]> git.ipfire.org Git - thirdparty/squid.git/blame - src/cf.data.pre
projects / thirdparty / squid.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Prep for 4.0.22
[thirdparty/squid.git] / src / cf.data.pre
CommitLineData
4ac4a490 1## Copyright (C) 1996-2017 The Squid Software Foundation and contributors
5d28d44b
AJ		 2##
3## Squid software is distributed under GPLv2+ license and includes
4## contributions from numerous individuals and organizations.
5## Please see the COPYING and CONTRIBUTORS files for details.
6##
9cef6668 7
0f74202c 8COMMENT_START
ad12fb4b 9 WELCOME TO @SQUID@
cccac0a2 10 ----------------------------
5945964d
AJ		 11
12 This is the documentation for the Squid configuration file.
13 This documentation can also be found online at:
14 http://www.squid-cache.org/Doc/config/
15
16 You may wish to look at the Squid home page and wiki for the
17 FAQ and other documentation:
18 http://www.squid-cache.org/
19 http://wiki.squid-cache.org/SquidFaq
20 http://wiki.squid-cache.org/ConfigExamples
21
22 This documentation shows what the defaults for various directives
23 happen to be. If you don't need to change the default, you should
24 leave the line out of your squid.conf in most cases.
25
26 In some cases "none" refers to no default setting at all,
27 while in other cases it refers to the value of the option
28 - the comments for that keyword indicate if this is the case.
debd9a31 29
cccac0a2 30COMMENT_END
3a278cb8 31
592a09dc 32COMMENT_START
33 Configuration options can be included using the "include" directive.
5945964d 34 Include takes a list of files to include. Quoting and wildcards are
592a09dc 35 supported.
36
37 For example,
38
39 include /path/to/included/file/squid.acl.config
40
41 Includes can be nested up to a hard-coded depth of 16 levels.
42 This arbitrary restriction is to prevent recursive include references
43 from causing Squid entering an infinite loop whilst trying to load
44 configuration files.
d4a3e179 45
a345387f
AJ		 46 Values with byte units
47
a01a87d9
AJ		 48 Squid accepts size units on some size related directives. All
49 such directives are documented with a default value displaying
50 a unit.
a345387f
AJ		 51
52 Units accepted by Squid are:
a01a87d9
AJ		 53 bytes - byte
54 KB - Kilobyte (1024 bytes)
a345387f
AJ		 55 MB - Megabyte
56 GB - Gigabyte
d4a3e179 57
2eceb328
CT		 58 Values with spaces, quotes, and other special characters
59
60 Squid supports directive parameters with spaces, quotes, and other
61 special characters. Surround such parameters with "double quotes". Use
62 the configuration_includes_quoted_values directive to enable or
63 disable that support.
64
65 Squid supports reading configuration option parameters from external
66 files using the syntax:
67 parameters("/path/filename")
68 For example:
69 acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
70
5735d30b
AR		 71 Conditional configuration
72
73 If-statements can be used to make configuration directives
74 depend on conditions:
75
76 if <CONDITION>
77 ... regular configuration directives ...
78 [else
79 ... regular configuration directives ...]
80 endif
81
82 The else part is optional. The keywords "if", "else", and "endif"
83 must be typed on their own lines, as if they were regular
84 configuration directives.
85
5945964d
AJ		 86 NOTE: An else-if condition is not supported.
87
5735d30b
AR		 88 These individual conditions types are supported:
89
90 true
91 Always evaluates to true.
92 false
93 Always evaluates to false.
94 <integer> = <integer>
95 Equality comparison of two integer numbers.
96
97
d4a3e179
AR		 98 SMP-Related Macros
99
100 The following SMP-related preprocessor macros can be used.
101
102 ${process_name} expands to the current Squid process "name"
103 (e.g., squid1, squid2, or cache1).
104
105 ${process_number} expands to the current Squid process
106 identifier, which is an integer number (e.g., 1, 2, 3) unique
6fe8c876
AJ		 107 across all Squid processes of the current service instance.
108
109 ${service_name} expands into the current Squid service instance
110 name identifier which is provided by -n on the command line.
111
cde8f31b
NH		 112 Logformat Macros
113
114 Logformat macros can be used in many places outside of the logformat
115 directive. In theory, all of the logformat codes can be used as %macros,
116 where they are supported. In practice, a %macro expands as a dash (-) when
117 the transaction does not yet have enough information and a value is needed.
118
119 There is no definitive list of what tokens are available at the various
120 stages of the transaction.
121
122 And some information may already be available to Squid but not yet
123 committed where the macro expansion code can access it (report
124 such instances!). The macro will be expanded into a single dash
125 ('-') in such cases. Not all macros have been tested.
126
592a09dc 127COMMENT_END
128
25234ebd
AJ		 129# options still not yet ported from 2.7 to 3.x
130NAME: broken_vary_encoding
131TYPE: obsolete
132DOC_START
133 This option is not yet supported by Squid-3.
134DOC_END
135
136NAME: cache_vary
137TYPE: obsolete
138DOC_START
139 This option is not yet supported by Squid-3.
140DOC_END
141
25234ebd
AJ		 142NAME: error_map
143TYPE: obsolete
144DOC_START
145 This option is not yet supported by Squid-3.
146DOC_END
147
148NAME: external_refresh_check
149TYPE: obsolete
150DOC_START
151 This option is not yet supported by Squid-3.
152DOC_END
153
96598f93 154NAME: location_rewrite_program location_rewrite_access location_rewrite_children location_rewrite_concurrency
25234ebd
AJ		 155TYPE: obsolete
156DOC_START
157 This option is not yet supported by Squid-3.
158DOC_END
159
96598f93 160NAME: refresh_stale_hit
25234ebd
AJ		 161TYPE: obsolete
162DOC_START
163 This option is not yet supported by Squid-3.
164DOC_END
165
6eb545bc 166# Options removed in 4.x
f1a5d071
AJ		 167NAME: cache_peer_domain cache_host_domain
168TYPE: obsolete
169DOC_START
170 Replace with dstdomain ACLs and cache_peer_access.
171DOC_END
172
6eb545bc
AJ		 173NAME: ie_refresh
174TYPE: obsolete
175DOC_START
176 Remove this line. The behaviour enabled by this is no longer needed.
177DOC_END
178
7e62a74f
AJ		 179NAME: sslproxy_cafile
180TYPE: obsolete
181DOC_START
182 Remove this line. Use tls_outgoing_options cafile= instead.
183DOC_END
184
185NAME: sslproxy_capath
186TYPE: obsolete
187DOC_START
188 Remove this line. Use tls_outgoing_options capath= instead.
189DOC_END
190
191NAME: sslproxy_cipher
192TYPE: obsolete
193DOC_START
194 Remove this line. Use tls_outgoing_options cipher= instead.
195DOC_END
196
197NAME: sslproxy_client_certificate
198TYPE: obsolete
199DOC_START
200 Remove this line. Use tls_outgoing_options cert= instead.
201DOC_END
202
203NAME: sslproxy_client_key
204TYPE: obsolete
205DOC_START
206 Remove this line. Use tls_outgoing_options key= instead.
207DOC_END
208
209NAME: sslproxy_flags
210TYPE: obsolete
211DOC_START
212 Remove this line. Use tls_outgoing_options flags= instead.
213DOC_END
214
215NAME: sslproxy_options
216TYPE: obsolete
217DOC_START
218 Remove this line. Use tls_outgoing_options options= instead.
219DOC_END
220
221NAME: sslproxy_version
222TYPE: obsolete
223DOC_START
1cc44095 224 Remove this line. Use tls_outgoing_options options= instead.
7e62a74f
AJ		 225DOC_END
226
9967aef6
AJ		 227# Options removed in 3.5
228NAME: hierarchy_stoplist
229TYPE: obsolete
230DOC_START
231 Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use.
232DOC_END
233
a8f70484 234# Options removed in 3.4
74d81220
AJ		 235NAME: log_access
236TYPE: obsolete
237DOC_START
238 Remove this line. Use acls with access_log directives to control access logging
239DOC_END
240
241NAME: log_icap
242TYPE: obsolete
243DOC_START
244 Remove this line. Use acls with icap_log directives to control icap logging
245DOC_END
246
96598f93
AJ		 247# Options Removed in 3.3
248NAME: ignore_ims_on_miss
25234ebd
AJ		 249TYPE: obsolete
250DOC_START
2d4eefd9 251 Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'.
25234ebd
AJ		 252DOC_END
253
76f44481 254# Options Removed in 3.2
16cd62b7
AJ		 255NAME: chunked_request_body_max_size
256TYPE: obsolete
257DOC_START
258 Remove this line. Squid is now HTTP/1.1 compliant.
259DOC_END
260
74d81220 261NAME: dns_v4_fallback
76f44481
AJ		 262TYPE: obsolete
263DOC_START
74d81220 264 Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
76f44481
AJ		 265DOC_END
266
74d81220 267NAME: emulate_httpd_log
6e095b46
AJ		 268TYPE: obsolete
269DOC_START
74d81220
AJ		 270 Replace this with an access_log directive using the format 'common' or 'combined'.
271DOC_END
272
273NAME: forward_log
274TYPE: obsolete
275DOC_START
276 Use a regular access.log with ACL limiting it to MISS events.
6e095b46
AJ		 277DOC_END
278
76f44481
AJ		 279NAME: ftp_list_width
280TYPE: obsolete
281DOC_START
282 Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
283DOC_END
284
74d81220
AJ		 285NAME: ignore_expect_100
286TYPE: obsolete
287DOC_START
288 Remove this line. The HTTP/1.1 feature is now fully supported by default.
289DOC_END
290
291NAME: log_fqdn
292TYPE: obsolete
293DOC_START
294 Remove this option from your config. To log FQDN use %>A in the log format.
295DOC_END
296
297NAME: log_ip_on_direct
298TYPE: obsolete
299DOC_START
300 Remove this option from your config. To log server or peer names use %<A in the log format.
301DOC_END
302
38493d67
AJ		 303NAME: maximum_single_addr_tries
304TYPE: obsolete
305DOC_START
306 Replaced by connect_retries. The behaviour has changed, please read the documentation before altering.
307DOC_END
308
74d81220
AJ		 309NAME: referer_log referrer_log
310TYPE: obsolete
311DOC_START
312 Replace this with an access_log directive using the format 'referrer'.
313DOC_END
314
4ded749e
AJ		 315NAME: update_headers
316TYPE: obsolete
317DOC_START
318 Remove this line. The feature is supported by default in storage types where update is implemented.
319DOC_END
320
76f44481
AJ		 321NAME: url_rewrite_concurrency
322TYPE: obsolete
323DOC_START
324 Remove this line. Set the 'concurrency=' option of url_rewrite_children instead.
325DOC_END
326
74d81220
AJ		 327NAME: useragent_log
328TYPE: obsolete
329DOC_START
330 Replace this with an access_log directive using the format 'useragent'.
331DOC_END
332
76f44481
AJ		 333# Options Removed in 3.1
334NAME: dns_testnames
335TYPE: obsolete
336DOC_START
337 Remove this line. DNS is no longer tested on startup.
338DOC_END
339
340NAME: extension_methods
341TYPE: obsolete
342DOC_START
343 Remove this line. All valid methods for HTTP are accepted by default.
344DOC_END
345
c72a2049
AJ		 346# 2.7 Options Removed/Replaced in 3.2
347NAME: zero_buffers
348TYPE: obsolete
349DOC_NONE
350
76f44481
AJ		 351# 2.7 Options Removed/Replaced in 3.1
352NAME: incoming_rate
353TYPE: obsolete
354DOC_NONE
355
356NAME: server_http11
357TYPE: obsolete
358DOC_START
359 Remove this line. HTTP/1.1 is supported by default.
360DOC_END
361
362NAME: upgrade_http0.9
363TYPE: obsolete
364DOC_START
365 Remove this line. ICY/1.0 streaming protocol is supported by default.
366DOC_END
367
368NAME: zph_local zph_mode zph_option zph_parent zph_sibling
369TYPE: obsolete
370DOC_START
371 Alter these entries. Use the qos_flows directive instead.
372DOC_END
373
374# Options Removed in 3.0
375NAME: header_access
376TYPE: obsolete
377DOC_START
378 Since squid-3.0 replace with request_header_access or reply_header_access
379 depending on whether you wish to match client requests or server replies.
380DOC_END
381
382NAME: httpd_accel_no_pmtu_disc
383TYPE: obsolete
384DOC_START
385 Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
386DOC_END
387
3b31a711
AJ		 388NAME: wais_relay_host
389TYPE: obsolete
390DOC_START
391 Replace this line with 'cache_peer' configuration.
392DOC_END
393
394NAME: wais_relay_port
395TYPE: obsolete
396DOC_START
397 Replace this line with 'cache_peer' configuration.
398DOC_END
399
50ff42a2
AJ		 400COMMENT_START
401 OPTIONS FOR SMP
402 -----------------------------------------------------------------------------
403COMMENT_END
404
405NAME: workers
406TYPE: int
407LOC: Config.workers
408DEFAULT: 1
409DEFAULT_DOC: SMP support disabled.
410DOC_START
411 Number of main Squid processes or "workers" to fork and maintain.
412 0: "no daemon" mode, like running "squid -N ..."
413 1: "no SMP" mode, start one main Squid process daemon (default)
414 N: start N main Squid process daemons (i.e., SMP mode)
415
416 In SMP mode, each worker does nearly all what a single Squid daemon
417 does (e.g., listen on http_port and forward HTTP requests).
418DOC_END
419
420NAME: cpu_affinity_map
421TYPE: CpuAffinityMap
422LOC: Config.cpuAffinityMap
423DEFAULT: none
424DEFAULT_DOC: Let operating system decide.
425DOC_START
426 Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,...
427
428 Sets 1:1 mapping between Squid processes and CPU cores. For example,
429
430 cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7
431
432 affects processes 1 through 4 only and places them on the first
433 four even cores, starting with core #1.
434
435 CPU cores are numbered starting from 1. Requires support for
436 sched_getaffinity(2) and sched_setaffinity(2) system calls.
437
438 Multiple cpu_affinity_map options are merged.
439
440 See also: workers
441DOC_END
442
c756d517
AR		 443NAME: shared_memory_locking
444TYPE: YesNoNone
445COMMENT: on|off
446LOC: Config.shmLocking
447DEFAULT: off
448DOC_START
449 Whether to ensure that all required shared memory is available by
450 "locking" that shared memory into RAM when Squid starts. The
451 alternative is faster startup time followed by slightly slower
452 performance and, if not enough RAM is actually available during
453 runtime, mysterious crashes.
454
455 SMP Squid uses many shared memory segments. These segments are
456 brought into Squid memory space using an mmap(2) system call. During
457 Squid startup, the mmap() call often succeeds regardless of whether
458 the system has enough RAM. In general, Squid cannot tell whether the
459 kernel applies this "optimistic" memory allocation policy (but
460 popular modern kernels usually use it).
461
462 Later, if Squid attempts to actually access the mapped memory
463 regions beyond what the kernel is willing to allocate, the
464 "optimistic" kernel simply kills Squid kid with a SIGBUS signal.
465 Some of the memory limits enforced by the kernel are currently
466 poorly understood: We do not know how to detect and check them. This
467 option ensures that the mapped memory will be available.
468
469 This option may have a positive performance side-effect: Locking
470 memory at start avoids runtime paging I/O. Paging slows Squid down.
471
472 Locking memory may require a large enough RLIMIT_MEMLOCK OS limit,
473 CAP_IPC_LOCK capability, or equivalent.
474DOC_END
475
00e2479d
AR		 476NAME: hopeless_kid_revival_delay
477COMMENT: time-units
478TYPE: time_t
479LOC: Config.hopelessKidRevivalDelay
480DEFAULT: 1 hour
481DOC_START
482 Normally, when a kid process dies, Squid immediately restarts the
483 kid. A kid experiencing frequent deaths is marked as "hopeless" for
484 the duration specified by this directive. Hopeless kids are not
485 automatically restarted.
486
487 Currently, zero values are not supported because they result in
488 misconfigured SMP Squid instances running forever, endlessly
489 restarting each dying kid. To effectively disable hopeless kids
490 revival, set the delay to a huge value (e.g., 1 year).
491
492 Reconfiguration also clears all hopeless kids designations, allowing
493 for manual revival of hopeless kids.
494DOC_END
495
5473c134 496COMMENT_START
41bd17a4 497 OPTIONS FOR AUTHENTICATION
5473c134 498 -----------------------------------------------------------------------------
499COMMENT_END
500
41bd17a4 501NAME: auth_param
502TYPE: authparam
2f1431ea 503IFDEF: USE_AUTH
5c112575 504LOC: Auth::TheConfig.schemes
cccac0a2 505DEFAULT: none
506DOC_START
41bd17a4 507 This is used to define parameters for the various authentication
508 schemes supported by Squid.
cccac0a2 509
66c583dc 510 format: auth_param scheme parameter [setting]
cccac0a2 511
41bd17a4 512 The order in which authentication schemes are presented to the client is
513 dependent on the order the scheme first appears in config file. IE
514 has a bug (it's not RFC 2617 compliant) in that it will use the basic
515 scheme if basic is the first entry presented, even if more secure
516 schemes are presented. For now use the order in the recommended
517 settings section below. If other browsers have difficulties (don't
518 recognize the schemes offered even if you are using basic) either
519 put basic first, or disable the other schemes (by commenting out their
520 program entry).
cccac0a2 521
41bd17a4 522 Once an authentication scheme is fully configured, it can only be
523 shutdown by shutting squid down and restarting. Changes can be made on
524 the fly and activated with a reconfigure. I.E. You can change to a
525 different helper, but not unconfigure the helper completely.
cccac0a2 526
41bd17a4 527 Please note that while this directive defines how Squid processes
528 authentication it does not automatically activate authentication.
529 To use authentication you must in addition make use of ACLs based
530 on login name in http_access (proxy_auth, proxy_auth_regex or
531 external with %LOGIN used in the format tag). The browser will be
532 challenged for authentication on the first such acl encountered
533 in http_access processing and will also be re-challenged for new
534 login credentials if the request is being denied by a proxy_auth
535 type acl.
cccac0a2 536
41bd17a4 537 WARNING: authentication can't be used in a transparently intercepting
538 proxy as the client then thinks it is talking to an origin server and
539 not the proxy. This is a limitation of bending the TCP/IP protocol to
540 transparently intercepting port 80, not a limitation in Squid.
b3567eb5
FC		 541 Ports flagged 'transparent', 'intercept', or 'tproxy' have
542 authentication disabled.
cccac0a2 543
d4806c91
CT		 544 === Parameters common to all schemes. ===
545
546 "program" cmdline
66c583dc 547 Specifies the command for the external authenticator.
d4806c91 548
66c583dc
AJ		 549 By default, each authentication scheme is not used unless a
550 program is specified.
cccac0a2 551
66c583dc
AJ		 552 See http://wiki.squid-cache.org/Features/AddonHelpers for
553 more details on helper operations and creating your own.
5269ec0e 554
66c583dc
AJ		 555 "key_extras" format
556 Specifies a string to be append to request line format for
557 the authentication helper. "Quoted" format values may contain
558 spaces and logformat %macros. In theory, any logformat %macro
559 can be used. In practice, a %macro expands as a dash (-) if
560 the helper request is sent before the required macro
561 information is available to Squid.
562
563 By default, Squid uses request formats provided in
564 scheme-specific examples below (search for %credentials).
565
566 The expanded key_extras value is added to the Squid credentials
567 cache and, hence, will affect authentication. It can be used to
568 autenticate different users with identical user names (e.g.,
569 when user authentication depends on http_port).
570
571 Avoid adding frequently changing information to key_extras. For
572 example, if you add user source IP, and it changes frequently
573 in your environment, then max_user_ip ACL is going to treat
574 every user+IP combination as a unique "user", breaking the ACL
575 and wasting a lot of memory on those user records. It will also
576 force users to authenticate from scratch whenever their IP
577 changes.
578
579 "realm" string
580 Specifies the protection scope (aka realm name) which is to be
581 reported to the client for the authentication scheme. It is
582 commonly part of the text the user will see when prompted for
583 their username and password.
584
585 For Basic the default is "Squid proxy-caching web server".
586 For Digest there is no default, this parameter is mandatory.
587 For NTLM and Negotiate this parameter is ignored.
5269ec0e 588
6082a0e2
EB		 589 "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
590 [queue-size=N] [on-persistent-overload=action]
5269ec0e 591
66c583dc
AJ		 592 The maximum number of authenticator processes to spawn. If
593 you start too few Squid will have to wait for them to process
594 a backlog of credential verifications, slowing it down. When
595 password verifications are done via a (slow) network you are
596 likely to need lots of authenticator processes.
5269ec0e 597
66c583dc
AJ		 598 The startup= and idle= options permit some skew in the exact
599 amount run. A minimum of startup=N will begin during startup
600 and reconfigure. Squid will start more in groups of up to
601 idle=N in an attempt to meet traffic needs and to keep idle=N
602 free above those traffic needs up to the maximum.
5269ec0e 603
66c583dc
AJ		 604 The concurrency= option sets the number of concurrent requests
605 the helper can process. The default of 0 is used for helpers
606 who only supports one request at a time. Setting this to a
607 number greater than 0 changes the protocol used to include a
608 channel ID field first on the request/response line, allowing
609 multiple requests to be sent to the same helper in parallel
610 without waiting for the response.
cccac0a2 611
66c583dc
AJ		 612 Concurrency must not be set unless it's known the helper
613 supports the input format with channel-ID fields.
cccac0a2 614
6082a0e2
EB		 615 The queue-size=N option sets the maximum number of queued
616 requests to N. The default maximum is 2*numberofchildren. Squid
617 is allowed to temporarily exceed the configured maximum, marking
618 the affected helper as "overloaded". If the helper overload
619 lasts more than 3 minutes, the action prescribed by the
620 on-persistent-overload option applies.
621
622 The on-persistent-overload=action option specifies Squid
623 reaction to a new helper request arriving when the helper
624 has been overloaded for more that 3 minutes already. The number
625 of queued requests determines whether the helper is overloaded
626 (see the queue-size option).
627
628 Two actions are supported:
629
630 die Squid worker quits. This is the default behavior.
631
632 ERR Squid treats the helper request as if it was
633 immediately submitted, and the helper immediately
634 replied with an ERR response. This action has no effect
635 on the already queued and in-progress helper requests.
6825b101 636
66c583dc
AJ		 637 NOTE: NTLM and Negotiate schemes do not support concurrency
638 in the Squid code module even though some helpers can.
307b83b7 639
b2b09838
AJ		 640 "keep_alive" on|off
641 If you experience problems with PUT/POST requests when using
642 the NTLM or Negotiate schemes then you can try setting this
643 to off. This will cause Squid to forcibly close the connection
644 on the initial request where the browser asks which schemes
645 are supported by the proxy.
9e7dbc51 646
b2b09838 647 For Basic and Digest this parameter is ignored.
d2a89ac1 648
66c583dc
AJ		 649 "utf8" on|off
650 HTTP uses iso-latin-1 as character set, while some
651 authentication backends such as LDAP expects UTF-8. If this is
652 set to on Squid will translate the HTTP iso-latin-1 charset to
653 UTF-8 before sending the username and password to the helper.
d1b63fc8 654
b2b09838
AJ		 655 For NTLM and Negotiate this parameter is ignored.
656
657IF HAVE_AUTH_MODULE_BASIC
658 === Basic authentication parameters ===
659
41bd17a4 660 "credentialsttl" timetolive
66c583dc
AJ		 661 Specifies how long squid assumes an externally validated
662 username:password pair is valid for - in other words how
663 often the helper program is called for that user. Set this
664 low to force revalidation with short lived passwords.
cccac0a2 665
66c583dc
AJ		 666 NOTE: setting this high does not impact your susceptibility
667 to replay attacks unless you are using an one-time password
668 system (such as SecureID). If you are using such a system,
669 you will be vulnerable to replay attacks unless you also
670 use the max_user_ip ACL in an http_access rule.
cccac0a2 671
66c583dc
AJ		 672 "casesensitive" on|off
673 Specifies if usernames are case sensitive. Most user databases
674 are case insensitive allowing the same username to be spelled
675 using both lower and upper case letters, but some are case
676 sensitive. This makes a big difference for user_max_ip ACL
677 processing and similar.
cccac0a2 678
66c583dc
AJ		 679ENDIF
680IF HAVE_AUTH_MODULE_DIGEST
681 === Digest authentication parameters ===
cccac0a2 682
41bd17a4 683 "nonce_garbage_interval" timeinterval
66c583dc
AJ		 684 Specifies the interval that nonces that have been issued
685 to client_agent's are checked for validity.
cccac0a2 686
41bd17a4 687 "nonce_max_duration" timeinterval
66c583dc
AJ		 688 Specifies the maximum length of time a given nonce will be
689 valid for.
cccac0a2 690
41bd17a4 691 "nonce_max_count" number
66c583dc
AJ		 692 Specifies the maximum number of times a given nonce can be
693 used.
cccac0a2 694
41bd17a4 695 "nonce_strictness" on|off
66c583dc
AJ		 696 Determines if squid requires strict increment-by-1 behavior
697 for nonce counts, or just incrementing (off - for use when
698 user agents generate nonce counts that occasionally miss 1
699 (ie, 1,2,4,6)). Default off.
cccac0a2 700
41bd17a4 701 "check_nonce_count" on|off
66c583dc
AJ		 702 This directive if set to off can disable the nonce count check
703 completely to work around buggy digest qop implementations in
704 certain mainstream browser versions. Default on to check the
705 nonce count to protect from authentication replay attacks.
cccac0a2 706
41bd17a4 707 "post_workaround" on|off
66c583dc
AJ		 708 This is a workaround to certain buggy browsers who send an
709 incorrect request digest in POST requests when reusing the
710 same nonce as acquired earlier on a GET request.
cccac0a2 711
66c583dc 712ENDIF
527ee50d 713
66c583dc
AJ		 714 === Example Configuration ===
715
716 This configuration displays the recommended authentication scheme
717 order from most to least secure with recommended minimum configuration
718 settings for each scheme:
e0855596 719
41bd17a4 720#auth_param negotiate program <uncomment and complete this line to activate>
48d54e4d 721#auth_param negotiate children 20 startup=0 idle=1
e0855596 722#
66c583dc 723#auth_param digest program <uncomment and complete this line to activate>
48d54e4d 724#auth_param digest children 20 startup=0 idle=1
41bd17a4 725#auth_param digest realm Squid proxy-caching web server
726#auth_param digest nonce_garbage_interval 5 minutes
727#auth_param digest nonce_max_duration 30 minutes
728#auth_param digest nonce_max_count 50
e0855596 729#
66c583dc
AJ		 730#auth_param ntlm program <uncomment and complete this line to activate>
731#auth_param ntlm children 20 startup=0 idle=1
66c583dc 732#
41bd17a4 733#auth_param basic program <uncomment and complete this line>
6f4d3ed6 734#auth_param basic children 5 startup=5 idle=1
41bd17a4 735#auth_param basic credentialsttl 2 hours
41bd17a4 736DOC_END
cccac0a2 737
41bd17a4 738NAME: authenticate_cache_garbage_interval
5db226c8 739IFDEF: USE_AUTH
41bd17a4 740TYPE: time_t
741DEFAULT: 1 hour
00ef8d82 742LOC: Auth::TheConfig.garbageCollectInterval
41bd17a4 743DOC_START
744 The time period between garbage collection across the username cache.
4ded749e 745 This is a trade-off between memory utilization (long intervals - say
41bd17a4 746 2 days) and CPU (short intervals - say 1 minute). Only change if you
747 have good reason to.
748DOC_END
cccac0a2 749
41bd17a4 750NAME: authenticate_ttl
5db226c8 751IFDEF: USE_AUTH
41bd17a4 752TYPE: time_t
753DEFAULT: 1 hour
00ef8d82 754LOC: Auth::TheConfig.credentialsTtl
41bd17a4 755DOC_START
756 The time a user & their credentials stay in the logged in
757 user cache since their last request. When the garbage
758 interval passes, all user credentials that have passed their
759 TTL are removed from memory.
760DOC_END
cccac0a2 761
41bd17a4 762NAME: authenticate_ip_ttl
5db226c8 763IFDEF: USE_AUTH
41bd17a4 764TYPE: time_t
00ef8d82 765LOC: Auth::TheConfig.ipTtl
c35dd848 766DEFAULT: 1 second
41bd17a4 767DOC_START
768 If you use proxy authentication and the 'max_user_ip' ACL,
769 this directive controls how long Squid remembers the IP
770 addresses associated with each user. Use a small value
771 (e.g., 60 seconds) if your users might change addresses
4ded749e 772 quickly, as is the case with dialup. You might be safe
41bd17a4 773 using a larger value (e.g., 2 hours) in a corporate LAN
774 environment with relatively static address assignments.
775DOC_END
cccac0a2 776
3d1e3e43 777COMMENT_START
778 ACCESS CONTROLS
779 -----------------------------------------------------------------------------
780COMMENT_END
781
41bd17a4 782NAME: external_acl_type
783TYPE: externalAclHelper
784LOC: Config.externalAclHelperList
cccac0a2 785DEFAULT: none
cccac0a2 786DOC_START
41bd17a4 787 This option defines external acl classes using a helper program
788 to look up the status
cccac0a2 789
262eaf9a 790 external_acl_type name [options] FORMAT /path/to/helper [helper arguments]
cccac0a2 791
41bd17a4 792 Options:
cccac0a2 793
41bd17a4 794 ttl=n TTL in seconds for cached results (defaults to 3600
cd0fd8a9 795 for 1 hour)
4f8d0a65 796
41bd17a4 797 negative_ttl=n
cd0fd8a9
AJ		 798 TTL for cached negative lookups (default same
799 as ttl)
4f8d0a65
AJ		 800
801 grace=n Percentage remaining of TTL where a refresh of a
802 cached entry should be initiated without needing to
803 wait for a new reply. (default is for no grace period)
804
eef8bf2d
AR		 805 cache=n The maximum number of entries in the result cache. The
806 default limit is 262144 entries. Each cache entry usually
807 consumes at least 256 bytes. Squid currently does not remove
808 expired cache entries until the limit is reached, so a proxy
809 will sooner or later reach the limit. The expanded FORMAT
810 value is used as the cache key, so if the details in FORMAT
811 are highly variable, a larger cache may be needed to produce
812 reduction in helper load.
4f8d0a65 813
48d54e4d
AJ		 814 children-max=n
815 Maximum number of acl helper processes spawned to service
2ccfb9a7 816 external acl lookups of this type. (default 5)
4f8d0a65 817
48d54e4d
AJ		 818 children-startup=n
819 Minimum number of acl helper processes to spawn during
820 startup and reconfigure to service external acl lookups
821 of this type. (default 0)
4f8d0a65 822
48d54e4d
AJ		 823 children-idle=n
824 Number of acl helper processes to keep ahead of traffic
825 loads. Squid will spawn this many at once whenever load
826 rises above the capabilities of existing processes.
827 Up to the value of children-max. (default 1)
4f8d0a65 828
41bd17a4 829 concurrency=n concurrency level per process. Only used with helpers
830 capable of processing more than one query at a time.
4f8d0a65 831
6825b101
CT		 832 queue-size=N The queue-size= option sets the maximum number of queued
833 requests. If the queued requests exceed queue size
4f8d0a65 834 the acl is ignored.
6825b101 835 The default value is set to 2*children-max.
4f8d0a65
AJ		 836
837 protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers.
838
91e64de9
AJ		 839 ipv4 / ipv6 IP protocol used to communicate with this helper.
840 The default is to auto-detect IPv6 and use it when available.
cccac0a2 841
4f8d0a65 842
cd0fd8a9
AJ		 843 FORMAT is a series of %macro codes. See logformat directive for a full list
844 of the accepted codes. Although note that at the time of any external ACL
845 being tested data may not be available and thus some %macro expand to '-'.
846
847 In addition to the logformat codes; when processing external ACLs these
848 additional macros are made available:
7b0ca1e8 849
ec2d5242 850 %ACL The name of the ACL being tested.
ec2d5242 851
0638f4a2
AJ		 852 %DATA The ACL arguments specified in the referencing config
853 'acl ... external' line, separated by spaces (an
854 "argument string"). see acl external.
855
856 If there are no ACL arguments %DATA expands to '-'.
857
858 If you do not specify a DATA macro inside FORMAT,
859 Squid automatically appends %DATA to your FORMAT.
cd0fd8a9 860
262eaf9a
CT		 861 By default, Squid applies URL-encoding to each ACL
862 argument inside the argument string. If an explicit
863 encoding modifier is used (e.g., %#DATA), then Squid
864 encodes the whole argument string as a single token
865 (e.g., with %#DATA, spaces between arguments become
866 %20).
867
cd0fd8a9
AJ		 868 If SSL is enabled, the following formating codes become available:
869
870 %USER_CERT SSL User certificate in PEM format
871 %USER_CERTCHAIN SSL User certificate chain in PEM format
872 %USER_CERT_xx SSL User certificate subject attribute xx
873 %USER_CA_CERT_xx SSL User certificate issuer attribute xx
874
875
876 NOTE: all other format codes accepted by older Squid versions
877 are deprecated.
0db8942f 878
cccac0a2 879
5269ec0e
AJ		 880 General request syntax:
881
0638f4a2 882 [channel-ID] FORMAT-values
5269ec0e
AJ		 883
884
885 FORMAT-values consists of transaction details expanded with
886 whitespace separation per the config file FORMAT specification
887 using the FORMAT macros listed above.
888
5269ec0e
AJ		 889 Request values sent to the helper are URL escaped to protect
890 each value in requests against whitespaces.
891
892 If using protocol=2.5 then the request sent to the helper is not
893 URL escaped to protect against whitespace.
894
895 NOTE: protocol=3.0 is deprecated as no longer necessary.
896
897 When using the concurrency= option the protocol is changed by
898 introducing a query channel tag in front of the request/response.
899 The query channel tag is a number between 0 and concurrency-1.
900 This value must be echoed back unchanged to Squid as the first part
901 of the response relating to its request.
902
903
904 The helper receives lines expanded per the above format specification
905 and for each input line returns 1 line starting with OK/ERR/BH result
906 code and optionally followed by additional keywords with more details.
907
cccac0a2 908
41bd17a4 909 General result syntax:
cccac0a2 910
5269ec0e
AJ		 911 [channel-ID] result keyword=value ...
912
913 Result consists of one of the codes:
914
915 OK
916 the ACL test produced a match.
917
918 ERR
919 the ACL test does not produce a match.
920
921 BH
4ded749e 922 An internal error occurred in the helper, preventing
5269ec0e
AJ		 923 a result being identified.
924
925 The meaning of 'a match' is determined by your squid.conf
926 access control configuration. See the Squid wiki for details.
cccac0a2 927
41bd17a4 928 Defined keywords:
cccac0a2 929
41bd17a4 930 user= The users name (login)
5269ec0e 931
41bd17a4 932 password= The users password (for login= cache_peer option)
5269ec0e 933
05e52854 934 message= Message describing the reason for this response.
5269ec0e
AJ		 935 Available as %o in error pages.
936 Useful on (ERR and BH results).
937
05e52854
AJ		 938 tag= Apply a tag to a request. Only sets a tag once,
939 does not alter existing tags.
5269ec0e 940
41bd17a4 941 log= String to be logged in access.log. Available as
cd0fd8a9 942 %ea in logformat specifications.
934b03fc 943
cd0fd8a9 944 clt_conn_tag= Associates a TAG with the client TCP connection.
4f8d0a65
AJ		 945 Please see url_rewrite_program related documentation
946 for this kv-pair.
457857fe 947
05e52854 948 Any keywords may be sent on any response whether OK, ERR or BH.
6a566b9c 949
05e52854
AJ		 950 All response keyword values need to be a single token with URL
951 escaping, or enclosed in double quotes (") and escaped using \ on
24eac830
AJ		 952 any double quotes or \ characters within the value. The wrapping
953 double quotes are removed before the value is interpreted by Squid.
954 \r and \n are also replace by CR and LF.
1e5562e3 955
24eac830
AJ		 956 Some example key values:
957
5269ec0e 958 user=John%20Smith
24eac830
AJ		 959 user="John Smith"
960 user="J. \"Bob\" Smith"
cccac0a2 961DOC_END
962
41bd17a4 963NAME: acl
964TYPE: acl
965LOC: Config.aclList
cb4f4424 966IF USE_OPENSSL
cf1c09f6
CT		 967DEFAULT: ssl::certHasExpired ssl_error X509_V_ERR_CERT_HAS_EXPIRED
968DEFAULT: ssl::certNotYetValid ssl_error X509_V_ERR_CERT_NOT_YET_VALID
969DEFAULT: ssl::certDomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
970DEFAULT: ssl::certUntrusted ssl_error X509_V_ERR_INVALID_CA X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY X509_V_ERR_CERT_UNTRUSTED
971DEFAULT: ssl::certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
972ENDIF
1f5bd0a4 973DEFAULT: all src all
b8a25eaa
AJ		 974DEFAULT: manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
975DEFAULT: localhost src 127.0.0.1/32 ::1
976DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
2c56ee3c 977DEFAULT: CONNECT method CONNECT
29503899 978DEFAULT_DOC: ACLs all, manager, localhost, to_localhost, and CONNECT are predefined.
cccac0a2 979DOC_START
41bd17a4 980 Defining an Access List
cccac0a2 981
375eeb3b
AJ		 982 Every access list definition must begin with an aclname and acltype,
983 followed by either type-specific arguments or a quoted filename that
984 they are read from.
cccac0a2 985
375eeb3b
AJ		 986 acl aclname acltype argument ...
987 acl aclname acltype "file" ...
cccac0a2 988
375eeb3b 989 When using "file", the file should contain one item per line.
cccac0a2 990
76ee67ac
CT		 991
992 ACL Options
993
994 Some acl types supports options which changes their default behaviour:
0f987978
CT		 995
996 -i,+i By default, regular expressions are CASE-SENSITIVE. To make them
997 case-insensitive, use the -i option. To return case-sensitive
998 use the +i option between patterns, or make a new ACL line
999 without -i.
1000
1001 -n Disable lookups and address type conversions. If lookup or
1002 conversion is required because the parameter type (IP or
1003 domain name) does not match the message address type (domain
1004 name or IP), then the ACL would immediately declare a mismatch
1005 without any warnings or lookups.
1006
76ee67ac
CT		 1007 -m[=delimiters]
1008 Perform a list membership test, interpreting values as
1009 comma-separated token lists and matching against individual
1010 tokens instead of whole values.
1011 The optional "delimiters" parameter specifies one or more
1012 alternative non-alphanumeric delimiter characters.
1013 non-alphanumeric delimiter characters.
1014
0f987978
CT		 1015 -- Used to stop processing all options, in the case the first acl
1016 value has '-' character as first character (for example the '-'
1017 is a valid domain name)
cccac0a2 1018
b3567eb5
FC		 1019 Some acl types require suspending the current request in order
1020 to access some external data source.
1021 Those which do are marked with the tag [slow], those which
1022 don't are marked as [fast].
1023 See http://wiki.squid-cache.org/SquidFaq/SquidAcl
1024 for further information
e988aa40
AJ		 1025
1026 ***** ACL TYPES AVAILABLE *****
1027
1e40905d
AJ		 1028 acl aclname src ip-address/mask ... # clients IP address [fast]
1029 acl aclname src addr1-addr2/mask ... # range of addresses [fast]
0f987978 1030 acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow]
1e40905d 1031 acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
cccac0a2 1032
41bd17a4 1033 acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
b3567eb5 1034 # [fast]
abe01913
AJ		 1035 # The 'arp' ACL code is not portable to all operating systems.
1036 # It works on Linux, Solaris, Windows, FreeBSD, and some other
1037 # BSD variants.
41bd17a4 1038 #
abe01913
AJ		 1039 # NOTE: Squid can only determine the MAC/EUI address for IPv4
1040 # clients that are on the same subnet. If the client is on a
1041 # different subnet, then Squid cannot find out its address.
1042 #
1043 # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either
1044 # encoded directly in the IPv6 address or not available.
b3567eb5
FC		 1045
1046 acl aclname srcdomain .foo.com ...
1047 # reverse lookup, from client IP [slow]
0f987978 1048 acl aclname dstdomain [-n] .foo.com ...
e38c7724 1049 # Destination server from URL [fast]
b3567eb5
FC		 1050 acl aclname srcdom_regex [-i] \.foo\.com ...
1051 # regex matching client name [slow]
0f987978 1052 acl aclname dstdom_regex [-n] [-i] \.foo\.com ...
e38c7724 1053 # regex matching server [fast]
b3567eb5 1054 #
41bd17a4 1055 # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
1056 # based URL is used and no match is found. The name "none" is used
1057 # if the reverse lookup fails.
9bc73deb 1058
375eeb3b
AJ		 1059 acl aclname src_as number ...
1060 acl aclname dst_as number ...
b3567eb5 1061 # [fast]
e988aa40
AJ		 1062 # Except for access control, AS numbers can be used for
1063 # routing of requests to specific caches. Here's an
1064 # example for routing all requests for AS#1241 and only
1065 # those to mycache.mydomain.net:
1066 # acl asexample dst_as 1241
1067 # cache_peer_access mycache.mydomain.net allow asexample
1068 # cache_peer_access mycache_mydomain.net deny all
7f7db318 1069
6db78a1a 1070 acl aclname peername myPeer ...
b3567eb5 1071 # [fast]
6db78a1a
AJ		 1072 # match against a named cache_peer entry
1073 # set unique name= on cache_peer lines for reliable use.
1074
375eeb3b 1075 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
b3567eb5 1076 # [fast]
375eeb3b
AJ		 1077 # day-abbrevs:
1078 # S - Sunday
1079 # M - Monday
1080 # T - Tuesday
1081 # W - Wednesday
1082 # H - Thursday
1083 # F - Friday
1084 # A - Saturday
1085 # h1:m1 must be less than h2:m2
1086
b3567eb5
FC		 1087 acl aclname url_regex [-i] ^http:// ...
1088 # regex matching on whole URL [fast]
9d35fe37
AJ		 1089 acl aclname urllogin [-i] [^a-zA-Z0-9] ...
1090 # regex matching on URL login field
b3567eb5
FC		 1091 acl aclname urlpath_regex [-i] \.gif$ ...
1092 # regex matching on URL path [fast]
e988aa40 1093
b3567eb5
FC		 1094 acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
1095 # ranges are alloed
1e40905d
AJ		 1096 acl aclname localport 3128 ... # TCP port the client connected to [fast]
1097 # NP: for interception mode this is usually '80'
1098
3cc0f4e7 1099 acl aclname myportname 3128 ... # *_port name [fast]
e988aa40 1100
b3567eb5
FC		 1101 acl aclname proto HTTP FTP ... # request protocol [fast]
1102
1103 acl aclname method GET POST ... # HTTP request method [fast]
e988aa40 1104
b3567eb5
FC		 1105 acl aclname http_status 200 301 500- 400-403 ...
1106 # status code in reply [fast]
e988aa40 1107
375eeb3b 1108 acl aclname browser [-i] regexp ...
b3567eb5 1109 # pattern match on User-Agent header (see also req_header below) [fast]
e988aa40 1110
375eeb3b 1111 acl aclname referer_regex [-i] regexp ...
b3567eb5 1112 # pattern match on Referer header [fast]
41bd17a4 1113 # Referer is highly unreliable, so use with care
e988aa40 1114
375eeb3b 1115 acl aclname ident username ...
41bd17a4 1116 acl aclname ident_regex [-i] pattern ...
b3567eb5 1117 # string match on ident output [slow]
41bd17a4 1118 # use REQUIRED to accept any non-null ident.
cf5cc17e 1119
41bd17a4 1120 acl aclname proxy_auth [-i] username ...
1121 acl aclname proxy_auth_regex [-i] pattern ...
b3567eb5
FC		 1122 # perform http authentication challenge to the client and match against
1123 # supplied credentials [slow]
1124 #
1125 # takes a list of allowed usernames.
41bd17a4 1126 # use REQUIRED to accept any valid username.
1127 #
b3567eb5
FC		 1128 # Will use proxy authentication in forward-proxy scenarios, and plain
1129 # http authenticaiton in reverse-proxy scenarios
1130 #
41bd17a4 1131 # NOTE: when a Proxy-Authentication header is sent but it is not
1132 # needed during ACL checking the username is NOT logged
1133 # in access.log.
1134 #
1135 # NOTE: proxy_auth requires a EXTERNAL authentication program
1136 # to check username/password combinations (see
1137 # auth_param directive).
1138 #
e988aa40
AJ		 1139 # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
1140 # as the browser needs to be configured for using a proxy in order
41bd17a4 1141 # to respond to proxy authentication.
8e8d4f30 1142
41bd17a4 1143 acl aclname snmp_community string ...
b3567eb5 1144 # A community string to limit access to your SNMP Agent [fast]
41bd17a4 1145 # Example:
1146 #
1147 # acl snmppublic snmp_community public
934b03fc 1148
41bd17a4 1149 acl aclname maxconn number
1150 # This will be matched when the client's IP address has
55d0fae8
AJ		 1151 # more than <number> TCP connections established. [fast]
1152 # NOTE: This only measures direct TCP links so X-Forwarded-For
1153 # indirect clients are not counted.
1e5562e3 1154
41bd17a4 1155 acl aclname max_user_ip [-s] number
1156 # This will be matched when the user attempts to log in from more
1157 # than <number> different ip addresses. The authenticate_ip_ttl
b3567eb5 1158 # parameter controls the timeout on the ip entries. [fast]
41bd17a4 1159 # If -s is specified the limit is strict, denying browsing
1160 # from any further IP addresses until the ttl has expired. Without
1161 # -s Squid will just annoy the user by "randomly" denying requests.
1162 # (the counter is reset each time the limit is reached and a
1163 # request is denied)
1164 # NOTE: in acceleration mode or where there is mesh of child proxies,
1165 # clients may appear to come from multiple addresses if they are
1166 # going through proxy farms, so a limit of 1 may cause user problems.
cccac0a2 1167
cb1b906f
AJ		 1168 acl aclname random probability
1169 # Pseudo-randomly match requests. Based on the probability given.
1170 # Probability may be written as a decimal (0.333), fraction (1/3)
1171 # or ratio of matches:non-matches (3:5).
1172
375eeb3b 1173 acl aclname req_mime_type [-i] mime-type ...
41bd17a4 1174 # regex match against the mime type of the request generated
1175 # by the client. Can be used to detect file upload or some
b3567eb5 1176 # types HTTP tunneling requests [fast]
41bd17a4 1177 # NOTE: This does NOT match the reply. You cannot use this
1178 # to match the returned file type.
cccac0a2 1179
41bd17a4 1180 acl aclname req_header header-name [-i] any\.regex\.here
1181 # regex match against any of the known request headers. May be
1182 # thought of as a superset of "browser", "referer" and "mime-type"
b3567eb5 1183 # ACL [fast]
cccac0a2 1184
375eeb3b 1185 acl aclname rep_mime_type [-i] mime-type ...
41bd17a4 1186 # regex match against the mime type of the reply received by
1187 # squid. Can be used to detect file download or some
b3567eb5 1188 # types HTTP tunneling requests. [fast]
41bd17a4 1189 # NOTE: This has no effect in http_access rules. It only has
1190 # effect in rules that affect the reply data stream such as
1191 # http_reply_access.
cccac0a2 1192
41bd17a4 1193 acl aclname rep_header header-name [-i] any\.regex\.here
1194 # regex match against any of the known reply headers. May be
1195 # thought of as a superset of "browser", "referer" and "mime-type"
b3567eb5 1196 # ACLs [fast]
cccac0a2 1197
375eeb3b 1198 acl aclname external class_name [arguments...]
41bd17a4 1199 # external ACL lookup via a helper class defined by the
b3567eb5 1200 # external_acl_type directive [slow]
cccac0a2 1201
41bd17a4 1202 acl aclname user_cert attribute values...
1203 # match against attributes in a user SSL certificate
2927ae41 1204 # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
cccac0a2 1205
41bd17a4 1206 acl aclname ca_cert attribute values...
1207 # match against attributes a users issuing CA SSL certificate
2927ae41 1208 # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
cccac0a2 1209
41bd17a4 1210 acl aclname ext_user username ...
1211 acl aclname ext_user_regex [-i] pattern ...
b3567eb5 1212 # string match on username returned by external acl helper [slow]
41bd17a4 1213 # use REQUIRED to accept any non-null user name.
b3567eb5 1214
0ab50441 1215 acl aclname tag tagvalue ...
94da12c8
AJ		 1216 # string match on tag returned by external acl helper [fast]
1217 # DEPRECATED. Only the first tag will match with this ACL.
1218 # Use the 'note' ACL instead for handling multiple tag values.
cccac0a2 1219
bbaf2685
AJ		 1220 acl aclname hier_code codename ...
1221 # string match against squid hierarchy code(s); [fast]
1222 # e.g., DIRECT, PARENT_HIT, NONE, etc.
1223 #
1224 # NOTE: This has no effect in http_access rules. It only has
1225 # effect in rules that affect the reply data stream such as
1226 # http_reply_access.
1227
76ee67ac 1228 acl aclname note [-m[=delimiters]] name [value ...]
39baccc8
CT		 1229 # match transaction annotation [fast]
1230 # Without values, matches any annotation with a given name.
1231 # With value(s), matches any annotation with a given name that
1232 # also has one of the given values.
76ee67ac
CT		 1233 # If the -m flag is used, then the value of the named
1234 # annotation is interpreted as a list of tokens, and the ACL
1235 # matches individual name=token pairs rather than whole
1236 # name=value pairs. See "ACL Options" above for more info.
39baccc8
CT		 1237 # Annotation sources include note and adaptation_meta directives
1238 # as well as helper and eCAP responses.
1239
589aab05
CT		 1240 acl aclname annotate_transaction [-m[=delimiters]] key=value ...
1241 acl aclname annotate_transaction [-m[=delimiters]] key+=value ...
75d47340
CT		 1242 # Always matches. [fast]
1243 # Used for its side effect: This ACL immediately adds a
1244 # key=value annotation to the current master transaction.
1245 # The added annotation can then be tested using note ACL and
1246 # logged (or sent to helpers) using %note format code.
1247 #
1248 # Annotations can be specified using replacement and addition
1249 # formats. The key=value form replaces old same-key annotation
1250 # value(s). The key+=value form appends a new value to the old
1251 # same-key annotation. Both forms create a new key=value
1252 # annotation if no same-key annotation exists already. If
1253 # -m flag is used, then the value is interpreted as a list
1254 # and the annotation will contain key=token pair(s) instead of the
1255 # whole key=value pair.
1256 #
1257 # This ACL is especially useful for recording complex multi-step
1258 # ACL-driven decisions. For example, the following configuration
1259 # avoids logging transactions accepted after aclX matched:
1260 #
1261 # # First, mark transactions accepted after aclX matched
1262 # acl markSpecial annotate_transaction special=true
1263 # http_access allow acl001
1264 # ...
1265 # http_access deny acl100
1266 # http_access allow aclX markSpecial
1267 #
1268 # # Second, do not log marked transactions:
1269 # acl markedSpecial note special true
1270 # access_log ... deny markedSpecial
1271 #
1272 # # Note that the following would not have worked because aclX
1273 # # alone does not determine whether the transaction was allowed:
1274 # access_log ... deny aclX # Wrong!
1275 #
1276 # Warning: This ACL annotates the transaction even when negated
1277 # and even if subsequent ACLs fail to match. For example, the
1278 # following three rules will have exactly the same effect as far
1279 # as annotations set by the "mark" ACL are concerned:
1280 #
1281 # some_directive acl1 ... mark # rule matches if mark is reached
1282 # some_directive acl1 ... !mark # rule never matches
1283 # some_directive acl1 ... mark !all # rule never matches
1284
589aab05
CT		 1285 acl aclname annotate_client [-m[=delimiters]] key=value ...
1286 acl aclname annotate_client [-m[=delimiters]] key+=value ...
75d47340 1287 #
589aab05
CT		 1288 # Always matches. [fast]
1289 # Used for its side effect: This ACL immediately adds a
1290 # key=value annotation to the current client-to-Squid
75d47340
CT		 1291 # connection. Connection annotations are propagated to the current
1292 # and all future master transactions on the annotated connection.
1293 # See the annotate_transaction ACL for details.
