]> git.ipfire.org Git - thirdparty/squid.git/blame_incremental - src/cf.data.pre
projects / thirdparty / squid.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Bug 3322: adapt:: and icap:: format codes do not parse
[thirdparty/squid.git] / src / cf.data.pre
... / ...
CommitLineData
1#
2# SQUID Web Proxy Cache http://www.squid-cache.org/
3# ----------------------------------------------------------
4#
5# Squid is the result of efforts by numerous individuals from
6# the Internet community; see the CONTRIBUTORS file for full
7# details. Many organizations have provided support for Squid's
8# development; see the SPONSORS file for full details. Squid is
9# Copyrighted (C) 2000 by the Regents of the University of
10# California; see the COPYRIGHT file for full details. Squid
11# incorporates software developed and/or copyrighted by other
12# sources; see the CREDITS file for full details.
13#
14# This program is free software; you can redistribute it and/or modify
15# it under the terms of the GNU General Public License as published by
16# the Free Software Foundation; either version 2 of the License, or
17# (at your option) any later version.
18#
19# This program is distributed in the hope that it will be useful,
20# but WITHOUT ANY WARRANTY; without even the implied warranty of
21# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22# GNU General Public License for more details.
23#
24# You should have received a copy of the GNU General Public License
25# along with this program; if not, write to the Free Software
26# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
27#
28
29COMMENT_START
30 WELCOME TO @SQUID@
31 ----------------------------
32
33 This is the default Squid configuration file. You may wish
34 to look at the Squid home page (http://www.squid-cache.org/)
35 for the FAQ and other documentation.
36
37 The default Squid config file shows what the defaults for
38 various options happen to be. If you don't need to change the
39 default, you shouldn't uncomment the line. Doing so may cause
40 run-time problems. In some cases "none" refers to no default
41 setting at all, while in other cases it refers to a valid
42 option - the comments for that keyword indicate if this is the
43 case.
44
45COMMENT_END
46
47COMMENT_START
48 Configuration options can be included using the "include" directive.
49 Include takes a list of files to include. Quoting and wildcards is
50 supported.
51
52 For example,
53
54 include /path/to/included/file/squid.acl.config
55
56 Includes can be nested up to a hard-coded depth of 16 levels.
57 This arbitrary restriction is to prevent recursive include references
58 from causing Squid entering an infinite loop whilst trying to load
59 configuration files.
60
61
62 Conditional configuration
63
64 If-statements can be used to make configuration directives
65 depend on conditions:
66
67 if <CONDITION>
68 ... regular configuration directives ...
69 [else
70 ... regular configuration directives ...]
71 endif
72
73 The else part is optional. The keywords "if", "else", and "endif"
74 must be typed on their own lines, as if they were regular
75 configuration directives.
76
77 These individual conditions types are supported:
78
79 true
80 Always evaluates to true.
81 false
82 Always evaluates to false.
83 <integer> = <integer>
84 Equality comparison of two integer numbers.
85
86
87 SMP-Related Macros
88
89 The following SMP-related preprocessor macros can be used.
90
91 ${process_name} expands to the current Squid process "name"
92 (e.g., squid1, squid2, or cache1).
93
94 ${process_number} expands to the current Squid process
95 identifier, which is an integer number (e.g., 1, 2, 3) unique
96 across all Squid processes.
97COMMENT_END
98
99# Options Removed in 3.2
100NAME: ignore_expect_100
101TYPE: obsolete
102DOC_START
103 Remove this line. The HTTP/1.1 feature is now fully supported by default.
104DOC_END
105
106NAME: ftp_list_width
107TYPE: obsolete
108DOC_START
109 Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
110DOC_END
111
112NAME: url_rewrite_concurrency
113TYPE: obsolete
114DOC_START
115 Remove this line. Set the 'concurrency=' option of url_rewrite_children instead.
116DOC_END
117
118# Options Removed in 3.1
119NAME: dns_testnames
120TYPE: obsolete
121DOC_START
122 Remove this line. DNS is no longer tested on startup.
123DOC_END
124
125NAME: extension_methods
126TYPE: obsolete
127DOC_START
128 Remove this line. All valid methods for HTTP are accepted by default.
129DOC_END
130
131# 2.7 Options Removed/Replaced in 3.1
132NAME: incoming_rate
133TYPE: obsolete
134DOC_NONE
135
136NAME: server_http11
137TYPE: obsolete
138DOC_START
139 Remove this line. HTTP/1.1 is supported by default.
140DOC_END
141
142NAME: upgrade_http0.9
143TYPE: obsolete
144DOC_START
145 Remove this line. ICY/1.0 streaming protocol is supported by default.
146DOC_END
147
148NAME: zph_local zph_mode zph_option zph_parent zph_sibling
149TYPE: obsolete
150DOC_START
151 Alter these entries. Use the qos_flows directive instead.
152DOC_END
153
154# Options Removed in 3.0
155NAME: header_access
156TYPE: obsolete
157DOC_START
158 Since squid-3.0 replace with request_header_access or reply_header_access
159 depending on whether you wish to match client requests or server replies.
160DOC_END
161
162NAME: httpd_accel_no_pmtu_disc
163TYPE: obsolete
164DOC_START
165 Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
166DOC_END
167
168COMMENT_START
169 OPTIONS FOR AUTHENTICATION
170 -----------------------------------------------------------------------------
171COMMENT_END
172
173NAME: auth_param
174TYPE: authparam
175IFDEF: USE_AUTH
176LOC: Auth::TheConfig
177DEFAULT: none
178DOC_START
179 This is used to define parameters for the various authentication
180 schemes supported by Squid.
181
182 format: auth_param scheme parameter [setting]
183
184 The order in which authentication schemes are presented to the client is
185 dependent on the order the scheme first appears in config file. IE
186 has a bug (it's not RFC 2617 compliant) in that it will use the basic
187 scheme if basic is the first entry presented, even if more secure
188 schemes are presented. For now use the order in the recommended
189 settings section below. If other browsers have difficulties (don't
190 recognize the schemes offered even if you are using basic) either
191 put basic first, or disable the other schemes (by commenting out their
192 program entry).
193
194 Once an authentication scheme is fully configured, it can only be
195 shutdown by shutting squid down and restarting. Changes can be made on
196 the fly and activated with a reconfigure. I.E. You can change to a
197 different helper, but not unconfigure the helper completely.
198
199 Please note that while this directive defines how Squid processes
200 authentication it does not automatically activate authentication.
201 To use authentication you must in addition make use of ACLs based
202 on login name in http_access (proxy_auth, proxy_auth_regex or
203 external with %LOGIN used in the format tag). The browser will be
204 challenged for authentication on the first such acl encountered
205 in http_access processing and will also be re-challenged for new
206 login credentials if the request is being denied by a proxy_auth
207 type acl.
208
209 WARNING: authentication can't be used in a transparently intercepting
210 proxy as the client then thinks it is talking to an origin server and
211 not the proxy. This is a limitation of bending the TCP/IP protocol to
212 transparently intercepting port 80, not a limitation in Squid.
213 Ports flagged 'transparent', 'intercept', or 'tproxy' have
214 authentication disabled.
215
216 === Parameters for the basic scheme follow. ===
217
218 "program" cmdline
219 Specify the command for the external authenticator. Such a program
220 reads a line containing "username password" and replies "OK" or
221 "ERR" in an endless loop. "ERR" responses may optionally be followed
222 by a error description available as %m in the returned error page.
223 If you use an authenticator, make sure you have 1 acl of type
224 proxy_auth.
225
226 By default, the basic authentication scheme is not used unless a
227 program is specified.
228
229 If you want to use the traditional NCSA proxy authentication, set
230 this line to something like
231
232 auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
233
234 "utf8" on|off
235 HTTP uses iso-latin-1 as characterset, while some authentication
236 backends such as LDAP expects UTF-8. If this is set to on Squid will
237 translate the HTTP iso-latin-1 charset to UTF-8 before sending the
238 username & password to the helper.
239
240 "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
241 The maximum number of authenticator processes to spawn. If you start too few
242 Squid will have to wait for them to process a backlog of credential
243 verifications, slowing it down. When password verifications are
244 done via a (slow) network you are likely to need lots of
245 authenticator processes.
246
247 The startup= and idle= options permit some skew in the exact amount
248 run. A minimum of startup=N will begin during startup and reconfigure.
249 Squid will start more in groups of up to idle=N in an attempt to meet
250 traffic needs and to keep idle=N free above those traffic needs up to
251 the maximum.
252
253 The concurrency= option sets the number of concurrent requests the
254 helper can process. The default of 0 is used for helpers who only
255 supports one request at a time. Setting this to a number greater than
256 0 changes the protocol used to include a channel number first on the
257 request/response line, allowing multiple requests to be sent to the
258 same helper in parallell without wating for the response.
259 Must not be set unless it's known the helper supports this.
260
261 auth_param basic children 20 startup=0 idle=1
262
263 "realm" realmstring
264 Specifies the realm name which is to be reported to the
265 client for the basic proxy authentication scheme (part of
266 the text the user will see when prompted their username and
267 password). There is no default.
268 auth_param basic realm Squid proxy-caching web server
269
270 "credentialsttl" timetolive
271 Specifies how long squid assumes an externally validated
272 username:password pair is valid for - in other words how
273 often the helper program is called for that user. Set this
274 low to force revalidation with short lived passwords. Note
275 setting this high does not impact your susceptibility
276 to replay attacks unless you are using an one-time password
277 system (such as SecureID). If you are using such a system,
278 you will be vulnerable to replay attacks unless you also
279 use the max_user_ip ACL in an http_access rule.
