]> git.ipfire.org Git - thirdparty/squid.git/blame - src/cf.data.pre
projects / thirdparty / squid.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merged from trunk
[thirdparty/squid.git] / src / cf.data.pre
CommitLineData
9cef6668 1#
6845f129 2# SQUID Web Proxy Cache http://www.squid-cache.org/
9cef6668 3# ----------------------------------------------------------
4#
2b6662ba 5# Squid is the result of efforts by numerous individuals from
6# the Internet community; see the CONTRIBUTORS file for full
7# details. Many organizations have provided support for Squid's
8# development; see the SPONSORS file for full details. Squid is
9# Copyrighted (C) 2000 by the Regents of the University of
10# California; see the COPYRIGHT file for full details. Squid
11# incorporates software developed and/or copyrighted by other
12# sources; see the CREDITS file for full details.
9cef6668 13#
14# This program is free software; you can redistribute it and/or modify
15# it under the terms of the GNU General Public License as published by
16# the Free Software Foundation; either version 2 of the License, or
17# (at your option) any later version.
96d88dcb 18#
9cef6668 19# This program is distributed in the hope that it will be useful,
20# but WITHOUT ANY WARRANTY; without even the implied warranty of
21# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22# GNU General Public License for more details.
96d88dcb 23#
9cef6668 24# You should have received a copy of the GNU General Public License
25# along with this program; if not, write to the Free Software
26# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
27#
28
0f74202c 29COMMENT_START
ad12fb4b 30 WELCOME TO @SQUID@
cccac0a2 31 ----------------------------
3a278cb8 32
cccac0a2 33 This is the default Squid configuration file. You may wish
34 to look at the Squid home page (http://www.squid-cache.org/)
35 for the FAQ and other documentation.
3a278cb8 36
cccac0a2 37 The default Squid config file shows what the defaults for
38 various options happen to be. If you don't need to change the
39 default, you shouldn't uncomment the line. Doing so may cause
40 run-time problems. In some cases "none" refers to no default
41 setting at all, while in other cases it refers to a valid
42 option - the comments for that keyword indicate if this is the
43 case.
debd9a31 44
cccac0a2 45COMMENT_END
3a278cb8 46
592a09dc 47COMMENT_START
48 Configuration options can be included using the "include" directive.
49 Include takes a list of files to include. Quoting and wildcards is
50 supported.
51
52 For example,
53
54 include /path/to/included/file/squid.acl.config
55
56 Includes can be nested up to a hard-coded depth of 16 levels.
57 This arbitrary restriction is to prevent recursive include references
58 from causing Squid entering an infinite loop whilst trying to load
59 configuration files.
60COMMENT_END
61
5473c134 62COMMENT_START
41bd17a4 63 OPTIONS FOR AUTHENTICATION
5473c134 64 -----------------------------------------------------------------------------
65COMMENT_END
66
41bd17a4 67NAME: auth_param
68TYPE: authparam
69LOC: Config.authConfiguration
cccac0a2 70DEFAULT: none
71DOC_START
41bd17a4 72 This is used to define parameters for the various authentication
73 schemes supported by Squid.
cccac0a2 74
41bd17a4 75 format: auth_param scheme parameter [setting]
cccac0a2 76
41bd17a4 77 The order in which authentication schemes are presented to the client is
78 dependent on the order the scheme first appears in config file. IE
79 has a bug (it's not RFC 2617 compliant) in that it will use the basic
80 scheme if basic is the first entry presented, even if more secure
81 schemes are presented. For now use the order in the recommended
82 settings section below. If other browsers have difficulties (don't
83 recognize the schemes offered even if you are using basic) either
84 put basic first, or disable the other schemes (by commenting out their
85 program entry).
cccac0a2 86
41bd17a4 87 Once an authentication scheme is fully configured, it can only be
88 shutdown by shutting squid down and restarting. Changes can be made on
89 the fly and activated with a reconfigure. I.E. You can change to a
90 different helper, but not unconfigure the helper completely.
cccac0a2 91
41bd17a4 92 Please note that while this directive defines how Squid processes
93 authentication it does not automatically activate authentication.
94 To use authentication you must in addition make use of ACLs based
95 on login name in http_access (proxy_auth, proxy_auth_regex or
96 external with %LOGIN used in the format tag). The browser will be
97 challenged for authentication on the first such acl encountered
98 in http_access processing and will also be re-challenged for new
99 login credentials if the request is being denied by a proxy_auth
100 type acl.
cccac0a2 101
41bd17a4 102 WARNING: authentication can't be used in a transparently intercepting
103 proxy as the client then thinks it is talking to an origin server and
104 not the proxy. This is a limitation of bending the TCP/IP protocol to
105 transparently intercepting port 80, not a limitation in Squid.
b3567eb5
FC		 106 Ports flagged 'transparent', 'intercept', or 'tproxy' have
107 authentication disabled.
cccac0a2 108
41bd17a4 109 === Parameters for the basic scheme follow. ===
cccac0a2 110
41bd17a4 111 "program" cmdline
112 Specify the command for the external authenticator. Such a program
113 reads a line containing "username password" and replies "OK" or
114 "ERR" in an endless loop. "ERR" responses may optionally be followed
115 by a error description available as %m in the returned error page.
b3567eb5
FC		 116 If you use an authenticator, make sure you have 1 acl of type
117 proxy_auth.
cccac0a2 118
41bd17a4 119 By default, the basic authentication scheme is not used unless a
120 program is specified.
cccac0a2 121
41bd17a4 122 If you want to use the traditional NCSA proxy authentication, set
123 this line to something like
307b83b7 124
41bd17a4 125 auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
9e7dbc51 126
d2a89ac1
AJ		 127 "utf8" on|off
128 HTTP uses iso-latin-1 as characterset, while some authentication
129 backends such as LDAP expects UTF-8. If this is set to on Squid will
130 translate the HTTP iso-latin-1 charset to UTF-8 before sending the
131 username & password to the helper.
132
7353861b 133 "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
48d54e4d 134 The maximum number of authenticator processes to spawn. If you start too few
41bd17a4 135 Squid will have to wait for them to process a backlog of credential
136 verifications, slowing it down. When password verifications are
137 done via a (slow) network you are likely to need lots of
138 authenticator processes.
48d54e4d
AJ		 139
140 The startup= and idle= options permit some skew in the exact amount
141 run. A minimum of startup=N will begin during startup and reconfigure
142 and Squid will start more in groups of up to idle=N in an attempt to meet
143 traffic needs and to keep idle=N free above those traffic needs up to
144 the maximum.
145
7353861b
HN		 146 The concurrency= option sets the number of concurrent requests the
147 helper can process. The default of 0 is used for helpers who only
148 supports one request at a time. Setting this to a number greater than
149 0 changes the protocol used to include a channel number first on the
150 request/response line, allowing multiple requests to be sent to the
151 same helper in parallell without wating for the response.
41bd17a4 152 Must not be set unless it's known the helper supports this.
7353861b
HN		 153
154 auth_param basic children 20 startup=0 idle=1
0fdafae7 155
41bd17a4 156 "realm" realmstring
157 Specifies the realm name which is to be reported to the
158 client for the basic proxy authentication scheme (part of
159 the text the user will see when prompted their username and
160 password). There is no default.
161 auth_param basic realm Squid proxy-caching web server
d1b63fc8 162
41bd17a4 163 "credentialsttl" timetolive
164 Specifies how long squid assumes an externally validated
165 username:password pair is valid for - in other words how
166 often the helper program is called for that user. Set this
167 low to force revalidation with short lived passwords. Note
168 setting this high does not impact your susceptibility
169 to replay attacks unless you are using an one-time password
170 system (such as SecureID). If you are using such a system,
171 you will be vulnerable to replay attacks unless you also
172 use the max_user_ip ACL in an http_access rule.
cccac0a2 173
41bd17a4 174 "casesensitive" on|off
175 Specifies if usernames are case sensitive. Most user databases are
176 case insensitive allowing the same username to be spelled using both
177 lower and upper case letters, but some are case sensitive. This
178 makes a big difference for user_max_ip ACL processing and similar.
179 auth_param basic casesensitive off
cccac0a2 180
41bd17a4 181 === Parameters for the digest scheme follow ===
cccac0a2 182
41bd17a4 183 "program" cmdline
184 Specify the command for the external authenticator. Such
185 a program reads a line containing "username":"realm" and
186 replies with the appropriate H(A1) value hex encoded or
187 ERR if the user (or his H(A1) hash) does not exists.
188 See rfc 2616 for the definition of H(A1).
189 "ERR" responses may optionally be followed by a error description
190 available as %m in the returned error page.
cccac0a2 191
41bd17a4 192 By default, the digest authentication scheme is not used unless a
193 program is specified.
b8c0c06d 194
41bd17a4 195 If you want to use a digest authenticator, set this line to
196 something like
cccac0a2 197
7ce93108 198 auth_param digest program @DEFAULT_PREFIX@/bin/digest_pw_auth @DEFAULT_PREFIX@/etc/digpass
cccac0a2 199
d2a89ac1
AJ		 200 "utf8" on|off
201 HTTP uses iso-latin-1 as characterset, while some authentication
202 backends such as LDAP expects UTF-8. If this is set to on Squid will
203 translate the HTTP iso-latin-1 charset to UTF-8 before sending the
204 username & password to the helper.
205
7353861b 206 "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
48d54e4d 207 The maximum number of authenticator processes to spawn (default 5).
41bd17a4 208 If you start too few Squid will have to wait for them to
209 process a backlog of H(A1) calculations, slowing it down.
210 When the H(A1) calculations are done via a (slow) network
211 you are likely to need lots of authenticator processes.
48d54e4d
AJ		 212
213 The startup= and idle= options permit some skew in the exact amount
214 run. A minimum of startup=N will begin during startup and reconfigure
215 and Squid will start more in groups of up to idle=N in an attempt to meet
216 traffic needs and to keep idle=N free above those traffic needs up to
217 the maximum.
218
7353861b
HN		 219 The concurrency= option sets the number of concurrent requests the
220 helper can process. The default of 0 is used for helpers who only
221 supports one request at a time. Setting this to a number greater than
222 0 changes the protocol used to include a channel number first on the
223 request/response line, allowing multiple requests to be sent to the
224 same helper in parallell without wating for the response.
225 Must not be set unless it's known the helper supports this.
226
48d54e4d 227 auth_param digest children 20 startup=0 idle=1
cccac0a2 228
41bd17a4 229 "realm" realmstring
230 Specifies the realm name which is to be reported to the
231 client for the digest proxy authentication scheme (part of
232 the text the user will see when prompted their username and
233 password). There is no default.
234 auth_param digest realm Squid proxy-caching web server
cccac0a2 235
41bd17a4 236 "nonce_garbage_interval" timeinterval
237 Specifies the interval that nonces that have been issued
238 to client_agent's are checked for validity.
cccac0a2 239
41bd17a4 240 "nonce_max_duration" timeinterval
241 Specifies the maximum length of time a given nonce will be
242 valid for.
cccac0a2 243
41bd17a4 244 "nonce_max_count" number
245 Specifies the maximum number of times a given nonce can be
246 used.
cccac0a2 247
41bd17a4 248 "nonce_strictness" on|off
249 Determines if squid requires strict increment-by-1 behavior
250 for nonce counts, or just incrementing (off - for use when
251 useragents generate nonce counts that occasionally miss 1
252 (ie, 1,2,4,6)). Default off.
cccac0a2 253
41bd17a4 254 "check_nonce_count" on|off
255 This directive if set to off can disable the nonce count check
256 completely to work around buggy digest qop implementations in
257 certain mainstream browser versions. Default on to check the
258 nonce count to protect from authentication replay attacks.
cccac0a2 259
41bd17a4 260 "post_workaround" on|off
261 This is a workaround to certain buggy browsers who sends
262 an incorrect request digest in POST requests when reusing
263 the same nonce as acquired earlier on a GET request.
cccac0a2 264
41bd17a4 265 === NTLM scheme options follow ===
cccac0a2 266
41bd17a4 267 "program" cmdline
268 Specify the command for the external NTLM authenticator.
269 Such a program reads exchanged NTLMSSP packets with
270 the browser via Squid until authentication is completed.
271 If you use an NTLM authenticator, make sure you have 1 acl
272 of type proxy_auth. By default, the NTLM authenticator_program
273 is not used.
cccac0a2 274
41bd17a4 275 auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
cccac0a2 276
48d54e4d
AJ		 277 "children" numberofchildren [startup=N] [idle=N]
278 The maximum number of authenticator processes to spawn (default 5).
41bd17a4 279 If you start too few Squid will have to wait for them to
280 process a backlog of credential verifications, slowing it
281 down. When credential verifications are done via a (slow)
282 network you are likely to need lots of authenticator
283 processes.
cccac0a2 284
48d54e4d
AJ		 285 The startup= and idle= options permit some skew in the exact amount
286 run. A minimum of startup=N will begin during startup and reconfigure
287 and Squid will start more in groups of up to idle=N in an attempt to meet
288 traffic needs and to keep idle=N free above those traffic needs up to
289 the maximum.
290
291 auth_param ntlm children 20 startup=0 idle=1
cccac0a2 292
41bd17a4 293 "keep_alive" on|off
294 If you experience problems with PUT/POST requests when using the
295 Negotiate authentication scheme then you can try setting this to
296 off. This will cause Squid to forcibly close the connection on
297 the initial requests where the browser asks which schemes are
298 supported by the proxy.
cccac0a2 299
41bd17a4 300 auth_param ntlm keep_alive on
cccac0a2 301
41bd17a4 302 === Options for configuring the NEGOTIATE auth-scheme follow ===
cccac0a2 303
41bd17a4 304 "program" cmdline
305 Specify the command for the external Negotiate authenticator.
306 This protocol is used in Microsoft Active-Directory enabled setups with
307 the Microsoft Internet Explorer or Mozilla Firefox browsers.
308 Its main purpose is to exchange credentials with the Squid proxy
309 using the Kerberos mechanisms.
b3567eb5
FC		 310 If you use a Negotiate authenticator, make sure you have at least
311 one acl of type proxy_auth active. By default, the negotiate
312 authenticator_program is not used.
41bd17a4 313 The only supported program for this role is the ntlm_auth
314 program distributed as part of Samba, version 4 or later.
cccac0a2 315
41bd17a4 316 auth_param negotiate program @DEFAULT_PREFIX@/bin/ntlm_auth --helper-protocol=gss-spnego
cccac0a2 317
48d54e4d
AJ		 318 "children" numberofchildren [startup=N] [idle=N]
319 The maximum number of authenticator processes to spawn (default 5).
41bd17a4 320 If you start too few Squid will have to wait for them to
321 process a backlog of credential verifications, slowing it
322 down. When crendential verifications are done via a (slow)
323 network you are likely to need lots of authenticator
324 processes.
48d54e4d
AJ		 325
326 The startup= and idle= options permit some skew in the exact amount
327 run. A minimum of startup=N will begin during startup and reconfigure
328 and Squid will start more in groups of up to idle=N in an attempt to meet
329 traffic needs and to keep idle=N free above those traffic needs up to
330 the maximum.
331
332 auth_param negotiate children 20 startup=0 idle=1
d3803853 333
41bd17a4 334 "keep_alive" on|off
335 If you experience problems with PUT/POST requests when using the
336 Negotiate authentication scheme then you can try setting this to
337 off. This will cause Squid to forcibly close the connection on
338 the initial requests where the browser asks which schemes are
339 supported by the proxy.
527ee50d 340
41bd17a4 341 auth_param negotiate keep_alive on
cccac0a2 342
e0855596
AJ		 343
344 Examples:
345
41bd17a4 346#Recommended minimum configuration per scheme:
347#auth_param negotiate program <uncomment and complete this line to activate>
48d54e4d 348#auth_param negotiate children 20 startup=0 idle=1
41bd17a4 349#auth_param negotiate keep_alive on
e0855596 350#
41bd17a4 351#auth_param ntlm program <uncomment and complete this line to activate>
48d54e4d 352#auth_param ntlm children 20 startup=0 idle=1
41bd17a4 353#auth_param ntlm keep_alive on
e0855596 354#
41bd17a4 355#auth_param digest program <uncomment and complete this line>
48d54e4d 356#auth_param digest children 20 startup=0 idle=1
41bd17a4 357#auth_param digest realm Squid proxy-caching web server
358#auth_param digest nonce_garbage_interval 5 minutes
359#auth_param digest nonce_max_duration 30 minutes
360#auth_param digest nonce_max_count 50
e0855596 361#
41bd17a4 362#auth_param basic program <uncomment and complete this line>
48d54e4d 363#auth_param basic children 5 stratup=5 idle=1
41bd17a4 364#auth_param basic realm Squid proxy-caching web server
365#auth_param basic credentialsttl 2 hours
41bd17a4 366DOC_END
cccac0a2 367
41bd17a4 368NAME: authenticate_cache_garbage_interval
369TYPE: time_t
370DEFAULT: 1 hour
371LOC: Config.authenticateGCInterval
372DOC_START
373 The time period between garbage collection across the username cache.
374 This is a tradeoff between memory utilization (long intervals - say
375 2 days) and CPU (short intervals - say 1 minute). Only change if you
376 have good reason to.
377DOC_END
cccac0a2 378
41bd17a4 379NAME: authenticate_ttl
380TYPE: time_t
381DEFAULT: 1 hour
382LOC: Config.authenticateTTL
383DOC_START
384 The time a user & their credentials stay in the logged in
385 user cache since their last request. When the garbage
386 interval passes, all user credentials that have passed their
387 TTL are removed from memory.
388DOC_END
cccac0a2 389
41bd17a4 390NAME: authenticate_ip_ttl
391TYPE: time_t
392LOC: Config.authenticateIpTTL
393DEFAULT: 0 seconds
394DOC_START
395 If you use proxy authentication and the 'max_user_ip' ACL,
396 this directive controls how long Squid remembers the IP
397 addresses associated with each user. Use a small value
398 (e.g., 60 seconds) if your users might change addresses
399 quickly, as is the case with dialups. You might be safe
400 using a larger value (e.g., 2 hours) in a corporate LAN
401 environment with relatively static address assignments.
402DOC_END
cccac0a2 403
3d1e3e43 404COMMENT_START
405 ACCESS CONTROLS
406 -----------------------------------------------------------------------------
407COMMENT_END
408
41bd17a4 409NAME: external_acl_type
410TYPE: externalAclHelper
411LOC: Config.externalAclHelperList
cccac0a2 412DEFAULT: none
cccac0a2 413DOC_START
41bd17a4 414 This option defines external acl classes using a helper program
415 to look up the status
cccac0a2 416
41bd17a4 417 external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
cccac0a2 418
41bd17a4 419 Options:
cccac0a2 420
41bd17a4 421 ttl=n TTL in seconds for cached results (defaults to 3600
422 for 1 hour)
423 negative_ttl=n
424 TTL for cached negative lookups (default same
425 as ttl)
48d54e4d
AJ		 426 children-max=n
427 Maximum number of acl helper processes spawned to service
428 external acl lookups of this type. (default 20)
429 children-startup=n
430 Minimum number of acl helper processes to spawn during
431 startup and reconfigure to service external acl lookups
432 of this type. (default 0)
433 children-idle=n
434 Number of acl helper processes to keep ahead of traffic
435 loads. Squid will spawn this many at once whenever load
436 rises above the capabilities of existing processes.
437 Up to the value of children-max. (default 1)
41bd17a4 438 concurrency=n concurrency level per process. Only used with helpers
439 capable of processing more than one query at a time.
48d54e4d 440 cache=n limit the result cache size, default is unbounded.
41bd17a4 441 grace=n Percentage remaining of TTL where a refresh of a
442 cached entry should be initiated without needing to
48d54e4d 443 wait for a new reply. (default is for no grace period)
41bd17a4 444 protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
cc192b50 445 ipv4 / ipv6 IP-mode used to communicate to this helper.
446 For compatability with older configurations and helpers
1de68cc1 447 the default is 'ipv4'.
cccac0a2 448
41bd17a4 449 FORMAT specifications
cccac0a2 450
41bd17a4 451 %LOGIN Authenticated user login name
452 %EXT_USER Username from external acl
453 %IDENT Ident user name
454 %SRC Client IP
455 %SRCPORT Client source port
456 %URI Requested URI
457 %DST Requested host
458 %PROTO Requested protocol
459 %PORT Requested port
460 %PATH Requested URL path
461 %METHOD Request method
462 %MYADDR Squid interface address
463 %MYPORT Squid http_port number
464 %PATH Requested URL-path (including query-string if any)
465 %USER_CERT SSL User certificate in PEM format
466 %USER_CERTCHAIN SSL User certificate chain in PEM format
467 %USER_CERT_xx SSL User certificate subject attribute xx
468 %USER_CA_xx SSL User certificate issuer attribute xx
7b0ca1e8 469
c68c9682 470 %>{Header} HTTP request header "Header"
7b0ca1e8 471 %>{Hdr:member}
c68c9682 472 HTTP request header "Hdr" list member "member"
7b0ca1e8 473 %>{Hdr:;member}
41bd17a4 474 HTTP request header list member using ; as
475 list separator. ; can be any non-alphanumeric
476 character.
cccac0a2 477
c68c9682 478 %<{Header} HTTP reply header "Header"
7b0ca1e8 479 %<{Hdr:member}
c68c9682 480 HTTP reply header "Hdr" list member "member"
7b0ca1e8
AJ		 481 %<{Hdr:;member}
482 HTTP reply header list member using ; as
483 list separator. ; can be any non-alphanumeric
484 character.
485
41bd17a4 486 In addition to the above, any string specified in the referencing
487 acl will also be included in the helper request line, after the
488 specified formats (see the "acl external" directive)
cccac0a2 489
41bd17a4 490 The helper receives lines per the above format specification,
491 and returns lines starting with OK or ERR indicating the validity
492 of the request and optionally followed by additional keywords with
493 more details.
cccac0a2 494
41bd17a4 495 General result syntax:
cccac0a2 496
41bd17a4 497 OK/ERR keyword=value ...
cccac0a2 498
41bd17a4 499 Defined keywords:
cccac0a2 500
41bd17a4 501 user= The users name (login)
502 password= The users password (for login= cache_peer option)
503 message= Message describing the reason. Available as %o
504 in error pages
505 tag= Apply a tag to a request (for both ERR and OK results)
506 Only sets a tag, does not alter existing tags.
507 log= String to be logged in access.log. Available as
508 %ea in logformat specifications
934b03fc 509
41bd17a4 510 If protocol=3.0 (the default) then URL escaping is used to protect
511 each value in both requests and responses.
6a566b9c 512
41bd17a4 513 If using protocol=2.5 then all values need to be enclosed in quotes
514 if they may contain whitespace, or the whitespace escaped using \.
515 And quotes or \ characters within the keyword value must be \ escaped.
1e5562e3 516
41bd17a4 517 When using the concurrency= option the protocol is changed by
518 introducing a query channel tag infront of the request/response.
519 The query channel tag is a number between 0 and concurrency-1.
cccac0a2 520DOC_END
521
41bd17a4 522NAME: acl
523TYPE: acl
524LOC: Config.aclList
1f5bd0a4 525DEFAULT: all src all
cccac0a2 526DOC_START
41bd17a4 527 Defining an Access List
cccac0a2 528
375eeb3b
AJ		 529 Every access list definition must begin with an aclname and acltype,
530 followed by either type-specific arguments or a quoted filename that
531 they are read from.
cccac0a2 532
375eeb3b
AJ		 533 acl aclname acltype argument ...
534 acl aclname acltype "file" ...
cccac0a2 535
375eeb3b 536 When using "file", the file should contain one item per line.
cccac0a2 537
41bd17a4 538 By default, regular expressions are CASE-SENSITIVE. To make
539 them case-insensitive, use the -i option.
cccac0a2 540
b3567eb5
FC		 541 Some acl types require suspending the current request in order
542 to access some external data source.
543 Those which do are marked with the tag [slow], those which
544 don't are marked as [fast].
545 See http://wiki.squid-cache.org/SquidFaq/SquidAcl
546 for further information
e988aa40
AJ		 547
548 ***** ACL TYPES AVAILABLE *****
549
b3567eb5
FC		 550 acl aclname src ip-address/netmask ... # clients IP address [fast]
551 acl aclname src addr1-addr2/netmask ... # range of addresses [fast]
552 acl aclname dst ip-address/netmask ... # URL host's IP address [slow]
553 acl aclname myip ip-address/netmask ... # local socket IP address [fast]
cccac0a2 554
41bd17a4 555 acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
556 # The arp ACL requires the special configure option --enable-arp-acl.
557 # Furthermore, the ARP ACL code is not portable to all operating systems.
b3567eb5
FC		 558 # It works on Linux, Solaris, Windows, FreeBSD, and some
559 # other *BSD variants.
560 # [fast]
41bd17a4 561 #
562 # NOTE: Squid can only determine the MAC address for clients that are on
b3567eb5
FC		 563 # the same subnet. If the client is on a different subnet,
564 # then Squid cannot find out its MAC address.
565
566 acl aclname srcdomain .foo.com ...
567 # reverse lookup, from client IP [slow]
568 acl aclname dstdomain .foo.com ...
e38c7724 569 # Destination server from URL [fast]
b3567eb5
FC		 570 acl aclname srcdom_regex [-i] \.foo\.com ...
571 # regex matching client name [slow]
572 acl aclname dstdom_regex [-i] \.foo\.com ...
e38c7724 573 # regex matching server [fast]
b3567eb5 574 #
41bd17a4 575 # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
576 # based URL is used and no match is found. The name "none" is used
577 # if the reverse lookup fails.
9bc73deb 578
375eeb3b
AJ		 579 acl aclname src_as number ...
580 acl aclname dst_as number ...
b3567eb5 581 # [fast]
e988aa40
AJ		 582 # Except for access control, AS numbers can be used for
583 # routing of requests to specific caches. Here's an
584 # example for routing all requests for AS#1241 and only
585 # those to mycache.mydomain.net:
586 # acl asexample dst_as 1241
587 # cache_peer_access mycache.mydomain.net allow asexample
588 # cache_peer_access mycache_mydomain.net deny all
7f7db318 589
6db78a1a 590 acl aclname peername myPeer ...
b3567eb5 591 # [fast]
6db78a1a
AJ		 592 # match against a named cache_peer entry
593 # set unique name= on cache_peer lines for reliable use.
594
375eeb3b 595 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
b3567eb5 596 # [fast]
375eeb3b
AJ		 597 # day-abbrevs:
598 # S - Sunday
599 # M - Monday
600 # T - Tuesday
601 # W - Wednesday
602 # H - Thursday
603 # F - Friday
604 # A - Saturday
605 # h1:m1 must be less than h2:m2
606
b3567eb5
FC		 607 acl aclname url_regex [-i] ^http:// ...
608 # regex matching on whole URL [fast]
609 acl aclname urlpath_regex [-i] \.gif$ ...
610 # regex matching on URL path [fast]
e988aa40 611
b3567eb5
FC		 612 acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
613 # ranges are alloed
614 acl aclname myport 3128 ... # local socket TCP port [fast]
615 acl aclname myportname 3128 ... # http(s)_port name [fast]
e988aa40 616
b3567eb5
FC		 617 acl aclname proto HTTP FTP ... # request protocol [fast]
618
619 acl aclname method GET POST ... # HTTP request method [fast]
e988aa40 620
b3567eb5
FC		 621 acl aclname http_status 200 301 500- 400-403 ...
622 # status code in reply [fast]
e988aa40 623
375eeb3b 624 acl aclname browser [-i] regexp ...
b3567eb5 625 # pattern match on User-Agent header (see also req_header below) [fast]
e988aa40 626
375eeb3b 627 acl aclname referer_regex [-i] regexp ...
b3567eb5 628 # pattern match on Referer header [fast]
41bd17a4 629 # Referer is highly unreliable, so use with care
e988aa40 630
375eeb3b 631 acl aclname ident username ...
41bd17a4 632 acl aclname ident_regex [-i] pattern ...
b3567eb5 633 # string match on ident output [slow]
41bd17a4 634 # use REQUIRED to accept any non-null ident.
cf5cc17e 635
41bd17a4 636 acl aclname proxy_auth [-i] username ...
637 acl aclname proxy_auth_regex [-i] pattern ...
b3567eb5
FC		 638 # perform http authentication challenge to the client and match against
639 # supplied credentials [slow]
640 #
641 # takes a list of allowed usernames.
41bd17a4 642 # use REQUIRED to accept any valid username.
643 #
b3567eb5
FC		 644 # Will use proxy authentication in forward-proxy scenarios, and plain
645 # http authenticaiton in reverse-proxy scenarios
646 #
41bd17a4 647 # NOTE: when a Proxy-Authentication header is sent but it is not
648 # needed during ACL checking the username is NOT logged
649 # in access.log.
650 #
651 # NOTE: proxy_auth requires a EXTERNAL authentication program
652 # to check username/password combinations (see
653 # auth_param directive).
654 #
e988aa40
AJ		 655 # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
656 # as the browser needs to be configured for using a proxy in order
41bd17a4 657 # to respond to proxy authentication.
8e8d4f30 658
41bd17a4 659 acl aclname snmp_community string ...
b3567eb5 660 # A community string to limit access to your SNMP Agent [fast]
41bd17a4 661 # Example:
662 #
663 # acl snmppublic snmp_community public
934b03fc 664
41bd17a4 665 acl aclname maxconn number
666 # This will be matched when the client's IP address has
b3567eb5 667 # more than <number> HTTP connections established. [fast]
1e5562e3 668
41bd17a4 669 acl aclname max_user_ip [-s] number
670 # This will be matched when the user attempts to log in from more
671 # than <number> different ip addresses. The authenticate_ip_ttl
b3567eb5 672 # parameter controls the timeout on the ip entries. [fast]
41bd17a4 673 # If -s is specified the limit is strict, denying browsing
674 # from any further IP addresses until the ttl has expired. Without
675 # -s Squid will just annoy the user by "randomly" denying requests.
676 # (the counter is reset each time the limit is reached and a
677 # request is denied)
678 # NOTE: in acceleration mode or where there is mesh of child proxies,
679 # clients may appear to come from multiple addresses if they are
680 # going through proxy farms, so a limit of 1 may cause user problems.
cccac0a2 681
cb1b906f
AJ		 682 acl aclname random probability
683 # Pseudo-randomly match requests. Based on the probability given.
684 # Probability may be written as a decimal (0.333), fraction (1/3)
685 # or ratio of matches:non-matches (3:5).
686
375eeb3b 687 acl aclname req_mime_type [-i] mime-type ...
41bd17a4 688 # regex match against the mime type of the request generated
689 # by the client. Can be used to detect file upload or some
b3567eb5 690 # types HTTP tunneling requests [fast]
41bd17a4 691 # NOTE: This does NOT match the reply. You cannot use this
692 # to match the returned file type.
cccac0a2 693
41bd17a4 694 acl aclname req_header header-name [-i] any\.regex\.here
695 # regex match against any of the known request headers. May be
696 # thought of as a superset of "browser", "referer" and "mime-type"
b3567eb5 697 # ACL [fast]
cccac0a2 698
375eeb3b 699 acl aclname rep_mime_type [-i] mime-type ...
41bd17a4 700 # regex match against the mime type of the reply received by
701 # squid. Can be used to detect file download or some
b3567eb5 702 # types HTTP tunneling requests. [fast]
41bd17a4 703 # NOTE: This has no effect in http_access rules. It only has
704 # effect in rules that affect the reply data stream such as
705 # http_reply_access.
cccac0a2 706
41bd17a4 707 acl aclname rep_header header-name [-i] any\.regex\.here
708 # regex match against any of the known reply headers. May be
709 # thought of as a superset of "browser", "referer" and "mime-type"
b3567eb5 710 # ACLs [fast]
cccac0a2 711
375eeb3b 712 acl aclname external class_name [arguments...]
41bd17a4 713 # external ACL lookup via a helper class defined by the
b3567eb5 714 # external_acl_type directive [slow]
cccac0a2 715
41bd17a4 716 acl aclname user_cert attribute values...
717 # match against attributes in a user SSL certificate
b3567eb5 718 # attribute is one of DN/C/O/CN/L/ST [fast]
cccac0a2 719
41bd17a4 720 acl aclname ca_cert attribute values...
721 # match against attributes a users issuing CA SSL certificate
b3567eb5 722 # attribute is one of DN/C/O/CN/L/ST [fast]
cccac0a2 723
41bd17a4 724 acl aclname ext_user username ...
725 acl aclname ext_user_regex [-i] pattern ...
b3567eb5 726 # string match on username returned by external acl helper [slow]
41bd17a4 727 # use REQUIRED to accept any non-null user name.
b3567eb5 728
0ab50441 729 acl aclname tag tagvalue ...
b3567eb5 730 # string match on tag returned by external acl helper [slow]
cccac0a2 731
bbaf2685
AJ		 732 acl aclname hier_code codename ...
733 # string match against squid hierarchy code(s); [fast]
734 # e.g., DIRECT, PARENT_HIT, NONE, etc.
735 #
736 # NOTE: This has no effect in http_access rules. It only has
737 # effect in rules that affect the reply data stream such as
738 # http_reply_access.
739
e0855596
AJ		 740 Examples:
741 acl macaddress arp 09:00:2b:23:45:67
742 acl myexample dst_as 1241
743 acl password proxy_auth REQUIRED
744 acl fileupload req_mime_type -i ^multipart/form-data$
745 acl javascript rep_mime_type -i ^application/x-javascript$
cccac0a2 746
41bd17a4 747NOCOMMENT_START
e0855596
AJ		 748#
749# Recommended minimum configuration:
750#
41bd17a4 751acl manager proto cache_object
ee776778 752acl localhost src 127.0.0.1/32
18a8e998 753@IPV6_ONLY_SETTING@acl localhost src ::1/128
7f83a5f6 754acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
18a8e998 755@IPV6_ONLY_SETTING@acl to_localhost dst ::1/128
e0855596 756
ee776778 757# Example rule allowing access from your local networks.