1294 #
1295 # For example, the following configuration avoids rewriting URLs
1296 # of transactions bumped by SslBump:
1297 #
1298 # # First, mark bumped connections:
1299 # acl markBumped annotate_client bumped=true
1300 # ssl_bump peek acl1
1301 # ssl_bump stare acl2
1302 # ssl_bump bump acl3 markBumped
1303 # ssl_bump splice all
1304 #
1305 # # Second, do not send marked transactions to the redirector:
1306 # acl markedBumped note bumped true
1307 # url_rewrite_access deny markedBumped
1308 #
1309 # # Note that the following would not have worked because acl3 alone
1310 # # does not determine whether the connection is going to be bumped:
1311 # url_rewrite_access deny acl3 # Wrong!
1312
c302ddb5
CT		 1313 acl aclname adaptation_service service ...
1314 # Matches the name of any icap_service, ecap_service,
1315 # adaptation_service_set, or adaptation_service_chain that Squid
1316 # has used (or attempted to use) for the master transaction.
1317 # This ACL must be defined after the corresponding adaptation
1318 # service is named in squid.conf. This ACL is usable with
1319 # adaptation_meta because it starts matching immediately after
1320 # the service has been selected for adaptation.
1321
5ceaee75
CT		 1322 acl aclname transaction_initiator initiator ...
1323 # Matches transaction's initiator [fast]
1324 #
1325 # Supported initiators are:
1326 # esi: matches transactions fetching ESI resources
1327 # certificate-fetching: matches transactions fetching
1328 # a missing intermediate TLS certificate
1329 # cache-digest: matches transactions fetching Cache Digests
1330 # from a cache_peer
1331 # htcp: matches HTCP requests from peers
1332 # icp: matches ICP requests to peers
1333 # icmp: matches ICMP RTT database (NetDB) requests to peers
1334 # asn: matches asns db requests
1335 # internal: matches any of the above
1336 # client: matches transactions containing an HTTP or FTP
1337 # client request received at a Squid *_port
1338 # all: matches any transaction, including internal transactions
1339 # without a configurable initiator and hopefully rare
1340 # transactions without a known-to-Squid initiator
1341 #
1342 # Multiple initiators are ORed.
1343
5ec4cffe
EB		 1344 acl aclname has component
1345 # matches a transaction "component" [fast]
1346 #
1347 # Supported transaction components are:
1348 # request: transaction has a request header (at least)
1349 # response: transaction has a response header (at least)
1350 # ALE: transaction has an internally-generated Access Log Entry
1351 # structure; bugs notwithstanding, all transaction have it
1352 #
1353 # For example, the following configuration helps when dealing with HTTP
1354 # clients that close connections without sending a request header:
1355 #
1356 # acl hasRequest has request
1357 # acl logMe note important_transaction
1358 # # avoid "logMe ACL is used in context without an HTTP request" warnings
1359 # access_log ... logformat=detailed hasRequest logMe
1360 # # log request-less transactions, instead of ignoring them
1361 # access_log ... logformat=brief !hasRequest
1362 #
1363 # Multiple components are not supported for one "acl" rule, but
1364 # can be specified (and are ORed) using multiple same-name rules:
1365 #
1366 # # OK, this strange logging daemon needs request or response,
1367 # # but can work without either a request or a response:
1368 # acl hasWhatMyLoggingDaemonNeeds has request
1369 # acl hasWhatMyLoggingDaemonNeeds has response
1370
cb4f4424 1371IF USE_OPENSSL
cf1c09f6
CT		 1372 acl aclname ssl_error errorname
1373 # match against SSL certificate validation error [fast]
cf1c09f6 1374 #
7a957a93
AR		 1375 # For valid error names see in @DEFAULT_ERROR_DIR@/templates/error-details.txt
1376 # template file.
cf1c09f6 1377 #
7a957a93
AR		 1378 # The following can be used as shortcuts for certificate properties:
1379 # [ssl::]certHasExpired: the "not after" field is in the past
1380 # [ssl::]certNotYetValid: the "not before" field is in the future
1381 # [ssl::]certUntrusted: The certificate issuer is not to be trusted.
1382 # [ssl::]certSelfSigned: The certificate is self signed.
1383 # [ssl::]certDomainMismatch: The certificate CN domain does not
1384 # match the name the name of the host we are connecting to.
1385 #
1386 # The ssl::certHasExpired, ssl::certNotYetValid, ssl::certDomainMismatch,
1387 # ssl::certUntrusted, and ssl::certSelfSigned can also be used as
1388 # predefined ACLs, just like the 'all' ACL.
1389 #
1390 # NOTE: The ssl_error ACL is only supported with sslproxy_cert_error,
1391 # sslproxy_cert_sign, and sslproxy_cert_adapt options.
00352183 1392
72b12f9e 1393 acl aclname server_cert_fingerprint [-sha1] fingerprint
00352183
AR		 1394 # match against server SSL certificate fingerprint [fast]
1395 #
1396 # The fingerprint is the digest of the DER encoded version
1397 # of the whole certificate. The user should use the form: XX:XX:...
1398 # Optional argument specifies the digest algorithm to use.
1399 # The SHA1 digest algorithm is the default and is currently
1400 # the only algorithm supported (-sha1).
5d65362c 1401
652fcffd 1402 acl aclname at_step step
8f165829
AR		 1403 # match against the current step during ssl_bump evaluation [fast]
1404 # Never matches and should not be used outside the ssl_bump context.
1405 #
1406 # At each SslBump step, Squid evaluates ssl_bump directives to find
1407 # the next bumping action (e.g., peek or splice). Valid SslBump step
1408 # values and the corresponding ssl_bump evaluation moments are:
1110989a
CT		 1409 # SslBump1: After getting TCP-level and HTTP CONNECT info.
1410 # SslBump2: After getting SSL Client Hello info.
1411 # SslBump3: After getting SSL Server Hello info.
69f69080 1412
4f6990ec 1413 acl aclname ssl::server_name [option] .foo.com ...
69f69080
CT		 1414 # matches server name obtained from various sources [fast]
1415 #
4f6990ec
CT		 1416 # The ACL computes server name(s) using such information sources as
1417 # CONNECT request URI, TLS client SNI, and TLS server certificate
1418 # subject (CN and SubjectAltName). The computed server name(s) usually
1419 # change with each SslBump step, as more info becomes available:
1420 # * SNI is used as the server name instead of the request URI,
1421 # * subject name(s) from the server certificate (CN and
1422 # SubjectAltName) are used as the server names instead of SNI.
1423 #
1424 # When the ACL computes multiple server names, matching any single
1425 # computed name is sufficient for the ACL to match.
1426 #
1427 # The "none" name can be used to match transactions where the ACL
8d9e6d7f 1428 # could not compute the server name using any information source
4f6990ec
CT		 1429 # that was both available and allowed to be used by the ACL options at
1430 # the ACL evaluation time.
1431 #
1432 # Unlike dstdomain, this ACL does not perform DNS lookups.
1433 #
1434 # An ACL option below may be used to restrict what information
1435 # sources are used to extract the server names from:
1436 #
1437 # --client-requested
1438 # The server name is SNI regardless of what the server says.
1439 # --server-provided
1440 # The server name(s) are the certificate subject name(s), regardless
1441 # of what the client has requested. If the server certificate is
1442 # unavailable, then the name is "none".
1443 # --consensus
1444 # The server name is either SNI (if SNI matches at least one of the
1445 # certificate subject names) or "none" (otherwise). When the server
1446 # certificate is unavailable, the consensus server name is SNI.
1447 #
1448 # Combining multiple options in one ACL is a fatal configuration
1449 # error.
1450 #
1451 # For all options: If no SNI is available, then the CONNECT request
1452 # target (a.k.a. URI) is used instead of SNI (for an intercepted
1453 # connection, this target is the destination IP address).
69f69080
CT		 1454
1455 acl aclname ssl::server_name_regex [-i] \.foo\.com ...
1456 # regex matches server name obtained from various sources [fast]
88df846b
CT		 1457
1458 acl aclname connections_encrypted
1459 # matches transactions with all HTTP messages received over TLS
1460 # transport connections. [fast]
1461 #
1462 # The master transaction deals with HTTP messages received from
1463 # various sources. All sources used by the master transaction in the
1464 # past are considered by the ACL. The following rules define whether
1465 # a given message source taints the entire master transaction,
1466 # resulting in ACL mismatches:
1467 #
1468 # * The HTTP client transport connection is not TLS.
1469 # * An adaptation service connection-encryption flag is off.
1470 # * The peer or origin server transport connection is not TLS.
1471 #
1472 # Caching currently does not affect these rules. This cache ignorance
1473 # implies that only the current HTTP client transport and REQMOD
1474 # services status determine whether this ACL matches a from-cache
1475 # transaction. The source of the cached response does not have any
1476 # effect on future transaction that use the cached response without
1477 # revalidation. This may change.
1478 #
1479 # DNS, ICP, and HTCP exchanges during the master transaction do not
1480 # affect these rules.
cf1c09f6 1481ENDIF
6f58d7d7
AR		 1482 acl aclname any-of acl1 acl2 ...
1483 # match any one of the acls [fast or slow]
1484 # The first matching ACL stops further ACL evaluation.
1485 #
1486 # ACLs from multiple any-of lines with the same name are ORed.
1487 # For example, A = (a1 or a2) or (a3 or a4) can be written as
1488 # acl A any-of a1 a2
1489 # acl A any-of a3 a4
1490 #
1491 # This group ACL is fast if all evaluated ACLs in the group are fast
1492 # and slow otherwise.
1493
1494 acl aclname all-of acl1 acl2 ...
1495 # match all of the acls [fast or slow]
1496 # The first mismatching ACL stops further ACL evaluation.
1497 #
1498 # ACLs from multiple all-of lines with the same name are ORed.
1499 # For example, B = (b1 and b2) or (b3 and b4) can be written as
1500 # acl B all-of b1 b2
1501 # acl B all-of b3 b4
1502 #
1503 # This group ACL is fast if all evaluated ACLs in the group are fast
1504 # and slow otherwise.
cf1c09f6 1505
e0855596
AJ		 1506 Examples:
1507 acl macaddress arp 09:00:2b:23:45:67
1508 acl myexample dst_as 1241
1509 acl password proxy_auth REQUIRED
1510 acl fileupload req_mime_type -i ^multipart/form-data$
1511 acl javascript rep_mime_type -i ^application/x-javascript$
cccac0a2 1512
41bd17a4 1513NOCOMMENT_START
e0855596
AJ		 1514#
1515# Recommended minimum configuration:
1516#
e0855596 1517
ee776778 1518# Example rule allowing access from your local networks.
1519# Adapt to list your (internal) IP networks from where browsing
1520# should be allowed
fe204e1d
AJ		 1521acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
1522acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
1523acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
1524acl localhet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
1525acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
1526acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
1527acl localnet src fc00::/7 # RFC 4193 local private network range
1528acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
e0855596 1529
41bd17a4 1530acl SSL_ports port 443
1531acl Safe_ports port 80 # http
1532acl Safe_ports port 21 # ftp
1533acl Safe_ports port 443 # https
1534acl Safe_ports port 70 # gopher
1535acl Safe_ports port 210 # wais
1536acl Safe_ports port 1025-65535 # unregistered ports
1537acl Safe_ports port 280 # http-mgmt
1538acl Safe_ports port 488 # gss-http
1539acl Safe_ports port 591 # filemaker
1540acl Safe_ports port 777 # multiling http
41bd17a4 1541NOCOMMENT_END
1542DOC_END
cccac0a2 1543
d3d92daa 1544NAME: proxy_protocol_access
3d674977 1545TYPE: acl_access
d3d92daa
AJ		 1546LOC: Config.accessList.proxyProtocol
1547DEFAULT: none
c390580b 1548DEFAULT_DOC: all TCP connections to ports with require-proxy-header will be denied
d3d92daa
AJ		 1549DOC_START
1550 Determine which client proxies can be trusted to provide correct
1551 information regarding real client IP address using PROXY protocol.
1552
1553 Requests may pass through a chain of several other proxies
1554 before reaching us. The original source details may by sent in:
1555 * HTTP message Forwarded header, or
1556 * HTTP message X-Forwarded-For header, or
1557 * PROXY protocol connection header.
1558
1559 This directive is solely for validating new PROXY protocol
1560 connections received from a port flagged with require-proxy-header.
1561 It is checked only once after TCP connection setup.
1562
1563 A deny match results in TCP connection closure.
1564
1565 An allow match is required for Squid to permit the corresponding
1566 TCP connection, before Squid even looks for HTTP request headers.
1567 If there is an allow match, Squid starts using PROXY header information
1568 to determine the source address of the connection for all future ACL
1569 checks, logging, etc.
1570
1571 SECURITY CONSIDERATIONS:
1572
c390580b 1573 Any host from which we accept client IP details can place
d3d92daa
AJ		 1574 incorrect information in the relevant header, and Squid
1575 will use the incorrect information as if it were the
1576 source address of the request. This may enable remote
1577 hosts to bypass any access control restrictions that are
1578 based on the client's source addresses.
1579
1580 This clause only supports fast acl types.
1581 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1582DOC_END
1583
1584NAME: follow_x_forwarded_for
1585TYPE: acl_access
1586IFDEF: FOLLOW_X_FORWARDED_FOR
3d674977 1587LOC: Config.accessList.followXFF
3d674977 1588DEFAULT_IF_NONE: deny all
9353df52 1589DEFAULT_DOC: X-Forwarded-For header will be ignored.
3d674977 1590DOC_START
00d0ce87
AJ		 1591 Determine which client proxies can be trusted to provide correct
1592 information regarding real client IP address.
1593
3d674977 1594 Requests may pass through a chain of several other proxies
70a16fea
AJ		 1595 before reaching us. The original source details may by sent in:
1596 * HTTP message Forwarded header, or
1597 * HTTP message X-Forwarded-For header, or
1598 * PROXY protocol connection header.
3d674977 1599
d3d92daa
AJ		 1600 PROXY protocol connections are controlled by the proxy_protocol_access
1601 directive which is checked before this.
1602
3d674977 1603 If a request reaches us from a source that is allowed by this
70a16fea
AJ		 1604 directive, then we trust the information it provides regarding
1605 the IP of the client it received from (if any).
1606
1607 For the purpose of ACLs used in this directive the src ACL type always
1608 matches the address we are testing and srcdomain matches its rDNS.
1609
70a16fea
AJ		 1610 On each HTTP request Squid checks for X-Forwarded-For header fields.
1611 If found the header values are iterated in reverse order and an allow
1612 match is required for Squid to continue on to the next value.
1613 The verification ends when a value receives a deny match, cannot be
1614 tested, or there are no more values to test.
1615 NOTE: Squid does not yet follow the Forwarded HTTP header.
3d674977
AJ		 1616
1617 The end result of this process is an IP address that we will
1618 refer to as the indirect client address. This address may
57d76dd4 1619 be treated as the client address for access control, ICAP, delay
3d674977 1620 pools and logging, depending on the acl_uses_indirect_client,
96d64448
AJ		 1621 icap_uses_indirect_client, delay_pool_uses_indirect_client,
1622 log_uses_indirect_client and tproxy_uses_indirect_client options.
3d674977 1623
b3567eb5
FC		 1624 This clause only supports fast acl types.
1625 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1626
3d674977
AJ		 1627 SECURITY CONSIDERATIONS:
1628
c390580b 1629 Any host from which we accept client IP details can place
70a16fea 1630 incorrect information in the relevant header, and Squid
3d674977
AJ		 1631 will use the incorrect information as if it were the
1632 source address of the request. This may enable remote
1633 hosts to bypass any access control restrictions that are
1634 based on the client's source addresses.
1635
1636 For example:
1637
1638 acl localhost src 127.0.0.1
1639 acl my_other_proxy srcdomain .proxy.example.com
1640 follow_x_forwarded_for allow localhost
1641 follow_x_forwarded_for allow my_other_proxy
1642DOC_END
1643
1644NAME: acl_uses_indirect_client
1645COMMENT: on|off
1646TYPE: onoff
1647IFDEF: FOLLOW_X_FORWARDED_FOR
1648DEFAULT: on
1649LOC: Config.onoff.acl_uses_indirect_client
1650DOC_START
1651 Controls whether the indirect client address
1652 (see follow_x_forwarded_for) is used instead of the
1653 direct client address in acl matching.
55d0fae8
AJ		 1654
1655 NOTE: maxconn ACL considers direct TCP links and indirect
1656 clients will always have zero. So no match.
3d674977
AJ		 1657DOC_END
1658
1659NAME: delay_pool_uses_indirect_client
1660COMMENT: on|off
1661TYPE: onoff
9a0a18de 1662IFDEF: FOLLOW_X_FORWARDED_FOR&&USE_DELAY_POOLS
3d674977
AJ		 1663DEFAULT: on
1664LOC: Config.onoff.delay_pool_uses_indirect_client
1665DOC_START
1666 Controls whether the indirect client address
1667 (see follow_x_forwarded_for) is used instead of the
1668 direct client address in delay pools.
1669DOC_END
1670
1671NAME: log_uses_indirect_client
1672COMMENT: on|off
1673TYPE: onoff
1674IFDEF: FOLLOW_X_FORWARDED_FOR
1675DEFAULT: on
1676LOC: Config.onoff.log_uses_indirect_client
1677DOC_START
1678 Controls whether the indirect client address
1679 (see follow_x_forwarded_for) is used instead of the
1680 direct client address in the access log.
1681DOC_END
1682
96d64448
AJ		 1683NAME: tproxy_uses_indirect_client
1684COMMENT: on|off
1685TYPE: onoff
1686IFDEF: FOLLOW_X_FORWARDED_FOR&&LINUX_NETFILTER
4d7ab5a2 1687DEFAULT: off
96d64448
AJ		 1688LOC: Config.onoff.tproxy_uses_indirect_client
1689DOC_START
1690 Controls whether the indirect client address
1691 (see follow_x_forwarded_for) is used instead of the
1692 direct client address when spoofing the outgoing client.
4d7ab5a2
AJ		 1693
1694 This has no effect on requests arriving in non-tproxy
1695 mode ports.
1696
1697 SECURITY WARNING: Usage of this option is dangerous
1698 and should not be used trivially. Correct configuration
16ae256c 1699 of follow_x_forwarded_for with a limited set of trusted
4d7ab5a2 1700 sources is required to prevent abuse of your proxy.
96d64448
AJ		 1701DOC_END
1702
0d901ef4
SH		 1703NAME: spoof_client_ip
1704TYPE: acl_access
1705LOC: Config.accessList.spoof_client_ip
1706DEFAULT: none
1707DEFAULT_DOC: Allow spoofing on all TPROXY traffic.
1708DOC_START
1709 Control client IP address spoofing of TPROXY traffic based on
1710 defined access lists.
1711
1712 spoof_client_ip allow|deny [!]aclname ...
1713
1714 If there are no "spoof_client_ip" lines present, the default
1715 is to "allow" spoofing of any suitable request.
1716
1717 Note that the cache_peer "no-tproxy" option overrides this ACL.
1718
1719 This clause supports fast acl types.
1720 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1721DOC_END
1722
41bd17a4 1723NAME: http_access
1724TYPE: acl_access
1725LOC: Config.accessList.http
41bd17a4 1726DEFAULT_IF_NONE: deny all
638402dd 1727DEFAULT_DOC: Deny, unless rules exist in squid.conf.
41bd17a4 1728DOC_START
1729 Allowing or Denying access based on defined access lists
cccac0a2 1730
8a2f40dd 1731 To allow or deny a message received on an HTTP, HTTPS, or FTP port:
41bd17a4 1732 http_access allow|deny [!]aclname ...
cccac0a2 1733
41bd17a4 1734 NOTE on default values:
cccac0a2 1735
41bd17a4 1736 If there are no "access" lines present, the default is to deny
1737 the request.
cccac0a2 1738
41bd17a4 1739 If none of the "access" lines cause a match, the default is the
1740 opposite of the last line in the list. If the last line was
1741 deny, the default is allow. Conversely, if the last line
1742 is allow, the default will be deny. For these reasons, it is a
51ae86b2
HN		 1743 good idea to have an "deny all" entry at the end of your access
1744 lists to avoid potential confusion.
cccac0a2 1745
b3567eb5
FC		 1746 This clause supports both fast and slow acl types.
1747 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1748
41bd17a4 1749NOCOMMENT_START
e0855596
AJ		 1750
1751#
1752# Recommended minimum Access Permission configuration:
41bd17a4 1753#
e0855596 1754# Deny requests to certain unsafe ports
41bd17a4 1755http_access deny !Safe_ports
e0855596
AJ		 1756
1757# Deny CONNECT to other than secure SSL ports
41bd17a4 1758http_access deny CONNECT !SSL_ports
e0855596 1759
baa3ea7e
AJ		 1760# Only allow cachemgr access from localhost
1761http_access allow localhost manager
1762http_access deny manager
1763
41bd17a4 1764# We strongly recommend the following be uncommented to protect innocent
1765# web applications running on the proxy server who think the only
1766# one who can access services on "localhost" is a local user
1767#http_access deny to_localhost
e0855596 1768
41bd17a4 1769#
1770# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
e0855596 1771#
c8f4eac4 1772
ee776778 1773# Example rule allowing access from your local networks.
1774# Adapt localnet in the ACL section to list your (internal) IP networks
1775# from where browsing should be allowed
1776http_access allow localnet
afb33856 1777http_access allow localhost
7d90757b 1778
41bd17a4 1779# And finally deny all other access to this proxy
1780http_access deny all
1781NOCOMMENT_END
1782DOC_END
7d90757b 1783
533493da
AJ		 1784NAME: adapted_http_access http_access2
1785TYPE: acl_access
1786LOC: Config.accessList.adapted_http
1787DEFAULT: none
638402dd 1788DEFAULT_DOC: Allow, unless rules exist in squid.conf.
533493da
AJ		 1789DOC_START
1790 Allowing or Denying access based on defined access lists
1791
1792 Essentially identical to http_access, but runs after redirectors
1793 and ICAP/eCAP adaptation. Allowing access control based on their
1794 output.
1795
1796 If not set then only http_access is used.
1797DOC_END
1798
41bd17a4 1799NAME: http_reply_access
1800TYPE: acl_access
1801LOC: Config.accessList.reply
1802DEFAULT: none
638402dd 1803DEFAULT_DOC: Allow, unless rules exist in squid.conf.
41bd17a4 1804DOC_START
1805 Allow replies to client requests. This is complementary to http_access.
cccac0a2 1806
41bd17a4 1807 http_reply_access allow|deny [!] aclname ...
cccac0a2 1808
41bd17a4 1809 NOTE: if there are no access lines present, the default is to allow
638402dd 1810 all replies.
1a224843 1811
41bd17a4 1812 If none of the access lines cause a match the opposite of the
1813 last line will apply. Thus it is good practice to end the rules
1814 with an "allow all" or "deny all" entry.
b3567eb5
FC		 1815
1816 This clause supports both fast and slow acl types.
1817 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
cccac0a2 1818DOC_END
1819
41bd17a4 1820NAME: icp_access
1821TYPE: acl_access
1822LOC: Config.accessList.icp
638402dd
AJ		 1823DEFAULT: none
1824DEFAULT_DOC: Deny, unless rules exist in squid.conf.
5473c134 1825DOC_START
41bd17a4 1826 Allowing or Denying access to the ICP port based on defined
1827 access lists
5473c134 1828
41bd17a4 1829 icp_access allow|deny [!]aclname ...
5473c134 1830
638402dd
AJ		 1831 NOTE: The default if no icp_access lines are present is to
1832 deny all traffic. This default may cause problems with peers
1833 using ICP.
41bd17a4 1834
b3567eb5
FC		 1835 This clause only supports fast acl types.
1836 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
e0855596
AJ		 1837
1838# Allow ICP queries from local networks only
df2eec10
AJ		 1839#icp_access allow localnet
1840#icp_access deny all
5473c134 1841DOC_END
1842
41bd17a4 1843NAME: htcp_access
1844IFDEF: USE_HTCP
1845TYPE: acl_access
1846LOC: Config.accessList.htcp
638402dd
AJ		 1847DEFAULT: none
1848DEFAULT_DOC: Deny, unless rules exist in squid.conf.
5473c134 1849DOC_START
41bd17a4 1850 Allowing or Denying access to the HTCP port based on defined
1851 access lists
5473c134 1852
41bd17a4 1853 htcp_access allow|deny [!]aclname ...
5473c134 1854
638402dd
AJ		 1855 See also htcp_clr_access for details on access control for
1856 cache purge (CLR) HTCP messages.
5473c134 1857
0b48417e 1858 NOTE: The default if no htcp_access lines are present is to
1859 deny all traffic. This default may cause problems with peers
18191440 1860 using the htcp option.
0b48417e 1861
b3567eb5
FC		 1862 This clause only supports fast acl types.
1863 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
e0855596
AJ		 1864
1865# Allow HTCP queries from local networks only
df2eec10
AJ		 1866#htcp_access allow localnet
1867#htcp_access deny all
41bd17a4 1868DOC_END
5473c134 1869
41bd17a4 1870NAME: htcp_clr_access
1871IFDEF: USE_HTCP
1872TYPE: acl_access
1873LOC: Config.accessList.htcp_clr
638402dd
AJ		 1874DEFAULT: none
1875DEFAULT_DOC: Deny, unless rules exist in squid.conf.
41bd17a4 1876DOC_START
1877 Allowing or Denying access to purge content using HTCP based
638402dd
AJ		 1878 on defined access lists.
1879 See htcp_access for details on general HTCP access control.
5473c134 1880
41bd17a4 1881 htcp_clr_access allow|deny [!]aclname ...
5473c134 1882
b3567eb5
FC		 1883 This clause only supports fast acl types.
1884 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
e0855596
AJ		 1885
1886# Allow HTCP CLR requests from trusted peers
638402dd 1887acl htcp_clr_peer src 192.0.2.2 2001:DB8::2
41bd17a4 1888htcp_clr_access allow htcp_clr_peer
638402dd 1889htcp_clr_access deny all
5473c134 1890DOC_END
1891
41bd17a4 1892NAME: miss_access
1893TYPE: acl_access
1894LOC: Config.accessList.miss
b8a25eaa 1895DEFAULT: none
638402dd 1896DEFAULT_DOC: Allow, unless rules exist in squid.conf.
5473c134 1897DOC_START
18d1eddf 1898 Determines whether network access is permitted when satisfying a request.
0b4fb91a
AJ		 1899
1900 For example;
1901 to force your neighbors to use you as a sibling instead of
1902 a parent.
5473c134 1903
638402dd 1904 acl localclients src 192.0.2.0/24 2001:DB8::a:0/64
41bd17a4 1905 miss_access deny !localclients
638402dd 1906 miss_access allow all
5473c134 1907
0b4fb91a
AJ		 1908 This means only your local clients are allowed to fetch relayed/MISS
1909 replies from the network and all other clients can only fetch cached
1910 objects (HITs).
1911
0b4fb91a
AJ		 1912 The default for this setting allows all clients who passed the
1913 http_access rules to relay via this proxy.
b3567eb5
FC		 1914
1915 This clause only supports fast acl types.
1916 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
41bd17a4 1917DOC_END
1918
1919NAME: ident_lookup_access
1920TYPE: acl_access
1921IFDEF: USE_IDENT
638402dd
AJ		 1922DEFAULT: none
1923DEFAULT_DOC: Unless rules exist in squid.conf, IDENT is not fetched.
4daaf3cb 1924LOC: Ident::TheConfig.identLookup
5473c134 1925DOC_START
41bd17a4 1926 A list of ACL elements which, if matched, cause an ident
1927 (RFC 931) lookup to be performed for this request. For
1928 example, you might choose to always perform ident lookups
1929 for your main multi-user Unix boxes, but not for your Macs
1930 and PCs. By default, ident lookups are not performed for
1931 any requests.
5473c134 1932
41bd17a4 1933 To enable ident lookups for specific client addresses, you
1934 can follow this example:
5473c134 1935
4daaf3cb 1936 acl ident_aware_hosts src 198.168.1.0/24
41bd17a4 1937 ident_lookup_access allow ident_aware_hosts
1938 ident_lookup_access deny all
5473c134 1939
4daaf3cb 1940 Only src type ACL checks are fully supported. A srcdomain
41bd17a4 1941 ACL might work at times, but it will not always provide
1942 the correct result.
b3567eb5
FC		 1943
1944 This clause only supports fast acl types.
1945 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
41bd17a4 1946DOC_END
5473c134 1947
5b0f5383 1948NAME: reply_body_max_size
1949COMMENT: size [acl acl...]
1950TYPE: acl_b_size_t
1951DEFAULT: none
638402dd 1952DEFAULT_DOC: No limit is applied.
5b0f5383 1953LOC: Config.ReplyBodySize
1954DOC_START
1955 This option specifies the maximum size of a reply body. It can be
1956 used to prevent users from downloading very large files, such as
1957 MP3's and movies. When the reply headers are received, the
1958 reply_body_max_size lines are processed, and the first line where
1959 all (if any) listed ACLs are true is used as the maximum body size
1960 for this reply.
1961
1962 This size is checked twice. First when we get the reply headers,
1963 we check the content-length value. If the content length value exists
1964 and is larger than the allowed size, the request is denied and the
1965 user receives an error message that says "the request or reply
1966 is too large." If there is no content-length, and the reply
1967 size exceeds this limit, the client's connection is just closed
1968 and they will receive a partial reply.
1969
1970 WARNING: downstream caches probably can not detect a partial reply
1971 if there is no content-length header, so they will cache
1972 partial responses and give them out as hits. You should NOT
1973 use this option if you have downstream caches.
1974
1975 WARNING: A maximum size smaller than the size of squid's error messages
1976 will cause an infinite loop and crash squid. Ensure that the smallest
1977 non-zero value you use is greater that the maximum header size plus
1978 the size of your largest error page.
1979
1980 If you set this parameter none (the default), there will be
1981 no limit imposed.
3bc32f2f
AJ		 1982
1983 Configuration Format is:
1984 reply_body_max_size SIZE UNITS [acl ...]
1985 ie.
1986 reply_body_max_size 10 MB
1987
5b0f5383 1988DOC_END
1989
3248e962
CT		 1990NAME: on_unsupported_protocol
1991TYPE: on_unsupported_protocol
1992LOC: Config.accessList.on_unsupported_protocol
1993DEFAULT: none
1994DEFAULT_DOC: Respond with an error message to unidentifiable traffic
1995DOC_START
1996 Determines Squid behavior when encountering strange requests at the
56d089f3
CT		 1997 beginning of an accepted TCP connection or the beginning of a bumped
1998 CONNECT tunnel. Controlling Squid reaction to unexpected traffic is
1999 especially useful in interception environments where Squid is likely
2000 to see connections for unsupported protocols that Squid should either
2001 terminate or tunnel at TCP level.
3248e962
CT		 2002
2003 on_unsupported_protocol <action> [!]acl ...
2004
56d089f3 2005 The first matching action wins. Only fast ACLs are supported.
3248e962
CT		 2006
2007 Supported actions are:
2008
2009 tunnel: Establish a TCP connection with the intended server and
2010 blindly shovel TCP packets between the client and server.
2011
2012 respond: Respond with an error message, using the transfer protocol
2013 for the Squid port that received the request (e.g., HTTP
2014 for connections intercepted at the http_port). This is the
2015 default.
56d089f3
CT		 2016
2017 Squid expects the following traffic patterns:
2018
2019 http_port: a plain HTTP request
2020 https_port: SSL/TLS handshake followed by an [encrypted] HTTP request
2021 ftp_port: a plain FTP command (no on_unsupported_protocol support yet!)
2022 CONNECT tunnel on http_port: same as https_port
2023 CONNECT tunnel on https_port: same as https_port
2024
9155253a 2025 Currently, this directive has effect on intercepted connections and
56d089f3
CT		 2026 bumped tunnels only. Other cases are not supported because Squid
2027 cannot know the intended destination of other traffic.
3248e962
CT		 2028
2029 For example:
2030 # define what Squid errors indicate receiving non-HTTP traffic:
2031 acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
2032 # define what Squid errors indicate receiving nothing:
2033 acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
2034 # tunnel everything that does not look like HTTP:
2035 on_unsupported_protocol tunnel foreignProtocol
2036 # tunnel if we think the client waits for the server to talk first:
2037 on_unsupported_protocol tunnel serverTalksFirstProtocol
2038 # in all other error cases, just send an HTTP "error page" response:
2039 on_unsupported_protocol respond all
2040
2041 See also: squid_error ACL
2042DOC_END
2043
d6e94bda
AJ		 2044NAME: auth_schemes
2045TYPE: AuthSchemes
2046IFDEF: USE_AUTH
2047LOC: Auth::TheConfig.schemeAccess
2048DEFAULT: none
2049DEFAULT_DOC: use all auth_param schemes in their configuration order
2050DOC_START
2051 Use this directive to customize authentication schemes presence and
2052 order in Squid's Unauthorized and Authentication Required responses.
2053
2054 auth_schemes scheme1,scheme2,... [!]aclname ...
2055
2056 where schemeN is the name of one of the authentication schemes
2057 configured using auth_param directives. At least one scheme name is
2058 required. Multiple scheme names are separated by commas. Either
2059 avoid whitespace or quote the entire schemes list.
2060
2061 A special "ALL" scheme name expands to all auth_param-configured
2062 schemes in their configuration order. This directive cannot be used
2063 to configure Squid to offer no authentication schemes at all.
2064
2065 The first matching auth_schemes rule determines the schemes order
2066 for the current Authentication Required transaction. Note that the
2067 future response is not yet available during auth_schemes evaluation.
2068
2069 If this directive is not used or none of its rules match, then Squid
2070 responds with all configured authentication schemes in the order of
2071 auth_param directives in the configuration file.
2072
2073 This directive does not determine when authentication is used or
2074 how each authentication scheme authenticates clients.
2075
2076 The following example sends basic and negotiate authentication
2077 schemes, in that order, when requesting authentication of HTTP
2078 requests matching the isIE ACL (not shown) while sending all
2079 auth_param schemes in their configuration order to other clients:
2080
2081 auth_schemes basic,negotiate isIE
2082 auth_schemes ALL all # explicit default
2083
2084 This directive supports fast ACLs only.
2085
2086 See also: auth_param.
2087DOC_END
2088
5b0f5383 2089COMMENT_START
2090 NETWORK OPTIONS
2091 -----------------------------------------------------------------------------
2092COMMENT_END
2093
2094NAME: http_port ascii_port
65d448bc 2095TYPE: PortCfg
5b0f5383 2096DEFAULT: none
fa720bfb 2097LOC: HttpPortList
5b0f5383 2098DOC_START
c7b1dd5d
AJ		 2099 Usage: port [mode] [options]
2100 hostname:port [mode] [options]
2101 1.2.3.4:port [mode] [options]
5b0f5383 2102
2103 The socket addresses where Squid will listen for HTTP client
2104 requests. You may specify multiple socket addresses.
2105 There are three forms: port alone, hostname with port, and
2106 IP address with port. If you specify a hostname or IP
2107 address, Squid binds the socket to that specific
c7b1dd5d 2108 address. Most likely, you do not need to bind to a specific
5b0f5383 2109 address, so you can use the port number alone.
2110
2111 If you are running Squid in accelerator mode, you
2112 probably want to listen on port 80 also, or instead.
2113
2114 The -a command line option may be used to specify additional
2115 port(s) where Squid listens for proxy request. Such ports will
2116 be plain proxy ports with no options.
2117
2118 You may specify multiple socket addresses on multiple lines.
2119
c7b1dd5d 2120 Modes:
5b0f5383 2121
16ae256c
AJ		 2122 intercept Support for IP-Layer NAT interception delivering
2123 traffic to this Squid port.
2124 NP: disables authentication on the port.
5b0f5383 2125
16ae256c
AJ		 2126 tproxy Support Linux TPROXY (or BSD divert-to) with spoofing
2127 of outgoing connections using the client IP address.
2128 NP: disables authentication on the port.
5b0f5383 2129
7f45065d 2130 accel Accelerator / reverse proxy mode
5b0f5383 2131
caf3666d 2132 ssl-bump For each CONNECT request allowed by ssl_bump ACLs,
c7b1dd5d 2133 establish secure connection with the client and with
caf3666d 2134 the server, decrypt HTTPS messages as they pass through
c7b1dd5d
AJ		 2135 Squid, and treat them as unencrypted HTTP messages,
2136 becoming the man-in-the-middle.
2137
7a957a93 2138 The ssl_bump option is required to fully enable
caf3666d 2139 bumping of CONNECT requests.
c7b1dd5d
AJ		 2140
2141 Omitting the mode flag causes default forward proxy mode to be used.
2142
2143
2144 Accelerator Mode Options:
2145
5b0f5383 2146 defaultsite=domainname
2147 What to use for the Host: header if it is not present
2148 in a request. Determines what site (not origin server)
2149 accelerators should consider the default.
5b0f5383 2150
cf673853 2151 no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
5b0f5383 2152
a9f60805
AJ		 2153 protocol= Protocol to reconstruct accelerated and intercepted
2154 requests with. Defaults to HTTP/1.1 for http_port and
2155 HTTPS/1.1 for https_port.
2156 When an unsupported value is configured Squid will
2157 produce a FATAL error.
2158 Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1
5b0f5383 2159
cf673853
AJ		 2160 vport Virtual host port support. Using the http_port number
2161 instead of the port passed on Host: headers.
5b0f5383 2162
cf673853
AJ		 2163 vport=NN Virtual host port support. Using the specified port
2164 number instead of the port passed on Host: headers.
5b0f5383 2165
7f45065d
HN		 2166 act-as-origin
2167 Act as if this Squid is the origin server.
2168 This currently means generate new Date: and Expires:
2169 headers on HIT instead of adding Age:.
5b0f5383 2170
432bc83c
HN		 2171 ignore-cc Ignore request Cache-Control headers.
2172
7f45065d 2173 WARNING: This option violates HTTP specifications if
432bc83c
HN		 2174 used in non-accelerator setups.
2175
7f45065d
HN		 2176 allow-direct Allow direct forwarding in accelerator mode. Normally
2177 accelerated requests are denied direct forwarding as if
2178 never_direct was used.
2179
2180 WARNING: this option opens accelerator mode to security
2181 vulnerabilities usually only affecting in interception
2182 mode. Make sure to protect forwarding with suitable
2183 http_access rules when using this.
2184
c7b1dd5d
AJ		 2185
2186 SSL Bump Mode Options:
859741ed
AJ		 2187 In addition to these options ssl-bump requires TLS/SSL options.
2188
2189 generate-host-certificates[=<on|off>]
2190 Dynamically create SSL server certificates for the
2191 destination hosts of bumped CONNECT requests.When
2192 enabled, the cert and key options are used to sign
2193 generated certificates. Otherwise generated
2194 certificate will be selfsigned.
2195 If there is a CA certificate lifetime of the generated
2196 certificate equals lifetime of the CA certificate. If
2197 generated certificate is selfsigned lifetime is three
2198 years.
2199 This option is enabled by default when ssl-bump is used.
2200 See the ssl-bump option above for more information.
2201
2202 dynamic_cert_mem_cache_size=SIZE
2203 Approximate total RAM size spent on cached generated
2204 certificates. If set to zero, caching is disabled. The
23bb0ebf 2205 default value is 4MB.
859741ed
AJ		 2206
2207 TLS / SSL Options:
c7b1dd5d
AJ		 2208
2209 cert= Path to SSL certificate (PEM format).
2210
2211 key= Path to SSL private key file (PEM format)
2212 if not specified, the certificate file is
2213 assumed to be a combined certificate and
2214 key file.
2215
c7b1dd5d 2216 cipher= Colon separated list of supported ciphers.
bebdc6fb
AJ		 2217 NOTE: some ciphers such as EDH ciphers depend on
2218 additional settings. If those settings are
2219 omitted the ciphers may be silently ignored
2220 by the OpenSSL library.
c7b1dd5d 2221
943c5f16 2222 options= Various SSL implementation options. The most important
c7b1dd5d 2223 being:
7905e7be 2224
3d96b0e8 2225 NO_SSLv3 Disallow the use of SSLv3
1f1f29e8 2226
3d96b0e8 2227 NO_TLSv1 Disallow the use of TLSv1.0
1f1f29e8 2228
3d96b0e8 2229 NO_TLSv1_1 Disallow the use of TLSv1.1
1f1f29e8 2230
3d96b0e8 2231 NO_TLSv1_2 Disallow the use of TLSv1.2
1f1f29e8 2232
7905e7be
AJ		 2233 SINGLE_DH_USE
2234 Always create a new key when using
c7b1dd5d 2235 temporary/ephemeral DH key exchanges
1f1f29e8 2236
54fbe371
PM		 2237 SINGLE_ECDH_USE
2238 Enable ephemeral ECDH key exchange.
2239 The adopted curve should be specified
2240 using the tls-dh option.
2241
36092741 2242 NO_TICKET
1f1f29e8
AJ		 2243 Disable use of RFC5077 session tickets.
2244 Some servers may have problems
2245 understanding the TLS extension due
2246 to ambiguous specification in RFC4507.
2247
943c5f16
HN		 2248 ALL Enable various bug workarounds
2249 suggested as "harmless" by OpenSSL
2250 Be warned that this reduces SSL/TLS
2251 strength to some attacks.
7905e7be
AJ		 2252
2253 See the OpenSSL SSL_CTX_set_options documentation for a
2254 more complete list.
c7b1dd5d
AJ		 2255
2256 clientca= File containing the list of CAs to use when
2257 requesting a client certificate.
2258
86a84cc0
AJ		 2259 tls-cafile= PEM file containing CA certificates to use when verifying
2260 client certificates. If not configured clientca will be
2261 used. May be repeated to load multiple files.
c7b1dd5d
AJ		 2262
2263 capath= Directory containing additional CA certificates
2264 and CRL lists to use when verifying client certificates.
86a84cc0 2265 Requires OpenSSL or LibreSSL.
c7b1dd5d
AJ		 2266
2267 crlfile= File of additional CRL lists to use when verifying
2268 the client certificate, in addition to CRLs stored in
2269 the capath. Implies VERIFY_CRL flag below.
2270
54fbe371
PM		 2271 tls-dh=[curve:]file
2272 File containing DH parameters for temporary/ephemeral DH key
2273 exchanges, optionally prefixed by a curve for ephemeral ECDH
2274 key exchanges.
2275 See OpenSSL documentation for details on how to create the
2276 DH parameter file. Supported curves for ECDH can be listed
2277 using the "openssl ecparam -list_curves" command.
2278 WARNING: EDH and EECDH ciphers will be silently disabled if
2279 this option is not set.
c7b1dd5d
AJ		 2280
2281 sslflags= Various flags modifying the use of SSL:
2282 DELAYED_AUTH
2283 Don't request client certificates
2284 immediately, but wait until acl processing
2285 requires a certificate (not yet implemented).
c7b1dd5d
AJ		 2286 NO_SESSION_REUSE
2287 Don't allow for session reuse. Each connection
2288 will result in a new SSL session.
2289 VERIFY_CRL
2290 Verify CRL lists when accepting client
2291 certificates.
2292 VERIFY_CRL_ALL
2293 Verify CRL lists for all certificates in the
2294 client certificate chain.
2295
435c72b0
AJ		 2296 tls-default-ca[=off]
2297 Whether to use the system Trusted CAs. Default is OFF.
8b253b83 2298
b05d749d
AJ		 2299 tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
2300
c7b1dd5d
AJ		 2301 sslcontext= SSL session ID context identifier.
2302
c7b1dd5d
AJ		 2303 Other Options:
2304
6b185b50
AJ		 2305 connection-auth[=on|off]
2306 use connection-auth=off to tell Squid to prevent
2307 forwarding Microsoft connection oriented authentication
d67acb4e
AJ		 2308 (NTLM, Negotiate and Kerberos)
2309
5b0f5383 2310 disable-pmtu-discovery=
2311 Control Path-MTU discovery usage:
2312 off lets OS decide on what to do (default).
2313 transparent disable PMTU discovery when transparent
2314 support is enabled.
2315 always disable always PMTU discovery.
2316
2317 In many setups of transparently intercepting proxies
2318 Path-MTU discovery can not work on traffic towards the
2319 clients. This is the case when the intercepting device
2320 does not fully track connections and fails to forward
2321 ICMP must fragment messages to the cache server. If you
2322 have such setup and experience that certain clients
2323 sporadically hang or never complete requests set
2324 disable-pmtu-discovery option to 'transparent'.
2325
81b6e9a7 2326 name= Specifies a internal name for the port. Defaults to
2327 the port specification (port or addr:port)
2328
68924b6d 2329 tcpkeepalive[=idle,interval,timeout]
fb6c6dbe
AJ		 2330 Enable TCP keepalive probes of idle connections.
2331 In seconds; idle is the initial time before TCP starts
2332 probing the connection, interval how often to probe, and
b2130d58 2333 timeout the time before giving up.
2334
d3d92daa 2335 require-proxy-header
151ba0d4 2336 Require PROXY protocol version 1 or 2 connections.
d3d92daa 2337 The proxy_protocol_access is required to whitelist
151ba0d4
AJ		 2338 downstream proxies which can be trusted.
2339
5b0f5383 2340 If you run Squid on a dual-homed machine with an internal
2341 and an external interface we recommend you to specify the
2342 internal address:port in http_port. This way Squid will only be
2343 visible on the internal address.
2344
2345NOCOMMENT_START
e0855596 2346
5b0f5383 2347# Squid normally listens to port 3128
2348http_port @DEFAULT_HTTP_PORT@
2349NOCOMMENT_END
2350DOC_END
2351
2352NAME: https_port
339e4d7a 2353IFDEF: USE_GNUTLS||USE_OPENSSL
65d448bc 2354TYPE: PortCfg
5b0f5383 2355DEFAULT: none
339e4d7a 2356LOC: HttpPortList
5b0f5383 2357DOC_START
9155253a 2358 Usage: [ip:]port [mode] cert=certificate.pem [options]
5b0f5383 2359
859741ed
AJ		 2360 The socket address where Squid will listen for client requests made
2361 over TLS or SSL connections. Commonly referred to as HTTPS.
5b0f5383 2362
859741ed 2363 This is most useful for situations where you are running squid in
9155253a 2364 accelerator mode and you want to do the TLS work at the accelerator level.
5b0f5383 2365
2366 You may specify multiple socket addresses on multiple lines,
9155253a 2367 each with their own certificate and/or options.
5b0f5383 2368
9155253a 2369 The TLS cert= option is mandatory on HTTPS ports.
379e8c1c 2370
9155253a 2371 See http_port for a list of modes and options.
5b0f5383 2372DOC_END
2373
434a79b0
DK		 2374NAME: ftp_port
2375TYPE: PortCfg
2376DEFAULT: none
8ea0d847 2377LOC: FtpPortList
434a79b0 2378DOC_START
8a2f40dd
AR		 2379 Enables Native FTP proxy by specifying the socket address where Squid
2380 listens for FTP client requests. See http_port directive for various
2381 ways to specify the listening address and mode.
2382
2383 Usage: ftp_port address [mode] [options]
2384
2385 WARNING: This is a new, experimental, complex feature that has seen
2386 limited production exposure. Some Squid modules (e.g., caching) do not
2387 currently work with native FTP proxying, and many features have not
2388 even been tested for compatibility. Test well before deploying!
2389
2390 Native FTP proxying differs substantially from proxying HTTP requests
2391 with ftp:// URIs because Squid works as an FTP server and receives
2392 actual FTP commands (rather than HTTP requests with FTP URLs).
2393
2394 Native FTP commands accepted at ftp_port are internally converted or
2395 wrapped into HTTP-like messages. The same happens to Native FTP
2396 responses received from FTP origin servers. Those HTTP-like messages
2397 are shoveled through regular access control and adaptation layers
2398 between the FTP client and the FTP origin server. This allows Squid to
2399 examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP
2400 mechanisms when shoveling wrapped FTP messages. For example,
2401 http_access and adaptation_access directives are used.
2402
2403 Modes:
2404
3cc0f4e7 2405 intercept Same as http_port intercept. The FTP origin address is
8a2f40dd
AR		 2406 determined based on the intended destination of the
2407 intercepted connection.
2408
3cc0f4e7
AR		 2409 tproxy Support Linux TPROXY for spoofing outgoing
2410 connections using the client IP address.
2411 NP: disables authentication and maybe IPv6 on the port.
2412
8a2f40dd
AR		 2413 By default (i.e., without an explicit mode option), Squid extracts the
2414 FTP origin address from the login@origin parameter of the FTP USER
2415 command. Many popular FTP clients support such native FTP proxying.
2416
2417 Options:
2418
3cc0f4e7
AR		 2419 name=token Specifies an internal name for the port. Defaults to
2420 the port address. Usable with myportname ACL.
2421
aea65fec 2422 ftp-track-dirs
8a2f40dd
AR		 2423 Enables tracking of FTP directories by injecting extra
2424 PWD commands and adjusting Request-URI (in wrapping
2425 HTTP requests) to reflect the current FTP server
aea65fec 2426 directory. Tracking is disabled by default.
8a2f40dd 2427
3cc0f4e7
AR		 2428 protocol=FTP Protocol to reconstruct accelerated and intercepted
2429 requests with. Defaults to FTP. No other accepted
2430 values have been tested with. An unsupported value
2431 results in a FATAL error. Accepted values are FTP,
2432 HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1).
2433
8a2f40dd
AR		 2434 Other http_port modes and options that are not specific to HTTP and
2435 HTTPS may also work.
2436DOC_END
434a79b0 2437
41bd17a4 2438NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
2439TYPE: acl_tos
5473c134 2440DEFAULT: none
425de4c8 2441LOC: Ip::Qos::TheConfig.tosToServer
5473c134 2442DOC_START
425de4c8
AJ		 2443 Allows you to select a TOS/Diffserv value for packets outgoing
2444 on the server side, based on an ACL.
5473c134 2445
41bd17a4 2446 tcp_outgoing_tos ds-field [!]aclname ...
cccac0a2 2447
41bd17a4 2448 Example where normal_service_net uses the TOS value 0x00
7def7206 2449 and good_service_net uses 0x20
cccac0a2 2450
864a62b5
AJ		 2451 acl normal_service_net src 10.0.0.0/24
2452 acl good_service_net src 10.0.1.0/24
2c73de90 2453 tcp_outgoing_tos 0x00 normal_service_net
41bd17a4 2454 tcp_outgoing_tos 0x20 good_service_net
fa38076e 2455
41bd17a4 2456 TOS/DSCP values really only have local significance - so you should
575cb927
AJ		 2457 know what you're specifying. For more information, see RFC2474,
2458 RFC2475, and RFC3260.
cccac0a2 2459
41bd17a4 2460 The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
5f53baab
SM		 2461 "default" to use whatever default your host has.
2462 Note that only multiples of 4 are usable as the two rightmost bits have
2463 been redefined for use by ECN (RFC 3168 section 23.1).
2464 The squid parser will enforce this by masking away the ECN bits.
cccac0a2 2465
41bd17a4 2466 Processing proceeds in the order specified, and stops at first fully
2467 matching line.
c6f168c1
CT		 2468
2469 Only fast ACLs are supported.
cccac0a2 2470DOC_END
2471
41bd17a4 2472NAME: clientside_tos
2473TYPE: acl_tos
cccac0a2 2474DEFAULT: none
425de4c8
AJ		 2475LOC: Ip::Qos::TheConfig.tosToClient
2476DOC_START
5f53baab 2477 Allows you to select a TOS/DSCP value for packets being transmitted
425de4c8
AJ		 2478 on the client-side, based on an ACL.
2479
2480 clientside_tos ds-field [!]aclname ...
2481
2482 Example where normal_service_net uses the TOS value 0x00
2483 and good_service_net uses 0x20
2484
2485 acl normal_service_net src 10.0.0.0/24
2486 acl good_service_net src 10.0.1.0/24
2487 clientside_tos 0x00 normal_service_net
2488 clientside_tos 0x20 good_service_net
2489
2490 Note: This feature is incompatible with qos_flows. Any TOS values set here
2491 will be overwritten by TOS values in qos_flows.
5f53baab
SM		 2492
2493 The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
2494 "default" to use whatever default your host has.
2495 Note that only multiples of 4 are usable as the two rightmost bits have
2496 been redefined for use by ECN (RFC 3168 section 23.1).