280
281 "casesensitive" on|off
282 Specifies if usernames are case sensitive. Most user databases are
283 case insensitive allowing the same username to be spelled using both
284 lower and upper case letters, but some are case sensitive. This
285 makes a big difference for user_max_ip ACL processing and similar.
286 auth_param basic casesensitive off
287
288 === Parameters for the digest scheme follow ===
289
290 "program" cmdline
291 Specify the command for the external authenticator. Such
292 a program reads a line containing "username":"realm" and
293 replies with the appropriate H(A1) value hex encoded or
294 ERR if the user (or his H(A1) hash) does not exists.
295 See rfc 2616 for the definition of H(A1).
296 "ERR" responses may optionally be followed by a error description
297 available as %m in the returned error page.
298
299 By default, the digest authentication scheme is not used unless a
300 program is specified.
301
302 If you want to use a digest authenticator, set this line to
303 something like
304
305 auth_param digest program @DEFAULT_PREFIX@/bin/digest_pw_auth @DEFAULT_PREFIX@/etc/digpass
306
307 "utf8" on|off
308 HTTP uses iso-latin-1 as characterset, while some authentication
309 backends such as LDAP expects UTF-8. If this is set to on Squid will
310 translate the HTTP iso-latin-1 charset to UTF-8 before sending the
311 username & password to the helper.
312
313 "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
314 The maximum number of authenticator processes to spawn (default 5).
315 If you start too few Squid will have to wait for them to
316 process a backlog of H(A1) calculations, slowing it down.
317 When the H(A1) calculations are done via a (slow) network
318 you are likely to need lots of authenticator processes.
319
320 The startup= and idle= options permit some skew in the exact amount
321 run. A minimum of startup=N will begin during startup and reconfigure.
322 Squid will start more in groups of up to idle=N in an attempt to meet
323 traffic needs and to keep idle=N free above those traffic needs up to
324 the maximum.
325
326 The concurrency= option sets the number of concurrent requests the
327 helper can process. The default of 0 is used for helpers who only
328 supports one request at a time. Setting this to a number greater than
329 0 changes the protocol used to include a channel number first on the
330 request/response line, allowing multiple requests to be sent to the
331 same helper in parallell without wating for the response.
332 Must not be set unless it's known the helper supports this.
333
334 auth_param digest children 20 startup=0 idle=1
335
336 "realm" realmstring
337 Specifies the realm name which is to be reported to the
338 client for the digest proxy authentication scheme (part of
339 the text the user will see when prompted their username and
340 password). There is no default.
341 auth_param digest realm Squid proxy-caching web server
342
343 "nonce_garbage_interval" timeinterval
344 Specifies the interval that nonces that have been issued
345 to client_agent's are checked for validity.
346
347 "nonce_max_duration" timeinterval
348 Specifies the maximum length of time a given nonce will be
349 valid for.
350
351 "nonce_max_count" number
352 Specifies the maximum number of times a given nonce can be
353 used.
354
355 "nonce_strictness" on|off
356 Determines if squid requires strict increment-by-1 behavior
357 for nonce counts, or just incrementing (off - for use when
358 useragents generate nonce counts that occasionally miss 1
359 (ie, 1,2,4,6)). Default off.
360
361 "check_nonce_count" on|off
362 This directive if set to off can disable the nonce count check
363 completely to work around buggy digest qop implementations in
364 certain mainstream browser versions. Default on to check the
365 nonce count to protect from authentication replay attacks.
366
367 "post_workaround" on|off
368 This is a workaround to certain buggy browsers who sends
369 an incorrect request digest in POST requests when reusing
370 the same nonce as acquired earlier on a GET request.
371
372 === NTLM scheme options follow ===
373
374 "program" cmdline
375 Specify the command for the external NTLM authenticator.
376 Such a program reads exchanged NTLMSSP packets with
377 the browser via Squid until authentication is completed.
378 If you use an NTLM authenticator, make sure you have 1 acl
379 of type proxy_auth. By default, the NTLM authenticator_program
380 is not used.
381
382 auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
383
384 "children" numberofchildren [startup=N] [idle=N]
385 The maximum number of authenticator processes to spawn (default 5).
386 If you start too few Squid will have to wait for them to
387 process a backlog of credential verifications, slowing it
388 down. When credential verifications are done via a (slow)
389 network you are likely to need lots of authenticator
390 processes.
391
392 The startup= and idle= options permit some skew in the exact amount
393 run. A minimum of startup=N will begin during startup and reconfigure.
394 Squid will start more in groups of up to idle=N in an attempt to meet
395 traffic needs and to keep idle=N free above those traffic needs up to
396 the maximum.
397
398 auth_param ntlm children 20 startup=0 idle=1
399
400 "keep_alive" on|off
401 If you experience problems with PUT/POST requests when using the
402 Negotiate authentication scheme then you can try setting this to
403 off. This will cause Squid to forcibly close the connection on
404 the initial requests where the browser asks which schemes are
405 supported by the proxy.
406
407 auth_param ntlm keep_alive on
408
409 === Options for configuring the NEGOTIATE auth-scheme follow ===
410
411 "program" cmdline
412 Specify the command for the external Negotiate authenticator.
413 This protocol is used in Microsoft Active-Directory enabled setups with
414 the Microsoft Internet Explorer or Mozilla Firefox browsers.
415 Its main purpose is to exchange credentials with the Squid proxy
416 using the Kerberos mechanisms.
417 If you use a Negotiate authenticator, make sure you have at least
418 one acl of type proxy_auth active. By default, the negotiate
419 authenticator_program is not used.
420 The only supported program for this role is the ntlm_auth
421 program distributed as part of Samba, version 4 or later.
422
423 auth_param negotiate program @DEFAULT_PREFIX@/bin/ntlm_auth --helper-protocol=gss-spnego
424
425 "children" numberofchildren [startup=N] [idle=N]
426 The maximum number of authenticator processes to spawn (default 5).
427 If you start too few Squid will have to wait for them to
428 process a backlog of credential verifications, slowing it
429 down. When crendential verifications are done via a (slow)
430 network you are likely to need lots of authenticator
431 processes.
432
433 The startup= and idle= options permit some skew in the exact amount
434 run. A minimum of startup=N will begin during startup and reconfigure.
435 Squid will start more in groups of up to idle=N in an attempt to meet
436 traffic needs and to keep idle=N free above those traffic needs up to
437 the maximum.
438
439 auth_param negotiate children 20 startup=0 idle=1
440
441 "keep_alive" on|off
442 If you experience problems with PUT/POST requests when using the
443 Negotiate authentication scheme then you can try setting this to
444 off. This will cause Squid to forcibly close the connection on
445 the initial requests where the browser asks which schemes are
446 supported by the proxy.
447
448 auth_param negotiate keep_alive on
449
450
451 Examples:
452
453#Recommended minimum configuration per scheme:
454#auth_param negotiate program <uncomment and complete this line to activate>
455#auth_param negotiate children 20 startup=0 idle=1
456#auth_param negotiate keep_alive on
457#
458#auth_param ntlm program <uncomment and complete this line to activate>
459#auth_param ntlm children 20 startup=0 idle=1
460#auth_param ntlm keep_alive on
461#
462#auth_param digest program <uncomment and complete this line>
463#auth_param digest children 20 startup=0 idle=1
464#auth_param digest realm Squid proxy-caching web server
465#auth_param digest nonce_garbage_interval 5 minutes
466#auth_param digest nonce_max_duration 30 minutes
467#auth_param digest nonce_max_count 50
468#
469#auth_param basic program <uncomment and complete this line>
470#auth_param basic children 5 startup=5 idle=1
471#auth_param basic realm Squid proxy-caching web server
472#auth_param basic credentialsttl 2 hours
473DOC_END
474
475NAME: authenticate_cache_garbage_interval
476TYPE: time_t
477DEFAULT: 1 hour
478LOC: Config.authenticateGCInterval
479DOC_START
480 The time period between garbage collection across the username cache.
481 This is a tradeoff between memory utilization (long intervals - say
482 2 days) and CPU (short intervals - say 1 minute). Only change if you
483 have good reason to.
484DOC_END
485
486NAME: authenticate_ttl
487TYPE: time_t
488DEFAULT: 1 hour
489LOC: Config.authenticateTTL
490DOC_START
491 The time a user & their credentials stay in the logged in
492 user cache since their last request. When the garbage
493 interval passes, all user credentials that have passed their
494 TTL are removed from memory.
495DOC_END
496
497NAME: authenticate_ip_ttl
498TYPE: time_t
499LOC: Config.authenticateIpTTL
500DEFAULT: 0 seconds
501DOC_START
502 If you use proxy authentication and the 'max_user_ip' ACL,
503 this directive controls how long Squid remembers the IP
504 addresses associated with each user. Use a small value
505 (e.g., 60 seconds) if your users might change addresses
506 quickly, as is the case with dialups. You might be safe
507 using a larger value (e.g., 2 hours) in a corporate LAN
508 environment with relatively static address assignments.
