_dir
3137DEFAULT: none
3138DEFAULT_IF_NONE: none
3139DOC_START
3140 By default Squid leaves core files in the directory from where
3141 it was started. If you set 'coredump_dir' to a directory
3142 that exists, Squid will chdir() to that directory at startup
3143 and coredump files will be left there.
3144
3145NOCOMMENT_START
e0855596 3146
62493678
AJ		 3147# Leave coredumps in the first cache dir
3148coredump_dir @DEFAULT_SWAP_DIR@
3149NOCOMMENT_END
3150DOC_END
3151
3152
41bd17a4 3153COMMENT_START
3154 OPTIONS FOR FTP GATEWAYING
3155 -----------------------------------------------------------------------------
3156COMMENT_END
3157
3158NAME: ftp_user
3159TYPE: string
3160DEFAULT: Squid@
3161LOC: Config.Ftp.anon_user
6b698a21 3162DOC_START
41bd17a4 3163 If you want the anonymous login password to be more informative
3164 (and enable the use of picky ftp servers), set this to something
3165 reasonable for your domain, like wwwuser@somewhere.net
7f7db318 3166
41bd17a4 3167 The reason why this is domainless by default is the
3168 request can be made on the behalf of a user in any domain,
3169 depending on how the cache is used.
3170 Some ftp server also validate the email address is valid
3171 (for example perl.com).
6b698a21 3172DOC_END
0976f8db 3173
41bd17a4 3174NAME: ftp_passive
3175TYPE: onoff
3176DEFAULT: on
3177LOC: Config.Ftp.passive
6b698a21 3178DOC_START
41bd17a4 3179 If your firewall does not allow Squid to use passive
3180 connections, turn off this option.
a689bd4e 3181
3182 Use of ftp_epsv_all option requires this to be ON.
3183DOC_END
3184
3185NAME: ftp_epsv_all
3186TYPE: onoff
3187DEFAULT: off
3188LOC: Config.Ftp.epsv_all
3189DOC_START
3190 FTP Protocol extensions permit the use of a special "EPSV ALL" command.
3191
3192 NATs may be able to put the connection on a "fast path" through the
3193 translator, as the EPRT command will never be used and therefore,
3194 translation of the data portion of the segments will never be needed.
3195
b3567eb5
FC		 3196 When a client only expects to do two-way FTP transfers this may be
3197 useful.
a689bd4e 3198 If squid finds that it must do a three-way FTP transfer after issuing
3199 an EPSV ALL command, the FTP session will fail.
3200
3201 If you have any doubts about this option do not use it.
3202 Squid will nicely attempt all other connection methods.
3203
51ee534d
AJ		 3204 Requires ftp_passive to be ON (default) for any effect.
3205DOC_END
3206
3207NAME: ftp_epsv
3208TYPE: onoff
3209DEFAULT: on
3210LOC: Config.Ftp.epsv
3211DOC_START
3212 FTP Protocol extensions permit the use of a special "EPSV" command.
3213
3214 NATs may be able to put the connection on a "fast path" through the
b3567eb5
FC		 3215 translator using EPSV, as the EPRT command will never be used
3216 and therefore, translation of the data portion of the segments
3217 will never be needed.
51ee534d
AJ		 3218
3219 Turning this OFF will prevent EPSV being attempted.
3220 WARNING: Doing so will convert Squid back to the old behavior with all
3221 the related problems with external NAT devices/layers.
3222
3223 Requires ftp_passive to be ON (default) for any effect.
41bd17a4 3224DOC_END
9e7dbc51 3225
41bd17a4 3226NAME: ftp_sanitycheck
3227TYPE: onoff
3228DEFAULT: on
3229LOC: Config.Ftp.sanitycheck
3230DOC_START
3231 For security and data integrity reasons Squid by default performs
3232 sanity checks of the addresses of FTP data connections ensure the
3233 data connection is to the requested server. If you need to allow
3234 FTP connections to servers using another IP address for the data
3235 connection turn this off.
3236DOC_END
9e7dbc51 3237
41bd17a4 3238NAME: ftp_telnet_protocol
3239TYPE: onoff
3240DEFAULT: on
3241LOC: Config.Ftp.telnet
3242DOC_START
3243 The FTP protocol is officially defined to use the telnet protocol
3244 as transport channel for the control connection. However, many
3245 implementations are broken and does not respect this aspect of
3246 the FTP protocol.
3247
3248 If you have trouble accessing files with ASCII code 255 in the
3249 path or similar problems involving this ASCII code you can
3250 try setting this directive to off. If that helps, report to the
3251 operator of the FTP server in question that their FTP server
3252 is broken and does not follow the FTP standard.
3253DOC_END
3254
3255COMMENT_START
3256 OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
3257 -----------------------------------------------------------------------------
3258COMMENT_END
3259
3260NAME: diskd_program
3261TYPE: string
3262DEFAULT: @DEFAULT_DISKD@
3263LOC: Config.Program.diskd
3264DOC_START
3265 Specify the location of the diskd executable.
3266 Note this is only useful if you have compiled in
3267 diskd as one of the store io modules.
3268DOC_END
3269
3270NAME: unlinkd_program
3271IFDEF: USE_UNLINKD
3272TYPE: string
3273DEFAULT: @DEFAULT_UNLINKD@
3274LOC: Config.Program.unlinkd
3275DOC_START
3276 Specify the location of the executable for file deletion process.
3277DOC_END
3278
3279NAME: pinger_program
3280TYPE: string
3281DEFAULT: @DEFAULT_PINGER@
cc192b50 3282LOC: Config.pinger.program
41bd17a4 3283IFDEF: USE_ICMP
3284DOC_START
3285 Specify the location of the executable for the pinger process.
3286DOC_END
3287
cc192b50 3288NAME: pinger_enable
3289TYPE: onoff
3290DEFAULT: on
3291LOC: Config.pinger.enable
3292IFDEF: USE_ICMP
3293DOC_START
3294 Control whether the pinger is active at run-time.
b3567eb5
FC		 3295 Enables turning ICMP pinger on and off with a simple
3296 squid -k reconfigure.
cc192b50 3297DOC_END
3298
3299
41bd17a4 3300COMMENT_START
3301 OPTIONS FOR URL REWRITING
3302 -----------------------------------------------------------------------------
3303COMMENT_END
3304
3305NAME: url_rewrite_program redirect_program
3306TYPE: wordlist
3307LOC: Config.Program.redirect
3308DEFAULT: none
3309DOC_START
3310 Specify the location of the executable for the URL rewriter.
3311 Since they can perform almost any function there isn't one included.
3312
3313 For each requested URL rewriter will receive on line with the format
3314
c71adec1 3315 URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
3316
3317 In the future, the rewriter interface will be extended with
3318 key=value pairs ("kvpairs" shown above). Rewriter programs
3319 should be prepared to receive and possibly ignore additional
3320 whitespace-separated tokens on each input line.
41bd17a4 3321
3322 And the rewriter may return a rewritten URL. The other components of
3323 the request line does not need to be returned (ignored if they are).
3324
3325 The rewriter can also indicate that a client-side redirect should
3326 be performed to the new URL. This is done by prefixing the returned
3327 URL with "301:" (moved permanently) or 302: (moved temporarily).
3328
3329 By default, a URL rewriter is not used.
3330DOC_END
3331
3332NAME: url_rewrite_children redirect_children
48d54e4d 3333TYPE: HelperChildConfig
5b708d95 3334DEFAULT: 20 startup=0 idle=1 concurrency=0
41bd17a4 3335LOC: Config.redirectChildren
3336DOC_START
48d54e4d
AJ		 3337 The maximum number of redirector processes to spawn. If you limit
3338 it too few Squid will have to wait for them to process a backlog of
3339 URLs, slowing it down. If you allow too many they will use RAM
3340 and other system resources noticably.
3341
3342 The startup= and idle= options allow some measure of skew in your
3343 tuning.
3344
3345 startup=
3346
3347 Sets a minimum of how many processes are to be spawned when Squid
3348 starts or reconfigures. When set to zero the first request will
3349 cause spawning of the first child process to handle it.
3350
3351 Starting too few will cause an initial slowdown in traffic as Squid
3352 attempts to simultaneously spawn enough processes to cope.
3353
3354 idle=
3355
3356 Sets a minimum of how many processes Squid is to try and keep available
3357 at all times. When traffic begins to rise above what the existing
3358 processes can handle this many more will be spawned up to the maximum
3359 configured. A minimum setting of 1 is required.
3360
3361 concurrency=
41bd17a4 3362
41bd17a4 3363 The number of requests each redirector helper can handle in
3364 parallel. Defaults to 0 which indicates the redirector
3365 is a old-style single threaded redirector.
6a171502
AJ		 3366
3367 When this directive is set to a value >= 1 then the protocol
3368 used to communicate with the helper is modified to include
3369 a request ID in front of the request/response. The request
3370 ID from the request must be echoed back with the response
3371 to that request.
41bd17a4 3372DOC_END
3373
3374NAME: url_rewrite_host_header redirect_rewrites_host_header
3375TYPE: onoff
3376DEFAULT: on
3377LOC: Config.onoff.redir_rewrites_host
3378DOC_START
3379 By default Squid rewrites any Host: header in redirected
3380 requests. If you are running an accelerator this may
3381 not be a wanted effect of a redirector.
3382
3383 WARNING: Entries are cached on the result of the URL rewriting
3384 process, so be careful if you have domain-virtual hosts.
3385DOC_END
3386
3387NAME: url_rewrite_access redirector_access
3388TYPE: acl_access
3389DEFAULT: none
3390LOC: Config.accessList.redirector
3391DOC_START
3392 If defined, this access list specifies which requests are
3393 sent to the redirector processes. By default all requests
3394 are sent.
b3567eb5
FC		 3395
3396 This clause supports both fast and slow acl types.
3397 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
41bd17a4 3398DOC_END
3399
3400NAME: url_rewrite_bypass redirector_bypass
3401TYPE: onoff
3402LOC: Config.onoff.redirector_bypass
3403DEFAULT: off
3404DOC_START
3405 When this is 'on', a request will not go through the
3406 redirector if all redirectors are busy. If this is 'off'
3407 and the redirector queue grows too large, Squid will exit
3408 with a FATAL error and ask you to increase the number of
3409 redirectors. You should only enable this if the redirectors
3410 are not critical to your caching system. If you use
3411 redirectors for access control, and you enable this option,
3412 users may have access to pages they should not
3413 be allowed to request.
3414DOC_END
3415
3416COMMENT_START
3417 OPTIONS FOR TUNING THE CACHE
3418 -----------------------------------------------------------------------------
3419COMMENT_END
3420
f04b37d8 3421NAME: cache no_cache
3422TYPE: acl_access
3423DEFAULT: none
3424LOC: Config.accessList.noCache
41bd17a4 3425DOC_START
240887f0 3426 A list of ACL elements which, if matched and denied, cause the request to
f04b37d8 3427 not be satisfied from the cache and the reply to not be cached.
3428 In other words, use this to force certain objects to never be cached.
41bd17a4 3429
240887f0 3430 You must use the words 'allow' or 'deny' to indicate whether items
3431 matching the ACL should be allowed or denied into the cache.
f04b37d8 3432
240887f0 3433 Default is to allow all to be cached.
b3567eb5
FC		 3434
3435 This clause supports both fast and slow acl types.
3436 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
41bd17a4 3437DOC_END
3438
3439NAME: refresh_pattern
3440TYPE: refreshpattern
3441LOC: Config.Refresh
3442DEFAULT: none
3443DOC_START
3444 usage: refresh_pattern [-i] regex min percent max [options]
9e7dbc51 3445
6b698a21 3446 By default, regular expressions are CASE-SENSITIVE. To make
3447 them case-insensitive, use the -i option.
9e7dbc51 3448
41bd17a4 3449 'Min' is the time (in minutes) an object without an explicit
3450 expiry time should be considered fresh. The recommended
3451 value is 0, any higher values may cause dynamic applications
3452 to be erroneously cached unless the application designer
3453 has taken the appropriate actions.
9e7dbc51 3454
41bd17a4 3455 'Percent' is a percentage of the objects age (time since last
3456 modification age) an object without explicit expiry time
3457 will be considered fresh.
5b807763 3458
41bd17a4 3459 'Max' is an upper limit on how long objects without an explicit
3460 expiry time will be considered fresh.
9e7dbc51 3461
41bd17a4 3462 options: override-expire
3463 override-lastmod
3464 reload-into-ims
3465 ignore-reload
3466 ignore-no-cache
3467 ignore-no-store
4ca08219 3468 ignore-must-revalidate
41bd17a4 3469 ignore-private
3470 ignore-auth
3471 refresh-ims
3d8b6ba4 3472 store-stale
a0ec9f68 3473
41bd17a4 3474 override-expire enforces min age even if the server
9b2ad080
HN		 3475 sent an explicit expiry time (e.g., with the
3476 Expires: header or Cache-Control: max-age). Doing this
3477 VIOLATES the HTTP standard. Enabling this feature
3478 could make you liable for problems which it causes.
6468fe10 3479
04925576
AJ		 3480 Note: override-expire does not enforce staleness - it only extends
3481 freshness / min. If the server returns a Expires time which
3482 is longer than your max time, Squid will still consider
3483 the object fresh for that period of time.
3484
41bd17a4 3485 override-lastmod enforces min age even on objects
3486 that were modified recently.
934b03fc 3487
41bd17a4 3488 reload-into-ims changes client no-cache or ``reload''
3489 to If-Modified-Since requests. Doing this VIOLATES the
3490 HTTP standard. Enabling this feature could make you
3491 liable for problems which it causes.
dba79ac5 3492
41bd17a4 3493 ignore-reload ignores a client no-cache or ``reload''
3494 header. Doing this VIOLATES the HTTP standard. Enabling
3495 this feature could make you liable for problems which
3496 it causes.
9bc73deb 3497
41bd17a4 3498 ignore-no-cache ignores any ``Pragma: no-cache'' and
3499 ``Cache-control: no-cache'' headers received from a server.
3500 The HTTP RFC never allows the use of this (Pragma) header
3501 from a server, only a client, though plenty of servers
3502 send it anyway.
3503
3504 ignore-no-store ignores any ``Cache-control: no-store''
3505 headers received from a server. Doing this VIOLATES
3506 the HTTP standard. Enabling this feature could make you
3507 liable for problems which it causes.
3508
4ca08219
AJ		 3509 ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
3510 headers received from a server. Doing this VIOLATES
3511 the HTTP standard. Enabling this feature could make you
3512 liable for problems which it causes.
3513
41bd17a4 3514 ignore-private ignores any ``Cache-control: private''
3515 headers received from a server. Doing this VIOLATES
3516 the HTTP standard. Enabling this feature could make you
3517 liable for problems which it causes.
3518
3519 ignore-auth caches responses to requests with authorization,
3520 as if the originserver had sent ``Cache-control: public''
3521 in the response header. Doing this VIOLATES the HTTP standard.
3522 Enabling this feature could make you liable for problems which
3523 it causes.
3524
3525 refresh-ims causes squid to contact the origin server
3526 when a client issues an If-Modified-Since request. This
3527 ensures that the client will receive an updated version
3528 if one is available.
3529
3d8b6ba4
AJ		 3530 store-stale stores responses even if they don't have explicit
3531 freshness or a validator (i.e., Last-Modified or an ETag)
3532 present, or if they're already stale. By default, Squid will
3533 not cache such responses because they usually can't be
3534 reused. Note that such responses will be stale by default.
3535
41bd17a4 3536 Basically a cached object is:
3537
3538 FRESH if expires < now, else STALE
3539 STALE if age > max
3540 FRESH if lm-factor < percent, else STALE
3541 FRESH if age < min
3542 else STALE
3543
3544 The refresh_pattern lines are checked in the order listed here.
3545 The first entry which matches is used. If none of the entries
3546 match the default will be used.
3547
3548 Note, you must uncomment all the default lines if you want
3549 to change one. The default setting is only active if none is
3550 used.
3551
41bd17a4 3552NOCOMMENT_START
e0855596
AJ		 3553
3554# Add any of your own refresh_pattern entries above these.
41bd17a4 3555refresh_pattern ^ftp: 1440 20% 10080
3556refresh_pattern ^gopher: 1440 0% 1440
89db45fa 3557refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
41bd17a4 3558refresh_pattern . 0 20% 4320
3559NOCOMMENT_END
3560DOC_END
3561
3562NAME: quick_abort_min
3563COMMENT: (KB)
3564TYPE: kb_int64_t
3565DEFAULT: 16 KB
3566LOC: Config.quickAbort.min
3567DOC_NONE
3568
3569NAME: quick_abort_max
3570COMMENT: (KB)
3571TYPE: kb_int64_t
3572DEFAULT: 16 KB
3573LOC: Config.quickAbort.max
3574DOC_NONE
3575
3576NAME: quick_abort_pct
3577COMMENT: (percent)
3578TYPE: int
3579DEFAULT: 95
3580LOC: Config.quickAbort.pct
3581DOC_START
3582 The cache by default continues downloading aborted requests
3583 which are almost completed (less than 16 KB remaining). This
3584 may be undesirable on slow (e.g. SLIP) links and/or very busy
3585 caches. Impatient users may tie up file descriptors and
3586 bandwidth by repeatedly requesting and immediately aborting
3587 downloads.
3588
3589 When the user aborts a request, Squid will check the
3590 quick_abort values to the amount of data transfered until
3591 then.
3592
3593 If the transfer has less than 'quick_abort_min' KB remaining,
3594 it will finish the retrieval.
3595
3596 If the transfer has more than 'quick_abort_max' KB remaining,
3597 it will abort the retrieval.
3598
3599 If more than 'quick_abort_pct' of the transfer has completed,
3600 it will finish the retrieval.
3601
3602 If you do not want any retrieval to continue after the client
3603 has aborted, set both 'quick_abort_min' and 'quick_abort_max'
3604 to '0 KB'.
3605
3606 If you want retrievals to always continue if they are being
3607 cached set 'quick_abort_min' to '-1 KB'.
3608DOC_END
60d096f4 3609
41bd17a4 3610NAME: read_ahead_gap
3611COMMENT: buffer-size
3612TYPE: b_int64_t
3613LOC: Config.readAheadGap
3614DEFAULT: 16 KB
3615DOC_START
3616 The amount of data the cache will buffer ahead of what has been
3617 sent to the client when retrieving an object from another server.