2497 The squid parser will enforce this by masking away the ECN bits.
2498
83a846a3
AR		 2499 This clause only supports fast acl types.
2500 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
425de4c8
AJ		 2501DOC_END
2502
2503NAME: tcp_outgoing_mark
2504TYPE: acl_nfmark
11e8cfe3 2505IFDEF: SO_MARK&&USE_LIBCAP
425de4c8
AJ		 2506DEFAULT: none
2507LOC: Ip::Qos::TheConfig.nfmarkToServer
2508DOC_START
2509 Allows you to apply a Netfilter mark value to outgoing packets
2510 on the server side, based on an ACL.
2511
2512 tcp_outgoing_mark mark-value [!]aclname ...
2513
2514 Example where normal_service_net uses the mark value 0x00
2515 and good_service_net uses 0x20
2516
2517 acl normal_service_net src 10.0.0.0/24
2518 acl good_service_net src 10.0.1.0/24
2519 tcp_outgoing_mark 0x00 normal_service_net
2520 tcp_outgoing_mark 0x20 good_service_net
c6f168c1
CT		 2521
2522 Only fast ACLs are supported.
425de4c8
AJ		 2523DOC_END
2524
2525NAME: clientside_mark
2526TYPE: acl_nfmark
11e8cfe3 2527IFDEF: SO_MARK&&USE_LIBCAP
425de4c8
AJ		 2528DEFAULT: none
2529LOC: Ip::Qos::TheConfig.nfmarkToClient
cccac0a2 2530DOC_START
425de4c8
AJ		 2531 Allows you to apply a Netfilter mark value to packets being transmitted
2532 on the client-side, based on an ACL.
2533
2534 clientside_mark mark-value [!]aclname ...
2535
2536 Example where normal_service_net uses the mark value 0x00
2537 and good_service_net uses 0x20
2538
2539 acl normal_service_net src 10.0.0.0/24
2540 acl good_service_net src 10.0.1.0/24
2541 clientside_mark 0x00 normal_service_net
2542 clientside_mark 0x20 good_service_net
2543
2544 Note: This feature is incompatible with qos_flows. Any mark values set here
2545 will be overwritten by mark values in qos_flows.
83a846a3
AR		 2546
2547 This clause only supports fast acl types.
2548 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
41bd17a4 2549DOC_END
cccac0a2 2550
575cb927
AJ		 2551NAME: qos_flows
2552TYPE: QosConfig
425de4c8 2553IFDEF: USE_QOS_TOS
575cb927 2554DEFAULT: none
b7ac5457 2555LOC: Ip::Qos::TheConfig
7172612f 2556DOC_START
575cb927 2557 Allows you to select a TOS/DSCP value to mark outgoing
196a7776
AB		 2558 connections to the client, based on where the reply was sourced.
2559 For platforms using netfilter, allows you to set a netfilter mark
425de4c8 2560 value instead of, or in addition to, a TOS value.
7172612f 2561
196a7776
AB		 2562 By default this functionality is disabled. To enable it with the default
2563 settings simply use "qos_flows mark" or "qos_flows tos". Default
2564 settings will result in the netfilter mark or TOS value being copied
2565 from the upstream connection to the client. Note that it is the connection
2566 CONNMARK value not the packet MARK value that is copied.
2567
2568 It is not currently possible to copy the mark or TOS value from the
2569 client to the upstream connection request.
2570
575cb927
AJ		 2571 TOS values really only have local significance - so you should
2572 know what you're specifying. For more information, see RFC2474,
2573 RFC2475, and RFC3260.
7172612f 2574
5f53baab
SM		 2575 The TOS/DSCP byte must be exactly that - a octet value 0 - 255.
2576 Note that only multiples of 4 are usable as the two rightmost bits have
2577 been redefined for use by ECN (RFC 3168 section 23.1).
2578 The squid parser will enforce this by masking away the ECN bits.
425de4c8
AJ		 2579
2580 Mark values can be any unsigned 32-bit integer value.
7172612f 2581
425de4c8
AJ		 2582 This setting is configured by setting the following values:
2583
2584 tos|mark Whether to set TOS or netfilter mark values
575cb927
AJ		 2585
2586 local-hit=0xFF Value to mark local cache hits.
2587
2588 sibling-hit=0xFF Value to mark hits from sibling peers.
2589
2590 parent-hit=0xFF Value to mark hits from parent peers.
2591
a29d2a95
AB		 2592 miss=0xFF[/mask] Value to mark cache misses. Takes precedence
2593 over the preserve-miss feature (see below), unless
2594 mask is specified, in which case only the bits
2595 specified in the mask are written.
575cb927 2596
425de4c8
AJ		 2597 The TOS variant of the following features are only possible on Linux
2598 and require your kernel to be patched with the TOS preserving ZPH
2599 patch, available from http://zph.bratcheda.org
2600 No patch is needed to preserve the netfilter mark, which will work
2601 with all variants of netfilter.
575cb927 2602
575cb927 2603 disable-preserve-miss
425de4c8
AJ		 2604 This option disables the preservation of the TOS or netfilter
2605 mark. By default, the existing TOS or netfilter mark value of
2606 the response coming from the remote server will be retained
2607 and masked with miss-mark.
2608 NOTE: in the case of a netfilter mark, the mark must be set on
2609 the connection (using the CONNMARK target) not on the packet
2610 (MARK target).
575cb927
AJ		 2611
2612 miss-mask=0xFF
425de4c8
AJ		 2613 Allows you to mask certain bits in the TOS or mark value
2614 received from the remote server, before copying the value to
2615 the TOS sent towards clients.
2616 Default for tos: 0xFF (TOS from server is not changed).
2617 Default for mark: 0xFFFFFFFF (mark from server is not changed).
2618
2619 All of these features require the --enable-zph-qos compilation flag
2620 (enabled by default). Netfilter marking also requires the
2621 libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
2622 libcap 2.09+ (--with-libcap).
7172612f 2623
7172612f
AJ		 2624DOC_END
2625
41bd17a4 2626NAME: tcp_outgoing_address
2627TYPE: acl_address
2628DEFAULT: none
638402dd 2629DEFAULT_DOC: Address selection is performed by the operating system.
41bd17a4 2630LOC: Config.accessList.outgoing_address
2631DOC_START
2632 Allows you to map requests to different outgoing IP addresses
2633 based on the username or source address of the user making
2634 the request.
7f7db318 2635
41bd17a4 2636 tcp_outgoing_address ipaddr [[!]aclname] ...
c33aa074 2637
2dd51400
AJ		 2638 For example;
2639 Forwarding clients with dedicated IPs for certain subnets.
9197cd13 2640
2dd51400
AJ		 2641 acl normal_service_net src 10.0.0.0/24
2642 acl good_service_net src 10.0.2.0/24
2643
2644 tcp_outgoing_address 2001:db8::c001 good_service_net
2645 tcp_outgoing_address 10.1.0.2 good_service_net
2646
2647 tcp_outgoing_address 2001:db8::beef normal_service_net
2648 tcp_outgoing_address 10.1.0.1 normal_service_net
2649
2650 tcp_outgoing_address 2001:db8::1
2651 tcp_outgoing_address 10.1.0.3
9197cd13 2652
41bd17a4 2653 Processing proceeds in the order specified, and stops at first fully
2654 matching line.
cccac0a2 2655
2dd51400
AJ		 2656 Squid will add an implicit IP version test to each line.
2657 Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
2658 Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
2659
2660
2661 NOTE: The use of this directive using client dependent ACLs is
41bd17a4 2662 incompatible with the use of server side persistent connections. To
2663 ensure correct results it is best to set server_persistent_connections
2664 to off when using this directive in such configurations.
cc192b50 2665
2dd51400 2666 NOTE: The use of this directive to set a local IP on outgoing TCP links
4ed968be 2667 is incompatible with using TPROXY to set client IP out outbound TCP links.
2dd51400
AJ		 2668 When needing to contact peers use the no-tproxy cache_peer option and the
2669 client_dst_passthru directive re-enable normal forwarding such as this.
cc192b50 2670
83a846a3
AR		 2671 This clause only supports fast acl types.
2672 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
cccac0a2 2673DOC_END
6db78a1a 2674
90529125
AJ		 2675NAME: host_verify_strict
2676TYPE: onoff
2677DEFAULT: off
2678LOC: Config.onoff.hostStrictVerify
2679DOC_START
d8821934
AR		 2680 Regardless of this option setting, when dealing with intercepted
2681 traffic, Squid always verifies that the destination IP address matches
2962f8b8 2682 the Host header domain or IP (called 'authority form URL').
d8821934
AR		 2683
2684 This enforcement is performed to satisfy a MUST-level requirement in
2685 RFC 2616 section 14.23: "The Host field value MUST represent the naming
2686 authority of the origin server or gateway given by the original URL".
2962f8b8
AJ		 2687
2688 When set to ON:
2689 Squid always responds with an HTTP 409 (Conflict) error
2690 page and logs a security warning if there is no match.
2691
2692 Squid verifies that the destination IP address matches
2693 the Host header for forward-proxy and reverse-proxy traffic
2694 as well. For those traffic types, Squid also enables the
2695 following checks, comparing the corresponding Host header
2696 and Request-URI components:
2697
2698 * The host names (domain or IP) must be identical,
2699 but valueless or missing Host header disables all checks.
2700 For the two host names to match, both must be either IP
2701 or FQDN.
2702
2703 * Port numbers must be identical, but if a port is missing
2704 the scheme-default port is assumed.
2705
2706
2707 When set to OFF (the default):
2708 Squid allows suspicious requests to continue but logs a
2709 security warning and blocks caching of the response.
2710
2711 * Forward-proxy traffic is not checked at all.
2712
2713 * Reverse-proxy traffic is not checked at all.
2714
2715 * Intercepted traffic which passes verification is handled
32c32865 2716 according to client_dst_passthru.
2962f8b8 2717
7177edfb
AJ		 2718 * Intercepted requests which fail verification are sent
2719 to the client original destination instead of DIRECT.
2720 This overrides 'client_dst_passthru off'.
2962f8b8
AJ		 2721
2722 For now suspicious intercepted CONNECT requests are always
2723 responded to with an HTTP 409 (Conflict) error page.
bfe4e2fe 2724
bfe4e2fe 2725
7177edfb 2726 SECURITY NOTE:
bfe4e2fe
AJ		 2727
2728 As described in CVE-2009-0801 when the Host: header alone is used
2729 to determine the destination of a request it becomes trivial for
2730 malicious scripts on remote websites to bypass browser same-origin
2731 security policy and sandboxing protections.
2732
2733 The cause of this is that such applets are allowed to perform their
2734 own HTTP stack, in which case the same-origin policy of the browser
2735 sandbox only verifies that the applet tries to contact the same IP
2736 as from where it was loaded at the IP level. The Host: header may
2737 be different from the connected IP and approved origin.
7177edfb
AJ		 2738
2739DOC_END
6b185b50 2740
7177edfb
AJ		 2741NAME: client_dst_passthru
2742TYPE: onoff
2743DEFAULT: on
2744LOC: Config.onoff.client_dst_passthru
2745DOC_START
2746 With NAT or TPROXY intercepted traffic Squid may pass the request
2747 directly to the original client destination IP or seek a faster
2748 source using the HTTP Host header.
2749
2750 Using Host to locate alternative servers can provide faster
2751 connectivity with a range of failure recovery options.
2752 But can also lead to connectivity trouble when the client and
2753 server are attempting stateful interactions unaware of the proxy.
2754
2755 This option (on by default) prevents alternative DNS entries being
2756 located to send intercepted traffic DIRECT to an origin server.
2757 The clients original destination IP and port will be used instead.
2758
2759 Regardless of this option setting, when dealing with intercepted
2760 traffic Squid will verify the Host: header and any traffic which
2761 fails Host verification will be treated as if this option were ON.
2762
2763 see host_verify_strict for details on the verification process.
cccac0a2 2764DOC_END
2765
195f8adb
AJ		 2766COMMENT_START
2767 TLS OPTIONS
2768 -----------------------------------------------------------------------------
2769COMMENT_END
2770
2771NAME: tls_outgoing_options
2772IFDEF: USE_GNUTLS||USE_OPENSSL
2773TYPE: securePeerOptions
2fbb02b1 2774DEFAULT: min-version=1.0
7e62a74f 2775LOC: Security::ProxyOutgoingConfig
195f8adb
AJ		 2776DOC_START
2777 disable Do not support https:// URLs.
2778
2779 cert=/path/to/client/certificate
2780 A client TLS certificate to use when connecting.
2781
2782 key=/path/to/client/private_key
2783 The private TLS key corresponding to the cert= above.
2784 If key= is not specified cert= is assumed to reference
2785 a PEM file containing both the certificate and the key.
2786
195f8adb 2787 cipher=... The list of valid TLS ciphers to use.
1cc44095
AJ		 2788
2789 min-version=1.N
2fbb02b1
AJ		 2790 The minimum TLS protocol version to permit.
2791 To control SSLv3 use the options= parameter.
1cc44095
AJ		 2792 Supported Values: 1.0 (default), 1.1, 1.2
2793
3f5b28fe 2794 options=... Specify various TLS/SSL implementation options.
195f8adb 2795
3f5b28fe 2796 OpenSSL options most important are:
7905e7be 2797
3f5b28fe 2798 NO_SSLv3 Disallow the use of SSLv3
7905e7be 2799
195f8adb
AJ		 2800 SINGLE_DH_USE
2801 Always create a new key when using
2802 temporary/ephemeral DH key exchanges
7905e7be 2803
ce0adf1a 2804 NO_TICKET
7905e7be
AJ		 2805 Disable use of RFC5077 session tickets.
2806 Some servers may have problems
2807 understanding the TLS extension due
2808 to ambiguous specification in RFC4507.
2809
195f8adb
AJ		 2810 ALL Enable various bug workarounds
2811 suggested as "harmless" by OpenSSL
7905e7be 2812 Be warned that this reduces SSL/TLS
195f8adb
AJ		 2813 strength to some attacks.
2814
3f5b28fe
AJ		 2815 See the OpenSSL SSL_CTX_set_options documentation
2816 for a more complete list.
2817
2818 GnuTLS options most important are:
2819
2820 %NO_TICKETS
2821 Disable use of RFC5077 session tickets.
2822 Some servers may have problems
2823 understanding the TLS extension due
2824 to ambiguous specification in RFC4507.
2825
2826 See the GnuTLS Priority Strings documentation
2827 for a more complete list.
2828 http://www.gnutls.org/manual/gnutls.html#Priority-Strings
2829
195f8adb 2830
86a84cc0
AJ		 2831 cafile= PEM file containing CA certificates to use when verifying
2832 the peer certificate. May be repeated to load multiple files.
2833
2834 capath= A directory containing additional CA certificates to
195f8adb 2835 use when verifying the peer certificate.
86a84cc0 2836 Requires OpenSSL or LibreSSL.
195f8adb
AJ		 2837
2838 crlfile=... A certificate revocation list file to use when
2839 verifying the peer certificate.
2840
2841 flags=... Specify various flags modifying the TLS implementation:
2842
2843 DONT_VERIFY_PEER
2844 Accept certificates even if they fail to
2845 verify.
195f8adb
AJ		 2846 DONT_VERIFY_DOMAIN
2847 Don't verify the peer certificate
2848 matches the server name
2849
435c72b0
AJ		 2850 default-ca[=off]
2851 Whether to use the system Trusted CAs. Default is ON.
8b253b83 2852
195f8adb
AJ		 2853 domain= The peer name as advertised in its certificate.
2854 Used for verifying the correctness of the received peer
2855 certificate. If not specified the peer hostname will be
2856 used.
2857DOC_END
2858
41bd17a4 2859COMMENT_START
2860 SSL OPTIONS
2861 -----------------------------------------------------------------------------
2862COMMENT_END
2863
2864NAME: ssl_unclean_shutdown
cb4f4424 2865IFDEF: USE_OPENSSL
cccac0a2 2866TYPE: onoff
2867DEFAULT: off
41bd17a4 2868LOC: Config.SSL.unclean_shutdown
cccac0a2 2869DOC_START
41bd17a4 2870 Some browsers (especially MSIE) bugs out on SSL shutdown
2871 messages.
cccac0a2 2872DOC_END
2873
41bd17a4 2874NAME: ssl_engine
cb4f4424 2875IFDEF: USE_OPENSSL
cccac0a2 2876TYPE: string
41bd17a4 2877LOC: Config.SSL.ssl_engine
2878DEFAULT: none
cccac0a2 2879DOC_START
41bd17a4 2880 The OpenSSL engine to use. You will need to set this if you
2881 would like to use hardware SSL acceleration for example.
cccac0a2 2882DOC_END
2883
10a69fc0 2884NAME: sslproxy_session_ttl
cb4f4424 2885IFDEF: USE_OPENSSL
10a69fc0
CT		 2886DEFAULT: 300
2887LOC: Config.SSL.session_ttl
2888TYPE: int
2889DOC_START
2890 Sets the timeout value for SSL sessions
2891DOC_END
2892
2893NAME: sslproxy_session_cache_size
cb4f4424 2894IFDEF: USE_OPENSSL
10a69fc0
CT		 2895DEFAULT: 2 MB
2896LOC: Config.SSL.sessionCacheSize
2897TYPE: b_size_t
2898DOC_START
2899 Sets the cache size to use for ssl session
2900DOC_END
2901
866be11c
CT		 2902NAME: sslproxy_foreign_intermediate_certs
2903IFDEF: USE_OPENSSL
2904DEFAULT: none
2905LOC: Config.ssl_client.foreignIntermediateCertsPath
2906TYPE: string
2907DOC_START
2908 Many origin servers fail to send their full server certificate
2909 chain for verification, assuming the client already has or can
2910 easily locate any missing intermediate certificates.
2911
2912 Squid uses the certificates from the specified file to fill in
2913 these missing chains when trying to validate origin server
2914 certificate chains.
2915
2916 The file is expected to contain zero or more PEM-encoded
2917 intermediate certificates. These certificates are not treated
2918 as trusted root certificates, and any self-signed certificate in
2919 this file will be ignored.
866be11c
CT		 2920DOC_END
2921
3c26b00a
CT		 2922NAME: sslproxy_cert_sign_hash
2923IFDEF: USE_OPENSSL
2924DEFAULT: none
2925LOC: Config.SSL.certSignHash
2926TYPE: string
2927DOC_START
2928 Sets the hashing algorithm to use when signing generated certificates.
2929 Valid algorithm names depend on the OpenSSL library used. The following
2930 names are usually available: sha1, sha256, sha512, and md5. Please see
2931 your OpenSSL library manual for the available hashes. By default, Squids
2932 that support this option use sha256 hashes.
2933
2934 Squid does not forcefully purge cached certificates that were generated
2935 with an algorithm other than the currently configured one. They remain
2936 in the cache, subject to the regular cache eviction policy, and become
2937 useful if the algorithm changes again.
2938DOC_END
2939
4c9da963 2940NAME: ssl_bump
cb4f4424 2941IFDEF: USE_OPENSSL
caf3666d 2942TYPE: sslproxy_ssl_bump
4c9da963 2943LOC: Config.accessList.ssl_bump
8f165829 2944DEFAULT_DOC: Become a TCP tunnel without decrypting proxied traffic.
4c9da963 2945DEFAULT: none
2946DOC_START
caf3666d
AR		 2947 This option is consulted when a CONNECT request is received on
2948 an http_port (or a new connection is intercepted at an
2949 https_port), provided that port was configured with an ssl-bump
2950 flag. The subsequent data on the connection is either treated as
2951 HTTPS and decrypted OR tunneled at TCP level without decryption,
8f165829
AR		 2952 depending on the first matching bumping "action".
2953
2954 ssl_bump <action> [!]acl ...
caf3666d 2955
8f165829 2956 The following bumping actions are currently supported:
caf3666d 2957
5d65362c 2958 splice
8f165829
AR		 2959 Become a TCP tunnel without decrypting proxied traffic.
2960 This is the default action.
5d65362c
CT		 2961
2962 bump
6e0516b3
CT		 2963 When used on step SslBump1, establishes a secure connection
2964 with the client first, then connect to the server.
2965 When used on step SslBump2 or SslBump3, establishes a secure
2966 connection with the server and, using a mimicked server
2967 certificate, with the client.
caf3666d 2968
5d65362c 2969 peek
1110989a 2970 Receive client (step SslBump1) or server (step SslBump2)
8f165829
AR		 2971 certificate while preserving the possibility of splicing the
2972 connection. Peeking at the server certificate (during step 2)
2973 usually precludes bumping of the connection at step 3.
caf3666d 2974
5d65362c 2975 stare
1110989a 2976 Receive client (step SslBump1) or server (step SslBump2)
8f165829
AR		 2977 certificate while preserving the possibility of bumping the
2978 connection. Staring at the server certificate (during step 2)
2979 usually precludes splicing of the connection at step 3.
5d65362c
CT		 2980
2981 terminate
2982 Close client and server connections.
2983
1110989a 2984 Backward compatibility actions available at step SslBump1:
caf3666d
AR		 2985
2986 client-first
8f165829
AR		 2987 Bump the connection. Establish a secure connection with the
2988 client first, then connect to the server. This old mode does
2989 not allow Squid to mimic server SSL certificate and does not
2990 work with intercepted SSL connections.
caf3666d
AR		 2991
2992 server-first
8f165829
AR		 2993 Bump the connection. Establish a secure connection with the
2994 server first, then establish a secure connection with the
2995 client, using a mimicked server certificate. Works with both
2996 CONNECT requests and intercepted SSL connections, but does
2997 not allow to make decisions based on SSL handshake info.
caf3666d 2998
8f165829
AR		 2999 peek-and-splice
3000 Decide whether to bump or splice the connection based on
d620ae0e 3001 client-to-squid and server-to-squid SSL hello messages.
8f165829 3002 XXX: Remove.
caf3666d 3003
caf3666d 3004 none
8f165829 3005 Same as the "splice" action.
caf3666d 3006
8f165829
AR		 3007 All ssl_bump rules are evaluated at each of the supported bumping
3008 steps. Rules with actions that are impossible at the current step are
3009 ignored. The first matching ssl_bump action wins and is applied at the
3010 end of the current step. If no rules match, the splice action is used.
652fcffd 3011 See the at_step ACL for a list of the supported SslBump steps.
4c9da963 3012
e0c0d54c 3013 This clause supports both fast and slow acl types.
b3567eb5 3014 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
e0855596 3015
652fcffd 3016 See also: http_port ssl-bump, https_port ssl-bump, and acl at_step.
caf3666d 3017
e0855596 3018
f3fece95 3019 # Example: Bump all TLS connections except those originating from
638402dd 3020 # localhost or those going to example.com.
e0855596 3021
f3fece95 3022 acl broken_sites ssl::server_name .example.com
8f165829
AR		 3023 ssl_bump splice localhost
3024 ssl_bump splice broken_sites
3025 ssl_bump bump all
4c9da963 3026DOC_END
3027
4c9da963 3028NAME: sslproxy_cert_error
cb4f4424 3029IFDEF: USE_OPENSSL
4c9da963 3030DEFAULT: none
638402dd 3031DEFAULT_DOC: Server certificate errors terminate the transaction.
4c9da963 3032LOC: Config.ssl_client.cert_error
3033TYPE: acl_access
3034DOC_START
3035 Use this ACL to bypass server certificate validation errors.
3036
3037 For example, the following lines will bypass all validation errors
3b8f558c 3038 when talking to servers for example.com. All other
4c9da963 3039 validation errors will result in ERR_SECURE_CONNECT_FAIL error.
3040
a87bfd3b
AR		 3041 acl BrokenButTrustedServers dstdomain example.com
3042 sslproxy_cert_error allow BrokenButTrustedServers
4c9da963 3043 sslproxy_cert_error deny all
3044
b3567eb5
FC		 3045 This clause only supports fast acl types.
3046 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
3047 Using slow acl types may result in server crashes
4c9da963 3048
3049 Without this option, all server certificate validation errors
638402dd 3050 terminate the transaction to protect Squid and the client.
4c9da963 3051
0ad3ff51
CT		 3052 SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed
3053 but should not happen unless your OpenSSL library is buggy.
3054
638402dd
AJ		 3055 SECURITY WARNING:
3056 Bypassing validation errors is dangerous because an
3057 error usually implies that the server cannot be trusted
3058 and the connection may be insecure.
4c9da963 3059
638402dd 3060 See also: sslproxy_flags and DONT_VERIFY_PEER.
4c9da963 3061DOC_END
3062
aebe6888 3063NAME: sslproxy_cert_sign
cb4f4424 3064IFDEF: USE_OPENSSL
aebe6888 3065DEFAULT: none
10d914f6
CT		 3066POSTSCRIPTUM: signUntrusted ssl::certUntrusted
3067POSTSCRIPTUM: signSelf ssl::certSelfSigned
3068POSTSCRIPTUM: signTrusted all
aebe6888
CT		 3069TYPE: sslproxy_cert_sign
3070LOC: Config.ssl_client.cert_sign
3071DOC_START
3072
69742b76 3073 sslproxy_cert_sign <signing algorithm> acl ...
aebe6888 3074
69742b76 3075 The following certificate signing algorithms are supported:
638402dd 3076
aebe6888 3077 signTrusted
69742b76
AR		 3078 Sign using the configured CA certificate which is usually
3079 placed in and trusted by end-user browsers. This is the
3080 default for trusted origin server certificates.
638402dd 3081
aebe6888 3082 signUntrusted
69742b76
AR		 3083 Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
3084 This is the default for untrusted origin server certificates
3085 that are not self-signed (see ssl::certUntrusted).
638402dd 3086
aebe6888 3087 signSelf
69742b76 3088 Sign using a self-signed certificate with the right CN to
aebe6888 3089 generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
69742b76
AR		 3090 browser. This is the default for self-signed origin server
3091 certificates (see ssl::certSelfSigned).
aebe6888 3092
cf1c09f6
CT		 3093 This clause only supports fast acl types.
3094
69742b76
AR		 3095 When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
3096 signing algorithm to generate the certificate and ignores all
3097 subsequent sslproxy_cert_sign options (the first match wins). If no
3098 acl(s) match, the default signing algorithm is determined by errors
3099 detected when obtaining and validating the origin server certificate.
cf1c09f6 3100
4b0d23b7
CT		 3101 WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
3102 be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
3103 CONNECT request that carries a domain name. In all other cases (CONNECT
3104 to an IP address or an intercepted SSL connection), Squid cannot detect
3105 the domain mismatch at certificate generation time when
3106 bump-server-first is used.
aebe6888
CT		 3107DOC_END
3108
638402dd 3109NAME: sslproxy_cert_adapt
cb4f4424 3110IFDEF: USE_OPENSSL
fb2178bb
CT		 3111DEFAULT: none
3112TYPE: sslproxy_cert_adapt
3113LOC: Config.ssl_client.cert_adapt
3114DOC_START
3115
3116 sslproxy_cert_adapt <adaptation algorithm> acl ...
3117
69742b76 3118 The following certificate adaptation algorithms are supported:
638402dd 3119
fb2178bb 3120 setValidAfter
69742b76
AR		 3121 Sets the "Not After" property to the "Not After" property of
3122 the CA certificate used to sign generated certificates.
638402dd 3123
fb2178bb 3124 setValidBefore
69742b76
AR		 3125 Sets the "Not Before" property to the "Not Before" property of
3126 the CA certificate used to sign generated certificates.
638402dd 3127
69742b76
AR		 3128 setCommonName or setCommonName{CN}
3129 Sets Subject.CN property to the host name specified as a
3130 CN parameter or, if no explicit CN parameter was specified,
3131 extracted from the CONNECT request. It is a misconfiguration
3132 to use setCommonName without an explicit parameter for
3133 intercepted or tproxied SSL connections.
fb2178bb 3134
cf1c09f6
CT		 3135 This clause only supports fast acl types.
3136
69742b76
AR		 3137 Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
3138 Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
3139 corresponding adaptation algorithm to generate the certificate and
3140 ignores all subsequent sslproxy_cert_adapt options in that algorithm's
3141 group (i.e., the first match wins within each algorithm group). If no
3142 acl(s) match, the default mimicking action takes place.
cf1c09f6 3143
4b0d23b7
CT		 3144 WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
3145 be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
3146 CONNECT request that carries a domain name. In all other cases (CONNECT
3147 to an IP address or an intercepted SSL connection), Squid cannot detect
3148 the domain mismatch at certificate generation time when
3149 bump-server-first is used.
fb2178bb
CT		 3150DOC_END
3151
41bd17a4 3152NAME: sslpassword_program
cb4f4424 3153IFDEF: USE_OPENSSL
41bd17a4 3154DEFAULT: none
3155LOC: Config.Program.ssl_password
3156TYPE: string
5473c134 3157DOC_START
41bd17a4 3158 Specify a program used for entering SSL key passphrases
3159 when using encrypted SSL certificate keys. If not specified
3160 keys must either be unencrypted, or Squid started with the -N
3161 option to allow it to query interactively for the passphrase.
7acb9ddd
HN		 3162
3163 The key file name is given as argument to the program allowing
3164 selection of the right password if you have multiple encrypted
3165 keys.
5473c134 3166DOC_END
3167
95d2589c
CT		 3168COMMENT_START
3169 OPTIONS RELATING TO EXTERNAL SSL_CRTD
3170 -----------------------------------------------------------------------------
3171COMMENT_END
3172
3173NAME: sslcrtd_program
3174TYPE: eol
3175IFDEF: USE_SSL_CRTD
3176DEFAULT: @DEFAULT_SSL_CRTD@ -s @DEFAULT_SSL_DB_DIR@ -M 4MB
3177LOC: Ssl::TheConfig.ssl_crtd
3178DOC_START
cb0b3d63
AJ		 3179 Specify the location and options of the executable for certificate
3180 generator.
95d2589c
CT		 3181 @DEFAULT_SSL_CRTD@ program requires -s and -M parameters
3182 For more information use:
3183 @DEFAULT_SSL_CRTD@ -h
3184DOC_END
3185
3186NAME: sslcrtd_children
3187TYPE: HelperChildConfig
3188IFDEF: USE_SSL_CRTD
3189DEFAULT: 32 startup=5 idle=1
3190LOC: Ssl::TheConfig.ssl_crtdChildren
3191DOC_START
3192 The maximum number of processes spawn to service ssl server.
3193 The maximum this may be safely set to is 32.
3194
3195 The startup= and idle= options allow some measure of skew in your
3196 tuning.
3197
3198 startup=N
3199
3200 Sets the minimum number of processes to spawn when Squid
3201 starts or reconfigures. When set to zero the first request will
3202 cause spawning of the first child process to handle it.
3203
3204 Starting too few children temporary slows Squid under load while it
3205 tries to spawn enough additional processes to cope with traffic.
3206
3207 idle=N
3208
3209 Sets a minimum of how many processes Squid is to try and keep available
3210 at all times. When traffic begins to rise above what the existing
3211 processes can handle this many more will be spawned up to the maximum
3212 configured. A minimum setting of 1 is required.
6825b101
CT		 3213
3214 queue-size=N
3215
3216 Sets the maximum number of queued requests.
3217 If the queued requests exceed queue size for more than 3 minutes
3218 squid aborts its operation.
3219 The default value is set to 2*numberofchildren.
95d2589c
CT		 3220
3221 You must have at least one ssl_crtd process.
3222DOC_END
3223
2cef0ca6
AR		 3224NAME: sslcrtvalidator_program
3225TYPE: eol
cb4f4424 3226IFDEF: USE_OPENSSL
2cef0ca6
AR		 3227DEFAULT: none
3228LOC: Ssl::TheConfig.ssl_crt_validator
3229DOC_START
3230 Specify the location and options of the executable for ssl_crt_validator
638402dd
AJ		 3231 process.
3232
3233 Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ...
14798e73
CT		 3234
3235 Options:
638402dd 3236 ttl=n TTL in seconds for cached results. The default is 60 secs
14798e73 3237 cache=n limit the result cache size. The default value is 2048
2cef0ca6
AR		 3238DOC_END
3239
3240NAME: sslcrtvalidator_children
3241TYPE: HelperChildConfig
cb4f4424 3242IFDEF: USE_OPENSSL
413bb969 3243DEFAULT: 32 startup=5 idle=1 concurrency=1
2cef0ca6
AR		 3244LOC: Ssl::TheConfig.ssl_crt_validator_Children
3245DOC_START
638402dd 3246 The maximum number of processes spawn to service SSL server.
2cef0ca6
AR		 3247 The maximum this may be safely set to is 32.
3248
3249 The startup= and idle= options allow some measure of skew in your
3250 tuning.
3251
3252 startup=N
3253
3254 Sets the minimum number of processes to spawn when Squid
3255 starts or reconfigures. When set to zero the first request will
3256 cause spawning of the first child process to handle it.
3257
3258 Starting too few children temporary slows Squid under load while it
3259 tries to spawn enough additional processes to cope with traffic.
3260
3261 idle=N
3262
3263 Sets a minimum of how many processes Squid is to try and keep available
3264 at all times. When traffic begins to rise above what the existing
3265 processes can handle this many more will be spawned up to the maximum
3266 configured. A minimum setting of 1 is required.
4a77bb4e
CT		 3267
3268 concurrency=
3269
3270 The number of requests each certificate validator helper can handle in
dffc462a
CT		 3271 parallel. A value of 0 indicates the certficate validator does not
3272 support concurrency. Defaults to 1.
4a77bb4e
CT		 3273
3274 When this directive is set to a value >= 1 then the protocol
3275 used to communicate with the helper is modified to include
3276 a request ID in front of the request/response. The request
3277 ID from the request must be echoed back with the response
3278 to that request.
6825b101
CT		 3279
3280 queue-size=N
3281
3282 Sets the maximum number of queued requests.
3283 If the queued requests exceed queue size for more than 3 minutes
3284 squid aborts its operation.
3285 The default value is set to 2*numberofchildren.
2cef0ca6
AR		 3286
3287 You must have at least one ssl_crt_validator process.
3288DOC_END
3289
cccac0a2 3290COMMENT_START
41bd17a4 3291 OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
cccac0a2 3292 -----------------------------------------------------------------------------
3293COMMENT_END
3294
41bd17a4 3295NAME: cache_peer
3296TYPE: peer
3297DEFAULT: none
3298LOC: Config.peers
cccac0a2 3299DOC_START
41bd17a4 3300 To specify other caches in a hierarchy, use the format:
2b94f655 3301
41bd17a4 3302 cache_peer hostname type http-port icp-port [options]
2b94f655 3303
41bd17a4 3304 For example,
2b94f655 3305
41bd17a4 3306 # proxy icp
3307 # hostname type port port options
3308 # -------------------- -------- ----- ----- -----------
2b94f655 3309 cache_peer parent.foo.net parent 3128 3130 default
41bd17a4 3310 cache_peer sib1.foo.net sibling 3128 3130 proxy-only
3311 cache_peer sib2.foo.net sibling 3128 3130 proxy-only
2e9993e1 3312 cache_peer example.com parent 80 0 default
2b94f655
AJ		 3313 cache_peer cdn.example.com sibling 3128 0
3314
3315 type: either 'parent', 'sibling', or 'multicast'.
3316
3317 proxy-port: The port number where the peer accept HTTP requests.
3318 For other Squid proxies this is usually 3128
3319 For web servers this is usually 80
3320
3321 icp-port: Used for querying neighbor caches about objects.
3322 Set to 0 if the peer does not support ICP or HTCP.
3323 See ICP and HTCP options below for additional details.
3324
3325
3326 ==== ICP OPTIONS ====
3327
3328 You MUST also set icp_port and icp_access explicitly when using these options.
3329 The defaults will prevent peer traffic using ICP.
3330
3331
3332 no-query Disable ICP queries to this neighbor.
3333
3334 multicast-responder
3335 Indicates the named peer is a member of a multicast group.
3336 ICP queries will not be sent directly to the peer, but ICP
3337 replies will be accepted from it.
3338
3339 closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
3340 CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
3341
3342 background-ping
3343 To only send ICP queries to this neighbor infrequently.
3344 This is used to keep the neighbor round trip time updated
3345 and is usually used in conjunction with weighted-round-robin.
3346
3347
3348 ==== HTCP OPTIONS ====
3349
3350 You MUST also set htcp_port and htcp_access explicitly when using these options.
3351 The defaults will prevent peer traffic using HTCP.
3352
3353
3354 htcp Send HTCP, instead of ICP, queries to the neighbor.
3355 You probably also want to set the "icp-port" to 4827
18191440
AJ		 3356 instead of 3130. This directive accepts a comma separated
3357 list of options described below.
2b94f655 3358
18191440 3359 htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier).
2b94f655 3360
18191440 3361 htcp=no-clr Send HTCP to the neighbor but without
2b94f655 3362 sending any CLR requests. This cannot be used with
18191440 3363 only-clr.
2b94f655 3364
18191440
AJ		 3365 htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests.
3366 This cannot be used with no-clr.
2b94f655 3367
18191440 3368 htcp=no-purge-clr
2b94f655
AJ		 3369 Send HTCP to the neighbor including CLRs but only when
3370 they do not result from PURGE requests.
3371
18191440 3372 htcp=forward-clr
2b94f655
AJ		 3373 Forward any HTCP CLR requests this proxy receives to the peer.
3374
3375
3376 ==== PEER SELECTION METHODS ====
3377
3378 The default peer selection method is ICP, with the first responding peer
3379 being used as source. These options can be used for better load balancing.
3380
3381
3382 default This is a parent cache which can be used as a "last-resort"
3383 if a peer cannot be located by any of the peer-selection methods.
3384 If specified more than once, only the first is used.
3385
3386 round-robin Load-Balance parents which should be used in a round-robin
3387 fashion in the absence of any ICP queries.
3388 weight=N can be used to add bias.
3389
3390 weighted-round-robin
3391 Load-Balance parents which should be used in a round-robin
3392 fashion with the frequency of each parent being based on the
3393 round trip time. Closer parents are used more often.
3394 Usually used for background-ping parents.
3395 weight=N can be used to add bias.
3396
3397 carp Load-Balance parents which should be used as a CARP array.
3398 The requests will be distributed among the parents based on the
3399 CARP load balancing hash function based on their weight.
3400
3401 userhash Load-balance parents based on the client proxy_auth or ident username.
3402
3403 sourcehash Load-balance parents based on the client source IP.
8a368316
AJ		 3404
3405 multicast-siblings
3406 To be used only for cache peers of type "multicast".
3407 ALL members of this multicast group have "sibling"
2e9993e1 3408 relationship with it, not "parent". This is to a multicast
8a368316
AJ		 3409 group when the requested object would be fetched only from
3410 a "parent" cache, anyway. It's useful, e.g., when
3411 configuring a pool of redundant Squid proxies, being
3412 members of the same multicast group.
2b94f655
AJ		 3413
3414
3415 ==== PEER SELECTION OPTIONS ====
3416
3417 weight=N use to affect the selection of a peer during any weighted
3418 peer-selection mechanisms.
3419 The weight must be an integer; default is 1,
3420 larger weights are favored more.
3421 This option does not affect parent selection if a peering
3422 protocol is not in use.
3423
3424 basetime=N Specify a base amount to be subtracted from round trip
3425 times of parents.
3426 It is subtracted before division by weight in calculating
3427 which parent to fectch from. If the rtt is less than the
3428 base time the rtt is set to a minimal value.
3429
3c72389f
AJ		 3430 ttl=N Specify a TTL to use when sending multicast ICP queries
3431 to this address.
2b94f655
AJ		 3432 Only useful when sending to a multicast group.
3433 Because we don't accept ICP replies from random
3434 hosts, you must configure other group members as
3435 peers with the 'multicast-responder' option.
3436
3437 no-delay To prevent access to this neighbor from influencing the
3438 delay pools.
3439
3440 digest-url=URL Tell Squid to fetch the cache digest (if digests are
3441 enabled) for this host from the specified URL rather
3442 than the Squid default location.
3443
3444
de03b596
FC		 3445 ==== CARP OPTIONS ====
3446
3447 carp-key=key-specification
3448 use a different key than the full URL to hash against the peer.
3449 the key-specification is a comma-separated list of the keywords
3450 scheme, host, port, path, params
3451 Order is not important.
3452
2b94f655
AJ		 3453 ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
3454
3455 originserver Causes this parent to be contacted as an origin server.
3456 Meant to be used in accelerator setups when the peer
3457 is a web server.
3458
3459 forceddomain=name
3460 Set the Host header of requests forwarded to this peer.
3461 Useful in accelerator setups where the server (peer)
3462 expects a certain domain name but clients may request
3463 others. ie example.com or www.example.com
3464
3465 no-digest Disable request of cache digests.
3466
3467 no-netdb-exchange
3468 Disables requesting ICMP RTT database (NetDB).
3469
3470
3471 ==== AUTHENTICATION OPTIONS ====
3472
3473 login=user:password
3474 If this is a personal/workgroup proxy and your parent
3475 requires proxy authentication.
3476
3477 Note: The string can include URL escapes (i.e. %20 for
3478 spaces). This also means % must be written as %%.
3479
11e4c5e5
AJ		 3480 login=PASSTHRU
3481 Send login details received from client to this peer.
3482 Both Proxy- and WWW-Authorization headers are passed
3483 without alteration to the peer.
3484 Authentication is not required by Squid for this to work.
3485
3486 Note: This will pass any form of authentication but
3487 only Basic auth will work through a proxy unless the
3488 connection-auth options are also used.
ee0b94f4 3489
2b94f655
AJ		 3490 login=PASS Send login details received from client to this peer.
3491 Authentication is not required by this option.
11e4c5e5 3492
2b94f655
AJ		 3493 If there are no client-provided authentication headers
3494 to pass on, but username and password are available
ee0b94f4
HN		 3495 from an external ACL user= and password= result tags
3496 they may be sent instead.
2b94f655
AJ		 3497
3498 Note: To combine this with proxy_auth both proxies must
3499 share the same user database as HTTP only allows for
3500 a single login (one for proxy, one for origin server).
3501 Also be warned this will expose your users proxy
3502 password to the peer. USE WITH CAUTION
3503
3504 login=*:password
3505 Send the username to the upstream cache, but with a
3506 fixed password. This is meant to be used when the peer
3507 is in another administrative domain, but it is still
3508 needed to identify each user.
3509 The star can optionally be followed by some extra
3510 information which is added to the username. This can
3511 be used to identify this proxy to the peer, similar to
3512 the login=username:password option above.
3513
9ca29d23
AJ		 3514 login=NEGOTIATE
3515 If this is a personal/workgroup proxy and your parent
3516 requires a secure proxy authentication.
3517 The first principal from the default keytab or defined by
3518 the environment variable KRB5_KTNAME will be used.
3519
63f03f79
PL		 3520 WARNING: The connection may transmit requests from multiple
3521 clients. Negotiate often assumes end-to-end authentication
3522 and a single-client. Which is not strictly true here.
3523
9ca29d23
AJ		 3524 login=NEGOTIATE:principal_name
3525 If this is a personal/workgroup proxy and your parent
3526 requires a secure proxy authentication.
3527 The principal principal_name from the default keytab or
3528 defined by the environment variable KRB5_KTNAME will be
3529 used.
3530
63f03f79
PL		 3531 WARNING: The connection may transmit requests from multiple
3532 clients. Negotiate often assumes end-to-end authentication
3533 and a single-client. Which is not strictly true here.
3534
2b94f655
AJ		 3535 connection-auth=on|off
3536 Tell Squid that this peer does or not support Microsoft
3537 connection oriented authentication, and any such
3538 challenges received from there should be ignored.
3539 Default is auto to automatically determine the status
3540 of the peer.
3541
9825b398
AJ		 3542 auth-no-keytab
3543 Do not use a keytab to authenticate to a peer when
3544 login=NEGOTIATE is specified. Let the GSSAPI
3545 implementation determine which already existing
3546 credentials cache to use instead.
3547
2b94f655
AJ		 3548
3549 ==== SSL / HTTPS / TLS OPTIONS ====
3550
0ff7e52d 3551 tls Encrypt connections to this peer with TLS.
2b94f655
AJ		 3552
3553 sslcert=/path/to/ssl/certificate
3554 A client SSL certificate to use when connecting to
3555 this peer.
3556
3557 sslkey=/path/to/ssl/key
3558 The private SSL key corresponding to sslcert above.
3559 If 'sslkey' is not specified 'sslcert' is assumed to
3560 reference a combined file containing both the
3561 certificate and the key.
3562
2b94f655
AJ		 3563 sslcipher=... The list of valid SSL ciphers to use when connecting
3564 to this peer.
1cc44095
AJ		 3565
3566 tls-min-version=1.N
3567 The minimum TLS protocol version to permit. To control
3f5b28fe 3568 SSLv3 use the tls-options= parameter.
1cc44095
AJ		 3569 Supported Values: 1.0 (default), 1.1, 1.2
3570
3f5b28fe 3571 tls-options=... Specify various TLS implementation options.
943c5f16 3572
3f5b28fe 3573 OpenSSL options most important are:
1f1f29e8 3574
3f5b28fe 3575 NO_SSLv3 Disallow the use of SSLv3
1f1f29e8 3576
943c5f16
HN		 3577 SINGLE_DH_USE
3578 Always create a new key when using
3579 temporary/ephemeral DH key exchanges
1f1f29e8 3580
ce0adf1a 3581 NO_TICKET
1f1f29e8
AJ		 3582 Disable use of RFC5077 session tickets.
3583 Some servers may have problems
3584 understanding the TLS extension due
3585 to ambiguous specification in RFC4507.
3586
943c5f16
HN		 3587 ALL Enable various bug workarounds
3588 suggested as "harmless" by OpenSSL
3589 Be warned that this reduces SSL/TLS
3590 strength to some attacks.
3591
3592 See the OpenSSL SSL_CTX_set_options documentation for a
3593 more complete list.
3f5b28fe
AJ		 3594
3595 GnuTLS options most important are:
3596
3597 %NO_TICKETS
3598 Disable use of RFC5077 session tickets.
3599 Some servers may have problems
3600 understanding the TLS extension due
3601 to ambiguous specification in RFC4507.
3602
3603 See the GnuTLS Priority Strings documentation
3604 for a more complete list.
3605 http://www.gnutls.org/manual/gnutls.html#Priority-Strings
3606
86a84cc0
AJ		 3607 tls-cafile= PEM file containing CA certificates to use when verifying
3608 the peer certificate. May be repeated to load multiple files.
2b94f655
AJ		 3609
3610 sslcapath=... A directory containing additional CA certificates to
3611 use when verifying the peer certificate.
86a84cc0 3612 Requires OpenSSL or LibreSSL.
2b94f655
AJ		 3613
3614 sslcrlfile=... A certificate revocation list file to use when
3615 verifying the peer certificate.
3616
3617 sslflags=... Specify various flags modifying the SSL implementation:
3618
41bd17a4 3619 DONT_VERIFY_PEER
3620 Accept certificates even if they fail to
3621 verify.
1f1f29e8 3622
41bd17a4 3623 DONT_VERIFY_DOMAIN
3624 Don't verify the peer certificate
3625 matches the server name
2b94f655
AJ		 3626
3627 ssldomain= The peer name as advertised in it's certificate.
3628 Used for verifying the correctness of the received peer
3629 certificate. If not specified the peer hostname will be
3630 used.
3631
bad9c5e4 3632 front-end-https[=off|on|auto]
2b94f655
AJ		 3633 Enable the "Front-End-Https: On" header needed when
3634 using Squid as a SSL frontend in front of Microsoft OWA.
3635 See MS KB document Q307347 for details on this header.
3636 If set to auto the header will only be added if the
3637 request is forwarded as a https:// URL.
435c72b0
AJ		 3638
3639 tls-default-ca[=off]
3640 Whether to use the system Trusted CAs. Default is ON.
2b94f655 3641
b05d749d
AJ		 3642 tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
3643
2b94f655
AJ		 3644 ==== GENERAL OPTIONS ====
3645
3646 connect-timeout=N
3647 A peer-specific connect timeout.
3648 Also see the peer_connect_timeout directive.
3649
3650 connect-fail-limit=N
3651 How many times connecting to a peer must fail before
e8dca475
CT		 3652 it is marked as down. Standby connection failures
3653 count towards this limit. Default is 10.
2b94f655
AJ		 3654
3655 allow-miss Disable Squid's use of only-if-cached when forwarding
3656 requests to siblings. This is primarily useful when
a5bb0c26
AR		 3657 icp_hit_stale is used by the sibling. Excessive use
3658 of this option may result in forwarding loops. One way
3659 to prevent peering loops when using this option, is to
3660 deny cache peer usage on requests from a peer:
3661 acl fromPeer ...
3662 cache_peer_access peerName deny fromPeer
2b94f655 3663
e8dca475
CT		 3664 max-conn=N Limit the number of concurrent connections the Squid
3665 may open to this peer, including already opened idle
3666 and standby connections. There is no peer-specific
3667 connection limit by default.
3668
3669 A peer exceeding the limit is not used for new
3670 requests unless a standby connection is available.
3671
3672 max-conn currently works poorly with idle persistent
3673 connections: When a peer reaches its max-conn limit,
3674 and there are idle persistent connections to the peer,
3675 the peer may not be selected because the limiting code
3676 does not know whether Squid can reuse those idle
3677 connections.
3678
3679 standby=N Maintain a pool of N "hot standby" connections to an
3680 UP peer, available for requests when no idle
3681 persistent connection is available (or safe) to use.
3682 By default and with zero N, no such pool is maintained.
3683 N must not exceed the max-conn limit (if any).
3684
3685 At start or after reconfiguration, Squid opens new TCP
3686 standby connections until there are N connections
3687 available and then replenishes the standby pool as
3688 opened connections are used up for requests. A used
3689 connection never goes back to the standby pool, but
3690 may go to the regular idle persistent connection pool
3691 shared by all peers and origin servers.
3692
3693 Squid never opens multiple new standby connections
3694 concurrently. This one-at-a-time approach minimizes
3695 flooding-like effect on peers. Furthermore, just a few
3696 standby connections should be sufficient in most cases
3697 to supply most new requests with a ready-to-use
3698 connection.
3699
3700 Standby connections obey server_idle_pconn_timeout.
3701 For the feature to work as intended, the peer must be
3702 configured to accept and keep them open longer than
3703 the idle timeout at the connecting Squid, to minimize
3704 race conditions typical to idle used persistent
3705 connections. Default request_timeout and
3706 server_idle_pconn_timeout values ensure such a
3707 configuration.
2b94f655
AJ		 3708
3709 name=xxx Unique name for the peer.
3710 Required if you have multiple peers on the same host
3711 but different ports.
3712 This name can be used in cache_peer_access and similar
a5bb0c26 3713 directives to identify the peer.
2b94f655
AJ		 3714 Can be used by outgoing access controls through the
3715 peername ACL type.
3716
b0758e04
AJ		 3717 no-tproxy Do not use the client-spoof TPROXY support when forwarding
3718 requests to this peer. Use normal address selection instead.
0d901ef4 3719 This overrides the spoof_client_ip ACL.
b0758e04 3720
2b94f655
AJ		 3721 proxy-only objects fetched from the peer will not be stored locally.
3722
41bd17a4 3723DOC_END
cccac0a2 3724
41bd17a4 3725NAME: cache_peer_access
3726TYPE: peer_access
3727DEFAULT: none
a5bb0c26 3728DEFAULT_DOC: No peer usage restrictions.
41bd17a4 3729LOC: none
3730DOC_START
a5bb0c26 3731 Restricts usage of cache_peer proxies.
cccac0a2 3732
638402dd 3733 Usage:
a5bb0c26
AR		 3734 cache_peer_access peer-name allow|deny [!]aclname ...
3735
3736 For the required peer-name parameter, use either the value of the
3737 cache_peer name=value parameter or, if name=value is missing, the
3738 cache_peer hostname parameter.
3739
3740 This directive narrows down the selection of peering candidates, but
3741 does not determine the order in which the selected candidates are
3742 contacted. That order is determined by the peer selection algorithms
3743 (see PEER SELECTION sections in the cache_peer documentation).
3744
3745 If a deny rule matches, the corresponding peer will not be contacted
3746 for the current transaction -- Squid will not send ICP queries and
3747 will not forward HTTP requests to that peer. An allow match leaves
3748 the corresponding peer in the selection. The first match for a given
3749 peer wins for that peer.