509DOC_END
510
511COMMENT_START
512 ACCESS CONTROLS
513 -----------------------------------------------------------------------------
514COMMENT_END
515
516NAME: external_acl_type
517TYPE: externalAclHelper
518LOC: Config.externalAclHelperList
519DEFAULT: none
520DOC_START
521 This option defines external acl classes using a helper program
522 to look up the status
523
524 external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
525
526 Options:
527
528 ttl=n TTL in seconds for cached results (defaults to 3600
529 for 1 hour)
530 negative_ttl=n
531 TTL for cached negative lookups (default same
532 as ttl)
533 children-max=n
534 Maximum number of acl helper processes spawned to service
535 external acl lookups of this type. (default 20)
536 children-startup=n
537 Minimum number of acl helper processes to spawn during
538 startup and reconfigure to service external acl lookups
539 of this type. (default 0)
540 children-idle=n
541 Number of acl helper processes to keep ahead of traffic
542 loads. Squid will spawn this many at once whenever load
543 rises above the capabilities of existing processes.
544 Up to the value of children-max. (default 1)
545 concurrency=n concurrency level per process. Only used with helpers
546 capable of processing more than one query at a time.
547 cache=n limit the result cache size, default is unbounded.
548 grace=n Percentage remaining of TTL where a refresh of a
549 cached entry should be initiated without needing to
550 wait for a new reply. (default is for no grace period)
551 protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
552 ipv4 / ipv6 IP-mode used to communicate to this helper.
553 For compatability with older configurations and helpers
554 the default is currently 'ipv4'.
555
556 FORMAT specifications
557
558 %LOGIN Authenticated user login name
559 %EXT_USER Username from previous external acl
560 %EXT_LOG Log details from previous external acl
561 %EXT_TAG Tag from previous external acl
562 %IDENT Ident user name
563 %SRC Client IP
564 %SRCPORT Client source port
565 %URI Requested URI
566 %DST Requested host
567 %PROTO Requested protocol
568 %PORT Requested port
569 %PATH Requested URL path
570 %METHOD Request method
571 %MYADDR Squid interface address
572 %MYPORT Squid http_port number
573 %PATH Requested URL-path (including query-string if any)
574 %USER_CERT SSL User certificate in PEM format
575 %USER_CERTCHAIN SSL User certificate chain in PEM format
576 %USER_CERT_xx SSL User certificate subject attribute xx
577 %USER_CA_xx SSL User certificate issuer attribute xx
578
579 %>{Header} HTTP request header "Header"
580 %>{Hdr:member}
581 HTTP request header "Hdr" list member "member"
582 %>{Hdr:;member}
583 HTTP request header list member using ; as
584 list separator. ; can be any non-alphanumeric
585 character.
586
587 %<{Header} HTTP reply header "Header"
588 %<{Hdr:member}
589 HTTP reply header "Hdr" list member "member"
590 %<{Hdr:;member}
591 HTTP reply header list member using ; as
592 list separator. ; can be any non-alphanumeric
593 character.
594
595 In addition to the above, any string specified in the referencing
596 acl will also be included in the helper request line, after the
597 specified formats (see the "acl external" directive)
598
599 The helper receives lines per the above format specification,
600 and returns lines starting with OK or ERR indicating the validity
601 of the request and optionally followed by additional keywords with
602 more details.
603
604 General result syntax:
605
606 OK/ERR keyword=value ...
607
608 Defined keywords:
609
610 user= The users name (login)
611 password= The users password (for login= cache_peer option)
612 message= Message describing the reason. Available as %o
613 in error pages
614 tag= Apply a tag to a request (for both ERR and OK results)
615 Only sets a tag, does not alter existing tags.
616 log= String to be logged in access.log. Available as
617 %ea in logformat specifications
618
619 If protocol=3.0 (the default) then URL escaping is used to protect
620 each value in both requests and responses.
621
622 If using protocol=2.5 then all values need to be enclosed in quotes
623 if they may contain whitespace, or the whitespace escaped using \.
624 And quotes or \ characters within the keyword value must be \ escaped.
625
626 When using the concurrency= option the protocol is changed by
627 introducing a query channel tag infront of the request/response.
628 The query channel tag is a number between 0 and concurrency-1.
629DOC_END
630
631NAME: acl
632TYPE: acl
633LOC: Config.aclList
634DEFAULT: all src all
635DEFAULT: manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
636DEFAULT: localhost src 127.0.0.1/32 ::1
637DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
638DEFAULT_DOC: ACLs all, manager, localhost, and to_localhost are predefined.
639DOC_START
640 Defining an Access List
641
642 Every access list definition must begin with an aclname and acltype,
643 followed by either type-specific arguments or a quoted filename that
644 they are read from.
645
646 acl aclname acltype argument ...
647 acl aclname acltype "file" ...
648
649 When using "file", the file should contain one item per line.
650
651 By default, regular expressions are CASE-SENSITIVE.
652 To make them case-insensitive, use the -i option. To return case-sensitive
653 use the +i option between patterns, or make a new ACL line without -i.
654
655 Some acl types require suspending the current request in order
656 to access some external data source.
657 Those which do are marked with the tag [slow], those which
658 don't are marked as [fast].
659 See http://wiki.squid-cache.org/SquidFaq/SquidAcl
660 for further information
661
662 ***** ACL TYPES AVAILABLE *****
663
664 acl aclname src ip-address/mask ... # clients IP address [fast]
665 acl aclname src addr1-addr2/mask ... # range of addresses [fast]
666 acl aclname dst ip-address/mask ... # URL host's IP address [slow]
667 acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
668
669 acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
670 # The arp ACL requires the special configure option --enable-arp-acl.
671 # Furthermore, the ARP ACL code is not portable to all operating systems.
672 # It works on Linux, Solaris, Windows, FreeBSD, and some
673 # other *BSD variants.
674 # [fast]
675 #
676 # NOTE: Squid can only determine the MAC address for clients that are on
677 # the same subnet. If the client is on a different subnet,
678 # then Squid cannot find out its MAC address.
679
680 acl aclname srcdomain .foo.com ...
681 # reverse lookup, from client IP [slow]
682 acl aclname dstdomain .foo.com ...
683 # Destination server from URL [fast]
684 acl aclname srcdom_regex [-i] \.foo\.com ...
685 # regex matching client name [slow]
686 acl aclname dstdom_regex [-i] \.foo\.com ...
687 # regex matching server [fast]
688 #
689 # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
690 # based URL is used and no match is found. The name "none" is used
691 # if the reverse lookup fails.
692
693 acl aclname src_as number ...
694 acl aclname dst_as number ...
695 # [fast]
696 # Except for access control, AS numbers can be used for
697 # routing of requests to specific caches. Here's an
698 # example for routing all requests for AS#1241 and only
699 # those to mycache.mydomain.net:
700 # acl asexample dst_as 1241
701 # cache_peer_access mycache.mydomain.net allow asexample
702 # cache_peer_access mycache_mydomain.net deny all
703
704 acl aclname peername myPeer ...
705 # [fast]
706 # match against a named cache_peer entry
707 # set unique name= on cache_peer lines for reliable use.
708
709 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
710 # [fast]
711 # day-abbrevs:
712 # S - Sunday
713 # M - Monday
714 # T - Tuesday
715 # W - Wednesday
716 # H - Thursday
717 # F - Friday
718 # A - Saturday
719 # h1:m1 must be less than h2:m2
720
721 acl aclname url_regex [-i] ^http:// ...
722 # regex matching on whole URL [fast]
723 acl aclname urlpath_regex [-i] \.gif$ ...
724 # regex matching on URL path [fast]
725
726 acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
727 # ranges are alloed
728 acl aclname localport 3128 ... # TCP port the client connected to [fast]
729 # NP: for interception mode this is usually '80'
730
731 acl aclname myportname 3128 ... # http(s)_port name [fast]
732
733 acl aclname proto HTTP FTP ... # request protocol [fast]
734
735 acl aclname method GET POST ... # HTTP request method [fast]
736
737 acl aclname http_status 200 301 500- 400-403 ...
738 # status code in reply [fast]
739
740 acl aclname browser [-i] regexp ...
741 # pattern match on User-Agent header (see also req_header below) [fast]
742
743 acl aclname referer_regex [-i] regexp ...
744 # pattern match on Referer header [fast]
745 # Referer is highly unreliable, so use with care
746
747 acl aclname ident username ...
748 acl aclname ident_regex [-i] pattern ...
749 # string match on ident output [slow]
750 # use REQUIRED to accept any non-null ident.
751
752 acl aclname proxy_auth [-i] username ...
753 acl aclname proxy_auth_regex [-i] pattern ...
754 # perform http authentication challenge to the client and match against
755 # supplied credentials [slow]
756 #
757 # takes a list of allowed usernames.
758 # use REQUIRED to accept any valid username.
759 #
760 # Will use proxy authentication in forward-proxy scenarios, and plain
761 # http authenticaiton in reverse-proxy scenarios
762 #
763 # NOTE: when a Proxy-Authentication header is sent but it is not
764 # needed during ACL checking the username is NOT logged
765 # in access.log.
766 #
767 # NOTE: proxy_auth requires a EXTERNAL authentication program
768 # to check username/password combinations (see
769 # auth_param directive).
770 #
771 # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
772 # as the browser needs to be configured for using a proxy in order
773 # to respond to proxy authentication.
774
775 acl aclname snmp_community string ...
776 # A community string to limit access to your SNMP Agent [fast]
777 # Example:
778 #
779 # acl snmppublic snmp_community public
780
781 acl aclname maxconn number
782 # This will be matched when the client's IP address has
783 # more than <number> TCP connections established. [fast]
784 # NOTE: This only measures direct TCP links so X-Forwarded-For
785 # indirect clients are not counted.