758# Adapt to list your (internal) IP networks from where browsing
759# should be allowed
760acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
761acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
762acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
18a8e998
AJ		 763@IPV6_ONLY_SETTING@acl localnet src fc00::/7 # RFC 4193 local private network range
764@IPV6_ONLY_SETTING@acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
e0855596 765
41bd17a4 766acl SSL_ports port 443
767acl Safe_ports port 80 # http
768acl Safe_ports port 21 # ftp
769acl Safe_ports port 443 # https
770acl Safe_ports port 70 # gopher
771acl Safe_ports port 210 # wais
772acl Safe_ports port 1025-65535 # unregistered ports
773acl Safe_ports port 280 # http-mgmt
774acl Safe_ports port 488 # gss-http
775acl Safe_ports port 591 # filemaker
776acl Safe_ports port 777 # multiling http
777acl CONNECT method CONNECT
778NOCOMMENT_END
779DOC_END
cccac0a2 780
3d674977
AJ		 781NAME: follow_x_forwarded_for
782TYPE: acl_access
783IFDEF: FOLLOW_X_FORWARDED_FOR
784LOC: Config.accessList.followXFF
785DEFAULT: none
786DEFAULT_IF_NONE: deny all
787DOC_START
788 Allowing or Denying the X-Forwarded-For header to be followed to
789 find the original source of a request.
790
791 Requests may pass through a chain of several other proxies
792 before reaching us. The X-Forwarded-For header will contain a
793 comma-separated list of the IP addresses in the chain, with the
794 rightmost address being the most recent.
795
796 If a request reaches us from a source that is allowed by this
797 configuration item, then we consult the X-Forwarded-For header
798 to see where that host received the request from. If the
799 X-Forwarded-For header contains multiple addresses, and if
800 acl_uses_indirect_client is on, then we continue backtracking
801 until we reach an address for which we are not allowed to
802 follow the X-Forwarded-For header, or until we reach the first
803 address in the list. (If acl_uses_indirect_client is off, then
804 it's impossible to backtrack through more than one level of
805 X-Forwarded-For addresses.)
806
807 The end result of this process is an IP address that we will
808 refer to as the indirect client address. This address may
57d76dd4 809 be treated as the client address for access control, ICAP, delay
3d674977 810 pools and logging, depending on the acl_uses_indirect_client,
57d76dd4
AJ		 811 icap_uses_indirect_client, delay_pool_uses_indirect_client and
812 log_uses_indirect_client options.
3d674977 813
b3567eb5
FC		 814 This clause only supports fast acl types.
815 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
816
3d674977
AJ		 817 SECURITY CONSIDERATIONS:
818
819 Any host for which we follow the X-Forwarded-For header
820 can place incorrect information in the header, and Squid
821 will use the incorrect information as if it were the
822 source address of the request. This may enable remote
823 hosts to bypass any access control restrictions that are
824 based on the client's source addresses.
825
826 For example:
827
828 acl localhost src 127.0.0.1
829 acl my_other_proxy srcdomain .proxy.example.com
830 follow_x_forwarded_for allow localhost
831 follow_x_forwarded_for allow my_other_proxy
832DOC_END
833
834NAME: acl_uses_indirect_client
835COMMENT: on|off
836TYPE: onoff
837IFDEF: FOLLOW_X_FORWARDED_FOR
838DEFAULT: on
839LOC: Config.onoff.acl_uses_indirect_client
840DOC_START
841 Controls whether the indirect client address
842 (see follow_x_forwarded_for) is used instead of the
843 direct client address in acl matching.
844DOC_END
845
846NAME: delay_pool_uses_indirect_client
847COMMENT: on|off
848TYPE: onoff
0dae2bca 849IFDEF: FOLLOW_X_FORWARDED_FOR&&DELAY_POOLS
3d674977
AJ		 850DEFAULT: on
851LOC: Config.onoff.delay_pool_uses_indirect_client
852DOC_START
853 Controls whether the indirect client address
854 (see follow_x_forwarded_for) is used instead of the
855 direct client address in delay pools.
856DOC_END
857
858NAME: log_uses_indirect_client
859COMMENT: on|off
860TYPE: onoff
861IFDEF: FOLLOW_X_FORWARDED_FOR
862DEFAULT: on
863LOC: Config.onoff.log_uses_indirect_client
864DOC_START
865 Controls whether the indirect client address
866 (see follow_x_forwarded_for) is used instead of the
867 direct client address in the access log.
868DOC_END
869
41bd17a4 870NAME: http_access
871TYPE: acl_access
872LOC: Config.accessList.http
873DEFAULT: none
874DEFAULT_IF_NONE: deny all
875DOC_START
876 Allowing or Denying access based on defined access lists
cccac0a2 877
41bd17a4 878 Access to the HTTP port:
879 http_access allow|deny [!]aclname ...
cccac0a2 880
41bd17a4 881 NOTE on default values:
cccac0a2 882
41bd17a4 883 If there are no "access" lines present, the default is to deny
884 the request.
cccac0a2 885
41bd17a4 886 If none of the "access" lines cause a match, the default is the
887 opposite of the last line in the list. If the last line was
888 deny, the default is allow. Conversely, if the last line
889 is allow, the default will be deny. For these reasons, it is a
51ae86b2
HN		 890 good idea to have an "deny all" entry at the end of your access
891 lists to avoid potential confusion.
cccac0a2 892
b3567eb5
FC		 893 This clause supports both fast and slow acl types.
894 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
895
41bd17a4 896NOCOMMENT_START
e0855596
AJ		 897
898#
899# Recommended minimum Access Permission configuration:
41bd17a4 900#
901# Only allow cachemgr access from localhost
902http_access allow manager localhost
903http_access deny manager
e0855596
AJ		 904
905# Deny requests to certain unsafe ports
41bd17a4 906http_access deny !Safe_ports
e0855596
AJ		 907
908# Deny CONNECT to other than secure SSL ports
41bd17a4 909http_access deny CONNECT !SSL_ports
e0855596 910
41bd17a4 911# We strongly recommend the following be uncommented to protect innocent
912# web applications running on the proxy server who think the only
913# one who can access services on "localhost" is a local user
914#http_access deny to_localhost
e0855596 915
41bd17a4 916#
917# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
e0855596 918#
c8f4eac4 919
ee776778 920# Example rule allowing access from your local networks.
921# Adapt localnet in the ACL section to list your (internal) IP networks
922# from where browsing should be allowed
923http_access allow localnet
afb33856 924http_access allow localhost
7d90757b 925
41bd17a4 926# And finally deny all other access to this proxy
927http_access deny all
928NOCOMMENT_END
929DOC_END
7d90757b 930
533493da
AJ		 931NAME: adapted_http_access http_access2
932TYPE: acl_access
933LOC: Config.accessList.adapted_http
934DEFAULT: none
935DOC_START
936 Allowing or Denying access based on defined access lists
937
938 Essentially identical to http_access, but runs after redirectors
939 and ICAP/eCAP adaptation. Allowing access control based on their
940 output.
941
942 If not set then only http_access is used.
943DOC_END
944
41bd17a4 945NAME: http_reply_access
946TYPE: acl_access
947LOC: Config.accessList.reply
948DEFAULT: none
949DOC_START
950 Allow replies to client requests. This is complementary to http_access.
cccac0a2 951
41bd17a4 952 http_reply_access allow|deny [!] aclname ...
cccac0a2 953
41bd17a4 954 NOTE: if there are no access lines present, the default is to allow
955 all replies
1a224843 956
41bd17a4 957 If none of the access lines cause a match the opposite of the
958 last line will apply. Thus it is good practice to end the rules
959 with an "allow all" or "deny all" entry.
b3567eb5
FC		 960
961 This clause supports both fast and slow acl types.
962 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
cccac0a2 963DOC_END
964
41bd17a4 965NAME: icp_access
966TYPE: acl_access
967LOC: Config.accessList.icp
968DEFAULT: none
969DEFAULT_IF_NONE: deny all
5473c134 970DOC_START
41bd17a4 971 Allowing or Denying access to the ICP port based on defined
972 access lists
5473c134 973
41bd17a4 974 icp_access allow|deny [!]aclname ...
5473c134 975
41bd17a4 976 See http_access for details
977
b3567eb5
FC		 978 This clause only supports fast acl types.
979 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
e0855596
AJ		 980
981# Allow ICP queries from local networks only
df2eec10
AJ		 982#icp_access allow localnet
983#icp_access deny all
5473c134 984DOC_END
985
41bd17a4 986NAME: htcp_access
987IFDEF: USE_HTCP
988TYPE: acl_access
989LOC: Config.accessList.htcp
990DEFAULT: none
991DEFAULT_IF_NONE: deny all
5473c134 992DOC_START
41bd17a4 993 Allowing or Denying access to the HTCP port based on defined
994 access lists
5473c134 995
41bd17a4 996 htcp_access allow|deny [!]aclname ...
5473c134 997
41bd17a4 998 See http_access for details
5473c134 999
0b48417e 1000 NOTE: The default if no htcp_access lines are present is to
1001 deny all traffic. This default may cause problems with peers
1002 using the htcp or htcp-oldsquid options.
1003
b3567eb5
FC		 1004 This clause only supports fast acl types.
1005 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
e0855596
AJ		 1006
1007# Allow HTCP queries from local networks only
df2eec10
AJ		 1008#htcp_access allow localnet
1009#htcp_access deny all
41bd17a4 1010DOC_END
5473c134 1011
41bd17a4 1012NAME: htcp_clr_access
1013IFDEF: USE_HTCP
1014TYPE: acl_access
1015LOC: Config.accessList.htcp_clr
1016DEFAULT: none
1017DEFAULT_IF_NONE: deny all
1018DOC_START
1019 Allowing or Denying access to purge content using HTCP based
1020 on defined access lists
5473c134 1021
41bd17a4 1022 htcp_clr_access allow|deny [!]aclname ...
5473c134 1023
41bd17a4 1024 See http_access for details
5473c134 1025
b3567eb5
FC		 1026 This clause only supports fast acl types.
1027 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
e0855596
AJ		 1028
1029# Allow HTCP CLR requests from trusted peers
41bd17a4 1030acl htcp_clr_peer src 172.16.1.2
1031htcp_clr_access allow htcp_clr_peer
5473c134 1032DOC_END
1033
41bd17a4 1034NAME: miss_access
1035TYPE: acl_access
1036LOC: Config.accessList.miss
df2eec10 1037DEFAULT: allow all
5473c134 1038DOC_START
41bd17a4 1039 Use to force your neighbors to use you as a sibling instead of
1040 a parent. For example:
5473c134 1041
41bd17a4 1042 acl localclients src 172.16.0.0/16
1043 miss_access allow localclients
1044 miss_access deny !localclients
5473c134 1045
41bd17a4 1046 This means only your local clients are allowed to fetch
1047 MISSES and all other clients can only fetch HITS.
5473c134 1048
41bd17a4 1049 By default, allow all clients who passed the http_access rules
1050 to fetch MISSES from us.
b3567eb5
FC		 1051
1052 This clause only supports fast acl types.
1053 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
41bd17a4 1054DOC_END
1055
1056NAME: ident_lookup_access
1057TYPE: acl_access
1058IFDEF: USE_IDENT
1059DEFAULT: none
1060DEFAULT_IF_NONE: deny all
4daaf3cb 1061LOC: Ident::TheConfig.identLookup
5473c134 1062DOC_START
41bd17a4 1063 A list of ACL elements which, if matched, cause an ident
1064 (RFC 931) lookup to be performed for this request. For
1065 example, you might choose to always perform ident lookups
1066 for your main multi-user Unix boxes, but not for your Macs
1067 and PCs. By default, ident lookups are not performed for
1068 any requests.
5473c134 1069
41bd17a4 1070 To enable ident lookups for specific client addresses, you
1071 can follow this example:
5473c134 1072
4daaf3cb 1073 acl ident_aware_hosts src 198.168.1.0/24
41bd17a4 1074 ident_lookup_access allow ident_aware_hosts
1075 ident_lookup_access deny all
5473c134 1076
4daaf3cb 1077 Only src type ACL checks are fully supported. A srcdomain
41bd17a4 1078 ACL might work at times, but it will not always provide
1079 the correct result.
b3567eb5
FC		 1080
1081 This clause only supports fast acl types.
1082 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
41bd17a4 1083DOC_END
5473c134 1084
5b0f5383 1085NAME: reply_body_max_size
1086COMMENT: size [acl acl...]
1087TYPE: acl_b_size_t
1088DEFAULT: none
1089LOC: Config.ReplyBodySize
1090DOC_START
1091 This option specifies the maximum size of a reply body. It can be
1092 used to prevent users from downloading very large files, such as
1093 MP3's and movies. When the reply headers are received, the
1094 reply_body_max_size lines are processed, and the first line where
1095 all (if any) listed ACLs are true is used as the maximum body size
1096 for this reply.
1097
1098 This size is checked twice. First when we get the reply headers,
1099 we check the content-length value. If the content length value exists
1100 and is larger than the allowed size, the request is denied and the
1101 user receives an error message that says "the request or reply
1102 is too large." If there is no content-length, and the reply
1103 size exceeds this limit, the client's connection is just closed
1104 and they will receive a partial reply.
1105
1106 WARNING: downstream caches probably can not detect a partial reply
1107 if there is no content-length header, so they will cache
1108 partial responses and give them out as hits. You should NOT
1109 use this option if you have downstream caches.
1110
1111 WARNING: A maximum size smaller than the size of squid's error messages
1112 will cause an infinite loop and crash squid. Ensure that the smallest
1113 non-zero value you use is greater that the maximum header size plus
1114 the size of your largest error page.
1115
1116 If you set this parameter none (the default), there will be
1117 no limit imposed.
3bc32f2f
AJ		 1118
1119 Configuration Format is:
1120 reply_body_max_size SIZE UNITS [acl ...]
1121 ie.
1122 reply_body_max_size 10 MB
1123
5b0f5383 1124DOC_END
1125
1126COMMENT_START
1127 NETWORK OPTIONS
1128 -----------------------------------------------------------------------------
1129COMMENT_END
1130
1131NAME: http_port ascii_port
1132TYPE: http_port_list
1133DEFAULT: none
1134LOC: Config.Sockaddr.http
1135DOC_START
c7b1dd5d
AJ		 1136 Usage: port [mode] [options]
1137 hostname:port [mode] [options]
1138 1.2.3.4:port [mode] [options]
5b0f5383 1139
1140 The socket addresses where Squid will listen for HTTP client
1141 requests. You may specify multiple socket addresses.
1142 There are three forms: port alone, hostname with port, and
1143 IP address with port. If you specify a hostname or IP
1144 address, Squid binds the socket to that specific
c7b1dd5d 1145 address. Most likely, you do not need to bind to a specific
5b0f5383 1146 address, so you can use the port number alone.
1147
1148 If you are running Squid in accelerator mode, you
1149 probably want to listen on port 80 also, or instead.
1150
1151 The -a command line option may be used to specify additional
1152 port(s) where Squid listens for proxy request. Such ports will
1153 be plain proxy ports with no options.
1154
1155 You may specify multiple socket addresses on multiple lines.
1156
c7b1dd5d 1157 Modes:
5b0f5383 1158
e77bdb4e 1159 intercept Support for IP-Layer interception of
5b0f5383 1160 outgoing requests without browser settings.
13b5cd0c 1161 NP: disables authentication and IPv6 on the port.
5b0f5383 1162
1163 tproxy Support Linux TPROXY for spoofing outgoing
1164 connections using the client IP address.
6f05d9c8 1165 NP: disables authentication and maybe IPv6 on the port.
5b0f5383 1166
1167 accel Accelerator mode. Also needs at least one of
1168 vhost / vport / defaultsite.
1169
c7b1dd5d
AJ		 1170 sslbump Intercept each CONNECT request matching ssl_bump ACL,
1171 establish secure connection with the client and with
1172 the server, decrypt HTTP messages as they pass through
1173 Squid, and treat them as unencrypted HTTP messages,
1174 becoming the man-in-the-middle.
1175
1176 The ssl_bump option is required to fully enable
1177 the SslBump feature.
1178
1179 Omitting the mode flag causes default forward proxy mode to be used.
1180
1181
1182 Accelerator Mode Options:
1183
7f7bdd96
AJ		 1184 allow-direct Allow direct forwarding in accelerator mode. Normally
1185 accelerated requests are denied direct forwarding as if
1186 never_direct was used.
1187
5b0f5383 1188 defaultsite=domainname
1189 What to use for the Host: header if it is not present
1190 in a request. Determines what site (not origin server)
1191 accelerators should consider the default.
1192 Implies accel.
1193
c7b1dd5d
AJ		 1194 vhost Using the Host header for virtual domain support.
1195 Also uses the port as specified in Host: header.
5b0f5383 1196
c7b1dd5d
AJ		 1197 vport IP based virtual host support. Using the http_port number
1198 in passed on Host: headers.
5b0f5383 1199
c7b1dd5d
AJ		 1200 vport=NN Uses the specified port number rather than the
1201 http_port number.
5b0f5383 1202
1203 protocol= Protocol to reconstruct accelerated requests with.
c7b1dd5d 1204 Defaults to http://.
5b0f5383 1205
432bc83c
HN		 1206 ignore-cc Ignore request Cache-Control headers.
1207
1208 Warning: This option violates HTTP specifications if
1209 used in non-accelerator setups.
1210
c7b1dd5d
AJ		 1211
1212 SSL Bump Mode Options:
1213
1214 cert= Path to SSL certificate (PEM format).
1215
1216 key= Path to SSL private key file (PEM format)
1217 if not specified, the certificate file is
1218 assumed to be a combined certificate and
1219 key file.
1220
1221 version= The version of SSL/TLS supported
1222 1 automatic (default)
1223 2 SSLv2 only
1224 3 SSLv3 only
1225 4 TLSv1 only
1226
1227 cipher= Colon separated list of supported ciphers.
1228
1229 options= Various SSL engine options. The most important
1230 being:
1231 NO_SSLv2 Disallow the use of SSLv2
1232 NO_SSLv3 Disallow the use of SSLv3
1233 NO_TLSv1 Disallow the use of TLSv1
1234 SINGLE_DH_USE Always create a new key when using
1235 temporary/ephemeral DH key exchanges
1236 See src/ssl_support.c or OpenSSL SSL_CTX_set_options
1237 documentation for a complete list of options.
1238
1239 clientca= File containing the list of CAs to use when
1240 requesting a client certificate.
1241
1242 cafile= File containing additional CA certificates to
1243 use when verifying client certificates. If unset
1244 clientca will be used.
1245
1246 capath= Directory containing additional CA certificates
1247 and CRL lists to use when verifying client certificates.
1248
1249 crlfile= File of additional CRL lists to use when verifying
1250 the client certificate, in addition to CRLs stored in
1251 the capath. Implies VERIFY_CRL flag below.
1252
1253 dhparams= File containing DH parameters for temporary/ephemeral
1254 DH key exchanges.
1255
1256 sslflags= Various flags modifying the use of SSL:
1257 DELAYED_AUTH
1258 Don't request client certificates
1259 immediately, but wait until acl processing
1260 requires a certificate (not yet implemented).
1261 NO_DEFAULT_CA
1262 Don't use the default CA lists built in
1263 to OpenSSL.
1264 NO_SESSION_REUSE
1265 Don't allow for session reuse. Each connection
1266 will result in a new SSL session.
1267 VERIFY_CRL
1268 Verify CRL lists when accepting client
1269 certificates.
1270 VERIFY_CRL_ALL
1271 Verify CRL lists for all certificates in the
1272 client certificate chain.
1273
1274 sslcontext= SSL session ID context identifier.
1275
1276
1277 Other Options:
1278
6b185b50
AJ		 1279 connection-auth[=on|off]
1280 use connection-auth=off to tell Squid to prevent
1281 forwarding Microsoft connection oriented authentication
d67acb4e
AJ		 1282 (NTLM, Negotiate and Kerberos)
1283
5b0f5383 1284 disable-pmtu-discovery=
1285 Control Path-MTU discovery usage:
1286 off lets OS decide on what to do (default).
1287 transparent disable PMTU discovery when transparent
1288 support is enabled.
1289 always disable always PMTU discovery.
1290
1291 In many setups of transparently intercepting proxies
1292 Path-MTU discovery can not work on traffic towards the
1293 clients. This is the case when the intercepting device
1294 does not fully track connections and fails to forward
1295 ICMP must fragment messages to the cache server. If you
1296 have such setup and experience that certain clients
1297 sporadically hang or never complete requests set
1298 disable-pmtu-discovery option to 'transparent'.
1299
81b6e9a7 1300 name= Specifies a internal name for the port. Defaults to
1301 the port specification (port or addr:port)
1302
68924b6d 1303 tcpkeepalive[=idle,interval,timeout]
b2130d58 1304 Enable TCP keepalive probes of idle connections
1305 idle is the initial time before TCP starts probing
1306 the connection, interval how often to probe, and
1307 timeout the time before giving up.
1308
5b0f5383 1309 If you run Squid on a dual-homed machine with an internal
1310 and an external interface we recommend you to specify the
1311 internal address:port in http_port. This way Squid will only be
1312 visible on the internal address.
1313
1314NOCOMMENT_START
e0855596 1315
5b0f5383 1316# Squid normally listens to port 3128
1317http_port @DEFAULT_HTTP_PORT@
1318NOCOMMENT_END
1319DOC_END
1320
1321NAME: https_port
1322IFDEF: USE_SSL
1323TYPE: https_port_list
1324DEFAULT: none
1325LOC: Config.Sockaddr.https
1326DOC_START
1327 Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
1328
1329 The socket address where Squid will listen for HTTPS client
1330 requests.
1331
1332 This is really only useful for situations where you are running
1333 squid in accelerator mode and you want to do the SSL work at the
1334 accelerator level.
1335
1336 You may specify multiple socket addresses on multiple lines,
1337 each with their own SSL certificate and/or options.
1338
1339 Options:
1340
1341 accel Accelerator mode. Also needs at least one of
1342 defaultsite or vhost.
1343
1344 defaultsite= The name of the https site presented on
1345 this port. Implies accel.
1346
1347 vhost Accelerator mode using Host header for virtual
1348 domain support. Requires a wildcard certificate
1349 or other certificate valid for more than one domain.
1350 Implies accel.
1351
1352 protocol= Protocol to reconstruct accelerated requests with.
1353 Defaults to https.
1354
1355 cert= Path to SSL certificate (PEM format).
1356
1357 key= Path to SSL private key file (PEM format)
1358 if not specified, the certificate file is
1359 assumed to be a combined certificate and
1360 key file.
1361
1362 version= The version of SSL/TLS supported
1363 1 automatic (default)
1364 2 SSLv2 only
1365 3 SSLv3 only
1366 4 TLSv1 only
1367
1368 cipher= Colon separated list of supported ciphers.
1369
1370 options= Various SSL engine options. The most important
1371 being:
1372 NO_SSLv2 Disallow the use of SSLv2
1373 NO_SSLv3 Disallow the use of SSLv3
1374 NO_TLSv1 Disallow the use of TLSv1
1375 SINGLE_DH_USE Always create a new key when using
1376 temporary/ephemeral DH key exchanges
1377 See src/ssl_support.c or OpenSSL SSL_CTX_set_options
1378 documentation for a complete list of options.
1379
1380 clientca= File containing the list of CAs to use when
1381 requesting a client certificate.
1382
1383 cafile= File containing additional CA certificates to
1384 use when verifying client certificates. If unset
1385 clientca will be used.
1386
1387 capath= Directory containing additional CA certificates
1388 and CRL lists to use when verifying client certificates.
1389
1390 crlfile= File of additional CRL lists to use when verifying
1391 the client certificate, in addition to CRLs stored in
1392 the capath. Implies VERIFY_CRL flag below.
1393
1394 dhparams= File containing DH parameters for temporary/ephemeral
1395 DH key exchanges.
1396
1397 sslflags= Various flags modifying the use of SSL:
1398 DELAYED_AUTH
1399 Don't request client certificates
1400 immediately, but wait until acl processing
1401 requires a certificate (not yet implemented).
1402 NO_DEFAULT_CA
1403 Don't use the default CA lists built in
1404 to OpenSSL.
1405 NO_SESSION_REUSE
1406 Don't allow for session reuse. Each connection
1407 will result in a new SSL session.
1408 VERIFY_CRL
1409 Verify CRL lists when accepting client
1410 certificates.
1411 VERIFY_CRL_ALL
1412 Verify CRL lists for all certificates in the
1413 client certificate chain.
1414
1415 sslcontext= SSL session ID context identifier.
1416
1417 vport Accelerator with IP based virtual host support.
1418
1419 vport=NN As above, but uses specified port number rather
1420 than the https_port number. Implies accel.
1421
81b6e9a7 1422 name= Specifies a internal name for the port. Defaults to
1423 the port specification (port or addr:port)
1424
5b0f5383 1425DOC_END
1426
41bd17a4 1427NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
1428TYPE: acl_tos
5473c134 1429DEFAULT: none
41bd17a4 1430LOC: Config.accessList.outgoing_tos
5473c134 1431DOC_START
41bd17a4 1432 Allows you to select a TOS/Diffserv value to mark outgoing
1433 connections with, based on the username or source address
1434 making the request.
5473c134 1435
41bd17a4 1436 tcp_outgoing_tos ds-field [!]aclname ...
cccac0a2 1437
41bd17a4 1438 Example where normal_service_net uses the TOS value 0x00
7def7206 1439 and good_service_net uses 0x20
cccac0a2 1440
41bd17a4 1441 acl normal_service_net src 10.0.0.0/255.255.255.0
1442 acl good_service_net src 10.0.1.0/255.255.255.0
2c73de90 1443 tcp_outgoing_tos 0x00 normal_service_net
41bd17a4 1444 tcp_outgoing_tos 0x20 good_service_net
fa38076e 1445
41bd17a4 1446 TOS/DSCP values really only have local significance - so you should
575cb927
AJ		 1447 know what you're specifying. For more information, see RFC2474,
1448 RFC2475, and RFC3260.
cccac0a2 1449
41bd17a4 1450 The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
1451 "default" to use whatever default your host has. Note that in
1452 practice often only values 0 - 63 is usable as the two highest bits
1453 have been redefined for use by ECN (RFC3168).
cccac0a2 1454
41bd17a4 1455 Processing proceeds in the order specified, and stops at first fully
1456 matching line.
cccac0a2 1457
41bd17a4 1458 Note: The use of this directive using client dependent ACLs is
1459 incompatible with the use of server side persistent connections. To
1460 ensure correct results it is best to set server_persisten_connections
1461 to off when using this directive in such configurations.
cccac0a2 1462DOC_END
1463
41bd17a4 1464NAME: clientside_tos
1465TYPE: acl_tos
cccac0a2 1466DEFAULT: none
41bd17a4 1467LOC: Config.accessList.clientside_tos
cccac0a2 1468DOC_START
41bd17a4 1469 Allows you to select a TOS/Diffserv value to mark client-side
1470 connections with, based on the username or source address
1471 making the request.
1472DOC_END
cccac0a2 1473
575cb927
AJ		 1474NAME: qos_flows
1475TYPE: QosConfig
7172612f 1476IFDEF: USE_ZPH_QOS
575cb927 1477DEFAULT: none
b7ac5457 1478LOC: Ip::Qos::TheConfig
7172612f 1479DOC_START
575cb927
AJ		 1480 Allows you to select a TOS/DSCP value to mark outgoing
1481 connections with, based on where the reply was sourced.
7172612f 1482
575cb927
AJ		 1483 TOS values really only have local significance - so you should
1484 know what you're specifying. For more information, see RFC2474,
1485 RFC2475, and RFC3260.
7172612f 1486
575cb927
AJ		 1487 The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF.
1488 Note that in practice often only values up to 0x3F are usable
1489 as the two highest bits have been redefined for use by ECN
1490 (RFC3168).
7172612f 1491
575cb927
AJ		 1492 This setting is configured by setting the source TOS values:
1493
1494 local-hit=0xFF Value to mark local cache hits.
1495
1496 sibling-hit=0xFF Value to mark hits from sibling peers.
1497
1498 parent-hit=0xFF Value to mark hits from parent peers.
1499
1500
2201bec6
AJ		 1501 NOTE: 'miss' preserve feature is only possible on Linux at this time.
1502
575cb927
AJ		 1503 For the following to work correctly, you will need to patch your
1504 linux kernel with the TOS preserving ZPH patch.
1505 The kernel patch can be downloaded from http://zph.bratcheda.org
1506
575cb927
AJ		 1507 disable-preserve-miss
1508 If set, any HTTP response towards clients will
1509 have the TOS value of the response comming from the
1510 remote server masked with the value of miss-mask.
1511
1512 miss-mask=0xFF
1513 Allows you to mask certain bits in the TOS received from the
1514 remote server, before copying the value to the TOS sent
1515 towards clients.
1516 Default: 0xFF (TOS from server is not changed).
7172612f 1517
7172612f
AJ		 1518DOC_END
1519
41bd17a4 1520NAME: tcp_outgoing_address
1521TYPE: acl_address
1522DEFAULT: none
1523LOC: Config.accessList.outgoing_address
1524DOC_START
1525 Allows you to map requests to different outgoing IP addresses
1526 based on the username or source address of the user making
1527 the request.
7f7db318 1528
41bd17a4 1529 tcp_outgoing_address ipaddr [[!]aclname] ...
c33aa074 1530
41bd17a4 1531 Example where requests from 10.0.0.0/24 will be forwarded
1532 with source address 10.1.0.1, 10.0.2.0/24 forwarded with
1533 source address 10.1.0.2 and the rest will be forwarded with
1534 source address 10.1.0.3.
9197cd13 1535
17148b2f 1536 acl normal_service_net src 10.0.0.0/24
1537 acl good_service_net src 10.0.2.0/24
1538 tcp_outgoing_address 10.1.0.1 normal_service_net
1539 tcp_outgoing_address 10.1.0.2 good_service_net
1540 tcp_outgoing_address 10.1.0.3
9197cd13 1541
41bd17a4 1542 Processing proceeds in the order specified, and stops at first fully
1543 matching line.
cccac0a2 1544
41bd17a4 1545 Note: The use of this directive using client dependent ACLs is
1546 incompatible with the use of server side persistent connections. To
1547 ensure correct results it is best to set server_persistent_connections
1548 to off when using this directive in such configurations.
cc192b50 1549
4ed968be
AJ		 1550 Note: The use of this directive to set a local IP on outgoing TCP links
1551 is incompatible with using TPROXY to set client IP out outbound TCP links.
1552 When needing to contact peers use the no-tproxy cache_peer option to
1553 re-enable normal forwarding such as this.
cc192b50 1554
1555 IPv6 Magic:
1556
b3567eb5
FC		 1557 Squid is built with a capability of bridging the IPv4 and IPv6
1558 internets.
cc192b50 1559 tcp_outgoing_address as exampled above breaks this bridging by forcing
1560 all outbound traffic through a certain IPv4 which may be on the wrong
1561 side of the IPv4/IPv6 boundary.
1562
1563 To operate with tcp_outgoing_address and keep the bridging benefits
1564 an additional ACL needs to be used which ensures the IPv6-bound traffic
1565 is never forced or permitted out the IPv4 interface.
1566
1567 acl to_ipv6 dst ipv6
1568 tcp_outgoing_address 2002::c001 good_service_net to_ipv6
17148b2f 1569 tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
cc192b50 1570
1571 tcp_outgoing_address 2002::beef normal_service_net to_ipv6
17148b2f 1572 tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
cc192b50 1573
1574 tcp_outgoing_address 2002::1 to_ipv6
17148b2f 1575 tcp_outgoing_address 10.1.0.3 !to_ipv6
6db78a1a
AJ		 1576
1577 WARNING:
1578 'dst ipv6' bases its selection assuming DIRECT access.
1579 If peers are used the peername ACL are needed to select outgoing
1580 address which can link to the peer.
1581
6b185b50
AJ		 1582 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used
1583 previously in the http_access rules to locate the destination IP.
1584 Some more magic may be needed for that:
1585 http_access allow to_ipv6 !all
1586 (meaning, allow if to IPv6 but not from anywhere ;)
1587
cccac0a2 1588DOC_END
1589
41bd17a4 1590COMMENT_START
1591 SSL OPTIONS
1592 -----------------------------------------------------------------------------
1593COMMENT_END
1594
1595NAME: ssl_unclean_shutdown
1596IFDEF: USE_SSL
cccac0a2 1597TYPE: onoff
1598DEFAULT: off
41bd17a4 1599LOC: Config.SSL.unclean_shutdown
cccac0a2 1600DOC_START
41bd17a4 1601 Some browsers (especially MSIE) bugs out on SSL shutdown
1602 messages.
cccac0a2 1603DOC_END
1604
41bd17a4 1605NAME: ssl_engine
1606IFDEF: USE_SSL
cccac0a2 1607TYPE: string
41bd17a4 1608LOC: Config.SSL.ssl_engine
1609DEFAULT: none
cccac0a2 1610DOC_START
41bd17a4 1611 The OpenSSL engine to use. You will need to set this if you
1612 would like to use hardware SSL acceleration for example.
cccac0a2 1613DOC_END
1614
41bd17a4 1615NAME: sslproxy_client_certificate
1616IFDEF: USE_SSL
cccac0a2 1617DEFAULT: none
41bd17a4 1618LOC: Config.ssl_client.cert
1619TYPE: string
cccac0a2 1620DOC_START
41bd17a4 1621 Client SSL Certificate to use when proxying https:// URLs
cccac0a2 1622DOC_END
1623
41bd17a4 1624NAME: sslproxy_client_key
1625IFDEF: USE_SSL
cccac0a2 1626DEFAULT: none
41bd17a4 1627LOC: Config.ssl_client.key
1628TYPE: string
cccac0a2 1629DOC_START
41bd17a4 1630 Client SSL Key to use when proxying https:// URLs
cccac0a2 1631DOC_END
1632
41bd17a4 1633NAME: sslproxy_version
1634IFDEF: USE_SSL
1635DEFAULT: 1
1636LOC: Config.ssl_client.version
1637TYPE: int
cccac0a2 1638DOC_START
41bd17a4 1639 SSL version level to use when proxying https:// URLs
cccac0a2 1640DOC_END
1641
41bd17a4 1642NAME: sslproxy_options
1643IFDEF: USE_SSL
1644DEFAULT: none
1645LOC: Config.ssl_client.options
1646TYPE: string
cccac0a2 1647DOC_START
41bd17a4 1648 SSL engine options to use when proxying https:// URLs
ab202e4c
AJ		 1649
1650 The most important being:
1651
1652 NO_SSLv2 Disallow the use of SSLv2
1653 NO_SSLv3 Disallow the use of SSLv3
1654 NO_TLSv1 Disallow the use of TLSv1
1655 SINGLE_DH_USE
1656 Always create a new key when using
1657 temporary/ephemeral DH key exchanges
1658
1659 These options vary depending on your SSL engine.
1660 See the OpenSSL SSL_CTX_set_options documentation for a
1661 complete list of possible options.
cccac0a2 1662DOC_END
1663
41bd17a4 1664NAME: sslproxy_cipher
1665IFDEF: USE_SSL
1666DEFAULT: none
1667LOC: Config.ssl_client.cipher
1668TYPE: string
cccac0a2 1669DOC_START
41bd17a4 1670 SSL cipher list to use when proxying https:// URLs
ab202e4c
AJ		 1671
1672 Colon separated list of supported ciphers.
cccac0a2 1673DOC_END
1674
41bd17a4 1675NAME: sslproxy_cafile
1676IFDEF: USE_SSL
1677DEFAULT: none
1678LOC: Config.ssl_client.cafile
1679TYPE: string
cccac0a2 1680DOC_START
41bd17a4 1681 file containing CA certificates to use when verifying server
1682 certificates while proxying https:// URLs
cccac0a2 1683DOC_END
0976f8db 1684
41bd17a4 1685NAME: sslproxy_capath
1686IFDEF: USE_SSL
5473c134 1687DEFAULT: none
41bd17a4 1688LOC: Config.ssl_client.capath
1689TYPE: string
5473c134 1690DOC_START
41bd17a4 1691 directory containing CA certificates to use when verifying
1692 server certificates while proxying https:// URLs
5473c134 1693DOC_END
1694
4c9da963 1695NAME: ssl_bump
1696IFDEF: USE_SSL
1697TYPE: acl_access
1698LOC: Config.accessList.ssl_bump
1699DEFAULT: none
1700DOC_START
1701 This ACL controls which CONNECT requests to an http_port
1702 marked with an sslBump flag are actually "bumped". Please
1703 see the sslBump flag of an http_port option for more details
1704 about decoding proxied SSL connections.
