]> git.ipfire.org Git - thirdparty/squid.git/blame - src/cf.data.pre
projects / thirdparty / squid.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Author: Regardt van de Vyver <squid@vdvyver.net>
[thirdparty/squid.git] / src / cf.data.pre
CommitLineData
3a278cb8 1
9cef6668 2#
c255af72 3# $Id: cf.data.pre,v 1.502 2008/02/12 00:05:11 amosjeffries Exp $
9cef6668 4#
6845f129 5# SQUID Web Proxy Cache http://www.squid-cache.org/
9cef6668 6# ----------------------------------------------------------
7#
2b6662ba 8# Squid is the result of efforts by numerous individuals from
9# the Internet community; see the CONTRIBUTORS file for full
10# details. Many organizations have provided support for Squid's
11# development; see the SPONSORS file for full details. Squid is
12# Copyrighted (C) 2000 by the Regents of the University of
13# California; see the COPYRIGHT file for full details. Squid
14# incorporates software developed and/or copyrighted by other
15# sources; see the CREDITS file for full details.
9cef6668 16#
17# This program is free software; you can redistribute it and/or modify
18# it under the terms of the GNU General Public License as published by
19# the Free Software Foundation; either version 2 of the License, or
20# (at your option) any later version.
96d88dcb 21#
9cef6668 22# This program is distributed in the hope that it will be useful,
23# but WITHOUT ANY WARRANTY; without even the implied warranty of
24# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25# GNU General Public License for more details.
96d88dcb 26#
9cef6668 27# You should have received a copy of the GNU General Public License
28# along with this program; if not, write to the Free Software
29# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
30#
31
0f74202c 32COMMENT_START
cccac0a2 33 WELCOME TO SQUID @VERSION@
34 ----------------------------
3a278cb8 35
cccac0a2 36 This is the default Squid configuration file. You may wish
37 to look at the Squid home page (http://www.squid-cache.org/)
38 for the FAQ and other documentation.
3a278cb8 39
cccac0a2 40 The default Squid config file shows what the defaults for
41 various options happen to be. If you don't need to change the
42 default, you shouldn't uncomment the line. Doing so may cause
43 run-time problems. In some cases "none" refers to no default
44 setting at all, while in other cases it refers to a valid
45 option - the comments for that keyword indicate if this is the
46 case.
debd9a31 47
cccac0a2 48COMMENT_END
3a278cb8 49
592a09dc 50COMMENT_START
51 Configuration options can be included using the "include" directive.
52 Include takes a list of files to include. Quoting and wildcards is
53 supported.
54
55 For example,
56
57 include /path/to/included/file/squid.acl.config
58
59 Includes can be nested up to a hard-coded depth of 16 levels.
60 This arbitrary restriction is to prevent recursive include references
61 from causing Squid entering an infinite loop whilst trying to load
62 configuration files.
63COMMENT_END
64
5473c134 65COMMENT_START
41bd17a4 66 OPTIONS FOR AUTHENTICATION
5473c134 67 -----------------------------------------------------------------------------
68COMMENT_END
69
41bd17a4 70NAME: auth_param
71TYPE: authparam
72LOC: Config.authConfiguration
cccac0a2 73DEFAULT: none
74DOC_START
41bd17a4 75 This is used to define parameters for the various authentication
76 schemes supported by Squid.
cccac0a2 77
41bd17a4 78 format: auth_param scheme parameter [setting]
cccac0a2 79
41bd17a4 80 The order in which authentication schemes are presented to the client is
81 dependent on the order the scheme first appears in config file. IE
82 has a bug (it's not RFC 2617 compliant) in that it will use the basic
83 scheme if basic is the first entry presented, even if more secure
84 schemes are presented. For now use the order in the recommended
85 settings section below. If other browsers have difficulties (don't
86 recognize the schemes offered even if you are using basic) either
87 put basic first, or disable the other schemes (by commenting out their
88 program entry).
cccac0a2 89
41bd17a4 90 Once an authentication scheme is fully configured, it can only be
91 shutdown by shutting squid down and restarting. Changes can be made on
92 the fly and activated with a reconfigure. I.E. You can change to a
93 different helper, but not unconfigure the helper completely.
cccac0a2 94
41bd17a4 95 Please note that while this directive defines how Squid processes
96 authentication it does not automatically activate authentication.
97 To use authentication you must in addition make use of ACLs based
98 on login name in http_access (proxy_auth, proxy_auth_regex or
99 external with %LOGIN used in the format tag). The browser will be
100 challenged for authentication on the first such acl encountered
101 in http_access processing and will also be re-challenged for new
102 login credentials if the request is being denied by a proxy_auth
103 type acl.
cccac0a2 104
41bd17a4 105 WARNING: authentication can't be used in a transparently intercepting
106 proxy as the client then thinks it is talking to an origin server and
107 not the proxy. This is a limitation of bending the TCP/IP protocol to
108 transparently intercepting port 80, not a limitation in Squid.
13b5cd0c
AJ		 109 Ports flagged 'transparent', 'intercept', or 'tproxy' have authentication
110 disabled.
cccac0a2 111
41bd17a4 112 === Parameters for the basic scheme follow. ===
cccac0a2 113
41bd17a4 114 "program" cmdline
115 Specify the command for the external authenticator. Such a program
116 reads a line containing "username password" and replies "OK" or
117 "ERR" in an endless loop. "ERR" responses may optionally be followed
118 by a error description available as %m in the returned error page.
119 If you use an authenticator, make sure you have 1 acl of type proxy_auth.
cccac0a2 120
41bd17a4 121 By default, the basic authentication scheme is not used unless a
122 program is specified.
cccac0a2 123
41bd17a4 124 If you want to use the traditional NCSA proxy authentication, set
125 this line to something like
307b83b7 126
41bd17a4 127 auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
9e7dbc51 128
41bd17a4 129 "children" numberofchildren
130 The number of authenticator processes to spawn. If you start too few
131 Squid will have to wait for them to process a backlog of credential
132 verifications, slowing it down. When password verifications are
133 done via a (slow) network you are likely to need lots of
134 authenticator processes.
135 auth_param basic children 5
9e7dbc51 136
41bd17a4 137 "concurrency" concurrency
138 The number of concurrent requests the helper can process.
139 The default of 0 is used for helpers who only supports
140 one request at a time. Setting this changes the protocol used to
141 include a channel number first on the request/response line, allowing
142 multiple requests to be sent to the same helper in parallell without
143 wating for the response.
144 Must not be set unless it's known the helper supports this.
145 auth_param basic concurrency 0
0fdafae7 146
41bd17a4 147 "realm" realmstring
148 Specifies the realm name which is to be reported to the
149 client for the basic proxy authentication scheme (part of
150 the text the user will see when prompted their username and
151 password). There is no default.
152 auth_param basic realm Squid proxy-caching web server
d1b63fc8 153
41bd17a4 154 "credentialsttl" timetolive
155 Specifies how long squid assumes an externally validated
156 username:password pair is valid for - in other words how
157 often the helper program is called for that user. Set this
158 low to force revalidation with short lived passwords. Note
159 setting this high does not impact your susceptibility
160 to replay attacks unless you are using an one-time password
161 system (such as SecureID). If you are using such a system,
162 you will be vulnerable to replay attacks unless you also
163 use the max_user_ip ACL in an http_access rule.
cccac0a2 164
41bd17a4 165 "casesensitive" on|off
166 Specifies if usernames are case sensitive. Most user databases are
167 case insensitive allowing the same username to be spelled using both
168 lower and upper case letters, but some are case sensitive. This
169 makes a big difference for user_max_ip ACL processing and similar.
170 auth_param basic casesensitive off
cccac0a2 171
41bd17a4 172 === Parameters for the digest scheme follow ===
cccac0a2 173
41bd17a4 174 "program" cmdline
175 Specify the command for the external authenticator. Such
176 a program reads a line containing "username":"realm" and
177 replies with the appropriate H(A1) value hex encoded or
178 ERR if the user (or his H(A1) hash) does not exists.
179 See rfc 2616 for the definition of H(A1).
180 "ERR" responses may optionally be followed by a error description
181 available as %m in the returned error page.
cccac0a2 182
41bd17a4 183 By default, the digest authentication scheme is not used unless a
184 program is specified.
b8c0c06d 185
41bd17a4 186 If you want to use a digest authenticator, set this line to
187 something like
cccac0a2 188
41bd17a4 189 auth_param digest program @DEFAULT_PREFIX@/bin/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass
cccac0a2 190
41bd17a4 191 "children" numberofchildren
192 The number of authenticator processes to spawn (no default).
193 If you start too few Squid will have to wait for them to
194 process a backlog of H(A1) calculations, slowing it down.
195 When the H(A1) calculations are done via a (slow) network
196 you are likely to need lots of authenticator processes.
197 auth_param digest children 5
cccac0a2 198
41bd17a4 199 "realm" realmstring
200 Specifies the realm name which is to be reported to the
201 client for the digest proxy authentication scheme (part of
202 the text the user will see when prompted their username and
203 password). There is no default.
204 auth_param digest realm Squid proxy-caching web server
cccac0a2 205
41bd17a4 206 "nonce_garbage_interval" timeinterval
207 Specifies the interval that nonces that have been issued
208 to client_agent's are checked for validity.
cccac0a2 209
41bd17a4 210 "nonce_max_duration" timeinterval
211 Specifies the maximum length of time a given nonce will be
212 valid for.
cccac0a2 213
41bd17a4 214 "nonce_max_count" number
215 Specifies the maximum number of times a given nonce can be
216 used.
cccac0a2 217
41bd17a4 218 "nonce_strictness" on|off
219 Determines if squid requires strict increment-by-1 behavior
220 for nonce counts, or just incrementing (off - for use when
221 useragents generate nonce counts that occasionally miss 1
222 (ie, 1,2,4,6)). Default off.
cccac0a2 223
41bd17a4 224 "check_nonce_count" on|off
225 This directive if set to off can disable the nonce count check
226 completely to work around buggy digest qop implementations in
227 certain mainstream browser versions. Default on to check the
228 nonce count to protect from authentication replay attacks.
cccac0a2 229
41bd17a4 230 "post_workaround" on|off
231 This is a workaround to certain buggy browsers who sends
232 an incorrect request digest in POST requests when reusing
233 the same nonce as acquired earlier on a GET request.
cccac0a2 234
41bd17a4 235 === NTLM scheme options follow ===
cccac0a2 236
41bd17a4 237 "program" cmdline
238 Specify the command for the external NTLM authenticator.
239 Such a program reads exchanged NTLMSSP packets with
240 the browser via Squid until authentication is completed.
241 If you use an NTLM authenticator, make sure you have 1 acl
242 of type proxy_auth. By default, the NTLM authenticator_program
243 is not used.
cccac0a2 244
41bd17a4 245 auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
cccac0a2 246
41bd17a4 247 "children" numberofchildren
248 The number of authenticator processes to spawn (no default).
249 If you start too few Squid will have to wait for them to
250 process a backlog of credential verifications, slowing it
251 down. When credential verifications are done via a (slow)
252 network you are likely to need lots of authenticator
253 processes.
cccac0a2 254
41bd17a4 255 auth_param ntlm children 5
cccac0a2 256
41bd17a4 257 "keep_alive" on|off
258 If you experience problems with PUT/POST requests when using the
259 Negotiate authentication scheme then you can try setting this to
260 off. This will cause Squid to forcibly close the connection on
261 the initial requests where the browser asks which schemes are
262 supported by the proxy.
cccac0a2 263
41bd17a4 264 auth_param ntlm keep_alive on
cccac0a2 265
41bd17a4 266 === Options for configuring the NEGOTIATE auth-scheme follow ===
cccac0a2 267
41bd17a4 268 "program" cmdline
269 Specify the command for the external Negotiate authenticator.
270 This protocol is used in Microsoft Active-Directory enabled setups with
271 the Microsoft Internet Explorer or Mozilla Firefox browsers.
272 Its main purpose is to exchange credentials with the Squid proxy
273 using the Kerberos mechanisms.
274 If you use a Negotiate authenticator, make sure you have at least one acl
275 of type proxy_auth active. By default, the negotiate authenticator_program
276 is not used.
277 The only supported program for this role is the ntlm_auth
278 program distributed as part of Samba, version 4 or later.
cccac0a2 279
41bd17a4 280 auth_param negotiate program @DEFAULT_PREFIX@/bin/ntlm_auth --helper-protocol=gss-spnego
cccac0a2 281
41bd17a4 282 "children" numberofchildren
283 The number of authenticator processes to spawn (no default).
284 If you start too few Squid will have to wait for them to
285 process a backlog of credential verifications, slowing it
286 down. When crendential verifications are done via a (slow)
287 network you are likely to need lots of authenticator
288 processes.
289 auth_param negotiate children 5
d3803853 290
41bd17a4 291 "keep_alive" on|off
292 If you experience problems with PUT/POST requests when using the
293 Negotiate authentication scheme then you can try setting this to
294 off. This will cause Squid to forcibly close the connection on
295 the initial requests where the browser asks which schemes are
296 supported by the proxy.
527ee50d 297
41bd17a4 298 auth_param negotiate keep_alive on
cccac0a2 299
41bd17a4 300NOCOMMENT_START
301#Recommended minimum configuration per scheme:
302#auth_param negotiate program <uncomment and complete this line to activate>
303#auth_param negotiate children 5
304#auth_param negotiate keep_alive on
305#auth_param ntlm program <uncomment and complete this line to activate>
306#auth_param ntlm children 5
307#auth_param ntlm keep_alive on
308#auth_param digest program <uncomment and complete this line>
309#auth_param digest children 5
310#auth_param digest realm Squid proxy-caching web server
311#auth_param digest nonce_garbage_interval 5 minutes
312#auth_param digest nonce_max_duration 30 minutes
313#auth_param digest nonce_max_count 50
314#auth_param basic program <uncomment and complete this line>
315#auth_param basic children 5
316#auth_param basic realm Squid proxy-caching web server
317#auth_param basic credentialsttl 2 hours
318NOCOMMENT_END
319DOC_END
cccac0a2 320
41bd17a4 321NAME: authenticate_cache_garbage_interval
322TYPE: time_t
323DEFAULT: 1 hour
324LOC: Config.authenticateGCInterval
325DOC_START
326 The time period between garbage collection across the username cache.
327 This is a tradeoff between memory utilization (long intervals - say
328 2 days) and CPU (short intervals - say 1 minute). Only change if you
329 have good reason to.
330DOC_END
cccac0a2 331
41bd17a4 332NAME: authenticate_ttl
333TYPE: time_t
334DEFAULT: 1 hour
335LOC: Config.authenticateTTL
336DOC_START
337 The time a user & their credentials stay in the logged in
338 user cache since their last request. When the garbage
339 interval passes, all user credentials that have passed their
340 TTL are removed from memory.
341DOC_END
cccac0a2 342
41bd17a4 343NAME: authenticate_ip_ttl
344TYPE: time_t
345LOC: Config.authenticateIpTTL
346DEFAULT: 0 seconds
347DOC_START
348 If you use proxy authentication and the 'max_user_ip' ACL,
349 this directive controls how long Squid remembers the IP
350 addresses associated with each user. Use a small value
351 (e.g., 60 seconds) if your users might change addresses
352 quickly, as is the case with dialups. You might be safe
353 using a larger value (e.g., 2 hours) in a corporate LAN
354 environment with relatively static address assignments.
355DOC_END
cccac0a2 356
3d1e3e43 357COMMENT_START
358 ACCESS CONTROLS
359 -----------------------------------------------------------------------------
360COMMENT_END
361
41bd17a4 362NAME: external_acl_type
363TYPE: externalAclHelper
364LOC: Config.externalAclHelperList
cccac0a2 365DEFAULT: none
cccac0a2 366DOC_START
41bd17a4 367 This option defines external acl classes using a helper program
368 to look up the status
cccac0a2 369
41bd17a4 370 external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
cccac0a2 371
41bd17a4 372 Options:
cccac0a2 373
41bd17a4 374 ttl=n TTL in seconds for cached results (defaults to 3600
375 for 1 hour)
376 negative_ttl=n
377 TTL for cached negative lookups (default same
378 as ttl)
379 children=n Number of acl helper processes spawn to service
380 external acl lookups of this type. (default 5)
381 concurrency=n concurrency level per process. Only used with helpers
382 capable of processing more than one query at a time.
383 cache=n result cache size, 0 is unbounded (default)
384 grace=n Percentage remaining of TTL where a refresh of a
385 cached entry should be initiated without needing to
386 wait for a new reply. (default 0 for no grace period)
387 protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
cc192b50 388 ipv4 / ipv6 IP-mode used to communicate to this helper.
389 For compatability with older configurations and helpers
390 'ipv4' is the default unless --with-localhost-ipv6 is used.
391 --with-localhost-ipv6 changes the default to 'ipv6'.
392 SPECIAL NOTE: these options override --with-localhost-ipv6
cccac0a2 393
41bd17a4 394 FORMAT specifications
cccac0a2 395
41bd17a4 396 %LOGIN Authenticated user login name
397 %EXT_USER Username from external acl
398 %IDENT Ident user name
399 %SRC Client IP
400 %SRCPORT Client source port
401 %URI Requested URI
402 %DST Requested host
403 %PROTO Requested protocol
404 %PORT Requested port
405 %PATH Requested URL path
406 %METHOD Request method
407 %MYADDR Squid interface address
408 %MYPORT Squid http_port number
409 %PATH Requested URL-path (including query-string if any)
410 %USER_CERT SSL User certificate in PEM format
411 %USER_CERTCHAIN SSL User certificate chain in PEM format
412 %USER_CERT_xx SSL User certificate subject attribute xx
413 %USER_CA_xx SSL User certificate issuer attribute xx
7b0ca1e8
AJ		 414
415 %>{Header} HTTP request header
416 %>{Hdr:member}
417 HTTP request header list member
418 %>{Hdr:;member}
41bd17a4 419 HTTP request header list member using ; as
420 list separator. ; can be any non-alphanumeric
421 character.
cccac0a2 422
7b0ca1e8
AJ		 423 %<{Header} HTTP reply header
424 %<{Hdr:member}
425 HTTP reply header list member
426 %<{Hdr:;member}
427 HTTP reply header list member using ; as
428 list separator. ; can be any non-alphanumeric
429 character.
430
41bd17a4 431 In addition to the above, any string specified in the referencing
432 acl will also be included in the helper request line, after the
433 specified formats (see the "acl external" directive)
cccac0a2 434
41bd17a4 435 The helper receives lines per the above format specification,
436 and returns lines starting with OK or ERR indicating the validity
437 of the request and optionally followed by additional keywords with
438 more details.
cccac0a2 439
41bd17a4 440 General result syntax:
cccac0a2 441
41bd17a4 442 OK/ERR keyword=value ...
cccac0a2 443
41bd17a4 444 Defined keywords:
cccac0a2 445
41bd17a4 446 user= The users name (login)
447 password= The users password (for login= cache_peer option)
448 message= Message describing the reason. Available as %o
449 in error pages
450 tag= Apply a tag to a request (for both ERR and OK results)
451 Only sets a tag, does not alter existing tags.
452 log= String to be logged in access.log. Available as
453 %ea in logformat specifications
934b03fc 454
41bd17a4 455 If protocol=3.0 (the default) then URL escaping is used to protect
456 each value in both requests and responses.
6a566b9c 457
41bd17a4 458 If using protocol=2.5 then all values need to be enclosed in quotes
459 if they may contain whitespace, or the whitespace escaped using \.
460 And quotes or \ characters within the keyword value must be \ escaped.
1e5562e3 461
41bd17a4 462 When using the concurrency= option the protocol is changed by
463 introducing a query channel tag infront of the request/response.
464 The query channel tag is a number between 0 and concurrency-1.
cccac0a2 465DOC_END
466
41bd17a4 467NAME: acl
468TYPE: acl
469LOC: Config.aclList
1f5bd0a4 470DEFAULT: all src all
cccac0a2 471DOC_START
41bd17a4 472 Defining an Access List
cccac0a2 473
375eeb3b
AJ		 474 Every access list definition must begin with an aclname and acltype,
475 followed by either type-specific arguments or a quoted filename that
476 they are read from.
cccac0a2 477
375eeb3b
AJ		 478 acl aclname acltype argument ...
479 acl aclname acltype "file" ...
cccac0a2 480
375eeb3b 481 When using "file", the file should contain one item per line.
cccac0a2 482
41bd17a4 483 By default, regular expressions are CASE-SENSITIVE. To make
484 them case-insensitive, use the -i option.
cccac0a2 485
e988aa40
AJ		 486
487 ***** ACL TYPES AVAILABLE *****
488
375eeb3b
AJ		 489 acl aclname src ip-address/netmask ... # clients IP address
490 acl aclname src addr1-addr2/netmask ... # range of addresses
491 acl aclname dst ip-address/netmask ... # URL host's IP address
492 acl aclname myip ip-address/netmask ... # local socket IP address
cccac0a2 493
41bd17a4 494 acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
495 # The arp ACL requires the special configure option --enable-arp-acl.
496 # Furthermore, the ARP ACL code is not portable to all operating systems.
497 # It works on Linux, Solaris, Windows, FreeBSD, and some other *BSD variants.
498 #
499 # NOTE: Squid can only determine the MAC address for clients that are on
500 # the same subnet. If the client is on a different subnet, then Squid cannot
501 # find out its MAC address.
934b03fc 502
375eeb3b
AJ		 503 acl aclname srcdomain .foo.com ... # reverse lookup, from client IP
504 acl aclname dstdomain .foo.com ... # Destination server from URL
505 acl aclname srcdom_regex [-i] \.foo\.com ... # regex matching client name
506 acl aclname dstdom_regex [-i] \.foo\.com ... # regex matching server
41bd17a4 507 # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
508 # based URL is used and no match is found. The name "none" is used
509 # if the reverse lookup fails.
9bc73deb 510
375eeb3b
AJ		 511 acl aclname src_as number ...
512 acl aclname dst_as number ...
e988aa40
AJ		 513 # Except for access control, AS numbers can be used for
514 # routing of requests to specific caches. Here's an
515 # example for routing all requests for AS#1241 and only
516 # those to mycache.mydomain.net:
517 # acl asexample dst_as 1241
518 # cache_peer_access mycache.mydomain.net allow asexample
519 # cache_peer_access mycache_mydomain.net deny all
7f7db318 520
6db78a1a
AJ		 521 acl aclname peername myPeer ...
522 # match against a named cache_peer entry
523 # set unique name= on cache_peer lines for reliable use.
524
375eeb3b
AJ		 525 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
526 # day-abbrevs:
527 # S - Sunday
528 # M - Monday
529 # T - Tuesday
530 # W - Wednesday
531 # H - Thursday
532 # F - Friday
533 # A - Saturday
534 # h1:m1 must be less than h2:m2
535
536 acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
41bd17a4 537 acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
e988aa40 538
375eeb3b
AJ		 539 acl aclname port 80 70 21 ...
540 acl aclname port 0-1024 ... # ranges allowed
541 acl aclname myport 3128 ... # (local socket TCP port)
197f6b3c 542 acl aclname myportname 3128 ... # http(s)_port name
e988aa40 543
375eeb3b 544 acl aclname proto HTTP FTP ...
e988aa40 545
375eeb3b 546 acl aclname method GET POST ...
e988aa40
AJ		 547
548 acl aclname http_status 200 301 500- 400-403 ... # status code in reply
549
375eeb3b 550 acl aclname browser [-i] regexp ...
41bd17a4 551 # pattern match on User-Agent header (see also req_header below)
e988aa40 552
375eeb3b 553 acl aclname referer_regex [-i] regexp ...
41bd17a4 554 # pattern match on Referer header
555 # Referer is highly unreliable, so use with care
e988aa40 556
375eeb3b 557 acl aclname ident username ...
41bd17a4 558 acl aclname ident_regex [-i] pattern ...
559 # string match on ident output.
560 # use REQUIRED to accept any non-null ident.
cf5cc17e 561
41bd17a4 562 acl aclname proxy_auth [-i] username ...
563 acl aclname proxy_auth_regex [-i] pattern ...
564 # list of valid usernames
565 # use REQUIRED to accept any valid username.
566 #
567 # NOTE: when a Proxy-Authentication header is sent but it is not
568 # needed during ACL checking the username is NOT logged
569 # in access.log.
570 #
571 # NOTE: proxy_auth requires a EXTERNAL authentication program
572 # to check username/password combinations (see
573 # auth_param directive).
574 #
e988aa40
AJ		 575 # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
576 # as the browser needs to be configured for using a proxy in order
41bd17a4 577 # to respond to proxy authentication.
8e8d4f30 578
41bd17a4 579 acl aclname snmp_community string ...
580 # A community string to limit access to your SNMP Agent
581 # Example:
582 #
583 # acl snmppublic snmp_community public
934b03fc 584
41bd17a4 585 acl aclname maxconn number
586 # This will be matched when the client's IP address has
587 # more than <number> HTTP connections established.
1e5562e3 588
41bd17a4 589 acl aclname max_user_ip [-s] number
590 # This will be matched when the user attempts to log in from more
591 # than <number> different ip addresses. The authenticate_ip_ttl
592 # parameter controls the timeout on the ip entries.
593 # If -s is specified the limit is strict, denying browsing
594 # from any further IP addresses until the ttl has expired. Without
595 # -s Squid will just annoy the user by "randomly" denying requests.
596 # (the counter is reset each time the limit is reached and a
597 # request is denied)
598 # NOTE: in acceleration mode or where there is mesh of child proxies,
599 # clients may appear to come from multiple addresses if they are
600 # going through proxy farms, so a limit of 1 may cause user problems.
cccac0a2 601
375eeb3b 602 acl aclname req_mime_type [-i] mime-type ...
41bd17a4 603 # regex match against the mime type of the request generated
604 # by the client. Can be used to detect file upload or some
605 # types HTTP tunneling requests.
606 # NOTE: This does NOT match the reply. You cannot use this
607 # to match the returned file type.
cccac0a2 608
41bd17a4 609 acl aclname req_header header-name [-i] any\.regex\.here
610 # regex match against any of the known request headers. May be
611 # thought of as a superset of "browser", "referer" and "mime-type"
612 # ACLs.
cccac0a2 613
375eeb3b 614 acl aclname rep_mime_type [-i] mime-type ...
41bd17a4 615 # regex match against the mime type of the reply received by
616 # squid. Can be used to detect file download or some
617 # types HTTP tunneling requests.
618 # NOTE: This has no effect in http_access rules. It only has
619 # effect in rules that affect the reply data stream such as
620 # http_reply_access.
cccac0a2 621
41bd17a4 622 acl aclname rep_header header-name [-i] any\.regex\.here
623 # regex match against any of the known reply headers. May be
624 # thought of as a superset of "browser", "referer" and "mime-type"
625 # ACLs.
cccac0a2 626
375eeb3b 627 acl aclname external class_name [arguments...]
41bd17a4 628 # external ACL lookup via a helper class defined by the
629 # external_acl_type directive.
cccac0a2 630
41bd17a4 631 acl aclname user_cert attribute values...
632 # match against attributes in a user SSL certificate
633 # attribute is one of DN/C/O/CN/L/ST
cccac0a2 634
41bd17a4 635 acl aclname ca_cert attribute values...
636 # match against attributes a users issuing CA SSL certificate
637 # attribute is one of DN/C/O/CN/L/ST
cccac0a2 638
41bd17a4 639 acl aclname ext_user username ...
640 acl aclname ext_user_regex [-i] pattern ...
641 # string match on username returned by external acl helper
642 # use REQUIRED to accept any non-null user name.
cccac0a2 643
41bd17a4 644Examples:
645acl macaddress arp 09:00:2b:23:45:67
646acl myexample dst_as 1241
647acl password proxy_auth REQUIRED
648acl fileupload req_mime_type -i ^multipart/form-data$
649acl javascript rep_mime_type -i ^application/x-javascript$
cccac0a2 650
41bd17a4 651NOCOMMENT_START
652#Recommended minimum configuration:
41bd17a4 653acl manager proto cache_object
ee776778 654acl localhost src 127.0.0.1/32
41bd17a4 655acl to_localhost dst 127.0.0.0/8
ee776778 656#
657# Example rule allowing access from your local networks.
658# Adapt to list your (internal) IP networks from where browsing
659# should be allowed
660acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
661acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
662acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
663#
41bd17a4 664acl SSL_ports port 443
665acl Safe_ports port 80 # http
666acl Safe_ports port 21 # ftp
667acl Safe_ports port 443 # https
668acl Safe_ports port 70 # gopher
669acl Safe_ports port 210 # wais
670acl Safe_ports port 1025-65535 # unregistered ports
671acl Safe_ports port 280 # http-mgmt
672acl Safe_ports port 488 # gss-http
673acl Safe_ports port 591 # filemaker
674acl Safe_ports port 777 # multiling http
675acl CONNECT method CONNECT
676NOCOMMENT_END
677DOC_END
cccac0a2 678
3d674977
AJ		 679NAME: follow_x_forwarded_for
680TYPE: acl_access
681IFDEF: FOLLOW_X_FORWARDED_FOR
682LOC: Config.accessList.followXFF
683DEFAULT: none
684DEFAULT_IF_NONE: deny all
685DOC_START
686 Allowing or Denying the X-Forwarded-For header to be followed to
687 find the original source of a request.
688
689 Requests may pass through a chain of several other proxies
690 before reaching us. The X-Forwarded-For header will contain a
691 comma-separated list of the IP addresses in the chain, with the
692 rightmost address being the most recent.