3618DOC_END
53e738c6 3619
41bd17a4 3620NAME: negative_ttl
ac9cc053 3621IFDEF: HTTP_VIOLATIONS
41bd17a4 3622COMMENT: time-units
3623TYPE: time_t
3624LOC: Config.negativeTtl
ac9cc053 3625DEFAULT: 0 seconds
41bd17a4 3626DOC_START
ac9cc053
AJ		 3627 Set the Default Time-to-Live (TTL) for failed requests.
3628 Certain types of failures (such as "connection refused" and
3629 "404 Not Found") are able to be negatively-cached for a short time.
3630 Modern web servers should provide Expires: header, however if they
3631 do not this can provide a minimum TTL.
3632 The default is not to cache errors with unknown expiry details.
3633
3634 Note that this is different from negative caching of DNS lookups.
39956c7c
AJ		 3635
3636 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3637 this feature could make you liable for problems which it
3638 causes.
41bd17a4 3639DOC_END
53e738c6 3640
41bd17a4 3641NAME: positive_dns_ttl
3642COMMENT: time-units
3643TYPE: time_t
3644LOC: Config.positiveDnsTtl
3645DEFAULT: 6 hours
3646DOC_START
3647 Upper limit on how long Squid will cache positive DNS responses.
3648 Default is 6 hours (360 minutes). This directive must be set
3649 larger than negative_dns_ttl.
3650DOC_END
c4ab8329 3651
41bd17a4 3652NAME: negative_dns_ttl
3653COMMENT: time-units
3654TYPE: time_t
3655LOC: Config.negativeDnsTtl
3656DEFAULT: 1 minutes
3657DOC_START
3658 Time-to-Live (TTL) for negative caching of failed DNS lookups.
3659 This also sets the lower cache limit on positive lookups.
3660 Minimum value is 1 second, and it is not recommendable to go
3661 much below 10 seconds.
3662DOC_END
7df0bfd7 3663
41bd17a4 3664NAME: range_offset_limit
11e3fa1c
AJ		 3665COMMENT: size [acl acl...]
3666TYPE: acl_b_size_t
41bd17a4 3667LOC: Config.rangeOffsetLimit
11e3fa1c 3668DEFAULT: none
41bd17a4 3669DOC_START
11e3fa1c
AJ		 3670 usage: (size) [units] [[!]aclname]
3671
3672 Sets an upper limit on how far (number of bytes) into the file
3673 a Range request may be to cause Squid to prefetch the whole file.
3674 If beyond this limit, Squid forwards the Range request as it is and
3675 the result is NOT cached.
3676
41bd17a4 3677 This is to stop a far ahead range request (lets say start at 17MB)
3678 from making Squid fetch the whole object up to that point before
3679 sending anything to the client.
11e3fa1c
AJ		 3680
3681 Multiple range_offset_limit lines may be specified, and they will
3682 be searched from top to bottom on each request until a match is found.
3683 The first match found will be used. If no line matches a request, the
3684 default limit of 0 bytes will be used.
3685
3686 'size' is the limit specified as a number of units.
3687
3688 'units' specifies whether to use bytes, KB, MB, etc.
3689 If no units are specified bytes are assumed.
3690
3691 A size of 0 causes Squid to never fetch more than the
ab275c7b 3692 client requested. (default)
11e3fa1c
AJ		 3693
3694 A size of 'none' causes Squid to always fetch the object from the
41bd17a4 3695 beginning so it may cache the result. (2.0 style)
11e3fa1c
AJ		 3696
3697 'aclname' is the name of a defined ACL.
3698
3699 NP: Using 'none' as the byte value here will override any quick_abort settings
3700 that may otherwise apply to the range request. The range request will
ab275c7b
AJ		 3701 be fully fetched from start to finish regardless of the client
3702 actions. This affects bandwidth usage.
41bd17a4 3703DOC_END
d95b862f 3704
41bd17a4 3705NAME: minimum_expiry_time
3706COMMENT: (seconds)
3707TYPE: time_t
3708LOC: Config.minimum_expiry_time
3709DEFAULT: 60 seconds
3710DOC_START
3711 The minimum caching time according to (Expires - Date)
3712 Headers Squid honors if the object can't be revalidated
649fa918 3713 defaults to 60 seconds. In reverse proxy environments it
41bd17a4 3714 might be desirable to honor shorter object lifetimes. It
3715 is most likely better to make your server return a
3716 meaningful Last-Modified header however. In ESI environments
3717 where page fragments often have short lifetimes, this will
3718 often be best set to 0.
3719DOC_END
c68e9c6b 3720
41bd17a4 3721NAME: store_avg_object_size
3722COMMENT: (kbytes)
3e62bd58 3723TYPE: kb_int64_t
41bd17a4 3724DEFAULT: 13 KB
3725LOC: Config.Store.avgObjectSize
3726DOC_START
3727 Average object size, used to estimate number of objects your
3728 cache can hold. The default is 13 KB.
cccac0a2 3729DOC_END
3730
41bd17a4 3731NAME: store_objects_per_bucket
3732TYPE: int
3733DEFAULT: 20
3734LOC: Config.Store.objectsPerBucket
3735DOC_START
3736 Target number of objects per bucket in the store hash table.
3737 Lowering this value increases the total number of buckets and
3738 also the storage maintenance rate. The default is 20.
3739DOC_END
3740
3741COMMENT_START
3742 HTTP OPTIONS
3743 -----------------------------------------------------------------------------
3744COMMENT_END
3745
f04b37d8 3746NAME: request_header_max_size
3747COMMENT: (KB)
3748TYPE: b_size_t
df2eec10 3749DEFAULT: 64 KB
f04b37d8 3750LOC: Config.maxRequestHeaderSize
3751DOC_START
3752 This specifies the maximum size for HTTP headers in a request.
3753 Request headers are usually relatively small (about 512 bytes).
3754 Placing a limit on the request header size will catch certain
3755 bugs (for example with persistent connections) and possibly
3756 buffer-overflow or denial-of-service attacks.
3757DOC_END
3758
3759NAME: reply_header_max_size
3760COMMENT: (KB)
3761TYPE: b_size_t
df2eec10 3762DEFAULT: 64 KB
f04b37d8 3763LOC: Config.maxReplyHeaderSize
3764DOC_START
3765 This specifies the maximum size for HTTP headers in a reply.
3766 Reply headers are usually relatively small (about 512 bytes).
3767 Placing a limit on the reply header size will catch certain
3768 bugs (for example with persistent connections) and possibly
3769 buffer-overflow or denial-of-service attacks.
3770DOC_END
3771
3772NAME: request_body_max_size
3773COMMENT: (bytes)
3774TYPE: b_int64_t
3775DEFAULT: 0 KB
3776LOC: Config.maxRequestBodySize
3777DOC_START
3778 This specifies the maximum size for an HTTP request body.
3779 In other words, the maximum size of a PUT/POST request.
3780 A user who attempts to send a request with a body larger
3781 than this limit receives an "Invalid Request" error message.
3782 If you set this parameter to a zero (the default), there will
3783 be no limit imposed.
3784DOC_END
3785
3ff65596
AR		 3786NAME: chunked_request_body_max_size
3787COMMENT: (bytes)
3788TYPE: b_int64_t
3789DEFAULT: 64 KB
3790LOC: Config.maxChunkedRequestBodySize
3791DOC_START
3792 A broken or confused HTTP/1.1 client may send a chunked HTTP
3793 request to Squid. Squid does not have full support for that
3794 feature yet. To cope with such requests, Squid buffers the
3795 entire request and then dechunks request body to create a
3796 plain HTTP/1.0 request with a known content length. The plain
3797 request is then used by the rest of Squid code as usual.
3798
3799 The option value specifies the maximum size of the buffer used
3800 to hold the request before the conversion. If the chunked
3801 request size exceeds the specified limit, the conversion
3802 fails, and the client receives an "unsupported request" error,
3803 as if dechunking was disabled.
3804
3805 Dechunking is enabled by default. To disable conversion of
3806 chunked requests, set the maximum to zero.
3807
3808 Request dechunking feature and this option in particular are a
3809 temporary hack. When chunking requests and responses are fully
3810 supported, there will be no need to buffer a chunked request.
3811DOC_END
3812
41bd17a4 3813NAME: broken_posts
aa49962c 3814IFDEF: HTTP_VIOLATIONS
cccac0a2 3815TYPE: acl_access
cccac0a2 3816DEFAULT: none
41bd17a4 3817LOC: Config.accessList.brokenPosts
cccac0a2 3818DOC_START
41bd17a4 3819 A list of ACL elements which, if matched, causes Squid to send
3820 an extra CRLF pair after the body of a PUT/POST request.
cccac0a2 3821
41bd17a4 3822 Some HTTP servers has broken implementations of PUT/POST,
3823 and rely on an extra CRLF pair sent by some WWW clients.
cccac0a2 3824
41bd17a4 3825 Quote from RFC2616 section 4.1 on this matter:
cccac0a2 3826
41bd17a4 3827 Note: certain buggy HTTP/1.0 client implementations generate an
3828 extra CRLF's after a POST request. To restate what is explicitly
3829 forbidden by the BNF, an HTTP/1.1 client must not preface or follow
3830 a request with an extra CRLF.
cccac0a2 3831
b3567eb5
FC		 3832 This clause only supports fast acl types.
3833 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
3834
41bd17a4 3835Example:
3836 acl buggy_server url_regex ^http://....
3837 broken_posts allow buggy_server
3838DOC_END
cccac0a2 3839
57d76dd4
AJ		 3840NAME: icap_uses_indirect_client
3841COMMENT: on|off
3842TYPE: onoff
0dae2bca 3843IFDEF: FOLLOW_X_FORWARDED_FOR&&ICAP_CLIENT
57d76dd4
AJ		 3844DEFAULT: on
3845LOC: Adaptation::Icap::TheConfig.icap_uses_indirect_client
3846DOC_START
3847 Controls whether the indirect client address
3848 (see follow_x_forwarded_for) instead of the
3849 direct client address is passed to an ICAP
3850 server as "X-Client-IP".
3851DOC_END
3852
41bd17a4 3853NAME: via
3854IFDEF: HTTP_VIOLATIONS
3855COMMENT: on|off
3856TYPE: onoff
3857DEFAULT: on
3858LOC: Config.onoff.via
3859DOC_START
3860 If set (default), Squid will include a Via header in requests and
3861 replies as required by RFC2616.
3862DOC_END
4cc6eb12 3863
41bd17a4 3864NAME: ie_refresh
3865COMMENT: on|off
3866TYPE: onoff
3867LOC: Config.onoff.ie_refresh
3868DEFAULT: off
3869DOC_START
3870 Microsoft Internet Explorer up until version 5.5 Service
3871 Pack 1 has an issue with transparent proxies, wherein it
3872 is impossible to force a refresh. Turning this on provides
3873 a partial fix to the problem, by causing all IMS-REFRESH
3874 requests from older IE versions to check the origin server
3875 for fresh content. This reduces hit ratio by some amount
3876 (~10% in my experience), but allows users to actually get
3877 fresh content when they want it. Note because Squid
3878 cannot tell if the user is using 5.5 or 5.5SP1, the behavior
3879 of 5.5 is unchanged from old versions of Squid (i.e. a
3880 forced refresh is impossible). Newer versions of IE will,
3881 hopefully, continue to have the new behavior and will be
3882 handled based on that assumption. This option defaults to
3883 the old Squid behavior, which is better for hit ratios but
3884 worse for clients using IE, if they need to be able to
3885 force fresh content.
3886DOC_END
b9d7fe3e 3887
41bd17a4 3888NAME: vary_ignore_expire
3889COMMENT: on|off
3890TYPE: onoff
3891LOC: Config.onoff.vary_ignore_expire
3892DEFAULT: off
3893DOC_START
3894 Many HTTP servers supporting Vary gives such objects
3895 immediate expiry time with no cache-control header
3896 when requested by a HTTP/1.0 client. This option
3897 enables Squid to ignore such expiry times until
3898 HTTP/1.1 is fully implemented.
7e73cd78
AJ		 3899
3900 WARNING: If turned on this may eventually cause some
3901 varying objects not intended for caching to get cached.
cccac0a2 3902DOC_END
c4ab8329 3903
41bd17a4 3904NAME: request_entities
3905TYPE: onoff
3906LOC: Config.onoff.request_entities
3907DEFAULT: off
3908DOC_START
3909 Squid defaults to deny GET and HEAD requests with request entities,
3910 as the meaning of such requests are undefined in the HTTP standard
3911 even if not explicitly forbidden.
0976f8db 3912
41bd17a4 3913 Set this directive to on if you have clients which insists
3914 on sending request entities in GET or HEAD requests. But be warned
3915 that there is server software (both proxies and web servers) which
3916 can fail to properly process this kind of request which may make you
3917 vulnerable to cache pollution attacks if enabled.
cccac0a2 3918DOC_END
6b53c392 3919
41bd17a4 3920NAME: request_header_access
3921IFDEF: HTTP_VIOLATIONS
3922TYPE: http_header_access[]
3923LOC: Config.request_header_access
cccac0a2 3924DEFAULT: none
cccac0a2 3925DOC_START
41bd17a4 3926 Usage: request_header_access header_name allow|deny [!]aclname ...
0976f8db 3927
41bd17a4 3928 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3929 this feature could make you liable for problems which it
3930 causes.
0976f8db 3931
41bd17a4 3932 This option replaces the old 'anonymize_headers' and the
3933 older 'http_anonymizer' option with something that is much
3934 more configurable. This new method creates a list of ACLs
3935 for each header, allowing you very fine-tuned header
3936 mangling.
934b03fc 3937
41bd17a4 3938 This option only applies to request headers, i.e., from the
3939 client to the server.
5401aa8d 3940
41bd17a4 3941 You can only specify known headers for the header name.
3942 Other headers are reclassified as 'Other'. You can also
3943 refer to all the headers with 'All'.
5401aa8d 3944
41bd17a4 3945 For example, to achieve the same behavior as the old
3946 'http_anonymizer standard' option, you should use:
5401aa8d 3947
41bd17a4 3948 request_header_access From deny all
3949 request_header_access Referer deny all
3950 request_header_access Server deny all
3951 request_header_access User-Agent deny all
3952 request_header_access WWW-Authenticate deny all
3953 request_header_access Link deny all
5401aa8d 3954
41bd17a4 3955 Or, to reproduce the old 'http_anonymizer paranoid' feature
3956 you should use:
5401aa8d 3957
41bd17a4 3958 request_header_access Allow allow all
3959 request_header_access Authorization allow all
3960 request_header_access WWW-Authenticate allow all
3961 request_header_access Proxy-Authorization allow all
3962 request_header_access Proxy-Authenticate allow all
3963 request_header_access Cache-Control allow all
3964 request_header_access Content-Encoding allow all
3965 request_header_access Content-Length allow all
3966 request_header_access Content-Type allow all
3967 request_header_access Date allow all
3968 request_header_access Expires allow all
3969 request_header_access Host allow all
3970 request_header_access If-Modified-Since allow all
3971 request_header_access Last-Modified allow all
3972 request_header_access Location allow all
3973 request_header_access Pragma allow all
3974 request_header_access Accept allow all
3975 request_header_access Accept-Charset allow all
3976 request_header_access Accept-Encoding allow all
3977 request_header_access Accept-Language allow all
3978 request_header_access Content-Language allow all
3979 request_header_access Mime-Version allow all
3980 request_header_access Retry-After allow all
3981 request_header_access Title allow all
3982 request_header_access Connection allow all
3983 request_header_access Proxy-Connection allow all
3984 request_header_access All deny all
5401aa8d 3985
41bd17a4 3986 although many of those are HTTP reply headers, and so should be
3987 controlled with the reply_header_access directive.
5401aa8d 3988
41bd17a4 3989 By default, all headers are allowed (no anonymizing is
3990 performed).
5401aa8d 3991DOC_END
3992
41bd17a4 3993NAME: reply_header_access
3994IFDEF: HTTP_VIOLATIONS
3995TYPE: http_header_access[]
3996LOC: Config.reply_header_access
cccac0a2 3997DEFAULT: none
3998DOC_START
41bd17a4 3999 Usage: reply_header_access header_name allow|deny [!]aclname ...
934b03fc 4000
41bd17a4 4001 WARNING: Doing this VIOLATES the HTTP standard. Enabling
4002 this feature could make you liable for problems which it
4003 causes.
934b03fc 4004
41bd17a4 4005 This option only applies to reply headers, i.e., from the
4006 server to the client.
934b03fc 4007
41bd17a4 4008 This is the same as request_header_access, but in the other
4009 direction.
6b53c392 4010
41bd17a4 4011 This option replaces the old 'anonymize_headers' and the
4012 older 'http_anonymizer' option with something that is much
4013 more configurable. This new method creates a list of ACLs
4014 for each header, allowing you very fine-tuned header
4015 mangling.
cccac0a2 4016
41bd17a4 4017 You can only specify known headers for the header name.
4018 Other headers are reclassified as 'Other'. You can also
4019 refer to all the headers with 'All'.
cccac0a2 4020
41bd17a4 4021 For example, to achieve the same behavior as the old
4022 'http_anonymizer standard' option, you should use:
cccac0a2 4023
41bd17a4 4024 reply_header_access From deny all
4025 reply_header_access Referer deny all
4026 reply_header_access Server deny all
4027 reply_header_access User-Agent deny all
4028 reply_header_access WWW-Authenticate deny all
4029 reply_header_access Link deny all
cccac0a2 4030
41bd17a4 4031 Or, to reproduce the old 'http_anonymizer paranoid' feature
4032 you should use:
cccac0a2 4033
41bd17a4 4034 reply_header_access Allow allow all
4035 reply_header_access Authorization allow all
4036 reply_header_access WWW-Authenticate allow all
4037 reply_header_access Proxy-Authorization allow all
4038 reply_header_access Proxy-Authenticate allow all
4039 reply_header_access Cache-Control allow all
4040 reply_header_access Content-Encoding allow all
4041 reply_header_access Content-Length allow all
4042 reply_header_access Content-Type allow all
4043 reply_header_access Date allow all
4044 reply_header_access Expires allow all
4045 reply_header_access Host allow all
4046 reply_header_access If-Modified-Since allow all
4047 reply_header_access Last-Modified allow all
4048 reply_header_access Location allow all
4049 reply_header_access Pragma allow all
4050 reply_header_access Accept allow all
4051 reply_header_access Accept-Charset allow all
4052 reply_header_access Accept-Encoding allow all
4053 reply_header_access Accept-Language allow all
4054 reply_header_access Content-Language allow all
4055 reply_header_access Mime-Version allow all
4056 reply_header_access Retry-After allow all
4057 reply_header_access Title allow all
4058 reply_header_access Connection allow all
4059 reply_header_access Proxy-Connection allow all
4060 reply_header_access All deny all
cccac0a2 4061
41bd17a4 4062 although the HTTP request headers won't be usefully controlled
4063 by this directive -- see request_header_access for details.
cccac0a2 4064
41bd17a4 4065 By default, all headers are allowed (no anonymizing is
4066 performed).
cccac0a2 4067DOC_END
4068
41bd17a4 4069NAME: header_replace
4070IFDEF: HTTP_VIOLATIONS
4071TYPE: http_header_replace[]
4072LOC: Config.request_header_access
cccac0a2 4073DEFAULT: none
41bd17a4 4074DOC_START
4075 Usage: header_replace header_name message
4076 Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
cccac0a2 4077
41bd17a4 4078 This option allows you to change the contents of headers
4079 denied with header_access above, by replacing them with
4080 some fixed string. This replaces the old fake_user_agent
4081 option.
cccac0a2 4082
41bd17a4 4083 This only applies to request headers, not reply headers.
cccac0a2 4084
41bd17a4 4085 By default, headers are removed if denied.