1705
1706 By default, no requests are bumped.
1707
1708 See also: http_port sslBump
1709
b3567eb5
FC		 1710 This clause only supports fast acl types.
1711 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
e0855596
AJ		 1712
1713
1714 # Example: Bump all requests except those originating from localhost and
1715 # those going to webax.com or example.com sites.
1716
1717 acl localhost src 127.0.0.1/32
1718 acl broken_sites dstdomain .webax.com
1719 acl broken_sites dstdomain .example.com
1720 ssl_bump deny localhost
1721 ssl_bump deny broken_sites
1722 ssl_bump allow all
4c9da963 1723DOC_END
1724
41bd17a4 1725NAME: sslproxy_flags
1726IFDEF: USE_SSL
1727DEFAULT: none
1728LOC: Config.ssl_client.flags
1729TYPE: string
5473c134 1730DOC_START
41bd17a4 1731 Various flags modifying the use of SSL while proxying https:// URLs:
4c9da963 1732 DONT_VERIFY_PEER Accept certificates that fail verification.
1733 For refined control, see sslproxy_cert_error.
41bd17a4 1734 NO_DEFAULT_CA Don't use the default CA list built in
1735 to OpenSSL.
5473c134 1736DOC_END
1737
4c9da963 1738
1739NAME: sslproxy_cert_error
1740IFDEF: USE_SSL
1741DEFAULT: none
1742LOC: Config.ssl_client.cert_error
1743TYPE: acl_access
1744DOC_START
1745 Use this ACL to bypass server certificate validation errors.
1746
1747 For example, the following lines will bypass all validation errors
1748 when talking to servers located at 172.16.0.0/16. All other
1749 validation errors will result in ERR_SECURE_CONNECT_FAIL error.
1750
1751 acl BrokenServersAtTrustedIP dst 172.16.0.0/16
1752 sslproxy_cert_error allow BrokenServersAtTrustedIP
1753 sslproxy_cert_error deny all
1754
b3567eb5
FC		 1755 This clause only supports fast acl types.
1756 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1757 Using slow acl types may result in server crashes
4c9da963 1758
1759 Without this option, all server certificate validation errors
1760 terminate the transaction. Bypassing validation errors is dangerous
1761 because an error usually implies that the server cannot be trusted and
1762 the connection may be insecure.
1763
1764 See also: sslproxy_flags and DONT_VERIFY_PEER.
1765
e0855596 1766 Default setting: sslproxy_cert_error deny all
4c9da963 1767DOC_END
1768
1769
1770
41bd17a4 1771NAME: sslpassword_program
1772IFDEF: USE_SSL
1773DEFAULT: none
1774LOC: Config.Program.ssl_password
1775TYPE: string
5473c134 1776DOC_START
41bd17a4 1777 Specify a program used for entering SSL key passphrases
1778 when using encrypted SSL certificate keys. If not specified
1779 keys must either be unencrypted, or Squid started with the -N
1780 option to allow it to query interactively for the passphrase.
5473c134 1781DOC_END
1782
cccac0a2 1783COMMENT_START
41bd17a4 1784 OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
cccac0a2 1785 -----------------------------------------------------------------------------
1786COMMENT_END
1787
41bd17a4 1788NAME: cache_peer
1789TYPE: peer
1790DEFAULT: none
1791LOC: Config.peers
cccac0a2 1792DOC_START
41bd17a4 1793 To specify other caches in a hierarchy, use the format:
2b94f655 1794
41bd17a4 1795 cache_peer hostname type http-port icp-port [options]
2b94f655 1796
41bd17a4 1797 For example,
2b94f655 1798
41bd17a4 1799 # proxy icp
1800 # hostname type port port options
1801 # -------------------- -------- ----- ----- -----------
2b94f655 1802 cache_peer parent.foo.net parent 3128 3130 default
41bd17a4 1803 cache_peer sib1.foo.net sibling 3128 3130 proxy-only
1804 cache_peer sib2.foo.net sibling 3128 3130 proxy-only
2b94f655
AJ		 1805 cache_peer example.com parent 80 0 no-query default
1806 cache_peer cdn.example.com sibling 3128 0
1807
1808 type: either 'parent', 'sibling', or 'multicast'.
1809
1810 proxy-port: The port number where the peer accept HTTP requests.
1811 For other Squid proxies this is usually 3128
1812 For web servers this is usually 80
1813
1814 icp-port: Used for querying neighbor caches about objects.
1815 Set to 0 if the peer does not support ICP or HTCP.
1816 See ICP and HTCP options below for additional details.
1817
1818
1819 ==== ICP OPTIONS ====
1820
1821 You MUST also set icp_port and icp_access explicitly when using these options.
1822 The defaults will prevent peer traffic using ICP.
1823
1824
1825 no-query Disable ICP queries to this neighbor.
1826
1827 multicast-responder
1828 Indicates the named peer is a member of a multicast group.
1829 ICP queries will not be sent directly to the peer, but ICP
1830 replies will be accepted from it.
1831
1832 closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
1833 CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
1834
1835 background-ping
1836 To only send ICP queries to this neighbor infrequently.
1837 This is used to keep the neighbor round trip time updated
1838 and is usually used in conjunction with weighted-round-robin.
1839
1840
1841 ==== HTCP OPTIONS ====
1842
1843 You MUST also set htcp_port and htcp_access explicitly when using these options.
1844 The defaults will prevent peer traffic using HTCP.
1845
1846
1847 htcp Send HTCP, instead of ICP, queries to the neighbor.
1848 You probably also want to set the "icp-port" to 4827
1849 instead of 3130.
1850
1851 htcp-oldsquid Send HTCP to old Squid versions.
1852
1853 htcp-no-clr Send HTCP to the neighbor but without
1854 sending any CLR requests. This cannot be used with
1855 htcp-only-clr.
1856
1857 htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests.
1858 This cannot be used with htcp-no-clr.
1859
1860 htcp-no-purge-clr
1861 Send HTCP to the neighbor including CLRs but only when
1862 they do not result from PURGE requests.
1863
1864 htcp-forward-clr
1865 Forward any HTCP CLR requests this proxy receives to the peer.
1866
1867
1868 ==== PEER SELECTION METHODS ====
1869
1870 The default peer selection method is ICP, with the first responding peer
1871 being used as source. These options can be used for better load balancing.
1872
1873
1874 default This is a parent cache which can be used as a "last-resort"
1875 if a peer cannot be located by any of the peer-selection methods.
1876 If specified more than once, only the first is used.
1877
1878 round-robin Load-Balance parents which should be used in a round-robin
1879 fashion in the absence of any ICP queries.
1880 weight=N can be used to add bias.
1881
1882 weighted-round-robin
1883 Load-Balance parents which should be used in a round-robin
1884 fashion with the frequency of each parent being based on the
1885 round trip time. Closer parents are used more often.
1886 Usually used for background-ping parents.
1887 weight=N can be used to add bias.
1888
1889 carp Load-Balance parents which should be used as a CARP array.
1890 The requests will be distributed among the parents based on the
1891 CARP load balancing hash function based on their weight.
1892
1893 userhash Load-balance parents based on the client proxy_auth or ident username.
1894
1895 sourcehash Load-balance parents based on the client source IP.
8a368316
AJ		 1896
1897 multicast-siblings
1898 To be used only for cache peers of type "multicast".
1899 ALL members of this multicast group have "sibling"
1900 relationship with it, not "parent". This is to a mulicast
1901 group when the requested object would be fetched only from
1902 a "parent" cache, anyway. It's useful, e.g., when
1903 configuring a pool of redundant Squid proxies, being
1904 members of the same multicast group.
2b94f655
AJ		 1905
1906
1907 ==== PEER SELECTION OPTIONS ====
1908
1909 weight=N use to affect the selection of a peer during any weighted
1910 peer-selection mechanisms.
1911 The weight must be an integer; default is 1,
1912 larger weights are favored more.
1913 This option does not affect parent selection if a peering
1914 protocol is not in use.
1915
1916 basetime=N Specify a base amount to be subtracted from round trip
1917 times of parents.
1918 It is subtracted before division by weight in calculating
1919 which parent to fectch from. If the rtt is less than the
1920 base time the rtt is set to a minimal value.
1921
1922 ttl=N Specify a IP multicast TTL to use when sending an ICP
1923 queries to this address.
1924 Only useful when sending to a multicast group.
1925 Because we don't accept ICP replies from random
1926 hosts, you must configure other group members as
1927 peers with the 'multicast-responder' option.
1928
1929 no-delay To prevent access to this neighbor from influencing the
1930 delay pools.
1931
1932 digest-url=URL Tell Squid to fetch the cache digest (if digests are
1933 enabled) for this host from the specified URL rather
1934 than the Squid default location.
1935
1936
1937 ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
1938
1939 originserver Causes this parent to be contacted as an origin server.
1940 Meant to be used in accelerator setups when the peer
1941 is a web server.
1942
1943 forceddomain=name
1944 Set the Host header of requests forwarded to this peer.
1945 Useful in accelerator setups where the server (peer)
1946 expects a certain domain name but clients may request
1947 others. ie example.com or www.example.com
1948
1949 no-digest Disable request of cache digests.
1950
1951 no-netdb-exchange
1952 Disables requesting ICMP RTT database (NetDB).
1953
1954
1955 ==== AUTHENTICATION OPTIONS ====
1956
1957 login=user:password
1958 If this is a personal/workgroup proxy and your parent
1959 requires proxy authentication.
1960
1961 Note: The string can include URL escapes (i.e. %20 for
1962 spaces). This also means % must be written as %%.
1963
11e4c5e5
AJ		 1964 login=PASSTHRU
1965 Send login details received from client to this peer.
1966 Both Proxy- and WWW-Authorization headers are passed
1967 without alteration to the peer.
1968 Authentication is not required by Squid for this to work.
1969
1970 Note: This will pass any form of authentication but
1971 only Basic auth will work through a proxy unless the
1972 connection-auth options are also used.
ee0b94f4 1973
2b94f655
AJ		 1974 login=PASS Send login details received from client to this peer.
1975 Authentication is not required by this option.
11e4c5e5 1976
2b94f655
AJ		 1977 If there are no client-provided authentication headers
1978 to pass on, but username and password are available
ee0b94f4
HN		 1979 from an external ACL user= and password= result tags
1980 they may be sent instead.
2b94f655
AJ		 1981
1982 Note: To combine this with proxy_auth both proxies must
1983 share the same user database as HTTP only allows for
1984 a single login (one for proxy, one for origin server).
1985 Also be warned this will expose your users proxy
1986 password to the peer. USE WITH CAUTION
1987
1988 login=*:password
1989 Send the username to the upstream cache, but with a
1990 fixed password. This is meant to be used when the peer
1991 is in another administrative domain, but it is still
1992 needed to identify each user.
1993 The star can optionally be followed by some extra
1994 information which is added to the username. This can
1995 be used to identify this proxy to the peer, similar to
1996 the login=username:password option above.
1997
9ca29d23
AJ		 1998 login=NEGOTIATE
1999 If this is a personal/workgroup proxy and your parent
2000 requires a secure proxy authentication.
2001 The first principal from the default keytab or defined by
2002 the environment variable KRB5_KTNAME will be used.
2003
2004 login=NEGOTIATE:principal_name
2005 If this is a personal/workgroup proxy and your parent
2006 requires a secure proxy authentication.
2007 The principal principal_name from the default keytab or
2008 defined by the environment variable KRB5_KTNAME will be
2009 used.
2010
2b94f655
AJ		 2011 connection-auth=on|off
2012 Tell Squid that this peer does or not support Microsoft
2013 connection oriented authentication, and any such
2014 challenges received from there should be ignored.
2015 Default is auto to automatically determine the status
2016 of the peer.
2017
2018
2019 ==== SSL / HTTPS / TLS OPTIONS ====
2020
2021 ssl Encrypt connections to this peer with SSL/TLS.
2022
2023 sslcert=/path/to/ssl/certificate
2024 A client SSL certificate to use when connecting to
2025 this peer.
2026
2027 sslkey=/path/to/ssl/key
2028 The private SSL key corresponding to sslcert above.
2029 If 'sslkey' is not specified 'sslcert' is assumed to
2030 reference a combined file containing both the
2031 certificate and the key.
2032
2033 sslversion=1|2|3|4
2034 The SSL version to use when connecting to this peer
2035 1 = automatic (default)
2036 2 = SSL v2 only
2037 3 = SSL v3 only
2038 4 = TLS v1 only
2039
2040 sslcipher=... The list of valid SSL ciphers to use when connecting
2041 to this peer.
2042
2043 ssloptions=... Specify various SSL engine options:
2044 NO_SSLv2 Disallow the use of SSLv2
2045 NO_SSLv3 Disallow the use of SSLv3
2046 NO_TLSv1 Disallow the use of TLSv1
2047 See src/ssl_support.c or the OpenSSL documentation for
2048 a more complete list.
2049
2050 sslcafile=... A file containing additional CA certificates to use
2051 when verifying the peer certificate.
2052
2053 sslcapath=... A directory containing additional CA certificates to
2054 use when verifying the peer certificate.
2055
2056 sslcrlfile=... A certificate revocation list file to use when
2057 verifying the peer certificate.
2058
2059 sslflags=... Specify various flags modifying the SSL implementation:
2060
41bd17a4 2061 DONT_VERIFY_PEER
2062 Accept certificates even if they fail to
2063 verify.
2064 NO_DEFAULT_CA
2065 Don't use the default CA list built in
2066 to OpenSSL.
2067 DONT_VERIFY_DOMAIN
2068 Don't verify the peer certificate
2069 matches the server name
2b94f655
AJ		 2070
2071 ssldomain= The peer name as advertised in it's certificate.
2072 Used for verifying the correctness of the received peer
2073 certificate. If not specified the peer hostname will be
2074 used.
2075
2076 front-end-https
2077 Enable the "Front-End-Https: On" header needed when
2078 using Squid as a SSL frontend in front of Microsoft OWA.
2079 See MS KB document Q307347 for details on this header.
2080 If set to auto the header will only be added if the
2081 request is forwarded as a https:// URL.
2082
2083
2084 ==== GENERAL OPTIONS ====
2085
2086 connect-timeout=N
2087 A peer-specific connect timeout.
2088 Also see the peer_connect_timeout directive.
2089
2090 connect-fail-limit=N
2091 How many times connecting to a peer must fail before
2092 it is marked as down. Default is 10.
2093
2094 allow-miss Disable Squid's use of only-if-cached when forwarding
2095 requests to siblings. This is primarily useful when
2096 icp_hit_stale is used by the sibling. To extensive use
2097 of this option may result in forwarding loops, and you
2098 should avoid having two-way peerings with this option.
2099 For example to deny peer usage on requests from peer
2100 by denying cache_peer_access if the source is a peer.
2101
2102 max-conn=N Limit the amount of connections Squid may open to this
2103 peer. see also
2104
2105 name=xxx Unique name for the peer.
2106 Required if you have multiple peers on the same host
2107 but different ports.
2108 This name can be used in cache_peer_access and similar
2109 directives to dentify the peer.
2110 Can be used by outgoing access controls through the
2111 peername ACL type.
2112
b0758e04
AJ		 2113 no-tproxy Do not use the client-spoof TPROXY support when forwarding
2114 requests to this peer. Use normal address selection instead.
2115
2b94f655
AJ		 2116 proxy-only objects fetched from the peer will not be stored locally.
2117
41bd17a4 2118DOC_END
cccac0a2 2119
41bd17a4 2120NAME: cache_peer_domain cache_host_domain
2121TYPE: hostdomain
2122DEFAULT: none
2123LOC: none
2124DOC_START
2125 Use to limit the domains for which a neighbor cache will be
2126 queried. Usage:
cccac0a2 2127
41bd17a4 2128 cache_peer_domain cache-host domain [domain ...]
2129 cache_peer_domain cache-host !domain
cccac0a2 2130
41bd17a4 2131 For example, specifying
cccac0a2 2132
41bd17a4 2133 cache_peer_domain parent.foo.net .edu
cccac0a2 2134
41bd17a4 2135 has the effect such that UDP query packets are sent to
2136 'bigserver' only when the requested object exists on a
2137 server in the .edu domain. Prefixing the domainname
2138 with '!' means the cache will be queried for objects
2139 NOT in that domain.
cccac0a2 2140
41bd17a4 2141 NOTE: * Any number of domains may be given for a cache-host,
2142 either on the same or separate lines.
2143 * When multiple domains are given for a particular
2144 cache-host, the first matched domain is applied.
2145 * Cache hosts with no domain restrictions are queried
2146 for all requests.
2147 * There are no defaults.
2148 * There is also a 'cache_peer_access' tag in the ACL
2149 section.
2150DOC_END
dd9b1776 2151
41bd17a4 2152NAME: cache_peer_access
2153TYPE: peer_access
2154DEFAULT: none
2155LOC: none
2156DOC_START
2157 Similar to 'cache_peer_domain' but provides more flexibility by
2158 using ACL elements.
cccac0a2 2159
41bd17a4 2160 cache_peer_access cache-host allow|deny [!]aclname ...
dd9b1776 2161
41bd17a4 2162 The syntax is identical to 'http_access' and the other lists of
2163 ACL elements. See the comments for 'http_access' below, or
e314b7b9 2164 the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
41bd17a4 2165DOC_END
dd9b1776 2166
41bd17a4 2167NAME: neighbor_type_domain
2168TYPE: hostdomaintype
2169DEFAULT: none
2170LOC: none
2171DOC_START
2172 usage: neighbor_type_domain neighbor parent|sibling domain domain ...
cccac0a2 2173
41bd17a4 2174 Modifying the neighbor type for specific domains is now
11e3fa1c 2175 possible. You can treat some domains differently than the
41bd17a4 2176 default neighbor type specified on the 'cache_peer' line.
2177 Normally it should only be necessary to list domains which
2178 should be treated differently because the default neighbor type
2179 applies for hostnames which do not match domains listed here.
6bf4f823 2180
41bd17a4 2181EXAMPLE:
dbe3992d 2182 cache_peer cache.foo.org parent 3128 3130
41bd17a4 2183 neighbor_type_domain cache.foo.org sibling .com .net
2184 neighbor_type_domain cache.foo.org sibling .au .de
2185DOC_END
6bf4f823 2186
41bd17a4 2187NAME: dead_peer_timeout
2188COMMENT: (seconds)
2189DEFAULT: 10 seconds
2190TYPE: time_t
2191LOC: Config.Timeout.deadPeer
2192DOC_START
2193 This controls how long Squid waits to declare a peer cache
2194 as "dead." If there are no ICP replies received in this
2195 amount of time, Squid will declare the peer dead and not
2196 expect to receive any further ICP replies. However, it
2197 continues to send ICP queries, and will mark the peer as
2198 alive upon receipt of the first subsequent ICP reply.
699acd19 2199
41bd17a4 2200 This timeout also affects when Squid expects to receive ICP
2201 replies from peers. If more than 'dead_peer' seconds have
2202 passed since the last ICP reply was received, Squid will not
2203 expect to receive an ICP reply on the next query. Thus, if
2204 your time between requests is greater than this timeout, you
2205 will see a lot of requests sent DIRECT to origin servers
2206 instead of to your parents.
2207DOC_END
cccac0a2 2208
437823b4
AJ		 2209NAME: forward_max_tries
2210DEFAULT: 10
2211TYPE: int
2212LOC: Config.forward_max_tries
2213DOC_START
2214 Controls how many different forward paths Squid will try
2215 before giving up. See also forward_timeout.
2216DOC_END
2217
41bd17a4 2218NAME: hierarchy_stoplist
2219TYPE: wordlist
2220DEFAULT: none
2221LOC: Config.hierarchy_stoplist
2222DOC_START
2223 A list of words which, if found in a URL, cause the object to
2224 be handled directly by this cache. In other words, use this
2225 to not query neighbor caches for certain objects. You may
2226 list this option multiple times.
2227 Note: never_direct overrides this option.
cccac0a2 2228NOCOMMENT_START
e0855596
AJ		 2229
2230# We recommend you to use at least the following line.
41bd17a4 2231hierarchy_stoplist cgi-bin ?
6b698a21 2232NOCOMMENT_END
2233DOC_END
0976f8db 2234
41bd17a4 2235COMMENT_START
2236 MEMORY CACHE OPTIONS
2237 -----------------------------------------------------------------------------
2238COMMENT_END
2239
2240NAME: cache_mem
2241COMMENT: (bytes)
2242TYPE: b_size_t
df2eec10 2243DEFAULT: 256 MB
41bd17a4 2244LOC: Config.memMaxSize
6b698a21 2245DOC_START
41bd17a4 2246 NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
2247 IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
2248 USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
2249 THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
2250
2251 'cache_mem' specifies the ideal amount of memory to be used
2252 for:
2253 * In-Transit objects
2254 * Hot Objects
2255 * Negative-Cached objects
2256
2257 Data for these objects are stored in 4 KB blocks. This
2258 parameter specifies the ideal upper limit on the total size of
2259 4 KB blocks allocated. In-Transit objects take the highest
2260 priority.
2261
2262 In-transit objects have priority over the others. When
2263 additional space is needed for incoming data, negative-cached
2264 and hot objects will be released. In other words, the
2265 negative-cached and hot objects will fill up any unused space
2266 not needed for in-transit objects.
2267
2268 If circumstances require, this limit will be exceeded.
2269 Specifically, if your incoming request rate requires more than
2270 'cache_mem' of memory to hold in-transit objects, Squid will
2271 exceed this limit to satisfy the new requests. When the load
2272 decreases, blocks will be freed until the high-water mark is
2273 reached. Thereafter, blocks will be used to store hot
2274 objects.
6b698a21 2275DOC_END
0976f8db 2276
41bd17a4 2277NAME: maximum_object_size_in_memory
2278COMMENT: (bytes)
2279TYPE: b_size_t
df2eec10 2280DEFAULT: 512 KB
41bd17a4 2281LOC: Config.Store.maxInMemObjSize
6b698a21 2282DOC_START
41bd17a4 2283 Objects greater than this size will not be attempted to kept in
2284 the memory cache. This should be set high enough to keep objects
2285 accessed frequently in memory to improve performance whilst low
2286 enough to keep larger objects from hoarding cache_mem.
6b698a21 2287DOC_END
0976f8db 2288
ea21d497
HN		 2289NAME: memory_cache_mode
2290TYPE: memcachemode
2291LOC: Config
2292DEFAULT: always
ff4b33f4 2293DOC_START
ea21d497 2294 Controls which objects to keep in the memory cache (cache_mem)
ff4b33f4 2295
ea21d497
HN		 2296 always Keep most recently fetched objects in memory (default)
2297
2298 disk Only disk cache hits are kept in memory, which means
2299 an object must first be cached on disk and then hit
2300 a second time before cached in memory.
2301
2302 network Only objects fetched from network is kept in memory
ff4b33f4
HN		 2303DOC_END
2304
41bd17a4 2305NAME: memory_replacement_policy
2306TYPE: removalpolicy
2307LOC: Config.memPolicy
2308DEFAULT: lru
6b698a21 2309DOC_START
41bd17a4 2310 The memory replacement policy parameter determines which
2311 objects are purged from memory when memory space is needed.
7f7db318 2312
41bd17a4 2313 See cache_replacement_policy for details.
2314DOC_END
6b698a21 2315
41bd17a4 2316COMMENT_START
2317 DISK CACHE OPTIONS
2318 -----------------------------------------------------------------------------
2319COMMENT_END
6b698a21 2320
41bd17a4 2321NAME: cache_replacement_policy
2322TYPE: removalpolicy
2323LOC: Config.replPolicy
2324DEFAULT: lru
2325DOC_START
2326 The cache replacement policy parameter determines which
2327 objects are evicted (replaced) when disk space is needed.
6b698a21 2328
41bd17a4 2329 lru : Squid's original list based LRU policy
2330 heap GDSF : Greedy-Dual Size Frequency
2331 heap LFUDA: Least Frequently Used with Dynamic Aging
2332 heap LRU : LRU policy implemented using a heap
6b698a21 2333
41bd17a4 2334 Applies to any cache_dir lines listed below this.
7f7db318 2335
41bd17a4 2336 The LRU policies keeps recently referenced objects.
0976f8db 2337
41bd17a4 2338 The heap GDSF policy optimizes object hit rate by keeping smaller
2339 popular objects in cache so it has a better chance of getting a
2340 hit. It achieves a lower byte hit rate than LFUDA though since
2341 it evicts larger (possibly popular) objects.
0976f8db 2342
41bd17a4 2343 The heap LFUDA policy keeps popular objects in cache regardless of
2344 their size and thus optimizes byte hit rate at the expense of
2345 hit rate since one large, popular object will prevent many
2346 smaller, slightly less popular objects from being cached.
0976f8db 2347
41bd17a4 2348 Both policies utilize a dynamic aging mechanism that prevents
2349 cache pollution that can otherwise occur with frequency-based
2350 replacement policies.
7d90757b 2351
41bd17a4 2352 NOTE: if using the LFUDA replacement policy you should increase
2353 the value of maximum_object_size above its default of 4096 KB to
2354 to maximize the potential byte hit rate improvement of LFUDA.
dc1af3cf 2355
41bd17a4 2356 For more information about the GDSF and LFUDA cache replacement
2357 policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
2358 and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
6b698a21 2359DOC_END
0976f8db 2360
41bd17a4 2361NAME: cache_dir
2362TYPE: cachedir
2363DEFAULT: none
41bd17a4 2364LOC: Config.cacheSwap
6b698a21 2365DOC_START
41bd17a4 2366 Usage:
0976f8db 2367
41bd17a4 2368 cache_dir Type Directory-Name Fs-specific-data [options]
0976f8db 2369
41bd17a4 2370 You can specify multiple cache_dir lines to spread the
2371 cache among different disk partitions.
0976f8db 2372
41bd17a4 2373 Type specifies the kind of storage system to use. Only "ufs"
2374 is built by default. To enable any of the other storage systems
2375 see the --enable-storeio configure option.
0976f8db 2376
41bd17a4 2377 'Directory' is a top-level directory where cache swap
2378 files will be stored. If you want to use an entire disk
2379 for caching, this can be the mount-point directory.
2380 The directory must exist and be writable by the Squid
2381 process. Squid will NOT create this directory for you.
0976f8db 2382
41bd17a4 2383 The ufs store type:
0976f8db 2384
41bd17a4 2385 "ufs" is the old well-known Squid storage format that has always
2386 been there.
0976f8db 2387
41bd17a4 2388 cache_dir ufs Directory-Name Mbytes L1 L2 [options]
0976f8db 2389
41bd17a4 2390 'Mbytes' is the amount of disk space (MB) to use under this
2391 directory. The default is 100 MB. Change this to suit your
2392 configuration. Do NOT put the size of your disk drive here.
2393 Instead, if you want Squid to use the entire disk drive,
2394 subtract 20% and use that value.
0976f8db 2395
41bd17a4 2396 'Level-1' is the number of first-level subdirectories which
2397 will be created under the 'Directory'. The default is 16.
0976f8db 2398
41bd17a4 2399 'Level-2' is the number of second-level subdirectories which
2400 will be created under each first-level directory. The default
2401 is 256.
0976f8db 2402
41bd17a4 2403 The aufs store type:
7f7db318 2404
41bd17a4 2405 "aufs" uses the same storage format as "ufs", utilizing
2406 POSIX-threads to avoid blocking the main Squid process on
2407 disk-I/O. This was formerly known in Squid as async-io.
38f9c547 2408
41bd17a4 2409 cache_dir aufs Directory-Name Mbytes L1 L2 [options]
38f9c547 2410
41bd17a4 2411 see argument descriptions under ufs above
38f9c547 2412
41bd17a4 2413 The diskd store type:
38f9c547 2414
41bd17a4 2415 "diskd" uses the same storage format as "ufs", utilizing a
2416 separate process to avoid blocking the main Squid process on
2417 disk-I/O.
4c3ef9b2 2418
41bd17a4 2419 cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
0976f8db 2420
41bd17a4 2421 see argument descriptions under ufs above
0976f8db 2422
41bd17a4 2423 Q1 specifies the number of unacknowledged I/O requests when Squid
2424 stops opening new files. If this many messages are in the queues,
2425 Squid won't open new files. Default is 64
0976f8db 2426
41bd17a4 2427 Q2 specifies the number of unacknowledged messages when Squid
2428 starts blocking. If this many messages are in the queues,
2429 Squid blocks until it receives some replies. Default is 72
0976f8db 2430
41bd17a4 2431 When Q1 < Q2 (the default), the cache directory is optimized
2432 for lower response time at the expense of a decrease in hit
2433 ratio. If Q1 > Q2, the cache directory is optimized for
2434 higher hit ratio at the expense of an increase in response
2435 time.
0976f8db 2436
41bd17a4 2437 The coss store type:
0976f8db 2438
db263d62
AJ		 2439 NP: COSS filesystem in Squid-3 has been deemed too unstable for
2440 production use and has thus been removed from this release.
2441 We hope that it can be made usable again soon.
2442
41bd17a4 2443 block-size=n defines the "block size" for COSS cache_dir's.
2444 Squid uses file numbers as block numbers. Since file numbers
2445 are limited to 24 bits, the block size determines the maximum
2446 size of the COSS partition. The default is 512 bytes, which
2447 leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
2448 you should not change the coss block size after Squid
2449 has written some objects to the cache_dir.
0976f8db 2450
41bd17a4 2451 The coss file store has changed from 2.5. Now it uses a file
2452 called 'stripe' in the directory names in the config - and
2453 this will be created by squid -z.
0976f8db 2454
41bd17a4 2455 Common options:
0976f8db 2456
41bd17a4 2457 no-store, no new objects should be stored to this cache_dir
0976f8db 2458
41bd17a4 2459 max-size=n, refers to the max object size this storedir supports.
2460 It is used to initially choose the storedir to dump the object.
2461 Note: To make optimal use of the max-size limits you should order
2462 the cache_dir lines with the smallest max-size value first and the
2463 ones with no max-size specification last.
0976f8db 2464
41bd17a4 2465 Note for coss, max-size must be less than COSS_MEMBUF_SZ,
2466 which can be changed with the --with-coss-membuf-size=N configure
2467 option.
bebc043b 2468NOCOMMENT_START
e0855596
AJ		 2469
2470# Uncomment and adjust the following to add a disk cache directory.
2471#cache_dir ufs @DEFAULT_SWAP_DIR@ 100 16 256
bebc043b 2472NOCOMMENT_END
6b698a21 2473DOC_END
0976f8db 2474
41bd17a4 2475NAME: store_dir_select_algorithm
2476TYPE: string
2477LOC: Config.store_dir_select_algorithm
2478DEFAULT: least-load
6b698a21 2479DOC_START
41bd17a4 2480 Set this to 'round-robin' as an alternative.
6b698a21 2481DOC_END
0976f8db 2482
41bd17a4 2483NAME: max_open_disk_fds
2484TYPE: int
2485LOC: Config.max_open_disk_fds
2486DEFAULT: 0
6b698a21 2487DOC_START
41bd17a4 2488 To avoid having disk as the I/O bottleneck Squid can optionally
2489 bypass the on-disk cache if more than this amount of disk file
2490 descriptors are open.
2491
2492 A value of 0 indicates no limit.
6b698a21 2493DOC_END
0976f8db 2494
41bd17a4 2495NAME: minimum_object_size
6b698a21 2496COMMENT: (bytes)
47f6e231 2497TYPE: b_int64_t
6b698a21 2498DEFAULT: 0 KB
41bd17a4 2499LOC: Config.Store.minObjectSize
6b698a21 2500DOC_START
41bd17a4 2501 Objects smaller than this size will NOT be saved on disk. The
2502 value is specified in kilobytes, and the default is 0 KB, which
2503 means there is no minimum.
6b698a21 2504DOC_END
0976f8db 2505
41bd17a4 2506NAME: maximum_object_size
2507COMMENT: (bytes)
2508TYPE: b_int64_t
2509DEFAULT: 4096 KB
2510LOC: Config.Store.maxObjectSize
777831e0 2511DOC_START
41bd17a4 2512 Objects larger than this size will NOT be saved on disk. The
2513 value is specified in kilobytes, and the default is 4MB. If
2514 you wish to get a high BYTES hit ratio, you should probably
2515 increase this (one 32 MB object hit counts for 3200 10KB
2516 hits). If you wish to increase speed more than your want to
2517 save bandwidth you should leave this low.