693
694 If a request reaches us from a source that is allowed by this
695 configuration item, then we consult the X-Forwarded-For header
696 to see where that host received the request from. If the
697 X-Forwarded-For header contains multiple addresses, and if
698 acl_uses_indirect_client is on, then we continue backtracking
699 until we reach an address for which we are not allowed to
700 follow the X-Forwarded-For header, or until we reach the first
701 address in the list. (If acl_uses_indirect_client is off, then
702 it's impossible to backtrack through more than one level of
703 X-Forwarded-For addresses.)
704
705 The end result of this process is an IP address that we will
706 refer to as the indirect client address. This address may
707 be treated as the client address for access control, delay
708 pools and logging, depending on the acl_uses_indirect_client,
709 delay_pool_uses_indirect_client and log_uses_indirect_client
710 options.
711
712 SECURITY CONSIDERATIONS:
713
714 Any host for which we follow the X-Forwarded-For header
715 can place incorrect information in the header, and Squid
716 will use the incorrect information as if it were the
717 source address of the request. This may enable remote
718 hosts to bypass any access control restrictions that are
719 based on the client's source addresses.
720
721 For example:
722
723 acl localhost src 127.0.0.1
724 acl my_other_proxy srcdomain .proxy.example.com
725 follow_x_forwarded_for allow localhost
726 follow_x_forwarded_for allow my_other_proxy
727DOC_END
728
729NAME: acl_uses_indirect_client
730COMMENT: on|off
731TYPE: onoff
732IFDEF: FOLLOW_X_FORWARDED_FOR
733DEFAULT: on
734LOC: Config.onoff.acl_uses_indirect_client
735DOC_START
736 Controls whether the indirect client address
737 (see follow_x_forwarded_for) is used instead of the
738 direct client address in acl matching.
739DOC_END
740
741NAME: delay_pool_uses_indirect_client
742COMMENT: on|off
743TYPE: onoff
97a616ca 744IFDEF: FOLLOW_X_FORWARDED_FOR DELAY_POOLS
3d674977
AJ		 745DEFAULT: on
746LOC: Config.onoff.delay_pool_uses_indirect_client
747DOC_START
748 Controls whether the indirect client address
749 (see follow_x_forwarded_for) is used instead of the
750 direct client address in delay pools.
751DOC_END
752
753NAME: log_uses_indirect_client
754COMMENT: on|off
755TYPE: onoff
756IFDEF: FOLLOW_X_FORWARDED_FOR
757DEFAULT: on
758LOC: Config.onoff.log_uses_indirect_client
759DOC_START
760 Controls whether the indirect client address
761 (see follow_x_forwarded_for) is used instead of the
762 direct client address in the access log.
763DOC_END
764
41bd17a4 765NAME: http_access
766TYPE: acl_access
767LOC: Config.accessList.http
768DEFAULT: none
769DEFAULT_IF_NONE: deny all
770DOC_START
771 Allowing or Denying access based on defined access lists
cccac0a2 772
41bd17a4 773 Access to the HTTP port:
774 http_access allow|deny [!]aclname ...
cccac0a2 775
41bd17a4 776 NOTE on default values:
cccac0a2 777
41bd17a4 778 If there are no "access" lines present, the default is to deny
779 the request.
cccac0a2 780
41bd17a4 781 If none of the "access" lines cause a match, the default is the
782 opposite of the last line in the list. If the last line was
783 deny, the default is allow. Conversely, if the last line
784 is allow, the default will be deny. For these reasons, it is a
785 good idea to have an "deny all" or "allow all" entry at the end
786 of your access lists to avoid potential confusion.
cccac0a2 787
41bd17a4 788NOCOMMENT_START
789#Recommended minimum configuration:
790#
791# Only allow cachemgr access from localhost
792http_access allow manager localhost
793http_access deny manager
794# Deny requests to unknown ports
795http_access deny !Safe_ports
796# Deny CONNECT to other than SSL ports
797http_access deny CONNECT !SSL_ports
798#
799# We strongly recommend the following be uncommented to protect innocent
800# web applications running on the proxy server who think the only
801# one who can access services on "localhost" is a local user
802#http_access deny to_localhost
803#
804# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
c8f4eac4 805
ee776778 806# Example rule allowing access from your local networks.
807# Adapt localnet in the ACL section to list your (internal) IP networks
808# from where browsing should be allowed
809http_access allow localnet
7d90757b 810
41bd17a4 811# And finally deny all other access to this proxy
812http_access deny all
813NOCOMMENT_END
814DOC_END
7d90757b 815
41bd17a4 816NAME: http_reply_access
817TYPE: acl_access
818LOC: Config.accessList.reply
819DEFAULT: none
820DOC_START
821 Allow replies to client requests. This is complementary to http_access.
cccac0a2 822
41bd17a4 823 http_reply_access allow|deny [!] aclname ...
cccac0a2 824
41bd17a4 825 NOTE: if there are no access lines present, the default is to allow
826 all replies
1a224843 827
41bd17a4 828 If none of the access lines cause a match the opposite of the
829 last line will apply. Thus it is good practice to end the rules
830 with an "allow all" or "deny all" entry.
cccac0a2 831DOC_END
832
41bd17a4 833NAME: icp_access
834TYPE: acl_access
835LOC: Config.accessList.icp
836DEFAULT: none
837DEFAULT_IF_NONE: deny all
5473c134 838DOC_START
41bd17a4 839 Allowing or Denying access to the ICP port based on defined
840 access lists
5473c134 841
41bd17a4 842 icp_access allow|deny [!]aclname ...
5473c134 843
41bd17a4 844 See http_access for details
845
846NOCOMMENT_START
ee776778 847#Allow ICP queries from local networks only
df2eec10
AJ		 848#icp_access allow localnet
849#icp_access deny all
41bd17a4 850NOCOMMENT_END
5473c134 851DOC_END
852
41bd17a4 853NAME: htcp_access
854IFDEF: USE_HTCP
855TYPE: acl_access
856LOC: Config.accessList.htcp
857DEFAULT: none
858DEFAULT_IF_NONE: deny all
5473c134 859DOC_START
41bd17a4 860 Allowing or Denying access to the HTCP port based on defined
861 access lists
5473c134 862
41bd17a4 863 htcp_access allow|deny [!]aclname ...
5473c134 864
41bd17a4 865 See http_access for details
5473c134 866
0b48417e 867 NOTE: The default if no htcp_access lines are present is to
868 deny all traffic. This default may cause problems with peers
869 using the htcp or htcp-oldsquid options.
870
ee776778 871NOCOMMENT_START
872#Allow HTCP queries from local networks only
df2eec10
AJ		 873#htcp_access allow localnet
874#htcp_access deny all
ee776778 875NOCOMMENT_END
41bd17a4 876DOC_END
5473c134 877
41bd17a4 878NAME: htcp_clr_access
879IFDEF: USE_HTCP
880TYPE: acl_access
881LOC: Config.accessList.htcp_clr
882DEFAULT: none
883DEFAULT_IF_NONE: deny all
884DOC_START
885 Allowing or Denying access to purge content using HTCP based
886 on defined access lists
5473c134 887
41bd17a4 888 htcp_clr_access allow|deny [!]aclname ...
5473c134 889
41bd17a4 890 See http_access for details
5473c134 891
41bd17a4 892#Allow HTCP CLR requests from trusted peers
893acl htcp_clr_peer src 172.16.1.2
894htcp_clr_access allow htcp_clr_peer
5473c134 895DOC_END
896
41bd17a4 897NAME: miss_access
898TYPE: acl_access
899LOC: Config.accessList.miss
df2eec10 900DEFAULT: allow all
5473c134 901DOC_START
41bd17a4 902 Use to force your neighbors to use you as a sibling instead of
903 a parent. For example:
5473c134 904
41bd17a4 905 acl localclients src 172.16.0.0/16
906 miss_access allow localclients
907 miss_access deny !localclients
5473c134 908
41bd17a4 909 This means only your local clients are allowed to fetch
910 MISSES and all other clients can only fetch HITS.
5473c134 911
41bd17a4 912 By default, allow all clients who passed the http_access rules
913 to fetch MISSES from us.
41bd17a4 914DOC_END
915
916NAME: ident_lookup_access
917TYPE: acl_access
918IFDEF: USE_IDENT
919DEFAULT: none
920DEFAULT_IF_NONE: deny all
921LOC: Config.accessList.identLookup
5473c134 922DOC_START
41bd17a4 923 A list of ACL elements which, if matched, cause an ident
924 (RFC 931) lookup to be performed for this request. For
925 example, you might choose to always perform ident lookups
926 for your main multi-user Unix boxes, but not for your Macs
927 and PCs. By default, ident lookups are not performed for
928 any requests.
5473c134 929
41bd17a4 930 To enable ident lookups for specific client addresses, you
931 can follow this example:
5473c134 932
41bd17a4 933 acl ident_aware_hosts src 198.168.1.0/255.255.255.0
934 ident_lookup_access allow ident_aware_hosts
935 ident_lookup_access deny all
5473c134 936
41bd17a4 937 Only src type ACL checks are fully supported. A src_domain
938 ACL might work at times, but it will not always provide
939 the correct result.
940DOC_END
5473c134 941
5b0f5383 942NAME: reply_body_max_size
943COMMENT: size [acl acl...]
944TYPE: acl_b_size_t
945DEFAULT: none
946LOC: Config.ReplyBodySize
947DOC_START
948 This option specifies the maximum size of a reply body. It can be
949 used to prevent users from downloading very large files, such as
950 MP3's and movies. When the reply headers are received, the
951 reply_body_max_size lines are processed, and the first line where
952 all (if any) listed ACLs are true is used as the maximum body size
953 for this reply.
954
955 This size is checked twice. First when we get the reply headers,
956 we check the content-length value. If the content length value exists
957 and is larger than the allowed size, the request is denied and the
958 user receives an error message that says "the request or reply
959 is too large." If there is no content-length, and the reply
960 size exceeds this limit, the client's connection is just closed
961 and they will receive a partial reply.
962
963 WARNING: downstream caches probably can not detect a partial reply
964 if there is no content-length header, so they will cache
965 partial responses and give them out as hits. You should NOT
966 use this option if you have downstream caches.
967
968 WARNING: A maximum size smaller than the size of squid's error messages
969 will cause an infinite loop and crash squid. Ensure that the smallest
970 non-zero value you use is greater that the maximum header size plus
971 the size of your largest error page.
972
973 If you set this parameter none (the default), there will be
974 no limit imposed.
3bc32f2f
AJ		 975
976 Configuration Format is:
977 reply_body_max_size SIZE UNITS [acl ...]
978 ie.
979 reply_body_max_size 10 MB
980
5b0f5383 981DOC_END
982
983COMMENT_START
984 NETWORK OPTIONS
985 -----------------------------------------------------------------------------
986COMMENT_END
987
988NAME: http_port ascii_port
989TYPE: http_port_list
990DEFAULT: none
991LOC: Config.Sockaddr.http
992DOC_START
993 Usage: port [options]
994 hostname:port [options]
995 1.2.3.4:port [options]
996
997 The socket addresses where Squid will listen for HTTP client
998 requests. You may specify multiple socket addresses.
999 There are three forms: port alone, hostname with port, and
1000 IP address with port. If you specify a hostname or IP
1001 address, Squid binds the socket to that specific
1002 address. This replaces the old 'tcp_incoming_address'
1003 option. Most likely, you do not need to bind to a specific
1004 address, so you can use the port number alone.
1005
1006 If you are running Squid in accelerator mode, you
1007 probably want to listen on port 80 also, or instead.
1008
1009 The -a command line option may be used to specify additional
1010 port(s) where Squid listens for proxy request. Such ports will
1011 be plain proxy ports with no options.
1012
1013 You may specify multiple socket addresses on multiple lines.
1014
1015 Options:
1016
e77bdb4e 1017 intercept Support for IP-Layer interception of
5b0f5383 1018 outgoing requests without browser settings.
13b5cd0c 1019 NP: disables authentication and IPv6 on the port.
5b0f5383 1020
1021 tproxy Support Linux TPROXY for spoofing outgoing
1022 connections using the client IP address.
13b5cd0c 1023 NP: disables authentication and IPv6 on the port.
5b0f5383 1024
1025 accel Accelerator mode. Also needs at least one of
1026 vhost / vport / defaultsite.
1027
1028 defaultsite=domainname
1029 What to use for the Host: header if it is not present
1030 in a request. Determines what site (not origin server)
1031 accelerators should consider the default.
1032 Implies accel.
1033
1034 vhost Accelerator mode using Host header for virtual
1035 domain support. Implies accel.
1036
1037 vport Accelerator with IP based virtual host support.
1038 Implies accel.
1039
1040 vport=NN As above, but uses specified port number rather
1041 than the http_port number. Implies accel.
1042
1043 protocol= Protocol to reconstruct accelerated requests with.
1044 Defaults to http.
1045
d67acb4e
AJ		 1046 connection-auth[=on|off]
1047 use connection-auth=off to tell Squid to prevent
1048 forwarding Microsoft connection oriented authentication
1049 (NTLM, Negotiate and Kerberos)
1050
5b0f5383 1051 disable-pmtu-discovery=
1052 Control Path-MTU discovery usage:
1053 off lets OS decide on what to do (default).
1054 transparent disable PMTU discovery when transparent
1055 support is enabled.
1056 always disable always PMTU discovery.
1057
1058 In many setups of transparently intercepting proxies
1059 Path-MTU discovery can not work on traffic towards the
1060 clients. This is the case when the intercepting device
1061 does not fully track connections and fails to forward
1062 ICMP must fragment messages to the cache server. If you
1063 have such setup and experience that certain clients
1064 sporadically hang or never complete requests set
1065 disable-pmtu-discovery option to 'transparent'.
1066
4c9da963 1067 sslBump Intercept each CONNECT request matching ssl_bump ACL,
1068 establish secure connection with the client and with
1069 the server, decrypt HTTP messages as they pass through
1070 Squid, and treat them as unencrypted HTTP messages,
1071 becoming the man-in-the-middle.
1072
1073 When this option is enabled, additional options become
1074 available to specify SSL-related properties of the
1075 client-side connection: cert, key, version, cipher,
1076 options, clientca, cafile, capath, crlfile, dhparams,
1077 sslflags, and sslcontext. See the https_port directive
1078 for more information on these options.
1079
1080 The ssl_bump option is required to fully enable
1081 the SslBump feature.
1082
81b6e9a7 1083 name= Specifies a internal name for the port. Defaults to
1084 the port specification (port or addr:port)
1085
b2130d58 1086 keepalive[=idle,interval,timeout]
1087 Enable TCP keepalive probes of idle connections
1088 idle is the initial time before TCP starts probing
1089 the connection, interval how often to probe, and
1090 timeout the time before giving up.
1091
5b0f5383 1092 If you run Squid on a dual-homed machine with an internal
1093 and an external interface we recommend you to specify the
1094 internal address:port in http_port. This way Squid will only be
1095 visible on the internal address.
1096
1097NOCOMMENT_START
1098# Squid normally listens to port 3128
1099http_port @DEFAULT_HTTP_PORT@
1100NOCOMMENT_END
1101DOC_END
1102
1103NAME: https_port
1104IFDEF: USE_SSL
1105TYPE: https_port_list
1106DEFAULT: none
1107LOC: Config.Sockaddr.https
1108DOC_START
1109 Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
1110
1111 The socket address where Squid will listen for HTTPS client
1112 requests.
1113
1114 This is really only useful for situations where you are running
1115 squid in accelerator mode and you want to do the SSL work at the
1116 accelerator level.
1117
1118 You may specify multiple socket addresses on multiple lines,
1119 each with their own SSL certificate and/or options.
1120
1121 Options:
1122
1123 accel Accelerator mode. Also needs at least one of
1124 defaultsite or vhost.
1125
1126 defaultsite= The name of the https site presented on
1127 this port. Implies accel.
1128
1129 vhost Accelerator mode using Host header for virtual
1130 domain support. Requires a wildcard certificate
1131 or other certificate valid for more than one domain.
1132 Implies accel.
1133
1134 protocol= Protocol to reconstruct accelerated requests with.
1135 Defaults to https.
1136
1137 cert= Path to SSL certificate (PEM format).
1138
1139 key= Path to SSL private key file (PEM format)
1140 if not specified, the certificate file is
1141 assumed to be a combined certificate and
1142 key file.
1143
1144 version= The version of SSL/TLS supported
1145 1 automatic (default)
1146 2 SSLv2 only
1147 3 SSLv3 only
1148 4 TLSv1 only
1149
1150 cipher= Colon separated list of supported ciphers.
1151
1152 options= Various SSL engine options. The most important
1153 being:
1154 NO_SSLv2 Disallow the use of SSLv2
1155 NO_SSLv3 Disallow the use of SSLv3
1156 NO_TLSv1 Disallow the use of TLSv1
1157 SINGLE_DH_USE Always create a new key when using
1158 temporary/ephemeral DH key exchanges
1159 See src/ssl_support.c or OpenSSL SSL_CTX_set_options
1160 documentation for a complete list of options.
1161
1162 clientca= File containing the list of CAs to use when
1163 requesting a client certificate.
1164
1165 cafile= File containing additional CA certificates to
1166 use when verifying client certificates. If unset
1167 clientca will be used.
1168
1169 capath= Directory containing additional CA certificates
1170 and CRL lists to use when verifying client certificates.
1171
1172 crlfile= File of additional CRL lists to use when verifying
1173 the client certificate, in addition to CRLs stored in
1174 the capath. Implies VERIFY_CRL flag below.
1175
1176 dhparams= File containing DH parameters for temporary/ephemeral
1177 DH key exchanges.
1178
1179 sslflags= Various flags modifying the use of SSL:
1180 DELAYED_AUTH
1181 Don't request client certificates
1182 immediately, but wait until acl processing
1183 requires a certificate (not yet implemented).
1184 NO_DEFAULT_CA
1185 Don't use the default CA lists built in
1186 to OpenSSL.
1187 NO_SESSION_REUSE
1188 Don't allow for session reuse. Each connection
1189 will result in a new SSL session.
1190 VERIFY_CRL
1191 Verify CRL lists when accepting client
1192 certificates.
1193 VERIFY_CRL_ALL
1194 Verify CRL lists for all certificates in the
1195 client certificate chain.
1196
1197 sslcontext= SSL session ID context identifier.
1198
1199 vport Accelerator with IP based virtual host support.
1200
1201 vport=NN As above, but uses specified port number rather
1202 than the https_port number. Implies accel.
1203
81b6e9a7 1204 name= Specifies a internal name for the port. Defaults to
1205 the port specification (port or addr:port)
1206
5b0f5383 1207DOC_END
1208
41bd17a4 1209NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
1210TYPE: acl_tos
5473c134 1211DEFAULT: none
41bd17a4 1212LOC: Config.accessList.outgoing_tos
5473c134 1213DOC_START
41bd17a4 1214 Allows you to select a TOS/Diffserv value to mark outgoing
1215 connections with, based on the username or source address
1216 making the request.
5473c134 1217
41bd17a4 1218 tcp_outgoing_tos ds-field [!]aclname ...
cccac0a2 1219
41bd17a4 1220 Example where normal_service_net uses the TOS value 0x00
1221 and normal_service_net uses 0x20
cccac0a2 1222
41bd17a4 1223 acl normal_service_net src 10.0.0.0/255.255.255.0
1224 acl good_service_net src 10.0.1.0/255.255.255.0
2c73de90 1225 tcp_outgoing_tos 0x00 normal_service_net
41bd17a4 1226 tcp_outgoing_tos 0x20 good_service_net
fa38076e 1227
41bd17a4 1228 TOS/DSCP values really only have local significance - so you should
575cb927
AJ		 1229 know what you're specifying. For more information, see RFC2474,
1230 RFC2475, and RFC3260.
cccac0a2 1231
41bd17a4 1232 The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
1233 "default" to use whatever default your host has. Note that in
1234 practice often only values 0 - 63 is usable as the two highest bits
1235 have been redefined for use by ECN (RFC3168).
cccac0a2 1236
41bd17a4 1237 Processing proceeds in the order specified, and stops at first fully
1238 matching line.
cccac0a2 1239
41bd17a4 1240 Note: The use of this directive using client dependent ACLs is
1241 incompatible with the use of server side persistent connections. To
1242 ensure correct results it is best to set server_persisten_connections
1243 to off when using this directive in such configurations.
cccac0a2 1244DOC_END
1245
41bd17a4 1246NAME: clientside_tos
1247TYPE: acl_tos
cccac0a2 1248DEFAULT: none
41bd17a4 1249LOC: Config.accessList.clientside_tos
cccac0a2 1250DOC_START
41bd17a4 1251 Allows you to select a TOS/Diffserv value to mark client-side
1252 connections with, based on the username or source address
1253 making the request.
1254DOC_END
cccac0a2 1255
575cb927
AJ		 1256NAME: qos_flows
1257TYPE: QosConfig
7172612f 1258IFDEF: USE_ZPH_QOS
575cb927
AJ		 1259DEFAULT: none
1260LOC: Config.zph
7172612f 1261DOC_START
575cb927
AJ		 1262 Allows you to select a TOS/DSCP value to mark outgoing
1263 connections with, based on where the reply was sourced.
7172612f 1264
575cb927
AJ		 1265 TOS values really only have local significance - so you should
1266 know what you're specifying. For more information, see RFC2474,
1267 RFC2475, and RFC3260.
7172612f 1268
575cb927
AJ		 1269 The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF.
1270 Note that in practice often only values up to 0x3F are usable
1271 as the two highest bits have been redefined for use by ECN
1272 (RFC3168).
7172612f 1273
575cb927
AJ		 1274 This setting is configured by setting the source TOS values:
1275
1276 local-hit=0xFF Value to mark local cache hits.
1277
1278 sibling-hit=0xFF Value to mark hits from sibling peers.
1279
1280 parent-hit=0xFF Value to mark hits from parent peers.
1281
1282
2201bec6
AJ		 1283 NOTE: 'miss' preserve feature is only possible on Linux at this time.
1284
575cb927
AJ		 1285 For the following to work correctly, you will need to patch your
1286 linux kernel with the TOS preserving ZPH patch.
1287 The kernel patch can be downloaded from http://zph.bratcheda.org
1288
575cb927
AJ		 1289 disable-preserve-miss
1290 If set, any HTTP response towards clients will
1291 have the TOS value of the response comming from the
1292 remote server masked with the value of miss-mask.
1293
1294 miss-mask=0xFF
1295 Allows you to mask certain bits in the TOS received from the
1296 remote server, before copying the value to the TOS sent
1297 towards clients.
1298 Default: 0xFF (TOS from server is not changed).
7172612f 1299
7172612f
AJ		 1300DOC_END
1301
41bd17a4 1302NAME: tcp_outgoing_address
1303TYPE: acl_address
1304DEFAULT: none
1305LOC: Config.accessList.outgoing_address
1306DOC_START
1307 Allows you to map requests to different outgoing IP addresses
1308 based on the username or source address of the user making
1309 the request.
7f7db318 1310
41bd17a4 1311 tcp_outgoing_address ipaddr [[!]aclname] ...
c33aa074 1312
41bd17a4 1313 Example where requests from 10.0.0.0/24 will be forwarded
1314 with source address 10.1.0.1, 10.0.2.0/24 forwarded with
1315 source address 10.1.0.2 and the rest will be forwarded with
1316 source address 10.1.0.3.
9197cd13 1317
17148b2f 1318 acl normal_service_net src 10.0.0.0/24
1319 acl good_service_net src 10.0.2.0/24
1320 tcp_outgoing_address 10.1.0.1 normal_service_net
1321 tcp_outgoing_address 10.1.0.2 good_service_net
1322 tcp_outgoing_address 10.1.0.3
9197cd13 1323
41bd17a4 1324 Processing proceeds in the order specified, and stops at first fully
1325 matching line.
cccac0a2 1326
41bd17a4 1327 Note: The use of this directive using client dependent ACLs is
1328 incompatible with the use of server side persistent connections. To
1329 ensure correct results it is best to set server_persistent_connections
1330 to off when using this directive in such configurations.
cc192b50 1331
1332
1333 IPv6 Magic:
1334
1335 Squid is built with a capability of bridging the IPv4 and IPv6 internets.
1336 tcp_outgoing_address as exampled above breaks this bridging by forcing
1337 all outbound traffic through a certain IPv4 which may be on the wrong
1338 side of the IPv4/IPv6 boundary.
1339
1340 To operate with tcp_outgoing_address and keep the bridging benefits
1341 an additional ACL needs to be used which ensures the IPv6-bound traffic
1342 is never forced or permitted out the IPv4 interface.
1343
1344 acl to_ipv6 dst ipv6
1345 tcp_outgoing_address 2002::c001 good_service_net to_ipv6
17148b2f 1346 tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
cc192b50 1347
1348 tcp_outgoing_address 2002::beef normal_service_net to_ipv6
17148b2f 1349 tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
cc192b50 1350
1351 tcp_outgoing_address 2002::1 to_ipv6
17148b2f 1352 tcp_outgoing_address 10.1.0.3 !to_ipv6
6db78a1a
AJ		 1353
1354 WARNING:
1355 'dst ipv6' bases its selection assuming DIRECT access.
1356 If peers are used the peername ACL are needed to select outgoing
1357 address which can link to the peer.
1358
cccac0a2 1359DOC_END
1360
41bd17a4 1361COMMENT_START
1362 SSL OPTIONS
1363 -----------------------------------------------------------------------------
1364COMMENT_END
1365
1366NAME: ssl_unclean_shutdown
1367IFDEF: USE_SSL
cccac0a2 1368TYPE: onoff
1369DEFAULT: off
41bd17a4 1370LOC: Config.SSL.unclean_shutdown
cccac0a2 1371DOC_START
41bd17a4 1372 Some browsers (especially MSIE) bugs out on SSL shutdown
1373 messages.
cccac0a2 1374DOC_END
1375
41bd17a4 1376NAME: ssl_engine
1377IFDEF: USE_SSL
cccac0a2 1378TYPE: string
41bd17a4 1379LOC: Config.SSL.ssl_engine
1380DEFAULT: none
cccac0a2 1381DOC_START
41bd17a4 1382 The OpenSSL engine to use. You will need to set this if you
1383 would like to use hardware SSL acceleration for example.
cccac0a2 1384DOC_END
1385
41bd17a4 1386NAME: sslproxy_client_certificate
1387IFDEF: USE_SSL
cccac0a2 1388DEFAULT: none
41bd17a4 1389LOC: Config.ssl_client.cert
1390TYPE: string
cccac0a2 1391DOC_START
41bd17a4 1392 Client SSL Certificate to use when proxying https:// URLs
cccac0a2 1393DOC_END
1394
41bd17a4 1395NAME: sslproxy_client_key
1396IFDEF: USE_SSL
cccac0a2 1397DEFAULT: none
41bd17a4 1398LOC: Config.ssl_client.key
1399TYPE: string
cccac0a2 1400DOC_START
41bd17a4 1401 Client SSL Key to use when proxying https:// URLs
cccac0a2 1402DOC_END
1403
41bd17a4 1404NAME: sslproxy_version
1405IFDEF: USE_SSL
1406DEFAULT: 1
1407LOC: Config.ssl_client.version
1408TYPE: int
cccac0a2 1409DOC_START
41bd17a4 1410 SSL version level to use when proxying https:// URLs
cccac0a2 1411DOC_END
1412
41bd17a4 1413NAME: sslproxy_options
1414IFDEF: USE_SSL
1415DEFAULT: none
1416LOC: Config.ssl_client.options
1417TYPE: string
cccac0a2 1418DOC_START
41bd17a4 1419 SSL engine options to use when proxying https:// URLs
cccac0a2 1420DOC_END
1421
41bd17a4 1422NAME: sslproxy_cipher
1423IFDEF: USE_SSL
1424DEFAULT: none
1425LOC: Config.ssl_client.cipher
1426TYPE: string
cccac0a2 1427DOC_START
41bd17a4 1428 SSL cipher list to use when proxying https:// URLs
cccac0a2 1429DOC_END
1430
41bd17a4 1431NAME: sslproxy_cafile
1432IFDEF: USE_SSL
1433DEFAULT: none
1434LOC: Config.ssl_client.cafile
1435TYPE: string
cccac0a2 1436DOC_START
41bd17a4 1437 file containing CA certificates to use when verifying server
1438 certificates while proxying https:// URLs
cccac0a2 1439DOC_END
0976f8db 1440
41bd17a4 1441NAME: sslproxy_capath
1442IFDEF: USE_SSL
5473c134 1443DEFAULT: none
41bd17a4 1444LOC: Config.ssl_client.capath
1445TYPE: string
5473c134 1446DOC_START
41bd17a4 1447 directory containing CA certificates to use when verifying
1448 server certificates while proxying https:// URLs
5473c134 1449DOC_END
1450
4c9da963 1451NAME: ssl_bump
1452IFDEF: USE_SSL
1453TYPE: acl_access
1454LOC: Config.accessList.ssl_bump
1455DEFAULT: none
1456DOC_START
1457 This ACL controls which CONNECT requests to an http_port
1458 marked with an sslBump flag are actually "bumped". Please
1459 see the sslBump flag of an http_port option for more details
1460 about decoding proxied SSL connections.
1461
1462 By default, no requests are bumped.
1463
1464 See also: http_port sslBump
1465
1466NOCOMMENT_START
1467# Example: Bump all requests except those originating from localhost and
1468# those going to webax.com or example.com sites.
1469#
1470# acl localhost src 127.0.0.1/32
1471# acl broken_sites dstdomain .webax.com
1472# acl broken_sites dstdomain .example.com
1473# ssl_bump deny localhost
1474# ssl_bump deny broken_sites
1475# ssl_bump allow all
1476NOCOMMENT_END
1477DOC_END
1478
41bd17a4 1479NAME: sslproxy_flags
1480IFDEF: USE_SSL
1481DEFAULT: none
1482LOC: Config.ssl_client.flags
1483TYPE: string
5473c134 1484DOC_START
41bd17a4 1485 Various flags modifying the use of SSL while proxying https:// URLs:
4c9da963 1486 DONT_VERIFY_PEER Accept certificates that fail verification.