4086DOC_END
cccac0a2 4087
41bd17a4 4088NAME: relaxed_header_parser
4089COMMENT: on|off|warn
4090TYPE: tristate
4091LOC: Config.onoff.relaxed_header_parser
4092DEFAULT: on
4093DOC_START
4094 In the default "on" setting Squid accepts certain forms
4095 of non-compliant HTTP messages where it is unambiguous
4096 what the sending application intended even if the message
4097 is not correctly formatted. The messages is then normalized
4098 to the correct form when forwarded by Squid.
cccac0a2 4099
41bd17a4 4100 If set to "warn" then a warning will be emitted in cache.log
4101 each time such HTTP error is encountered.
cccac0a2 4102
41bd17a4 4103 If set to "off" then such HTTP errors will cause the request
4104 or response to be rejected.
4105DOC_END
7d90757b 4106
52b601ff
AJ		 4107NAME: ignore_expect_100
4108COMMENT: on|off
4109IFDEF: HTTP_VIOLATIONS
4110TYPE: onoff
4111LOC: Config.onoff.ignore_expect_100
4112DEFAULT: off
4113DOC_START
4114 This option makes Squid ignore any Expect: 100-continue header present
4115 in the request. RFC 2616 requires that Squid being unable to satisfy
4116 the response expectation MUST return a 417 error.
4117
4118 Note: Enabling this is a HTTP protocol violation, but some clients may
4119 not handle it well..
4120DOC_END
4121
41bd17a4 4122COMMENT_START
4123 TIMEOUTS
4124 -----------------------------------------------------------------------------
4125COMMENT_END
4126
4127NAME: forward_timeout
4128COMMENT: time-units
4129TYPE: time_t
4130LOC: Config.Timeout.forward
4131DEFAULT: 4 minutes
4132DOC_START
4133 This parameter specifies how long Squid should at most attempt in
4134 finding a forwarding path for the request before giving up.
cccac0a2 4135DOC_END
4136
41bd17a4 4137NAME: connect_timeout
4138COMMENT: time-units
4139TYPE: time_t
4140LOC: Config.Timeout.connect
4141DEFAULT: 1 minute
057f5854 4142DOC_START
41bd17a4 4143 This parameter specifies how long to wait for the TCP connect to
4144 the requested server or peer to complete before Squid should
4145 attempt to find another path where to forward the request.
057f5854 4146DOC_END
4147
41bd17a4 4148NAME: peer_connect_timeout
4149COMMENT: time-units
4150TYPE: time_t
4151LOC: Config.Timeout.peer_connect
4152DEFAULT: 30 seconds
cccac0a2 4153DOC_START
41bd17a4 4154 This parameter specifies how long to wait for a pending TCP
4155 connection to a peer cache. The default is 30 seconds. You
4156 may also set different timeout values for individual neighbors
4157 with the 'connect-timeout' option on a 'cache_peer' line.
4158DOC_END
7f7db318 4159
41bd17a4 4160NAME: read_timeout
4161COMMENT: time-units
4162TYPE: time_t
4163LOC: Config.Timeout.read
4164DEFAULT: 15 minutes
4165DOC_START
4166 The read_timeout is applied on server-side connections. After
4167 each successful read(), the timeout will be extended by this
4168 amount. If no data is read again after this amount of time,
4169 the request is aborted and logged with ERR_READ_TIMEOUT. The
4170 default is 15 minutes.
4171DOC_END
cccac0a2 4172
5ef5e5cc
AJ		 4173NAME: write_timeout
4174COMMENT: time-units
4175TYPE: time_t
4176LOC: Config.Timeout.write
4177DEFAULT: 15 minutes
4178DOC_START
4179 This timeout is tracked for all connections that have data
4180 available for writing and are waiting for the socket to become
4181 ready. After each successful write, the timeout is extended by
4182 the configured amount. If Squid has data to write but the
4183 connection is not ready for the configured duration, the
4184 transaction associated with the connection is terminated. The
4185 default is 15 minutes.
4186DOC_END
4187
41bd17a4 4188NAME: request_timeout
4189TYPE: time_t
4190LOC: Config.Timeout.request
4191DEFAULT: 5 minutes
4192DOC_START
4193 How long to wait for an HTTP request after initial
4194 connection establishment.
4195DOC_END
cccac0a2 4196
41bd17a4 4197NAME: persistent_request_timeout
4198TYPE: time_t
4199LOC: Config.Timeout.persistent_request
4200DEFAULT: 2 minutes
4201DOC_START
4202 How long to wait for the next HTTP request on a persistent
4203 connection after the previous request completes.
4204DOC_END
cccac0a2 4205
41bd17a4 4206NAME: client_lifetime
4207COMMENT: time-units
4208TYPE: time_t
4209LOC: Config.Timeout.lifetime
4210DEFAULT: 1 day
4211DOC_START
4212 The maximum amount of time a client (browser) is allowed to
4213 remain connected to the cache process. This protects the Cache
4214 from having a lot of sockets (and hence file descriptors) tied up
4215 in a CLOSE_WAIT state from remote clients that go away without
4216 properly shutting down (either because of a network failure or
4217 because of a poor client implementation). The default is one
4218 day, 1440 minutes.
7d90757b 4219
41bd17a4 4220 NOTE: The default value is intended to be much larger than any
4221 client would ever need to be connected to your cache. You
4222 should probably change client_lifetime only as a last resort.
4223 If you seem to have many client connections tying up
4224 filedescriptors, we recommend first tuning the read_timeout,
4225 request_timeout, persistent_request_timeout and quick_abort values.
cccac0a2 4226DOC_END
4227
41bd17a4 4228NAME: half_closed_clients
4229TYPE: onoff
4230LOC: Config.onoff.half_closed_clients
0c2f5c4f 4231DEFAULT: off
4eb368f9 4232DOC_START
41bd17a4 4233 Some clients may shutdown the sending side of their TCP
4234 connections, while leaving their receiving sides open. Sometimes,
4235 Squid can not tell the difference between a half-closed and a
0c2f5c4f
AJ		 4236 fully-closed TCP connection.
4237
4238 By default, Squid will immediately close client connections when
4239 read(2) returns "no more data to read."
4240
abdf1651 4241 Change this option to 'on' and Squid will keep open connections
0c2f5c4f
AJ		 4242 until a read(2) or write(2) on the socket returns an error.
4243 This may show some benefits for reverse proxies. But if not
4244 it is recommended to leave OFF.
4eb368f9 4245DOC_END
4246
41bd17a4 4247NAME: pconn_timeout
4248TYPE: time_t
4249LOC: Config.Timeout.pconn
4250DEFAULT: 1 minute
cccac0a2 4251DOC_START
41bd17a4 4252 Timeout for idle persistent connections to servers and other
4253 proxies.
4254DOC_END
cccac0a2 4255
41bd17a4 4256NAME: ident_timeout
4257TYPE: time_t
4258IFDEF: USE_IDENT
4daaf3cb 4259LOC: Ident::TheConfig.timeout
41bd17a4 4260DEFAULT: 10 seconds
4261DOC_START
4262 Maximum time to wait for IDENT lookups to complete.
cccac0a2 4263
41bd17a4 4264 If this is too high, and you enabled IDENT lookups from untrusted
4265 users, you might be susceptible to denial-of-service by having
4266 many ident requests going at once.
cccac0a2 4267DOC_END
4268
41bd17a4 4269NAME: shutdown_lifetime
4270COMMENT: time-units
4271TYPE: time_t
4272LOC: Config.shutdownLifetime
4273DEFAULT: 30 seconds
cccac0a2 4274DOC_START
41bd17a4 4275 When SIGTERM or SIGHUP is received, the cache is put into
4276 "shutdown pending" mode until all active sockets are closed.
4277 This value is the lifetime to set for all open descriptors
4278 during shutdown mode. Any active clients after this many
4279 seconds will receive a 'timeout' message.
cccac0a2 4280DOC_END
0976f8db 4281
cccac0a2 4282COMMENT_START
4283 ADMINISTRATIVE PARAMETERS
4284 -----------------------------------------------------------------------------
4285COMMENT_END
4286
4287NAME: cache_mgr
4288TYPE: string
4289DEFAULT: webmaster
4290LOC: Config.adminEmail
4291DOC_START
4292 Email-address of local cache manager who will receive
4293 mail if the cache dies. The default is "webmaster."
4294DOC_END
4295
abacf776 4296NAME: mail_from
4297TYPE: string
4298DEFAULT: none
4299LOC: Config.EmailFrom
4300DOC_START
4301 From: email-address for mail sent when the cache dies.
4302 The default is to use 'appname@unique_hostname'.
b8c0c06d 4303 Default appname value is "squid", can be changed into
abacf776 4304 src/globals.h before building squid.
4305DOC_END
4306
d084bf20 4307NAME: mail_program
4308TYPE: eol
4309DEFAULT: mail
4310LOC: Config.EmailProgram
4311DOC_START
4312 Email program used to send mail if the cache dies.
846a5e31 4313 The default is "mail". The specified program must comply
d084bf20 4314 with the standard Unix mail syntax:
846a5e31 4315 mail-program recipient < mailfile
4316
d084bf20 4317 Optional command line options can be specified.
4318DOC_END
4319
cccac0a2 4320NAME: cache_effective_user
4321TYPE: string
5483d916 4322DEFAULT: @DEFAULT_CACHE_EFFECTIVE_USER@
cccac0a2 4323LOC: Config.effectiveUser
e3d74828 4324DOC_START
4325 If you start Squid as root, it will change its effective/real
4326 UID/GID to the user specified below. The default is to change
5483d916 4327 to UID of @DEFAULT_CACHE_EFFECTIVE_USER@.
64e288bd 4328 see also; cache_effective_group
e3d74828 4329DOC_END
4330
cccac0a2 4331NAME: cache_effective_group
4332TYPE: string
4333DEFAULT: none
4334LOC: Config.effectiveGroup
4335DOC_START
64e288bd 4336 Squid sets the GID to the effective user's default group ID
4337 (taken from the password file) and supplementary group list
4338 from the groups membership.
4339
e3d74828 4340 If you want Squid to run with a specific GID regardless of
4341 the group memberships of the effective user then set this
4342 to the group (or GID) you want Squid to run as. When set
64e288bd 4343 all other group privileges of the effective user are ignored
e3d74828 4344 and only this GID is effective. If Squid is not started as
64e288bd 4345 root the user starting Squid MUST be member of the specified
e3d74828 4346 group.
64e288bd 4347
4348 This option is not recommended by the Squid Team.
4349 Our preference is for administrators to configure a secure
4350 user account for squid with UID/GID matching system policies.
cccac0a2 4351DOC_END
4352
d3caee79 4353NAME: httpd_suppress_version_string
4354COMMENT: on|off
4355TYPE: onoff
4356DEFAULT: off
4357LOC: Config.onoff.httpd_suppress_version_string
4358DOC_START
4359 Suppress Squid version string info in HTTP headers and HTML error pages.
4360DOC_END
4361
cccac0a2 4362NAME: visible_hostname
4363TYPE: string
4364LOC: Config.visibleHostname
4365DEFAULT: none
4366DOC_START
4367 If you want to present a special hostname in error messages, etc,
7f7db318 4368 define this. Otherwise, the return value of gethostname()
cccac0a2 4369 will be used. If you have multiple caches in a cluster and
4370 get errors about IP-forwarding you must set them to have individual
4371 names with this setting.
4372DOC_END
4373
cccac0a2 4374NAME: unique_hostname
4375TYPE: string
4376LOC: Config.uniqueHostname
4377DEFAULT: none
4378DOC_START
4379 If you want to have multiple machines with the same
7f7db318 4380 'visible_hostname' you must give each machine a different
4381 'unique_hostname' so forwarding loops can be detected.
cccac0a2 4382DOC_END
4383
cccac0a2 4384NAME: hostname_aliases
4385TYPE: wordlist
4386LOC: Config.hostnameAliases
4387DEFAULT: none
4388DOC_START
7f7db318 4389 A list of other DNS names your cache has.
cccac0a2 4390DOC_END
0976f8db 4391
c642c141
AJ		 4392NAME: umask
4393TYPE: int
4394LOC: Config.umask
4395DEFAULT: 027
4396DOC_START
4397 Minimum umask which should be enforced while the proxy
4398 is running, in addition to the umask set at startup.
4399
4400 For a traditional octal representation of umasks, start
4401 your value with 0.
4402DOC_END
4403
cccac0a2 4404COMMENT_START
4405 OPTIONS FOR THE CACHE REGISTRATION SERVICE
4406 -----------------------------------------------------------------------------
4407
4408 This section contains parameters for the (optional) cache
4409 announcement service. This service is provided to help
4410 cache administrators locate one another in order to join or
4411 create cache hierarchies.
4412
4413 An 'announcement' message is sent (via UDP) to the registration
4414 service by Squid. By default, the announcement message is NOT
4415 SENT unless you enable it with 'announce_period' below.
4416
4417 The announcement message includes your hostname, plus the
4418 following information from this configuration file:
4419
4420 http_port
4421 icp_port
4422 cache_mgr
4423
4424 All current information is processed regularly and made
4425 available on the Web at http://www.ircache.net/Cache/Tracker/.
4426COMMENT_END
4427
4428NAME: announce_period
4429TYPE: time_t
4430LOC: Config.Announce.period
4431DEFAULT: 0
4432DOC_START
4433 This is how frequently to send cache announcements. The
4434 default is `0' which disables sending the announcement
4435 messages.
4436
e0855596 4437 To enable announcing your cache, just set an announce period.
cccac0a2 4438
e0855596
AJ		 4439 Example:
4440 announce_period 1 day
cccac0a2 4441DOC_END
4442
cccac0a2 4443NAME: announce_host
4444TYPE: string
4445DEFAULT: tracker.ircache.net
4446LOC: Config.Announce.host
4447DOC_NONE
4448
4449NAME: announce_file
4450TYPE: string
4451DEFAULT: none
4452LOC: Config.Announce.file
4453DOC_NONE
4454
4455NAME: announce_port
4456TYPE: ushort
4457DEFAULT: 3131
4458LOC: Config.Announce.port
4459DOC_START
4460 announce_host and announce_port set the hostname and port
4461 number where the registration message will be sent.
4462
4463 Hostname will default to 'tracker.ircache.net' and port will
4464 default default to 3131. If the 'filename' argument is given,
4465 the contents of that file will be included in the announce
4466 message.
4467DOC_END
4468
8d6275c0 4469COMMENT_START
4470 HTTPD-ACCELERATOR OPTIONS
4471 -----------------------------------------------------------------------------
4472COMMENT_END
4473
cccac0a2 4474NAME: httpd_accel_surrogate_id
cccac0a2 4475TYPE: string
b2b40d8c 4476DEFAULT: none
cccac0a2 4477LOC: Config.Accel.surrogate_id
cccac0a2 4478DOC_START
4479 Surrogates (http://www.esi.org/architecture_spec_1.0.html)
4480 need an identification token to allow control targeting. Because
4481 a farm of surrogates may all perform the same tasks, they may share
4482 an identification token.
b2b40d8c
AJ		 4483
4484 The default ID is the visible_hostname
cccac0a2 4485DOC_END
4486
4487NAME: http_accel_surrogate_remote
cccac0a2 4488COMMENT: on|off
4489TYPE: onoff
4490DEFAULT: off
4491LOC: Config.onoff.surrogate_is_remote
4492DOC_START
4493 Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
4494 Set this to on to have squid behave as a remote surrogate.
4495DOC_END
4496
4497NAME: esi_parser
f41735ea 4498IFDEF: USE_SQUID_ESI
964b44c3 4499COMMENT: libxml2|expat|custom
cccac0a2 4500TYPE: string
4501LOC: ESIParser::Type
4502DEFAULT: custom
4503DOC_START
4504 ESI markup is not strictly XML compatible. The custom ESI parser
4505 will give higher performance, but cannot handle non ASCII character
4506 encodings.
4507DOC_END
0976f8db 4508
9edd9041 4509COMMENT_START
8d6275c0 4510 DELAY POOL PARAMETERS
9edd9041 4511 -----------------------------------------------------------------------------
4512COMMENT_END
4513
4514NAME: delay_pools
4515TYPE: delay_pool_count
4516DEFAULT: 0
4517IFDEF: DELAY_POOLS
4518LOC: Config.Delay
4519DOC_START
4520 This represents the number of delay pools to be used. For example,
4521 if you have one class 2 delay pool and one class 3 delays pool, you
4522 have a total of 2 delay pools.
4523DOC_END
4524
4525NAME: delay_class
4526TYPE: delay_pool_class
4527DEFAULT: none
4528IFDEF: DELAY_POOLS
4529LOC: Config.Delay
4530DOC_START
4531 This defines the class of each delay pool. There must be exactly one
4532 delay_class line for each delay pool. For example, to define two
4533 delay pools, one of class 2 and one of class 3, the settings above
4534 and here would be:
4535
b1fb3348
AJ		 4536 Example:
4537 delay_pools 4 # 4 delay pools
4538 delay_class 1 2 # pool 1 is a class 2 pool
4539 delay_class 2 3 # pool 2 is a class 3 pool
4540 delay_class 3 4 # pool 3 is a class 4 pool
4541 delay_class 4 5 # pool 4 is a class 5 pool
9edd9041 4542
4543 The delay pool classes are:
4544
4545 class 1 Everything is limited by a single aggregate
4546 bucket.
4547
4548 class 2 Everything is limited by a single aggregate
4549 bucket as well as an "individual" bucket chosen
b1fb3348 4550 from bits 25 through 32 of the IPv4 address.