3750
3751 The relative order of cache_peer_access directives for the same peer
3752 matters. The relative order of any two cache_peer_access directives
3753 for different peers does not matter. To ease interpretation, it is a
3754 good idea to group cache_peer_access directives for the same peer
3755 together.
3756
3757 A single cache_peer_access directive may be evaluated multiple times
3758 for a given transaction because individual peer selection algorithms
3759 may check it independently from each other. These redundant checks
3760 may be optimized away in future Squid versions.
3761
3762 This clause only supports fast acl types.
3763 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
dd9b1776 3764
41bd17a4 3765DOC_END
dd9b1776 3766
41bd17a4 3767NAME: neighbor_type_domain
3768TYPE: hostdomaintype
3769DEFAULT: none
638402dd 3770DEFAULT_DOC: The peer type from cache_peer directive is used for all requests to that peer.
41bd17a4 3771LOC: none
3772DOC_START
638402dd
AJ		 3773 Modify the cache_peer neighbor type when passing requests
3774 about specific domains to the peer.
cccac0a2 3775
638402dd
AJ		 3776 Usage:
3777 neighbor_type_domain neighbor parent|sibling domain domain ...
6bf4f823 3778
638402dd
AJ		 3779 For example:
3780 cache_peer foo.example.com parent 3128 3130
3781 neighbor_type_domain foo.example.com sibling .au .de
6bf4f823 3782
638402dd
AJ		 3783 The above configuration treats all requests to foo.example.com as a
3784 parent proxy unless the request is for a .au or .de ccTLD domain name.
41bd17a4 3785DOC_END
6bf4f823 3786
41bd17a4 3787NAME: dead_peer_timeout
3788COMMENT: (seconds)
3789DEFAULT: 10 seconds
3790TYPE: time_t
3791LOC: Config.Timeout.deadPeer
3792DOC_START
3793 This controls how long Squid waits to declare a peer cache
3794 as "dead." If there are no ICP replies received in this
3795 amount of time, Squid will declare the peer dead and not
3796 expect to receive any further ICP replies. However, it
3797 continues to send ICP queries, and will mark the peer as
3798 alive upon receipt of the first subsequent ICP reply.
699acd19 3799
41bd17a4 3800 This timeout also affects when Squid expects to receive ICP
3801 replies from peers. If more than 'dead_peer' seconds have
3802 passed since the last ICP reply was received, Squid will not
3803 expect to receive an ICP reply on the next query. Thus, if
3804 your time between requests is greater than this timeout, you
3805 will see a lot of requests sent DIRECT to origin servers
3806 instead of to your parents.
3807DOC_END
cccac0a2 3808
437823b4 3809NAME: forward_max_tries
6c367206 3810DEFAULT: 25
437823b4
AJ		 3811TYPE: int
3812LOC: Config.forward_max_tries
3813DOC_START
3814 Controls how many different forward paths Squid will try
3815 before giving up. See also forward_timeout.
31ef19cd
AJ		 3816
3817 NOTE: connect_retries (default: none) can make each of these
3818 possible forwarding paths be tried multiple times.
437823b4
AJ		 3819DOC_END
3820
41bd17a4 3821COMMENT_START
3822 MEMORY CACHE OPTIONS
3823 -----------------------------------------------------------------------------
3824COMMENT_END
3825
3826NAME: cache_mem
3827COMMENT: (bytes)
3828TYPE: b_size_t
df2eec10 3829DEFAULT: 256 MB
41bd17a4 3830LOC: Config.memMaxSize
6b698a21 3831DOC_START
41bd17a4 3832 NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
3833 IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
3834 USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
3835 THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
3836
3837 'cache_mem' specifies the ideal amount of memory to be used
3838 for:
3839 * In-Transit objects
3840 * Hot Objects
3841 * Negative-Cached objects
3842
3843 Data for these objects are stored in 4 KB blocks. This
3844 parameter specifies the ideal upper limit on the total size of
3845 4 KB blocks allocated. In-Transit objects take the highest
3846 priority.
3847
3848 In-transit objects have priority over the others. When
3849 additional space is needed for incoming data, negative-cached
3850 and hot objects will be released. In other words, the
3851 negative-cached and hot objects will fill up any unused space
3852 not needed for in-transit objects.
3853
3854 If circumstances require, this limit will be exceeded.
3855 Specifically, if your incoming request rate requires more than
3856 'cache_mem' of memory to hold in-transit objects, Squid will
3857 exceed this limit to satisfy the new requests. When the load
3858 decreases, blocks will be freed until the high-water mark is
3859 reached. Thereafter, blocks will be used to store hot
3860 objects.
29f35ca5
AR		 3861
3862 If shared memory caching is enabled, Squid does not use the shared
3863 cache space for in-transit objects, but they still consume as much
3864 local memory as they need. For more details about the shared memory
3865 cache, see memory_cache_shared.
6b698a21 3866DOC_END
0976f8db 3867
41bd17a4 3868NAME: maximum_object_size_in_memory
3869COMMENT: (bytes)
3870TYPE: b_size_t
df2eec10 3871DEFAULT: 512 KB
41bd17a4 3872LOC: Config.Store.maxInMemObjSize
6b698a21 3873DOC_START
41bd17a4 3874 Objects greater than this size will not be attempted to kept in
3875 the memory cache. This should be set high enough to keep objects
3876 accessed frequently in memory to improve performance whilst low
3877 enough to keep larger objects from hoarding cache_mem.
6b698a21 3878DOC_END
0976f8db 3879
57af1e3f
AR		 3880NAME: memory_cache_shared
3881COMMENT: on|off
3882TYPE: YesNoNone
3883LOC: Config.memShared
3884DEFAULT: none
70f856bc 3885DEFAULT_DOC: "on" where supported if doing memory caching with multiple SMP workers.
57af1e3f
AR		 3886DOC_START
3887 Controls whether the memory cache is shared among SMP workers.
3888
70f856bc
AR		 3889 The shared memory cache is meant to occupy cache_mem bytes and replace
3890 the non-shared memory cache, although some entities may still be
3891 cached locally by workers for now (e.g., internal and in-transit
3892 objects may be served from a local memory cache even if shared memory
3893 caching is enabled).
3894
65b81b27 3895 By default, the memory cache is shared if and only if all of the
70f856bc
AR		 3896 following conditions are satisfied: Squid runs in SMP mode with
3897 multiple workers, cache_mem is positive, and Squid environment
3898 supports required IPC primitives (e.g., POSIX shared memory segments
3899 and GCC-style atomic operations).
3900
3901 To avoid blocking locks, shared memory uses opportunistic algorithms
3902 that do not guarantee that every cachable entity that could have been
3903 shared among SMP workers will actually be shared.
57af1e3f
AR		 3904DOC_END
3905
ea21d497
HN		 3906NAME: memory_cache_mode
3907TYPE: memcachemode
3908LOC: Config
3909DEFAULT: always
638402dd 3910DEFAULT_DOC: Keep the most recently fetched objects in memory
ff4b33f4 3911DOC_START
ea21d497 3912 Controls which objects to keep in the memory cache (cache_mem)
ff4b33f4 3913
ea21d497
HN		 3914 always Keep most recently fetched objects in memory (default)
3915
3916 disk Only disk cache hits are kept in memory, which means
3917 an object must first be cached on disk and then hit
3918 a second time before cached in memory.
3919
3920 network Only objects fetched from network is kept in memory
ff4b33f4
HN		 3921DOC_END
3922
41bd17a4 3923NAME: memory_replacement_policy
3924TYPE: removalpolicy
3925LOC: Config.memPolicy
3926DEFAULT: lru
6b698a21 3927DOC_START
41bd17a4 3928 The memory replacement policy parameter determines which
3929 objects are purged from memory when memory space is needed.
7f7db318 3930
638402dd 3931 See cache_replacement_policy for details on algorithms.
41bd17a4 3932DOC_END
6b698a21 3933
41bd17a4 3934COMMENT_START
3935 DISK CACHE OPTIONS
3936 -----------------------------------------------------------------------------
3937COMMENT_END
6b698a21 3938
41bd17a4 3939NAME: cache_replacement_policy
3940TYPE: removalpolicy
3941LOC: Config.replPolicy
3942DEFAULT: lru
3943DOC_START
3944 The cache replacement policy parameter determines which
3945 objects are evicted (replaced) when disk space is needed.
6b698a21 3946
41bd17a4 3947 lru : Squid's original list based LRU policy
3948 heap GDSF : Greedy-Dual Size Frequency
3949 heap LFUDA: Least Frequently Used with Dynamic Aging
3950 heap LRU : LRU policy implemented using a heap
6b698a21 3951
638402dd 3952 Applies to any cache_dir lines listed below this directive.
7f7db318 3953
41bd17a4 3954 The LRU policies keeps recently referenced objects.
0976f8db 3955
41bd17a4 3956 The heap GDSF policy optimizes object hit rate by keeping smaller
3957 popular objects in cache so it has a better chance of getting a
3958 hit. It achieves a lower byte hit rate than LFUDA though since
3959 it evicts larger (possibly popular) objects.
0976f8db 3960
41bd17a4 3961 The heap LFUDA policy keeps popular objects in cache regardless of
3962 their size and thus optimizes byte hit rate at the expense of
3963 hit rate since one large, popular object will prevent many
3964 smaller, slightly less popular objects from being cached.
0976f8db 3965
41bd17a4 3966 Both policies utilize a dynamic aging mechanism that prevents
3967 cache pollution that can otherwise occur with frequency-based
3968 replacement policies.
7d90757b 3969
41bd17a4 3970 NOTE: if using the LFUDA replacement policy you should increase
b51ec8c8 3971 the value of maximum_object_size above its default of 4 MB to
41bd17a4 3972 to maximize the potential byte hit rate improvement of LFUDA.
dc1af3cf 3973
41bd17a4 3974 For more information about the GDSF and LFUDA cache replacement
3975 policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
3976 and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
6b698a21 3977DOC_END
0976f8db 3978
a345387f
AJ		 3979NAME: minimum_object_size
3980COMMENT: (bytes)
3981TYPE: b_int64_t
3982DEFAULT: 0 KB
3983DEFAULT_DOC: no limit
3984LOC: Config.Store.minObjectSize
3985DOC_START
3986 Objects smaller than this size will NOT be saved on disk. The
3987 value is specified in bytes, and the default is 0 KB, which
3988 means all responses can be stored.
3989DOC_END
3990
3991NAME: maximum_object_size
3992COMMENT: (bytes)
3993TYPE: b_int64_t
3994DEFAULT: 4 MB
3995LOC: Config.Store.maxObjectSize
3996DOC_START
499f852c 3997 Set the default value for max-size parameter on any cache_dir.
a345387f
AJ		 3998 The value is specified in bytes, and the default is 4 MB.
3999
4000 If you wish to get a high BYTES hit ratio, you should probably
4001 increase this (one 32 MB object hit counts for 3200 10KB
4002 hits).
4003
4004 If you wish to increase hit ratio more than you want to
4005 save bandwidth you should leave this low.
4006
4007 NOTE: if using the LFUDA replacement policy you should increase
4008 this value to maximize the byte hit rate improvement of LFUDA!
4009 See cache_replacement_policy for a discussion of this policy.
4010DOC_END
4011
41bd17a4 4012NAME: cache_dir
4013TYPE: cachedir
4014DEFAULT: none
638402dd 4015DEFAULT_DOC: No disk cache. Store cache ojects only in memory.
41bd17a4 4016LOC: Config.cacheSwap
6b698a21 4017DOC_START
638402dd
AJ		 4018 Format:
4019 cache_dir Type Directory-Name Fs-specific-data [options]
0976f8db 4020
41bd17a4 4021 You can specify multiple cache_dir lines to spread the
4022 cache among different disk partitions.
0976f8db 4023
41bd17a4 4024 Type specifies the kind of storage system to use. Only "ufs"
4025 is built by default. To enable any of the other storage systems
4026 see the --enable-storeio configure option.
0976f8db 4027
41bd17a4 4028 'Directory' is a top-level directory where cache swap
4029 files will be stored. If you want to use an entire disk
4030 for caching, this can be the mount-point directory.
4031 The directory must exist and be writable by the Squid
4032 process. Squid will NOT create this directory for you.
0976f8db 4033
acf69d74
AJ		 4034 In SMP configurations, cache_dir must not precede the workers option
4035 and should use configuration macros or conditionals to give each
4036 worker interested in disk caching a dedicated cache directory.
4037
638402dd
AJ		 4038
4039 ==== The ufs store type ====
0976f8db 4040
41bd17a4 4041 "ufs" is the old well-known Squid storage format that has always
4042 been there.
0976f8db 4043
638402dd
AJ		 4044 Usage:
4045 cache_dir ufs Directory-Name Mbytes L1 L2 [options]
0976f8db 4046
41bd17a4 4047 'Mbytes' is the amount of disk space (MB) to use under this
4048 directory. The default is 100 MB. Change this to suit your
4049 configuration. Do NOT put the size of your disk drive here.
4050 Instead, if you want Squid to use the entire disk drive,
4051 subtract 20% and use that value.
0976f8db 4052
56fba4d0 4053 'L1' is the number of first-level subdirectories which
41bd17a4 4054 will be created under the 'Directory'. The default is 16.
0976f8db 4055
56fba4d0 4056 'L2' is the number of second-level subdirectories which
41bd17a4 4057 will be created under each first-level directory. The default
4058 is 256.
0976f8db 4059
638402dd
AJ		 4060
4061 ==== The aufs store type ====
7f7db318 4062
41bd17a4 4063 "aufs" uses the same storage format as "ufs", utilizing
4064 POSIX-threads to avoid blocking the main Squid process on
4065 disk-I/O. This was formerly known in Squid as async-io.
38f9c547 4066
638402dd
AJ		 4067 Usage:
4068 cache_dir aufs Directory-Name Mbytes L1 L2 [options]
38f9c547 4069
41bd17a4 4070 see argument descriptions under ufs above
38f9c547 4071
638402dd
AJ		 4072
4073 ==== The diskd store type ====
38f9c547 4074
41bd17a4 4075 "diskd" uses the same storage format as "ufs", utilizing a
4076 separate process to avoid blocking the main Squid process on
4077 disk-I/O.
4c3ef9b2 4078
638402dd
AJ		 4079 Usage:
4080 cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
0976f8db 4081
41bd17a4 4082 see argument descriptions under ufs above
0976f8db 4083
41bd17a4 4084 Q1 specifies the number of unacknowledged I/O requests when Squid
4085 stops opening new files. If this many messages are in the queues,
4086 Squid won't open new files. Default is 64
0976f8db 4087
41bd17a4 4088 Q2 specifies the number of unacknowledged messages when Squid
4089 starts blocking. If this many messages are in the queues,
4090 Squid blocks until it receives some replies. Default is 72
0976f8db 4091
41bd17a4 4092 When Q1 < Q2 (the default), the cache directory is optimized
4093 for lower response time at the expense of a decrease in hit
4094 ratio. If Q1 > Q2, the cache directory is optimized for
4095 higher hit ratio at the expense of an increase in response
4096 time.
0976f8db 4097
e2851fe7 4098
638402dd
AJ		 4099 ==== The rock store type ====
4100
4101 Usage:
e51ce7da 4102 cache_dir rock Directory-Name Mbytes [options]
e2851fe7 4103
2e55f083 4104 The Rock Store type is a database-style storage. All cached
e51ce7da
AR		 4105 entries are stored in a "database" file, using fixed-size slots.
4106 A single entry occupies one or more slots.
e2851fe7 4107
3e1dfe3d
AR		 4108 If possible, Squid using Rock Store creates a dedicated kid
4109 process called "disker" to avoid blocking Squid worker(s) on disk
4110 I/O. One disker kid is created for each rock cache_dir. Diskers
4111 are created only when Squid, running in daemon mode, has support
4112 for the IpcIo disk I/O module.
4113
43ebbac3
AR		 4114 swap-timeout=msec: Squid will not start writing a miss to or
4115 reading a hit from disk if it estimates that the swap operation
4116 will take more than the specified number of milliseconds. By
4117 default and when set to zero, disables the disk I/O time limit
4118 enforcement. Ignored when using blocking I/O module because
4119 blocking synchronous I/O does not allow Squid to estimate the
4120 expected swap wait time.
4121
df881a0f 4122 max-swap-rate=swaps/sec: Artificially limits disk access using
1e614370 4123 the specified I/O rate limit. Swap out requests that
df881a0f 4124 would cause the average I/O rate to exceed the limit are
1e614370
DK		 4125 delayed. Individual swap in requests (i.e., hits or reads) are
4126 not delayed, but they do contribute to measured swap rate and
4127 since they are placed in the same FIFO queue as swap out
4128 requests, they may wait longer if max-swap-rate is smaller.
4129 This is necessary on file systems that buffer "too
df881a0f
AR		 4130 many" writes and then start blocking Squid and other processes
4131 while committing those writes to disk. Usually used together
4132 with swap-timeout to avoid excessive delays and queue overflows
4133 when disk demand exceeds available disk "bandwidth". By default
4134 and when set to zero, disables the disk I/O rate limit
4135 enforcement. Currently supported by IpcIo module only.
4136
e51ce7da
AR		 4137 slot-size=bytes: The size of a database "record" used for
4138 storing cached responses. A cached response occupies at least
4139 one slot and all database I/O is done using individual slots so
4140 increasing this parameter leads to more disk space waste while
4141 decreasing it leads to more disk I/O overheads. Should be a
4142 multiple of your operating system I/O page size. Defaults to
4143 16KBytes. A housekeeping header is stored with each slot and
4144 smaller slot-sizes will be rejected. The header is smaller than
4145 100 bytes.
4146
df881a0f 4147
638402dd 4148 ==== COMMON OPTIONS ====
0976f8db 4149
638402dd
AJ		 4150 no-store no new objects should be stored to this cache_dir.
4151
4152 min-size=n the minimum object size in bytes this cache_dir
4153 will accept. It's used to restrict a cache_dir
4154 to only store large objects (e.g. AUFS) while
4155 other stores are optimized for smaller objects
73656056 4156 (e.g. Rock).
638402dd 4157 Defaults to 0.
0976f8db 4158
638402dd
AJ		 4159 max-size=n the maximum object size in bytes this cache_dir
4160 supports.
499f852c
A		 4161 The value in maximum_object_size directive sets
4162 the default unless more specific details are
4163 available (ie a small store capacity).
b6662ffd 4164
41bd17a4 4165 Note: To make optimal use of the max-size limits you should order
638402dd 4166 the cache_dir lines with the smallest max-size value first.
0976f8db 4167
bebc043b 4168NOCOMMENT_START
e0855596
AJ		 4169
4170# Uncomment and adjust the following to add a disk cache directory.
4171#cache_dir ufs @DEFAULT_SWAP_DIR@ 100 16 256
bebc043b 4172NOCOMMENT_END
6b698a21 4173DOC_END
0976f8db 4174
41bd17a4 4175NAME: store_dir_select_algorithm
4176TYPE: string
4177LOC: Config.store_dir_select_algorithm
4178DEFAULT: least-load
6b698a21 4179DOC_START
638402dd
AJ		 4180 How Squid selects which cache_dir to use when the response
4181 object will fit into more than one.
4182
4183 Regardless of which algorithm is used the cache_dir min-size
4184 and max-size parameters are obeyed. As such they can affect
4185 the selection algorithm by limiting the set of considered
4186 cache_dir.
4187
4188 Algorithms:
4189
4190 least-load
4191
4192 This algorithm is suited to caches with similar cache_dir
4193 sizes and disk speeds.
4194
4195 The disk with the least I/O pending is selected.
4196 When there are multiple disks with the same I/O load ranking
4197 the cache_dir with most available capacity is selected.
4198
4199 When a mix of cache_dir sizes are configured the faster disks
4200 have a naturally lower I/O loading and larger disks have more
4201 capacity. So space used to store objects and data throughput
4202 may be very unbalanced towards larger disks.
4203
4204
4205 round-robin
4206
4207 This algorithm is suited to caches with unequal cache_dir
4208 disk sizes.
4209
4210 Each cache_dir is selected in a rotation. The next suitable
4211 cache_dir is used.
4212
4213 Available cache_dir capacity is only considered in relation
4214 to whether the object will fit and meets the min-size and
4215 max-size parameters.
4216
4217 Disk I/O loading is only considered to prevent overload on slow
4218 disks. This algorithm does not spread objects by size, so any
4219 I/O loading per-disk may appear very unbalanced and volatile.
4220
29a238a3
AR		 4221 If several cache_dirs use similar min-size, max-size, or other
4222 limits to to reject certain responses, then do not group such
4223 cache_dir lines together, to avoid round-robin selection bias
4224 towards the first cache_dir after the group. Instead, interleave
4225 cache_dir lines from different groups. For example:
4226
4227 store_dir_select_algorithm round-robin
4228 cache_dir rock /hdd1 ... min-size=100000
4229 cache_dir rock /ssd1 ... max-size=99999
4230 cache_dir rock /hdd2 ... min-size=100000
4231 cache_dir rock /ssd2 ... max-size=99999
4232 cache_dir rock /hdd3 ... min-size=100000
4233 cache_dir rock /ssd3 ... max-size=99999
6b698a21 4234DOC_END
0976f8db 4235
41bd17a4 4236NAME: max_open_disk_fds
4237TYPE: int
4238LOC: Config.max_open_disk_fds
4239DEFAULT: 0
638402dd 4240DEFAULT_DOC: no limit
6b698a21 4241DOC_START
41bd17a4 4242 To avoid having disk as the I/O bottleneck Squid can optionally
4243 bypass the on-disk cache if more than this amount of disk file
4244 descriptors are open.
4245
4246 A value of 0 indicates no limit.
6b698a21 4247DOC_END
0976f8db 4248
41bd17a4 4249NAME: cache_swap_low
4250COMMENT: (percent, 0-100)
5473c134 4251TYPE: int
41bd17a4 4252DEFAULT: 90
4253LOC: Config.Swap.lowWaterMark
638402dd 4254DOC_START
5f662601
AJ		 4255 The low-water mark for AUFS/UFS/diskd cache object eviction by
4256 the cache_replacement_policy algorithm.
4257
4258 Removal begins when the swap (disk) usage of a cache_dir is
4259 above this low-water mark and attempts to maintain utilization
4260 near the low-water mark.
4261
4262 As swap utilization increases towards the high-water mark set
4263 by cache_swap_high object eviction becomes more agressive.
4264
4265 The value difference in percentages between low- and high-water
7bcaf76f 4266 marks represent an eviction rate of 300 objects per second and
5f662601
AJ		 4267 the rate continues to scale in agressiveness by multiples of
4268 this above the high-water mark.
638402dd
AJ		 4269
4270 Defaults are 90% and 95%. If you have a large cache, 5% could be
4271 hundreds of MB. If this is the case you may wish to set these
4272 numbers closer together.
4273
5f662601 4274 See also cache_swap_high and cache_replacement_policy
638402dd 4275DOC_END
41bd17a4 4276
4277NAME: cache_swap_high
4278COMMENT: (percent, 0-100)
4279TYPE: int
4280DEFAULT: 95
4281LOC: Config.Swap.highWaterMark
6b698a21 4282DOC_START
5f662601
AJ		 4283 The high-water mark for AUFS/UFS/diskd cache object eviction by
4284 the cache_replacement_policy algorithm.
4285
4286 Removal begins when the swap (disk) usage of a cache_dir is
4287 above the low-water mark set by cache_swap_low and attempts to
4288 maintain utilization near the low-water mark.
4289
4290 As swap utilization increases towards this high-water mark object
4291 eviction becomes more agressive.
4292
4293 The value difference in percentages between low- and high-water
7bcaf76f 4294 marks represent an eviction rate of 300 objects per second and
5f662601
AJ		 4295 the rate continues to scale in agressiveness by multiples of
4296 this above the high-water mark.
41bd17a4 4297
4298 Defaults are 90% and 95%. If you have a large cache, 5% could be
4299 hundreds of MB. If this is the case you may wish to set these
4300 numbers closer together.
638402dd 4301
5f662601 4302 See also cache_swap_low and cache_replacement_policy
6b698a21 4303DOC_END
0976f8db 4304
5473c134 4305COMMENT_START
41bd17a4 4306 LOGFILE OPTIONS
5473c134 4307 -----------------------------------------------------------------------------
4308COMMENT_END
0976f8db 4309
41bd17a4 4310NAME: logformat
4311TYPE: logformat
20efa1c2 4312LOC: Log::TheConfig
5473c134 4313DEFAULT: none
638402dd 4314DEFAULT_DOC: The format definitions squid, common, combined, referrer, useragent are built in.
6b698a21 4315DOC_START
41bd17a4 4316 Usage:
0976f8db 4317
41bd17a4 4318 logformat <name> <format specification>
0976f8db 4319
41bd17a4 4320 Defines an access log format.
6b698a21 4321
41bd17a4 4322 The <format specification> is a string with embedded % format codes
5473c134 4323
41bd17a4 4324 % format codes all follow the same basic structure where all but
4325 the formatcode is optional. Output strings are automatically escaped
4326 as required according to their context and the output format
4327 modifiers are usually not needed, but can be specified if an explicit
4328 output format is desired.
6b698a21 4329
95d78f10 4330 % ["|[|'|#|/] [-] [[0]width] [{arg}] formatcode [{arg}]
0976f8db 4331
41bd17a4 4332 " output in quoted string format
4333 [ output in squid text log format as used by log_mime_hdrs
4334 # output in URL quoted format
95d78f10 4335 / output in shell \-escaped format
41bd17a4 4336 ' output as-is
5473c134 4337
41bd17a4 4338 - left aligned
c32c6db7
AR		 4339
4340 width minimum and/or maximum field width:
4341 [width_min][.width_max]
e2851fe7
AR		 4342 When minimum starts with 0, the field is zero-padded.
4343 String values exceeding maximum width are truncated.
c32c6db7 4344
4e56d7f6
AJ		 4345 {arg} argument such as header name etc. This field may be
4346 placed before or after the token, but not both at once.
5473c134 4347
41bd17a4 4348 Format codes:
5473c134 4349
3ff65596 4350 % a literal % character
f4b68e1a
AJ		 4351 sn Unique sequence number per log line entry
4352 err_code The ID of an error response served by Squid or
4353 a similar internal error identifier.
4354 err_detail Additional err_code-dependent error information.
c7bcf010 4355 note The annotation specified by the argument. Also
d7f4a0b7
CT		 4356 logs the adaptation meta headers set by the
4357 adaptation_meta configuration parameter.
c7bcf010
CT		 4358 If no argument given all annotations logged.
4359 The argument may include a separator to use with
4360 annotation values:
4361 name[:separator]
4362 By default, multiple note values are separated with ","
4363 and multiple notes are separated with "\r\n".
4364 When logging named notes with %{name}note, the
4365 explicitly configured separator is used between note
4366 values. When logging all notes with %note, the
4367 explicitly configured separator is used between
4368 individual notes. There is currently no way to
4369 specify both value and notes separators when logging
4370 all notes with %note.
f4b68e1a
AJ		 4371
4372 Connection related format codes:
4373
41bd17a4 4374 >a Client source IP address
4375 >A Client FQDN
4376 >p Client source port
8652f8e7
AJ		 4377 >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
4378 >la Local IP address the client connected to
4379 >lp Local port number the client connected to
f123f5e9
CT		 4380 >qos Client connection TOS/DSCP value set by Squid
4381 >nfmark Client connection netfilter mark set by Squid
8652f8e7 4382
28417506
CT		 4383 la Local listening IP address the client connection was connected to.
4384 lp Local listening port number the client connection was connected to.
4385
8652f8e7
AJ		 4386 <a Server IP address of the last server or peer connection
4387 <A Server FQDN or peer name
4388 <p Server port number of the last server or peer connection
c3a082ae 4389 <la Local IP address of the last server or peer connection
152e24b3 4390 <lp Local port number of the last server or peer connection
f123f5e9
CT		 4391 <qos Server connection TOS/DSCP value set by Squid
4392 <nfmark Server connection netfilter mark set by Squid
f4b68e1a
AJ		 4393
4394 Time related format codes:
4395
41bd17a4 4396 ts Seconds since epoch
4397 tu subsecond time (milliseconds)
4398 tl Local time. Optional strftime format argument
3ff65596 4399 default %d/%b/%Y:%H:%M:%S %z
41bd17a4 4400 tg GMT time. Optional strftime format argument
3ff65596 4401 default %d/%b/%Y:%H:%M:%S %z
41bd17a4 4402 tr Response time (milliseconds)
3ff65596 4403 dt Total time spent making DNS lookups (milliseconds)
af0ded40
CT		 4404 tS Approximate master transaction start time in
4405 <full seconds since epoch>.<fractional seconds> format.
4406 Currently, Squid considers the master transaction
4407 started when a complete HTTP request header initiating
4408 the transaction is received from the client. This is
4409 the same value that Squid uses to calculate transaction
4410 response time when logging %tr to access.log. Currently,
4411 Squid uses millisecond resolution for %tS values,
4412 similar to the default access.log "current time" field
4413 (%ts.%03tu).
3ff65596 4414
8652f8e7
AJ		 4415 Access Control related format codes:
4416
4417 et Tag returned by external acl
4418 ea Log string returned by external acl
4419 un User name (any available)
4420 ul User name from authentication
4421 ue User name from external acl helper
4422 ui User name from ident
50b5c983
AJ		 4423 un A user name. Expands to the first available name
4424 from the following list of information sources:
4425 - authenticated user name, like %ul
4426 - user name supplied by an external ACL, like %ue
4427 - SSL client name, like %us
4428 - ident user name, like %ui
d4806c91
CT		 4429 credentials Client credentials. The exact meaning depends on
4430 the authentication scheme: For Basic authentication,
4431 it is the password; for Digest, the realm sent by the
4432 client; for NTLM and Negotiate, the client challenge
4433 or client credentials prefixed with "YR " or "KK ".
8652f8e7
AJ		 4434
4435 HTTP related format codes:
3ff65596 4436
d6df21d2
AJ		 4437 REQUEST
4438
4439 [http::]rm Request method (GET/POST etc)
4440 [http::]>rm Request method from client
4441 [http::]<rm Request method sent to server or peer
4442 [http::]ru Request URL from client (historic, filtered for logging)
4443 [http::]>ru Request URL from client
4444 [http::]<ru Request URL sent to server or peer
5aca9cf2
AJ		 4445 [http::]>rs Request URL scheme from client
4446 [http::]<rs Request URL scheme sent to server or peer
fa450988 4447 [http::]>rd Request URL domain from client
f42ac6e6 4448 [http::]<rd Request URL domain sent to server or peer
5aca9cf2
AJ		 4449 [http::]>rP Request URL port from client
4450 [http::]<rP Request URL port sent to server or peer
4451 [http::]rp Request URL path excluding hostname
4452 [http::]>rp Request URL path excluding hostname from client
4453 [http::]<rp Request URL path excluding hostname sent to server or peer
d6df21d2
AJ		 4454 [http::]rv Request protocol version
4455 [http::]>rv Request protocol version from client
4456 [http::]<rv Request protocol version sent to server or peer
4457
5aca9cf2 4458 [http::]>h Original received request header.
19483c50
AR		 4459 Usually differs from the request header sent by
4460 Squid, although most fields are often preserved.
4461 Accepts optional header field name/value filter
4462 argument using name[:[separator]element] format.
4463 [http::]>ha Received request header after adaptation and
4464 redirection (pre-cache REQMOD vectoring point).
4465 Usually differs from the request header sent by
4466 Squid, although most fields are often preserved.
6fca33e0 4467 Optional header name argument as for >h
d6df21d2 4468
d6df21d2
AJ		 4469 RESPONSE
4470
4471 [http::]<Hs HTTP status code received from the next hop
4472 [http::]>Hs HTTP status code sent to the client
4473
3ff65596
AR		 4474 [http::]<h Reply header. Optional header name argument
4475 as for >h
d6df21d2
AJ		 4476
4477 [http::]mt MIME content type
4478
4479
4480 SIZE COUNTERS
4481
4482 [http::]st Total size of request + reply traffic with client
4483 [http::]>st Total size of request received from client.
4484 Excluding chunked encoding bytes.
4485 [http::]<st Total size of reply sent to client (after adaptation)
4486
4487 [http::]>sh Size of request headers received from client
4488 [http::]<sh Size of reply headers sent to client (after adaptation)
4489
4490 [http::]<sH Reply high offset sent
4491 [http::]<sS Upstream object size
4492
bae917ac
CT		 4493 [http::]<bs Number of HTTP-equivalent message body bytes
4494 received from the next hop, excluding chunked
4495 transfer encoding and control messages.
4496 Generated FTP/Gopher listings are treated as
4497 received bodies.
d6df21d2 4498
d6df21d2
AJ		 4499 TIMING
4500
3ff65596
AR		 4501 [http::]<pt Peer response time in milliseconds. The timer starts
4502 when the last request byte is sent to the next hop
4503 and stops when the last response byte is received.
d5430dc8 4504 [http::]<tt Total time in milliseconds. The timer
3ff65596
AR		 4505 starts with the first connect request (or write I/O)
4506 sent to the first selected peer. The timer stops
4507 with the last I/O with the last peer.
4508
8652f8e7
AJ		 4509 Squid handling related format codes:
4510
4511 Ss Squid request status (TCP_MISS etc)
4512 Sh Squid hierarchy status (DEFAULT_PARENT etc)
4513
08097970
AR		 4514 SSL-related format codes:
4515
4516 ssl::bump_mode SslBump decision for the transaction:
4517
4518 For CONNECT requests that initiated bumping of
4519 a connection and for any request received on
4520 an already bumped connection, Squid logs the
bf352fb2
CT		 4521 corresponding SslBump mode ("splice", "bump",
4522 "peek", "stare", "terminate", "server-first"
4523 or "client-first"). See the ssl_bump option
4524 for more information about these modes.
08097970
AR		 4525
4526 A "none" token is logged for requests that
4527 triggered "ssl_bump" ACL evaluation matching
bf352fb2 4528 a "none" rule.
08097970
AR		 4529
4530 In all other cases, a single dash ("-") is
4531 logged.
4532
4f6990ec 4533 ssl::>sni SSL client SNI sent to Squid.
cedca6e7 4534
c28b9a0e
AJ		 4535 ssl::>cert_subject
4536 The Subject field of the received client
4537 SSL certificate or a dash ('-') if Squid has
4538 received an invalid/malformed certificate or
4539 no certificate at all. Consider encoding the
4540 logged value because Subject often has spaces.
4541
4542 ssl::>cert_issuer
4543 The Issuer field of the received client
4544 SSL certificate or a dash ('-') if Squid has
4545 received an invalid/malformed certificate or
4546 no certificate at all. Consider encoding the
4547 logged value because Issuer often has spaces.
4548
e2e33acc
CT		 4549 ssl::<cert_subject
4550 The Subject field of the received server
4551 TLS certificate or a dash ('-') if this is
4552 not available. Consider encoding the logged
4553 value because Subject often has spaces.
4554
4555 ssl::>cert_issuer
4556 The Issuer field of the received server
4557 TLS certificate or a dash ('-') if this is
4558 not available. Consider encoding the logged
4559 value because Issuer often has spaces.
4560
c28b9a0e
AJ		 4561 ssl::<cert_errors
4562 The list of certificate validation errors
4563 detected by Squid (including OpenSSL and
4564 certificate validation helper components). The
4565 errors are listed in the discovery order. By
4566 default, the error codes are separated by ':'.
4567 Accepts an optional separator argument.
4568
2bcab852
CT		 4569 %ssl::>negotiated_version The negotiated TLS version of the
4570 client connection.
4571
4572 %ssl::<negotiated_version The negotiated TLS version of the
4573 last server or peer connection.
4574
4575 %ssl::>received_hello_version The TLS version of the Hello
4576 message received from TLS client.
4577
4578 %ssl::<received_hello_version The TLS version of the Hello
4579 message received from TLS server.
4580
4581 %ssl::>received_supported_version The maximum TLS version
4582 supported by the TLS client.
4583
4584 %ssl::<received_supported_version The maximum TLS version
4585 supported by the TLS server.
4586
4587 %ssl::>negotiated_cipher The negotiated cipher of the
4588 client connection.
4589
4590 %ssl::<negotiated_cipher The negotiated cipher of the
4591 last server or peer connection.
4592
5038f9d8 4593 If ICAP is enabled, the following code becomes available (as
3ff65596
AR		 4594 well as ICAP log codes documented with the icap_log option):
4595
4596 icap::tt Total ICAP processing time for the HTTP
4597 transaction. The timer ticks when ICAP
4598 ACLs are checked and when ICAP
4599 transaction is in progress.
4600
c28b9a0e 4601 If adaptation is enabled the following codes become available:
3ff65596 4602
5038f9d8
AR		 4603 adapt::<last_h The header of the last ICAP response or
4604 meta-information from the last eCAP
4605 transaction related to the HTTP transaction.
4606 Like <h, accepts an optional header name
4607 argument.
3ff65596
AR		 4608
4609 adapt::sum_trs Summed adaptation transaction response
4610 times recorded as a comma-separated list in
4611 the order of transaction start time. Each time
4612 value is recorded as an integer number,
4613 representing response time of one or more
4614 adaptation (ICAP or eCAP) transaction in
4615 milliseconds. When a failed transaction is
4616 being retried or repeated, its time is not
4617 logged individually but added to the
4618 replacement (next) transaction. See also:
4619 adapt::all_trs.
4620
4621 adapt::all_trs All adaptation transaction response times.
4622 Same as adaptation_strs but response times of
4623 individual transactions are never added
4624 together. Instead, all transaction response
4625 times are recorded individually.
4626
4627 You can prefix adapt::*_trs format codes with adaptation
4628 service name in curly braces to record response time(s) specific
4629 to that service. For example: %{my_service}adapt::sum_trs
5473c134 4630
7d9acc3c
AJ		 4631 The default formats available (which do not need re-defining) are:
4632
bd85ea1f
AJ		 4633logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
4634logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
4635logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
20efa1c2
AJ		 4636logformat referrer %ts.%03tu %>a %{Referer}>h %ru
4637logformat useragent %>a [%tl] "%{User-Agent}>h"
4638
8652f8e7
AJ		 4639 NOTE: When the log_mime_hdrs directive is set to ON.
4640 The squid, common and combined formats have a safely encoded copy
4641 of the mime headers appended to each line within a pair of brackets.
4642
4643 NOTE: The common and combined formats are not quite true to the Apache definition.
4644 The logs from Squid contain an extra status and hierarchy code appended.
20efa1c2 4645
5473c134 4646DOC_END
4647
41bd17a4 4648NAME: access_log cache_access_log
4649TYPE: access_log
4650LOC: Config.Log.accesslogs
82b7abe3 4651DEFAULT_IF_NONE: daemon:@DEFAULT_ACCESS_LOG@ squid
5473c134 4652DOC_START
fb0c2f17
NH		 4653 Configures whether and how Squid logs HTTP and ICP transactions.
4654 If access logging is enabled, a single line is logged for every
4655 matching HTTP or ICP request. The recommended directive formats are:
4656
4657 access_log <module>:<place> [option ...] [acl acl ...]
4658 access_log none [acl acl ...]
4659
4660 The following directive format is accepted but may be deprecated:
82b7abe3 4661 access_log <module>:<place> [<logformat name> [acl acl ...]]
fb0c2f17
NH		 4662
4663 In most cases, the first ACL name must not contain the '=' character
4664 and should not be equal to an existing logformat name. You can always
4665 start with an 'all' ACL to work around those restrictions.
82b7abe3
AJ		 4666
4667 Will log to the specified module:place using the specified format (which
41bd17a4 4668 must be defined in a logformat directive) those entries which match
4669 ALL the acl's specified (which must be defined in acl clauses).
82b7abe3
AJ		 4670 If no acl is specified, all requests will be logged to this destination.
4671
fb0c2f17
NH		 4672 ===== Available options for the recommended directive format =====
4673
4674 logformat=name Names log line format (either built-in or
4675 defined by a logformat directive). Defaults
4676 to 'squid'.
4677
4678 buffer-size=64KB Defines approximate buffering limit for log
4679 records (see buffered_logs). Squid should not
4680 keep more than the specified size and, hence,
4681 should flush records before the buffer becomes
4682 full to avoid overflows under normal
4683 conditions (the exact flushing algorithm is
4684 module-dependent though). The on-error option
4685 controls overflow handling.
4686
4687 on-error=die|drop Defines action on unrecoverable errors. The
4688 'drop' action ignores (i.e., does not log)
4689 affected log records. The default 'die' action
4690 kills the affected worker. The drop action
4691 support has not been tested for modules other
4692 than tcp.
4693
efc23871
AJ		 4694 rotate=N Specifies the number of log file rotations to
4695 make when you run 'squid -k rotate'. The default
4696 is to obey the logfile_rotate directive. Setting
4697 rotate=0 will disable the file name rotation,
4698 but the log files are still closed and re-opened.
4699 This will enable you to rename the logfiles
4700 yourself just before sending the rotate signal.
4701 Only supported by the stdio module.
4702
82b7abe3
AJ		 4703 ===== Modules Currently available =====
4704
bb7a1781 4705 none Do not log any requests matching these ACL.
82b7abe3
AJ		 4706 Do not specify Place or logformat name.
4707
4708 stdio Write each log line to disk immediately at the completion of
4709 each request.
4710 Place: the filename and path to be written.
4711
4712 daemon Very similar to stdio. But instead of writing to disk the log
4713 line is passed to a daemon helper for asychronous handling instead.
4714 Place: varies depending on the daemon.
4715
4716 log_file_daemon Place: the file name and path to be written.
4717
4718 syslog To log each request via syslog facility.
4719 Place: The syslog facility and priority level for these entries.
4720 Place Format: facility.priority
5473c134 4721
82b7abe3
AJ		 4722 where facility could be any of:
4723 authpriv, daemon, local0 ... local7 or user.
5473c134 4724
82b7abe3
AJ		 4725 And priority could be any of:
4726 err, warning, notice, info, debug.
4727
4728 udp To send each log line as text data to a UDP receiver.
4729 Place: The destination host name or IP and port.
f4fc8610 4730 Place Format: //host:port
df2eec10 4731
2bf4e8fa 4732 tcp To send each log line as text data to a TCP receiver.
fb0c2f17 4733 Lines may be accumulated before sending (see buffered_logs).
2bf4e8fa 4734 Place: The destination host name or IP and port.
f4fc8610 4735 Place Format: //host:port
df2eec10
AJ		 4736
4737 Default:
82b7abe3 4738 access_log daemon:@DEFAULT_ACCESS_LOG@ squid
41bd17a4 4739DOC_END
5473c134 4740
3ff65596
AR		 4741NAME: icap_log
4742TYPE: access_log
4743IFDEF: ICAP_CLIENT
4744LOC: Config.Log.icaplogs
4745DEFAULT: none
4746DOC_START
4747 ICAP log files record ICAP transaction summaries, one line per
4748 transaction.
4749
4750 The icap_log option format is:
4751 icap_log <filepath> [<logformat name> [acl acl ...]]
4752 icap_log none [acl acl ...]]
4753
4754 Please see access_log option documentation for details. The two
4755 kinds of logs share the overall configuration approach and many
4756 features.
4757
4758 ICAP processing of a single HTTP message or transaction may
4759 require multiple ICAP transactions. In such cases, multiple
4760 ICAP transaction log lines will correspond to a single access
4761 log line.
4762
bd59d61c
EB		 4763 ICAP log supports many access.log logformat %codes. In ICAP context,
4764 HTTP message-related %codes are applied to the HTTP message embedded
4765 in an ICAP message. Logformat "%http::>..." codes are used for HTTP
4766 messages embedded in ICAP requests while "%http::<..." codes are used
4767 for HTTP messages embedded in ICAP responses. For example:
4768
4769 http::>h To-be-adapted HTTP message headers sent by Squid to
4770 the ICAP service. For REQMOD transactions, these are
4771 HTTP request headers. For RESPMOD, these are HTTP
4772 response headers, but Squid currently cannot log them
4773 (i.e., %http::>h will expand to "-" for RESPMOD).
4774
4775 http::<h Adapted HTTP message headers sent by the ICAP
4776 service to Squid (i.e., HTTP request headers in regular
4777 REQMOD; HTTP response headers in RESPMOD and during
4778 request satisfaction in REQMOD).
4779
4780 ICAP OPTIONS transactions do not embed HTTP messages.
4781
4782 Several logformat codes below deal with ICAP message bodies. An ICAP
4783 message body, if any, typically includes a complete HTTP message
4784 (required HTTP headers plus optional HTTP message body). When
4785 computing HTTP message body size for these logformat codes, Squid
4786 either includes or excludes chunked encoding overheads; see
4787 code-specific documentation for details.
4788
4789 For Secure ICAP services, all size-related information is currently
4790 computed before/after TLS encryption/decryption, as if TLS was not
4791 in use at all.
3ff65596
AR		 4792
4793 The following format codes are also available for ICAP logs:
4794
4795 icap::<A ICAP server IP address. Similar to <A.
4796
4797 icap::<service_name ICAP service name from the icap_service
4798 option in Squid configuration file.
4799
4800 icap::ru ICAP Request-URI. Similar to ru.
4801
4802 icap::rm ICAP request method (REQMOD, RESPMOD, or
4803 OPTIONS). Similar to existing rm.
4804
bd59d61c
EB		 4805 icap::>st The total size of the ICAP request sent to the ICAP
4806 server (ICAP headers + ICAP body), including chunking
4807 metadata (if any).
3ff65596 4808
bd59d61c
EB		 4809 icap::<st The total size of the ICAP response received from the
4810 ICAP server (ICAP headers + ICAP body), including
4811 chunking metadata (if any).
3ff65596 4812
bd59d61c
EB		 4813 icap::<bs The size of the ICAP response body received from the
4814 ICAP server, excluding chunking metadata (if any).
bae917ac 4815
3ff65596
AR		 4816 icap::tr Transaction response time (in
4817 milliseconds). The timer starts when
4818 the ICAP transaction is created and
4819 stops when the transaction is completed.
4820 Similar to tr.
4821
4822 icap::tio Transaction I/O time (in milliseconds). The
4823 timer starts when the first ICAP request
4824 byte is scheduled for sending. The timers
4825 stops when the last byte of the ICAP response
4826 is received.
4827
4828 icap::to Transaction outcome: ICAP_ERR* for all
4829 transaction errors, ICAP_OPT for OPTION
4830 transactions, ICAP_ECHO for 204
4831 responses, ICAP_MOD for message
4832 modification, and ICAP_SAT for request
4833 satisfaction. Similar to Ss.
4834
4835 icap::Hs ICAP response status code. Similar to Hs.
4836
4837 icap::>h ICAP request header(s). Similar to >h.
4838
4839 icap::<h ICAP response header(s). Similar to <h.
4840
4841 The default ICAP log format, which can be used without an explicit
4842 definition, is called icap_squid:
4843
bd59d61c 4844logformat icap_squid %ts.%03tu %6icap::tr %>A %icap::to/%03icap::Hs %icap::<st %icap::rm %icap::ru %un -/%icap::<A -
3ff65596 4845
bd59d61c 4846 See also: logformat and %adapt::<last_h
3ff65596
AR		 4847DOC_END
4848
82b7abe3
AJ		 4849NAME: logfile_daemon
4850TYPE: string
4851DEFAULT: @DEFAULT_LOGFILED@
4852LOC: Log::TheConfig.logfile_daemon
4853DOC_START
4854 Specify the path to the logfile-writing daemon. This daemon is
4855 used to write the access and store logs, if configured.
14b24caf
HN		 4856
4857 Squid sends a number of commands to the log daemon:
4858 L<data>\n - logfile data
4859 R\n - rotate file
4860 T\n - truncate file
dd68402f 4861 O\n - reopen file
14b24caf
HN		 4862 F\n - flush file
4863 r<n>\n - set rotate count to <n>
4864 b<n>\n - 1 = buffer output, 0 = don't buffer output
4865
4866 No responses is expected.
82b7abe3
AJ		 4867DOC_END
4868
8ebad780 4869NAME: stats_collection
3ff65596 4870TYPE: acl_access
8ebad780 4871LOC: Config.accessList.stats_collection
3ff65596 4872DEFAULT: none
638402dd 4873DEFAULT_DOC: Allow logging for all transactions.
5b0f5383 4874COMMENT: allow|deny acl acl...
3ff65596 4875DOC_START
8ebad780
CT		 4876 This options allows you to control which requests gets accounted
4877 in performance counters.
b3567eb5
FC		 4878
4879 This clause only supports fast acl types.
4880 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
3ff65596
AR		 4881DOC_END
4882
41bd17a4 4883NAME: cache_store_log
4884TYPE: string
df2eec10 4885DEFAULT: none
41bd17a4 4886LOC: Config.Log.store
4887DOC_START
4888 Logs the activities of the storage manager. Shows which
4889 objects are ejected from the cache, and which objects are
6d1dfcfc 4890 saved and for how long.
df2eec10 4891 There are not really utilities to analyze this data, so you can safely
6d1dfcfc
AJ		 4892 disable it (the default).
4893
4894 Store log uses modular logging outputs. See access_log for the list
4895 of modules supported.
4896
e0855596 4897 Example:
6d1dfcfc
AJ		 4898 cache_store_log stdio:@DEFAULT_STORE_LOG@
4899 cache_store_log daemon:@DEFAULT_STORE_LOG@
5473c134 4900DOC_END
4901
41bd17a4 4902NAME: cache_swap_state cache_swap_log
4903TYPE: string
4904LOC: Config.Log.swap
5473c134 4905DEFAULT: none
638402dd 4906DEFAULT_DOC: Store the journal inside its cache_dir
5473c134 4907DOC_START
41bd17a4 4908 Location for the cache "swap.state" file. This index file holds
4909 the metadata of objects saved on disk. It is used to rebuild
4910 the cache during startup. Normally this file resides in each
4911 'cache_dir' directory, but you may specify an alternate
4912 pathname here. Note you must give a full filename, not just
4913 a directory. Since this is the index for the whole object
4914 list you CANNOT periodically rotate it!
5473c134 4915
41bd17a4 4916 If %s can be used in the file name it will be replaced with a
4917 a representation of the cache_dir name where each / is replaced
4918 with '.'. This is needed to allow adding/removing cache_dir
4919 lines when cache_swap_log is being used.
5473c134 4920
41bd17a4 4921 If have more than one 'cache_dir', and %s is not used in the name
4922 these swap logs will have names such as:
5473c134 4923
41bd17a4 4924 cache_swap_log.00
4925 cache_swap_log.01
4926 cache_swap_log.02
5473c134 4927
41bd17a4 4928 The numbered extension (which is added automatically)
4929 corresponds to the order of the 'cache_dir' lines in this
4930 configuration file. If you change the order of the 'cache_dir'
4931 lines in this file, these index files will NOT correspond to
4932 the correct 'cache_dir' entry (unless you manually rename
4933 them). We recommend you do NOT use this option. It is
4934 better to keep these index files in each 'cache_dir' directory.
5473c134 4935DOC_END
4936
41bd17a4 4937NAME: logfile_rotate
4938TYPE: int
4939DEFAULT: 10
4940LOC: Config.Log.rotateNumber
5473c134 4941DOC_START
efc23871 4942 Specifies the default number of logfile rotations to make when you
41bd17a4 4943 type 'squid -k rotate'. The default is 10, which will rotate
4944 with extensions 0 through 9. Setting logfile_rotate to 0 will
4945 disable the file name rotation, but the logfiles are still closed
4946 and re-opened. This will enable you to rename the logfiles
4947 yourself just before sending the rotate signal.
5473c134 4948
efc23871
AJ		 4949 Note, from Squid-3.1 this option is only a default for cache.log,
4950 that log can be rotated separately by using debug_options.
4951
4952 Note, from Squid-3.6 this option is only a default for access.log
4953 recorded by stdio: module. Those logs can be rotated separately by
4954 using the rotate=N option on their access_log directive.
4955
41bd17a4 4956 Note, the 'squid -k rotate' command normally sends a USR1
4957 signal to the running squid process. In certain situations
4958 (e.g. on Linux with Async I/O), USR1 is used for other
4959 purposes, so -k rotate uses another signal. It is best to get
4960 in the habit of using 'squid -k rotate' instead of 'kill -USR1
4961 <pid>'.