786
787 acl aclname max_user_ip [-s] number
788 # This will be matched when the user attempts to log in from more
789 # than <number> different ip addresses. The authenticate_ip_ttl
790 # parameter controls the timeout on the ip entries. [fast]
791 # If -s is specified the limit is strict, denying browsing
792 # from any further IP addresses until the ttl has expired. Without
793 # -s Squid will just annoy the user by "randomly" denying requests.
794 # (the counter is reset each time the limit is reached and a
795 # request is denied)
796 # NOTE: in acceleration mode or where there is mesh of child proxies,
797 # clients may appear to come from multiple addresses if they are
798 # going through proxy farms, so a limit of 1 may cause user problems.
799
800 acl aclname random probability
801 # Pseudo-randomly match requests. Based on the probability given.
802 # Probability may be written as a decimal (0.333), fraction (1/3)
803 # or ratio of matches:non-matches (3:5).
804
805 acl aclname req_mime_type [-i] mime-type ...
806 # regex match against the mime type of the request generated
807 # by the client. Can be used to detect file upload or some
808 # types HTTP tunneling requests [fast]
809 # NOTE: This does NOT match the reply. You cannot use this
810 # to match the returned file type.
811
812 acl aclname req_header header-name [-i] any\.regex\.here
813 # regex match against any of the known request headers. May be
814 # thought of as a superset of "browser", "referer" and "mime-type"
815 # ACL [fast]
816
817 acl aclname rep_mime_type [-i] mime-type ...
818 # regex match against the mime type of the reply received by
819 # squid. Can be used to detect file download or some
820 # types HTTP tunneling requests. [fast]
821 # NOTE: This has no effect in http_access rules. It only has
822 # effect in rules that affect the reply data stream such as
823 # http_reply_access.
824
825 acl aclname rep_header header-name [-i] any\.regex\.here
826 # regex match against any of the known reply headers. May be
827 # thought of as a superset of "browser", "referer" and "mime-type"
828 # ACLs [fast]
829
830 acl aclname external class_name [arguments...]
831 # external ACL lookup via a helper class defined by the
832 # external_acl_type directive [slow]
833
834 acl aclname user_cert attribute values...
835 # match against attributes in a user SSL certificate
836 # attribute is one of DN/C/O/CN/L/ST [fast]
837
838 acl aclname ca_cert attribute values...
839 # match against attributes a users issuing CA SSL certificate
840 # attribute is one of DN/C/O/CN/L/ST [fast]
841
842 acl aclname ext_user username ...
843 acl aclname ext_user_regex [-i] pattern ...
844 # string match on username returned by external acl helper [slow]
845 # use REQUIRED to accept any non-null user name.
846
847 acl aclname tag tagvalue ...
848 # string match on tag returned by external acl helper [slow]
849
850 acl aclname hier_code codename ...
851 # string match against squid hierarchy code(s); [fast]
852 # e.g., DIRECT, PARENT_HIT, NONE, etc.
853 #
854 # NOTE: This has no effect in http_access rules. It only has
855 # effect in rules that affect the reply data stream such as
856 # http_reply_access.
857
858 Examples:
859 acl macaddress arp 09:00:2b:23:45:67
860 acl myexample dst_as 1241
861 acl password proxy_auth REQUIRED
862 acl fileupload req_mime_type -i ^multipart/form-data$
863 acl javascript rep_mime_type -i ^application/x-javascript$
864
865NOCOMMENT_START
866#
867# Recommended minimum configuration:
868#
869
870# Example rule allowing access from your local networks.
871# Adapt to list your (internal) IP networks from where browsing
872# should be allowed
873acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
874acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
875acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
876acl localnet src fc00::/7 # RFC 4193 local private network range
877acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
878
879acl SSL_ports port 443
880acl Safe_ports port 80 # http
881acl Safe_ports port 21 # ftp
882acl Safe_ports port 443 # https
883acl Safe_ports port 70 # gopher
884acl Safe_ports port 210 # wais
885acl Safe_ports port 1025-65535 # unregistered ports
886acl Safe_ports port 280 # http-mgmt
887acl Safe_ports port 488 # gss-http
888acl Safe_ports port 591 # filemaker
889acl Safe_ports port 777 # multiling http
890acl CONNECT method CONNECT
891NOCOMMENT_END
892DOC_END
893
894NAME: follow_x_forwarded_for
895TYPE: acl_access
896IFDEF: FOLLOW_X_FORWARDED_FOR
897LOC: Config.accessList.followXFF
898DEFAULT_IF_NONE: deny all
899DOC_START
900 Allowing or Denying the X-Forwarded-For header to be followed to
901 find the original source of a request.
902
903 Requests may pass through a chain of several other proxies
904 before reaching us. The X-Forwarded-For header will contain a
905 comma-separated list of the IP addresses in the chain, with the
906 rightmost address being the most recent.
907
908 If a request reaches us from a source that is allowed by this
909 configuration item, then we consult the X-Forwarded-For header
910 to see where that host received the request from. If the
911 X-Forwarded-For header contains multiple addresses, we continue
912 backtracking until we reach an address for which we are not allowed
913 to follow the X-Forwarded-For header, or until we reach the first
914 address in the list. For the purpose of ACL used in the
915 follow_x_forwarded_for directive the src ACL type always matches
916 the address we are testing and srcdomain matches its rDNS.
917
918 The end result of this process is an IP address that we will
919 refer to as the indirect client address. This address may
920 be treated as the client address for access control, ICAP, delay
921 pools and logging, depending on the acl_uses_indirect_client,
922 icap_uses_indirect_client, delay_pool_uses_indirect_client,
923 log_uses_indirect_client and tproxy_uses_indirect_client options.
924
925 This clause only supports fast acl types.
926 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
927
928 SECURITY CONSIDERATIONS:
929
930 Any host for which we follow the X-Forwarded-For header
931 can place incorrect information in the header, and Squid
932 will use the incorrect information as if it were the
933 source address of the request. This may enable remote
934 hosts to bypass any access control restrictions that are
935 based on the client's source addresses.
936
937 For example:
938
939 acl localhost src 127.0.0.1
940 acl my_other_proxy srcdomain .proxy.example.com
941 follow_x_forwarded_for allow localhost
942 follow_x_forwarded_for allow my_other_proxy
943DOC_END
944
945NAME: acl_uses_indirect_client
946COMMENT: on|off
947TYPE: onoff
948IFDEF: FOLLOW_X_FORWARDED_FOR
949DEFAULT: on
950LOC: Config.onoff.acl_uses_indirect_client
951DOC_START
952 Controls whether the indirect client address
953 (see follow_x_forwarded_for) is used instead of the
954 direct client address in acl matching.
955
956 NOTE: maxconn ACL considers direct TCP links and indirect
957 clients will always have zero. So no match.
958DOC_END
959
960NAME: delay_pool_uses_indirect_client
961COMMENT: on|off
962TYPE: onoff
963IFDEF: FOLLOW_X_FORWARDED_FOR&&USE_DELAY_POOLS
964DEFAULT: on
965LOC: Config.onoff.delay_pool_uses_indirect_client
966DOC_START
967 Controls whether the indirect client address
968 (see follow_x_forwarded_for) is used instead of the
969 direct client address in delay pools.
970DOC_END
971
972NAME: log_uses_indirect_client
973COMMENT: on|off
974TYPE: onoff
975IFDEF: FOLLOW_X_FORWARDED_FOR
976DEFAULT: on
977LOC: Config.onoff.log_uses_indirect_client
978DOC_START
979 Controls whether the indirect client address
980 (see follow_x_forwarded_for) is used instead of the
981 direct client address in the access log.
982DOC_END
983
984NAME: tproxy_uses_indirect_client
985COMMENT: on|off
986TYPE: onoff
987IFDEF: FOLLOW_X_FORWARDED_FOR&&LINUX_NETFILTER
988DEFAULT: off
989LOC: Config.onoff.tproxy_uses_indirect_client
990DOC_START
991 Controls whether the indirect client address
992 (see follow_x_forwarded_for) is used instead of the
993 direct client address when spoofing the outgoing client.
994
995 This has no effect on requests arriving in non-tproxy
996 mode ports.
997
998 SECURITY WARNING: Usage of this option is dangerous
999 and should not be used trivially. Correct configuration
1000 of folow_x_forewarded_for with a limited set of trusted
1001 sources is required to prevent abuse of your proxy.
1002DOC_END
1003
1004NAME: http_access
1005TYPE: acl_access
1006LOC: Config.accessList.http
1007DEFAULT_IF_NONE: deny all
1008DOC_START
1009 Allowing or Denying access based on defined access lists
1010
1011 Access to the HTTP port:
1012 http_access allow|deny [!]aclname ...
1013
1014 NOTE on default values:
1015
1016 If there are no "access" lines present, the default is to deny
1017 the request.
1018
1019 If none of the "access" lines cause a match, the default is the
1020 opposite of the last line in the list. If the last line was
1021 deny, the default is allow. Conversely, if the last line
1022 is allow, the default will be deny. For these reasons, it is a
1023 good idea to have an "deny all" entry at the end of your access
1024 lists to avoid potential confusion.