9edd9041 4551
4552 class 3 Everything is limited by a single aggregate
4553 bucket as well as a "network" bucket chosen
4554 from bits 17 through 24 of the IP address and a
4555 "individual" bucket chosen from bits 17 through
b1fb3348 4556 32 of the IPv4 address.
9edd9041 4557
4558 class 4 Everything in a class 3 delay pool, with an
4559 additional limit on a per user basis. This
4560 only takes effect if the username is established
4561 in advance - by forcing authentication in your
4562 http_access rules.
4563
4564 class 5 Requests are grouped according their tag (see
4565 external_acl's tag= reply).
4566
4567 NOTE: If an IP address is a.b.c.d
4568 -> bits 25 through 32 are "d"
4569 -> bits 17 through 24 are "c"
4570 -> bits 17 through 32 are "c * 256 + d"
b1fb3348
AJ		 4571
4572 NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
4573 IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
9edd9041 4574DOC_END
4575
4576NAME: delay_access
4577TYPE: delay_pool_access
4578DEFAULT: none
4579IFDEF: DELAY_POOLS
4580LOC: Config.Delay
4581DOC_START
4582 This is used to determine which delay pool a request falls into.
4583
4584 delay_access is sorted per pool and the matching starts with pool 1,
4585 then pool 2, ..., and finally pool N. The first delay pool where the
4586 request is allowed is selected for the request. If it does not allow
4587 the request to any pool then the request is not delayed (default).
4588
4589 For example, if you want some_big_clients in delay
4590 pool 1 and lotsa_little_clients in delay pool 2:
4591
4592Example:
4593 delay_access 1 allow some_big_clients
4594 delay_access 1 deny all
4595 delay_access 2 allow lotsa_little_clients
4596 delay_access 2 deny all
4597 delay_access 3 allow authenticated_clients
4598DOC_END
4599
4600NAME: delay_parameters
4601TYPE: delay_pool_rates
4602DEFAULT: none
4603IFDEF: DELAY_POOLS
4604LOC: Config.Delay
4605DOC_START
4606 This defines the parameters for a delay pool. Each delay pool has
4607 a number of "buckets" associated with it, as explained in the
4608 description of delay_class. For a class 1 delay pool, the syntax is:
4609
4610delay_parameters pool aggregate
4611
4612 For a class 2 delay pool:
4613
4614delay_parameters pool aggregate individual
4615
4616 For a class 3 delay pool:
4617
4618delay_parameters pool aggregate network individual
4619
4620 For a class 4 delay pool:
4621
4622delay_parameters pool aggregate network individual user
4623
4624 For a class 5 delay pool:
4625
4626delay_parameters pool tag
4627
4628 The variables here are:
4629
4630 pool a pool number - ie, a number between 1 and the
4631 number specified in delay_pools as used in
4632 delay_class lines.
4633
4634 aggregate the "delay parameters" for the aggregate bucket
4635 (class 1, 2, 3).
4636
4637 individual the "delay parameters" for the individual
4638 buckets (class 2, 3).
4639
4640 network the "delay parameters" for the network buckets
4641 (class 3).
4642
4643 user the delay parameters for the user buckets
4644 (class 4).
4645
4646 tag the delay parameters for the tag buckets
4647 (class 5).
4648
4649 A pair of delay parameters is written restore/maximum, where restore is
4650 the number of bytes (not bits - modem and network speeds are usually
4651 quoted in bits) per second placed into the bucket, and maximum is the
4652 maximum number of bytes which can be in the bucket at any time.
4653
4654 For example, if delay pool number 1 is a class 2 delay pool as in the
4655 above example, and is being used to strictly limit each host to 64kbps
4656 (plus overheads), with no overall limit, the line is:
4657
4658delay_parameters 1 -1/-1 8000/8000
4659
4660 Note that the figure -1 is used to represent "unlimited".
4661
4662 And, if delay pool number 2 is a class 3 delay pool as in the above
4663 example, and you want to limit it to a total of 256kbps (strict limit)
4664 with each 8-bit network permitted 64kbps (strict limit) and each
4665 individual host permitted 4800bps with a bucket maximum size of 64kb
4666 to permit a decent web page to be downloaded at a decent speed
4667 (if the network is not being limited due to overuse) but slow down
4668 large downloads more significantly:
4669
4670delay_parameters 2 32000/32000 8000/8000 600/8000
4671
4672 There must be one delay_parameters line for each delay pool.
4673
4674 Finally, for a class 4 delay pool as in the example - each user will
4675 be limited to 128Kb no matter how many workstations they are logged into.:
4676
4677delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
4678DOC_END
4679
4680NAME: delay_initial_bucket_level
4681COMMENT: (percent, 0-100)
4682TYPE: ushort
4683DEFAULT: 50
4684IFDEF: DELAY_POOLS
4685LOC: Config.Delay.initial
4686DOC_START
4687 The initial bucket percentage is used to determine how much is put
4688 in each bucket when squid starts, is reconfigured, or first notices
4689 a host accessing it (in class 2 and class 3, individual hosts and
4690 networks only have buckets associated with them once they have been
4691 "seen" by squid).
4692DOC_END
4693
cccac0a2 4694COMMENT_START
8d6275c0 4695 WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
cccac0a2 4696 -----------------------------------------------------------------------------
4697COMMENT_END
4698
8d6275c0 4699NAME: wccp_router
4700TYPE: address
4701LOC: Config.Wccp.router
0eb08770 4702DEFAULT: any_addr
8d6275c0 4703IFDEF: USE_WCCP
e313ab0a
AJ		 4704DOC_START
4705 Use this option to define your WCCP ``home'' router for
4706 Squid.
4707
4708 wccp_router supports a single WCCP(v1) router
4709
4710 wccp2_router supports multiple WCCPv2 routers
4711
4712 only one of the two may be used at the same time and defines
4713 which version of WCCP to use.
4714DOC_END
df2eec10 4715
8d6275c0 4716NAME: wccp2_router
9fb4efad 4717TYPE: IpAddress_list
8d6275c0 4718LOC: Config.Wccp2.router
cccac0a2 4719DEFAULT: none
8d6275c0 4720IFDEF: USE_WCCPv2
cccac0a2 4721DOC_START
8d6275c0 4722 Use this option to define your WCCP ``home'' router for
4723 Squid.
cccac0a2 4724
8d6275c0 4725 wccp_router supports a single WCCP(v1) router
cccac0a2 4726
8d6275c0 4727 wccp2_router supports multiple WCCPv2 routers
cccac0a2 4728
8d6275c0 4729 only one of the two may be used at the same time and defines
4730 which version of WCCP to use.
4731DOC_END
4732
4733NAME: wccp_version
cccac0a2 4734TYPE: int
8d6275c0 4735LOC: Config.Wccp.version
4736DEFAULT: 4
4737IFDEF: USE_WCCP
cccac0a2 4738DOC_START
8d6275c0 4739 This directive is only relevant if you need to set up WCCP(v1)
4740 to some very old and end-of-life Cisco routers. In all other
4741 setups it must be left unset or at the default setting.
4742 It defines an internal version in the WCCP(v1) protocol,
4743 with version 4 being the officially documented protocol.
cccac0a2 4744
8d6275c0 4745 According to some users, Cisco IOS 11.2 and earlier only
4746 support WCCP version 3. If you're using that or an earlier
4747 version of IOS, you may need to change this value to 3, otherwise
4748 do not specify this parameter.
cccac0a2 4749DOC_END
4750
8d6275c0 4751NAME: wccp2_rebuild_wait
4752TYPE: onoff
4753LOC: Config.Wccp2.rebuildwait
4754DEFAULT: on
4755IFDEF: USE_WCCPv2
4756DOC_START
4757 If this is enabled Squid will wait for the cache dir rebuild to finish
4758 before sending the first wccp2 HereIAm packet
4759DOC_END
cccac0a2 4760
8d6275c0 4761NAME: wccp2_forwarding_method
e313ab0a 4762TYPE: wccp2_method
8d6275c0 4763LOC: Config.Wccp2.forwarding_method
451c4786 4764DEFAULT: gre
8d6275c0 4765IFDEF: USE_WCCPv2
cccac0a2 4766DOC_START
699acd19 4767 WCCP2 allows the setting of forwarding methods between the
8d6275c0 4768 router/switch and the cache. Valid values are as follows:
cccac0a2 4769
451c4786
AJ		 4770 gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4771 l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
cccac0a2 4772
8d6275c0 4773 Currently (as of IOS 12.4) cisco routers only support GRE.
4774 Cisco switches only support the L2 redirect assignment method.
cccac0a2 4775DOC_END
4776
8d6275c0 4777NAME: wccp2_return_method
e313ab0a 4778TYPE: wccp2_method
8d6275c0 4779LOC: Config.Wccp2.return_method
451c4786 4780DEFAULT: gre
8d6275c0 4781IFDEF: USE_WCCPv2
cccac0a2 4782DOC_START
699acd19 4783 WCCP2 allows the setting of return methods between the
8d6275c0 4784 router/switch and the cache for packets that the cache
4785 decides not to handle. Valid values are as follows:
cccac0a2 4786
451c4786
AJ		 4787 gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4788 l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
cccac0a2 4789
8d6275c0 4790 Currently (as of IOS 12.4) cisco routers only support GRE.
4791 Cisco switches only support the L2 redirect assignment.
cccac0a2 4792
699acd19 4793 If the "ip wccp redirect exclude in" command has been
8d6275c0 4794 enabled on the cache interface, then it is still safe for
4795 the proxy server to use a l2 redirect method even if this
4796 option is set to GRE.
cccac0a2 4797DOC_END
4798
8d6275c0 4799NAME: wccp2_assignment_method
451c4786 4800TYPE: wccp2_amethod
8d6275c0 4801LOC: Config.Wccp2.assignment_method
451c4786 4802DEFAULT: hash
8d6275c0 4803IFDEF: USE_WCCPv2
cccac0a2 4804DOC_START
8d6275c0 4805 WCCP2 allows the setting of methods to assign the WCCP hash
4806 Valid values are as follows:
cccac0a2 4807
451c4786
AJ		 4808 hash - Hash assignment
4809 mask - Mask assignment
cccac0a2 4810
8d6275c0 4811 As a general rule, cisco routers support the hash assignment method
4812 and cisco switches support the mask assignment method.
4813DOC_END
cccac0a2 4814
8d6275c0 4815NAME: wccp2_service
4816TYPE: wccp2_service
4817LOC: Config.Wccp2.info
4818DEFAULT: none
4819DEFAULT_IF_NONE: standard 0
4820IFDEF: USE_WCCPv2
4821DOC_START
4822 WCCP2 allows for multiple traffic services. There are two
4823 types: "standard" and "dynamic". The standard type defines
4824 one service id - http (id 0). The dynamic service ids can be from
4825 51 to 255 inclusive. In order to use a dynamic service id
4826 one must define the type of traffic to be redirected; this is done
4827 using the wccp2_service_info option.
4828
4829 The "standard" type does not require a wccp2_service_info option,
4830 just specifying the service id will suffice.
4831
4832 MD5 service authentication can be enabled by adding
4833 "password=<password>" to the end of this service declaration.
4834
4835 Examples:
4836
4837 wccp2_service standard 0 # for the 'web-cache' standard service
4838 wccp2_service dynamic 80 # a dynamic service type which will be
4839 # fleshed out with subsequent options.
4840 wccp2_service standard 0 password=foo
8d6275c0 4841DOC_END
4842
4843NAME: wccp2_service_info
4844TYPE: wccp2_service_info
4845LOC: Config.Wccp2.info
4846DEFAULT: none
4847IFDEF: USE_WCCPv2
4848DOC_START
4849 Dynamic WCCPv2 services require further information to define the
4850 traffic you wish to have diverted.
4851
4852 The format is:
4853
4854 wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
4855 priority=<priority> ports=<port>,<port>..
4856
4857 The relevant WCCPv2 flags:
4858 + src_ip_hash, dst_ip_hash
005fe566 4859 + source_port_hash, dst_port_hash
8d6275c0 4860 + src_ip_alt_hash, dst_ip_alt_hash
4861 + src_port_alt_hash, dst_port_alt_hash
4862 + ports_source
4863
4864 The port list can be one to eight entries.
4865
4866 Example:
4867
4868 wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
4869 priority=240 ports=80
4870
4871 Note: the service id must have been defined by a previous
4872 'wccp2_service dynamic <id>' entry.
4873DOC_END
4874
4875NAME: wccp2_weight
4876TYPE: int
4877LOC: Config.Wccp2.weight
4878DEFAULT: 10000
4879IFDEF: USE_WCCPv2
4880DOC_START
4881 Each cache server gets assigned a set of the destination
4882 hash proportional to their weight.
4883DOC_END
4884
4885NAME: wccp_address
4886TYPE: address
4887LOC: Config.Wccp.address
4888DEFAULT: 0.0.0.0
4889IFDEF: USE_WCCP
4890DOC_NONE
df2eec10 4891
8d6275c0 4892NAME: wccp2_address
4893TYPE: address
4894LOC: Config.Wccp2.address
4895DEFAULT: 0.0.0.0
4896IFDEF: USE_WCCPv2
4897DOC_START
4898 Use this option if you require WCCP to use a specific
4899 interface address.
4900
4901 The default behavior is to not bind to any specific address.
4902DOC_END
4903
4904COMMENT_START
4905 PERSISTENT CONNECTION HANDLING
4906 -----------------------------------------------------------------------------
4907
4908 Also see "pconn_timeout" in the TIMEOUTS section
4909COMMENT_END
4910
4911NAME: client_persistent_connections
4912TYPE: onoff
4913LOC: Config.onoff.client_pconns
4914DEFAULT: on
4915DOC_NONE
4916
4917NAME: server_persistent_connections
4918TYPE: onoff
4919LOC: Config.onoff.server_pconns
4920DEFAULT: on
4921DOC_START
4922 Persistent connection support for clients and servers. By
4923 default, Squid uses persistent connections (when allowed)
4924 with its clients and servers. You can use these options to
4925 disable persistent connections with clients and/or servers.
4926DOC_END
4927
4928NAME: persistent_connection_after_error
4929TYPE: onoff
4930LOC: Config.onoff.error_pconns
4931DEFAULT: off
4932DOC_START
4933 With this directive the use of persistent connections after
4934 HTTP errors can be disabled. Useful if you have clients
4935 who fail to handle errors on persistent connections proper.
4936DOC_END
4937
4938NAME: detect_broken_pconn
4939TYPE: onoff
4940LOC: Config.onoff.detect_broken_server_pconns
4941DEFAULT: off
4942DOC_START
4943 Some servers have been found to incorrectly signal the use
4944 of HTTP/1.0 persistent connections even on replies not
4945 compatible, causing significant delays. This server problem
4946 has mostly been seen on redirects.
4947
4948 By enabling this directive Squid attempts to detect such
4949 broken replies and automatically assume the reply is finished
4950 after 10 seconds timeout.
4951DOC_END
4952
4953COMMENT_START
4954 CACHE DIGEST OPTIONS
4955 -----------------------------------------------------------------------------
4956COMMENT_END
4957
4958NAME: digest_generation
4959IFDEF: USE_CACHE_DIGESTS
4960TYPE: onoff
4961LOC: Config.onoff.digest_generation
4962DEFAULT: on
4963DOC_START
4964 This controls whether the server will generate a Cache Digest
4965 of its contents. By default, Cache Digest generation is
13e917b5 4966 enabled if Squid is compiled with --enable-cache-digests defined.
8d6275c0 4967DOC_END
4968
4969NAME: digest_bits_per_entry
4970IFDEF: USE_CACHE_DIGESTS
4971TYPE: int
4972LOC: Config.digest.bits_per_entry
4973DEFAULT: 5
4974DOC_START
4975 This is the number of bits of the server's Cache Digest which
4976 will be associated with the Digest entry for a given HTTP
4977 Method and URL (public key) combination. The default is 5.
4978DOC_END
4979
4980NAME: digest_rebuild_period
4981IFDEF: USE_CACHE_DIGESTS
4982COMMENT: (seconds)
4983TYPE: time_t
4984LOC: Config.digest.rebuild_period
4985DEFAULT: 1 hour
4986DOC_START
749ceff8 4987 This is the wait time between Cache Digest rebuilds.
8d6275c0 4988DOC_END
4989
4990NAME: digest_rewrite_period
4991COMMENT: (seconds)
4992IFDEF: USE_CACHE_DIGESTS
4993TYPE: time_t
4994LOC: Config.digest.rewrite_period
4995DEFAULT: 1 hour
4996DOC_START
749ceff8 4997 This is the wait time between Cache Digest writes to
8d6275c0 4998 disk.
4999DOC_END
5000
5001NAME: digest_swapout_chunk_size
5002COMMENT: (bytes)
5003TYPE: b_size_t
5004IFDEF: USE_CACHE_DIGESTS
5005LOC: Config.digest.swapout_chunk_size
5006DEFAULT: 4096 bytes
5007DOC_START
5008 This is the number of bytes of the Cache Digest to write to
5009 disk at a time. It defaults to 4096 bytes (4KB), the Squid
5010 default swap page.
5011DOC_END
5012
5013NAME: digest_rebuild_chunk_percentage
5014COMMENT: (percent, 0-100)
5015IFDEF: USE_CACHE_DIGESTS
5016TYPE: int
5017LOC: Config.digest.rebuild_chunk_percentage
5018DEFAULT: 10
5019DOC_START
5020 This is the percentage of the Cache Digest to be scanned at a
5021 time. By default it is set to 10% of the Cache Digest.
5022DOC_END
5023
1db9eacd 5024COMMENT_START
5473c134 5025 SNMP OPTIONS
1db9eacd 5026 -----------------------------------------------------------------------------
5027COMMENT_END
5028
5473c134 5029NAME: snmp_port
5030TYPE: ushort
5031LOC: Config.Port.snmp
87630341 5032DEFAULT: 0
5473c134 5033IFDEF: SQUID_SNMP
8d6275c0 5034DOC_START
87630341 5035 The port number where Squid listens for SNMP requests. To enable
5036 SNMP support set this to a suitable port number. Port number
5037 3401 is often used for the Squid SNMP agent. By default it's
5038 set to "0" (disabled)
e0855596
AJ		 5039
5040 Example:
5041 snmp_port 3401
8d6275c0 5042DOC_END
5043
5473c134 5044NAME: snmp_access
5045TYPE: acl_access
5046LOC: Config.accessList.snmp
8d6275c0 5047DEFAULT: none
5473c134 5048DEFAULT_IF_NONE: deny all
5049IFDEF: SQUID_SNMP
8d6275c0 5050DOC_START
5473c134 5051 Allowing or denying access to the SNMP port.
