git.ipfire.org Git - thirdparty/squid.git/blame - src/cf.data.pre
Summary: Apply the correct cf.data.pre patch for %<sS and %<sH
Commit Line Data
3a278cb8 1
9cef6668 2#
fe08087a 3# $Id: cf.data.pre,v 1.337 2003/08/13 00:26:21 robertc Exp $
9cef6668 4#
5#
2b6662ba 6# SQUID Web Proxy Cache http://www.squid-cache.org/
9cef6668 7# ----------------------------------------------------------
8#
2b6662ba 9# Squid is the result of efforts by numerous individuals from
10# the Internet community; see the CONTRIBUTORS file for full
11# details. Many organizations have provided support for Squid's
12# development; see the SPONSORS file for full details. Squid is
13# Copyrighted (C) 2000 by the Regents of the University of
14# California; see the COPYRIGHT file for full details. Squid
15# incorporates software developed and/or copyrighted by other
16# sources; see the CREDITS file for full details.
9cef6668 17#
18# This program is free software; you can redistribute it and/or modify
19# it under the terms of the GNU General Public License as published by
20# the Free Software Foundation; either version 2 of the License, or
21# (at your option) any later version.
96d88dcb 22#
9cef6668 23# This program is distributed in the hope that it will be useful,
24# but WITHOUT ANY WARRANTY; without even the implied warranty of
25# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26# GNU General Public License for more details.
96d88dcb 27#
9cef6668 28# You should have received a copy of the GNU General Public License
29# along with this program; if not, write to the Free Software
30# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
31#
32
0f74202c 33COMMENT_START
cccac0a2 34 WELCOME TO SQUID @VERSION@
35 ----------------------------
3a278cb8 36
cccac0a2 37 This is the default Squid configuration file. You may wish
38 to look at the Squid home page (http://www.squid-cache.org/)
39 for the FAQ and other documentation.
3a278cb8 40
cccac0a2 41 The default Squid config file shows what the defaults for
42 various options happen to be. If you don't need to change the
43 default, you shouldn't uncomment the line. Doing so may cause
44 run-time problems. In some cases "none" refers to no default
45 setting at all, while in other cases it refers to a valid
46 option - the comments for that keyword indicate if this is the
47 case.
debd9a31 48
cccac0a2 49COMMENT_END
3a278cb8 50
cccac0a2 51COMMENT_START
52 NETWORK OPTIONS
53 -----------------------------------------------------------------------------
54COMMENT_END
55
56NAME: http_port ascii_port
57TYPE: http_port_list
58DEFAULT: none
59LOC: Config.Sockaddr.http
60DOC_START
61 Usage: port [options]
62 hostname:port [options]
63 1.2.3.4:port [options]
64
65 The socket addresses where Squid will listen for HTTP client
66 requests. You may specify multiple socket addresses.
67 There are three forms: port alone, hostname with port, and
68 IP address with port. If you specify a hostname or IP
69 address, then Squid binds the socket to that specific
70 address. This replaces the old 'tcp_incoming_address'
71 option. Most likely, you do not need to bind to a specific
72 address, so you can use the port number alone.
73
74 If you are running Squid in accelerator mode, then you
75 probably want to listen on port 80 also, or instead.
76
77 The -a command line option will override the *first* port
78 number listed here. That option will NOT override an IP
79 address, however.
80
81 You may specify multiple socket addresses on multiple lines.
82
83 options are:
84 accel Accelerator mode
85 transparent Support for transparent proxies
86 vhost Accelerator using Host directive
87 vport Accelerator with IP virtual host support
88 vport=NN As above, but uses specified port number
89 rather than the http_port number.
90 defaultsite=xx Main web site name for accelerators.
91 also implies accel
92 protocol= Protocol to reconstruct accelerated
93 requests with. Defaults to http.
94
95 If you run Squid on a dual-homed machine with an internal
96 and an external interface then we recommend you to specify the
97 internal address:port in http_port. This way Squid will only be
98 visible on the internal address.
99NOCOMMENT_START
100# Squid normally listens to port 3128
101http_port 3128
102NOCOMMENT_END
103DOC_END
104
105NAME: https_port
106IFDEF: USE_SSL
107TYPE: https_port_list
108DEFAULT: none
109LOC: Config.Sockaddr.https
110DOC_START
111 Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
112
113 The socket address where Squid will listen for HTTPS client
114 requests.
115
116 This is really only useful for situations where you are running
117 squid in accelerator mode and you want to do the SSL work at the
118 accelerator level.
119
120 You may specify multiple socket addresses on multiple lines,
121 each with their own SSL certificate and/or options.
122
123 Options:
124
125 defaultsite= The name of the https site presented on
126 this port.
127
128 protocol= Protocol to reconstruct accelerated requests
129 with. Defaults to https.
130
131 cert= Path to SSL certificate (PEM format)
132
133 key= Path to SSL private key file (PEM format)
134 if not specified, the certificate file is
135 assumed to be a combined certificate and
136 key file
137
138 version= The version of SSL/TLS supported
139 1 automatic (default)
140 2 SSLv2 only
141 3 SSLv3 only
142 4 TLSv1 only
143
144 cipher= Colon separated list of supported ciphers
145
146 options= Various SSL engine options. The most important
147 being:
148 NO_SSLv2 Disallow the use of SSLv2
149 NO_SSLv3 Disallow the use of SSLv3
150 NO_TLSv1 Disallow the use of TLSv1
151 SINGLE_DH_USE Always create a new key when using
152 temporary/ephemeral DH key exchanges
153 See src/ssl_support.c or OpenSSL SSL_CTX_set_options
154 documentation for a complete list of options.
155
156 clientca= File containing the list of CAs to use when
157 requesting a client certificate
158
159 cafile= File containing additional CA certificates to
160 use when verifying client certificates. If unset
161 clientca will be used.
162
163 capath= Directory containing additional CA certificates
164 to use when verifying client certificates
165
166 dhparams= File containing DH parameters for temporary/ephemeral
167 DH key exchanges
168
169 sslflags= Various flags modifying the use of SSL:
170 DELAYED_AUTH
171 Don't request client certificates
172 immediately, but wait until acl processing
173 requires a certificate
174 NO_DEFAULT_CA
175 Don't use the default CA list built in
176 to OpenSSL.
177
178DOC_END
179
180NAME: ssl_unclean_shutdown
181IFDEF: USE_SSL
182TYPE: onoff
183DEFAULT: off
184LOC: Config.SSL.unclean_shutdown
185DOC_START
186 Some browsers (especially MSIE) bug out on SSL shutdown
187 messages.
188DOC_END
189
190NAME: ssl_engine
191IFDEF: USE_SSL
192TYPE: string
193LOC: Config.SSL.ssl_engine
194DEFAULT: none
195DOC_START
196 The openssl engine to use. You will need to set this if you
197 would like to use hardware SSL acceleration for example.
198DOC_END
199
200NAME: sslproxy_client_certificate
201IFDEF: USE_SSL
202DEFAULT: none
203LOC: Config.ssl_client.cert
204TYPE: string
205DOC_START
206 Client SSL Certificate to use when proxying https:// URLs
207DOC_END
208
209NAME: sslproxy_client_key
210IFDEF: USE_SSL
211DEFAULT: none
212LOC: Config.ssl_client.key
213TYPE: string
214DOC_START
215 Client SSL Key to use when proxying https:// URLs
216DOC_END
217
218NAME: sslproxy_version
219IFDEF: USE_SSL
220DEFAULT: 1
221LOC: Config.ssl_client.version
222TYPE: int
223DOC_START
224 SSL version level to use when proxying https:// URLs
225DOC_END
226
227NAME: sslproxy_options
228IFDEF: USE_SSL
229DEFAULT: none
230LOC: Config.ssl_client.options
231TYPE: string
232DOC_START
233 SSL engine options to use when proxying https:// URLs
234DOC_END
235
236NAME: sslproxy_cipher
237IFDEF: USE_SSL
238DEFAULT: none
239LOC: Config.ssl_client.cipher
240TYPE: string
241DOC_START
242 SSL cipher list to use when proxying https:// URLs
243DOC_END
244
245NAME: sslproxy_cafile
246IFDEF: USE_SSL
247DEFAULT: none
248LOC: Config.ssl_client.cafile
249TYPE: string
250DOC_START
251 file containing CA certificates to use when verifying server
252 certificates while proxying https:// URLs
253DOC_END
254
255NAME: sslproxy_capath
256IFDEF: USE_SSL
257DEFAULT: none
258LOC: Config.ssl_client.capath
259TYPE: string
260DOC_START
261 directory containing CA certificates to use when verifying
262 server certificates while proxying https:// URLs
263DOC_END
264
265NAME: sslproxy_flags
266IFDEF: USE_SSL
267DEFAULT: none
268LOC: Config.ssl_client.flags
269TYPE: string
270DOC_START
271 Various flags modifying the use of SSL while proxying https:// URLs:
272 DONT_VERIFY_PEER Accept certificates even if they fail to
273 verify.
274 NO_DEFAULT_CA Don't use the default CA list built in
275 to OpenSSL.
276DOC_END
277
278NAME: icp_port udp_port
279TYPE: ushort
280DEFAULT: 0
281LOC: Config.Port.icp
282DOC_START
283 The port number where Squid sends and receives ICP queries to
284 and from neighbor caches. The standard UDP port for ICP is 3130.
285 Default is disabled (0).
286NOCOMMENT_START
287icp_port 3130
288NOCOMMENT_END
289DOC_END
290
291NAME: htcp_port
292IFDEF: USE_HTCP
293TYPE: ushort
294DEFAULT: 4827
295LOC: Config.Port.htcp
296DOC_START
297 The port number where Squid sends and receives HTCP queries to
298 and from neighbor caches. Default is 4827. To disable use
299 "0".
300DOC_END
301
302
303NAME: mcast_groups
304TYPE: wordlist
305LOC: Config.mcast_group_list
306DEFAULT: none
307DOC_START
308 This tag specifies a list of multicast groups which your server
309 should join to receive multicasted ICP queries.
310
311 NOTE! Be very careful what you put here! Be sure you
312 understand the difference between an ICP _query_ and an ICP
313 _reply_. This option is to be set only if you want to RECEIVE
314 multicast queries. Do NOT set this option to SEND multicast
315 ICP (use cache_peer for that). ICP replies are always sent via
316 unicast, so this option does not affect whether or not you will
317 receive replies from multicast group members.
318
319 You must be very careful to NOT use a multicast address which
320 is already in use by another group of caches.
321
322 If you are unsure about multicast, please read the Multicast
323 chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
324
325 Usage: mcast_groups 239.128.16.128 224.0.1.20
326
327 By default, Squid doesn't listen on any multicast groups.
328DOC_END
329
330
331NAME: udp_incoming_address
332TYPE: address
333LOC:Config.Addrs.udp_incoming
334DEFAULT: 0.0.0.0
335DOC_NONE
336
337NAME: udp_outgoing_address
338TYPE: address
339LOC: Config.Addrs.udp_outgoing
340DEFAULT: 255.255.255.255
341DOC_START
342 udp_incoming_address is used for the ICP socket receiving packets
343 from other caches.
344 udp_outgoing_address is used for ICP packets sent out to other
345 caches.
346
347 The default behavior is to not bind to any specific address.
348
349 A udp_incoming_address value of 0.0.0.0 indicates that Squid should
350 listen for UDP messages on all available interfaces.
351
352 If udp_outgoing_address is set to 255.255.255.255 (the default)
353 then it will use the same socket as udp_incoming_address. Only
354 change this if you want to have ICP queries sent using another
355 address than where this Squid listens for ICP queries from other
356 caches.
357
358 NOTE, udp_incoming_address and udp_outgoing_address can not
359 have the same value since they both use port 3130.
360DOC_END
9e7dbc51 361
cccac0a2 362COMMENT_START
363 OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
364 -----------------------------------------------------------------------------
365COMMENT_END
9e7dbc51 366
cccac0a2 367NAME: cache_peer
368TYPE: peer
369DEFAULT: none
370LOC: Config.peers
371DOC_START
372 To specify other caches in a hierarchy, use the format:
9e7dbc51 373
cccac0a2 374 cache_peer hostname type http_port icp_port [options]
0fdafae7 375
cccac0a2 376 For example,
d1b63fc8 377
cccac0a2 378 # proxy icp
379 # hostname type port port options
380 # -------------------- -------- ----- ----- -----------
381 cache_peer parent.foo.net parent 3128 3130 [proxy-only]
382 cache_peer sib1.foo.net sibling 3128 3130 [proxy-only]
383 cache_peer sib2.foo.net sibling 3128 3130 [proxy-only]
384
385 type: either 'parent', 'sibling', or 'multicast'.
386
387 proxy_port: The port number where the cache listens for proxy
388 requests.
389
390 icp_port: Used for querying neighbor caches about
391 objects. To have a non-ICP neighbor
392 specify '7' for the ICP port and make sure the
393 neighbor machine has the UDP echo port
394 enabled in its /etc/inetd.conf file.
395
396 options: proxy-only
397 weight=n
398 basetime=n
399 ttl=n
400 no-query
401 background-ping
402 default
403 round-robin
404 weighted-round-robin
405 carp
406 multicast-responder
407 closest-only
408 no-digest
409 no-netdb-exchange
410 no-delay
411 login=user:password | PASS | *:password
412 connect-timeout=nn
413 digest-url=url
414 allow-miss
415 max-conn
416 htcp
417 originserver
418 name=xxx
419 forceddomain=name
420 ssl
421 sslcert=/path/to/ssl/certificate
422 sslkey=/path/to/ssl/key
423 sslversion=1|2|3|4
424 sslcipher=...
425 ssloptions=...
426 front-end-https[=on|auto]
427
428 use 'proxy-only' to specify that objects fetched
429 from this cache should not be saved locally.
430
431 use 'weight=n' to specify a weighted parent.
432 The weight must be an integer. The default weight
433 is 1, larger weights are favored more.
434
435 use 'basetime=n' to specify a base amount to
436 be subtracted from round trip times of parents.
437 It is subtracted before division by weight in calculating
438 which parent to fetch from. If the rtt is less than the
439 base time then the rtt is set to a minimal value.
440
441 use 'ttl=n' to specify an IP multicast TTL to use
442 when sending ICP queries to this address.
443 Only useful when sending to a multicast group.
444 Because we don't accept ICP replies from random
445 hosts, you must configure other group members as
446 peers with the 'multicast-responder' option below.
447
448 use 'no-query' to NOT send ICP queries to this
449 neighbor.
450
451 use 'background-ping' to only send ICP queries to this
452 neighbor infrequently. This is used to keep the neighbor
453 round trip time updated and is usually used in
454 conjunction with weighted-round-robin.
455
456 use 'default' if this is a parent cache which can
457 be used as a "last-resort." You should probably
458 only use 'default' in situations where you cannot
459 use ICP with your parent cache(s).
460
461 use 'round-robin' to define a set of parents which
462 should be used in a round-robin fashion in the
463 absence of any ICP queries.
464
465 use 'weighted-round-robin' to define a set of parents
466 which should be used in a round-robin fashion with the
467 frequency of each parent being based on the round trip
468 time. Closer parents are used more often.
469 Usually used for background-ping parents.
470
471 use 'carp' to define a set of parents which should
472 be used as a CARP array. The requests will then be
473 distributed among the parents based on the CARP load
474 balancing hash function based on their weight.
475
476 'multicast-responder' indicates that the named peer
477 is a member of a multicast group. ICP queries will
478 not be sent directly to the peer, but ICP replies
479 will be accepted from it.
480
481 'closest-only' indicates that, for ICP_OP_MISS
482 replies, we'll only forward CLOSEST_PARENT_MISSes
483 and never FIRST_PARENT_MISSes.
484
485 use 'no-digest' to NOT request cache digests from
486 this neighbor.
487
488 'no-netdb-exchange' disables requesting ICMP
489 RTT database (NetDB) from the neighbor.
490
491 use 'no-delay' to prevent access to this neighbor
492 from influencing the delay pools.
493
494 use 'login=user:password' if this is a personal/workgroup
495 proxy and your parent requires proxy authentication.
496 Note: The string can include URL escapes (i.e. %20 for
497 spaces). This also means that % must be written as %%.
498
499 use 'login=PASS' if users must authenticate against
500 the upstream proxy. This will pass the user's credentials
501 as they are to the peer proxy. This only works for the
502 Basic HTTP authentication scheme. Note: To combine this
503 with proxy_auth both proxies must share the same user
504 database as HTTP only allows for one proxy login.
505 Also be warned that this will expose your users' proxy
506 password to the peer. USE WITH CAUTION
507
508 use 'login=*:password' to pass the username to the
509 upstream cache, but with a fixed password. This is meant
510 to be used when the peer is in another administrative
511 domain, but it is still needed to identify each user.
512 The star can optionally be followed by some extra
513 information which is added to the username. This can
514 be used to identify this proxy to the peer, similar to
515 the login=username:password option above.
516
517 use 'connect-timeout=nn' to specify a peer
518 specific connect timeout (also see the
519 peer_connect_timeout directive)
520
521 use 'digest-url=url' to tell Squid to fetch the cache
522 digest (if digests are enabled) for this host from
523 the specified URL rather than the Squid default
524 location.
525
526 use 'allow-miss' to disable Squid's use of only-if-cached
527 when forwarding requests to siblings. This is primarily
528 useful when icp_hit_stale is used by the sibling. Too
529 extensive use of this option may result in forwarding
530 loops, and you should avoid having two-way peerings
531 with this option. (for example to deny peer usage on
532 requests from peer by denying cache_peer_access if the
533 source is a peer)
534
535 use 'max-conn' to limit the number of connections Squid
536 may open to this peer.
537
538 use 'htcp' to send HTCP, instead of ICP, queries
539 to the neighbor. You probably also want to
540 set the "icp port" to 4827 instead of 3130.
541
542 'originserver' causes this parent peer to be contacted as
543 an origin server. Meant to be used in accelerator setups.
544
545 use 'name=xxx' if you have multiple peers on the same
546 host but different ports. This name can then be used to
547 differentiate the peers in cache_peer_access and similar
548 directives.
549
550 use 'forceddomain=name' to forcibly set the Host header
551 of requests forwarded to this peer. Useful in accelerator
552 setups where the server (peer) expects a certain domain
553 name and using redirectors to feed this domainname
554 is not feasible.
555
556 use 'ssl' to indicate that connections to this peer should
557 be SSL/TLS encrypted.
558
559 use 'sslcert=/path/to/ssl/certificate' to specify a client
560 SSL certificate to use when connecting to this peer.
561
562 use 'sslkey=/path/to/ssl/key' to specify the private SSL
563 key corresponding to sslcert above. If 'sslkey' is not
564 specified then 'sslcert' is assumed to reference a
565 combined file containing both the certificate and the key.
566
567 use sslversion=1|2|3|4 to specify the SSL version to use
568 when connecting to this peer
569 1 = automatic (default)
570 2 = SSL v2 only
571 3 = SSL v3 only
572 4 = TLS v1 only
573
574 use sslcipher=... to specify the list of valid SSL ciphers
575 to use when connecting to this peer
576
577 use ssloptions=... to specify various SSL engine options:
578 NO_SSLv2 Disallow the use of SSLv2
579 NO_SSLv3 Disallow the use of SSLv3
580 NO_TLSv1 Disallow the use of TLSv1
581 See src/ssl_support.c or the OpenSSL documentation for
582 a more complete list.
583
584 use cafile=... to specify a file containing additional
585 CA certificates to use when verifying the peer certificate
586
587 use capath=... to specify a directory containing additional
588 CA certificates to use when verifying the peer certificate
589
590 use sslflags=... to specify various flags modifying the
591 SSL implementation:
592 DONT_VERIFY_PEER
593 Accept certificates even if they fail to
594 verify.
595 NO_DEFAULT_CA
596 Don't use the default CA list built in
597 to OpenSSL.
598 DONT_VERIFY_DOMAIN
599 Don't verify that the peer certificate
600 matches the server name
601
602 use sslname= to specify the peer name as advertised
603 in its certificate. Used for verifying the correctness
604 of the received peer certificate. If not specified the
605 peer hostname will be used.
606
607 use front-end-https to enable the "Front-End-Https: On"
608 header needed when using Squid as an SSL frontend in front
609 of Microsoft OWA. See MS KB document Q307347 for details
610 on this header. If set to auto then the header will
611 only be added if the request is forwarded as a https://
612 URL.
613
614 NOTE: non-ICP neighbors must be specified as 'parent'.
615DOC_END
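
An added example, not part of cf.data.pre or the Squid project: a small Python audit of a squid.conf for the TLS and credential settings documented above (https_port version=/options=/sslflags=, sslproxy_flags, sslproxy_version, and the cache_peer ssl*/login=PASS options). The sample configuration is constructed, the function names are hypothetical, and splitting option lists on ',' or ':' is an assumption.

```python
import re

# Values the page documents for version= / sslversion= / sslproxy_version
# that pin a connection to an obsolete protocol.
WEAK_VERSIONS = {"2": "SSLv2 only", "3": "SSLv3 only"}
# Flags the page documents as switching certificate checks off.
VERIFY_OFF = {"DONT_VERIFY_PEER", "DONT_VERIFY_DOMAIN"}


def _split(value):
    """Split an options=/sslflags= value (assumption: ',' or ':' separated)."""
    return {v for v in re.split(r"[,:]", value) if v}


def _kv(tokens):
    """Turn ['cert=a.pem', 'ssl'] into {'cert': 'a.pem', 'ssl': ''}."""
    out = {}
    for tok in tokens:
        key, _, val = tok.partition("=")
        out[key] = val
    return out


def _check_version(findings, lineno, name, version, options):
    """Flag pinned SSLv2/SSLv3, or automatic mode that does not exclude them."""
    if version in WEAK_VERSIONS:
        findings.append((lineno, name, f"version pinned to {WEAK_VERSIONS[version]}"))
    elif version in (None, "", "1"):
        missing = sorted({"NO_SSLv2", "NO_SSLv3"} - options)
        if missing:
            findings.append(
                (lineno, name, "automatic version without " + ",".join(missing)))


def _check_flags(findings, lineno, name, flags):
    """Flag any documented flag that disables certificate verification."""
    for flag in sorted(flags & VERIFY_OFF):
        findings.append((lineno, name, f"{flag} disables certificate checking"))


def audit(conf_text):
    """Return (line number, directive, message) tuples for risky settings."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        if name == "https_port":
            # Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
            opts = _kv(args[1:])
            _check_version(findings, lineno, name, opts.get("version"),
                           _split(opts.get("options", "")))
            _check_flags(findings, lineno, name, _split(opts.get("sslflags", "")))
        elif name == "cache_peer":
            # Format: cache_peer hostname type http_port icp_port [options]
            opts = _kv(args[4:])
            if "ssl" in opts:
                _check_version(findings, lineno, name, opts.get("sslversion"),
                               _split(opts.get("ssloptions", "")))
                _check_flags(findings, lineno, name,
                             _split(opts.get("sslflags", "")))
            if opts.get("login") == "PASS":
                findings.append(
                    (lineno, name, "login=PASS forwards user credentials to the peer"))
        elif name == "sslproxy_flags" and args:
            _check_flags(findings, lineno, name, _split(args[0]))
        elif name == "sslproxy_version" and args and args[0] in WEAK_VERSIONS:
            findings.append(
                (lineno, name, f"version pinned to {WEAK_VERSIONS[args[0]]}"))
    return findings


# Constructed sample configuration (not taken from the page).
SAMPLE_CONF = """\
# constructed sample
http_port 3128
https_port 443 cert=/etc/squid/site.pem defaultsite=www.example.test
https_port 8443 cert=/etc/squid/site.pem version=4 options=NO_SSLv2,NO_SSLv3
cache_peer parent.example.test parent 3128 3130 ssl sslversion=3 sslflags=DONT_VERIFY_PEER login=PASS
cache_peer sib1.example.test sibling 3128 3130 proxy-only
sslproxy_flags DONT_VERIFY_PEER
"""

if __name__ == "__main__":
    for lineno, directive, message in audit(SAMPLE_CONF):
        print(f"line {lineno}: {directive}: {message}")
```
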
616
617NAME: cache_peer_domain cache_host_domain
618TYPE: hostdomain
619DEFAULT: none
620LOC: none
621DOC_START
622 Use to limit the domains for which a neighbor cache will be
623 queried. Usage:
624
625 cache_peer_domain cache-host domain [domain ...]
626 cache_peer_domain cache-host !domain
627
628 For example, specifying
629
630 cache_peer_domain parent.foo.net .edu
631
632 has the effect such that UDP query packets are sent to
633 'bigserver' only when the requested object exists on a
634 server in the .edu domain. Prefixing the domainname
635 with '!' means that the cache will be queried for objects
636 NOT in that domain.
637
638 NOTE: * Any number of domains may be given for a cache-host,
639 either on the same or separate lines.
640 * When multiple domains are given for a particular
641 cache-host, the first matched domain is applied.
642 * Cache hosts with no domain restrictions are queried
643 for all requests.
644 * There are no defaults.
645 * There is also a 'cache_peer_access' tag in the ACL
646 section.
647DOC_END
648
649
650NAME: neighbor_type_domain
651TYPE: hostdomaintype
652DEFAULT: none
653LOC: none
654DOC_START
655 usage: neighbor_type_domain neighbor parent|sibling domain domain ...
656
657 Modifying the neighbor type for specific domains is now
658 possible. You can treat some domains differently than the
659 default neighbor type specified on the 'cache_peer' line.
660 Normally it should only be necessary to list domains which
661 should be treated differently because the default neighbor type
662 applies for hostnames which do not match domains listed here.
663
664EXAMPLE:
665 cache_peer cache.foo.org parent 3128 3130
666 neighbor_type_domain cache.foo.org sibling .com .net
667 neighbor_type_domain cache.foo.org sibling .au .de
668DOC_END
669
670NAME: icp_query_timeout
671COMMENT: (msec)
672DEFAULT: 0
673TYPE: int
674LOC: Config.Timeout.icp_query
675DOC_START
676 Normally Squid will automatically determine an optimal ICP
677 query timeout value based on the round-trip-time of recent ICP
678 queries. If you want to override the value determined by
679 Squid, set this 'icp_query_timeout' to a non-zero value. This
680 value is specified in MILLISECONDS, so, to use a 2-second
681 timeout (the old default), you would write:
682
683 icp_query_timeout 2000
684DOC_END
685
686NAME: maximum_icp_query_timeout
687COMMENT: (msec)
688DEFAULT: 2000
689TYPE: int
690LOC: Config.Timeout.icp_query_max
691DOC_START
692 Normally the ICP query timeout is determined dynamically. But
693 sometimes it can lead to very large values (say 5 seconds).
694 Use this option to put an upper limit on the dynamic timeout
695 value. Do NOT use this option to always use a fixed (instead
696 of a dynamic) timeout value. To set a fixed timeout see the
697 'icp_query_timeout' directive.
698DOC_END
699
700NAME: minimum_icp_query_timeout
701COMMENT: (msec)
702DEFAULT: 5
703TYPE: int
704LOC: Config.Timeout.icp_query_min
705DOC_START
706 Normally the ICP query timeout is determined dynamically. But
707 sometimes it can lead to very small timeouts, even lower than
708 the normal latency variance on your link due to traffic.
709 Use this option to put a lower limit on the dynamic timeout
710 value. Do NOT use this option to always use a fixed (instead
711 of a dynamic) timeout value. To set a fixed timeout see the
712 'icp_query_timeout' directive.
713DOC_END
714
715NAME: mcast_icp_query_timeout
716COMMENT: (msec)
717DEFAULT: 2000
718TYPE: int
719LOC: Config.Timeout.mcast_icp_query
720DOC_START
721 For Multicast peers, Squid regularly sends out ICP "probes" to
722 count how many other peers are listening on the given multicast
723 address. This value specifies how long Squid should wait to
724 count all the replies. The default is 2000 msec, or 2
725 seconds.
726DOC_END
727
728NAME: dead_peer_timeout
729COMMENT: (seconds)
730DEFAULT: 10 seconds
731TYPE: time_t
732LOC: Config.Timeout.deadPeer
733DOC_START
734 This controls how long Squid waits to declare a peer cache
735 as "dead." If there are no ICP replies received in this
736 amount of time, Squid will declare the peer dead and not
737 expect to receive any further ICP replies. However, it
738 continues to send ICP queries, and will mark the peer as
739 alive upon receipt of the first subsequent ICP reply.
740
741 This timeout also affects when Squid expects to receive ICP
742 replies from peers. If more than 'dead_peer' seconds have
743 passed since the last ICP reply was received, Squid will not
744 expect to receive an ICP reply on the next query. Thus, if
745 your time between requests is greater than this timeout, you
746 will see a lot of requests sent DIRECT to origin servers
747 instead of to your parents.
748DOC_END
749
750
751NAME: hierarchy_stoplist
752TYPE: wordlist
753DEFAULT: none
754LOC: Config.hierarchy_stoplist
755DOC_START
756 A list of words which, if found in a URL, cause the object to
757 be handled directly by this cache. In other words, use this
758 to not query neighbor caches for certain objects. You may
759 list this option multiple times.
760NOCOMMENT_START
761#We recommend you to use at least the following line.
762hierarchy_stoplist cgi-bin ?
763NOCOMMENT_END
764DOC_END
934b03fc 765
6a566b9c 766
cccac0a2 767NAME: no_cache
768TYPE: acl_access
769DEFAULT: none
770LOC: Config.accessList.noCache
771DOC_START
772 A list of ACL elements which, if matched, cause the request to
773 not be satisfied from the cache and the reply to not be cached.
774 In other words, use this to force certain objects to never be cached.
6a566b9c 775
cccac0a2 776 You must use the word 'DENY' to indicate the ACL names which should
777 NOT be cached.
1e5562e3 778
cccac0a2 779NOCOMMENT_START
780#We recommend you to use the following two lines.
781acl QUERY urlpath_regex cgi-bin \?
782no_cache deny QUERY
783NOCOMMENT_END
784DOC_END
785
786NAME: background_ping_rate
787COMMENT: time-units
788TYPE: time_t
789DEFAULT: 10 seconds
790LOC: Config.backgroundPingRate
791DOC_START
792 Controls how often the ICP pings are sent to siblings that
793 have background-ping set.
794DOC_END
1e5562e3 795
934b03fc 796
cccac0a2 797COMMENT_START
798 OPTIONS WHICH AFFECT THE CACHE SIZE
799 -----------------------------------------------------------------------------
800COMMENT_END
801
802NAME: cache_mem
803COMMENT: (bytes)
804TYPE: b_size_t
805DEFAULT: 8 MB
806LOC: Config.memMaxSize
807DOC_START
808 NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
809 IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
810 USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
811 THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
812
813 'cache_mem' specifies the ideal amount of memory to be used
814 for:
815 * In-Transit objects
816 * Hot Objects
817 * Negative-Cached objects
818
819 Data for these objects are stored in 4 KB blocks. This
820 parameter specifies the ideal upper limit on the total size of
821 4 KB blocks allocated. In-Transit objects take the highest
822 priority.
823
824 In-transit objects have priority over the others. When
825 additional space is needed for incoming data, negative-cached
826 and hot objects will be released. In other words, the
827 negative-cached and hot objects will fill up any unused space
828 not needed for in-transit objects.
829
830 If circumstances require, this limit will be exceeded.
831 Specifically, if your incoming request rate requires more than
832 'cache_mem' of memory to hold in-transit objects, Squid will
833 exceed this limit to satisfy the new requests. When the load
834 decreases, blocks will be freed until the high-water mark is
835 reached. Thereafter, blocks will be used to store hot
836 objects.
837DOC_END
838
839
840NAME: cache_swap_low
841COMMENT: (percent, 0-100)
842TYPE: int
843DEFAULT: 90
844LOC: Config.Swap.lowWaterMark
845DOC_NONE
846
847NAME: cache_swap_high
848COMMENT: (percent, 0-100)
849TYPE: int
850DEFAULT: 95
851LOC: Config.Swap.highWaterMark
852DOC_START
853
854 The low- and high-water marks for cache object replacement.
855 Replacement begins when the swap (disk) usage is above the
856 low-water mark and attempts to maintain utilization near the
857 low-water mark. As swap utilization gets close to high-water
858 mark object eviction becomes more aggressive. If utilization is
859 close to the low-water mark less replacement is done each time.
860
861 Defaults are 90% and 95%. If you have a large cache, 5% could be
862 hundreds of MB. If this is the case you may wish to set these
863 numbers closer together.
864DOC_END
865
866NAME: maximum_object_size
867COMMENT: (bytes)
868TYPE: b_size_t
869DEFAULT: 4096 KB
870LOC: Config.Store.maxObjectSize
871DOC_START
872 Objects larger than this size will NOT be saved on disk. The
873 value is specified in kilobytes, and the default is 4MB. If
874 you wish to get a high BYTES hit ratio, you should probably
875 increase this (one 32 MB object hit counts for 3200 10KB
876 hits). If you wish to increase speed more than you want to
877 save bandwidth you should leave this low.
878
879 NOTE: if using the LFUDA replacement policy you should increase
880 this value to maximize the byte hit rate improvement of LFUDA!
881 See replacement_policy below for a discussion of this policy.
882DOC_END
883
884NAME: minimum_object_size
885COMMENT: (bytes)
886TYPE: b_size_t
887DEFAULT: 0 KB
888LOC: Config.Store.minObjectSize
889DOC_START
890 Objects smaller than this size will NOT be saved on disk. The
891 value is specified in kilobytes, and the default is 0 KB, which
892 means there is no minimum.
893DOC_END
894
895NAME: maximum_object_size_in_memory
896COMMENT: (bytes)
897TYPE: b_size_t
898DEFAULT: 8 KB
899LOC: Config.Store.maxInMemObjSize
900DOC_START
901 Objects greater than this size will not be attempted to be kept in
902 the memory cache. This should be set high enough to keep objects
903 accessed frequently in memory to improve performance whilst low
904 enough to keep larger objects from hoarding cache_mem.
905DOC_END
906
907NAME: ipcache_size
908COMMENT: (number of entries)
909TYPE: int
910DEFAULT: 1024
911LOC: Config.ipcache.size
912DOC_NONE
913
914NAME: ipcache_low
915COMMENT: (percent)
916TYPE: int
917DEFAULT: 90
918LOC: Config.ipcache.low
919DOC_NONE
920
921NAME: ipcache_high
922COMMENT: (percent)
923TYPE: int
924DEFAULT: 95
925LOC: Config.ipcache.high
926DOC_START
927 The size, low-, and high-water marks for the IP cache.
928DOC_END
929
930NAME: fqdncache_size
931COMMENT: (number of entries)
932TYPE: int
933DEFAULT: 1024
934LOC: Config.fqdncache.size
935DOC_START
936 Maximum number of FQDN cache entries.
937DOC_END
938
939NAME: cache_replacement_policy
940TYPE: removalpolicy
941LOC: Config.replPolicy
942DEFAULT: lru
943DOC_START
944 The cache replacement policy parameter determines which
945 objects are evicted (replaced) when disk space is needed.
946
947 lru : Squid's original list based LRU policy
948 heap GDSF : Greedy-Dual Size Frequency
949 heap LFUDA: Least Frequently Used with Dynamic Aging
950 heap LRU : LRU policy implemented using a heap
951
952 Applies to any cache_dir lines listed below this.
953
954 The LRU policies keep recently referenced objects.
955
956 The heap GDSF policy optimizes object hit rate by keeping smaller
957 popular objects in cache so it has a better chance of getting a
958 hit. It achieves a lower byte hit rate than LFUDA though since
959 it evicts larger (possibly popular) objects.
960
961 The heap LFUDA policy keeps popular objects in cache regardless of
962 their size and thus optimizes byte hit rate at the expense of
963 hit rate since one large, popular object will prevent many
964 smaller, slightly less popular objects from being cached.
965
966 Both policies utilize a dynamic aging mechanism that prevents
967 cache pollution that can otherwise occur with frequency-based
968 replacement policies.
969
970 NOTE: if using the LFUDA replacement policy you should increase
971 the value of maximum_object_size above its default of 4096 KB to
972 maximize the potential byte hit rate improvement of LFUDA.
973
974 For more information about the GDSF and LFUDA cache replacement
975 policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
976 and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
977DOC_END
978
979NAME: memory_replacement_policy
980TYPE: removalpolicy
981LOC: Config.memPolicy
982DEFAULT: lru
983DOC_START
984 The memory replacement policy parameter determines which
985 objects are purged from memory when memory space is needed.
986
987 See cache_replacement_policy for details.
988DOC_END
934b03fc 989
1f7c9178 990
cccac0a2 991COMMENT_START
992 LOGFILE PATHNAMES AND CACHE DIRECTORIES
993 -----------------------------------------------------------------------------
994COMMENT_END
9bc73deb 995
cccac0a2 996NAME: cache_dir
997TYPE: cachedir
998DEFAULT: none
999DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256
1000LOC: Config.cacheSwap
1001DOC_START
1002 Usage:
1003
1004 cache_dir Type Directory-Name Fs-specific-data [options]
cf5cc17e 1005
cccac0a2 1006 You can specify multiple cache_dir lines to spread the
1007 cache among different disk partitions.
8e8d4f30 1008
cccac0a2 1009 Type specifies the kind of storage system to use. Only "ufs"
1010 is built by default. To enable any of the other storage systems
1011 see the --enable-storeio configure option.
934b03fc 1012
cccac0a2 1013 'Directory' is a top-level directory where cache swap
1014 files will be stored. If you want to use an entire disk
1015 for caching, then this can be the mount-point directory.
1016 The directory must exist and be writable by the Squid
1017 process. Squid will NOT create this directory for you.
1e5562e3 1018
cccac0a2 1019 The ufs store type:
1020
1021 "ufs" is the old well-known Squid storage format that has always
1022 been there.
1023
1024 cache_dir ufs Directory-Name Mbytes L1 L2 [options]
1025
1026 'Mbytes' is the amount of disk space (MB) to use under this
1027 directory. The default is 100 MB. Change this to suit your
1028 configuration. Do NOT put the size of your disk drive here.
1029 Instead, if you want Squid to use the entire disk drive,
1030 subtract 20% and use that value.
1031
1032 'Level-1' is the number of first-level subdirectories which
1033 will be created under the 'Directory'. The default is 16.
1034
1035 'Level-2' is the number of second-level subdirectories which
1036 will be created under each first-level directory. The default
1037 is 256.
1038
1039 The aufs store type:
1040
1041 "aufs" uses the same storage format as "ufs", utilizing
1042 POSIX-threads to avoid blocking the main Squid process on
1043 disk-I/O. This was formerly known in Squid as async-io.
1044
1045 cache_dir aufs Directory-Name Mbytes L1 L2 [options]
1046
1047 see argument descriptions under ufs above
1048
1049 The diskd store type:
1050
1051 "diskd" uses the same storage format as "ufs", utilizing a
1052 separate process to avoid blocking the main Squid process on
1053 disk-I/O.
1054
1055 cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
1056
1057 see argument descriptions under ufs above
1058
1059 Q1 specifies the number of unacknowledged I/O requests when Squid
1060 stops opening new files. If this many messages are in the queues,
1061 Squid won't open new files. Default is 64
1062
1063 Q2 specifies the number of unacknowledged messages when Squid
1064 starts blocking. If this many messages are in the queues,
1065 Squid blocks until it receives some replies. Default is 72
1066
1067 Common options:
1068
1069 read-only, this cache_dir is read only.
1070
1071 max-size=n, refers to the max object size this storedir supports.
1072 It is used to initially choose the storedir to dump the object.
1073 Note: To make optimal use of the max-size limits you should order
1074 the cache_dir lines with the smallest max-size value first and the
1075 ones with no max-size specification last.
1076DOC_END
1077
1078
1079NAME: logformat
1080TYPE: logformat
1081LOC: Config.Log.logformats
1082DEFAULT: none
1083DOC_START
1084 Usage:
1085
1086 logformat <name> <format specification>
1087
1088 Defines an access log format.
1089
1090 The <format specification> is a string with embedded % format codes
1091
1092 % format codes all follow the same basic structure where all but
1093 the formatcode is optional. Output strings are automatically quoted
1094 as required according to their context and the output format
1095 modifiers are usually unneeded but can be specified if an explicit
1096 quoting format is desired.
1097
1098 % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
1099
1100 " quoted string output format
1101 [ squid log quoted format as used by log_mime_hdrs
1102 # URL quoted output format
1103 ' No automatic quoting
1104 - left aligned
1105 width field width. If starting with 0 then the
1106 output is zero padded
1107 {arg} argument such as header name etc
1108
1109 Format codes:
1110
1111 >a Client source IP address
1112 >A Client FQDN
1113 <A Server IP address or peer name
1114 la Local IP address (http_port)
1115 lp Local port number (http_port)
1116 ts Seconds since epoch
1117 tu subsecond time (milliseconds)
1118 tl Local time. Optional strftime format argument
1119 default %d/%b/%Y:%H:%M:%S %z
1120 tg GMT time. Optional strftime format argument
1121 default %d/%b/%Y:%H:%M:%S %z
1122 tr Response time (milliseconds)
1123 >h Request header. Optional header name argument
1124 on the format header[:[separator]element]
1125 <h Reply header. Optional header name argument
1126 as for >h
1127 un User name
1128 ul User login
1129 ui User ident
1130 ue User from external acl
1131 Hs HTTP status code
1132 Ss Squid request status (TCP_MISS etc)
1133 Sh Squid hierarchy status (DEFAULT_PARENT etc)
1134 mt MIME content type
1135 rm Request method (GET/POST etc)
1136 ru Request URL
1137 rv Request protocol version
1138 et Tag returned by external acl
1139 ea Log string returned by external acl
1140 <st Reply size including HTTP headers
fe08087a 1141 <sH Reply high offset sent
1142 <sS Upstream object size
cccac0a2 1143 % a literal % character
1144
1145logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
1146logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
1147logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
1148logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
1149DOC_END
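An added example, not part of cf.data.pre or of Squid: a tokeniser for the % format-code grammar documented above that turns a logformat specification into a regular expression and parses access log lines with it. The helper names, the lazy-matching heuristic and the sample log lines are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Format codes listed in the logformat documentation, longest first so that
# "<st" is tried before any shorter alternative.
CODES = sorted(
    [">a", ">A", "<A", "la", "lp", "ts", "tu", "tl", "tg", "tr", ">h", "<h",
     "un", "ul", "ui", "ue", "Hs", "Ss", "Sh", "mt", "rm", "ru", "rv",
     "et", "ea", "<st", "<sH", "<sS", "%"],
    key=len, reverse=True)

# % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
TOKEN_RE = re.compile(
    r"""%(?P<quote>["\['#])?(?P<left>-)?(?P<width>\d+)?"""
    r"""(?:\{(?P<arg>[^}]*)\})?(?P<code>"""
    + "|".join(re.escape(c) for c in CODES) + ")")

# The two format definitions below are copied from the documentation above.
SQUID = "%ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt"
COMBINED = ('%>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st '
            '"%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh')


class Field(NamedTuple):
    key: str               # name used in parsed records: ">a", "{Referer}>h"
    code: str
    arg: Optional[str]
    quote: Optional[str]   # explicit quoting modifier, if any
    left_aligned: bool
    width: Optional[int]
    zero_pad: bool


def _literal_regex(text):
    # A run of whitespace in the spec matches one or more spaces in the log,
    # which also absorbs the padding produced by width modifiers such as %6tr.
    return "".join(r"\s+" if part.isspace() else re.escape(part)
                   for part in re.split(r"(\s+)", text) if part)


def compile_logformat(spec):
    """Tokenise a <format specification>; return (fields, compiled regex)."""
    items, pos = [], 0     # str literals and Field objects, in spec order

    def add_literal(text):
        if text and items and isinstance(items[-1], str):
            items[-1] += text
        elif text:
            items.append(text)

    for m in TOKEN_RE.finditer(spec + ""):
        between = spec[pos:m.start()]
        if "%" in between:
            raise ValueError("unknown format code near %r" % between)
        add_literal(between)
        pos = m.end()
        if m["code"] == "%":           # "%%" is a literal percent sign
            add_literal("%")
            continue
        w = m["width"]
        key = ("{%s}" % m["arg"] if m["arg"] is not None else "") + m["code"]
        items.append(Field(key, m["code"], m["arg"], m["quote"],
                           m["left"] is not None, int(w) if w else None,
                           bool(w) and w.startswith("0")))
    if "%" in spec[pos:]:
        raise ValueError("unknown format code near %r" % spec[pos:])
    add_literal(spec[pos:])

    pattern = []
    for i, item in enumerate(items):
        if isinstance(item, str):
            pattern.append(_literal_regex(item))
            continue
        nxt = items[i + 1] if i + 1 < len(items) else " "
        # A field followed by whitespace (or end of line) cannot contain
        # spaces; otherwise match lazily up to the next literal delimiter.
        simple = isinstance(nxt, str) and nxt[0].isspace()
        pattern.append(r"(\S+)" if simple else r"(.*?)")
    fields = [i for i in items if not isinstance(i, str)]
    return fields, re.compile("".join(pattern))


def parse_line(spec, line):
    """Return {field key: raw value} for one log line, or None if malformed."""
    fields, regex = compile_logformat(spec)
    m = regex.fullmatch(line.strip())
    if m is None:
        return None
    return {f.key: value for f, value in zip(fields, m.groups())}


if __name__ == "__main__":
    # Constructed sample line in the "squid" format.
    print(parse_line(SQUID, "1060734381.123     45 192.0.2.10 TCP_MISS/200 "
                            "1532 GET http://example.com/ - "
                            "DIRECT/198.51.100.7 text/html"))
```

Lines that return None do not fit the configured format and are worth surfacing rather than silently dropping when the log feeds detection or forensics.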
1150
1151NAME: access_log cache_access_log
1152TYPE: access_log
1153LOC: Config.Log.accesslogs
1154DEFAULT: none
1155DEFAULT_IF_NONE: @DEFAULT_ACCESS_LOG@
1156DOC_START
1157 These files log client request activities. There is one line for every HTTP or
1158 ICP request. The format is:
1159 access_log <filepath> [<logformat name> [acl acl ...]]
1160 access_log none [acl acl ...]
1161
1162 Will log to the specified file using the specified format (which
1163 must be defined in a logformat directive) those entries which match
1164 ALL the acl's specified (which must be defined in acl clauses).
1165 If no acl is specified, all requests will be logged to this file.
1166
1167 To disable logging of a request specify "none".
1168DOC_END
1169
1170
1171NAME: cache_log
1172TYPE: string
1173DEFAULT: @DEFAULT_CACHE_LOG@
1174LOC: Config.Log.log
1175DOC_START
1176 Cache logging file. This is where general information about
1177 your cache's behavior goes. You can increase the amount of data
1178 logged to this file with the "debug_options" tag below.
1179DOC_END
1180
1181
1182NAME: cache_store_log
1183TYPE: string
1184DEFAULT: @DEFAULT_STORE_LOG@
1185LOC: Config.Log.store
1186DOC_START
1187 Logs the activities of the storage manager. Shows which
1188 objects are ejected from the cache, and which objects are
1189 saved and for how long. To disable, enter "none". There are
1190 not really utilities to analyze this data, so you can safely
1191 disable it.
1192DOC_END
1193
1194
1195NAME: cache_swap_log
1196TYPE: string
1197LOC: Config.Log.swap
1198DEFAULT: none
1199DOC_START
1200 Location for the cache "swap.log." This log file holds the
1201 metadata of objects saved on disk. It is used to rebuild the
1202 cache during startup. Normally this file resides in each
1203 'cache_dir' directory, but you may specify an alternate
1204 pathname here. Note you must give a full filename, not just
1205 a directory. Since this is the index for the whole object
1206 list you CANNOT periodically rotate it!
1207
1208 If %s is used in the file name then it will be replaced with a
1209 representation of the cache_dir name where each / is replaced
1210 with '.'. This is needed to allow adding/removing cache_dir
1211 lines when cache_swap_log is being used.
1212
1213 If you have more than one 'cache_dir', and %s is not used in the name
1214 then these swap logs will have names such as:
1215
1216 cache_swap_log.00
1217 cache_swap_log.01
1218 cache_swap_log.02
1219
1220 The numbered extension (which is added automatically)
1221 corresponds to the order of the 'cache_dir' lines in this
1222 configuration file. If you change the order of the 'cache_dir'
1223 lines in this file, then these log files will NOT correspond to
1224 the correct 'cache_dir' entry (unless you manually rename
1225 them). We recommend that you do NOT use this option. It is
1226 better to keep these log files in each 'cache_dir' directory.
1227DOC_END
1228
1229
1230NAME: emulate_httpd_log
1231COMMENT: on|off
1232TYPE: onoff
1233DEFAULT: off
1234LOC: Config.onoff.common_log
1235DOC_START
1236 The Cache can emulate the log file format which many 'httpd'
1237 programs use. To disable/enable this emulation, set
1238 emulate_httpd_log to 'off' or 'on'. The default
1239 is to use the native log format since it includes useful
1240 information that Squid-specific log analyzers use.
1241DOC_END
1242
1243NAME: log_ip_on_direct
1244COMMENT: on|off
1245TYPE: onoff
1246DEFAULT: on
1247LOC: Config.onoff.log_ip_on_direct
1248DOC_START
1249 Log the destination IP address in the hierarchy log tag when going
1250 direct. Earlier Squid versions logged the hostname here. If you
1251 prefer the old way set this to off.
1252DOC_END
1253
1254NAME: mime_table
1255TYPE: string
1256DEFAULT: @DEFAULT_MIME_TABLE@
1257LOC: Config.mimeTablePathname
1258DOC_START
1259 Pathname to Squid's MIME table. You shouldn't need to change
1260 this, but the default file contains examples and formatting
1261 information if you do.
1262DOC_END
1263
1264
1265NAME: log_mime_hdrs
1266COMMENT: on|off
1267TYPE: onoff
1268LOC: Config.onoff.log_mime_hdrs
1269DEFAULT: off
1270DOC_START
1271 The Cache can record both the request and the response MIME
1272 headers for each HTTP transaction. The headers are encoded
1273 safely and will appear as two bracketed fields at the end of
1274 the access log (for either the native or httpd-emulated log
1275 formats). To enable this logging set log_mime_hdrs to 'on'.
1276DOC_END
1277
1278
1279NAME: useragent_log
1280TYPE: string
1281LOC: Config.Log.useragent
1282DEFAULT: none
1283IFDEF: USE_USERAGENT_LOG
1284DOC_START
1285 Squid will write the User-Agent field from HTTP requests
1286 to the filename specified here. By default useragent_log
1287 is disabled.
1288DOC_END
1289
1290
1291NAME: referer_log
1292TYPE: string
1293LOC: Config.Log.referer
1294DEFAULT: none
1295IFDEF: USE_REFERER_LOG
1296DOC_START
1297 Squid will write the Referer field from HTTP requests to the
1298 filename specified here. By default referer_log is disabled.
1299DOC_END
1300
1301
1302NAME: pid_filename
1303TYPE: string
1304DEFAULT: @DEFAULT_PID_FILE@
1305LOC: Config.pidFilename
1306DOC_START
1307 A filename to write the process-id to. To disable, enter "none".
1308DOC_END
1309
1310
1311NAME: debug_options
1312TYPE: eol
1313DEFAULT: ALL,1
1314LOC: Config.debugOptions
1315DOC_START
1316 Logging options are set as section,level where each source file
1317 is assigned a unique section. Lower levels result in less
1318 output. Full debugging (level 9) can result in a very large
1319 log file, so be careful. The magic word "ALL" sets debugging
1320 levels for all sections. We recommend normally running with
1321 "ALL,1".
1322DOC_END
1323
1324
1325NAME: log_fqdn
1326COMMENT: on|off
1327TYPE: onoff
1328DEFAULT: off
1329LOC: Config.onoff.log_fqdn
1330DOC_START
1331 Turn this on if you wish to log fully qualified domain names
1332 in the access.log. To do this Squid does a DNS lookup of all
1333 IP's connecting to it. This can (in some situations) increase
1334 latency, which makes your cache seem slower for interactive
1335 browsing.
1336DOC_END
1337
1338
1339NAME: client_netmask
1340TYPE: address
1341LOC: Config.Addrs.client_netmask
1342DEFAULT: 255.255.255.255
1343DOC_START
1344 A netmask for client addresses in logfiles and cachemgr output.
1345 Change this to protect the privacy of your cache clients.
1346 A netmask of 255.255.255.0 will log all IP's in that range with
1347 the last digit set to '0'.
1348DOC_END
0976f8db 1349
0976f8db 1350
cccac0a2 1351COMMENT_START
1352 OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
1353 -----------------------------------------------------------------------------
1354COMMENT_END
1355
1356NAME: ftp_user
1357TYPE: string
1358DEFAULT: Squid@
1359LOC: Config.Ftp.anon_user
1360DOC_START
1361 If you want the anonymous login password to be more informative
1362 (and enable the use of picky ftp servers), set this to something
1363 reasonable for your domain, like wwwuser@somewhere.net
1364
1365 The reason why this is domainless by default is that the
1366 request can be made on the behalf of a user in any domain,
1367 depending on how the cache is used.
1368 Some ftp servers also validate that the email address is valid
1369 (for example perl.com).
1370DOC_END
1371
1372NAME: ftp_list_width
1373TYPE: size_t
1374DEFAULT: 32
1375LOC: Config.Ftp.list_width
1376DOC_START
1377 Sets the width of ftp listings. This should be set to fit in
1378 the width of a standard browser. Setting this too small
1379 can cut off long filenames when browsing ftp sites.
1380DOC_END
1381
1382NAME: ftp_passive
1383TYPE: onoff
1384DEFAULT: on
1385LOC: Config.Ftp.passive
1386DOC_START
1387 If your firewall does not allow Squid to use passive
1388 connections, then turn off this option.
1389DOC_END
1390
1391NAME: ftp_sanitycheck
1392TYPE: onoff
1393DEFAULT: on
1394LOC: Config.Ftp.sanitycheck
1395DOC_START
1396 For security and data integrity reasons Squid by default performs
1397 sanity checks of the addresses of FTP data connections to ensure the
1398 data connection is to the requested server. If you need to allow
1399 FTP connections to servers using another IP address for the data
1400 connection then turn this off.
1401DOC_END
1402
1403NAME: check_hostnames
1404TYPE: onoff
1405DEFAULT: on
1406LOC: Config.onoff.check_hostnames
1407DOC_START
1408 For security and stability reasons Squid by default checks
1409 hostnames for Internet standard RFC compliance. If you do not want
1410 Squid to perform these checks then turn this directive off.
1411DOC_END
1412
1413NAME: cache_dns_program
1414TYPE: string
1415IFDEF: USE_DNSSERVERS
1416DEFAULT: @DEFAULT_DNSSERVER@
1417LOC: Config.Program.dnsserver
1418DOC_START
1419 Specify the location of the executable for the dnslookup process.
1420DOC_END
1421
1422NAME: dns_children
1423TYPE: int
1424IFDEF: USE_DNSSERVERS
1425DEFAULT: 5
1426LOC: Config.dnsChildren
1427DOC_START
1428 The number of processes spawned to service DNS name lookups.
1429 For heavily loaded caches on large servers, you should
1430 probably increase this value to at least 10. The maximum
1431 is 32. The default is 5.
1432
1433 You must have at least one dnsserver process.
1434DOC_END
1435
1436NAME: dns_retransmit_interval
1437TYPE: time_t
1438DEFAULT: 5 seconds
1439LOC: Config.Timeout.idns_retransmit
1440IFDEF: !USE_DNSSERVERS
1441DOC_START
1442 Initial retransmit interval for DNS queries. The interval is
1443 doubled each time all configured DNS servers have been tried.
1444
1445DOC_END
1446
1447NAME: dns_timeout
1448TYPE: time_t
1449DEFAULT: 5 minutes
1450LOC: Config.Timeout.idns_query
1451IFDEF: !USE_DNSSERVERS
1452DOC_START
1453 DNS Query timeout. If no response is received to a DNS query
1454 within this time then all DNS servers for the queried domain
1455 are assumed to be unavailable.
1456DOC_END
1457
1458NAME: dns_defnames
1459COMMENT: on|off
1460IFDEF: USE_DNSSERVERS
1461TYPE: onoff
1462DEFAULT: off
1463LOC: Config.onoff.res_defnames
1464IFDEF: USE_DNSSERVERS
1465DOC_START
1466 Normally the 'dnsserver' disables the RES_DEFNAMES resolver
1467 option (see res_init(3)). This prevents caches in a hierarchy
1468 from interpreting single-component hostnames locally. To allow
1469 dnsserver to handle single-component names, enable this
1470 option.
1471DOC_END
1472
1473NAME: dns_nameservers
1474TYPE: wordlist
1475DEFAULT: none
1476LOC: Config.dns_nameservers
1477DOC_START
1478 Use this if you want to specify a list of DNS name servers
1479 (IP addresses) to use instead of those given in your
1480 /etc/resolv.conf file.
1481 On Windows platforms, if no value is specified here or in
1482 the /etc/resolv.conf file, the list of DNS name servers is
1483 taken from the Windows registry; both static and dynamic DHCP
1484 configurations are supported.
1485
1486 Example: dns_nameservers 10.0.0.1 192.172.0.4
1487DOC_END
1488
1489NAME: hosts_file
1490TYPE: string
1491DEFAULT: @DEFAULT_HOSTS@
1492LOC: Config.etcHostsPath
1493DOC_START
1494 Location of the host-local IP name-address associations
1495 database. Most Operating Systems have such a file on different
1496 default locations:
1497 - Un*X & Linux: /etc/hosts
1498 - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
1499 (%SystemRoot% value install default is c:\winnt)
1500 - Windows XP: %SystemRoot%\system32\drivers\etc\hosts
1501 (%SystemRoot% value install default is c:\windows)
1502 - Windows 9x/Me: %windir%\hosts
1503 (%windir% value is usually c:\windows)
1504 - Cygwin: /etc/hosts
1505
1506 The file contains newline-separated definitions, in the
1507 form ip_address_in_dotted_form name [name ...] names are
1508 whitespace-separated. Lines beginning with a hash (#)
1509 character are comments.
1510
1511 The file is checked at startup and upon configuration.
1512 If set to 'none', it won't be checked.
1513 If append_domain is used, that domain will be added to
1514 domain-local (i.e. not containing any dot character) host
1515 definitions.
1516DOC_END
1517
1518NAME: diskd_program
1519TYPE: string
1520DEFAULT: @DEFAULT_DISKD@
1521LOC: Config.Program.diskd
1522DOC_START
1523 Specify the location of the diskd executable.
1524 Note that this is only useful if you have compiled in
1525 diskd as one of the store io modules.
1526DOC_END
1527
1528NAME: unlinkd_program
1529IFDEF: USE_UNLINKD
1530TYPE: string
1531DEFAULT: @DEFAULT_UNLINKD@
1532LOC: Config.Program.unlinkd
1533DOC_START
1534 Specify the location of the executable for the file deletion process.
1535DOC_END
1536
1537NAME: pinger_program
1538TYPE: string
1539DEFAULT: @DEFAULT_PINGER@
1540LOC: Config.Program.pinger
1541IFDEF: USE_ICMP
1542DOC_START
1543 Specify the location of the executable for the pinger process.
1544DOC_END
1545
1546
1547NAME: redirect_program
1548TYPE: wordlist
1549LOC: Config.Program.redirect
1550DEFAULT: none
1551DOC_START
1552 Specify the location of the executable for the URL redirector.
1553 Since they can perform almost any function there isn't one included.
1554 See the FAQ (section 15) for information on how to write one.
1555 By default, a redirector is not used.
1556DOC_END
1557
1558
1559NAME: redirect_children
1560TYPE: int
1561DEFAULT: 5
1562LOC: Config.redirectChildren
1563DOC_START
1564 The number of redirector processes to spawn. If you start
1565 too few Squid will have to wait for them to process a backlog of
1566 URLs, slowing it down. If you start too many they will use RAM
1567 and other system resources.
1568DOC_END
1569
1570NAME: redirect_concurrency
1571TYPE: int
1572DEFAULT: 0
1573LOC: Config.redirectConcurrency
1574DOC_START
1575 The number of requests each redirector helper can handle in
1576 parallel. Defaults to 0 which indicates that the redirector
1577 is an old-style single-threaded redirector.
1578DOC_END
1579
1580NAME: redirect_rewrites_host_header
1581TYPE: onoff
1582DEFAULT: on
1583LOC: Config.onoff.redir_rewrites_host
1584DOC_START
1585 By default Squid rewrites any Host: header in redirected
1586 requests. If you are running an accelerator then this may
1587 not be a wanted effect of a redirector.
1588
1589 WARNING: Entries are cached on the result of the URL rewriting
1590 process, so be careful if you have domain-virtual hosts.
1591DOC_END
1592
1593NAME: redirector_access
1594TYPE: acl_access
1595DEFAULT: none
1596LOC: Config.accessList.redirector
1597DOC_START
1598 If defined, this access list specifies which requests are
1599 sent to the redirector processes. By default all requests
1600 are sent.
1601DOC_END
1602
1603NAME: auth_param
1604TYPE: authparam
1605LOC: Config.authConfiguration
1606DEFAULT: none
1607DOC_START
1608 This is used to pass parameters to the various authentication
1609 schemes.
1610 format: auth_param scheme parameter [setting]
1611
1612 auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
1613 would tell the basic authentication scheme its program parameter.
1614
1615 The order that authentication prompts are presented to the client_agent
1616 is dependent on the order the scheme first appears in the config file.
1617 IE has a bug (it's not rfc 2617 compliant) in that it will use the basic
1618 scheme if basic is the first entry presented, even if more secure schemes
1619 are presented. For now use the order in the file below. If other browsers
1620 have difficulties (don't recognise the schemes offered even if you are using
1621 basic) then either put basic first, or disable the other schemes (by commenting
1622 out their program entry).
1623
1624 Once an authentication scheme is fully configured, it can only be shutdown
1625 by shutting squid down and restarting. Changes can be made on the fly and
1626 activated with a reconfigure. I.e. you can change to a different helper,
1627 but not unconfigure the helper completely.
1628
1629 === Parameters for the basic scheme follow. ===
1630
1631 "program" cmdline
1632 Specify the command for the external authenticator. Such a
1633 program reads a line containing "username password" and replies
1634 "OK" or "ERR" in an endless loop. If you use an authenticator,
1635 make sure you have 1 acl of type proxy_auth. By default, the
1636 basic authentication scheme is not used unless a program is specified.
1637
1638 If you want to use the traditional proxy authentication,
1639 jump over to the ../auth_modules/NCSA directory and
1640 type:
1641 % make
1642 % make install
1643
1644 Then, set this line to something like
1645
1646 auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
1647
1648 "children" numberofchildren
1649 The number of authenticator processes to spawn (no default).
1650 If you start too few Squid will have to wait for them to
1651 process a backlog of usercode/password verifications, slowing
1652 it down. When password verifications are done via a (slow)
1653 network you are likely to need lots of authenticator
1654 processes.
1655 auth_param basic children 5
1656
1657 "concurrency" concurrency
1658 The number of concurrent requests the helper can process.
1659 The default of 0 is used for helpers that only support
1660 one request at a time.
1661 auth_param basic concurrency 0
1662
1663 "realm" realmstring
1664 Specifies the realm name which is to be reported to the
1665 client for the basic proxy authentication scheme (part of
1666 the text the user will see when prompted for their username and
1667 password). There is no default.
1668 auth_param basic realm Squid proxy-caching web server
1669
1670 "credentialsttl" timetolive
1671 Specifies how long squid assumes an externally validated
1672 username:password pair is valid for - in other words how
1673 often the helper program is called for that user. Set this
1674 low to force revalidation with short lived passwords. Note
1675 that setting this high does not impact your susceptibility
1676 to replay attacks unless you are using a one-time password
1677 system (such as SecureID). If you are using such a system,
1678 you will be vulnerable to replay attacks unless you also
1679 use the max_user_ip ACL in an http_access rule.
1680
1681 === Parameters for the digest scheme follow ===
1682
1683 "program" cmdline
1684 Specify the command for the external authenticator. Such
1685 a program reads a line containing "username":"realm" and
1686 replies with the appropriate H(A1) value base64 encoded.
1687 See rfc 2616 for the definition of H(A1). If you use an
1688 authenticator, make sure you have 1 acl of type proxy_auth.
1689 By default, authentication is not used.
1690
1691 If you want to build an authenticator,
1692 jump over to the ../digest_auth_modules directory and choose the
1693 authenticator to use. In its directory type
1694 % make
1695 % make install
1696
1697 Then, set this line to something like
1698
1699 auth_param digest program @DEFAULT_PREFIX@/bin/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass
1700
1701
1702 "children" numberofchildren
1703 The number of authenticator processes to spawn (no default).
1704 If you start too few Squid will have to wait for them to
1705 process a backlog of H(A1) calculations, slowing it down.
1706 When the H(A1) calculations are done via a (slow) network
1707 you are likely to need lots of authenticator processes.
1708 auth_param digest children 5
1709
1710 "realm" realmstring
1711 Specifies the realm name which is to be reported to the
1712 client for the digest proxy authentication scheme (part of
1713 the text the user will see when prompted for their username and
1714 password). There is no default.
1715 auth_param digest realm Squid proxy-caching web server
1716
1717 "nonce_garbage_interval" timeinterval
1718 Specifies the interval that nonces that have been issued
1719 to client_agent's are checked for validity.
1720
1721 "nonce_max_duration" timeinterval
1722 Specifies the maximum length of time a given nonce will be
1723 valid for.
1724
1725 "nonce_max_count" number
1726 Specifies the maximum number of times a given nonce can be
1727 used.
1728
1729 "nonce_strictness" on|off
1730 Determines if squid requires strict increment-by-1 behaviour
1731 for nonce counts, or just incrementing (off - for use when
1732 useragents generate nonce counts that occasionally miss 1
1733 (ie, 1,2,4,6)). Default off.
1734
1735 "check_nonce_count" on|off
1736 This directive if set to off can disable the nonce count check
1737 completely to work around buggy digest qop implementations in
1738 certain mainstream browser versions. Default on to check the
1739 nonce count to protect from authentication replay attacks.
1740
1741 "post_workaround" on|off
1742 This is a workaround for certain buggy browsers that send
1743 an incorrect request digest in POST requests when reusing
1744 the same nonce as acquired earlier on a GET request.
1745
1746
1747 === NTLM scheme options follow ===
1748
1749 "program" cmdline
1750 Specify the command for the external ntlm authenticator.
1751 Such a program reads a line containing the uuencoded NEGOTIATE
1752 and replies with the ntlm CHALLENGE, then waits for the
1753 response and answers with "OK" or "ERR" in an endless loop.
1754 If you use an ntlm authenticator, make sure you have 1 acl
1755 of type proxy_auth. By default, the ntlm authenticator_program
1756 is not used.
1757
1758 auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
1759
1760 "children" numberofchildren
1761 The number of authenticator processes to spawn (no default).
1762 If you start too few Squid will have to wait for them to
1763 process a backlog of credential verifications, slowing it
1764 down. When credential verifications are done via a (slow)
1765 network you are likely to need lots of authenticator
1766 processes.
1767 auth_param ntlm children 5
1768
1769 "max_challenge_reuses" number
1770 The maximum number of times a challenge given by a ntlm
1771 authentication helper can be reused. Increasing this number
1772 increases your exposure to replay attacks on your network.
1773 0 means use the challenge only once. (disable challenge
1774 caching) See max_ntlm_challenge_lifetime for more information.
1775 auth_param ntlm max_challenge_reuses 0
1776
1777 "max_challenge_lifetime" timespan
1778 The maximum time period that a ntlm challenge is reused
1779 over. The actual period will be the minimum of this time
1780 AND the number of reused challenges.
1781 auth_param ntlm max_challenge_lifetime 2 minutes
1782
1783NOCOMMENT_START
94439e4e 1784#Recommended minimum configuration:
2d70df72 1785#auth_param digest program <uncomment and complete this line>
1786#auth_param digest children 5
1787#auth_param digest realm Squid proxy-caching web server
1788#auth_param digest nonce_garbage_interval 5 minutes
1789#auth_param digest nonce_max_duration 30 minutes
1790#auth_param digest nonce_max_count 50
94439e4e 1791#auth_param ntlm program <uncomment and complete this line to activate>
2d70df72 1792#auth_param ntlm children 5
1793#auth_param ntlm max_challenge_reuses 0
1794#auth_param ntlm max_challenge_lifetime 2 minutes
94439e4e 1795#auth_param basic program <uncomment and complete this line>
0976f8db 1796 auth_param basic children 5
1797 auth_param basic realm Squid proxy-caching web server
1798 auth_param basic credentialsttl 2 hours
1799 NOCOMMENT_END
1800 DOC_END
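An added example, not part of cf.data.pre and not one of Squid's bundled helpers: a minimal external authenticator for the basic scheme that follows the exchange described above (one "username password" line in, "OK" or "ERR" out, in an endless loop). The user table, salt and PBKDF2 parameters are constructed assumptions.

```python
import hashlib
import hmac
import sys

ITERATIONS = 100_000  # assumed work factor for this illustration


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user table: username -> (salt, derived key). A real helper would
# load this from a protected file instead of embedding it.
USERS = {
    "alice": (b"constructed-salt", hash_password("correct horse", b"constructed-salt")),
}

# Used for unknown users so that every request costs one key derivation,
# which avoids revealing valid usernames through response time.
DUMMY = (b"dummy-salt", hash_password("dummy", b"dummy-salt"))


def check_line(line, users=USERS):
    """Validate one 'username password' request line; return 'OK' or 'ERR'."""
    # Split on the first space only, so the password may itself contain spaces.
    username, sep, password = line.rstrip("\r\n").partition(" ")
    if not sep or not username:
        return "ERR"
    salt, expected = users.get(username, DUMMY)
    candidate = hash_password(password, salt)
    # Constant-time comparison of the derived keys.
    matches = hmac.compare_digest(candidate, expected)
    return "OK" if matches and username in users else "ERR"


def serve(inp=sys.stdin, out=sys.stdout):
    """Answer requests until Squid closes the pipe."""
    for line in inp:
        out.write(check_line(line) + "\n")
        # Squid waits for each reply; a buffered answer would stall the client.
        out.flush()


if __name__ == "__main__":
    serve()
```

Each running copy handles one request at a time, which corresponds to "auth_param basic concurrency 0" with the process count set by the "children" parameter.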
1801
1802 NAME: authenticate_cache_garbage_interval
1803 TYPE: time_t
1804 DEFAULT: 1 hour
1805 LOC: Config.authenticateGCInterval
1806 DOC_START
1807 The time period between garbage collection across the
1808 username cache. This is a tradeoff between memory utilisation
1809 (long intervals - say 2 days) and CPU (short intervals -
1810 say 1 minute). Only change if you have good reason to.
1811 DOC_END
1812
1813 NAME: authenticate_ttl
1814 TYPE: time_t
1815 DEFAULT: 1 hour
1816 LOC: Config.authenticateTTL
1817 DOC_START
1818 The time a user & their credentials stay in the logged in
1819 user cache since their last request. When the garbage
1820 interval passes, all user credentials that have passed their
1821 TTL are removed from memory.
1822 DOC_END
1823
1824 NAME: authenticate_ip_ttl
1825 TYPE: time_t
1826 LOC: Config.authenticateIpTTL
1827 DEFAULT: 0 seconds
1828 DOC_START
1829 If you use proxy authentication and the 'max_user_ip' ACL,
1830 this directive controls how long Squid remembers the IP
1831 addresses associated with each user. Use a small value
1832 (e.g., 60 seconds) if your users might change addresses
1833 quickly, as is the case with dialups. You might be safe
1834 using a larger value (e.g., 2 hours) in a corporate LAN
1835 environment with relatively static address assignments.
1836 DOC_END
1837
1838 NAME: external_acl_type
1839 TYPE: externalAclHelper
1840 LOC: Config.externalAclHelperList
1841 DEFAULT: none
1842 DOC_START
1843 This option defines external acl classes using a helper program
1844 to look up the status
1845
1846 external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
1847
1848 Options:
1849
1850 ttl=n TTL in seconds for cached results (defaults to 3600
1851 for 1 hour)
1852 negative_ttl=n
1853 TTL for cached negative lookups (default same
1854 as ttl)
1855 children=n Number of acl helper processes to spawn to service
1856 external acl lookups of this type.
1857 concurrency=n concurrency level per process. Use 0 for old style
1858 helpers who can only process a single request at a
1859 time.
1860 cache=n result cache size, 0 is unbounded (default)
1861 grace=n Percentage remaining of TTL where a refresh of a
1862 cached entry should be initiated without needing to
1863 wait for a new reply. (default 0 for no grace period)
1864
1865 FORMAT specifications
1866
1867 %LOGIN Authenticated user login name
1868 %IDENT Ident user name
1869 %SRC Client IP
1870 %SRCPORT Client source port
1871 %DST Requested host
1872 %PROTO Requested protocol
1873 %PORT Requested port
1874 %PATH Requested URL path
1875 %METHOD Request method
1876 %MYADDR Squid interface address
1877 %MYPORT Squid http_port number
1878 %USER_CERT_xx SSL User certificate attribute xx
1879 %USER_CA_xx SSL User certificate CA attribute xx
1880 %{Header}
1881
1882 HTTP request header
1883
1884 %{Hdr:member} HTTP request header list member
1885
1886 %{Hdr:;member}
1887 HTTP request header list member using ; as
1888 list separator. ; can be any non-alphanumeric
1889 character.
1890
1891 In addition, any string specified in the referencing acl will
1892 also be included in the helper request line, after the specified
1893 formats (see the "acl external" directive)
1894
1895 The helper receives lines per the above format specification,
1896 and returns lines starting with OK or ERR indicating the validity
1897 of the request and optionally followed by additional keywords with
1898 more details.
1899
1900 General result syntax:
1901
1902 OK/ERR keyword=value ...
1903
1904 Defined keywords:
1905
1906 user= The user's name (login)
1907 password= The user's password (for login= cache_peer option)
1908 message= Message describing the reason. Available as %o
1909 in error pages
1910 tag= Apply a tag to a request (for both ERR and OK results)
1911 Only sets a tag, does not alter existing tags.
1912 log= String to be logged in access.log. Available as
1913 %ea in logformat specifications
1914
1915 Keyword values need to be enclosed in quotes if they may
1916 contain whitespace, or the whitespace escaped using \. Any
1917 quotes or \ characters within the keyword value must be \
1918 escaped.
1919 DOC_END
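The helper exchange described above for external_acl_type, as an added example that is not part of cf.data.pre or the Squid sources. It assumes a hypothetical class defined with FORMAT "%LOGIN %SRC", concurrency=0, whitespace-separated request fields, and a constructed policy table; the reply side applies the quoting rules stated in the documentation (quote values containing whitespace, backslash-escape quotes and backslashes).

```python
import ipaddress
import sys

# Constructed policy for this example: login name -> network the user may come from.
ALLOWED_NETS = {
    "alice": ipaddress.ip_network("192.168.1.0/24"),
    "bob": ipaddress.ip_network("192.168.2.0/24"),
}


def quote_value(value):
    """Encode a keyword value for a helper reply line.

    Quotes and backslashes are always backslash-escaped; the value is
    wrapped in double quotes when it contains whitespace.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    if any(ch.isspace() for ch in value):
        return '"' + escaped + '"'
    return escaped


def format_reply(ok, **keywords):
    """Build 'OK/ERR keyword=value ...' from the given keywords, in order."""
    parts = ["OK" if ok else "ERR"]
    for key, value in keywords.items():
        parts.append(key + "=" + quote_value(str(value)))
    return " ".join(parts)


def decide(request_line):
    """Answer one request line of the assumed form '<login> <client-ip>'."""
    fields = request_line.split()
    if len(fields) < 2:
        return format_reply(False, message="malformed helper request")
    login, src = fields[0], fields[1]
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return format_reply(False, message="bad client address", log="bad-src")
    net = ALLOWED_NETS.get(login)
    if net is None:
        # The login is client-supplied, so it goes through quote_value() like
        # every other value before it reaches the error page or access.log.
        return format_reply(False, message='unknown user "%s"' % login,
                            log="unknown-user")
    if addr not in net:
        return format_reply(False,
                            message="%s not allowed from %s" % (login, addr),
                            tag="wrong-net", log="wrong-net")
    return format_reply(True, user=login, tag="lan-user")


def main():
    # One reply per request line; flush so Squid is never left waiting.
    for line in sys.stdin:
        sys.stdout.write(decide(line.rstrip("\n")) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```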
9e7dbc51 1920
0976f8db 1921 COMMENT_START
1922 OPTIONS FOR TUNING THE CACHE
1923 -----------------------------------------------------------------------------
1924 COMMENT_END
9e7dbc51 1925
0976f8db 1926 NAME: wais_relay_host
9e7dbc51 1927
0976f8db 1928 TYPE: string
1929
1930 DEFAULT: none
1931
1932 LOC: Config.Wais.relayHost
1933 DOC_NONE
1934
1935 NAME: wais_relay_port
1936
1937 TYPE: ushort
1938
1939 DEFAULT: 0
1940
1941 LOC: Config.Wais.relayPort
1942 DOC_START
1943 Relay WAIS request to host (1st arg) at port (2nd arg).
1944 DOC_END
1945
1946
1947 NAME: request_header_max_size
1948
1949 COMMENT: (KB)
1950
1951 TYPE: b_size_t
1952
1953 DEFAULT: 10 KB
1954
1955 LOC: Config.maxRequestHeaderSize
1956 DOC_START
1957 This specifies the maximum size for HTTP headers in a request.
1958 Request headers are usually relatively small (about 512 bytes).
1959 Placing a limit on the request header size will catch certain
1960 bugs (for example with persistent connections) and possibly
1961 buffer-overflow or denial-of-service attacks.
1962 DOC_END
1963
1964 NAME: request_body_max_size
1965
1966 COMMENT: (KB)
1967
1968 TYPE: b_size_t
1969
1970 DEFAULT: 0 KB
1971
1972 LOC: Config.maxRequestBodySize
1973 DOC_START
1974 This specifies the maximum size for an HTTP request body.
1975 In other words, the maximum size of a PUT/POST request.
1976 A user who attempts to send a request with a body larger
1977 than this limit receives an "Invalid Request" error message.
1978 If you set this parameter to a zero (the default), there will
1979 be no limit imposed.
1980 DOC_END
1981
1982 NAME: refresh_pattern
1983
1984 TYPE: refreshpattern
1985
1986 LOC: Config.Refresh
1987
1988 DEFAULT: none
1989 DOC_START
1990
1991 usage: refresh_pattern [-i] regex min percent max [options]
1992
1993 By default, regular expressions are CASE-SENSITIVE. To make
1994 them case-insensitive, use the -i option.
1995
1996 'Min' is the time (in minutes) an object without an explicit
1997 expiry time should be considered fresh. The recommended
1998 value is 0; any higher values may cause dynamic applications
1999 to be erroneously cached unless the application designer
2000 has taken the appropriate actions.
2001
2002 'Percent' is a percentage of the object's age (time since last
2003 modification) for which an object without explicit expiry time
2004 will be considered fresh.
2005
2006 'Max' is an upper limit on how long objects without an explicit
2007 expiry time will be considered fresh.
2008
2009 options: override-expire
2010 override-lastmod
2011 reload-into-ims
2012 ignore-reload
2013
2014 override-expire enforces min age even if the server
2015
2016 sent an Expires: header. Doing this VIOLATES the HTTP
2017 standard. Enabling this feature could make you liable
2018 for problems which it causes.
2019
2020 override-lastmod enforces min age even on objects
2021 that were modified recently.
2022
2023 reload-into-ims changes client no-cache or ``reload''
2024 to If-Modified-Since requests. Doing this VIOLATES the
2025 HTTP standard. Enabling this feature could make you
2026 liable for problems which it causes.
2027
2028 ignore-reload ignores a client no-cache or ``reload''
2029 header. Doing this VIOLATES the HTTP standard. Enabling
2030 this feature could make you liable for problems which
2031 it causes.
2032
2033 Basically a cached object is:
2034
2035 FRESH if expires < now, else STALE
2036 STALE if age > max
2037 FRESH if lm-factor < percent, else STALE
2038 FRESH if age < min
2039 else STALE
2040
2041 The refresh_pattern lines are checked in the order listed here.
2042 The first entry which matches is used. If none of the entries
2043 match, then the default will be used.
2044
2045 Note, you must uncomment all the default lines if you want
2046 to change one. The default setting is only active if none is
2047 used.
2048
2049 Suggested default:
2050 NOCOMMENT_START
2051
2052 refresh_pattern ^ftp: 1440 20% 10080
2053
2054 refresh_pattern ^gopher: 1440 0% 1440
2055 refresh_pattern . 0 20% 4320
2056 NOCOMMENT_END
2057 DOC_END
2058
2059 NAME: quick_abort_min
2060
2061 COMMENT: (KB)
2062
2063 TYPE: kb_size_t
2064
2065 DEFAULT: 16 KB
2066
2067 LOC: Config.quickAbort.min
2068 DOC_NONE
2069
2070 NAME: quick_abort_max
2071
2072 COMMENT: (KB)
2073
2074 TYPE: kb_size_t
2075
2076 DEFAULT: 16 KB
2077
2078 LOC: Config.quickAbort.max
2079 DOC_NONE
2080
2081 NAME: quick_abort_pct
2082
2083 COMMENT: (percent)
2084
2085 TYPE: int
2086
2087 DEFAULT: 95
2088
2089 LOC: Config.quickAbort.pct
2090 DOC_START
2091 The cache by default continues downloading aborted requests
2092 which are almost completed (less than 16 KB remaining). This
2093 may be undesirable on slow (e.g. SLIP) links and/or very busy
2094 caches. Impatient users may tie up file descriptors and
2095 bandwidth by repeatedly requesting and immediately aborting
2096 downloads.
2097
2098 When the user aborts a request, Squid will check the
2099 quick_abort values against the amount of data transferred until
2100 then.
2101
2102 If the transfer has less than 'quick_abort_min' KB remaining,
2103 it will finish the retrieval.
2104
2105 If the transfer has more than 'quick_abort_max' KB remaining,
2106 it will abort the retrieval.
2107
2108 If more than 'quick_abort_pct' of the transfer has completed,
2109 it will finish the retrieval.
2110
2111 If you do not want any retrieval to continue after the client
2112 has aborted, set both 'quick_abort_min' and 'quick_abort_max'
2113 to '0 KB'.
2114
2115 If you want retrievals to always continue if they are being
2116 cached then set 'quick_abort_min' to '-1 KB'.
2117 DOC_END
2118
2119 NAME: read_ahead_gap
2120
2121 COMMENT: buffer-size
2122
2123 TYPE: kb_size_t
2124
2125 LOC: Config.readAheadGap
2126
2127 DEFAULT: 16 KB
2128 DOC_START
2129 The amount of data the cache will buffer ahead of what has been
2130 sent to the client when retrieving an object from another server.
2131 DOC_END
2132
2133 NAME: negative_ttl
2134
2135 COMMENT: time-units
2136
2137 TYPE: time_t
2138
2139 LOC: Config.negativeTtl
2140
2141 DEFAULT: 5 minutes
2142 DOC_START
2143 Time-to-Live (TTL) for failed requests. Certain types of
2144 failures (such as "connection refused" and "404 Not Found") are
2145 negatively-cached for a configurable amount of time. The
2146 default is 5 minutes. Note that this is different from
2147 negative caching of DNS lookups.
2148 DOC_END
9e7dbc51 2149
9e7dbc51 2150
0976f8db 2151 NAME: positive_dns_ttl
9e7dbc51 2152
0976f8db 2153 COMMENT: time-units
9e7dbc51 2154
0976f8db 2155 TYPE: time_t
9e7dbc51 2156
0976f8db 2157 LOC: Config.positiveDnsTtl
9e7dbc51 2158
0976f8db 2159 DEFAULT: 6 hours
2160 DOC_START
2161 Time-to-Live (TTL) for positive caching of successful DNS lookups.
2162 Default is 6 hours (360 minutes). If you want to minimize the
2163 use of Squid's ipcache, set this to 1, not 0.
2164 DOC_END
9e7dbc51 2165
9e7dbc51 2166
0976f8db 2167 NAME: negative_dns_ttl
2168 COMMENT: time-units
2169 TYPE: time_t
2170 LOC: Config.negativeDnsTtl
2171 DEFAULT: 5 minutes
2172 DOC_START
2173 Time-to-Live (TTL) for negative caching of failed DNS lookups.
2174 DOC_END
2175
2176 NAME: range_offset_limit
2177 COMMENT: (bytes)
2178 TYPE: b_size_t
2179 LOC: Config.rangeOffsetLimit
2180 DEFAULT: 0 KB
2181 DOC_START
2182 Sets an upper limit on how far into the file a Range request
2183 may be to cause Squid to prefetch the whole file. If beyond this
2184 limit then Squid forwards the Range request as it is and the result
2185 is NOT cached.
2186
2187 This is to stop a far ahead range request (let's say start at 17MB)
2188 from making Squid fetch the whole object up to that point before
2189 sending anything to the client.
2190
2191 A value of -1 causes Squid to always fetch the object from the
2192 beginning so that it may cache the result. (2.0 style)
2193
2194 A value of 0 causes Squid to never fetch more than the
2195 client requested. (default)
2196 DOC_END
2197
2198
2199 COMMENT_START
2200 TIMEOUTS
2201 -----------------------------------------------------------------------------
2202 COMMENT_END
2203
2204 NAME: connect_timeout
2205 COMMENT: time-units
2206 TYPE: time_t
2207 LOC: Config.Timeout.connect
2208 DEFAULT: 2 minutes
2209 DOC_START
2210 Some systems (notably Linux) can not be relied upon to properly
2211 time out connect(2) requests. Therefore the Squid process
2212 enforces its own timeout on server connections. This parameter
2213 specifies how long to wait for the connect to complete. The
2214 default is two minutes (120 seconds).
2215 DOC_END
2216
2217 NAME: peer_connect_timeout
2218 COMMENT: time-units
2219 TYPE: time_t
2220 LOC: Config.Timeout.peer_connect
2221 DEFAULT: 30 seconds
2222 DOC_START
2223 This parameter specifies how long to wait for a pending TCP
2224 connection to a peer cache. The default is 30 seconds. You
2225 may also set different timeout values for individual neighbors
2226 with the 'connect-timeout' option on a 'cache_peer' line.
2227 DOC_END
2228
2229 NAME: read_timeout
2230 COMMENT: time-units
2231 TYPE: time_t
2232 LOC: Config.Timeout.read
2233 DEFAULT: 15 minutes
2234 DOC_START
2235 The read_timeout is applied on server-side connections. After
2236 each successful read(), the timeout will be extended by this
2237 amount. If no data is read again after this amount of time,
2238 the request is aborted and logged with ERR_READ_TIMEOUT. The
2239 default is 15 minutes.
2240 DOC_END
2241
2242
2243 NAME: request_timeout
2244 TYPE: time_t
2245 LOC: Config.Timeout.request
2246 DEFAULT: 5 minutes
2247 DOC_START
2248 How long to wait for an HTTP request after initial
2249 connection establishment.
2250 DOC_END
2251
2252
2253 NAME: persistent_request_timeout
2254 TYPE: time_t
2255 LOC: Config.Timeout.persistent_request
2256 DEFAULT: 1 minute
2257 DOC_START
2258 How long to wait for the next HTTP request on a persistent
2259 connection after the previous request completes.
2260 DOC_END
2261
2262
2263 NAME: client_lifetime
2264 COMMENT: time-units
2265 TYPE: time_t
2266 LOC: Config.Timeout.lifetime
2267 DEFAULT: 1 day
2268 DOC_START
2269 The maximum amount of time that a client (browser) is allowed to
2270 remain connected to the cache process. This protects the Cache
2271 from having a lot of sockets (and hence file descriptors) tied up
2272 in a CLOSE_WAIT state from remote clients that go away without
2273 properly shutting down (either because of a network failure or
2274 because of a poor client implementation). The default is one
2275 day, 1440 minutes.
2276
2277 NOTE: The default value is intended to be much larger than any
2278 client would ever need to be connected to your cache. You
2279 should probably change client_lifetime only as a last resort.
2280 If you seem to have many client connections tying up
2281 file descriptors, we recommend first tuning the read_timeout,
2282 request_timeout, persistent_request_timeout and quick_abort values.
2283 DOC_END
2284
2285 NAME: half_closed_clients
2286 TYPE: onoff
2287 LOC: Config.onoff.half_closed_clients
2288 DEFAULT: on
2289 DOC_START
2290 Some clients may shutdown the sending side of their TCP
2291 connections, while leaving their receiving sides open. Sometimes,
2292 Squid can not tell the difference between a half-closed and a
2293 fully-closed TCP connection. By default, half-closed client
2294 connections are kept open until a read(2) or write(2) on the
2295 socket returns an error. Change this option to 'off' and Squid
2296 will immediately close client connections when read(2) returns
2297 "no more data to read."
2298 DOC_END
2299
2300 NAME: pconn_timeout
2301 TYPE: time_t
2302 LOC: Config.Timeout.pconn
2303 DEFAULT: 120 seconds
2304 DOC_START
2305 Timeout for idle persistent connections to servers and other
2306 proxies.
2307 DOC_END
2308
2309 NAME: ident_timeout
2310 TYPE: time_t
2311 IFDEF: USE_IDENT
2312 LOC: Config.Timeout.ident
2313 DEFAULT: 10 seconds
2314 DOC_START
2315 Maximum time to wait for IDENT lookups to complete.
2316
2317 If this is too high, and you enabled IDENT lookups from untrusted
2318 users, then you might be susceptible to denial-of-service by having
2319 many ident requests going at once.
2320 DOC_END
2321
2322
2323 NAME: shutdown_lifetime
2324 COMMENT: time-units
2325 TYPE: time_t
2326 LOC: Config.shutdownLifetime
2327 DEFAULT: 30 seconds
2328 DOC_START
2329 When SIGTERM or SIGHUP is received, the cache is put into
2330 "shutdown pending" mode until all active sockets are closed.
2331 This value is the lifetime to set for all open descriptors
2332 during shutdown mode. Any active clients after this many
2333 seconds will receive a 'timeout' message.
2334 DOC_END
2335
2336 COMMENT_START
2337 ACCESS CONTROLS
2338 -----------------------------------------------------------------------------
2339 COMMENT_END
2340
2341 NAME: acl
2342 TYPE: acl
2343 LOC: Config.aclList
2344 DEFAULT: none
2345 DOC_START
2346 Defining an Access List
2347
2348 acl aclname acltype string1 ...
2349 acl aclname acltype "file" ...
2350
2351 when using "file", the file should contain one item per line
2352
2353 acltype is one of the types described below
2354
2355 By default, regular expressions are CASE-SENSITIVE. To make
2356 them case-insensitive, use the -i option.
2357
2358 acl aclname src ip-address/netmask ... (clients IP address)
2359 acl aclname src addr1-addr2/netmask ... (range of addresses)
2360 acl aclname dst ip-address/netmask ... (URL host's IP address)
2361 acl aclname myip ip-address/netmask ... (local socket IP address)
2362
2363 acl aclname srcdomain .foo.com ... # reverse lookup, client IP
2364 acl aclname dstdomain .foo.com ... # Destination server from URL
2365 acl aclname srcdom_regex [-i] xxx ... # regex matching client name
2366 acl aclname dstdom_regex [-i] xxx ... # regex matching server
9e7dbc51 2367 # For dstdomain and dstdom_regex a reverse lookup is tried if an IP
2368 # based URL is used. The name "none" is used if the reverse lookup
2369 # fails.
2370
0976f8db 2371 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
2372
2373 day-abbrevs:
2374 S - Sunday
2375 M - Monday
2376 T - Tuesday
2377 W - Wednesday
2378 H - Thursday
2379 F - Friday
2380 A - Saturday
2381
2382 h1:m1 must be less than h2:m2
2383
2384 acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
2385 acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
2386 acl aclname port 80 70 21 ...
2387 acl aclname port 0-1024 ... # ranges allowed
2388 acl aclname myport 3128 ... # (local socket TCP port)
2389 acl aclname proto HTTP FTP ...
2390 acl aclname method GET POST ...
2391 acl aclname browser [-i] regexp ...
2392# pattern match on User-Agent header
2393 acl aclname referer_regex [-i] regexp ...
2394# pattern match on Referer header
9e7dbc51 2395 # Referer is highly unreliable, so use with care
0976f8db 2396 acl aclname ident username ...
2397 acl aclname ident_regex [-i] pattern ...
2398# string match on ident output.
9e7dbc51 2399 # use REQUIRED to accept any non-null ident.
0976f8db 2400 acl aclname src_as number ...
2401 acl aclname dst_as number ...
2402# Except for access control, AS numbers can be used for
9e7dbc51 2403 # routing of requests to specific caches. Here's an
2404 # example for routing all requests for AS#1241 and only
6468fe10 2405 # those to mycache.mydomain.net:
2406 # acl asexample dst_as 1241
d87ebd78 2407 # cache_peer_access mycache.mydomain.net allow asexample
2408 # cache_peer_access mycache.mydomain.net deny all
6468fe10 2409
0976f8db 2410 acl aclname proxy_auth [-i] username ...
2411 acl aclname proxy_auth_regex [-i] pattern ...
2412# list of valid usernames
c68e9c6b 2413 # use REQUIRED to accept any valid username.
73e67ee0 2414 #
2415 # NOTE: when a Proxy-Authentication header is sent but it is not
2416 # needed during ACL checking the username is NOT logged
2417 # in access.log.
c68e9c6b 2418 #
2419 # NOTE: proxy_auth requires an EXTERNAL authentication program
2420 # to check username/password combinations (see
f7d2a450 2421 # auth_param directive).
c68e9c6b 2422 #
d048c262 2423 # NOTE: proxy_auth can't be used in a transparent proxy as
2424 # the browser needs to be configured for using a proxy in order
2425 # to respond to proxy authentication.
934b03fc 2426
0976f8db 2427 acl aclname snmp_community string ...
2428# A community string to limit access to your SNMP Agent
dba79ac5 2429 # Example:
96d88dcb 2430 #
dba79ac5 2431 # acl snmppublic snmp_community public
2432
0976f8db 2433 acl aclname maxconn number
2434# This will be matched when the client's IP address has
9bc73deb 2435 # more than <number> HTTP connections established.
2436
0976f8db 2437 acl aclname max_user_ip [-s] number
2438# This will be matched when the user attempts to log in from more
c23e89cd 2439 # than <number> different ip addresses. The authenticate_ip_ttl
60d096f4 2440 # parameter controls the timeout on the ip entries.
be5caa55 2441 # If -s is specified then the limit is strict, denying browsing
2442 # from any further IP addresses until the ttl has expired. Without
c23e89cd 2443 # -s Squid will just annoy the user by "randomly" denying requests.
be5caa55 2444 # (the counter is then reset each time the limit is reached and a
2445 # request is denied)
2446 # NOTE: in acceleration mode or where there is a mesh of child proxies,
c23e89cd 2447 # clients may appear to come from multiple addresses if they are
be5caa55 2448 # going through proxy farms, so a limit of 1 may cause user problems.
60d096f4 2449
cccac0a2 2450 acl aclname req_mime_type mime-type1 ...
2451 # regex match against the mime type of the request generated
ba2b31a8 2452 # by the client. Can be used to detect file upload or some
2453 # types of HTTP tunnelling requests.
2454 # NOTE: This does NOT match the reply. You cannot use this
2455 # to match the returned file type.
c68e9c6b 2456
cccac0a2 2457 acl aclname rep_mime_type mime-type1 ...
2458 # regex match against the mime type of the reply received by
c4ab8329 2459 # squid. Can be used to detect file download or some
2460 # types of HTTP tunnelling requests.
2461 # NOTE: This has no effect in http_access rules. It only has
2462 # effect in rules that affect the reply data stream such as
2463 # http_reply_access.
2464
cccac0a2 2465 acl acl_name external class_name [arguments...]
2466 # external ACL lookup via a helper class defined by the
d9572179 2467 # external_acl_type directive.
c4ab8329 2468
cccac0a2 2469 acl aclname user_cert attribute values...
2470 # match against attributes in a user SSL certificate
a7ad6e4e 2471 # attribute is one of DN/C/O/CN/L/ST
2472
cccac0a2 2473 acl aclname ca_cert attribute values...
2474 # match against attributes in a user's issuing CA SSL certificate
a7ad6e4e 2475 # attribute is one of DN/C/O/CN/L/ST
2476
cccac0a2 2477 acl aclname ext_user username ...
2478 acl aclname ext_user_regex [-i] pattern ...
2479 # string match on username returned by external acl processing
d95b862f 2480 # use REQUIRED to accept any non-null user name.
2481
cccac0a2 2482Examples:
2483acl myexample dst_as 1241
2484acl password proxy_auth REQUIRED
2485acl fileupload req_mime_type -i ^multipart/form-data$
2486acl javascript rep_mime_type -i ^application/x-javascript$
c68e9c6b 2487
cccac0a2 2488NOCOMMENT_START
6b53c392 2489#Recommended minimum configuration:
cccac0a2 2490acl all src 0.0.0.0/0.0.0.0
2491acl manager proto cache_object
2492acl localhost src 127.0.0.1/255.255.255.255
2493acl to_localhost dst 127.0.0.0/8
2494acl SSL_ports port 443 563
2495acl Safe_ports port 80 # http
2496acl Safe_ports port 21 # ftp
2497acl Safe_ports port 443 563 # https, snews
2498acl Safe_ports port 70 # gopher
2499acl Safe_ports port 210 # wais
2500acl Safe_ports port 1025-65535 # unregistered ports
2501acl Safe_ports port 280 # http-mgmt
2502acl Safe_ports port 488 # gss-http
2503acl Safe_ports port 591 # filemaker
2504acl Safe_ports port 777 # multiling http
2505acl CONNECT method CONNECT
2506NOCOMMENT_END
2507DOC_END
2508
2509NAME: http_access
2510TYPE: acl_access
2511LOC: Config.accessList.http
2512DEFAULT: none
2513DEFAULT_IF_NONE: deny all
2514DOC_START
2515 Allowing or Denying access based on defined access lists
2516
2517 Access to the HTTP port:
2518 http_access allow|deny [!]aclname ...
2519
2520 NOTE on default values:
2521
2522 If there are no "access" lines present, the default is to deny
2523 the request.
2524
2525 If none of the "access" lines cause a match, the default is the
2526 opposite of the last line in the list. If the last line was
2527 deny, then the default is allow. Conversely, if the last line
2528 is allow, the default will be deny. For these reasons, it is a
2529 good idea to have a "deny all" or "allow all" entry at the end
2530 of your access lists to avoid potential confusion.
2531
2532NOCOMMENT_START
6b53c392 2533#Recommended minimum configuration:
2534#
2535# Only allow cachemgr access from localhost
cccac0a2 2536http_access allow manager localhost
2537http_access deny manager
6b53c392 2538# Deny requests to unknown ports
cccac0a2 2539http_access deny !Safe_ports
6b53c392 2540# Deny CONNECT to other than SSL ports
cccac0a2 2541http_access deny CONNECT !SSL_ports
c68e9c6b 2542#
4cc6eb12 2543# We strongly recommend to uncomment the following to protect innocent
2544# web applications running on the proxy server who think that the only
2545# one who can access services on "localhost" is a local user
2546#http_access deny to_localhost
c68e9c6b 2547#
4cc6eb12 2548# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
2549
b9d7fe3e 2550# Example rule allowing access from your local networks. Adapt
2551# to list your (internal) IP networks from where browsing should
2552# be allowed
2553#acl our_networks src 192.168.1.0/24 192.168.2.0/24
2554#http_access allow our_networks
2555
6b53c392 2556# And finally deny all other access to this proxy
cccac0a2 2557http_access deny all
2558NOCOMMENT_END
2559DOC_END
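The matching rules described above for http_access, as an added example that is not part of cf.data.pre or the Squid sources: a small model of first-match evaluation with the "opposite of the last line" fallback, run over the recommended minimum configuration and over the same list with its final "deny all" removed. The request dictionaries, the enabled our_networks rule and the sample client addresses are constructed for illustration.

```python
import ipaddress


def src(*nets):
    """ACL of type 'src': true when the client address is in a listed network."""
    networks = [ipaddress.ip_network(n) for n in nets]
    return lambda req: any(ipaddress.ip_address(req["src"]) in n for n in networks)


def port(*ranges):
    """ACL of type 'port': each entry is an inclusive (low, high) range."""
    return lambda req: any(lo <= req["port"] <= hi for lo, hi in ranges)


# ACL definitions mirroring the recommended minimum configuration.
ACLS = {
    "all": src("0.0.0.0/0"),
    "manager": lambda req: req["proto"] == "cache_object",
    "localhost": src("127.0.0.1/32"),
    "SSL_ports": port((443, 443), (563, 563)),
    "Safe_ports": port((80, 80), (21, 21), (443, 443), (563, 563), (70, 70),
                       (210, 210), (1025, 65535), (280, 280), (488, 488),
                       (591, 591), (777, 777)),
    "CONNECT": lambda req: req["method"] == "CONNECT",
    "our_networks": src("192.168.1.0/24", "192.168.2.0/24"),
}

RECOMMENDED = """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_networks
http_access deny all
"""

# Same list cut off after the last deny rule: nothing terminates it.
NO_TERMINATOR = """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""


def parse_rules(text):
    """Parse 'http_access allow|deny [!]aclname ...' lines into (action, terms)."""
    rules = []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) < 3 or words[0] != "http_access":
            continue
        if words[1] not in ("allow", "deny"):
            raise ValueError("bad action in: " + line)
        terms = [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]
        rules.append((words[1], terms))
    return rules


def evaluate(rules, req, acls=ACLS):
    """Return 'allow' or 'deny' for one request."""
    if not rules:
        return "deny"  # no access lines present: the request is denied
    for action, terms in rules:
        # Every ACL on the line must match (after negation) for the line to apply.
        if all(acls[name](req) != negated for negated, name in terms):
            return action
    # No line matched: the default is the opposite of the last line.
    return "allow" if rules[-1][0] == "deny" else "deny"


def request(client, dport, method="GET", proto="HTTP"):
    """Build a constructed sample request."""
    return {"src": client, "port": dport, "method": method, "proto": proto}
```

With NO_TERMINATOR, a plain GET from an outside address matches none of the lines and is allowed because the last line is a deny, which is the confusion the closing "deny all" removes.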
c4ab8329 2560
cccac0a2 2561NAME: http_reply_access
2562TYPE: acl_access
2563LOC: Config.accessList.reply
2564DEFAULT: none
2565DEFAULT_IF_NONE: allow all
2566DOC_START
2567 Allow replies to client requests. This is complementary to http_access.
c4ab8329 2568
cccac0a2 2569 http_reply_access allow|deny [!] aclname ...
0976f8db 2570
cccac0a2 2571 NOTE: if there are no access lines present, the default is to allow
2572 all replies
0976f8db 2573
cccac0a2 2574 If none of the access lines cause a match, then the opposite of the
2575 last line will apply. Thus it is good practice to end the rules
2576 with an "allow all" or "deny all" entry.
0976f8db 2577
cccac0a2 2578NOCOMMENT_START
c4ab8329 2579#Recommended minimum configuration:
2580#
2581# Insert your own rules here.
2582#
2583#
2584# and finally allow by default
cccac0a2 2585http_reply_access allow all
2586NOCOMMENT_END
2587DOC_END
6b53c392 2588
6b53c392 2589
cccac0a2 2590NAME: icp_access
2591TYPE: acl_access
2592LOC: Config.accessList.icp
2593DEFAULT: none
2594DEFAULT_IF_NONE: deny all
2595DOC_START
2596 Allowing or Denying access to the ICP port based on defined
2597 access lists
934b03fc 2598
cccac0a2 2599 icp_access allow|deny [!]aclname ...
0976f8db 2600
cccac0a2 2601 See http_access for details
0976f8db 2602
cccac0a2 2603NOCOMMENT_START
403b5e7b 2604#Allow ICP queries from everyone
cccac0a2 2605icp_access allow all
2606NOCOMMENT_END
2607DOC_END
934b03fc 2608
2609
cccac0a2 2610NAME: miss_access
2611TYPE: acl_access
2612LOC: Config.accessList.miss
2613DEFAULT: none
2614DOC_START
2615 Use to force your neighbors to use you as a sibling instead of
2616 a parent. For example:
934b03fc 2617
cccac0a2 2618 acl localclients src 172.16.0.0/16
2619 miss_access allow localclients
2620 miss_access deny !localclients
934b03fc 2621
cccac0a2 2622 This means that only your local clients are allowed to fetch
2623 MISSES and all other clients can only fetch HITS.
934b03fc 2624
cccac0a2 2625 By default, allow all clients who passed the http_access rules
2626 to fetch MISSES from us.
6b53c392 2627
cccac0a2 2628NOCOMMENT_START
6b53c392 2629#Default setting:
2630# miss_access allow all
cccac0a2 2631NOCOMMENT_END
2632DOC_END
2633
2634
2635NAME: cache_peer_access
2636TYPE: peer_access
2637DEFAULT: none
2638LOC: none
2639DOC_START
2640 Similar to 'cache_peer_domain' but provides more flexibility by
2641 using ACL elements.
2642
2643 cache_peer_access cache-host allow|deny [!]aclname ...
2644
2645 The syntax is identical to 'http_access' and the other lists of
2646 ACL elements. See the comments for 'http_access' below, or
2647 the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
2648DOC_END
2649
2650NAME: ident_lookup_access
2651TYPE: acl_access
2652IFDEF: USE_IDENT
2653DEFAULT: none
2654DEFAULT_IF_NONE: deny all
2655LOC: Config.accessList.identLookup
2656DOC_START
2657 A list of ACL elements which, if matched, cause an ident
2658 (RFC 931) lookup to be performed for this request. For
2659 example, you might choose to always perform ident lookups
2660 for your main multi-user Unix boxes, but not for your Macs
2661 and PCs. By default, ident lookups are not performed for
2662 any requests.
2663
2664 To enable ident lookups for specific client addresses, you
2665 can follow this example:
2666
2667 acl ident_aware_hosts src 198.168.1.0/255.255.255.0
2668 ident_lookup_access allow ident_aware_hosts
2669 ident_lookup_access deny all
2670
2671 Only src type ACL checks are fully supported. A src_domain
2672 ACL might work at times, but it will not always provide
2673 the correct result.
2674DOC_END
2675
2676NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
2677TYPE: acl_tos
2678DEFAULT: none
2679LOC: Config.accessList.outgoing_tos
2680DOC_START
2681 Allows you to select a TOS/Diffserv value to mark outgoing
2682 connections with, based on the username or source address
2683 making the request.
2684
2685 tcp_outgoing_tos ds-field [!]aclname ...
2686
2687 Example where normal_service_net uses the TOS value 0x00
2688 and good_service_net uses 0x20
2689
2690 acl normal_service_net src 10.0.0.0/255.255.255.0
2691 acl good_service_net src 10.0.1.0/255.255.255.0
2692 tcp_outgoing_tos 0x00 normal_service_net
2693 tcp_outgoing_tos 0x20 good_service_net
2694
2695 TOS/DSCP values really only have local significance - so you should
2696 know what you're specifying. For more, see RFC 2474
2697
2698 The TOS/DSCP byte must be exactly that - a byte, value 0 - 255, or
2699 "default" to use whatever default your host has.
2700
2701 Processing proceeds in the order specified, and stops at first fully
2702 matching line.
2703DOC_END
2704
2705NAME: tcp_outgoing_address
2706TYPE: acl_address
2707DEFAULT: none
2708LOC: Config.accessList.outgoing_address
2709DOC_START
2710 Allows you to map requests to different outgoing IP addresses
2711 based on the username or source address of the user making
2712 the request.
2713
2714 tcp_outgoing_address ipaddr [[!]aclname] ...
2715
2716 Example where requests from 10.0.0.0/24 will be forwarded
2717 with source address 10.1.0.1, 10.0.2.0/24 forwarded with
2718 source address 10.1.0.2 and the rest will be forwarded with
2719 source address 10.1.0.3.
2720
2721 acl normal_service_net src 10.0.0.0/255.255.255.0
2722 acl good_service_net src 10.0.1.0/255.255.255.0
2723 tcp_outgoing_address 10.0.0.1 normal_service_net
2724 tcp_outgoing_address 10.0.0.2 good_service_net
2725 tcp_outgoing_address 10.0.0.3
2726
2727 Processing proceeds in the order specified, and stops at first fully
2728 matching line.
2729DOC_END
2730
2731NAME: reply_body_max_size
2732COMMENT: size [acl acl...]
2733TYPE: acl_b_size_t
2734DEFAULT: none
2735LOC: Config.ReplyBodySize
2736DOC_START
2737 This option specifies the maximum size of a reply body. It can be
2738 used to prevent users from downloading very large files, such as
2739 MP3's and movies. When the reply headers are received, the
2740 reply_body_max_size lines are processed, and the first line where
2741 all (if any) listed acls are true is used as the maximum body size
2742 for this reply.
2743
2744 This size is then checked twice. First when we get the reply headers,
2745 we check the content-length value. If the content length value exists
2746 and is larger than the allowed size, the request is denied and the
2747 user receives an error message that says "the request or reply
2748 is too large." If there is no content-length, and the reply
2749 size exceeds this limit, the client's connection is just closed
2750 and they will receive a partial reply.
2751
2752 WARNING: downstream caches probably can not detect a partial reply
2753 if there is no content-length header, so they will cache
2754 partial responses and give them out as hits. You should NOT
2755 use this option if you have downstream caches.
2756
2757 WARNING: A maximum size smaller than the size of squid's error messages
2758 will cause an infinite loop and crash squid. Ensure that the smallest
2759 non-zero value you use is greater than the maximum header size plus
2760 the size of your largest error page.
2761
2762 If you set this parameter to none (the default), there will be
2763 no limit imposed.
2764DOC_END
2765
2766NAME: log_access
2767TYPE: acl_access
2768LOC: Config.accessList.log
2769DEFAULT: none
2770COMMENT: allow|deny acl acl...
2771DOC_START
2772 This option allows you to control which requests get logged
2773 to access.log (see access_log directive). Requests denied for
2774 logging will also not be accounted for in performance counters.
2775DOC_END
0976f8db 2776
cccac0a2 2777COMMENT_START
2778 ADMINISTRATIVE PARAMETERS
2779 -----------------------------------------------------------------------------
2780COMMENT_END
2781
2782NAME: cache_mgr
2783TYPE: string
2784DEFAULT: webmaster
2785LOC: Config.adminEmail
2786DOC_START
2787 Email-address of local cache manager who will receive
2788 mail if the cache dies. The default is "webmaster."
2789DOC_END
2790
2791
2792NAME: cache_effective_user
2793TYPE: string
2794DEFAULT: nobody
2795LOC: Config.effectiveUser
2796DOC_NONE
2797
2798NAME: cache_effective_group
2799TYPE: string
2800DEFAULT: none
2801LOC: Config.effectiveGroup
2802DOC_START
2803
2804 If you start Squid as root, it will change its effective/real
2805 UID/GID to the UID/GID specified below. The default is to
2806 change the UID to nobody. If you define cache_effective_user,
2807 but not cache_effective_group, Squid sets the GID to the
2808 effective user's default group ID (taken from the password
2809 file).
2810
2811 If Squid is not started as root, the cache_effective_user
2812 value is ignored and the GID value is unchanged by default.
2813 However, you can make Squid change its GID to another group
2814 that the process owner is a member of. Note that if Squid
2815 is not started as root then you cannot set http_port to a
2816 value lower than 1024.
2817DOC_END
2818
2819
2820NAME: visible_hostname
2821TYPE: string
2822LOC: Config.visibleHostname
2823DEFAULT: none
2824DOC_START
2825 If you want to present a special hostname in error messages, etc,
2826 then define this. Otherwise, the return value of gethostname()
2827 will be used. If you have multiple caches in a cluster and
2828 get errors about IP-forwarding you must set them to have individual
2829 names with this setting.
2830DOC_END
2831
2832
2833NAME: unique_hostname
2834TYPE: string
2835LOC: Config.uniqueHostname
2836DEFAULT: none
2837DOC_START
2838 If you want to have multiple machines with the same
2839 'visible_hostname' then you must give each machine a different
2840 'unique_hostname' so that forwarding loops can be detected.
2841DOC_END
2842
2843
2844NAME: hostname_aliases
2845TYPE: wordlist
2846LOC: Config.hostnameAliases
2847DEFAULT: none
2848DOC_START
2849 A list of other DNS names that your cache has.
2850DOC_END
0976f8db 2851
cccac0a2 2852COMMENT_START
2853 OPTIONS FOR THE CACHE REGISTRATION SERVICE
2854 -----------------------------------------------------------------------------
2855
2856 This section contains parameters for the (optional) cache
2857 announcement service. This service is provided to help
2858 cache administrators locate one another in order to join or
2859 create cache hierarchies.
2860
2861 An 'announcement' message is sent (via UDP) to the registration
2862 service by Squid. By default, the announcement message is NOT
2863 SENT unless you enable it with 'announce_period' below.
2864
2865 The announcement message includes your hostname, plus the
2866 following information from this configuration file:
2867
2868 http_port
2869 icp_port
2870 cache_mgr
2871
2872 All current information is processed regularly and made
2873 available on the Web at http://www.ircache.net/Cache/Tracker/.
2874COMMENT_END
2875
2876NAME: announce_period
2877TYPE: time_t
2878LOC: Config.Announce.period
2879DEFAULT: 0
2880DOC_START
2881 This is how frequently to send cache announcements. The
2882 default is `0' which disables sending the announcement
2883 messages.
2884
2885 To enable announcing your cache, just uncomment the line
2886 below.
2887
2888NOCOMMENT_START
9e7dbc51 2889#To enable announcing your cache, just uncomment the line below.
2890#announce_period 1 day
cccac0a2 2891NOCOMMENT_END
2892DOC_END
2893
2894
2895NAME: announce_host
2896TYPE: string
2897DEFAULT: tracker.ircache.net
2898LOC: Config.Announce.host
2899DOC_NONE
2900
2901NAME: announce_file
2902TYPE: string
2903DEFAULT: none
2904LOC: Config.Announce.file
2905DOC_NONE
2906
2907NAME: announce_port
2908TYPE: ushort
2909DEFAULT: 3131
2910LOC: Config.Announce.port
2911DOC_START
2912 announce_host and announce_port set the hostname and port
2913 number where the registration message will be sent.
2914
2915 Hostname will default to 'tracker.ircache.net' and port will
2916 default to 3131. If the 'filename' argument is given,
2917 the contents of that file will be included in the announce
2918 message.
2919DOC_END
2920
2921NAME: httpd_accel_surrogate_id
2922IFDEF: ESI
2923TYPE: string
2924LOC: Config.Accel.surrogate_id
2925DEFAULT: unset-id
2926DOC_START
2927 Surrogates (http://www.esi.org/architecture_spec_1.0.html)
2928 need an identification token to allow control targeting. Because
2929 a farm of surrogates may all perform the same tasks, they may share
2930 an identification token.
2931DOC_END
2932
2933NAME: http_accel_surrogate_remote
2934IFDEF: ESI
2935COMMENT: on|off
2936TYPE: onoff
2937DEFAULT: off
2938LOC: Config.onoff.surrogate_is_remote
2939DOC_START
2940 Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
2941 Set this to on to have squid behave as a remote surrogate.
2942DOC_END
2943
2944NAME: esi_parser
2945IFDEF: ESI
2946COMMENT: expat|custom
2947TYPE: string
2948LOC: ESIParser::Type
2949DEFAULT: custom
2950DOC_START
2951 ESI markup is not strictly XML compatible. The custom ESI parser
2952 will give higher performance, but cannot handle non ASCII character
2953 encodings.
2954DOC_END
0976f8db 2955
cccac0a2 2956COMMENT_START
2957 MISCELLANEOUS
2958 -----------------------------------------------------------------------------
2959COMMENT_END
2960
2961NAME: dns_testnames
2962TYPE: wordlist
2963LOC: Config.dns_testname_list
2964DEFAULT: none
2965DEFAULT_IF_NONE: netscape.com internic.net nlanr.net microsoft.com
2966DOC_START
2967 The DNS tests exit as soon as the first site is successfully looked up.
2968
2969 This test can be disabled with the -D command line option.
2970DOC_END
2971
2972
2973NAME: logfile_rotate
2974TYPE: int
2975DEFAULT: 10
2976LOC: Config.Log.rotateNumber
2977DOC_START
2978 Specifies the number of logfile rotations to make when you
2979 type 'squid -k rotate'. The default is 10, which will rotate
2980 with extensions 0 through 9. Setting logfile_rotate to 0 will
2981 disable the rotation, but the logfiles are still closed and
2982 re-opened. This will enable you to rename the logfiles
2983 yourself just before sending the rotate signal.
2984
2985 Note, the 'squid -k rotate' command normally sends a USR1
2986 signal to the running squid process. In certain situations
2987 (e.g. on Linux with Async I/O), USR1 is used for other
2988 purposes, so -k rotate uses another signal. It is best to get
2989 in the habit of using 'squid -k rotate' instead of 'kill -USR1
2990 <pid>'.
2991DOC_END
2992
2993
2994NAME: append_domain
2995TYPE: string
2996LOC: Config.appendDomain
2997DEFAULT: none
2998DOC_START
2999 Appends local domain name to hostnames without any dots in
3000 them. append_domain must begin with a period.
3001
3002 Be warned that there are now Internet names with no dots in
3003 them using only top-domain names, so setting this may
3004 cause some Internet sites to become unavailable.
3005
3006Example:
3007 append_domain .yourdomain.com
3008DOC_END
3009
3010
3011NAME: tcp_recv_bufsize
3012COMMENT: (bytes)
3013TYPE: b_size_t
3014DEFAULT: 0 bytes
3015LOC: Config.tcpRcvBufsz
3016DOC_START
3017 Size of receive buffer to set for TCP sockets. Probably just
3018 as easy to change your kernel's default. Set to zero to use
3019 the default buffer size.
3020DOC_END
3021
3022NAME: err_html_text
3023TYPE: eol
3024LOC: Config.errHtmlText
3025DEFAULT: none
3026DOC_START
3027 HTML text to include in error messages. Make this a "mailto"
3028 URL to your admin address, or maybe just a link to your
3029 organization's Web page.
3030
3031 To include this in your error messages, you must rewrite
3032 the error template files (found in the "errors" directory).
3033 Wherever you want the 'err_html_text' line to appear,
3034 insert a %L tag in the error template file.
3035DOC_END
3036
3037NAME: email_err_data
3038COMMENT: on|off
3039TYPE: onoff
3040LOC: Config.onoff.emailErrData
3041DEFAULT: on
3042DOC_START
3043 If enabled, information about the occurred error will be
3044 included in the mailto links of the ERR pages (if %W is set)
3045 so that the email body then contains the data.
3046 Syntax is <A HREF="mailto:%w%W">%w</A>
3047DOC_END
3048
3049
3050NAME: deny_info
3051TYPE: denyinfo
3052LOC: Config.denyInfoList
3053DEFAULT: none
3054DOC_START
3055 Usage: deny_info err_page_name acl
3056 or deny_info http://... acl
3057 Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
3058
3059 This can be used to return an ERR_ page for requests which
3060 do not pass the 'http_access' rules. A single ACL will cause
3061 the http_access check to fail. If a 'deny_info' line exists
3062 for that ACL then Squid returns a corresponding error page.
3063
3064 You may use ERR_ pages that come with Squid or create your own pages
3065 and put them into the configured errors/ directory.
3066
3067 Alternatively you can specify an error URL. The browsers will then
3068 get redirected (302) to the specified URL. %s in the redirection
3069 URL will be replaced by the requested URL.
3070
3071 Alternatively you can tell Squid to reset the TCP connection
3072 by specifying TCP_RESET.
3073DOC_END
3074
3075NAME: memory_pools
3076COMMENT: on|off
3077TYPE: onoff
3078DEFAULT: on
3079LOC: Config.onoff.mem_pools
3080DOC_START
3081 If set, Squid will keep pools of allocated (but unused) memory
3082 available for future use. If memory is a premium on your
3083 system and you believe your malloc library outperforms Squid
3084 routines, disable this.
3085DOC_END
3086
3087NAME: memory_pools_limit
3088COMMENT: (bytes)
3089TYPE: b_size_t
3090DEFAULT: none
3091LOC: Config.MemPools.limit
3092DOC_START
3093 Used only with memory_pools on:
3094 memory_pools_limit 50 MB
3095
3096 If set to a non-zero value, Squid will keep at most the specified
3097 limit of allocated (but unused) memory in memory pools. All free()
3098 requests that exceed this limit will be handled by your malloc
3099 library. Squid does not pre-allocate any memory, just safe-keeps
3100 objects that otherwise would be free()d. Thus, it is safe to set
3101 memory_pools_limit to a reasonably high value even if your
3102 configuration will use less memory.
3103
3104 If not set (default) or set to zero, Squid will keep all memory it
3105 can. That is, there will be no limit on the total amount of memory
3106 used for safe-keeping.
3107
3108 To disable memory allocation optimization, do not set
3109 memory_pools_limit to 0. Set memory_pools to "off" instead.
3110
3111 An overhead for maintaining memory pools is not taken into account
3112 when the limit is checked. This overhead is close to four bytes per
3113 object kept. However, pools may actually _save_ memory because of
3114 reduced memory thrashing in your malloc library.
3115DOC_END
3116
3117NAME: via
3118IFDEF: HTTP_VIOLATIONS
3119COMMENT: on|off
3120TYPE: onoff
3121DEFAULT: on
3122LOC: Config.onoff.via
3123DOC_START
3124 If set (default), Squid will include a Via header in requests and
3125 replies as required by RFC2616.
3126DOC_END
3127
3128NAME: forwarded_for
3129COMMENT: on|off
3130TYPE: onoff
3131DEFAULT: on
3132LOC: opt_forwarded_for
3133DOC_START
3134 If set, Squid will include your system's IP address or name
3135 in the HTTP requests it forwards. By default it looks like
3136 this:
3137
3138 X-Forwarded-For: 192.1.2.3
3139
3140 If you disable this, it will appear as
3141
3142 X-Forwarded-For: unknown
3143DOC_END
3144
3145NAME: log_icp_queries
3146COMMENT: on|off
3147TYPE: onoff
3148DEFAULT: on
3149LOC: Config.onoff.log_udp
3150DOC_START
3151 If set, ICP queries are logged to access.log. You may wish
3152 to disable this if your ICP load is VERY high to speed things
3153 up or to simplify log analysis.
3154DOC_END
3155
3156NAME: icp_hit_stale
3157COMMENT: on|off
3158TYPE: onoff
3159DEFAULT: off
3160LOC: Config.onoff.icp_hit_stale
3161DOC_START
3162 If you want to return ICP_HIT for stale cache objects, set this
3163 option to 'on'. If you have sibling relationships with caches
3164 in other administrative domains, this should be 'off'. If you only
3165 have sibling relationships with caches under your control, then
3166 it is probably okay to set this to 'on'.
3167 If set to 'on', then your siblings should use the option "allow-miss"
3168 on their cache_peer lines for connecting to you.
3169DOC_END
3170
3171
3172NAME: minimum_direct_hops
3173TYPE: int
3174DEFAULT: 4
3175LOC: Config.minDirectHops
3176DOC_START
3177 If using the ICMP pinging stuff, do direct fetches for sites
3178 which are no more than this many hops away.
3179DOC_END
3180
3181NAME: minimum_direct_rtt
3182TYPE: int
3183DEFAULT: 400
3184LOC: Config.minDirectRtt
3185DOC_START
3186 If using the ICMP pinging stuff, do direct fetches for sites
3187 which are no more than this many rtt milliseconds away.
3188DOC_END
3189
3190NAME: cachemgr_passwd
3191TYPE: cachemgrpasswd
3192DEFAULT: none
3193LOC: Config.passwd_list
3194DOC_START
3195 Specify passwords for cachemgr operations.
3196
3197 Usage: cachemgr_passwd password action action ...
3198
3199 Some valid actions are (see cache manager menu for a full list):
3200 5min
3201 60min
3202 asndb
3203 authenticator
3204 cbdata
3205 client_list
3206 comm_incoming
3207 config *
3208 counters
3209 delay
3210 digest_stats
3211 dns
3212 events
3213 filedescriptors
3214 fqdncache
3215 histograms
3216 http_headers
3217 info
3218 io
3219 ipcache
3220 mem
3221 menu
3222 netdb
3223 non_peers
3224 objects
3225 offline_toggle *
3226 pconn
3227 peer_select
3228 redirector
3229 refresh
3230 server_list
3231 shutdown *
3232 store_digest
3233 storedir
3234 utilization
3235 via_headers
3236 vm_objects
3237
3238 * Indicates actions which will not be performed without a
3239 valid password, others can be performed if not listed here.
3240
3241 To disable an action, set the password to "disable".
3242 To allow performing an action without a password, set the
3243 password to "none".
3244
3245 Use the keyword "all" to set the same password for all actions.
3246
3247Example:
3248 cachemgr_passwd secret shutdown
3249 cachemgr_passwd lesssssssecret info stats/objects
3250 cachemgr_passwd disable all
3251DOC_END
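The rules above (starred actions, "disable", "none", "all", and unlisted actions) can be checked mechanically against a squid.conf. The following is an added example, not part of Squid or of this file; it assumes that cachemgr_passwd lines are consulted in file order and that the first line naming the action or "all" decides, and the second sample configuration is constructed.

```python
"""Audit which cache manager actions a set of cachemgr_passwd lines leaves reachable."""

# Actions the documentation marks with "*": never performed without a valid password.
PASSWORD_REQUIRED = {"config", "offline_toggle", "shutdown"}

# A few of the action names listed in the documentation above.
ACTIONS = ["config", "info", "mem", "offline_toggle", "shutdown"]

# The example from the documentation above.
PAGE_EXAMPLE = """
cachemgr_passwd secret shutdown
cachemgr_passwd lesssssssecret info stats/objects
cachemgr_passwd disable all
"""

# Constructed sample: protects shutdown, opens config, leaves the rest unlisted.
PARTIAL = """
cachemgr_passwd secret shutdown
cachemgr_passwd none config
"""


def parse_cachemgr_passwd(conf_text):
    """Return [(password, [action, ...]), ...] in file order."""
    rules = []
    for raw in conf_text.splitlines():
        fields = raw.split()
        if len(fields) >= 3 and fields[0] == "cachemgr_passwd":
            rules.append((fields[1], fields[2:]))
    return rules


def effective_policy(rules, action):
    """Classify one action as 'disabled', 'open', 'password' or 'blocked'."""
    for password, actions in rules:
        # Assumption: the first line naming the action (or "all") decides.
        if action in actions or "all" in actions:
            if password == "disable":
                return "disabled"
            if password == "none":
                return "open"
            return "password"
    # Unlisted: starred actions stay blocked, everything else is served freely.
    return "blocked" if action in PASSWORD_REQUIRED else "open"


def audit(conf_text, actions):
    """Map each action name to its effective policy."""
    rules = parse_cachemgr_passwd(conf_text)
    return {action: effective_policy(rules, action) for action in actions}


def findings(conf_text, actions):
    """List (action, reason) for every action reachable without a password."""
    rules = parse_cachemgr_passwd(conf_text)
    out = []
    for action in actions:
        if effective_policy(rules, action) != "open":
            continue
        if action in PASSWORD_REQUIRED:
            out.append((action, "password-required action opened with 'none'"))
        else:
            out.append((action, "reachable without a password"))
    return out


if __name__ == "__main__":
    for name, conf in (("page example", PAGE_EXAMPLE), ("partial", PARTIAL)):
        print(name, audit(conf, ACTIONS), findings(conf, ACTIONS))
```

Ending the list with "cachemgr_passwd disable all", as the documented example does, is what turns the default for unlisted actions from open into disabled.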
3252
3253NAME: store_avg_object_size
3254COMMENT: (kbytes)
3255TYPE: kb_size_t
3256DEFAULT: 13 KB
3257LOC: Config.Store.avgObjectSize
3258DOC_START
3259 Average object size, used to estimate number of objects your
3260 cache can hold. See doc/Release-Notes-1.1.txt. The default is
3261 13 KB.
3262DOC_END
3263
3264NAME: store_objects_per_bucket
3265TYPE: int
3266DEFAULT: 20
3267LOC: Config.Store.objectsPerBucket
3268DOC_START
3269 Target number of objects per bucket in the store hash table.
3270 Lowering this value increases the total number of buckets and
3271 also the storage maintenance rate. The default is 50.
3272DOC_END
3273
3274NAME: client_db
3275COMMENT: on|off
3276TYPE: onoff
3277DEFAULT: on
3278LOC: Config.onoff.client_db
3279DOC_START
3280 If you want to disable collecting per-client statistics, then
3281 turn off client_db here.
3282DOC_END
3283
3284
3285NAME: netdb_low
3286TYPE: int
3287DEFAULT: 900
3288LOC: Config.Netdb.low
3289DOC_NONE
3290
3291NAME: netdb_high
3292TYPE: int
3293DEFAULT: 1000
3294LOC: Config.Netdb.high
3295DOC_START
3296 The low and high water marks for the ICMP measurement
3297 database. These are counts, not percents. The defaults are
3298 900 and 1000. When the high water mark is reached, database
3299 entries will be deleted until the low mark is reached.
3300DOC_END
3301
3302
3303NAME: netdb_ping_period
3304TYPE: time_t
3305LOC: Config.Netdb.period
3306DEFAULT: 5 minutes
3307DOC_START
3308 The minimum period for measuring a site. There will be at
3309 least this much delay between successive pings to the same
3310 network. The default is five minutes.
3311DOC_END
3312
3313
3314NAME: query_icmp
3315COMMENT: on|off
3316TYPE: onoff
3317DEFAULT: off
3318LOC: Config.onoff.query_icmp
3319DOC_START
3320 If you want to ask your peers to include ICMP data in their ICP
3321 replies, enable this option.
3322
3323 If your peer has configured Squid (during compilation) with
3324 '--enable-icmp' then that peer will send ICMP pings to origin server
3325 sites of the URLs it receives. If you enable this option then the
3326 ICP replies from that peer will include the ICMP data (if available).
3327 Then, when choosing a parent cache, Squid will choose the parent with
3328 the minimal RTT to the origin server. When this happens, the
3329 hierarchy field of the access.log will be
3330 "CLOSEST_PARENT_MISS". This option is off by default.
3331DOC_END
3332
3333NAME: test_reachability
3334COMMENT: on|off
3335TYPE: onoff
3336DEFAULT: off
3337LOC: Config.onoff.test_reachability
3338DOC_START
3339 When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
3340 instead of ICP_MISS if the target host is NOT in the ICMP
3341 database, or has a zero RTT.
3342DOC_END
3343
3344NAME: buffered_logs
3345COMMENT: on|off
3346TYPE: onoff
3347DEFAULT: off
3348LOC: Config.onoff.buffered_logs
3349DOC_START
3350 cache.log log file is written with stdio functions, and as such
3351 it can be buffered or unbuffered. By default it will be unbuffered.
3352 Buffering it can speed up the writing slightly (though you are
3353 unlikely to need to worry unless you run with tons of debugging
3354 enabled in which case performance will suffer badly anyway..).
3355DOC_END
3356
3357NAME: reload_into_ims
3358IFDEF: HTTP_VIOLATIONS
3359COMMENT: on|off
3360TYPE: onoff
3361DEFAULT: off
3362LOC: Config.onoff.reload_into_ims
3363DOC_START
3364 When you enable this option, client no-cache or ``reload''
3365 requests will be changed to If-Modified-Since requests.
3366 Doing this VIOLATES the HTTP standard. Enabling this
3367 feature could make you liable for problems which it
3368 causes.
3369
3370 See also refresh_pattern for a more selective approach.
3371DOC_END
3372
3373NAME: always_direct
3374TYPE: acl_access
3375LOC: Config.accessList.AlwaysDirect
3376DEFAULT: none
3377DOC_START
3378 Usage: always_direct allow|deny [!]aclname ...
3379
3380 Here you can use ACL elements to specify requests which should
3381 ALWAYS be forwarded directly to origin servers. For example,
3382 to always directly forward requests for local servers use
3383 something like:
3384
3385 acl local-servers dstdomain my.domain.net
3386 always_direct allow local-servers
3387
3388 To always forward FTP requests directly, use
3389
3390 acl FTP proto FTP
3391 always_direct allow FTP
3392
3393 NOTE: There is a similar, but opposite option named
3394 'never_direct'. You need to be aware that "always_direct deny
3395 foo" is NOT the same thing as "never_direct allow foo". You
3396 may need to use a deny rule to exclude a more-specific case of
3397 some other rule. Example:
3398
3399 acl local-external dstdomain external.foo.net
3400 acl local-servers dstdomain .foo.net
3401 always_direct deny local-external
3402 always_direct allow local-servers
3403
3404 This option replaces some v1.1 options such as local_domain
3405 and local_ip.
3406DOC_END
3407
3408NAME: never_direct
3409TYPE: acl_access
3410LOC: Config.accessList.NeverDirect
3411DEFAULT: none
3412DOC_START
3413 Usage: never_direct allow|deny [!]aclname ...
3414
3415 never_direct is the opposite of always_direct. Please read
3416 the description for always_direct if you have not already.
3417
3418 With 'never_direct' you can use ACL elements to specify
3419 requests which should NEVER be forwarded directly to origin
3420 servers. For example, to force the use of a proxy for all
3421 requests, except those in your local domain use something like:
3422
3423 acl local-servers dstdomain .foo.net
3424 acl all src 0.0.0.0/0.0.0.0
3425 never_direct deny local-servers
3426 never_direct allow all
3427
3428 or if squid is inside a firewall and there are local intranet
3429 servers inside the firewall then use something like:
3430
3431 acl local-intranet dstdomain .foo.net
3432 acl local-external dstdomain external.foo.net
3433 always_direct deny local-external
3434 always_direct allow local-intranet
3435 never_direct allow all
3436
3437 This option replaces some v1.1 options such as inside_firewall
3438 and firewall_ip.
3439DOC_END
3440
3441NAME: header_access
3442IFDEF: HTTP_VIOLATIONS
3443TYPE: http_header_access[]
3444LOC: Config.header_access
3445DEFAULT: none
3446DOC_START
3447 Usage: header_access header_name allow|deny [!]aclname ...
3448
3449 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3450 this feature could make you liable for problems which it
3451 causes.
3452
3453 This option replaces the old 'anonymize_headers' and the
3454 older 'http_anonymizer' option with something that is much
3455 more configurable. This new method creates a list of ACLs
3456 for each header, allowing you very fine-tuned header
3457 mangling.
3458
3459 You can only specify known headers for the header name.
3460 Other headers are reclassified as 'Other'. You can also
3461 refer to all the headers with 'All'.
3462
3463 For example, to achieve the same behaviour as the old
3464 'http_anonymizer standard' option, you should use:
3465
3466 header_access From deny all
3467 header_access Referer deny all
3468 header_access Server deny all
3469 header_access User-Agent deny all
3470 header_access WWW-Authenticate deny all
3471 header_access Link deny all
3472
3473 Or, to reproduce the old 'http_anonymizer paranoid' feature
3474 you should use:
3475
3476 header_access Allow allow all
3477 header_access Authorization allow all
3478 header_access WWW-Authenticate allow all
3479 header_access Cache-Control allow all
3480 header_access Content-Encoding allow all
3481 header_access Content-Length allow all
3482 header_access Content-Type allow all
3483 header_access Date allow all
3484 header_access Expires allow all
3485 header_access Host allow all
3486 header_access If-Modified-Since allow all
3487 header_access Last-Modified allow all
3488 header_access Location allow all
3489 header_access Pragma allow all
3490 header_access Accept allow all
3491 header_access Accept-Charset allow all
3492 header_access Accept-Encoding allow all
3493 header_access Accept-Language allow all
3494 header_access Content-Language allow all
3495 header_access Mime-Version allow all
3496 header_access Retry-After allow all
3497 header_access Title allow all
3498 header_access Connection allow all
3499 header_access Proxy-Connection allow all
3500 header_access All deny all
3501
3502 By default, all headers are allowed (no anonymizing is
3503 performed).
3504DOC_END
3505
3506NAME: header_replace
3507IFDEF: HTTP_VIOLATIONS
3508TYPE: http_header_replace[]
3509LOC: Config.header_access
3510DEFAULT: none
3511DOC_START
3512 Usage: header_replace header_name message
3513 Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
3514
3515 This option allows you to change the contents of headers
3516 denied with header_access above, by replacing them with
3517 some fixed string. This replaces the old fake_user_agent
3518 option.
3519
3520 By default, headers are removed if denied.
3521DOC_END
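The difference between a deny-list such as the 'http_anonymizer standard' rules and an allow-list ending in "header_access All deny all" shows up with headers Squid does not know, which fall under 'Other'. The following model of header_access and header_replace is an added example, not Squid's code; the known-header set is a constructed subset, the request and the short allow-list are constructed, and it assumes that 'All' rules take part in every header's list at the position where they appear, with the first matching rule deciding.

```python
"""Model of header_access / header_replace filtering over one request."""

# Constructed subset of the header names Squid knows; anything else is 'Other'.
KNOWN_HEADERS = {"from", "referer", "server", "user-agent", "www-authenticate",
                 "link", "host", "accept", "authorization", "content-type"}

# The 'http_anonymizer standard' equivalent and the header_replace example above.
DENY_LIST = """
header_access From deny all
header_access Referer deny all
header_access Server deny all
header_access User-Agent deny all
header_access WWW-Authenticate deny all
header_access Link deny all
header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
"""

# Constructed short allow-list in the style of the 'paranoid' rules.
ALLOW_LIST = """
header_access Host allow all
header_access Accept allow all
header_access All deny all
"""

# Constructed request headers.
REQUEST = [("Host", "www.example.com"),
           ("User-Agent", "Mozilla/5.0"),
           ("Referer", "http://intranet.example/wiki"),
           ("X-Internal-Token", "constructed-value"),
           ("Accept", "*/*")]


def parse_header_rules(conf_text):
    """Return (access rules in file order, {header: replacement text})."""
    access, replace = [], {}
    for raw in conf_text.splitlines():
        f = raw.split()
        if len(f) >= 4 and f[0] == "header_access" and f[2] in ("allow", "deny"):
            access.append((f[1].lower(), f[2] == "allow", f[3:]))
        elif len(f) >= 3 and f[0] == "header_replace":
            replace[f[1].lower()] = raw.split(None, 2)[2].strip()
    return access, replace


def acl_list_matches(terms, facts):
    """A rule applies when every listed ACL is true ('!name' negates)."""
    return all(not facts.get(t[1:], False) if t.startswith("!") else facts.get(t, False)
               for t in terms)


def filter_headers(headers, conf_text, facts=None):
    """Return the (name, value) pairs that would be forwarded."""
    access, replace = parse_header_rules(conf_text)
    facts = dict(facts or {}, all=True)  # the 'all' ACL matches every request
    forwarded = []
    for name, value in headers:
        lowered = name.lower()
        key = lowered if lowered in KNOWN_HEADERS else "other"
        allowed = True  # assumption: a header with no matching rule passes
        for target, allow, terms in access:
            if target in (key, "all") and acl_list_matches(terms, facts):
                allowed = allow
                break
        if allowed:
            forwarded.append((name, value))
        elif lowered in replace:
            # Denied headers are dropped unless header_replace supplies a value.
            forwarded.append((name, replace[lowered]))
    return forwarded


if __name__ == "__main__":
    print(filter_headers(REQUEST, DENY_LIST))
    print(filter_headers(REQUEST, ALLOW_LIST))
```

With the deny-list the constructed X-Internal-Token header is still forwarded, because nothing denies 'Other'; the allow-list forwards only Host and Accept.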
3522
3523NAME: icon_directory
3524TYPE: string
3525LOC: Config.icons.directory
3526DEFAULT: @DEFAULT_ICON_DIR@
3527DOC_START
3528 Where the icons are stored. These are normally kept in
3529 @DEFAULT_ICON_DIR@
3530DOC_END
3531
3532NAME: error_directory
3533TYPE: string
3534LOC: Config.errorDirectory
3535DEFAULT: @DEFAULT_ERROR_DIR@
3536DOC_START
3537 If you wish to create your own versions of the default
3538 (English) error files, either to customize them to suit your
3539 language or company, copy the template English files to another
3540 directory and point this tag at them.
3541DOC_END
3542
3543NAME: maximum_single_addr_tries
3544TYPE: int
3545LOC: Config.retry.maxtries
3546DEFAULT: 3
3547DOC_START
3548 This sets the maximum number of connection attempts for a
3549 host that only has one address (for multiple-address hosts,
3550 each address is tried once).
3551
3552 The default value is three tries, the (not recommended)
3553 maximum is 255 tries. A warning message will be generated
3554 if it is set to a value greater than ten.
3555DOC_END
3556
3557NAME: snmp_port
3558TYPE: ushort
3559LOC: Config.Port.snmp
3560DEFAULT: 3401
3561IFDEF: SQUID_SNMP
3562DOC_START
3563 Squid can now serve statistics and status information via SNMP.
3564 By default it listens to port 3401 on the machine. If you don't
3565 wish to use SNMP, set this to "0".
3566DOC_END
3567
3568NAME: snmp_access
3569TYPE: acl_access
3570LOC: Config.accessList.snmp
3571DEFAULT: none
3572DEFAULT_IF_NONE: deny all
3573IFDEF: SQUID_SNMP
3574DOC_START
3575 Allowing or denying access to the SNMP port.
3576
3577 All access to the agent is denied by default.
3578 usage:
3579
3580 snmp_access allow|deny [!]aclname ...
3581
3582Example:
3583 snmp_access allow snmppublic localhost
3584 snmp_access deny all
3585DOC_END
3586
3587NAME: snmp_incoming_address
3588TYPE: address
3589LOC: Config.Addrs.snmp_incoming
3590DEFAULT: 0.0.0.0
3591IFDEF: SQUID_SNMP
3592DOC_NONE
3593NAME: snmp_outgoing_address
3594TYPE: address
3595LOC: Config.Addrs.snmp_outgoing
3596DEFAULT: 255.255.255.255
3597IFDEF: SQUID_SNMP
3598DOC_START
3599 Just like 'udp_incoming_address' above, but for the SNMP port.
3600
3601 snmp_incoming_address is used for the SNMP socket receiving
3602 messages from SNMP agents.
3603 snmp_outgoing_address is used for SNMP packets returned to SNMP
3604 agents.
3605
3606 The default snmp_incoming_address (0.0.0.0) is to listen on all
3607 available network interfaces.
3608
3609 If snmp_outgoing_address is set to 255.255.255.255 (the default)
3610 then it will use the same socket as snmp_incoming_address. Only
3611 change this if you want to have SNMP replies sent using another
3612 address than where this Squid listens for SNMP queries.
3613
3614 NOTE, snmp_incoming_address and snmp_outgoing_address can not have
3615 the same value since they both use port 3401.
3616DOC_END
3617
3618NAME: as_whois_server
3619TYPE: string
3620LOC: Config.as_whois_server
3621DEFAULT: whois.ra.net
3622DEFAULT_IF_NONE: whois.ra.net
3623DOC_START
3624 WHOIS server to query for AS numbers. NOTE: AS numbers are
3625 queried only when Squid starts up, not for every request.
3626DOC_END
3627
3628NAME: wccp_router
3629TYPE: address
3630LOC: Config.Wccp.router
3631DEFAULT: 0.0.0.0
3632IFDEF: USE_WCCP
3633DOC_START
3634 Use this option to define your WCCP ``home'' router for
3635 Squid. Setting the 'wccp_router' to 0.0.0.0 (the default)
3636 disables WCCP.
3637DOC_END
3638
3639NAME: wccp_version
3640TYPE: int
3641LOC: Config.Wccp.version
3642DEFAULT: 4
3643IFDEF: USE_WCCP
3644DOC_START
3645 According to some users, Cisco IOS 11.2 only supports WCCP
3646 version 3. If you're using that version of IOS, change
3647 this value to 3.
3648DOC_END
3649
3650NAME: wccp_incoming_address
3651TYPE: address
3652LOC: Config.Wccp.incoming
3653DEFAULT: 0.0.0.0
3654IFDEF: USE_WCCP
3655DOC_NONE
3656NAME: wccp_outgoing_address
3657TYPE: address
3658LOC: Config.Wccp.outgoing
3659DEFAULT: 255.255.255.255
3660IFDEF: USE_WCCP
3661DOC_START
3662 wccp_incoming_address Use this option if you require WCCP
3663 messages to be received on only one
3664 interface. Do NOT use this option if
3665 you're unsure how many interfaces you
3666 have, or if you know you have only one
3667 interface.
3668
3669 wccp_outgoing_address Use this option if you require WCCP
3670 messages to be sent out on only one
3671 interface. Do NOT use this option if
3672 you're unsure how many interfaces you
3673 have, or if you know you have only one
3674 interface.
3675
3676 The default behavior is to not bind to any specific address.
3677
3678 NOTE, wccp_incoming_address and wccp_outgoing_address can not have
3679 the same value since they both use port 2048.
3680DOC_END
0976f8db 3681
0976f8db 3682
cccac0a2 3683COMMENT_START
3684 DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
3685 -----------------------------------------------------------------------------
3686COMMENT_END
3687
3688NAME: delay_pools
3689TYPE: delay_pool_count
3690DEFAULT: 0
3691IFDEF: DELAY_POOLS
3692LOC: Config.Delay
3693DOC_START
3694 This represents the number of delay pools to be used. For example,
3695 if you have one class 2 delay pool and one class 3 delay pool, you
3696 have a total of 2 delay pools.
3697DOC_END
3698
3699NAME: delay_class
3700TYPE: delay_pool_class
3701DEFAULT: none
3702IFDEF: DELAY_POOLS
3703LOC: Config.Delay
3704DOC_START
3705 This defines the class of each delay pool. There must be exactly one
3706 delay_class line for each delay pool. For example, to define two
3707 delay pools, one of class 2 and one of class 3, the settings above
3708 and here would be:
3709
3710Example:
3711 delay_pools 4 # 4 delay pools
3712 delay_class 1 2 # pool 1 is a class 2 pool
3713 delay_class 2 3 # pool 2 is a class 3 pool
3714 delay_class 3 4 # pool 3 is a class 4 pool
3715 delay_class 4 5 # pool 4 is a class 5 pool
3716
3717 The delay pool classes are:
3718
3719 class 1 Everything is limited by a single aggregate
3720 bucket.
3721
3722 class 2 Everything is limited by a single aggregate
3723 bucket as well as an "individual" bucket chosen
3724 from bits 25 through 32 of the IP address.
3725
3726 class 3 Everything is limited by a single aggregate
3727 bucket as well as a "network" bucket chosen
3728 from bits 17 through 24 of the IP address and a
3729 "individual" bucket chosen from bits 17 through
3730 32 of the IP address.
3731
3732 class 4 Everything in a class 3 delay pool, with an
3733 additional limit on a per user basis. This
3734 only takes effect if the username is established
3735 in advance - by forcing authentication in your
3736 http_access rules.
3737
3738 class 5 Requests are grouped according to their tag (see
3739 external_acl's tag= reply).
3740
3741 NOTE: If an IP address is a.b.c.d
3742 -> bits 25 through 32 are "d"
3743 -> bits 17 through 24 are "c"
3744 -> bits 17 through 32 are "c * 256 + d"
3745DOC_END
3746
3747NAME: delay_access
3748TYPE: delay_pool_access
3749DEFAULT: none
3750IFDEF: DELAY_POOLS
3751LOC: Config.Delay
3752DOC_START
3753 This is used to determine which delay pool a request falls into.
3754 The first matched delay pool is always used, i.e., if a request falls
3755 into delay pool number one, no more delay pools are checked, otherwise the
3756 rest are checked in order of their delay pool number until they have
3757 all been checked. For example, if you want some_big_clients in delay
3758 pool 1 and lotsa_little_clients in delay pool 2:
3759
3760Example:
3761 delay_access 1 allow some_big_clients
3762 delay_access 1 deny all
3763 delay_access 2 allow lotsa_little_clients
3764 delay_access 2 deny all
3765 delay_access 3 allow authenticated_clients
3766DOC_END
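The pool selection described for delay_access and the bucket keys described for delay_class can be traced for a given client address. The following is an added example, not Squid's code; it handles only IPv4 'src' ACLs, the ACL networks are constructed around the ACL names used above, and the value 0 for the single aggregate bucket is a placeholder.

```python
"""Which delay pool, and which buckets, a client address lands in."""
import ipaddress

# Constructed configuration using the ACL names from the delay_access example.
SAMPLE_CONF = """
acl some_big_clients src 10.0.0.0/255.255.255.0
acl lotsa_little_clients src 10.0.0.0/255.255.0.0
acl all src 0.0.0.0/0.0.0.0
delay_pools 2
delay_class 1 2     # pool 1 is a class 2 pool
delay_class 2 3     # pool 2 is a class 3 pool
delay_access 1 allow some_big_clients
delay_access 1 deny all
delay_access 2 allow lotsa_little_clients
delay_access 2 deny all
"""


def parse_delay_config(conf_text):
    """Return (src ACL networks, {pool: class}, {pool: [(allow, acl terms)]})."""
    acls, classes, access = {}, {}, {}
    for raw in conf_text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 4 and f[0] == "acl" and f[2] == "src":
            nets = [ipaddress.ip_network(n, strict=False) for n in f[3:]]
            acls.setdefault(f[1], []).extend(nets)
        elif len(f) == 3 and f[0] == "delay_class":
            classes[int(f[1])] = int(f[2])
        elif len(f) >= 4 and f[0] == "delay_access" and f[2] in ("allow", "deny"):
            access.setdefault(int(f[1]), []).append((f[2] == "allow", f[3:]))
    return acls, classes, access


def src_matches(term, acls, ip):
    """Evaluate one '[!]aclname' term against the client address."""
    negate = term.startswith("!")
    hit = any(ip in net for net in acls.get(term.lstrip("!"), []))
    return hit != negate


def select_pool(conf_text, client):
    """Return the first pool number whose delay_access allows the client, else None."""
    acls, classes, access = parse_delay_config(conf_text)
    ip = ipaddress.ip_address(client)
    for pool in sorted(classes):
        for allow, terms in access.get(pool, []):
            if all(src_matches(t, acls, ip) for t in terms):
                if allow:
                    return pool
                break  # denied for this pool: move on to the next pool number
    return None


def bucket_keys(delay_class, client, user=None, tag=None):
    """Bucket keys for IPv4 address a.b.c.d, following the delay_class NOTE."""
    c, d = ipaddress.ip_address(client).packed[2:4]
    keys = {}
    if delay_class in (1, 2, 3, 4):
        keys["aggregate"] = 0            # one shared bucket per pool
    if delay_class == 2:
        keys["individual"] = d           # bits 25 through 32
    if delay_class in (3, 4):
        keys["network"] = c              # bits 17 through 24
        keys["individual"] = c * 256 + d  # bits 17 through 32
    if delay_class == 4 and user is not None:
        keys["user"] = user              # only when a username is established
    if delay_class == 5:
        keys["tag"] = tag
    return keys


def classify(conf_text, client, user=None, tag=None):
    """Return (pool, class, bucket keys), or None if no pool applies."""
    pool = select_pool(conf_text, client)
    if pool is None:
        return None
    delay_class = parse_delay_config(conf_text)[1][pool]
    return pool, delay_class, bucket_keys(delay_class, client, user, tag)


if __name__ == "__main__":
    for addr in ("10.0.0.7", "10.0.5.9", "192.168.1.1"):
        print(addr, classify(SAMPLE_CONF, addr))
```

Because a class 2 individual bucket is keyed on the last octet alone, two clients in different networks with the same last octet share one bucket if the pool's delay_access admits both.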
3767
3768NAME: delay_parameters
3769TYPE: delay_pool_rates
3770DEFAULT: none
3771IFDEF: DELAY_POOLS
3772LOC: Config.Delay
3773DOC_START
3774 This defines the parameters for a delay pool. Each delay pool has
3775 a number of "buckets" associated with it, as explained in the
3776 description of delay_class. For a class 1 delay pool, the syntax is:
3777
3778delay_parameters pool aggregate
3779
3780 For a class 2 delay pool:
3781
3782delay_parameters pool aggregate individual
3783
3784 For a class 3 delay pool:
3785
3786delay_parameters pool aggregate network individual
3787
3788 For a class 4 delay pool:
3789
3790delay_parameters pool aggregate network individual user
3791
3792 For a class 5 delay pool:
3793
3794delay_parameters pool tag
3795
3796 The variables here are:
3797
3798 pool a pool number - ie, a number between 1 and the
3799 number specified in delay_pools as used in
3800 delay_class lines.
3801
3802 aggregate the "delay parameters" for the aggregate bucket
3803 (class 1, 2, 3).
3804
3805 individual the "delay parameters" for the individual
3806 buckets (class 2, 3).
3807
3808 network the "delay parameters" for the network buckets
3809 (class 3).
3810
3811 user the delay parameters for the user buckets
3812 (class 4).
3813
3814 tag the delay parameters for the tag buckets
3815 (class 5).
3816
3817 A pair of delay parameters is written restore/maximum, where restore is
3818 the number of bytes (not bits - modem and network speeds are usually
3819 quoted in bits) per second placed into the bucket, and maximum is the
3820 maximum number of bytes which can be in the bucket at any time.
3821
3822 For example, if delay pool number 1 is a class 2 delay pool as in the
3823 above example, and is being used to strictly limit each host to 64kbps
3824 (plus overheads), with no overall limit, the line is:
3825
3826delay_parameters 1 -1/-1 8000/8000
3827
3828 Note that the figure -1 is used to represent "unlimited".
3829
3830 And, if delay pool number 2 is a class 3 delay pool as in the above
3831 example, and you want to limit it to a total of 256kbps (strict limit)
3832 with each 8-bit network permitted 64kbps (strict limit) and each
3833 individual host permitted 4800bps with a bucket maximum size of 64kb
3834 to permit a decent web page to be downloaded at a decent speed
3835 (if the network is not being limited due to overuse) but slow down
3836 large downloads more significantly:
3837
3838delay_parameters 2 32000/32000 8000/8000 600/8000
3839
3840 There must be one delay_parameters line for each delay pool.
3841
3842 Finally, for a class 4 delay pool as in the example - each user will
3843 be limited to 128Kb no matter how many workstations they are logged into:
3844
3845delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
3846DOC_END
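
The restore/maximum arithmetic from the delay_parameters text above, as an added example that is not part of cf.data.pre or of Squid's code. The once-per-second refill loop is a simplified model, and the function names and the 50% starting level (the delay_initial_bucket_level default) are assumptions of this sketch.

```python
# Added illustration: simplified model of the restore/maximum buckets
# described under delay_parameters. Not Squid's implementation.

# Number of restore/maximum pairs each class takes, per the syntax lines above.
PAIRS_PER_CLASS = {1: 1, 2: 2, 3: 3, 4: 4, 5: 1}


def kbps_to_bytes(kbps):
    """Link speeds are quoted in bits; delay_parameters takes bytes/second."""
    return kbps * 1000 // 8


def parse_delay_parameters(line, pool_class):
    """Return (pool, [(restore, maximum), ...]); raise ValueError if malformed."""
    words = line.split()
    if len(words) < 3 or words[0] != "delay_parameters":
        raise ValueError("not a delay_parameters line")
    pool = int(words[1])
    pairs = []
    for word in words[2:]:
        restore, sep, maximum = word.partition("/")
        if not sep:
            raise ValueError(f"expected restore/maximum, got {word!r}")
        pairs.append((int(restore), int(maximum)))
    expected = PAIRS_PER_CLASS[pool_class]
    if len(pairs) != expected:
        raise ValueError(f"class {pool_class} needs {expected} pair(s), got {len(pairs)}")
    return pool, pairs


def transfer_seconds(size, restore, maximum, initial_percent=50):
    """Seconds until `size` bytes have drained through one bucket.

    The bucket starts at initial_percent of maximum, gains `restore` bytes
    per second and never holds more than `maximum`. -1 means unlimited.
    """
    if restore < 0:
        return 0
    if restore == 0:
        raise ValueError("a restore rate of 0 never refills the bucket")
    level = maximum * initial_percent // 100
    remaining, elapsed = size, 0
    while True:
        sent = min(level, remaining)
        remaining -= sent
        level -= sent
        if remaining <= 0:
            return elapsed
        level = min(maximum, level + restore)
        elapsed += 1


if __name__ == "__main__":
    # The class 3 example line from the text above.
    pool, pairs = parse_delay_parameters(
        "delay_parameters 2 32000/32000 8000/8000 600/8000", 3)
    restore, maximum = pairs[-1]  # the individual-host bucket
    print(pool, transfer_seconds(64000, restore, maximum))
```

In this model a 64000-byte page through the 600/8000 host bucket takes 100 seconds, while the 600/64000 bucket from the class 4 line takes 54, which is the burst allowance the larger maximum buys.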
3847
3848NAME: delay_initial_bucket_level
3849COMMENT: (percent, 0-100)
3850TYPE: ushort
3851DEFAULT: 50
3852IFDEF: DELAY_POOLS
3853LOC: Config.Delay.initial
3854DOC_START
3855 The initial bucket percentage is used to determine how much is put
3856 in each bucket when squid starts, is reconfigured, or first notices
3857 a host accessing it (in class 2 and class 3, individual hosts and
3858 networks only have buckets associated with them once they have been
3859 "seen" by squid).
3860DOC_END
3861
3862NAME: incoming_icp_average
3863TYPE: int
3864DEFAULT: 6
3865LOC: Config.comm_incoming.icp_average
3866DOC_NONE
3867
3868NAME: incoming_http_average
3869TYPE: int
3870DEFAULT: 4
3871LOC: Config.comm_incoming.http_average
3872DOC_NONE
3873
3874NAME: incoming_dns_average
3875TYPE: int
3876DEFAULT: 4
3877LOC: Config.comm_incoming.dns_average
3878DOC_NONE
3879
3880NAME: min_icp_poll_cnt
3881TYPE: int
3882DEFAULT: 8
3883LOC: Config.comm_incoming.icp_min_poll
3884DOC_NONE
3885
3886NAME: min_dns_poll_cnt
3887TYPE: int
3888DEFAULT: 8
3889LOC: Config.comm_incoming.dns_min_poll
3890DOC_NONE
3891
3892NAME: min_http_poll_cnt
3893TYPE: int
3894DEFAULT: 8
3895LOC: Config.comm_incoming.http_min_poll
3896DOC_START
3897 Heavy voodoo here. I can't even believe you are reading this.
3898 Are you crazy? Don't even think about adjusting these unless
3899 you understand the algorithms in comm_select.c first!
3900DOC_END
3901
3902NAME: max_open_disk_fds
3903TYPE: int
3904LOC: Config.max_open_disk_fds
3905DEFAULT: 0
3906DOC_START
3907 To avoid having disk as the I/O bottleneck Squid can optionally
3908 bypass the on-disk cache if more than this amount of disk file
3909 descriptors are open.
3910
3911 A value of 0 indicates no limit.
3912DOC_END
3913
3914NAME: offline_mode
3915TYPE: onoff
3916LOC: Config.onoff.offline
3917DEFAULT: off
3918DOC_START
3919 Enable this option and Squid will never try to validate cached
3920 objects.
3921DOC_END
3922
3923NAME: uri_whitespace
3924TYPE: uri_whitespace
3925LOC: Config.uri_whitespace
3926DEFAULT: strip
3927DOC_START
3928 What to do with requests that have whitespace characters in the
3929 URI. Options:
3930
3931 strip: The whitespace characters are stripped out of the URL.
3932 This is the behavior recommended by RFC2396.
3933 deny: The request is denied. The user receives an "Invalid
3934 Request" message.
3935 allow: The request is allowed and the URI is not changed. The
3936 whitespace characters remain in the URI. Note the
3937 whitespace is passed to redirector processes if they
3938 are in use.
3939 encode: The request is allowed and the whitespace characters are
3940 encoded according to RFC1738. This could be considered
3941 a violation of the HTTP/1.1
3942 RFC because proxies are not allowed to rewrite URIs.
3943 chop: The request is allowed and the URI is chopped at the
3944 first whitespace. This might also be considered a
3945 violation.
3946DOC_END
3947
3948NAME: broken_posts
3949TYPE: acl_access
3950DEFAULT: none
3951LOC: Config.accessList.brokenPosts
3952DOC_START
3953 A list of ACL elements which, if matched, causes Squid to send
3954 an extra CRLF pair after the body of a PUT/POST request.
3955
3956 Some HTTP servers have broken implementations of PUT/POST,
3957 and rely on an extra CRLF pair sent by some WWW clients.
3958
3959 Quote from RFC 2068 section 4.1 on this matter:
3960
3961 Note: certain buggy HTTP/1.0 client implementations generate an
3962 extra CRLF's after a POST request. To restate what is explicitly
3963 forbidden by the BNF, an HTTP/1.1 client must not preface or follow
3964 a request with an extra CRLF.
3965
3966Example:
3967 acl buggy_server url_regex ^http://....
3968 broken_posts allow buggy_server
3969DOC_END
3970
3971NAME: mcast_miss_addr
3972IFDEF: MULTICAST_MISS_STREAM
3973TYPE: address
3974LOC: Config.mcast_miss.addr
3975DEFAULT: 255.255.255.255
3976DOC_START
3977 If you enable this option, every "cache miss" URL will
3978 be sent out on the specified multicast address.
3979
3980 Do not enable this option unless you are absolutely
3981 certain you understand what you are doing.
3982DOC_END
3983
3984NAME: mcast_miss_ttl
3985IFDEF: MULTICAST_MISS_TTL
3986TYPE: ushort
3987LOC: Config.mcast_miss.ttl
3988DEFAULT: 16
3989DOC_START
3990 This is the time-to-live value for packets multicasted
3991 when multicasting off cache miss URLs is enabled. By
3992 default this is set to 'site scope', i.e. 16.
3993DOC_END
3994
3995NAME: mcast_miss_port
3996IFDEF: MULTICAST_MISS_STREAM
3997TYPE: ushort
3998LOC: Config.mcast_miss.port
3999DEFAULT: 3135
4000DOC_START
4001 This is the port number to be used in conjunction with
4002 'mcast_miss_addr'.
4003DOC_END
4004
4005NAME: mcast_miss_encode_key
4006IFDEF: MULTICAST_MISS_STREAM
4007TYPE: string
4008LOC: Config.mcast_miss.encode_key
4009DEFAULT: XXXXXXXXXXXXXXXX
4010DOC_START
4011 The URLs that are sent in the multicast miss stream are
4012 encrypted. This is the encryption key.
4013DOC_END
4014
4015NAME: nonhierarchical_direct
4016TYPE: onoff
4017LOC: Config.onoff.nonhierarchical_direct
4018DEFAULT: on
4019DOC_START
4020 By default, Squid will send any non-hierarchical requests
4021 (matching hierarchy_stoplist or not cachable request type) direct
4022 to origin servers.
4023
4024 If you set this to off, then Squid will prefer to send these
4025 requests to parents.
4026
4027 Note that in most configurations, by turning this off you will only
4028 add latency to these requests without any improvement in global hit
4029 ratio.
4030
4031 If you are inside a firewall then see never_direct instead of
4032 this directive.
4033DOC_END
4034
4035NAME: prefer_direct
4036TYPE: onoff
4037LOC: Config.onoff.prefer_direct
4038DEFAULT: off
4039DOC_START
4040 Normally Squid tries to use parents for most requests. If for some
4041 reason you would like it to first try going direct and only use a parent if
4042 going direct fails then set this to on.
4043
4044 By combining nonhierarchical_direct off and prefer_direct on you
4045 can set up Squid to use a parent as a backup path if going direct
4046 fails.
4047DOC_END
4048
4049NAME: strip_query_terms
4050TYPE: onoff
4051LOC: Config.onoff.strip_query_terms
4052DEFAULT: on
4053DOC_START
4054 By default, Squid strips query terms from requested URLs before
4055 logging. This protects your users' privacy.
4056DOC_END
4057
4058NAME: coredump_dir
4059TYPE: string
4060LOC: Config.coredump_dir
4061DEFAULT: none
4062DEFAULT_IF_NONE: none
4063DOC_START
4064 By default Squid leaves core files in the directory from where
4065 it was started. If you set 'coredump_dir' to a directory
4066 that exists, Squid will chdir() to that directory at startup
4067 and coredump files will be left there.
4068
4069NOCOMMENT_START
5ff76111 4070# Leave coredumps in the first cache dir
cccac0a2 4071coredump_dir @DEFAULT_SWAP_DIR@
4072NOCOMMENT_END
4073DOC_END
4074
4075NAME: redirector_bypass
4076TYPE: onoff
4077LOC: Config.onoff.redirector_bypass
4078DEFAULT: off
4079DOC_START
4080 When this is 'on', a request will not go through the
4081 redirector if all redirectors are busy. If this is 'off'
4082 and the redirector queue grows too large, Squid will exit
4083 with a FATAL error and ask you to increase the number of
4084 redirectors. You should only enable this if the redirectors
4085 are not critical to your caching system. If you use
4086 redirectors for access control, and you enable this option,
4087 then users may have access to pages that they should not
4088 be allowed to request.
4089DOC_END
4090
4091NAME: ignore_unknown_nameservers
4092TYPE: onoff
4093LOC: Config.onoff.ignore_unknown_nameservers
4094DEFAULT: on
4095DOC_START
4096 By default Squid checks that DNS responses are received
4097 from the same IP addresses that they are sent to. If they
4098 don't match, Squid ignores the response and writes a warning
4099 message to cache.log. You can allow responses from unknown
4100 nameservers by setting this option to 'off'.
4101DOC_END
4102
4103NAME: digest_generation
4104IFDEF: USE_CACHE_DIGESTS
4105TYPE: onoff
4106LOC: Config.onoff.digest_generation
4107DEFAULT: on
4108DOC_START
4109 This controls whether the server will generate a Cache Digest
4110 of its contents. By default, Cache Digest generation is
4111 enabled if Squid is compiled with USE_CACHE_DIGESTS defined.
4112DOC_END
4113
4114NAME: digest_bits_per_entry
4115IFDEF: USE_CACHE_DIGESTS
4116TYPE: int
4117LOC: Config.digest.bits_per_entry
4118DEFAULT: 5
4119DOC_START
4120 This is the number of bits of the server's Cache Digest which
4121 will be associated with the Digest entry for a given HTTP
4122 Method and URL (public key) combination. The default is 5.
4123DOC_END
4124
4125NAME: digest_rebuild_period
4126IFDEF: USE_CACHE_DIGESTS
4127COMMENT: (seconds)
4128TYPE: time_t
4129LOC: Config.digest.rebuild_period
4130DEFAULT: 1 hour
4131DOC_START
4132 This is the number of seconds between Cache Digest rebuilds.
4133DOC_END
4134
4135NAME: digest_rewrite_period
4136COMMENT: (seconds)
4137IFDEF: USE_CACHE_DIGESTS
4138TYPE: time_t
4139LOC: Config.digest.rewrite_period
4140DEFAULT: 1 hour
4141DOC_START
4142 This is the number of seconds between Cache Digest writes to
4143 disk.
4144DOC_END
4145
4146NAME: digest_swapout_chunk_size
4147COMMENT: (bytes)
4148TYPE: b_size_t
4149IFDEF: USE_CACHE_DIGESTS
4150LOC: Config.digest.swapout_chunk_size
4151DEFAULT: 4096 bytes
4152DOC_START
4153 This is the number of bytes of the Cache Digest to write to
4154 disk at a time. It defaults to 4096 bytes (4KB), the Squid
4155 default swap page.
4156DOC_END
4157
4158NAME: digest_rebuild_chunk_percentage
4159COMMENT: (percent, 0-100)
4160IFDEF: USE_CACHE_DIGESTS
4161TYPE: int
4162LOC: Config.digest.rebuild_chunk_percentage
4163DEFAULT: 10
4164DOC_START
4165 This is the percentage of the Cache Digest to be scanned at a
4166 time. By default it is set to 10% of the Cache Digest.
4167DOC_END
4168
4169NAME: chroot
4170TYPE: string
4171LOC: Config.chroot_dir
4172DEFAULT: none
4173DOC_START
4174 Use this to have Squid do a chroot() while initializing. This
4175 also causes Squid to fully drop root privileges after
4176 initializing. This means, for example, that if you use a HTTP
4177 port less than 1024 and try to reconfigure, you will get an
4178 error.
4179DOC_END
4180
4181NAME: client_persistent_connections
4182TYPE: onoff
4183LOC: Config.onoff.client_pconns
4184DEFAULT: on
4185DOC_NONE
4186
4187NAME: server_persistent_connections
4188TYPE: onoff
4189LOC: Config.onoff.server_pconns
4190DEFAULT: on
4191DOC_START
4192 Persistent connection support for clients and servers. By
4193 default, Squid uses persistent connections (when allowed)
4194 with its clients and servers. You can use these options to
4195 disable persistent connections with clients and/or servers.
4196DOC_END
4197
4198NAME: pipeline_prefetch
4199TYPE: onoff
4200LOC: Config.onoff.pipeline_prefetch
4201DEFAULT: off
4202DOC_START
4203 To boost the performance of pipelined requests to closer
4204 match that of a non-proxied environment Squid can try to fetch
4205 up to two requests in parallel from a pipeline.
4206
4207 Defaults to off for bandwidth management and access logging
4208 reasons.
4209DOC_END
4210
4211NAME: extension_methods
4212TYPE: wordlist
4213LOC: Config.ext_methods
4214DEFAULT: none
4215DOC_START
4216 Squid only knows about standardized HTTP request methods.
4217 You can add up to 20 additional "extension" methods here.
4218DOC_END
4219
4220NAME: request_entities
4221TYPE: onoff
4222LOC: Config.onoff.request_entities
4223DEFAULT: off
4224DOC_START
4225 Squid defaults to deny GET and HEAD requests with request entities,
4226 as the meaning of such requests is undefined in the HTTP standard
4227 even if not explicitly forbidden.
4228
4229 Set this directive to on if you have clients which insist
4230 on sending request entities in GET or HEAD requests.
4231DOC_END
4232
4233NAME: high_response_time_warning
4234TYPE: int
4235COMMENT: (msec)
4236LOC: Config.warnings.high_rptm
4237DEFAULT: 0
4238DOC_START
4239 If the one-minute median response time exceeds this value,
4240 Squid prints a WARNING with debug level 0 to get the
4241 administrator's attention. The value is in milliseconds.
4242DOC_END
4243
4244NAME: high_page_fault_warning
4245TYPE: int
4246LOC: Config.warnings.high_pf
4247DEFAULT: 0
4248DOC_START
4249 If the one-minute average page fault rate exceeds this
4250 value, Squid prints a WARNING with debug level 0 to get
4251 the administrator's attention. The value is in page faults
4252 per second.
4253DOC_END
4254
4255NAME: high_memory_warning
4256TYPE: b_size_t
4257LOC: Config.warnings.high_memory
4258DEFAULT: 0
4259DOC_START
4260 If the memory usage (as determined by mallinfo) exceeds
4261 this value, Squid prints a WARNING with debug level 0 to get
4262 the administrator's attention.
4263DOC_END
4264
4265NAME: store_dir_select_algorithm
4266TYPE: string
4267LOC: Config.store_dir_select_algorithm
4268DEFAULT: least-load
4269DOC_START
4270 Set this to 'round-robin' as an alternative.
4271DOC_END
4272
4273NAME: forward_log
4274IFDEF: WIP_FWD_LOG
4275TYPE: string
4276DEFAULT: none
4277LOC: Config.Log.forward
4278DOC_START
4279 Logs the server-side requests.
4280
4281 This is currently work in progress.
4282DOC_END
4283
4284NAME: ie_refresh
4285COMMENT: on|off
4286TYPE: onoff
4287LOC: Config.onoff.ie_refresh
4288DEFAULT: off
4289DOC_START
4290 Microsoft Internet Explorer up until version 5.5 Service
4291 Pack 1 has an issue with transparent proxies, wherein it
4292 is impossible to force a refresh. Turning this on provides
4293 a partial fix to the problem, by causing all IMS-REFRESH
4294 requests from older IE versions to check the origin server
4295 for fresh content. This reduces hit ratio by some amount
4296 (~10% in my experience), but allows users to actually get
4297 fresh content when they want it. Note that because Squid
4298 cannot tell if the user is using 5.5 or 5.5SP1, the behavior
4299 of 5.5 is unchanged from old versions of Squid (i.e. a
4300 forced refresh is impossible). Newer versions of IE will,
4301 hopefully, continue to have the new behavior and will be
4302 handled based on that assumption. This option defaults to
4303 the old Squid behavior, which is better for hit ratios but
4304 worse for clients using IE, if they need to be able to
4305 force fresh content.
4306DOC_END
4307
4308NAME: vary_ignore_expire
4309COMMENT: on|off
4310TYPE: onoff
4311LOC: Config.onoff.vary_ignore_expire
4312DEFAULT: off
4313DOC_START
4314 Many HTTP servers supporting Vary give such objects
4315 immediate expiry time with no cache-control header
4316 when requested by a HTTP/1.0 client. This option
4317 enables Squid to ignore such expiry times until
4318 HTTP/1.1 is fully implemented.
4319 WARNING: This may eventually cause some varying
4320 objects not intended for caching to get cached.
4321DOC_END
4322
4323NAME: sleep_after_fork
4324COMMENT: (microseconds)
4325TYPE: int
4326LOC: Config.sleep_after_fork
4327DEFAULT: 0
4328DOC_START
4329 When this is set to a non-zero value, the main Squid process
4330 sleeps the specified number of microseconds after a fork()
4331 system call. This sleep may help the situation where your
4332 system reports fork() failures due to lack of (virtual)
4333 memory. Note, however, that if you have a lot of child
4334 processes, then these sleep delays will add up and your
4335 Squid will not service requests for some amount of time
4336 until all the child processes have been started.
4337DOC_END
4338
4339EOF
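
A configuration check for the directives above whose non-default values weaken access control, DNS response filtering or log privacy, as an added example that is not part of cf.data.pre or of Squid. The function names and the sample configuration are constructed; treating the last occurrence of a directive as the effective one, and a non-default mcast_miss_addr as "enabled", are assumptions of this sketch.

```python
# Added illustration: audit a squid.conf for settings that the
# documentation above describes as weakening a protection.

# Defaults as listed in the DEFAULT: lines above.
DEFAULTS = {
    "redirector_bypass": "off",
    "ignore_unknown_nameservers": "on",
    "strip_query_terms": "on",
    "uri_whitespace": "strip",
    "mcast_miss_addr": "255.255.255.255",
    "mcast_miss_encode_key": "XXXXXXXXXXXXXXXX",
}

# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = """\
# constructed sample
redirector_bypass on
ignore_unknown_nameservers off
strip_query_terms off
uri_whitespace allow
mcast_miss_addr 239.1.2.3
"""


def effective_settings(conf_text):
    """Overlay the directives found in conf_text on the defaults.

    Assumption: for these single-value directives the last line wins.
    """
    settings = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] in settings and len(words) > 1:
            settings[words[0]] = words[1]
    return settings


def audit(conf_text):
    """Return a list of (directive, reason) findings."""
    s = effective_settings(conf_text)
    findings = []
    if s["redirector_bypass"] == "on":
        findings.append(("redirector_bypass",
                         "requests skip busy redirectors; fails open if they enforce access control"))
    if s["ignore_unknown_nameservers"] == "off":
        findings.append(("ignore_unknown_nameservers",
                         "DNS responses from addresses that were never queried are accepted"))
    if s["strip_query_terms"] == "off":
        findings.append(("strip_query_terms",
                         "query strings are written to the logs"))
    if s["uri_whitespace"] == "allow":
        findings.append(("uri_whitespace",
                         "whitespace in URIs is passed unchanged to redirector processes"))
    if (s["mcast_miss_addr"] != DEFAULTS["mcast_miss_addr"]
            and s["mcast_miss_encode_key"] == DEFAULTS["mcast_miss_encode_key"]):
        findings.append(("mcast_miss_encode_key",
                         "miss stream is enabled but still uses the placeholder default key"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_CONF):
        print(f"{name}: {reason}")
```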