62493678 4962
41bd17a4 4963DOC_END
5473c134 4964
41bd17a4 4965NAME: mime_table
4966TYPE: string
4967DEFAULT: @DEFAULT_MIME_TABLE@
4968LOC: Config.mimeTablePathname
4969DOC_START
638402dd
AJ		 4970 Path to Squid's icon configuration file.
4971
4972 You shouldn't need to change this, but the default file contains
4973 examples and formatting information if you do.
5473c134 4974DOC_END
4975
41bd17a4 4976NAME: log_mime_hdrs
4977COMMENT: on|off
4978TYPE: onoff
4979LOC: Config.onoff.log_mime_hdrs
4980DEFAULT: off
4981DOC_START
4982 The Cache can record both the request and the response MIME
4983 headers for each HTTP transaction. The headers are encoded
4984 safely and will appear as two bracketed fields at the end of
4985 the access log (for either the native or httpd-emulated log
4986 formats). To enable this logging set log_mime_hdrs to 'on'.
4987DOC_END
5473c134 4988
41bd17a4 4989NAME: pid_filename
4990TYPE: string
4991DEFAULT: @DEFAULT_PID_FILE@
4992LOC: Config.pidFilename
5473c134 4993DOC_START
41bd17a4 4994 A filename to write the process-id to. To disable, enter "none".
5473c134 4995DOC_END
4996
41bd17a4 4997NAME: client_netmask
4998TYPE: address
4999LOC: Config.Addrs.client_netmask
0eb08770 5000DEFAULT: no_addr
638402dd 5001DEFAULT_DOC: Log full client IP address
5473c134 5002DOC_START
41bd17a4 5003 A netmask for client addresses in logfiles and cachemgr output.
5004 Change this to protect the privacy of your cache clients.
5005 A netmask of 255.255.255.0 will log all IP's in that range with
5006 the last digit set to '0'.
5473c134 5007DOC_END
5008
41bd17a4 5009NAME: strip_query_terms
5473c134 5010TYPE: onoff
41bd17a4 5011LOC: Config.onoff.strip_query_terms
5473c134 5012DEFAULT: on
5013DOC_START
41bd17a4 5014 By default, Squid strips query terms from requested URLs before
638402dd
AJ		 5015 logging. This protects your user's privacy and reduces log size.
5016
5017 When investigating HIT/MISS or other caching behaviour you
5018 will need to disable this to see the full URL used by Squid.
5473c134 5019DOC_END
5020
41bd17a4 5021NAME: buffered_logs
5022COMMENT: on|off
5023TYPE: onoff
5024DEFAULT: off
5025LOC: Config.onoff.buffered_logs
5473c134 5026DOC_START
638402dd
AJ		 5027 Whether to write/send access_log records ASAP or accumulate them and
5028 then write/send them in larger chunks. Buffering may improve
5029 performance because it decreases the number of I/Os. However,
5030 buffering increases the delay before log records become available to
5031 the final recipient (e.g., a disk file or logging daemon) and,
5032 hence, increases the risk of log records loss.
5033
5034 Note that even when buffered_logs are off, Squid may have to buffer
5035 records if it cannot write/send them immediately due to pending I/Os
5036 (e.g., the I/O writing the previous log record) or connectivity loss.
5037
fb0c2f17 5038 Currently honored by 'daemon' and 'tcp' access_log modules only.
6b698a21 5039DOC_END
0976f8db 5040
2b753521 5041NAME: netdb_filename
5042TYPE: string
221faecb 5043DEFAULT: stdio:@DEFAULT_NETDB_FILE@
2b753521 5044LOC: Config.netdbFilename
fb6a61d1 5045IFDEF: USE_ICMP
2b753521 5046DOC_START
638402dd
AJ		 5047 Where Squid stores it's netdb journal.
5048 When enabled this journal preserves netdb state between restarts.
5049
2b753521 5050 To disable, enter "none".
5051DOC_END
5052
62493678
AJ		 5053COMMENT_START
5054 OPTIONS FOR TROUBLESHOOTING
5055 -----------------------------------------------------------------------------
5056COMMENT_END
5057
5058NAME: cache_log
5059TYPE: string
62493678
AJ		 5060DEFAULT_IF_NONE: @DEFAULT_CACHE_LOG@
5061LOC: Debug::cache_log
5062DOC_START
638402dd
AJ		 5063 Squid administrative logging file.
5064
5065 This is where general information about Squid behavior goes. You can
5066 increase the amount of data logged to this file and how often it is
5067 rotated with "debug_options"
62493678
AJ		 5068DOC_END
5069
5070NAME: debug_options
5071TYPE: eol
47df1aa7 5072DEFAULT: ALL,1
638402dd 5073DEFAULT_DOC: Log all critical and important messages.
62493678
AJ		 5074LOC: Debug::debugOptions
5075DOC_START
5076 Logging options are set as section,level where each source file
5077 is assigned a unique section. Lower levels result in less
5078 output, Full debugging (level 9) can result in a very large
5079 log file, so be careful.
5080
5081 The magic word "ALL" sets debugging levels for all sections.
638402dd 5082 The default is to run with "ALL,1" to record important warnings.
62493678 5083
47df1aa7
AJ		 5084 The rotate=N option can be used to keep more or less of these logs
5085 than would otherwise be kept by logfile_rotate.
62493678
AJ		 5086 For most uses a single log should be enough to monitor current
5087 events affecting Squid.
5088DOC_END
5089
5090NAME: coredump_dir
5091TYPE: string
5092LOC: Config.coredump_dir
62493678 5093DEFAULT_IF_NONE: none
638402dd 5094DEFAULT_DOC: Use the directory from where Squid was started.
62493678
AJ		 5095DOC_START
5096 By default Squid leaves core files in the directory from where
5097 it was started. If you set 'coredump_dir' to a directory
5098 that exists, Squid will chdir() to that directory at startup
5099 and coredump files will be left there.
5100
5101NOCOMMENT_START
e0855596 5102
62493678
AJ		 5103# Leave coredumps in the first cache dir
5104coredump_dir @DEFAULT_SWAP_DIR@
5105NOCOMMENT_END
5106DOC_END
5107
5108
41bd17a4 5109COMMENT_START
5110 OPTIONS FOR FTP GATEWAYING
5111 -----------------------------------------------------------------------------
5112COMMENT_END
5113
5114NAME: ftp_user
5115TYPE: string
5116DEFAULT: Squid@
5117LOC: Config.Ftp.anon_user
6b698a21 5118DOC_START
41bd17a4 5119 If you want the anonymous login password to be more informative
638402dd 5120 (and enable the use of picky FTP servers), set this to something
41bd17a4 5121 reasonable for your domain, like wwwuser@somewhere.net
7f7db318 5122
41bd17a4 5123 The reason why this is domainless by default is the
5124 request can be made on the behalf of a user in any domain,
5125 depending on how the cache is used.
638402dd 5126 Some FTP server also validate the email address is valid
41bd17a4 5127 (for example perl.com).
6b698a21 5128DOC_END
0976f8db 5129
41bd17a4 5130NAME: ftp_passive
5131TYPE: onoff
5132DEFAULT: on
5133LOC: Config.Ftp.passive
6b698a21 5134DOC_START
41bd17a4 5135 If your firewall does not allow Squid to use passive
5136 connections, turn off this option.
a689bd4e 5137
5138 Use of ftp_epsv_all option requires this to be ON.
5139DOC_END
5140
5141NAME: ftp_epsv_all
5142TYPE: onoff
5143DEFAULT: off
5144LOC: Config.Ftp.epsv_all
5145DOC_START
5146 FTP Protocol extensions permit the use of a special "EPSV ALL" command.
5147
5148 NATs may be able to put the connection on a "fast path" through the
5149 translator, as the EPRT command will never be used and therefore,
5150 translation of the data portion of the segments will never be needed.
5151
b3567eb5
FC		 5152 When a client only expects to do two-way FTP transfers this may be
5153 useful.
a689bd4e 5154 If squid finds that it must do a three-way FTP transfer after issuing
5155 an EPSV ALL command, the FTP session will fail.
5156
5157 If you have any doubts about this option do not use it.
5158 Squid will nicely attempt all other connection methods.
5159
51ee534d
AJ		 5160 Requires ftp_passive to be ON (default) for any effect.
5161DOC_END
5162
5163NAME: ftp_epsv
ddf5aa2b
CT		 5164TYPE: ftp_epsv
5165DEFAULT: none
5166LOC: Config.accessList.ftp_epsv
51ee534d
AJ		 5167DOC_START
5168 FTP Protocol extensions permit the use of a special "EPSV" command.
5169
5170 NATs may be able to put the connection on a "fast path" through the
b3567eb5
FC		 5171 translator using EPSV, as the EPRT command will never be used
5172 and therefore, translation of the data portion of the segments
5173 will never be needed.
51ee534d 5174
ddf5aa2b
CT		 5175 EPSV is often required to interoperate with FTP servers on IPv6
5176 networks. On the other hand, it may break some IPv4 servers.
5177
5178 By default, EPSV may try EPSV with any FTP server. To fine tune
5179 that decision, you may restrict EPSV to certain clients or servers
5180 using ACLs:
5181
5182 ftp_epsv allow|deny al1 acl2 ...
5183
5184 WARNING: Disabling EPSV may cause problems with external NAT and IPv6.
51ee534d 5185
ddf5aa2b 5186 Only fast ACLs are supported.
51ee534d 5187 Requires ftp_passive to be ON (default) for any effect.
41bd17a4 5188DOC_END
9e7dbc51 5189
63ee5443
AJ		 5190NAME: ftp_eprt
5191TYPE: onoff
5192DEFAULT: on
5193LOC: Config.Ftp.eprt
5194DOC_START
5195 FTP Protocol extensions permit the use of a special "EPRT" command.
5196
5197 This extension provides a protocol neutral alternative to the
5198 IPv4-only PORT command. When supported it enables active FTP data
5199 channels over IPv6 and efficient NAT handling.
5200
5201 Turning this OFF will prevent EPRT being attempted and will skip
5202 straight to using PORT for IPv4 servers.
5203
5204 Some devices are known to not handle this extension correctly and
5205 may result in crashes. Devices which suport EPRT enough to fail
5206 cleanly will result in Squid attempting PORT anyway. This directive
5207 should only be disabled when EPRT results in device failures.
5208
5209 WARNING: Doing so will convert Squid back to the old behavior with all
5210 the related problems with external NAT devices/layers and IPv4-only FTP.
5211DOC_END
5212
41bd17a4 5213NAME: ftp_sanitycheck
5214TYPE: onoff
5215DEFAULT: on
5216LOC: Config.Ftp.sanitycheck
5217DOC_START
5218 For security and data integrity reasons Squid by default performs
5219 sanity checks of the addresses of FTP data connections ensure the
5220 data connection is to the requested server. If you need to allow
5221 FTP connections to servers using another IP address for the data
5222 connection turn this off.
5223DOC_END
9e7dbc51 5224
41bd17a4 5225NAME: ftp_telnet_protocol
5226TYPE: onoff
5227DEFAULT: on
5228LOC: Config.Ftp.telnet
5229DOC_START
5230 The FTP protocol is officially defined to use the telnet protocol
5231 as transport channel for the control connection. However, many
5232 implementations are broken and does not respect this aspect of
5233 the FTP protocol.
5234
5235 If you have trouble accessing files with ASCII code 255 in the
5236 path or similar problems involving this ASCII code you can
5237 try setting this directive to off. If that helps, report to the
5238 operator of the FTP server in question that their FTP server
5239 is broken and does not follow the FTP standard.
5240DOC_END
5241
5242COMMENT_START
5243 OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
5244 -----------------------------------------------------------------------------
5245COMMENT_END
5246
5247NAME: diskd_program
5248TYPE: string
5249DEFAULT: @DEFAULT_DISKD@
5250LOC: Config.Program.diskd
5251DOC_START
5252 Specify the location of the diskd executable.
5253 Note this is only useful if you have compiled in
5254 diskd as one of the store io modules.
5255DOC_END
5256
5257NAME: unlinkd_program
5258IFDEF: USE_UNLINKD
5259TYPE: string
5260DEFAULT: @DEFAULT_UNLINKD@
5261LOC: Config.Program.unlinkd
5262DOC_START
5263 Specify the location of the executable for file deletion process.
5264DOC_END
5265
5266NAME: pinger_program
41bd17a4 5267IFDEF: USE_ICMP
7a9d36e3
AJ		 5268TYPE: icmp
5269DEFAULT: @DEFAULT_PINGER@
5270LOC: IcmpCfg
41bd17a4 5271DOC_START
5272 Specify the location of the executable for the pinger process.
5273DOC_END
5274
cc192b50 5275NAME: pinger_enable
5276TYPE: onoff
5277DEFAULT: on
7a9d36e3 5278LOC: IcmpCfg.enable
cc192b50 5279IFDEF: USE_ICMP
5280DOC_START
5281 Control whether the pinger is active at run-time.
b3567eb5
FC		 5282 Enables turning ICMP pinger on and off with a simple
5283 squid -k reconfigure.
cc192b50 5284DOC_END
5285
5286
41bd17a4 5287COMMENT_START
5288 OPTIONS FOR URL REWRITING
5289 -----------------------------------------------------------------------------
5290COMMENT_END
5291
5292NAME: url_rewrite_program redirect_program
5293TYPE: wordlist
5294LOC: Config.Program.redirect
5295DEFAULT: none
5296DOC_START
2c7aad89 5297 Specify the location of the executable URL rewriter to use.
41bd17a4 5298 Since they can perform almost any function there isn't one included.
5299
2c7aad89 5300 For each requested URL, the rewriter will receive on line with the format
41bd17a4 5301
b11724bb 5302 [channel-ID <SP>] URL [<SP> extras]<NL>
5269ec0e 5303
457857fe
CT		 5304 See url_rewrite_extras on how to send "extras" with optional values to
5305 the helper.
5269ec0e
AJ		 5306 After processing the request the helper must reply using the following format:
5307
24eac830 5308 [channel-ID <SP>] result [<SP> kv-pairs]
5269ec0e
AJ		 5309
5310 The result code can be:
5311
5312 OK status=30N url="..."
5313 Redirect the URL to the one supplied in 'url='.
5314 'status=' is optional and contains the status code to send
5315 the client in Squids HTTP response. It must be one of the
5316 HTTP redirect status codes: 301, 302, 303, 307, 308.
5317 When no status is given Squid will use 302.
c71adec1 5318
5269ec0e
AJ		 5319 OK rewrite-url="..."
5320 Rewrite the URL to the one supplied in 'rewrite-url='.
5321 The new URL is fetched directly by Squid and returned to
5322 the client as the response to its request.
5323
c2cbbb02
AJ		 5324 OK
5325 When neither of url= and rewrite-url= are sent Squid does
5326 not change the URL.
5327
5269ec0e
AJ		 5328 ERR
5329 Do not change the URL.
5330
5331 BH
4ded749e 5332 An internal error occurred in the helper, preventing
c2cbbb02
AJ		 5333 a result being identified. The 'message=' key name is
5334 reserved for delivering a log message.
5269ec0e
AJ		 5335
5336
457857fe
CT		 5337 In addition to the above kv-pairs Squid also understands the following
5338 optional kv-pairs received from URL rewriters:
5339 clt_conn_tag=TAG
5340 Associates a TAG with the client TCP connection.
5341 The TAG is treated as a regular annotation but persists across
5342 future requests on the client connection rather than just the
5343 current request. A helper may update the TAG during subsequent
5344 requests be returning a new kv-pair.
41bd17a4 5345
5269ec0e
AJ		 5346 When using the concurrency= option the protocol is changed by
5347 introducing a query channel tag in front of the request/response.
5348 The query channel tag is a number between 0 and concurrency-1.
5349 This value must be echoed back unchanged to Squid as the first part
5350 of the response relating to its request.
5351
5352 WARNING: URL re-writing ability should be avoided whenever possible.
5353 Use the URL redirect form of response instead.
41bd17a4 5354
5269ec0e
AJ		 5355 Re-write creates a difference in the state held by the client
5356 and server. Possibly causing confusion when the server response
5357 contains snippets of its view state. Embeded URLs, response
5358 and content Location headers, etc. are not re-written by this
5359 interface.
41bd17a4 5360
5361 By default, a URL rewriter is not used.
5362DOC_END
5363
5364NAME: url_rewrite_children redirect_children
48d54e4d 5365TYPE: HelperChildConfig
5b708d95 5366DEFAULT: 20 startup=0 idle=1 concurrency=0
41bd17a4 5367LOC: Config.redirectChildren
5368DOC_START
48d54e4d
AJ		 5369 The maximum number of redirector processes to spawn. If you limit
5370 it too few Squid will have to wait for them to process a backlog of
5371 URLs, slowing it down. If you allow too many they will use RAM
5372 and other system resources noticably.
5373
5374 The startup= and idle= options allow some measure of skew in your
5375 tuning.
5376
5377 startup=
5378
5379 Sets a minimum of how many processes are to be spawned when Squid
5380 starts or reconfigures. When set to zero the first request will
5381 cause spawning of the first child process to handle it.
5382
5383 Starting too few will cause an initial slowdown in traffic as Squid
5384 attempts to simultaneously spawn enough processes to cope.
5385
5386 idle=
5387
5388 Sets a minimum of how many processes Squid is to try and keep available
5389 at all times. When traffic begins to rise above what the existing
5390 processes can handle this many more will be spawned up to the maximum
5391 configured. A minimum setting of 1 is required.
5392
5393 concurrency=
41bd17a4 5394
41bd17a4 5395 The number of requests each redirector helper can handle in
5396 parallel. Defaults to 0 which indicates the redirector
5397 is a old-style single threaded redirector.
6a171502
AJ		 5398
5399 When this directive is set to a value >= 1 then the protocol
5400 used to communicate with the helper is modified to include
9bef05b1
AJ		 5401 an ID in front of the request/response. The ID from the request
5402 must be echoed back with the response to that request.
6825b101
CT		 5403
5404 queue-size=N
5405
6082a0e2
EB		 5406 Sets the maximum number of queued requests to N. The default maximum
5407 is 2*numberofchildren. If the queued requests exceed queue size and
5408 redirector_bypass configuration option is set, then redirector is bypassed.
5409 Otherwise, Squid is allowed to temporarily exceed the configured maximum,
5410 marking the affected helper as "overloaded". If the helper overload lasts
5411 more than 3 minutes, the action prescribed by the on-persistent-overload
5412 option applies.
5413
5414 on-persistent-overload=action
5415
5416 Specifies Squid reaction to a new helper request arriving when the helper
5417 has been overloaded for more that 3 minutes already. The number of queued
5418 requests determines whether the helper is overloaded (see the queue-size
5419 option).
5420
5421 Two actions are supported:
5422
5423 die Squid worker quits. This is the default behavior.
5424
5425 ERR Squid treats the helper request as if it was
5426 immediately submitted, and the helper immediately
5427 replied with an ERR response. This action has no effect
5428 on the already queued and in-progress helper requests.
41bd17a4 5429DOC_END
5430
5431NAME: url_rewrite_host_header redirect_rewrites_host_header
5432TYPE: onoff
5433DEFAULT: on
5434LOC: Config.onoff.redir_rewrites_host
5435DOC_START
3ce33807
AJ		 5436 To preserve same-origin security policies in browsers and
5437 prevent Host: header forgery by redirectors Squid rewrites
5438 any Host: header in redirected requests.
5439
5440 If you are running an accelerator this may not be a wanted
5441 effect of a redirector. This directive enables you disable
5442 Host: alteration in reverse-proxy traffic.
5443
41bd17a4 5444 WARNING: Entries are cached on the result of the URL rewriting
5445 process, so be careful if you have domain-virtual hosts.
3ce33807
AJ		 5446
5447 WARNING: Squid and other software verifies the URL and Host
5448 are matching, so be careful not to relay through other proxies
5449 or inspecting firewalls with this disabled.
41bd17a4 5450DOC_END
5451
5452NAME: url_rewrite_access redirector_access
5453TYPE: acl_access
5454DEFAULT: none
638402dd 5455DEFAULT_DOC: Allow, unless rules exist in squid.conf.
41bd17a4 5456LOC: Config.accessList.redirector
5457DOC_START
5458 If defined, this access list specifies which requests are
638402dd 5459 sent to the redirector processes.
b3567eb5
FC		 5460
5461 This clause supports both fast and slow acl types.
5462 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
41bd17a4 5463DOC_END
5464
5465NAME: url_rewrite_bypass redirector_bypass
5466TYPE: onoff
5467LOC: Config.onoff.redirector_bypass
5468DEFAULT: off
5469DOC_START
5470 When this is 'on', a request will not go through the
6082a0e2
EB		 5471 redirector if all the helpers are busy. If this is 'off' and the
5472 redirector queue grows too large, the action is prescribed by the
5473 on-persistent-overload option. You should only enable this if the
5474 redirectors are not critical to your caching system. If you use
41bd17a4 5475 redirectors for access control, and you enable this option,
5476 users may have access to pages they should not
5477 be allowed to request.
6825b101
CT		 5478 This options sets default queue-size option of the url_rewrite_children
5479 to 0.
41bd17a4 5480DOC_END
5481
fe7966ec 5482NAME: url_rewrite_extras
b11724bb
CT		 5483TYPE: TokenOrQuotedString
5484LOC: Config.redirector_extras
5485DEFAULT: "%>a/%>A %un %>rm myip=%la myport=%lp"
5486DOC_START
5487 Specifies a string to be append to request line format for the
5488 rewriter helper. "Quoted" format values may contain spaces and
5489 logformat %macros. In theory, any logformat %macro can be used.
5490 In practice, a %macro expands as a dash (-) if the helper request is
5491 sent before the required macro information is available to Squid.
5492DOC_END
5493
32fd6d8a 5494NAME: url_rewrite_timeout
ced8def3
AJ		 5495TYPE: UrlHelperTimeout
5496LOC: Config.onUrlRewriteTimeout
32fd6d8a
CT		 5497DEFAULT: none
5498DEFAULT_DOC: Squid waits for the helper response forever
5499DOC_START
5500 Squid times active requests to redirector. The timeout value and Squid
5501 reaction to a timed out request are configurable using the following
5502 format:
5503
ced8def3 5504 url_rewrite_timeout timeout time-units on_timeout=<action> [response=<quoted-response>]
32fd6d8a
CT		 5505
5506 supported timeout actions:
ced8def3 5507 fail Squid return a ERR_GATEWAY_FAILURE error page
32fd6d8a 5508
ced8def3 5509 bypass Do not re-write the URL
32fd6d8a 5510
ced8def3 5511 retry Send the lookup to the helper again
32fd6d8a 5512
ced8def3
AJ		 5513 use_configured_response
5514 Use the <quoted-response> as helper response
32fd6d8a
CT		 5515DOC_END
5516
a8a0b1c2
EC		 5517COMMENT_START
5518 OPTIONS FOR STORE ID
5519 -----------------------------------------------------------------------------
5520COMMENT_END
5521
5522NAME: store_id_program storeurl_rewrite_program
5523TYPE: wordlist
5524LOC: Config.Program.store_id
5525DEFAULT: none
5526DOC_START
5527 Specify the location of the executable StoreID helper to use.
5528 Since they can perform almost any function there isn't one included.
5529
5530 For each requested URL, the helper will receive one line with the format
5531
b11724bb 5532 [channel-ID <SP>] URL [<SP> extras]<NL>
a8a0b1c2
EC		 5533
5534
5535 After processing the request the helper must reply using the following format:
5536
5537 [channel-ID <SP>] result [<SP> kv-pairs]
5538
5539 The result code can be:
5540
5541 OK store-id="..."
5542 Use the StoreID supplied in 'store-id='.
5543
5544 ERR
5545 The default is to use HTTP request URL as the store ID.
5546
5547 BH
5548 An internal error occured in the helper, preventing
5549 a result being identified.
5550
457857fe
CT		 5551 In addition to the above kv-pairs Squid also understands the following
5552 optional kv-pairs received from URL rewriters:
5553 clt_conn_tag=TAG
5554 Associates a TAG with the client TCP connection.
5555 Please see url_rewrite_program related documentation for this
5556 kv-pair
a8a0b1c2 5557
b11724bb
CT		 5558 Helper programs should be prepared to receive and possibly ignore
5559 additional whitespace-separated tokens on each input line.
a8a0b1c2
EC		 5560
5561 When using the concurrency= option the protocol is changed by
5562 introducing a query channel tag in front of the request/response.
5563 The query channel tag is a number between 0 and concurrency-1.
5564 This value must be echoed back unchanged to Squid as the first part
5565 of the response relating to its request.
5566
5567 NOTE: when using StoreID refresh_pattern will apply to the StoreID
5568 returned from the helper and not the URL.
5569
5570 WARNING: Wrong StoreID value returned by a careless helper may result
5571 in the wrong cached response returned to the user.
5572
5573 By default, a StoreID helper is not used.
5574DOC_END
5575
fe7966ec 5576NAME: store_id_extras
b11724bb
CT		 5577TYPE: TokenOrQuotedString
5578LOC: Config.storeId_extras
5579DEFAULT: "%>a/%>A %un %>rm myip=%la myport=%lp"
5580DOC_START
5581 Specifies a string to be append to request line format for the
5582 StoreId helper. "Quoted" format values may contain spaces and
5583 logformat %macros. In theory, any logformat %macro can be used.
5584 In practice, a %macro expands as a dash (-) if the helper request is
5585 sent before the required macro information is available to Squid.
5586DOC_END
5587
a8a0b1c2
EC		 5588NAME: store_id_children storeurl_rewrite_children
5589TYPE: HelperChildConfig
5590DEFAULT: 20 startup=0 idle=1 concurrency=0
5591LOC: Config.storeIdChildren
5592DOC_START
5593 The maximum number of StoreID helper processes to spawn. If you limit
5594 it too few Squid will have to wait for them to process a backlog of
5595 requests, slowing it down. If you allow too many they will use RAM
5596 and other system resources noticably.
5597
5598 The startup= and idle= options allow some measure of skew in your
5599 tuning.
5600
5601 startup=
5602
5603 Sets a minimum of how many processes are to be spawned when Squid
5604 starts or reconfigures. When set to zero the first request will
5605 cause spawning of the first child process to handle it.
5606
5607 Starting too few will cause an initial slowdown in traffic as Squid
5608 attempts to simultaneously spawn enough processes to cope.
5609
5610 idle=
5611
5612 Sets a minimum of how many processes Squid is to try and keep available
5613 at all times. When traffic begins to rise above what the existing
5614 processes can handle this many more will be spawned up to the maximum
5615 configured. A minimum setting of 1 is required.
5616
5617 concurrency=
5618
5619 The number of requests each storeID helper can handle in
5620 parallel. Defaults to 0 which indicates the helper
5621 is a old-style single threaded program.
5622
5623 When this directive is set to a value >= 1 then the protocol
5624 used to communicate with the helper is modified to include
5625 an ID in front of the request/response. The ID from the request
5626 must be echoed back with the response to that request.
6825b101
CT		 5627
5628 queue-size=N
5629
6082a0e2
EB		 5630 Sets the maximum number of queued requests to N. The default maximum
5631 is 2*numberofchildren. If the queued requests exceed queue size and
5632 redirector_bypass configuration option is set, then redirector is bypassed.
5633 Otherwise, Squid is allowed to temporarily exceed the configured maximum,
5634 marking the affected helper as "overloaded". If the helper overload lasts
5635 more than 3 minutes, the action prescribed by the on-persistent-overload
5636 option applies.
5637
5638 on-persistent-overload=action
5639
5640 Specifies Squid reaction to a new helper request arriving when the helper
5641 has been overloaded for more that 3 minutes already. The number of queued
5642 requests determines whether the helper is overloaded (see the queue-size
5643 option).
5644
5645 Two actions are supported:
5646
5647 die Squid worker quits. This is the default behavior.
5648
5649 ERR Squid treats the helper request as if it was
5650 immediately submitted, and the helper immediately
5651 replied with an ERR response. This action has no effect
5652 on the already queued and in-progress helper requests.
a8a0b1c2
EC		 5653DOC_END
5654
5655NAME: store_id_access storeurl_rewrite_access
5656TYPE: acl_access
5657DEFAULT: none
638402dd 5658DEFAULT_DOC: Allow, unless rules exist in squid.conf.
a8a0b1c2
EC		 5659LOC: Config.accessList.store_id
5660DOC_START
5661 If defined, this access list specifies which requests are
5662 sent to the StoreID processes. By default all requests
5663 are sent.
5664
5665 This clause supports both fast and slow acl types.
5666 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
5667DOC_END
5668
5669NAME: store_id_bypass storeurl_rewrite_bypass
5670TYPE: onoff
5671LOC: Config.onoff.store_id_bypass
5672DEFAULT: on
5673DOC_START
5674 When this is 'on', a request will not go through the
6082a0e2
EB		 5675 helper if all helpers are busy. If this is 'off' and the helper
5676 queue grows too large, the action is prescribed by the
5677 on-persistent-overload option. You should only enable this if the
5678 helpers are not critical to your caching system. If you use
a8a0b1c2
EC		 5679 helpers for critical caching components, and you enable this
5680 option, users may not get objects from cache.
6825b101
CT		 5681 This options sets default queue-size option of the store_id_children
5682 to 0.
a8a0b1c2
EC		 5683DOC_END
5684
41bd17a4 5685COMMENT_START
5686 OPTIONS FOR TUNING THE CACHE
5687 -----------------------------------------------------------------------------
5688COMMENT_END
5689
f04b37d8 5690NAME: cache no_cache
5691TYPE: acl_access
5692DEFAULT: none
70706149 5693DEFAULT_DOC: By default, this directive is unused and has no effect.
f04b37d8 5694LOC: Config.accessList.noCache
41bd17a4 5695DOC_START
70706149
AR		 5696 Requests denied by this directive will not be served from the cache
5697 and their responses will not be stored in the cache. This directive
5698 has no effect on other transactions and on already cached responses.
f04b37d8 5699
b3567eb5
FC		 5700 This clause supports both fast and slow acl types.
5701 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
70706149
AR		 5702
5703 This and the two other similar caching directives listed below are
5704 checked at different transaction processing stages, have different
5705 access to response information, affect different cache operations,
5706 and differ in slow ACLs support:
5707
5708 * cache: Checked before Squid makes a hit/miss determination.
5709 No access to reply information!
5710 Denies both serving a hit and storing a miss.
5711 Supports both fast and slow ACLs.
5712 * send_hit: Checked after a hit was detected.
5713 Has access to reply (hit) information.
5714 Denies serving a hit only.
5715 Supports fast ACLs only.
5716 * store_miss: Checked before storing a cachable miss.
5717 Has access to reply (miss) information.
5718 Denies storing a miss only.
5719 Supports fast ACLs only.
5720
5721 If you are not sure which of the three directives to use, apply the
5722 following decision logic:
5723
5724 * If your ACL(s) are of slow type _and_ need response info, redesign.
5725 Squid does not support that particular combination at this time.
5726 Otherwise:
5727 * If your directive ACL(s) are of slow type, use "cache"; and/or
5728 * if your directive ACL(s) need no response info, use "cache".
5729 Otherwise:
5730 * If you do not want the response cached, use store_miss; and/or
5731 * if you do not want a hit on a cached response, use send_hit.
5732DOC_END
5733
5734NAME: send_hit
5735TYPE: acl_access
5736DEFAULT: none
5737DEFAULT_DOC: By default, this directive is unused and has no effect.
5738LOC: Config.accessList.sendHit
5739DOC_START
5740 Responses denied by this directive will not be served from the cache
5741 (but may still be cached, see store_miss). This directive has no
5742 effect on the responses it allows and on the cached objects.
5743
5744 Please see the "cache" directive for a summary of differences among
5745 store_miss, send_hit, and cache directives.
5746
5747 Unlike the "cache" directive, send_hit only supports fast acl
5748 types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
5749
5750 For example:
5751
5752 # apply custom Store ID mapping to some URLs
5753 acl MapMe dstdomain .c.example.com
5754 store_id_program ...
5755 store_id_access allow MapMe
5756
5757 # but prevent caching of special responses
5758 # such as 302 redirects that cause StoreID loops
5759 acl Ordinary http_status 200-299
5760 store_miss deny MapMe !Ordinary
5761
5762 # and do not serve any previously stored special responses
5763 # from the cache (in case they were already cached before
5764 # the above store_miss rule was in effect).
5765 send_hit deny MapMe !Ordinary
5766DOC_END
5767
5768NAME: store_miss
5769TYPE: acl_access
5770DEFAULT: none
5771DEFAULT_DOC: By default, this directive is unused and has no effect.
5772LOC: Config.accessList.storeMiss
5773DOC_START
5774 Responses denied by this directive will not be cached (but may still
5775 be served from the cache, see send_hit). This directive has no
5776 effect on the responses it allows and on the already cached responses.
5777
5778 Please see the "cache" directive for a summary of differences among
5779 store_miss, send_hit, and cache directives. See the
5780 send_hit directive for a usage example.
5781
5782 Unlike the "cache" directive, store_miss only supports fast acl
5783 types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
41bd17a4 5784DOC_END
5785
570d3f75
AJ		 5786NAME: max_stale
5787COMMENT: time-units
5788TYPE: time_t
5789LOC: Config.maxStale
5790DEFAULT: 1 week
5791DOC_START
5792 This option puts an upper limit on how stale content Squid
5793 will serve from the cache if cache validation fails.
5794 Can be overriden by the refresh_pattern max-stale option.
5795DOC_END
5796
41bd17a4 5797NAME: refresh_pattern
5798TYPE: refreshpattern
5799LOC: Config.Refresh
5800DEFAULT: none
5801DOC_START
5802 usage: refresh_pattern [-i] regex min percent max [options]
9e7dbc51 5803
6b698a21 5804 By default, regular expressions are CASE-SENSITIVE. To make
5805 them case-insensitive, use the -i option.
9e7dbc51 5806
41bd17a4 5807 'Min' is the time (in minutes) an object without an explicit
5808 expiry time should be considered fresh. The recommended
5809 value is 0, any higher values may cause dynamic applications
5810 to be erroneously cached unless the application designer
5811 has taken the appropriate actions.
9e7dbc51 5812
41bd17a4 5813 'Percent' is a percentage of the objects age (time since last
5814 modification age) an object without explicit expiry time
5815 will be considered fresh.
5b807763 5816
41bd17a4 5817 'Max' is an upper limit on how long objects without an explicit
6d612a9d
GD		 5818 expiry time will be considered fresh. The value is also used
5819 to form Cache-Control: max-age header for a request sent from
5820 Squid to origin/parent.
9e7dbc51 5821
41bd17a4 5822 options: override-expire
5823 override-lastmod
5824 reload-into-ims
5825 ignore-reload
41bd17a4 5826 ignore-no-store
5827 ignore-private
570d3f75 5828 max-stale=NN
41bd17a4 5829 refresh-ims
3d8b6ba4 5830 store-stale
a0ec9f68 5831
41bd17a4 5832 override-expire enforces min age even if the server
9b2ad080
HN		 5833 sent an explicit expiry time (e.g., with the
5834 Expires: header or Cache-Control: max-age). Doing this
5835 VIOLATES the HTTP standard. Enabling this feature
5836 could make you liable for problems which it causes.
6468fe10 5837
04925576
AJ		 5838 Note: override-expire does not enforce staleness - it only extends
5839 freshness / min. If the server returns a Expires time which
5840 is longer than your max time, Squid will still consider
5841 the object fresh for that period of time.
5842
41bd17a4 5843 override-lastmod enforces min age even on objects
5844 that were modified recently.
934b03fc 5845
46017fdd
CT		 5846 reload-into-ims changes a client no-cache or ``reload''
5847 request for a cached entry into a conditional request using
5848 If-Modified-Since and/or If-None-Match headers, provided the
5849 cached entry has a Last-Modified and/or a strong ETag header.
5850 Doing this VIOLATES the HTTP standard. Enabling this feature
5851 could make you liable for problems which it causes.
dba79ac5 5852
41bd17a4 5853 ignore-reload ignores a client no-cache or ``reload''
5854 header. Doing this VIOLATES the HTTP standard. Enabling
5855 this feature could make you liable for problems which
5856 it causes.
9bc73deb 5857
41bd17a4 5858 ignore-no-store ignores any ``Cache-control: no-store''
5859 headers received from a server. Doing this VIOLATES
5860 the HTTP standard. Enabling this feature could make you
5861 liable for problems which it causes.
5862
5863 ignore-private ignores any ``Cache-control: private''
5864 headers received from a server. Doing this VIOLATES
5865 the HTTP standard. Enabling this feature could make you
5866 liable for problems which it causes.
5867
41bd17a4 5868 refresh-ims causes squid to contact the origin server
5869 when a client issues an If-Modified-Since request. This
5870 ensures that the client will receive an updated version
5871 if one is available.
5872
3d8b6ba4
AJ		 5873 store-stale stores responses even if they don't have explicit
5874 freshness or a validator (i.e., Last-Modified or an ETag)
5875 present, or if they're already stale. By default, Squid will
5876 not cache such responses because they usually can't be
5877 reused. Note that such responses will be stale by default.
5878
570d3f75
AJ		 5879 max-stale=NN provide a maximum staleness factor. Squid won't
5880 serve objects more stale than this even if it failed to
5881 validate the object. Default: use the max_stale global limit.
5882
41bd17a4 5883 Basically a cached object is:
5884
fb41bbb2 5885 FRESH if expire > now, else STALE
41bd17a4 5886 STALE if age > max
5887 FRESH if lm-factor < percent, else STALE
5888 FRESH if age < min
5889 else STALE
5890
5891 The refresh_pattern lines are checked in the order listed here.
5892 The first entry which matches is used. If none of the entries
5893 match the default will be used.
5894
5895 Note, you must uncomment all the default lines if you want
5896 to change one. The default setting is only active if none is
5897 used.
5898
41bd17a4 5899NOCOMMENT_START
e0855596 5900
638402dd 5901#
e0855596 5902# Add any of your own refresh_pattern entries above these.
638402dd 5903#
41bd17a4 5904refresh_pattern ^ftp: 1440 20% 10080
5905refresh_pattern ^gopher: 1440 0% 1440
89db45fa 5906refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
41bd17a4 5907refresh_pattern . 0 20% 4320
5908NOCOMMENT_END
5909DOC_END
5910
5911NAME: quick_abort_min
5912COMMENT: (KB)
5913TYPE: kb_int64_t
5914DEFAULT: 16 KB
5915LOC: Config.quickAbort.min
5916DOC_NONE
5917
5918NAME: quick_abort_max
5919COMMENT: (KB)
5920TYPE: kb_int64_t
5921DEFAULT: 16 KB
5922LOC: Config.quickAbort.max
5923DOC_NONE
5924
5925NAME: quick_abort_pct
5926COMMENT: (percent)
5927TYPE: int
5928DEFAULT: 95
5929LOC: Config.quickAbort.pct
5930DOC_START
5931 The cache by default continues downloading aborted requests
5932 which are almost completed (less than 16 KB remaining). This
5933 may be undesirable on slow (e.g. SLIP) links and/or very busy
5934 caches. Impatient users may tie up file descriptors and
5935 bandwidth by repeatedly requesting and immediately aborting
5936 downloads.
5937
5938 When the user aborts a request, Squid will check the
2d4eefd9 5939 quick_abort values to the amount of data transferred until
41bd17a4 5940 then.
5941
5942 If the transfer has less than 'quick_abort_min' KB remaining,
5943 it will finish the retrieval.
5944
5945 If the transfer has more than 'quick_abort_max' KB remaining,
5946 it will abort the retrieval.
5947
5948 If more than 'quick_abort_pct' of the transfer has completed,
5949 it will finish the retrieval.
5950
5951 If you do not want any retrieval to continue after the client
5952 has aborted, set both 'quick_abort_min' and 'quick_abort_max'
5953 to '0 KB'.
5954
5955 If you want retrievals to always continue if they are being
5956 cached set 'quick_abort_min' to '-1 KB'.
5957DOC_END
60d096f4 5958
41bd17a4 5959NAME: read_ahead_gap
5960COMMENT: buffer-size
5961TYPE: b_int64_t
5962LOC: Config.readAheadGap
5963DEFAULT: 16 KB
5964DOC_START
5965 The amount of data the cache will buffer ahead of what has been
5966 sent to the client when retrieving an object from another server.
5967DOC_END
53e738c6 5968
41bd17a4 5969NAME: negative_ttl
626096be 5970IFDEF: USE_HTTP_VIOLATIONS
41bd17a4 5971COMMENT: time-units
5972TYPE: time_t
5973LOC: Config.negativeTtl
ac9cc053 5974DEFAULT: 0 seconds
41bd17a4 5975DOC_START
ac9cc053
AJ		 5976 Set the Default Time-to-Live (TTL) for failed requests.
5977 Certain types of failures (such as "connection refused" and
5978 "404 Not Found") are able to be negatively-cached for a short time.
5979 Modern web servers should provide Expires: header, however if they
5980 do not this can provide a minimum TTL.
5981 The default is not to cache errors with unknown expiry details.
5982
5983 Note that this is different from negative caching of DNS lookups.
39956c7c
AJ		 5984
5985 WARNING: Doing this VIOLATES the HTTP standard. Enabling
5986 this feature could make you liable for problems which it
5987 causes.
41bd17a4 5988DOC_END
53e738c6 5989
41bd17a4 5990NAME: positive_dns_ttl
5991COMMENT: time-units
5992TYPE: time_t
5993LOC: Config.positiveDnsTtl
5994DEFAULT: 6 hours
5995DOC_START
5996 Upper limit on how long Squid will cache positive DNS responses.
5997 Default is 6 hours (360 minutes). This directive must be set
5998 larger than negative_dns_ttl.
5999DOC_END
c4ab8329 6000
41bd17a4 6001NAME: negative_dns_ttl
6002COMMENT: time-units
6003TYPE: time_t
6004LOC: Config.negativeDnsTtl
6005DEFAULT: 1 minutes
6006DOC_START
6007 Time-to-Live (TTL) for negative caching of failed DNS lookups.
6008 This also sets the lower cache limit on positive lookups.
6009 Minimum value is 1 second, and it is not recommendable to go
6010 much below 10 seconds.
6011DOC_END
7df0bfd7 6012
41bd17a4 6013NAME: range_offset_limit
11e3fa1c
AJ		 6014COMMENT: size [acl acl...]
6015TYPE: acl_b_size_t
41bd17a4 6016LOC: Config.rangeOffsetLimit
11e3fa1c 6017DEFAULT: none
41bd17a4 6018DOC_START
11e3fa1c
AJ		 6019 usage: (size) [units] [[!]aclname]
6020
6021 Sets an upper limit on how far (number of bytes) into the file
6022 a Range request may be to cause Squid to prefetch the whole file.
6023 If beyond this limit, Squid forwards the Range request as it is and
6024 the result is NOT cached.
6025
41bd17a4 6026 This is to stop a far ahead range request (lets say start at 17MB)
6027 from making Squid fetch the whole object up to that point before
6028 sending anything to the client.
11e3fa1c
AJ		 6029
6030 Multiple range_offset_limit lines may be specified, and they will
6031 be searched from top to bottom on each request until a match is found.
6032 The first match found will be used. If no line matches a request, the
6033 default limit of 0 bytes will be used.
6034
6035 'size' is the limit specified as a number of units.
6036
6037 'units' specifies whether to use bytes, KB, MB, etc.
6038 If no units are specified bytes are assumed.
6039
6040 A size of 0 causes Squid to never fetch more than the
ab275c7b 6041 client requested. (default)
11e3fa1c
AJ		 6042
6043 A size of 'none' causes Squid to always fetch the object from the
41bd17a4 6044 beginning so it may cache the result. (2.0 style)
11e3fa1c
AJ		 6045
6046 'aclname' is the name of a defined ACL.
6047
6048 NP: Using 'none' as the byte value here will override any quick_abort settings
6049 that may otherwise apply to the range request. The range request will
ab275c7b
AJ		 6050 be fully fetched from start to finish regardless of the client
6051 actions. This affects bandwidth usage.
41bd17a4 6052DOC_END
d95b862f 6053
41bd17a4 6054NAME: minimum_expiry_time
6055COMMENT: (seconds)
6056TYPE: time_t
6057LOC: Config.minimum_expiry_time
6058DEFAULT: 60 seconds
6059DOC_START
6060 The minimum caching time according to (Expires - Date)
638402dd
AJ		 6061 headers Squid honors if the object can't be revalidated.
6062 The default is 60 seconds.
6063
6064 In reverse proxy environments it might be desirable to honor
6065 shorter object lifetimes. It is most likely better to make
6066 your server return a meaningful Last-Modified header however.
6067
6068 In ESI environments where page fragments often have short
6069 lifetimes, this will often be best set to 0.
41bd17a4 6070DOC_END
c68e9c6b 6071
41bd17a4 6072NAME: store_avg_object_size
58d5c5dd
DK		 6073COMMENT: (bytes)
6074TYPE: b_int64_t
41bd17a4 6075DEFAULT: 13 KB
6076LOC: Config.Store.avgObjectSize
6077DOC_START
6078 Average object size, used to estimate number of objects your
6079 cache can hold. The default is 13 KB.
638402dd
AJ		 6080
6081 This is used to pre-seed the cache index memory allocation to
6082 reduce expensive reallocate operations while handling clients
6083 traffic. Too-large values may result in memory allocation during
6084 peak traffic, too-small values will result in wasted memory.
6085
6086 Check the cache manager 'info' report metrics for the real
6087 object sizes seen by your Squid before tuning this.
cccac0a2 6088DOC_END
6089
41bd17a4 6090NAME: store_objects_per_bucket
6091TYPE: int
6092DEFAULT: 20
6093LOC: Config.Store.objectsPerBucket
6094DOC_START
6095 Target number of objects per bucket in the store hash table.
6096 Lowering this value increases the total number of buckets and
6097 also the storage maintenance rate. The default is 20.
6098DOC_END
6099
6100COMMENT_START
6101 HTTP OPTIONS
6102 -----------------------------------------------------------------------------
6103COMMENT_END
6104
f04b37d8 6105NAME: request_header_max_size
6106COMMENT: (KB)
6107TYPE: b_size_t
df2eec10 6108DEFAULT: 64 KB
f04b37d8 6109LOC: Config.maxRequestHeaderSize
6110DOC_START
6111 This specifies the maximum size for HTTP headers in a request.
6112 Request headers are usually relatively small (about 512 bytes).
6113 Placing a limit on the request header size will catch certain
6114 bugs (for example with persistent connections) and possibly
6115 buffer-overflow or denial-of-service attacks.
6116DOC_END
6117
6118NAME: reply_header_max_size
6119COMMENT: (KB)
6120TYPE: b_size_t
df2eec10 6121DEFAULT: 64 KB
f04b37d8 6122LOC: Config.maxReplyHeaderSize
6123DOC_START
6124 This specifies the maximum size for HTTP headers in a reply.
6125 Reply headers are usually relatively small (about 512 bytes).
6126 Placing a limit on the reply header size will catch certain
6127 bugs (for example with persistent connections) and possibly
6128 buffer-overflow or denial-of-service attacks.
6129DOC_END
6130
6131NAME: request_body_max_size
6132COMMENT: (bytes)
6133TYPE: b_int64_t
6134DEFAULT: 0 KB
638402dd 6135DEFAULT_DOC: No limit.
f04b37d8 6136LOC: Config.maxRequestBodySize
6137DOC_START
6138 This specifies the maximum size for an HTTP request body.
6139 In other words, the maximum size of a PUT/POST request.
6140 A user who attempts to send a request with a body larger
6141 than this limit receives an "Invalid Request" error message.
6142 If you set this parameter to a zero (the default), there will
6143 be no limit imposed.
638402dd
AJ		 6144
6145 See also client_request_buffer_max_size for an alternative
6146 limitation on client uploads which can be configured.
f04b37d8 6147DOC_END
6148
1368d115
CT		 6149NAME: client_request_buffer_max_size
6150COMMENT: (bytes)
6151TYPE: b_size_t
6152DEFAULT: 512 KB
6153LOC: Config.maxRequestBufferSize
6154DOC_START
6155 This specifies the maximum buffer size of a client request.
6156 It prevents squid eating too much memory when somebody uploads
6157 a large file.
6158DOC_END
6159
41bd17a4 6160NAME: broken_posts
626096be 6161IFDEF: USE_HTTP_VIOLATIONS
cccac0a2 6162TYPE: acl_access
cccac0a2 6163DEFAULT: none
638402dd 6164DEFAULT_DOC: Obey RFC 2616.
41bd17a4 6165LOC: Config.accessList.brokenPosts
cccac0a2 6166DOC_START
41bd17a4 6167 A list of ACL elements which, if matched, causes Squid to send
6168 an extra CRLF pair after the body of a PUT/POST request.
cccac0a2 6169
41bd17a4 6170 Some HTTP servers has broken implementations of PUT/POST,
6171 and rely on an extra CRLF pair sent by some WWW clients.
cccac0a2 6172
41bd17a4 6173 Quote from RFC2616 section 4.1 on this matter:
cccac0a2 6174
41bd17a4 6175 Note: certain buggy HTTP/1.0 client implementations generate an
6176 extra CRLF's after a POST request. To restate what is explicitly
6177 forbidden by the BNF, an HTTP/1.1 client must not preface or follow
6178 a request with an extra CRLF.
cccac0a2 6179
b3567eb5
FC		 6180 This clause only supports fast acl types.
6181 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
6182
41bd17a4 6183Example:
6184 acl buggy_server url_regex ^http://....
6185 broken_posts allow buggy_server
6186DOC_END
cccac0a2 6187
22fff3bf 6188NAME: adaptation_uses_indirect_client icap_uses_indirect_client
57d76dd4
AJ		 6189COMMENT: on|off
6190TYPE: onoff
22fff3bf 6191IFDEF: FOLLOW_X_FORWARDED_FOR&&USE_ADAPTATION
57d76dd4 6192DEFAULT: on
22fff3bf 6193LOC: Adaptation::Config::use_indirect_client
57d76dd4 6194DOC_START
ea3ae478
AR		 6195 Controls whether the indirect client IP address (instead of the direct
6196 client IP address) is passed to adaptation services.
6197
6198 See also: follow_x_forwarded_for adaptation_send_client_ip
57d76dd4
AJ		 6199DOC_END
6200
41bd17a4 6201NAME: via
626096be 6202IFDEF: USE_HTTP_VIOLATIONS
41bd17a4 6203COMMENT: on|off
6204TYPE: onoff
6205DEFAULT: on
6206LOC: Config.onoff.via
6207DOC_START
6208 If set (default), Squid will include a Via header in requests and
6209 replies as required by RFC2616.
6210DOC_END
4cc6eb12 6211
41bd17a4 6212NAME: vary_ignore_expire
6213COMMENT: on|off
6214TYPE: onoff
6215LOC: Config.onoff.vary_ignore_expire
6216DEFAULT: off
6217DOC_START
6218 Many HTTP servers supporting Vary gives such objects
6219 immediate expiry time with no cache-control header
6220 when requested by a HTTP/1.0 client. This option
6221 enables Squid to ignore such expiry times until
6222 HTTP/1.1 is fully implemented.
7e73cd78
AJ		 6223
6224 WARNING: If turned on this may eventually cause some
6225 varying objects not intended for caching to get cached.
cccac0a2 6226DOC_END
c4ab8329 6227
41bd17a4 6228NAME: request_entities
6229TYPE: onoff
6230LOC: Config.onoff.request_entities
6231DEFAULT: off
6232DOC_START
6233 Squid defaults to deny GET and HEAD requests with request entities,
6234 as the meaning of such requests are undefined in the HTTP standard
6235 even if not explicitly forbidden.
0976f8db 6236
41bd17a4 6237 Set this directive to on if you have clients which insists
6238 on sending request entities in GET or HEAD requests. But be warned
6239 that there is server software (both proxies and web servers) which
6240 can fail to properly process this kind of request which may make you
6241 vulnerable to cache pollution attacks if enabled.
cccac0a2 6242DOC_END
6b53c392 6243
41bd17a4 6244NAME: request_header_access
626096be 6245IFDEF: USE_HTTP_VIOLATIONS
3b07476b 6246TYPE: http_header_access
41bd17a4 6247LOC: Config.request_header_access
cccac0a2 6248DEFAULT: none
638402dd 6249DEFAULT_DOC: No limits.
cccac0a2 6250DOC_START
41bd17a4 6251 Usage: request_header_access header_name allow|deny [!]aclname ...