1025
1026 This clause supports both fast and slow acl types.
1027 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1028
1029NOCOMMENT_START
1030
1031#
1032# Recommended minimum Access Permission configuration:
1033#
1034# Only allow cachemgr access from localhost
1035http_access allow localhost manager
1036http_access deny manager
1037
1038# Deny requests to certain unsafe ports
1039http_access deny !Safe_ports
1040
1041# Deny CONNECT to other than secure SSL ports
1042http_access deny CONNECT !SSL_ports
1043
1044# We strongly recommend the following be uncommented to protect innocent
1045# web applications running on the proxy server who think the only
1046# one who can access services on "localhost" is a local user
1047#http_access deny to_localhost
1048
1049#
1050# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
1051#
1052
1053# Example rule allowing access from your local networks.
1054# Adapt localnet in the ACL section to list your (internal) IP networks
1055# from where browsing should be allowed
1056http_access allow localnet
1057http_access allow localhost
1058
1059# And finally deny all other access to this proxy
1060http_access deny all
1061NOCOMMENT_END
1062DOC_END
1063
1064NAME: adapted_http_access http_access2
1065TYPE: acl_access
1066LOC: Config.accessList.adapted_http
1067DEFAULT: none
1068DOC_START
1069 Allowing or Denying access based on defined access lists
1070
1071 Essentially identical to http_access, but runs after redirectors
1072 and ICAP/eCAP adaptation. Allowing access control based on their
1073 output.
1074
1075 If not set then only http_access is used.
1076DOC_END
1077
1078NAME: http_reply_access
1079TYPE: acl_access
1080LOC: Config.accessList.reply
1081DEFAULT: none
1082DOC_START
1083 Allow replies to client requests. This is complementary to http_access.
1084
1085 http_reply_access allow|deny [!] aclname ...
1086
1087 NOTE: if there are no access lines present, the default is to allow
1088 all replies
1089
1090 If none of the access lines cause a match the opposite of the
1091 last line will apply. Thus it is good practice to end the rules
1092 with an "allow all" or "deny all" entry.
1093
1094 This clause supports both fast and slow acl types.
1095 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1096DOC_END
1097
1098NAME: icp_access
1099TYPE: acl_access
1100LOC: Config.accessList.icp
1101DEFAULT_IF_NONE: deny all
1102DOC_START
1103 Allowing or Denying access to the ICP port based on defined
1104 access lists
1105
1106 icp_access allow|deny [!]aclname ...
1107
1108 See http_access for details
1109
1110 This clause only supports fast acl types.
1111 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1112
1113# Allow ICP queries from local networks only
1114#icp_access allow localnet
1115#icp_access deny all
1116DOC_END
1117
1118NAME: htcp_access
1119IFDEF: USE_HTCP
1120TYPE: acl_access
1121LOC: Config.accessList.htcp
1122DEFAULT_IF_NONE: deny all
1123DOC_START
1124 Allowing or Denying access to the HTCP port based on defined
1125 access lists
1126
1127 htcp_access allow|deny [!]aclname ...
1128
1129 See http_access for details
1130
1131 NOTE: The default if no htcp_access lines are present is to
1132 deny all traffic. This default may cause problems with peers
1133 using the htcp option.
1134
1135 This clause only supports fast acl types.
1136 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1137
1138# Allow HTCP queries from local networks only
1139#htcp_access allow localnet
1140#htcp_access deny all
1141DOC_END
1142
1143NAME: htcp_clr_access
1144IFDEF: USE_HTCP
1145TYPE: acl_access
1146LOC: Config.accessList.htcp_clr
1147DEFAULT_IF_NONE: deny all
1148DOC_START
1149 Allowing or Denying access to purge content using HTCP based
1150 on defined access lists
1151
1152 htcp_clr_access allow|deny [!]aclname ...
1153
1154 See http_access for details
1155
1156 This clause only supports fast acl types.
1157 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1158
1159# Allow HTCP CLR requests from trusted peers
1160acl htcp_clr_peer src 172.16.1.2
1161htcp_clr_access allow htcp_clr_peer
1162DOC_END
1163
1164NAME: miss_access
1165TYPE: acl_access
1166LOC: Config.accessList.miss
1167DEFAULT: none
1168DOC_START
1169 Use to force your neighbors to use you as a sibling instead of
1170 a parent. For example:
1171
1172 acl localclients src 172.16.0.0/16
1173 miss_access allow localclients
1174 miss_access deny !localclients
1175
1176 This means only your local clients are allowed to fetch
1177 MISSES and all other clients can only fetch HITS.
1178
1179 By default, allow all clients who passed the http_access rules
1180 to fetch MISSES from us.
1181
1182 This clause only supports fast acl types.
1183 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1184DOC_END
1185
1186NAME: ident_lookup_access
1187TYPE: acl_access
1188IFDEF: USE_IDENT
1189DEFAULT_IF_NONE: deny all
1190LOC: Ident::TheConfig.identLookup
1191DOC_START
1192 A list of ACL elements which, if matched, cause an ident
1193 (RFC 931) lookup to be performed for this request. For
1194 example, you might choose to always perform ident lookups
1195 for your main multi-user Unix boxes, but not for your Macs
1196 and PCs. By default, ident lookups are not performed for
1197 any requests.
1198
1199 To enable ident lookups for specific client addresses, you
1200 can follow this example:
1201
1202 acl ident_aware_hosts src 198.168.1.0/24
1203 ident_lookup_access allow ident_aware_hosts
1204 ident_lookup_access deny all
1205
1206 Only src type ACL checks are fully supported. A srcdomain
1207 ACL might work at times, but it will not always provide
1208 the correct result.
1209
1210 This clause only supports fast acl types.
1211 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1212DOC_END
1213
1214NAME: reply_body_max_size
1215COMMENT: size [acl acl...]
1216TYPE: acl_b_size_t
1217DEFAULT: none
1218LOC: Config.ReplyBodySize
1219DOC_START
1220 This option specifies the maximum size of a reply body. It can be
1221 used to prevent users from downloading very large files, such as
1222 MP3's and movies. When the reply headers are received, the
1223 reply_body_max_size lines are processed, and the first line where
1224 all (if any) listed ACLs are true is used as the maximum body size
1225 for this reply.
1226
1227 This size is checked twice. First when we get the reply headers,
1228 we check the content-length value. If the content length value exists
1229 and is larger than the allowed size, the request is denied and the
1230 user receives an error message that says "the request or reply
1231 is too large." If there is no content-length, and the reply
1232 size exceeds this limit, the client's connection is just closed
1233 and they will receive a partial reply.
1234
1235 WARNING: downstream caches probably can not detect a partial reply
1236 if there is no content-length header, so they will cache
1237 partial responses and give them out as hits. You should NOT
1238 use this option if you have downstream caches.
1239
1240 WARNING: A maximum size smaller than the size of squid's error messages
1241 will cause an infinite loop and crash squid. Ensure that the smallest
1242 non-zero value you use is greater that the maximum header size plus
1243 the size of your largest error page.
1244
1245 If you set this parameter none (the default), there will be
1246 no limit imposed.
1247
1248 Configuration Format is:
1249 reply_body_max_size SIZE UNITS [acl ...]
1250 ie.
1251 reply_body_max_size 10 MB
1252
1253DOC_END
1254
1255COMMENT_START
1256 NETWORK OPTIONS
1257 -----------------------------------------------------------------------------
1258COMMENT_END
1259
1260NAME: http_port ascii_port
1261TYPE: http_port_list
1262DEFAULT: none
1263LOC: Config.Sockaddr.http
1264DOC_START
1265 Usage: port [mode] [options]
1266 hostname:port [mode] [options]
1267 1.2.3.4:port [mode] [options]
1268
1269 The socket addresses where Squid will listen for HTTP client
1270 requests. You may specify multiple socket addresses.
1271 There are three forms: port alone, hostname with port, and
1272 IP address with port. If you specify a hostname or IP
1273 address, Squid binds the socket to that specific
1274 address. Most likely, you do not need to bind to a specific
1275 address, so you can use the port number alone.
1276
1277 If you are running Squid in accelerator mode, you
1278 probably want to listen on port 80 also, or instead.
1279
1280 The -a command line option may be used to specify additional
1281 port(s) where Squid listens for proxy request. Such ports will
1282 be plain proxy ports with no options.
1283
1284 You may specify multiple socket addresses on multiple lines.
1285
1286 Modes:
1287
1288 intercept Support for IP-Layer interception of
1289 outgoing requests without browser settings.
1290 NP: disables authentication and IPv6 on the port.
1291
1292 tproxy Support Linux TPROXY for spoofing outgoing
1293 connections using the client IP address.
1294 NP: disables authentication and maybe IPv6 on the port.
1295
1296 accel Accelerator / reverse proxy mode
1297
1298 ssl-bump Intercept each CONNECT request matching ssl_bump ACL,
1299 establish secure connection with the client and with
1300 the server, decrypt HTTP messages as they pass through
1301 Squid, and treat them as unencrypted HTTP messages,
1302 becoming the man-in-the-middle.
1303
1304 The ssl_bump option is required to fully enable
1305 the SslBump feature.
1306
1307 Omitting the mode flag causes default forward proxy mode to be used.
1308
1309
1310 Accelerator Mode Options:
1311
1312 defaultsite=domainname
1313 What to use for the Host: header if it is not present
1314 in a request. Determines what site (not origin server)
1315 accelerators should consider the default.
1316
1317 no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
1318
1319 protocol= Protocol to reconstruct accelerated requests with.
1320 Defaults to http for http_port and https for
1321 https_port
1322
1323 vport Virtual host port support. Using the http_port number
1324 instead of the port passed on Host: headers.