8d6275c0 5052
5473c134 5053 All access to the agent is denied by default.
5054 usage:
8d6275c0 5055
5473c134 5056 snmp_access allow|deny [!]aclname ...
8d6275c0 5057
b3567eb5
FC		 5058 This clause only supports fast acl types.
5059 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
5473c134 5060Example:
5061 snmp_access allow snmppublic localhost
5062 snmp_access deny all
cccac0a2 5063DOC_END
5064
5473c134 5065NAME: snmp_incoming_address
5066TYPE: address
5067LOC: Config.Addrs.snmp_incoming
0eb08770 5068DEFAULT: any_addr
5473c134 5069IFDEF: SQUID_SNMP
5070DOC_NONE
df2eec10 5071
5473c134 5072NAME: snmp_outgoing_address
5073TYPE: address
5074LOC: Config.Addrs.snmp_outgoing
0eb08770 5075DEFAULT: no_addr
5473c134 5076IFDEF: SQUID_SNMP
cccac0a2 5077DOC_START
df2eec10 5078 Just like 'udp_incoming_address', but for the SNMP port.
cccac0a2 5079
5473c134 5080 snmp_incoming_address is used for the SNMP socket receiving
5081 messages from SNMP agents.
5082 snmp_outgoing_address is used for SNMP packets returned to SNMP
5083 agents.
cccac0a2 5084
0eb08770 5085 The default snmp_incoming_address is to listen on all
5473c134 5086 available network interfaces.
cccac0a2 5087
0eb08770
HN		 5088 If snmp_outgoing_address is not set it will use the same socket
5089 as snmp_incoming_address. Only change this if you want to have
5090 SNMP replies sent using another address than where this Squid
5091 listens for SNMP queries.
cccac0a2 5092
5473c134 5093 NOTE, snmp_incoming_address and snmp_outgoing_address can not have
5094 the same value since they both use port 3401.
cccac0a2 5095DOC_END
5096
5473c134 5097COMMENT_START
5098 ICP OPTIONS
5099 -----------------------------------------------------------------------------
5100COMMENT_END
5101
5102NAME: icp_port udp_port
5103TYPE: ushort
5104DEFAULT: 0
5105LOC: Config.Port.icp
cccac0a2 5106DOC_START
5473c134 5107 The port number where Squid sends and receives ICP queries to
5108 and from neighbor caches. The standard UDP port for ICP is 3130.
5109 Default is disabled (0).
e0855596
AJ		 5110
5111 Example:
5112 icp_port @DEFAULT_ICP_PORT@
cccac0a2 5113DOC_END
5114
5473c134 5115NAME: htcp_port
5116IFDEF: USE_HTCP
5117TYPE: ushort
87630341 5118DEFAULT: 0
5473c134 5119LOC: Config.Port.htcp
cccac0a2 5120DOC_START
5473c134 5121 The port number where Squid sends and receives HTCP queries to
87630341 5122 and from neighbor caches. To turn it on you want to set it to
5123 4827. By default it is set to "0" (disabled).
e0855596
AJ		 5124
5125 Example:
5126 htcp_port 4827
cccac0a2 5127DOC_END
5128
5129NAME: log_icp_queries
5130COMMENT: on|off
5131TYPE: onoff
5132DEFAULT: on
5133LOC: Config.onoff.log_udp
5134DOC_START
5135 If set, ICP queries are logged to access.log. You may wish
5136 do disable this if your ICP load is VERY high to speed things
5137 up or to simplify log analysis.
5138DOC_END
5139
5473c134 5140NAME: udp_incoming_address
5141TYPE: address
5142LOC:Config.Addrs.udp_incoming
0eb08770 5143DEFAULT: any_addr
8524d4b2 5144DOC_START
5145 udp_incoming_address is used for UDP packets received from other
5146 caches.
5147
5148 The default behavior is to not bind to any specific address.
5149
5150 Only change this if you want to have all UDP queries received on
5151 a specific interface/address.
5152
5153 NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
5154 modules. Altering it will affect all of them in the same manner.
5155
5156 see also; udp_outgoing_address
5157
5158 NOTE, udp_incoming_address and udp_outgoing_address can not
5159 have the same value since they both use the same port.
5160DOC_END
cccac0a2 5161
5473c134 5162NAME: udp_outgoing_address
5163TYPE: address
5164LOC: Config.Addrs.udp_outgoing
0eb08770 5165DEFAULT: no_addr
cccac0a2 5166DOC_START
8524d4b2 5167 udp_outgoing_address is used for UDP packets sent out to other
5473c134 5168 caches.
cccac0a2 5169
5473c134 5170 The default behavior is to not bind to any specific address.
cccac0a2 5171
8524d4b2 5172 Instead it will use the same socket as udp_incoming_address.
5173 Only change this if you want to have UDP queries sent using another
5174 address than where this Squid listens for UDP queries from other
5473c134 5175 caches.
5176
8524d4b2 5177 NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
5178 modules. Altering it will affect all of them in the same manner.
5179
5180 see also; udp_incoming_address
5181
5473c134 5182 NOTE, udp_incoming_address and udp_outgoing_address can not
8524d4b2 5183 have the same value since they both use the same port.
cccac0a2 5184DOC_END
5185
3d1e3e43 5186NAME: icp_hit_stale
5187COMMENT: on|off
5188TYPE: onoff
5189DEFAULT: off
5190LOC: Config.onoff.icp_hit_stale
5191DOC_START
5192 If you want to return ICP_HIT for stale cache objects, set this
5193 option to 'on'. If you have sibling relationships with caches
5194 in other administrative domains, this should be 'off'. If you only
5195 have sibling relationships with caches under your control,
5196 it is probably okay to set this to 'on'.
5197 If set to 'on', your siblings should use the option "allow-miss"
5198 on their cache_peer lines for connecting to you.
5199DOC_END
5200
5473c134 5201NAME: minimum_direct_hops
cccac0a2 5202TYPE: int
5473c134 5203DEFAULT: 4
5204LOC: Config.minDirectHops
cccac0a2 5205DOC_START
5473c134 5206 If using the ICMP pinging stuff, do direct fetches for sites
5207 which are no more than this many hops away.
cccac0a2 5208DOC_END
5209
5473c134 5210NAME: minimum_direct_rtt
5211TYPE: int
5212DEFAULT: 400
5213LOC: Config.minDirectRtt
cccac0a2 5214DOC_START
5473c134 5215 If using the ICMP pinging stuff, do direct fetches for sites
5216 which are no more than this many rtt milliseconds away.
cccac0a2 5217DOC_END
5218
cccac0a2 5219NAME: netdb_low
5220TYPE: int
5221DEFAULT: 900
5222LOC: Config.Netdb.low
5223DOC_NONE
5224
5225NAME: netdb_high
5226TYPE: int
5227DEFAULT: 1000
5228LOC: Config.Netdb.high
5229DOC_START
5230 The low and high water marks for the ICMP measurement
5231 database. These are counts, not percents. The defaults are
5232 900 and 1000. When the high water mark is reached, database
5233 entries will be deleted until the low mark is reached.
5234DOC_END
5235
cccac0a2 5236NAME: netdb_ping_period
5237TYPE: time_t
5238LOC: Config.Netdb.period
5239DEFAULT: 5 minutes
5240DOC_START
5241 The minimum period for measuring a site. There will be at
5242 least this much delay between successive pings to the same
5243 network. The default is five minutes.
5244DOC_END
5245
cccac0a2 5246NAME: query_icmp
5247COMMENT: on|off
5248TYPE: onoff
5249DEFAULT: off
5250LOC: Config.onoff.query_icmp
5251DOC_START
5252 If you want to ask your peers to include ICMP data in their ICP
5253 replies, enable this option.
5254
5255 If your peer has configured Squid (during compilation) with
7f7db318 5256 '--enable-icmp' that peer will send ICMP pings to origin server
5257 sites of the URLs it receives. If you enable this option the
cccac0a2 5258 ICP replies from that peer will include the ICMP data (if available).
5259 Then, when choosing a parent cache, Squid will choose the parent with
5260 the minimal RTT to the origin server. When this happens, the
5261 hierarchy field of the access.log will be
5262 "CLOSEST_PARENT_MISS". This option is off by default.
5263DOC_END
5264
5265NAME: test_reachability
5266COMMENT: on|off
5267TYPE: onoff
5268DEFAULT: off
5269LOC: Config.onoff.test_reachability
5270DOC_START
5271 When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
5272 instead of ICP_MISS if the target host is NOT in the ICMP
5273 database, or has a zero RTT.
5274DOC_END
5275
5473c134 5276NAME: icp_query_timeout
5277COMMENT: (msec)
5278DEFAULT: 0
5279TYPE: int
5280LOC: Config.Timeout.icp_query
4c3ef9b2 5281DOC_START
5473c134 5282 Normally Squid will automatically determine an optimal ICP
5283 query timeout value based on the round-trip-time of recent ICP
5284 queries. If you want to override the value determined by
5285 Squid, set this 'icp_query_timeout' to a non-zero value. This
5286 value is specified in MILLISECONDS, so, to use a 2-second
5287 timeout (the old default), you would write:
4c3ef9b2 5288
5473c134 5289 icp_query_timeout 2000
4c3ef9b2 5290DOC_END
5291
5473c134 5292NAME: maximum_icp_query_timeout
5293COMMENT: (msec)
5294DEFAULT: 2000
5295TYPE: int
5296LOC: Config.Timeout.icp_query_max
cccac0a2 5297DOC_START
5473c134 5298 Normally the ICP query timeout is determined dynamically. But
5299 sometimes it can lead to very large values (say 5 seconds).
5300 Use this option to put an upper limit on the dynamic timeout
5301 value. Do NOT use this option to always use a fixed (instead
5302 of a dynamic) timeout value. To set a fixed timeout see the
5303 'icp_query_timeout' directive.
cccac0a2 5304DOC_END
5305
5473c134 5306NAME: minimum_icp_query_timeout
5307COMMENT: (msec)
5308DEFAULT: 5
5309TYPE: int
5310LOC: Config.Timeout.icp_query_min
cccac0a2 5311DOC_START
5473c134 5312 Normally the ICP query timeout is determined dynamically. But
5313 sometimes it can lead to very small timeouts, even lower than
5314 the normal latency variance on your link due to traffic.
5315 Use this option to put an lower limit on the dynamic timeout
5316 value. Do NOT use this option to always use a fixed (instead
5317 of a dynamic) timeout value. To set a fixed timeout see the
5318 'icp_query_timeout' directive.
cccac0a2 5319DOC_END
5320
5473c134 5321NAME: background_ping_rate
5322COMMENT: time-units
5323TYPE: time_t
5324DEFAULT: 10 seconds
5325LOC: Config.backgroundPingRate
cccac0a2 5326DOC_START
5473c134 5327 Controls how often the ICP pings are sent to siblings that
5328 have background-ping set.
cccac0a2 5329DOC_END
5330
5473c134 5331COMMENT_START
5332 MULTICAST ICP OPTIONS
5333 -----------------------------------------------------------------------------
5334COMMENT_END
5335
5336NAME: mcast_groups
5337TYPE: wordlist
5338LOC: Config.mcast_group_list
8c01ada0 5339DEFAULT: none
5340DOC_START
5473c134 5341 This tag specifies a list of multicast groups which your server
5342 should join to receive multicasted ICP queries.
8c01ada0 5343
5473c134 5344 NOTE! Be very careful what you put here! Be sure you
5345 understand the difference between an ICP _query_ and an ICP
5346 _reply_. This option is to be set only if you want to RECEIVE
5347 multicast queries. Do NOT set this option to SEND multicast
5348 ICP (use cache_peer for that). ICP replies are always sent via
5349 unicast, so this option does not affect whether or not you will
5350 receive replies from multicast group members.
8c01ada0 5351
5473c134 5352 You must be very careful to NOT use a multicast address which
5353 is already in use by another group of caches.
8c01ada0 5354
5473c134 5355 If you are unsure about multicast, please read the Multicast
5356 chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
8c01ada0 5357
5473c134 5358 Usage: mcast_groups 239.128.16.128 224.0.1.20
8c01ada0 5359
5473c134 5360 By default, Squid doesn't listen on any multicast groups.
5361DOC_END
8c01ada0 5362
5473c134 5363NAME: mcast_miss_addr
5364IFDEF: MULTICAST_MISS_STREAM
5365TYPE: address
5366LOC: Config.mcast_miss.addr
0eb08770 5367DEFAULT: no_addr
5473c134 5368DOC_START
5369 If you enable this option, every "cache miss" URL will
5370 be sent out on the specified multicast address.
cccac0a2 5371
5473c134 5372 Do not enable this option unless you are are absolutely
5373 certain you understand what you are doing.
cccac0a2 5374DOC_END
5375
5473c134 5376NAME: mcast_miss_ttl
5377IFDEF: MULTICAST_MISS_STREAM
5378TYPE: ushort
5379LOC: Config.mcast_miss.ttl
5380DEFAULT: 16
cccac0a2 5381DOC_START
5473c134 5382 This is the time-to-live value for packets multicasted
5383 when multicasting off cache miss URLs is enabled. By
5384 default this is set to 'site scope', i.e. 16.
5385DOC_END
cccac0a2 5386
5473c134 5387NAME: mcast_miss_port
5388IFDEF: MULTICAST_MISS_STREAM
5389TYPE: ushort
5390LOC: Config.mcast_miss.port
5391DEFAULT: 3135
5392DOC_START
5393 This is the port number to be used in conjunction with
5394 'mcast_miss_addr'.
5395DOC_END
cccac0a2 5396
5473c134 5397NAME: mcast_miss_encode_key
5398IFDEF: MULTICAST_MISS_STREAM
5399TYPE: string
5400LOC: Config.mcast_miss.encode_key
5401DEFAULT: XXXXXXXXXXXXXXXX
5402DOC_START
5403 The URLs that are sent in the multicast miss stream are
5404 encrypted. This is the encryption key.
5405DOC_END
8c01ada0 5406
5473c134 5407NAME: mcast_icp_query_timeout
5408COMMENT: (msec)
5409DEFAULT: 2000
5410TYPE: int
5411LOC: Config.Timeout.mcast_icp_query
5412DOC_START
5413 For multicast peers, Squid regularly sends out ICP "probes" to
5414 count how many other peers are listening on the given multicast
5415 address. This value specifies how long Squid should wait to
5416 count all the replies. The default is 2000 msec, or 2
5417 seconds.
cccac0a2 5418DOC_END
5419
5473c134 5420COMMENT_START
5421 INTERNAL ICON OPTIONS
5422 -----------------------------------------------------------------------------
5423COMMENT_END
5424
cccac0a2 5425NAME: icon_directory
5426TYPE: string
5427LOC: Config.icons.directory
5428DEFAULT: @DEFAULT_ICON_DIR@
5429DOC_START
5430 Where the icons are stored. These are normally kept in
5431 @DEFAULT_ICON_DIR@
5432DOC_END
5433
f024c970 5434NAME: global_internal_static
5435TYPE: onoff
5436LOC: Config.onoff.global_internal_static
5437DEFAULT: on
5438DOC_START
5439 This directive controls is Squid should intercept all requests for
5440 /squid-internal-static/ no matter which host the URL is requesting
5441 (default on setting), or if nothing special should be done for
5442 such URLs (off setting). The purpose of this directive is to make
5443 icons etc work better in complex cache hierarchies where it may
5444 not always be possible for all corners in the cache mesh to reach
5445 the server generating a directory listing.
5446DOC_END
5447
5473c134 5448NAME: short_icon_urls
5449TYPE: onoff
5450LOC: Config.icons.use_short_names
5451DEFAULT: on
5452DOC_START
5453 If this is enabled Squid will use short URLs for icons.
5454 If disabled it will revert to the old behavior of including
5455 it's own name and port in the URL.
5456
5457 If you run a complex cache hierarchy with a mix of Squid and
5458 other proxies you may need to disable this directive.
5459DOC_END
5460
5461COMMENT_START
5462 ERROR PAGE OPTIONS
5463 -----------------------------------------------------------------------------
5464COMMENT_END
5465
5466NAME: error_directory
5467TYPE: string
5468LOC: Config.errorDirectory
43000484 5469DEFAULT: none
5473c134 5470DOC_START
5471 If you wish to create your own versions of the default
43000484
AJ		 5472 error files to customize them to suit your company copy
5473 the error/template files to another directory and point
5474 this tag at them.
5475
5476 WARNING: This option will disable multi-language support
5477 on error pages if used.
5473c134 5478
5479 The squid developers are interested in making squid available in
5480 a wide variety of languages. If you are making translations for a
43000484 5481 language that Squid does not currently provide please consider
5473c134 5482 contributing your translation back to the project.
43000484
AJ		 5483 http://wiki.squid-cache.org/Translations
5484
5485 The squid developers working on translations are happy to supply drop-in
5486 translated error files in exchange for any new language contributions.
5487DOC_END
5488
5489NAME: error_default_language
5490IFDEF: USE_ERR_LOCALES
5491TYPE: string
5492LOC: Config.errorDefaultLanguage
5493DEFAULT: none
5494DOC_START
5495 Set the default language which squid will send error pages in
5496 if no existing translation matches the clients language
5497 preferences.
5498
5499 If unset (default) generic English will be used.
5500
5501 The squid developers are interested in making squid available in
5502 a wide variety of languages. If you are interested in making
5503 translations for any language see the squid wiki for details.
5504 http://wiki.squid-cache.org/Translations
5473c134 5505DOC_END
5506
c411820c
AJ		 5507NAME: error_log_languages
5508IFDEF: USE_ERR_LOCALES
5509TYPE: onoff
5510LOC: Config.errorLogMissingLanguages
5511DEFAULT: on
5512DOC_START
5513 Log to cache.log what languages users are attempting to
5514 auto-negotiate for translations.
5515
5516 Successful negotiations are not logged. Only failures
5517 have meaning to indicate that Squid may need an upgrade
0c49f10e 5518 of its error page translations.
c411820c
AJ		 5519DOC_END
5520
5b52cb6c
AJ		 5521NAME: err_page_stylesheet
5522TYPE: string
5523LOC: Config.errorStylesheet
5524DEFAULT: @DEFAULT_CONFIG_DIR@/errorpage.css
5525DOC_START
5526 CSS Stylesheet to pattern the display of Squid default error pages.
5527
5528 For information on CSS see http://www.w3.org/Style/CSS/
5529DOC_END
5530
5473c134 5531NAME: err_html_text
5532TYPE: eol
5533LOC: Config.errHtmlText
5534DEFAULT: none
5535DOC_START
5536 HTML text to include in error messages. Make this a "mailto"
5537 URL to your admin address, or maybe just a link to your
5538 organizations Web page.