0976f8db 6252
41bd17a4 6253 WARNING: Doing this VIOLATES the HTTP standard. Enabling
6254 this feature could make you liable for problems which it
6255 causes.
0976f8db 6256
41bd17a4 6257 This option replaces the old 'anonymize_headers' and the
6258 older 'http_anonymizer' option with something that is much
3b07476b
CT		 6259 more configurable. A list of ACLs for each header name allows
6260 removal of specific header fields under specific conditions.
6261
6262 This option only applies to outgoing HTTP request headers (i.e.,
6263 headers sent by Squid to the next HTTP hop such as a cache peer
6264 or an origin server). The option has no effect during cache hit
6265 detection. The equivalent adaptation vectoring point in ICAP
6266 terminology is post-cache REQMOD.
6267
6268 The option is applied to individual outgoing request header
6269 fields. For each request header field F, Squid uses the first
6270 qualifying sets of request_header_access rules:
6271
6272 1. Rules with header_name equal to F's name.
6273 2. Rules with header_name 'Other', provided F's name is not
6274 on the hard-coded list of commonly used HTTP header names.
6275 3. Rules with header_name 'All'.
6276
6277 Within that qualifying rule set, rule ACLs are checked as usual.
6278 If ACLs of an "allow" rule match, the header field is allowed to
6279 go through as is. If ACLs of a "deny" rule match, the header is
6280 removed and request_header_replace is then checked to identify
6281 if the removed header has a replacement. If no rules within the
6282 set have matching ACLs, the header field is left as is.
5401aa8d 6283
41bd17a4 6284 For example, to achieve the same behavior as the old
6285 'http_anonymizer standard' option, you should use:
5401aa8d 6286
41bd17a4 6287 request_header_access From deny all
6288 request_header_access Referer deny all
41bd17a4 6289 request_header_access User-Agent deny all
5401aa8d 6290
41bd17a4 6291 Or, to reproduce the old 'http_anonymizer paranoid' feature
6292 you should use:
5401aa8d 6293
41bd17a4 6294 request_header_access Authorization allow all
41bd17a4 6295 request_header_access Proxy-Authorization allow all
41bd17a4 6296 request_header_access Cache-Control allow all
41bd17a4 6297 request_header_access Content-Length allow all
6298 request_header_access Content-Type allow all
6299 request_header_access Date allow all
41bd17a4 6300 request_header_access Host allow all
6301 request_header_access If-Modified-Since allow all
41bd17a4 6302 request_header_access Pragma allow all
6303 request_header_access Accept allow all
6304 request_header_access Accept-Charset allow all
6305 request_header_access Accept-Encoding allow all
6306 request_header_access Accept-Language allow all
41bd17a4 6307 request_header_access Connection allow all
41bd17a4 6308 request_header_access All deny all
5401aa8d 6309
638402dd 6310 HTTP reply headers are controlled with the reply_header_access directive.
5401aa8d 6311
638402dd 6312 By default, all headers are allowed (no anonymizing is performed).
5401aa8d 6313DOC_END
6314
41bd17a4 6315NAME: reply_header_access
626096be 6316IFDEF: USE_HTTP_VIOLATIONS
3b07476b 6317TYPE: http_header_access
41bd17a4 6318LOC: Config.reply_header_access
cccac0a2 6319DEFAULT: none
638402dd 6320DEFAULT_DOC: No limits.
cccac0a2 6321DOC_START
41bd17a4 6322 Usage: reply_header_access header_name allow|deny [!]aclname ...
934b03fc 6323
41bd17a4 6324 WARNING: Doing this VIOLATES the HTTP standard. Enabling
6325 this feature could make you liable for problems which it
6326 causes.
934b03fc 6327
41bd17a4 6328 This option only applies to reply headers, i.e., from the
6329 server to the client.
934b03fc 6330
41bd17a4 6331 This is the same as request_header_access, but in the other
3b07476b
CT		 6332 direction. Please see request_header_access for detailed
6333 documentation.
cccac0a2 6334
41bd17a4 6335 For example, to achieve the same behavior as the old
6336 'http_anonymizer standard' option, you should use:
cccac0a2 6337
41bd17a4 6338 reply_header_access Server deny all
41bd17a4 6339 reply_header_access WWW-Authenticate deny all
6340 reply_header_access Link deny all
cccac0a2 6341
41bd17a4 6342 Or, to reproduce the old 'http_anonymizer paranoid' feature
6343 you should use:
cccac0a2 6344
41bd17a4 6345 reply_header_access Allow allow all
41bd17a4 6346 reply_header_access WWW-Authenticate allow all
41bd17a4 6347 reply_header_access Proxy-Authenticate allow all
6348 reply_header_access Cache-Control allow all
6349 reply_header_access Content-Encoding allow all
6350 reply_header_access Content-Length allow all
6351 reply_header_access Content-Type allow all
6352 reply_header_access Date allow all
6353 reply_header_access Expires allow all
41bd17a4 6354 reply_header_access Last-Modified allow all
6355 reply_header_access Location allow all
6356 reply_header_access Pragma allow all
41bd17a4 6357 reply_header_access Content-Language allow all
41bd17a4 6358 reply_header_access Retry-After allow all
6359 reply_header_access Title allow all
638402dd 6360 reply_header_access Content-Disposition allow all
41bd17a4 6361 reply_header_access Connection allow all
41bd17a4 6362 reply_header_access All deny all
cccac0a2 6363
638402dd 6364 HTTP request headers are controlled with the request_header_access directive.
cccac0a2 6365
41bd17a4 6366 By default, all headers are allowed (no anonymizing is
6367 performed).
cccac0a2 6368DOC_END
6369
75e4f2ea 6370NAME: request_header_replace header_replace
626096be 6371IFDEF: USE_HTTP_VIOLATIONS
3b07476b 6372TYPE: http_header_replace
41bd17a4 6373LOC: Config.request_header_access
cccac0a2 6374DEFAULT: none
41bd17a4 6375DOC_START
75e4f2ea
MB		 6376 Usage: request_header_replace header_name message
6377 Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
cccac0a2 6378
41bd17a4 6379 This option allows you to change the contents of headers
75e4f2ea 6380 denied with request_header_access above, by replacing them
638402dd 6381 with some fixed string.
cccac0a2 6382
41bd17a4 6383 This only applies to request headers, not reply headers.
cccac0a2 6384
41bd17a4 6385 By default, headers are removed if denied.
6386DOC_END
cccac0a2 6387
75e4f2ea
MB		 6388NAME: reply_header_replace
6389IFDEF: USE_HTTP_VIOLATIONS
3b07476b 6390TYPE: http_header_replace
75e4f2ea
MB		 6391LOC: Config.reply_header_access
6392DEFAULT: none
6393DOC_START
6394 Usage: reply_header_replace header_name message
6395 Example: reply_header_replace Server Foo/1.0
6396
6397 This option allows you to change the contents of headers
6398 denied with reply_header_access above, by replacing them
6399 with some fixed string.
6400
6401 This only applies to reply headers, not request headers.
6402
6403 By default, headers are removed if denied.
6404DOC_END
6405
f4698e0b
CT		 6406NAME: request_header_add
6407TYPE: HeaderWithAclList
6408LOC: Config.request_header_add
6409DEFAULT: none
6410DOC_START
cde8f31b 6411 Usage: request_header_add field-name field-value [ acl ... ]
f4698e0b
CT		 6412 Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
6413
6414 This option adds header fields to outgoing HTTP requests (i.e.,
6415 request headers sent by Squid to the next HTTP hop such as a
6416 cache peer or an origin server). The option has no effect during
6417 cache hit detection. The equivalent adaptation vectoring point
6418 in ICAP terminology is post-cache REQMOD.
6419
6420 Field-name is a token specifying an HTTP header name. If a
6421 standard HTTP header name is used, Squid does not check whether
6422 the new header conflicts with any existing headers or violates
6423 HTTP rules. If the request to be modified already contains a
6424 field with the same name, the old field is preserved but the
6425 header field values are not merged.
6426
6427 Field-value is either a token or a quoted string. If quoted
6428 string format is used, then the surrounding quotes are removed
6429 while escape sequences and %macros are processed.
6430
f4698e0b
CT		 6431 One or more Squid ACLs may be specified to restrict header
6432 injection to matching requests. As always in squid.conf, all
cde8f31b
NH		 6433 ACLs in the ACL list must be satisfied for the insertion to
6434 happen. The request_header_add supports fast ACLs only.
6435
6436 See also: reply_header_add.
6437DOC_END
6438
6439NAME: reply_header_add
6440TYPE: HeaderWithAclList
6441LOC: Config.reply_header_add
6442DEFAULT: none
6443DOC_START
6444 Usage: reply_header_add field-name field-value [ acl ... ]
6445 Example: reply_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
6446
6447 This option adds header fields to outgoing HTTP responses (i.e., response
6448 headers delivered by Squid to the client). This option has no effect on
6449 cache hit detection. The equivalent adaptation vectoring point in
6450 ICAP terminology is post-cache RESPMOD. This option does not apply to
6451 successful CONNECT replies.
6452
6453 Field-name is a token specifying an HTTP header name. If a
6454 standard HTTP header name is used, Squid does not check whether
6455 the new header conflicts with any existing headers or violates
6456 HTTP rules. If the response to be modified already contains a
6457 field with the same name, the old field is preserved but the
6458 header field values are not merged.
6459
6460 Field-value is either a token or a quoted string. If quoted
6461 string format is used, then the surrounding quotes are removed
6462 while escape sequences and %macros are processed.
6463
6464 One or more Squid ACLs may be specified to restrict header
6465 injection to matching responses. As always in squid.conf, all
6466 ACLs in the ACL list must be satisfied for the insertion to
6467 happen. The reply_header_add option supports fast ACLs only.
6468
6469 See also: request_header_add.
f4698e0b
CT		 6470DOC_END
6471
d7f4a0b7
CT		 6472NAME: note
6473TYPE: note
6474LOC: Config.notes
6475DEFAULT: none
6476DOC_START
6477 This option used to log custom information about the master
6478 transaction. For example, an admin may configure Squid to log
6479 which "user group" the transaction belongs to, where "user group"
6480 will be determined based on a set of ACLs and not [just]
6481 authentication information.
6482 Values of key/value pairs can be logged using %{key}note macros:
6483
6484 note key value acl ...
6485 logformat myFormat ... %{key}note ...
6486DOC_END
6487
41bd17a4 6488NAME: relaxed_header_parser
6489COMMENT: on|off|warn
6490TYPE: tristate
6491LOC: Config.onoff.relaxed_header_parser
6492DEFAULT: on
6493DOC_START
6494 In the default "on" setting Squid accepts certain forms
6495 of non-compliant HTTP messages where it is unambiguous
6496 what the sending application intended even if the message
6497 is not correctly formatted. The messages is then normalized
6498 to the correct form when forwarded by Squid.
cccac0a2 6499
41bd17a4 6500 If set to "warn" then a warning will be emitted in cache.log
6501 each time such HTTP error is encountered.
cccac0a2 6502
41bd17a4 6503 If set to "off" then such HTTP errors will cause the request
6504 or response to be rejected.
6505DOC_END
7d90757b 6506
55eae904
AR		 6507NAME: collapsed_forwarding
6508COMMENT: (on|off)
6509TYPE: onoff
6510LOC: Config.onoff.collapsed_forwarding
6511DEFAULT: off
6512DOC_START
6513 This option controls whether Squid is allowed to merge multiple
6514 potentially cachable requests for the same URI before Squid knows
6515 whether the response is going to be cachable.
6516
1a210de4
EB		 6517 When enabled, instead of forwarding each concurrent request for
6518 the same URL, Squid just sends the first of them. The other, so
6519 called "collapsed" requests, wait for the response to the first
6520 request and, if it happens to be cachable, use that response.
6521 Here, "concurrent requests" means "received after the first
6522 request headers were parsed and before the corresponding response
6523 headers were parsed".
6524
6525 This feature is disabled by default: enabling collapsed
6526 forwarding needlessly delays forwarding requests that look
6527 cachable (when they are collapsed) but then need to be forwarded
6528 individually anyway because they end up being for uncachable
6529 content. However, in some cases, such as acceleration of highly
6530 cachable content with periodic or grouped expiration times, the
6531 gains from collapsing [large volumes of simultaneous refresh
6532 requests] outweigh losses from such delays.
6533
6534 Squid collapses two kinds of requests: regular client requests
6535 received on one of the listening ports and internal "cache
6536 revalidation" requests which are triggered by those regular
6537 requests hitting a stale cached object. Revalidation collapsing
6538 is currently disabled for Squid instances containing SMP-aware
6539 disk or memory caches and for Vary-controlled cached objects.
55eae904
AR		 6540DOC_END
6541
8f7dbf74
DD		 6542NAME: collapsed_forwarding_shared_entries_limit
6543COMMENT: (number of entries)
6544TYPE: int64_t
6545LOC: Config.collapsed_forwarding_shared_entries_limit
6546DEFAULT: 16384
6547DOC_START
6548 This limits the size of a table used for sharing information
6549 about collapsible entries among SMP workers. Limiting sharing
6550 too much results in cache content duplication and missed
6551 collapsing opportunities. Using excessively large values
6552 wastes shared memory.
6553
6554 The limit should be significantly larger then the number of
6555 concurrent collapsible entries one wants to share. For a cache
6556 that handles less than 5000 concurrent requests, the default
6557 setting of 16384 should be plenty.
6558
6559 If the limit is set to zero, it disables sharing of collapsed
6560 forwarding between SMP workers.
6561DOC_END
6562
41bd17a4 6563COMMENT_START
6564 TIMEOUTS
6565 -----------------------------------------------------------------------------
6566COMMENT_END
6567
6568NAME: forward_timeout
6569COMMENT: time-units
6570TYPE: time_t
6571LOC: Config.Timeout.forward
6572DEFAULT: 4 minutes
6573DOC_START
6574 This parameter specifies how long Squid should at most attempt in
6575 finding a forwarding path for the request before giving up.
cccac0a2 6576DOC_END
6577
41bd17a4 6578NAME: connect_timeout
6579COMMENT: time-units
6580TYPE: time_t
6581LOC: Config.Timeout.connect
6582DEFAULT: 1 minute
057f5854 6583DOC_START
41bd17a4 6584 This parameter specifies how long to wait for the TCP connect to
6585 the requested server or peer to complete before Squid should
6586 attempt to find another path where to forward the request.
057f5854 6587DOC_END
6588
41bd17a4 6589NAME: peer_connect_timeout
6590COMMENT: time-units
6591TYPE: time_t
6592LOC: Config.Timeout.peer_connect
6593DEFAULT: 30 seconds
cccac0a2 6594DOC_START
41bd17a4 6595 This parameter specifies how long to wait for a pending TCP
6596 connection to a peer cache. The default is 30 seconds. You
6597 may also set different timeout values for individual neighbors
6598 with the 'connect-timeout' option on a 'cache_peer' line.
6599DOC_END
7f7db318 6600
41bd17a4 6601NAME: read_timeout
6602COMMENT: time-units
6603TYPE: time_t
6604LOC: Config.Timeout.read
6605DEFAULT: 15 minutes
6606DOC_START
d5430dc8
AJ		 6607 Applied on peer server connections.
6608
6609 After each successful read(), the timeout will be extended by this
41bd17a4 6610 amount. If no data is read again after this amount of time,
d5430dc8
AJ		 6611 the request is aborted and logged with ERR_READ_TIMEOUT.
6612
6613 The default is 15 minutes.
41bd17a4 6614DOC_END
cccac0a2 6615
5ef5e5cc
AJ		 6616NAME: write_timeout
6617COMMENT: time-units
6618TYPE: time_t
6619LOC: Config.Timeout.write
6620DEFAULT: 15 minutes
6621DOC_START
6622 This timeout is tracked for all connections that have data
6623 available for writing and are waiting for the socket to become
6624 ready. After each successful write, the timeout is extended by
6625 the configured amount. If Squid has data to write but the
6626 connection is not ready for the configured duration, the
6627 transaction associated with the connection is terminated. The
6628 default is 15 minutes.
6629DOC_END
6630
41bd17a4 6631NAME: request_timeout
6632TYPE: time_t
6633LOC: Config.Timeout.request
6634DEFAULT: 5 minutes
6635DOC_START
6b2a2108 6636 How long to wait for complete HTTP request headers after initial
41bd17a4 6637 connection establishment.
6638DOC_END
cccac0a2 6639
3248e962
CT		 6640NAME: request_start_timeout
6641TYPE: time_t
6642LOC: Config.Timeout.request_start_timeout
6643DEFAULT: 5 minutes
6644DOC_START
6645 How long to wait for the first request byte after initial
6646 connection establishment.
6647DOC_END
6648
97b32442 6649NAME: client_idle_pconn_timeout persistent_request_timeout
41bd17a4 6650TYPE: time_t
97b32442 6651LOC: Config.Timeout.clientIdlePconn
41bd17a4 6652DEFAULT: 2 minutes
6653DOC_START
6654 How long to wait for the next HTTP request on a persistent
97b32442 6655 client connection after the previous request completes.
41bd17a4 6656DOC_END
cccac0a2 6657
f6e8754a
AR		 6658NAME: ftp_client_idle_timeout
6659TYPE: time_t
6660LOC: Config.Timeout.ftpClientIdle
6661DEFAULT: 30 minutes
6662DOC_START
6663 How long to wait for an FTP request on a connection to Squid ftp_port.
6664 Many FTP clients do not deal with idle connection closures well,
6665 necessitating a longer default timeout than client_idle_pconn_timeout
6666 used for incoming HTTP requests.
6667DOC_END
6668
41bd17a4 6669NAME: client_lifetime
6670COMMENT: time-units
6671TYPE: time_t
6672LOC: Config.Timeout.lifetime
6673DEFAULT: 1 day
6674DOC_START
6675 The maximum amount of time a client (browser) is allowed to
6676 remain connected to the cache process. This protects the Cache
6677 from having a lot of sockets (and hence file descriptors) tied up
6678 in a CLOSE_WAIT state from remote clients that go away without
6679 properly shutting down (either because of a network failure or
6680 because of a poor client implementation). The default is one
6681 day, 1440 minutes.
7d90757b 6682
41bd17a4 6683 NOTE: The default value is intended to be much larger than any
6684 client would ever need to be connected to your cache. You
6685 should probably change client_lifetime only as a last resort.
6686 If you seem to have many client connections tying up
6687 filedescriptors, we recommend first tuning the read_timeout,
6688 request_timeout, persistent_request_timeout and quick_abort values.
cccac0a2 6689DOC_END
6690
c5c06f02
CT		 6691NAME: pconn_lifetime
6692COMMENT: time-units
6693TYPE: time_t
6694LOC: Config.Timeout.pconnLifetime
6695DEFAULT: 0 seconds
6696DOC_START
6697 Desired maximum lifetime of a persistent connection.
6698 When set, Squid will close a now-idle persistent connection that
6699 exceeded configured lifetime instead of moving the connection into
6700 the idle connection pool (or equivalent). No effect on ongoing/active
6701 transactions. Connection lifetime is the time period from the
6702 connection acceptance or opening time until "now".
6703
6704 This limit is useful in environments with long-lived connections
6705 where Squid configuration or environmental factors change during a
6706 single connection lifetime. If unrestricted, some connections may
6707 last for hours and even days, ignoring those changes that should
6708 have affected their behavior or their existence.
6709
6710 Currently, a new lifetime value supplied via Squid reconfiguration
6711 has no effect on already idle connections unless they become busy.
6712
6713 When set to '0' this limit is not used.
6714DOC_END
6715
41bd17a4 6716NAME: half_closed_clients
6717TYPE: onoff
6718LOC: Config.onoff.half_closed_clients
0c2f5c4f 6719DEFAULT: off
4eb368f9 6720DOC_START
41bd17a4 6721 Some clients may shutdown the sending side of their TCP
6722 connections, while leaving their receiving sides open. Sometimes,
6723 Squid can not tell the difference between a half-closed and a
0c2f5c4f
AJ		 6724 fully-closed TCP connection.
6725
6726 By default, Squid will immediately close client connections when
6727 read(2) returns "no more data to read."
6728
abdf1651 6729 Change this option to 'on' and Squid will keep open connections
0c2f5c4f
AJ		 6730 until a read(2) or write(2) on the socket returns an error.
6731 This may show some benefits for reverse proxies. But if not
6732 it is recommended to leave OFF.
4eb368f9 6733DOC_END
6734
97b32442 6735NAME: server_idle_pconn_timeout pconn_timeout
41bd17a4 6736TYPE: time_t
97b32442 6737LOC: Config.Timeout.serverIdlePconn
41bd17a4 6738DEFAULT: 1 minute
cccac0a2 6739DOC_START
41bd17a4 6740 Timeout for idle persistent connections to servers and other
6741 proxies.
6742DOC_END
cccac0a2 6743
41bd17a4 6744NAME: ident_timeout
6745TYPE: time_t
6746IFDEF: USE_IDENT
4daaf3cb 6747LOC: Ident::TheConfig.timeout
41bd17a4 6748DEFAULT: 10 seconds
6749DOC_START
6750 Maximum time to wait for IDENT lookups to complete.
cccac0a2 6751
41bd17a4 6752 If this is too high, and you enabled IDENT lookups from untrusted
6753 users, you might be susceptible to denial-of-service by having
6754 many ident requests going at once.
cccac0a2 6755DOC_END
6756
41bd17a4 6757NAME: shutdown_lifetime
6758COMMENT: time-units
6759TYPE: time_t
6760LOC: Config.shutdownLifetime
6761DEFAULT: 30 seconds
cccac0a2 6762DOC_START
41bd17a4 6763 When SIGTERM or SIGHUP is received, the cache is put into
6764 "shutdown pending" mode until all active sockets are closed.
6765 This value is the lifetime to set for all open descriptors
6766 during shutdown mode. Any active clients after this many
6767 seconds will receive a 'timeout' message.
cccac0a2 6768DOC_END
0976f8db 6769
cccac0a2 6770COMMENT_START
6771 ADMINISTRATIVE PARAMETERS
6772 -----------------------------------------------------------------------------
6773COMMENT_END
6774
6775NAME: cache_mgr
6776TYPE: string
6777DEFAULT: webmaster
6778LOC: Config.adminEmail
6779DOC_START
6780 Email-address of local cache manager who will receive
638402dd 6781 mail if the cache dies. The default is "webmaster".
cccac0a2 6782DOC_END
6783
abacf776 6784NAME: mail_from
6785TYPE: string
6786DEFAULT: none
6787LOC: Config.EmailFrom
6788DOC_START
6789 From: email-address for mail sent when the cache dies.
638402dd
AJ		 6790 The default is to use 'squid@unique_hostname'.
6791
6792 See also: unique_hostname directive.
abacf776 6793DOC_END
6794
d084bf20 6795NAME: mail_program
6796TYPE: eol
6797DEFAULT: mail
6798LOC: Config.EmailProgram
6799DOC_START
6800 Email program used to send mail if the cache dies.
846a5e31 6801 The default is "mail". The specified program must comply
d084bf20 6802 with the standard Unix mail syntax:
846a5e31 6803 mail-program recipient < mailfile
6804
d084bf20 6805 Optional command line options can be specified.
6806DOC_END
6807
cccac0a2 6808NAME: cache_effective_user
6809TYPE: string
5483d916 6810DEFAULT: @DEFAULT_CACHE_EFFECTIVE_USER@
cccac0a2 6811LOC: Config.effectiveUser
e3d74828 6812DOC_START
6813 If you start Squid as root, it will change its effective/real
6814 UID/GID to the user specified below. The default is to change
5483d916 6815 to UID of @DEFAULT_CACHE_EFFECTIVE_USER@.
64e288bd 6816 see also; cache_effective_group
e3d74828 6817DOC_END
6818
cccac0a2 6819NAME: cache_effective_group
6820TYPE: string
6821DEFAULT: none
638402dd 6822DEFAULT_DOC: Use system group memberships of the cache_effective_user account
cccac0a2 6823LOC: Config.effectiveGroup
6824DOC_START
64e288bd 6825 Squid sets the GID to the effective user's default group ID
6826 (taken from the password file) and supplementary group list
6827 from the groups membership.
6828
e3d74828 6829 If you want Squid to run with a specific GID regardless of
6830 the group memberships of the effective user then set this
6831 to the group (or GID) you want Squid to run as. When set
64e288bd 6832 all other group privileges of the effective user are ignored
e3d74828 6833 and only this GID is effective. If Squid is not started as
64e288bd 6834 root the user starting Squid MUST be member of the specified
e3d74828 6835 group.
64e288bd 6836
6837 This option is not recommended by the Squid Team.
6838 Our preference is for administrators to configure a secure
6839 user account for squid with UID/GID matching system policies.
cccac0a2 6840DOC_END
6841
d3caee79 6842NAME: httpd_suppress_version_string
6843COMMENT: on|off
6844TYPE: onoff
6845DEFAULT: off
6846LOC: Config.onoff.httpd_suppress_version_string
6847DOC_START
6848 Suppress Squid version string info in HTTP headers and HTML error pages.
6849DOC_END
6850
cccac0a2 6851NAME: visible_hostname
6852TYPE: string
6853LOC: Config.visibleHostname
6854DEFAULT: none
638402dd 6855DEFAULT_DOC: Automatically detect the system host name
cccac0a2 6856DOC_START
6857 If you want to present a special hostname in error messages, etc,
7f7db318 6858 define this. Otherwise, the return value of gethostname()
cccac0a2 6859 will be used. If you have multiple caches in a cluster and
6860 get errors about IP-forwarding you must set them to have individual
6861 names with this setting.
6862DOC_END
6863
cccac0a2 6864NAME: unique_hostname
6865TYPE: string
6866LOC: Config.uniqueHostname
6867DEFAULT: none
638402dd 6868DEFAULT_DOC: Copy the value from visible_hostname
cccac0a2 6869DOC_START
6870 If you want to have multiple machines with the same
7f7db318 6871 'visible_hostname' you must give each machine a different
6872 'unique_hostname' so forwarding loops can be detected.
cccac0a2 6873DOC_END
6874
cccac0a2 6875NAME: hostname_aliases
6876TYPE: wordlist
6877LOC: Config.hostnameAliases
6878DEFAULT: none
6879DOC_START
7f7db318 6880 A list of other DNS names your cache has.
cccac0a2 6881DOC_END
0976f8db 6882
c642c141
AJ		 6883NAME: umask
6884TYPE: int
6885LOC: Config.umask
6886DEFAULT: 027
6887DOC_START
6888 Minimum umask which should be enforced while the proxy
6889 is running, in addition to the umask set at startup.
6890
6891 For a traditional octal representation of umasks, start
6892 your value with 0.
6893DOC_END
6894
cccac0a2 6895COMMENT_START
6896 OPTIONS FOR THE CACHE REGISTRATION SERVICE
6897 -----------------------------------------------------------------------------
6898
6899 This section contains parameters for the (optional) cache
6900 announcement service. This service is provided to help
6901 cache administrators locate one another in order to join or
6902 create cache hierarchies.
6903
6904 An 'announcement' message is sent (via UDP) to the registration
6905 service by Squid. By default, the announcement message is NOT
6906 SENT unless you enable it with 'announce_period' below.
6907
6908 The announcement message includes your hostname, plus the
6909 following information from this configuration file:
6910
6911 http_port
6912 icp_port
6913 cache_mgr
6914
6915 All current information is processed regularly and made
6916 available on the Web at http://www.ircache.net/Cache/Tracker/.
6917COMMENT_END
6918
6919NAME: announce_period
6920TYPE: time_t
6921LOC: Config.Announce.period
6922DEFAULT: 0
638402dd 6923DEFAULT_DOC: Announcement messages disabled.
cccac0a2 6924DOC_START
638402dd 6925 This is how frequently to send cache announcements.
cccac0a2 6926
e0855596 6927 To enable announcing your cache, just set an announce period.
cccac0a2 6928
e0855596
AJ		 6929 Example:
6930 announce_period 1 day
cccac0a2 6931DOC_END
6932
cccac0a2 6933NAME: announce_host
6934TYPE: string
6935DEFAULT: tracker.ircache.net
6936LOC: Config.Announce.host
638402dd
AJ		 6937DOC_START
6938 Set the hostname where announce registration messages will be sent.
6939
6940 See also announce_port and announce_file
6941DOC_END
cccac0a2 6942
6943NAME: announce_file
6944TYPE: string
6945DEFAULT: none
6946LOC: Config.Announce.file
638402dd
AJ		 6947DOC_START
6948 The contents of this file will be included in the announce
6949 registration messages.
6950DOC_END
cccac0a2 6951
6952NAME: announce_port
ae870270 6953TYPE: u_short
cccac0a2 6954DEFAULT: 3131
6955LOC: Config.Announce.port
6956DOC_START
638402dd 6957 Set the port where announce registration messages will be sent.
cccac0a2 6958
638402dd 6959 See also announce_host and announce_file
cccac0a2 6960DOC_END
6961
8d6275c0 6962COMMENT_START
6963 HTTPD-ACCELERATOR OPTIONS
6964 -----------------------------------------------------------------------------
6965COMMENT_END
6966
cccac0a2 6967NAME: httpd_accel_surrogate_id
cccac0a2 6968TYPE: string
b2b40d8c 6969DEFAULT: none
638402dd 6970DEFAULT_DOC: visible_hostname is used if no specific ID is set.
cccac0a2 6971LOC: Config.Accel.surrogate_id
cccac0a2 6972DOC_START
6973 Surrogates (http://www.esi.org/architecture_spec_1.0.html)
6974 need an identification token to allow control targeting. Because
6975 a farm of surrogates may all perform the same tasks, they may share
6976 an identification token.
6977DOC_END
6978
6979NAME: http_accel_surrogate_remote
cccac0a2 6980COMMENT: on|off
6981TYPE: onoff
6982DEFAULT: off
6983LOC: Config.onoff.surrogate_is_remote
6984DOC_START
638402dd
AJ		 6985 Remote surrogates (such as those in a CDN) honour the header
6986 "Surrogate-Control: no-store-remote".
6987
cccac0a2 6988 Set this to on to have squid behave as a remote surrogate.
6989DOC_END
6990
6991NAME: esi_parser
f41735ea 6992IFDEF: USE_SQUID_ESI
964b44c3 6993COMMENT: libxml2|expat|custom
cccac0a2 6994TYPE: string
6995LOC: ESIParser::Type
6996DEFAULT: custom
6997DOC_START
6998 ESI markup is not strictly XML compatible. The custom ESI parser
6999 will give higher performance, but cannot handle non ASCII character
7000 encodings.
7001DOC_END
0976f8db 7002
9edd9041 7003COMMENT_START
8d6275c0 7004 DELAY POOL PARAMETERS
9edd9041 7005 -----------------------------------------------------------------------------
7006COMMENT_END
7007
7008NAME: delay_pools
7009TYPE: delay_pool_count
7010DEFAULT: 0
9a0a18de 7011IFDEF: USE_DELAY_POOLS
9edd9041 7012LOC: Config.Delay
7013DOC_START
7014 This represents the number of delay pools to be used. For example,
7015 if you have one class 2 delay pool and one class 3 delays pool, you
7016 have a total of 2 delay pools.
638402dd
AJ		 7017
7018 See also delay_parameters, delay_class, delay_access for pool
7019 configuration details.
9edd9041 7020DOC_END
7021
7022NAME: delay_class
7023TYPE: delay_pool_class
7024DEFAULT: none
9a0a18de 7025IFDEF: USE_DELAY_POOLS
9edd9041 7026LOC: Config.Delay
7027DOC_START
7028 This defines the class of each delay pool. There must be exactly one
7029 delay_class line for each delay pool. For example, to define two
7030 delay pools, one of class 2 and one of class 3, the settings above
7031 and here would be:
7032
b1fb3348
AJ		 7033 Example:
7034 delay_pools 4 # 4 delay pools
7035 delay_class 1 2 # pool 1 is a class 2 pool
7036 delay_class 2 3 # pool 2 is a class 3 pool
7037 delay_class 3 4 # pool 3 is a class 4 pool
7038 delay_class 4 5 # pool 4 is a class 5 pool
9edd9041 7039
7040 The delay pool classes are:
7041
7042 class 1 Everything is limited by a single aggregate
7043 bucket.
7044
7045 class 2 Everything is limited by a single aggregate
7046 bucket as well as an "individual" bucket chosen
b1fb3348 7047 from bits 25 through 32 of the IPv4 address.
9edd9041 7048
7049 class 3 Everything is limited by a single aggregate
7050 bucket as well as a "network" bucket chosen
7051 from bits 17 through 24 of the IP address and a
7052 "individual" bucket chosen from bits 17 through
b1fb3348 7053 32 of the IPv4 address.
9edd9041 7054
7055 class 4 Everything in a class 3 delay pool, with an
7056 additional limit on a per user basis. This
7057 only takes effect if the username is established
7058 in advance - by forcing authentication in your
7059 http_access rules.
7060
7061 class 5 Requests are grouped according their tag (see
7062 external_acl's tag= reply).
7063
0b68481a
AJ		 7064
7065 Each pool also requires a delay_parameters directive to configure the pool size
7066 and speed limits used whenever the pool is applied to a request. Along with
7067 a set of delay_access directives to determine when it is used.
7068
9edd9041 7069 NOTE: If an IP address is a.b.c.d
7070 -> bits 25 through 32 are "d"
7071 -> bits 17 through 24 are "c"
7072 -> bits 17 through 32 are "c * 256 + d"
b1fb3348
AJ		 7073
7074 NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
7075 IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
638402dd
AJ		 7076
7077 This clause only supports fast acl types.
7078 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
7079
7080 See also delay_parameters and delay_access.
9edd9041 7081DOC_END
7082
7083NAME: delay_access
7084TYPE: delay_pool_access
7085DEFAULT: none
638402dd 7086DEFAULT_DOC: Deny using the pool, unless allow rules exist in squid.conf for the pool.
9a0a18de 7087IFDEF: USE_DELAY_POOLS
9edd9041 7088LOC: Config.Delay
7089DOC_START
7090 This is used to determine which delay pool a request falls into.
7091
7092 delay_access is sorted per pool and the matching starts with pool 1,
7093 then pool 2, ..., and finally pool N. The first delay pool where the
7094 request is allowed is selected for the request. If it does not allow
7095 the request to any pool then the request is not delayed (default).
7096
7097 For example, if you want some_big_clients in delay
7098 pool 1 and lotsa_little_clients in delay pool 2:
7099
638402dd
AJ		 7100 delay_access 1 allow some_big_clients
7101 delay_access 1 deny all
7102 delay_access 2 allow lotsa_little_clients
7103 delay_access 2 deny all
7104 delay_access 3 allow authenticated_clients
7105
7106 See also delay_parameters and delay_class.
7107
9edd9041 7108DOC_END
7109
7110NAME: delay_parameters
7111TYPE: delay_pool_rates
7112DEFAULT: none
9a0a18de 7113IFDEF: USE_DELAY_POOLS
9edd9041 7114LOC: Config.Delay
7115DOC_START
7116 This defines the parameters for a delay pool. Each delay pool has
7117 a number of "buckets" associated with it, as explained in the
0b68481a 7118 description of delay_class.
9edd9041 7119
0b68481a 7120 For a class 1 delay pool, the syntax is:
6e7502cc 7121 delay_class pool 1
0b68481a 7122 delay_parameters pool aggregate
9edd9041 7123
7124 For a class 2 delay pool:
6e7502cc 7125 delay_class pool 2
0b68481a 7126 delay_parameters pool aggregate individual
9edd9041 7127
7128 For a class 3 delay pool:
6e7502cc 7129 delay_class pool 3
0b68481a 7130 delay_parameters pool aggregate network individual
9edd9041 7131
7132 For a class 4 delay pool:
6e7502cc 7133 delay_class pool 4
0b68481a 7134 delay_parameters pool aggregate network individual user
9edd9041 7135
7136 For a class 5 delay pool:
6e7502cc 7137 delay_class pool 5
0b68481a 7138 delay_parameters pool tagrate
9edd9041 7139
0b68481a 7140 The option variables are:
9edd9041 7141
7142 pool a pool number - ie, a number between 1 and the
7143 number specified in delay_pools as used in
7144 delay_class lines.
7145
fdb47ac6 7146 aggregate the speed limit parameters for the aggregate bucket
9edd9041 7147 (class 1, 2, 3).
7148
fdb47ac6 7149 individual the speed limit parameters for the individual
9edd9041 7150 buckets (class 2, 3).
7151
fdb47ac6 7152 network the speed limit parameters for the network buckets
9edd9041 7153 (class 3).
7154
fdb47ac6 7155 user the speed limit parameters for the user buckets
9edd9041 7156 (class 4).
7157
fdb47ac6 7158 tagrate the speed limit parameters for the tag buckets
9edd9041 7159 (class 5).
7160
7161 A pair of delay parameters is written restore/maximum, where restore is
7162 the number of bytes (not bits - modem and network speeds are usually
7163 quoted in bits) per second placed into the bucket, and maximum is the
7164 maximum number of bytes which can be in the bucket at any time.
7165
0b68481a
AJ		 7166 There must be one delay_parameters line for each delay pool.
7167
7168
9edd9041 7169 For example, if delay pool number 1 is a class 2 delay pool as in the
0b68481a 7170 above example, and is being used to strictly limit each host to 64Kbit/sec
9edd9041 7171 (plus overheads), with no overall limit, the line is:
7172
6e7502cc 7173 delay_parameters 1 none 8000/8000
0b68481a 7174
c3e31a3a 7175 Note that 8 x 8K Byte/sec -> 64K bit/sec.
9edd9041 7176
6e7502cc 7177 Note that the word 'none' is used to represent no limit.
9edd9041 7178
0b68481a 7179
9edd9041 7180 And, if delay pool number 2 is a class 3 delay pool as in the above
0b68481a
AJ		 7181 example, and you want to limit it to a total of 256Kbit/sec (strict limit)
7182 with each 8-bit network permitted 64Kbit/sec (strict limit) and each
7183 individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
9edd9041 7184 to permit a decent web page to be downloaded at a decent speed
7185 (if the network is not being limited due to overuse) but slow down
7186 large downloads more significantly:
7187
0b68481a
AJ		 7188 delay_parameters 2 32000/32000 8000/8000 600/8000
7189
c3e31a3a
AJ		 7190 Note that 8 x 32K Byte/sec -> 256K bit/sec.
7191 8 x 8K Byte/sec -> 64K bit/sec.
7192 8 x 600 Byte/sec -> 4800 bit/sec.
9edd9041 7193
9edd9041 7194
7195 Finally, for a class 4 delay pool as in the example - each user will
0b68481a 7196 be limited to 128Kbits/sec no matter how many workstations they are logged into.:
9edd9041 7197
0b68481a 7198 delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
638402dd
AJ		 7199
7200
7201 See also delay_class and delay_access.
7202
9edd9041 7203DOC_END
7204
7205NAME: delay_initial_bucket_level
7206COMMENT: (percent, 0-100)
ae870270 7207TYPE: u_short
9edd9041 7208DEFAULT: 50
9a0a18de 7209IFDEF: USE_DELAY_POOLS
9edd9041 7210LOC: Config.Delay.initial
7211DOC_START
7212 The initial bucket percentage is used to determine how much is put
7213 in each bucket when squid starts, is reconfigured, or first notices
7214 a host accessing it (in class 2 and class 3, individual hosts and
7215 networks only have buckets associated with them once they have been
7216 "seen" by squid).
7217DOC_END
7218
b4cd430a
CT		 7219COMMENT_START
7220 CLIENT DELAY POOL PARAMETERS
7221 -----------------------------------------------------------------------------
7222COMMENT_END
7223
7224NAME: client_delay_pools
7225TYPE: client_delay_pool_count
7226DEFAULT: 0
9a0a18de 7227IFDEF: USE_DELAY_POOLS
b4cd430a
CT		 7228LOC: Config.ClientDelay
7229DOC_START
7230 This option specifies the number of client delay pools used. It must
7231 preceed other client_delay_* options.
7232
638402dd
AJ		 7233 Example:
7234 client_delay_pools 2
7235
7236 See also client_delay_parameters and client_delay_access.
b4cd430a
CT		 7237DOC_END
7238
7239NAME: client_delay_initial_bucket_level
7240COMMENT: (percent, 0-no_limit)
ae870270 7241TYPE: u_short
b4cd430a 7242DEFAULT: 50
9a0a18de 7243IFDEF: USE_DELAY_POOLS
b4cd430a
CT		 7244LOC: Config.ClientDelay.initial
7245DOC_START
7246 This option determines the initial bucket size as a percentage of
7247 max_bucket_size from client_delay_parameters. Buckets are created
7248 at the time of the "first" connection from the matching IP. Idle
7249 buckets are periodically deleted up.
7250
7251 You can specify more than 100 percent but note that such "oversized"
7252 buckets are not refilled until their size goes down to max_bucket_size
7253 from client_delay_parameters.
7254
638402dd
AJ		 7255 Example:
7256 client_delay_initial_bucket_level 50
b4cd430a
CT		 7257DOC_END
7258
7259NAME: client_delay_parameters
7260TYPE: client_delay_pool_rates
7261DEFAULT: none
9a0a18de 7262IFDEF: USE_DELAY_POOLS
b4cd430a
CT		 7263LOC: Config.ClientDelay
7264DOC_START
7265
7266 This option configures client-side bandwidth limits using the
7267 following format:
7268
7269 client_delay_parameters pool speed_limit max_bucket_size
7270
7271 pool is an integer ID used for client_delay_access matching.
7272
7273 speed_limit is bytes added to the bucket per second.
7274
7275 max_bucket_size is the maximum size of a bucket, enforced after any
7276 speed_limit additions.
7277
7278 Please see the delay_parameters option for more information and
7279 examples.
7280
638402dd
AJ		 7281 Example:
7282 client_delay_parameters 1 1024 2048
7283 client_delay_parameters 2 51200 16384
7284
7285 See also client_delay_access.
7286
b4cd430a
CT		 7287DOC_END
7288
7289NAME: client_delay_access
7290TYPE: client_delay_pool_access
7291DEFAULT: none
638402dd 7292DEFAULT_DOC: Deny use of the pool, unless allow rules exist in squid.conf for the pool.
9a0a18de 7293IFDEF: USE_DELAY_POOLS
b4cd430a
CT		 7294LOC: Config.ClientDelay
7295DOC_START
b4cd430a
CT		 7296 This option determines the client-side delay pool for the
7297 request:
7298
7299 client_delay_access pool_ID allow|deny acl_name
7300
7301 All client_delay_access options are checked in their pool ID
7302 order, starting with pool 1. The first checked pool with allowed
7303 request is selected for the request. If no ACL matches or there
7304 are no client_delay_access options, the request bandwidth is not
7305 limited.
7306
7307 The ACL-selected pool is then used to find the
7308 client_delay_parameters for the request. Client-side pools are
7309 not used to aggregate clients. Clients are always aggregated
7310 based on their source IP addresses (one bucket per source IP).
7311
638402dd
AJ		 7312 This clause only supports fast acl types.
7313 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
7314 Additionally, only the client TCP connection details are available.
7315 ACLs testing HTTP properties will not work.
7316
b4cd430a
CT		 7317 Please see delay_access for more examples.
7318
638402dd
AJ		 7319 Example:
7320 client_delay_access 1 allow low_rate_network
7321 client_delay_access 2 allow vips_network
7322
7323
7324 See also client_delay_parameters and client_delay_pools.
b4cd430a
CT		 7325DOC_END
7326
b27668ec
EB		 7327NAME: response_delay_pool
7328TYPE: response_delay_pool_parameters
7329DEFAULT: none
7330IFDEF: USE_DELAY_POOLS
7331LOC: Config.MessageDelay
7332DOC_START
7333 This option configures client response bandwidth limits using the
7334 following format:
7335
7336 response_delay_pool name [option=value] ...
7337
7338 name the response delay pool name
7339
7340 available options:
7341
7342 individual-restore The speed limit of an individual
7343 bucket(bytes/s). To be used in conjunction
7344 with 'individual-maximum'.
7345
7346 individual-maximum The maximum number of bytes which can
7347 be placed into the individual bucket. To be used
7348 in conjunction with 'individual-restore'.
7349
7350 aggregate-restore The speed limit for the aggregate
7351 bucket(bytes/s). To be used in conjunction with
7352 'aggregate-maximum'.
7353
7354 aggregate-maximum The maximum number of bytes which can
7355 be placed into the aggregate bucket. To be used
7356 in conjunction with 'aggregate-restore'.
7357
7358 initial-bucket-level The initial bucket size as a percentage
7359 of individual-maximum.
7360
7361 Individual and(or) aggregate bucket options may not be specified,
7362 meaning no individual and(or) aggregate speed limitation.
7363 See also response_delay_pool_access and delay_parameters for
7364 terminology details.
7365DOC_END
7366
7367NAME: response_delay_pool_access
7368TYPE: response_delay_pool_access
7369DEFAULT: none
7370DEFAULT_DOC: Deny use of the pool, unless allow rules exist in squid.conf for the pool.
7371IFDEF: USE_DELAY_POOLS
7372LOC: Config.MessageDelay
7373DOC_START
7374 Determines whether a specific named response delay pool is used
7375 for the transaction. The syntax for this directive is:
7376
7377 response_delay_pool_access pool_name allow|deny acl_name
7378
7379 All response_delay_pool_access options are checked in the order
7380 they appear in this configuration file. The first rule with a
7381 matching ACL wins. If (and only if) an "allow" rule won, Squid
7382 assigns the response to the corresponding named delay pool.
7383DOC_END
7384
cccac0a2 7385COMMENT_START
8d6275c0 7386 WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
cccac0a2 7387 -----------------------------------------------------------------------------
7388COMMENT_END
7389
8d6275c0 7390NAME: wccp_router
7391TYPE: address
7392LOC: Config.Wccp.router
0eb08770 7393DEFAULT: any_addr
638402dd 7394DEFAULT_DOC: WCCP disabled.
8d6275c0 7395IFDEF: USE_WCCP
e313ab0a
AJ		 7396DOC_START
7397 Use this option to define your WCCP ``home'' router for
7398 Squid.
7399
7400 wccp_router supports a single WCCP(v1) router
7401
7402 wccp2_router supports multiple WCCPv2 routers
7403
7404 only one of the two may be used at the same time and defines
7405 which version of WCCP to use.
7406DOC_END
df2eec10 7407
8d6275c0 7408NAME: wccp2_router
9fb4efad 7409TYPE: IpAddress_list
8d6275c0 7410LOC: Config.Wccp2.router
cccac0a2 7411DEFAULT: none
638402dd 7412DEFAULT_DOC: WCCPv2 disabled.
8d6275c0 7413IFDEF: USE_WCCPv2
cccac0a2 7414DOC_START
8d6275c0 7415 Use this option to define your WCCP ``home'' router for
7416 Squid.
cccac0a2 7417
8d6275c0 7418 wccp_router supports a single WCCP(v1) router
cccac0a2 7419
8d6275c0 7420 wccp2_router supports multiple WCCPv2 routers
cccac0a2 7421
8d6275c0 7422 only one of the two may be used at the same time and defines
7423 which version of WCCP to use.
7424DOC_END
7425
7426NAME: wccp_version
cccac0a2 7427TYPE: int
8d6275c0 7428LOC: Config.Wccp.version
7429DEFAULT: 4
7430IFDEF: USE_WCCP
cccac0a2 7431DOC_START
8d6275c0 7432 This directive is only relevant if you need to set up WCCP(v1)
7433 to some very old and end-of-life Cisco routers. In all other
7434 setups it must be left unset or at the default setting.
7435 It defines an internal version in the WCCP(v1) protocol,
7436 with version 4 being the officially documented protocol.
cccac0a2 7437
8d6275c0 7438 According to some users, Cisco IOS 11.2 and earlier only
7439 support WCCP version 3. If you're using that or an earlier
7440 version of IOS, you may need to change this value to 3, otherwise
7441 do not specify this parameter.
cccac0a2 7442DOC_END
7443
8d6275c0 7444NAME: wccp2_rebuild_wait
7445TYPE: onoff
7446LOC: Config.Wccp2.rebuildwait
7447DEFAULT: on
7448IFDEF: USE_WCCPv2
7449DOC_START
7450 If this is enabled Squid will wait for the cache dir rebuild to finish
7451 before sending the first wccp2 HereIAm packet
7452DOC_END
cccac0a2 7453
8d6275c0 7454NAME: wccp2_forwarding_method
e313ab0a 7455TYPE: wccp2_method
8d6275c0 7456LOC: Config.Wccp2.forwarding_method
451c4786 7457DEFAULT: gre
8d6275c0 7458IFDEF: USE_WCCPv2
cccac0a2 7459DOC_START
699acd19 7460 WCCP2 allows the setting of forwarding methods between the
8d6275c0 7461 router/switch and the cache. Valid values are as follows:
cccac0a2 7462
451c4786
AJ		 7463 gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
7464 l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
cccac0a2 7465
8d6275c0 7466 Currently (as of IOS 12.4) cisco routers only support GRE.
7467 Cisco switches only support the L2 redirect assignment method.
cccac0a2 7468DOC_END
7469
8d6275c0 7470NAME: wccp2_return_method
e313ab0a 7471TYPE: wccp2_method
8d6275c0 7472LOC: Config.Wccp2.return_method
451c4786 7473DEFAULT: gre
8d6275c0 7474IFDEF: USE_WCCPv2
cccac0a2 7475DOC_START
699acd19 7476 WCCP2 allows the setting of return methods between the
8d6275c0 7477 router/switch and the cache for packets that the cache
7478 decides not to handle. Valid values are as follows:
cccac0a2 7479
451c4786
AJ		 7480 gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
7481 l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
cccac0a2 7482
8d6275c0 7483 Currently (as of IOS 12.4) cisco routers only support GRE.
7484 Cisco switches only support the L2 redirect assignment.
cccac0a2 7485
699acd19 7486 If the "ip wccp redirect exclude in" command has been
8d6275c0 7487 enabled on the cache interface, then it is still safe for
7488 the proxy server to use a l2 redirect method even if this
7489 option is set to GRE.
cccac0a2 7490DOC_END
7491
8d6275c0 7492NAME: wccp2_assignment_method
451c4786 7493TYPE: wccp2_amethod
8d6275c0 7494LOC: Config.Wccp2.assignment_method
451c4786 7495DEFAULT: hash
8d6275c0 7496IFDEF: USE_WCCPv2
cccac0a2 7497DOC_START
8d6275c0 7498 WCCP2 allows the setting of methods to assign the WCCP hash
7499 Valid values are as follows:
cccac0a2 7500
451c4786 7501 hash - Hash assignment
bb7a1781 7502 mask - Mask assignment
cccac0a2 7503
8d6275c0 7504 As a general rule, cisco routers support the hash assignment method
7505 and cisco switches support the mask assignment method.
7506DOC_END
cccac0a2 7507
8d6275c0 7508NAME: wccp2_service
7509TYPE: wccp2_service
7510LOC: Config.Wccp2.info
8d6275c0 7511DEFAULT_IF_NONE: standard 0
638402dd 7512DEFAULT_DOC: Use the 'web-cache' standard service.
8d6275c0 7513IFDEF: USE_WCCPv2
7514DOC_START
7515 WCCP2 allows for multiple traffic services. There are two
7516 types: "standard" and "dynamic". The standard type defines
7517 one service id - http (id 0). The dynamic service ids can be from
7518 51 to 255 inclusive. In order to use a dynamic service id
7519 one must define the type of traffic to be redirected; this is done
7520 using the wccp2_service_info option.
7521
7522 The "standard" type does not require a wccp2_service_info option,
7523 just specifying the service id will suffice.
7524
7525 MD5 service authentication can be enabled by adding
7526 "password=<password>" to the end of this service declaration.
7527
7528 Examples:
7529
7530 wccp2_service standard 0 # for the 'web-cache' standard service
7531 wccp2_service dynamic 80 # a dynamic service type which will be
7532 # fleshed out with subsequent options.
7533 wccp2_service standard 0 password=foo
8d6275c0 7534DOC_END
7535
7536NAME: wccp2_service_info
7537TYPE: wccp2_service_info
7538LOC: Config.Wccp2.info
7539DEFAULT: none
7540IFDEF: USE_WCCPv2
7541DOC_START
7542 Dynamic WCCPv2 services require further information to define the
7543 traffic you wish to have diverted.
7544
7545 The format is:
7546
7547 wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
7548 priority=<priority> ports=<port>,<port>..