1325
1326 vport=NN Virtual host port support. Using the specified port
1327 number instead of the port passed on Host: headers.
1328
1329 act-as-origin
1330 Act as if this Squid is the origin server.
1331 This currently means generate new Date: and Expires:
1332 headers on HIT instead of adding Age:.
1333
1334 ignore-cc Ignore request Cache-Control headers.
1335
1336 WARNING: This option violates HTTP specifications if
1337 used in non-accelerator setups.
1338
1339 allow-direct Allow direct forwarding in accelerator mode. Normally
1340 accelerated requests are denied direct forwarding as if
1341 never_direct was used.
1342
1343 WARNING: this option opens accelerator mode to security
1344 vulnerabilities usually only affecting in interception
1345 mode. Make sure to protect forwarding with suitable
1346 http_access rules when using this.
1347
1348
1349 SSL Bump Mode Options:
1350
1351 cert= Path to SSL certificate (PEM format).
1352
1353 key= Path to SSL private key file (PEM format)
1354 if not specified, the certificate file is
1355 assumed to be a combined certificate and
1356 key file.
1357
1358 version= The version of SSL/TLS supported
1359 1 automatic (default)
1360 2 SSLv2 only
1361 3 SSLv3 only
1362 4 TLSv1 only
1363
1364 cipher= Colon separated list of supported ciphers.
1365
1366 options= Various SSL engine options. The most important
1367 being:
1368 NO_SSLv2 Disallow the use of SSLv2
1369 NO_SSLv3 Disallow the use of SSLv3
1370 NO_TLSv1 Disallow the use of TLSv1
1371 SINGLE_DH_USE Always create a new key when using
1372 temporary/ephemeral DH key exchanges
1373 See src/ssl_support.c or OpenSSL SSL_CTX_set_options
1374 documentation for a complete list of options.
1375
1376 clientca= File containing the list of CAs to use when
1377 requesting a client certificate.
1378
1379 cafile= File containing additional CA certificates to
1380 use when verifying client certificates. If unset
1381 clientca will be used.
1382
1383 capath= Directory containing additional CA certificates
1384 and CRL lists to use when verifying client certificates.
1385
1386 crlfile= File of additional CRL lists to use when verifying
1387 the client certificate, in addition to CRLs stored in
1388 the capath. Implies VERIFY_CRL flag below.
1389
1390 dhparams= File containing DH parameters for temporary/ephemeral
1391 DH key exchanges.
1392
1393 sslflags= Various flags modifying the use of SSL:
1394 DELAYED_AUTH
1395 Don't request client certificates
1396 immediately, but wait until acl processing
1397 requires a certificate (not yet implemented).
1398 NO_DEFAULT_CA
1399 Don't use the default CA lists built in
1400 to OpenSSL.
1401 NO_SESSION_REUSE
1402 Don't allow for session reuse. Each connection
1403 will result in a new SSL session.
1404 VERIFY_CRL
1405 Verify CRL lists when accepting client
1406 certificates.
1407 VERIFY_CRL_ALL
1408 Verify CRL lists for all certificates in the
1409 client certificate chain.
1410
1411 sslcontext= SSL session ID context identifier.
1412
1413 generate-host-certificates[=<on|off>]
1414 Dynamically create SSL server certificates for the
1415 destination hosts of bumped CONNECT requests.When
1416 enabled, the cert and key options are used to sign
1417 generated certificates. Otherwise generated
1418 certificate will be selfsigned.
1419 If there is CA certificate life time of generated
1420 certificate equals lifetime of CA certificate. If
1421 generated certificate is selfsigned lifetime is three
1422 years.
1423 This option is enabled by default when SslBump is used.
1424 See the sslBump option above for more information.
1425
1426 dynamic_cert_mem_cache_size=SIZE
1427 Approximate total RAM size spent on cached generated
1428 certificates. If set to zero, caching is disabled. The
1429 default value is 4MB. An average XXX-bit certificate
1430 consumes about XXX bytes of RAM.
1431
1432 Other Options:
1433
1434 connection-auth[=on|off]
1435 use connection-auth=off to tell Squid to prevent
1436 forwarding Microsoft connection oriented authentication
1437 (NTLM, Negotiate and Kerberos)
1438
1439 disable-pmtu-discovery=
1440 Control Path-MTU discovery usage:
1441 off lets OS decide on what to do (default).
1442 transparent disable PMTU discovery when transparent
1443 support is enabled.
1444 always disable always PMTU discovery.
1445
1446 In many setups of transparently intercepting proxies
1447 Path-MTU discovery can not work on traffic towards the
1448 clients. This is the case when the intercepting device
1449 does not fully track connections and fails to forward
1450 ICMP must fragment messages to the cache server. If you
1451 have such setup and experience that certain clients
1452 sporadically hang or never complete requests set
1453 disable-pmtu-discovery option to 'transparent'.
1454
1455 name= Specifies a internal name for the port. Defaults to
1456 the port specification (port or addr:port)
1457
1458 tcpkeepalive[=idle,interval,timeout]
1459 Enable TCP keepalive probes of idle connections.
1460 In seconds; idle is the initial time before TCP starts
1461 probing the connection, interval how often to probe, and
1462 timeout the time before giving up.
1463
1464 If you run Squid on a dual-homed machine with an internal
1465 and an external interface we recommend you to specify the
1466 internal address:port in http_port. This way Squid will only be
1467 visible on the internal address.
1468
1469NOCOMMENT_START
1470
1471# Squid normally listens to port 3128
1472http_port @DEFAULT_HTTP_PORT@
1473NOCOMMENT_END
1474DOC_END
1475
1476NAME: https_port
1477IFDEF: USE_SSL
1478TYPE: https_port_list
1479DEFAULT: none
1480LOC: Config.Sockaddr.https
1481DOC_START
1482 Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
1483
1484 The socket address where Squid will listen for HTTPS client
1485 requests.
1486
1487 This is really only useful for situations where you are running
1488 squid in accelerator mode and you want to do the SSL work at the
1489 accelerator level.
1490
1491 You may specify multiple socket addresses on multiple lines,
1492 each with their own SSL certificate and/or options.
1493
1494 Modes:
1495
1496 accel Accelerator / reverse proxy mode
1497
1498 Omitting the mode flag causes default forward proxy mode to be used.
1499
1500
1501 See http_port for a list of generic options
1502
1503
1504 SSL Options:
1505
1506 cert= Path to SSL certificate (PEM format).
1507
1508 key= Path to SSL private key file (PEM format)
1509 if not specified, the certificate file is
1510 assumed to be a combined certificate and
1511 key file.
1512
1513 version= The version of SSL/TLS supported
1514 1 automatic (default)
1515 2 SSLv2 only
1516 3 SSLv3 only
1517 4 TLSv1 only
1518
1519 cipher= Colon separated list of supported ciphers.
1520
1521 options= Various SSL engine options. The most important
1522 being:
1523 NO_SSLv2 Disallow the use of SSLv2
1524 NO_SSLv3 Disallow the use of SSLv3
1525 NO_TLSv1 Disallow the use of TLSv1
1526 SINGLE_DH_USE Always create a new key when using
1527 temporary/ephemeral DH key exchanges
1528 See src/ssl_support.c or OpenSSL SSL_CTX_set_options
1529 documentation for a complete list of options.
1530
1531 clientca= File containing the list of CAs to use when
1532 requesting a client certificate.
1533
1534 cafile= File containing additional CA certificates to
1535 use when verifying client certificates. If unset
1536 clientca will be used.
1537
1538 capath= Directory containing additional CA certificates
1539 and CRL lists to use when verifying client certificates.
1540
1541 crlfile= File of additional CRL lists to use when verifying
1542 the client certificate, in addition to CRLs stored in
1543 the capath. Implies VERIFY_CRL flag below.
1544
1545 dhparams= File containing DH parameters for temporary/ephemeral
1546 DH key exchanges.
1547
1548 sslflags= Various flags modifying the use of SSL:
1549 DELAYED_AUTH
1550 Don't request client certificates
1551 immediately, but wait until acl processing
1552 requires a certificate (not yet implemented).
1553 NO_DEFAULT_CA
1554 Don't use the default CA lists built in
1555 to OpenSSL.
1556 NO_SESSION_REUSE
1557 Don't allow for session reuse. Each connection
1558 will result in a new SSL session.
1559 VERIFY_CRL
1560 Verify CRL lists when accepting client
1561 certificates.
1562 VERIFY_CRL_ALL
1563 Verify CRL lists for all certificates in the
1564 client certificate chain.
1565
1566 sslcontext= SSL session ID context identifier.
1567
1568DOC_END
1569
1570NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
1571TYPE: acl_tos
1572DEFAULT: none
1573LOC: Ip::Qos::TheConfig.tosToServer
1574DOC_START
1575 Allows you to select a TOS/Diffserv value for packets outgoing
1576 on the server side, based on an ACL.
1577
1578 tcp_outgoing_tos ds-field [!]aclname ...
1579
1580 Example where normal_service_net uses the TOS value 0x00
1581 and good_service_net uses 0x20
1582
1583 acl normal_service_net src 10.0.0.0/24
1584 acl good_service_net src 10.0.1.0/24
1585 tcp_outgoing_tos 0x00 normal_service_net
1586 tcp_outgoing_tos 0x20 good_service_net
1587
1588 TOS/DSCP values really only have local significance - so you should
1589 know what you're specifying. For more information, see RFC2474,
1590 RFC2475, and RFC3260.
1591
1592 The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
1593 "default" to use whatever default your host has. Note that in
1594 practice often only multiples of 4 is usable as the two rightmost bits
1595 have been redefined for use by ECN (RFC 3168 section 23.1).