777831e0 2518
41bd17a4 2519 NOTE: if using the LFUDA replacement policy you should increase
2520 this value to maximize the byte hit rate improvement of LFUDA!
2521 See replacement_policy below for a discussion of this policy.
6b698a21 2522DOC_END
0976f8db 2523
41bd17a4 2524NAME: cache_swap_low
2525COMMENT: (percent, 0-100)
5473c134 2526TYPE: int
41bd17a4 2527DEFAULT: 90
2528LOC: Config.Swap.lowWaterMark
2529DOC_NONE
2530
2531NAME: cache_swap_high
2532COMMENT: (percent, 0-100)
2533TYPE: int
2534DEFAULT: 95
2535LOC: Config.Swap.highWaterMark
6b698a21 2536DOC_START
41bd17a4 2537
2538 The low- and high-water marks for cache object replacement.
2539 Replacement begins when the swap (disk) usage is above the
2540 low-water mark and attempts to maintain utilization near the
2541 low-water mark. As swap utilization gets close to high-water
2542 mark object eviction becomes more aggressive. If utilization is
2543 close to the low-water mark less replacement is done each time.
2544
2545 Defaults are 90% and 95%. If you have a large cache, 5% could be
2546 hundreds of MB. If this is the case you may wish to set these
2547 numbers closer together.
6b698a21 2548DOC_END
0976f8db 2549
5473c134 2550COMMENT_START
41bd17a4 2551 LOGFILE OPTIONS
5473c134 2552 -----------------------------------------------------------------------------
2553COMMENT_END
0976f8db 2554
41bd17a4 2555NAME: logformat
2556TYPE: logformat
2557LOC: Config.Log.logformats
5473c134 2558DEFAULT: none
6b698a21 2559DOC_START
41bd17a4 2560 Usage:
0976f8db 2561
41bd17a4 2562 logformat <name> <format specification>
0976f8db 2563
41bd17a4 2564 Defines an access log format.
6b698a21 2565
41bd17a4 2566 The <format specification> is a string with embedded % format codes
5473c134 2567
41bd17a4 2568 % format codes all follow the same basic structure where all but
2569 the formatcode is optional. Output strings are automatically escaped
2570 as required according to their context and the output format
2571 modifiers are usually not needed, but can be specified if an explicit
2572 output format is desired.
6b698a21 2573
41bd17a4 2574 % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
0976f8db 2575
41bd17a4 2576 " output in quoted string format
2577 [ output in squid text log format as used by log_mime_hdrs
2578 # output in URL quoted format
2579 ' output as-is
5473c134 2580
41bd17a4 2581 - left aligned
2582 width field width. If starting with 0 the
2583 output is zero padded
2584 {arg} argument such as header name etc
5473c134 2585
41bd17a4 2586 Format codes:
5473c134 2587
3ff65596 2588 % a literal % character
41bd17a4 2589 >a Client source IP address
2590 >A Client FQDN
2591 >p Client source port
2592 <A Server IP address or peer name
2593 la Local IP address (http_port)
2594 lp Local port number (http_port)
17fde513 2595 sn Unique sequence number per log line entry
41bd17a4 2596 ts Seconds since epoch
2597 tu subsecond time (milliseconds)
2598 tl Local time. Optional strftime format argument
3ff65596 2599 default %d/%b/%Y:%H:%M:%S %z
41bd17a4 2600 tg GMT time. Optional strftime format argument
3ff65596 2601 default %d/%b/%Y:%H:%M:%S %z
41bd17a4 2602 tr Response time (milliseconds)
3ff65596
AR		 2603 dt Total time spent making DNS lookups (milliseconds)
2604
2605 HTTP cache related format codes:
2606
ca2e92d8 2607 [http::]>h Original request header. Optional header name argument
3ff65596 2608 on the format header[:[separator]element]
6fca33e0
CT		 2609 [http::]>ha The HTTP request headers after adaptation and redirection.
2610 Optional header name argument as for >h
3ff65596
AR		 2611 [http::]<h Reply header. Optional header name argument
2612 as for >h
2613 [http::]un User name
2614 [http::]ul User name from authentication
2615 [http::]ui User name from ident
2616 [http::]us User name from SSL
2617 [http::]ue User name from external acl helper
2618 [http::]>Hs HTTP status code sent to the client
2619 [http::]<Hs HTTP status code received from the next hop
2620 [http::]Ss Squid request status (TCP_MISS etc)
2621 [http::]Sh Squid hierarchy status (DEFAULT_PARENT etc)
2622 [http::]mt MIME content type
2623 [http::]rm Request method (GET/POST etc)
2624 [http::]ru Request URL
2625 [http::]rp Request URL-Path excluding hostname
2626 [http::]rv Request protocol version
2627 [http::]et Tag returned by external acl
2628 [http::]ea Log string returned by external acl
2629 [http::]<st Sent reply size including HTTP headers
2630 [http::]>st Received request size including HTTP headers. In the
2631 case of chunked requests the chunked encoding metadata
2632 are not included
2633 [http::]>sh Received HTTP request headers size
2634 [http::]<sh Sent HTTP reply headers size
2635 [http::]st Request+Reply size including HTTP headers
2636 [http::]<sH Reply high offset sent
2637 [http::]<sS Upstream object size
2638 [http::]<pt Peer response time in milliseconds. The timer starts
2639 when the last request byte is sent to the next hop
2640 and stops when the last response byte is received.
2641 [http::]<tt Total server-side time in milliseconds. The timer
2642 starts with the first connect request (or write I/O)
2643 sent to the first selected peer. The timer stops
2644 with the last I/O with the last peer.
2645
2646 If ICAP is enabled, the following two codes become available (as
2647 well as ICAP log codes documented with the icap_log option):
2648
2649 icap::tt Total ICAP processing time for the HTTP
2650 transaction. The timer ticks when ICAP
2651 ACLs are checked and when ICAP
2652 transaction is in progress.
2653
2654 icap::<last_h The header of the last ICAP response
2655 related to the HTTP transaction. Like
2656 <h, accepts an optional header name
2657 argument. Will not change semantics
2658 when multiple ICAP transactions per HTTP
2659 transaction are supported.
2660
2661 If adaptation is enabled the following two codes become available:
2662
2663 adapt::sum_trs Summed adaptation transaction response
2664 times recorded as a comma-separated list in
2665 the order of transaction start time. Each time
2666 value is recorded as an integer number,
2667 representing response time of one or more
2668 adaptation (ICAP or eCAP) transaction in
2669 milliseconds. When a failed transaction is
2670 being retried or repeated, its time is not
2671 logged individually but added to the
2672 replacement (next) transaction. See also:
2673 adapt::all_trs.
2674
2675 adapt::all_trs All adaptation transaction response times.
2676 Same as adaptation_strs but response times of
2677 individual transactions are never added
2678 together. Instead, all transaction response
2679 times are recorded individually.
2680
2681 You can prefix adapt::*_trs format codes with adaptation
2682 service name in curly braces to record response time(s) specific
2683 to that service. For example: %{my_service}adapt::sum_trs
5473c134 2684
7d9acc3c
AJ		 2685 The default formats available (which do not need re-defining) are:
2686
3ff65596
AR		 2687logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
2688logformat squidmime %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
2689logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
2690logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
5473c134 2691DOC_END
2692
41bd17a4 2693NAME: access_log cache_access_log
2694TYPE: access_log
2695LOC: Config.Log.accesslogs
02424612 2696DEFAULT: none
82b7abe3 2697DEFAULT_IF_NONE: daemon:@DEFAULT_ACCESS_LOG@ squid
5473c134 2698DOC_START
41bd17a4 2699 These files log client request activities. Has a line every HTTP or
2700 ICP request. The format is:
82b7abe3 2701 access_log <module>:<place> [<logformat name> [acl acl ...]]
41bd17a4 2702 access_log none [acl acl ...]]
82b7abe3
AJ		 2703
2704 Will log to the specified module:place using the specified format (which
41bd17a4 2705 must be defined in a logformat directive) those entries which match
2706 ALL the acl's specified (which must be defined in acl clauses).
82b7abe3
AJ		 2707 If no acl is specified, all requests will be logged to this destination.
2708
2709 ===== Modules Currently available =====
2710
2711 none Do not log any requests matchign these ACL.
2712 Do not specify Place or logformat name.
2713
2714 stdio Write each log line to disk immediately at the completion of
2715 each request.
2716 Place: the filename and path to be written.
2717
2718 daemon Very similar to stdio. But instead of writing to disk the log
2719 line is passed to a daemon helper for asychronous handling instead.
2720 Place: varies depending on the daemon.
2721
2722 log_file_daemon Place: the file name and path to be written.
2723
2724 syslog To log each request via syslog facility.
2725 Place: The syslog facility and priority level for these entries.
2726 Place Format: facility.priority
5473c134 2727
82b7abe3
AJ		 2728 where facility could be any of:
2729 authpriv, daemon, local0 ... local7 or user.
5473c134 2730
82b7abe3
AJ		 2731 And priority could be any of:
2732 err, warning, notice, info, debug.
2733
2734 udp To send each log line as text data to a UDP receiver.
2735 Place: The destination host name or IP and port.
2736 Place Format: \\host:port
df2eec10
AJ		 2737
2738 Default:
82b7abe3 2739 access_log daemon:@DEFAULT_ACCESS_LOG@ squid
41bd17a4 2740DOC_END
5473c134 2741
3ff65596
AR		 2742NAME: icap_log
2743TYPE: access_log
2744IFDEF: ICAP_CLIENT
2745LOC: Config.Log.icaplogs
2746DEFAULT: none
2747DOC_START
2748 ICAP log files record ICAP transaction summaries, one line per
2749 transaction.
2750
2751 The icap_log option format is:
2752 icap_log <filepath> [<logformat name> [acl acl ...]]
2753 icap_log none [acl acl ...]]
2754
2755 Please see access_log option documentation for details. The two
2756 kinds of logs share the overall configuration approach and many
2757 features.
2758
2759 ICAP processing of a single HTTP message or transaction may
2760 require multiple ICAP transactions. In such cases, multiple
2761 ICAP transaction log lines will correspond to a single access
2762 log line.
2763
2764 ICAP log uses logformat codes that make sense for an ICAP
2765 transaction. Header-related codes are applied to the HTTP header
2766 embedded in an ICAP server response, with the following caveats:
2767 For REQMOD, there is no HTTP response header unless the ICAP
2768 server performed request satisfaction. For RESPMOD, the HTTP
2769 request header is the header sent to the ICAP server. For
2770 OPTIONS, there are no HTTP headers.
2771
2772 The following format codes are also available for ICAP logs:
2773
2774 icap::<A ICAP server IP address. Similar to <A.
2775
2776 icap::<service_name ICAP service name from the icap_service
2777 option in Squid configuration file.
2778
2779 icap::ru ICAP Request-URI. Similar to ru.
2780
2781 icap::rm ICAP request method (REQMOD, RESPMOD, or
2782 OPTIONS). Similar to existing rm.
2783
2784 icap::>st Bytes sent to the ICAP server (TCP payload
2785 only; i.e., what Squid writes to the socket).
2786
2787 icap::<st Bytes received from the ICAP server (TCP
2788 payload only; i.e., what Squid reads from
2789 the socket).
2790
2791 icap::tr Transaction response time (in
2792 milliseconds). The timer starts when
2793 the ICAP transaction is created and
2794 stops when the transaction is completed.
2795 Similar to tr.
2796
2797 icap::tio Transaction I/O time (in milliseconds). The
2798 timer starts when the first ICAP request
2799 byte is scheduled for sending. The timers
2800 stops when the last byte of the ICAP response
2801 is received.
2802
2803 icap::to Transaction outcome: ICAP_ERR* for all
2804 transaction errors, ICAP_OPT for OPTION
2805 transactions, ICAP_ECHO for 204
2806 responses, ICAP_MOD for message
2807 modification, and ICAP_SAT for request
2808 satisfaction. Similar to Ss.
2809
2810 icap::Hs ICAP response status code. Similar to Hs.
2811
2812 icap::>h ICAP request header(s). Similar to >h.
2813
2814 icap::<h ICAP response header(s). Similar to <h.
2815
2816 The default ICAP log format, which can be used without an explicit
2817 definition, is called icap_squid:
2818
2819logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
2820
2821 See also: logformat, log_icap, and %icap::<last_h
2822DOC_END
2823
82b7abe3
AJ		 2824NAME: logfile_daemon
2825TYPE: string
2826DEFAULT: @DEFAULT_LOGFILED@
2827LOC: Log::TheConfig.logfile_daemon
2828DOC_START
2829 Specify the path to the logfile-writing daemon. This daemon is
2830 used to write the access and store logs, if configured.
2831DOC_END
2832
5b0f5383 2833NAME: log_access
2834TYPE: acl_access
2835LOC: Config.accessList.log
2836DEFAULT: none
2837COMMENT: allow|deny acl acl...
2838DOC_START
2839 This options allows you to control which requests gets logged
2840 to access.log (see access_log directive). Requests denied for
2841 logging will also not be accounted for in performance counters.
b3567eb5
FC		 2842
2843 This clause only supports fast acl types.
2844 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
5b0f5383 2845DOC_END
2846
3ff65596
AR		 2847NAME: log_icap
2848TYPE: acl_access
2849IFDEF: ICAP_CLIENT
2850LOC: Config.accessList.icap
2851DEFAULT: none
2852DOC_START
2853 This options allows you to control which requests get logged
2854 to icap.log. See the icap_log directive for ICAP log details.
2855DOC_END
2856
41bd17a4 2857NAME: cache_store_log
2858TYPE: string
df2eec10 2859DEFAULT: none
41bd17a4 2860LOC: Config.Log.store
2861DOC_START
2862 Logs the activities of the storage manager. Shows which
2863 objects are ejected from the cache, and which objects are
df2eec10
AJ		 2864 saved and for how long. To disable, enter "none" or remove the line.
2865 There are not really utilities to analyze this data, so you can safely
41bd17a4 2866 disable it.
e0855596
AJ		 2867
2868 Example:
2869 cache_store_log @DEFAULT_STORE_LOG@
5473c134 2870DOC_END
2871
41bd17a4 2872NAME: cache_swap_state cache_swap_log
2873TYPE: string
2874LOC: Config.Log.swap
5473c134 2875DEFAULT: none
2876DOC_START
41bd17a4 2877 Location for the cache "swap.state" file. This index file holds
2878 the metadata of objects saved on disk. It is used to rebuild
2879 the cache during startup. Normally this file resides in each
2880 'cache_dir' directory, but you may specify an alternate
2881 pathname here. Note you must give a full filename, not just
2882 a directory. Since this is the index for the whole object
2883 list you CANNOT periodically rotate it!
5473c134 2884
41bd17a4 2885 If %s can be used in the file name it will be replaced with a
2886 a representation of the cache_dir name where each / is replaced
2887 with '.'. This is needed to allow adding/removing cache_dir
2888 lines when cache_swap_log is being used.
5473c134 2889
41bd17a4 2890 If have more than one 'cache_dir', and %s is not used in the name
2891 these swap logs will have names such as:
5473c134 2892
41bd17a4 2893 cache_swap_log.00
2894 cache_swap_log.01
2895 cache_swap_log.02
5473c134 2896
41bd17a4 2897 The numbered extension (which is added automatically)
2898 corresponds to the order of the 'cache_dir' lines in this
2899 configuration file. If you change the order of the 'cache_dir'
2900 lines in this file, these index files will NOT correspond to
2901 the correct 'cache_dir' entry (unless you manually rename
2902 them). We recommend you do NOT use this option. It is
2903 better to keep these index files in each 'cache_dir' directory.
5473c134 2904DOC_END
2905
41bd17a4 2906NAME: logfile_rotate
2907TYPE: int
2908DEFAULT: 10
2909LOC: Config.Log.rotateNumber
5473c134 2910DOC_START
41bd17a4 2911 Specifies the number of logfile rotations to make when you
2912 type 'squid -k rotate'. The default is 10, which will rotate
2913 with extensions 0 through 9. Setting logfile_rotate to 0 will
2914 disable the file name rotation, but the logfiles are still closed
2915 and re-opened. This will enable you to rename the logfiles
2916 yourself just before sending the rotate signal.
5473c134 2917
41bd17a4 2918 Note, the 'squid -k rotate' command normally sends a USR1
2919 signal to the running squid process. In certain situations
2920 (e.g. on Linux with Async I/O), USR1 is used for other
2921 purposes, so -k rotate uses another signal. It is best to get
2922 in the habit of using 'squid -k rotate' instead of 'kill -USR1
2923 <pid>'.
62493678
AJ		 2924
2925 Note, from Squid-3.1 this option has no effect on the cache.log,
2926 that log can be rotated separately by using debug_options
41bd17a4 2927DOC_END
5473c134 2928
41bd17a4 2929NAME: emulate_httpd_log
2930COMMENT: on|off
2931TYPE: onoff
2932DEFAULT: off
2933LOC: Config.onoff.common_log
2934DOC_START
2935 The Cache can emulate the log file format which many 'httpd'
2936 programs use. To disable/enable this emulation, set
2937 emulate_httpd_log to 'off' or 'on'. The default
2938 is to use the native log format since it includes useful
2939 information Squid-specific log analyzers use.
5473c134 2940DOC_END
2941
41bd17a4 2942NAME: log_ip_on_direct
2943COMMENT: on|off
2944TYPE: onoff
5473c134 2945DEFAULT: on
41bd17a4 2946LOC: Config.onoff.log_ip_on_direct
5473c134 2947DOC_START
41bd17a4 2948 Log the destination IP address in the hierarchy log tag when going
2949 direct. Earlier Squid versions logged the hostname here. If you
2950 prefer the old way set this to off.
2951DOC_END
5473c134 2952
41bd17a4 2953NAME: mime_table
2954TYPE: string
2955DEFAULT: @DEFAULT_MIME_TABLE@
2956LOC: Config.mimeTablePathname
2957DOC_START
2958 Pathname to Squid's MIME table. You shouldn't need to change
2959 this, but the default file contains examples and formatting
2960 information if you do.
5473c134 2961DOC_END
2962
41bd17a4 2963NAME: log_mime_hdrs
2964COMMENT: on|off
2965TYPE: onoff
2966LOC: Config.onoff.log_mime_hdrs
2967DEFAULT: off
2968DOC_START
2969 The Cache can record both the request and the response MIME
2970 headers for each HTTP transaction. The headers are encoded
2971 safely and will appear as two bracketed fields at the end of
2972 the access log (for either the native or httpd-emulated log
2973 formats). To enable this logging set log_mime_hdrs to 'on'.
2974DOC_END
5473c134 2975
41bd17a4 2976NAME: useragent_log
2977TYPE: string
2978LOC: Config.Log.useragent
2979DEFAULT: none
2980IFDEF: USE_USERAGENT_LOG
5473c134 2981DOC_START
41bd17a4 2982 Squid will write the User-Agent field from HTTP requests
2983 to the filename specified here. By default useragent_log
2984 is disabled.
5473c134 2985DOC_END
2986
41bd17a4 2987NAME: referer_log referrer_log
2988TYPE: string
2989LOC: Config.Log.referer
2990DEFAULT: none
2991IFDEF: USE_REFERER_LOG
5473c134 2992DOC_START
41bd17a4 2993 Squid will write the Referer field from HTTP requests to the
2994 filename specified here. By default referer_log is disabled.
2995 Note that "referer" is actually a misspelling of "referrer"
2996 however the misspelt version has been accepted into the HTTP RFCs
2997 and we accept both.
5473c134 2998DOC_END
2999
41bd17a4 3000NAME: pid_filename
3001TYPE: string
3002DEFAULT: @DEFAULT_PID_FILE@
3003LOC: Config.pidFilename
5473c134 3004DOC_START
41bd17a4 3005 A filename to write the process-id to. To disable, enter "none".
5473c134 3006DOC_END
3007
41bd17a4 3008NAME: log_fqdn
3009COMMENT: on|off
3010TYPE: onoff
3011DEFAULT: off
3012LOC: Config.onoff.log_fqdn
5473c134 3013DOC_START
41bd17a4 3014 Turn this on if you wish to log fully qualified domain names
3015 in the access.log. To do this Squid does a DNS lookup of all
3016 IP's connecting to it. This can (in some situations) increase
3017 latency, which makes your cache seem slower for interactive
3018 browsing.
5473c134 3019DOC_END
3020
41bd17a4 3021NAME: client_netmask
3022TYPE: address
3023LOC: Config.Addrs.client_netmask
0eb08770 3024DEFAULT: no_addr
5473c134 3025DOC_START
41bd17a4 3026 A netmask for client addresses in logfiles and cachemgr output.
3027 Change this to protect the privacy of your cache clients.
3028 A netmask of 255.255.255.0 will log all IP's in that range with
3029 the last digit set to '0'.
5473c134 3030DOC_END
3031
41bd17a4 3032NAME: forward_log
3033IFDEF: WIP_FWD_LOG
3034TYPE: string
3035DEFAULT: none
3036LOC: Config.Log.forward
5473c134 3037DOC_START
41bd17a4 3038 Logs the server-side requests.
5473c134 3039
41bd17a4 3040 This is currently work in progress.
5473c134 3041DOC_END
3042
41bd17a4 3043NAME: strip_query_terms
5473c134 3044TYPE: onoff
41bd17a4 3045LOC: Config.onoff.strip_query_terms
5473c134 3046DEFAULT: on
3047DOC_START
41bd17a4 3048 By default, Squid strips query terms from requested URLs before
3049 logging. This protects your user's privacy.
5473c134 3050DOC_END
3051
41bd17a4 3052NAME: buffered_logs
3053COMMENT: on|off
3054TYPE: onoff
3055DEFAULT: off
3056LOC: Config.onoff.buffered_logs
5473c134 3057DOC_START
41bd17a4 3058 cache.log log file is written with stdio functions, and as such
3059 it can be buffered or unbuffered. By default it will be unbuffered.
3060 Buffering it can speed up the writing slightly (though you are
3061 unlikely to need to worry unless you run with tons of debugging
3062 enabled in which case performance will suffer badly anyway..).
6b698a21 3063DOC_END
0976f8db 3064
2b753521 3065NAME: netdb_filename
3066TYPE: string
3067DEFAULT: @DEFAULT_NETDB_FILE@
3068LOC: Config.netdbFilename
fb6a61d1 3069IFDEF: USE_ICMP
2b753521 3070DOC_START
3071 A filename where Squid stores it's netdb state between restarts.
3072 To disable, enter "none".
3073DOC_END
3074
62493678
AJ		 3075COMMENT_START
3076 OPTIONS FOR TROUBLESHOOTING
3077 -----------------------------------------------------------------------------
3078COMMENT_END
3079
3080NAME: cache_log
3081TYPE: string
3082DEFAULT: none
3083DEFAULT_IF_NONE: @DEFAULT_CACHE_LOG@
3084LOC: Debug::cache_log
3085DOC_START
3086 Cache logging file. This is where general information about
3087 your cache's behavior goes. You can increase the amount of data
3088 logged to this file and how often its rotated with "debug_options"
3089DOC_END
3090
3091NAME: debug_options
3092TYPE: eol
47df1aa7 3093DEFAULT: ALL,1
62493678
AJ		 3094LOC: Debug::debugOptions
3095DOC_START
3096 Logging options are set as section,level where each source file
3097 is assigned a unique section. Lower levels result in less
3098 output, Full debugging (level 9) can result in a very large
3099 log file, so be careful.
3100
3101 The magic word "ALL" sets debugging levels for all sections.
3102 We recommend normally running with "ALL,1".
3103
47df1aa7
AJ		 3104 The rotate=N option can be used to keep more or less of these logs
3105 than would otherwise be kept by logfile_rotate.
62493678
AJ		 3106 For most uses a single log should be enough to monitor current
3107 events affecting Squid.
3108DOC_END
3109
3110NAME: coredump_dir
3111TYPE: string
3112LOC: Config.coredump_dir
3113DEFAULT: none
3114DEFAULT_IF_NONE: none
3115DOC_START
3116 By default Squid leaves core files in the directory from where
3117 it was started. If you set 'coredump_dir' to a directory
3118 that exists, Squid will chdir() to that directory at startup
3119 and coredump files will be left there.
3120
3121NOCOMMENT_START
e0855596 3122
62493678
AJ		 3123# Leave coredumps in the first cache dir
3124coredump_dir @DEFAULT_SWAP_DIR@
3125NOCOMMENT_END
3126DOC_END
3127
3128
41bd17a4 3129COMMENT_START
3130 OPTIONS FOR FTP GATEWAYING
3131 -----------------------------------------------------------------------------
3132COMMENT_END
3133
3134NAME: ftp_user
3135TYPE: string
3136DEFAULT: Squid@
3137LOC: Config.Ftp.anon_user
6b698a21 3138DOC_START
41bd17a4 3139 If you want the anonymous login password to be more informative
3140 (and enable the use of picky ftp servers), set this to something
3141 reasonable for your domain, like wwwuser@somewhere.net
7f7db318 3142
41bd17a4 3143 The reason why this is domainless by default is the
3144 request can be made on the behalf of a user in any domain,
3145 depending on how the cache is used.
3146 Some ftp server also validate the email address is valid
3147 (for example perl.com).
6b698a21 3148DOC_END
0976f8db 3149
41bd17a4 3150NAME: ftp_passive
3151TYPE: onoff
3152DEFAULT: on
3153LOC: Config.Ftp.passive
6b698a21 3154DOC_START
41bd17a4 3155 If your firewall does not allow Squid to use passive
3156 connections, turn off this option.
a689bd4e 3157
3158 Use of ftp_epsv_all option requires this to be ON.
3159DOC_END
3160
3161NAME: ftp_epsv_all
3162TYPE: onoff
3163DEFAULT: off
3164LOC: Config.Ftp.epsv_all
3165DOC_START
3166 FTP Protocol extensions permit the use of a special "EPSV ALL" command.
3167
3168 NATs may be able to put the connection on a "fast path" through the
3169 translator, as the EPRT command will never be used and therefore,
3170 translation of the data portion of the segments will never be needed.
3171
b3567eb5
FC		 3172 When a client only expects to do two-way FTP transfers this may be
3173 useful.
a689bd4e 3174 If squid finds that it must do a three-way FTP transfer after issuing
3175 an EPSV ALL command, the FTP session will fail.
3176
3177 If you have any doubts about this option do not use it.
3178 Squid will nicely attempt all other connection methods.
3179
51ee534d
AJ		 3180 Requires ftp_passive to be ON (default) for any effect.
3181DOC_END
3182
3183NAME: ftp_epsv
3184TYPE: onoff
3185DEFAULT: on
3186LOC: Config.Ftp.epsv
3187DOC_START
3188 FTP Protocol extensions permit the use of a special "EPSV" command.
3189
3190 NATs may be able to put the connection on a "fast path" through the
b3567eb5
FC		 3191 translator using EPSV, as the EPRT command will never be used
3192 and therefore, translation of the data portion of the segments
3193 will never be needed.
51ee534d
AJ		 3194
3195 Turning this OFF will prevent EPSV being attempted.
3196 WARNING: Doing so will convert Squid back to the old behavior with all
3197 the related problems with external NAT devices/layers.
3198
3199 Requires ftp_passive to be ON (default) for any effect.
41bd17a4 3200DOC_END
9e7dbc51 3201
41bd17a4 3202NAME: ftp_sanitycheck
3203TYPE: onoff
3204DEFAULT: on
3205LOC: Config.Ftp.sanitycheck
3206DOC_START
3207 For security and data integrity reasons Squid by default performs
3208 sanity checks of the addresses of FTP data connections ensure the
3209 data connection is to the requested server. If you need to allow
3210 FTP connections to servers using another IP address for the data
3211 connection turn this off.
3212DOC_END
9e7dbc51 3213
41bd17a4 3214NAME: ftp_telnet_protocol
3215TYPE: onoff
3216DEFAULT: on
3217LOC: Config.Ftp.telnet
3218DOC_START
3219 The FTP protocol is officially defined to use the telnet protocol
3220 as transport channel for the control connection. However, many
3221 implementations are broken and does not respect this aspect of
3222 the FTP protocol.
3223
3224 If you have trouble accessing files with ASCII code 255 in the
3225 path or similar problems involving this ASCII code you can
3226 try setting this directive to off. If that helps, report to the
3227 operator of the FTP server in question that their FTP server
3228 is broken and does not follow the FTP standard.
3229DOC_END
3230
3231COMMENT_START
3232 OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
3233 -----------------------------------------------------------------------------
3234COMMENT_END
3235
3236NAME: diskd_program
3237TYPE: string
3238DEFAULT: @DEFAULT_DISKD@
3239LOC: Config.Program.diskd
3240DOC_START
3241 Specify the location of the diskd executable.
3242 Note this is only useful if you have compiled in
3243 diskd as one of the store io modules.
3244DOC_END
3245
3246NAME: unlinkd_program
3247IFDEF: USE_UNLINKD
3248TYPE: string
3249DEFAULT: @DEFAULT_UNLINKD@
3250LOC: Config.Program.unlinkd
3251DOC_START
3252 Specify the location of the executable for file deletion process.
3253DOC_END
3254
3255NAME: pinger_program
3256TYPE: string
3257DEFAULT: @DEFAULT_PINGER@
cc192b50 3258LOC: Config.pinger.program
41bd17a4 3259IFDEF: USE_ICMP
3260DOC_START
3261 Specify the location of the executable for the pinger process.
3262DOC_END
3263
cc192b50 3264NAME: pinger_enable
3265TYPE: onoff
3266DEFAULT: on
3267LOC: Config.pinger.enable
3268IFDEF: USE_ICMP
3269DOC_START
3270 Control whether the pinger is active at run-time.
b3567eb5
FC		 3271 Enables turning ICMP pinger on and off with a simple
3272 squid -k reconfigure.
cc192b50 3273DOC_END
3274
3275
41bd17a4 3276COMMENT_START
3277 OPTIONS FOR URL REWRITING
3278 -----------------------------------------------------------------------------
3279COMMENT_END
3280
3281NAME: url_rewrite_program redirect_program
3282TYPE: wordlist
3283LOC: Config.Program.redirect
3284DEFAULT: none
3285DOC_START
3286 Specify the location of the executable for the URL rewriter.
3287 Since they can perform almost any function there isn't one included.
3288
3289 For each requested URL rewriter will receive on line with the format
3290
c71adec1 3291 URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
3292
3293 In the future, the rewriter interface will be extended with
3294 key=value pairs ("kvpairs" shown above). Rewriter programs
3295 should be prepared to receive and possibly ignore additional
3296 whitespace-separated tokens on each input line.
41bd17a4 3297
3298 And the rewriter may return a rewritten URL. The other components of
3299 the request line does not need to be returned (ignored if they are).
3300
3301 The rewriter can also indicate that a client-side redirect should
3302 be performed to the new URL. This is done by prefixing the returned
3303 URL with "301:" (moved permanently) or 302: (moved temporarily).
3304
3305 By default, a URL rewriter is not used.
3306DOC_END
3307
3308NAME: url_rewrite_children redirect_children
48d54e4d 3309TYPE: HelperChildConfig
5b708d95 3310DEFAULT: 20 startup=0 idle=1 concurrency=0
41bd17a4 3311LOC: Config.redirectChildren
3312DOC_START
48d54e4d
AJ		 3313 The maximum number of redirector processes to spawn. If you limit
3314 it too few Squid will have to wait for them to process a backlog of
3315 URLs, slowing it down. If you allow too many they will use RAM
3316 and other system resources noticably.
3317
3318 The startup= and idle= options allow some measure of skew in your
3319 tuning.
3320
3321 startup=
3322
3323 Sets a minimum of how many processes are to be spawned when Squid
3324 starts or reconfigures. When set to zero the first request will
3325 cause spawning of the first child process to handle it.
3326
3327 Starting too few will cause an initial slowdown in traffic as Squid
3328 attempts to simultaneously spawn enough processes to cope.
3329
3330 idle=
3331
3332 Sets a minimum of how many processes Squid is to try and keep available
3333 at all times. When traffic begins to rise above what the existing
3334 processes can handle this many more will be spawned up to the maximum
3335 configured. A minimum setting of 1 is required.
3336
3337 concurrency=
41bd17a4 3338
41bd17a4 3339 The number of requests each redirector helper can handle in
3340 parallel. Defaults to 0 which indicates the redirector
3341 is a old-style single threaded redirector.
6a171502
AJ		 3342
3343 When this directive is set to a value >= 1 then the protocol
3344 used to communicate with the helper is modified to include
3345 a request ID in front of the request/response. The request
3346 ID from the request must be echoed back with the response
3347 to that request.
41bd17a4 3348DOC_END
3349
3350NAME: url_rewrite_host_header redirect_rewrites_host_header
3351TYPE: onoff
3352DEFAULT: on
3353LOC: Config.onoff.redir_rewrites_host
3354DOC_START
3355 By default Squid rewrites any Host: header in redirected
3356 requests. If you are running an accelerator this may
3357 not be a wanted effect of a redirector.
3358
3359 WARNING: Entries are cached on the result of the URL rewriting
3360 process, so be careful if you have domain-virtual hosts.
3361DOC_END
3362
3363NAME: url_rewrite_access redirector_access
3364TYPE: acl_access
3365DEFAULT: none
3366LOC: Config.accessList.redirector
3367DOC_START
3368 If defined, this access list specifies which requests are
3369 sent to the redirector processes. By default all requests
3370 are sent.
b3567eb5
FC		 3371
3372 This clause supports both fast and slow acl types.
3373 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
41bd17a4 3374DOC_END
3375
3376NAME: url_rewrite_bypass redirector_bypass
3377TYPE: onoff
3378LOC: Config.onoff.redirector_bypass
3379DEFAULT: off
3380DOC_START
3381 When this is 'on', a request will not go through the
3382 redirector if all redirectors are busy. If this is 'off'
3383 and the redirector queue grows too large, Squid will exit
3384 with a FATAL error and ask you to increase the number of
3385 redirectors. You should only enable this if the redirectors
3386 are not critical to your caching system. If you use
3387 redirectors for access control, and you enable this option,
3388 users may have access to pages they should not
3389 be allowed to request.