7549
7550 The relevant WCCPv2 flags:
7551 + src_ip_hash, dst_ip_hash
005fe566 7552 + source_port_hash, dst_port_hash
8d6275c0 7553 + src_ip_alt_hash, dst_ip_alt_hash
7554 + src_port_alt_hash, dst_port_alt_hash
7555 + ports_source
7556
7557 The port list can be one to eight entries.
7558
7559 Example:
7560
7561 wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
7562 priority=240 ports=80
7563
7564 Note: the service id must have been defined by a previous
7565 'wccp2_service dynamic <id>' entry.
7566DOC_END
7567
7568NAME: wccp2_weight
7569TYPE: int
7570LOC: Config.Wccp2.weight
7571DEFAULT: 10000
7572IFDEF: USE_WCCPv2
7573DOC_START
7574 Each cache server gets assigned a set of the destination
7575 hash proportional to their weight.
7576DOC_END
7577
7578NAME: wccp_address
7579TYPE: address
7580LOC: Config.Wccp.address
7581DEFAULT: 0.0.0.0
638402dd 7582DEFAULT_DOC: Address selected by the operating system.
8d6275c0 7583IFDEF: USE_WCCP
638402dd
AJ		 7584DOC_START
7585 Use this option if you require WCCPv2 to use a specific
7586 interface address.
7587
7588 The default behavior is to not bind to any specific address.
7589DOC_END
df2eec10 7590
8d6275c0 7591NAME: wccp2_address
7592TYPE: address
7593LOC: Config.Wccp2.address
7594DEFAULT: 0.0.0.0
638402dd 7595DEFAULT_DOC: Address selected by the operating system.
8d6275c0 7596IFDEF: USE_WCCPv2
7597DOC_START
7598 Use this option if you require WCCP to use a specific
7599 interface address.
7600
7601 The default behavior is to not bind to any specific address.
7602DOC_END
7603
7604COMMENT_START
7605 PERSISTENT CONNECTION HANDLING
7606 -----------------------------------------------------------------------------
7607
7608 Also see "pconn_timeout" in the TIMEOUTS section
7609COMMENT_END
7610
7611NAME: client_persistent_connections
7612TYPE: onoff
7613LOC: Config.onoff.client_pconns
7614DEFAULT: on
638402dd
AJ		 7615DOC_START
7616 Persistent connection support for clients.
7617 Squid uses persistent connections (when allowed). You can use
7618 this option to disable persistent connections with clients.
7619DOC_END
8d6275c0 7620
7621NAME: server_persistent_connections
7622TYPE: onoff
7623LOC: Config.onoff.server_pconns
7624DEFAULT: on
7625DOC_START
638402dd
AJ		 7626 Persistent connection support for servers.
7627 Squid uses persistent connections (when allowed). You can use
7628 this option to disable persistent connections with servers.
8d6275c0 7629DOC_END
7630
7631NAME: persistent_connection_after_error
7632TYPE: onoff
7633LOC: Config.onoff.error_pconns
0fccfb7f 7634DEFAULT: on
8d6275c0 7635DOC_START
7636 With this directive the use of persistent connections after
7637 HTTP errors can be disabled. Useful if you have clients
7638 who fail to handle errors on persistent connections proper.
7639DOC_END
7640
7641NAME: detect_broken_pconn
7642TYPE: onoff
7643LOC: Config.onoff.detect_broken_server_pconns
7644DEFAULT: off
7645DOC_START
7646 Some servers have been found to incorrectly signal the use
7647 of HTTP/1.0 persistent connections even on replies not
7648 compatible, causing significant delays. This server problem
7649 has mostly been seen on redirects.
7650
7651 By enabling this directive Squid attempts to detect such
7652 broken replies and automatically assume the reply is finished
7653 after 10 seconds timeout.
7654DOC_END
7655
7656COMMENT_START
7657 CACHE DIGEST OPTIONS
7658 -----------------------------------------------------------------------------
7659COMMENT_END
7660
7661NAME: digest_generation
7662IFDEF: USE_CACHE_DIGESTS
7663TYPE: onoff
7664LOC: Config.onoff.digest_generation
7665DEFAULT: on
7666DOC_START
7667 This controls whether the server will generate a Cache Digest
7668 of its contents. By default, Cache Digest generation is
13e917b5 7669 enabled if Squid is compiled with --enable-cache-digests defined.
8d6275c0 7670DOC_END
7671
7672NAME: digest_bits_per_entry
7673IFDEF: USE_CACHE_DIGESTS
7674TYPE: int
7675LOC: Config.digest.bits_per_entry
7676DEFAULT: 5
7677DOC_START
7678 This is the number of bits of the server's Cache Digest which
7679 will be associated with the Digest entry for a given HTTP
7680 Method and URL (public key) combination. The default is 5.
7681DOC_END
7682
7683NAME: digest_rebuild_period
7684IFDEF: USE_CACHE_DIGESTS
7685COMMENT: (seconds)
7686TYPE: time_t
7687LOC: Config.digest.rebuild_period
7688DEFAULT: 1 hour
7689DOC_START
749ceff8 7690 This is the wait time between Cache Digest rebuilds.
8d6275c0 7691DOC_END
7692
7693NAME: digest_rewrite_period
7694COMMENT: (seconds)
7695IFDEF: USE_CACHE_DIGESTS
7696TYPE: time_t
7697LOC: Config.digest.rewrite_period
7698DEFAULT: 1 hour
7699DOC_START
749ceff8 7700 This is the wait time between Cache Digest writes to
8d6275c0 7701 disk.
7702DOC_END
7703
7704NAME: digest_swapout_chunk_size
7705COMMENT: (bytes)
7706TYPE: b_size_t
7707IFDEF: USE_CACHE_DIGESTS
7708LOC: Config.digest.swapout_chunk_size
7709DEFAULT: 4096 bytes
7710DOC_START
7711 This is the number of bytes of the Cache Digest to write to
7712 disk at a time. It defaults to 4096 bytes (4KB), the Squid
7713 default swap page.
7714DOC_END
7715
7716NAME: digest_rebuild_chunk_percentage
7717COMMENT: (percent, 0-100)
7718IFDEF: USE_CACHE_DIGESTS
7719TYPE: int
7720LOC: Config.digest.rebuild_chunk_percentage
7721DEFAULT: 10
7722DOC_START
7723 This is the percentage of the Cache Digest to be scanned at a
7724 time. By default it is set to 10% of the Cache Digest.
7725DOC_END
7726
1db9eacd 7727COMMENT_START
5473c134 7728 SNMP OPTIONS
1db9eacd 7729 -----------------------------------------------------------------------------
7730COMMENT_END
7731
5473c134 7732NAME: snmp_port
ae870270 7733TYPE: u_short
5473c134 7734LOC: Config.Port.snmp
87630341 7735DEFAULT: 0
638402dd 7736DEFAULT_DOC: SNMP disabled.
5473c134 7737IFDEF: SQUID_SNMP
8d6275c0 7738DOC_START
87630341 7739 The port number where Squid listens for SNMP requests. To enable
7740 SNMP support set this to a suitable port number. Port number
7741 3401 is often used for the Squid SNMP agent. By default it's
7742 set to "0" (disabled)
e0855596
AJ		 7743
7744 Example:
7745 snmp_port 3401
8d6275c0 7746DOC_END
7747
5473c134 7748NAME: snmp_access
7749TYPE: acl_access
7750LOC: Config.accessList.snmp
638402dd
AJ		 7751DEFAULT: none
7752DEFAULT_DOC: Deny, unless rules exist in squid.conf.
5473c134 7753IFDEF: SQUID_SNMP
8d6275c0 7754DOC_START
5473c134 7755 Allowing or denying access to the SNMP port.
8d6275c0 7756
5473c134 7757 All access to the agent is denied by default.
7758 usage:
8d6275c0 7759
5473c134 7760 snmp_access allow|deny [!]aclname ...
8d6275c0 7761
b3567eb5
FC		 7762 This clause only supports fast acl types.
7763 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
638402dd 7764
5473c134 7765Example:
7766 snmp_access allow snmppublic localhost
7767 snmp_access deny all
cccac0a2 7768DOC_END
7769
5473c134 7770NAME: snmp_incoming_address
7771TYPE: address
7772LOC: Config.Addrs.snmp_incoming
0eb08770 7773DEFAULT: any_addr
638402dd 7774DEFAULT_DOC: Accept SNMP packets from all machine interfaces.
5473c134 7775IFDEF: SQUID_SNMP
638402dd
AJ		 7776DOC_START
7777 Just like 'udp_incoming_address', but for the SNMP port.
7778
7779 snmp_incoming_address is used for the SNMP socket receiving
7780 messages from SNMP agents.
7781
7782 The default snmp_incoming_address is to listen on all
7783 available network interfaces.
7784DOC_END
df2eec10 7785
5473c134 7786NAME: snmp_outgoing_address
7787TYPE: address
7788LOC: Config.Addrs.snmp_outgoing
0eb08770 7789DEFAULT: no_addr
638402dd 7790DEFAULT_DOC: Use snmp_incoming_address or an address selected by the operating system.
5473c134 7791IFDEF: SQUID_SNMP
cccac0a2 7792DOC_START
638402dd 7793 Just like 'udp_outgoing_address', but for the SNMP port.
cccac0a2 7794
5473c134 7795 snmp_outgoing_address is used for SNMP packets returned to SNMP
7796 agents.
cccac0a2 7797
0eb08770
HN		 7798 If snmp_outgoing_address is not set it will use the same socket
7799 as snmp_incoming_address. Only change this if you want to have
7800 SNMP replies sent using another address than where this Squid
7801 listens for SNMP queries.
cccac0a2 7802
5473c134 7803 NOTE, snmp_incoming_address and snmp_outgoing_address can not have
638402dd 7804 the same value since they both use the same port.
cccac0a2 7805DOC_END
7806
5473c134 7807COMMENT_START
7808 ICP OPTIONS
7809 -----------------------------------------------------------------------------
7810COMMENT_END
7811
7812NAME: icp_port udp_port
ae870270 7813TYPE: u_short
5473c134 7814DEFAULT: 0
638402dd 7815DEFAULT_DOC: ICP disabled.
5473c134 7816LOC: Config.Port.icp
cccac0a2 7817DOC_START
5473c134 7818 The port number where Squid sends and receives ICP queries to
7819 and from neighbor caches. The standard UDP port for ICP is 3130.
e0855596
AJ		 7820
7821 Example:
7822 icp_port @DEFAULT_ICP_PORT@
cccac0a2 7823DOC_END
7824
5473c134 7825NAME: htcp_port
7826IFDEF: USE_HTCP
ae870270 7827TYPE: u_short
87630341 7828DEFAULT: 0
638402dd 7829DEFAULT_DOC: HTCP disabled.
5473c134 7830LOC: Config.Port.htcp
cccac0a2 7831DOC_START
5473c134 7832 The port number where Squid sends and receives HTCP queries to
87630341 7833 and from neighbor caches. To turn it on you want to set it to
638402dd 7834 4827.
e0855596
AJ		 7835
7836 Example:
7837 htcp_port 4827
cccac0a2 7838DOC_END
7839
7840NAME: log_icp_queries
7841COMMENT: on|off
7842TYPE: onoff
7843DEFAULT: on
7844LOC: Config.onoff.log_udp
7845DOC_START
7846 If set, ICP queries are logged to access.log. You may wish
7847 do disable this if your ICP load is VERY high to speed things
7848 up or to simplify log analysis.
7849DOC_END
7850
5473c134 7851NAME: udp_incoming_address
7852TYPE: address
7853LOC:Config.Addrs.udp_incoming
0eb08770 7854DEFAULT: any_addr
638402dd 7855DEFAULT_DOC: Accept packets from all machine interfaces.
8524d4b2 7856DOC_START
7857 udp_incoming_address is used for UDP packets received from other
7858 caches.
7859
7860 The default behavior is to not bind to any specific address.
7861
7862 Only change this if you want to have all UDP queries received on
7863 a specific interface/address.
7864
7865 NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
7866 modules. Altering it will affect all of them in the same manner.
7867
7868 see also; udp_outgoing_address
7869
7870 NOTE, udp_incoming_address and udp_outgoing_address can not
7871 have the same value since they both use the same port.
7872DOC_END
cccac0a2 7873
5473c134 7874NAME: udp_outgoing_address
7875TYPE: address
7876LOC: Config.Addrs.udp_outgoing
0eb08770 7877DEFAULT: no_addr
638402dd 7878DEFAULT_DOC: Use udp_incoming_address or an address selected by the operating system.
cccac0a2 7879DOC_START
8524d4b2 7880 udp_outgoing_address is used for UDP packets sent out to other
5473c134 7881 caches.
cccac0a2 7882
5473c134 7883 The default behavior is to not bind to any specific address.
cccac0a2 7884
8524d4b2 7885 Instead it will use the same socket as udp_incoming_address.
7886 Only change this if you want to have UDP queries sent using another
7887 address than where this Squid listens for UDP queries from other
5473c134 7888 caches.
7889
8524d4b2 7890 NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
7891 modules. Altering it will affect all of them in the same manner.
7892
7893 see also; udp_incoming_address
7894
5473c134 7895 NOTE, udp_incoming_address and udp_outgoing_address can not
8524d4b2 7896 have the same value since they both use the same port.
cccac0a2 7897DOC_END
7898
3d1e3e43 7899NAME: icp_hit_stale
7900COMMENT: on|off
7901TYPE: onoff
7902DEFAULT: off
7903LOC: Config.onoff.icp_hit_stale
7904DOC_START
7905 If you want to return ICP_HIT for stale cache objects, set this
7906 option to 'on'. If you have sibling relationships with caches
7907 in other administrative domains, this should be 'off'. If you only
7908 have sibling relationships with caches under your control,
7909 it is probably okay to set this to 'on'.
7910 If set to 'on', your siblings should use the option "allow-miss"
7911 on their cache_peer lines for connecting to you.
7912DOC_END
7913
5473c134 7914NAME: minimum_direct_hops
cccac0a2 7915TYPE: int
5473c134 7916DEFAULT: 4
7917LOC: Config.minDirectHops
cccac0a2 7918DOC_START
5473c134 7919 If using the ICMP pinging stuff, do direct fetches for sites
7920 which are no more than this many hops away.
cccac0a2 7921DOC_END
7922
5473c134 7923NAME: minimum_direct_rtt
638402dd 7924COMMENT: (msec)
5473c134 7925TYPE: int
7926DEFAULT: 400
7927LOC: Config.minDirectRtt
cccac0a2 7928DOC_START
5473c134 7929 If using the ICMP pinging stuff, do direct fetches for sites
7930 which are no more than this many rtt milliseconds away.
cccac0a2 7931DOC_END
7932
cccac0a2 7933NAME: netdb_low
7934TYPE: int
7935DEFAULT: 900
7936LOC: Config.Netdb.low
638402dd
AJ		 7937DOC_START
7938 The low water mark for the ICMP measurement database.
7939
7940 Note: high watermark controlled by netdb_high directive.
7941
7942 These watermarks are counts, not percents. The defaults are
7943 (low) 900 and (high) 1000. When the high water mark is
7944 reached, database entries will be deleted until the low
7945 mark is reached.
7946DOC_END
cccac0a2 7947
7948NAME: netdb_high
7949TYPE: int
7950DEFAULT: 1000
7951LOC: Config.Netdb.high
7952DOC_START
638402dd
AJ		 7953 The high water mark for the ICMP measurement database.
7954
7955 Note: low watermark controlled by netdb_low directive.
7956
7957 These watermarks are counts, not percents. The defaults are
7958 (low) 900 and (high) 1000. When the high water mark is
7959 reached, database entries will be deleted until the low
7960 mark is reached.
cccac0a2 7961DOC_END
7962
cccac0a2 7963NAME: netdb_ping_period
7964TYPE: time_t
7965LOC: Config.Netdb.period
7966DEFAULT: 5 minutes
7967DOC_START
7968 The minimum period for measuring a site. There will be at
7969 least this much delay between successive pings to the same
7970 network. The default is five minutes.
7971DOC_END
7972
cccac0a2 7973NAME: query_icmp
7974COMMENT: on|off
7975TYPE: onoff
7976DEFAULT: off
7977LOC: Config.onoff.query_icmp
7978DOC_START
7979 If you want to ask your peers to include ICMP data in their ICP
7980 replies, enable this option.
7981
7982 If your peer has configured Squid (during compilation) with
7f7db318 7983 '--enable-icmp' that peer will send ICMP pings to origin server
7984 sites of the URLs it receives. If you enable this option the
cccac0a2 7985 ICP replies from that peer will include the ICMP data (if available).
7986 Then, when choosing a parent cache, Squid will choose the parent with
7987 the minimal RTT to the origin server. When this happens, the
7988 hierarchy field of the access.log will be
7989 "CLOSEST_PARENT_MISS". This option is off by default.
7990DOC_END
7991
7992NAME: test_reachability
7993COMMENT: on|off
7994TYPE: onoff
7995DEFAULT: off
7996LOC: Config.onoff.test_reachability
7997DOC_START
7998 When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
7999 instead of ICP_MISS if the target host is NOT in the ICMP
8000 database, or has a zero RTT.
8001DOC_END
8002
5473c134 8003NAME: icp_query_timeout
8004COMMENT: (msec)
8005DEFAULT: 0
638402dd 8006DEFAULT_DOC: Dynamic detection.
5473c134 8007TYPE: int
8008LOC: Config.Timeout.icp_query
4c3ef9b2 8009DOC_START
5473c134 8010 Normally Squid will automatically determine an optimal ICP
8011 query timeout value based on the round-trip-time of recent ICP
8012 queries. If you want to override the value determined by
8013 Squid, set this 'icp_query_timeout' to a non-zero value. This
8014 value is specified in MILLISECONDS, so, to use a 2-second
8015 timeout (the old default), you would write:
4c3ef9b2 8016
5473c134 8017 icp_query_timeout 2000
4c3ef9b2 8018DOC_END
8019
5473c134 8020NAME: maximum_icp_query_timeout
8021COMMENT: (msec)
8022DEFAULT: 2000
8023TYPE: int
8024LOC: Config.Timeout.icp_query_max
cccac0a2 8025DOC_START
5473c134 8026 Normally the ICP query timeout is determined dynamically. But
8027 sometimes it can lead to very large values (say 5 seconds).
8028 Use this option to put an upper limit on the dynamic timeout
8029 value. Do NOT use this option to always use a fixed (instead
8030 of a dynamic) timeout value. To set a fixed timeout see the
8031 'icp_query_timeout' directive.
cccac0a2 8032DOC_END
8033
5473c134 8034NAME: minimum_icp_query_timeout
8035COMMENT: (msec)
8036DEFAULT: 5
8037TYPE: int
8038LOC: Config.Timeout.icp_query_min
cccac0a2 8039DOC_START
5473c134 8040 Normally the ICP query timeout is determined dynamically. But
8041 sometimes it can lead to very small timeouts, even lower than
8042 the normal latency variance on your link due to traffic.
8043 Use this option to put an lower limit on the dynamic timeout
8044 value. Do NOT use this option to always use a fixed (instead
8045 of a dynamic) timeout value. To set a fixed timeout see the
8046 'icp_query_timeout' directive.
cccac0a2 8047DOC_END
8048
5473c134 8049NAME: background_ping_rate
8050COMMENT: time-units
8051TYPE: time_t
8052DEFAULT: 10 seconds
8053LOC: Config.backgroundPingRate
cccac0a2 8054DOC_START
5473c134 8055 Controls how often the ICP pings are sent to siblings that
8056 have background-ping set.
cccac0a2 8057DOC_END
8058
5473c134 8059COMMENT_START
8060 MULTICAST ICP OPTIONS
8061 -----------------------------------------------------------------------------
8062COMMENT_END
8063
8064NAME: mcast_groups
8065TYPE: wordlist
8066LOC: Config.mcast_group_list
8c01ada0 8067DEFAULT: none
8068DOC_START
5473c134 8069 This tag specifies a list of multicast groups which your server
8070 should join to receive multicasted ICP queries.
8c01ada0 8071
5473c134 8072 NOTE! Be very careful what you put here! Be sure you
8073 understand the difference between an ICP _query_ and an ICP
8074 _reply_. This option is to be set only if you want to RECEIVE
8075 multicast queries. Do NOT set this option to SEND multicast
8076 ICP (use cache_peer for that). ICP replies are always sent via
8077 unicast, so this option does not affect whether or not you will
8078 receive replies from multicast group members.
8c01ada0 8079
5473c134 8080 You must be very careful to NOT use a multicast address which
8081 is already in use by another group of caches.
8c01ada0 8082
5473c134 8083 If you are unsure about multicast, please read the Multicast
8084 chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
8c01ada0 8085
5473c134 8086 Usage: mcast_groups 239.128.16.128 224.0.1.20
8c01ada0 8087
5473c134 8088 By default, Squid doesn't listen on any multicast groups.
8089DOC_END
8c01ada0 8090
5473c134 8091NAME: mcast_miss_addr
8092IFDEF: MULTICAST_MISS_STREAM
8093TYPE: address
8094LOC: Config.mcast_miss.addr
0eb08770 8095DEFAULT: no_addr
638402dd 8096DEFAULT_DOC: disabled.
5473c134 8097DOC_START
8098 If you enable this option, every "cache miss" URL will
8099 be sent out on the specified multicast address.
cccac0a2 8100
5473c134 8101 Do not enable this option unless you are are absolutely
8102 certain you understand what you are doing.
cccac0a2 8103DOC_END
8104
5473c134 8105NAME: mcast_miss_ttl
8106IFDEF: MULTICAST_MISS_STREAM
ae870270 8107TYPE: u_short
5473c134 8108LOC: Config.mcast_miss.ttl
8109DEFAULT: 16
cccac0a2 8110DOC_START
5473c134 8111 This is the time-to-live value for packets multicasted
8112 when multicasting off cache miss URLs is enabled. By
8113 default this is set to 'site scope', i.e. 16.
8114DOC_END
cccac0a2 8115
5473c134 8116NAME: mcast_miss_port
8117IFDEF: MULTICAST_MISS_STREAM
ae870270 8118TYPE: u_short
5473c134 8119LOC: Config.mcast_miss.port
8120DEFAULT: 3135
8121DOC_START
8122 This is the port number to be used in conjunction with
8123 'mcast_miss_addr'.
8124DOC_END
cccac0a2 8125
5473c134 8126NAME: mcast_miss_encode_key
8127IFDEF: MULTICAST_MISS_STREAM
8128TYPE: string
8129LOC: Config.mcast_miss.encode_key
8130DEFAULT: XXXXXXXXXXXXXXXX
8131DOC_START
8132 The URLs that are sent in the multicast miss stream are
8133 encrypted. This is the encryption key.
8134DOC_END
8c01ada0 8135
5473c134 8136NAME: mcast_icp_query_timeout
8137COMMENT: (msec)
8138DEFAULT: 2000
8139TYPE: int
8140LOC: Config.Timeout.mcast_icp_query
8141DOC_START
8142 For multicast peers, Squid regularly sends out ICP "probes" to
8143 count how many other peers are listening on the given multicast
8144 address. This value specifies how long Squid should wait to
8145 count all the replies. The default is 2000 msec, or 2
8146 seconds.
cccac0a2 8147DOC_END
8148
5473c134 8149COMMENT_START
8150 INTERNAL ICON OPTIONS
8151 -----------------------------------------------------------------------------
8152COMMENT_END
8153
cccac0a2 8154NAME: icon_directory
8155TYPE: string
8156LOC: Config.icons.directory
8157DEFAULT: @DEFAULT_ICON_DIR@
8158DOC_START
8159 Where the icons are stored. These are normally kept in
8160 @DEFAULT_ICON_DIR@
8161DOC_END
8162
f024c970 8163NAME: global_internal_static
8164TYPE: onoff
8165LOC: Config.onoff.global_internal_static
8166DEFAULT: on
8167DOC_START
8168 This directive controls is Squid should intercept all requests for
8169 /squid-internal-static/ no matter which host the URL is requesting
8170 (default on setting), or if nothing special should be done for
8171 such URLs (off setting). The purpose of this directive is to make
8172 icons etc work better in complex cache hierarchies where it may
8173 not always be possible for all corners in the cache mesh to reach
8174 the server generating a directory listing.
8175DOC_END
8176
5473c134 8177NAME: short_icon_urls
8178TYPE: onoff
8179LOC: Config.icons.use_short_names
8180DEFAULT: on
8181DOC_START
8182 If this is enabled Squid will use short URLs for icons.
8183 If disabled it will revert to the old behavior of including
8184 it's own name and port in the URL.
8185
8186 If you run a complex cache hierarchy with a mix of Squid and
8187 other proxies you may need to disable this directive.
8188DOC_END
8189
8190COMMENT_START
8191 ERROR PAGE OPTIONS
8192 -----------------------------------------------------------------------------
8193COMMENT_END
8194
8195NAME: error_directory
8196TYPE: string
8197LOC: Config.errorDirectory
43000484 8198DEFAULT: none
638402dd 8199DEFAULT_DOC: Send error pages in the clients preferred language
5473c134 8200DOC_START
8201 If you wish to create your own versions of the default
43000484
AJ		 8202 error files to customize them to suit your company copy
8203 the error/template files to another directory and point
8204 this tag at them.
8205
8206 WARNING: This option will disable multi-language support
8207 on error pages if used.
5473c134 8208
8209 The squid developers are interested in making squid available in
8210 a wide variety of languages. If you are making translations for a
43000484 8211 language that Squid does not currently provide please consider
5473c134 8212 contributing your translation back to the project.
43000484
AJ		 8213 http://wiki.squid-cache.org/Translations
8214
8215 The squid developers working on translations are happy to supply drop-in
8216 translated error files in exchange for any new language contributions.
8217DOC_END
8218
8219NAME: error_default_language
8220IFDEF: USE_ERR_LOCALES
8221TYPE: string
8222LOC: Config.errorDefaultLanguage
8223DEFAULT: none
638402dd 8224DEFAULT_DOC: Generate English language pages.
43000484
AJ		 8225DOC_START
8226 Set the default language which squid will send error pages in
8227 if no existing translation matches the clients language
8228 preferences.
8229
8230 If unset (default) generic English will be used.
8231
8232 The squid developers are interested in making squid available in
8233 a wide variety of languages. If you are interested in making
8234 translations for any language see the squid wiki for details.
8235 http://wiki.squid-cache.org/Translations
5473c134 8236DOC_END
8237
c411820c
AJ		 8238NAME: error_log_languages
8239IFDEF: USE_ERR_LOCALES
8240TYPE: onoff
8241LOC: Config.errorLogMissingLanguages
8242DEFAULT: on
8243DOC_START
8244 Log to cache.log what languages users are attempting to
8245 auto-negotiate for translations.
8246
8247 Successful negotiations are not logged. Only failures
8248 have meaning to indicate that Squid may need an upgrade
0c49f10e 8249 of its error page translations.
c411820c
AJ		 8250DOC_END
8251
5b52cb6c
AJ		 8252NAME: err_page_stylesheet
8253TYPE: string
8254LOC: Config.errorStylesheet
8255DEFAULT: @DEFAULT_CONFIG_DIR@/errorpage.css
8256DOC_START
8257 CSS Stylesheet to pattern the display of Squid default error pages.
8258
8259 For information on CSS see http://www.w3.org/Style/CSS/
8260DOC_END
8261
5473c134 8262NAME: err_html_text
8263TYPE: eol
8264LOC: Config.errHtmlText
8265DEFAULT: none
8266DOC_START
8267 HTML text to include in error messages. Make this a "mailto"
8268 URL to your admin address, or maybe just a link to your
8269 organizations Web page.
8270
8271 To include this in your error messages, you must rewrite
8272 the error template files (found in the "errors" directory).
8273 Wherever you want the 'err_html_text' line to appear,
8274 insert a %L tag in the error template file.
8275DOC_END
8276
8277NAME: email_err_data
8278COMMENT: on|off
8279TYPE: onoff
8280LOC: Config.onoff.emailErrData
8281DEFAULT: on
8282DOC_START
8283 If enabled, information about the occurred error will be
8284 included in the mailto links of the ERR pages (if %W is set)
8285 so that the email body contains the data.
8286 Syntax is <A HREF="mailto:%w%W">%w</A>
8287DOC_END
8288
8289NAME: deny_info
8290TYPE: denyinfo
8291LOC: Config.denyInfoList
8292DEFAULT: none
8293DOC_START
8294 Usage: deny_info err_page_name acl
8295 or deny_info http://... acl
43000484 8296 or deny_info TCP_RESET acl
5473c134 8297
8298 This can be used to return a ERR_ page for requests which
8299 do not pass the 'http_access' rules. Squid remembers the last
8300 acl it evaluated in http_access, and if a 'deny_info' line exists
8301 for that ACL Squid returns a corresponding error page.
8302
8303 The acl is typically the last acl on the http_access deny line which
8304 denied access. The exceptions to this rule are:
8305 - When Squid needs to request authentication credentials. It's then
8306 the first authentication related acl encountered
8307 - When none of the http_access lines matches. It's then the last
8308 acl processed on the last http_access line.
3af10ac0
AR		 8309 - When the decision to deny access was made by an adaptation service,
8310 the acl name is the corresponding eCAP or ICAP service_name.
5473c134 8311
43000484
AJ		 8312 NP: If providing your own custom error pages with error_directory
8313 you may also specify them by your custom file name:
8314 Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
5473c134 8315
aed9a15b
AJ		 8316 By defaut Squid will send "403 Forbidden". A different 4xx or 5xx
8317 may be specified by prefixing the file name with the code and a colon.
8318 e.g. 404:ERR_CUSTOM_ACCESS_DENIED
8319
5473c134 8320 Alternatively you can tell Squid to reset the TCP connection
8321 by specifying TCP_RESET.
15b02e9a
AJ		 8322
8323 Or you can specify an error URL or URL pattern. The browsers will
aed9a15b
AJ		 8324 get redirected to the specified URL after formatting tags have
8325 been replaced. Redirect will be done with 302 or 307 according to
8326 HTTP/1.1 specs. A different 3xx code may be specified by prefixing
8327 the URL. e.g. 303:http://example.com/
15b02e9a
AJ		 8328
8329 URL FORMAT TAGS:
8330 %a - username (if available. Password NOT included)
8331 %B - FTP path URL
8332 %e - Error number
8333 %E - Error description
8334 %h - Squid hostname
8335 %H - Request domain name
8336 %i - Client IP Address
8337 %M - Request Method
05dbf66c 8338 %O - Unescaped message result from external ACL helper
15b02e9a
AJ		 8339 %o - Message result from external ACL helper
8340 %p - Request Port number
8341 %P - Request Protocol name
8342 %R - Request URL path
8343 %T - Timestamp in RFC 1123 format
8344 %U - Full canonical URL from client
8345 (HTTPS URLs terminate with *)
8346 %u - Full canonical URL from client
8347 %w - Admin email from squid.conf
e4a8468d 8348 %x - Error name
15b02e9a
AJ		 8349 %% - Literal percent (%) code
8350
5473c134 8351DOC_END
8352
8353COMMENT_START
8354 OPTIONS INFLUENCING REQUEST FORWARDING
8355 -----------------------------------------------------------------------------
8356COMMENT_END
8357
8358NAME: nonhierarchical_direct
e72a0ec0 8359TYPE: onoff
5473c134 8360LOC: Config.onoff.nonhierarchical_direct
e72a0ec0 8361DEFAULT: on
8362DOC_START
5473c134 8363 By default, Squid will send any non-hierarchical requests
9967aef6 8364 (not cacheable request type) direct to origin servers.
e72a0ec0 8365
638402dd 8366 When this is set to "off", Squid will prefer to send these
5473c134 8367 requests to parents.
0b0cfcf2 8368
5473c134 8369 Note that in most configurations, by turning this off you will only
8370 add latency to these request without any improvement in global hit
8371 ratio.
0b0cfcf2 8372
638402dd
AJ		 8373 This option only sets a preference. If the parent is unavailable a
8374 direct connection to the origin server may still be attempted. To
8375 completely prevent direct connections use never_direct.
8d6275c0 8376DOC_END
0b0cfcf2 8377
5473c134 8378NAME: prefer_direct
8d6275c0 8379TYPE: onoff
5473c134 8380LOC: Config.onoff.prefer_direct
8d6275c0 8381DEFAULT: off
8382DOC_START
5473c134 8383 Normally Squid tries to use parents for most requests. If you for some
8384 reason like it to first try going direct and only use a parent if
8385 going direct fails set this to on.
0b0cfcf2 8386
5473c134 8387 By combining nonhierarchical_direct off and prefer_direct on you
8388 can set up Squid to use a parent as a backup path if going direct
8389 fails.
8390
8391 Note: If you want Squid to use parents for all requests see
8392 the never_direct directive. prefer_direct only modifies how Squid
8393 acts on cacheable requests.
cccac0a2 8394DOC_END
8395
96598f93
AJ		 8396NAME: cache_miss_revalidate
8397COMMENT: on|off
8398TYPE: onoff
8399DEFAULT: on
8400LOC: Config.onoff.cache_miss_revalidate
8401DOC_START
2d4eefd9
AJ		 8402 RFC 7232 defines a conditional request mechanism to prevent
8403 response objects being unnecessarily transferred over the network.
8404 If that mechanism is used by the client and a cache MISS occurs
8405 it can prevent new cache entries being created.
8406
8407 This option determines whether Squid on cache MISS will pass the
8408 client revalidation request to the server or tries to fetch new
8409 content for caching. It can be useful while the cache is mostly
8410 empty to more quickly have the cache populated by generating
8411 non-conditional GETs.
96598f93
AJ		 8412
8413 When set to 'on' (default), Squid will pass all client If-* headers
2d4eefd9
AJ		 8414 to the server. This permits server responses without a cacheable
8415 payload to be delivered and on MISS no new cache entry is created.
96598f93
AJ		 8416
8417 When set to 'off' and if the request is cacheable, Squid will
8418 remove the clients If-Modified-Since and If-None-Match headers from
2d4eefd9
AJ		 8419 the request sent to the server. This requests a 200 status response
8420 from the server to create a new cache entry with.
96598f93
AJ		 8421DOC_END
8422
5473c134 8423NAME: always_direct
8d6275c0 8424TYPE: acl_access
5473c134 8425LOC: Config.accessList.AlwaysDirect
0b0cfcf2 8426DEFAULT: none
638402dd 8427DEFAULT_DOC: Prevent any cache_peer being used for this request.
0b0cfcf2 8428DOC_START
5473c134 8429 Usage: always_direct allow|deny [!]aclname ...
0b0cfcf2 8430
5473c134 8431 Here you can use ACL elements to specify requests which should
8432 ALWAYS be forwarded by Squid to the origin servers without using
8433 any peers. For example, to always directly forward requests for
8434 local servers ignoring any parents or siblings you may have use
8435 something like:
0b0cfcf2 8436
5473c134 8437 acl local-servers dstdomain my.domain.net
8438 always_direct allow local-servers
0b0cfcf2 8439
5473c134 8440 To always forward FTP requests directly, use
f16fbc82 8441
5473c134 8442 acl FTP proto FTP
8443 always_direct allow FTP
cccac0a2 8444
5473c134 8445 NOTE: There is a similar, but opposite option named
8446 'never_direct'. You need to be aware that "always_direct deny
8447 foo" is NOT the same thing as "never_direct allow foo". You
8448 may need to use a deny rule to exclude a more-specific case of
8449 some other rule. Example:
8d6275c0 8450
5473c134 8451 acl local-external dstdomain external.foo.net
8452 acl local-servers dstdomain .foo.net
8453 always_direct deny local-external
8454 always_direct allow local-servers
8d6275c0 8455
5473c134 8456 NOTE: If your goal is to make the client forward the request
8457 directly to the origin server bypassing Squid then this needs
8458 to be done in the client configuration. Squid configuration
8459 can only tell Squid how Squid should fetch the object.
8d6275c0 8460
5473c134 8461 NOTE: This directive is not related to caching. The replies
8462 is cached as usual even if you use always_direct. To not cache
b3567eb5 8463 the replies see the 'cache' directive.
5473c134 8464
b3567eb5
FC		 8465 This clause supports both fast and slow acl types.
8466 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
cccac0a2 8467DOC_END
0976f8db 8468
5473c134 8469NAME: never_direct
8470TYPE: acl_access
8471LOC: Config.accessList.NeverDirect
8472DEFAULT: none
638402dd 8473DEFAULT_DOC: Allow DNS results to be used for this request.
8d6275c0 8474DOC_START
5473c134 8475 Usage: never_direct allow|deny [!]aclname ...
8476
8477 never_direct is the opposite of always_direct. Please read
8478 the description for always_direct if you have not already.
8479
8480 With 'never_direct' you can use ACL elements to specify
8481 requests which should NEVER be forwarded directly to origin
8482 servers. For example, to force the use of a proxy for all
8483 requests, except those in your local domain use something like:
8484
8485 acl local-servers dstdomain .foo.net
5473c134 8486 never_direct deny local-servers
8487 never_direct allow all
8488
8489 or if Squid is inside a firewall and there are local intranet
8490 servers inside the firewall use something like:
8491
8492 acl local-intranet dstdomain .foo.net
8493 acl local-external dstdomain external.foo.net
8494 always_direct deny local-external
8495 always_direct allow local-intranet
8496 never_direct allow all
8497
b3567eb5
FC		 8498 This clause supports both fast and slow acl types.
8499 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
8d6275c0 8500DOC_END
0976f8db 8501
5473c134 8502COMMENT_START
8503 ADVANCED NETWORKING OPTIONS
8504 -----------------------------------------------------------------------------
8505COMMENT_END
8506
65d448bc 8507NAME: incoming_udp_average incoming_icp_average
cccac0a2 8508TYPE: int
8509DEFAULT: 6
65d448bc
AJ		 8510LOC: Config.comm_incoming.udp.average
8511DOC_START
8512 Heavy voodoo here. I can't even believe you are reading this.
8513 Are you crazy? Don't even think about adjusting these unless
8514 you understand the algorithms in comm_select.c first!
8515DOC_END
cccac0a2 8516
65d448bc 8517NAME: incoming_tcp_average incoming_http_average
cccac0a2 8518TYPE: int
8519DEFAULT: 4
65d448bc
AJ		 8520LOC: Config.comm_incoming.tcp.average
8521DOC_START
8522 Heavy voodoo here. I can't even believe you are reading this.
8523 Are you crazy? Don't even think about adjusting these unless
8524 you understand the algorithms in comm_select.c first!
8525DOC_END
cccac0a2 8526
8527NAME: incoming_dns_average
8528TYPE: int
8529DEFAULT: 4
65d448bc
AJ		 8530LOC: Config.comm_incoming.dns.average
8531DOC_START
8532 Heavy voodoo here. I can't even believe you are reading this.
8533 Are you crazy? Don't even think about adjusting these unless
8534 you understand the algorithms in comm_select.c first!
8535DOC_END
cccac0a2 8536
65d448bc 8537NAME: min_udp_poll_cnt min_icp_poll_cnt
cccac0a2 8538TYPE: int
8539DEFAULT: 8
65d448bc
AJ		 8540LOC: Config.comm_incoming.udp.min_poll
8541DOC_START
8542 Heavy voodoo here. I can't even believe you are reading this.
8543 Are you crazy? Don't even think about adjusting these unless
8544 you understand the algorithms in comm_select.c first!
8545DOC_END
cccac0a2 8546
8547NAME: min_dns_poll_cnt
8548TYPE: int
8549DEFAULT: 8
65d448bc
AJ		 8550LOC: Config.comm_incoming.dns.min_poll
8551DOC_START
8552 Heavy voodoo here. I can't even believe you are reading this.
8553 Are you crazy? Don't even think about adjusting these unless
8554 you understand the algorithms in comm_select.c first!
8555DOC_END
cccac0a2 8556
65d448bc 8557NAME: min_tcp_poll_cnt min_http_poll_cnt
cccac0a2 8558TYPE: int
8559DEFAULT: 8
65d448bc 8560LOC: Config.comm_incoming.tcp.min_poll
cccac0a2 8561DOC_START
5473c134 8562 Heavy voodoo here. I can't even believe you are reading this.
8563 Are you crazy? Don't even think about adjusting these unless
8564 you understand the algorithms in comm_select.c first!
8565DOC_END
8566
8567NAME: accept_filter
5473c134 8568TYPE: string
8569DEFAULT: none
8570LOC: Config.accept_filter
8571DOC_START
0b4d4be5 8572 FreeBSD:
8573
5473c134 8574 The name of an accept(2) filter to install on Squid's
8575 listen socket(s). This feature is perhaps specific to
8576 FreeBSD and requires support in the kernel.
8577
8578 The 'httpready' filter delays delivering new connections
2324cda2 8579 to Squid until a full HTTP request has been received.
0b4d4be5 8580 See the accf_http(9) man page for details.
8581
8582 The 'dataready' filter delays delivering new connections
8583 to Squid until there is some data to process.
8584 See the accf_dataready(9) man page for details.
8585
8586 Linux:
8587
8588 The 'data' filter delays delivering of new connections
8589 to Squid until there is some data to process by TCP_ACCEPT_DEFER.
8590 You may optionally specify a number of seconds to wait by
8591 'data=N' where N is the number of seconds. Defaults to 30
8592 if not specified. See the tcp(7) man page for details.
5473c134 8593EXAMPLE:
0b4d4be5 8594# FreeBSD
5473c134 8595accept_filter httpready
0b4d4be5 8596# Linux
8597accept_filter data
5473c134 8598DOC_END
8599
ab2ecb0e
AJ		 8600NAME: client_ip_max_connections
8601TYPE: int
8602LOC: Config.client_ip_max_connections
8603DEFAULT: -1
638402dd 8604DEFAULT_DOC: No limit.
ab2ecb0e
AJ		 8605DOC_START
8606 Set an absolute limit on the number of connections a single
8607 client IP can use. Any more than this and Squid will begin to drop
8608 new connections from the client until it closes some links.
8609
8610 Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
8611 connections from the client. For finer control use the ACL access controls.
8612
8613 Requires client_db to be enabled (the default).
8614
8615 WARNING: This may noticably slow down traffic received via external proxies
8616 or NAT devices and cause them to rebound error messages back to their clients.
8617DOC_END
8618
5473c134 8619NAME: tcp_recv_bufsize
8620COMMENT: (bytes)
8621TYPE: b_size_t
8622DEFAULT: 0 bytes
638402dd 8623DEFAULT_DOC: Use operating system TCP defaults.
5473c134 8624LOC: Config.tcpRcvBufsz
8625DOC_START
8626 Size of receive buffer to set for TCP sockets. Probably just
638402dd
AJ		 8627 as easy to change your kernel's default.
8628 Omit from squid.conf to use the default buffer size.
5473c134 8629DOC_END
8630
8631COMMENT_START
8632 ICAP OPTIONS
8633 -----------------------------------------------------------------------------
8634COMMENT_END
8635
8636NAME: icap_enable
8637TYPE: onoff
8638IFDEF: ICAP_CLIENT
8639COMMENT: on|off
26cc52cb 8640LOC: Adaptation::Icap::TheConfig.onoff
5473c134 8641DEFAULT: off
8642DOC_START
53e738c6 8643 If you want to enable the ICAP module support, set this to on.
5473c134 8644DOC_END
8645
8646NAME: icap_connect_timeout
8647TYPE: time_t
8648DEFAULT: none
26cc52cb 8649LOC: Adaptation::Icap::TheConfig.connect_timeout_raw
5473c134 8650IFDEF: ICAP_CLIENT
8651DOC_START
8652 This parameter specifies how long to wait for the TCP connect to
8653 the requested ICAP server to complete before giving up and either
8654 terminating the HTTP transaction or bypassing the failure.
8655
8656 The default for optional services is peer_connect_timeout.
8657 The default for essential services is connect_timeout.
8658 If this option is explicitly set, its value applies to all services.
8659DOC_END
8660
8661NAME: icap_io_timeout
8662COMMENT: time-units
8663TYPE: time_t
8664DEFAULT: none
638402dd 8665DEFAULT_DOC: Use read_timeout.
26cc52cb 8666LOC: Adaptation::Icap::TheConfig.io_timeout_raw
5473c134 8667IFDEF: ICAP_CLIENT
8668DOC_START
8669 This parameter specifies how long to wait for an I/O activity on
8670 an established, active ICAP connection before giving up and
8671 either terminating the HTTP transaction or bypassing the
8672 failure.
5473c134 8673DOC_END
8674
8675NAME: icap_service_failure_limit
8277060a
CT		 8676COMMENT: limit [in memory-depth time-units]
8677TYPE: icap_service_failure_limit
5473c134 8678IFDEF: ICAP_CLIENT
8277060a 8679LOC: Adaptation::Icap::TheConfig
5473c134 8680DEFAULT: 10
8681DOC_START
8682 The limit specifies the number of failures that Squid tolerates
8683 when establishing a new TCP connection with an ICAP service. If
8684 the number of failures exceeds the limit, the ICAP service is
8685 not used for new ICAP requests until it is time to refresh its
8277060a 8686 OPTIONS.
5473c134 8687
8688 A negative value disables the limit. Without the limit, an ICAP
8689 service will not be considered down due to connectivity failures
8690 between ICAP OPTIONS requests.
8277060a
CT		 8691
8692 Squid forgets ICAP service failures older than the specified
8693 value of memory-depth. The memory fading algorithm
8694 is approximate because Squid does not remember individual
8695 errors but groups them instead, splitting the option
8696 value into ten time slots of equal length.
8697
8698 When memory-depth is 0 and by default this option has no
8699 effect on service failure expiration.
8700
8701 Squid always forgets failures when updating service settings
8702 using an ICAP OPTIONS transaction, regardless of this option
8703 setting.
8704
8705 For example,
8706 # suspend service usage after 10 failures in 5 seconds:
8707 icap_service_failure_limit 10 in 5 seconds
cccac0a2 8708DOC_END
8709
5473c134 8710NAME: icap_service_revival_delay
cccac0a2 8711TYPE: int
5473c134 8712IFDEF: ICAP_CLIENT
26cc52cb 8713LOC: Adaptation::Icap::TheConfig.service_revival_delay
5473c134 8714DEFAULT: 180
cccac0a2 8715DOC_START
5473c134 8716 The delay specifies the number of seconds to wait after an ICAP
8717 OPTIONS request failure before requesting the options again. The
8718 failed ICAP service is considered "down" until fresh OPTIONS are
8719 fetched.
cccac0a2 8720
5473c134 8721 The actual delay cannot be smaller than the hardcoded minimum
8722 delay of 30 seconds.
cccac0a2 8723DOC_END
8724
5473c134 8725NAME: icap_preview_enable
cccac0a2 8726TYPE: onoff
5473c134 8727IFDEF: ICAP_CLIENT
8728COMMENT: on|off
26cc52cb 8729LOC: Adaptation::Icap::TheConfig.preview_enable
ac7a62f9 8730DEFAULT: on
cccac0a2 8731DOC_START
ac7a62f9 8732 The ICAP Preview feature allows the ICAP server to handle the
8733 HTTP message by looking only at the beginning of the message body
8734 or even without receiving the body at all. In some environments,
8735 previews greatly speedup ICAP processing.
8736
8737 During an ICAP OPTIONS transaction, the server may tell Squid what
8738 HTTP messages should be previewed and how big the preview should be.
8739 Squid will not use Preview if the server did not request one.
8740
8741 To disable ICAP Preview for all ICAP services, regardless of
8742 individual ICAP server OPTIONS responses, set this option to "off".
8743Example:
8744icap_preview_enable off
cccac0a2 8745DOC_END
8746
5473c134 8747NAME: icap_preview_size
8748TYPE: int
8749IFDEF: ICAP_CLIENT
26cc52cb 8750LOC: Adaptation::Icap::TheConfig.preview_size
5473c134 8751DEFAULT: -1
638402dd 8752DEFAULT_DOC: No preview sent.
cccac0a2 8753DOC_START
53e738c6 8754 The default size of preview data to be sent to the ICAP server.
638402dd 8755 This value might be overwritten on a per server basis by OPTIONS requests.
cccac0a2 8756DOC_END
8757
83c51da9
CT		 8758NAME: icap_206_enable
8759TYPE: onoff
8760IFDEF: ICAP_CLIENT
8761COMMENT: on|off
8762LOC: Adaptation::Icap::TheConfig.allow206_enable
8763DEFAULT: on
8764DOC_START
8765 206 (Partial Content) responses is an ICAP extension that allows the
8766 ICAP agents to optionally combine adapted and original HTTP message
8767 content. The decision to combine is postponed until the end of the
8768 ICAP response. Squid supports Partial Content extension by default.
8769
8770 Activation of the Partial Content extension is negotiated with each
8771 ICAP service during OPTIONS exchange. Most ICAP servers should handle
8772 negotation correctly even if they do not support the extension, but
8773 some might fail. To disable Partial Content support for all ICAP
8774 services and to avoid any negotiation, set this option to "off".
8775
8776 Example:
8777 icap_206_enable off
8778DOC_END
8779
5473c134 8780NAME: icap_default_options_ttl
8781TYPE: int
8782IFDEF: ICAP_CLIENT
26cc52cb 8783LOC: Adaptation::Icap::TheConfig.default_options_ttl
5473c134 8784DEFAULT: 60
cccac0a2 8785DOC_START
53e738c6 8786 The default TTL value for ICAP OPTIONS responses that don't have
5473c134 8787 an Options-TTL header.
cccac0a2 8788DOC_END
8789
5473c134 8790NAME: icap_persistent_connections
8791TYPE: onoff
8792IFDEF: ICAP_CLIENT
8793COMMENT: on|off
26cc52cb 8794LOC: Adaptation::Icap::TheConfig.reuse_connections
5473c134 8795DEFAULT: on
cccac0a2 8796DOC_START
5473c134 8797 Whether or not Squid should use persistent connections to
8798 an ICAP server.
cccac0a2 8799DOC_END
8800
22fff3bf 8801NAME: adaptation_send_client_ip icap_send_client_ip
5473c134 8802TYPE: onoff
22fff3bf 8803IFDEF: USE_ADAPTATION
5473c134 8804COMMENT: on|off
22fff3bf 8805LOC: Adaptation::Config::send_client_ip
5473c134 8806DEFAULT: off
cccac0a2 8807DOC_START
ea3ae478
AR		 8808 If enabled, Squid shares HTTP client IP information with adaptation
8809 services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
8810 For eCAP, Squid sets the libecap::metaClientIp transaction option.
8811
8812 See also: adaptation_uses_indirect_client
cccac0a2 8813DOC_END
8814
22fff3bf 8815NAME: adaptation_send_username icap_send_client_username
5473c134 8816TYPE: onoff
22fff3bf 8817IFDEF: USE_ADAPTATION
5473c134 8818COMMENT: on|off
22fff3bf 8819LOC: Adaptation::Config::send_username
5473c134 8820DEFAULT: off
cccac0a2 8821DOC_START
5473c134 8822 This sends authenticated HTTP client username (if available) to
22fff3bf
AR		 8823 the adaptation service.
8824
8825 For ICAP, the username value is encoded based on the
5473c134 8826 icap_client_username_encode option and is sent using the header
8827 specified by the icap_client_username_header option.
cccac0a2 8828DOC_END
8829
5473c134 8830NAME: icap_client_username_header
cccac0a2 8831TYPE: string
5473c134 8832IFDEF: ICAP_CLIENT
26cc52cb 8833LOC: Adaptation::Icap::TheConfig.client_username_header
5473c134 8834DEFAULT: X-Client-Username
cccac0a2 8835DOC_START
db49f682 8836 ICAP request header name to use for adaptation_send_username.
cccac0a2 8837DOC_END
8838
5473c134 8839NAME: icap_client_username_encode
cccac0a2 8840TYPE: onoff
5473c134 8841IFDEF: ICAP_CLIENT
8842COMMENT: on|off
26cc52cb 8843LOC: Adaptation::Icap::TheConfig.client_username_encode
5473c134 8844DEFAULT: off
cccac0a2 8845DOC_START
5473c134 8846 Whether to base64 encode the authenticated client username.
cccac0a2 8847DOC_END
8848
5473c134 8849NAME: icap_service
8850TYPE: icap_service_type
8851IFDEF: ICAP_CLIENT
26cc52cb 8852LOC: Adaptation::Icap::TheConfig
5473c134 8853DEFAULT: none
cccac0a2 8854DOC_START
a22e6cd3 8855 Defines a single ICAP service using the following format:
cccac0a2 8856
c25c2836 8857 icap_service id vectoring_point uri [option ...]