1487 For refined control, see sslproxy_cert_error.
41bd17a4 1488 NO_DEFAULT_CA Don't use the default CA list built in
1489 to OpenSSL.
5473c134 1490DOC_END
1491
4c9da963 1492
1493NAME: sslproxy_cert_error
1494IFDEF: USE_SSL
1495DEFAULT: none
1496LOC: Config.ssl_client.cert_error
1497TYPE: acl_access
1498DOC_START
1499 Use this ACL to bypass server certificate validation errors.
1500
1501 For example, the following lines will bypass all validation errors
1502 when talking to servers located at 172.16.0.0/16. All other
1503 validation errors will result in ERR_SECURE_CONNECT_FAIL error.
1504
1505 acl BrokenServersAtTrustedIP dst 172.16.0.0/16
1506 sslproxy_cert_error allow BrokenServersAtTrustedIP
1507 sslproxy_cert_error deny all
1508
1509 This option must use fast ACL expressions only. Expressions that use
1510 external lookups or communication result in unpredictable behavior or
1511 crashes.
1512
1513 Without this option, all server certificate validation errors
1514 terminate the transaction. Bypassing validation errors is dangerous
1515 because an error usually implies that the server cannot be trusted and
1516 the connection may be insecure.
1517
1518 See also: sslproxy_flags and DONT_VERIFY_PEER.
1519
1520NOCOMMENT_START
1521#Default setting:
1522# sslproxy_cert_error deny all
1523NOCOMMENT_END
1524DOC_END
1525
1526
1527
41bd17a4 1528NAME: sslpassword_program
1529IFDEF: USE_SSL
1530DEFAULT: none
1531LOC: Config.Program.ssl_password
1532TYPE: string
5473c134 1533DOC_START
41bd17a4 1534 Specify a program used for entering SSL key passphrases
1535 when using encrypted SSL certificate keys. If not specified
1536 keys must either be unencrypted, or Squid started with the -N
1537 option to allow it to query interactively for the passphrase.
5473c134 1538DOC_END
1539
cccac0a2 1540COMMENT_START
41bd17a4 1541 OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
cccac0a2 1542 -----------------------------------------------------------------------------
1543COMMENT_END
1544
41bd17a4 1545NAME: cache_peer
1546TYPE: peer
1547DEFAULT: none
1548LOC: Config.peers
cccac0a2 1549DOC_START
41bd17a4 1550 To specify other caches in a hierarchy, use the format:
cccac0a2 1551
41bd17a4 1552 cache_peer hostname type http-port icp-port [options]
cccac0a2 1553
41bd17a4 1554 For example,
cccac0a2 1555
41bd17a4 1556 # proxy icp
1557 # hostname type port port options
1558 # -------------------- -------- ----- ----- -----------
1559 cache_peer parent.foo.net parent 3128 3130 proxy-only default
1560 cache_peer sib1.foo.net sibling 3128 3130 proxy-only
1561 cache_peer sib2.foo.net sibling 3128 3130 proxy-only
cccac0a2 1562
41bd17a4 1563 type: either 'parent', 'sibling', or 'multicast'.
d5277f40 1564
41bd17a4 1565 proxy-port: The port number where the cache listens for proxy
1566 requests.
8d6275c0 1567
41bd17a4 1568 icp-port: Used for querying neighbor caches about
1569 objects. To have a non-ICP neighbor
df2eec10 1570 specify '0' for the ICP port.
41bd17a4 1571 NOTE: Also requires icp_port option enabled to send/receive
1572 requests via this method.
a78278e2 1573
41bd17a4 1574 options: proxy-only
1575 weight=n
1576 basetime=n
1577 ttl=n
1578 no-query
1579 background-ping
1580 default
1581 round-robin
1582 weighted-round-robin
1583 carp
f7e1d9ce
HN		 1584 userhash
1585 sourcehash
41bd17a4 1586 multicast-responder
1587 closest-only
1588 no-digest
1589 no-netdb-exchange
1590 no-delay
1591 login=user:password | PASS | *:password
1592 connect-timeout=nn
1593 digest-url=url
1594 allow-miss
1595 max-conn=n
1596 htcp
1597 htcp-oldsquid
4f4fa815
BR		 1598 htcp-no-clr
1599 htcp-no-purge-clr
1600 htcp-only-clr
1601 htcp-forward-clr
41bd17a4 1602 originserver
1603 name=xxx
1604 forceddomain=name
1605 ssl
1606 sslcert=/path/to/ssl/certificate
1607 sslkey=/path/to/ssl/key
1608 sslversion=1|2|3|4
1609 sslcipher=...
1610 ssloptions=...
1611 front-end-https[=on|auto]
d67acb4e 1612 connection-auth[=on|off|auto]
cccac0a2 1613
41bd17a4 1614 use 'proxy-only' to specify objects fetched
1615 from this cache should not be saved locally.
cccac0a2 1616
41bd17a4 1617 use 'weight=n' to affect the selection of a peer
1618 during any weighted peer-selection mechanisms.
1619 The weight must be an integer; default is 1,
1620 larger weights are favored more.
1621 This option does not affect parent selection if a peering
1622 protocol is not in use.
cccac0a2 1623
41bd17a4 1624 use 'basetime=n' to specify a base amount to
1625 be subtracted from round trip times of parents.
1626 It is subtracted before division by weight in calculating
1627 which parent to fectch from. If the rtt is less than the
1628 base time the rtt is set to a minimal value.
cccac0a2 1629
41bd17a4 1630 use 'ttl=n' to specify a IP multicast TTL to use
1631 when sending an ICP queries to this address.
1632 Only useful when sending to a multicast group.
1633 Because we don't accept ICP replies from random
1634 hosts, you must configure other group members as
1635 peers with the 'multicast-responder' option below.
5473c134 1636
41bd17a4 1637 use 'no-query' to NOT send ICP queries to this
1638 neighbor.
5473c134 1639
41bd17a4 1640 use 'background-ping' to only send ICP queries to this
1641 neighbor infrequently. This is used to keep the neighbor
1642 round trip time updated and is usually used in
1643 conjunction with weighted-round-robin.
cccac0a2 1644
41bd17a4 1645 use 'default' if this is a parent cache which can
1646 be used as a "last-resort" if a peer cannot be located
1647 by any of the peer-selection mechanisms.
1648 If specified more than once, only the first is used.
cccac0a2 1649
41bd17a4 1650 use 'round-robin' to define a set of parents which
1651 should be used in a round-robin fashion in the
1652 absence of any ICP queries.
cccac0a2 1653
41bd17a4 1654 use 'weighted-round-robin' to define a set of parents
1655 which should be used in a round-robin fashion with the
1656 frequency of each parent being based on the round trip
1657 time. Closer parents are used more often.
1658 Usually used for background-ping parents.
cccac0a2 1659
41bd17a4 1660 use 'carp' to define a set of parents which should
1661 be used as a CARP array. The requests will be
1662 distributed among the parents based on the CARP load
382db7eb 1663 balancing hash function based on their weight.
cccac0a2 1664
f7e1d9ce
HN		 1665 use 'userhash' to load-balance amongst a set of parents
1666 based on the client proxy_auth or ident username.
1667
1668 use 'sourcehash' to load-balance amongst a set of parents
1669 based on the client source ip.
1670
41bd17a4 1671 'multicast-responder' indicates the named peer
1672 is a member of a multicast group. ICP queries will
1673 not be sent directly to the peer, but ICP replies
1674 will be accepted from it.
cccac0a2 1675
41bd17a4 1676 'closest-only' indicates that, for ICP_OP_MISS
1677 replies, we'll only forward CLOSEST_PARENT_MISSes
1678 and never FIRST_PARENT_MISSes.
cccac0a2 1679
41bd17a4 1680 use 'no-digest' to NOT request cache digests from
1681 this neighbor.
cccac0a2 1682
41bd17a4 1683 'no-netdb-exchange' disables requesting ICMP
1684 RTT database (NetDB) from the neighbor.
cccac0a2 1685
41bd17a4 1686 use 'no-delay' to prevent access to this neighbor
1687 from influencing the delay pools.
7d90757b 1688
41bd17a4 1689 use 'login=user:password' if this is a personal/workgroup
1690 proxy and your parent requires proxy authentication.
1691 Note: The string can include URL escapes (i.e. %20 for
1692 spaces). This also means % must be written as %%.
7d90757b 1693
41bd17a4 1694 use 'login=PASS' if users must authenticate against
1695 the upstream proxy or in the case of a reverse proxy
1696 configuration, the origin web server. This will pass
1697 the users credentials as they are to the peer.
1698 This only works for the Basic HTTP authentication scheme.
1699 Note: To combine this with proxy_auth both proxies must
1700 share the same user database as HTTP only allows for
1701 a single login (one for proxy, one for origin server).
1702 Also be warned this will expose your users proxy
1703 password to the peer. USE WITH CAUTION
7d90757b 1704
41bd17a4 1705 use 'login=*:password' to pass the username to the
1706 upstream cache, but with a fixed password. This is meant
1707 to be used when the peer is in another administrative
1708 domain, but it is still needed to identify each user.
1709 The star can optionally be followed by some extra
1710 information which is added to the username. This can
1711 be used to identify this proxy to the peer, similar to
1712 the login=username:password option above.
cccac0a2 1713
41bd17a4 1714 use 'connect-timeout=nn' to specify a peer
1715 specific connect timeout (also see the
1716 peer_connect_timeout directive)
7f7db318 1717
41bd17a4 1718 use 'digest-url=url' to tell Squid to fetch the cache
1719 digest (if digests are enabled) for this host from
1720 the specified URL rather than the Squid default
1721 location.
cccac0a2 1722
41bd17a4 1723 use 'allow-miss' to disable Squid's use of only-if-cached
1724 when forwarding requests to siblings. This is primarily
1725 useful when icp_hit_stale is used by the sibling. To
1726 extensive use of this option may result in forwarding
1727 loops, and you should avoid having two-way peerings
1728 with this option. (for example to deny peer usage on
1729 requests from peer by denying cache_peer_access if the
1730 source is a peer)
cccac0a2 1731
41bd17a4 1732 use 'max-conn=n' to limit the amount of connections Squid
1733 may open to this peer.
cccac0a2 1734
41bd17a4 1735 use 'htcp' to send HTCP, instead of ICP, queries
1736 to the neighbor. You probably also want to
1737 set the "icp port" to 4827 instead of 3130.
0b48417e 1738 You MUST also set htcp_access expicitly. The default of
1739 deny all will prevent peer traffic.
cccac0a2 1740
41bd17a4 1741 use 'htcp-oldsquid' to send HTCP to old Squid versions
0b48417e 1742 You MUST also set htcp_access expicitly. The default of
1743 deny all will prevent peer traffic.
cccac0a2 1744
4f4fa815
BR		 1745 use 'htcp-no-clr' to send HTCP to the neighbor but without
1746 sending any CLR requests. This cannot be used with
1747 htcp-only-clr.
1748
1749 use 'htcp-no-purge-clr' to send HTCP to the neighbor
1750 including CLRs but only when they do not result from
1751 PURGE requests.
1752
1753 use 'htcp-only-clr' to send HTCP to the neighbor but ONLY
1754 CLR requests. This cannot be used with htcp-no-clr.
1755
1756 use 'htcp-forward-clr' to forward any HTCP CLR requests
1757 this proxy receives to the peer.
1758
41bd17a4 1759 'originserver' causes this parent peer to be contacted as
1760 a origin server. Meant to be used in accelerator setups.
cccac0a2 1761
41bd17a4 1762 use 'name=xxx' if you have multiple peers on the same
1763 host but different ports. This name can be used to
1764 differentiate the peers in cache_peer_access and similar
6db78a1a 1765 directives. Including the peername ACL type.
cccac0a2 1766
41bd17a4 1767 use 'forceddomain=name' to forcibly set the Host header
1768 of requests forwarded to this peer. Useful in accelerator
1769 setups where the server (peer) expects a certain domain
1770 name and using redirectors to feed this domain name
1771 is not feasible.
64658378 1772
41bd17a4 1773 use 'ssl' to indicate connections to this peer should
1774 be SSL/TLS encrypted.
cccac0a2 1775
41bd17a4 1776 use 'sslcert=/path/to/ssl/certificate' to specify a client
1777 SSL certificate to use when connecting to this peer.
4c9fa5d5 1778
41bd17a4 1779 use 'sslkey=/path/to/ssl/key' to specify the private SSL
1780 key corresponding to sslcert above. If 'sslkey' is not
1781 specified 'sslcert' is assumed to reference a
1782 combined file containing both the certificate and the key.
4c9fa5d5 1783
41bd17a4 1784 use sslversion=1|2|3|4 to specify the SSL version to use
1785 when connecting to this peer
1786 1 = automatic (default)
1787 2 = SSL v2 only
1788 3 = SSL v3 only
1789 4 = TLS v1 only
cccac0a2 1790
41bd17a4 1791 use sslcipher=... to specify the list of valid SSL ciphers
1792 to use when connecting to this peer.
cccac0a2 1793
41bd17a4 1794 use ssloptions=... to specify various SSL engine options:
1795 NO_SSLv2 Disallow the use of SSLv2
1796 NO_SSLv3 Disallow the use of SSLv3
1797 NO_TLSv1 Disallow the use of TLSv1
1798 See src/ssl_support.c or the OpenSSL documentation for
1799 a more complete list.
cccac0a2 1800
41bd17a4 1801 use sslcafile=... to specify a file containing
1802 additional CA certificates to use when verifying the
1803 peer certificate.
cccac0a2 1804
41bd17a4 1805 use sslcapath=... to specify a directory containing
1806 additional CA certificates to use when verifying the
1807 peer certificate.
cccac0a2 1808
41bd17a4 1809 use sslcrlfile=... to specify a certificate revocation
1810 list file to use when verifying the peer certificate.
1811
1812 use sslflags=... to specify various flags modifying the
1813 SSL implementation:
1814 DONT_VERIFY_PEER
1815 Accept certificates even if they fail to
1816 verify.
1817 NO_DEFAULT_CA
1818 Don't use the default CA list built in
1819 to OpenSSL.
1820 DONT_VERIFY_DOMAIN
1821 Don't verify the peer certificate
1822 matches the server name
cccac0a2 1823
41bd17a4 1824 use ssldomain= to specify the peer name as advertised
1825 in it's certificate. Used for verifying the correctness
1826 of the received peer certificate. If not specified the
1827 peer hostname will be used.
cccac0a2 1828
41bd17a4 1829 use front-end-https to enable the "Front-End-Https: On"
1830 header needed when using Squid as a SSL frontend in front
1831 of Microsoft OWA. See MS KB document Q307347 for details
1832 on this header. If set to auto the header will
1833 only be added if the request is forwarded as a https://
1834 URL.
d67acb4e
AJ		 1835
1836 use connection-auth=off to tell Squid that this peer does
1837 not support Microsoft connection oriented authentication,
1838 and any such challenges received from there should be
1839 ignored. Default is auto to automatically determine the
1840 status of the peer.
41bd17a4 1841DOC_END
cccac0a2 1842
41bd17a4 1843NAME: cache_peer_domain cache_host_domain
1844TYPE: hostdomain
1845DEFAULT: none
1846LOC: none
1847DOC_START
1848 Use to limit the domains for which a neighbor cache will be
1849 queried. Usage:
cccac0a2 1850
41bd17a4 1851 cache_peer_domain cache-host domain [domain ...]
1852 cache_peer_domain cache-host !domain
cccac0a2 1853
41bd17a4 1854 For example, specifying
cccac0a2 1855
41bd17a4 1856 cache_peer_domain parent.foo.net .edu
cccac0a2 1857
41bd17a4 1858 has the effect such that UDP query packets are sent to
1859 'bigserver' only when the requested object exists on a
1860 server in the .edu domain. Prefixing the domainname
1861 with '!' means the cache will be queried for objects
1862 NOT in that domain.
cccac0a2 1863
41bd17a4 1864 NOTE: * Any number of domains may be given for a cache-host,
1865 either on the same or separate lines.
1866 * When multiple domains are given for a particular
1867 cache-host, the first matched domain is applied.
1868 * Cache hosts with no domain restrictions are queried
1869 for all requests.
1870 * There are no defaults.
1871 * There is also a 'cache_peer_access' tag in the ACL
1872 section.
1873DOC_END
dd9b1776 1874
41bd17a4 1875NAME: cache_peer_access
1876TYPE: peer_access
1877DEFAULT: none
1878LOC: none
1879DOC_START
1880 Similar to 'cache_peer_domain' but provides more flexibility by
1881 using ACL elements.
cccac0a2 1882
41bd17a4 1883 cache_peer_access cache-host allow|deny [!]aclname ...
dd9b1776 1884
41bd17a4 1885 The syntax is identical to 'http_access' and the other lists of
1886 ACL elements. See the comments for 'http_access' below, or
1887 the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
1888DOC_END
dd9b1776 1889
41bd17a4 1890NAME: neighbor_type_domain
1891TYPE: hostdomaintype
1892DEFAULT: none
1893LOC: none
1894DOC_START
1895 usage: neighbor_type_domain neighbor parent|sibling domain domain ...
cccac0a2 1896
41bd17a4 1897 Modifying the neighbor type for specific domains is now
1898 possible. You can treat some domains differently than the the
1899 default neighbor type specified on the 'cache_peer' line.
1900 Normally it should only be necessary to list domains which
1901 should be treated differently because the default neighbor type
1902 applies for hostnames which do not match domains listed here.
6bf4f823 1903
41bd17a4 1904EXAMPLE:
dbe3992d 1905 cache_peer cache.foo.org parent 3128 3130
41bd17a4 1906 neighbor_type_domain cache.foo.org sibling .com .net
1907 neighbor_type_domain cache.foo.org sibling .au .de
1908DOC_END
6bf4f823 1909
41bd17a4 1910NAME: dead_peer_timeout
1911COMMENT: (seconds)
1912DEFAULT: 10 seconds
1913TYPE: time_t
1914LOC: Config.Timeout.deadPeer
1915DOC_START
1916 This controls how long Squid waits to declare a peer cache
1917 as "dead." If there are no ICP replies received in this
1918 amount of time, Squid will declare the peer dead and not
1919 expect to receive any further ICP replies. However, it
1920 continues to send ICP queries, and will mark the peer as
1921 alive upon receipt of the first subsequent ICP reply.
699acd19 1922
41bd17a4 1923 This timeout also affects when Squid expects to receive ICP
1924 replies from peers. If more than 'dead_peer' seconds have
1925 passed since the last ICP reply was received, Squid will not
1926 expect to receive an ICP reply on the next query. Thus, if
1927 your time between requests is greater than this timeout, you
1928 will see a lot of requests sent DIRECT to origin servers
1929 instead of to your parents.
1930DOC_END
cccac0a2 1931
41bd17a4 1932NAME: hierarchy_stoplist
1933TYPE: wordlist
1934DEFAULT: none
1935LOC: Config.hierarchy_stoplist
1936DOC_START
1937 A list of words which, if found in a URL, cause the object to
1938 be handled directly by this cache. In other words, use this
1939 to not query neighbor caches for certain objects. You may
1940 list this option multiple times.
1941 Note: never_direct overrides this option.
cccac0a2 1942NOCOMMENT_START
41bd17a4 1943#We recommend you to use at least the following line.
1944hierarchy_stoplist cgi-bin ?
6b698a21 1945NOCOMMENT_END
1946DOC_END
0976f8db 1947
41bd17a4 1948COMMENT_START
1949 MEMORY CACHE OPTIONS
1950 -----------------------------------------------------------------------------
1951COMMENT_END
1952
1953NAME: cache_mem
1954COMMENT: (bytes)
1955TYPE: b_size_t
df2eec10 1956DEFAULT: 256 MB
41bd17a4 1957LOC: Config.memMaxSize
6b698a21 1958DOC_START
41bd17a4 1959 NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
1960 IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
1961 USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
1962 THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
1963
1964 'cache_mem' specifies the ideal amount of memory to be used
1965 for:
1966 * In-Transit objects
1967 * Hot Objects
1968 * Negative-Cached objects
1969
1970 Data for these objects are stored in 4 KB blocks. This
1971 parameter specifies the ideal upper limit on the total size of
1972 4 KB blocks allocated. In-Transit objects take the highest
1973 priority.
1974
1975 In-transit objects have priority over the others. When
1976 additional space is needed for incoming data, negative-cached
1977 and hot objects will be released. In other words, the
1978 negative-cached and hot objects will fill up any unused space
1979 not needed for in-transit objects.
1980
1981 If circumstances require, this limit will be exceeded.
1982 Specifically, if your incoming request rate requires more than
1983 'cache_mem' of memory to hold in-transit objects, Squid will
1984 exceed this limit to satisfy the new requests. When the load
1985 decreases, blocks will be freed until the high-water mark is
1986 reached. Thereafter, blocks will be used to store hot
1987 objects.
6b698a21 1988DOC_END
0976f8db 1989
41bd17a4 1990NAME: maximum_object_size_in_memory
1991COMMENT: (bytes)
1992TYPE: b_size_t
df2eec10 1993DEFAULT: 512 KB
41bd17a4 1994LOC: Config.Store.maxInMemObjSize
6b698a21 1995DOC_START
41bd17a4 1996 Objects greater than this size will not be attempted to kept in
1997 the memory cache. This should be set high enough to keep objects
1998 accessed frequently in memory to improve performance whilst low
1999 enough to keep larger objects from hoarding cache_mem.
6b698a21 2000DOC_END
0976f8db 2001
41bd17a4 2002NAME: memory_replacement_policy
2003TYPE: removalpolicy
2004LOC: Config.memPolicy
2005DEFAULT: lru
6b698a21 2006DOC_START
41bd17a4 2007 The memory replacement policy parameter determines which
2008 objects are purged from memory when memory space is needed.
7f7db318 2009
41bd17a4 2010 See cache_replacement_policy for details.
2011DOC_END
6b698a21 2012
41bd17a4 2013COMMENT_START
2014 DISK CACHE OPTIONS
2015 -----------------------------------------------------------------------------
2016COMMENT_END
6b698a21 2017
41bd17a4 2018NAME: cache_replacement_policy
2019TYPE: removalpolicy
2020LOC: Config.replPolicy
2021DEFAULT: lru
2022DOC_START
2023 The cache replacement policy parameter determines which
2024 objects are evicted (replaced) when disk space is needed.
6b698a21 2025
41bd17a4 2026 lru : Squid's original list based LRU policy
2027 heap GDSF : Greedy-Dual Size Frequency
2028 heap LFUDA: Least Frequently Used with Dynamic Aging
2029 heap LRU : LRU policy implemented using a heap
6b698a21 2030
41bd17a4 2031 Applies to any cache_dir lines listed below this.
7f7db318 2032
41bd17a4 2033 The LRU policies keeps recently referenced objects.
0976f8db 2034
41bd17a4 2035 The heap GDSF policy optimizes object hit rate by keeping smaller
2036 popular objects in cache so it has a better chance of getting a
2037 hit. It achieves a lower byte hit rate than LFUDA though since
2038 it evicts larger (possibly popular) objects.
0976f8db 2039
41bd17a4 2040 The heap LFUDA policy keeps popular objects in cache regardless of
2041 their size and thus optimizes byte hit rate at the expense of
2042 hit rate since one large, popular object will prevent many
2043 smaller, slightly less popular objects from being cached.
0976f8db 2044
41bd17a4 2045 Both policies utilize a dynamic aging mechanism that prevents
2046 cache pollution that can otherwise occur with frequency-based
2047 replacement policies.
7d90757b 2048
41bd17a4 2049 NOTE: if using the LFUDA replacement policy you should increase
2050 the value of maximum_object_size above its default of 4096 KB to
2051 to maximize the potential byte hit rate improvement of LFUDA.
dc1af3cf 2052
41bd17a4 2053 For more information about the GDSF and LFUDA cache replacement
2054 policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
2055 and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
6b698a21 2056DOC_END
0976f8db 2057
41bd17a4 2058NAME: cache_dir
2059TYPE: cachedir
2060DEFAULT: none
41bd17a4 2061LOC: Config.cacheSwap
6b698a21 2062DOC_START
41bd17a4 2063 Usage:
0976f8db 2064
41bd17a4 2065 cache_dir Type Directory-Name Fs-specific-data [options]
0976f8db 2066
41bd17a4 2067 You can specify multiple cache_dir lines to spread the
2068 cache among different disk partitions.
0976f8db 2069
41bd17a4 2070 Type specifies the kind of storage system to use. Only "ufs"
2071 is built by default. To enable any of the other storage systems
2072 see the --enable-storeio configure option.
0976f8db 2073
41bd17a4 2074 'Directory' is a top-level directory where cache swap
2075 files will be stored. If you want to use an entire disk
2076 for caching, this can be the mount-point directory.
2077 The directory must exist and be writable by the Squid
2078 process. Squid will NOT create this directory for you.
0976f8db 2079
41bd17a4 2080 The ufs store type:
0976f8db 2081
41bd17a4 2082 "ufs" is the old well-known Squid storage format that has always
2083 been there.
0976f8db 2084
41bd17a4 2085 cache_dir ufs Directory-Name Mbytes L1 L2 [options]
0976f8db 2086
41bd17a4 2087 'Mbytes' is the amount of disk space (MB) to use under this
2088 directory. The default is 100 MB. Change this to suit your
2089 configuration. Do NOT put the size of your disk drive here.
2090 Instead, if you want Squid to use the entire disk drive,
2091 subtract 20% and use that value.
0976f8db 2092
41bd17a4 2093 'Level-1' is the number of first-level subdirectories which
2094 will be created under the 'Directory'. The default is 16.
0976f8db 2095
41bd17a4 2096 'Level-2' is the number of second-level subdirectories which
2097 will be created under each first-level directory. The default
2098 is 256.
0976f8db 2099
41bd17a4 2100 The aufs store type:
7f7db318 2101
41bd17a4 2102 "aufs" uses the same storage format as "ufs", utilizing
2103 POSIX-threads to avoid blocking the main Squid process on
2104 disk-I/O. This was formerly known in Squid as async-io.
38f9c547 2105
41bd17a4 2106 cache_dir aufs Directory-Name Mbytes L1 L2 [options]
38f9c547 2107
41bd17a4 2108 see argument descriptions under ufs above
38f9c547 2109
41bd17a4 2110 The diskd store type:
38f9c547 2111
41bd17a4 2112 "diskd" uses the same storage format as "ufs", utilizing a
2113 separate process to avoid blocking the main Squid process on
2114 disk-I/O.
4c3ef9b2 2115
41bd17a4 2116 cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
0976f8db 2117
41bd17a4 2118 see argument descriptions under ufs above
0976f8db 2119
41bd17a4 2120 Q1 specifies the number of unacknowledged I/O requests when Squid
2121 stops opening new files. If this many messages are in the queues,
2122 Squid won't open new files. Default is 64
0976f8db 2123
41bd17a4 2124 Q2 specifies the number of unacknowledged messages when Squid
2125 starts blocking. If this many messages are in the queues,
2126 Squid blocks until it receives some replies. Default is 72
0976f8db 2127
41bd17a4 2128 When Q1 < Q2 (the default), the cache directory is optimized
2129 for lower response time at the expense of a decrease in hit
2130 ratio. If Q1 > Q2, the cache directory is optimized for
2131 higher hit ratio at the expense of an increase in response
2132 time.
0976f8db 2133
41bd17a4 2134 The coss store type:
0976f8db 2135
db263d62
AJ		 2136 NP: COSS filesystem in Squid-3 has been deemed too unstable for
2137 production use and has thus been removed from this release.
2138 We hope that it can be made usable again soon.
2139
41bd17a4 2140 block-size=n defines the "block size" for COSS cache_dir's.
2141 Squid uses file numbers as block numbers. Since file numbers
2142 are limited to 24 bits, the block size determines the maximum
2143 size of the COSS partition. The default is 512 bytes, which
2144 leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
2145 you should not change the coss block size after Squid
2146 has written some objects to the cache_dir.
0976f8db 2147
41bd17a4 2148 The coss file store has changed from 2.5. Now it uses a file
2149 called 'stripe' in the directory names in the config - and
2150 this will be created by squid -z.
0976f8db 2151
41bd17a4 2152 Common options:
0976f8db 2153
41bd17a4 2154 no-store, no new objects should be stored to this cache_dir
0976f8db 2155
41bd17a4 2156 max-size=n, refers to the max object size this storedir supports.
2157 It is used to initially choose the storedir to dump the object.
2158 Note: To make optimal use of the max-size limits you should order
2159 the cache_dir lines with the smallest max-size value first and the
2160 ones with no max-size specification last.
0976f8db 2161
41bd17a4 2162 Note for coss, max-size must be less than COSS_MEMBUF_SZ,
2163 which can be changed with the --with-coss-membuf-size=N configure
2164 option.
bebc043b 2165NOCOMMENT_START
df2eec10 2166# cache_dir ufs @DEFAULT_SWAP_DIR@ 100 16 256
bebc043b 2167NOCOMMENT_END
6b698a21 2168DOC_END
0976f8db 2169
41bd17a4 2170NAME: store_dir_select_algorithm
2171TYPE: string
2172LOC: Config.store_dir_select_algorithm
2173DEFAULT: least-load
6b698a21 2174DOC_START
41bd17a4 2175 Set this to 'round-robin' as an alternative.