5539
5540 To include this in your error messages, you must rewrite
5541 the error template files (found in the "errors" directory).
5542 Wherever you want the 'err_html_text' line to appear,
5543 insert a %L tag in the error template file.
5544DOC_END
5545
5546NAME: email_err_data
5547COMMENT: on|off
5548TYPE: onoff
5549LOC: Config.onoff.emailErrData
5550DEFAULT: on
5551DOC_START
5552 If enabled, information about the occurred error will be
5553 included in the mailto links of the ERR pages (if %W is set)
5554 so that the email body contains the data.
5555 Syntax is <A HREF="mailto:%w%W">%w</A>
5556DOC_END
5557
5558NAME: deny_info
5559TYPE: denyinfo
5560LOC: Config.denyInfoList
5561DEFAULT: none
5562DOC_START
5563 Usage: deny_info err_page_name acl
5564 or deny_info http://... acl
43000484 5565 or deny_info TCP_RESET acl
5473c134 5566
5567 This can be used to return a ERR_ page for requests which
5568 do not pass the 'http_access' rules. Squid remembers the last
5569 acl it evaluated in http_access, and if a 'deny_info' line exists
5570 for that ACL Squid returns a corresponding error page.
5571
5572 The acl is typically the last acl on the http_access deny line which
5573 denied access. The exceptions to this rule are:
5574 - When Squid needs to request authentication credentials. It's then
5575 the first authentication related acl encountered
5576 - When none of the http_access lines matches. It's then the last
5577 acl processed on the last http_access line.
5578
43000484
AJ		 5579 NP: If providing your own custom error pages with error_directory
5580 you may also specify them by your custom file name:
5581 Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
5473c134 5582
5473c134 5583 Alternatively you can tell Squid to reset the TCP connection
5584 by specifying TCP_RESET.
15b02e9a
AJ		 5585
5586 Or you can specify an error URL or URL pattern. The browsers will
5587 get redirected (302) to the specified URL after formattgin tags have
5588 been replaced.
5589
5590 URL FORMAT TAGS:
5591 %a - username (if available. Password NOT included)
5592 %B - FTP path URL
5593 %e - Error number
5594 %E - Error description
5595 %h - Squid hostname
5596 %H - Request domain name
5597 %i - Client IP Address
5598 %M - Request Method
5599 %o - Message result from external ACL helper
5600 %p - Request Port number
5601 %P - Request Protocol name
5602 %R - Request URL path
5603 %T - Timestamp in RFC 1123 format
5604 %U - Full canonical URL from client
5605 (HTTPS URLs terminate with *)
5606 %u - Full canonical URL from client
5607 %w - Admin email from squid.conf
5608 %% - Literal percent (%) code
5609
5473c134 5610DOC_END
5611
5612COMMENT_START
5613 OPTIONS INFLUENCING REQUEST FORWARDING
5614 -----------------------------------------------------------------------------
5615COMMENT_END
5616
5617NAME: nonhierarchical_direct
e72a0ec0 5618TYPE: onoff
5473c134 5619LOC: Config.onoff.nonhierarchical_direct
e72a0ec0 5620DEFAULT: on
5621DOC_START
5473c134 5622 By default, Squid will send any non-hierarchical requests
5623 (matching hierarchy_stoplist or not cacheable request type) direct
5624 to origin servers.
e72a0ec0 5625
5473c134 5626 If you set this to off, Squid will prefer to send these
5627 requests to parents.
0b0cfcf2 5628
5473c134 5629 Note that in most configurations, by turning this off you will only
5630 add latency to these request without any improvement in global hit
5631 ratio.
0b0cfcf2 5632
5473c134 5633 If you are inside an firewall see never_direct instead of
5634 this directive.
8d6275c0 5635DOC_END
0b0cfcf2 5636
5473c134 5637NAME: prefer_direct
8d6275c0 5638TYPE: onoff
5473c134 5639LOC: Config.onoff.prefer_direct
8d6275c0 5640DEFAULT: off
5641DOC_START
5473c134 5642 Normally Squid tries to use parents for most requests. If you for some
5643 reason like it to first try going direct and only use a parent if
5644 going direct fails set this to on.
0b0cfcf2 5645
5473c134 5646 By combining nonhierarchical_direct off and prefer_direct on you
5647 can set up Squid to use a parent as a backup path if going direct
5648 fails.
5649
5650 Note: If you want Squid to use parents for all requests see
5651 the never_direct directive. prefer_direct only modifies how Squid
5652 acts on cacheable requests.
cccac0a2 5653DOC_END
5654
5473c134 5655NAME: always_direct
8d6275c0 5656TYPE: acl_access
5473c134 5657LOC: Config.accessList.AlwaysDirect
0b0cfcf2 5658DEFAULT: none
0b0cfcf2 5659DOC_START
5473c134 5660 Usage: always_direct allow|deny [!]aclname ...
0b0cfcf2 5661
5473c134 5662 Here you can use ACL elements to specify requests which should
5663 ALWAYS be forwarded by Squid to the origin servers without using
5664 any peers. For example, to always directly forward requests for
5665 local servers ignoring any parents or siblings you may have use
5666 something like:
0b0cfcf2 5667
5473c134 5668 acl local-servers dstdomain my.domain.net
5669 always_direct allow local-servers
0b0cfcf2 5670
5473c134 5671 To always forward FTP requests directly, use
f16fbc82 5672
5473c134 5673 acl FTP proto FTP
5674 always_direct allow FTP
cccac0a2 5675
5473c134 5676 NOTE: There is a similar, but opposite option named
5677 'never_direct'. You need to be aware that "always_direct deny
5678 foo" is NOT the same thing as "never_direct allow foo". You
5679 may need to use a deny rule to exclude a more-specific case of
5680 some other rule. Example:
8d6275c0 5681
5473c134 5682 acl local-external dstdomain external.foo.net
5683 acl local-servers dstdomain .foo.net
5684 always_direct deny local-external
5685 always_direct allow local-servers
8d6275c0 5686
5473c134 5687 NOTE: If your goal is to make the client forward the request
5688 directly to the origin server bypassing Squid then this needs
5689 to be done in the client configuration. Squid configuration
5690 can only tell Squid how Squid should fetch the object.
8d6275c0 5691
5473c134 5692 NOTE: This directive is not related to caching. The replies
5693 is cached as usual even if you use always_direct. To not cache
b3567eb5 5694 the replies see the 'cache' directive.
5473c134 5695
b3567eb5
FC		 5696 This clause supports both fast and slow acl types.
5697 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
cccac0a2 5698DOC_END
0976f8db 5699
5473c134 5700NAME: never_direct
5701TYPE: acl_access
5702LOC: Config.accessList.NeverDirect
5703DEFAULT: none
8d6275c0 5704DOC_START
5473c134 5705 Usage: never_direct allow|deny [!]aclname ...
5706
5707 never_direct is the opposite of always_direct. Please read
5708 the description for always_direct if you have not already.
5709
5710 With 'never_direct' you can use ACL elements to specify
5711 requests which should NEVER be forwarded directly to origin
5712 servers. For example, to force the use of a proxy for all
5713 requests, except those in your local domain use something like:
5714
5715 acl local-servers dstdomain .foo.net
5473c134 5716 never_direct deny local-servers
5717 never_direct allow all
5718
5719 or if Squid is inside a firewall and there are local intranet
5720 servers inside the firewall use something like:
5721
5722 acl local-intranet dstdomain .foo.net
5723 acl local-external dstdomain external.foo.net
5724 always_direct deny local-external
5725 always_direct allow local-intranet
5726 never_direct allow all
5727
b3567eb5
FC		 5728 This clause supports both fast and slow acl types.
5729 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
8d6275c0 5730DOC_END
0976f8db 5731
5473c134 5732COMMENT_START
5733 ADVANCED NETWORKING OPTIONS
5734 -----------------------------------------------------------------------------
5735COMMENT_END
5736
cccac0a2 5737NAME: incoming_icp_average
5738TYPE: int
5739DEFAULT: 6
5740LOC: Config.comm_incoming.icp_average
5741DOC_NONE
5742
5743NAME: incoming_http_average
5744TYPE: int
5745DEFAULT: 4
5746LOC: Config.comm_incoming.http_average
5747DOC_NONE
5748
5749NAME: incoming_dns_average
5750TYPE: int
5751DEFAULT: 4
5752LOC: Config.comm_incoming.dns_average
5753DOC_NONE
5754
5755NAME: min_icp_poll_cnt
5756TYPE: int
5757DEFAULT: 8
5758LOC: Config.comm_incoming.icp_min_poll
5759DOC_NONE
5760
5761NAME: min_dns_poll_cnt
5762TYPE: int
5763DEFAULT: 8
5764LOC: Config.comm_incoming.dns_min_poll
5765DOC_NONE
5766
5767NAME: min_http_poll_cnt
5768TYPE: int
5769DEFAULT: 8
5770LOC: Config.comm_incoming.http_min_poll
5771DOC_START
5473c134 5772 Heavy voodoo here. I can't even believe you are reading this.
5773 Are you crazy? Don't even think about adjusting these unless
5774 you understand the algorithms in comm_select.c first!
5775DOC_END
5776
5777NAME: accept_filter
5473c134 5778TYPE: string
5779DEFAULT: none
5780LOC: Config.accept_filter
5781DOC_START
0b4d4be5 5782 FreeBSD:
5783
5473c134 5784 The name of an accept(2) filter to install on Squid's
5785 listen socket(s). This feature is perhaps specific to
5786 FreeBSD and requires support in the kernel.
5787
5788 The 'httpready' filter delays delivering new connections
2324cda2 5789 to Squid until a full HTTP request has been received.
0b4d4be5 5790 See the accf_http(9) man page for details.
5791
5792 The 'dataready' filter delays delivering new connections
5793 to Squid until there is some data to process.
5794 See the accf_dataready(9) man page for details.
5795
5796 Linux:
5797
5798 The 'data' filter delays delivering of new connections
5799 to Squid until there is some data to process by TCP_ACCEPT_DEFER.
5800 You may optionally specify a number of seconds to wait by
5801 'data=N' where N is the number of seconds. Defaults to 30
5802 if not specified. See the tcp(7) man page for details.
5473c134 5803EXAMPLE:
0b4d4be5 5804# FreeBSD
5473c134 5805accept_filter httpready
0b4d4be5 5806# Linux
5807accept_filter data
5473c134 5808DOC_END
5809
ab2ecb0e
AJ		 5810NAME: client_ip_max_connections
5811TYPE: int
5812LOC: Config.client_ip_max_connections
5813DEFAULT: -1
5814DOC_START
5815 Set an absolute limit on the number of connections a single
5816 client IP can use. Any more than this and Squid will begin to drop
5817 new connections from the client until it closes some links.
5818
5819 Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
5820 connections from the client. For finer control use the ACL access controls.
5821
5822 Requires client_db to be enabled (the default).
5823
5824 WARNING: This may noticably slow down traffic received via external proxies
5825 or NAT devices and cause them to rebound error messages back to their clients.
5826DOC_END
5827
5473c134 5828NAME: tcp_recv_bufsize
5829COMMENT: (bytes)
5830TYPE: b_size_t
5831DEFAULT: 0 bytes
5832LOC: Config.tcpRcvBufsz
5833DOC_START
5834 Size of receive buffer to set for TCP sockets. Probably just
5835 as easy to change your kernel's default. Set to zero to use
5836 the default buffer size.
5837DOC_END
5838
5839COMMENT_START
5840 ICAP OPTIONS
5841 -----------------------------------------------------------------------------
5842COMMENT_END
5843
5844NAME: icap_enable
5845TYPE: onoff
5846IFDEF: ICAP_CLIENT
5847COMMENT: on|off
26cc52cb 5848LOC: Adaptation::Icap::TheConfig.onoff
5473c134 5849DEFAULT: off
5850DOC_START
53e738c6 5851 If you want to enable the ICAP module support, set this to on.
5473c134 5852DOC_END
5853
5854NAME: icap_connect_timeout
5855TYPE: time_t
5856DEFAULT: none
26cc52cb 5857LOC: Adaptation::Icap::TheConfig.connect_timeout_raw
5473c134 5858IFDEF: ICAP_CLIENT
5859DOC_START
5860 This parameter specifies how long to wait for the TCP connect to
5861 the requested ICAP server to complete before giving up and either
5862 terminating the HTTP transaction or bypassing the failure.
5863
5864 The default for optional services is peer_connect_timeout.
5865 The default for essential services is connect_timeout.
5866 If this option is explicitly set, its value applies to all services.
5867DOC_END
5868
5869NAME: icap_io_timeout
5870COMMENT: time-units
5871TYPE: time_t
5872DEFAULT: none
26cc52cb 5873LOC: Adaptation::Icap::TheConfig.io_timeout_raw
5473c134 5874IFDEF: ICAP_CLIENT
5875DOC_START
5876 This parameter specifies how long to wait for an I/O activity on
5877 an established, active ICAP connection before giving up and
5878 either terminating the HTTP transaction or bypassing the
5879 failure.
5880
5881 The default is read_timeout.
5882DOC_END
5883
5884NAME: icap_service_failure_limit
8277060a
CT		 5885COMMENT: limit [in memory-depth time-units]
5886TYPE: icap_service_failure_limit
5473c134 5887IFDEF: ICAP_CLIENT
8277060a 5888LOC: Adaptation::Icap::TheConfig
5473c134 5889DEFAULT: 10
5890DOC_START
5891 The limit specifies the number of failures that Squid tolerates
5892 when establishing a new TCP connection with an ICAP service. If
5893 the number of failures exceeds the limit, the ICAP service is
5894 not used for new ICAP requests until it is time to refresh its
8277060a 5895 OPTIONS.
5473c134 5896
5897 A negative value disables the limit. Without the limit, an ICAP
5898 service will not be considered down due to connectivity failures
5899 between ICAP OPTIONS requests.
8277060a
CT		 5900
5901 Squid forgets ICAP service failures older than the specified
5902 value of memory-depth. The memory fading algorithm
5903 is approximate because Squid does not remember individual
5904 errors but groups them instead, splitting the option
5905 value into ten time slots of equal length.
5906
5907 When memory-depth is 0 and by default this option has no
5908 effect on service failure expiration.
5909
5910 Squid always forgets failures when updating service settings
5911 using an ICAP OPTIONS transaction, regardless of this option
5912 setting.
5913
5914 For example,
5915 # suspend service usage after 10 failures in 5 seconds:
5916 icap_service_failure_limit 10 in 5 seconds
cccac0a2 5917DOC_END
5918
5473c134 5919NAME: icap_service_revival_delay
cccac0a2 5920TYPE: int
5473c134 5921IFDEF: ICAP_CLIENT
26cc52cb 5922LOC: Adaptation::Icap::TheConfig.service_revival_delay
5473c134 5923DEFAULT: 180
cccac0a2 5924DOC_START
5473c134 5925 The delay specifies the number of seconds to wait after an ICAP
5926 OPTIONS request failure before requesting the options again. The
5927 failed ICAP service is considered "down" until fresh OPTIONS are
5928 fetched.
cccac0a2 5929
5473c134 5930 The actual delay cannot be smaller than the hardcoded minimum
5931 delay of 30 seconds.
cccac0a2 5932DOC_END
5933
5473c134 5934NAME: icap_preview_enable
cccac0a2 5935TYPE: onoff
5473c134 5936IFDEF: ICAP_CLIENT
5937COMMENT: on|off
26cc52cb 5938LOC: Adaptation::Icap::TheConfig.preview_enable
ac7a62f9 5939DEFAULT: on
cccac0a2 5940DOC_START
ac7a62f9 5941 The ICAP Preview feature allows the ICAP server to handle the
5942 HTTP message by looking only at the beginning of the message body
5943 or even without receiving the body at all. In some environments,
5944 previews greatly speedup ICAP processing.
5945
5946 During an ICAP OPTIONS transaction, the server may tell Squid what
5947 HTTP messages should be previewed and how big the preview should be.
5948 Squid will not use Preview if the server did not request one.
5949
5950 To disable ICAP Preview for all ICAP services, regardless of
5951 individual ICAP server OPTIONS responses, set this option to "off".
5952Example:
5953icap_preview_enable off
cccac0a2 5954DOC_END
5955
5473c134 5956NAME: icap_preview_size
5957TYPE: int
5958IFDEF: ICAP_CLIENT
26cc52cb 5959LOC: Adaptation::Icap::TheConfig.preview_size
5473c134 5960DEFAULT: -1
cccac0a2 5961DOC_START
53e738c6 5962 The default size of preview data to be sent to the ICAP server.
