git.ipfire.org Git - thirdparty/squid.git/blame_incremental - src/cf.data.pre
! is a shell extension not supported on all platforms.. use a dummy
#
# $Id: cf.data.pre,v 1.226 2001/10/01 12:46:13 hno Exp $
#
#
# SQUID Web Proxy Cache http://www.squid-cache.org/
# ----------------------------------------------------------
#
# Squid is the result of efforts by numerous individuals from
# the Internet community; see the CONTRIBUTORS file for full
# details. Many organizations have provided support for Squid's
# development; see the SPONSORS file for full details. Squid is
# Copyrighted (C) 2000 by the Regents of the University of
# California; see the COPYRIGHT file for full details. Squid
# incorporates software developed and/or copyrighted by other
# sources; see the CREDITS file for full details.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
#

COMMENT_START
 WELCOME TO SQUID 2
 ------------------

 This is the default Squid configuration file. You may wish
 to look at the Squid home page (http://www.squid-cache.org/)
 for the FAQ and other documentation.

 The default Squid config file shows what the defaults for
 various options happen to be. If you don't need to change the
 default, you shouldn't uncomment the line. Doing so may cause
 run-time problems. In some cases "none" refers to no default
 setting at all, while in other cases it refers to a valid
 option - the comments for that keyword indicate if this is the
 case.

COMMENT_END

COMMENT_START
 NETWORK OPTIONS
 -----------------------------------------------------------------------------
COMMENT_END

NAME: http_port ascii_port
TYPE: sockaddr_in_list
DEFAULT: none
DEFAULT_IF_NONE: 3128
LOC: Config.Sockaddr.http
DOC_START
 Usage: port
        hostname:port
        1.2.3.4:port

 The socket addresses where Squid will listen for HTTP client
 requests. You may specify multiple socket addresses.
 There are three forms: port alone, hostname with port, and
 IP address with port. If you specify a hostname or IP
 address, then Squid binds the socket to that specific
 address. This replaces the old 'tcp_incoming_address'
 option. Most likely, you do not need to bind to a specific
 address, so you can use the port number alone.

 The default port number is 3128.

 If you are running Squid in accelerator mode, then you
 probably want to listen on port 80 also, or instead.

 The -a command line option will override the *first* port
 number listed here. That option will NOT override an IP
 address, however.

 You may specify multiple socket addresses on multiple lines.
DOC_END

NAME: https_port
IFDEF: USE_SSL
TYPE: https_port_list
DEFAULT: none
LOC: Config.Sockaddr.https
DOC_START
 Usage: [ip:]port cert=certificate.pem [key=key.pem]

 The socket address where Squid will listen for HTTPS client
 requests.

 This is really only useful for situations where you are running
 squid in accelerator mode and you want to do the SSL work at the
 accelerator level.

 If key is not specified then the given certificate is assumed to be a
 combined certificate and key file.

 You may specify multiple socket addresses on multiple lines,
 each with their own SSL certificate.
DOC_END

NAME: ssl_version
IFDEF: USE_SSL
TYPE: int
DEFAULT: 1
LOC: Config.SSL.version
DOC_START
 Determines the version of SSL/TLS used.
   1: SSLv2/SSLv3
   2: SSLv2 only
   3: SSLv3 only
   4: TLSv1
DOC_END


NAME: icp_port udp_port
TYPE: ushort
DEFAULT: 3130
LOC: Config.Port.icp
DOC_START
 The port number where Squid sends and receives ICP queries to
 and from neighbor caches. Default is 3130. To disable use
 "0". May be overridden with -u on the command line.
DOC_END

NAME: htcp_port
IFDEF: USE_HTCP
TYPE: ushort
DEFAULT: 4827
LOC: Config.Port.htcp
DOC_START
 The port number where Squid sends and receives HTCP queries to
 and from neighbor caches. Default is 4827. To disable use
 "0".

 To enable this option, you must use --enable-htcp with the
 configure script.
DOC_END


NAME: mcast_groups
TYPE: wordlist
LOC: Config.mcast_group_list
DEFAULT: none
DOC_START
 This tag specifies a list of multicast groups which your server
 should join to receive multicasted ICP queries.

 NOTE! Be very careful what you put here! Be sure you
 understand the difference between an ICP _query_ and an ICP
 _reply_. This option is to be set only if you want to RECEIVE
 multicast queries. Do NOT set this option to SEND multicast
 ICP (use cache_peer for that). ICP replies are always sent via
 unicast, so this option does not affect whether or not you will
 receive replies from multicast group members.

 You must be very careful to NOT use a multicast address which
 is already in use by another group of caches.

 If you are unsure about multicast, please read the Multicast
 chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).

 Usage: mcast_groups 239.128.16.128 224.0.1.20

 By default, Squid doesn't listen on any multicast groups.
DOC_END


NAME: tcp_outgoing_address outbound_address
TYPE: address
LOC: Config.Addrs.tcp_outgoing
DEFAULT: 255.255.255.255
DOC_NONE

NAME: udp_incoming_address
TYPE: address
LOC: Config.Addrs.udp_incoming
DEFAULT: 0.0.0.0
DOC_NONE

NAME: udp_outgoing_address
TYPE: address
LOC: Config.Addrs.udp_outgoing
DEFAULT: 255.255.255.255
DOC_START
 Usage: tcp_outgoing_address 10.20.30.40
        udp_outgoing_address fully.qualified.domain.name

 tcp_outgoing_address is used for connections made to remote
 servers and other caches.
 udp_incoming_address is used for the ICP socket receiving packets
 from other caches.
 udp_outgoing_address is used for ICP packets sent out to other
 caches.

 The default behavior is to not bind to any specific address.

 A *_incoming_address value of 0.0.0.0 indicates that Squid should
 listen on all available interfaces.

 If udp_outgoing_address is set to 255.255.255.255 (the default)
 then it will use the same socket as udp_incoming_address. Only
 change this if you want to have ICP queries sent using another
 address than where this Squid listens for ICP queries from other
 caches.

 NOTE, udp_incoming_address and udp_outgoing_address cannot
 have the same value since they both use port 3130.

 NOTE, tcp_incoming_address has been removed. You can now
 specify IP addresses on the 'http_port' line.
DOC_END

COMMENT_START
 OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
 -----------------------------------------------------------------------------
COMMENT_END

NAME: cache_peer
TYPE: peer
DEFAULT: none
LOC: Config.peers
DOC_START
 To specify other caches in a hierarchy, use the format:

   cache_peer hostname type http_port icp_port

 For example,

 #                                        proxy  icp
 #          hostname             type     port   port  options
 #          -------------------- -------- ----- -----  -----------
 cache_peer parent.foo.net       parent    3128  3130  [proxy-only]
 cache_peer sib1.foo.net         sibling   3128  3130  [proxy-only]
 cache_peer sib2.foo.net         sibling   3128  3130  [proxy-only]

 type: either 'parent', 'sibling', or 'multicast'.

 proxy_port: The port number where the cache listens for proxy
             requests.

 icp_port: Used for querying neighbor caches about
           objects. To have a non-ICP neighbor
           specify '7' for the ICP port and make sure the
           neighbor machine has the UDP echo port
           enabled in its /etc/inetd.conf file.

 options: proxy-only
          weight=n
          ttl=n
          no-query
          default
          round-robin
          multicast-responder
          closest-only
          no-digest
          no-netdb-exchange
          no-delay
          login=user:password | PASS | *:password
          connect-timeout=nn
          digest-url=url
          allow-miss
          max-conn

          use 'proxy-only' to specify that objects fetched
          from this cache should not be saved locally.

          use 'weight=n' to specify a weighted parent.
          The weight must be an integer. The default weight
          is 1, larger weights are favored more.

          use 'ttl=n' to specify an IP multicast TTL to use
          when sending ICP queries to this address.
          Only useful when sending to a multicast group.
          Because we don't accept ICP replies from random
          hosts, you must configure other group members as
          peers with the 'multicast-responder' option below.

          use 'no-query' to NOT send ICP queries to this
          neighbor.

          use 'default' if this is a parent cache which can
          be used as a "last-resort." You should probably
          only use 'default' in situations where you cannot
          use ICP with your parent cache(s).

          use 'round-robin' to define a set of parents which
          should be used in a round-robin fashion in the
          absence of any ICP queries.

          'multicast-responder' indicates that the named peer
          is a member of a multicast group. ICP queries will
          not be sent directly to the peer, but ICP replies
          will be accepted from it.

          'closest-only' indicates that, for ICP_OP_MISS
          replies, we'll only forward CLOSEST_PARENT_MISSes
          and never FIRST_PARENT_MISSes.

          use 'no-digest' to NOT request cache digests from
          this neighbor.

          'no-netdb-exchange' disables requesting ICMP
          RTT database (NetDB) from the neighbor.

          use 'no-delay' to prevent access to this neighbor
          from influencing the delay pools.

          use 'login=user:password' if this is a personal/workgroup
          proxy and your parent requires proxy authentication.
          Note: The string can include URL escapes (e.g. %20 for
          spaces). This also means that % must be written as %%.

          use 'login=PASS' if users must authenticate against
          the upstream proxy. Note: To combine this with
          proxy_auth both proxies must share the same user
          database as HTTP only allows for one proxy login.
          Also be warned that this will expose your users' proxy
          passwords to the parent. USE WITH CAUTION.

          use 'login=*:password' to pass the username to the
          upstream cache, but with a fixed password. This is meant
          to be used when the peer is in another administrative
          domain, but it is still needed to identify each user.
          The star can optionally be followed by some extra
          information which is added to the username. This can
          be used to identify this proxy to the peer, similar to
          the login=username:password option above.

          use 'connect-timeout=nn' to specify a peer
          specific connect timeout (also see the
          peer_connect_timeout directive)

          use 'digest-url=url' to tell Squid to fetch the cache
          digest (if digests are enabled) for this host from
          the specified URL rather than the Squid default
          location.

          use 'allow-miss' to disable Squid's use of only-if-cached
          when forwarding requests to siblings. This is primarily
          useful when icp_hit_stale is used by the sibling. Too
          extensive use of this option may result in forwarding
          loops, and you should avoid having two-way peerings
          with this option. (for example to deny peer usage on
          requests from peer by denying cache_peer_access if the
          source is a peer)

          use 'max-conn' to limit the number of connections Squid
          may open to this peer.

 NOTE: non-ICP neighbors must be specified as 'parent'.
DOC_END
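
The cache_peer rules documented above can be checked mechanically: login=PASS exposes users' proxy passwords to the parent, % must be written as %% in login strings, allow-miss on a sibling risks forwarding loops, and non-ICP neighbors (ICP port 7) must be parents. The following audit is an added example, not part of Squid or of this file; the finding codes, the 'embedded-password' check and the hosts up.foo.net and ext.foo.net are assumptions of the example.

```python
import re

PEER_TYPES = {"parent", "sibling", "multicast"}
# A login string may carry URL escapes, so a literal % must be written %%.
VALID_ESCAPE = re.compile(r"%%|%[0-9A-Fa-f]{2}")

# Constructed sample. parent.foo.net and sib*.foo.net come from the example
# in the cache_peer documentation; up.foo.net and ext.foo.net are made up.
SAMPLE = """\
# constructed squid.conf fragment
cache_peer parent.foo.net parent 3128 3130 proxy-only default
cache_peer up.foo.net parent 3128 7 no-query login=PASS
cache_peer sib1.foo.net sibling 3128 3130 allow-miss
cache_peer sib2.foo.net sibling 3128 7 login=proxy1:50%off
cache_peer ext.foo.net parent 3128 3130 login=*:s3cret%%21
"""


def parse_cache_peer(line):
    """Return the fields of one cache_peer line, or None for any other line."""
    words = line.split()
    if len(words) < 5 or words[0] != "cache_peer":
        return None
    if not (words[3].isdigit() and words[4].isdigit()):
        return None
    options = {}
    for word in words[5:]:
        key, _, value = word.partition("=")
        options[key] = value
    return {"host": words[1], "type": words[2],
            "http_port": int(words[3]), "icp_port": int(words[4]),
            "options": options}


def audit_peer(peer):
    """Yield (code, message) findings for one parsed peer."""
    opts = peer["options"]
    if peer["type"] not in PEER_TYPES:
        yield "bad-type", "type must be 'parent', 'sibling' or 'multicast'"
    if peer["icp_port"] == 7 and peer["type"] != "parent":
        yield "non-icp-not-parent", "non-ICP neighbors must be 'parent'"
    if "allow-miss" in opts and peer["type"] == "sibling":
        yield "allow-miss", "may cause forwarding loops; avoid two-way peerings"
    login = opts.get("login")
    if login is None:
        return
    if login == "PASS":
        yield "login-pass", "users' proxy passwords are sent to this parent"
        return
    _user, sep, password = login.partition(":")
    if not sep or not password:
        yield "login-malformed", "expected user:password, PASS or *:password"
    else:
        # Assumption of this example: a fixed peer password in squid.conf
        # means the file itself must be protected from other local users.
        yield "embedded-password", "config holds a peer password; restrict file access"
    # Anything left after removing valid escapes is a stray, unescaped %.
    if "%" in VALID_ESCAPE.sub("", login):
        yield "login-bad-escape", "literal % in login must be written as %%"


def audit(text):
    """Return (line number, host, code, message) for every finding in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        peer = parse_cache_peer(line)
        if peer is None:
            continue
        for code, message in audit_peer(peer):
            findings.append((lineno, peer["host"], code, message))
    return findings


if __name__ == "__main__":
    for lineno, host, code, message in audit(SAMPLE):
        print(f"line {lineno}: {host}: {code}: {message}")
```
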

NAME: cache_peer_domain cache_host_domain
TYPE: hostdomain
DEFAULT: none
LOC: none
DOC_START
 Use to limit the domains for which a neighbor cache will be
 queried. Usage:

 cache_peer_domain cache-host domain [domain ...]
 cache_peer_domain cache-host !domain

 For example, specifying

 cache_peer_domain parent.foo.net .edu

 has the effect that UDP query packets are sent to
 'bigserver' only when the requested object exists on a
 server in the .edu domain. Prefixing the domain name
 with '!' means that the cache will be queried for objects
 NOT in that domain.

 NOTE: * Any number of domains may be given for a cache-host,
         either on the same or separate lines.
       * When multiple domains are given for a particular
         cache-host, the first matched domain is applied.
       * Cache hosts with no domain restrictions are queried
         for all requests.
       * There are no defaults.
       * There is also a 'cache_peer_access' tag in the ACL
         section.
DOC_END


NAME: neighbor_type_domain
TYPE: hostdomaintype
DEFAULT: none
LOC: none
DOC_START
 usage: neighbor_type_domain neighbor parent|sibling domain domain ...

 Modifying the neighbor type for specific domains is now
 possible. You can treat some domains differently than the
 default neighbor type specified on the 'cache_peer' line.
 Normally it should only be necessary to list domains which
 should be treated differently because the default neighbor type
 applies for hostnames which do not match domains listed here.

EXAMPLE:
 cache_peer cache.foo.org parent 3128 3130
 neighbor_type_domain cache.foo.org sibling .com .net
 neighbor_type_domain cache.foo.org sibling .au .de
DOC_END

NAME: icp_query_timeout
COMMENT: (msec)
DEFAULT: 0
TYPE: int
LOC: Config.Timeout.icp_query
DOC_START
 Normally Squid will automatically determine an optimal ICP
 query timeout value based on the round-trip-time of recent ICP
 queries. If you want to override the value determined by
 Squid, set this 'icp_query_timeout' to a non-zero value. This
 value is specified in MILLISECONDS, so, to use a 2-second
 timeout (the old default), you would write:

 icp_query_timeout 2000
DOC_END

NAME: maximum_icp_query_timeout
COMMENT: (msec)
DEFAULT: 2000
TYPE: int
LOC: Config.Timeout.icp_query_max
DOC_START
 Normally the ICP query timeout is determined dynamically. But
 sometimes it can lead to very large values (say 5 seconds).
 Use this option to put an upper limit on the dynamic timeout
 value. Do NOT use this option to always use a fixed (instead
 of a dynamic) timeout value. To set a fixed timeout see the
 'icp_query_timeout' directive.
DOC_END

NAME: mcast_icp_query_timeout
COMMENT: (msec)
DEFAULT: 2000
TYPE: int
LOC: Config.Timeout.mcast_icp_query
DOC_START
 For Multicast peers, Squid regularly sends out ICP "probes" to
 count how many other peers are listening on the given multicast
 address. This value specifies how long Squid should wait to
 count all the replies. The default is 2000 msec, or 2
 seconds.
DOC_END

NAME: dead_peer_timeout
COMMENT: (seconds)
DEFAULT: 10 seconds
TYPE: time_t
LOC: Config.Timeout.deadPeer
DOC_START
 This controls how long Squid waits to declare a peer cache
 as "dead." If there are no ICP replies received in this
 amount of time, Squid will declare the peer dead and not
 expect to receive any further ICP replies. However, it
 continues to send ICP queries, and will mark the peer as
 alive upon receipt of the first subsequent ICP reply.

 This timeout also affects when Squid expects to receive ICP
 replies from peers. If more than 'dead_peer_timeout' seconds have
 passed since the last ICP reply was received, Squid will not
 expect to receive an ICP reply on the next query. Thus, if
 your time between requests is greater than this timeout, you
 will see a lot of requests sent DIRECT to origin servers
 instead of to your parents.
DOC_END


NAME: hierarchy_stoplist
TYPE: wordlist
DEFAULT: none
LOC: Config.hierarchy_stoplist
DOC_START
 A list of words which, if found in a URL, cause the object to
 be handled directly by this cache. In other words, use this
 to not query neighbor caches for certain objects. You may
 list this option multiple times.
NOCOMMENT_START
#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
NOCOMMENT_END
DOC_END


NAME: no_cache
TYPE: acl_access
DEFAULT: none
LOC: Config.accessList.noCache
DOC_START
 A list of ACL elements which, if matched, cause the reply to
 be immediately removed from the cache. In other words, use this
 to force certain objects to never be cached.

 You must use the word 'DENY' to indicate the ACL names which should
 NOT be cached.

NOCOMMENT_START
#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
NOCOMMENT_END
DOC_END


COMMENT_START
 OPTIONS WHICH AFFECT THE CACHE SIZE
 -----------------------------------------------------------------------------
COMMENT_END

NAME: cache_mem
COMMENT: (bytes)
TYPE: b_size_t
DEFAULT: 8 MB
LOC: Config.memMaxSize
DOC_START
 NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS
 SIZE. IT PLACES A LIMIT ON ONE ASPECT OF SQUID'S MEMORY
 USAGE. SQUID USES MEMORY FOR OTHER THINGS AS WELL.
 YOUR PROCESS WILL PROBABLY BECOME TWICE OR THREE TIMES
 BIGGER THAN THE VALUE YOU PUT HERE.

 'cache_mem' specifies the ideal amount of memory to be used
 for:
   * In-Transit objects
   * Hot Objects
   * Negative-Cached objects

 Data for these objects are stored in 4 KB blocks. This
 parameter specifies the ideal upper limit on the total size of
 4 KB blocks allocated. In-Transit objects take the highest
 priority.

 In-transit objects have priority over the others. When
 additional space is needed for incoming data, negative-cached
 and hot objects will be released. In other words, the
 negative-cached and hot objects will fill up any unused space
 not needed for in-transit objects.

 If circumstances require, this limit will be exceeded.
 Specifically, if your incoming request rate requires more than
 'cache_mem' of memory to hold in-transit objects, Squid will
 exceed this limit to satisfy the new requests. When the load
 decreases, blocks will be freed until the high-water mark is
 reached. Thereafter, blocks will be used to store hot
 objects.
DOC_END


NAME: cache_swap_low
COMMENT: (percent, 0-100)
TYPE: int
DEFAULT: 90
LOC: Config.Swap.lowWaterMark
DOC_NONE

NAME: cache_swap_high
COMMENT: (percent, 0-100)
TYPE: int
DEFAULT: 95
LOC: Config.Swap.highWaterMark
DOC_START

 The low- and high-water marks for cache object replacement.
 Replacement begins when the swap (disk) usage is above the
 low-water mark and attempts to maintain utilization near the
 low-water mark. As swap utilization gets close to the high-water
 mark, object eviction becomes more aggressive. If utilization is
 close to the low-water mark, less replacement is done each time.

 Defaults are 90% and 95%. If you have a large cache, 5% could be
 hundreds of MB. If this is the case you may wish to set these
 numbers closer together.
DOC_END

NAME: maximum_object_size
COMMENT: (bytes)
TYPE: b_size_t
DEFAULT: 4096 KB
LOC: Config.Store.maxObjectSize
DOC_START
 Objects larger than this size will NOT be saved on disk. The
 value is specified in kilobytes, and the default is 4MB. If
 you wish to get a high BYTES hit ratio, you should probably
 increase this (one 32 MB object hit counts for 3200 10KB
 hits). If you wish to increase speed more than you want to
 save bandwidth you should leave this low.

 NOTE: if using the LFUDA replacement policy you should increase
 this value to maximize the byte hit rate improvement of LFUDA!
 See replacement_policy below for a discussion of this policy.
DOC_END

NAME: minimum_object_size
COMMENT: (bytes)
TYPE: b_size_t
DEFAULT: 0 KB
LOC: Config.Store.minObjectSize
DOC_START
 Objects smaller than this size will NOT be saved on disk. The
 value is specified in kilobytes, and the default is 0 KB, which
 means there is no minimum.
DOC_END

NAME: maximum_object_size_in_memory
COMMENT: (bytes)
TYPE: b_size_t
DEFAULT: 8 KB
LOC: Config.Store.maxInMemObjSize
DOC_START
 Squid will not attempt to keep objects greater than this size in
 the memory cache. This should be set high enough to keep objects
 accessed frequently in memory to improve performance whilst low
 enough to keep larger objects from hoarding cache_mem.
DOC_END

NAME: ipcache_size
COMMENT: (number of entries)
TYPE: int
DEFAULT: 1024
LOC: Config.ipcache.size
DOC_NONE

NAME: ipcache_low
COMMENT: (percent)
TYPE: int
DEFAULT: 90
LOC: Config.ipcache.low
DOC_NONE

NAME: ipcache_high
COMMENT: (percent)
TYPE: int
DEFAULT: 95
LOC: Config.ipcache.high
DOC_START
 The size, low-, and high-water marks for the IP cache.
DOC_END

NAME: fqdncache_size
COMMENT: (number of entries)
TYPE: int
DEFAULT: 1024
LOC: Config.fqdncache.size
DOC_START
 Maximum number of FQDN cache entries.
DOC_END

NAME: cache_replacement_policy
TYPE: removalpolicy
LOC: Config.replPolicy
DEFAULT: lru
DOC_START
 The cache replacement policy parameter determines which
 objects are evicted (replaced) when disk space is needed.

   lru       : Squid's original list based LRU policy
   heap GDSF : Greedy-Dual Size Frequency
   heap LFUDA: Least Frequently Used with Dynamic Aging
   heap LRU  : LRU policy implemented using a heap

 Applies to any cache_dir lines listed below this.

 The LRU policies keep recently referenced objects.

 The heap GDSF policy optimizes object hit rate by keeping smaller
 popular objects in cache so it has a better chance of getting a
 hit. It achieves a lower byte hit rate than LFUDA though since
 it evicts larger (possibly popular) objects.

 The heap LFUDA policy keeps popular objects in cache regardless of
 their size and thus optimizes byte hit rate at the expense of
 hit rate since one large, popular object will prevent many
 smaller, slightly less popular objects from being cached.

 Both policies utilize a dynamic aging mechanism that prevents
 cache pollution that can otherwise occur with frequency-based
 replacement policies.

 NOTE: if using the LFUDA replacement policy you should increase
 the value of maximum_object_size above its default of 4096 KB
 to maximize the potential byte hit rate improvement of LFUDA.

 For more information about the GDSF and LFUDA cache replacement
 policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
 and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
DOC_END

NAME: memory_replacement_policy
TYPE: removalpolicy
LOC: Config.memPolicy
DEFAULT: lru
DOC_START
 The memory replacement policy parameter determines which
 objects are purged from memory when memory space is needed.

 See cache_replacement_policy for details.
DOC_END


COMMENT_START
 LOGFILE PATHNAMES AND CACHE DIRECTORIES
 -----------------------------------------------------------------------------
COMMENT_END

NAME: cache_dir
TYPE: cachedir
DEFAULT: none
DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256
LOC: Config.cacheSwap
DOC_START
 Usage:

 cache_dir Type Directory-Name Fs-specific-data [options]

 cache_dir diskd Maxobjsize Directory-Name MB L1 L2 Q1 Q2

 You can specify multiple cache_dir lines to spread the
 cache among different disk partitions.

 Type specifies the kind of storage system to use. Most
 everyone will want to use "ufs" as the type. If you are using
 Async I/O (--enable async-io) on Linux or Solaris, then you may
 want to try "aufs" as the type. Async IO support may be
 buggy, however, so beware.

 'Directory' is a top-level directory where cache swap
 files will be stored. If you want to use an entire disk
 for caching, then this can be the mount-point directory.
 The directory must exist and be writable by the Squid
 process. Squid will NOT create this directory for you.

 The ufs store type:

 "ufs" is the old well-known Squid storage format that has always
 been there.

 cache_dir ufs Directory-Name Mbytes L1 L2 [options]

 'Mbytes' is the amount of disk space (MB) to use under this
 directory. The default is 100 MB. Change this to suit your
 configuration.

 'Level-1' is the number of first-level subdirectories which
 will be created under the 'Directory'. The default is 16.

 'Level-2' is the number of second-level subdirectories which
 will be created under each first-level directory. The default
 is 256.

 The aufs store type:

 "aufs" uses the same storage format as "ufs", utilizing
 POSIX-threads to avoid blocking the main Squid process on
 disk-I/O. This was formerly known in Squid as async-io.

 cache_dir aufs Directory-Name Mbytes L1 L2 [options]

 see argument descriptions under ufs above

 The diskd store type:

 "diskd" uses the same storage format as "ufs", utilizing a
 separate process to avoid blocking the main Squid process on
 disk-I/O.

 cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]

 see argument descriptions under ufs above

 Q1 specifies the number of unacknowledged I/O requests when Squid
 stops opening new files. If this many messages are in the queues,
 Squid won't open new files. Default is 64.

 Q2 specifies the number of unacknowledged messages when Squid
 starts blocking. If this many messages are in the queues,
 Squid blocks until it receives some replies. Default is 72.

 Common options:

 read-only, this cache_dir is read only.

 max-size=n, refers to the max object size this storedir supports.
 It is used to initially choose the storedir to dump the object.
 Note: To make optimal use of the max-size limits you should order
 the cache_dir lines with the smallest max-size value first and the
 ones with no max-size specification last.
DOC_END


NAME: cache_access_log
TYPE: string
DEFAULT: @DEFAULT_ACCESS_LOG@
LOC: Config.Log.access
DOC_START
 Logs the client request activity. Contains an entry for
 every HTTP and ICP query received. To disable, enter "none".
DOC_END


NAME: cache_log
TYPE: string
DEFAULT: @DEFAULT_CACHE_LOG@
LOC: Config.Log.log
DOC_START
 Cache logging file. This is where general information about
 your cache's behavior goes. You can increase the amount of data
 logged to this file with the "debug_options" tag below.
DOC_END


NAME: cache_store_log
TYPE: string
DEFAULT: @DEFAULT_STORE_LOG@
LOC: Config.Log.store
DOC_START
 Logs the activities of the storage manager. Shows which
 objects are ejected from the cache, and which objects are
 saved and for how long. To disable, enter "none". There are
 not really utilities to analyze this data, so you can safely
 disable it.
DOC_END


NAME: cache_swap_log
TYPE: string
LOC: Config.Log.swap
DEFAULT: none
DOC_START
 Location for the cache "swap.log." This log file holds the
 metadata of objects saved on disk. It is used to rebuild the
 cache during startup. Normally this file resides in each
 'cache_dir' directory, but you may specify an alternate
 pathname here. Note you must give a full filename, not just
 a directory. Since this is the index for the whole object
 list you CANNOT periodically rotate it!

 %s can be used in the file name, and it will be replaced with
 a representation of the cache_dir name where each / is replaced
 with '.'. This is needed to allow adding/removing cache_dir
 lines when cache_swap_log is being used.

 If you have more than one 'cache_dir', and %s is not used in the name
 then these swap logs will have names such as:

 cache_swap_log.00
 cache_swap_log.01
 cache_swap_log.02

 The numbered extension (which is added automatically)
 corresponds to the order of the 'cache_dir' lines in this
 configuration file. If you change the order of the 'cache_dir'
 lines in this file, then these log files will NOT correspond to
 the correct 'cache_dir' entry (unless you manually rename
 them). We recommend that you do NOT use this option. It is
 better to keep these log files in each 'cache_dir' directory.
DOC_END


NAME: emulate_httpd_log
871COMMENT: on|off
872TYPE: onoff
873DEFAULT: off
874LOC: Config.onoff.common_log
875DOC_START
876 The Cache can emulate the log file format which many 'httpd'
877 programs use. To disable/enable this emulation, set
878 emulate_httpd_log to 'off' or 'on'. The default
879 is to use the native log format since it includes useful
880 information that Squid-specific log analyzers use.
881DOC_END
882
883NAME: log_ip_on_direct
884COMMENT: on|off
885TYPE: onoff
886DEFAULT: on
887LOC: Config.onoff.log_ip_on_direct
888DOC_START
889 Log the destination IP address in the hierarchy log tag when going
890 direct. Earlier Squid versions logged the hostname here. If you
891 prefer the old way set this to off.
892DOC_END
893
894NAME: mime_table
895TYPE: string
896DEFAULT: @DEFAULT_MIME_TABLE@
897LOC: Config.mimeTablePathname
898DOC_START
899 Pathname to Squid's MIME table. You shouldn't need to change
900 this, but the default file contains examples and formatting
901 information if you do.
902DOC_END
903
904
905NAME: log_mime_hdrs
906COMMENT: on|off
907TYPE: onoff
908LOC: Config.onoff.log_mime_hdrs
909DEFAULT: off
910DOC_START
911 The Cache can record both the request and the response MIME
912 headers for each HTTP transaction. The headers are encoded
913 safely and will appear as two bracketed fields at the end of
914 the access log (for either the native or httpd-emulated log
915 formats). To enable this logging set log_mime_hdrs to 'on'.
916DOC_END
917
918
919NAME: useragent_log
920TYPE: string
921LOC: Config.Log.useragent
922DEFAULT: none
923IFDEF: USE_USERAGENT_LOG
924DOC_START
925 Squid will write the User-Agent field from HTTP requests
926 to the filename specified here. By default useragent_log
927 is disabled.
928DOC_END
929
930
931NAME: referer_log
932TYPE: string
933LOC: Config.Log.referer
934DEFAULT: none
935IFDEF: USE_REFERER_LOG
936DOC_START
937 Squid will write the Referer field from HTTP requests to the
938 filename specified here. By default referer_log is disabled.
939DOC_END
940
941
942NAME: pid_filename
943TYPE: string
944DEFAULT: @DEFAULT_PID_FILE@
945LOC: Config.pidFilename
946DOC_START
947 A filename to write the process-id to. To disable, enter "none".
948DOC_END
949
950
951NAME: debug_options
952TYPE: eol
953DEFAULT: ALL,1
954LOC: Config.debugOptions
955DOC_START
956 Logging options are set as section,level where each source file
957 is assigned a unique section. Lower levels result in less
958 output. Full debugging (level 9) can result in a very large
959 log file, so be careful. The magic word "ALL" sets debugging
960 levels for all sections. We recommend normally running with
961 "ALL,1".
962DOC_END
963
964
965NAME: log_fqdn
966COMMENT: on|off
967TYPE: onoff
968DEFAULT: off
969LOC: Config.onoff.log_fqdn
970DOC_START
971 Turn this on if you wish to log fully qualified domain names
972 in the access.log. To do this Squid does a DNS lookup of all
973 IP's connecting to it. This can (in some situations) increase
974 latency, which makes your cache seem slower for interactive
975 browsing.
976DOC_END
977
978
979NAME: client_netmask
980TYPE: address
981LOC: Config.Addrs.client_netmask
982DEFAULT: 255.255.255.255
983DOC_START
984 A netmask for client addresses in logfiles and cachemgr output.
985 Change this to protect the privacy of your cache clients.
986 A netmask of 255.255.255.0 will log all IP's in that range with
987 the last digit set to '0'.
988DOC_END
989
990
991COMMENT_START
992 OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
993 -----------------------------------------------------------------------------
994COMMENT_END
995
996NAME: ftp_user
997TYPE: string
998DEFAULT: Squid@
999LOC: Config.Ftp.anon_user
1000DOC_START
1001 If you want the anonymous login password to be more informative
1002 (and enable the use of picky ftp servers), set this to something
1003 reasonable for your domain, like wwwuser@somewhere.net
1004
1005 The reason why this is domainless by default is that the
1006 request can be made on the behalf of a user in any domain,
1007 depending on how the cache is used.
1008 Some ftp servers also validate that the email address is valid
1009 (for example perl.com).
1010DOC_END
1011
1012NAME: ftp_list_width
1013TYPE: size_t
1014DEFAULT: 32
1015LOC: Config.Ftp.list_width
1016DOC_START
1017 Sets the width of ftp listings. This should be set to fit in
1018 the width of a standard browser. Setting this too small
1019 can cut off long filenames when browsing ftp sites.
1020DOC_END
1021
1022NAME: ftp_passive
1023TYPE: onoff
1024DEFAULT: on
1025LOC: Config.Ftp.passive
1026DOC_START
1027 If your firewall does not allow Squid to use passive
1028 connections, then turn off this option.
1029DOC_END
1030
1031NAME: cache_dns_program
1032TYPE: string
1033IFDEF: USE_DNSSERVERS
1034DEFAULT: @DEFAULT_DNSSERVER@
1035LOC: Config.Program.dnsserver
1036DOC_START
1037 Specify the location of the executable for dnslookup process.
1038DOC_END
1039
1040NAME: dns_children
1041TYPE: int
1042IFDEF: USE_DNSSERVERS
1043DEFAULT: 5
1044LOC: Config.dnsChildren
1045DOC_START
1046 The number of processes spawned to service DNS name lookups.
1047 For heavily loaded caches on large servers, you should
1048 probably increase this value to at least 10. The maximum
1049 is 32. The default is 5.
1050
1051 You must have at least one dnsserver process.
1052DOC_END
1053
1054NAME: dns_retransmit_interval
1055TYPE: time_t
1056DEFAULT: 5 seconds
1057LOC: Config.Timeout.idns_retransmit
1058IFDEF: !USE_DNSSERVERS
1059DOC_START
1060 Initial retransmit interval for DNS queries. The interval is
1061 doubled each time all configured DNS servers have been tried.
1062
1063DOC_END
1064
1065NAME: dns_timeout
1066TYPE: time_t
1067DEFAULT: 5 minutes
1068LOC: Config.Timeout.idns_query
1069IFDEF: !USE_DNSSERVERS
1070DOC_START
1071 DNS Query timeout. If no response is received to a DNS query
1072 within this time then all DNS servers for the queried domain
1073 are assumed to be unavailable.
1074DOC_END
1075
1076NAME: dns_defnames
1077COMMENT: on|off
1078IFDEF: USE_DNSSERVERS
1079TYPE: onoff
1080DEFAULT: off
1081LOC: Config.onoff.res_defnames
1082IFDEF: USE_DNSSERVERS
1083DOC_START
1084 Normally the 'dnsserver' disables the RES_DEFNAMES resolver
1085 option (see res_init(3)). This prevents caches in a hierarchy
1086 from interpreting single-component hostnames locally. To allow
1087 dnsserver to handle single-component names, enable this
1088 option.
1089DOC_END
1090
1091NAME: dns_nameservers
1092TYPE: wordlist
1093DEFAULT: none
1094LOC: Config.dns_nameservers
1095DOC_START
1096 Use this if you want to specify a list of DNS name servers
1097 (IP addresses) to use instead of those given in your
1098 /etc/resolv.conf file.
1099
1100 Example: dns_nameservers 10.0.0.1 192.172.0.4
1101DOC_END
1102
1103NAME: hosts_file
1104TYPE: string
1105DEFAULT: /etc/hosts
1106LOC: Config.etcHostsPath
1107DOC_START
1108 Location of the host-local IP name-address associations
1109 database. Most Operating Systems have such a file: under
1110 Un*X it's by default in /etc/hosts. MS-Windows NT/2000 places
1111 that in %SystemRoot%(by default
1112 c:\winnt)\system32\drivers\etc\hosts, while Windows 9x/ME
1113 places that in %windir%(usually c:\windows)\hosts
1114
1115 The file contains newline-separated definitions, in the
1116 form ip_address_in_dotted_form name [name ...] names are
1117 whitespace-separated. Lines beginning with a hash (#)
1118 character are comments.
1119
1120 The file is checked at startup and upon configuration. If
1121 set to 'none', it won't be checked. If append_domain is
1122 used, that domain will be added to domain-local (i.e. not
1123 containing any dot character) host definitions.
1124DOC_END
1125
1126NAME: diskd_program
1127TYPE: string
1128DEFAULT: @DEFAULT_DISKD@
1129LOC: Config.Program.diskd
1130DOC_START
1131 Specify the location of the diskd executable.
1132 Note that this is only useful if you have compiled in
1133 diskd as one of the store io modules.
1134DOC_END
1135
1136NAME: unlinkd_program
1137IFDEF: USE_UNLINKD
1138TYPE: string
1139DEFAULT: @DEFAULT_UNLINKD@
1140LOC: Config.Program.unlinkd
1141DOC_START
1142 Specify the location of the executable for file deletion process.
1143DOC_END
1144
1145NAME: pinger_program
1146TYPE: string
1147DEFAULT: @DEFAULT_PINGER@
1148LOC: Config.Program.pinger
1149IFDEF: USE_ICMP
1150DOC_START
1151 Specify the location of the executable for the pinger process.
1152 This is only useful if you configured Squid (during compilation)
1153 with the '--enable-icmp' option.
1154DOC_END
1155
1156
1157NAME: redirect_program
1158TYPE: wordlist
1159LOC: Config.Program.redirect
1160DEFAULT: none
1161DOC_START
1162 Specify the location of the executable for the URL redirector.
1163 Since they can perform almost any function there isn't one included.
1164 See the FAQ (section 15) for information on how to write one.
1165 By default, a redirector is not used.
1166DOC_END
1167
1168
1169NAME: redirect_children
1170TYPE: int
1171DEFAULT: 5
1172LOC: Config.redirectChildren
1173DOC_START
1174 The number of redirector processes to spawn. If you start
1175 too few Squid will have to wait for them to process a backlog of
1176 URLs, slowing it down. If you start too many they will use RAM
1177 and other system resources.
1178DOC_END
1179
1180NAME: redirect_rewrites_host_header
1181TYPE: onoff
1182DEFAULT: on
1183LOC: Config.onoff.redir_rewrites_host
1184DOC_START
1185 By default Squid rewrites any Host: header in redirected
1186 requests. If you are running an accelerator then this may
1187 not be a wanted effect of a redirector.
1188DOC_END
1189
1190NAME: redirector_access
1191TYPE: acl_access
1192DEFAULT: none
1193LOC: Config.accessList.redirector
1194DOC_START
1195 If defined, this access list specifies which requests are
1196 sent to the redirector processes. By default all requests
1197 are sent.
1198DOC_END
1199
1200NAME: auth_param
1201TYPE: authparam
1202LOC: Config.authConfig
1203DEFAULT: none
1204DOC_START
1205 This is used to pass parameters to the various authentication
1206 schemes.
1207 format: auth_param scheme parameter [setting]
1208
1209 auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
1210 would tell the basic authentication scheme its program parameter.
1211
1212 The order that authentication prompts are presented to the client_agent
1213 is dependent on the order the scheme first appears in config file.
1214 IE has a bug (it's not rfc 2617 compliant) in that it will use the basic
1215 scheme if basic is the first entry presented, even if more secure schemes
1216 are presented. For now use the order in the file below. If other browsers
1217 have difficulties (don't recognise the schemes offered even if you are using
1218 basic) then either put basic first, or disable the other schemes (by commenting
1219 out their program entry).
1220
1221 Once an authentication scheme is fully configured, it can only be shut down
1222 by shutting squid down and restarting. Changes can be made on the fly and
1223 activated with a reconfigure, i.e. you can change to a different helper,
1224 but not unconfigure the helper completely.
1225
1226 === Parameters for the basic scheme follow. ===
1227
1228 "program" cmdline
1229 Specify the command for the external authenticator. Such a
1230 program reads a line containing "username password" and replies
1231 "OK" or "ERR" in an endless loop. If you use an authenticator,
1232 make sure you have 1 acl of type proxy_auth. By default, the
1233 authenticate_program is not used.
1234
1235 If you want to use the traditional proxy authentication,
1236 jump over to the ../auth_modules/NCSA directory and
1237 type:
1238 % make
1239 % make install
1240
1241 Then, set this line to something like
1242
1243 auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
1244
1245 "children" numberofchildren
1246 The number of authenticator processes to spawn (no default). If you
1247 start too few Squid will have to wait for them to process a backlog
1248 of usercode/password verifications, slowing it down. When password
1249 verifications are done via a (slow) network you are likely to need
1250 lots of authenticator processes.
1251 auth_param basic children 5
1252
1253 "realm" realmstring
1254 Specifies the realm name which is to be reported to the client for
1255 the basic proxy authentication scheme (part of the text the user will
1256 see when prompted for their username and password). There is no default.
1257 auth_param basic realm Squid proxy-caching web server
1258
1259 "credentialsttl" timetolive
1260 Specifies how long squid assumes an externally validated username:password
1261 pair is valid for - in other words how often the helper program is called
1262 for that user. Set this low to force revalidation with short lived passwords.
1263 Note that setting this high does not impact your susceptibility to replay
1264 attacks unless you are using a one-time password system (such as SecurID).
1265 If you are using such a system, you will be vulnerable to replay attacks
1266 unless you also enable the IP ttl is strict option.
1267
1268 === Parameters for the digest scheme follow ===
1269
1270 "program" cmdline
1271 Specify the command for the external authenticator. Such a
1272 program reads a line containing "username":"realm" and replies
1273 with the appropriate H(A1) value base64 encoded. See rfc 2616 for
1274 the definition of H(A1). If you use an authenticator,
1275 make sure you have 1 acl of type proxy_auth. By default,
1276 authentication is not used.
1277
1278 If you want to build an authenticator,
1279 jump over to the ../digest_auth_modules directory and choose the
1280 authenticator to use. In its directory type
1281 % make
1282 % make install
1283
1284 Then, set this line to something like
1285
1286 auth_param digest program @DEFAULT_PREFIX@/bin/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass
1287
1288
1289 "children" numberofchildren
1290 The number of authenticator processes to spawn (no default). If you
1291 start too few Squid will have to wait for them to process a backlog
1292 of H(A1) calculations, slowing it down. When the H(A1) calculations
1293 are done via a (slow) network you are likely to need lots of
1294 authenticator processes.
1295 auth_param digest children 5
1296
1297 "realm" realmstring
1298 Specifies the realm name which is to be reported to the client for
1299 the digest proxy authentication scheme (part of the text the user will
1300 see when prompted for their username and password). There is no default.
1301 auth_param digest realm Squid proxy-caching web server
1302
1303 "nonce_garbage_interval" timeinterval
1304 Specifies the interval at which nonces that have been issued to client agents
1305 are checked for validity.
1306
1307 "nonce_max_duration" timeinterval
1308 Specifies the maximum length of time a given nonce will be valid for.
1309
1310 "nonce_max_count" number
1311 Specifies the maximum number of times a given nonce can be used.
1312
1313 === NTLM scheme options follow ===
1314
1315 "program" cmdline
1316 Specify the command for the external ntlm authenticator. Such a
1317 program reads a line containing the uuencoded NEGOTIATE and replies
1318 with the ntlm CHALLENGE, then waits for the response and answers with
1319 "OK" or "ERR" in an endless loop. If you use an ntlm authenticator,
1320 make sure you have 1 acl of type proxy_auth. By default, the
1321 ntlm authenticator_program is not used.
1322
1323 auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
1324
1325 "children" numberofchildren
1326 The number of authenticator processes to spawn (no default). If you
1327 start too few Squid will have to wait for them to process a backlog
1328 of credential verifications, slowing it down. When credential
1329 verifications are done via a (slow) network you are likely to need
1330 lots of authenticator processes.
1331 auth_param ntlm children 5
1332
1333 "max_challenge_reuses" number
1334 The maximum number of times a challenge given by a ntlm authentication
1335 helper can be reused. Increasing this number increases your exposure
1336 to replay attacks on your network. 0 means use the challenge only once.
1337 (disable challenge caching)
1338 See max_ntlm_challenge_lifetime for more information.
1339 auth_param ntlm max_challenge_reuses 0
1340
1341 "max_challenge_lifetime" timespan
1342 The maximum time period that a ntlm challenge is reused over.
1343 The actual period will be the minimum of this time AND the number of
1344 reused challenges.
1345 auth_param ntlm max_challenge_lifetime 2 minutes
1346
1347NOCOMMENT_START
1348#Recommended minimum configuration:
1349#auth_param digest program <uncomment and complete this line>
1350#auth_param digest children 5
1351#auth_param digest realm Squid proxy-caching web server
1352#auth_param digest nonce_garbage_interval 5 minutes
1353#auth_param digest nonce_max_duration 30 minutes
1354#auth_param digest nonce_max_count 50
1355#auth_param ntlm program <uncomment and complete this line to activate>
1356#auth_param ntlm children 5
1357#auth_param ntlm max_challenge_reuses 0
1358#auth_param ntlm max_challenge_lifetime 2 minutes
1359#auth_param basic program <uncomment and complete this line>
1360auth_param basic children 5
1361auth_param basic realm Squid proxy-caching web server
1362auth_param basic credentialsttl 2 hours
1363NOCOMMENT_END
1364DOC_END
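
The line protocol described above for the basic scheme's "program" parameter, as an added example (not Squid's ncsa_auth and not code from this file): a helper reads one "username password" line, answers OK or ERR, and loops until end of input. The PBKDF2 credential store, the sample user and all function names are assumptions made for the example.

```python
"""Basic-scheme authenticator sketch: one 'username password' line in, OK/ERR out."""
import hashlib
import hmac
import io
import os
import sys

ITERATIONS = 100_000  # assumption: PBKDF2 work factor picked for this example


def hash_password(password, salt):
    """Derive the stored verifier for a password (never store the password itself)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_store(plain):
    """Build {user: (salt, digest)} from {user: password}.

    Stands in for a real password file; its format is hypothetical and is not
    the format read by any helper shipped with Squid.
    """
    store = {}
    for user, password in plain.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store


# Record used for unknown users so they cost the same work as known ones.
_DUMMY = (b"\x00" * 16, os.urandom(32))

# Constructed sample credentials, for demonstration only.
SAMPLE_STORE = make_store({"alice": "s3cret-example"})


def check_line(line, store):
    """Return 'OK' or 'ERR' for one request line of the form 'username password'."""
    line = line.rstrip("\r\n")
    user, sep, password = line.partition(" ")
    if not sep or not user or not password:
        return "ERR"  # malformed request: fail closed
    salt, expected = store.get(user, _DUMMY)
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    return "OK" if (matches and user in store) else "ERR"


def serve(inp, out, store):
    """Answer every request line until the parent closes the pipe."""
    for line in inp:
        out.write(check_line(line, store) + "\n")
        out.flush()  # reply immediately: the caller waits for each answer


if __name__ == "__main__":
    # errors="replace" keeps a malformed byte sequence from killing the helper.
    stdin = io.TextIOWrapper(sys.stdin.buffer, encoding="utf-8", errors="replace")
    serve(stdin, sys.stdout, SAMPLE_STORE)
```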
1365
1366NAME: authenticate_cache_garbage_interval
1367TYPE: time_t
1368DEFAULT: 1 hour
1369LOC: Config.authenticateGCInterval
1370DOC_START
1371 The time period between garbage collection across the username cache.
1372 This is a tradeoff between memory utilisation (long intervals - say
1373 2 days) and CPU (short intervals - say 1 minute). Only change if
1374 you have good reason to.
1375DOC_END
1376
1377NAME: authenticate_ttl
1378TYPE: time_t
1379DEFAULT: 1 hour
1380LOC: Config.authenticateTTL
1381DOC_START
1382 The time a user & their credentials stay in the logged in user cache
1383 since their last request. When the garbage interval passes, all
1384 user credentials that have passed their TTL are removed from memory.
1385DOC_END
1386
1387NAME: authenticate_ip_ttl
1388TYPE: time_t
1389LOC: Config.authenticateIpTTL
1390DEFAULT: 0 seconds
1391DOC_START
1392 With this option you control how long a proxy authentication
1393 will be bound to a specific IP address. If a request using
1394 the same user name is received during this time then access
1395 will be denied and both users are required to reauthenticate
1396 themselves. The idea behind this is to make it annoying
1397 for people to share their password with their friends, but
1398 yet allow a dialup user to reconnect on a different dialup
1399 port.
1400
1401 The default is 0 to disable the check. Recommended value
1402 if you have dialup users is no more than 60 seconds to allow
1403 the user to redial without hassle. If all your users are
1404 stationary then higher values may be used.
1405
1406 See also the acl max_user_ip.
1407DOC_END
1408
1409COMMENT_START
1410 OPTIONS FOR TUNING THE CACHE
1411 -----------------------------------------------------------------------------
1412COMMENT_END
1413
1414NAME: wais_relay_host
1415TYPE: string
1416DEFAULT: none
1417LOC: Config.Wais.relayHost
1418DOC_NONE
1419
1420NAME: wais_relay_port
1421TYPE: ushort
1422DEFAULT: 0
1423LOC: Config.Wais.relayPort
1424DOC_START
1425 Relay WAIS request to host (1st arg) at port (2nd arg).
1426DOC_END
1427
1428
1429NAME: request_header_max_size
1430COMMENT: (KB)
1431TYPE: b_size_t
1432DEFAULT: 10 KB
1433LOC: Config.maxRequestHeaderSize
1434DOC_START
1435 This specifies the maximum size for HTTP headers in a request.
1436 Request headers are usually relatively small (about 512 bytes).
1437 Placing a limit on the request header size will catch certain
1438 bugs (for example with persistent connections) and possibly
1439 buffer-overflow or denial-of-service attacks.
1440DOC_END
1441
1442NAME: request_body_max_size
1443COMMENT: (KB)
1444TYPE: b_size_t
1445DEFAULT: 1 MB
1446LOC: Config.maxRequestBodySize
1447DOC_START
1448 This specifies the maximum size for an HTTP request body.
1449 In other words, the maximum size of a PUT/POST request.
1450 A user who attempts to send a request with a body larger
1451 than this limit receives an "Invalid Request" error message.
1452 If you set this parameter to zero, there will be no limit
1453 imposed.
1454DOC_END
1455
1456NAME: refresh_pattern
1457TYPE: refreshpattern
1458LOC: Config.Refresh
1459DEFAULT: none
1460DEFAULT_IF_NONE: ^ftp: 1440 20% 10080
1461DEFAULT_IF_NONE: ^gopher: 1440 0% 1440
1462DEFAULT_IF_NONE: . 0 20% 4320
1463DOC_START
1464 usage: refresh_pattern [-i] regex min percent max [options]
1465
1466 By default, regular expressions are CASE-SENSITIVE. To make
1467 them case-insensitive, use the -i option.
1468
1469 'Min' is the time (in minutes) an object without an explicit
1470 expiry time should be considered fresh. The recommended
1471 value is 0, any higher values may cause dynamic applications
1472 to be erroneously cached unless the application designer
1473 has taken the appropriate actions.
1474
1475 'Percent' is a percentage of the object's age (time since last
1476 modification age) an object without explicit expiry time
1477 will be considered fresh.
1478
1479 'Max' is an upper limit on how long objects without an explicit
1480 expiry time will be considered fresh.
1481
1482 options: override-expire
1483 override-lastmod
1484 reload-into-ims
1485 ignore-reload
1486
1487 override-expire enforces min age even if the server
1488 sent an Expires: header. Doing this VIOLATES the HTTP
1489 standard. Enabling this feature could make you liable
1490 for problems which it causes.
1491
1492 override-lastmod enforces min age even on objects
1493 that were modified recently.
1494
1495 reload-into-ims changes client no-cache or ``reload''
1496 to If-Modified-Since requests. Doing this VIOLATES the
1497 HTTP standard. Enabling this feature could make you
1498 liable for problems which it causes.
1499
1500 ignore-reload ignores a client no-cache or ``reload''
1501 header. Doing this VIOLATES the HTTP standard. Enabling
1502 this feature could make you liable for problems which
1503 it causes.
1504
1505 Please see the file doc/Release-Notes-1.1.txt for a full
1506 description of Squid's refresh algorithm. Basically a
1507 cached object is: (the order is changed from 1.1.X)
1508
1509 FRESH if expires < now, else STALE
1510 STALE if age > max
1511 FRESH if lm-factor < percent, else STALE
1512 FRESH if age < min
1513 else STALE
1514
1515 The refresh_pattern lines are checked in the order listed here.
1516 The first entry which matches is used. If none of the entries
1517 match, then the default will be used.
1518
1519 Note, you must uncomment all the default lines if you want
1520 to change one. The default setting is only active if none is
1521 used.
1522DOC_END
1523
1524NAME: reference_age
1525TYPE: time_t
1526LOC: Config.referenceAge
1527DEFAULT: 1 year
1528DOC_START
1529 As a part of normal operation, Squid performs Least Recently
1530 Used removal of cached objects. The LRU age for removal is
1531 computed dynamically, based on the amount of disk space in
1532 use. The dynamic value can be seen in the Cache Manager 'info'
1533 output.
1534
1535 The 'reference_age' parameter defines the maximum LRU age. For
1536 example, setting reference_age to '1 week' will cause objects
1537 to be removed if they have not been accessed for a week or
1538 more. The default value is one year.
1539
1540 Specify a number here, followed by units of time. For example:
1541 1 week
1542 3.5 days
1543 4 months
1544 2.2 hours
1545
1546 NOTE: this parameter is not used when using the enhanced
1547 replacement policies, GDSF or LFUDA.
1548DOC_END
1549
1550
1551NAME: quick_abort_min
1552COMMENT: (KB)
1553TYPE: kb_size_t
1554DEFAULT: 16 KB
1555LOC: Config.quickAbort.min
1556DOC_NONE
1557
1558NAME: quick_abort_max
1559COMMENT: (KB)
1560TYPE: kb_size_t
1561DEFAULT: 16 KB
1562LOC: Config.quickAbort.max
1563DOC_NONE
1564
1565NAME: quick_abort_pct
1566COMMENT: (percent)
1567TYPE: int
1568DEFAULT: 95
1569LOC: Config.quickAbort.pct
1570DOC_START
1571 The cache can be configured to continue downloading aborted
1572 requests. This may be undesirable on slow (e.g. SLIP) links
1573 and/or very busy caches. Impatient users may tie up file
1574 descriptors and bandwidth by repeatedly requesting and
1575 immediately aborting downloads.
1576
1577 When the user aborts a request, Squid will check the
1578 quick_abort values to the amount of data transferred until
1579 then.
1580
1581 If the transfer has less than 'quick_abort_min' KB remaining,
1582 it will finish the retrieval. Setting 'quick_abort_min' to -1
1583 will disable the quick_abort feature.
1584
1585 If the transfer has more than 'quick_abort_max' KB remaining,
1586 it will abort the retrieval.
1587
1588 If more than 'quick_abort_pct' of the transfer has completed,
1589 it will finish the retrieval.
1590DOC_END
1591
1592
1593NAME: negative_ttl
1594COMMENT: time-units
1595TYPE: time_t
1596LOC: Config.negativeTtl
1597DEFAULT: 5 minutes
1598DOC_START
1599 Time-to-Live (TTL) for failed requests. Certain types of
1600 failures (such as "connection refused" and "404 Not Found") are
1601 negatively-cached for a configurable amount of time. The
1602 default is 5 minutes. Note that this is different from
1603 negative caching of DNS lookups.
1604DOC_END
1605
1606
1607NAME: positive_dns_ttl
1608COMMENT: time-units
1609TYPE: time_t
1610LOC: Config.positiveDnsTtl
1611DEFAULT: 6 hours
1612DOC_START
1613 Time-to-Live (TTL) for positive caching of successful DNS lookups.
1614 Default is 6 hours (360 minutes). If you want to minimize the
1615 use of Squid's ipcache, set this to 1, not 0.
1616DOC_END
1617
1618
1619NAME: negative_dns_ttl
1620COMMENT: time-units
1621TYPE: time_t
1622LOC: Config.negativeDnsTtl
1623DEFAULT: 5 minutes
1624DOC_START
1625 Time-to-Live (TTL) for negative caching of failed DNS lookups.
1626DOC_END
1627
1628NAME: range_offset_limit
1629COMMENT: (bytes)
1630TYPE: b_size_t
1631LOC: Config.rangeOffsetLimit
1632DEFAULT: 0 KB
1633DOC_START
1634 Sets an upper limit on how far into the file a Range request
1635 may be to cause Squid to prefetch the whole file. If beyond this
1636 limit then Squid forwards the Range request as it is and the result
1637 is NOT cached.
1638
1639 This is to stop a far ahead range request (let's say start at 17MB)
1640 from making Squid fetch the whole object up to that point before
1641 sending anything to the client.
1642
1643 A value of -1 causes Squid to always fetch the object from the
1644 beginning so that it may cache the result. (2.0 style)
1645
1646 A value of 0 causes Squid to never fetch more than the
1647 client requested. (default)
1648DOC_END
1649
1650
1651COMMENT_START
1652 TIMEOUTS
1653 -----------------------------------------------------------------------------
1654COMMENT_END
1655
1656NAME: connect_timeout
1657COMMENT: time-units
1658TYPE: time_t
1659LOC: Config.Timeout.connect
1660DEFAULT: 2 minutes
1661DOC_START
1662 Some systems (notably Linux) can not be relied upon to properly
1663 time out connect(2) requests. Therefore the Squid process
1664 enforces its own timeout on server connections. This parameter
1665 specifies how long to wait for the connect to complete. The
1666 default is two minutes (120 seconds).
1667DOC_END
1668
1669NAME: peer_connect_timeout
1670COMMENT: time-units
1671TYPE: time_t
1672LOC: Config.Timeout.peer_connect
1673DEFAULT: 30 seconds
1674DOC_START
1675 This parameter specifies how long to wait for a pending TCP
1676 connection to a peer cache. The default is 30 seconds. You
1677 may also set different timeout values for individual neighbors
1678 with the 'connect-timeout' option on a 'cache_peer' line.
1679DOC_END
1680
1681NAME: siteselect_timeout
1682COMMENT: time-units
1683TYPE: time_t
1684LOC: Config.Timeout.siteSelect
1685DEFAULT: 4 seconds
1686DOC_START
1687 For URN to multiple URL's URL selection
1688DOC_END
1689
1690NAME: read_timeout
1691COMMENT: time-units
1692TYPE: time_t
1693LOC: Config.Timeout.read
1694DEFAULT: 15 minutes
1695DOC_START
1696 The read_timeout is applied on server-side connections. After
1697 each successful read(), the timeout will be extended by this
1698 amount. If no data is read again after this amount of time,
1699 the request is aborted and logged with ERR_READ_TIMEOUT. The
1700 default is 15 minutes.
1701DOC_END
1702
1703
1704NAME: request_timeout
1705TYPE: time_t
1706LOC: Config.Timeout.request
1707DEFAULT: 30 seconds
1708DOC_START
1709 How long to wait for an HTTP request after connection
1710 establishment. For persistent connections, wait this long
1711 after the previous request completes.
1712DOC_END
1713
1714
1715NAME: client_lifetime
1716COMMENT: time-units
1717TYPE: time_t
1718LOC: Config.Timeout.lifetime
1719DEFAULT: 1 day
1720DOC_START
1721 The maximum amount of time that a client (browser) is allowed to
1722 remain connected to the cache process. This protects the Cache
1723 from having a lot of sockets (and hence file descriptors) tied up
1724 in a CLOSE_WAIT state from remote clients that go away without
1725 properly shutting down (either because of a network failure or
1726 because of a poor client implementation). The default is one
1727 day, 1440 minutes.
1728
1729 NOTE: The default value is intended to be much larger than any
1730 client would ever need to be connected to your cache. You
1731 should probably change client_lifetime only as a last resort.
1732 If you seem to have many client connections tying up
1733 filedescriptors, we recommend first tuning the read_timeout,
1734 request_timeout, pconn_timeout and quick_abort values.
1735DOC_END
1736
1737NAME: half_closed_clients
1738TYPE: onoff
1739LOC: Config.onoff.half_closed_clients
1740DEFAULT: on
1741DOC_START
1742 Some clients may shutdown the sending side of their TCP
1743 connections, while leaving their receiving sides open. Sometimes,
1744 Squid can not tell the difference between a half-closed and a
1745 fully-closed TCP connection. By default, half-closed client
1746 connections are kept open until a read(2) or write(2) on the
1747 socket returns an error. Change this option to 'off' and Squid
1748 will immediately close client connections when read(2) returns
1749 "no more data to read."
1750DOC_END
1751
1752NAME: pconn_timeout
1753TYPE: time_t
1754LOC: Config.Timeout.pconn
1755DEFAULT: 120 seconds
1756DOC_START
1757 Timeout for idle persistent connections to servers and other
1758 proxies.
1759DOC_END
1760
1761NAME: ident_timeout
1762TYPE: time_t
1763IFDEF: USE_IDENT
1764LOC: Config.Timeout.ident
1765DEFAULT: 10 seconds
1766DOC_START
1767 Maximum time to wait for IDENT requests. If this is too high,
1768 and you enabled 'ident_lookup', then you might be susceptible
1769 to denial-of-service by having many ident requests going at
1770 once.
1771
1772 Only src type ACL checks are fully supported. A src_domain
1773 ACL might work at times, but it will not always provide
1774 the correct result.
1775
1776 This option may be disabled by using --disable-ident with
1777 the configure script.
1778DOC_END
1779
1780
1781NAME: shutdown_lifetime
1782COMMENT: time-units
1783TYPE: time_t
1784LOC: Config.shutdownLifetime
1785DEFAULT: 30 seconds
1786DOC_START
1787 When SIGTERM or SIGHUP is received, the cache is put into
1788 "shutdown pending" mode until all active sockets are closed.
1789 This value is the lifetime to set for all open descriptors
1790 during shutdown mode. Any active clients after this many
1791 seconds will receive a 'timeout' message.
1792DOC_END
1793
1794COMMENT_START
1795 ACCESS CONTROLS
1796 -----------------------------------------------------------------------------
1797COMMENT_END
1798
1799NAME: acl
1800TYPE: acl
1801LOC: Config.aclList
1802DEFAULT: none
1803DOC_START
1804 Defining an Access List
1805
1806 acl aclname acltype string1 ...
1807 acl aclname acltype "file" ...
1808
1809 when using "file", the file should contain one item per line
1810
1811 acltype is one of src dst srcdomain dstdomain url_pattern
1812 urlpath_pattern time port proto method browser user
1813
1814 By default, regular expressions are CASE-SENSITIVE. To make
1815 them case-insensitive, use the -i option.
1816
1817 acl aclname src ip-address/netmask ... (clients IP address)
1818 acl aclname src addr1-addr2/netmask ... (range of addresses)
1819 acl aclname dst ip-address/netmask ... (URL host's IP address)
1820 acl aclname myip ip-address/netmask ... (local socket IP address)
1821
1822 acl aclname srcdomain .foo.com ... # reverse lookup, client IP
1823 acl aclname dstdomain .foo.com ... # Destination server from URL
1824 acl aclname srcdom_regex [-i] xxx ... # regex matching client name
1825 acl aclname dstdom_regex [-i] xxx ... # regex matching server
1826 # For dstdomain and dstdom_regex a reverse lookup is tried if an IP
1827 # based URL is used. The name "none" is used if the reverse lookup
1828 # fails.
1829
1830 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
1831 day-abbrevs:
1832 S - Sunday
1833 M - Monday
1834 T - Tuesday
1835 W - Wednesday
1836 H - Thursday
1837 F - Friday
1838 A - Saturday
1839 h1:m1 must be less than h2:m2
1840 acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
1841 acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
1842 acl aclname port 80 70 21 ...
1843 acl aclname port 0-1024 ... # ranges allowed
1844 acl aclname myport 3128 ... # (local socket TCP port)
1845 acl aclname proto HTTP FTP ...
1846 acl aclname method GET POST ...
1847 acl aclname browser [-i] regexp
1848 # pattern match on User-Agent header
1849 acl aclname ident username ...
1850 acl aclname ident_regex [-i] pattern ...
1851 # string match on ident output.
1852 # use REQUIRED to accept any non-null ident.
1853 acl aclname src_as number ...
1854 acl aclname dst_as number ...
1855 # Except for access control, AS numbers can be used for
1856 # routing of requests to specific caches. Here's an
1857 # example for routing all requests for AS#1241 and only
1858 # those to mycache.mydomain.net:
1859 # acl asexample dst_as 1241
1860 # cache_peer_access mycache.mydomain.net allow asexample
1861 # cache_peer_access mycache.mydomain.net deny all
1862
1863 acl aclname proxy_auth username ...
1864 acl aclname proxy_auth_regex [-i] pattern ...
1865 # list of valid usernames
1866 # use REQUIRED to accept any valid username.
1867 #
1868 # NOTE: when a Proxy-Authentication header is sent but it is not
1869 # needed during ACL checking the username is NOT logged
1870 # in access.log.
1871 #
1872 # NOTE: proxy_auth requires an EXTERNAL authentication program
1873 # to check username/password combinations (see
1874 # authenticate_program).
1875 #
1876 # WARNING: proxy_auth can't be used in a transparent proxy. It
1877 # collides with any authentication done by origin servers. It may
1878 # seem like it works at first, but it doesn't.
1879
1880 acl aclname snmp_community string ...
1881 # A community string to limit access to your SNMP Agent
1882 # Example:
1883 #
1884 # acl snmppublic snmp_community public
1885
1886 acl aclname maxconn number
1887 # This will be matched when the client's IP address has
1888 # more than <number> HTTP connections established.
1889
1890 acl aclname max_user_ip
1891 # This will be matched when the user attempts to log in from more
1892 # than <number> different IP addresses. The authenticate_ip_ttl
1893 # parameter controls the timeout on the IP entries.
1894 # NOTE: in acceleration mode, clients may appear to come from
1895 # multiple addresses if they are going through proxy farms,
1896 # so a limit of 1 may cause user problems.
1897
1898
1899 acl aclname req_mime_type mime-type1 ...
1900 # regex match against the mime type of the request generated
1901 # by the client. Can be used to detect file upload or some
1902 # types of HTTP tunneling requests.
1903 # NOTE: This does NOT match the reply. You cannot use this
1904 # to match the returned file type.
1905
1906 acl aclname rep_mime_type mime-type1 ...
1907 # regex match against the mime type of the reply received by
1908 # squid. Can be used to detect file download or some
1909 # types of HTTP tunneling requests.
1910 # NOTE: This has no effect in http_access rules. It only has
1911 # effect in rules that affect the reply data stream such as
1912 # http_reply_access.
1913
1914
1915Examples:
1916acl myexample dst_as 1241
1917acl password proxy_auth REQUIRED
1918acl fileupload req_mime_type -i ^multipart/form-data$
1919acl javascript rep_mime_type -i ^application/x-javascript$
1920
1921NOCOMMENT_START
1922#Recommended minimum configuration:
1923acl all src 0.0.0.0/0.0.0.0
1924acl manager proto cache_object
1925acl localhost src 127.0.0.1/255.255.255.255
1926acl SSL_ports port 443 563
1927acl Safe_ports port 80 # http
1928acl Safe_ports port 21 # ftp
1929acl Safe_ports port 443 563 # https, snews
1930acl Safe_ports port 70 # gopher
1931acl Safe_ports port 210 # wais
1932acl Safe_ports port 1025-65535 # unregistered ports
1933acl Safe_ports port 280 # http-mgmt
1934acl Safe_ports port 488 # gss-http
1935acl Safe_ports port 591 # filemaker
1936acl Safe_ports port 777 # multiling http
1937acl CONNECT method CONNECT
1938NOCOMMENT_END
1939DOC_END
1940
1941NAME: http_access
1942TYPE: acl_access
1943LOC: Config.accessList.http
1944DEFAULT: none
1945DEFAULT_IF_NONE: deny all
1946DOC_START
1947 Allowing or Denying access based on defined access lists
1948
1949 Access to the HTTP port:
1950 http_access allow|deny [!]aclname ...
1951
1952 NOTE on default values:
1953
1954 If there are no "access" lines present, the default is to deny
1955 the request.
1956
1957 If none of the "access" lines cause a match, the default is the
1958 opposite of the last line in the list. If the last line was
1959 deny, then the default is allow. Conversely, if the last line
1960 is allow, the default will be deny. For these reasons, it is a
1961 good idea to have a "deny all" or "allow all" entry at the end
1962 of your access lists to avoid potential confusion.
1963
1964NOCOMMENT_START
1965#Recommended minimum configuration:
1966#
1967# Only allow cachemgr access from localhost
1968http_access allow manager localhost
1969http_access deny manager
1970# Deny requests to unknown ports
1971http_access deny !Safe_ports
1972# Deny CONNECT to other than SSL ports
1973http_access deny CONNECT !SSL_ports
1974#
1975# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
1976#
1977# And finally deny all other access to this proxy
1978http_access deny all
1979NOCOMMENT_END
1980DOC_END
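
The fall-through rule described in the http_access entry above, as an added example (not Squid code): a small Python model of first-match evaluation that covers only the src, port, method and proto ACL types, run over the recommended minimum configuration. The our_net ACL, the function names and the sample requests are constructed for illustration.

```python
import ipaddress

# acl lines and leading http_access lines of the "Recommended minimum
# configuration" above, WITHOUT the closing "http_access deny all".
RECOMMENDED = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""

# Constructed site rule standing in for "INSERT YOUR OWN RULE(S) HERE",
# followed by the closing line the recommended configuration ends with.
SITE_RULES = """
acl our_net src 10.1.0.0/255.255.0.0
http_access allow our_net
http_access deny all
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _value_matches(kind, value, req):
    """Match one ACL value against a request (subset of ACL types)."""
    if kind == "src":
        net, _, mask = value.partition("/")
        bits = _ip(mask) if mask else 0xFFFFFFFF
        return (_ip(req["src"]) & bits) == (_ip(net) & bits)
    if kind == "port":
        lo, _, hi = value.partition("-")
        return int(lo) <= req["port"] <= int(hi or lo)
    if kind == "method":
        return req["method"] == value
    if kind == "proto":
        return req["proto"].lower() == value.lower()
    raise ValueError("ACL type not modelled: " + kind)


def parse(conf):
    """Collect acl definitions (repeated names accumulate) and rules."""
    acls, rules = {}, []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """Values of one ACL are ORed; a leading '!' negates the result."""
    kind, values = acls[name.lstrip("!")]
    hit = any(_value_matches(kind, v, req) for v in values)
    return hit != name.startswith("!")


def evaluate(conf, req):
    """Return (action, reason) for one request."""
    acls, rules = parse(conf)
    if not rules:
        return "deny", "no http_access lines"
    for action, names in rules:
        # ACL names on one line are ANDed; the first matching line wins.
        if all(acl_matches(acls, n, req) for n in names):
            return action, "http_access %s %s" % (action, " ".join(names))
    # No line matched: the default is the opposite of the last line.
    fallback = "allow" if rules[-1][0] == "deny" else "deny"
    return fallback, "implicit default"


if __name__ == "__main__":
    outsider = {"src": "203.0.113.9", "port": 80,
                "method": "GET", "proto": "http"}
    print(evaluate(RECOMMENDED + SITE_RULES, outsider))
    print(evaluate(RECOMMENDED, outsider))
```

With only the deny lines present, the outside client falls through to the implicit default and is allowed, because the last line is a deny.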
1981
1982NAME: http_reply_access
1983TYPE: acl_access
1984LOC: Config.accessList.reply
1985DEFAULT: none
1986DEFAULT_IF_NONE: allow all
1987DOC_START
1988 Allow replies to client requests. This is complementary to http_access.
1989
1990 http_reply_access allow|deny [!] aclname ...
1991
1992 NOTE: if there are no access lines present, the default is to allow
1993 all replies
1994
1995 If none of the access lines cause a match, then the opposite of the
1996 last line will apply. Thus it is good practice to end the rules
1997 with an "allow all" or "deny all" entry.
1998
1999NOCOMMENT_START
2000#Recommended minimum configuration:
2001#
2002# Insert your own rules here.
2003#
2004#
2005# and finally allow by default
2006http_reply_access allow all
2007NOCOMMENT_END
2008DOC_END
2009
2010
2011NAME: icp_access
2012TYPE: acl_access
2013LOC: Config.accessList.icp
2014DEFAULT: none
2015DEFAULT_IF_NONE: deny all
2016DOC_START
2017 Allowing or Denying access to the ICP port based on defined
2018 access lists
2019
2020 icp_access allow|deny [!]aclname ...
2021
2022 See http_access for details
2023
2024NOCOMMENT_START
2025 #Allow ICP queries from everyone
2026icp_access allow all
2027NOCOMMENT_END
2028DOC_END
2029
2030
2031NAME: miss_access
2032TYPE: acl_access
2033LOC: Config.accessList.miss
2034DEFAULT: none
2035DOC_START
2036 Use to force your neighbors to use you as a sibling instead of
2037 a parent. For example:
2038
2039 acl localclients src 172.16.0.0/16
2040 miss_access allow localclients
2041 miss_access deny !localclients
2042
2043 This means that only your local clients are allowed to fetch
2044 MISSES and all other clients can only fetch HITS.
2045
2046 By default, allow all clients who passed the http_access rules
2047 to fetch MISSES from us.
2048
2049NOCOMMENT_START
2050#Default setting:
2051# miss_access allow all
2052NOCOMMENT_END
2053DOC_END
2054
2055
2056NAME: cache_peer_access
2057TYPE: peer_access
2058DEFAULT: none
2059LOC: none
2060DOC_START
2061 Similar to 'cache_peer_domain' but provides more flexibility by
2062 using ACL elements.
2063
2064 cache_peer_access cache-host allow|deny [!]aclname ...
2065
2066 The syntax is identical to 'http_access' and the other lists of
2067 ACL elements. See the comments for 'http_access' above, or
2068 the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
2069DOC_END
2070
2071NAME: ident_lookup_access
2072TYPE: acl_access
2073IFDEF: USE_IDENT
2074DEFAULT: none
2075DEFAULT_IF_NONE: deny all
2076LOC: Config.accessList.identLookup
2077DOC_START
2078 A list of ACL elements which, if matched, cause an ident
2079 (RFC 931) lookup to be performed for this request. For
2080 example, you might choose to always perform ident lookups
2081 for your main multi-user Unix boxes, but not for your Macs
2082 and PCs. By default, ident lookups are not performed for
2083 any requests.
2084
2085 To enable ident lookups for specific client addresses, you
2086 can follow this example:
2087
2088 acl ident_aware_hosts src 198.168.1.0/255.255.255.0
2089 ident_lookup_access allow ident_aware_hosts
2090 ident_lookup_access deny all
2091
2092 This option may be disabled by using --disable-ident with
2093 the configure script.
2094DOC_END
2095
2096
2097NAME: reply_body_max_size
2098COMMENT: bytes allow|deny acl acl...
2099TYPE: body_size_t
2100DEFAULT: none
2101DEFAULT_IF_NONE: 0 allow all
2102LOC: Config.ReplyBodySize
2103DOC_START
2104 This option specifies the maximum size of a reply body. It
2105 can be used to prevent users from downloading very large files,
2106 such as MP3's and movies. When the reply headers are received,
2107 the reply_body_max_size lines are processed, and the first line with
2108 a result of "allow" is used as the maximum body size for this reply.
2109 This size is then checked twice. First when we get the reply headers,
2110 we check the content-length value. If the content length value exists
2111 and is larger than the allowed size, the request is denied and the
2112 user receives an error message that says "the request or reply
2113 is too large." If there is no content-length, and the reply
2114 size exceeds this limit, the client's connection is just closed
2115 and they will receive a partial reply.
2116
2117 WARNING: downstream caches probably can not detect a partial reply
2118 if there is no content-length header, so they will cache
2119 partial responses and give them out as hits. You should NOT
2120 use this option if you have downstream caches.
2121
2122 WARNING: A maximum size larger than the size of squid's error messages
2123 will cause an infinite loop and crash squid. Ensure that the smallest
2124 non-zero value you use is greater than the maximum header size plus
2125 the size of your largest error page.
2126
2127 If you set this parameter to zero (the default), there will be
2128 no limit imposed.
2129DOC_END
2130
2131COMMENT_START
2132 ADMINISTRATIVE PARAMETERS
2133 -----------------------------------------------------------------------------
2134COMMENT_END
2135
2136NAME: cache_mgr
2137TYPE: string
2138DEFAULT: webmaster
2139LOC: Config.adminEmail
2140DOC_START
2141 Email-address of local cache manager who will receive
2142 mail if the cache dies. The default is "webmaster."
2143DOC_END
2144
2145
2146NAME: cache_effective_user
2147TYPE: string
2148DEFAULT: nobody
2149LOC: Config.effectiveUser
2150DOC_NONE
2151
2152NAME: cache_effective_group
2153TYPE: string
2154DEFAULT: none
2155LOC: Config.effectiveGroup
2156DOC_START
2157
2158 If the cache is run as root, it will change its effective/real
2159 UID/GID to the UID/GID specified below. The default is to
2160 change the UID to nobody and GID to the default group of nobody.
2161
2162 If Squid is not started as root, the default is to keep the
2163 current UID/GID, and only the GID can be changed to any of
2164 the groups the user starting Squid is a member of. Note that if
2165 Squid is not started as root then you cannot set http_port to
2166 a value lower than 1024.
2167DOC_END
2168
2169
2170NAME: visible_hostname
2171TYPE: string
2172LOC: Config.visibleHostname
2173DEFAULT: none
2174DOC_START
2175 If you want to present a special hostname in error messages, etc,
2176 then define this. Otherwise, the return value of gethostname()
2177 will be used. If you have multiple caches in a cluster and
2178 get errors about IP-forwarding you must set them to have individual
2179 names with this setting.
2180DOC_END
2181
2182
2183NAME: unique_hostname
2184TYPE: string
2185LOC: Config.uniqueHostname
2186DEFAULT: none
2187DOC_START
2188 If you want to have multiple machines with the same
2189 'visible_hostname' then you must give each machine a different
2190 'unique_hostname' so that forwarding loops can be detected.
2191DOC_END
2192
2193
2194NAME: hostname_aliases
2195TYPE: wordlist
2196LOC: Config.hostnameAliases
2197DEFAULT: none
2198DOC_START
2199 A list of other DNS names that your cache has.
2200DOC_END
2201
2202COMMENT_START
2203 OPTIONS FOR THE CACHE REGISTRATION SERVICE
2204 -----------------------------------------------------------------------------
2205
2206 This section contains parameters for the (optional) cache
2207 announcement service. This service is provided to help
2208 cache administrators locate one another in order to join or
2209 create cache hierarchies.
2210
2211 An 'announcement' message is sent (via UDP) to the registration
2212 service by Squid. By default, the announcement message is NOT
2213 SENT unless you enable it with 'announce_period' below.
2214
2215 The announcement message includes your hostname, plus the
2216 following information from this configuration file:
2217
2218 http_port
2219 icp_port
2220 cache_mgr
2221
2222 All current information is processed regularly and made
2223 available on the Web at http://www.ircache.net/Cache/Tracker/.
2224COMMENT_END
2225
2226NAME: announce_period
2227TYPE: time_t
2228LOC: Config.Announce.period
2229DEFAULT: 0
2230DOC_START
2231 This is how frequently to send cache announcements. The
2232 default is `0' which disables sending the announcement
2233 messages.
2234
2235 To enable announcing your cache, just uncomment the line
2236 below.
2237
2238NOCOMMENT_START
2239#To enable announcing your cache, just uncomment the line below.
2240#announce_period 1 day
2241NOCOMMENT_END
2242DOC_END
2243
2244
2245NAME: announce_host
2246TYPE: string
2247DEFAULT: tracker.ircache.net
2248LOC: Config.Announce.host
2249DOC_NONE
2250
2251NAME: announce_file
2252TYPE: string
2253DEFAULT: none
2254LOC: Config.Announce.file
2255DOC_NONE
2256
2257NAME: announce_port
2258TYPE: ushort
2259DEFAULT: 3131
2260LOC: Config.Announce.port
2261DOC_START
2262 announce_host and announce_port set the hostname and port
2263 number where the registration message will be sent.
2264
2265 Hostname will default to 'tracker.ircache.net' and port will
2266 default to 3131. If the 'filename' argument is given,
2267 the contents of that file will be included in the announce
2268 message.
2269DOC_END
2270
2271COMMENT_START
2272 HTTPD-ACCELERATOR OPTIONS
2273 -----------------------------------------------------------------------------
2274COMMENT_END
2275
2276NAME: httpd_accel_host
2277TYPE: string
2278LOC: Config.Accel.host
2279DEFAULT: none
2280DOC_NONE
2281
2282NAME: httpd_accel_port
2283TYPE: ushort
2284LOC: Config.Accel.port
2285DEFAULT: 80
2286DOC_START
2287 If you want to run Squid as an httpd accelerator, define the
2288 host name and port number where the real HTTP server is.
2289
2290 If you want virtual host support then specify the hostname
2291 as "virtual".
2292
2293 If you want virtual port support then specify the port as "0".
2294
2295 NOTE: enabling httpd_accel_host disables proxy-caching and
2296 ICP. If you want these features enabled also, then set
2297 the 'httpd_accel_with_proxy' option.
2298DOC_END
2299
2300NAME: httpd_accel_single_host
2301COMMENT: on|off
2302TYPE: onoff
2303LOC: Config.Accel.single_host
2304DEFAULT: off
2305DOC_START
2306 If you are running Squid as an accelerator and have a single backend
2307 server then set this to on. This causes Squid to forward the request
2308 to this server regardless of what any redirectors or Host headers
2309 say.
2310
2311 Leave this at off if you have multiple backend servers, and use a
2312 redirector (or host table or private DNS) to map the requests to the
2313 appropriate backend servers. Note that the mapping needs to be a
2314 1-1 mapping between requested and backend (from redirector) domain
2315 names or caching will fail, as caching is performed using the
2316 URL returned from the redirector.
2317
2318 See also redirect_rewrites_host_header.
2319DOC_END
2320
2321NAME: httpd_accel_with_proxy
2322COMMENT: on|off
2323TYPE: onoff
2324DEFAULT: off
2325LOC: Config.onoff.accel_with_proxy
2326DOC_START
2327 If you want to use Squid as both a local httpd accelerator
2328 and as a proxy, change this to 'on'. Note however that your
2329 proxy users may have trouble reaching the accelerated domains
2330 unless their browsers are configured not to use this proxy for
2331 those domains (for example via the no_proxy browser configuration
2332 setting).
2333DOC_END
2334
2335NAME: httpd_accel_uses_host_header
2336COMMENT: on|off
2337TYPE: onoff
2338DEFAULT: off
2339LOC: opt_accel_uses_host
2340DOC_START
2341 HTTP/1.1 requests include a Host: header which is basically the
2342 hostname from the URL. Squid can be an accelerator for
2343 different HTTP servers by looking at this header. However,
2344 Squid does NOT check the value of the Host header, so it opens
2345 a big security hole. We recommend that this option remain
2346 disabled unless you are sure of what you are doing.
2347
2348 However, you will need to enable this option if you run Squid
2349 as a transparent proxy. Otherwise, virtual servers which
2350 require the Host: header will not be properly cached.
2351DOC_END
2352
2353COMMENT_START
2354 MISCELLANEOUS
2355 -----------------------------------------------------------------------------
2356COMMENT_END
2357
2358NAME: dns_testnames
2359TYPE: wordlist
2360LOC: Config.dns_testname_list
2361DEFAULT: none
2362DEFAULT_IF_NONE: netscape.com internic.net nlanr.net microsoft.com
2363DOC_START
2364 The DNS tests exit as soon as the first site is successfully looked up.
2365
2366 This test can be disabled with the -D command line option.
2367DOC_END
2368
2369
2370NAME: logfile_rotate
2371TYPE: int
2372DEFAULT: 10
2373LOC: Config.Log.rotateNumber
2374DOC_START
2375 Specifies the number of logfile rotations to make when you
2376 type 'squid -k rotate'. The default is 10, which will rotate
2377 with extensions 0 through 9. Setting logfile_rotate to 0 will
2378 disable the rotation, but the logfiles are still closed and
2379 re-opened. This will enable you to rename the logfiles
2380 yourself just before sending the rotate signal.
2381
2382 Note, the 'squid -k rotate' command normally sends a USR1
2383 signal to the running squid process. In certain situations
2384 (e.g. on Linux with Async I/O), USR1 is used for other
2385 purposes, so -k rotate uses another signal. It is best to get
2386 in the habit of using 'squid -k rotate' instead of 'kill -USR1
2387 <pid>'.
2388DOC_END
2389
2390
2391NAME: append_domain
2392TYPE: string
2393LOC: Config.appendDomain
2394DEFAULT: none
2395DOC_START
2396 Appends local domain name to hostnames without any dots in
2397 them. append_domain must begin with a period.
2398
2399Example:
2400 append_domain .yourdomain.com
2401DOC_END
2402
2403
2404NAME: tcp_recv_bufsize
2405COMMENT: (bytes)
2406TYPE: b_size_t
2407DEFAULT: 0 bytes
2408LOC: Config.tcpRcvBufsz
2409DOC_START
2410 Size of receive buffer to set for TCP sockets. Probably just
2411 as easy to change your kernel's default. Set to zero to use
2412 the default buffer size.
2413DOC_END
2414
2415NAME: err_html_text
2416TYPE: eol
2417LOC: Config.errHtmlText
2418DEFAULT: none
2419DOC_START
2420 HTML text to include in error messages. Make this a "mailto"
2421 URL to your admin address, or maybe just a link to your
2422 organization's Web page.
2423
2424 To include this in your error messages, you must rewrite
2425 the error template files (found in the "errors" directory).
2426 Wherever you want the 'err_html_text' line to appear,
2427 insert a %L tag in the error template file.
2428DOC_END
2429
2430
2431NAME: deny_info
2432TYPE: denyinfo
2433LOC: Config.denyInfoList
2434DEFAULT: none
2435DOC_START
2436 Usage: deny_info err_page_name acl
2437 Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
2438
2439 This can be used to return an ERR_ page for requests which
2440 do not pass the 'http_access' rules. A single ACL will cause
2441 the http_access check to fail. If a 'deny_info' line exists
2442 for that ACL then Squid returns a corresponding error page.
2443
2444 You may use ERR_ pages that come with Squid or create your own pages
2445 and put them into the configured errors/ directory.
2446DOC_END
2447
2448NAME: memory_pools
2449COMMENT: on|off
2450TYPE: onoff
2451DEFAULT: on
2452LOC: Config.onoff.mem_pools
2453DOC_START
2454 If set, Squid will keep pools of allocated (but unused) memory
2455 available for future use. If memory is a premium on your
2456 system and you believe your malloc library outperforms Squid
2457 routines, disable this.
2458DOC_END
2459
2460NAME: memory_pools_limit
2461COMMENT: (bytes)
2462TYPE: b_size_t
2463DEFAULT: none
2464LOC: Config.MemPools.limit
2465DOC_START
2466 Used only with memory_pools on:
2467 memory_pools_limit 50 MB
2468
2469 If set to a non-zero value, Squid will keep at most the specified
2470 limit of allocated (but unused) memory in memory pools. All free()
2471 requests that exceed this limit will be handled by your malloc
2472 library. Squid does not pre-allocate any memory, just safe-keeps
2473 objects that otherwise would be free()d. Thus, it is safe to set
2474 memory_pools_limit to a reasonably high value even if your
2475 configuration will use less memory.
2476
2477 If not set (default) or set to zero, Squid will keep all memory it
2478 can. That is, there will be no limit on the total amount of memory
2479 used for safe-keeping.
2480
2481 To disable memory allocation optimization, do not set
2482 memory_pools_limit to 0. Set memory_pools to "off" instead.
2483
2484 An overhead for maintaining memory pools is not taken into account
2485 when the limit is checked. This overhead is close to four bytes per
2486 object kept. However, pools may actually _save_ memory because of
2487 reduced memory thrashing in your malloc library.
2488DOC_END
2489
2490NAME: forwarded_for
2491COMMENT: on|off
2492TYPE: onoff
2493DEFAULT: on
2494LOC: opt_forwarded_for
2495DOC_START
2496 If set, Squid will include your system's IP address or name
2497 in the HTTP requests it forwards. By default it looks like
2498 this:
2499
2500 X-Forwarded-For: 192.1.2.3
2501
2502 If you disable this, it will appear as
2503
2504 X-Forwarded-For: unknown
2505DOC_END
2506
2507NAME: log_icp_queries
2508COMMENT: on|off
2509TYPE: onoff
2510DEFAULT: on
2511LOC: Config.onoff.log_udp
2512DOC_START
2513 If set, ICP queries are logged to access.log. You may wish
2514 to disable this if your ICP load is VERY high to speed things
2515 up or to simplify log analysis.
2516DOC_END
2517
2518NAME: icp_hit_stale
2519COMMENT: on|off
2520TYPE: onoff
2521DEFAULT: off
2522LOC: Config.onoff.icp_hit_stale
2523DOC_START
2524 If you want to return ICP_HIT for stale cache objects, set this
2525 option to 'on'. If you have sibling relationships with caches
2526 in other administrative domains, this should be 'off'. If you only
2527 have sibling relationships with caches under your control, then
2528 it is probably okay to set this to 'on'.
2529DOC_END
2530
2531
2532NAME: minimum_direct_hops
2533TYPE: int
2534DEFAULT: 4
2535LOC: Config.minDirectHops
2536DOC_START
2537 If using the ICMP pinging stuff, do direct fetches for sites
2538 which are no more than this many hops away.
2539DOC_END
2540
2541NAME: minimum_direct_rtt
2542TYPE: int
2543DEFAULT: 400
2544LOC: Config.minDirectRtt
2545DOC_START
2546 If using the ICMP pinging stuff, do direct fetches for sites
2547 which are no more than this many rtt milliseconds away.
2548DOC_END
2549
2550NAME: cachemgr_passwd
2551TYPE: cachemgrpasswd
2552DEFAULT: none
2553LOC: Config.passwd_list
2554DOC_START
2555 Specify passwords for cachemgr operations.
2556
2557 Usage: cachemgr_passwd password action action ...
2558
2559 Some valid actions are (see cache manager menu for a full list):
2560 5min
2561 60min
2562 asndb
2563 authenticator
2564 cbdata
2565 client_list
2566 comm_incoming
2567 config *
2568 counters
2569 delay
2570 digest_stats
2571 dns
2572 events
2573 filedescriptors
2574 fqdncache
2575 histograms
2576 http_headers
2577 info
2578 io
2579 ipcache
2580 mem
2581 menu
2582 netdb
2583 non_peers
2584 objects
2585 pconn
2586 peer_select
2587 redirector
2588 refresh
2589 server_list
2590 shutdown *
2591 store_digest
2592 storedir
2593 utilization
2594 via_headers
2595 vm_objects
2596
2597 * Indicates actions which will not be performed without a
2598 valid password, others can be performed if not listed here.
2599
2600 To disable an action, set the password to "disable".
2601 To allow performing an action without a password, set the
2602 password to "none".
2603
2604 Use the keyword "all" to set the same password for all actions.
2605
2606Example:
2607 cachemgr_passwd secret shutdown
2608 cachemgr_passwd lesssssssecret info stats/objects
2609 cachemgr_passwd disable all
2610DOC_END
2611
2612NAME: store_avg_object_size
2613COMMENT: (kbytes)
2614TYPE: kb_size_t
2615DEFAULT: 13 KB
2616LOC: Config.Store.avgObjectSize
2617DOC_START
2618 Average object size, used to estimate number of objects your
2619 cache can hold. See doc/Release-Notes-1.1.txt. The default is
2620 13 KB.
2621DOC_END
2622
2623NAME: store_objects_per_bucket
2624TYPE: int
2625DEFAULT: 20
2626LOC: Config.Store.objectsPerBucket
2627DOC_START
2628 Target number of objects per bucket in the store hash table.
2629 Lowering this value increases the total number of buckets and
2630 also the storage maintenance rate. The default is 50.
2631DOC_END
2632
2633NAME: client_db
2634COMMENT: on|off
2635TYPE: onoff
2636DEFAULT: on
2637LOC: Config.onoff.client_db
2638DOC_START
2639 If you want to disable collecting per-client statistics, then
2640 turn off client_db here.
2641DOC_END
2642
2643
2644NAME: netdb_low
2645TYPE: int
2646DEFAULT: 900
2647LOC: Config.Netdb.low
2648DOC_NONE
2649
2650NAME: netdb_high
2651TYPE: int
2652DEFAULT: 1000
2653LOC: Config.Netdb.high
2654DOC_START
2655 The low and high water marks for the ICMP measurement
2656 database. These are counts, not percents. The defaults are
2657 900 and 1000. When the high water mark is reached, database
2658 entries will be deleted until the low mark is reached.
2659DOC_END
2660
2661
2662NAME: netdb_ping_period
2663TYPE: time_t
2664LOC: Config.Netdb.period
2665DEFAULT: 5 minutes
2666DOC_START
2667 The minimum period for measuring a site. There will be at
2668 least this much delay between successive pings to the same
2669 network. The default is five minutes.
2670DOC_END
2671
2672
2673NAME: query_icmp
2674COMMENT: on|off
2675TYPE: onoff
2676DEFAULT: off
2677LOC: Config.onoff.query_icmp
2678DOC_START
2679 If you want to ask your peers to include ICMP data in their ICP
2680 replies, enable this option.
2681
2682 If your peer has configured Squid (during compilation) with
2683 '--enable-icmp' then that peer will send ICMP pings to origin server
2684 sites of the URLs it receives. If you enable this option then the
2685 ICP replies from that peer will include the ICMP data (if available).
2686 Then, when choosing a parent cache, Squid will choose the parent with
2687 the minimal RTT to the origin server. When this happens, the
2688 hierarchy field of the access.log will be
2689 "CLOSEST_PARENT_MISS". This option is off by default.
2690DOC_END
2691
2692NAME: test_reachability
2693COMMENT: on|off
2694TYPE: onoff
2695DEFAULT: off
2696LOC: Config.onoff.test_reachability
2697DOC_START
2698 When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
2699 instead of ICP_MISS if the target host is NOT in the ICMP
2700 database, or has a zero RTT.
2701DOC_END
2702
2703NAME: buffered_logs
2704COMMENT: on|off
2705TYPE: onoff
2706DEFAULT: off
2707LOC: Config.onoff.buffered_logs
2708DOC_START
2709 Some log files (cache.log, useragent.log) are written with
2710 stdio functions, and as such they can be buffered or
2711 unbuffered. By default they will be unbuffered. Buffering them
2712 can speed up the writing slightly (though you are unlikely to
2713 need to worry).
2714DOC_END
2715
2716NAME: reload_into_ims
2717IFDEF: HTTP_VIOLATIONS
2718COMMENT: on|off
2719TYPE: onoff
2720DEFAULT: off
2721LOC: Config.onoff.reload_into_ims
2722DOC_START
2723 When you enable this option, client no-cache or ``reload''
2724 requests will be changed to If-Modified-Since requests.
2725 Doing this VIOLATES the HTTP standard. Enabling this
2726 feature could make you liable for problems which it
2727 causes.
2728
2729 See also refresh_pattern for a more selective approach.
2730
2731 This option may be disabled by using --disable-http-violations
2732 with the configure script.
2733DOC_END
2734
2735NAME: always_direct
2736TYPE: acl_access
2737LOC: Config.accessList.AlwaysDirect
2738DEFAULT: none
2739DOC_START
2740 Usage: always_direct allow|deny [!]aclname ...
2741
2742 Here you can use ACL elements to specify requests which should
2743 ALWAYS be forwarded directly to origin servers. For example,
2744 to always directly forward requests for local servers use
2745 something like:
2746
2747 acl local-servers dstdomain my.domain.net
2748 always_direct allow local-servers
2749
2750 To always forward FTP requests directly, use
2751
2752 acl FTP proto FTP
2753 always_direct allow FTP
2754
2755 NOTE: There is a similar, but opposite option named
2756 'never_direct'. You need to be aware that "always_direct deny
2757 foo" is NOT the same thing as "never_direct allow foo". You
2758 may need to use a deny rule to exclude a more-specific case of
2759 some other rule. Example:
2760
2761 acl local-external dstdomain external.foo.net
2762 acl local-servers dstdomain foo.net
2763 always_direct deny local-external
2764 always_direct allow local-servers
2765
2766 This option replaces some v1.1 options such as local_domain
2767 and local_ip.
2768DOC_END
2769
2770NAME: never_direct
2771TYPE: acl_access
2772LOC: Config.accessList.NeverDirect
2773DEFAULT: none
2774DOC_START
2775 Usage: never_direct allow|deny [!]aclname ...
2776
2777 never_direct is the opposite of always_direct. Please read
2778 the description for always_direct if you have not already.
2779
2780 With 'never_direct' you can use ACL elements to specify
2781 requests which should NEVER be forwarded directly to origin
2782 servers. For example, to force the use of a proxy for all
2783 requests, except those in your local domain use something like:
2784
2785 acl local-servers dstdomain foo.net
2786 acl all src 0.0.0.0/0.0.0.0
2787 never_direct deny local-servers
2788 never_direct allow all
2789
2790 or if squid is inside a firewall and there are local intranet
2791 servers inside the firewall then use something like:
2792
2793 acl local-intranet dstdomain foo.net
2794 acl local-external dstdomain external.foo.net
2795 always_direct deny local-external
2796 always_direct allow local-intranet
2797 never_direct allow all
2798
2799 This option replaces some v1.1 options such as inside_firewall
2800 and firewall_ip.
2801DOC_END
2802
2803NAME: header_access
2804TYPE: http_header_access[]
2805LOC: Config.header_access
2806DEFAULT: none
2807DOC_START
2808 Usage: header_access header_name allow|deny [!]aclname ...
2809
2810 This option replaces the old 'anonymize_headers' and the
2811 older 'http_anonymizer' option with something that is much
2812 more configurable. This new method creates a list of ACLs
2813 for each header, allowing you very fine-tuned header
2814 mangling.
2815
2816 You can only specify known headers for the header name.
2817 Other headers are reclassified as 'Other'. You can also
2818 refer to all the headers with 'All'.
2819
2820 For example, to achieve the same behaviour as the old
2821 'http_anonymizer standard' option, you should use:
2822
2823 header_access From deny all
2824 header_access Referer deny all
2825 header_access Server deny all
2826 header_access User-Agent deny all
2827 header_access WWW-Authenticate deny all
2828 header_access Link deny all
2829
2830 Or, to reproduce the old 'http_anonymizer paranoid' feature
2831 you should use:
2832
2833 header_access Allow allow all
2834 header_access Authorization allow all
2835 header_access Cache-Control allow all
2836 header_access Content-Encoding allow all
2837 header_access Content-Length allow all
2838 header_access Content-Type allow all
2839 header_access Date allow all
2840 header_access Expires allow all
2841 header_access Host allow all
2842 header_access If-Modified-Since allow all
2843 header_access Last-Modified allow all
2844 header_access Location allow all
2845 header_access Pragma allow all
2846 header_access Accept allow all
2847 header_access Charset allow all
2848 header_access Accept-Encoding allow all
2849 header_access Accept-Language allow all
2850 header_access Content-Language allow all
2851 header_access Mime-Version allow all
2852 header_access Retry-After allow all
2853 header_access Title allow all
2854 header_access Connection allow all
2855 header_access Proxy-Connection allow all
2856 header_access All deny all
2857
2858 By default, all headers are allowed (no anonymizing is
2859 performed).
2860DOC_END
2861
2862NAME: header_replace
2863TYPE: http_header_replace[]
2864LOC: Config.header_access
2865DEFAULT: none
2866DOC_START
2867 Usage: header_replace header_name message
2868 Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
2869
2870 This option allows you to change the contents of headers
2871 denied with header_access above, by replacing them with
2872 some fixed string. This replaces the old fake_user_agent
2873 option.
2874
2875 By default, headers are removed if denied.
2876DOC_END
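The following Python model is an added example, not part of the Squid sources. It shows how the per-header rule lists built by header_access combine with header_replace, and why 'header_access All deny all' goes last in an allow-list such as the 'paranoid' one. The evaluation order, the KNOWN subset, the function names and the sample request are assumptions made for the illustration.

```python
"""Simplified model of header_access and header_replace evaluation.

Added illustration, not Squid source. Assumptions: the rules for a header
are checked in order and the first rule whose ACLs all match decides; when
no rule matches the header passes; an 'All' line appends its rule to every
header's list; KNOWN is a constructed subset of header names; only the
ACL 'all' is defined.
"""
KNOWN = {"From", "Referer", "Server", "User-Agent", "WWW-Authenticate",
         "Link", "Host", "Accept", "Authorization", "Content-Type"}
ACLS = {"all": lambda request: True}


def classify(name):
    """Unknown header names share the single 'Other' class."""
    return name if name in KNOWN else "Other"


def parse_config(text):
    """Build per-header rule lists and replacement strings from config text."""
    access = {name: [] for name in KNOWN | {"Other"}}
    replace = {}
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "header_access":
            name, action, acl_names = words[1], words[2], words[3:]
            if action not in ("allow", "deny") or not acl_names:
                raise ValueError("bad header_access line: " + raw.strip())
            targets = list(access) if name == "All" else [classify(name)]
            for target in targets:
                access[target].append((action, acl_names))
        elif words[0] == "header_replace":
            replace[classify(words[1])] = raw.split(None, 2)[2].strip()
    return access, replace


def rule_matches(acl_names, request):
    """A rule matches when every listed ACL matches ('!' negates one)."""
    return all(ACLS[n.lstrip("!")](request) != n.startswith("!")
               for n in acl_names)


def mangle(headers, access, replace, request=None):
    """Return the headers that would be forwarded, in their original order."""
    forwarded = []
    for name, value in headers:
        key = classify(name)
        verdict = "allow"                    # nothing matched: header passes
        for action, acl_names in access[key]:
            if rule_matches(acl_names, request):
                verdict = action
                break
        if verdict == "allow":
            forwarded.append((name, value))
        elif key in replace:                 # denied, but a fixed string is set
            forwarded.append((name, replace[key]))
    return forwarded


# Constructed sample request and a shortened form of the 'paranoid' list.
REQUEST = [("Host", "www.example.com"), ("User-Agent", "ExampleBrowser/1.0"),
           ("Referer", "http://intranet.example/wiki"), ("Accept", "*/*"),
           ("X-Internal-Trace", "abc123")]
ALLOWLIST = """
header_access Host allow all
header_access Accept allow all
header_access All deny all
header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
"""
```

Under these assumptions, moving the 'All' line to the top of the list denies every header, because its rule is then the first one each per-header list sees.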
2877
2878NAME: icon_directory
2879TYPE: string
2880LOC: Config.icons.directory
2881DEFAULT: @DEFAULT_ICON_DIR@
2882DOC_START
2883 Where the icons are stored. These are normally kept in
2884 @DEFAULT_ICON_DIR@
2885DOC_END
2886
2887NAME: error_directory
2888TYPE: string
2889LOC: Config.errorDirectory
2890DEFAULT: @DEFAULT_ERROR_DIR@
2891DOC_START
2892 If you wish to create your own versions of the default
2893 (English) error files, either to customize them to suit your
2894 language or company, copy the template English files to another
2895 directory and point this tag at them.
2896DOC_END
2897
2898NAME: minimum_retry_timeout
2899COMMENT: (seconds)
2900TYPE: time_t
2901LOC: Config.retry.timeout
2902DEFAULT: 5 seconds
2903DOC_START
2904 This specifies the minimum connect timeout, for when the
2905 connect timeout is reduced to compensate for the availability
2906 of multiple IP addresses.
2907
2908 When a connection to a host is initiated, and that host has
2909 several IP addresses, the default connection timeout is reduced
2910 by dividing it by the number of addresses. So, a site with 15
2911 addresses would then have a timeout of 8 seconds for each
2912 address attempted. To avoid having the timeout reduced to the
2913 point where even a working host would not have a chance to
2914 respond, this setting is provided. The default, and the
2915 minimum value, is five seconds, and the maximum value is sixty
2916 seconds, or half of connect_timeout, whichever is greater and
2917 less than connect_timeout.
2918DOC_END
2919
2920NAME: maximum_single_addr_tries
2921TYPE: int
2922LOC: Config.retry.maxtries
2923DEFAULT: 3
2924DOC_START
2925 This sets the maximum number of connection attempts for a
2926 host that only has one address (for multiple-address hosts,
2927 each address is tried once).
2928
2929 The default value is three tries, the (not recommended)
2930 maximum is 255 tries. A warning message will be generated
2931 if it is set to a value greater than ten.
2932DOC_END
2933
2934NAME: snmp_port
2935TYPE: ushort
2936LOC: Config.Port.snmp
2937DEFAULT: 3401
2938IFDEF: SQUID_SNMP
2939DOC_START
2940 Squid can now serve statistics and status information via SNMP.
2941 By default it listens to port 3401 on the machine. If you don't
2942 wish to use SNMP, set this to "0".
2943
2944 NOTE: SNMP support requires use of the --enable-snmp configure
2945 command line option.
2946DOC_END
2947
2948NAME: snmp_access
2949TYPE: acl_access
2950LOC: Config.accessList.snmp
2951DEFAULT: none
2952DEFAULT_IF_NONE: deny all
2953IFDEF: SQUID_SNMP
2954DOC_START
2955 Allowing or denying access to the SNMP port.
2956
2957 All access to the agent is denied by default.
2958 usage:
2959
2960 snmp_access allow|deny [!]aclname ...
2961
2962Example:
2963 snmp_access allow snmppublic localhost
2964 snmp_access deny all
2965DOC_END
2966
2967NAME: snmp_incoming_address
2968TYPE: address
2969LOC: Config.Addrs.snmp_incoming
2970DEFAULT: 0.0.0.0
2971IFDEF: SQUID_SNMP
2972DOC_NONE
2973NAME: snmp_outgoing_address
2974TYPE: address
2975LOC: Config.Addrs.snmp_outgoing
2976DEFAULT: 255.255.255.255
2977IFDEF: SQUID_SNMP
2978DOC_START
2979 Just like 'udp_incoming_address' above, but for the SNMP port.
2980
2981 snmp_incoming_address is used for the SNMP socket receiving
2982 messages from SNMP agents.
2983 snmp_outgoing_address is used for SNMP packets returned to SNMP
2984 agents.
2985
2986 The default snmp_incoming_address (0.0.0.0) is to listen on all
2987 available network interfaces.
2988
2989 If snmp_outgoing_address is set to 255.255.255.255 (the default)
2990 then it will use the same socket as snmp_incoming_address. Only
2991 change this if you want to have SNMP replies sent using another
2992 address than where this Squid listens for SNMP queries.
2993
2994 NOTE, snmp_incoming_address and snmp_outgoing_address can not have
2995 the same value since they both use port 3401.
2996DOC_END
2997
2998NAME: as_whois_server
2999TYPE: string
3000LOC: Config.as_whois_server
3001DEFAULT: whois.ra.net
3002DEFAULT_IF_NONE: whois.ra.net
3003DOC_START
3004 WHOIS server to query for AS numbers. NOTE: AS numbers are
3005 queried only when Squid starts up, not for every request.
3006DOC_END
3007
3008NAME: wccp_router
3009TYPE: address
3010LOC: Config.Wccp.router
3011DEFAULT: 0.0.0.0
3012IFDEF: USE_WCCP
3013DOC_START
3014 Use this option to define your WCCP ``home'' router for
3015 Squid. Setting the 'wccp_router' to 0.0.0.0 (the default)
3016 disables WCCP.
3017DOC_END
3018
3019NAME: wccp_version
3020TYPE: int
3021LOC: Config.Wccp.version
3022DEFAULT: 4
3023IFDEF: USE_WCCP
3024DOC_START
3025 According to some users, Cisco IOS 11.2 only supports WCCP
3026 version 3. If you're using that version of IOS, change
3027 this value to 3.
3028DOC_END
3029
3030NAME: wccp_incoming_address
3031TYPE: address
3032LOC: Config.Wccp.incoming
3033DEFAULT: 0.0.0.0
3034IFDEF: USE_WCCP
3035DOC_NONE
3036NAME: wccp_outgoing_address
3037TYPE: address
3038LOC: Config.Wccp.outgoing
3039DEFAULT: 255.255.255.255
3040IFDEF: USE_WCCP
3041DOC_START
3042 wccp_incoming_address Use this option if you require WCCP
3043 messages to be received on only one
3044 interface. Do NOT use this option if
3045 you're unsure how many interfaces you
3046 have, or if you know you have only one
3047 interface.
3048
3049 wccp_outgoing_address Use this option if you require WCCP
3050 messages to be sent out on only one
3051 interface. Do NOT use this option if
3052 you're unsure how many interfaces you
3053 have, or if you know you have only one
3054 interface.
3055
3056 The default behavior is to not bind to any specific address.
3057
3058 NOTE, wccp_incoming_address and wccp_outgoing_address can not have
3059 the same value since they both use port 2048.
3060DOC_END
3061
3062
3063COMMENT_START
3064 DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
3065 -----------------------------------------------------------------------------
3066COMMENT_END
3067
3068NAME: delay_pools
3069TYPE: delay_pool_count
3070DEFAULT: 0
3071IFDEF: DELAY_POOLS
3072LOC: Config.Delay
3073DOC_START
3074 This represents the number of delay pools to be used. For example,
2075 if you have one class 2 delay pool and one class 3 delay pool, you
3076 have a total of 2 delay pools.
3077
3078 To enable this option, you must use --enable-delay-pools with the
3079 configure script.
3080DOC_END
3081
3082NAME: delay_class
3083TYPE: delay_pool_class
3084DEFAULT: none
3085IFDEF: DELAY_POOLS
3086LOC: Config.Delay
3087DOC_START
3088 This defines the class of each delay pool. There must be exactly one
3089 delay_class line for each delay pool. For example, to define two
3090 delay pools, one of class 2 and one of class 3, the settings above
3091 and here would be:
3092
3093Example:
3094 delay_pools 2 # 2 delay pools
3095 delay_class 1 2 # pool 1 is a class 2 pool
3096 delay_class 2 3 # pool 2 is a class 3 pool
3097
3098 The delay pool classes are:
3099
3100 class 1 Everything is limited by a single aggregate
3101 bucket.
3102
3103 class 2 Everything is limited by a single aggregate
3104 bucket as well as an "individual" bucket chosen
3105 from bits 25 through 32 of the IP address.
3106
3107 class 3 Everything is limited by a single aggregate
3108 bucket as well as a "network" bucket chosen
3109 from bits 17 through 24 of the IP address and a
3110 "individual" bucket chosen from bits 17 through
3111 32 of the IP address.
3112
3113 NOTE: If an IP address is a.b.c.d
3114 -> bits 25 through 32 are "d"
3115 -> bits 17 through 24 are "c"
3116 -> bits 17 through 32 are "c * 256 + d"
3117DOC_END
3118
3119NAME: delay_access
3120TYPE: delay_pool_access
3121DEFAULT: none
3122IFDEF: DELAY_POOLS
3123LOC: Config.Delay
3124DOC_START
3125 This is used to determine which delay pool a request falls into.
3126 The first matched delay pool is always used, i.e., if a request falls
2127 into delay pool number one, no more delay pools are checked, otherwise the
3128 rest are checked in order of their delay pool number until they have
3129 all been checked. For example, if you want some_big_clients in delay
3130 pool 1 and lotsa_little_clients in delay pool 2:
3131
3132Example:
3133 delay_access 1 allow some_big_clients
3134 delay_access 1 deny all
3135 delay_access 2 allow lotsa_little_clients
3136 delay_access 2 deny all
3137DOC_END
3138
3139NAME: delay_parameters
3140TYPE: delay_pool_rates
3141DEFAULT: none
3142IFDEF: DELAY_POOLS
3143LOC: Config.Delay
3144DOC_START
3145 This defines the parameters for a delay pool. Each delay pool has
3146 a number of "buckets" associated with it, as explained in the
3147 description of delay_class. For a class 1 delay pool, the syntax is:
3148
3149delay_parameters pool aggregate
3150
3151 For a class 2 delay pool:
3152
3153delay_parameters pool aggregate individual
3154
3155 For a class 3 delay pool:
3156
3157delay_parameters pool aggregate network individual
3158
3159 The variables here are:
3160
3161 pool a pool number - ie, a number between 1 and the
3162 number specified in delay_pools as used in
3163 delay_class lines.
3164
3165 aggregate the "delay parameters" for the aggregate bucket
3166 (class 1, 2, 3).
3167
3168 individual the "delay parameters" for the individual
3169 buckets (class 2, 3).
3170
3171 network the "delay parameters" for the network buckets
3172 (class 3).
3173
3174 A pair of delay parameters is written restore/maximum, where restore is
3175 the number of bytes (not bits - modem and network speeds are usually
3176 quoted in bits) per second placed into the bucket, and maximum is the
3177 maximum number of bytes which can be in the bucket at any time.
3178
3179 For example, if delay pool number 1 is a class 2 delay pool as in the
3180 above example, and is being used to strictly limit each host to 64kbps
3181 (plus overheads), with no overall limit, the line is:
3182
3183delay_parameters 1 -1/-1 8000/8000
3184
3185 Note that the figure -1 is used to represent "unlimited".
3186
3187 And, if delay pool number 2 is a class 3 delay pool as in the above
3188 example, and you want to limit it to a total of 256kbps (strict limit)
3189 with each 8-bit network permitted 64kbps (strict limit) and each
3190 individual host permitted 4800bps with a bucket maximum size of 64kb
3191 to permit a decent web page to be downloaded at a decent speed
3192 (if the network is not being limited due to overuse) but slow down
3193 large downloads more significantly:
3194
3195delay_parameters 2 32000/32000 8000/8000 600/64000
3196
3197 There must be one delay_parameters line for each delay pool.
3198DOC_END
3199
3200NAME: delay_initial_bucket_level
3201COMMENT: (percent, 0-100)
3202TYPE: ushort
3203DEFAULT: 50
3204IFDEF: DELAY_POOLS
3205LOC: Config.Delay.initial
3206DOC_START
3207 The initial bucket percentage is used to determine how much is put
3208 in each bucket when squid starts, is reconfigured, or first notices
3209 a host accessing it (in class 2 and class 3, individual hosts and
3210 networks only have buckets associated with them once they have been
3211 "seen" by squid).
3212DOC_END
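The following Python model is an added example, not part of the Squid sources. It parses the delay_parameters lines shown above, maps a client address to its class 2 and class 3 bucket indexes, and estimates how long a lone client waits for a download, starting each bucket at the default delay_initial_bucket_level of 50 percent. The function names, the once-per-second refill loop and the sample address are assumptions made for the illustration.

```python
"""Model of the buckets described by delay_class and delay_parameters.

Added illustration, not Squid source: the function names are hypothetical
and buckets are refilled once per second, which is a simplification.
"""
import ipaddress

UNLIMITED = -1
BUCKETS = {1: ["aggregate"],
           2: ["aggregate", "individual"],
           3: ["aggregate", "network", "individual"]}


def bucket_keys(pool_class, client_ip):
    """Return the bucket index a client maps to in each bucket type."""
    a, b, c, d = ipaddress.IPv4Address(client_ip).packed
    keys = {"aggregate": 0}
    if pool_class == 2:
        keys["individual"] = d              # bits 25 through 32
    elif pool_class == 3:
        keys["network"] = c                 # bits 17 through 24
        keys["individual"] = c * 256 + d    # bits 17 through 32
    return keys


def parse_delay_parameters(line, pool_class):
    """Parse 'delay_parameters pool restore/maximum ...' for one class."""
    names = BUCKETS[pool_class]
    fields = line.split()
    if fields[0] != "delay_parameters" or len(fields) != 2 + len(names):
        raise ValueError("class %d needs %d restore/maximum pairs"
                         % (pool_class, len(names)))
    pairs = {}
    for name, pair in zip(names, fields[2:]):
        restore, maximum = (int(x) for x in pair.split("/"))
        pairs[name] = (restore, maximum)    # both in bytes, not bits
    return int(fields[1]), pairs


def seconds_to_download(size, restore, maximum, initial_percent=50):
    """Whole seconds until one bucket has released `size` bytes."""
    if restore == UNLIMITED:
        return 0
    if restore <= 0:
        raise ValueError("restore must be positive or -1")
    level = maximum * initial_percent // 100    # delay_initial_bucket_level
    sent = seconds = 0
    while True:
        take = min(level, size - sent)
        sent += take
        level -= take
        if sent >= size:
            return seconds
        level = min(maximum, level + restore)   # refill, capped at maximum
        seconds += 1


def lone_client_seconds(size, pairs, initial_percent=50):
    """A single client with no competition is held back by its slowest bucket."""
    return max(seconds_to_download(size, restore, maximum, initial_percent)
               for restore, maximum in pairs.values())
```

With the class 3 line above, a 30000 byte page fits in the half-full 64000 byte individual bucket and is not delayed, while a 1000000 byte download drains it and then proceeds at 600 bytes per second.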
3213
3214NAME: incoming_icp_average
3215TYPE: int
3216DEFAULT: 6
3217LOC: Config.comm_incoming.icp_average
3218DOC_NONE
3219
3220NAME: incoming_http_average
3221TYPE: int
3222DEFAULT: 4
3223LOC: Config.comm_incoming.http_average
3224DOC_NONE
3225
3226NAME: incoming_dns_average
3227TYPE: int
3228DEFAULT: 4
3229LOC: Config.comm_incoming.dns_average
3230DOC_NONE
3231
3232NAME: min_icp_poll_cnt
3233TYPE: int
3234DEFAULT: 8
3235LOC: Config.comm_incoming.icp_min_poll
3236DOC_NONE
3237
3238NAME: min_dns_poll_cnt
3239TYPE: int
3240DEFAULT: 8
3241LOC: Config.comm_incoming.dns_min_poll
3242DOC_NONE
3243
3244NAME: min_http_poll_cnt
3245TYPE: int
3246DEFAULT: 8
3247LOC: Config.comm_incoming.http_min_poll
3248DOC_START
3249 Heavy voodoo here. I can't even believe you are reading this.
3250 Are you crazy? Don't even think about adjusting these unless
3251 you understand the algorithms in comm_select.c first!
3252DOC_END
3253
3254NAME: max_open_disk_fds
3255TYPE: int
3256LOC: Config.max_open_disk_fds
3257DEFAULT: 0
3258DOC_START
3259 To avoid having disk as the I/O bottleneck Squid can optionally
3260 bypass the on-disk cache if more than this number of disk file
3261 descriptors are open.
3262
3263 A value of 0 indicates no limit.
3264DOC_END
3265
3266NAME: offline_mode
3267TYPE: onoff
3268LOC: Config.onoff.offline
3269DEFAULT: off
3270DOC_START
3271 Enable this option and Squid will never try to validate cached
3272 objects.
3273DOC_END
3274
3275NAME: uri_whitespace
3276TYPE: uri_whitespace
3277LOC: Config.uri_whitespace
3278DEFAULT: strip
3279DOC_START
3280 What to do with requests that have whitespace characters in the
3281 URI. Options:
3282
3283 strip: The whitespace characters are stripped out of the URL.
3284 This is the behavior recommended by RFC2616.
3285 deny: The request is denied. The user receives an "Invalid
3286 Request" message.
3287 allow: The request is allowed and the URI is not changed. The
3288 whitespace characters remain in the URI. Note the
3289 whitespace is passed to redirector processes if they
3290 are in use.
3291 encode: The request is allowed and the whitespace characters are
3292 encoded according to RFC1738. This could be considered
3293 a violation of the HTTP/1.1
3294 RFC because proxies are not allowed to rewrite URIs.
3295 chop: The request is allowed and the URI is chopped at the
3296 first whitespace. This might also be considered a
3297 violation.
3298DOC_END
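The following Python model is an added example, not part of the Squid sources. It applies each uri_whitespace policy to a URI and checks whether a whitespace-delimited helper, such as a redirector, would still see the expected number of fields. The set of characters treated as whitespace, the helper line layout "URL client/fqdn ident method" and the sample values are assumptions made for the illustration.

```python
"""Effect of each uri_whitespace policy on a request URI.

Added illustration, not Squid source. Assumptions: whitespace means the
ASCII characters matched by WHITESPACE, and a helper reads one line of the
form "URL client/fqdn ident method" and splits it on whitespace.
"""
import re

WHITESPACE = re.compile(r"[ \t\r\n\f\v]")
POLICIES = ("strip", "deny", "allow", "encode", "chop")


def apply_uri_whitespace(uri, policy):
    """Return the URI that is acted on, or None when the request is denied."""
    if policy not in POLICIES:
        raise ValueError("unknown uri_whitespace policy: " + policy)
    if not WHITESPACE.search(uri):
        return uri                              # nothing to do
    if policy == "strip":
        return WHITESPACE.sub("", uri)
    if policy == "deny":
        return None                             # "Invalid Request"
    if policy == "allow":
        return uri                              # whitespace stays in the URI
    if policy == "encode":
        return WHITESPACE.sub(lambda m: "%%%02X" % ord(m.group()), uri)
    return WHITESPACE.split(uri, maxsplit=1)[0]  # chop at first whitespace


def redirector_fields(uri, client="192.0.2.10/-", ident="-", method="GET"):
    """Split a helper input line the way a whitespace-delimited helper would."""
    return ("%s %s %s %s" % (uri, client, ident, method)).split()


def audit(uri):
    """Map each policy to (resulting URI, helper still sees four fields)."""
    report = {}
    for policy in POLICIES:
        out = apply_uri_whitespace(uri, policy)
        fields_ok = None if out is None else len(redirector_fields(out)) == 4
        report[policy] = (out, fields_ok)
    return report


# Constructed sample: a URI with one embedded space.
SAMPLE = "http://example.com/a b.html"
```

Only 'allow' leaves the helper with a fifth field, which shifts the client, ident and method columns for any helper that splits its input on whitespace.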
3299
3300NAME: broken_posts
3301TYPE: acl_access
3302DEFAULT: none
3303LOC: Config.accessList.brokenPosts
3304DOC_START
3305 A list of ACL elements which, if matched, causes Squid to send
3306 an extra CRLF pair after the body of a PUT/POST request.
3307
3308 Some HTTP servers have broken implementations of PUT/POST,
3309 and rely on an extra CRLF pair sent by some WWW clients.
3310
3311 Quote from RFC 2068 section 4.1 on this matter:
3312
3313 Note: certain buggy HTTP/1.0 client implementations generate an
3314 extra CRLF's after a POST request. To restate what is explicitly
3315 forbidden by the BNF, an HTTP/1.1 client must not preface or follow
3316 a request with an extra CRLF.
3317
3318Example:
3319 acl buggy_server url_regex ^http://....
3320 broken_posts allow buggy_server
3321DOC_END
3322
3323NAME: mcast_miss_addr
3324IFDEF: MULTICAST_MISS_STREAM
3325TYPE: address
3326LOC: Config.mcast_miss.addr
3327DEFAULT: 255.255.255.255
3328DOC_START
3329 If you enable this option, every "cache miss" URL will
3330 be sent out on the specified multicast address.
3331
3332 Do not enable this option unless you are absolutely
3333 certain you understand what you are doing.
3334DOC_END
3335
3336NAME: mcast_miss_ttl
3337IFDEF: MULTICAST_MISS_TTL
3338TYPE: ushort
3339LOC: Config.mcast_miss.ttl
3340DEFAULT: 16
3341DOC_START
3342 This is the time-to-live value for packets multicasted
3343 when multicasting off cache miss URLs is enabled. By
3344 default this is set to 'site scope', i.e. 16.
3345DOC_END
3346
3347NAME: mcast_miss_port
3348IFDEF: MULTICAST_MISS_STREAM
3349TYPE: ushort
3350LOC: Config.mcast_miss.port
3351DEFAULT: 3135
3352DOC_START
3353 This is the port number to be used in conjunction with
3354 'mcast_miss_addr'.
3355DOC_END
3356
3357NAME: mcast_miss_encode_key
3358IFDEF: MULTICAST_MISS_STREAM
3359TYPE: string
3360LOC: Config.mcast_miss.encode_key
3361DEFAULT: XXXXXXXXXXXXXXXX
3362DOC_START
3363 The URLs that are sent in the multicast miss stream are
3364 encrypted. This is the encryption key.
3365DOC_END
3366
3367NAME: nonhierarchical_direct
3368TYPE: onoff
3369LOC: Config.onoff.nonhierarchical_direct
3370DEFAULT: on
3371DOC_START
3372 By default, Squid will send any non-hierarchical requests
3373 (matching hierarchy_stoplist or not cachable request type) direct
3374 to origin servers.
3375
3376 If you set this to off, then Squid will prefer to send these
3377 requests to parents.
3378
3379 Note that in most configurations, by turning this off you will only
3380 add latency to these requests without any improvement in global hit
3381 ratio.
3382
3383 If you are inside a firewall then see never_direct instead of
3384 this directive.
3385DOC_END
3386
3387NAME: prefer_direct
3388TYPE: onoff
3389LOC: Config.onoff.prefer_direct
3390DEFAULT: off
3391DOC_START
3392 Normally Squid tries to use parents for most requests. If for some
3393 reason you would like it to first try going direct and only use a
3394 parent if going direct fails, then set this to off.
3395
3396 By combining nonhierarchical_direct off and prefer_direct on you
3397 can set up Squid to use a parent as a backup path if going direct
3398 fails.
3399DOC_END
3400
3401NAME: strip_query_terms
3402TYPE: onoff
3403LOC: Config.onoff.strip_query_terms
3404DEFAULT: on
3405DOC_START
3406 By default, Squid strips query terms from requested URLs before
3407 logging. This protects your users' privacy.
3408DOC_END
3409
3410NAME: coredump_dir
3411TYPE: string
3412LOC: Config.coredump_dir
3413DEFAULT: none
3414DEFAULT_IF_NONE: none
3415DOC_START
3416 By default Squid leaves core files in the directory from where
3417 it was started. If you set 'coredump_dir' to a directory
3418 that exists, Squid will chdir() to that directory at startup
3419 and coredump files will be left there.
3420
3421NOCOMMENT_START
3422# Leave coredumps in the first cache dir
3423coredump_dir @DEFAULT_SWAP_DIR@
3424NOCOMMENT_END
3425DOC_END
3426
3427NAME: redirector_bypass
3428TYPE: onoff
3429LOC: Config.onoff.redirector_bypass
3430DEFAULT: off
3431DOC_START
3432 When this is 'on', a request will not go through the
3433 redirector if all redirectors are busy. If this is 'off'
3434 and the redirector queue grows too large, Squid will exit
3435 with a FATAL error and ask you to increase the number of
3436 redirectors. You should only enable this if the redirectors
3437 are not critical to your caching system. If you use
3438 redirectors for access control, and you enable this option,
3439 then users may have access to pages that they should not
3440 be allowed to request.
3441DOC_END
3442
3443NAME: ignore_unknown_nameservers
3444TYPE: onoff
3445LOC: Config.onoff.ignore_unknown_nameservers
3446DEFAULT: on
3447DOC_START
3448 By default Squid checks that DNS responses are received
3449 from the same IP addresses that they are sent to. If they
3450 don't match, Squid ignores the response and writes a warning
3451 message to cache.log. You can allow responses from unknown
3452 nameservers by setting this option to 'off'.
3453DOC_END
3454
3455NAME: digest_generation
3456IFDEF: USE_CACHE_DIGESTS
3457TYPE: onoff
3458LOC: Config.onoff.digest_generation
3459DEFAULT: on
3460DOC_START
3461 This controls whether the server will generate a Cache Digest
3462 of its contents. By default, Cache Digest generation is
3463 enabled if Squid is compiled with USE_CACHE_DIGESTS defined.
3464DOC_END
3465
3466NAME: digest_bits_per_entry
3467IFDEF: USE_CACHE_DIGESTS
3468TYPE: int
3469LOC: Config.digest.bits_per_entry
3470DEFAULT: 5
3471DOC_START
3472 This is the number of bits of the server's Cache Digest which
3473 will be associated with the Digest entry for a given HTTP
3474 Method and URL (public key) combination. The default is 5.
3475DOC_END
3476
3477NAME: digest_rebuild_period
3478IFDEF: USE_CACHE_DIGESTS
3479COMMENT: (seconds)
3480TYPE: time_t
3481LOC: Config.digest.rebuild_period
3482DEFAULT: 1 hour
3483DOC_START
3484 This is the number of seconds between Cache Digest rebuilds.
3485DOC_END
3486
3487NAME: digest_rewrite_period
3488COMMENT: (seconds)
3489IFDEF: USE_CACHE_DIGESTS
3490TYPE: time_t
3491LOC: Config.digest.rewrite_period
3492DEFAULT: 1 hour
3493DOC_START
3494 This is the number of seconds between Cache Digest writes to
3495 disk.
3496DOC_END
3497
3498NAME: digest_swapout_chunk_size
3499COMMENT: (bytes)
3500TYPE: b_size_t
3501IFDEF: USE_CACHE_DIGESTS
3502LOC: Config.digest.swapout_chunk_size
3503DEFAULT: 4096 bytes
3504DOC_START
3505 This is the number of bytes of the Cache Digest to write to
3506 disk at a time. It defaults to 4096 bytes (4KB), the Squid
3507 default swap page.
3508DOC_END
3509
3510NAME: digest_rebuild_chunk_percentage
3511COMMENT: (percent, 0-100)
3512IFDEF: USE_CACHE_DIGESTS
3513TYPE: int
3514LOC: Config.digest.rebuild_chunk_percentage
3515DEFAULT: 10
3516DOC_START
3517 This is the percentage of the Cache Digest to be scanned at a
3518 time. By default it is set to 10% of the Cache Digest.
3519DOC_END
3520
3521NAME: chroot
3522TYPE: string
3523LOC: Config.chroot_dir
3524DEFAULT: none
3525DOC_START
3526 Use this to have Squid do a chroot() while initializing. This
3527 also causes Squid to fully drop root privileges after
3528 initializing. This means, for example, that if you use an HTTP
3529 port less than 1024 and try to reconfigure, you will get an
3530 error.
3531DOC_END
3532
3533NAME: client_persistent_connections
3534TYPE: onoff
3535LOC: Config.onoff.client_pconns
3536DEFAULT: on
3537DOC_NONE
3538
3539NAME: server_persistent_connections
3540TYPE: onoff
3541LOC: Config.onoff.server_pconns
3542DEFAULT: on
3543DOC_START
3544 Persistent connection support for clients and servers. By
3545 default, Squid uses persistent connections (when allowed)
3546 with its clients and servers. You can use these options to
3547 disable persistent connections with clients and/or servers.
3548DOC_END
3549
3550NAME: pipeline_prefetch
3551TYPE: onoff
3552LOC: Config.onoff.pipeline_prefetch
3553DEFAULT: on
3554DOC_START
3555 To boost the performance of pipelined requests to closer
3556 match that of a non-proxied environment Squid tries to fetch
3557 up to two requests in parallel from a pipeline.
3558DOC_END
3559
3560NAME: extension_methods
3561TYPE: wordlist
3562LOC: Config.ext_methods
3563DEFAULT: none
3564DOC_START
3565 Squid only knows about standardized HTTP request methods.
3566 You can add up to 20 additional "extension" methods here.
3567DOC_END
3568
3569NAME: high_response_time_warning
3570TYPE: int
3571COMMENT: (msec)
3572LOC: Config.warnings.high_rptm
3573DEFAULT: 0
3574DOC_START
3575 If the one-minute median response time exceeds this value,
3576 Squid prints a WARNING with debug level 0 to get the
3577 administrator's attention. The value is in milliseconds.
3578DOC_END
3579
3580NAME: high_page_fault_warning
3581TYPE: int
3582LOC: Config.warnings.high_pf
3583DEFAULT: 0
3584DOC_START
3585 If the one-minute average page fault rate exceeds this
3586 value, Squid prints a WARNING with debug level 0 to get
3587 the administrator's attention. The value is in page faults
3588 per second.
3589DOC_END
3590
3591NAME: high_memory_warning
3592TYPE: b_size_t
3593LOC: Config.warnings.high_memory
3594DEFAULT: 0
3595DOC_START
3596 If the memory usage (as determined by mallinfo) exceeds
3597 this value, Squid prints a WARNING with debug level 0 to get
3598 the administrator's attention.
3599DOC_END
3600
3601NAME: store_dir_select_algorithm
3602TYPE: string
3603LOC: Config.store_dir_select_algorithm
3604DEFAULT: least-load
3605DOC_START
3606 Set this to 'round-robin' as an alternative.
3607DOC_END
3608
3609NAME: forward_log
3610IFDEF: WIP_FWD_LOG
3611TYPE: string
3612DEFAULT: none
3613LOC: Config.Log.forward
3614DOC_START
3615 Logs the server-side requests.
3616
3617 This is currently work in progress.
3618DOC_END
3619
3620NAME: ie_refresh
3621COMMENT: on|off
3622TYPE: onoff
3623LOC: Config.onoff.ie_refresh
3624DEFAULT: off
3625DOC_START
3626 Microsoft Internet Explorer up until version 5.5 Service
3627 Pack 1 has an issue with transparent proxies, wherein it
3628 is impossible to force a refresh. Turning this on provides
3629 a partial fix to the problem, by causing all IMS-REFRESH
3630 requests from older IE versions to check the origin server
3631 for fresh content. This reduces hit ratio by some amount
3632 (~10% in my experience), but allows users to actually get
3633 fresh content when they want it. Note that because Squid
3634 cannot tell if the user is using 5.5 or 5.5SP1, the behavior
3635 of 5.5 is unchanged from old versions of Squid (i.e. a
3636 forced refresh is impossible). Newer versions of IE will,
3637 hopefully, continue to have the new behavior and will be
3638 handled based on that assumption. This option defaults to
3639 the old Squid behavior, which is better for hit ratios but
3640 worse for clients using IE, if they need to be able to
3641 force fresh content.
3642DOC_END
3643
3644NAME: vary_ignore_expire
3645COMMENT: on|off
3646TYPE: onoff
3647LOC: Config.onoff.vary_ignore_expire
3648DEFAULT: off
3649DOC_START
3650 Many HTTP servers supporting Vary give such objects
3651 immediate expiry time with no cache-control header
3652 when requested by an HTTP/1.0 client. This option
3653 enables Squid to ignore such expiry times until
3654 HTTP/1.1 is fully implemented.
3655 WARNING: This may eventually cause some varying
3656 objects not intended for caching to get cached.
3657DOC_END
3658
3659NAME: sleep_after_fork
3660COMMENT: (microseconds)
3661TYPE: int
3662LOC: Config.sleep_after_fork
3663DEFAULT: 0
3664DOC_START
3665 When this is set to a non-zero value, the main Squid process
3666 sleeps the specified number of microseconds after a fork()
3667 system call. This sleep may help the situation where your
3668 system reports fork() failures due to lack of (virtual)
3669 memory. Note, however, that if you have a lot of child
3670 processes, then these sleep delays will add up and your
3671 Squid will not service requests for some amount of time
3672 until all the child processes have been started.
3673DOC_END
3674
3675EOF
3676