3390DOC_END
3391
3392COMMENT_START
3393 OPTIONS FOR TUNING THE CACHE
3394 -----------------------------------------------------------------------------
3395COMMENT_END
3396
f04b37d8 3397NAME: cache no_cache
3398TYPE: acl_access
3399DEFAULT: none
3400LOC: Config.accessList.noCache
41bd17a4 3401DOC_START
240887f0 3402 A list of ACL elements which, if matched and denied, cause the request to
f04b37d8 3403 not be satisfied from the cache and the reply to not be cached.
3404 In other words, use this to force certain objects to never be cached.
41bd17a4 3405
240887f0 3406 You must use the words 'allow' or 'deny' to indicate whether items
3407 matching the ACL should be allowed or denied into the cache.
f04b37d8 3408
240887f0 3409 Default is to allow all to be cached.
b3567eb5
FC		 3410
3411 This clause supports both fast and slow acl types.
3412 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
41bd17a4 3413DOC_END
3414
3415NAME: refresh_pattern
3416TYPE: refreshpattern
3417LOC: Config.Refresh
3418DEFAULT: none
3419DOC_START
3420 usage: refresh_pattern [-i] regex min percent max [options]
9e7dbc51 3421
6b698a21 3422 By default, regular expressions are CASE-SENSITIVE. To make
3423 them case-insensitive, use the -i option.
9e7dbc51 3424
41bd17a4 3425 'Min' is the time (in minutes) an object without an explicit
3426 expiry time should be considered fresh. The recommended
3427 value is 0, any higher values may cause dynamic applications
3428 to be erroneously cached unless the application designer
3429 has taken the appropriate actions.
9e7dbc51 3430
41bd17a4 3431 'Percent' is a percentage of the objects age (time since last
3432 modification age) an object without explicit expiry time
3433 will be considered fresh.
5b807763 3434
41bd17a4 3435 'Max' is an upper limit on how long objects without an explicit
3436 expiry time will be considered fresh.
9e7dbc51 3437
41bd17a4 3438 options: override-expire
3439 override-lastmod
3440 reload-into-ims
3441 ignore-reload
3442 ignore-no-cache
3443 ignore-no-store
4ca08219 3444 ignore-must-revalidate
41bd17a4 3445 ignore-private
3446 ignore-auth
3447 refresh-ims
a0ec9f68 3448
41bd17a4 3449 override-expire enforces min age even if the server
9b2ad080
HN		 3450 sent an explicit expiry time (e.g., with the
3451 Expires: header or Cache-Control: max-age). Doing this
3452 VIOLATES the HTTP standard. Enabling this feature
3453 could make you liable for problems which it causes.
6468fe10 3454
04925576
AJ		 3455 Note: override-expire does not enforce staleness - it only extends
3456 freshness / min. If the server returns a Expires time which
3457 is longer than your max time, Squid will still consider
3458 the object fresh for that period of time.
3459
41bd17a4 3460 override-lastmod enforces min age even on objects
3461 that were modified recently.
934b03fc 3462
41bd17a4 3463 reload-into-ims changes client no-cache or ``reload''
3464 to If-Modified-Since requests. Doing this VIOLATES the
3465 HTTP standard. Enabling this feature could make you
3466 liable for problems which it causes.
dba79ac5 3467
41bd17a4 3468 ignore-reload ignores a client no-cache or ``reload''
3469 header. Doing this VIOLATES the HTTP standard. Enabling
3470 this feature could make you liable for problems which
3471 it causes.
9bc73deb 3472
41bd17a4 3473 ignore-no-cache ignores any ``Pragma: no-cache'' and
3474 ``Cache-control: no-cache'' headers received from a server.
3475 The HTTP RFC never allows the use of this (Pragma) header
3476 from a server, only a client, though plenty of servers
3477 send it anyway.
3478
3479 ignore-no-store ignores any ``Cache-control: no-store''
3480 headers received from a server. Doing this VIOLATES
3481 the HTTP standard. Enabling this feature could make you
3482 liable for problems which it causes.
3483
4ca08219
AJ		 3484 ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
3485 headers received from a server. Doing this VIOLATES
3486 the HTTP standard. Enabling this feature could make you
3487 liable for problems which it causes.
3488
41bd17a4 3489 ignore-private ignores any ``Cache-control: private''
3490 headers received from a server. Doing this VIOLATES
3491 the HTTP standard. Enabling this feature could make you
3492 liable for problems which it causes.
3493
3494 ignore-auth caches responses to requests with authorization,
3495 as if the originserver had sent ``Cache-control: public''
3496 in the response header. Doing this VIOLATES the HTTP standard.
3497 Enabling this feature could make you liable for problems which
3498 it causes.
3499
3500 refresh-ims causes squid to contact the origin server
3501 when a client issues an If-Modified-Since request. This
3502 ensures that the client will receive an updated version
3503 if one is available.
3504
3505 Basically a cached object is:
3506
3507 FRESH if expires < now, else STALE
3508 STALE if age > max
3509 FRESH if lm-factor < percent, else STALE
3510 FRESH if age < min
3511 else STALE
3512
3513 The refresh_pattern lines are checked in the order listed here.
3514 The first entry which matches is used. If none of the entries
3515 match the default will be used.
3516
3517 Note, you must uncomment all the default lines if you want
3518 to change one. The default setting is only active if none is
3519 used.
3520
41bd17a4 3521NOCOMMENT_START
e0855596
AJ		 3522
3523# Add any of your own refresh_pattern entries above these.
41bd17a4 3524refresh_pattern ^ftp: 1440 20% 10080
3525refresh_pattern ^gopher: 1440 0% 1440
89db45fa 3526refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
41bd17a4 3527refresh_pattern . 0 20% 4320
3528NOCOMMENT_END
3529DOC_END
3530
3531NAME: quick_abort_min
3532COMMENT: (KB)
3533TYPE: kb_int64_t
3534DEFAULT: 16 KB
3535LOC: Config.quickAbort.min
3536DOC_NONE
3537
3538NAME: quick_abort_max
3539COMMENT: (KB)
3540TYPE: kb_int64_t
3541DEFAULT: 16 KB
3542LOC: Config.quickAbort.max
3543DOC_NONE
3544
3545NAME: quick_abort_pct
3546COMMENT: (percent)
3547TYPE: int
3548DEFAULT: 95
3549LOC: Config.quickAbort.pct
3550DOC_START
3551 The cache by default continues downloading aborted requests
3552 which are almost completed (less than 16 KB remaining). This
3553 may be undesirable on slow (e.g. SLIP) links and/or very busy
3554 caches. Impatient users may tie up file descriptors and
3555 bandwidth by repeatedly requesting and immediately aborting
3556 downloads.
3557
3558 When the user aborts a request, Squid will check the
3559 quick_abort values to the amount of data transfered until
3560 then.
3561
3562 If the transfer has less than 'quick_abort_min' KB remaining,
3563 it will finish the retrieval.
3564
3565 If the transfer has more than 'quick_abort_max' KB remaining,
3566 it will abort the retrieval.
3567
3568 If more than 'quick_abort_pct' of the transfer has completed,
3569 it will finish the retrieval.
3570
3571 If you do not want any retrieval to continue after the client
3572 has aborted, set both 'quick_abort_min' and 'quick_abort_max'
3573 to '0 KB'.
3574
3575 If you want retrievals to always continue if they are being
3576 cached set 'quick_abort_min' to '-1 KB'.
3577DOC_END
60d096f4 3578
41bd17a4 3579NAME: read_ahead_gap
3580COMMENT: buffer-size
3581TYPE: b_int64_t
3582LOC: Config.readAheadGap
3583DEFAULT: 16 KB
3584DOC_START
3585 The amount of data the cache will buffer ahead of what has been
3586 sent to the client when retrieving an object from another server.
3587DOC_END
53e738c6 3588
41bd17a4 3589NAME: negative_ttl
ac9cc053 3590IFDEF: HTTP_VIOLATIONS
41bd17a4 3591COMMENT: time-units
3592TYPE: time_t
3593LOC: Config.negativeTtl
ac9cc053 3594DEFAULT: 0 seconds
41bd17a4 3595DOC_START
ac9cc053
AJ		 3596 Set the Default Time-to-Live (TTL) for failed requests.
3597 Certain types of failures (such as "connection refused" and
3598 "404 Not Found") are able to be negatively-cached for a short time.
3599 Modern web servers should provide Expires: header, however if they
3600 do not this can provide a minimum TTL.
3601 The default is not to cache errors with unknown expiry details.
3602
3603 Note that this is different from negative caching of DNS lookups.
39956c7c
AJ		 3604
3605 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3606 this feature could make you liable for problems which it
3607 causes.
41bd17a4 3608DOC_END
53e738c6 3609
41bd17a4 3610NAME: positive_dns_ttl
3611COMMENT: time-units
3612TYPE: time_t
3613LOC: Config.positiveDnsTtl
3614DEFAULT: 6 hours
3615DOC_START
3616 Upper limit on how long Squid will cache positive DNS responses.
3617 Default is 6 hours (360 minutes). This directive must be set
3618 larger than negative_dns_ttl.
3619DOC_END
c4ab8329 3620
41bd17a4 3621NAME: negative_dns_ttl
3622COMMENT: time-units
3623TYPE: time_t
3624LOC: Config.negativeDnsTtl
3625DEFAULT: 1 minutes
3626DOC_START
3627 Time-to-Live (TTL) for negative caching of failed DNS lookups.
3628 This also sets the lower cache limit on positive lookups.
3629 Minimum value is 1 second, and it is not recommendable to go
3630 much below 10 seconds.
3631DOC_END
7df0bfd7 3632
41bd17a4 3633NAME: range_offset_limit
11e3fa1c
AJ		 3634COMMENT: size [acl acl...]
3635TYPE: acl_b_size_t
41bd17a4 3636LOC: Config.rangeOffsetLimit
11e3fa1c 3637DEFAULT: none
41bd17a4 3638DOC_START
11e3fa1c
AJ		 3639 usage: (size) [units] [[!]aclname]
3640
3641 Sets an upper limit on how far (number of bytes) into the file
3642 a Range request may be to cause Squid to prefetch the whole file.
3643 If beyond this limit, Squid forwards the Range request as it is and
3644 the result is NOT cached.
3645
41bd17a4 3646 This is to stop a far ahead range request (lets say start at 17MB)
3647 from making Squid fetch the whole object up to that point before
3648 sending anything to the client.
11e3fa1c
AJ		 3649
3650 Multiple range_offset_limit lines may be specified, and they will
3651 be searched from top to bottom on each request until a match is found.
3652 The first match found will be used. If no line matches a request, the
3653 default limit of 0 bytes will be used.
3654
3655 'size' is the limit specified as a number of units.
3656
3657 'units' specifies whether to use bytes, KB, MB, etc.
3658 If no units are specified bytes are assumed.
3659
3660 A size of 0 causes Squid to never fetch more than the
ab275c7b 3661 client requested. (default)
11e3fa1c
AJ		 3662
3663 A size of 'none' causes Squid to always fetch the object from the
41bd17a4 3664 beginning so it may cache the result. (2.0 style)
11e3fa1c
AJ		 3665
3666 'aclname' is the name of a defined ACL.
3667
3668 NP: Using 'none' as the byte value here will override any quick_abort settings
3669 that may otherwise apply to the range request. The range request will
ab275c7b
AJ		 3670 be fully fetched from start to finish regardless of the client
3671 actions. This affects bandwidth usage.
41bd17a4 3672DOC_END
d95b862f 3673
41bd17a4 3674NAME: minimum_expiry_time
3675COMMENT: (seconds)
3676TYPE: time_t
3677LOC: Config.minimum_expiry_time
3678DEFAULT: 60 seconds
3679DOC_START
3680 The minimum caching time according to (Expires - Date)
3681 Headers Squid honors if the object can't be revalidated
649fa918 3682 defaults to 60 seconds. In reverse proxy environments it
41bd17a4 3683 might be desirable to honor shorter object lifetimes. It
3684 is most likely better to make your server return a
3685 meaningful Last-Modified header however. In ESI environments
3686 where page fragments often have short lifetimes, this will
3687 often be best set to 0.
3688DOC_END
c68e9c6b 3689
41bd17a4 3690NAME: store_avg_object_size
3691COMMENT: (kbytes)
3e62bd58 3692TYPE: kb_int64_t
41bd17a4 3693DEFAULT: 13 KB
3694LOC: Config.Store.avgObjectSize
3695DOC_START
3696 Average object size, used to estimate number of objects your
3697 cache can hold. The default is 13 KB.
cccac0a2 3698DOC_END
3699
41bd17a4 3700NAME: store_objects_per_bucket
3701TYPE: int
3702DEFAULT: 20
3703LOC: Config.Store.objectsPerBucket
3704DOC_START
3705 Target number of objects per bucket in the store hash table.
3706 Lowering this value increases the total number of buckets and
3707 also the storage maintenance rate. The default is 20.
3708DOC_END
3709
3710COMMENT_START
3711 HTTP OPTIONS
3712 -----------------------------------------------------------------------------
3713COMMENT_END
3714
f04b37d8 3715NAME: request_header_max_size
3716COMMENT: (KB)
3717TYPE: b_size_t
df2eec10 3718DEFAULT: 64 KB
f04b37d8 3719LOC: Config.maxRequestHeaderSize
3720DOC_START
3721 This specifies the maximum size for HTTP headers in a request.
3722 Request headers are usually relatively small (about 512 bytes).
3723 Placing a limit on the request header size will catch certain
3724 bugs (for example with persistent connections) and possibly
3725 buffer-overflow or denial-of-service attacks.
3726DOC_END
3727
3728NAME: reply_header_max_size
3729COMMENT: (KB)
3730TYPE: b_size_t
df2eec10 3731DEFAULT: 64 KB
f04b37d8 3732LOC: Config.maxReplyHeaderSize
3733DOC_START
3734 This specifies the maximum size for HTTP headers in a reply.
3735 Reply headers are usually relatively small (about 512 bytes).
3736 Placing a limit on the reply header size will catch certain
3737 bugs (for example with persistent connections) and possibly
3738 buffer-overflow or denial-of-service attacks.
3739DOC_END
3740
3741NAME: request_body_max_size
3742COMMENT: (bytes)
3743TYPE: b_int64_t
3744DEFAULT: 0 KB
3745LOC: Config.maxRequestBodySize
3746DOC_START
3747 This specifies the maximum size for an HTTP request body.
3748 In other words, the maximum size of a PUT/POST request.
3749 A user who attempts to send a request with a body larger
3750 than this limit receives an "Invalid Request" error message.
3751 If you set this parameter to a zero (the default), there will
3752 be no limit imposed.
3753DOC_END
3754
3ff65596
AR		 3755NAME: chunked_request_body_max_size
3756COMMENT: (bytes)
3757TYPE: b_int64_t
3758DEFAULT: 64 KB
3759LOC: Config.maxChunkedRequestBodySize
3760DOC_START
3761 A broken or confused HTTP/1.1 client may send a chunked HTTP
3762 request to Squid. Squid does not have full support for that
3763 feature yet. To cope with such requests, Squid buffers the
3764 entire request and then dechunks request body to create a
3765 plain HTTP/1.0 request with a known content length. The plain
3766 request is then used by the rest of Squid code as usual.
3767
3768 The option value specifies the maximum size of the buffer used
3769 to hold the request before the conversion. If the chunked
3770 request size exceeds the specified limit, the conversion
3771 fails, and the client receives an "unsupported request" error,
3772 as if dechunking was disabled.
3773
3774 Dechunking is enabled by default. To disable conversion of
3775 chunked requests, set the maximum to zero.
3776
3777 Request dechunking feature and this option in particular are a
3778 temporary hack. When chunking requests and responses are fully
3779 supported, there will be no need to buffer a chunked request.
3780DOC_END
3781
41bd17a4 3782NAME: broken_posts
aa49962c 3783IFDEF: HTTP_VIOLATIONS
cccac0a2 3784TYPE: acl_access
cccac0a2 3785DEFAULT: none
41bd17a4 3786LOC: Config.accessList.brokenPosts
cccac0a2 3787DOC_START
41bd17a4 3788 A list of ACL elements which, if matched, causes Squid to send
3789 an extra CRLF pair after the body of a PUT/POST request.
cccac0a2 3790
41bd17a4 3791 Some HTTP servers has broken implementations of PUT/POST,
3792 and rely on an extra CRLF pair sent by some WWW clients.
cccac0a2 3793
41bd17a4 3794 Quote from RFC2616 section 4.1 on this matter:
cccac0a2 3795
41bd17a4 3796 Note: certain buggy HTTP/1.0 client implementations generate an
3797 extra CRLF's after a POST request. To restate what is explicitly
3798 forbidden by the BNF, an HTTP/1.1 client must not preface or follow
3799 a request with an extra CRLF.
cccac0a2 3800
b3567eb5
FC		 3801 This clause only supports fast acl types.
3802 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
3803
41bd17a4 3804Example:
3805 acl buggy_server url_regex ^http://....
3806 broken_posts allow buggy_server
3807DOC_END
cccac0a2 3808
57d76dd4
AJ		 3809NAME: icap_uses_indirect_client
3810COMMENT: on|off
3811TYPE: onoff
0dae2bca 3812IFDEF: FOLLOW_X_FORWARDED_FOR&&ICAP_CLIENT
57d76dd4
AJ		 3813DEFAULT: on
3814LOC: Adaptation::Icap::TheConfig.icap_uses_indirect_client
3815DOC_START
3816 Controls whether the indirect client address
3817 (see follow_x_forwarded_for) instead of the
3818 direct client address is passed to an ICAP
3819 server as "X-Client-IP".
3820DOC_END
3821
41bd17a4 3822NAME: via
3823IFDEF: HTTP_VIOLATIONS
3824COMMENT: on|off
3825TYPE: onoff
3826DEFAULT: on
3827LOC: Config.onoff.via
3828DOC_START
3829 If set (default), Squid will include a Via header in requests and
3830 replies as required by RFC2616.
3831DOC_END
4cc6eb12 3832
41bd17a4 3833NAME: ie_refresh
3834COMMENT: on|off
3835TYPE: onoff
3836LOC: Config.onoff.ie_refresh
3837DEFAULT: off
3838DOC_START
3839 Microsoft Internet Explorer up until version 5.5 Service
3840 Pack 1 has an issue with transparent proxies, wherein it
3841 is impossible to force a refresh. Turning this on provides
3842 a partial fix to the problem, by causing all IMS-REFRESH
3843 requests from older IE versions to check the origin server
3844 for fresh content. This reduces hit ratio by some amount
3845 (~10% in my experience), but allows users to actually get
3846 fresh content when they want it. Note because Squid
3847 cannot tell if the user is using 5.5 or 5.5SP1, the behavior
3848 of 5.5 is unchanged from old versions of Squid (i.e. a
3849 forced refresh is impossible). Newer versions of IE will,
3850 hopefully, continue to have the new behavior and will be
3851 handled based on that assumption. This option defaults to
3852 the old Squid behavior, which is better for hit ratios but
3853 worse for clients using IE, if they need to be able to
3854 force fresh content.
3855DOC_END
b9d7fe3e 3856
41bd17a4 3857NAME: vary_ignore_expire
3858COMMENT: on|off
3859TYPE: onoff
3860LOC: Config.onoff.vary_ignore_expire
3861DEFAULT: off
3862DOC_START
3863 Many HTTP servers supporting Vary gives such objects
3864 immediate expiry time with no cache-control header
3865 when requested by a HTTP/1.0 client. This option
3866 enables Squid to ignore such expiry times until
3867 HTTP/1.1 is fully implemented.
7e73cd78
AJ		 3868
3869 WARNING: If turned on this may eventually cause some
3870 varying objects not intended for caching to get cached.
cccac0a2 3871DOC_END
c4ab8329 3872
41bd17a4 3873NAME: request_entities
3874TYPE: onoff
3875LOC: Config.onoff.request_entities
3876DEFAULT: off
3877DOC_START
3878 Squid defaults to deny GET and HEAD requests with request entities,
3879 as the meaning of such requests are undefined in the HTTP standard
3880 even if not explicitly forbidden.
0976f8db 3881
41bd17a4 3882 Set this directive to on if you have clients which insists
3883 on sending request entities in GET or HEAD requests. But be warned
3884 that there is server software (both proxies and web servers) which
3885 can fail to properly process this kind of request which may make you
3886 vulnerable to cache pollution attacks if enabled.
cccac0a2 3887DOC_END
6b53c392 3888
41bd17a4 3889NAME: request_header_access
3890IFDEF: HTTP_VIOLATIONS
3891TYPE: http_header_access[]
3892LOC: Config.request_header_access
cccac0a2 3893DEFAULT: none
cccac0a2 3894DOC_START
41bd17a4 3895 Usage: request_header_access header_name allow|deny [!]aclname ...
0976f8db 3896
41bd17a4 3897 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3898 this feature could make you liable for problems which it
3899 causes.
0976f8db 3900
41bd17a4 3901 This option replaces the old 'anonymize_headers' and the
3902 older 'http_anonymizer' option with something that is much
3903 more configurable. This new method creates a list of ACLs
3904 for each header, allowing you very fine-tuned header
3905 mangling.
934b03fc 3906
41bd17a4 3907 This option only applies to request headers, i.e., from the
3908 client to the server.
5401aa8d 3909
41bd17a4 3910 You can only specify known headers for the header name.
3911 Other headers are reclassified as 'Other'. You can also
3912 refer to all the headers with 'All'.
5401aa8d 3913
41bd17a4 3914 For example, to achieve the same behavior as the old
3915 'http_anonymizer standard' option, you should use:
5401aa8d 3916
41bd17a4 3917 request_header_access From deny all
3918 request_header_access Referer deny all
3919 request_header_access Server deny all
3920 request_header_access User-Agent deny all
3921 request_header_access WWW-Authenticate deny all
3922 request_header_access Link deny all
5401aa8d 3923
41bd17a4 3924 Or, to reproduce the old 'http_anonymizer paranoid' feature
3925 you should use:
5401aa8d 3926
41bd17a4 3927 request_header_access Allow allow all
3928 request_header_access Authorization allow all
3929 request_header_access WWW-Authenticate allow all
3930 request_header_access Proxy-Authorization allow all
3931 request_header_access Proxy-Authenticate allow all
3932 request_header_access Cache-Control allow all
3933 request_header_access Content-Encoding allow all
3934 request_header_access Content-Length allow all
3935 request_header_access Content-Type allow all
3936 request_header_access Date allow all
3937 request_header_access Expires allow all
3938 request_header_access Host allow all
3939 request_header_access If-Modified-Since allow all
3940 request_header_access Last-Modified allow all
3941 request_header_access Location allow all
3942 request_header_access Pragma allow all
3943 request_header_access Accept allow all
3944 request_header_access Accept-Charset allow all
3945 request_header_access Accept-Encoding allow all
3946 request_header_access Accept-Language allow all
3947 request_header_access Content-Language allow all
3948 request_header_access Mime-Version allow all
3949 request_header_access Retry-After allow all
3950 request_header_access Title allow all
3951 request_header_access Connection allow all
3952 request_header_access Proxy-Connection allow all
3953 request_header_access All deny all
5401aa8d 3954
41bd17a4 3955 although many of those are HTTP reply headers, and so should be
3956 controlled with the reply_header_access directive.
5401aa8d 3957
41bd17a4 3958 By default, all headers are allowed (no anonymizing is
3959 performed).
5401aa8d 3960DOC_END
3961
41bd17a4 3962NAME: reply_header_access
3963IFDEF: HTTP_VIOLATIONS
3964TYPE: http_header_access[]
3965LOC: Config.reply_header_access
cccac0a2 3966DEFAULT: none
3967DOC_START
41bd17a4 3968 Usage: reply_header_access header_name allow|deny [!]aclname ...
934b03fc 3969
41bd17a4 3970 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3971 this feature could make you liable for problems which it
3972 causes.
934b03fc 3973
41bd17a4 3974 This option only applies to reply headers, i.e., from the
3975 server to the client.
934b03fc 3976
41bd17a4 3977 This is the same as request_header_access, but in the other
3978 direction.
6b53c392 3979
41bd17a4 3980 This option replaces the old 'anonymize_headers' and the
3981 older 'http_anonymizer' option with something that is much
3982 more configurable. This new method creates a list of ACLs
3983 for each header, allowing you very fine-tuned header
3984 mangling.
cccac0a2 3985
41bd17a4 3986 You can only specify known headers for the header name.
3987 Other headers are reclassified as 'Other'. You can also
3988 refer to all the headers with 'All'.
cccac0a2 3989
41bd17a4 3990 For example, to achieve the same behavior as the old
3991 'http_anonymizer standard' option, you should use:
cccac0a2 3992
41bd17a4 3993 reply_header_access From deny all
3994 reply_header_access Referer deny all
3995 reply_header_access Server deny all
3996 reply_header_access User-Agent deny all
3997 reply_header_access WWW-Authenticate deny all
3998 reply_header_access Link deny all
cccac0a2 3999
41bd17a4 4000 Or, to reproduce the old 'http_anonymizer paranoid' feature
4001 you should use:
cccac0a2 4002
41bd17a4 4003 reply_header_access Allow allow all
4004 reply_header_access Authorization allow all
4005 reply_header_access WWW-Authenticate allow all
4006 reply_header_access Proxy-Authorization allow all
4007 reply_header_access Proxy-Authenticate allow all
4008 reply_header_access Cache-Control allow all
4009 reply_header_access Content-Encoding allow all
4010 reply_header_access Content-Length allow all
4011 reply_header_access Content-Type allow all
4012 reply_header_access Date allow all
4013 reply_header_access Expires allow all
4014 reply_header_access Host allow all
4015 reply_header_access If-Modified-Since allow all
4016 reply_header_access Last-Modified allow all
4017 reply_header_access Location allow all
4018 reply_header_access Pragma allow all
4019 reply_header_access Accept allow all
4020 reply_header_access Accept-Charset allow all
4021 reply_header_access Accept-Encoding allow all
4022 reply_header_access Accept-Language allow all
4023 reply_header_access Content-Language allow all
4024 reply_header_access Mime-Version allow all
4025 reply_header_access Retry-After allow all
4026 reply_header_access Title allow all
4027 reply_header_access Connection allow all
4028 reply_header_access Proxy-Connection allow all
4029 reply_header_access All deny all
cccac0a2 4030
41bd17a4 4031 although the HTTP request headers won't be usefully controlled
4032 by this directive -- see request_header_access for details.
cccac0a2 4033
41bd17a4 4034 By default, all headers are allowed (no anonymizing is
4035 performed).
cccac0a2 4036DOC_END
4037
41bd17a4 4038NAME: header_replace
4039IFDEF: HTTP_VIOLATIONS
4040TYPE: http_header_replace[]
4041LOC: Config.request_header_access
cccac0a2 4042DEFAULT: none
41bd17a4 4043DOC_START
4044 Usage: header_replace header_name message
4045 Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
cccac0a2 4046
41bd17a4 4047 This option allows you to change the contents of headers
4048 denied with header_access above, by replacing them with
4049 some fixed string. This replaces the old fake_user_agent
4050 option.
cccac0a2 4051
41bd17a4 4052 This only applies to request headers, not reply headers.
cccac0a2 4053
41bd17a4 4054 By default, headers are removed if denied.
4055DOC_END
cccac0a2 4056
41bd17a4 4057NAME: relaxed_header_parser
4058COMMENT: on|off|warn
4059TYPE: tristate
4060LOC: Config.onoff.relaxed_header_parser
4061DEFAULT: on
4062DOC_START
4063 In the default "on" setting Squid accepts certain forms
4064 of non-compliant HTTP messages where it is unambiguous
4065 what the sending application intended even if the message
4066 is not correctly formatted. The messages is then normalized
4067 to the correct form when forwarded by Squid.
cccac0a2 4068
41bd17a4 4069 If set to "warn" then a warning will be emitted in cache.log
4070 each time such HTTP error is encountered.
cccac0a2 4071
41bd17a4 4072 If set to "off" then such HTTP errors will cause the request
4073 or response to be rejected.
4074DOC_END
7d90757b 4075
52b601ff
AJ		 4076NAME: ignore_expect_100
4077COMMENT: on|off
4078IFDEF: HTTP_VIOLATIONS
4079TYPE: onoff
4080LOC: Config.onoff.ignore_expect_100
4081DEFAULT: off
4082DOC_START
4083 This option makes Squid ignore any Expect: 100-continue header present
4084 in the request. RFC 2616 requires that Squid being unable to satisfy
4085 the response expectation MUST return a 417 error.
4086
4087 Note: Enabling this is a HTTP protocol violation, but some clients may
4088 not handle it well..
4089DOC_END
4090
41bd17a4 4091COMMENT_START
4092 TIMEOUTS
4093 -----------------------------------------------------------------------------
4094COMMENT_END
4095
4096NAME: forward_timeout
4097COMMENT: time-units
4098TYPE: time_t
4099LOC: Config.Timeout.forward
4100DEFAULT: 4 minutes
4101DOC_START
4102 This parameter specifies how long Squid should at most attempt in
4103 finding a forwarding path for the request before giving up.
cccac0a2 4104DOC_END
4105
41bd17a4 4106NAME: connect_timeout
4107COMMENT: time-units
4108TYPE: time_t
4109LOC: Config.Timeout.connect
4110DEFAULT: 1 minute
057f5854 4111DOC_START
41bd17a4 4112 This parameter specifies how long to wait for the TCP connect to
4113 the requested server or peer to complete before Squid should
4114 attempt to find another path where to forward the request.
057f5854 4115DOC_END
4116
41bd17a4 4117NAME: peer_connect_timeout
4118COMMENT: time-units
4119TYPE: time_t
4120LOC: Config.Timeout.peer_connect
4121DEFAULT: 30 seconds
cccac0a2 4122DOC_START
41bd17a4 4123 This parameter specifies how long to wait for a pending TCP
4124 connection to a peer cache. The default is 30 seconds. You
4125 may also set different timeout values for individual neighbors
4126 with the 'connect-timeout' option on a 'cache_peer' line.
4127DOC_END
7f7db318 4128
41bd17a4 4129NAME: read_timeout
4130COMMENT: time-units
4131TYPE: time_t
4132LOC: Config.Timeout.read
4133DEFAULT: 15 minutes
4134DOC_START
4135 The read_timeout is applied on server-side connections. After
4136 each successful read(), the timeout will be extended by this
4137 amount. If no data is read again after this amount of time,
4138 the request is aborted and logged with ERR_READ_TIMEOUT. The
4139 default is 15 minutes.
4140DOC_END
cccac0a2 4141
5ef5e5cc
AJ		 4142NAME: write_timeout
4143COMMENT: time-units
4144TYPE: time_t
4145LOC: Config.Timeout.write
4146DEFAULT: 15 minutes
4147DOC_START
4148 This timeout is tracked for all connections that have data
4149 available for writing and are waiting for the socket to become
4150 ready. After each successful write, the timeout is extended by
4151 the configured amount. If Squid has data to write but the
4152 connection is not ready for the configured duration, the
4153 transaction associated with the connection is terminated. The
4154 default is 15 minutes.
4155DOC_END
4156
41bd17a4 4157NAME: request_timeout
4158TYPE: time_t
4159LOC: Config.Timeout.request
4160DEFAULT: 5 minutes
4161DOC_START
4162 How long to wait for an HTTP request after initial
4163 connection establishment.
4164DOC_END
cccac0a2 4165
41bd17a4 4166NAME: persistent_request_timeout
4167TYPE: time_t
4168LOC: Config.Timeout.persistent_request
4169DEFAULT: 2 minutes
4170DOC_START
4171 How long to wait for the next HTTP request on a persistent
4172 connection after the previous request completes.
4173DOC_END
cccac0a2 4174
41bd17a4 4175NAME: client_lifetime
4176COMMENT: time-units
4177TYPE: time_t
4178LOC: Config.Timeout.lifetime
4179DEFAULT: 1 day
4180DOC_START
4181 The maximum amount of time a client (browser) is allowed to
4182 remain connected to the cache process. This protects the Cache
4183 from having a lot of sockets (and hence file descriptors) tied up
4184 in a CLOSE_WAIT state from remote clients that go away without
4185 properly shutting down (either because of a network failure or
4186 because of a poor client implementation). The default is one
4187 day, 1440 minutes.
7d90757b 4188
41bd17a4 4189 NOTE: The default value is intended to be much larger than any
4190 client would ever need to be connected to your cache. You
4191 should probably change client_lifetime only as a last resort.
4192 If you seem to have many client connections tying up
4193 filedescriptors, we recommend first tuning the read_timeout,
4194 request_timeout, persistent_request_timeout and quick_abort values.
cccac0a2 4195DOC_END
4196
41bd17a4 4197NAME: half_closed_clients
4198TYPE: onoff
4199LOC: Config.onoff.half_closed_clients
0c2f5c4f 4200DEFAULT: off
4eb368f9 4201DOC_START
41bd17a4 4202 Some clients may shutdown the sending side of their TCP
4203 connections, while leaving their receiving sides open. Sometimes,
4204 Squid can not tell the difference between a half-closed and a
0c2f5c4f
AJ		 4205 fully-closed TCP connection.
4206
4207 By default, Squid will immediately close client connections when
4208 read(2) returns "no more data to read."
4209
abdf1651 4210 Change this option to 'on' and Squid will keep open connections
0c2f5c4f
AJ		 4211 until a read(2) or write(2) on the socket returns an error.
4212 This may show some benefits for reverse proxies. But if not
4213 it is recommended to leave OFF.
4eb368f9 4214DOC_END
4215
41bd17a4 4216NAME: pconn_timeout
4217TYPE: time_t
4218LOC: Config.Timeout.pconn
4219DEFAULT: 1 minute
cccac0a2 4220DOC_START
41bd17a4 4221 Timeout for idle persistent connections to servers and other
4222 proxies.