6b698a21 2176DOC_END
0976f8db 2177
41bd17a4 2178NAME: max_open_disk_fds
2179TYPE: int
2180LOC: Config.max_open_disk_fds
2181DEFAULT: 0
6b698a21 2182DOC_START
41bd17a4 2183 To avoid having disk as the I/O bottleneck Squid can optionally
2184 bypass the on-disk cache if more than this amount of disk file
2185 descriptors are open.
2186
2187 A value of 0 indicates no limit.
6b698a21 2188DOC_END
0976f8db 2189
41bd17a4 2190NAME: minimum_object_size
6b698a21 2191COMMENT: (bytes)
47f6e231 2192TYPE: b_int64_t
6b698a21 2193DEFAULT: 0 KB
41bd17a4 2194LOC: Config.Store.minObjectSize
6b698a21 2195DOC_START
41bd17a4 2196 Objects smaller than this size will NOT be saved on disk. The
2197 value is specified in kilobytes, and the default is 0 KB, which
2198 means there is no minimum.
6b698a21 2199DOC_END
0976f8db 2200
41bd17a4 2201NAME: maximum_object_size
2202COMMENT: (bytes)
2203TYPE: b_int64_t
2204DEFAULT: 4096 KB
2205LOC: Config.Store.maxObjectSize
777831e0 2206DOC_START
41bd17a4 2207 Objects larger than this size will NOT be saved on disk. The
2208 value is specified in kilobytes, and the default is 4MB. If
2209 you wish to get a high BYTES hit ratio, you should probably
2210 increase this (one 32 MB object hit counts for 3200 10KB
2211 hits). If you wish to increase speed more than your want to
2212 save bandwidth you should leave this low.
777831e0 2213
41bd17a4 2214 NOTE: if using the LFUDA replacement policy you should increase
2215 this value to maximize the byte hit rate improvement of LFUDA!
2216 See replacement_policy below for a discussion of this policy.
6b698a21 2217DOC_END
0976f8db 2218
41bd17a4 2219NAME: cache_swap_low
2220COMMENT: (percent, 0-100)
5473c134 2221TYPE: int
41bd17a4 2222DEFAULT: 90
2223LOC: Config.Swap.lowWaterMark
2224DOC_NONE
2225
2226NAME: cache_swap_high
2227COMMENT: (percent, 0-100)
2228TYPE: int
2229DEFAULT: 95
2230LOC: Config.Swap.highWaterMark
6b698a21 2231DOC_START
41bd17a4 2232
2233 The low- and high-water marks for cache object replacement.
2234 Replacement begins when the swap (disk) usage is above the
2235 low-water mark and attempts to maintain utilization near the
2236 low-water mark. As swap utilization gets close to high-water
2237 mark object eviction becomes more aggressive. If utilization is
2238 close to the low-water mark less replacement is done each time.
2239
2240 Defaults are 90% and 95%. If you have a large cache, 5% could be
2241 hundreds of MB. If this is the case you may wish to set these
2242 numbers closer together.
6b698a21 2243DOC_END
0976f8db 2244
5473c134 2245COMMENT_START
41bd17a4 2246 LOGFILE OPTIONS
5473c134 2247 -----------------------------------------------------------------------------
2248COMMENT_END
0976f8db 2249
41bd17a4 2250NAME: logformat
2251TYPE: logformat
2252LOC: Config.Log.logformats
5473c134 2253DEFAULT: none
6b698a21 2254DOC_START
41bd17a4 2255 Usage:
0976f8db 2256
41bd17a4 2257 logformat <name> <format specification>
0976f8db 2258
41bd17a4 2259 Defines an access log format.
6b698a21 2260
41bd17a4 2261 The <format specification> is a string with embedded % format codes
5473c134 2262
41bd17a4 2263 % format codes all follow the same basic structure where all but
2264 the formatcode is optional. Output strings are automatically escaped
2265 as required according to their context and the output format
2266 modifiers are usually not needed, but can be specified if an explicit
2267 output format is desired.
6b698a21 2268
41bd17a4 2269 % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
0976f8db 2270
41bd17a4 2271 " output in quoted string format
2272 [ output in squid text log format as used by log_mime_hdrs
2273 # output in URL quoted format
2274 ' output as-is
5473c134 2275
41bd17a4 2276 - left aligned
2277 width field width. If starting with 0 the
2278 output is zero padded
2279 {arg} argument such as header name etc
5473c134 2280
41bd17a4 2281 Format codes:
5473c134 2282
41bd17a4 2283 >a Client source IP address
2284 >A Client FQDN
2285 >p Client source port
2286 <A Server IP address or peer name
2287 la Local IP address (http_port)
2288 lp Local port number (http_port)
2289 ts Seconds since epoch
2290 tu subsecond time (milliseconds)
2291 tl Local time. Optional strftime format argument
2292 default %d/%b/%Y:%H:%M:%S %z
2293 tg GMT time. Optional strftime format argument
2294 default %d/%b/%Y:%H:%M:%S %z
2295 tr Response time (milliseconds)
2296 >h Request header. Optional header name argument
2297 on the format header[:[separator]element]
2298 <h Reply header. Optional header name argument
2299 as for >h
2300 un User name
2301 ul User name from authentication
2302 ui User name from ident
2303 us User name from SSL
2304 ue User name from external acl helper
2305 Hs HTTP status code
2306 Ss Squid request status (TCP_MISS etc)
2307 Sh Squid hierarchy status (DEFAULT_PARENT etc)
2308 mt MIME content type
2309 rm Request method (GET/POST etc)
2310 ru Request URL
2311 rp Request URL-Path excluding hostname
2312 rv Request protocol version
2313 et Tag returned by external acl
2314 ea Log string returned by external acl
2315 <st Reply size including HTTP headers
1a86db31
AJ		 2316 >st Request size including HTTP headers
2317 st Request+Reply size including HTTP headers
41bd17a4 2318 <sH Reply high offset sent
2319 <sS Upstream object size
2320 % a literal % character
5473c134 2321
7d9acc3c
AJ		 2322 The default formats available (which do not need re-defining) are:
2323
2324logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
2325logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
41bd17a4 2326logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
2327logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
5473c134 2328DOC_END
2329
41bd17a4 2330NAME: access_log cache_access_log
2331TYPE: access_log
2332LOC: Config.Log.accesslogs
02424612 2333DEFAULT: none
01ddaf65 2334DEFAULT_IF_NONE: @DEFAULT_ACCESS_LOG@ squid
5473c134 2335DOC_START
41bd17a4 2336 These files log client request activities. Has a line every HTTP or
2337 ICP request. The format is:
2338 access_log <filepath> [<logformat name> [acl acl ...]]
2339 access_log none [acl acl ...]]
5473c134 2340
41bd17a4 2341 Will log to the specified file using the specified format (which
2342 must be defined in a logformat directive) those entries which match
2343 ALL the acl's specified (which must be defined in acl clauses).
2344 If no acl is specified, all requests will be logged to this file.
5473c134 2345
41bd17a4 2346 To disable logging of a request use the filepath "none", in which case
2347 a logformat name should not be specified.
5473c134 2348
41bd17a4 2349 To log the request via syslog specify a filepath of "syslog":
5473c134 2350
41bd17a4 2351 access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
2352 where facility could be any of:
2353 authpriv, daemon, local0 .. local7 or user.
5473c134 2354
41bd17a4 2355 And priority could be any of:
2356 err, warning, notice, info, debug.
df2eec10
AJ		 2357
2358 Default:
2359 access_log @DEFAULT_ACCESS_LOG@ squid
41bd17a4 2360DOC_END
5473c134 2361
5b0f5383 2362NAME: log_access
2363TYPE: acl_access
2364LOC: Config.accessList.log
2365DEFAULT: none
2366COMMENT: allow|deny acl acl...
2367DOC_START
2368 This options allows you to control which requests gets logged
2369 to access.log (see access_log directive). Requests denied for
2370 logging will also not be accounted for in performance counters.
2371DOC_END
2372
41bd17a4 2373NAME: cache_log
2374TYPE: string
02424612 2375DEFAULT: none
01ddaf65 2376DEFAULT_IF_NONE: @DEFAULT_CACHE_LOG@
41bd17a4 2377LOC: Config.Log.log
2378DOC_START
2379 Cache logging file. This is where general information about
2380 your cache's behavior goes. You can increase the amount of data
2381 logged to this file with the "debug_options" tag below.
2382DOC_END
5473c134 2383
41bd17a4 2384NAME: cache_store_log
2385TYPE: string
df2eec10 2386DEFAULT: none
41bd17a4 2387LOC: Config.Log.store
2388DOC_START
2389 Logs the activities of the storage manager. Shows which
2390 objects are ejected from the cache, and which objects are
df2eec10
AJ		 2391 saved and for how long. To disable, enter "none" or remove the line.
2392 There are not really utilities to analyze this data, so you can safely
41bd17a4 2393 disable it.
df2eec10
AJ		 2394NOCOMMENT_START
2395# cache_store_log @DEFAULT_STORE_LOG@
2396NOCOMMENT_END
5473c134 2397DOC_END
2398
41bd17a4 2399NAME: cache_swap_state cache_swap_log
2400TYPE: string
2401LOC: Config.Log.swap
5473c134 2402DEFAULT: none
2403DOC_START
41bd17a4 2404 Location for the cache "swap.state" file. This index file holds
2405 the metadata of objects saved on disk. It is used to rebuild
2406 the cache during startup. Normally this file resides in each
2407 'cache_dir' directory, but you may specify an alternate
2408 pathname here. Note you must give a full filename, not just
2409 a directory. Since this is the index for the whole object
2410 list you CANNOT periodically rotate it!
5473c134 2411
41bd17a4 2412 If %s can be used in the file name it will be replaced with a
2413 a representation of the cache_dir name where each / is replaced
2414 with '.'. This is needed to allow adding/removing cache_dir
2415 lines when cache_swap_log is being used.
5473c134 2416
41bd17a4 2417 If have more than one 'cache_dir', and %s is not used in the name
2418 these swap logs will have names such as:
5473c134 2419
41bd17a4 2420 cache_swap_log.00
2421 cache_swap_log.01
2422 cache_swap_log.02
5473c134 2423
41bd17a4 2424 The numbered extension (which is added automatically)
2425 corresponds to the order of the 'cache_dir' lines in this
2426 configuration file. If you change the order of the 'cache_dir'
2427 lines in this file, these index files will NOT correspond to
2428 the correct 'cache_dir' entry (unless you manually rename
2429 them). We recommend you do NOT use this option. It is
2430 better to keep these index files in each 'cache_dir' directory.
5473c134 2431DOC_END
2432
41bd17a4 2433NAME: logfile_rotate
2434TYPE: int
2435DEFAULT: 10
2436LOC: Config.Log.rotateNumber
5473c134 2437DOC_START
41bd17a4 2438 Specifies the number of logfile rotations to make when you
2439 type 'squid -k rotate'. The default is 10, which will rotate
2440 with extensions 0 through 9. Setting logfile_rotate to 0 will
2441 disable the file name rotation, but the logfiles are still closed
2442 and re-opened. This will enable you to rename the logfiles
2443 yourself just before sending the rotate signal.
5473c134 2444
41bd17a4 2445 Note, the 'squid -k rotate' command normally sends a USR1
2446 signal to the running squid process. In certain situations
2447 (e.g. on Linux with Async I/O), USR1 is used for other
2448 purposes, so -k rotate uses another signal. It is best to get
2449 in the habit of using 'squid -k rotate' instead of 'kill -USR1
2450 <pid>'.
2451DOC_END
5473c134 2452
41bd17a4 2453NAME: emulate_httpd_log
2454COMMENT: on|off
2455TYPE: onoff
2456DEFAULT: off
2457LOC: Config.onoff.common_log
2458DOC_START
2459 The Cache can emulate the log file format which many 'httpd'
2460 programs use. To disable/enable this emulation, set
2461 emulate_httpd_log to 'off' or 'on'. The default
2462 is to use the native log format since it includes useful
2463 information Squid-specific log analyzers use.
5473c134 2464DOC_END
2465
41bd17a4 2466NAME: log_ip_on_direct
2467COMMENT: on|off
2468TYPE: onoff
5473c134 2469DEFAULT: on
41bd17a4 2470LOC: Config.onoff.log_ip_on_direct
5473c134 2471DOC_START
41bd17a4 2472 Log the destination IP address in the hierarchy log tag when going
2473 direct. Earlier Squid versions logged the hostname here. If you
2474 prefer the old way set this to off.
2475DOC_END
5473c134 2476
41bd17a4 2477NAME: mime_table
2478TYPE: string
2479DEFAULT: @DEFAULT_MIME_TABLE@
2480LOC: Config.mimeTablePathname
2481DOC_START
2482 Pathname to Squid's MIME table. You shouldn't need to change
2483 this, but the default file contains examples and formatting
2484 information if you do.
5473c134 2485DOC_END
2486
41bd17a4 2487NAME: log_mime_hdrs
2488COMMENT: on|off
2489TYPE: onoff
2490LOC: Config.onoff.log_mime_hdrs
2491DEFAULT: off
2492DOC_START
2493 The Cache can record both the request and the response MIME
2494 headers for each HTTP transaction. The headers are encoded
2495 safely and will appear as two bracketed fields at the end of
2496 the access log (for either the native or httpd-emulated log
2497 formats). To enable this logging set log_mime_hdrs to 'on'.
2498DOC_END
5473c134 2499
41bd17a4 2500NAME: useragent_log
2501TYPE: string
2502LOC: Config.Log.useragent
2503DEFAULT: none
2504IFDEF: USE_USERAGENT_LOG
5473c134 2505DOC_START
41bd17a4 2506 Squid will write the User-Agent field from HTTP requests
2507 to the filename specified here. By default useragent_log
2508 is disabled.
5473c134 2509DOC_END
2510
41bd17a4 2511NAME: referer_log referrer_log
2512TYPE: string
2513LOC: Config.Log.referer
2514DEFAULT: none
2515IFDEF: USE_REFERER_LOG
5473c134 2516DOC_START
41bd17a4 2517 Squid will write the Referer field from HTTP requests to the
2518 filename specified here. By default referer_log is disabled.
2519 Note that "referer" is actually a misspelling of "referrer"
2520 however the misspelt version has been accepted into the HTTP RFCs
2521 and we accept both.
5473c134 2522DOC_END
2523
41bd17a4 2524NAME: pid_filename
2525TYPE: string
2526DEFAULT: @DEFAULT_PID_FILE@
2527LOC: Config.pidFilename
5473c134 2528DOC_START
41bd17a4 2529 A filename to write the process-id to. To disable, enter "none".
5473c134 2530DOC_END
2531
41bd17a4 2532NAME: debug_options
fb6a61d1 2533TYPE: eol
41bd17a4 2534DEFAULT: ALL,1
2535LOC: Config.debugOptions
5473c134 2536DOC_START
41bd17a4 2537 Logging options are set as section,level where each source file
2538 is assigned a unique section. Lower levels result in less
2539 output, Full debugging (level 9) can result in a very large
2540 log file, so be careful. The magic word "ALL" sets debugging
2541 levels for all sections. We recommend normally running with
2542 "ALL,1".
5473c134 2543DOC_END
2544
41bd17a4 2545NAME: log_fqdn
2546COMMENT: on|off
2547TYPE: onoff
2548DEFAULT: off
2549LOC: Config.onoff.log_fqdn
5473c134 2550DOC_START
41bd17a4 2551 Turn this on if you wish to log fully qualified domain names
2552 in the access.log. To do this Squid does a DNS lookup of all
2553 IP's connecting to it. This can (in some situations) increase
2554 latency, which makes your cache seem slower for interactive
2555 browsing.
5473c134 2556DOC_END
2557
41bd17a4 2558NAME: client_netmask
2559TYPE: address
2560LOC: Config.Addrs.client_netmask
2561DEFAULT: 255.255.255.255
5473c134 2562DOC_START
41bd17a4 2563 A netmask for client addresses in logfiles and cachemgr output.
2564 Change this to protect the privacy of your cache clients.
2565 A netmask of 255.255.255.0 will log all IP's in that range with
2566 the last digit set to '0'.
5473c134 2567DOC_END
2568
41bd17a4 2569NAME: forward_log
2570IFDEF: WIP_FWD_LOG
2571TYPE: string
2572DEFAULT: none
2573LOC: Config.Log.forward
5473c134 2574DOC_START
41bd17a4 2575 Logs the server-side requests.
5473c134 2576
41bd17a4 2577 This is currently work in progress.
5473c134 2578DOC_END
2579
41bd17a4 2580NAME: strip_query_terms
5473c134 2581TYPE: onoff
41bd17a4 2582LOC: Config.onoff.strip_query_terms
5473c134 2583DEFAULT: on
2584DOC_START
41bd17a4 2585 By default, Squid strips query terms from requested URLs before
2586 logging. This protects your user's privacy.
5473c134 2587DOC_END
2588
41bd17a4 2589NAME: buffered_logs
2590COMMENT: on|off
2591TYPE: onoff
2592DEFAULT: off
2593LOC: Config.onoff.buffered_logs
5473c134 2594DOC_START
41bd17a4 2595 cache.log log file is written with stdio functions, and as such
2596 it can be buffered or unbuffered. By default it will be unbuffered.
2597 Buffering it can speed up the writing slightly (though you are
2598 unlikely to need to worry unless you run with tons of debugging
2599 enabled in which case performance will suffer badly anyway..).
6b698a21 2600DOC_END
0976f8db 2601
2b753521 2602NAME: netdb_filename
2603TYPE: string
2604DEFAULT: @DEFAULT_NETDB_FILE@
2605LOC: Config.netdbFilename
fb6a61d1 2606IFDEF: USE_ICMP
2b753521 2607DOC_START
2608 A filename where Squid stores it's netdb state between restarts.
2609 To disable, enter "none".
2610DOC_END
2611
41bd17a4 2612COMMENT_START
2613 OPTIONS FOR FTP GATEWAYING
2614 -----------------------------------------------------------------------------
2615COMMENT_END
2616
2617NAME: ftp_user
2618TYPE: string
2619DEFAULT: Squid@
2620LOC: Config.Ftp.anon_user
6b698a21 2621DOC_START
41bd17a4 2622 If you want the anonymous login password to be more informative
2623 (and enable the use of picky ftp servers), set this to something
2624 reasonable for your domain, like wwwuser@somewhere.net
7f7db318 2625
41bd17a4 2626 The reason why this is domainless by default is the
2627 request can be made on the behalf of a user in any domain,
2628 depending on how the cache is used.
2629 Some ftp server also validate the email address is valid
2630 (for example perl.com).
6b698a21 2631DOC_END
0976f8db 2632
41bd17a4 2633NAME: ftp_list_width
2634TYPE: size_t
2635DEFAULT: 32
2636LOC: Config.Ftp.list_width
6b698a21 2637DOC_START
41bd17a4 2638 Sets the width of ftp listings. This should be set to fit in
2639 the width of a standard browser. Setting this too small
2640 can cut off long filenames when browsing ftp sites.
6b698a21 2641DOC_END
9e7dbc51 2642
41bd17a4 2643NAME: ftp_passive
2644TYPE: onoff
2645DEFAULT: on
2646LOC: Config.Ftp.passive
6b698a21 2647DOC_START
41bd17a4 2648 If your firewall does not allow Squid to use passive
2649 connections, turn off this option.
a689bd4e 2650
2651 Use of ftp_epsv_all option requires this to be ON.
2652DOC_END
2653
2654NAME: ftp_epsv_all
2655TYPE: onoff
2656DEFAULT: off
2657LOC: Config.Ftp.epsv_all
2658DOC_START
2659 FTP Protocol extensions permit the use of a special "EPSV ALL" command.
2660
2661 NATs may be able to put the connection on a "fast path" through the
2662 translator, as the EPRT command will never be used and therefore,
2663 translation of the data portion of the segments will never be needed.
2664
2665 When a client only expects to do two-way FTP transfers this may be useful.
2666 If squid finds that it must do a three-way FTP transfer after issuing
2667 an EPSV ALL command, the FTP session will fail.
2668
2669 If you have any doubts about this option do not use it.
2670 Squid will nicely attempt all other connection methods.
2671
2672 Requires ftp_passive to be ON (default)
41bd17a4 2673DOC_END
9e7dbc51 2674
41bd17a4 2675NAME: ftp_sanitycheck
2676TYPE: onoff
2677DEFAULT: on
2678LOC: Config.Ftp.sanitycheck
2679DOC_START
2680 For security and data integrity reasons Squid by default performs
2681 sanity checks of the addresses of FTP data connections ensure the
2682 data connection is to the requested server. If you need to allow
2683 FTP connections to servers using another IP address for the data
2684 connection turn this off.
2685DOC_END
9e7dbc51 2686
41bd17a4 2687NAME: ftp_telnet_protocol
2688TYPE: onoff
2689DEFAULT: on
2690LOC: Config.Ftp.telnet
2691DOC_START
2692 The FTP protocol is officially defined to use the telnet protocol
2693 as transport channel for the control connection. However, many
2694 implementations are broken and does not respect this aspect of
2695 the FTP protocol.
2696
2697 If you have trouble accessing files with ASCII code 255 in the
2698 path or similar problems involving this ASCII code you can
2699 try setting this directive to off. If that helps, report to the
2700 operator of the FTP server in question that their FTP server
2701 is broken and does not follow the FTP standard.
2702DOC_END
2703
2704COMMENT_START
2705 OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
2706 -----------------------------------------------------------------------------
2707COMMENT_END
2708
2709NAME: diskd_program
2710TYPE: string
2711DEFAULT: @DEFAULT_DISKD@
2712LOC: Config.Program.diskd
2713DOC_START
2714 Specify the location of the diskd executable.
2715 Note this is only useful if you have compiled in
2716 diskd as one of the store io modules.
2717DOC_END
2718
2719NAME: unlinkd_program
2720IFDEF: USE_UNLINKD
2721TYPE: string
2722DEFAULT: @DEFAULT_UNLINKD@
2723LOC: Config.Program.unlinkd
2724DOC_START
2725 Specify the location of the executable for file deletion process.
2726DOC_END
2727
2728NAME: pinger_program
2729TYPE: string
2730DEFAULT: @DEFAULT_PINGER@
cc192b50 2731LOC: Config.pinger.program
41bd17a4 2732IFDEF: USE_ICMP
2733DOC_START
2734 Specify the location of the executable for the pinger process.
2735DOC_END
2736
cc192b50 2737NAME: pinger_enable
2738TYPE: onoff
2739DEFAULT: on
2740LOC: Config.pinger.enable
2741IFDEF: USE_ICMP
2742DOC_START
2743 Control whether the pinger is active at run-time.
2744 Enables turning ICMP pinger on and off with a simple squid -k reconfigure.
2745DOC_END
2746
2747
41bd17a4 2748COMMENT_START
2749 OPTIONS FOR URL REWRITING
2750 -----------------------------------------------------------------------------
2751COMMENT_END
2752
2753NAME: url_rewrite_program redirect_program
2754TYPE: wordlist
2755LOC: Config.Program.redirect
2756DEFAULT: none
2757DOC_START
2758 Specify the location of the executable for the URL rewriter.
2759 Since they can perform almost any function there isn't one included.
2760
2761 For each requested URL rewriter will receive on line with the format
2762
c71adec1 2763 URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
2764
2765 In the future, the rewriter interface will be extended with
2766 key=value pairs ("kvpairs" shown above). Rewriter programs
2767 should be prepared to receive and possibly ignore additional
2768 whitespace-separated tokens on each input line.
41bd17a4 2769
2770 And the rewriter may return a rewritten URL. The other components of
2771 the request line does not need to be returned (ignored if they are).
2772
2773 The rewriter can also indicate that a client-side redirect should
2774 be performed to the new URL. This is done by prefixing the returned
2775 URL with "301:" (moved permanently) or 302: (moved temporarily).
2776
2777 By default, a URL rewriter is not used.
2778DOC_END
2779
2780NAME: url_rewrite_children redirect_children
2781TYPE: int
2782DEFAULT: 5
2783LOC: Config.redirectChildren
2784DOC_START
2785 The number of redirector processes to spawn. If you start
2786 too few Squid will have to wait for them to process a backlog of
2787 URLs, slowing it down. If you start too many they will use RAM
2788 and other system resources.
2789DOC_END
2790
2791NAME: url_rewrite_concurrency redirect_concurrency
2792TYPE: int
2793DEFAULT: 0
2794LOC: Config.redirectConcurrency
2795DOC_START
2796 The number of requests each redirector helper can handle in
2797 parallel. Defaults to 0 which indicates the redirector
2798 is a old-style single threaded redirector.
6a171502
AJ		 2799
2800 When this directive is set to a value >= 1 then the protocol
2801 used to communicate with the helper is modified to include
2802 a request ID in front of the request/response. The request
2803 ID from the request must be echoed back with the response
2804 to that request.
41bd17a4 2805DOC_END
2806
2807NAME: url_rewrite_host_header redirect_rewrites_host_header
2808TYPE: onoff
2809DEFAULT: on
2810LOC: Config.onoff.redir_rewrites_host
2811DOC_START
2812 By default Squid rewrites any Host: header in redirected
2813 requests. If you are running an accelerator this may
2814 not be a wanted effect of a redirector.
2815
2816 WARNING: Entries are cached on the result of the URL rewriting
2817 process, so be careful if you have domain-virtual hosts.
2818DOC_END
2819
2820NAME: url_rewrite_access redirector_access
2821TYPE: acl_access
2822DEFAULT: none
2823LOC: Config.accessList.redirector
2824DOC_START
2825 If defined, this access list specifies which requests are
2826 sent to the redirector processes. By default all requests
2827 are sent.
2828DOC_END
2829
2830NAME: url_rewrite_bypass redirector_bypass
2831TYPE: onoff
2832LOC: Config.onoff.redirector_bypass
2833DEFAULT: off
2834DOC_START
2835 When this is 'on', a request will not go through the
2836 redirector if all redirectors are busy. If this is 'off'
2837 and the redirector queue grows too large, Squid will exit
2838 with a FATAL error and ask you to increase the number of
2839 redirectors. You should only enable this if the redirectors
2840 are not critical to your caching system. If you use
2841 redirectors for access control, and you enable this option,
2842 users may have access to pages they should not
2843 be allowed to request.
2844DOC_END
2845
2846COMMENT_START
2847 OPTIONS FOR TUNING THE CACHE
2848 -----------------------------------------------------------------------------
2849COMMENT_END
2850
f04b37d8 2851NAME: cache no_cache
2852TYPE: acl_access
2853DEFAULT: none
2854LOC: Config.accessList.noCache
41bd17a4 2855DOC_START
240887f0 2856 A list of ACL elements which, if matched and denied, cause the request to
f04b37d8 2857 not be satisfied from the cache and the reply to not be cached.
2858 In other words, use this to force certain objects to never be cached.
41bd17a4 2859
240887f0 2860 You must use the words 'allow' or 'deny' to indicate whether items
2861 matching the ACL should be allowed or denied into the cache.
f04b37d8 2862
240887f0 2863 Default is to allow all to be cached.
41bd17a4 2864DOC_END
2865
2866NAME: refresh_pattern
2867TYPE: refreshpattern
2868LOC: Config.Refresh
2869DEFAULT: none
2870DOC_START
2871 usage: refresh_pattern [-i] regex min percent max [options]
9e7dbc51 2872
6b698a21 2873 By default, regular expressions are CASE-SENSITIVE. To make
2874 them case-insensitive, use the -i option.
9e7dbc51 2875
41bd17a4 2876 'Min' is the time (in minutes) an object without an explicit
2877 expiry time should be considered fresh. The recommended
2878 value is 0, any higher values may cause dynamic applications
2879 to be erroneously cached unless the application designer
2880 has taken the appropriate actions.
9e7dbc51 2881
41bd17a4 2882 'Percent' is a percentage of the objects age (time since last
2883 modification age) an object without explicit expiry time
2884 will be considered fresh.
5b807763 2885
41bd17a4 2886 'Max' is an upper limit on how long objects without an explicit
2887 expiry time will be considered fresh.
9e7dbc51 2888
41bd17a4 2889 options: override-expire
2890 override-lastmod
2891 reload-into-ims
2892 ignore-reload
2893 ignore-no-cache
2894 ignore-no-store
2895 ignore-private
2896 ignore-auth
2897 refresh-ims
a0ec9f68 2898
41bd17a4 2899 override-expire enforces min age even if the server
9b2ad080
HN		 2900 sent an explicit expiry time (e.g., with the
2901 Expires: header or Cache-Control: max-age). Doing this
2902 VIOLATES the HTTP standard. Enabling this feature
2903 could make you liable for problems which it causes.
6468fe10 2904
41bd17a4 2905 override-lastmod enforces min age even on objects
2906 that were modified recently.
934b03fc 2907
41bd17a4 2908 reload-into-ims changes client no-cache or ``reload''
2909 to If-Modified-Since requests. Doing this VIOLATES the
2910 HTTP standard. Enabling this feature could make you
2911 liable for problems which it causes.
dba79ac5 2912
41bd17a4 2913 ignore-reload ignores a client no-cache or ``reload''
2914 header. Doing this VIOLATES the HTTP standard. Enabling
2915 this feature could make you liable for problems which
2916 it causes.
9bc73deb 2917
41bd17a4 2918 ignore-no-cache ignores any ``Pragma: no-cache'' and
2919 ``Cache-control: no-cache'' headers received from a server.
2920 The HTTP RFC never allows the use of this (Pragma) header
2921 from a server, only a client, though plenty of servers
2922 send it anyway.
2923
2924 ignore-no-store ignores any ``Cache-control: no-store''
2925 headers received from a server. Doing this VIOLATES
2926 the HTTP standard. Enabling this feature could make you
2927 liable for problems which it causes.