7d90757b 8858
c25c2836
CT		 8859 id: ID
8860 an opaque identifier or name which is used to direct traffic to
8861 this specific service. Must be unique among all adaptation
8862 services in squid.conf.
a22e6cd3
AR		 8863
8864 vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
f3db09e2 8865 This specifies at which point of transaction processing the
8866 ICAP service should be activated. *_postcache vectoring points
8867 are not yet supported.
a22e6cd3 8868
c25c2836 8869 uri: icap://servername:port/servicepath
a22e6cd3 8870 ICAP server and service location.
1b091aec
CT		 8871 icaps://servername:port/servicepath
8872 The "icap:" URI scheme is used for traditional ICAP server and
8873 service location (default port is 1344, connections are not
8874 encrypted). The "icaps:" URI scheme is for Secure ICAP
8875 services that use SSL/TLS-encrypted ICAP connections (by
8876 default, on port 11344).
a22e6cd3
AR		 8877
8878 ICAP does not allow a single service to handle both REQMOD and RESPMOD
8879 transactions. Squid does not enforce that requirement. You can specify
8880 services with the same service_url and different vectoring_points. You
8881 can even specify multiple identical services as long as their
8882 service_names differ.
8883
3caa16d2
AR		 8884 To activate a service, use the adaptation_access directive. To group
8885 services, use adaptation_service_chain and adaptation_service_set.
a22e6cd3
AR		 8886
8887 Service options are separated by white space. ICAP services support
8888 the following name=value options:
8889
8890 bypass=on|off|1|0
8891 If set to 'on' or '1', the ICAP service is treated as
8892 optional. If the service cannot be reached or malfunctions,
8893 Squid will try to ignore any errors and process the message as
8894 if the service was not enabled. No all ICAP errors can be
8895 bypassed. If set to 0, the ICAP service is treated as
8896 essential and all ICAP errors will result in an error page
8897 returned to the HTTP client.
8898
8899 Bypass is off by default: services are treated as essential.
8900
8901 routing=on|off|1|0
8902 If set to 'on' or '1', the ICAP service is allowed to
8903 dynamically change the current message adaptation plan by
8904 returning a chain of services to be used next. The services
8905 are specified using the X-Next-Services ICAP response header
8906 value, formatted as a comma-separated list of service names.
e2851fe7
AR		 8907 Each named service should be configured in squid.conf. Other
8908 services are ignored. An empty X-Next-Services value results
8909 in an empty plan which ends the current adaptation.
8910
8911 Dynamic adaptation plan may cross or cover multiple supported
8912 vectoring points in their natural processing order.
a22e6cd3
AR		 8913
8914 Routing is not allowed by default: the ICAP X-Next-Services
8915 response header is ignored.
8916
e6713f4e
AJ		 8917 ipv6=on|off
8918 Only has effect on split-stack systems. The default on those systems
8919 is to use IPv4-only connections. When set to 'on' this option will
8920 make Squid use IPv6-only connections to contact this ICAP service.
8921
2dba5b8e
CT		 8922 on-overload=block|bypass|wait|force
8923 If the service Max-Connections limit has been reached, do
8924 one of the following for each new ICAP transaction:
8925 * block: send an HTTP error response to the client
8926 * bypass: ignore the "over-connected" ICAP service
8927 * wait: wait (in a FIFO queue) for an ICAP connection slot
8928 * force: proceed, ignoring the Max-Connections limit
8929
8930 In SMP mode with N workers, each worker assumes the service
8931 connection limit is Max-Connections/N, even though not all
8932 workers may use a given service.
8933
8934 The default value is "bypass" if service is bypassable,
8935 otherwise it is set to "wait".
8936
8937
8938 max-conn=number
8939 Use the given number as the Max-Connections limit, regardless
8940 of the Max-Connections value given by the service, if any.
8941
88df846b
CT		 8942 connection-encryption=on|off
8943 Determines the ICAP service effect on the connections_encrypted
8944 ACL.
8945
8946 The default is "on" for Secure ICAP services (i.e., those
8947 with the icaps:// service URIs scheme) and "off" for plain ICAP
8948 services.
8949
8950 Does not affect ICAP connections (e.g., does not turn Secure
8951 ICAP on or off).
8952
4dd2c9d6 8953 ==== ICAPS / TLS OPTIONS ====
1b091aec
CT		 8954
8955 These options are used for Secure ICAP (icaps://....) services only.
8956
4dd2c9d6 8957 tls-cert=/path/to/ssl/certificate
1b091aec
CT		 8958 A client SSL certificate to use when connecting to
8959 this icap server.
8960
4dd2c9d6
AJ		 8961 tls-key=/path/to/ssl/key
8962 The private TLS/SSL key corresponding to sslcert above.
8963 If 'tls-key' is not specified 'tls-cert' is assumed to
8964 reference a combined PEM format file containing both the
1b091aec
CT		 8965 certificate and the key.
8966
4dd2c9d6 8967 tls-cipher=... The list of valid TLS/SSL ciphers to use when connecting
1b091aec
CT		 8968 to this icap server.
8969
1cc44095
AJ		 8970 tls-min-version=1.N
8971 The minimum TLS protocol version to permit. To control
3f5b28fe 8972 SSLv3 use the tls-options= parameter.
1cc44095
AJ		 8973 Supported Values: 1.0 (default), 1.1, 1.2
8974
4dd2c9d6 8975 tls-options=... Specify various OpenSSL library options:
1b091aec
CT		 8976
8977 NO_SSLv3 Disallow the use of SSLv3
4dd2c9d6 8978
1b091aec
CT		 8979 SINGLE_DH_USE
8980 Always create a new key when using
8981 temporary/ephemeral DH key exchanges
4dd2c9d6 8982
1b091aec 8983 ALL Enable various bug workarounds
4dd2c9d6
AJ		 8984 suggested as "harmless" by OpenSSL
8985 Be warned that this reduces SSL/TLS
8986 strength to some attacks.
1b091aec
CT		 8987
8988 See the OpenSSL SSL_CTX_set_options documentation for a
4dd2c9d6
AJ		 8989 more complete list. Options relevant only to SSLv2 are
8990 not supported.
1b091aec 8991
86a84cc0
AJ		 8992 tls-cafile= PEM file containing CA certificates to use when verifying
8993 the icap server certificate.
8994 Use to specify intermediate CA certificate(s) if not sent
8995 by the server. Or the full CA chain for the server when
435c72b0 8996 using the tls-default-ca=off flag.
86a84cc0 8997 May be repeated to load multiple files.
1b091aec 8998
4dd2c9d6 8999 tls-capath=... A directory containing additional CA certificates to
1b091aec 9000 use when verifying the icap server certificate.
86a84cc0 9001 Requires OpenSSL or LibreSSL.
1b091aec 9002
4dd2c9d6 9003 tls-crlfile=... A certificate revocation list file to use when
1b091aec
CT		 9004 verifying the icap server certificate.
9005
4dd2c9d6 9006 tls-flags=... Specify various flags modifying the Squid TLS implementation:
1b091aec
CT		 9007
9008 DONT_VERIFY_PEER
9009 Accept certificates even if they fail to
9010 verify.
1b091aec
CT		 9011 DONT_VERIFY_DOMAIN
9012 Don't verify the icap server certificate
9013 matches the server name
9014
435c72b0
AJ		 9015 tls-default-ca[=off]
9016 Whether to use the system Trusted CAs. Default is ON.
8b253b83 9017
4dd2c9d6 9018 tls-domain= The icap server name as advertised in it's certificate.
1b091aec
CT		 9019 Used for verifying the correctness of the received icap
9020 server certificate. If not specified the icap server
9021 hostname extracted from ICAP URI will be used.
9022
a22e6cd3
AR		 9023 Older icap_service format without optional named parameters is
9024 deprecated but supported for backward compatibility.
5473c134 9025
5473c134 9026Example:
c25c2836 9027icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
1b091aec 9028icap_service svcLogger reqmod_precache icaps://icap2.mydomain.net:11344/reqmod routing=on
cccac0a2 9029DOC_END
9030
5473c134 9031NAME: icap_class
9032TYPE: icap_class_type
9033IFDEF: ICAP_CLIENT
21a26d31 9034LOC: none
5473c134 9035DEFAULT: none
cccac0a2 9036DOC_START
a22e6cd3 9037 This deprecated option was documented to define an ICAP service
62c7f90e
AR		 9038 chain, even though it actually defined a set of similar, redundant
9039 services, and the chains were not supported.
5473c134 9040
62c7f90e 9041 To define a set of redundant services, please use the
a22e6cd3
AR		 9042 adaptation_service_set directive. For service chains, use
9043 adaptation_service_chain.
cccac0a2 9044DOC_END
9045
5473c134 9046NAME: icap_access
9047TYPE: icap_access_type
9048IFDEF: ICAP_CLIENT
21a26d31 9049LOC: none
cccac0a2 9050DEFAULT: none
cccac0a2 9051DOC_START
a22e6cd3 9052 This option is deprecated. Please use adaptation_access, which
62c7f90e
AR		 9053 has the same ICAP functionality, but comes with better
9054 documentation, and eCAP support.
cccac0a2 9055DOC_END
9056
57afc994
AR		 9057COMMENT_START
9058 eCAP OPTIONS
9059 -----------------------------------------------------------------------------
9060COMMENT_END
9061
21a26d31
AR		 9062NAME: ecap_enable
9063TYPE: onoff
9064IFDEF: USE_ECAP
9065COMMENT: on|off
574b508c 9066LOC: Adaptation::Ecap::TheConfig.onoff
21a26d31
AR		 9067DEFAULT: off
9068DOC_START
9069 Controls whether eCAP support is enabled.
9070DOC_END
9071
9072NAME: ecap_service
9073TYPE: ecap_service_type
9074IFDEF: USE_ECAP
574b508c 9075LOC: Adaptation::Ecap::TheConfig
21a26d31
AR		 9076DEFAULT: none
9077DOC_START
9078 Defines a single eCAP service
9079
c25c2836 9080 ecap_service id vectoring_point uri [option ...]
21a26d31 9081
c25c2836
CT		 9082 id: ID
9083 an opaque identifier or name which is used to direct traffic to
9084 this specific service. Must be unique among all adaptation
9085 services in squid.conf.
9086
9087 vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
21a26d31
AR		 9088 This specifies at which point of transaction processing the
9089 eCAP service should be activated. *_postcache vectoring points
9090 are not yet supported.
c25c2836
CT		 9091
9092 uri: ecap://vendor/service_name?custom&cgi=style&parameters=optional
9093 Squid uses the eCAP service URI to match this configuration
9094 line with one of the dynamically loaded services. Each loaded
9095 eCAP service must have a unique URI. Obtain the right URI from
9096 the service provider.
9097
3caa16d2
AR		 9098 To activate a service, use the adaptation_access directive. To group
9099 services, use adaptation_service_chain and adaptation_service_set.
c25c2836
CT		 9100
9101 Service options are separated by white space. eCAP services support
9102 the following name=value options:
9103
9104 bypass=on|off|1|0
9105 If set to 'on' or '1', the eCAP service is treated as optional.
9106 If the service cannot be reached or malfunctions, Squid will try
9107 to ignore any errors and process the message as if the service
21a26d31 9108 was not enabled. No all eCAP errors can be bypassed.
c25c2836
CT		 9109 If set to 'off' or '0', the eCAP service is treated as essential
9110 and all eCAP errors will result in an error page returned to the
21a26d31 9111 HTTP client.
c25c2836
CT		 9112
9113 Bypass is off by default: services are treated as essential.
9114
9115 routing=on|off|1|0
9116 If set to 'on' or '1', the eCAP service is allowed to
9117 dynamically change the current message adaptation plan by
9118 returning a chain of services to be used next.
9119
9120 Dynamic adaptation plan may cross or cover multiple supported
9121 vectoring points in their natural processing order.
9122
9123 Routing is not allowed by default.
9124
88df846b
CT		 9125 connection-encryption=on|off
9126 Determines the eCAP service effect on the connections_encrypted
9127 ACL.
9128
9129 Defaults to "on", which does not taint the master transaction
9130 w.r.t. that ACL.
9131
9132 Does not affect eCAP API calls.
9133
c25c2836
CT		 9134 Older ecap_service format without optional named parameters is
9135 deprecated but supported for backward compatibility.
9136
21a26d31
AR		 9137
9138Example:
c25c2836
CT		 9139ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off
9140ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on
21a26d31
AR		 9141DOC_END
9142
57afc994
AR		 9143NAME: loadable_modules
9144TYPE: wordlist
9145IFDEF: USE_LOADABLE_MODULES
9146LOC: Config.loadable_module_names
9147DEFAULT: none
9148DOC_START
9149 Instructs Squid to load the specified dynamic module(s) or activate
9150 preloaded module(s).
9151Example:
9152loadable_modules @DEFAULT_PREFIX@/lib/MinimalAdapter.so
9153DOC_END
9154
62c7f90e
AR		 9155COMMENT_START
9156 MESSAGE ADAPTATION OPTIONS
9157 -----------------------------------------------------------------------------
9158COMMENT_END
9159
9160NAME: adaptation_service_set
9161TYPE: adaptation_service_set_type
9162IFDEF: USE_ADAPTATION
9163LOC: none
9164DEFAULT: none
9165DOC_START
9166
a22e6cd3
AR		 9167 Configures an ordered set of similar, redundant services. This is
9168 useful when hot standby or backup adaptation servers are available.
9169
9170 adaptation_service_set set_name service_name1 service_name2 ...
9171
9172 The named services are used in the set declaration order. The first
9173 applicable adaptation service from the set is used first. The next
9174 applicable service is tried if and only if the transaction with the
9175 previous service fails and the message waiting to be adapted is still
9176 intact.
62c7f90e 9177
a22e6cd3
AR		 9178 When adaptation starts, broken services are ignored as if they were
9179 not a part of the set. A broken service is a down optional service.
62c7f90e 9180
a22e6cd3
AR		 9181 The services in a set must be attached to the same vectoring point
9182 (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
9183
9184 If all services in a set are optional then adaptation failures are
9185 bypassable. If all services in the set are essential, then a
9186 transaction failure with one service may still be retried using
9187 another service from the set, but when all services fail, the master
9188 transaction fails as well.
9189
9190 A set may contain a mix of optional and essential services, but that
9191 is likely to lead to surprising results because broken services become
9192 ignored (see above), making previously bypassable failures fatal.
9193 Technically, it is the bypassability of the last failed service that
9194 matters.
9195
9196 See also: adaptation_access adaptation_service_chain
62c7f90e
AR		 9197
9198Example:
9199adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
9200adaptation service_set svcLogger loggerLocal loggerRemote
9201DOC_END
9202
a22e6cd3
AR		 9203NAME: adaptation_service_chain
9204TYPE: adaptation_service_chain_type
9205IFDEF: USE_ADAPTATION
9206LOC: none
9207DEFAULT: none
9208DOC_START
9209
9210 Configures a list of complementary services that will be applied
9211 one-by-one, forming an adaptation chain or pipeline. This is useful
9212 when Squid must perform different adaptations on the same message.
9213
9214 adaptation_service_chain chain_name service_name1 svc_name2 ...
9215
9216 The named services are used in the chain declaration order. The first
9217 applicable adaptation service from the chain is used first. The next
9218 applicable service is applied to the successful adaptation results of
9219 the previous service in the chain.
9220
9221 When adaptation starts, broken services are ignored as if they were
9222 not a part of the chain. A broken service is a down optional service.
9223
9224 Request satisfaction terminates the adaptation chain because Squid
9225 does not currently allow declaration of RESPMOD services at the
9226 "reqmod_precache" vectoring point (see icap_service or ecap_service).
9227
9228 The services in a chain must be attached to the same vectoring point
9229 (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
9230
9231 A chain may contain a mix of optional and essential services. If an
9232 essential adaptation fails (or the failure cannot be bypassed for
9233 other reasons), the master transaction fails. Otherwise, the failure
9234 is bypassed as if the failed adaptation service was not in the chain.
9235
9236 See also: adaptation_access adaptation_service_set
9237
9238Example:
9239adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
9240DOC_END
9241
62c7f90e
AR		 9242NAME: adaptation_access
9243TYPE: adaptation_access_type
9244IFDEF: USE_ADAPTATION
9245LOC: none
9246DEFAULT: none
638402dd 9247DEFAULT_DOC: Allow, unless rules exist in squid.conf.
62c7f90e
AR		 9248DOC_START
9249 Sends an HTTP transaction to an ICAP or eCAP adaptation service.
9250
9251 adaptation_access service_name allow|deny [!]aclname...
9252 adaptation_access set_name allow|deny [!]aclname...
9253
9254 At each supported vectoring point, the adaptation_access
9255 statements are processed in the order they appear in this
9256 configuration file. Statements pointing to the following services
9257 are ignored (i.e., skipped without checking their ACL):
9258
9259 - services serving different vectoring points
9260 - "broken-but-bypassable" services
9261 - "up" services configured to ignore such transactions
9262 (e.g., based on the ICAP Transfer-Ignore header).
9263
9264 When a set_name is used, all services in the set are checked
9265 using the same rules, to find the first applicable one. See
9266 adaptation_service_set for details.
9267
9268 If an access list is checked and there is a match, the
9269 processing stops: For an "allow" rule, the corresponding
9270 adaptation service is used for the transaction. For a "deny"
9271 rule, no adaptation service is activated.
9272
9273 It is currently not possible to apply more than one adaptation
9274 service at the same vectoring point to the same HTTP transaction.
9275
9276 See also: icap_service and ecap_service
9277
9278Example:
9279adaptation_access service_1 allow all
9280DOC_END
9281
a22e6cd3
AR		 9282NAME: adaptation_service_iteration_limit
9283TYPE: int
9284IFDEF: USE_ADAPTATION
9285LOC: Adaptation::Config::service_iteration_limit
9286DEFAULT: 16
9287DOC_START
9288 Limits the number of iterations allowed when applying adaptation
9289 services to a message. If your longest adaptation set or chain
9290 may have more than 16 services, increase the limit beyond its
9291 default value of 16. If detecting infinite iteration loops sooner
9292 is critical, make the iteration limit match the actual number
9293 of services in your longest adaptation set or chain.
9294
9295 Infinite adaptation loops are most likely with routing services.
9296
9297 See also: icap_service routing=1
9298DOC_END
9299
3ff65596
AR		 9300NAME: adaptation_masterx_shared_names
9301TYPE: string
9302IFDEF: USE_ADAPTATION
9303LOC: Adaptation::Config::masterx_shared_name
9304DEFAULT: none
9305DOC_START
9306 For each master transaction (i.e., the HTTP request and response
9307 sequence, including all related ICAP and eCAP exchanges), Squid
9308 maintains a table of metadata. The table entries are (name, value)
9309 pairs shared among eCAP and ICAP exchanges. The table is destroyed
9310 with the master transaction.
9311
9312 This option specifies the table entry names that Squid must accept
9313 from and forward to the adaptation transactions.
9314
9315 An ICAP REQMOD or RESPMOD transaction may set an entry in the
9316 shared table by returning an ICAP header field with a name
6666da11
AR		 9317 specified in adaptation_masterx_shared_names.
9318
9319 An eCAP REQMOD or RESPMOD transaction may set an entry in the
9320 shared table by implementing the libecap::visitEachOption() API
9321 to provide an option with a name specified in
9322 adaptation_masterx_shared_names.
5038f9d8
AR		 9323
9324 Squid will store and forward the set entry to subsequent adaptation
3ff65596
AR		 9325 transactions within the same master transaction scope.
9326
9327 Only one shared entry name is supported at this time.
9328
9329Example:
9330# share authentication information among ICAP services
9331adaptation_masterx_shared_names X-Subscriber-ID
9332DOC_END
9333
71be37e0 9334NAME: adaptation_meta
d7f4a0b7 9335TYPE: note
71be37e0
CT		 9336IFDEF: USE_ADAPTATION
9337LOC: Adaptation::Config::metaHeaders
9338DEFAULT: none
9339DOC_START
9340 This option allows Squid administrator to add custom ICAP request
9341 headers or eCAP options to Squid ICAP requests or eCAP transactions.
9342 Use it to pass custom authentication tokens and other
9343 transaction-state related meta information to an ICAP/eCAP service.
9344
9345 The addition of a meta header is ACL-driven:
9346 adaptation_meta name value [!]aclname ...
9347
9348 Processing for a given header name stops after the first ACL list match.
9349 Thus, it is impossible to add two headers with the same name. If no ACL
9350 lists match for a given header name, no such header is added. For
9351 example:
9352
9353 # do not debug transactions except for those that need debugging
9354 adaptation_meta X-Debug 1 needs_debugging
9355
9356 # log all transactions except for those that must remain secret
9357 adaptation_meta X-Log 1 !keep_secret
9358
9359 # mark transactions from users in the "G 1" group
9360 adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
9361
9362 The "value" parameter may be a regular squid.conf token or a "double
9363 quoted string". Within the quoted string, use backslash (\) to escape
9364 any character, which is currently only useful for escaping backslashes
9365 and double quotes. For example,
9366 "this string has one backslash (\\) and two \"quotes\""
d7f4a0b7
CT		 9367
9368 Used adaptation_meta header values may be logged via %note
9369 logformat code. If multiple adaptation_meta headers with the same name
9370 are used during master transaction lifetime, the header values are
9371 logged in the order they were used and duplicate values are ignored
9372 (only the first repeated value will be logged).
71be37e0
CT		 9373DOC_END
9374
3ff65596
AR		 9375NAME: icap_retry
9376TYPE: acl_access
9377IFDEF: ICAP_CLIENT
9378LOC: Adaptation::Icap::TheConfig.repeat
3ff65596
AR		 9379DEFAULT_IF_NONE: deny all
9380DOC_START
9381 This ACL determines which retriable ICAP transactions are
9382 retried. Transactions that received a complete ICAP response
9383 and did not have to consume or produce HTTP bodies to receive
9384 that response are usually retriable.
9385
9386 icap_retry allow|deny [!]aclname ...
9387
9388 Squid automatically retries some ICAP I/O timeouts and errors
9389 due to persistent connection race conditions.
9390
9391 See also: icap_retry_limit
9392DOC_END
9393
9394NAME: icap_retry_limit
9395TYPE: int
9396IFDEF: ICAP_CLIENT
9397LOC: Adaptation::Icap::TheConfig.repeat_limit
9398DEFAULT: 0
638402dd 9399DEFAULT_DOC: No retries are allowed.
3ff65596 9400DOC_START
638402dd 9401 Limits the number of retries allowed.
3ff65596
AR		 9402
9403 Communication errors due to persistent connection race
9404 conditions are unavoidable, automatically retried, and do not
9405 count against this limit.
9406
9407 See also: icap_retry
9408DOC_END
9409
9410
5473c134 9411COMMENT_START
9412 DNS OPTIONS
9413 -----------------------------------------------------------------------------
9414COMMENT_END
9415
9416NAME: check_hostnames
cccac0a2 9417TYPE: onoff
cccac0a2 9418DEFAULT: off
5473c134 9419LOC: Config.onoff.check_hostnames
cccac0a2 9420DOC_START
5473c134 9421 For security and stability reasons Squid can check
9422 hostnames for Internet standard RFC compliance. If you want
9423 Squid to perform these checks turn this directive on.
cccac0a2 9424DOC_END
9425
5473c134 9426NAME: allow_underscore
cccac0a2 9427TYPE: onoff
cccac0a2 9428DEFAULT: on
5473c134 9429LOC: Config.onoff.allow_underscore
cccac0a2 9430DOC_START
5473c134 9431 Underscore characters is not strictly allowed in Internet hostnames
9432 but nevertheless used by many sites. Set this to off if you want
9433 Squid to be strict about the standard.
9434 This check is performed only when check_hostnames is set to on.
cccac0a2 9435DOC_END
9436
5473c134 9437NAME: dns_retransmit_interval
fd0f51c4 9438TYPE: time_msec
5473c134 9439DEFAULT: 5 seconds
9440LOC: Config.Timeout.idns_retransmit
cccac0a2 9441DOC_START
5473c134 9442 Initial retransmit interval for DNS queries. The interval is
9443 doubled each time all configured DNS servers have been tried.
cccac0a2 9444DOC_END
9445
5473c134 9446NAME: dns_timeout
fd0f51c4 9447TYPE: time_msec
a541c34e 9448DEFAULT: 30 seconds
5473c134 9449LOC: Config.Timeout.idns_query
cccac0a2 9450DOC_START
5473c134 9451 DNS Query timeout. If no response is received to a DNS query
9452 within this time all DNS servers for the queried domain
9453 are assumed to be unavailable.
cccac0a2 9454DOC_END
9455
e210930b
AJ		 9456NAME: dns_packet_max
9457TYPE: b_ssize_t
638402dd 9458DEFAULT_DOC: EDNS disabled
e210930b
AJ		 9459DEFAULT: none
9460LOC: Config.dns.packet_max
e210930b
AJ		 9461DOC_START
9462 Maximum number of bytes packet size to advertise via EDNS.
9463 Set to "none" to disable EDNS large packet support.
9464
9465 For legacy reasons DNS UDP replies will default to 512 bytes which
9466 is too small for many responses. EDNS provides a means for Squid to
9467 negotiate receiving larger responses back immediately without having
9468 to failover with repeat requests. Responses larger than this limit
9469 will retain the old behaviour of failover to TCP DNS.
9470
9471 Squid has no real fixed limit internally, but allowing packet sizes
9472 over 1500 bytes requires network jumbogram support and is usually not
9473 necessary.
9474
9475 WARNING: The RFC also indicates that some older resolvers will reply
9476 with failure of the whole request if the extension is added. Some
9477 resolvers have already been identified which will reply with mangled
9478 EDNS response on occasion. Usually in response to many-KB jumbogram
9479 sizes being advertised by Squid.
9480 Squid will currently treat these both as an unable-to-resolve domain
9481 even if it would be resolvable without EDNS.
9482DOC_END
9483
5473c134 9484NAME: dns_defnames
9485COMMENT: on|off
cccac0a2 9486TYPE: onoff
cccac0a2 9487DEFAULT: off
638402dd 9488DEFAULT_DOC: Search for single-label domain names is disabled.
5473c134 9489LOC: Config.onoff.res_defnames
cccac0a2 9490DOC_START
5473c134 9491 Normally the RES_DEFNAMES resolver option is disabled
9492 (see res_init(3)). This prevents caches in a hierarchy
9493 from interpreting single-component hostnames locally. To allow
9494 Squid to handle single-component names, enable this option.
cccac0a2 9495DOC_END
9496
bce61b00
AJ		 9497NAME: dns_multicast_local
9498COMMENT: on|off
9499TYPE: onoff
9500DEFAULT: off
9501DEFAULT_DOC: Search for .local and .arpa names is disabled.
9502LOC: Config.onoff.dns_mdns
9503DOC_START
9504 When set to on, Squid sends multicast DNS lookups on the local
9505 network for domains ending in .local and .arpa.
9506 This enables local servers and devices to be contacted in an
9507 ad-hoc or zero-configuration network environment.
9508DOC_END
9509
5473c134 9510NAME: dns_nameservers
5a1098fb 9511TYPE: SBufList
5473c134 9512DEFAULT: none
638402dd 9513DEFAULT_DOC: Use operating system definitions
5a1098fb 9514LOC: Config.dns.nameservers
cccac0a2 9515DOC_START
5473c134 9516 Use this if you want to specify a list of DNS name servers
9517 (IP addresses) to use instead of those given in your
9518 /etc/resolv.conf file.
638402dd 9519
5473c134 9520 On Windows platforms, if no value is specified here or in
9521 the /etc/resolv.conf file, the list of DNS name servers are
9522 taken from the Windows registry, both static and dynamic DHCP
9523 configurations are supported.
cccac0a2 9524
5473c134 9525 Example: dns_nameservers 10.0.0.1 192.172.0.4
cccac0a2 9526DOC_END
9527
5473c134 9528NAME: hosts_file
cccac0a2 9529TYPE: string
5473c134 9530DEFAULT: @DEFAULT_HOSTS@
9531LOC: Config.etcHostsPath
cccac0a2 9532DOC_START
5473c134 9533 Location of the host-local IP name-address associations
9534 database. Most Operating Systems have such a file on different
9535 default locations:
9536 - Un*X & Linux: /etc/hosts
9537 - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
9538 (%SystemRoot% value install default is c:\winnt)
9539 - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
9540 (%SystemRoot% value install default is c:\windows)
9541 - Windows 9x/Me: %windir%\hosts
9542 (%windir% value is usually c:\windows)
9543 - Cygwin: /etc/hosts
cccac0a2 9544
5473c134 9545 The file contains newline-separated definitions, in the
9546 form ip_address_in_dotted_form name [name ...] names are
9547 whitespace-separated. Lines beginning with an hash (#)
9548 character are comments.
cccac0a2 9549
5473c134 9550 The file is checked at startup and upon configuration.
9551 If set to 'none', it won't be checked.
9552 If append_domain is used, that domain will be added to
9553 domain-local (i.e. not containing any dot character) host
9554 definitions.
cccac0a2 9555DOC_END
9556
5473c134 9557NAME: append_domain
9558TYPE: string
9559LOC: Config.appendDomain
9560DEFAULT: none
638402dd 9561DEFAULT_DOC: Use operating system definitions
6a2f3fcf 9562DOC_START
5473c134 9563 Appends local domain name to hostnames without any dots in
9564 them. append_domain must begin with a period.
9565
9566 Be warned there are now Internet names with no dots in
9567 them using only top-domain names, so setting this may
9568 cause some Internet sites to become unavailable.
9569
9570Example:
9571 append_domain .yourdomain.com
6a2f3fcf 9572DOC_END
9573
5473c134 9574NAME: ignore_unknown_nameservers
9575TYPE: onoff
9576LOC: Config.onoff.ignore_unknown_nameservers
df6fd596 9577DEFAULT: on
9578DOC_START
5473c134 9579 By default Squid checks that DNS responses are received
9580 from the same IP addresses they are sent to. If they
9581 don't match, Squid ignores the response and writes a warning
9582 message to cache.log. You can allow responses from unknown
9583 nameservers by setting this option to 'off'.
df6fd596 9584DOC_END
9585
5a0da9ec
AJ		 9586NAME: dns_v4_first
9587TYPE: onoff
9588DEFAULT: off
9589LOC: Config.dns.v4_first
5a0da9ec
AJ		 9590DOC_START
9591 With the IPv6 Internet being as fast or faster than IPv4 Internet
9592 for most networks Squid prefers to contact websites over IPv6.
9593
9594 This option reverses the order of preference to make Squid contact
9595 dual-stack websites over IPv4 first. Squid will still perform both
9596 IPv6 and IPv4 DNS lookups before connecting.
9597
9598 WARNING:
9599 This option will restrict the situations under which IPv6
9600 connectivity is used (and tested). Hiding network problems
9601 which would otherwise be detected and warned about.
9602DOC_END
9603
6bc15a4f 9604NAME: ipcache_size
9605COMMENT: (number of entries)
9606TYPE: int
9607DEFAULT: 1024
9608LOC: Config.ipcache.size
638402dd
AJ		 9609DOC_START
9610 Maximum number of DNS IP cache entries.
9611DOC_END
6bc15a4f 9612
9613NAME: ipcache_low
9614COMMENT: (percent)
9615TYPE: int
9616DEFAULT: 90
9617LOC: Config.ipcache.low
9618DOC_NONE
9619
9620NAME: ipcache_high
9621COMMENT: (percent)
9622TYPE: int
9623DEFAULT: 95
9624LOC: Config.ipcache.high
9625DOC_START
9626 The size, low-, and high-water marks for the IP cache.
9627DOC_END
9628
9629NAME: fqdncache_size
9630COMMENT: (number of entries)
9631TYPE: int
9632DEFAULT: 1024
9633LOC: Config.fqdncache.size
9634DOC_START
9635 Maximum number of FQDN cache entries.
9636DOC_END
9637
a58ff010 9638COMMENT_START
5473c134 9639 MISCELLANEOUS
a58ff010 9640 -----------------------------------------------------------------------------
9641COMMENT_END
9642
2eceb328
CT		 9643NAME: configuration_includes_quoted_values
9644COMMENT: on|off
bde7a8ce
CT		 9645TYPE: configuration_includes_quoted_values
9646DEFAULT: off
2eceb328
CT		 9647LOC: ConfigParser::RecognizeQuotedValues
9648DOC_START
9649 If set, Squid will recognize each "quoted string" after a configuration
9650 directive as a single parameter. The quotes are stripped before the
9651 parameter value is interpreted or used.
9652 See "Values with spaces, quotes, and other special characters"
9653 section for more details.
9654DOC_END
9655
5473c134 9656NAME: memory_pools
a58ff010 9657COMMENT: on|off
5473c134 9658TYPE: onoff
9659DEFAULT: on
9660LOC: Config.onoff.mem_pools
a58ff010 9661DOC_START
5473c134 9662 If set, Squid will keep pools of allocated (but unused) memory
9663 available for future use. If memory is a premium on your
9664 system and you believe your malloc library outperforms Squid
9665 routines, disable this.
a58ff010 9666DOC_END
9667
5473c134 9668NAME: memory_pools_limit
9669COMMENT: (bytes)
70be1349 9670TYPE: b_int64_t
5473c134 9671DEFAULT: 5 MB
9672LOC: Config.MemPools.limit
ec1245f8 9673DOC_START
5473c134 9674 Used only with memory_pools on:
9675 memory_pools_limit 50 MB
ec1245f8 9676
5473c134 9677 If set to a non-zero value, Squid will keep at most the specified
9678 limit of allocated (but unused) memory in memory pools. All free()
9679 requests that exceed this limit will be handled by your malloc
9680 library. Squid does not pre-allocate any memory, just safe-keeps
9681 objects that otherwise would be free()d. Thus, it is safe to set
9682 memory_pools_limit to a reasonably high value even if your
9683 configuration will use less memory.
ec1245f8 9684
89646bd7 9685 If set to none, Squid will keep all memory it can. That is, there
5473c134 9686 will be no limit on the total amount of memory used for safe-keeping.
ec1245f8 9687
5473c134 9688 To disable memory allocation optimization, do not set
70be1349 9689 memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
5473c134 9690
9691 An overhead for maintaining memory pools is not taken into account
9692 when the limit is checked. This overhead is close to four bytes per
9693 object kept. However, pools may actually _save_ memory because of
9694 reduced memory thrashing in your malloc library.
ec1245f8 9695DOC_END
9696
5473c134 9697NAME: forwarded_for
67c06f0d
AJ		 9698COMMENT: on|off|transparent|truncate|delete
9699TYPE: string
5473c134 9700DEFAULT: on
9701LOC: opt_forwarded_for
5f8252d2 9702DOC_START
67c06f0d
AJ		 9703 If set to "on", Squid will append your client's IP address
9704 in the HTTP requests it forwards. By default it looks like:
5f8252d2 9705
5473c134 9706 X-Forwarded-For: 192.1.2.3
9707
67c06f0d 9708 If set to "off", it will appear as
5473c134 9709
9710 X-Forwarded-For: unknown
67c06f0d
AJ		 9711
9712 If set to "transparent", Squid will not alter the
9713 X-Forwarded-For header in any way.
9714
9715 If set to "delete", Squid will delete the entire
9716 X-Forwarded-For header.
9717
9718 If set to "truncate", Squid will remove all existing
dd68402f 9719 X-Forwarded-For entries, and place the client IP as the sole entry.
5f8252d2 9720DOC_END
9721
5473c134 9722NAME: cachemgr_passwd
9723TYPE: cachemgrpasswd
9724DEFAULT: none
638402dd 9725DEFAULT_DOC: No password. Actions which require password are denied.
5473c134 9726LOC: Config.passwd_list
5f8252d2 9727DOC_START
5473c134 9728 Specify passwords for cachemgr operations.
5f8252d2 9729
5473c134 9730 Usage: cachemgr_passwd password action action ...
9731
9732 Some valid actions are (see cache manager menu for a full list):
9733 5min
9734 60min
9735 asndb
9736 authenticator
9737 cbdata
9738 client_list
9739 comm_incoming
9740 config *
9741 counters
9742 delay
9743 digest_stats
9744 dns
9745 events
9746 filedescriptors
9747 fqdncache
9748 histograms
9749 http_headers
9750 info
9751 io
9752 ipcache
9753 mem
9754 menu
9755 netdb
9756 non_peers
9757 objects
9758 offline_toggle *
9759 pconn
9760 peer_select
b360c477 9761 reconfigure *
5473c134 9762 redirector
9763 refresh
9764 server_list
9765 shutdown *
9766 store_digest
9767 storedir
9768 utilization
9769 via_headers
9770 vm_objects
9771
9772 * Indicates actions which will not be performed without a
9773 valid password, others can be performed if not listed here.
9774
9775 To disable an action, set the password to "disable".
9776 To allow performing an action without a password, set the
9777 password to "none".
9778
9779 Use the keyword "all" to set the same password for all actions.
9780
9781Example:
9782 cachemgr_passwd secret shutdown
9783 cachemgr_passwd lesssssssecret info stats/objects
9784 cachemgr_passwd disable all
5f8252d2 9785DOC_END
9786
5473c134 9787NAME: client_db
a58ff010 9788COMMENT: on|off
5473c134 9789TYPE: onoff
9790DEFAULT: on
9791LOC: Config.onoff.client_db
a58ff010 9792DOC_START
5473c134 9793 If you want to disable collecting per-client statistics,
9794 turn off client_db here.
a58ff010 9795DOC_END
9796
5473c134 9797NAME: refresh_all_ims
9798COMMENT: on|off
9799TYPE: onoff
9800DEFAULT: off
9801LOC: Config.onoff.refresh_all_ims
a58ff010 9802DOC_START
5473c134 9803 When you enable this option, squid will always check
9804 the origin server for an update when a client sends an
9805 If-Modified-Since request. Many browsers use IMS
9806 requests when the user requests a reload, and this
9807 ensures those clients receive the latest version.
a58ff010 9808
5473c134 9809 By default (off), squid may return a Not Modified response
9810 based on the age of the cached version.
78e8cfc4 9811DOC_END
9812
5473c134 9813NAME: reload_into_ims
626096be 9814IFDEF: USE_HTTP_VIOLATIONS
12b91c99 9815COMMENT: on|off
5473c134 9816TYPE: onoff
9817DEFAULT: off
9818LOC: Config.onoff.reload_into_ims
12b91c99 9819DOC_START
5473c134 9820 When you enable this option, client no-cache or ``reload''
9821 requests will be changed to If-Modified-Since requests.
9822 Doing this VIOLATES the HTTP standard. Enabling this
9823 feature could make you liable for problems which it
9824 causes.
9825
9826 see also refresh_pattern for a more selective approach.
12b91c99 9827DOC_END
9828
31ef19cd 9829NAME: connect_retries
5473c134 9830TYPE: int
31ef19cd
AJ		 9831LOC: Config.connect_retries
9832DEFAULT: 0
638402dd 9833DEFAULT_DOC: Do not retry failed connections.
a58ff010 9834DOC_START
aed188fd
AJ		 9835 This sets the maximum number of connection attempts made for each
9836 TCP connection. The connect_retries attempts must all still
9837 complete within the connection timeout period.
31ef19cd
AJ		 9838
9839 The default is not to re-try if the first connection attempt fails.
9840 The (not recommended) maximum is 10 tries.
5473c134 9841
31ef19cd
AJ		 9842 A warning message will be generated if it is set to a too-high
9843 value and the configured value will be over-ridden.
5473c134 9844
31ef19cd
AJ		 9845 Note: These re-tries are in addition to forward_max_tries
9846 which limit how many different addresses may be tried to find
9847 a useful server.
a58ff010 9848DOC_END
9849
5473c134 9850NAME: retry_on_error
a58ff010 9851TYPE: onoff
5473c134 9852LOC: Config.retry.onerror
a58ff010 9853DEFAULT: off
9854DOC_START
aea8548b
AJ		 9855 If set to ON Squid will automatically retry requests when
9856 receiving an error response with status 403 (Forbidden),
9857 500 (Internal Error), 501 or 503 (Service not available).
9858 Status 502 and 504 (Gateway errors) are always retried.
9859
9860 This is mainly useful if you are in a complex cache hierarchy to
9861 work around access control errors.
9862
9863 NOTE: This retry will attempt to find another working destination.
9864 Which is different from the server which just failed.
5f8252d2 9865DOC_END
9866
5473c134 9867NAME: as_whois_server
5f8252d2 9868TYPE: string
5473c134 9869LOC: Config.as_whois_server
9870DEFAULT: whois.ra.net
5f8252d2 9871DOC_START
5473c134 9872 WHOIS server to query for AS numbers. NOTE: AS numbers are
9873 queried only when Squid starts up, not for every request.
5f8252d2 9874DOC_END
9875
5473c134 9876NAME: offline_mode
5f8252d2 9877TYPE: onoff
5473c134 9878LOC: Config.onoff.offline
5f8252d2 9879DEFAULT: off
9880DOC_START
5473c134 9881 Enable this option and Squid will never try to validate cached
9882 objects.
a58ff010 9883DOC_END
9884
5473c134 9885NAME: uri_whitespace
9886TYPE: uri_whitespace
9887LOC: Config.uri_whitespace
9888DEFAULT: strip
a58ff010 9889DOC_START
5473c134 9890 What to do with requests that have whitespace characters in the
9891 URI. Options:
a58ff010 9892
5473c134 9893 strip: The whitespace characters are stripped out of the URL.
82806837
AJ		 9894 This is the behavior recommended by RFC2396 and RFC3986
9895 for tolerant handling of generic URI.
9896 NOTE: This is one difference between generic URI and HTTP URLs.
9897
5473c134 9898 deny: The request is denied. The user receives an "Invalid
9899 Request" message.
82806837
AJ		 9900 This is the behaviour recommended by RFC2616 for safe
9901 handling of HTTP request URL.
9902
5473c134 9903 allow: The request is allowed and the URI is not changed. The
9904 whitespace characters remain in the URI. Note the
9905 whitespace is passed to redirector processes if they
9906 are in use.
82806837
AJ		 9907 Note this may be considered a violation of RFC2616
9908 request parsing where whitespace is prohibited in the
9909 URL field.
9910
5473c134 9911 encode: The request is allowed and the whitespace characters are
82806837
AJ		 9912 encoded according to RFC1738.
9913
5473c134 9914 chop: The request is allowed and the URI is chopped at the
82806837
AJ		 9915 first whitespace.
9916
9917
9918 NOTE the current Squid implementation of encode and chop violates
9919 RFC2616 by not using a 301 redirect after altering the URL.
5473c134 9920DOC_END
a58ff010 9921
5473c134 9922NAME: chroot
9923TYPE: string
9924LOC: Config.chroot_dir
a58ff010 9925DEFAULT: none
9926DOC_START
9f37c18a 9927 Specifies a directory where Squid should do a chroot() while
2d89f399
HN		 9928 initializing. This also causes Squid to fully drop root
9929 privileges after initializing. This means, for example, if you
9930 use a HTTP port less than 1024 and try to reconfigure, you may
9931 get an error saying that Squid can not open the port.
5473c134 9932DOC_END
a58ff010 9933
5473c134 9934NAME: balance_on_multiple_ip
9935TYPE: onoff
9936LOC: Config.onoff.balance_on_multiple_ip
cc192b50 9937DEFAULT: off
5473c134 9938DOC_START
cc192b50 9939 Modern IP resolvers in squid sort lookup results by preferred access.
9940 By default squid will use these IP in order and only rotates to
9941 the next listed when the most preffered fails.
9942
5473c134 9943 Some load balancing servers based on round robin DNS have been
9944 found not to preserve user session state across requests
9945 to different IP addresses.
a58ff010 9946
cc192b50 9947 Enabling this directive Squid rotates IP's per request.
a58ff010 9948DOC_END
9949
5473c134 9950NAME: pipeline_prefetch
079a8480
AJ		 9951TYPE: pipelinePrefetch
9952LOC: Config.pipeline_max_prefetch
9953DEFAULT: 0
9954DEFAULT_DOC: Do not pre-parse pipelined requests.
a58ff010 9955DOC_START
079a8480
AJ		 9956 HTTP clients may send a pipeline of 1+N requests to Squid using a
9957 single connection, without waiting for Squid to respond to the first
9958 of those requests. This option limits the number of concurrent
9959 requests Squid will try to handle in parallel. If set to N, Squid
9960 will try to receive and process up to 1+N requests on the same
9961 connection concurrently.
a58ff010 9962
079a8480 9963 Defaults to 0 (off) for bandwidth management and access logging
5473c134 9964 reasons.
a0e23afd 9965
079a8480
AJ		 9966 NOTE: pipelining requires persistent connections to clients.
9967
a0e23afd 9968 WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
5473c134 9969DOC_END
a58ff010 9970
5473c134 9971NAME: high_response_time_warning
9972TYPE: int
9973COMMENT: (msec)
9974LOC: Config.warnings.high_rptm
9975DEFAULT: 0
638402dd 9976DEFAULT_DOC: disabled.
5473c134 9977DOC_START
9978 If the one-minute median response time exceeds this value,
9979 Squid prints a WARNING with debug level 0 to get the
9980 administrators attention. The value is in milliseconds.
a58ff010 9981DOC_END
9982
5473c134 9983NAME: high_page_fault_warning
9984TYPE: int
9985LOC: Config.warnings.high_pf
9986DEFAULT: 0
638402dd 9987DEFAULT_DOC: disabled.
cc9f92d4 9988DOC_START
5473c134 9989 If the one-minute average page fault rate exceeds this
9990 value, Squid prints a WARNING with debug level 0 to get
9991 the administrators attention. The value is in page faults
9992 per second.
9993DOC_END
cc9f92d4 9994
5473c134 9995NAME: high_memory_warning
9996TYPE: b_size_t
9997LOC: Config.warnings.high_memory
f2228f3b 9998IFDEF: HAVE_MSTATS&&HAVE_GNUMALLOC_H
904971da 9999DEFAULT: 0 KB
638402dd 10000DEFAULT_DOC: disabled.
5473c134 10001DOC_START
4bf2a476
FC		 10002 If the memory usage (as determined by gnumalloc, if available and used)
10003 exceeds this amount, Squid prints a WARNING with debug level 0 to get
5473c134 10004 the administrators attention.
10005DOC_END
4bf2a476 10006# TODO: link high_memory_warning to mempools?
cc9f92d4 10007
5473c134 10008NAME: sleep_after_fork
10009COMMENT: (microseconds)
10010TYPE: int
10011LOC: Config.sleep_after_fork
10012DEFAULT: 0
10013DOC_START
10014 When this is set to a non-zero value, the main Squid process
10015 sleeps the specified number of microseconds after a fork()
10016 system call. This sleep may help the situation where your
10017 system reports fork() failures due to lack of (virtual)
10018 memory. Note, however, if you have a lot of child
10019 processes, these sleep delays will add up and your
10020 Squid will not service requests for some amount of time
10021 until all the child processes have been started.
10022 On Windows value less then 1000 (1 milliseconds) are
10023 rounded to 1000.
cc9f92d4 10024DOC_END
10025
b6696974 10026NAME: windows_ipaddrchangemonitor
7aa9bb3e 10027IFDEF: _SQUID_WINDOWS_
b6696974
GS		 10028COMMENT: on|off
10029TYPE: onoff
10030DEFAULT: on
10031LOC: Config.onoff.WIN32_IpAddrChangeMonitor
10032DOC_START
10033 On Windows Squid by default will monitor IP address changes and will
10034 reconfigure itself after any detected event. This is very useful for
10035 proxies connected to internet with dial-up interfaces.
10036 In some cases (a Proxy server acting as VPN gateway is one) it could be
10037 desiderable to disable this behaviour setting this to 'off'.
10038 Note: after changing this, Squid service must be restarted.
10039DOC_END
10040
a98c2da5
AJ		 10041NAME: eui_lookup
10042TYPE: onoff
10043IFDEF: USE_SQUID_EUI
10044DEFAULT: on
10045LOC: Eui::TheConfig.euiLookup
10046DOC_START
10047 Whether to lookup the EUI or MAC address of a connected client.
10048DOC_END
10049
f3f0f563
AJ		 10050NAME: max_filedescriptors max_filedesc
10051TYPE: int
10052DEFAULT: 0
638402dd 10053DEFAULT_DOC: Use operating system limits set by ulimit.
f3f0f563
AJ		 10054LOC: Config.max_filedescriptors
10055DOC_START
638402dd
AJ		 10056 Reduce the maximum number of filedescriptors supported below
10057 the usual operating system defaults.
f3f0f563 10058
638402dd 10059 Remove from squid.conf to inherit the current ulimit setting.
f3f0f563
AJ		 10060
10061 Note: Changing this requires a restart of Squid. Also
638402dd 10062 not all I/O types supports large values (eg on Windows).
f3f0f563
AJ		 10063DOC_END
10064
ec69bdb2
CT		 10065NAME: force_request_body_continuation
10066TYPE: acl_access
10067LOC: Config.accessList.forceRequestBodyContinuation
10068DEFAULT: none
10069DEFAULT_DOC: Deny, unless rules exist in squid.conf.
10070DOC_START
10071 This option controls how Squid handles data upload requests from HTTP
10072 and FTP agents that require a "Please Continue" control message response
10073 to actually send the request body to Squid. It is mostly useful in
10074 adaptation environments.
10075
10076 When Squid receives an HTTP request with an "Expect: 100-continue"
10077 header or an FTP upload command (e.g., STOR), Squid normally sends the
10078 request headers or FTP command information to an adaptation service (or
10079 peer) and waits for a response. Most adaptation services (and some
10080 broken peers) may not respond to Squid at that stage because they may
10081 decide to wait for the HTTP request body or FTP data transfer. However,
10082 that request body or data transfer may never come because Squid has not
10083 responded with the HTTP 100 or FTP 150 (Please Continue) control message
10084 to the request sender yet!
10085
10086 An allow match tells Squid to respond with the HTTP 100 or FTP 150
10087 (Please Continue) control message on its own, before forwarding the
10088 request to an adaptation service or peer. Such a response usually forces
10089 the request sender to proceed with sending the body. A deny match tells
10090 Squid to delay that control response until the origin server confirms
10091 that the request body is needed. Delaying is the default behavior.
10092DOC_END
10093
afc753f3
EB		 10094NAME: server_pconn_for_nonretriable
10095TYPE: acl_access
10096DEFAULT: none
10097DEFAULT_DOC: Open new connections for forwarding requests Squid cannot retry safely.
10098LOC: Config.accessList.serverPconnForNonretriable
10099DOC_START
10100 This option provides fine-grained control over persistent connection
10101 reuse when forwarding HTTP requests that Squid cannot retry. It is useful
10102 in environments where opening new connections is very expensive
10103 (e.g., all connections are secured with TLS with complex client and server
10104 certificate validation) and race conditions associated with persistent
10105 connections are very rare and/or only cause minor problems.
10106
10107 HTTP prohibits retrying unsafe and non-idempotent requests (e.g., POST).
10108 Squid limitations also prohibit retrying all requests with bodies (e.g., PUT).
10109 By default, when forwarding such "risky" requests, Squid opens a new
10110 connection to the server or cache_peer, even if there is an idle persistent
10111 connection available. When Squid is configured to risk sending a non-retriable
10112 request on a previously used persistent connection, and the server closes
10113 the connection before seeing that risky request, the user gets an error response
10114 from Squid. In most cases, that error response will be HTTP 502 (Bad Gateway)
10115 with ERR_ZERO_SIZE_OBJECT or ERR_WRITE_ERROR (peer connection reset) error detail.
10116
10117 If an allow rule matches, Squid reuses an available idle persistent connection
10118 (if any) for the request that Squid cannot retry. If a deny rule matches, then
10119 Squid opens a new connection for the request that Squid cannot retry.
10120
10121 This option does not affect requests that Squid can retry. They will reuse idle
10122 persistent connections (if any).
10123
10124 This clause only supports fast acl types.
10125 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
10126
10127 Example:
10128 acl SpeedIsWorthTheRisk method POST
10129 server_pconn_for_nonretriable allow SpeedIsWorthTheRisk
10130DOC_END
10131
cccac0a2 10132EOF
Mirror of https://github.com/squid-cache/squid.git