1596
1597 Processing proceeds in the order specified, and stops at first fully
1598 matching line.
1599DOC_END
1600
1601NAME: clientside_tos
1602TYPE: acl_tos
1603DEFAULT: none
1604LOC: Ip::Qos::TheConfig.tosToClient
1605DOC_START
1606 Allows you to select a TOS/Diffserv value for packets being transmitted
1607 on the client-side, based on an ACL.
1608
1609 clientside_tos ds-field [!]aclname ...
1610
1611 Example where normal_service_net uses the TOS value 0x00
1612 and good_service_net uses 0x20
1613
1614 acl normal_service_net src 10.0.0.0/24
1615 acl good_service_net src 10.0.1.0/24
1616 clientside_tos 0x00 normal_service_net
1617 clientside_tos 0x20 good_service_net
1618
1619 Note: This feature is incompatible with qos_flows. Any TOS values set here
1620 will be overwritten by TOS values in qos_flows.
1621DOC_END
1622
1623NAME: tcp_outgoing_mark
1624TYPE: acl_nfmark
1625IFDEF: SO_MARK&&USE_LIBCAP
1626DEFAULT: none
1627LOC: Ip::Qos::TheConfig.nfmarkToServer
1628DOC_START
1629 Allows you to apply a Netfilter mark value to outgoing packets
1630 on the server side, based on an ACL.
1631
1632 tcp_outgoing_mark mark-value [!]aclname ...
1633
1634 Example where normal_service_net uses the mark value 0x00
1635 and good_service_net uses 0x20
1636
1637 acl normal_service_net src 10.0.0.0/24
1638 acl good_service_net src 10.0.1.0/24
1639 tcp_outgoing_mark 0x00 normal_service_net
1640 tcp_outgoing_mark 0x20 good_service_net
1641DOC_END
1642
1643NAME: clientside_mark
1644TYPE: acl_nfmark
1645IFDEF: SO_MARK&&USE_LIBCAP
1646DEFAULT: none
1647LOC: Ip::Qos::TheConfig.nfmarkToClient
1648DOC_START
1649 Allows you to apply a Netfilter mark value to packets being transmitted
1650 on the client-side, based on an ACL.
1651
1652 clientside_mark mark-value [!]aclname ...
1653
1654 Example where normal_service_net uses the mark value 0x00
1655 and good_service_net uses 0x20
1656
1657 acl normal_service_net src 10.0.0.0/24
1658 acl good_service_net src 10.0.1.0/24
1659 clientside_mark 0x00 normal_service_net
1660 clientside_mark 0x20 good_service_net
1661
1662 Note: This feature is incompatible with qos_flows. Any mark values set here
1663 will be overwritten by mark values in qos_flows.
1664DOC_END
1665
1666NAME: qos_flows
1667TYPE: QosConfig
1668IFDEF: USE_QOS_TOS
1669DEFAULT: none
1670LOC: Ip::Qos::TheConfig
1671DOC_START
1672 Allows you to select a TOS/DSCP value to mark outgoing
1673 connections with, based on where the reply was sourced. For
1674 platforms using netfilter, allows you to set a netfilter mark
1675 value instead of, or in addition to, a TOS value.
1676
1677 TOS values really only have local significance - so you should
1678 know what you're specifying. For more information, see RFC2474,
1679 RFC2475, and RFC3260.
1680
1681 The TOS/DSCP byte must be exactly that - a octet value 0 - 255. Note that
1682 in practice often only multiples of 4 is usable as the two rightmost bits
1683 have been redefined for use by ECN (RFC 3168 section 23.1).
1684
1685 Mark values can be any unsigned 32-bit integer value.
1686
1687 This setting is configured by setting the following values:
1688
1689 tos|mark Whether to set TOS or netfilter mark values
1690
1691 local-hit=0xFF Value to mark local cache hits.
1692
1693 sibling-hit=0xFF Value to mark hits from sibling peers.
1694
1695 parent-hit=0xFF Value to mark hits from parent peers.
1696
1697 miss=0xFF Value to mark cache misses. Takes precedence
1698 over the preserve-miss feature (see below).
1699
1700 The TOS variant of the following features are only possible on Linux
1701 and require your kernel to be patched with the TOS preserving ZPH
1702 patch, available from http://zph.bratcheda.org
1703 No patch is needed to preserve the netfilter mark, which will work
1704 with all variants of netfilter.
1705
1706 disable-preserve-miss
1707 This option disables the preservation of the TOS or netfilter
1708 mark. By default, the existing TOS or netfilter mark value of
1709 the response coming from the remote server will be retained
1710 and masked with miss-mark.
1711 NOTE: in the case of a netfilter mark, the mark must be set on
1712 the connection (using the CONNMARK target) not on the packet
1713 (MARK target).
1714
1715 miss-mask=0xFF
1716 Allows you to mask certain bits in the TOS or mark value
1717 received from the remote server, before copying the value to
1718 the TOS sent towards clients.
1719 Default for tos: 0xFF (TOS from server is not changed).
1720 Default for mark: 0xFFFFFFFF (mark from server is not changed).
1721
1722 All of these features require the --enable-zph-qos compilation flag
1723 (enabled by default). Netfilter marking also requires the
1724 libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
1725 libcap 2.09+ (--with-libcap).
1726
1727DOC_END
1728
1729NAME: tcp_outgoing_address
1730TYPE: acl_address
1731DEFAULT: none
1732LOC: Config.accessList.outgoing_address
1733DOC_START
1734 Allows you to map requests to different outgoing IP addresses
1735 based on the username or source address of the user making
1736 the request.
1737
1738 tcp_outgoing_address ipaddr [[!]aclname] ...
1739
1740 For example;
1741 Forwarding clients with dedicated IPs for certain subnets.
1742
1743 acl normal_service_net src 10.0.0.0/24
1744 acl good_service_net src 10.0.2.0/24
1745
1746 tcp_outgoing_address 2001:db8::c001 good_service_net
1747 tcp_outgoing_address 10.1.0.2 good_service_net
1748
1749 tcp_outgoing_address 2001:db8::beef normal_service_net
1750 tcp_outgoing_address 10.1.0.1 normal_service_net
1751
1752 tcp_outgoing_address 2001:db8::1
1753 tcp_outgoing_address 10.1.0.3
1754
1755 Processing proceeds in the order specified, and stops at first fully
1756 matching line.
1757
1758 Squid will add an implicit IP version test to each line.
1759 Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
1760 Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
1761
1762
1763 NOTE: The use of this directive using client dependent ACLs is
1764 incompatible with the use of server side persistent connections. To
1765 ensure correct results it is best to set server_persistent_connections
1766 to off when using this directive in such configurations.
1767
1768 NOTE: The use of this directive to set a local IP on outgoing TCP links
1769 is incompatible with using TPROXY to set client IP out outbound TCP links.
1770 When needing to contact peers use the no-tproxy cache_peer option and the
1771 client_dst_passthru directive re-enable normal forwarding such as this.
1772
1773DOC_END
1774
1775NAME: client_dst_passthru
1776TYPE: onoff
1777DEFAULT: on
1778LOC: Config.onoff.client_dst_passthru
1779DOC_START
1780 With NAT or TPROXY intercepted traffic Squid may pass the request
1781 directly to the original client destination IP or seek a faster
1782 source.
1783
1784 This option (on by default) prevents cache_peer and alternative DNS
1785 entries being used on intercepted traffic. Both of which lead to
1786 the security vulnerability outlined below.
1787
1788 SECURITY WARNING:
1789
1790 This directive should only be disabled if cache_peer are required.
1791
1792 As described in CVE-2009-0801 when the Host: header alone is used
1793 to determine the destination of a request it becomes trivial for
1794 malicious scripts on remote websites to bypass browser same-origin
1795 security policy and sandboxing protections.
1796
1797 The cause of this is that such applets are allowed to perform their
1798 own HTTP stack, in which case the same-origin policy of the browser
1799 sandbox only verifies that the applet tries to contact the same IP
1800 as from where it was loaded at the IP level. The Host: header may
1801 be different from the connected IP and approved origin.
1802
1803DOC_END
1804
1805COMMENT_START
1806 SSL OPTIONS
1807 -----------------------------------------------------------------------------
1808COMMENT_END
1809
1810NAME: ssl_unclean_shutdown
1811IFDEF: USE_SSL
1812TYPE: onoff
1813DEFAULT: off
1814LOC: Config.SSL.unclean_shutdown
1815DOC_START
1816 Some browsers (especially MSIE) bugs out on SSL shutdown
1817 messages.
1818DOC_END
1819
1820NAME: ssl_engine
1821IFDEF: USE_SSL
1822TYPE: string
1823LOC: Config.SSL.ssl_engine
1824DEFAULT: none
1825DOC_START
1826 The OpenSSL engine to use. You will need to set this if you
1827 would like to use hardware SSL acceleration for example.