2928
2929 ignore-private ignores any ``Cache-control: private''
2930 headers received from a server. Doing this VIOLATES
2931 the HTTP standard. Enabling this feature could make you
2932 liable for problems which it causes.
2933
2934 ignore-auth caches responses to requests with authorization,
2935 as if the originserver had sent ``Cache-control: public''
2936 in the response header. Doing this VIOLATES the HTTP standard.
2937 Enabling this feature could make you liable for problems which
2938 it causes.
2939
2940 refresh-ims causes squid to contact the origin server
2941 when a client issues an If-Modified-Since request. This
2942 ensures that the client will receive an updated version
2943 if one is available.
2944
2945 Basically a cached object is:
2946
2947 FRESH if expires < now, else STALE
2948 STALE if age > max
2949 FRESH if lm-factor < percent, else STALE
2950 FRESH if age < min
2951 else STALE
2952
2953 The refresh_pattern lines are checked in the order listed here.
2954 The first entry which matches is used. If none of the entries
2955 match the default will be used.
2956
2957 Note, you must uncomment all the default lines if you want
2958 to change one. The default setting is only active if none is
2959 used.
2960
2961Suggested default:
2962NOCOMMENT_START
2963refresh_pattern ^ftp: 1440 20% 10080
2964refresh_pattern ^gopher: 1440 0% 1440
89db45fa 2965refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
41bd17a4 2966refresh_pattern . 0 20% 4320
2967NOCOMMENT_END
2968DOC_END
2969
2970NAME: quick_abort_min
2971COMMENT: (KB)
2972TYPE: kb_int64_t
2973DEFAULT: 16 KB
2974LOC: Config.quickAbort.min
2975DOC_NONE
2976
2977NAME: quick_abort_max
2978COMMENT: (KB)
2979TYPE: kb_int64_t
2980DEFAULT: 16 KB
2981LOC: Config.quickAbort.max
2982DOC_NONE
2983
2984NAME: quick_abort_pct
2985COMMENT: (percent)
2986TYPE: int
2987DEFAULT: 95
2988LOC: Config.quickAbort.pct
2989DOC_START
2990 The cache by default continues downloading aborted requests
2991 which are almost completed (less than 16 KB remaining). This
2992 may be undesirable on slow (e.g. SLIP) links and/or very busy
2993 caches. Impatient users may tie up file descriptors and
2994 bandwidth by repeatedly requesting and immediately aborting
2995 downloads.
2996
2997 When the user aborts a request, Squid will check the
2998 quick_abort values to the amount of data transfered until
2999 then.
3000
3001 If the transfer has less than 'quick_abort_min' KB remaining,
3002 it will finish the retrieval.
3003
3004 If the transfer has more than 'quick_abort_max' KB remaining,
3005 it will abort the retrieval.
3006
3007 If more than 'quick_abort_pct' of the transfer has completed,
3008 it will finish the retrieval.
3009
3010 If you do not want any retrieval to continue after the client
3011 has aborted, set both 'quick_abort_min' and 'quick_abort_max'
3012 to '0 KB'.
3013
3014 If you want retrievals to always continue if they are being
3015 cached set 'quick_abort_min' to '-1 KB'.
3016DOC_END
60d096f4 3017
41bd17a4 3018NAME: read_ahead_gap
3019COMMENT: buffer-size
3020TYPE: b_int64_t
3021LOC: Config.readAheadGap
3022DEFAULT: 16 KB
3023DOC_START
3024 The amount of data the cache will buffer ahead of what has been
3025 sent to the client when retrieving an object from another server.
3026DOC_END
53e738c6 3027
41bd17a4 3028NAME: negative_ttl
ac9cc053 3029IFDEF: HTTP_VIOLATIONS
41bd17a4 3030COMMENT: time-units
3031TYPE: time_t
3032LOC: Config.negativeTtl
ac9cc053 3033DEFAULT: 0 seconds
41bd17a4 3034DOC_START
ac9cc053
AJ		 3035 Set the Default Time-to-Live (TTL) for failed requests.
3036 Certain types of failures (such as "connection refused" and
3037 "404 Not Found") are able to be negatively-cached for a short time.
3038 Modern web servers should provide Expires: header, however if they
3039 do not this can provide a minimum TTL.
3040 The default is not to cache errors with unknown expiry details.
3041
3042 Note that this is different from negative caching of DNS lookups.
39956c7c
AJ		 3043
3044 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3045 this feature could make you liable for problems which it
3046 causes.
41bd17a4 3047DOC_END
53e738c6 3048
41bd17a4 3049NAME: positive_dns_ttl
3050COMMENT: time-units
3051TYPE: time_t
3052LOC: Config.positiveDnsTtl
3053DEFAULT: 6 hours
3054DOC_START
3055 Upper limit on how long Squid will cache positive DNS responses.
3056 Default is 6 hours (360 minutes). This directive must be set
3057 larger than negative_dns_ttl.
3058DOC_END
c4ab8329 3059
41bd17a4 3060NAME: negative_dns_ttl
3061COMMENT: time-units
3062TYPE: time_t
3063LOC: Config.negativeDnsTtl
3064DEFAULT: 1 minutes
3065DOC_START
3066 Time-to-Live (TTL) for negative caching of failed DNS lookups.
3067 This also sets the lower cache limit on positive lookups.
3068 Minimum value is 1 second, and it is not recommendable to go
3069 much below 10 seconds.
3070DOC_END
7df0bfd7 3071
41bd17a4 3072NAME: range_offset_limit
3073COMMENT: (bytes)
3074TYPE: b_int64_t
3075LOC: Config.rangeOffsetLimit
3076DEFAULT: 0 KB
3077DOC_START
3078 Sets a upper limit on how far into the the file a Range request
3079 may be to cause Squid to prefetch the whole file. If beyond this
3080 limit Squid forwards the Range request as it is and the result
3081 is NOT cached.
c4ab8329 3082
41bd17a4 3083 This is to stop a far ahead range request (lets say start at 17MB)
3084 from making Squid fetch the whole object up to that point before
3085 sending anything to the client.
a7ad6e4e 3086
41bd17a4 3087 A value of -1 causes Squid to always fetch the object from the
3088 beginning so it may cache the result. (2.0 style)
a7ad6e4e 3089
41bd17a4 3090 A value of 0 causes Squid to never fetch more than the
3091 client requested. (default)
3092DOC_END
d95b862f 3093
41bd17a4 3094NAME: minimum_expiry_time
3095COMMENT: (seconds)
3096TYPE: time_t
3097LOC: Config.minimum_expiry_time
3098DEFAULT: 60 seconds
3099DOC_START
3100 The minimum caching time according to (Expires - Date)
3101 Headers Squid honors if the object can't be revalidated
649fa918 3102 defaults to 60 seconds. In reverse proxy environments it
41bd17a4 3103 might be desirable to honor shorter object lifetimes. It
3104 is most likely better to make your server return a
3105 meaningful Last-Modified header however. In ESI environments
3106 where page fragments often have short lifetimes, this will
3107 often be best set to 0.
3108DOC_END
c68e9c6b 3109
41bd17a4 3110NAME: store_avg_object_size
3111COMMENT: (kbytes)
3e62bd58 3112TYPE: kb_int64_t
41bd17a4 3113DEFAULT: 13 KB
3114LOC: Config.Store.avgObjectSize
3115DOC_START
3116 Average object size, used to estimate number of objects your
3117 cache can hold. The default is 13 KB.
cccac0a2 3118DOC_END
3119
41bd17a4 3120NAME: store_objects_per_bucket
3121TYPE: int
3122DEFAULT: 20
3123LOC: Config.Store.objectsPerBucket
3124DOC_START
3125 Target number of objects per bucket in the store hash table.
3126 Lowering this value increases the total number of buckets and
3127 also the storage maintenance rate. The default is 20.
3128DOC_END
3129
3130COMMENT_START
3131 HTTP OPTIONS
3132 -----------------------------------------------------------------------------
3133COMMENT_END
3134
f04b37d8 3135NAME: request_header_max_size
3136COMMENT: (KB)
3137TYPE: b_size_t
df2eec10 3138DEFAULT: 64 KB
f04b37d8 3139LOC: Config.maxRequestHeaderSize
3140DOC_START
3141 This specifies the maximum size for HTTP headers in a request.
3142 Request headers are usually relatively small (about 512 bytes).
3143 Placing a limit on the request header size will catch certain
3144 bugs (for example with persistent connections) and possibly
3145 buffer-overflow or denial-of-service attacks.
3146DOC_END
3147
3148NAME: reply_header_max_size
3149COMMENT: (KB)
3150TYPE: b_size_t
df2eec10 3151DEFAULT: 64 KB
f04b37d8 3152LOC: Config.maxReplyHeaderSize
3153DOC_START
3154 This specifies the maximum size for HTTP headers in a reply.
3155 Reply headers are usually relatively small (about 512 bytes).
3156 Placing a limit on the reply header size will catch certain
3157 bugs (for example with persistent connections) and possibly
3158 buffer-overflow or denial-of-service attacks.
3159DOC_END
3160
3161NAME: request_body_max_size
3162COMMENT: (bytes)
3163TYPE: b_int64_t
3164DEFAULT: 0 KB
3165LOC: Config.maxRequestBodySize
3166DOC_START
3167 This specifies the maximum size for an HTTP request body.
3168 In other words, the maximum size of a PUT/POST request.
3169 A user who attempts to send a request with a body larger
3170 than this limit receives an "Invalid Request" error message.
3171 If you set this parameter to a zero (the default), there will
3172 be no limit imposed.
3173DOC_END
3174
41bd17a4 3175NAME: broken_posts
cccac0a2 3176TYPE: acl_access
cccac0a2 3177DEFAULT: none
41bd17a4 3178LOC: Config.accessList.brokenPosts
cccac0a2 3179DOC_START
41bd17a4 3180 A list of ACL elements which, if matched, causes Squid to send
3181 an extra CRLF pair after the body of a PUT/POST request.
cccac0a2 3182
41bd17a4 3183 Some HTTP servers has broken implementations of PUT/POST,
3184 and rely on an extra CRLF pair sent by some WWW clients.
cccac0a2 3185
41bd17a4 3186 Quote from RFC2616 section 4.1 on this matter:
cccac0a2 3187
41bd17a4 3188 Note: certain buggy HTTP/1.0 client implementations generate an
3189 extra CRLF's after a POST request. To restate what is explicitly
3190 forbidden by the BNF, an HTTP/1.1 client must not preface or follow
3191 a request with an extra CRLF.
cccac0a2 3192
41bd17a4 3193Example:
3194 acl buggy_server url_regex ^http://....
3195 broken_posts allow buggy_server
3196DOC_END
cccac0a2 3197
41bd17a4 3198NAME: via
3199IFDEF: HTTP_VIOLATIONS
3200COMMENT: on|off
3201TYPE: onoff
3202DEFAULT: on
3203LOC: Config.onoff.via
3204DOC_START
3205 If set (default), Squid will include a Via header in requests and
3206 replies as required by RFC2616.
3207DOC_END
4cc6eb12 3208
41bd17a4 3209NAME: ie_refresh
3210COMMENT: on|off
3211TYPE: onoff
3212LOC: Config.onoff.ie_refresh
3213DEFAULT: off
3214DOC_START
3215 Microsoft Internet Explorer up until version 5.5 Service
3216 Pack 1 has an issue with transparent proxies, wherein it
3217 is impossible to force a refresh. Turning this on provides
3218 a partial fix to the problem, by causing all IMS-REFRESH
3219 requests from older IE versions to check the origin server
3220 for fresh content. This reduces hit ratio by some amount
3221 (~10% in my experience), but allows users to actually get
3222 fresh content when they want it. Note because Squid
3223 cannot tell if the user is using 5.5 or 5.5SP1, the behavior
3224 of 5.5 is unchanged from old versions of Squid (i.e. a
3225 forced refresh is impossible). Newer versions of IE will,
3226 hopefully, continue to have the new behavior and will be
3227 handled based on that assumption. This option defaults to
3228 the old Squid behavior, which is better for hit ratios but
3229 worse for clients using IE, if they need to be able to
3230 force fresh content.
3231DOC_END
b9d7fe3e 3232
41bd17a4 3233NAME: vary_ignore_expire
3234COMMENT: on|off
3235TYPE: onoff
3236LOC: Config.onoff.vary_ignore_expire
3237DEFAULT: off
3238DOC_START
3239 Many HTTP servers supporting Vary gives such objects
3240 immediate expiry time with no cache-control header
3241 when requested by a HTTP/1.0 client. This option
3242 enables Squid to ignore such expiry times until
3243 HTTP/1.1 is fully implemented.
3244 WARNING: This may eventually cause some varying
3245 objects not intended for caching to get cached.
cccac0a2 3246DOC_END
c4ab8329 3247
41bd17a4 3248NAME: request_entities
3249TYPE: onoff
3250LOC: Config.onoff.request_entities
3251DEFAULT: off
3252DOC_START
3253 Squid defaults to deny GET and HEAD requests with request entities,
3254 as the meaning of such requests are undefined in the HTTP standard
3255 even if not explicitly forbidden.
0976f8db 3256
41bd17a4 3257 Set this directive to on if you have clients which insists
3258 on sending request entities in GET or HEAD requests. But be warned
3259 that there is server software (both proxies and web servers) which
3260 can fail to properly process this kind of request which may make you
3261 vulnerable to cache pollution attacks if enabled.
cccac0a2 3262DOC_END
6b53c392 3263
41bd17a4 3264NAME: request_header_access
3265IFDEF: HTTP_VIOLATIONS
3266TYPE: http_header_access[]
3267LOC: Config.request_header_access
cccac0a2 3268DEFAULT: none
cccac0a2 3269DOC_START
41bd17a4 3270 Usage: request_header_access header_name allow|deny [!]aclname ...
0976f8db 3271
41bd17a4 3272 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3273 this feature could make you liable for problems which it
3274 causes.
0976f8db 3275
41bd17a4 3276 This option replaces the old 'anonymize_headers' and the
3277 older 'http_anonymizer' option with something that is much
3278 more configurable. This new method creates a list of ACLs
3279 for each header, allowing you very fine-tuned header
3280 mangling.
934b03fc 3281
41bd17a4 3282 This option only applies to request headers, i.e., from the
3283 client to the server.
5401aa8d 3284
41bd17a4 3285 You can only specify known headers for the header name.
3286 Other headers are reclassified as 'Other'. You can also
3287 refer to all the headers with 'All'.
5401aa8d 3288
41bd17a4 3289 For example, to achieve the same behavior as the old
3290 'http_anonymizer standard' option, you should use:
5401aa8d 3291
41bd17a4 3292 request_header_access From deny all
3293 request_header_access Referer deny all
3294 request_header_access Server deny all
3295 request_header_access User-Agent deny all
3296 request_header_access WWW-Authenticate deny all
3297 request_header_access Link deny all
5401aa8d 3298
41bd17a4 3299 Or, to reproduce the old 'http_anonymizer paranoid' feature
3300 you should use:
5401aa8d 3301
41bd17a4 3302 request_header_access Allow allow all
3303 request_header_access Authorization allow all
3304 request_header_access WWW-Authenticate allow all
3305 request_header_access Proxy-Authorization allow all
3306 request_header_access Proxy-Authenticate allow all
3307 request_header_access Cache-Control allow all
3308 request_header_access Content-Encoding allow all
3309 request_header_access Content-Length allow all
3310 request_header_access Content-Type allow all
3311 request_header_access Date allow all
3312 request_header_access Expires allow all
3313 request_header_access Host allow all
3314 request_header_access If-Modified-Since allow all
3315 request_header_access Last-Modified allow all
3316 request_header_access Location allow all
3317 request_header_access Pragma allow all
3318 request_header_access Accept allow all
3319 request_header_access Accept-Charset allow all
3320 request_header_access Accept-Encoding allow all
3321 request_header_access Accept-Language allow all
3322 request_header_access Content-Language allow all
3323 request_header_access Mime-Version allow all
3324 request_header_access Retry-After allow all
3325 request_header_access Title allow all
3326 request_header_access Connection allow all
3327 request_header_access Proxy-Connection allow all
3328 request_header_access All deny all
5401aa8d 3329
41bd17a4 3330 although many of those are HTTP reply headers, and so should be
3331 controlled with the reply_header_access directive.
5401aa8d 3332
41bd17a4 3333 By default, all headers are allowed (no anonymizing is
3334 performed).
5401aa8d 3335DOC_END
3336
41bd17a4 3337NAME: reply_header_access
3338IFDEF: HTTP_VIOLATIONS
3339TYPE: http_header_access[]
3340LOC: Config.reply_header_access
cccac0a2 3341DEFAULT: none
3342DOC_START
41bd17a4 3343 Usage: reply_header_access header_name allow|deny [!]aclname ...
934b03fc 3344
41bd17a4 3345 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3346 this feature could make you liable for problems which it
3347 causes.
934b03fc 3348
41bd17a4 3349 This option only applies to reply headers, i.e., from the
3350 server to the client.
934b03fc 3351
41bd17a4 3352 This is the same as request_header_access, but in the other
3353 direction.
6b53c392 3354
41bd17a4 3355 This option replaces the old 'anonymize_headers' and the
3356 older 'http_anonymizer' option with something that is much
3357 more configurable. This new method creates a list of ACLs
3358 for each header, allowing you very fine-tuned header
3359 mangling.
cccac0a2 3360
41bd17a4 3361 You can only specify known headers for the header name.
3362 Other headers are reclassified as 'Other'. You can also
3363 refer to all the headers with 'All'.
cccac0a2 3364
41bd17a4 3365 For example, to achieve the same behavior as the old
3366 'http_anonymizer standard' option, you should use:
cccac0a2 3367
41bd17a4 3368 reply_header_access From deny all
3369 reply_header_access Referer deny all
3370 reply_header_access Server deny all
3371 reply_header_access User-Agent deny all
3372 reply_header_access WWW-Authenticate deny all
3373 reply_header_access Link deny all
cccac0a2 3374
41bd17a4 3375 Or, to reproduce the old 'http_anonymizer paranoid' feature
3376 you should use:
cccac0a2 3377
41bd17a4 3378 reply_header_access Allow allow all
3379 reply_header_access Authorization allow all
3380 reply_header_access WWW-Authenticate allow all
3381 reply_header_access Proxy-Authorization allow all
3382 reply_header_access Proxy-Authenticate allow all
3383 reply_header_access Cache-Control allow all
3384 reply_header_access Content-Encoding allow all
3385 reply_header_access Content-Length allow all
3386 reply_header_access Content-Type allow all
3387 reply_header_access Date allow all
3388 reply_header_access Expires allow all
3389 reply_header_access Host allow all
3390 reply_header_access If-Modified-Since allow all
3391 reply_header_access Last-Modified allow all
3392 reply_header_access Location allow all
3393 reply_header_access Pragma allow all
3394 reply_header_access Accept allow all
3395 reply_header_access Accept-Charset allow all
3396 reply_header_access Accept-Encoding allow all
3397 reply_header_access Accept-Language allow all
3398 reply_header_access Content-Language allow all
3399 reply_header_access Mime-Version allow all
3400 reply_header_access Retry-After allow all
3401 reply_header_access Title allow all
3402 reply_header_access Connection allow all
3403 reply_header_access Proxy-Connection allow all
3404 reply_header_access All deny all
cccac0a2 3405
41bd17a4 3406 although the HTTP request headers won't be usefully controlled
3407 by this directive -- see request_header_access for details.
cccac0a2 3408
41bd17a4 3409 By default, all headers are allowed (no anonymizing is
3410 performed).
cccac0a2 3411DOC_END
3412
41bd17a4 3413NAME: header_replace
3414IFDEF: HTTP_VIOLATIONS
3415TYPE: http_header_replace[]
3416LOC: Config.request_header_access
cccac0a2 3417DEFAULT: none
41bd17a4 3418DOC_START
3419 Usage: header_replace header_name message
3420 Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
cccac0a2 3421
41bd17a4 3422 This option allows you to change the contents of headers
3423 denied with header_access above, by replacing them with
3424 some fixed string. This replaces the old fake_user_agent
3425 option.
cccac0a2 3426
41bd17a4 3427 This only applies to request headers, not reply headers.
cccac0a2 3428
41bd17a4 3429 By default, headers are removed if denied.
3430DOC_END
cccac0a2 3431
41bd17a4 3432NAME: relaxed_header_parser
3433COMMENT: on|off|warn
3434TYPE: tristate
3435LOC: Config.onoff.relaxed_header_parser
3436DEFAULT: on
3437DOC_START
3438 In the default "on" setting Squid accepts certain forms
3439 of non-compliant HTTP messages where it is unambiguous
3440 what the sending application intended even if the message
3441 is not correctly formatted. The messages is then normalized
3442 to the correct form when forwarded by Squid.
cccac0a2 3443
41bd17a4 3444 If set to "warn" then a warning will be emitted in cache.log
3445 each time such HTTP error is encountered.
cccac0a2 3446
41bd17a4 3447 If set to "off" then such HTTP errors will cause the request
3448 or response to be rejected.
3449DOC_END
7d90757b 3450
41bd17a4 3451COMMENT_START
3452 TIMEOUTS
3453 -----------------------------------------------------------------------------
3454COMMENT_END
3455
3456NAME: forward_timeout
3457COMMENT: time-units
3458TYPE: time_t
3459LOC: Config.Timeout.forward
3460DEFAULT: 4 minutes
3461DOC_START
3462 This parameter specifies how long Squid should at most attempt in
3463 finding a forwarding path for the request before giving up.
cccac0a2 3464DOC_END
3465
41bd17a4 3466NAME: connect_timeout
3467COMMENT: time-units
3468TYPE: time_t
3469LOC: Config.Timeout.connect
3470DEFAULT: 1 minute
057f5854 3471DOC_START
41bd17a4 3472 This parameter specifies how long to wait for the TCP connect to
3473 the requested server or peer to complete before Squid should
3474 attempt to find another path where to forward the request.
057f5854 3475DOC_END
3476
41bd17a4 3477NAME: peer_connect_timeout
3478COMMENT: time-units
3479TYPE: time_t
3480LOC: Config.Timeout.peer_connect
3481DEFAULT: 30 seconds
cccac0a2 3482DOC_START
41bd17a4 3483 This parameter specifies how long to wait for a pending TCP
3484 connection to a peer cache. The default is 30 seconds. You
3485 may also set different timeout values for individual neighbors
3486 with the 'connect-timeout' option on a 'cache_peer' line.
3487DOC_END
7f7db318 3488
41bd17a4 3489NAME: read_timeout
3490COMMENT: time-units
3491TYPE: time_t
3492LOC: Config.Timeout.read
3493DEFAULT: 15 minutes
3494DOC_START
3495 The read_timeout is applied on server-side connections. After
3496 each successful read(), the timeout will be extended by this
3497 amount. If no data is read again after this amount of time,
3498 the request is aborted and logged with ERR_READ_TIMEOUT. The
3499 default is 15 minutes.
3500DOC_END
cccac0a2 3501
41bd17a4 3502NAME: request_timeout
3503TYPE: time_t
3504LOC: Config.Timeout.request
3505DEFAULT: 5 minutes
3506DOC_START
3507 How long to wait for an HTTP request after initial
3508 connection establishment.
3509DOC_END
cccac0a2 3510
41bd17a4 3511NAME: persistent_request_timeout
3512TYPE: time_t
3513LOC: Config.Timeout.persistent_request
3514DEFAULT: 2 minutes
3515DOC_START
3516 How long to wait for the next HTTP request on a persistent
3517 connection after the previous request completes.
3518DOC_END
cccac0a2 3519
41bd17a4 3520NAME: client_lifetime
3521COMMENT: time-units
3522TYPE: time_t
3523LOC: Config.Timeout.lifetime
3524DEFAULT: 1 day
3525DOC_START
3526 The maximum amount of time a client (browser) is allowed to
3527 remain connected to the cache process. This protects the Cache
3528 from having a lot of sockets (and hence file descriptors) tied up
3529 in a CLOSE_WAIT state from remote clients that go away without
3530 properly shutting down (either because of a network failure or
3531 because of a poor client implementation). The default is one
3532 day, 1440 minutes.
7d90757b 3533
41bd17a4 3534 NOTE: The default value is intended to be much larger than any
3535 client would ever need to be connected to your cache. You
3536 should probably change client_lifetime only as a last resort.
3537 If you seem to have many client connections tying up
3538 filedescriptors, we recommend first tuning the read_timeout,
3539 request_timeout, persistent_request_timeout and quick_abort values.
cccac0a2 3540DOC_END
3541
41bd17a4 3542NAME: half_closed_clients
3543TYPE: onoff
3544LOC: Config.onoff.half_closed_clients
3545DEFAULT: on
4eb368f9 3546DOC_START
41bd17a4 3547 Some clients may shutdown the sending side of their TCP
3548 connections, while leaving their receiving sides open. Sometimes,
3549 Squid can not tell the difference between a half-closed and a
3550 fully-closed TCP connection. By default, half-closed client
3551 connections are kept open until a read(2) or write(2) on the
3552 socket returns an error. Change this option to 'off' and Squid
3553 will immediately close client connections when read(2) returns
3554 "no more data to read."
4eb368f9 3555DOC_END
3556
41bd17a4 3557NAME: pconn_timeout
3558TYPE: time_t
3559LOC: Config.Timeout.pconn
3560DEFAULT: 1 minute
cccac0a2 3561DOC_START
41bd17a4 3562 Timeout for idle persistent connections to servers and other
3563 proxies.
3564DOC_END
cccac0a2 3565
41bd17a4 3566NAME: ident_timeout
3567TYPE: time_t
3568IFDEF: USE_IDENT
3569LOC: Config.Timeout.ident
3570DEFAULT: 10 seconds
3571DOC_START
3572 Maximum time to wait for IDENT lookups to complete.
cccac0a2 3573
41bd17a4 3574 If this is too high, and you enabled IDENT lookups from untrusted
3575 users, you might be susceptible to denial-of-service by having
3576 many ident requests going at once.
cccac0a2 3577DOC_END
3578
41bd17a4 3579NAME: shutdown_lifetime
3580COMMENT: time-units
3581TYPE: time_t
3582LOC: Config.shutdownLifetime
3583DEFAULT: 30 seconds
cccac0a2 3584DOC_START
41bd17a4 3585 When SIGTERM or SIGHUP is received, the cache is put into
3586 "shutdown pending" mode until all active sockets are closed.
3587 This value is the lifetime to set for all open descriptors
3588 during shutdown mode. Any active clients after this many
3589 seconds will receive a 'timeout' message.
cccac0a2 3590DOC_END
0976f8db 3591
cccac0a2 3592COMMENT_START
3593 ADMINISTRATIVE PARAMETERS
3594 -----------------------------------------------------------------------------
3595COMMENT_END
3596
3597NAME: cache_mgr
3598TYPE: string
3599DEFAULT: webmaster
3600LOC: Config.adminEmail
3601DOC_START
3602 Email-address of local cache manager who will receive
3603 mail if the cache dies. The default is "webmaster."
3604DOC_END
3605
abacf776 3606NAME: mail_from
3607TYPE: string
3608DEFAULT: none
3609LOC: Config.EmailFrom
3610DOC_START
3611 From: email-address for mail sent when the cache dies.
3612 The default is to use 'appname@unique_hostname'.
b8c0c06d 3613 Default appname value is "squid", can be changed into
abacf776 3614 src/globals.h before building squid.
3615DOC_END
3616
d084bf20 3617NAME: mail_program
3618TYPE: eol
3619DEFAULT: mail
3620LOC: Config.EmailProgram
3621DOC_START
3622 Email program used to send mail if the cache dies.
846a5e31 3623 The default is "mail". The specified program must comply
d084bf20 3624 with the standard Unix mail syntax:
846a5e31 3625 mail-program recipient < mailfile
3626
d084bf20 3627 Optional command line options can be specified.
3628DOC_END
3629
cccac0a2 3630NAME: cache_effective_user
3631TYPE: string
5483d916 3632DEFAULT: @DEFAULT_CACHE_EFFECTIVE_USER@
cccac0a2 3633LOC: Config.effectiveUser
e3d74828 3634DOC_START
3635 If you start Squid as root, it will change its effective/real
3636 UID/GID to the user specified below. The default is to change
5483d916 3637 to UID of @DEFAULT_CACHE_EFFECTIVE_USER@.
64e288bd 3638 see also; cache_effective_group
e3d74828 3639DOC_END
3640
cccac0a2 3641NAME: cache_effective_group
3642TYPE: string
3643DEFAULT: none
3644LOC: Config.effectiveGroup
3645DOC_START
64e288bd 3646 Squid sets the GID to the effective user's default group ID
3647 (taken from the password file) and supplementary group list
3648 from the groups membership.
3649
e3d74828 3650 If you want Squid to run with a specific GID regardless of
3651 the group memberships of the effective user then set this
3652 to the group (or GID) you want Squid to run as. When set
64e288bd 3653 all other group privileges of the effective user are ignored
e3d74828 3654 and only this GID is effective. If Squid is not started as
64e288bd 3655 root the user starting Squid MUST be member of the specified
e3d74828 3656 group.
64e288bd 3657
3658 This option is not recommended by the Squid Team.
3659 Our preference is for administrators to configure a secure
3660 user account for squid with UID/GID matching system policies.
cccac0a2 3661DOC_END
3662
d3caee79 3663NAME: httpd_suppress_version_string
3664COMMENT: on|off
3665TYPE: onoff
3666DEFAULT: off
3667LOC: Config.onoff.httpd_suppress_version_string
3668DOC_START
3669 Suppress Squid version string info in HTTP headers and HTML error pages.
3670DOC_END
3671
cccac0a2 3672NAME: visible_hostname
3673TYPE: string
3674LOC: Config.visibleHostname
3675DEFAULT: none
3676DOC_START
3677 If you want to present a special hostname in error messages, etc,
7f7db318 3678 define this. Otherwise, the return value of gethostname()
cccac0a2 3679 will be used. If you have multiple caches in a cluster and
3680 get errors about IP-forwarding you must set them to have individual
3681 names with this setting.