4223DOC_END
cccac0a2 4224
41bd17a4 4225NAME: ident_timeout
4226TYPE: time_t
4227IFDEF: USE_IDENT
4daaf3cb 4228LOC: Ident::TheConfig.timeout
41bd17a4 4229DEFAULT: 10 seconds
4230DOC_START
4231 Maximum time to wait for IDENT lookups to complete.
cccac0a2 4232
41bd17a4 4233 If this is too high, and you enabled IDENT lookups from untrusted
4234 users, you might be susceptible to denial-of-service by having
4235 many ident requests going at once.
cccac0a2 4236DOC_END
4237
41bd17a4 4238NAME: shutdown_lifetime
4239COMMENT: time-units
4240TYPE: time_t
4241LOC: Config.shutdownLifetime
4242DEFAULT: 30 seconds
cccac0a2 4243DOC_START
41bd17a4 4244 When SIGTERM or SIGHUP is received, the cache is put into
4245 "shutdown pending" mode until all active sockets are closed.
4246 This value is the lifetime to set for all open descriptors
4247 during shutdown mode. Any active clients after this many
4248 seconds will receive a 'timeout' message.
cccac0a2 4249DOC_END
0976f8db 4250
cccac0a2 4251COMMENT_START
4252 ADMINISTRATIVE PARAMETERS
4253 -----------------------------------------------------------------------------
4254COMMENT_END
4255
4256NAME: cache_mgr
4257TYPE: string
4258DEFAULT: webmaster
4259LOC: Config.adminEmail
4260DOC_START
4261 Email-address of local cache manager who will receive
4262 mail if the cache dies. The default is "webmaster."
4263DOC_END
4264
abacf776 4265NAME: mail_from
4266TYPE: string
4267DEFAULT: none
4268LOC: Config.EmailFrom
4269DOC_START
4270 From: email-address for mail sent when the cache dies.
4271 The default is to use 'appname@unique_hostname'.
b8c0c06d 4272 Default appname value is "squid", can be changed into
abacf776 4273 src/globals.h before building squid.
4274DOC_END
4275
d084bf20 4276NAME: mail_program
4277TYPE: eol
4278DEFAULT: mail
4279LOC: Config.EmailProgram
4280DOC_START
4281 Email program used to send mail if the cache dies.
846a5e31 4282 The default is "mail". The specified program must comply
d084bf20 4283 with the standard Unix mail syntax:
846a5e31 4284 mail-program recipient < mailfile
4285
d084bf20 4286 Optional command line options can be specified.
4287DOC_END
4288
cccac0a2 4289NAME: cache_effective_user
4290TYPE: string
5483d916 4291DEFAULT: @DEFAULT_CACHE_EFFECTIVE_USER@
cccac0a2 4292LOC: Config.effectiveUser
e3d74828 4293DOC_START
4294 If you start Squid as root, it will change its effective/real
4295 UID/GID to the user specified below. The default is to change
5483d916 4296 to UID of @DEFAULT_CACHE_EFFECTIVE_USER@.
64e288bd 4297 see also; cache_effective_group
e3d74828 4298DOC_END
4299
cccac0a2 4300NAME: cache_effective_group
4301TYPE: string
4302DEFAULT: none
4303LOC: Config.effectiveGroup
4304DOC_START
64e288bd 4305 Squid sets the GID to the effective user's default group ID
4306 (taken from the password file) and supplementary group list
4307 from the groups membership.
4308
e3d74828 4309 If you want Squid to run with a specific GID regardless of
4310 the group memberships of the effective user then set this
4311 to the group (or GID) you want Squid to run as. When set
64e288bd 4312 all other group privileges of the effective user are ignored
e3d74828 4313 and only this GID is effective. If Squid is not started as
64e288bd 4314 root the user starting Squid MUST be member of the specified
e3d74828 4315 group.
64e288bd 4316
4317 This option is not recommended by the Squid Team.
4318 Our preference is for administrators to configure a secure
4319 user account for squid with UID/GID matching system policies.
cccac0a2 4320DOC_END
4321
d3caee79 4322NAME: httpd_suppress_version_string
4323COMMENT: on|off
4324TYPE: onoff
4325DEFAULT: off
4326LOC: Config.onoff.httpd_suppress_version_string
4327DOC_START
4328 Suppress Squid version string info in HTTP headers and HTML error pages.
4329DOC_END
4330
cccac0a2 4331NAME: visible_hostname
4332TYPE: string
4333LOC: Config.visibleHostname
4334DEFAULT: none
4335DOC_START
4336 If you want to present a special hostname in error messages, etc,
7f7db318 4337 define this. Otherwise, the return value of gethostname()
cccac0a2 4338 will be used. If you have multiple caches in a cluster and
4339 get errors about IP-forwarding you must set them to have individual
4340 names with this setting.
4341DOC_END
4342
cccac0a2 4343NAME: unique_hostname
4344TYPE: string
4345LOC: Config.uniqueHostname
4346DEFAULT: none
4347DOC_START
4348 If you want to have multiple machines with the same
7f7db318 4349 'visible_hostname' you must give each machine a different
4350 'unique_hostname' so forwarding loops can be detected.
cccac0a2 4351DOC_END
4352
cccac0a2 4353NAME: hostname_aliases
4354TYPE: wordlist
4355LOC: Config.hostnameAliases
4356DEFAULT: none
4357DOC_START
7f7db318 4358 A list of other DNS names your cache has.
cccac0a2 4359DOC_END
0976f8db 4360
c642c141
AJ		 4361NAME: umask
4362TYPE: int
4363LOC: Config.umask
4364DEFAULT: 027
4365DOC_START
4366 Minimum umask which should be enforced while the proxy
4367 is running, in addition to the umask set at startup.
4368
4369 For a traditional octal representation of umasks, start
4370 your value with 0.
4371DOC_END
4372
cccac0a2 4373COMMENT_START
4374 OPTIONS FOR THE CACHE REGISTRATION SERVICE
4375 -----------------------------------------------------------------------------
4376
4377 This section contains parameters for the (optional) cache
4378 announcement service. This service is provided to help
4379 cache administrators locate one another in order to join or
4380 create cache hierarchies.
4381
4382 An 'announcement' message is sent (via UDP) to the registration
4383 service by Squid. By default, the announcement message is NOT
4384 SENT unless you enable it with 'announce_period' below.
4385
4386 The announcement message includes your hostname, plus the
4387 following information from this configuration file:
4388
4389 http_port
4390 icp_port
4391 cache_mgr
4392
4393 All current information is processed regularly and made
4394 available on the Web at http://www.ircache.net/Cache/Tracker/.
4395COMMENT_END
4396
4397NAME: announce_period
4398TYPE: time_t
4399LOC: Config.Announce.period
4400DEFAULT: 0
4401DOC_START
4402 This is how frequently to send cache announcements. The
4403 default is `0' which disables sending the announcement
4404 messages.
4405
e0855596 4406 To enable announcing your cache, just set an announce period.
cccac0a2 4407
e0855596
AJ		 4408 Example:
4409 announce_period 1 day
cccac0a2 4410DOC_END
4411
cccac0a2 4412NAME: announce_host
4413TYPE: string
4414DEFAULT: tracker.ircache.net
4415LOC: Config.Announce.host
4416DOC_NONE
4417
4418NAME: announce_file
4419TYPE: string
4420DEFAULT: none
4421LOC: Config.Announce.file
4422DOC_NONE
4423
4424NAME: announce_port
4425TYPE: ushort
4426DEFAULT: 3131
4427LOC: Config.Announce.port
4428DOC_START
4429 announce_host and announce_port set the hostname and port
4430 number where the registration message will be sent.
4431
4432 Hostname will default to 'tracker.ircache.net' and port will
4433 default default to 3131. If the 'filename' argument is given,
4434 the contents of that file will be included in the announce
4435 message.
4436DOC_END
4437
8d6275c0 4438COMMENT_START
4439 HTTPD-ACCELERATOR OPTIONS
4440 -----------------------------------------------------------------------------
4441COMMENT_END
4442
cccac0a2 4443NAME: httpd_accel_surrogate_id
cccac0a2 4444TYPE: string
b2b40d8c 4445DEFAULT: none
cccac0a2 4446LOC: Config.Accel.surrogate_id
cccac0a2 4447DOC_START
4448 Surrogates (http://www.esi.org/architecture_spec_1.0.html)
4449 need an identification token to allow control targeting. Because
4450 a farm of surrogates may all perform the same tasks, they may share
4451 an identification token.
b2b40d8c
AJ		 4452
4453 The default ID is the visible_hostname
cccac0a2 4454DOC_END
4455
4456NAME: http_accel_surrogate_remote
cccac0a2 4457COMMENT: on|off
4458TYPE: onoff
4459DEFAULT: off
4460LOC: Config.onoff.surrogate_is_remote
4461DOC_START
4462 Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
4463 Set this to on to have squid behave as a remote surrogate.
4464DOC_END
4465
4466NAME: esi_parser
f41735ea 4467IFDEF: USE_SQUID_ESI
964b44c3 4468COMMENT: libxml2|expat|custom
cccac0a2 4469TYPE: string
4470LOC: ESIParser::Type
4471DEFAULT: custom
4472DOC_START
4473 ESI markup is not strictly XML compatible. The custom ESI parser
4474 will give higher performance, but cannot handle non ASCII character
4475 encodings.
4476DOC_END
0976f8db 4477
9edd9041 4478COMMENT_START
8d6275c0 4479 DELAY POOL PARAMETERS
9edd9041 4480 -----------------------------------------------------------------------------
4481COMMENT_END
4482
4483NAME: delay_pools
4484TYPE: delay_pool_count
4485DEFAULT: 0
4486IFDEF: DELAY_POOLS
4487LOC: Config.Delay
4488DOC_START
4489 This represents the number of delay pools to be used. For example,
4490 if you have one class 2 delay pool and one class 3 delays pool, you
4491 have a total of 2 delay pools.
4492DOC_END
4493
4494NAME: delay_class
4495TYPE: delay_pool_class
4496DEFAULT: none
4497IFDEF: DELAY_POOLS
4498LOC: Config.Delay
4499DOC_START
4500 This defines the class of each delay pool. There must be exactly one
4501 delay_class line for each delay pool. For example, to define two
4502 delay pools, one of class 2 and one of class 3, the settings above
4503 and here would be:
4504
b1fb3348
AJ		 4505 Example:
4506 delay_pools 4 # 4 delay pools
4507 delay_class 1 2 # pool 1 is a class 2 pool
4508 delay_class 2 3 # pool 2 is a class 3 pool
4509 delay_class 3 4 # pool 3 is a class 4 pool
4510 delay_class 4 5 # pool 4 is a class 5 pool
9edd9041 4511
4512 The delay pool classes are:
4513
4514 class 1 Everything is limited by a single aggregate
4515 bucket.
4516
4517 class 2 Everything is limited by a single aggregate
4518 bucket as well as an "individual" bucket chosen
b1fb3348 4519 from bits 25 through 32 of the IPv4 address.
9edd9041 4520
4521 class 3 Everything is limited by a single aggregate
4522 bucket as well as a "network" bucket chosen
4523 from bits 17 through 24 of the IP address and a
4524 "individual" bucket chosen from bits 17 through
b1fb3348 4525 32 of the IPv4 address.
9edd9041 4526
4527 class 4 Everything in a class 3 delay pool, with an
4528 additional limit on a per user basis. This
4529 only takes effect if the username is established
4530 in advance - by forcing authentication in your
4531 http_access rules.
4532
4533 class 5 Requests are grouped according their tag (see
4534 external_acl's tag= reply).
4535
4536 NOTE: If an IP address is a.b.c.d
4537 -> bits 25 through 32 are "d"
4538 -> bits 17 through 24 are "c"
4539 -> bits 17 through 32 are "c * 256 + d"
b1fb3348
AJ		 4540
4541 NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
4542 IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
9edd9041 4543DOC_END
4544
4545NAME: delay_access
4546TYPE: delay_pool_access
4547DEFAULT: none
4548IFDEF: DELAY_POOLS
4549LOC: Config.Delay
4550DOC_START
4551 This is used to determine which delay pool a request falls into.
4552
4553 delay_access is sorted per pool and the matching starts with pool 1,
4554 then pool 2, ..., and finally pool N. The first delay pool where the
4555 request is allowed is selected for the request. If it does not allow
4556 the request to any pool then the request is not delayed (default).
4557
4558 For example, if you want some_big_clients in delay
4559 pool 1 and lotsa_little_clients in delay pool 2:
4560
4561Example:
4562 delay_access 1 allow some_big_clients
4563 delay_access 1 deny all
4564 delay_access 2 allow lotsa_little_clients
4565 delay_access 2 deny all
4566 delay_access 3 allow authenticated_clients
4567DOC_END
4568
4569NAME: delay_parameters
4570TYPE: delay_pool_rates
4571DEFAULT: none
4572IFDEF: DELAY_POOLS
4573LOC: Config.Delay
4574DOC_START
4575 This defines the parameters for a delay pool. Each delay pool has
4576 a number of "buckets" associated with it, as explained in the
4577 description of delay_class. For a class 1 delay pool, the syntax is:
4578
4579delay_parameters pool aggregate
4580
4581 For a class 2 delay pool:
4582
4583delay_parameters pool aggregate individual
4584
4585 For a class 3 delay pool:
4586
4587delay_parameters pool aggregate network individual
4588
4589 For a class 4 delay pool:
4590
4591delay_parameters pool aggregate network individual user
4592
4593 For a class 5 delay pool:
4594
4595delay_parameters pool tag
4596
4597 The variables here are:
4598
4599 pool a pool number - ie, a number between 1 and the
4600 number specified in delay_pools as used in
4601 delay_class lines.
4602
4603 aggregate the "delay parameters" for the aggregate bucket
4604 (class 1, 2, 3).
4605
4606 individual the "delay parameters" for the individual
4607 buckets (class 2, 3).
4608
4609 network the "delay parameters" for the network buckets
4610 (class 3).
4611
4612 user the delay parameters for the user buckets
4613 (class 4).
4614
4615 tag the delay parameters for the tag buckets
4616 (class 5).
4617
4618 A pair of delay parameters is written restore/maximum, where restore is
4619 the number of bytes (not bits - modem and network speeds are usually
4620 quoted in bits) per second placed into the bucket, and maximum is the
4621 maximum number of bytes which can be in the bucket at any time.
4622
4623 For example, if delay pool number 1 is a class 2 delay pool as in the
4624 above example, and is being used to strictly limit each host to 64kbps
4625 (plus overheads), with no overall limit, the line is:
4626
4627delay_parameters 1 -1/-1 8000/8000
4628
4629 Note that the figure -1 is used to represent "unlimited".
4630
4631 And, if delay pool number 2 is a class 3 delay pool as in the above
4632 example, and you want to limit it to a total of 256kbps (strict limit)
4633 with each 8-bit network permitted 64kbps (strict limit) and each
4634 individual host permitted 4800bps with a bucket maximum size of 64kb
4635 to permit a decent web page to be downloaded at a decent speed
4636 (if the network is not being limited due to overuse) but slow down
4637 large downloads more significantly:
4638
4639delay_parameters 2 32000/32000 8000/8000 600/8000
4640
4641 There must be one delay_parameters line for each delay pool.
4642
4643 Finally, for a class 4 delay pool as in the example - each user will
4644 be limited to 128Kb no matter how many workstations they are logged into.:
4645
4646delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
4647DOC_END
4648
4649NAME: delay_initial_bucket_level
4650COMMENT: (percent, 0-100)
4651TYPE: ushort
4652DEFAULT: 50
4653IFDEF: DELAY_POOLS
4654LOC: Config.Delay.initial
4655DOC_START
4656 The initial bucket percentage is used to determine how much is put
4657 in each bucket when squid starts, is reconfigured, or first notices
4658 a host accessing it (in class 2 and class 3, individual hosts and
4659 networks only have buckets associated with them once they have been
4660 "seen" by squid).
4661DOC_END
4662
cccac0a2 4663COMMENT_START
8d6275c0 4664 WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
cccac0a2 4665 -----------------------------------------------------------------------------
4666COMMENT_END
4667
8d6275c0 4668NAME: wccp_router
4669TYPE: address
4670LOC: Config.Wccp.router
0eb08770 4671DEFAULT: any_addr
8d6275c0 4672IFDEF: USE_WCCP
e313ab0a
AJ		 4673DOC_START
4674 Use this option to define your WCCP ``home'' router for
4675 Squid.
4676
4677 wccp_router supports a single WCCP(v1) router
4678
4679 wccp2_router supports multiple WCCPv2 routers
4680
4681 only one of the two may be used at the same time and defines
4682 which version of WCCP to use.
4683DOC_END
df2eec10 4684
8d6275c0 4685NAME: wccp2_router
9fb4efad 4686TYPE: IpAddress_list
8d6275c0 4687LOC: Config.Wccp2.router
cccac0a2 4688DEFAULT: none
8d6275c0 4689IFDEF: USE_WCCPv2
cccac0a2 4690DOC_START
8d6275c0 4691 Use this option to define your WCCP ``home'' router for
4692 Squid.
cccac0a2 4693
8d6275c0 4694 wccp_router supports a single WCCP(v1) router
cccac0a2 4695
8d6275c0 4696 wccp2_router supports multiple WCCPv2 routers
cccac0a2 4697
8d6275c0 4698 only one of the two may be used at the same time and defines
4699 which version of WCCP to use.
4700DOC_END
4701
4702NAME: wccp_version
cccac0a2 4703TYPE: int
8d6275c0 4704LOC: Config.Wccp.version
4705DEFAULT: 4
4706IFDEF: USE_WCCP
cccac0a2 4707DOC_START
8d6275c0 4708 This directive is only relevant if you need to set up WCCP(v1)
4709 to some very old and end-of-life Cisco routers. In all other
4710 setups it must be left unset or at the default setting.
4711 It defines an internal version in the WCCP(v1) protocol,
4712 with version 4 being the officially documented protocol.
cccac0a2 4713
8d6275c0 4714 According to some users, Cisco IOS 11.2 and earlier only
4715 support WCCP version 3. If you're using that or an earlier
4716 version of IOS, you may need to change this value to 3, otherwise
4717 do not specify this parameter.
cccac0a2 4718DOC_END
4719
8d6275c0 4720NAME: wccp2_rebuild_wait
4721TYPE: onoff
4722LOC: Config.Wccp2.rebuildwait
4723DEFAULT: on
4724IFDEF: USE_WCCPv2
4725DOC_START
4726 If this is enabled Squid will wait for the cache dir rebuild to finish
4727 before sending the first wccp2 HereIAm packet
4728DOC_END
cccac0a2 4729
8d6275c0 4730NAME: wccp2_forwarding_method
e313ab0a 4731TYPE: wccp2_method
8d6275c0 4732LOC: Config.Wccp2.forwarding_method
451c4786 4733DEFAULT: gre
8d6275c0 4734IFDEF: USE_WCCPv2
cccac0a2 4735DOC_START
699acd19 4736 WCCP2 allows the setting of forwarding methods between the
8d6275c0 4737 router/switch and the cache. Valid values are as follows:
cccac0a2 4738
451c4786
AJ		 4739 gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4740 l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
cccac0a2 4741
8d6275c0 4742 Currently (as of IOS 12.4) cisco routers only support GRE.
4743 Cisco switches only support the L2 redirect assignment method.
cccac0a2 4744DOC_END
4745
8d6275c0 4746NAME: wccp2_return_method
e313ab0a 4747TYPE: wccp2_method
8d6275c0 4748LOC: Config.Wccp2.return_method
451c4786 4749DEFAULT: gre
8d6275c0 4750IFDEF: USE_WCCPv2
cccac0a2 4751DOC_START
699acd19 4752 WCCP2 allows the setting of return methods between the
8d6275c0 4753 router/switch and the cache for packets that the cache
4754 decides not to handle. Valid values are as follows:
cccac0a2 4755
451c4786
AJ		 4756 gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4757 l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
cccac0a2 4758
8d6275c0 4759 Currently (as of IOS 12.4) cisco routers only support GRE.
4760 Cisco switches only support the L2 redirect assignment.
cccac0a2 4761
699acd19 4762 If the "ip wccp redirect exclude in" command has been
8d6275c0 4763 enabled on the cache interface, then it is still safe for
4764 the proxy server to use a l2 redirect method even if this
4765 option is set to GRE.
cccac0a2 4766DOC_END
4767
8d6275c0 4768NAME: wccp2_assignment_method
451c4786 4769TYPE: wccp2_amethod
8d6275c0 4770LOC: Config.Wccp2.assignment_method
451c4786 4771DEFAULT: hash
8d6275c0 4772IFDEF: USE_WCCPv2
cccac0a2 4773DOC_START
8d6275c0 4774 WCCP2 allows the setting of methods to assign the WCCP hash
4775 Valid values are as follows:
cccac0a2 4776
451c4786
AJ		 4777 hash - Hash assignment
4778 mask - Mask assignment
cccac0a2 4779
8d6275c0 4780 As a general rule, cisco routers support the hash assignment method
4781 and cisco switches support the mask assignment method.
4782DOC_END
cccac0a2 4783
8d6275c0 4784NAME: wccp2_service
4785TYPE: wccp2_service
4786LOC: Config.Wccp2.info
4787DEFAULT: none
4788DEFAULT_IF_NONE: standard 0
4789IFDEF: USE_WCCPv2
4790DOC_START
4791 WCCP2 allows for multiple traffic services. There are two
4792 types: "standard" and "dynamic". The standard type defines
4793 one service id - http (id 0). The dynamic service ids can be from
4794 51 to 255 inclusive. In order to use a dynamic service id
4795 one must define the type of traffic to be redirected; this is done
4796 using the wccp2_service_info option.
4797
4798 The "standard" type does not require a wccp2_service_info option,
4799 just specifying the service id will suffice.
4800
4801 MD5 service authentication can be enabled by adding
4802 "password=<password>" to the end of this service declaration.
4803
4804 Examples:
4805
4806 wccp2_service standard 0 # for the 'web-cache' standard service
4807 wccp2_service dynamic 80 # a dynamic service type which will be
4808 # fleshed out with subsequent options.
4809 wccp2_service standard 0 password=foo
8d6275c0 4810DOC_END
4811
4812NAME: wccp2_service_info
4813TYPE: wccp2_service_info
4814LOC: Config.Wccp2.info
4815DEFAULT: none
4816IFDEF: USE_WCCPv2
4817DOC_START
4818 Dynamic WCCPv2 services require further information to define the
4819 traffic you wish to have diverted.
4820
4821 The format is:
4822
4823 wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
4824 priority=<priority> ports=<port>,<port>..
4825
4826 The relevant WCCPv2 flags:
4827 + src_ip_hash, dst_ip_hash
005fe566 4828 + source_port_hash, dst_port_hash
8d6275c0 4829 + src_ip_alt_hash, dst_ip_alt_hash
4830 + src_port_alt_hash, dst_port_alt_hash
4831 + ports_source
4832
4833 The port list can be one to eight entries.
4834
4835 Example:
4836
4837 wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
4838 priority=240 ports=80
4839
4840 Note: the service id must have been defined by a previous
4841 'wccp2_service dynamic <id>' entry.
4842DOC_END
4843
4844NAME: wccp2_weight
4845TYPE: int
4846LOC: Config.Wccp2.weight
4847DEFAULT: 10000
4848IFDEF: USE_WCCPv2
4849DOC_START
4850 Each cache server gets assigned a set of the destination
4851 hash proportional to their weight.
4852DOC_END
4853
4854NAME: wccp_address
4855TYPE: address
4856LOC: Config.Wccp.address
4857DEFAULT: 0.0.0.0
4858IFDEF: USE_WCCP
4859DOC_NONE
df2eec10 4860
8d6275c0 4861NAME: wccp2_address
4862TYPE: address
4863LOC: Config.Wccp2.address
4864DEFAULT: 0.0.0.0
4865IFDEF: USE_WCCPv2
4866DOC_START
4867 Use this option if you require WCCP to use a specific
4868 interface address.
4869
4870 The default behavior is to not bind to any specific address.
4871DOC_END
4872
4873COMMENT_START
4874 PERSISTENT CONNECTION HANDLING
4875 -----------------------------------------------------------------------------
4876
4877 Also see "pconn_timeout" in the TIMEOUTS section
4878COMMENT_END
4879
4880NAME: client_persistent_connections
4881TYPE: onoff
4882LOC: Config.onoff.client_pconns
4883DEFAULT: on
4884DOC_NONE
4885
4886NAME: server_persistent_connections
4887TYPE: onoff
4888LOC: Config.onoff.server_pconns
4889DEFAULT: on
4890DOC_START
4891 Persistent connection support for clients and servers. By
4892 default, Squid uses persistent connections (when allowed)
4893 with its clients and servers. You can use these options to
4894 disable persistent connections with clients and/or servers.
4895DOC_END
4896
4897NAME: persistent_connection_after_error
4898TYPE: onoff
4899LOC: Config.onoff.error_pconns
4900DEFAULT: off
4901DOC_START
4902 With this directive the use of persistent connections after
4903 HTTP errors can be disabled. Useful if you have clients
4904 who fail to handle errors on persistent connections proper.
4905DOC_END
4906
4907NAME: detect_broken_pconn
4908TYPE: onoff
4909LOC: Config.onoff.detect_broken_server_pconns
4910DEFAULT: off
4911DOC_START
4912 Some servers have been found to incorrectly signal the use
4913 of HTTP/1.0 persistent connections even on replies not
4914 compatible, causing significant delays. This server problem
4915 has mostly been seen on redirects.
4916
4917 By enabling this directive Squid attempts to detect such
4918 broken replies and automatically assume the reply is finished
4919 after 10 seconds timeout.
4920DOC_END
4921
4922COMMENT_START
4923 CACHE DIGEST OPTIONS
4924 -----------------------------------------------------------------------------
4925COMMENT_END
4926
4927NAME: digest_generation
4928IFDEF: USE_CACHE_DIGESTS
4929TYPE: onoff
4930LOC: Config.onoff.digest_generation
4931DEFAULT: on
4932DOC_START
4933 This controls whether the server will generate a Cache Digest
4934 of its contents. By default, Cache Digest generation is
13e917b5 4935 enabled if Squid is compiled with --enable-cache-digests defined.
8d6275c0 4936DOC_END
4937
4938NAME: digest_bits_per_entry
4939IFDEF: USE_CACHE_DIGESTS
4940TYPE: int
4941LOC: Config.digest.bits_per_entry
4942DEFAULT: 5
4943DOC_START
4944 This is the number of bits of the server's Cache Digest which
4945 will be associated with the Digest entry for a given HTTP
4946 Method and URL (public key) combination. The default is 5.
4947DOC_END
4948
4949NAME: digest_rebuild_period
4950IFDEF: USE_CACHE_DIGESTS
4951COMMENT: (seconds)
4952TYPE: time_t
4953LOC: Config.digest.rebuild_period
4954DEFAULT: 1 hour
4955DOC_START
749ceff8 4956 This is the wait time between Cache Digest rebuilds.
8d6275c0 4957DOC_END
4958
4959NAME: digest_rewrite_period
4960COMMENT: (seconds)
4961IFDEF: USE_CACHE_DIGESTS
4962TYPE: time_t
4963LOC: Config.digest.rewrite_period
4964DEFAULT: 1 hour
4965DOC_START
749ceff8 4966 This is the wait time between Cache Digest writes to
8d6275c0 4967 disk.
4968DOC_END
4969
4970NAME: digest_swapout_chunk_size
4971COMMENT: (bytes)
4972TYPE: b_size_t
4973IFDEF: USE_CACHE_DIGESTS
4974LOC: Config.digest.swapout_chunk_size
4975DEFAULT: 4096 bytes
4976DOC_START
4977 This is the number of bytes of the Cache Digest to write to
4978 disk at a time. It defaults to 4096 bytes (4KB), the Squid
4979 default swap page.
4980DOC_END
4981
4982NAME: digest_rebuild_chunk_percentage
4983COMMENT: (percent, 0-100)
4984IFDEF: USE_CACHE_DIGESTS
4985TYPE: int
4986LOC: Config.digest.rebuild_chunk_percentage
4987DEFAULT: 10
4988DOC_START
4989 This is the percentage of the Cache Digest to be scanned at a
4990 time. By default it is set to 10% of the Cache Digest.
4991DOC_END
4992
1db9eacd 4993COMMENT_START
5473c134 4994 SNMP OPTIONS
1db9eacd 4995 -----------------------------------------------------------------------------
4996COMMENT_END
4997
5473c134 4998NAME: snmp_port
4999TYPE: ushort
5000LOC: Config.Port.snmp
87630341 5001DEFAULT: 0
5473c134 5002IFDEF: SQUID_SNMP
8d6275c0 5003DOC_START
87630341 5004 The port number where Squid listens for SNMP requests. To enable
5005 SNMP support set this to a suitable port number. Port number
5006 3401 is often used for the Squid SNMP agent. By default it's
5007 set to "0" (disabled)
e0855596
AJ		 5008
5009 Example:
5010 snmp_port 3401
8d6275c0 5011DOC_END
5012
5473c134 5013NAME: snmp_access
5014TYPE: acl_access
5015LOC: Config.accessList.snmp
8d6275c0 5016DEFAULT: none
5473c134 5017DEFAULT_IF_NONE: deny all
5018IFDEF: SQUID_SNMP
8d6275c0 5019DOC_START
5473c134 5020 Allowing or denying access to the SNMP port.
8d6275c0 5021
5473c134 5022 All access to the agent is denied by default.
5023 usage:
8d6275c0 5024
5473c134 5025 snmp_access allow|deny [!]aclname ...
8d6275c0 5026
b3567eb5
FC		 5027 This clause only supports fast acl types.
5028 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
5473c134 5029Example:
5030 snmp_access allow snmppublic localhost
5031 snmp_access deny all
cccac0a2 5032DOC_END
5033
5473c134 5034NAME: snmp_incoming_address
5035TYPE: address
5036LOC: Config.Addrs.snmp_incoming
0eb08770 5037DEFAULT: any_addr
5473c134 5038IFDEF: SQUID_SNMP
5039DOC_NONE
df2eec10 5040
5473c134 5041NAME: snmp_outgoing_address
5042TYPE: address
5043LOC: Config.Addrs.snmp_outgoing
0eb08770 5044DEFAULT: no_addr
5473c134 5045IFDEF: SQUID_SNMP
cccac0a2 5046DOC_START
df2eec10 5047 Just like 'udp_incoming_address', but for the SNMP port.
cccac0a2 5048
5473c134 5049 snmp_incoming_address is used for the SNMP socket receiving
5050 messages from SNMP agents.
5051 snmp_outgoing_address is used for SNMP packets returned to SNMP
5052 agents.
cccac0a2 5053
0eb08770 5054 The default snmp_incoming_address is to listen on all
5473c134 5055 available network interfaces.
cccac0a2 5056
0eb08770
HN		 5057 If snmp_outgoing_address is not set it will use the same socket
5058 as snmp_incoming_address. Only change this if you want to have
5059 SNMP replies sent using another address than where this Squid
5060 listens for SNMP queries.
cccac0a2 5061
5473c134 5062 NOTE, snmp_incoming_address and snmp_outgoing_address can not have
5063 the same value since they both use port 3401.
cccac0a2 5064DOC_END
5065
5473c134 5066COMMENT_START
5067 ICP OPTIONS
5068 -----------------------------------------------------------------------------
5069COMMENT_END
5070
5071NAME: icp_port udp_port
5072TYPE: ushort
5073DEFAULT: 0
5074LOC: Config.Port.icp
cccac0a2 5075DOC_START
5473c134 5076 The port number where Squid sends and receives ICP queries to
5077 and from neighbor caches. The standard UDP port for ICP is 3130.
5078 Default is disabled (0).
e0855596
AJ		 5079
5080 Example:
5081 icp_port @DEFAULT_ICP_PORT@
cccac0a2 5082DOC_END
5083
5473c134 5084NAME: htcp_port
5085IFDEF: USE_HTCP
5086TYPE: ushort
87630341 5087DEFAULT: 0
5473c134 5088LOC: Config.Port.htcp
cccac0a2 5089DOC_START
5473c134 5090 The port number where Squid sends and receives HTCP queries to
87630341 5091 and from neighbor caches. To turn it on you want to set it to
5092 4827. By default it is set to "0" (disabled).
e0855596
AJ		 5093
5094 Example:
5095 htcp_port 4827
cccac0a2 5096DOC_END
5097
5098NAME: log_icp_queries
5099COMMENT: on|off
5100TYPE: onoff
5101DEFAULT: on
5102LOC: Config.onoff.log_udp
5103DOC_START
5104 If set, ICP queries are logged to access.log. You may wish
5105 do disable this if your ICP load is VERY high to speed things
5106 up or to simplify log analysis.
5107DOC_END
5108
5473c134 5109NAME: udp_incoming_address
5110TYPE: address
5111LOC:Config.Addrs.udp_incoming
0eb08770 5112DEFAULT: any_addr
8524d4b2 5113DOC_START
5114 udp_incoming_address is used for UDP packets received from other
5115 caches.
5116
5117 The default behavior is to not bind to any specific address.
5118
5119 Only change this if you want to have all UDP queries received on
5120 a specific interface/address.
5121
5122 NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
5123 modules. Altering it will affect all of them in the same manner.
5124
5125 see also; udp_outgoing_address
5126
5127 NOTE, udp_incoming_address and udp_outgoing_address can not
5128 have the same value since they both use the same port.
5129DOC_END
cccac0a2 5130
5473c134 5131NAME: udp_outgoing_address
5132TYPE: address
5133LOC: Config.Addrs.udp_outgoing
0eb08770 5134DEFAULT: no_addr
cccac0a2 5135DOC_START
8524d4b2 5136 udp_outgoing_address is used for UDP packets sent out to other
5473c134 5137 caches.
cccac0a2 5138
5473c134 5139 The default behavior is to not bind to any specific address.
cccac0a2 5140
8524d4b2 5141 Instead it will use the same socket as udp_incoming_address.
5142 Only change this if you want to have UDP queries sent using another
5143 address than where this Squid listens for UDP queries from other
5473c134 5144 caches.
5145
8524d4b2 5146 NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
5147 modules. Altering it will affect all of them in the same manner.
5148
5149 see also; udp_incoming_address
5150
5473c134 5151 NOTE, udp_incoming_address and udp_outgoing_address can not
8524d4b2 5152 have the same value since they both use the same port.
cccac0a2 5153DOC_END
5154
3d1e3e43 5155NAME: icp_hit_stale
5156COMMENT: on|off
5157TYPE: onoff
5158DEFAULT: off
5159LOC: Config.onoff.icp_hit_stale
5160DOC_START
5161 If you want to return ICP_HIT for stale cache objects, set this
5162 option to 'on'. If you have sibling relationships with caches
5163 in other administrative domains, this should be 'off'. If you only
5164 have sibling relationships with caches under your control,
5165 it is probably okay to set this to 'on'.