5963 -1 means no preview. This value might be overwritten on a per server
5964 basis by OPTIONS requests.
cccac0a2 5965DOC_END
5966
5473c134 5967NAME: icap_default_options_ttl
5968TYPE: int
5969IFDEF: ICAP_CLIENT
26cc52cb 5970LOC: Adaptation::Icap::TheConfig.default_options_ttl
5473c134 5971DEFAULT: 60
cccac0a2 5972DOC_START
53e738c6 5973 The default TTL value for ICAP OPTIONS responses that don't have
5473c134 5974 an Options-TTL header.
cccac0a2 5975DOC_END
5976
5473c134 5977NAME: icap_persistent_connections
5978TYPE: onoff
5979IFDEF: ICAP_CLIENT
5980COMMENT: on|off
26cc52cb 5981LOC: Adaptation::Icap::TheConfig.reuse_connections
5473c134 5982DEFAULT: on
cccac0a2 5983DOC_START
5473c134 5984 Whether or not Squid should use persistent connections to
5985 an ICAP server.
cccac0a2 5986DOC_END
5987
5473c134 5988NAME: icap_send_client_ip
5989TYPE: onoff
5990IFDEF: ICAP_CLIENT
5991COMMENT: on|off
26cc52cb 5992LOC: Adaptation::Icap::TheConfig.send_client_ip
5473c134 5993DEFAULT: off
cccac0a2 5994DOC_START
53e738c6 5995 This adds the header "X-Client-IP" to ICAP requests.
cccac0a2 5996DOC_END
5997
5473c134 5998NAME: icap_send_client_username
5999TYPE: onoff
6000IFDEF: ICAP_CLIENT
6001COMMENT: on|off
26cc52cb 6002LOC: Adaptation::Icap::TheConfig.send_client_username
5473c134 6003DEFAULT: off
cccac0a2 6004DOC_START
5473c134 6005 This sends authenticated HTTP client username (if available) to
6006 the ICAP service. The username value is encoded based on the
6007 icap_client_username_encode option and is sent using the header
6008 specified by the icap_client_username_header option.
cccac0a2 6009DOC_END
6010
5473c134 6011NAME: icap_client_username_header
cccac0a2 6012TYPE: string
5473c134 6013IFDEF: ICAP_CLIENT
26cc52cb 6014LOC: Adaptation::Icap::TheConfig.client_username_header
5473c134 6015DEFAULT: X-Client-Username
cccac0a2 6016DOC_START
5473c134 6017 ICAP request header name to use for send_client_username.
cccac0a2 6018DOC_END
6019
5473c134 6020NAME: icap_client_username_encode
cccac0a2 6021TYPE: onoff
5473c134 6022IFDEF: ICAP_CLIENT
6023COMMENT: on|off
26cc52cb 6024LOC: Adaptation::Icap::TheConfig.client_username_encode
5473c134 6025DEFAULT: off
cccac0a2 6026DOC_START
5473c134 6027 Whether to base64 encode the authenticated client username.
cccac0a2 6028DOC_END
6029
5473c134 6030NAME: icap_service
6031TYPE: icap_service_type
6032IFDEF: ICAP_CLIENT
26cc52cb 6033LOC: Adaptation::Icap::TheConfig
5473c134 6034DEFAULT: none
cccac0a2 6035DOC_START
a22e6cd3 6036 Defines a single ICAP service using the following format:
cccac0a2 6037
a22e6cd3 6038 icap_service service_name vectoring_point [options] service_url
7d90757b 6039
a22e6cd3
AR		 6040 service_name: ID
6041 an opaque identifier which must be unique in squid.conf
6042
6043 vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
f3db09e2 6044 This specifies at which point of transaction processing the
6045 ICAP service should be activated. *_postcache vectoring points
6046 are not yet supported.
a22e6cd3
AR		 6047
6048 service_url: icap://servername:port/servicepath
6049 ICAP server and service location.
6050
6051 ICAP does not allow a single service to handle both REQMOD and RESPMOD
6052 transactions. Squid does not enforce that requirement. You can specify
6053 services with the same service_url and different vectoring_points. You
6054 can even specify multiple identical services as long as their
6055 service_names differ.
6056
6057
6058 Service options are separated by white space. ICAP services support
6059 the following name=value options:
6060
6061 bypass=on|off|1|0
6062 If set to 'on' or '1', the ICAP service is treated as
6063 optional. If the service cannot be reached or malfunctions,
6064 Squid will try to ignore any errors and process the message as
6065 if the service was not enabled. No all ICAP errors can be
6066 bypassed. If set to 0, the ICAP service is treated as
6067 essential and all ICAP errors will result in an error page
6068 returned to the HTTP client.
6069
6070 Bypass is off by default: services are treated as essential.
6071
6072 routing=on|off|1|0
6073 If set to 'on' or '1', the ICAP service is allowed to
6074 dynamically change the current message adaptation plan by
6075 returning a chain of services to be used next. The services
6076 are specified using the X-Next-Services ICAP response header
6077 value, formatted as a comma-separated list of service names.
6078 Each named service should be configured in squid.conf and
6079 should have the same method and vectoring point as the current
6080 ICAP transaction. Services violating these rules are ignored.
6081 An empty X-Next-Services value results in an empty plan which
6082 ends the current adaptation.
6083
6084 Routing is not allowed by default: the ICAP X-Next-Services
6085 response header is ignored.
6086
6087 Older icap_service format without optional named parameters is
6088 deprecated but supported for backward compatibility.
5473c134 6089
5473c134 6090Example:
a22e6cd3
AR		 6091icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod
6092icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod
cccac0a2 6093DOC_END
6094
5473c134 6095NAME: icap_class
6096TYPE: icap_class_type
6097IFDEF: ICAP_CLIENT
21a26d31 6098LOC: none
5473c134 6099DEFAULT: none
cccac0a2 6100DOC_START
a22e6cd3 6101 This deprecated option was documented to define an ICAP service
62c7f90e
AR		 6102 chain, even though it actually defined a set of similar, redundant
6103 services, and the chains were not supported.
5473c134 6104
62c7f90e 6105 To define a set of redundant services, please use the
a22e6cd3
AR		 6106 adaptation_service_set directive. For service chains, use
6107 adaptation_service_chain.
cccac0a2 6108DOC_END
6109
5473c134 6110NAME: icap_access
6111TYPE: icap_access_type
6112IFDEF: ICAP_CLIENT
21a26d31 6113LOC: none
cccac0a2 6114DEFAULT: none
cccac0a2 6115DOC_START
a22e6cd3 6116 This option is deprecated. Please use adaptation_access, which
62c7f90e
AR		 6117 has the same ICAP functionality, but comes with better
6118 documentation, and eCAP support.
cccac0a2 6119DOC_END
6120
57afc994
AR		 6121COMMENT_START
6122 eCAP OPTIONS
6123 -----------------------------------------------------------------------------
6124COMMENT_END
6125
21a26d31
AR		 6126NAME: ecap_enable
6127TYPE: onoff
6128IFDEF: USE_ECAP
6129COMMENT: on|off
574b508c 6130LOC: Adaptation::Ecap::TheConfig.onoff
21a26d31
AR		 6131DEFAULT: off
6132DOC_START
6133 Controls whether eCAP support is enabled.
6134DOC_END
6135
6136NAME: ecap_service
6137TYPE: ecap_service_type
6138IFDEF: USE_ECAP
574b508c 6139LOC: Adaptation::Ecap::TheConfig
21a26d31
AR		 6140DEFAULT: none
6141DOC_START
6142 Defines a single eCAP service
6143
6144 ecap_service servicename vectoring_point bypass service_url
6145
6146 vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
6147 This specifies at which point of transaction processing the
6148 eCAP service should be activated. *_postcache vectoring points
6149 are not yet supported.
6150 bypass = 1|0
6151 If set to 1, the eCAP service is treated as optional. If the
6152 service cannot be reached or malfunctions, Squid will try to
6153 ignore any errors and process the message as if the service
6154 was not enabled. No all eCAP errors can be bypassed.
6155 If set to 0, the eCAP service is treated as essential and all
6156 eCAP errors will result in an error page returned to the
6157 HTTP client.
6158 service_url = ecap://vendor/service_name?custom&cgi=style&parameters=optional
6159
6160Example:
6161ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
6162ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
6163DOC_END
6164
57afc994
AR		 6165NAME: loadable_modules
6166TYPE: wordlist
6167IFDEF: USE_LOADABLE_MODULES
6168LOC: Config.loadable_module_names
6169DEFAULT: none
6170DOC_START
6171 Instructs Squid to load the specified dynamic module(s) or activate
6172 preloaded module(s).
6173Example:
6174loadable_modules @DEFAULT_PREFIX@/lib/MinimalAdapter.so
6175DOC_END
6176
62c7f90e
AR		 6177COMMENT_START
6178 MESSAGE ADAPTATION OPTIONS
6179 -----------------------------------------------------------------------------
6180COMMENT_END
6181
6182NAME: adaptation_service_set
6183TYPE: adaptation_service_set_type
6184IFDEF: USE_ADAPTATION
6185LOC: none
6186DEFAULT: none
6187DOC_START
6188
a22e6cd3
AR		 6189 Configures an ordered set of similar, redundant services. This is
6190 useful when hot standby or backup adaptation servers are available.
6191
6192 adaptation_service_set set_name service_name1 service_name2 ...
6193
6194 The named services are used in the set declaration order. The first
6195 applicable adaptation service from the set is used first. The next
6196 applicable service is tried if and only if the transaction with the
6197 previous service fails and the message waiting to be adapted is still
6198 intact.
62c7f90e 6199
a22e6cd3
AR		 6200 When adaptation starts, broken services are ignored as if they were
6201 not a part of the set. A broken service is a down optional service.
62c7f90e 6202
a22e6cd3
AR		 6203 The services in a set must be attached to the same vectoring point
6204 (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
6205
6206 If all services in a set are optional then adaptation failures are
6207 bypassable. If all services in the set are essential, then a
6208 transaction failure with one service may still be retried using
6209 another service from the set, but when all services fail, the master
6210 transaction fails as well.
6211
6212 A set may contain a mix of optional and essential services, but that
6213 is likely to lead to surprising results because broken services become
6214 ignored (see above), making previously bypassable failures fatal.
6215 Technically, it is the bypassability of the last failed service that
6216 matters.
6217
6218 See also: adaptation_access adaptation_service_chain
62c7f90e
AR		 6219
6220Example:
6221adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
6222adaptation service_set svcLogger loggerLocal loggerRemote
6223DOC_END
6224
a22e6cd3
AR		 6225NAME: adaptation_service_chain
6226TYPE: adaptation_service_chain_type
6227IFDEF: USE_ADAPTATION
6228LOC: none
6229DEFAULT: none
6230DOC_START
6231
6232 Configures a list of complementary services that will be applied
6233 one-by-one, forming an adaptation chain or pipeline. This is useful
6234 when Squid must perform different adaptations on the same message.
6235
6236 adaptation_service_chain chain_name service_name1 svc_name2 ...
6237
6238 The named services are used in the chain declaration order. The first
6239 applicable adaptation service from the chain is used first. The next
6240 applicable service is applied to the successful adaptation results of
6241 the previous service in the chain.
6242
6243 When adaptation starts, broken services are ignored as if they were
6244 not a part of the chain. A broken service is a down optional service.
6245
6246 Request satisfaction terminates the adaptation chain because Squid
6247 does not currently allow declaration of RESPMOD services at the
6248 "reqmod_precache" vectoring point (see icap_service or ecap_service).
6249
6250 The services in a chain must be attached to the same vectoring point
6251 (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
6252
6253 A chain may contain a mix of optional and essential services. If an
6254 essential adaptation fails (or the failure cannot be bypassed for
6255 other reasons), the master transaction fails. Otherwise, the failure
6256 is bypassed as if the failed adaptation service was not in the chain.
6257
6258 See also: adaptation_access adaptation_service_set
6259
6260Example:
6261adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
6262DOC_END
6263
62c7f90e
AR		 6264NAME: adaptation_access
6265TYPE: adaptation_access_type
6266IFDEF: USE_ADAPTATION
6267LOC: none
6268DEFAULT: none
6269DOC_START
6270 Sends an HTTP transaction to an ICAP or eCAP adaptation service.
6271
6272 adaptation_access service_name allow|deny [!]aclname...
6273 adaptation_access set_name allow|deny [!]aclname...
6274
6275 At each supported vectoring point, the adaptation_access
6276 statements are processed in the order they appear in this
6277 configuration file. Statements pointing to the following services
6278 are ignored (i.e., skipped without checking their ACL):
6279
6280 - services serving different vectoring points
6281 - "broken-but-bypassable" services
6282 - "up" services configured to ignore such transactions
6283 (e.g., based on the ICAP Transfer-Ignore header).
6284
6285 When a set_name is used, all services in the set are checked
6286 using the same rules, to find the first applicable one. See
6287 adaptation_service_set for details.
6288
6289 If an access list is checked and there is a match, the
6290 processing stops: For an "allow" rule, the corresponding
6291 adaptation service is used for the transaction. For a "deny"
6292 rule, no adaptation service is activated.
6293
6294 It is currently not possible to apply more than one adaptation
6295 service at the same vectoring point to the same HTTP transaction.
6296
6297 See also: icap_service and ecap_service
6298
6299Example:
6300adaptation_access service_1 allow all
6301DOC_END
6302
a22e6cd3
AR		 6303NAME: adaptation_service_iteration_limit
6304TYPE: int
6305IFDEF: USE_ADAPTATION
6306LOC: Adaptation::Config::service_iteration_limit
6307DEFAULT: 16
6308DOC_START
6309 Limits the number of iterations allowed when applying adaptation
6310 services to a message. If your longest adaptation set or chain
6311 may have more than 16 services, increase the limit beyond its
6312 default value of 16. If detecting infinite iteration loops sooner
6313 is critical, make the iteration limit match the actual number
6314 of services in your longest adaptation set or chain.
6315
6316 Infinite adaptation loops are most likely with routing services.
6317
6318 See also: icap_service routing=1
6319DOC_END
6320
3ff65596
AR		 6321NAME: adaptation_masterx_shared_names
6322TYPE: string
6323IFDEF: USE_ADAPTATION
6324LOC: Adaptation::Config::masterx_shared_name
6325DEFAULT: none
6326DOC_START
6327 For each master transaction (i.e., the HTTP request and response
6328 sequence, including all related ICAP and eCAP exchanges), Squid
6329 maintains a table of metadata. The table entries are (name, value)
6330 pairs shared among eCAP and ICAP exchanges. The table is destroyed
6331 with the master transaction.
6332
6333 This option specifies the table entry names that Squid must accept
6334 from and forward to the adaptation transactions.
6335
6336 An ICAP REQMOD or RESPMOD transaction may set an entry in the
6337 shared table by returning an ICAP header field with a name
6338 specified in adaptation_masterx_shared_names. Squid will store
6339 and forward that ICAP header field to subsequent ICAP
6340 transactions within the same master transaction scope.
6341
6342 Only one shared entry name is supported at this time.
6343
6344Example:
6345# share authentication information among ICAP services
6346adaptation_masterx_shared_names X-Subscriber-ID
6347DOC_END
6348
6349NAME: icap_retry
6350TYPE: acl_access
6351IFDEF: ICAP_CLIENT
6352LOC: Adaptation::Icap::TheConfig.repeat
6353DEFAULT: none
6354DEFAULT_IF_NONE: deny all
6355DOC_START
6356 This ACL determines which retriable ICAP transactions are
6357 retried. Transactions that received a complete ICAP response
6358 and did not have to consume or produce HTTP bodies to receive
6359 that response are usually retriable.
6360
6361 icap_retry allow|deny [!]aclname ...
6362
6363 Squid automatically retries some ICAP I/O timeouts and errors
6364 due to persistent connection race conditions.
6365
6366 See also: icap_retry_limit
6367DOC_END
6368
6369NAME: icap_retry_limit
6370TYPE: int
6371IFDEF: ICAP_CLIENT
6372LOC: Adaptation::Icap::TheConfig.repeat_limit
6373DEFAULT: 0
6374DOC_START
6375 Limits the number of retries allowed. When set to zero (default),
6376 no retries are allowed.
6377
6378 Communication errors due to persistent connection race
6379 conditions are unavoidable, automatically retried, and do not
6380 count against this limit.
6381
6382 See also: icap_retry
6383DOC_END
6384
6385
5473c134 6386COMMENT_START
6387 DNS OPTIONS
6388 -----------------------------------------------------------------------------
6389COMMENT_END
6390
6391NAME: check_hostnames
cccac0a2 6392TYPE: onoff
cccac0a2 6393DEFAULT: off
5473c134 6394LOC: Config.onoff.check_hostnames
cccac0a2 6395DOC_START
5473c134 6396 For security and stability reasons Squid can check
6397 hostnames for Internet standard RFC compliance. If you want
6398 Squid to perform these checks turn this directive on.
cccac0a2 6399DOC_END
6400
5473c134 6401NAME: allow_underscore
cccac0a2 6402TYPE: onoff
cccac0a2 6403DEFAULT: on
5473c134 6404LOC: Config.onoff.allow_underscore
cccac0a2 6405DOC_START
5473c134 6406 Underscore characters is not strictly allowed in Internet hostnames
6407 but nevertheless used by many sites. Set this to off if you want
6408 Squid to be strict about the standard.
6409 This check is performed only when check_hostnames is set to on.
cccac0a2 6410DOC_END
6411
5473c134 6412NAME: cache_dns_program
cccac0a2 6413TYPE: string
5473c134 6414IFDEF: USE_DNSSERVERS
6415DEFAULT: @DEFAULT_DNSSERVER@
6416LOC: Config.Program.dnsserver
cccac0a2 6417DOC_START
5473c134 6418 Specify the location of the executable for dnslookup process.
cccac0a2 6419DOC_END
6420
5473c134 6421NAME: dns_children
48d54e4d 6422TYPE: HelperChildConfig
5473c134 6423IFDEF: USE_DNSSERVERS
48d54e4d 6424DEFAULT: 32 startup=1 idle=1
5473c134 6425LOC: Config.dnsChildren
58850d15 6426DOC_START
48d54e4d
AJ		 6427 The maximum number of processes spawn to service DNS name lookups.
6428 If you limit it too few Squid will have to wait for them to process
6429 a backlog of requests, slowing it down. If you allow too many they
6430 will use RAM and other system resources noticably.
6431 The maximum this may be safely set to is 32.
6432
6433 The startup= and idle= options allow some measure of skew in your
6434 tuning.
6435
6436 startup=
6437
6438 Sets a minimum of how many processes are to be spawned when Squid
6439 starts or reconfigures. When set to zero the first request will
6440 cause spawning of the first child process to handle it.
6441
6442 Starting too few will cause an initial slowdown in traffic as Squid
6443 attempts to simultaneously spawn enough processes to cope.
6444
6445 idle=
6446
6447 Sets a minimum of how many processes Squid is to try and keep available
6448 at all times. When traffic begins to rise above what the existing
6449 processes can handle this many more will be spawned up to the maximum
6450 configured. A minimum setting of 1 is required.
58850d15 6451DOC_END
6452
5473c134 6453NAME: dns_retransmit_interval
6454TYPE: time_t
6455DEFAULT: 5 seconds
6456LOC: Config.Timeout.idns_retransmit
6457IFDEF: !USE_DNSSERVERS
cccac0a2 6458DOC_START
5473c134 6459 Initial retransmit interval for DNS queries. The interval is
6460 doubled each time all configured DNS servers have been tried.
cccac0a2 6461DOC_END
6462
5473c134 6463NAME: dns_timeout
6464TYPE: time_t
6465DEFAULT: 2 minutes
6466LOC: Config.Timeout.idns_query
6467IFDEF: !USE_DNSSERVERS
cccac0a2 6468DOC_START
5473c134 6469 DNS Query timeout. If no response is received to a DNS query
6470 within this time all DNS servers for the queried domain
6471 are assumed to be unavailable.
cccac0a2 6472DOC_END
6473
5473c134 6474NAME: dns_defnames
6475COMMENT: on|off
cccac0a2 6476TYPE: onoff
cccac0a2 6477DEFAULT: off
5473c134 6478LOC: Config.onoff.res_defnames
cccac0a2 6479DOC_START
5473c134 6480 Normally the RES_DEFNAMES resolver option is disabled
6481 (see res_init(3)). This prevents caches in a hierarchy
6482 from interpreting single-component hostnames locally. To allow
6483 Squid to handle single-component names, enable this option.
cccac0a2 6484DOC_END
6485
5473c134 6486NAME: dns_nameservers
6487TYPE: wordlist
6488DEFAULT: none
6489LOC: Config.dns_nameservers
cccac0a2 6490DOC_START
5473c134 6491 Use this if you want to specify a list of DNS name servers
6492 (IP addresses) to use instead of those given in your
6493 /etc/resolv.conf file.