3682DOC_END
3683
cccac0a2 3684NAME: unique_hostname
3685TYPE: string
3686LOC: Config.uniqueHostname
3687DEFAULT: none
3688DOC_START
3689 If you want to have multiple machines with the same
7f7db318 3690 'visible_hostname' you must give each machine a different
3691 'unique_hostname' so forwarding loops can be detected.
cccac0a2 3692DOC_END
3693
cccac0a2 3694NAME: hostname_aliases
3695TYPE: wordlist
3696LOC: Config.hostnameAliases
3697DEFAULT: none
3698DOC_START
7f7db318 3699 A list of other DNS names your cache has.
cccac0a2 3700DOC_END
0976f8db 3701
c642c141
AJ		 3702NAME: umask
3703TYPE: int
3704LOC: Config.umask
3705DEFAULT: 027
3706DOC_START
3707 Minimum umask which should be enforced while the proxy
3708 is running, in addition to the umask set at startup.
3709
3710 For a traditional octal representation of umasks, start
3711 your value with 0.
3712DOC_END
3713
cccac0a2 3714COMMENT_START
3715 OPTIONS FOR THE CACHE REGISTRATION SERVICE
3716 -----------------------------------------------------------------------------
3717
3718 This section contains parameters for the (optional) cache
3719 announcement service. This service is provided to help
3720 cache administrators locate one another in order to join or
3721 create cache hierarchies.
3722
3723 An 'announcement' message is sent (via UDP) to the registration
3724 service by Squid. By default, the announcement message is NOT
3725 SENT unless you enable it with 'announce_period' below.
3726
3727 The announcement message includes your hostname, plus the
3728 following information from this configuration file:
3729
3730 http_port
3731 icp_port
3732 cache_mgr
3733
3734 All current information is processed regularly and made
3735 available on the Web at http://www.ircache.net/Cache/Tracker/.
3736COMMENT_END
3737
3738NAME: announce_period
3739TYPE: time_t
3740LOC: Config.Announce.period
3741DEFAULT: 0
3742DOC_START
3743 This is how frequently to send cache announcements. The
3744 default is `0' which disables sending the announcement
3745 messages.
3746
3747 To enable announcing your cache, just uncomment the line
3748 below.
3749
3750NOCOMMENT_START
9e7dbc51 3751#To enable announcing your cache, just uncomment the line below.
3752#announce_period 1 day
cccac0a2 3753NOCOMMENT_END
3754DOC_END
3755
cccac0a2 3756NAME: announce_host
3757TYPE: string
3758DEFAULT: tracker.ircache.net
3759LOC: Config.Announce.host
3760DOC_NONE
3761
3762NAME: announce_file
3763TYPE: string
3764DEFAULT: none
3765LOC: Config.Announce.file
3766DOC_NONE
3767
3768NAME: announce_port
3769TYPE: ushort
3770DEFAULT: 3131
3771LOC: Config.Announce.port
3772DOC_START
3773 announce_host and announce_port set the hostname and port
3774 number where the registration message will be sent.
3775
3776 Hostname will default to 'tracker.ircache.net' and port will
3777 default default to 3131. If the 'filename' argument is given,
3778 the contents of that file will be included in the announce
3779 message.
3780DOC_END
3781
8d6275c0 3782COMMENT_START
3783 HTTPD-ACCELERATOR OPTIONS
3784 -----------------------------------------------------------------------------
3785COMMENT_END
3786
cccac0a2 3787NAME: httpd_accel_surrogate_id
f41735ea 3788IFDEF: USE_SQUID_ESI
cccac0a2 3789TYPE: string
3790LOC: Config.Accel.surrogate_id
3791DEFAULT: unset-id
3792DOC_START
3793 Surrogates (http://www.esi.org/architecture_spec_1.0.html)
3794 need an identification token to allow control targeting. Because
3795 a farm of surrogates may all perform the same tasks, they may share
3796 an identification token.
3797DOC_END
3798
3799NAME: http_accel_surrogate_remote
f41735ea 3800IFDEF: USE_SQUID_ESI
cccac0a2 3801COMMENT: on|off
3802TYPE: onoff
3803DEFAULT: off
3804LOC: Config.onoff.surrogate_is_remote
3805DOC_START
3806 Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
3807 Set this to on to have squid behave as a remote surrogate.
3808DOC_END
3809
3810NAME: esi_parser
f41735ea 3811IFDEF: USE_SQUID_ESI
964b44c3 3812COMMENT: libxml2|expat|custom
cccac0a2 3813TYPE: string
3814LOC: ESIParser::Type
3815DEFAULT: custom
3816DOC_START
3817 ESI markup is not strictly XML compatible. The custom ESI parser
3818 will give higher performance, but cannot handle non ASCII character
3819 encodings.
3820DOC_END
0976f8db 3821
9edd9041 3822COMMENT_START
8d6275c0 3823 DELAY POOL PARAMETERS
9edd9041 3824 -----------------------------------------------------------------------------
3825COMMENT_END
3826
3827NAME: delay_pools
3828TYPE: delay_pool_count
3829DEFAULT: 0
3830IFDEF: DELAY_POOLS
3831LOC: Config.Delay
3832DOC_START
3833 This represents the number of delay pools to be used. For example,
3834 if you have one class 2 delay pool and one class 3 delays pool, you
3835 have a total of 2 delay pools.
3836DOC_END
3837
3838NAME: delay_class
3839TYPE: delay_pool_class
3840DEFAULT: none
3841IFDEF: DELAY_POOLS
3842LOC: Config.Delay
3843DOC_START
3844 This defines the class of each delay pool. There must be exactly one
3845 delay_class line for each delay pool. For example, to define two
3846 delay pools, one of class 2 and one of class 3, the settings above
3847 and here would be:
3848
3849Example:
3850 delay_pools 4 # 4 delay pools
3851 delay_class 1 2 # pool 1 is a class 2 pool
3852 delay_class 2 3 # pool 2 is a class 3 pool
3853 delay_class 3 4 # pool 3 is a class 4 pool
3854 delay_class 4 5 # pool 4 is a class 5 pool
3855
3856 The delay pool classes are:
3857
3858 class 1 Everything is limited by a single aggregate
3859 bucket.
3860
3861 class 2 Everything is limited by a single aggregate
3862 bucket as well as an "individual" bucket chosen
3863 from bits 25 through 32 of the IP address.
3864
3865 class 3 Everything is limited by a single aggregate
3866 bucket as well as a "network" bucket chosen
3867 from bits 17 through 24 of the IP address and a
3868 "individual" bucket chosen from bits 17 through
3869 32 of the IP address.
3870
3871 class 4 Everything in a class 3 delay pool, with an
3872 additional limit on a per user basis. This
3873 only takes effect if the username is established
3874 in advance - by forcing authentication in your
3875 http_access rules.
3876
3877 class 5 Requests are grouped according their tag (see
3878 external_acl's tag= reply).
3879
3880 NOTE: If an IP address is a.b.c.d
3881 -> bits 25 through 32 are "d"
3882 -> bits 17 through 24 are "c"
3883 -> bits 17 through 32 are "c * 256 + d"
3884DOC_END
3885
3886NAME: delay_access
3887TYPE: delay_pool_access
3888DEFAULT: none
3889IFDEF: DELAY_POOLS
3890LOC: Config.Delay
3891DOC_START
3892 This is used to determine which delay pool a request falls into.
3893
3894 delay_access is sorted per pool and the matching starts with pool 1,
3895 then pool 2, ..., and finally pool N. The first delay pool where the
3896 request is allowed is selected for the request. If it does not allow
3897 the request to any pool then the request is not delayed (default).
3898
3899 For example, if you want some_big_clients in delay
3900 pool 1 and lotsa_little_clients in delay pool 2:
3901
3902Example:
3903 delay_access 1 allow some_big_clients
3904 delay_access 1 deny all
3905 delay_access 2 allow lotsa_little_clients
3906 delay_access 2 deny all
3907 delay_access 3 allow authenticated_clients
3908DOC_END
3909
3910NAME: delay_parameters
3911TYPE: delay_pool_rates
3912DEFAULT: none
3913IFDEF: DELAY_POOLS
3914LOC: Config.Delay
3915DOC_START
3916 This defines the parameters for a delay pool. Each delay pool has
3917 a number of "buckets" associated with it, as explained in the
3918 description of delay_class. For a class 1 delay pool, the syntax is:
3919
3920delay_parameters pool aggregate
3921
3922 For a class 2 delay pool:
3923
3924delay_parameters pool aggregate individual
3925
3926 For a class 3 delay pool:
3927
3928delay_parameters pool aggregate network individual
3929
3930 For a class 4 delay pool:
3931
3932delay_parameters pool aggregate network individual user
3933
3934 For a class 5 delay pool:
3935
3936delay_parameters pool tag
3937
3938 The variables here are:
3939
3940 pool a pool number - ie, a number between 1 and the
3941 number specified in delay_pools as used in
3942 delay_class lines.
3943
3944 aggregate the "delay parameters" for the aggregate bucket
3945 (class 1, 2, 3).
3946
3947 individual the "delay parameters" for the individual
3948 buckets (class 2, 3).
3949
3950 network the "delay parameters" for the network buckets
3951 (class 3).
3952
3953 user the delay parameters for the user buckets
3954 (class 4).
3955
3956 tag the delay parameters for the tag buckets
3957 (class 5).
3958
3959 A pair of delay parameters is written restore/maximum, where restore is
3960 the number of bytes (not bits - modem and network speeds are usually
3961 quoted in bits) per second placed into the bucket, and maximum is the
3962 maximum number of bytes which can be in the bucket at any time.
3963
3964 For example, if delay pool number 1 is a class 2 delay pool as in the
3965 above example, and is being used to strictly limit each host to 64kbps
3966 (plus overheads), with no overall limit, the line is:
3967
3968delay_parameters 1 -1/-1 8000/8000
3969
3970 Note that the figure -1 is used to represent "unlimited".
3971
3972 And, if delay pool number 2 is a class 3 delay pool as in the above
3973 example, and you want to limit it to a total of 256kbps (strict limit)
3974 with each 8-bit network permitted 64kbps (strict limit) and each
3975 individual host permitted 4800bps with a bucket maximum size of 64kb
3976 to permit a decent web page to be downloaded at a decent speed
3977 (if the network is not being limited due to overuse) but slow down
3978 large downloads more significantly:
3979
3980delay_parameters 2 32000/32000 8000/8000 600/8000
3981
3982 There must be one delay_parameters line for each delay pool.
3983
3984 Finally, for a class 4 delay pool as in the example - each user will
3985 be limited to 128Kb no matter how many workstations they are logged into.:
3986
3987delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
3988DOC_END
3989
3990NAME: delay_initial_bucket_level
3991COMMENT: (percent, 0-100)
3992TYPE: ushort
3993DEFAULT: 50
3994IFDEF: DELAY_POOLS
3995LOC: Config.Delay.initial
3996DOC_START
3997 The initial bucket percentage is used to determine how much is put
3998 in each bucket when squid starts, is reconfigured, or first notices
3999 a host accessing it (in class 2 and class 3, individual hosts and
4000 networks only have buckets associated with them once they have been
4001 "seen" by squid).
4002DOC_END
4003
cccac0a2 4004COMMENT_START
8d6275c0 4005 WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
cccac0a2 4006 -----------------------------------------------------------------------------
4007COMMENT_END
4008
8d6275c0 4009NAME: wccp_router
4010TYPE: address
4011LOC: Config.Wccp.router
4012DEFAULT: 0.0.0.0
4013IFDEF: USE_WCCP
e313ab0a
AJ		 4014DOC_START
4015 Use this option to define your WCCP ``home'' router for
4016 Squid.
4017
4018 wccp_router supports a single WCCP(v1) router
4019
4020 wccp2_router supports multiple WCCPv2 routers
4021
4022 only one of the two may be used at the same time and defines
4023 which version of WCCP to use.
4024DOC_END
df2eec10 4025
8d6275c0 4026NAME: wccp2_router
9fb4efad 4027TYPE: IpAddress_list
8d6275c0 4028LOC: Config.Wccp2.router
cccac0a2 4029DEFAULT: none
8d6275c0 4030IFDEF: USE_WCCPv2
cccac0a2 4031DOC_START
8d6275c0 4032 Use this option to define your WCCP ``home'' router for
4033 Squid.
cccac0a2 4034
8d6275c0 4035 wccp_router supports a single WCCP(v1) router
cccac0a2 4036
8d6275c0 4037 wccp2_router supports multiple WCCPv2 routers
cccac0a2 4038
8d6275c0 4039 only one of the two may be used at the same time and defines
4040 which version of WCCP to use.
4041DOC_END
4042
4043NAME: wccp_version
cccac0a2 4044TYPE: int
8d6275c0 4045LOC: Config.Wccp.version
4046DEFAULT: 4
4047IFDEF: USE_WCCP
cccac0a2 4048DOC_START
8d6275c0 4049 This directive is only relevant if you need to set up WCCP(v1)
4050 to some very old and end-of-life Cisco routers. In all other
4051 setups it must be left unset or at the default setting.
4052 It defines an internal version in the WCCP(v1) protocol,
4053 with version 4 being the officially documented protocol.
cccac0a2 4054
8d6275c0 4055 According to some users, Cisco IOS 11.2 and earlier only
4056 support WCCP version 3. If you're using that or an earlier
4057 version of IOS, you may need to change this value to 3, otherwise
4058 do not specify this parameter.
cccac0a2 4059DOC_END
4060
8d6275c0 4061NAME: wccp2_rebuild_wait
4062TYPE: onoff
4063LOC: Config.Wccp2.rebuildwait
4064DEFAULT: on
4065IFDEF: USE_WCCPv2
4066DOC_START
4067 If this is enabled Squid will wait for the cache dir rebuild to finish
4068 before sending the first wccp2 HereIAm packet
4069DOC_END
cccac0a2 4070
8d6275c0 4071NAME: wccp2_forwarding_method
e313ab0a 4072TYPE: wccp2_method
8d6275c0 4073LOC: Config.Wccp2.forwarding_method
451c4786 4074DEFAULT: gre
8d6275c0 4075IFDEF: USE_WCCPv2
cccac0a2 4076DOC_START
699acd19 4077 WCCP2 allows the setting of forwarding methods between the
8d6275c0 4078 router/switch and the cache. Valid values are as follows:
cccac0a2 4079
451c4786
AJ		 4080 gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4081 l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
cccac0a2 4082
8d6275c0 4083 Currently (as of IOS 12.4) cisco routers only support GRE.
4084 Cisco switches only support the L2 redirect assignment method.
cccac0a2 4085DOC_END
4086
8d6275c0 4087NAME: wccp2_return_method
e313ab0a 4088TYPE: wccp2_method
8d6275c0 4089LOC: Config.Wccp2.return_method
451c4786 4090DEFAULT: gre
8d6275c0 4091IFDEF: USE_WCCPv2
cccac0a2 4092DOC_START
699acd19 4093 WCCP2 allows the setting of return methods between the
8d6275c0 4094 router/switch and the cache for packets that the cache
4095 decides not to handle. Valid values are as follows:
cccac0a2 4096
451c4786
AJ		 4097 gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4098 l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
cccac0a2 4099
8d6275c0 4100 Currently (as of IOS 12.4) cisco routers only support GRE.
4101 Cisco switches only support the L2 redirect assignment.
cccac0a2 4102
699acd19 4103 If the "ip wccp redirect exclude in" command has been
8d6275c0 4104 enabled on the cache interface, then it is still safe for
4105 the proxy server to use a l2 redirect method even if this
4106 option is set to GRE.
cccac0a2 4107DOC_END
4108
8d6275c0 4109NAME: wccp2_assignment_method
451c4786 4110TYPE: wccp2_amethod
8d6275c0 4111LOC: Config.Wccp2.assignment_method
451c4786 4112DEFAULT: hash
8d6275c0 4113IFDEF: USE_WCCPv2
cccac0a2 4114DOC_START
8d6275c0 4115 WCCP2 allows the setting of methods to assign the WCCP hash
4116 Valid values are as follows:
cccac0a2 4117
451c4786
AJ		 4118 hash - Hash assignment
4119 mask - Mask assignment
cccac0a2 4120
8d6275c0 4121 As a general rule, cisco routers support the hash assignment method
4122 and cisco switches support the mask assignment method.
4123DOC_END
cccac0a2 4124
8d6275c0 4125NAME: wccp2_service
4126TYPE: wccp2_service
4127LOC: Config.Wccp2.info
4128DEFAULT: none
4129DEFAULT_IF_NONE: standard 0
4130IFDEF: USE_WCCPv2
4131DOC_START
4132 WCCP2 allows for multiple traffic services. There are two
4133 types: "standard" and "dynamic". The standard type defines
4134 one service id - http (id 0). The dynamic service ids can be from
4135 51 to 255 inclusive. In order to use a dynamic service id
4136 one must define the type of traffic to be redirected; this is done
4137 using the wccp2_service_info option.
4138
4139 The "standard" type does not require a wccp2_service_info option,
4140 just specifying the service id will suffice.
4141
4142 MD5 service authentication can be enabled by adding
4143 "password=<password>" to the end of this service declaration.
4144
4145 Examples:
4146
4147 wccp2_service standard 0 # for the 'web-cache' standard service
4148 wccp2_service dynamic 80 # a dynamic service type which will be
4149 # fleshed out with subsequent options.
4150 wccp2_service standard 0 password=foo
8d6275c0 4151DOC_END
4152
4153NAME: wccp2_service_info
4154TYPE: wccp2_service_info
4155LOC: Config.Wccp2.info
4156DEFAULT: none
4157IFDEF: USE_WCCPv2
4158DOC_START
4159 Dynamic WCCPv2 services require further information to define the
4160 traffic you wish to have diverted.
4161
4162 The format is:
4163
4164 wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
4165 priority=<priority> ports=<port>,<port>..
4166
4167 The relevant WCCPv2 flags:
4168 + src_ip_hash, dst_ip_hash
005fe566 4169 + source_port_hash, dst_port_hash
8d6275c0 4170 + src_ip_alt_hash, dst_ip_alt_hash
4171 + src_port_alt_hash, dst_port_alt_hash
4172 + ports_source
4173
4174 The port list can be one to eight entries.
4175
4176 Example:
4177
4178 wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
4179 priority=240 ports=80
4180
4181 Note: the service id must have been defined by a previous
4182 'wccp2_service dynamic <id>' entry.
4183DOC_END
4184
4185NAME: wccp2_weight
4186TYPE: int
4187LOC: Config.Wccp2.weight
4188DEFAULT: 10000
4189IFDEF: USE_WCCPv2
4190DOC_START
4191 Each cache server gets assigned a set of the destination
4192 hash proportional to their weight.
4193DOC_END
4194
4195NAME: wccp_address
4196TYPE: address
4197LOC: Config.Wccp.address
4198DEFAULT: 0.0.0.0
4199IFDEF: USE_WCCP
4200DOC_NONE
df2eec10 4201
8d6275c0 4202NAME: wccp2_address
4203TYPE: address
4204LOC: Config.Wccp2.address
4205DEFAULT: 0.0.0.0
4206IFDEF: USE_WCCPv2
4207DOC_START
4208 Use this option if you require WCCP to use a specific
4209 interface address.
4210
4211 The default behavior is to not bind to any specific address.
4212DOC_END
4213
4214COMMENT_START
4215 PERSISTENT CONNECTION HANDLING
4216 -----------------------------------------------------------------------------
4217
4218 Also see "pconn_timeout" in the TIMEOUTS section
4219COMMENT_END
4220
4221NAME: client_persistent_connections
4222TYPE: onoff
4223LOC: Config.onoff.client_pconns
4224DEFAULT: on
4225DOC_NONE
4226
4227NAME: server_persistent_connections
4228TYPE: onoff
4229LOC: Config.onoff.server_pconns
4230DEFAULT: on
4231DOC_START
4232 Persistent connection support for clients and servers. By
4233 default, Squid uses persistent connections (when allowed)
4234 with its clients and servers. You can use these options to
4235 disable persistent connections with clients and/or servers.
4236DOC_END
4237
4238NAME: persistent_connection_after_error
4239TYPE: onoff
4240LOC: Config.onoff.error_pconns
4241DEFAULT: off
4242DOC_START
4243 With this directive the use of persistent connections after
4244 HTTP errors can be disabled. Useful if you have clients
4245 who fail to handle errors on persistent connections proper.
4246DOC_END
4247
4248NAME: detect_broken_pconn
4249TYPE: onoff
4250LOC: Config.onoff.detect_broken_server_pconns
4251DEFAULT: off
4252DOC_START
4253 Some servers have been found to incorrectly signal the use
4254 of HTTP/1.0 persistent connections even on replies not
4255 compatible, causing significant delays. This server problem
4256 has mostly been seen on redirects.
4257
4258 By enabling this directive Squid attempts to detect such
4259 broken replies and automatically assume the reply is finished
4260 after 10 seconds timeout.
4261DOC_END
4262
4263COMMENT_START
4264 CACHE DIGEST OPTIONS
4265 -----------------------------------------------------------------------------
4266COMMENT_END
4267
4268NAME: digest_generation
4269IFDEF: USE_CACHE_DIGESTS
4270TYPE: onoff
4271LOC: Config.onoff.digest_generation
4272DEFAULT: on
4273DOC_START
4274 This controls whether the server will generate a Cache Digest
4275 of its contents. By default, Cache Digest generation is
13e917b5 4276 enabled if Squid is compiled with --enable-cache-digests defined.
8d6275c0 4277DOC_END
4278
4279NAME: digest_bits_per_entry
4280IFDEF: USE_CACHE_DIGESTS
4281TYPE: int
4282LOC: Config.digest.bits_per_entry
4283DEFAULT: 5
4284DOC_START
4285 This is the number of bits of the server's Cache Digest which
4286 will be associated with the Digest entry for a given HTTP
4287 Method and URL (public key) combination. The default is 5.
4288DOC_END
4289
4290NAME: digest_rebuild_period
4291IFDEF: USE_CACHE_DIGESTS
4292COMMENT: (seconds)
4293TYPE: time_t
4294LOC: Config.digest.rebuild_period
4295DEFAULT: 1 hour
4296DOC_START
749ceff8 4297 This is the wait time between Cache Digest rebuilds.
8d6275c0 4298DOC_END
4299
4300NAME: digest_rewrite_period
4301COMMENT: (seconds)
4302IFDEF: USE_CACHE_DIGESTS
4303TYPE: time_t
4304LOC: Config.digest.rewrite_period
4305DEFAULT: 1 hour
4306DOC_START
749ceff8 4307 This is the wait time between Cache Digest writes to
8d6275c0 4308 disk.
4309DOC_END
4310
4311NAME: digest_swapout_chunk_size
4312COMMENT: (bytes)
4313TYPE: b_size_t
4314IFDEF: USE_CACHE_DIGESTS
4315LOC: Config.digest.swapout_chunk_size
4316DEFAULT: 4096 bytes
4317DOC_START
4318 This is the number of bytes of the Cache Digest to write to
4319 disk at a time. It defaults to 4096 bytes (4KB), the Squid
4320 default swap page.
4321DOC_END
4322
4323NAME: digest_rebuild_chunk_percentage
4324COMMENT: (percent, 0-100)
4325IFDEF: USE_CACHE_DIGESTS
4326TYPE: int
4327LOC: Config.digest.rebuild_chunk_percentage
4328DEFAULT: 10
4329DOC_START
4330 This is the percentage of the Cache Digest to be scanned at a
4331 time. By default it is set to 10% of the Cache Digest.
4332DOC_END
4333
1db9eacd 4334COMMENT_START
5473c134 4335 SNMP OPTIONS
1db9eacd 4336 -----------------------------------------------------------------------------
4337COMMENT_END
4338
5473c134 4339NAME: snmp_port
4340TYPE: ushort
4341LOC: Config.Port.snmp
87630341 4342DEFAULT: 0
5473c134 4343IFDEF: SQUID_SNMP
8d6275c0 4344DOC_START
87630341 4345 The port number where Squid listens for SNMP requests. To enable
4346 SNMP support set this to a suitable port number. Port number
4347 3401 is often used for the Squid SNMP agent. By default it's
4348 set to "0" (disabled)
4349NOCOMMENT_START
4350#snmp_port 3401
4351NOCOMMENT_END
8d6275c0 4352DOC_END
4353
5473c134 4354NAME: snmp_access
4355TYPE: acl_access
4356LOC: Config.accessList.snmp
8d6275c0 4357DEFAULT: none
5473c134 4358DEFAULT_IF_NONE: deny all
4359IFDEF: SQUID_SNMP
8d6275c0 4360DOC_START
5473c134 4361 Allowing or denying access to the SNMP port.
8d6275c0 4362
5473c134 4363 All access to the agent is denied by default.
4364 usage:
8d6275c0 4365
5473c134 4366 snmp_access allow|deny [!]aclname ...
8d6275c0 4367
5473c134 4368Example:
4369 snmp_access allow snmppublic localhost
4370 snmp_access deny all
cccac0a2 4371DOC_END
4372
5473c134 4373NAME: snmp_incoming_address
4374TYPE: address
4375LOC: Config.Addrs.snmp_incoming
4376DEFAULT: 0.0.0.0
4377IFDEF: SQUID_SNMP
4378DOC_NONE
df2eec10 4379
5473c134 4380NAME: snmp_outgoing_address
4381TYPE: address
4382LOC: Config.Addrs.snmp_outgoing
4383DEFAULT: 255.255.255.255
4384IFDEF: SQUID_SNMP
cccac0a2 4385DOC_START
df2eec10 4386 Just like 'udp_incoming_address', but for the SNMP port.
cccac0a2 4387
5473c134 4388 snmp_incoming_address is used for the SNMP socket receiving
4389 messages from SNMP agents.
4390 snmp_outgoing_address is used for SNMP packets returned to SNMP
4391 agents.
cccac0a2 4392
5473c134 4393 The default snmp_incoming_address (0.0.0.0) is to listen on all
4394 available network interfaces.
cccac0a2 4395
5473c134 4396 If snmp_outgoing_address is set to 255.255.255.255 (the default)
4397 it will use the same socket as snmp_incoming_address. Only
4398 change this if you want to have SNMP replies sent using another
4399 address than where this Squid listens for SNMP queries.
cccac0a2 4400
5473c134 4401 NOTE, snmp_incoming_address and snmp_outgoing_address can not have
4402 the same value since they both use port 3401.
cccac0a2 4403DOC_END
4404
5473c134 4405COMMENT_START
4406 ICP OPTIONS
4407 -----------------------------------------------------------------------------
4408COMMENT_END
4409
4410NAME: icp_port udp_port
4411TYPE: ushort
4412DEFAULT: 0
4413LOC: Config.Port.icp
cccac0a2 4414DOC_START
5473c134 4415 The port number where Squid sends and receives ICP queries to
4416 and from neighbor caches. The standard UDP port for ICP is 3130.
4417 Default is disabled (0).
4418NOCOMMENT_START
df2eec10 4419#icp_port @DEFAULT_ICP_PORT@
5473c134 4420NOCOMMENT_END
cccac0a2 4421DOC_END
4422
5473c134 4423NAME: htcp_port
4424IFDEF: USE_HTCP
4425TYPE: ushort
87630341 4426DEFAULT: 0
5473c134 4427LOC: Config.Port.htcp
cccac0a2 4428DOC_START
5473c134 4429 The port number where Squid sends and receives HTCP queries to
87630341 4430 and from neighbor caches. To turn it on you want to set it to
4431 4827. By default it is set to "0" (disabled).
4432NOCOMMENT_START
4433#htcp_port 4827
4434NOCOMMENT_END
cccac0a2 4435DOC_END
4436
4437NAME: log_icp_queries
4438COMMENT: on|off
4439TYPE: onoff
4440DEFAULT: on
4441LOC: Config.onoff.log_udp
4442DOC_START
4443 If set, ICP queries are logged to access.log. You may wish
4444 do disable this if your ICP load is VERY high to speed things
4445 up or to simplify log analysis.
4446DOC_END
4447
5473c134 4448NAME: udp_incoming_address
4449TYPE: address
4450LOC:Config.Addrs.udp_incoming
4451DEFAULT: 0.0.0.0
8524d4b2 4452DOC_START
4453 udp_incoming_address is used for UDP packets received from other
4454 caches.
4455
4456 The default behavior is to not bind to any specific address.
4457
4458 Only change this if you want to have all UDP queries received on
4459 a specific interface/address.
4460
4461 NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
4462 modules. Altering it will affect all of them in the same manner.
4463
4464 see also; udp_outgoing_address
4465
4466 NOTE, udp_incoming_address and udp_outgoing_address can not
4467 have the same value since they both use the same port.
4468DOC_END
cccac0a2 4469
5473c134 4470NAME: udp_outgoing_address
4471TYPE: address
4472LOC: Config.Addrs.udp_outgoing
4473DEFAULT: 255.255.255.255
cccac0a2 4474DOC_START
8524d4b2 4475 udp_outgoing_address is used for UDP packets sent out to other
5473c134 4476 caches.
cccac0a2 4477
5473c134 4478 The default behavior is to not bind to any specific address.
cccac0a2 4479
8524d4b2 4480 Instead it will use the same socket as udp_incoming_address.
4481 Only change this if you want to have UDP queries sent using another
4482 address than where this Squid listens for UDP queries from other
5473c134 4483 caches.