5166 If set to 'on', your siblings should use the option "allow-miss"
5167 on their cache_peer lines for connecting to you.
5168DOC_END
5169
5473c134 5170NAME: minimum_direct_hops
cccac0a2 5171TYPE: int
5473c134 5172DEFAULT: 4
5173LOC: Config.minDirectHops
cccac0a2 5174DOC_START
5473c134 5175 If using the ICMP pinging stuff, do direct fetches for sites
5176 which are no more than this many hops away.
cccac0a2 5177DOC_END
5178
5473c134 5179NAME: minimum_direct_rtt
5180TYPE: int
5181DEFAULT: 400
5182LOC: Config.minDirectRtt
cccac0a2 5183DOC_START
5473c134 5184 If using the ICMP pinging stuff, do direct fetches for sites
5185 which are no more than this many rtt milliseconds away.
cccac0a2 5186DOC_END
5187
cccac0a2 5188NAME: netdb_low
5189TYPE: int
5190DEFAULT: 900
5191LOC: Config.Netdb.low
5192DOC_NONE
5193
5194NAME: netdb_high
5195TYPE: int
5196DEFAULT: 1000
5197LOC: Config.Netdb.high
5198DOC_START
5199 The low and high water marks for the ICMP measurement
5200 database. These are counts, not percents. The defaults are
5201 900 and 1000. When the high water mark is reached, database
5202 entries will be deleted until the low mark is reached.
5203DOC_END
5204
cccac0a2 5205NAME: netdb_ping_period
5206TYPE: time_t
5207LOC: Config.Netdb.period
5208DEFAULT: 5 minutes
5209DOC_START
5210 The minimum period for measuring a site. There will be at
5211 least this much delay between successive pings to the same
5212 network. The default is five minutes.
5213DOC_END
5214
cccac0a2 5215NAME: query_icmp
5216COMMENT: on|off
5217TYPE: onoff
5218DEFAULT: off
5219LOC: Config.onoff.query_icmp
5220DOC_START
5221 If you want to ask your peers to include ICMP data in their ICP
5222 replies, enable this option.
5223
5224 If your peer has configured Squid (during compilation) with
7f7db318 5225 '--enable-icmp' that peer will send ICMP pings to origin server
5226 sites of the URLs it receives. If you enable this option the
cccac0a2 5227 ICP replies from that peer will include the ICMP data (if available).
5228 Then, when choosing a parent cache, Squid will choose the parent with
5229 the minimal RTT to the origin server. When this happens, the
5230 hierarchy field of the access.log will be
5231 "CLOSEST_PARENT_MISS". This option is off by default.
5232DOC_END
5233
5234NAME: test_reachability
5235COMMENT: on|off
5236TYPE: onoff
5237DEFAULT: off
5238LOC: Config.onoff.test_reachability
5239DOC_START
5240 When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
5241 instead of ICP_MISS if the target host is NOT in the ICMP
5242 database, or has a zero RTT.
5243DOC_END
5244
5473c134 5245NAME: icp_query_timeout
5246COMMENT: (msec)
5247DEFAULT: 0
5248TYPE: int
5249LOC: Config.Timeout.icp_query
4c3ef9b2 5250DOC_START
5473c134 5251 Normally Squid will automatically determine an optimal ICP
5252 query timeout value based on the round-trip-time of recent ICP
5253 queries. If you want to override the value determined by
5254 Squid, set this 'icp_query_timeout' to a non-zero value. This
5255 value is specified in MILLISECONDS, so, to use a 2-second
5256 timeout (the old default), you would write:
4c3ef9b2 5257
5473c134 5258 icp_query_timeout 2000
4c3ef9b2 5259DOC_END
5260
5473c134 5261NAME: maximum_icp_query_timeout
5262COMMENT: (msec)
5263DEFAULT: 2000
5264TYPE: int
5265LOC: Config.Timeout.icp_query_max
cccac0a2 5266DOC_START
5473c134 5267 Normally the ICP query timeout is determined dynamically. But
5268 sometimes it can lead to very large values (say 5 seconds).
5269 Use this option to put an upper limit on the dynamic timeout
5270 value. Do NOT use this option to always use a fixed (instead
5271 of a dynamic) timeout value. To set a fixed timeout see the
5272 'icp_query_timeout' directive.
cccac0a2 5273DOC_END
5274
5473c134 5275NAME: minimum_icp_query_timeout
5276COMMENT: (msec)
5277DEFAULT: 5
5278TYPE: int
5279LOC: Config.Timeout.icp_query_min
cccac0a2 5280DOC_START
5473c134 5281 Normally the ICP query timeout is determined dynamically. But
5282 sometimes it can lead to very small timeouts, even lower than
5283 the normal latency variance on your link due to traffic.
5284 Use this option to put an lower limit on the dynamic timeout
5285 value. Do NOT use this option to always use a fixed (instead
5286 of a dynamic) timeout value. To set a fixed timeout see the
5287 'icp_query_timeout' directive.
cccac0a2 5288DOC_END
5289
5473c134 5290NAME: background_ping_rate
5291COMMENT: time-units
5292TYPE: time_t
5293DEFAULT: 10 seconds
5294LOC: Config.backgroundPingRate
cccac0a2 5295DOC_START
5473c134 5296 Controls how often the ICP pings are sent to siblings that
5297 have background-ping set.
cccac0a2 5298DOC_END
5299
5473c134 5300COMMENT_START
5301 MULTICAST ICP OPTIONS
5302 -----------------------------------------------------------------------------
5303COMMENT_END
5304
5305NAME: mcast_groups
5306TYPE: wordlist
5307LOC: Config.mcast_group_list
8c01ada0 5308DEFAULT: none
5309DOC_START
5473c134 5310 This tag specifies a list of multicast groups which your server
5311 should join to receive multicasted ICP queries.
8c01ada0 5312
5473c134 5313 NOTE! Be very careful what you put here! Be sure you
5314 understand the difference between an ICP _query_ and an ICP
5315 _reply_. This option is to be set only if you want to RECEIVE
5316 multicast queries. Do NOT set this option to SEND multicast
5317 ICP (use cache_peer for that). ICP replies are always sent via
5318 unicast, so this option does not affect whether or not you will
5319 receive replies from multicast group members.
8c01ada0 5320
5473c134 5321 You must be very careful to NOT use a multicast address which
5322 is already in use by another group of caches.
8c01ada0 5323
5473c134 5324 If you are unsure about multicast, please read the Multicast
5325 chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
8c01ada0 5326
5473c134 5327 Usage: mcast_groups 239.128.16.128 224.0.1.20
8c01ada0 5328
5473c134 5329 By default, Squid doesn't listen on any multicast groups.
5330DOC_END
8c01ada0 5331
5473c134 5332NAME: mcast_miss_addr
5333IFDEF: MULTICAST_MISS_STREAM
5334TYPE: address
5335LOC: Config.mcast_miss.addr
0eb08770 5336DEFAULT: no_addr
5473c134 5337DOC_START
5338 If you enable this option, every "cache miss" URL will
5339 be sent out on the specified multicast address.
cccac0a2 5340
5473c134 5341 Do not enable this option unless you are are absolutely
5342 certain you understand what you are doing.
cccac0a2 5343DOC_END
5344
5473c134 5345NAME: mcast_miss_ttl
5346IFDEF: MULTICAST_MISS_STREAM
5347TYPE: ushort
5348LOC: Config.mcast_miss.ttl
5349DEFAULT: 16
cccac0a2 5350DOC_START
5473c134 5351 This is the time-to-live value for packets multicasted
5352 when multicasting off cache miss URLs is enabled. By
5353 default this is set to 'site scope', i.e. 16.
5354DOC_END
cccac0a2 5355
5473c134 5356NAME: mcast_miss_port
5357IFDEF: MULTICAST_MISS_STREAM
5358TYPE: ushort
5359LOC: Config.mcast_miss.port
5360DEFAULT: 3135
5361DOC_START
5362 This is the port number to be used in conjunction with
5363 'mcast_miss_addr'.
5364DOC_END
cccac0a2 5365
5473c134 5366NAME: mcast_miss_encode_key
5367IFDEF: MULTICAST_MISS_STREAM
5368TYPE: string
5369LOC: Config.mcast_miss.encode_key
5370DEFAULT: XXXXXXXXXXXXXXXX
5371DOC_START
5372 The URLs that are sent in the multicast miss stream are
5373 encrypted. This is the encryption key.
5374DOC_END
8c01ada0 5375
5473c134 5376NAME: mcast_icp_query_timeout
5377COMMENT: (msec)
5378DEFAULT: 2000
5379TYPE: int
5380LOC: Config.Timeout.mcast_icp_query
5381DOC_START
5382 For multicast peers, Squid regularly sends out ICP "probes" to
5383 count how many other peers are listening on the given multicast
5384 address. This value specifies how long Squid should wait to
5385 count all the replies. The default is 2000 msec, or 2
5386 seconds.
cccac0a2 5387DOC_END
5388
5473c134 5389COMMENT_START
5390 INTERNAL ICON OPTIONS
5391 -----------------------------------------------------------------------------
5392COMMENT_END
5393
cccac0a2 5394NAME: icon_directory
5395TYPE: string
5396LOC: Config.icons.directory
5397DEFAULT: @DEFAULT_ICON_DIR@
5398DOC_START
5399 Where the icons are stored. These are normally kept in
5400 @DEFAULT_ICON_DIR@
5401DOC_END
5402
f024c970 5403NAME: global_internal_static
5404TYPE: onoff
5405LOC: Config.onoff.global_internal_static
5406DEFAULT: on
5407DOC_START
5408 This directive controls is Squid should intercept all requests for
5409 /squid-internal-static/ no matter which host the URL is requesting
5410 (default on setting), or if nothing special should be done for
5411 such URLs (off setting). The purpose of this directive is to make
5412 icons etc work better in complex cache hierarchies where it may
5413 not always be possible for all corners in the cache mesh to reach
5414 the server generating a directory listing.
5415DOC_END
5416
5473c134 5417NAME: short_icon_urls
5418TYPE: onoff
5419LOC: Config.icons.use_short_names
5420DEFAULT: on
5421DOC_START
5422 If this is enabled Squid will use short URLs for icons.
5423 If disabled it will revert to the old behavior of including
5424 it's own name and port in the URL.
5425
5426 If you run a complex cache hierarchy with a mix of Squid and
5427 other proxies you may need to disable this directive.
5428DOC_END
5429
5430COMMENT_START
5431 ERROR PAGE OPTIONS
5432 -----------------------------------------------------------------------------
5433COMMENT_END
5434
5435NAME: error_directory
5436TYPE: string
5437LOC: Config.errorDirectory
43000484 5438DEFAULT: none
5473c134 5439DOC_START
5440 If you wish to create your own versions of the default
43000484
AJ		 5441 error files to customize them to suit your company copy
5442 the error/template files to another directory and point
5443 this tag at them.
5444
5445 WARNING: This option will disable multi-language support
5446 on error pages if used.
5473c134 5447
5448 The squid developers are interested in making squid available in
5449 a wide variety of languages. If you are making translations for a
43000484 5450 language that Squid does not currently provide please consider
5473c134 5451 contributing your translation back to the project.
43000484
AJ		 5452 http://wiki.squid-cache.org/Translations
5453
5454 The squid developers working on translations are happy to supply drop-in
5455 translated error files in exchange for any new language contributions.
5456DOC_END
5457
5458NAME: error_default_language
5459IFDEF: USE_ERR_LOCALES
5460TYPE: string
5461LOC: Config.errorDefaultLanguage
5462DEFAULT: none
5463DOC_START
5464 Set the default language which squid will send error pages in
5465 if no existing translation matches the clients language
5466 preferences.
5467
5468 If unset (default) generic English will be used.
5469
5470 The squid developers are interested in making squid available in
5471 a wide variety of languages. If you are interested in making
5472 translations for any language see the squid wiki for details.
5473 http://wiki.squid-cache.org/Translations
5473c134 5474DOC_END
5475
c411820c
AJ		 5476NAME: error_log_languages
5477IFDEF: USE_ERR_LOCALES
5478TYPE: onoff
5479LOC: Config.errorLogMissingLanguages
5480DEFAULT: on
5481DOC_START
5482 Log to cache.log what languages users are attempting to
5483 auto-negotiate for translations.
5484
5485 Successful negotiations are not logged. Only failures
5486 have meaning to indicate that Squid may need an upgrade
0c49f10e 5487 of its error page translations.
c411820c
AJ		 5488DOC_END
5489
5b52cb6c
AJ		 5490NAME: err_page_stylesheet
5491TYPE: string
5492LOC: Config.errorStylesheet
5493DEFAULT: @DEFAULT_CONFIG_DIR@/errorpage.css
5494DOC_START
5495 CSS Stylesheet to pattern the display of Squid default error pages.
5496
5497 For information on CSS see http://www.w3.org/Style/CSS/
5498DOC_END
5499
5473c134 5500NAME: err_html_text
5501TYPE: eol
5502LOC: Config.errHtmlText
5503DEFAULT: none
5504DOC_START
5505 HTML text to include in error messages. Make this a "mailto"
5506 URL to your admin address, or maybe just a link to your
5507 organizations Web page.
5508
5509 To include this in your error messages, you must rewrite
5510 the error template files (found in the "errors" directory).
5511 Wherever you want the 'err_html_text' line to appear,
5512 insert a %L tag in the error template file.
5513DOC_END
5514
5515NAME: email_err_data
5516COMMENT: on|off
5517TYPE: onoff
5518LOC: Config.onoff.emailErrData
5519DEFAULT: on
5520DOC_START
5521 If enabled, information about the occurred error will be
5522 included in the mailto links of the ERR pages (if %W is set)
5523 so that the email body contains the data.
5524 Syntax is <A HREF="mailto:%w%W">%w</A>
5525DOC_END
5526
5527NAME: deny_info
5528TYPE: denyinfo
5529LOC: Config.denyInfoList
5530DEFAULT: none
5531DOC_START
5532 Usage: deny_info err_page_name acl
5533 or deny_info http://... acl
43000484 5534 or deny_info TCP_RESET acl
5473c134 5535
5536 This can be used to return a ERR_ page for requests which
5537 do not pass the 'http_access' rules. Squid remembers the last
5538 acl it evaluated in http_access, and if a 'deny_info' line exists
5539 for that ACL Squid returns a corresponding error page.
5540
5541 The acl is typically the last acl on the http_access deny line which
5542 denied access. The exceptions to this rule are:
5543 - When Squid needs to request authentication credentials. It's then
5544 the first authentication related acl encountered
5545 - When none of the http_access lines matches. It's then the last
5546 acl processed on the last http_access line.
5547
43000484
AJ		 5548 NP: If providing your own custom error pages with error_directory
5549 you may also specify them by your custom file name:
5550 Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
5473c134 5551
5473c134 5552 Alternatively you can tell Squid to reset the TCP connection
5553 by specifying TCP_RESET.
15b02e9a
AJ		 5554
5555 Or you can specify an error URL or URL pattern. The browsers will
5556 get redirected (302) to the specified URL after formattgin tags have
5557 been replaced.
5558
5559 URL FORMAT TAGS:
5560 %a - username (if available. Password NOT included)
5561 %B - FTP path URL
5562 %e - Error number
5563 %E - Error description
5564 %h - Squid hostname
5565 %H - Request domain name
5566 %i - Client IP Address
5567 %M - Request Method
5568 %o - Message result from external ACL helper
5569 %p - Request Port number
5570 %P - Request Protocol name
5571 %R - Request URL path
5572 %T - Timestamp in RFC 1123 format
5573 %U - Full canonical URL from client
5574 (HTTPS URLs terminate with *)
5575 %u - Full canonical URL from client
5576 %w - Admin email from squid.conf
5577 %% - Literal percent (%) code
5578
5473c134 5579DOC_END
5580
5581COMMENT_START
5582 OPTIONS INFLUENCING REQUEST FORWARDING
5583 -----------------------------------------------------------------------------
5584COMMENT_END
5585
5586NAME: nonhierarchical_direct
e72a0ec0 5587TYPE: onoff
5473c134 5588LOC: Config.onoff.nonhierarchical_direct
e72a0ec0 5589DEFAULT: on
5590DOC_START
5473c134 5591 By default, Squid will send any non-hierarchical requests
5592 (matching hierarchy_stoplist or not cacheable request type) direct
5593 to origin servers.
e72a0ec0 5594
5473c134 5595 If you set this to off, Squid will prefer to send these
5596 requests to parents.
0b0cfcf2 5597
5473c134 5598 Note that in most configurations, by turning this off you will only
5599 add latency to these request without any improvement in global hit
5600 ratio.
0b0cfcf2 5601
5473c134 5602 If you are inside an firewall see never_direct instead of
5603 this directive.
8d6275c0 5604DOC_END
0b0cfcf2 5605
5473c134 5606NAME: prefer_direct
8d6275c0 5607TYPE: onoff
5473c134 5608LOC: Config.onoff.prefer_direct
8d6275c0 5609DEFAULT: off
5610DOC_START
5473c134 5611 Normally Squid tries to use parents for most requests. If you for some
5612 reason like it to first try going direct and only use a parent if
5613 going direct fails set this to on.
0b0cfcf2 5614
5473c134 5615 By combining nonhierarchical_direct off and prefer_direct on you
5616 can set up Squid to use a parent as a backup path if going direct
5617 fails.
5618
5619 Note: If you want Squid to use parents for all requests see
5620 the never_direct directive. prefer_direct only modifies how Squid
5621 acts on cacheable requests.
cccac0a2 5622DOC_END
5623
5473c134 5624NAME: always_direct
8d6275c0 5625TYPE: acl_access
5473c134 5626LOC: Config.accessList.AlwaysDirect
0b0cfcf2 5627DEFAULT: none
0b0cfcf2 5628DOC_START
5473c134 5629 Usage: always_direct allow|deny [!]aclname ...
0b0cfcf2 5630
5473c134 5631 Here you can use ACL elements to specify requests which should
5632 ALWAYS be forwarded by Squid to the origin servers without using
5633 any peers. For example, to always directly forward requests for
5634 local servers ignoring any parents or siblings you may have use
5635 something like:
0b0cfcf2 5636
5473c134 5637 acl local-servers dstdomain my.domain.net
5638 always_direct allow local-servers
0b0cfcf2 5639
5473c134 5640 To always forward FTP requests directly, use
f16fbc82 5641
5473c134 5642 acl FTP proto FTP
5643 always_direct allow FTP
cccac0a2 5644
5473c134 5645 NOTE: There is a similar, but opposite option named
5646 'never_direct'. You need to be aware that "always_direct deny
5647 foo" is NOT the same thing as "never_direct allow foo". You
5648 may need to use a deny rule to exclude a more-specific case of
5649 some other rule. Example:
8d6275c0 5650
5473c134 5651 acl local-external dstdomain external.foo.net
5652 acl local-servers dstdomain .foo.net
5653 always_direct deny local-external
5654 always_direct allow local-servers
8d6275c0 5655
5473c134 5656 NOTE: If your goal is to make the client forward the request
5657 directly to the origin server bypassing Squid then this needs
5658 to be done in the client configuration. Squid configuration
5659 can only tell Squid how Squid should fetch the object.
8d6275c0 5660
5473c134 5661 NOTE: This directive is not related to caching. The replies
5662 is cached as usual even if you use always_direct. To not cache
b3567eb5 5663 the replies see the 'cache' directive.
5473c134 5664
b3567eb5
FC		 5665 This clause supports both fast and slow acl types.
5666 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
cccac0a2 5667DOC_END
0976f8db 5668
5473c134 5669NAME: never_direct
5670TYPE: acl_access
5671LOC: Config.accessList.NeverDirect
5672DEFAULT: none
8d6275c0 5673DOC_START
5473c134 5674 Usage: never_direct allow|deny [!]aclname ...
5675
5676 never_direct is the opposite of always_direct. Please read
5677 the description for always_direct if you have not already.
5678
5679 With 'never_direct' you can use ACL elements to specify
5680 requests which should NEVER be forwarded directly to origin
5681 servers. For example, to force the use of a proxy for all
5682 requests, except those in your local domain use something like:
5683
5684 acl local-servers dstdomain .foo.net
5473c134 5685 never_direct deny local-servers
5686 never_direct allow all
5687
5688 or if Squid is inside a firewall and there are local intranet
5689 servers inside the firewall use something like:
5690
5691 acl local-intranet dstdomain .foo.net
5692 acl local-external dstdomain external.foo.net
5693 always_direct deny local-external
5694 always_direct allow local-intranet
5695 never_direct allow all
5696
b3567eb5
FC		 5697 This clause supports both fast and slow acl types.
5698 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
8d6275c0 5699DOC_END
0976f8db 5700
5473c134 5701COMMENT_START
5702 ADVANCED NETWORKING OPTIONS
5703 -----------------------------------------------------------------------------
5704COMMENT_END
5705
cccac0a2 5706NAME: incoming_icp_average
5707TYPE: int
5708DEFAULT: 6
5709LOC: Config.comm_incoming.icp_average
5710DOC_NONE
5711
5712NAME: incoming_http_average
5713TYPE: int
5714DEFAULT: 4
5715LOC: Config.comm_incoming.http_average
5716DOC_NONE
5717
5718NAME: incoming_dns_average
5719TYPE: int
5720DEFAULT: 4
5721LOC: Config.comm_incoming.dns_average
5722DOC_NONE
5723
5724NAME: min_icp_poll_cnt
5725TYPE: int
5726DEFAULT: 8
5727LOC: Config.comm_incoming.icp_min_poll
5728DOC_NONE
5729
5730NAME: min_dns_poll_cnt
5731TYPE: int
5732DEFAULT: 8
5733LOC: Config.comm_incoming.dns_min_poll
5734DOC_NONE
5735
5736NAME: min_http_poll_cnt
5737TYPE: int
5738DEFAULT: 8
5739LOC: Config.comm_incoming.http_min_poll
5740DOC_START
5473c134 5741 Heavy voodoo here. I can't even believe you are reading this.
5742 Are you crazy? Don't even think about adjusting these unless
5743 you understand the algorithms in comm_select.c first!
5744DOC_END
5745
5746NAME: accept_filter
5473c134 5747TYPE: string
5748DEFAULT: none
5749LOC: Config.accept_filter
5750DOC_START
0b4d4be5 5751 FreeBSD:
5752
5473c134 5753 The name of an accept(2) filter to install on Squid's
5754 listen socket(s). This feature is perhaps specific to
5755 FreeBSD and requires support in the kernel.
5756
5757 The 'httpready' filter delays delivering new connections
2324cda2 5758 to Squid until a full HTTP request has been received.
0b4d4be5 5759 See the accf_http(9) man page for details.
5760
5761 The 'dataready' filter delays delivering new connections
5762 to Squid until there is some data to process.
5763 See the accf_dataready(9) man page for details.
5764
5765 Linux:
5766
5767 The 'data' filter delays delivering of new connections
5768 to Squid until there is some data to process by TCP_ACCEPT_DEFER.
5769 You may optionally specify a number of seconds to wait by
5770 'data=N' where N is the number of seconds. Defaults to 30
5771 if not specified. See the tcp(7) man page for details.
5473c134 5772EXAMPLE:
0b4d4be5 5773# FreeBSD
5473c134 5774accept_filter httpready
0b4d4be5 5775# Linux
5776accept_filter data
5473c134 5777DOC_END
5778
ab2ecb0e
AJ		 5779NAME: client_ip_max_connections
5780TYPE: int
5781LOC: Config.client_ip_max_connections
5782DEFAULT: -1
5783DOC_START
5784 Set an absolute limit on the number of connections a single
5785 client IP can use. Any more than this and Squid will begin to drop
5786 new connections from the client until it closes some links.
5787
5788 Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
5789 connections from the client. For finer control use the ACL access controls.
5790
5791 Requires client_db to be enabled (the default).
5792
5793 WARNING: This may noticably slow down traffic received via external proxies
5794 or NAT devices and cause them to rebound error messages back to their clients.
5795DOC_END
5796
5473c134 5797NAME: tcp_recv_bufsize
5798COMMENT: (bytes)
5799TYPE: b_size_t
5800DEFAULT: 0 bytes
5801LOC: Config.tcpRcvBufsz
5802DOC_START
5803 Size of receive buffer to set for TCP sockets. Probably just
5804 as easy to change your kernel's default. Set to zero to use
5805 the default buffer size.
5806DOC_END
5807
5808COMMENT_START
5809 ICAP OPTIONS
5810 -----------------------------------------------------------------------------
5811COMMENT_END
5812
5813NAME: icap_enable
5814TYPE: onoff
5815IFDEF: ICAP_CLIENT
5816COMMENT: on|off
26cc52cb 5817LOC: Adaptation::Icap::TheConfig.onoff
5473c134 5818DEFAULT: off
5819DOC_START
53e738c6 5820 If you want to enable the ICAP module support, set this to on.
5473c134 5821DOC_END
5822
5823NAME: icap_connect_timeout
5824TYPE: time_t
5825DEFAULT: none
26cc52cb 5826LOC: Adaptation::Icap::TheConfig.connect_timeout_raw
5473c134 5827IFDEF: ICAP_CLIENT
5828DOC_START
5829 This parameter specifies how long to wait for the TCP connect to
5830 the requested ICAP server to complete before giving up and either
5831 terminating the HTTP transaction or bypassing the failure.
5832
5833 The default for optional services is peer_connect_timeout.
5834 The default for essential services is connect_timeout.
5835 If this option is explicitly set, its value applies to all services.
5836DOC_END
5837
5838NAME: icap_io_timeout
5839COMMENT: time-units
5840TYPE: time_t
5841DEFAULT: none
26cc52cb 5842LOC: Adaptation::Icap::TheConfig.io_timeout_raw
5473c134 5843IFDEF: ICAP_CLIENT
5844DOC_START
5845 This parameter specifies how long to wait for an I/O activity on
5846 an established, active ICAP connection before giving up and
5847 either terminating the HTTP transaction or bypassing the
5848 failure.
5849
5850 The default is read_timeout.
5851DOC_END
5852
5853NAME: icap_service_failure_limit
8277060a
CT		 5854COMMENT: limit [in memory-depth time-units]
5855TYPE: icap_service_failure_limit
5473c134 5856IFDEF: ICAP_CLIENT
8277060a 5857LOC: Adaptation::Icap::TheConfig
5473c134 5858DEFAULT: 10
5859DOC_START
5860 The limit specifies the number of failures that Squid tolerates
5861 when establishing a new TCP connection with an ICAP service. If
5862 the number of failures exceeds the limit, the ICAP service is
5863 not used for new ICAP requests until it is time to refresh its
8277060a 5864 OPTIONS.
5473c134 5865
5866 A negative value disables the limit. Without the limit, an ICAP
5867 service will not be considered down due to connectivity failures
5868 between ICAP OPTIONS requests.
8277060a
CT		 5869
5870 Squid forgets ICAP service failures older than the specified
5871 value of memory-depth. The memory fading algorithm
5872 is approximate because Squid does not remember individual
5873 errors but groups them instead, splitting the option
5874 value into ten time slots of equal length.
5875
5876 When memory-depth is 0 and by default this option has no
5877 effect on service failure expiration.
5878
5879 Squid always forgets failures when updating service settings
5880 using an ICAP OPTIONS transaction, regardless of this option
5881 setting.
5882
5883 For example,
5884 # suspend service usage after 10 failures in 5 seconds:
5885 icap_service_failure_limit 10 in 5 seconds
cccac0a2 5886DOC_END
5887
5473c134 5888NAME: icap_service_revival_delay
cccac0a2 5889TYPE: int
5473c134 5890IFDEF: ICAP_CLIENT
26cc52cb 5891LOC: Adaptation::Icap::TheConfig.service_revival_delay
5473c134 5892DEFAULT: 180
cccac0a2 5893DOC_START
5473c134 5894 The delay specifies the number of seconds to wait after an ICAP
5895 OPTIONS request failure before requesting the options again. The
5896 failed ICAP service is considered "down" until fresh OPTIONS are
5897 fetched.
cccac0a2 5898
5473c134 5899 The actual delay cannot be smaller than the hardcoded minimum
5900 delay of 30 seconds.
cccac0a2 5901DOC_END
5902
5473c134 5903NAME: icap_preview_enable
cccac0a2 5904TYPE: onoff
5473c134 5905IFDEF: ICAP_CLIENT
5906COMMENT: on|off
26cc52cb 5907LOC: Adaptation::Icap::TheConfig.preview_enable
ac7a62f9 5908DEFAULT: on
cccac0a2 5909DOC_START
ac7a62f9 5910 The ICAP Preview feature allows the ICAP server to handle the
5911 HTTP message by looking only at the beginning of the message body
5912 or even without receiving the body at all. In some environments,
5913 previews greatly speedup ICAP processing.
5914
5915 During an ICAP OPTIONS transaction, the server may tell Squid what
5916 HTTP messages should be previewed and how big the preview should be.
5917 Squid will not use Preview if the server did not request one.
5918
5919 To disable ICAP Preview for all ICAP services, regardless of
5920 individual ICAP server OPTIONS responses, set this option to "off".
5921Example:
5922icap_preview_enable off
cccac0a2 5923DOC_END
5924
5473c134 5925NAME: icap_preview_size
5926TYPE: int
5927IFDEF: ICAP_CLIENT
26cc52cb 5928LOC: Adaptation::Icap::TheConfig.preview_size
5473c134 5929DEFAULT: -1
cccac0a2 5930DOC_START
53e738c6 5931 The default size of preview data to be sent to the ICAP server.
5932 -1 means no preview. This value might be overwritten on a per server
5933 basis by OPTIONS requests.
cccac0a2 5934DOC_END
5935
5473c134 5936NAME: icap_default_options_ttl
5937TYPE: int
5938IFDEF: ICAP_CLIENT
26cc52cb 5939LOC: Adaptation::Icap::TheConfig.default_options_ttl
5473c134 5940DEFAULT: 60
cccac0a2 5941DOC_START
53e738c6 5942 The default TTL value for ICAP OPTIONS responses that don't have
5473c134 5943 an Options-TTL header.
cccac0a2 5944DOC_END
5945
5473c134 5946NAME: icap_persistent_connections
5947TYPE: onoff
5948IFDEF: ICAP_CLIENT
5949COMMENT: on|off
26cc52cb 5950LOC: Adaptation::Icap::TheConfig.reuse_connections
5473c134 5951DEFAULT: on
cccac0a2 5952DOC_START
5473c134 5953 Whether or not Squid should use persistent connections to
5954 an ICAP server.
cccac0a2 5955DOC_END
5956
5473c134 5957NAME: icap_send_client_ip
5958TYPE: onoff
5959IFDEF: ICAP_CLIENT
5960COMMENT: on|off
26cc52cb 5961LOC: Adaptation::Icap::TheConfig.send_client_ip
5473c134 5962DEFAULT: off
cccac0a2 5963DOC_START
53e738c6 5964 This adds the header "X-Client-IP" to ICAP requests.
cccac0a2 5965DOC_END
5966
5473c134 5967NAME: icap_send_client_username
5968TYPE: onoff
5969IFDEF: ICAP_CLIENT
5970COMMENT: on|off
26cc52cb 5971LOC: Adaptation::Icap::TheConfig.send_client_username
5473c134 5972DEFAULT: off
cccac0a2 5973DOC_START
5473c134 5974 This sends authenticated HTTP client username (if available) to
5975 the ICAP service. The username value is encoded based on the
5976 icap_client_username_encode option and is sent using the header
5977 specified by the icap_client_username_header option.
cccac0a2 5978DOC_END
5979
5473c134 5980NAME: icap_client_username_header
cccac0a2 5981TYPE: string
5473c134 5982IFDEF: ICAP_CLIENT
26cc52cb 5983LOC: Adaptation::Icap::TheConfig.client_username_header
5473c134 5984DEFAULT: X-Client-Username
cccac0a2 5985DOC_START
5473c134 5986 ICAP request header name to use for send_client_username.
cccac0a2 5987DOC_END
5988
5473c134 5989NAME: icap_client_username_encode
cccac0a2 5990TYPE: onoff
5473c134 5991IFDEF: ICAP_CLIENT
5992COMMENT: on|off
26cc52cb 5993LOC: Adaptation::Icap::TheConfig.client_username_encode
5473c134 5994DEFAULT: off
cccac0a2 5995DOC_START
5473c134 5996 Whether to base64 encode the authenticated client username.
cccac0a2 5997DOC_END
5998
5473c134 5999NAME: icap_service
6000TYPE: icap_service_type
6001IFDEF: ICAP_CLIENT
26cc52cb 6002LOC: Adaptation::Icap::TheConfig
5473c134 6003DEFAULT: none
cccac0a2 6004DOC_START
a22e6cd3 6005 Defines a single ICAP service using the following format:
cccac0a2 6006
a22e6cd3 6007 icap_service service_name vectoring_point [options] service_url
7d90757b 6008
a22e6cd3
AR		 6009 service_name: ID
6010 an opaque identifier which must be unique in squid.conf
6011
6012 vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
f3db09e2 6013 This specifies at which point of transaction processing the
6014 ICAP service should be activated. *_postcache vectoring points
6015 are not yet supported.
a22e6cd3
AR		 6016
6017 service_url: icap://servername:port/servicepath
6018 ICAP server and service location.
6019
6020 ICAP does not allow a single service to handle both REQMOD and RESPMOD
6021 transactions. Squid does not enforce that requirement. You can specify
6022 services with the same service_url and different vectoring_points. You
6023 can even specify multiple identical services as long as their
6024 service_names differ.
6025
6026
6027 Service options are separated by white space. ICAP services support
6028 the following name=value options:
6029
6030 bypass=on|off|1|0
6031 If set to 'on' or '1', the ICAP service is treated as
6032 optional. If the service cannot be reached or malfunctions,
6033 Squid will try to ignore any errors and process the message as
6034 if the service was not enabled. No all ICAP errors can be
6035 bypassed. If set to 0, the ICAP service is treated as
6036 essential and all ICAP errors will result in an error page
6037 returned to the HTTP client.