6494 On Windows platforms, if no value is specified here or in
6495 the /etc/resolv.conf file, the list of DNS name servers are
6496 taken from the Windows registry, both static and dynamic DHCP
6497 configurations are supported.
cccac0a2 6498
5473c134 6499 Example: dns_nameservers 10.0.0.1 192.172.0.4
cccac0a2 6500DOC_END
6501
5473c134 6502NAME: hosts_file
cccac0a2 6503TYPE: string
5473c134 6504DEFAULT: @DEFAULT_HOSTS@
6505LOC: Config.etcHostsPath
cccac0a2 6506DOC_START
5473c134 6507 Location of the host-local IP name-address associations
6508 database. Most Operating Systems have such a file on different
6509 default locations:
6510 - Un*X & Linux: /etc/hosts
6511 - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
6512 (%SystemRoot% value install default is c:\winnt)
6513 - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
6514 (%SystemRoot% value install default is c:\windows)
6515 - Windows 9x/Me: %windir%\hosts
6516 (%windir% value is usually c:\windows)
6517 - Cygwin: /etc/hosts
cccac0a2 6518
5473c134 6519 The file contains newline-separated definitions, in the
6520 form ip_address_in_dotted_form name [name ...] names are
6521 whitespace-separated. Lines beginning with an hash (#)
6522 character are comments.
cccac0a2 6523
5473c134 6524 The file is checked at startup and upon configuration.
6525 If set to 'none', it won't be checked.
6526 If append_domain is used, that domain will be added to
6527 domain-local (i.e. not containing any dot character) host
6528 definitions.
cccac0a2 6529DOC_END
6530
5473c134 6531NAME: append_domain
6532TYPE: string
6533LOC: Config.appendDomain
6534DEFAULT: none
6a2f3fcf 6535DOC_START
5473c134 6536 Appends local domain name to hostnames without any dots in
6537 them. append_domain must begin with a period.
6538
6539 Be warned there are now Internet names with no dots in
6540 them using only top-domain names, so setting this may
6541 cause some Internet sites to become unavailable.
6542
6543Example:
6544 append_domain .yourdomain.com
6a2f3fcf 6545DOC_END
6546
5473c134 6547NAME: ignore_unknown_nameservers
6548TYPE: onoff
6549LOC: Config.onoff.ignore_unknown_nameservers
df6fd596 6550DEFAULT: on
6551DOC_START
5473c134 6552 By default Squid checks that DNS responses are received
6553 from the same IP addresses they are sent to. If they
6554 don't match, Squid ignores the response and writes a warning
6555 message to cache.log. You can allow responses from unknown
6556 nameservers by setting this option to 'off'.
df6fd596 6557DOC_END
6558
cc192b50 6559NAME: dns_v4_fallback
6560TYPE: onoff
6561DEFAULT: on
6562LOC: Config.onoff.dns_require_A
6563DOC_START
6564 Standard practice with DNS is to lookup either A or AAAA records
6565 and use the results if it succeeds. Only looking up the other if
6566 the first attempt fails or otherwise produces no results.
6567
6568 That policy however will cause squid to produce error pages for some
6569 servers that advertise AAAA but are unreachable over IPv6.
6570
6571 If this is ON squid will always lookup both AAAA and A, using both.
6572 If this is OFF squid will lookup AAAA and only try A if none found.
6573
6574 WARNING: There are some possibly unwanted side-effects with this on:
6575 *) Doubles the load placed by squid on the DNS network.
6576 *) May negatively impact connection delay times.
6577DOC_END
6578
6bc15a4f 6579NAME: ipcache_size
6580COMMENT: (number of entries)
6581TYPE: int
6582DEFAULT: 1024
6583LOC: Config.ipcache.size
6584DOC_NONE
6585
6586NAME: ipcache_low
6587COMMENT: (percent)
6588TYPE: int
6589DEFAULT: 90
6590LOC: Config.ipcache.low
6591DOC_NONE
6592
6593NAME: ipcache_high
6594COMMENT: (percent)
6595TYPE: int
6596DEFAULT: 95
6597LOC: Config.ipcache.high
6598DOC_START
6599 The size, low-, and high-water marks for the IP cache.
6600DOC_END
6601
6602NAME: fqdncache_size
6603COMMENT: (number of entries)
6604TYPE: int
6605DEFAULT: 1024
6606LOC: Config.fqdncache.size
6607DOC_START
6608 Maximum number of FQDN cache entries.
6609DOC_END
6610
a58ff010 6611COMMENT_START
5473c134 6612 MISCELLANEOUS
a58ff010 6613 -----------------------------------------------------------------------------
6614COMMENT_END
6615
5473c134 6616NAME: memory_pools
a58ff010 6617COMMENT: on|off
5473c134 6618TYPE: onoff
6619DEFAULT: on
6620LOC: Config.onoff.mem_pools
a58ff010 6621DOC_START
5473c134 6622 If set, Squid will keep pools of allocated (but unused) memory
6623 available for future use. If memory is a premium on your
6624 system and you believe your malloc library outperforms Squid
6625 routines, disable this.
a58ff010 6626DOC_END
6627
5473c134 6628NAME: memory_pools_limit
6629COMMENT: (bytes)
6630TYPE: b_size_t
6631DEFAULT: 5 MB
6632LOC: Config.MemPools.limit
ec1245f8 6633DOC_START
5473c134 6634 Used only with memory_pools on:
6635 memory_pools_limit 50 MB
ec1245f8 6636
5473c134 6637 If set to a non-zero value, Squid will keep at most the specified
6638 limit of allocated (but unused) memory in memory pools. All free()
6639 requests that exceed this limit will be handled by your malloc
6640 library. Squid does not pre-allocate any memory, just safe-keeps
6641 objects that otherwise would be free()d. Thus, it is safe to set
6642 memory_pools_limit to a reasonably high value even if your
6643 configuration will use less memory.
ec1245f8 6644
89646bd7 6645 If set to none, Squid will keep all memory it can. That is, there
5473c134 6646 will be no limit on the total amount of memory used for safe-keeping.
ec1245f8 6647
5473c134 6648 To disable memory allocation optimization, do not set
6649 memory_pools_limit to 0. Set memory_pools to "off" instead.
6650
6651 An overhead for maintaining memory pools is not taken into account
6652 when the limit is checked. This overhead is close to four bytes per
6653 object kept. However, pools may actually _save_ memory because of
6654 reduced memory thrashing in your malloc library.
ec1245f8 6655DOC_END
6656
5473c134 6657NAME: forwarded_for
67c06f0d
AJ		 6658COMMENT: on|off|transparent|truncate|delete
6659TYPE: string
5473c134 6660DEFAULT: on
6661LOC: opt_forwarded_for
5f8252d2 6662DOC_START
67c06f0d
AJ		 6663 If set to "on", Squid will append your client's IP address
6664 in the HTTP requests it forwards. By default it looks like:
5f8252d2 6665
5473c134 6666 X-Forwarded-For: 192.1.2.3
6667
67c06f0d 6668 If set to "off", it will appear as
5473c134 6669
6670 X-Forwarded-For: unknown
67c06f0d
AJ		 6671
6672 If set to "transparent", Squid will not alter the
6673 X-Forwarded-For header in any way.
6674
6675 If set to "delete", Squid will delete the entire
6676 X-Forwarded-For header.
6677
6678 If set to "truncate", Squid will remove all existing
6679 X-Forwarded-For entries, and place itself as the sole entry.
5f8252d2 6680DOC_END
6681
5473c134 6682NAME: cachemgr_passwd
6683TYPE: cachemgrpasswd
6684DEFAULT: none
6685LOC: Config.passwd_list
5f8252d2 6686DOC_START
5473c134 6687 Specify passwords for cachemgr operations.
5f8252d2 6688
5473c134 6689 Usage: cachemgr_passwd password action action ...
6690
6691 Some valid actions are (see cache manager menu for a full list):
6692 5min
6693 60min
6694 asndb
6695 authenticator
6696 cbdata
6697 client_list
6698 comm_incoming
6699 config *
6700 counters
6701 delay
6702 digest_stats
6703 dns
6704 events
6705 filedescriptors
6706 fqdncache
6707 histograms
6708 http_headers
6709 info
6710 io
6711 ipcache
6712 mem
6713 menu
6714 netdb
6715 non_peers
6716 objects
6717 offline_toggle *
6718 pconn
6719 peer_select
b360c477 6720 reconfigure *
5473c134 6721 redirector
6722 refresh
6723 server_list
6724 shutdown *
6725 store_digest
6726 storedir
6727 utilization
6728 via_headers
6729 vm_objects
6730
6731 * Indicates actions which will not be performed without a
6732 valid password, others can be performed if not listed here.
6733
6734 To disable an action, set the password to "disable".
6735 To allow performing an action without a password, set the
6736 password to "none".
6737
6738 Use the keyword "all" to set the same password for all actions.
6739
6740Example:
6741 cachemgr_passwd secret shutdown
6742 cachemgr_passwd lesssssssecret info stats/objects
6743 cachemgr_passwd disable all
5f8252d2 6744DOC_END
6745
5473c134 6746NAME: client_db
a58ff010 6747COMMENT: on|off
5473c134 6748TYPE: onoff
6749DEFAULT: on
6750LOC: Config.onoff.client_db
a58ff010 6751DOC_START
5473c134 6752 If you want to disable collecting per-client statistics,
6753 turn off client_db here.
a58ff010 6754DOC_END
6755
5473c134 6756NAME: refresh_all_ims
6757COMMENT: on|off
6758TYPE: onoff
6759DEFAULT: off
6760LOC: Config.onoff.refresh_all_ims
a58ff010 6761DOC_START
5473c134 6762 When you enable this option, squid will always check
6763 the origin server for an update when a client sends an
6764 If-Modified-Since request. Many browsers use IMS
6765 requests when the user requests a reload, and this
6766 ensures those clients receive the latest version.
a58ff010 6767
5473c134 6768 By default (off), squid may return a Not Modified response
6769 based on the age of the cached version.
78e8cfc4 6770DOC_END
6771
5473c134 6772NAME: reload_into_ims
6773IFDEF: HTTP_VIOLATIONS
12b91c99 6774COMMENT: on|off
5473c134 6775TYPE: onoff
6776DEFAULT: off
6777LOC: Config.onoff.reload_into_ims
12b91c99 6778DOC_START
5473c134 6779 When you enable this option, client no-cache or ``reload''
6780 requests will be changed to If-Modified-Since requests.
6781 Doing this VIOLATES the HTTP standard. Enabling this
6782 feature could make you liable for problems which it
6783 causes.
6784
6785 see also refresh_pattern for a more selective approach.
12b91c99 6786DOC_END
6787
5473c134 6788NAME: maximum_single_addr_tries
6789TYPE: int
6790LOC: Config.retry.maxtries
6791DEFAULT: 1
a58ff010 6792DOC_START
5473c134 6793 This sets the maximum number of connection attempts for a
6794 host that only has one address (for multiple-address hosts,
6795 each address is tried once).
6796
6797 The default value is one attempt, the (not recommended)
6798 maximum is 255 tries. A warning message will be generated
6799 if it is set to a value greater than ten.
6800
6801 Note: This is in addition to the request re-forwarding which
6802 takes place if Squid fails to get a satisfying response.
a58ff010 6803DOC_END
6804
5473c134 6805NAME: retry_on_error
a58ff010 6806TYPE: onoff
5473c134 6807LOC: Config.retry.onerror
a58ff010 6808DEFAULT: off
6809DOC_START
5473c134 6810 If set to on Squid will automatically retry requests when
6811 receiving an error response. This is mainly useful if you
6812 are in a complex cache hierarchy to work around access
6813 control errors.
5f8252d2 6814DOC_END
6815
5473c134 6816NAME: as_whois_server
5f8252d2 6817TYPE: string
5473c134 6818LOC: Config.as_whois_server
6819DEFAULT: whois.ra.net
6820DEFAULT_IF_NONE: whois.ra.net
5f8252d2 6821DOC_START
5473c134 6822 WHOIS server to query for AS numbers. NOTE: AS numbers are
6823 queried only when Squid starts up, not for every request.
5f8252d2 6824DOC_END
6825
5473c134 6826NAME: offline_mode
5f8252d2 6827TYPE: onoff
5473c134 6828LOC: Config.onoff.offline
5f8252d2 6829DEFAULT: off
6830DOC_START
5473c134 6831 Enable this option and Squid will never try to validate cached
6832 objects.
a58ff010 6833DOC_END
6834
5473c134 6835NAME: uri_whitespace
6836TYPE: uri_whitespace
6837LOC: Config.uri_whitespace
6838DEFAULT: strip
a58ff010 6839DOC_START
5473c134 6840 What to do with requests that have whitespace characters in the
6841 URI. Options:
a58ff010 6842
5473c134 6843 strip: The whitespace characters are stripped out of the URL.
6844 This is the behavior recommended by RFC2396.
6845 deny: The request is denied. The user receives an "Invalid
6846 Request" message.
6847 allow: The request is allowed and the URI is not changed. The
6848 whitespace characters remain in the URI. Note the
6849 whitespace is passed to redirector processes if they
6850 are in use.
6851 encode: The request is allowed and the whitespace characters are
6852 encoded according to RFC1738. This could be considered
6853 a violation of the HTTP/1.1
6854 RFC because proxies are not allowed to rewrite URI's.
6855 chop: The request is allowed and the URI is chopped at the
6856 first whitespace. This might also be considered a
6857 violation.
6858DOC_END
a58ff010 6859
5473c134 6860NAME: chroot
6861TYPE: string
6862LOC: Config.chroot_dir
a58ff010 6863DEFAULT: none
6864DOC_START
9f37c18a 6865 Specifies a directory where Squid should do a chroot() while
2d89f399
HN		 6866 initializing. This also causes Squid to fully drop root
6867 privileges after initializing. This means, for example, if you
6868 use a HTTP port less than 1024 and try to reconfigure, you may
6869 get an error saying that Squid can not open the port.
5473c134 6870DOC_END
a58ff010 6871
5473c134 6872NAME: balance_on_multiple_ip
6873TYPE: onoff
6874LOC: Config.onoff.balance_on_multiple_ip
cc192b50 6875DEFAULT: off
5473c134 6876DOC_START
cc192b50 6877 Modern IP resolvers in squid sort lookup results by preferred access.
6878 By default squid will use these IP in order and only rotates to
6879 the next listed when the most preffered fails.
6880
5473c134 6881 Some load balancing servers based on round robin DNS have been
6882 found not to preserve user session state across requests
6883 to different IP addresses.
a58ff010 6884
cc192b50 6885 Enabling this directive Squid rotates IP's per request.
a58ff010 6886DOC_END
6887
5473c134 6888NAME: pipeline_prefetch
6889TYPE: onoff
6890LOC: Config.onoff.pipeline_prefetch
6891DEFAULT: off
a58ff010 6892DOC_START
5473c134 6893 To boost the performance of pipelined requests to closer
6894 match that of a non-proxied environment Squid can try to fetch
6895 up to two requests in parallel from a pipeline.
a58ff010 6896
5473c134 6897 Defaults to off for bandwidth management and access logging
6898 reasons.
6899DOC_END
a58ff010 6900
5473c134 6901NAME: high_response_time_warning
6902TYPE: int
6903COMMENT: (msec)
6904LOC: Config.warnings.high_rptm
6905DEFAULT: 0
6906DOC_START
6907 If the one-minute median response time exceeds this value,
6908 Squid prints a WARNING with debug level 0 to get the
6909 administrators attention. The value is in milliseconds.
a58ff010 6910DOC_END
6911
5473c134 6912NAME: high_page_fault_warning
6913TYPE: int
6914LOC: Config.warnings.high_pf
6915DEFAULT: 0
cc9f92d4 6916DOC_START
5473c134 6917 If the one-minute average page fault rate exceeds this
6918 value, Squid prints a WARNING with debug level 0 to get
6919 the administrators attention. The value is in page faults
6920 per second.
6921DOC_END
cc9f92d4 6922
5473c134 6923NAME: high_memory_warning
6924TYPE: b_size_t
6925LOC: Config.warnings.high_memory
904971da 6926DEFAULT: 0 KB
5473c134 6927DOC_START
6928 If the memory usage (as determined by mallinfo) exceeds
904971da 6929 this amount, Squid prints a WARNING with debug level 0 to get
5473c134 6930 the administrators attention.
6931DOC_END
cc9f92d4 6932
5473c134 6933NAME: sleep_after_fork
6934COMMENT: (microseconds)
6935TYPE: int
6936LOC: Config.sleep_after_fork
6937DEFAULT: 0
6938DOC_START
6939 When this is set to a non-zero value, the main Squid process
6940 sleeps the specified number of microseconds after a fork()
6941 system call. This sleep may help the situation where your
6942 system reports fork() failures due to lack of (virtual)
6943 memory. Note, however, if you have a lot of child
6944 processes, these sleep delays will add up and your
6945 Squid will not service requests for some amount of time
6946 until all the child processes have been started.
6947 On Windows value less then 1000 (1 milliseconds) are
6948 rounded to 1000.
cc9f92d4 6949DOC_END
6950
b6696974 6951NAME: windows_ipaddrchangemonitor
6b0516c6 6952IFDEF: _SQUID_MSWIN_
b6696974
GS		 6953COMMENT: on|off
6954TYPE: onoff
6955DEFAULT: on
6956LOC: Config.onoff.WIN32_IpAddrChangeMonitor
6957DOC_START
6958 On Windows Squid by default will monitor IP address changes and will
6959 reconfigure itself after any detected event. This is very useful for
6960 proxies connected to internet with dial-up interfaces.
6961 In some cases (a Proxy server acting as VPN gateway is one) it could be
6962 desiderable to disable this behaviour setting this to 'off'.
6963 Note: after changing this, Squid service must be restarted.
6964DOC_END
6965
a98c2da5
AJ		 6966NAME: eui_lookup
6967TYPE: onoff
6968IFDEF: USE_SQUID_EUI
6969DEFAULT: on
6970LOC: Eui::TheConfig.euiLookup
6971DOC_START
6972 Whether to lookup the EUI or MAC address of a connected client.
6973DOC_END
6974
cccac0a2 6975EOF
Mirror of https://github.com/squid-cache/squid.git