4484
8524d4b2 4485 NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
4486 modules. Altering it will affect all of them in the same manner.
4487
4488 see also; udp_incoming_address
4489
5473c134 4490 NOTE, udp_incoming_address and udp_outgoing_address can not
8524d4b2 4491 have the same value since they both use the same port.
cccac0a2 4492DOC_END
4493
3d1e3e43 4494NAME: icp_hit_stale
4495COMMENT: on|off
4496TYPE: onoff
4497DEFAULT: off
4498LOC: Config.onoff.icp_hit_stale
4499DOC_START
4500 If you want to return ICP_HIT for stale cache objects, set this
4501 option to 'on'. If you have sibling relationships with caches
4502 in other administrative domains, this should be 'off'. If you only
4503 have sibling relationships with caches under your control,
4504 it is probably okay to set this to 'on'.
4505 If set to 'on', your siblings should use the option "allow-miss"
4506 on their cache_peer lines for connecting to you.
4507DOC_END
4508
5473c134 4509NAME: minimum_direct_hops
cccac0a2 4510TYPE: int
5473c134 4511DEFAULT: 4
4512LOC: Config.minDirectHops
cccac0a2 4513DOC_START
5473c134 4514 If using the ICMP pinging stuff, do direct fetches for sites
4515 which are no more than this many hops away.
cccac0a2 4516DOC_END
4517
5473c134 4518NAME: minimum_direct_rtt
4519TYPE: int
4520DEFAULT: 400
4521LOC: Config.minDirectRtt
cccac0a2 4522DOC_START
5473c134 4523 If using the ICMP pinging stuff, do direct fetches for sites
4524 which are no more than this many rtt milliseconds away.
cccac0a2 4525DOC_END
4526
cccac0a2 4527NAME: netdb_low
4528TYPE: int
4529DEFAULT: 900
4530LOC: Config.Netdb.low
4531DOC_NONE
4532
4533NAME: netdb_high
4534TYPE: int
4535DEFAULT: 1000
4536LOC: Config.Netdb.high
4537DOC_START
4538 The low and high water marks for the ICMP measurement
4539 database. These are counts, not percents. The defaults are
4540 900 and 1000. When the high water mark is reached, database
4541 entries will be deleted until the low mark is reached.
4542DOC_END
4543
cccac0a2 4544NAME: netdb_ping_period
4545TYPE: time_t
4546LOC: Config.Netdb.period
4547DEFAULT: 5 minutes
4548DOC_START
4549 The minimum period for measuring a site. There will be at
4550 least this much delay between successive pings to the same
4551 network. The default is five minutes.
4552DOC_END
4553
cccac0a2 4554NAME: query_icmp
4555COMMENT: on|off
4556TYPE: onoff
4557DEFAULT: off
4558LOC: Config.onoff.query_icmp
4559DOC_START
4560 If you want to ask your peers to include ICMP data in their ICP
4561 replies, enable this option.
4562
4563 If your peer has configured Squid (during compilation) with
7f7db318 4564 '--enable-icmp' that peer will send ICMP pings to origin server
4565 sites of the URLs it receives. If you enable this option the
cccac0a2 4566 ICP replies from that peer will include the ICMP data (if available).
4567 Then, when choosing a parent cache, Squid will choose the parent with
4568 the minimal RTT to the origin server. When this happens, the
4569 hierarchy field of the access.log will be
4570 "CLOSEST_PARENT_MISS". This option is off by default.
4571DOC_END
4572
4573NAME: test_reachability
4574COMMENT: on|off
4575TYPE: onoff
4576DEFAULT: off
4577LOC: Config.onoff.test_reachability
4578DOC_START
4579 When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
4580 instead of ICP_MISS if the target host is NOT in the ICMP
4581 database, or has a zero RTT.
4582DOC_END
4583
5473c134 4584NAME: icp_query_timeout
4585COMMENT: (msec)
4586DEFAULT: 0
4587TYPE: int
4588LOC: Config.Timeout.icp_query
4c3ef9b2 4589DOC_START
5473c134 4590 Normally Squid will automatically determine an optimal ICP
4591 query timeout value based on the round-trip-time of recent ICP
4592 queries. If you want to override the value determined by
4593 Squid, set this 'icp_query_timeout' to a non-zero value. This
4594 value is specified in MILLISECONDS, so, to use a 2-second
4595 timeout (the old default), you would write:
4c3ef9b2 4596
5473c134 4597 icp_query_timeout 2000
4c3ef9b2 4598DOC_END
4599
5473c134 4600NAME: maximum_icp_query_timeout
4601COMMENT: (msec)
4602DEFAULT: 2000
4603TYPE: int
4604LOC: Config.Timeout.icp_query_max
cccac0a2 4605DOC_START
5473c134 4606 Normally the ICP query timeout is determined dynamically. But
4607 sometimes it can lead to very large values (say 5 seconds).
4608 Use this option to put an upper limit on the dynamic timeout
4609 value. Do NOT use this option to always use a fixed (instead
4610 of a dynamic) timeout value. To set a fixed timeout see the
4611 'icp_query_timeout' directive.
cccac0a2 4612DOC_END
4613
5473c134 4614NAME: minimum_icp_query_timeout
4615COMMENT: (msec)
4616DEFAULT: 5
4617TYPE: int
4618LOC: Config.Timeout.icp_query_min
cccac0a2 4619DOC_START
5473c134 4620 Normally the ICP query timeout is determined dynamically. But
4621 sometimes it can lead to very small timeouts, even lower than
4622 the normal latency variance on your link due to traffic.
4623 Use this option to put an lower limit on the dynamic timeout
4624 value. Do NOT use this option to always use a fixed (instead
4625 of a dynamic) timeout value. To set a fixed timeout see the
4626 'icp_query_timeout' directive.
cccac0a2 4627DOC_END
4628
5473c134 4629NAME: background_ping_rate
4630COMMENT: time-units
4631TYPE: time_t
4632DEFAULT: 10 seconds
4633LOC: Config.backgroundPingRate
cccac0a2 4634DOC_START
5473c134 4635 Controls how often the ICP pings are sent to siblings that
4636 have background-ping set.
cccac0a2 4637DOC_END
4638
5473c134 4639COMMENT_START
4640 MULTICAST ICP OPTIONS
4641 -----------------------------------------------------------------------------
4642COMMENT_END
4643
4644NAME: mcast_groups
4645TYPE: wordlist
4646LOC: Config.mcast_group_list
8c01ada0 4647DEFAULT: none
4648DOC_START
5473c134 4649 This tag specifies a list of multicast groups which your server
4650 should join to receive multicasted ICP queries.
8c01ada0 4651
5473c134 4652 NOTE! Be very careful what you put here! Be sure you
4653 understand the difference between an ICP _query_ and an ICP
4654 _reply_. This option is to be set only if you want to RECEIVE
4655 multicast queries. Do NOT set this option to SEND multicast
4656 ICP (use cache_peer for that). ICP replies are always sent via
4657 unicast, so this option does not affect whether or not you will
4658 receive replies from multicast group members.
8c01ada0 4659
5473c134 4660 You must be very careful to NOT use a multicast address which
4661 is already in use by another group of caches.
8c01ada0 4662
5473c134 4663 If you are unsure about multicast, please read the Multicast
4664 chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
8c01ada0 4665
5473c134 4666 Usage: mcast_groups 239.128.16.128 224.0.1.20
8c01ada0 4667
5473c134 4668 By default, Squid doesn't listen on any multicast groups.
4669DOC_END
8c01ada0 4670
5473c134 4671NAME: mcast_miss_addr
4672IFDEF: MULTICAST_MISS_STREAM
4673TYPE: address
4674LOC: Config.mcast_miss.addr
4675DEFAULT: 255.255.255.255
4676DOC_START
4677 If you enable this option, every "cache miss" URL will
4678 be sent out on the specified multicast address.
cccac0a2 4679
5473c134 4680 Do not enable this option unless you are are absolutely
4681 certain you understand what you are doing.
cccac0a2 4682DOC_END
4683
5473c134 4684NAME: mcast_miss_ttl
4685IFDEF: MULTICAST_MISS_STREAM
4686TYPE: ushort
4687LOC: Config.mcast_miss.ttl
4688DEFAULT: 16
cccac0a2 4689DOC_START
5473c134 4690 This is the time-to-live value for packets multicasted
4691 when multicasting off cache miss URLs is enabled. By
4692 default this is set to 'site scope', i.e. 16.
4693DOC_END
cccac0a2 4694
5473c134 4695NAME: mcast_miss_port
4696IFDEF: MULTICAST_MISS_STREAM
4697TYPE: ushort
4698LOC: Config.mcast_miss.port
4699DEFAULT: 3135
4700DOC_START
4701 This is the port number to be used in conjunction with
4702 'mcast_miss_addr'.
4703DOC_END
cccac0a2 4704
5473c134 4705NAME: mcast_miss_encode_key
4706IFDEF: MULTICAST_MISS_STREAM
4707TYPE: string
4708LOC: Config.mcast_miss.encode_key
4709DEFAULT: XXXXXXXXXXXXXXXX
4710DOC_START
4711 The URLs that are sent in the multicast miss stream are
4712 encrypted. This is the encryption key.
4713DOC_END
8c01ada0 4714
5473c134 4715NAME: mcast_icp_query_timeout
4716COMMENT: (msec)
4717DEFAULT: 2000
4718TYPE: int
4719LOC: Config.Timeout.mcast_icp_query
4720DOC_START
4721 For multicast peers, Squid regularly sends out ICP "probes" to
4722 count how many other peers are listening on the given multicast
4723 address. This value specifies how long Squid should wait to
4724 count all the replies. The default is 2000 msec, or 2
4725 seconds.
cccac0a2 4726DOC_END
4727
5473c134 4728COMMENT_START
4729 INTERNAL ICON OPTIONS
4730 -----------------------------------------------------------------------------
4731COMMENT_END
4732
cccac0a2 4733NAME: icon_directory
4734TYPE: string
4735LOC: Config.icons.directory
4736DEFAULT: @DEFAULT_ICON_DIR@
4737DOC_START
4738 Where the icons are stored. These are normally kept in
4739 @DEFAULT_ICON_DIR@
4740DOC_END
4741
f024c970 4742NAME: global_internal_static
4743TYPE: onoff
4744LOC: Config.onoff.global_internal_static
4745DEFAULT: on
4746DOC_START
4747 This directive controls is Squid should intercept all requests for
4748 /squid-internal-static/ no matter which host the URL is requesting
4749 (default on setting), or if nothing special should be done for
4750 such URLs (off setting). The purpose of this directive is to make
4751 icons etc work better in complex cache hierarchies where it may
4752 not always be possible for all corners in the cache mesh to reach
4753 the server generating a directory listing.
4754DOC_END
4755
5473c134 4756NAME: short_icon_urls
4757TYPE: onoff
4758LOC: Config.icons.use_short_names
4759DEFAULT: on
4760DOC_START
4761 If this is enabled Squid will use short URLs for icons.
4762 If disabled it will revert to the old behavior of including
4763 it's own name and port in the URL.
4764
4765 If you run a complex cache hierarchy with a mix of Squid and
4766 other proxies you may need to disable this directive.
4767DOC_END
4768
4769COMMENT_START
4770 ERROR PAGE OPTIONS
4771 -----------------------------------------------------------------------------
4772COMMENT_END
4773
4774NAME: error_directory
4775TYPE: string
4776LOC: Config.errorDirectory
43000484 4777DEFAULT: none
5473c134 4778DOC_START
4779 If you wish to create your own versions of the default
43000484
AJ		 4780 error files to customize them to suit your company copy
4781 the error/template files to another directory and point
4782 this tag at them.
4783
4784 WARNING: This option will disable multi-language support
4785 on error pages if used.
5473c134 4786
4787 The squid developers are interested in making squid available in
4788 a wide variety of languages. If you are making translations for a
43000484 4789 language that Squid does not currently provide please consider
5473c134 4790 contributing your translation back to the project.
43000484
AJ		 4791 http://wiki.squid-cache.org/Translations
4792
4793 The squid developers working on translations are happy to supply drop-in
4794 translated error files in exchange for any new language contributions.
4795DOC_END
4796
4797NAME: error_default_language
4798IFDEF: USE_ERR_LOCALES
4799TYPE: string
4800LOC: Config.errorDefaultLanguage
4801DEFAULT: none
4802DOC_START
4803 Set the default language which squid will send error pages in
4804 if no existing translation matches the clients language
4805 preferences.
4806
4807 If unset (default) generic English will be used.
4808
4809 The squid developers are interested in making squid available in
4810 a wide variety of languages. If you are interested in making
4811 translations for any language see the squid wiki for details.
4812 http://wiki.squid-cache.org/Translations
5473c134 4813DOC_END
4814
c411820c
AJ		 4815NAME: error_log_languages
4816IFDEF: USE_ERR_LOCALES
4817TYPE: onoff
4818LOC: Config.errorLogMissingLanguages
4819DEFAULT: on
4820DOC_START
4821 Log to cache.log what languages users are attempting to
4822 auto-negotiate for translations.
4823
4824 Successful negotiations are not logged. Only failures
4825 have meaning to indicate that Squid may need an upgrade
0c49f10e 4826 of its error page translations.
c411820c
AJ		 4827DOC_END
4828
5b52cb6c
AJ		 4829NAME: err_page_stylesheet
4830TYPE: string
4831LOC: Config.errorStylesheet
4832DEFAULT: @DEFAULT_CONFIG_DIR@/errorpage.css
4833DOC_START
4834 CSS Stylesheet to pattern the display of Squid default error pages.
4835
4836 For information on CSS see http://www.w3.org/Style/CSS/
4837DOC_END
4838
5473c134 4839NAME: err_html_text
4840TYPE: eol
4841LOC: Config.errHtmlText
4842DEFAULT: none
4843DOC_START
4844 HTML text to include in error messages. Make this a "mailto"
4845 URL to your admin address, or maybe just a link to your
4846 organizations Web page.
4847
4848 To include this in your error messages, you must rewrite
4849 the error template files (found in the "errors" directory).
4850 Wherever you want the 'err_html_text' line to appear,
4851 insert a %L tag in the error template file.
4852DOC_END
4853
4854NAME: email_err_data
4855COMMENT: on|off
4856TYPE: onoff
4857LOC: Config.onoff.emailErrData
4858DEFAULT: on
4859DOC_START
4860 If enabled, information about the occurred error will be
4861 included in the mailto links of the ERR pages (if %W is set)
4862 so that the email body contains the data.
4863 Syntax is <A HREF="mailto:%w%W">%w</A>
4864DOC_END
4865
4866NAME: deny_info
4867TYPE: denyinfo
4868LOC: Config.denyInfoList
4869DEFAULT: none
4870DOC_START
4871 Usage: deny_info err_page_name acl
4872 or deny_info http://... acl
43000484 4873 or deny_info TCP_RESET acl
5473c134 4874
4875 This can be used to return a ERR_ page for requests which
4876 do not pass the 'http_access' rules. Squid remembers the last
4877 acl it evaluated in http_access, and if a 'deny_info' line exists
4878 for that ACL Squid returns a corresponding error page.
4879
4880 The acl is typically the last acl on the http_access deny line which
4881 denied access. The exceptions to this rule are:
4882 - When Squid needs to request authentication credentials. It's then
4883 the first authentication related acl encountered
4884 - When none of the http_access lines matches. It's then the last
4885 acl processed on the last http_access line.
4886
43000484
AJ		 4887 NP: If providing your own custom error pages with error_directory
4888 you may also specify them by your custom file name:
4889 Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
5473c134 4890
4891 Alternatively you can specify an error URL. The browsers will
4892 get redirected (302) to the specified URL. %s in the redirection
4893 URL will be replaced by the requested URL.
4894
4895 Alternatively you can tell Squid to reset the TCP connection
4896 by specifying TCP_RESET.
4897DOC_END
4898
4899COMMENT_START
4900 OPTIONS INFLUENCING REQUEST FORWARDING
4901 -----------------------------------------------------------------------------
4902COMMENT_END
4903
4904NAME: nonhierarchical_direct
e72a0ec0 4905TYPE: onoff
5473c134 4906LOC: Config.onoff.nonhierarchical_direct
e72a0ec0 4907DEFAULT: on
4908DOC_START
5473c134 4909 By default, Squid will send any non-hierarchical requests
4910 (matching hierarchy_stoplist or not cacheable request type) direct
4911 to origin servers.
e72a0ec0 4912
5473c134 4913 If you set this to off, Squid will prefer to send these
4914 requests to parents.
0b0cfcf2 4915
5473c134 4916 Note that in most configurations, by turning this off you will only
4917 add latency to these request without any improvement in global hit
4918 ratio.
0b0cfcf2 4919
5473c134 4920 If you are inside an firewall see never_direct instead of
4921 this directive.
8d6275c0 4922DOC_END
0b0cfcf2 4923
5473c134 4924NAME: prefer_direct
8d6275c0 4925TYPE: onoff
5473c134 4926LOC: Config.onoff.prefer_direct
8d6275c0 4927DEFAULT: off
4928DOC_START
5473c134 4929 Normally Squid tries to use parents for most requests. If you for some
4930 reason like it to first try going direct and only use a parent if
4931 going direct fails set this to on.
0b0cfcf2 4932
5473c134 4933 By combining nonhierarchical_direct off and prefer_direct on you
4934 can set up Squid to use a parent as a backup path if going direct
4935 fails.
4936
4937 Note: If you want Squid to use parents for all requests see
4938 the never_direct directive. prefer_direct only modifies how Squid
4939 acts on cacheable requests.
cccac0a2 4940DOC_END
4941
5473c134 4942NAME: always_direct
8d6275c0 4943TYPE: acl_access
5473c134 4944LOC: Config.accessList.AlwaysDirect
0b0cfcf2 4945DEFAULT: none
0b0cfcf2 4946DOC_START
5473c134 4947 Usage: always_direct allow|deny [!]aclname ...
0b0cfcf2 4948
5473c134 4949 Here you can use ACL elements to specify requests which should
4950 ALWAYS be forwarded by Squid to the origin servers without using
4951 any peers. For example, to always directly forward requests for
4952 local servers ignoring any parents or siblings you may have use
4953 something like:
0b0cfcf2 4954
5473c134 4955 acl local-servers dstdomain my.domain.net
4956 always_direct allow local-servers
0b0cfcf2 4957
5473c134 4958 To always forward FTP requests directly, use
f16fbc82 4959
5473c134 4960 acl FTP proto FTP
4961 always_direct allow FTP
cccac0a2 4962
5473c134 4963 NOTE: There is a similar, but opposite option named
4964 'never_direct'. You need to be aware that "always_direct deny
4965 foo" is NOT the same thing as "never_direct allow foo". You
4966 may need to use a deny rule to exclude a more-specific case of
4967 some other rule. Example:
8d6275c0 4968
5473c134 4969 acl local-external dstdomain external.foo.net
4970 acl local-servers dstdomain .foo.net
4971 always_direct deny local-external
4972 always_direct allow local-servers
8d6275c0 4973
5473c134 4974 NOTE: If your goal is to make the client forward the request
4975 directly to the origin server bypassing Squid then this needs
4976 to be done in the client configuration. Squid configuration
4977 can only tell Squid how Squid should fetch the object.
8d6275c0 4978
5473c134 4979 NOTE: This directive is not related to caching. The replies
4980 is cached as usual even if you use always_direct. To not cache
4981 the replies see no_cache.
4982
4983 This option replaces some v1.1 options such as local_domain
4984 and local_ip.
cccac0a2 4985DOC_END
0976f8db 4986
5473c134 4987NAME: never_direct
4988TYPE: acl_access
4989LOC: Config.accessList.NeverDirect
4990DEFAULT: none
8d6275c0 4991DOC_START
5473c134 4992 Usage: never_direct allow|deny [!]aclname ...
4993
4994 never_direct is the opposite of always_direct. Please read
4995 the description for always_direct if you have not already.
4996
4997 With 'never_direct' you can use ACL elements to specify
4998 requests which should NEVER be forwarded directly to origin
4999 servers. For example, to force the use of a proxy for all
5000 requests, except those in your local domain use something like:
5001
5002 acl local-servers dstdomain .foo.net
5473c134 5003 never_direct deny local-servers
5004 never_direct allow all
5005
5006 or if Squid is inside a firewall and there are local intranet
5007 servers inside the firewall use something like:
5008
5009 acl local-intranet dstdomain .foo.net
5010 acl local-external dstdomain external.foo.net
5011 always_direct deny local-external
5012 always_direct allow local-intranet
5013 never_direct allow all
5014
5015 This option replaces some v1.1 options such as inside_firewall
5016 and firewall_ip.
8d6275c0 5017DOC_END
0976f8db 5018
5473c134 5019COMMENT_START
5020 ADVANCED NETWORKING OPTIONS
5021 -----------------------------------------------------------------------------
5022COMMENT_END
5023
cccac0a2 5024NAME: incoming_icp_average
5025TYPE: int
5026DEFAULT: 6
5027LOC: Config.comm_incoming.icp_average
5028DOC_NONE
5029
5030NAME: incoming_http_average
5031TYPE: int
5032DEFAULT: 4
5033LOC: Config.comm_incoming.http_average
5034DOC_NONE
5035
5036NAME: incoming_dns_average
5037TYPE: int
5038DEFAULT: 4
5039LOC: Config.comm_incoming.dns_average
5040DOC_NONE
5041
5042NAME: min_icp_poll_cnt
5043TYPE: int
5044DEFAULT: 8
5045LOC: Config.comm_incoming.icp_min_poll
5046DOC_NONE
5047
5048NAME: min_dns_poll_cnt
5049TYPE: int
5050DEFAULT: 8
5051LOC: Config.comm_incoming.dns_min_poll
5052DOC_NONE
5053
5054NAME: min_http_poll_cnt
5055TYPE: int
5056DEFAULT: 8
5057LOC: Config.comm_incoming.http_min_poll
5058DOC_START
5473c134 5059 Heavy voodoo here. I can't even believe you are reading this.
5060 Are you crazy? Don't even think about adjusting these unless
5061 you understand the algorithms in comm_select.c first!
5062DOC_END
5063
5064NAME: accept_filter
5473c134 5065TYPE: string
5066DEFAULT: none
5067LOC: Config.accept_filter
5068DOC_START
0b4d4be5 5069 FreeBSD:
5070
5473c134 5071 The name of an accept(2) filter to install on Squid's
5072 listen socket(s). This feature is perhaps specific to
5073 FreeBSD and requires support in the kernel.
5074
5075 The 'httpready' filter delays delivering new connections
2324cda2 5076 to Squid until a full HTTP request has been received.
0b4d4be5 5077 See the accf_http(9) man page for details.
5078
5079 The 'dataready' filter delays delivering new connections
5080 to Squid until there is some data to process.
5081 See the accf_dataready(9) man page for details.
5082
5083 Linux:
5084
5085 The 'data' filter delays delivering of new connections
5086 to Squid until there is some data to process by TCP_ACCEPT_DEFER.
5087 You may optionally specify a number of seconds to wait by
5088 'data=N' where N is the number of seconds. Defaults to 30
5089 if not specified. See the tcp(7) man page for details.
5473c134 5090EXAMPLE:
0b4d4be5 5091# FreeBSD
5473c134 5092accept_filter httpready
0b4d4be5 5093# Linux
5094accept_filter data
5473c134 5095DOC_END
5096
5097NAME: tcp_recv_bufsize
5098COMMENT: (bytes)
5099TYPE: b_size_t
5100DEFAULT: 0 bytes
5101LOC: Config.tcpRcvBufsz
5102DOC_START
5103 Size of receive buffer to set for TCP sockets. Probably just
5104 as easy to change your kernel's default. Set to zero to use
5105 the default buffer size.
5106DOC_END
5107
5108COMMENT_START
5109 ICAP OPTIONS
5110 -----------------------------------------------------------------------------
5111COMMENT_END
5112
5113NAME: icap_enable
5114TYPE: onoff
5115IFDEF: ICAP_CLIENT
5116COMMENT: on|off
5117LOC: TheICAPConfig.onoff
5118DEFAULT: off
5119DOC_START
53e738c6 5120 If you want to enable the ICAP module support, set this to on.
5473c134 5121DOC_END
5122
5123NAME: icap_connect_timeout
5124TYPE: time_t
5125DEFAULT: none
5126LOC: TheICAPConfig.connect_timeout_raw
5127IFDEF: ICAP_CLIENT
5128DOC_START
5129 This parameter specifies how long to wait for the TCP connect to
5130 the requested ICAP server to complete before giving up and either
5131 terminating the HTTP transaction or bypassing the failure.
5132
5133 The default for optional services is peer_connect_timeout.
5134 The default for essential services is connect_timeout.
5135 If this option is explicitly set, its value applies to all services.
5136DOC_END
5137
5138NAME: icap_io_timeout
5139COMMENT: time-units
5140TYPE: time_t
5141DEFAULT: none
5142LOC: TheICAPConfig.io_timeout_raw
5143IFDEF: ICAP_CLIENT
5144DOC_START
5145 This parameter specifies how long to wait for an I/O activity on
5146 an established, active ICAP connection before giving up and
5147 either terminating the HTTP transaction or bypassing the
5148 failure.
5149
5150 The default is read_timeout.
5151DOC_END
5152
5153NAME: icap_service_failure_limit
5154TYPE: int
5155IFDEF: ICAP_CLIENT
5156LOC: TheICAPConfig.service_failure_limit
5157DEFAULT: 10
5158DOC_START
5159 The limit specifies the number of failures that Squid tolerates
5160 when establishing a new TCP connection with an ICAP service. If
5161 the number of failures exceeds the limit, the ICAP service is
5162 not used for new ICAP requests until it is time to refresh its
5163 OPTIONS. The per-service failure counter is reset to zero each
5164 time Squid fetches new service OPTIONS.
5165
5166 A negative value disables the limit. Without the limit, an ICAP
5167 service will not be considered down due to connectivity failures
5168 between ICAP OPTIONS requests.
cccac0a2 5169DOC_END
5170
5473c134 5171NAME: icap_service_revival_delay
cccac0a2 5172TYPE: int
5473c134 5173IFDEF: ICAP_CLIENT
5174LOC: TheICAPConfig.service_revival_delay
5175DEFAULT: 180
cccac0a2 5176DOC_START
5473c134 5177 The delay specifies the number of seconds to wait after an ICAP
5178 OPTIONS request failure before requesting the options again. The
5179 failed ICAP service is considered "down" until fresh OPTIONS are
5180 fetched.
cccac0a2 5181
5473c134 5182 The actual delay cannot be smaller than the hardcoded minimum
5183 delay of 30 seconds.
cccac0a2 5184DOC_END
5185
5473c134 5186NAME: icap_preview_enable
cccac0a2 5187TYPE: onoff
5473c134 5188IFDEF: ICAP_CLIENT
5189COMMENT: on|off
5190LOC: TheICAPConfig.preview_enable
ac7a62f9 5191DEFAULT: on
cccac0a2 5192DOC_START
ac7a62f9 5193 The ICAP Preview feature allows the ICAP server to handle the
5194 HTTP message by looking only at the beginning of the message body
5195 or even without receiving the body at all. In some environments,
5196 previews greatly speedup ICAP processing.
5197
5198 During an ICAP OPTIONS transaction, the server may tell Squid what
5199 HTTP messages should be previewed and how big the preview should be.
5200 Squid will not use Preview if the server did not request one.
5201
5202 To disable ICAP Preview for all ICAP services, regardless of
5203 individual ICAP server OPTIONS responses, set this option to "off".
5204Example:
5205icap_preview_enable off
cccac0a2 5206DOC_END
5207
5473c134 5208NAME: icap_preview_size
5209TYPE: int
5210IFDEF: ICAP_CLIENT
5211LOC: TheICAPConfig.preview_size
5212DEFAULT: -1
cccac0a2 5213DOC_START
53e738c6 5214 The default size of preview data to be sent to the ICAP server.
5215 -1 means no preview. This value might be overwritten on a per server
5216 basis by OPTIONS requests.
cccac0a2 5217DOC_END
5218
5473c134 5219NAME: icap_default_options_ttl
5220TYPE: int
5221IFDEF: ICAP_CLIENT
5222LOC: TheICAPConfig.default_options_ttl
5223DEFAULT: 60
cccac0a2 5224DOC_START
53e738c6 5225 The default TTL value for ICAP OPTIONS responses that don't have
5473c134 5226 an Options-TTL header.
cccac0a2 5227DOC_END
5228
5473c134 5229NAME: icap_persistent_connections
5230TYPE: onoff
5231IFDEF: ICAP_CLIENT
5232COMMENT: on|off
5233LOC: TheICAPConfig.reuse_connections
5234DEFAULT: on
cccac0a2 5235DOC_START
5473c134 5236 Whether or not Squid should use persistent connections to
5237 an ICAP server.
cccac0a2 5238DOC_END
5239
5473c134 5240NAME: icap_send_client_ip
5241TYPE: onoff
5242IFDEF: ICAP_CLIENT
5243COMMENT: on|off
5244LOC: TheICAPConfig.send_client_ip
5245DEFAULT: off
cccac0a2 5246DOC_START
53e738c6 5247 This adds the header "X-Client-IP" to ICAP requests.
cccac0a2 5248DOC_END
5249
5473c134 5250NAME: icap_send_client_username
5251TYPE: onoff
5252IFDEF: ICAP_CLIENT
5253COMMENT: on|off
5254LOC: TheICAPConfig.send_client_username
5255DEFAULT: off
cccac0a2 5256DOC_START
5473c134 5257 This sends authenticated HTTP client username (if available) to
5258 the ICAP service. The username value is encoded based on the
5259 icap_client_username_encode option and is sent using the header
5260 specified by the icap_client_username_header option.
cccac0a2 5261DOC_END
5262
5473c134 5263NAME: icap_client_username_header
cccac0a2 5264TYPE: string
5473c134 5265IFDEF: ICAP_CLIENT
5266LOC: TheICAPConfig.client_username_header
5267DEFAULT: X-Client-Username
cccac0a2 5268DOC_START
5473c134 5269 ICAP request header name to use for send_client_username.
cccac0a2 5270DOC_END
5271
5473c134 5272NAME: icap_client_username_encode
cccac0a2 5273TYPE: onoff
5473c134 5274IFDEF: ICAP_CLIENT
5275COMMENT: on|off
5276LOC: TheICAPConfig.client_username_encode
5277DEFAULT: off
cccac0a2 5278DOC_START
5473c134 5279 Whether to base64 encode the authenticated client username.
cccac0a2 5280DOC_END
5281
5473c134 5282NAME: icap_service
5283TYPE: icap_service_type
5284IFDEF: ICAP_CLIENT
5285LOC: TheICAPConfig
5286DEFAULT: none
cccac0a2 5287DOC_START
53e738c6 5288 Defines a single ICAP service
cccac0a2 5289
53e738c6 5290 icap_service servicename vectoring_point bypass service_url
7d90757b 5291
53e738c6 5292 vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
f3db09e2 5293 This specifies at which point of transaction processing the
5294 ICAP service should be activated. *_postcache vectoring points
5295 are not yet supported.