6038
6039 Bypass is off by default: services are treated as essential.
6040
6041 routing=on|off|1|0
6042 If set to 'on' or '1', the ICAP service is allowed to
6043 dynamically change the current message adaptation plan by
6044 returning a chain of services to be used next. The services
6045 are specified using the X-Next-Services ICAP response header
6046 value, formatted as a comma-separated list of service names.
6047 Each named service should be configured in squid.conf and
6048 should have the same method and vectoring point as the current
6049 ICAP transaction. Services violating these rules are ignored.
6050 An empty X-Next-Services value results in an empty plan which
6051 ends the current adaptation.
6052
6053 Routing is not allowed by default: the ICAP X-Next-Services
6054 response header is ignored.
6055
6056 Older icap_service format without optional named parameters is
6057 deprecated but supported for backward compatibility.
5473c134 6058
5473c134 6059Example:
a22e6cd3
AR		 6060icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod
6061icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod
cccac0a2 6062DOC_END
6063
5473c134 6064NAME: icap_class
6065TYPE: icap_class_type
6066IFDEF: ICAP_CLIENT
21a26d31 6067LOC: none
5473c134 6068DEFAULT: none
cccac0a2 6069DOC_START
a22e6cd3 6070 This deprecated option was documented to define an ICAP service
62c7f90e
AR		 6071 chain, even though it actually defined a set of similar, redundant
6072 services, and the chains were not supported.
5473c134 6073
62c7f90e 6074 To define a set of redundant services, please use the
a22e6cd3
AR		 6075 adaptation_service_set directive. For service chains, use
6076 adaptation_service_chain.
cccac0a2 6077DOC_END
6078
5473c134 6079NAME: icap_access
6080TYPE: icap_access_type
6081IFDEF: ICAP_CLIENT
21a26d31 6082LOC: none
cccac0a2 6083DEFAULT: none
cccac0a2 6084DOC_START
a22e6cd3 6085 This option is deprecated. Please use adaptation_access, which
62c7f90e
AR		 6086 has the same ICAP functionality, but comes with better
6087 documentation, and eCAP support.
cccac0a2 6088DOC_END
6089
57afc994
AR		 6090COMMENT_START
6091 eCAP OPTIONS
6092 -----------------------------------------------------------------------------
6093COMMENT_END
6094
21a26d31
AR		 6095NAME: ecap_enable
6096TYPE: onoff
6097IFDEF: USE_ECAP
6098COMMENT: on|off
574b508c 6099LOC: Adaptation::Ecap::TheConfig.onoff
21a26d31
AR		 6100DEFAULT: off
6101DOC_START
6102 Controls whether eCAP support is enabled.
6103DOC_END
6104
6105NAME: ecap_service
6106TYPE: ecap_service_type
6107IFDEF: USE_ECAP
574b508c 6108LOC: Adaptation::Ecap::TheConfig
21a26d31
AR		 6109DEFAULT: none
6110DOC_START
6111 Defines a single eCAP service
6112
6113 ecap_service servicename vectoring_point bypass service_url
6114
6115 vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
6116 This specifies at which point of transaction processing the
6117 eCAP service should be activated. *_postcache vectoring points
6118 are not yet supported.
6119 bypass = 1|0
6120 If set to 1, the eCAP service is treated as optional. If the
6121 service cannot be reached or malfunctions, Squid will try to
6122 ignore any errors and process the message as if the service
6123 was not enabled. No all eCAP errors can be bypassed.
6124 If set to 0, the eCAP service is treated as essential and all
6125 eCAP errors will result in an error page returned to the
6126 HTTP client.
6127 service_url = ecap://vendor/service_name?custom&cgi=style&parameters=optional
6128
6129Example:
6130ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
6131ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
6132DOC_END
6133
57afc994
AR		 6134NAME: loadable_modules
6135TYPE: wordlist
6136IFDEF: USE_LOADABLE_MODULES
6137LOC: Config.loadable_module_names
6138DEFAULT: none
6139DOC_START
6140 Instructs Squid to load the specified dynamic module(s) or activate
6141 preloaded module(s).
6142Example:
6143loadable_modules @DEFAULT_PREFIX@/lib/MinimalAdapter.so
6144DOC_END
6145
62c7f90e
AR		 6146COMMENT_START
6147 MESSAGE ADAPTATION OPTIONS
6148 -----------------------------------------------------------------------------
6149COMMENT_END
6150
6151NAME: adaptation_service_set
6152TYPE: adaptation_service_set_type
6153IFDEF: USE_ADAPTATION
6154LOC: none
6155DEFAULT: none
6156DOC_START
6157
a22e6cd3
AR		 6158 Configures an ordered set of similar, redundant services. This is
6159 useful when hot standby or backup adaptation servers are available.
6160
6161 adaptation_service_set set_name service_name1 service_name2 ...
6162
6163 The named services are used in the set declaration order. The first
6164 applicable adaptation service from the set is used first. The next
6165 applicable service is tried if and only if the transaction with the
6166 previous service fails and the message waiting to be adapted is still
6167 intact.
62c7f90e 6168
a22e6cd3
AR		 6169 When adaptation starts, broken services are ignored as if they were
6170 not a part of the set. A broken service is a down optional service.
62c7f90e 6171
a22e6cd3
AR		 6172 The services in a set must be attached to the same vectoring point
6173 (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
6174
6175 If all services in a set are optional then adaptation failures are
6176 bypassable. If all services in the set are essential, then a
6177 transaction failure with one service may still be retried using
6178 another service from the set, but when all services fail, the master
6179 transaction fails as well.
6180
6181 A set may contain a mix of optional and essential services, but that
6182 is likely to lead to surprising results because broken services become
6183 ignored (see above), making previously bypassable failures fatal.
6184 Technically, it is the bypassability of the last failed service that
6185 matters.
6186
6187 See also: adaptation_access adaptation_service_chain
62c7f90e
AR		 6188
6189Example:
6190adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
6191adaptation service_set svcLogger loggerLocal loggerRemote
6192DOC_END
6193
a22e6cd3
AR		 6194NAME: adaptation_service_chain
6195TYPE: adaptation_service_chain_type
6196IFDEF: USE_ADAPTATION
6197LOC: none
6198DEFAULT: none
6199DOC_START
6200
6201 Configures a list of complementary services that will be applied
6202 one-by-one, forming an adaptation chain or pipeline. This is useful
6203 when Squid must perform different adaptations on the same message.
6204
6205 adaptation_service_chain chain_name service_name1 svc_name2 ...
6206
6207 The named services are used in the chain declaration order. The first
6208 applicable adaptation service from the chain is used first. The next
6209 applicable service is applied to the successful adaptation results of
6210 the previous service in the chain.
6211
6212 When adaptation starts, broken services are ignored as if they were
6213 not a part of the chain. A broken service is a down optional service.
6214
6215 Request satisfaction terminates the adaptation chain because Squid
6216 does not currently allow declaration of RESPMOD services at the
6217 "reqmod_precache" vectoring point (see icap_service or ecap_service).
6218
6219 The services in a chain must be attached to the same vectoring point
6220 (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
6221
6222 A chain may contain a mix of optional and essential services. If an
6223 essential adaptation fails (or the failure cannot be bypassed for
6224 other reasons), the master transaction fails. Otherwise, the failure
6225 is bypassed as if the failed adaptation service was not in the chain.
6226
6227 See also: adaptation_access adaptation_service_set
6228
6229Example:
6230adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
6231DOC_END
6232
62c7f90e
AR		 6233NAME: adaptation_access
6234TYPE: adaptation_access_type
6235IFDEF: USE_ADAPTATION
6236LOC: none
6237DEFAULT: none
6238DOC_START
6239 Sends an HTTP transaction to an ICAP or eCAP adaptation service.
6240
6241 adaptation_access service_name allow|deny [!]aclname...
6242 adaptation_access set_name allow|deny [!]aclname...
6243
6244 At each supported vectoring point, the adaptation_access
6245 statements are processed in the order they appear in this
6246 configuration file. Statements pointing to the following services
6247 are ignored (i.e., skipped without checking their ACL):
6248
6249 - services serving different vectoring points
6250 - "broken-but-bypassable" services
6251 - "up" services configured to ignore such transactions
6252 (e.g., based on the ICAP Transfer-Ignore header).
6253
6254 When a set_name is used, all services in the set are checked
6255 using the same rules, to find the first applicable one. See
6256 adaptation_service_set for details.
6257
6258 If an access list is checked and there is a match, the
6259 processing stops: For an "allow" rule, the corresponding
6260 adaptation service is used for the transaction. For a "deny"
6261 rule, no adaptation service is activated.
6262
6263 It is currently not possible to apply more than one adaptation
6264 service at the same vectoring point to the same HTTP transaction.
6265
6266 See also: icap_service and ecap_service
6267
6268Example:
6269adaptation_access service_1 allow all
6270DOC_END
6271
a22e6cd3
AR		 6272NAME: adaptation_service_iteration_limit
6273TYPE: int
6274IFDEF: USE_ADAPTATION
6275LOC: Adaptation::Config::service_iteration_limit
6276DEFAULT: 16
6277DOC_START
6278 Limits the number of iterations allowed when applying adaptation
6279 services to a message. If your longest adaptation set or chain
6280 may have more than 16 services, increase the limit beyond its
6281 default value of 16. If detecting infinite iteration loops sooner
6282 is critical, make the iteration limit match the actual number
6283 of services in your longest adaptation set or chain.
6284
6285 Infinite adaptation loops are most likely with routing services.
6286
6287 See also: icap_service routing=1
6288DOC_END
6289
3ff65596
AR		 6290NAME: adaptation_masterx_shared_names
6291TYPE: string
6292IFDEF: USE_ADAPTATION
6293LOC: Adaptation::Config::masterx_shared_name
6294DEFAULT: none
6295DOC_START
6296 For each master transaction (i.e., the HTTP request and response
6297 sequence, including all related ICAP and eCAP exchanges), Squid
6298 maintains a table of metadata. The table entries are (name, value)
6299 pairs shared among eCAP and ICAP exchanges. The table is destroyed
6300 with the master transaction.
6301
6302 This option specifies the table entry names that Squid must accept
6303 from and forward to the adaptation transactions.
6304
6305 An ICAP REQMOD or RESPMOD transaction may set an entry in the
6306 shared table by returning an ICAP header field with a name
6307 specified in adaptation_masterx_shared_names. Squid will store
6308 and forward that ICAP header field to subsequent ICAP
6309 transactions within the same master transaction scope.
6310
6311 Only one shared entry name is supported at this time.
6312
6313Example:
6314# share authentication information among ICAP services
6315adaptation_masterx_shared_names X-Subscriber-ID
6316DOC_END
6317
6318NAME: icap_retry
6319TYPE: acl_access
6320IFDEF: ICAP_CLIENT
6321LOC: Adaptation::Icap::TheConfig.repeat
6322DEFAULT: none
6323DEFAULT_IF_NONE: deny all
6324DOC_START
6325 This ACL determines which retriable ICAP transactions are
6326 retried. Transactions that received a complete ICAP response
6327 and did not have to consume or produce HTTP bodies to receive
6328 that response are usually retriable.
6329
6330 icap_retry allow|deny [!]aclname ...
6331
6332 Squid automatically retries some ICAP I/O timeouts and errors
6333 due to persistent connection race conditions.
6334
6335 See also: icap_retry_limit
6336DOC_END
6337
6338NAME: icap_retry_limit
6339TYPE: int
6340IFDEF: ICAP_CLIENT
6341LOC: Adaptation::Icap::TheConfig.repeat_limit
6342DEFAULT: 0
6343DOC_START
6344 Limits the number of retries allowed. When set to zero (default),
6345 no retries are allowed.
6346
6347 Communication errors due to persistent connection race
6348 conditions are unavoidable, automatically retried, and do not
6349 count against this limit.
6350
6351 See also: icap_retry
6352DOC_END
6353
6354
5473c134 6355COMMENT_START
6356 DNS OPTIONS
6357 -----------------------------------------------------------------------------
6358COMMENT_END
6359
6360NAME: check_hostnames
cccac0a2 6361TYPE: onoff
cccac0a2 6362DEFAULT: off
5473c134 6363LOC: Config.onoff.check_hostnames
cccac0a2 6364DOC_START
5473c134 6365 For security and stability reasons Squid can check
6366 hostnames for Internet standard RFC compliance. If you want
6367 Squid to perform these checks turn this directive on.
cccac0a2 6368DOC_END
6369
5473c134 6370NAME: allow_underscore
cccac0a2 6371TYPE: onoff
cccac0a2 6372DEFAULT: on
5473c134 6373LOC: Config.onoff.allow_underscore
cccac0a2 6374DOC_START
5473c134 6375 Underscore characters is not strictly allowed in Internet hostnames
6376 but nevertheless used by many sites. Set this to off if you want
6377 Squid to be strict about the standard.
6378 This check is performed only when check_hostnames is set to on.
cccac0a2 6379DOC_END
6380
5473c134 6381NAME: cache_dns_program
cccac0a2 6382TYPE: string
5473c134 6383IFDEF: USE_DNSSERVERS
6384DEFAULT: @DEFAULT_DNSSERVER@
6385LOC: Config.Program.dnsserver
cccac0a2 6386DOC_START
5473c134 6387 Specify the location of the executable for dnslookup process.
cccac0a2 6388DOC_END
6389
5473c134 6390NAME: dns_children
48d54e4d 6391TYPE: HelperChildConfig
5473c134 6392IFDEF: USE_DNSSERVERS
48d54e4d 6393DEFAULT: 32 startup=1 idle=1
5473c134 6394LOC: Config.dnsChildren
58850d15 6395DOC_START
48d54e4d
AJ		 6396 The maximum number of processes spawn to service DNS name lookups.
6397 If you limit it too few Squid will have to wait for them to process
6398 a backlog of requests, slowing it down. If you allow too many they
6399 will use RAM and other system resources noticably.
6400 The maximum this may be safely set to is 32.
6401
6402 The startup= and idle= options allow some measure of skew in your
6403 tuning.
6404
6405 startup=
6406
6407 Sets a minimum of how many processes are to be spawned when Squid
6408 starts or reconfigures. When set to zero the first request will
6409 cause spawning of the first child process to handle it.
6410
6411 Starting too few will cause an initial slowdown in traffic as Squid
6412 attempts to simultaneously spawn enough processes to cope.
6413
6414 idle=
6415
6416 Sets a minimum of how many processes Squid is to try and keep available
6417 at all times. When traffic begins to rise above what the existing
6418 processes can handle this many more will be spawned up to the maximum
6419 configured. A minimum setting of 1 is required.
58850d15 6420DOC_END
6421
5473c134 6422NAME: dns_retransmit_interval
6423TYPE: time_t
6424DEFAULT: 5 seconds
6425LOC: Config.Timeout.idns_retransmit
6426IFDEF: !USE_DNSSERVERS
cccac0a2 6427DOC_START
5473c134 6428 Initial retransmit interval for DNS queries. The interval is
6429 doubled each time all configured DNS servers have been tried.
cccac0a2 6430DOC_END
6431
5473c134 6432NAME: dns_timeout
6433TYPE: time_t
6434DEFAULT: 2 minutes
6435LOC: Config.Timeout.idns_query
6436IFDEF: !USE_DNSSERVERS
cccac0a2 6437DOC_START
5473c134 6438 DNS Query timeout. If no response is received to a DNS query
6439 within this time all DNS servers for the queried domain
6440 are assumed to be unavailable.
cccac0a2 6441DOC_END
6442
5473c134 6443NAME: dns_defnames
6444COMMENT: on|off
cccac0a2 6445TYPE: onoff
cccac0a2 6446DEFAULT: off
5473c134 6447LOC: Config.onoff.res_defnames
cccac0a2 6448DOC_START
5473c134 6449 Normally the RES_DEFNAMES resolver option is disabled
6450 (see res_init(3)). This prevents caches in a hierarchy
6451 from interpreting single-component hostnames locally. To allow
6452 Squid to handle single-component names, enable this option.
cccac0a2 6453DOC_END
6454
5473c134 6455NAME: dns_nameservers
6456TYPE: wordlist
6457DEFAULT: none
6458LOC: Config.dns_nameservers
cccac0a2 6459DOC_START
5473c134 6460 Use this if you want to specify a list of DNS name servers
6461 (IP addresses) to use instead of those given in your
6462 /etc/resolv.conf file.
6463 On Windows platforms, if no value is specified here or in
6464 the /etc/resolv.conf file, the list of DNS name servers are
6465 taken from the Windows registry, both static and dynamic DHCP
6466 configurations are supported.
cccac0a2 6467
5473c134 6468 Example: dns_nameservers 10.0.0.1 192.172.0.4
cccac0a2 6469DOC_END
6470
5473c134 6471NAME: hosts_file
cccac0a2 6472TYPE: string
5473c134 6473DEFAULT: @DEFAULT_HOSTS@
6474LOC: Config.etcHostsPath
cccac0a2 6475DOC_START
5473c134 6476 Location of the host-local IP name-address associations
6477 database. Most Operating Systems have such a file on different
6478 default locations:
6479 - Un*X & Linux: /etc/hosts
6480 - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
6481 (%SystemRoot% value install default is c:\winnt)
6482 - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
6483 (%SystemRoot% value install default is c:\windows)
6484 - Windows 9x/Me: %windir%\hosts
6485 (%windir% value is usually c:\windows)
6486 - Cygwin: /etc/hosts
cccac0a2 6487
5473c134 6488 The file contains newline-separated definitions, in the
6489 form ip_address_in_dotted_form name [name ...] names are
6490 whitespace-separated. Lines beginning with an hash (#)
6491 character are comments.
cccac0a2 6492
5473c134 6493 The file is checked at startup and upon configuration.
6494 If set to 'none', it won't be checked.
6495 If append_domain is used, that domain will be added to
6496 domain-local (i.e. not containing any dot character) host
6497 definitions.
cccac0a2 6498DOC_END
6499
5473c134 6500NAME: append_domain
6501TYPE: string
6502LOC: Config.appendDomain
6503DEFAULT: none
6a2f3fcf 6504DOC_START
5473c134 6505 Appends local domain name to hostnames without any dots in
6506 them. append_domain must begin with a period.
6507
6508 Be warned there are now Internet names with no dots in
6509 them using only top-domain names, so setting this may
6510 cause some Internet sites to become unavailable.
6511
6512Example:
6513 append_domain .yourdomain.com
6a2f3fcf 6514DOC_END
6515
5473c134 6516NAME: ignore_unknown_nameservers
6517TYPE: onoff
6518LOC: Config.onoff.ignore_unknown_nameservers
df6fd596 6519DEFAULT: on
6520DOC_START
5473c134 6521 By default Squid checks that DNS responses are received
6522 from the same IP addresses they are sent to. If they
6523 don't match, Squid ignores the response and writes a warning
6524 message to cache.log. You can allow responses from unknown
6525 nameservers by setting this option to 'off'.
df6fd596 6526DOC_END
6527
cc192b50 6528NAME: dns_v4_fallback
6529TYPE: onoff
6530DEFAULT: on
6531LOC: Config.onoff.dns_require_A
6532DOC_START
6533 Standard practice with DNS is to lookup either A or AAAA records
6534 and use the results if it succeeds. Only looking up the other if
6535 the first attempt fails or otherwise produces no results.
6536
6537 That policy however will cause squid to produce error pages for some
6538 servers that advertise AAAA but are unreachable over IPv6.
6539
6540 If this is ON squid will always lookup both AAAA and A, using both.
6541 If this is OFF squid will lookup AAAA and only try A if none found.
6542
6543 WARNING: There are some possibly unwanted side-effects with this on:
6544 *) Doubles the load placed by squid on the DNS network.
6545 *) May negatively impact connection delay times.
6546DOC_END
6547
6bc15a4f 6548NAME: ipcache_size
6549COMMENT: (number of entries)
6550TYPE: int
6551DEFAULT: 1024
6552LOC: Config.ipcache.size
6553DOC_NONE
6554
6555NAME: ipcache_low
6556COMMENT: (percent)
6557TYPE: int
6558DEFAULT: 90
6559LOC: Config.ipcache.low
6560DOC_NONE
6561
6562NAME: ipcache_high
6563COMMENT: (percent)
6564TYPE: int
6565DEFAULT: 95
6566LOC: Config.ipcache.high
6567DOC_START
6568 The size, low-, and high-water marks for the IP cache.
6569DOC_END
6570
6571NAME: fqdncache_size
6572COMMENT: (number of entries)
6573TYPE: int
6574DEFAULT: 1024
6575LOC: Config.fqdncache.size
6576DOC_START
6577 Maximum number of FQDN cache entries.
6578DOC_END
6579
a58ff010 6580COMMENT_START
5473c134 6581 MISCELLANEOUS
a58ff010 6582 -----------------------------------------------------------------------------
6583COMMENT_END
6584
5473c134 6585NAME: memory_pools
a58ff010 6586COMMENT: on|off
5473c134 6587TYPE: onoff
6588DEFAULT: on
6589LOC: Config.onoff.mem_pools
a58ff010 6590DOC_START
5473c134 6591 If set, Squid will keep pools of allocated (but unused) memory
6592 available for future use. If memory is a premium on your
6593 system and you believe your malloc library outperforms Squid
6594 routines, disable this.
a58ff010 6595DOC_END
6596
5473c134 6597NAME: memory_pools_limit
6598COMMENT: (bytes)
6599TYPE: b_size_t
6600DEFAULT: 5 MB
6601LOC: Config.MemPools.limit
ec1245f8 6602DOC_START
5473c134 6603 Used only with memory_pools on:
6604 memory_pools_limit 50 MB
ec1245f8 6605
5473c134 6606 If set to a non-zero value, Squid will keep at most the specified
6607 limit of allocated (but unused) memory in memory pools. All free()
6608 requests that exceed this limit will be handled by your malloc
6609 library. Squid does not pre-allocate any memory, just safe-keeps
6610 objects that otherwise would be free()d. Thus, it is safe to set
6611 memory_pools_limit to a reasonably high value even if your
6612 configuration will use less memory.
ec1245f8 6613
5473c134 6614 If set to zero, Squid will keep all memory it can. That is, there
6615 will be no limit on the total amount of memory used for safe-keeping.
ec1245f8 6616
5473c134 6617 To disable memory allocation optimization, do not set
6618 memory_pools_limit to 0. Set memory_pools to "off" instead.
6619
6620 An overhead for maintaining memory pools is not taken into account
6621 when the limit is checked. This overhead is close to four bytes per
6622 object kept. However, pools may actually _save_ memory because of
6623 reduced memory thrashing in your malloc library.
ec1245f8 6624DOC_END
6625
5473c134 6626NAME: forwarded_for
67c06f0d
AJ		 6627COMMENT: on|off|transparent|truncate|delete
6628TYPE: string
5473c134 6629DEFAULT: on
6630LOC: opt_forwarded_for
5f8252d2 6631DOC_START
67c06f0d
AJ		 6632 If set to "on", Squid will append your client's IP address
6633 in the HTTP requests it forwards. By default it looks like:
5f8252d2 6634
5473c134 6635 X-Forwarded-For: 192.1.2.3
6636
67c06f0d 6637 If set to "off", it will appear as
5473c134 6638
6639 X-Forwarded-For: unknown
67c06f0d
AJ		 6640
6641 If set to "transparent", Squid will not alter the
6642 X-Forwarded-For header in any way.
6643
6644 If set to "delete", Squid will delete the entire
6645 X-Forwarded-For header.
6646
6647 If set to "truncate", Squid will remove all existing
6648 X-Forwarded-For entries, and place itself as the sole entry.
5f8252d2 6649DOC_END
6650
5473c134 6651NAME: cachemgr_passwd
6652TYPE: cachemgrpasswd
6653DEFAULT: none
6654LOC: Config.passwd_list
5f8252d2 6655DOC_START
5473c134 6656 Specify passwords for cachemgr operations.
5f8252d2 6657
5473c134 6658 Usage: cachemgr_passwd password action action ...
6659
6660 Some valid actions are (see cache manager menu for a full list):
6661 5min
6662 60min
6663 asndb
6664 authenticator
6665 cbdata
6666 client_list
6667 comm_incoming
6668 config *
6669 counters
6670 delay
6671 digest_stats
6672 dns
6673 events
6674 filedescriptors
6675 fqdncache
6676 histograms
6677 http_headers
6678 info
6679 io
6680 ipcache
6681 mem
6682 menu
6683 netdb
6684 non_peers
6685 objects
6686 offline_toggle *
6687 pconn
6688 peer_select
b360c477 6689 reconfigure *
5473c134 6690 redirector
6691 refresh
6692 server_list
6693 shutdown *
6694 store_digest
6695 storedir
6696 utilization
6697 via_headers
6698 vm_objects
6699
6700 * Indicates actions which will not be performed without a
6701 valid password, others can be performed if not listed here.
6702
6703 To disable an action, set the password to "disable".
6704 To allow performing an action without a password, set the
6705 password to "none".
6706
6707 Use the keyword "all" to set the same password for all actions.
6708
6709Example:
6710 cachemgr_passwd secret shutdown
6711 cachemgr_passwd lesssssssecret info stats/objects
6712 cachemgr_passwd disable all
5f8252d2 6713DOC_END
6714
5473c134 6715NAME: client_db
a58ff010 6716COMMENT: on|off
5473c134 6717TYPE: onoff
6718DEFAULT: on
6719LOC: Config.onoff.client_db
a58ff010 6720DOC_START
5473c134 6721 If you want to disable collecting per-client statistics,
6722 turn off client_db here.
a58ff010 6723DOC_END
6724
5473c134 6725NAME: refresh_all_ims
6726COMMENT: on|off
6727TYPE: onoff
6728DEFAULT: off
6729LOC: Config.onoff.refresh_all_ims
a58ff010 6730DOC_START
5473c134 6731 When you enable this option, squid will always check
6732 the origin server for an update when a client sends an
6733 If-Modified-Since request. Many browsers use IMS
6734 requests when the user requests a reload, and this
6735 ensures those clients receive the latest version.
a58ff010 6736
5473c134 6737 By default (off), squid may return a Not Modified response
6738 based on the age of the cached version.
78e8cfc4 6739DOC_END
6740
5473c134 6741NAME: reload_into_ims
6742IFDEF: HTTP_VIOLATIONS
12b91c99 6743COMMENT: on|off
5473c134 6744TYPE: onoff
6745DEFAULT: off
6746LOC: Config.onoff.reload_into_ims
12b91c99 6747DOC_START
5473c134 6748 When you enable this option, client no-cache or ``reload''
6749 requests will be changed to If-Modified-Since requests.
6750 Doing this VIOLATES the HTTP standard. Enabling this
6751 feature could make you liable for problems which it
6752 causes.
6753
6754 see also refresh_pattern for a more selective approach.
12b91c99 6755DOC_END
6756
5473c134 6757NAME: maximum_single_addr_tries
6758TYPE: int
6759LOC: Config.retry.maxtries
6760DEFAULT: 1
a58ff010 6761DOC_START
5473c134 6762 This sets the maximum number of connection attempts for a
6763 host that only has one address (for multiple-address hosts,
6764 each address is tried once).
6765
6766 The default value is one attempt, the (not recommended)
6767 maximum is 255 tries. A warning message will be generated
6768 if it is set to a value greater than ten.
6769
6770 Note: This is in addition to the request re-forwarding which
6771 takes place if Squid fails to get a satisfying response.
a58ff010 6772DOC_END
6773
5473c134 6774NAME: retry_on_error
a58ff010 6775TYPE: onoff
5473c134 6776LOC: Config.retry.onerror
a58ff010 6777DEFAULT: off
6778DOC_START
5473c134 6779 If set to on Squid will automatically retry requests when
6780 receiving an error response. This is mainly useful if you
6781 are in a complex cache hierarchy to work around access
6782 control errors.
5f8252d2 6783DOC_END
6784
5473c134 6785NAME: as_whois_server
5f8252d2 6786TYPE: string
5473c134 6787LOC: Config.as_whois_server
6788DEFAULT: whois.ra.net
6789DEFAULT_IF_NONE: whois.ra.net
5f8252d2 6790DOC_START
5473c134 6791 WHOIS server to query for AS numbers. NOTE: AS numbers are
6792 queried only when Squid starts up, not for every request.
5f8252d2 6793DOC_END
6794
5473c134 6795NAME: offline_mode
5f8252d2 6796TYPE: onoff
5473c134 6797LOC: Config.onoff.offline
5f8252d2 6798DEFAULT: off
6799DOC_START
5473c134 6800 Enable this option and Squid will never try to validate cached
6801 objects.
a58ff010 6802DOC_END
6803
5473c134 6804NAME: uri_whitespace
6805TYPE: uri_whitespace
6806LOC: Config.uri_whitespace
6807DEFAULT: strip
a58ff010 6808DOC_START
5473c134 6809 What to do with requests that have whitespace characters in the
6810 URI. Options:
a58ff010 6811
5473c134 6812 strip: The whitespace characters are stripped out of the URL.
6813 This is the behavior recommended by RFC2396.
6814 deny: The request is denied. The user receives an "Invalid
6815 Request" message.
6816 allow: The request is allowed and the URI is not changed. The
6817 whitespace characters remain in the URI. Note the
6818 whitespace is passed to redirector processes if they
6819 are in use.
6820 encode: The request is allowed and the whitespace characters are
6821 encoded according to RFC1738. This could be considered
6822 a violation of the HTTP/1.1
6823 RFC because proxies are not allowed to rewrite URI's.
6824 chop: The request is allowed and the URI is chopped at the
6825 first whitespace. This might also be considered a
6826 violation.
6827DOC_END
a58ff010 6828
5473c134 6829NAME: chroot
6830TYPE: string
6831LOC: Config.chroot_dir
a58ff010 6832DEFAULT: none
6833DOC_START
9f37c18a 6834 Specifies a directory where Squid should do a chroot() while
2d89f399
HN		 6835 initializing. This also causes Squid to fully drop root
6836 privileges after initializing. This means, for example, if you
6837 use a HTTP port less than 1024 and try to reconfigure, you may
6838 get an error saying that Squid can not open the port.
5473c134 6839DOC_END
a58ff010 6840
5473c134 6841NAME: balance_on_multiple_ip
6842TYPE: onoff
6843LOC: Config.onoff.balance_on_multiple_ip
cc192b50 6844DEFAULT: off
5473c134 6845DOC_START
cc192b50 6846 Modern IP resolvers in squid sort lookup results by preferred access.
6847 By default squid will use these IP in order and only rotates to
6848 the next listed when the most preffered fails.
6849
5473c134 6850 Some load balancing servers based on round robin DNS have been
6851 found not to preserve user session state across requests
6852 to different IP addresses.
a58ff010 6853
cc192b50 6854 Enabling this directive Squid rotates IP's per request.
a58ff010 6855DOC_END
6856
5473c134 6857NAME: pipeline_prefetch
6858TYPE: onoff
6859LOC: Config.onoff.pipeline_prefetch
6860DEFAULT: off
a58ff010 6861DOC_START
5473c134 6862 To boost the performance of pipelined requests to closer
6863 match that of a non-proxied environment Squid can try to fetch
6864 up to two requests in parallel from a pipeline.
a58ff010 6865
5473c134 6866 Defaults to off for bandwidth management and access logging
6867 reasons.
6868DOC_END
a58ff010 6869
5473c134 6870NAME: high_response_time_warning
6871TYPE: int
6872COMMENT: (msec)
6873LOC: Config.warnings.high_rptm
6874DEFAULT: 0
6875DOC_START
6876 If the one-minute median response time exceeds this value,
6877 Squid prints a WARNING with debug level 0 to get the
6878 administrators attention. The value is in milliseconds.
a58ff010 6879DOC_END
6880
5473c134 6881NAME: high_page_fault_warning
6882TYPE: int
6883LOC: Config.warnings.high_pf
6884DEFAULT: 0
cc9f92d4 6885DOC_START
5473c134 6886 If the one-minute average page fault rate exceeds this
6887 value, Squid prints a WARNING with debug level 0 to get
6888 the administrators attention. The value is in page faults
6889 per second.
6890DOC_END
cc9f92d4 6891
5473c134 6892NAME: high_memory_warning
6893TYPE: b_size_t
6894LOC: Config.warnings.high_memory
904971da 6895DEFAULT: 0 KB
5473c134 6896DOC_START
6897 If the memory usage (as determined by mallinfo) exceeds
904971da 6898 this amount, Squid prints a WARNING with debug level 0 to get
5473c134 6899 the administrators attention.
6900DOC_END
cc9f92d4 6901
5473c134 6902NAME: sleep_after_fork
6903COMMENT: (microseconds)
6904TYPE: int
6905LOC: Config.sleep_after_fork
6906DEFAULT: 0
6907DOC_START
6908 When this is set to a non-zero value, the main Squid process
6909 sleeps the specified number of microseconds after a fork()
6910 system call. This sleep may help the situation where your
6911 system reports fork() failures due to lack of (virtual)
6912 memory. Note, however, if you have a lot of child
6913 processes, these sleep delays will add up and your
6914 Squid will not service requests for some amount of time
6915 until all the child processes have been started.
6916 On Windows value less then 1000 (1 milliseconds) are
6917 rounded to 1000.
cc9f92d4 6918DOC_END
6919
b6696974 6920NAME: windows_ipaddrchangemonitor
6b0516c6 6921IFDEF: _SQUID_MSWIN_
b6696974
GS		 6922COMMENT: on|off
6923TYPE: onoff
6924DEFAULT: on
6925LOC: Config.onoff.WIN32_IpAddrChangeMonitor
6926DOC_START
6927 On Windows Squid by default will monitor IP address changes and will
6928 reconfigure itself after any detected event. This is very useful for
6929 proxies connected to internet with dial-up interfaces.
6930 In some cases (a Proxy server acting as VPN gateway is one) it could be
6931 desiderable to disable this behaviour setting this to 'off'.
6932 Note: after changing this, Squid service must be restarted.
6933DOC_END
6934
a98c2da5
AJ		 6935NAME: eui_lookup
6936TYPE: onoff
6937IFDEF: USE_SQUID_EUI
6938DEFAULT: on
6939LOC: Eui::TheConfig.euiLookup
6940DOC_START
6941 Whether to lookup the EUI or MAC address of a connected client.
6942DOC_END
6943
cccac0a2 6944EOF
Mirror of https://github.com/squid-cache/squid.git