53e738c6 5296 bypass = 1|0
f3db09e2 5297 If set to 1, the ICAP service is treated as optional. If the
5298 service cannot be reached or malfunctions, Squid will try to
5299 ignore any errors and process the message as if the service
5300 was not enabled. No all ICAP errors can be bypassed.
5301 If set to 0, the ICAP service is treated as essential and all
5302 ICAP errors will result in an error page returned to the
5303 HTTP client.
53e738c6 5304 service_url = icap://servername:port/service
5473c134 5305
5473c134 5306Example:
5307icap_service service_1 reqmod_precache 0 icap://icap1.mydomain.net:1344/reqmod
5308icap_service service_2 respmod_precache 0 icap://icap2.mydomain.net:1344/respmod
cccac0a2 5309DOC_END
5310
5473c134 5311NAME: icap_class
5312TYPE: icap_class_type
5313IFDEF: ICAP_CLIENT
21a26d31 5314LOC: none
5473c134 5315DEFAULT: none
cccac0a2 5316DOC_START
62c7f90e
AR		 5317 This depricated option was documented to define an ICAP service
5318 chain, even though it actually defined a set of similar, redundant
5319 services, and the chains were not supported.
5473c134 5320
62c7f90e
AR		 5321 To define a set of redundant services, please use the
5322 adaptation_service_set directive.
5473c134 5323
62c7f90e
AR		 5324 If you need adaptation service chains, patches or sponsorship
5325 is welcome.
cccac0a2 5326DOC_END
5327
5473c134 5328NAME: icap_access
5329TYPE: icap_access_type
5330IFDEF: ICAP_CLIENT
21a26d31 5331LOC: none
cccac0a2 5332DEFAULT: none
cccac0a2 5333DOC_START
62c7f90e
AR		 5334 This option is depricated. Please use adaptation_access, which
5335 has the same ICAP functionality, but comes with better
5336 documentation, and eCAP support.
cccac0a2 5337DOC_END
5338
57afc994
AR		 5339COMMENT_START
5340 eCAP OPTIONS
5341 -----------------------------------------------------------------------------
5342COMMENT_END
5343
21a26d31
AR		 5344NAME: ecap_enable
5345TYPE: onoff
5346IFDEF: USE_ECAP
5347COMMENT: on|off
5348LOC: Ecap::TheConfig.onoff
5349DEFAULT: off
5350DOC_START
5351 Controls whether eCAP support is enabled.
5352DOC_END
5353
5354NAME: ecap_service
5355TYPE: ecap_service_type
5356IFDEF: USE_ECAP
5357LOC: Ecap::TheConfig
5358DEFAULT: none
5359DOC_START
5360 Defines a single eCAP service
5361
5362 ecap_service servicename vectoring_point bypass service_url
5363
5364 vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
5365 This specifies at which point of transaction processing the
5366 eCAP service should be activated. *_postcache vectoring points
5367 are not yet supported.
5368 bypass = 1|0
5369 If set to 1, the eCAP service is treated as optional. If the
5370 service cannot be reached or malfunctions, Squid will try to
5371 ignore any errors and process the message as if the service
5372 was not enabled. No all eCAP errors can be bypassed.
5373 If set to 0, the eCAP service is treated as essential and all
5374 eCAP errors will result in an error page returned to the
5375 HTTP client.
5376 service_url = ecap://vendor/service_name?custom&cgi=style&parameters=optional
5377
5378Example:
5379ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
5380ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
5381DOC_END
5382
57afc994
AR		 5383NAME: loadable_modules
5384TYPE: wordlist
5385IFDEF: USE_LOADABLE_MODULES
5386LOC: Config.loadable_module_names
5387DEFAULT: none
5388DOC_START
5389 Instructs Squid to load the specified dynamic module(s) or activate
5390 preloaded module(s).
5391Example:
5392loadable_modules @DEFAULT_PREFIX@/lib/MinimalAdapter.so
5393DOC_END
5394
62c7f90e
AR		 5395COMMENT_START
5396 MESSAGE ADAPTATION OPTIONS
5397 -----------------------------------------------------------------------------
5398COMMENT_END
5399
5400NAME: adaptation_service_set
5401TYPE: adaptation_service_set_type
5402IFDEF: USE_ADAPTATION
5403LOC: none
5404DEFAULT: none
5405DOC_START
5406
5407 Defines a named adaptation service set. The set is populated in
5408 the order of adaptation_service_set directives in this file.
5409 When adaptation ACLs are processed, the first and only the first
5410 applicable adaptation service from the set will be used. Thus,
5411 the set should group similar, redundant services, rather than a
5412 chain of complementary services.
5413
5414 If you have a single adaptation service, you do not need to
5415 define a set containing it because adaptation_access accepts
5416 service names.
5417
5418 See also: adaptation_access
5419
5420Example:
5421adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
5422adaptation service_set svcLogger loggerLocal loggerRemote
5423DOC_END
5424
5425NAME: adaptation_access
5426TYPE: adaptation_access_type
5427IFDEF: USE_ADAPTATION
5428LOC: none
5429DEFAULT: none
5430DOC_START
5431 Sends an HTTP transaction to an ICAP or eCAP adaptation service.
5432
5433 adaptation_access service_name allow|deny [!]aclname...
5434 adaptation_access set_name allow|deny [!]aclname...
5435
5436 At each supported vectoring point, the adaptation_access
5437 statements are processed in the order they appear in this
5438 configuration file. Statements pointing to the following services
5439 are ignored (i.e., skipped without checking their ACL):
5440
5441 - services serving different vectoring points
5442 - "broken-but-bypassable" services
5443 - "up" services configured to ignore such transactions
5444 (e.g., based on the ICAP Transfer-Ignore header).
5445
5446 When a set_name is used, all services in the set are checked
5447 using the same rules, to find the first applicable one. See
5448 adaptation_service_set for details.
5449
5450 If an access list is checked and there is a match, the
5451 processing stops: For an "allow" rule, the corresponding
5452 adaptation service is used for the transaction. For a "deny"
5453 rule, no adaptation service is activated.
5454
5455 It is currently not possible to apply more than one adaptation
5456 service at the same vectoring point to the same HTTP transaction.
5457
5458 See also: icap_service and ecap_service
5459
5460Example:
5461adaptation_access service_1 allow all
5462DOC_END
5463
5473c134 5464COMMENT_START
5465 DNS OPTIONS
5466 -----------------------------------------------------------------------------
5467COMMENT_END
5468
5469NAME: check_hostnames
cccac0a2 5470TYPE: onoff
cccac0a2 5471DEFAULT: off
5473c134 5472LOC: Config.onoff.check_hostnames
cccac0a2 5473DOC_START
5473c134 5474 For security and stability reasons Squid can check
5475 hostnames for Internet standard RFC compliance. If you want
5476 Squid to perform these checks turn this directive on.
cccac0a2 5477DOC_END
5478
5473c134 5479NAME: allow_underscore
cccac0a2 5480TYPE: onoff
cccac0a2 5481DEFAULT: on
5473c134 5482LOC: Config.onoff.allow_underscore
cccac0a2 5483DOC_START
5473c134 5484 Underscore characters is not strictly allowed in Internet hostnames
5485 but nevertheless used by many sites. Set this to off if you want
5486 Squid to be strict about the standard.
5487 This check is performed only when check_hostnames is set to on.
cccac0a2 5488DOC_END
5489
5473c134 5490NAME: cache_dns_program
cccac0a2 5491TYPE: string
5473c134 5492IFDEF: USE_DNSSERVERS
5493DEFAULT: @DEFAULT_DNSSERVER@
5494LOC: Config.Program.dnsserver
cccac0a2 5495DOC_START
5473c134 5496 Specify the location of the executable for dnslookup process.
cccac0a2 5497DOC_END
5498
5473c134 5499NAME: dns_children
5500TYPE: int
5501IFDEF: USE_DNSSERVERS
5502DEFAULT: 5
5503LOC: Config.dnsChildren
58850d15 5504DOC_START
5473c134 5505 The number of processes spawn to service DNS name lookups.
5506 For heavily loaded caches on large servers, you should
5507 probably increase this value to at least 10. The maximum
5508 is 32. The default is 5.
58850d15 5509
5473c134 5510 You must have at least one dnsserver process.
58850d15 5511DOC_END
5512
5473c134 5513NAME: dns_retransmit_interval
5514TYPE: time_t
5515DEFAULT: 5 seconds
5516LOC: Config.Timeout.idns_retransmit
5517IFDEF: !USE_DNSSERVERS
cccac0a2 5518DOC_START
5473c134 5519 Initial retransmit interval for DNS queries. The interval is
5520 doubled each time all configured DNS servers have been tried.
cccac0a2 5521
cccac0a2 5522DOC_END
5523
5473c134 5524NAME: dns_timeout
5525TYPE: time_t
5526DEFAULT: 2 minutes
5527LOC: Config.Timeout.idns_query
5528IFDEF: !USE_DNSSERVERS
cccac0a2 5529DOC_START
5473c134 5530 DNS Query timeout. If no response is received to a DNS query
5531 within this time all DNS servers for the queried domain
5532 are assumed to be unavailable.
cccac0a2 5533DOC_END
5534
5473c134 5535NAME: dns_defnames
5536COMMENT: on|off
cccac0a2 5537TYPE: onoff
cccac0a2 5538DEFAULT: off
5473c134 5539LOC: Config.onoff.res_defnames
cccac0a2 5540DOC_START
5473c134 5541 Normally the RES_DEFNAMES resolver option is disabled
5542 (see res_init(3)). This prevents caches in a hierarchy
5543 from interpreting single-component hostnames locally. To allow
5544 Squid to handle single-component names, enable this option.
cccac0a2 5545DOC_END
5546
5473c134 5547NAME: dns_nameservers
5548TYPE: wordlist
5549DEFAULT: none
5550LOC: Config.dns_nameservers
cccac0a2 5551DOC_START
5473c134 5552 Use this if you want to specify a list of DNS name servers
5553 (IP addresses) to use instead of those given in your
5554 /etc/resolv.conf file.
5555 On Windows platforms, if no value is specified here or in
5556 the /etc/resolv.conf file, the list of DNS name servers are
5557 taken from the Windows registry, both static and dynamic DHCP
5558 configurations are supported.
cccac0a2 5559
5473c134 5560 Example: dns_nameservers 10.0.0.1 192.172.0.4
cccac0a2 5561DOC_END
5562
5473c134 5563NAME: hosts_file
cccac0a2 5564TYPE: string
5473c134 5565DEFAULT: @DEFAULT_HOSTS@
5566LOC: Config.etcHostsPath
cccac0a2 5567DOC_START
5473c134 5568 Location of the host-local IP name-address associations
5569 database. Most Operating Systems have such a file on different
5570 default locations:
5571 - Un*X & Linux: /etc/hosts
5572 - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
5573 (%SystemRoot% value install default is c:\winnt)
5574 - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
5575 (%SystemRoot% value install default is c:\windows)
5576 - Windows 9x/Me: %windir%\hosts
5577 (%windir% value is usually c:\windows)
5578 - Cygwin: /etc/hosts
cccac0a2 5579
5473c134 5580 The file contains newline-separated definitions, in the
5581 form ip_address_in_dotted_form name [name ...] names are
5582 whitespace-separated. Lines beginning with an hash (#)
5583 character are comments.
cccac0a2 5584
5473c134 5585 The file is checked at startup and upon configuration.
5586 If set to 'none', it won't be checked.
5587 If append_domain is used, that domain will be added to
5588 domain-local (i.e. not containing any dot character) host
5589 definitions.
cccac0a2 5590DOC_END
5591
5473c134 5592NAME: append_domain
5593TYPE: string
5594LOC: Config.appendDomain
5595DEFAULT: none
6a2f3fcf 5596DOC_START
5473c134 5597 Appends local domain name to hostnames without any dots in
5598 them. append_domain must begin with a period.
5599
5600 Be warned there are now Internet names with no dots in
5601 them using only top-domain names, so setting this may
5602 cause some Internet sites to become unavailable.
5603
5604Example:
5605 append_domain .yourdomain.com
6a2f3fcf 5606DOC_END
5607
5473c134 5608NAME: ignore_unknown_nameservers
5609TYPE: onoff
5610LOC: Config.onoff.ignore_unknown_nameservers
df6fd596 5611DEFAULT: on
5612DOC_START
5473c134 5613 By default Squid checks that DNS responses are received
5614 from the same IP addresses they are sent to. If they
5615 don't match, Squid ignores the response and writes a warning
5616 message to cache.log. You can allow responses from unknown
5617 nameservers by setting this option to 'off'.
df6fd596 5618DOC_END
5619
cc192b50 5620NAME: dns_v4_fallback
5621TYPE: onoff
5622DEFAULT: on
5623LOC: Config.onoff.dns_require_A
5624DOC_START
5625 Standard practice with DNS is to lookup either A or AAAA records
5626 and use the results if it succeeds. Only looking up the other if
5627 the first attempt fails or otherwise produces no results.
5628
5629 That policy however will cause squid to produce error pages for some
5630 servers that advertise AAAA but are unreachable over IPv6.
5631
5632 If this is ON squid will always lookup both AAAA and A, using both.
5633 If this is OFF squid will lookup AAAA and only try A if none found.
5634
5635 WARNING: There are some possibly unwanted side-effects with this on:
5636 *) Doubles the load placed by squid on the DNS network.
5637 *) May negatively impact connection delay times.
5638DOC_END
5639
6bc15a4f 5640NAME: ipcache_size
5641COMMENT: (number of entries)
5642TYPE: int
5643DEFAULT: 1024
5644LOC: Config.ipcache.size
5645DOC_NONE
5646
5647NAME: ipcache_low
5648COMMENT: (percent)
5649TYPE: int
5650DEFAULT: 90
5651LOC: Config.ipcache.low
5652DOC_NONE
5653
5654NAME: ipcache_high
5655COMMENT: (percent)
5656TYPE: int
5657DEFAULT: 95
5658LOC: Config.ipcache.high
5659DOC_START
5660 The size, low-, and high-water marks for the IP cache.
5661DOC_END
5662
5663NAME: fqdncache_size
5664COMMENT: (number of entries)
5665TYPE: int
5666DEFAULT: 1024
5667LOC: Config.fqdncache.size
5668DOC_START
5669 Maximum number of FQDN cache entries.
5670DOC_END
5671
a58ff010 5672COMMENT_START
5473c134 5673 MISCELLANEOUS
a58ff010 5674 -----------------------------------------------------------------------------
5675COMMENT_END
5676
5473c134 5677NAME: memory_pools
a58ff010 5678COMMENT: on|off
5473c134 5679TYPE: onoff
5680DEFAULT: on
5681LOC: Config.onoff.mem_pools
a58ff010 5682DOC_START
5473c134 5683 If set, Squid will keep pools of allocated (but unused) memory
5684 available for future use. If memory is a premium on your
5685 system and you believe your malloc library outperforms Squid
5686 routines, disable this.
a58ff010 5687DOC_END
5688
5473c134 5689NAME: memory_pools_limit
5690COMMENT: (bytes)
5691TYPE: b_size_t
5692DEFAULT: 5 MB
5693LOC: Config.MemPools.limit
ec1245f8 5694DOC_START
5473c134 5695 Used only with memory_pools on:
5696 memory_pools_limit 50 MB
ec1245f8 5697
5473c134 5698 If set to a non-zero value, Squid will keep at most the specified
5699 limit of allocated (but unused) memory in memory pools. All free()
5700 requests that exceed this limit will be handled by your malloc
5701 library. Squid does not pre-allocate any memory, just safe-keeps
5702 objects that otherwise would be free()d. Thus, it is safe to set
5703 memory_pools_limit to a reasonably high value even if your
5704 configuration will use less memory.
ec1245f8 5705
5473c134 5706 If set to zero, Squid will keep all memory it can. That is, there
5707 will be no limit on the total amount of memory used for safe-keeping.
ec1245f8 5708
5473c134 5709 To disable memory allocation optimization, do not set
5710 memory_pools_limit to 0. Set memory_pools to "off" instead.
5711
5712 An overhead for maintaining memory pools is not taken into account
5713 when the limit is checked. This overhead is close to four bytes per
5714 object kept. However, pools may actually _save_ memory because of
5715 reduced memory thrashing in your malloc library.
ec1245f8 5716DOC_END
5717
5473c134 5718NAME: forwarded_for
67c06f0d
AJ		 5719COMMENT: on|off|transparent|truncate|delete
5720TYPE: string
5473c134 5721DEFAULT: on
5722LOC: opt_forwarded_for
5f8252d2 5723DOC_START
67c06f0d
AJ		 5724 If set to "on", Squid will append your client's IP address
5725 in the HTTP requests it forwards. By default it looks like:
5f8252d2 5726
5473c134 5727 X-Forwarded-For: 192.1.2.3
5728
67c06f0d 5729 If set to "off", it will appear as
5473c134 5730
5731 X-Forwarded-For: unknown
67c06f0d
AJ		 5732
5733 If set to "transparent", Squid will not alter the
5734 X-Forwarded-For header in any way.
5735
5736 If set to "delete", Squid will delete the entire
5737 X-Forwarded-For header.
5738
5739 If set to "truncate", Squid will remove all existing
5740 X-Forwarded-For entries, and place itself as the sole entry.
5f8252d2 5741DOC_END
5742
5473c134 5743NAME: cachemgr_passwd
5744TYPE: cachemgrpasswd
5745DEFAULT: none
5746LOC: Config.passwd_list
5f8252d2 5747DOC_START
5473c134 5748 Specify passwords for cachemgr operations.
5f8252d2 5749
5473c134 5750 Usage: cachemgr_passwd password action action ...
5751
5752 Some valid actions are (see cache manager menu for a full list):
5753 5min
5754 60min
5755 asndb
5756 authenticator
5757 cbdata
5758 client_list
5759 comm_incoming
5760 config *
5761 counters
5762 delay
5763 digest_stats
5764 dns
5765 events
5766 filedescriptors
5767 fqdncache
5768 histograms
5769 http_headers
5770 info
5771 io
5772 ipcache
5773 mem
5774 menu
5775 netdb
5776 non_peers
5777 objects
5778 offline_toggle *
5779 pconn
5780 peer_select
b360c477 5781 reconfigure *
5473c134 5782 redirector
5783 refresh
5784 server_list
5785 shutdown *
5786 store_digest
5787 storedir
5788 utilization
5789 via_headers
5790 vm_objects
5791
5792 * Indicates actions which will not be performed without a
5793 valid password, others can be performed if not listed here.
5794
5795 To disable an action, set the password to "disable".
5796 To allow performing an action without a password, set the
5797 password to "none".
5798
5799 Use the keyword "all" to set the same password for all actions.
5800
5801Example:
5802 cachemgr_passwd secret shutdown
5803 cachemgr_passwd lesssssssecret info stats/objects
5804 cachemgr_passwd disable all
5f8252d2 5805DOC_END
5806
5473c134 5807NAME: client_db
a58ff010 5808COMMENT: on|off
5473c134 5809TYPE: onoff
5810DEFAULT: on
5811LOC: Config.onoff.client_db
a58ff010 5812DOC_START
5473c134 5813 If you want to disable collecting per-client statistics,
5814 turn off client_db here.
a58ff010 5815DOC_END
5816
5473c134 5817NAME: refresh_all_ims
5818COMMENT: on|off
5819TYPE: onoff
5820DEFAULT: off
5821LOC: Config.onoff.refresh_all_ims
a58ff010 5822DOC_START
5473c134 5823 When you enable this option, squid will always check
5824 the origin server for an update when a client sends an
5825 If-Modified-Since request. Many browsers use IMS
5826 requests when the user requests a reload, and this
5827 ensures those clients receive the latest version.
a58ff010 5828
5473c134 5829 By default (off), squid may return a Not Modified response
5830 based on the age of the cached version.
78e8cfc4 5831DOC_END
5832
5473c134 5833NAME: reload_into_ims
5834IFDEF: HTTP_VIOLATIONS
12b91c99 5835COMMENT: on|off
5473c134 5836TYPE: onoff
5837DEFAULT: off
5838LOC: Config.onoff.reload_into_ims
12b91c99 5839DOC_START
5473c134 5840 When you enable this option, client no-cache or ``reload''
5841 requests will be changed to If-Modified-Since requests.
5842 Doing this VIOLATES the HTTP standard. Enabling this
5843 feature could make you liable for problems which it
5844 causes.
5845
5846 see also refresh_pattern for a more selective approach.
12b91c99 5847DOC_END
5848
5473c134 5849NAME: maximum_single_addr_tries
5850TYPE: int
5851LOC: Config.retry.maxtries
5852DEFAULT: 1
a58ff010 5853DOC_START
5473c134 5854 This sets the maximum number of connection attempts for a
5855 host that only has one address (for multiple-address hosts,
5856 each address is tried once).
5857
5858 The default value is one attempt, the (not recommended)
5859 maximum is 255 tries. A warning message will be generated
5860 if it is set to a value greater than ten.
5861
5862 Note: This is in addition to the request re-forwarding which
5863 takes place if Squid fails to get a satisfying response.
a58ff010 5864DOC_END
5865
5473c134 5866NAME: retry_on_error
a58ff010 5867TYPE: onoff
5473c134 5868LOC: Config.retry.onerror
a58ff010 5869DEFAULT: off
5870DOC_START
5473c134 5871 If set to on Squid will automatically retry requests when
5872 receiving an error response. This is mainly useful if you
5873 are in a complex cache hierarchy to work around access
5874 control errors.
5f8252d2 5875DOC_END
5876
5473c134 5877NAME: as_whois_server
5f8252d2 5878TYPE: string
5473c134 5879LOC: Config.as_whois_server
5880DEFAULT: whois.ra.net
5881DEFAULT_IF_NONE: whois.ra.net
5f8252d2 5882DOC_START
5473c134 5883 WHOIS server to query for AS numbers. NOTE: AS numbers are
5884 queried only when Squid starts up, not for every request.
5f8252d2 5885DOC_END
5886
5473c134 5887NAME: offline_mode
5f8252d2 5888TYPE: onoff
5473c134 5889LOC: Config.onoff.offline
5f8252d2 5890DEFAULT: off
5891DOC_START
5473c134 5892 Enable this option and Squid will never try to validate cached
5893 objects.
a58ff010 5894DOC_END
5895
5473c134 5896NAME: uri_whitespace
5897TYPE: uri_whitespace
5898LOC: Config.uri_whitespace
5899DEFAULT: strip
a58ff010 5900DOC_START
5473c134 5901 What to do with requests that have whitespace characters in the
5902 URI. Options:
a58ff010 5903
5473c134 5904 strip: The whitespace characters are stripped out of the URL.
5905 This is the behavior recommended by RFC2396.
5906 deny: The request is denied. The user receives an "Invalid
5907 Request" message.
5908 allow: The request is allowed and the URI is not changed. The
5909 whitespace characters remain in the URI. Note the
5910 whitespace is passed to redirector processes if they
5911 are in use.
5912 encode: The request is allowed and the whitespace characters are
5913 encoded according to RFC1738. This could be considered
5914 a violation of the HTTP/1.1
5915 RFC because proxies are not allowed to rewrite URI's.
5916 chop: The request is allowed and the URI is chopped at the
5917 first whitespace. This might also be considered a
5918 violation.
5919DOC_END
a58ff010 5920
5473c134 5921NAME: coredump_dir
5922TYPE: string
5923LOC: Config.coredump_dir
5924DEFAULT: none
5925DEFAULT_IF_NONE: none
5926DOC_START
5927 By default Squid leaves core files in the directory from where
5928 it was started. If you set 'coredump_dir' to a directory
5929 that exists, Squid will chdir() to that directory at startup
5930 and coredump files will be left there.
a58ff010 5931
5473c134 5932NOCOMMENT_START
5933# Leave coredumps in the first cache dir
5934coredump_dir @DEFAULT_SWAP_DIR@
5935NOCOMMENT_END
5936DOC_END
a58ff010 5937
5473c134 5938NAME: chroot
5939TYPE: string
5940LOC: Config.chroot_dir
a58ff010 5941DEFAULT: none
5942DOC_START
5473c134 5943 Use this to have Squid do a chroot() while initializing. This
5944 also causes Squid to fully drop root privileges after
5945 initializing. This means, for example, if you use a HTTP
5946 port less than 1024 and try to reconfigure, you will may get an
5947 error saying that Squid can not open the port.
5948DOC_END
a58ff010 5949
5473c134 5950NAME: balance_on_multiple_ip
5951TYPE: onoff
5952LOC: Config.onoff.balance_on_multiple_ip
cc192b50 5953DEFAULT: off
5473c134 5954DOC_START
cc192b50 5955 Modern IP resolvers in squid sort lookup results by preferred access.
5956 By default squid will use these IP in order and only rotates to
5957 the next listed when the most preffered fails.
5958
5473c134 5959 Some load balancing servers based on round robin DNS have been
5960 found not to preserve user session state across requests
5961 to different IP addresses.
a58ff010 5962
cc192b50 5963 Enabling this directive Squid rotates IP's per request.
a58ff010 5964DOC_END
5965
5473c134 5966NAME: pipeline_prefetch
5967TYPE: onoff
5968LOC: Config.onoff.pipeline_prefetch
5969DEFAULT: off
a58ff010 5970DOC_START
5473c134 5971 To boost the performance of pipelined requests to closer
5972 match that of a non-proxied environment Squid can try to fetch
5973 up to two requests in parallel from a pipeline.
a58ff010 5974
5473c134 5975 Defaults to off for bandwidth management and access logging
5976 reasons.
5977DOC_END
a58ff010 5978
5473c134 5979NAME: high_response_time_warning
5980TYPE: int
5981COMMENT: (msec)
5982LOC: Config.warnings.high_rptm
5983DEFAULT: 0
5984DOC_START
5985 If the one-minute median response time exceeds this value,
5986 Squid prints a WARNING with debug level 0 to get the
5987 administrators attention. The value is in milliseconds.
a58ff010 5988DOC_END
5989
5473c134 5990NAME: high_page_fault_warning
5991TYPE: int
5992LOC: Config.warnings.high_pf
5993DEFAULT: 0
cc9f92d4 5994DOC_START
5473c134 5995 If the one-minute average page fault rate exceeds this
5996 value, Squid prints a WARNING with debug level 0 to get
5997 the administrators attention. The value is in page faults
5998 per second.
5999DOC_END
cc9f92d4 6000
5473c134 6001NAME: high_memory_warning
6002TYPE: b_size_t
6003LOC: Config.warnings.high_memory
904971da 6004DEFAULT: 0 KB
5473c134 6005DOC_START
6006 If the memory usage (as determined by mallinfo) exceeds
904971da 6007 this amount, Squid prints a WARNING with debug level 0 to get
5473c134 6008 the administrators attention.
6009DOC_END
cc9f92d4 6010
5473c134 6011NAME: sleep_after_fork
6012COMMENT: (microseconds)
6013TYPE: int
6014LOC: Config.sleep_after_fork
6015DEFAULT: 0
6016DOC_START
6017 When this is set to a non-zero value, the main Squid process
6018 sleeps the specified number of microseconds after a fork()
6019 system call. This sleep may help the situation where your
6020 system reports fork() failures due to lack of (virtual)
6021 memory. Note, however, if you have a lot of child
6022 processes, these sleep delays will add up and your
6023 Squid will not service requests for some amount of time
6024 until all the child processes have been started.
6025 On Windows value less then 1000 (1 milliseconds) are
6026 rounded to 1000.
cc9f92d4 6027DOC_END
6028
b6696974 6029NAME: windows_ipaddrchangemonitor
6b0516c6 6030IFDEF: _SQUID_MSWIN_
b6696974
GS		 6031COMMENT: on|off
6032TYPE: onoff
6033DEFAULT: on
6034LOC: Config.onoff.WIN32_IpAddrChangeMonitor
6035DOC_START
6036 On Windows Squid by default will monitor IP address changes and will
6037 reconfigure itself after any detected event. This is very useful for
6038 proxies connected to internet with dial-up interfaces.
6039 In some cases (a Proxy server acting as VPN gateway is one) it could be
6040 desiderable to disable this behaviour setting this to 'off'.
6041 Note: after changing this, Squid service must be restarted.
6042DOC_END
6043
cccac0a2 6044EOF
Mirror of https://github.com/squid-cache/squid.git