1828DOC_END
1829
1830NAME: sslproxy_client_certificate
1831IFDEF: USE_SSL
1832DEFAULT: none
1833LOC: Config.ssl_client.cert
1834TYPE: string
1835DOC_START
1836 Client SSL Certificate to use when proxying https:// URLs
1837DOC_END
1838
1839NAME: sslproxy_client_key
1840IFDEF: USE_SSL
1841DEFAULT: none
1842LOC: Config.ssl_client.key
1843TYPE: string
1844DOC_START
1845 Client SSL Key to use when proxying https:// URLs
1846DOC_END
1847
1848NAME: sslproxy_version
1849IFDEF: USE_SSL
1850DEFAULT: 1
1851LOC: Config.ssl_client.version
1852TYPE: int
1853DOC_START
1854 SSL version level to use when proxying https:// URLs
1855DOC_END
1856
1857NAME: sslproxy_options
1858IFDEF: USE_SSL
1859DEFAULT: none
1860LOC: Config.ssl_client.options
1861TYPE: string
1862DOC_START
1863 SSL engine options to use when proxying https:// URLs
1864
1865 The most important being:
1866
1867 NO_SSLv2 Disallow the use of SSLv2
1868 NO_SSLv3 Disallow the use of SSLv3
1869 NO_TLSv1 Disallow the use of TLSv1
1870 SINGLE_DH_USE
1871 Always create a new key when using
1872 temporary/ephemeral DH key exchanges
1873
1874 These options vary depending on your SSL engine.
1875 See the OpenSSL SSL_CTX_set_options documentation for a
1876 complete list of possible options.
1877DOC_END
1878
1879NAME: sslproxy_cipher
1880IFDEF: USE_SSL
1881DEFAULT: none
1882LOC: Config.ssl_client.cipher
1883TYPE: string
1884DOC_START
1885 SSL cipher list to use when proxying https:// URLs
1886
1887 Colon separated list of supported ciphers.
1888DOC_END
1889
1890NAME: sslproxy_cafile
1891IFDEF: USE_SSL
1892DEFAULT: none
1893LOC: Config.ssl_client.cafile
1894TYPE: string
1895DOC_START
1896 file containing CA certificates to use when verifying server
1897 certificates while proxying https:// URLs
1898DOC_END
1899
1900NAME: sslproxy_capath
1901IFDEF: USE_SSL
1902DEFAULT: none
1903LOC: Config.ssl_client.capath
1904TYPE: string
1905DOC_START
1906 directory containing CA certificates to use when verifying
1907 server certificates while proxying https:// URLs
1908DOC_END
1909
1910NAME: ssl_bump
1911IFDEF: USE_SSL
1912TYPE: acl_access
1913LOC: Config.accessList.ssl_bump
1914DEFAULT: none
1915DOC_START
1916 This ACL controls which CONNECT requests to an http_port
1917 marked with an sslBump flag are actually "bumped". Please
1918 see the sslBump flag of an http_port option for more details
1919 about decoding proxied SSL connections.
1920
1921 By default, no requests are bumped.
1922
1923 See also: http_port ssl-bump
1924
1925 This clause supports both fast and slow acl types.
1926 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1927
1928
1929 # Example: Bump all requests except those originating from localhost and
1930 # those going to webax.com or example.com sites.
1931
1932 acl localhost src 127.0.0.1/32
1933 acl broken_sites dstdomain .webax.com
1934 acl broken_sites dstdomain .example.com
1935 ssl_bump deny localhost
1936 ssl_bump deny broken_sites
1937 ssl_bump allow all
1938DOC_END
1939
1940NAME: sslproxy_flags
1941IFDEF: USE_SSL
1942DEFAULT: none
1943LOC: Config.ssl_client.flags
1944TYPE: string
1945DOC_START
1946 Various flags modifying the use of SSL while proxying https:// URLs:
1947 DONT_VERIFY_PEER Accept certificates that fail verification.
1948 For refined control, see sslproxy_cert_error.
1949 NO_DEFAULT_CA Don't use the default CA list built in
1950 to OpenSSL.
1951DOC_END
1952
1953NAME: sslproxy_cert_error
1954IFDEF: USE_SSL
1955DEFAULT: none
1956LOC: Config.ssl_client.cert_error
1957TYPE: acl_access
1958DOC_START
1959 Use this ACL to bypass server certificate validation errors.
1960
1961 For example, the following lines will bypass all validation errors
1962 when talking to servers located at 172.16.0.0/16. All other
1963 validation errors will result in ERR_SECURE_CONNECT_FAIL error.
1964
1965 acl BrokenServersAtTrustedIP dst 172.16.0.0/16
1966 sslproxy_cert_error allow BrokenServersAtTrustedIP
1967 sslproxy_cert_error deny all
1968
1969 This clause only supports fast acl types.
1970 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1971 Using slow acl types may result in server crashes
1972
1973 Without this option, all server certificate validation errors
1974 terminate the transaction. Bypassing validation errors is dangerous
1975 because an error usually implies that the server cannot be trusted and
1976 the connection may be insecure.
1977
1978 See also: sslproxy_flags and DONT_VERIFY_PEER.
1979
1980 Default setting: sslproxy_cert_error deny all
1981DOC_END
1982
1983NAME: sslpassword_program
1984IFDEF: USE_SSL
1985DEFAULT: none
1986LOC: Config.Program.ssl_password
1987TYPE: string
1988DOC_START
1989 Specify a program used for entering SSL key passphrases
1990 when using encrypted SSL certificate keys. If not specified
1991 keys must either be unencrypted, or Squid started with the -N
1992 option to allow it to query interactively for the passphrase.
1993
1994 The key file name is given as argument to the program allowing
1995 selection of the right password if you have multiple encrypted
1996 keys.
1997DOC_END
1998
1999COMMENT_START
2000 OPTIONS RELATING TO EXTERNAL SSL_CRTD
2001 -----------------------------------------------------------------------------
2002COMMENT_END
2003
2004NAME: sslcrtd_program
2005TYPE: eol
2006IFDEF: USE_SSL_CRTD
2007DEFAULT: @DEFAULT_SSL_CRTD@ -s @DEFAULT_SSL_DB_DIR@ -M 4MB
2008LOC: Ssl::TheConfig.ssl_crtd
2009DOC_START
2010 Specify the location and options of the executable for ssl_crtd process.
2011 @DEFAULT_SSL_CRTD@ program requires -s and -M parameters
2012 For more information use:
2013 @DEFAULT_SSL_CRTD@ -h
2014DOC_END
2015
2016NAME: sslcrtd_children
2017TYPE: HelperChildConfig
2018IFDEF: USE_SSL_CRTD
2019DEFAULT: 32 startup=5 idle=1
2020LOC: Ssl::TheConfig.ssl_crtdChildren
2021DOC_START
2022 The maximum number of processes spawn to service ssl server.
2023 The maximum this may be safely set to is 32.
2024
2025 The startup= and idle= options allow some measure of skew in your
2026 tuning.
2027
2028 startup=N
2029
2030 Sets the minimum number of processes to spawn when Squid
2031 starts or reconfigures. When set to zero the first request will
2032 cause spawning of the first child process to handle it.
2033
2034 Starting too few children temporary slows Squid under load while it
2035 tries to spawn enough additional processes to cope with traffic.
2036
2037 idle=N
2038
2039 Sets a minimum of how many processes Squid is to try and keep available
2040 at all times. When traffic begins to rise above what the existing
2041 processes can handle this many more will be spawned up to the maximum
2042 configured. A minimum setting of 1 is required.
2043
2044 You must have at least one ssl_crtd process.
2045DOC_END
2046
2047COMMENT_START
2048 OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
2049 -----------------------------------------------------------------------------
2050COMMENT_END
2051
2052NAME: cache_peer
2053TYPE: peer
2054DEFAULT: none
2055LOC: Config.peers
2056DOC_START
2057 To specify other caches in a hierarchy, use the format:
2058
2059 cache_peer hostname type http-port icp-port [options]
2060
2061 For example,
2062
2063 # proxy icp
2064 # hostname type port port options
2065 # -------------------- -------- ----- ----- -----------
2066 cache_peer parent.foo.net parent 3128 3130 default
2067 cache_peer sib1.foo.net sibling 3128 3130 proxy-only
2068 cache_peer sib2.foo.net sibling 3128 3130 proxy-only
2069 cache_peer example.com parent 80 0 no-query default
2070 cache_peer cdn.example.com sibling 3128 0
2071
2072 type: either 'parent', 'sibling', or 'multicast'.
2073
2074 proxy-port: The port number where the peer accept HTTP requests.
2075 For other Squid proxies this is usually 3128
2076 For web servers this is usually 80
2077
2078 icp-port: Used for querying neighbor caches about objects.
2079 Set to 0 if the peer does not support ICP or HTCP.
2080 See ICP and HTCP options below for additional details.
2081
2082
2083 ==== ICP OPTIONS ====
2084
2085 You MUST also set icp_port and icp_access explicitly when using these options.
2086 The defaults will prevent peer traffic using ICP.
2087
2088
2089 no-query Disable ICP queries to this neighbor.
2090
2091 multicast-responder
2092 Indicates the named peer is a member of a multicast group.
2093 ICP queries will not be sent directly to the peer, but ICP
2094 replies will be accepted from it.
2095
2096 closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
2097 CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
2098
2099 background-ping
2100 To only send ICP queries to this neighbor infrequently.
2101 This is used to keep the neighbor round trip time updated
2102 and is usually used in conjunction with weighted-round-robin.
2103
2104
2105 ==== HTCP OPTIONS ====
2106
2107 You MUST also set htcp_port and htcp_access explicitly when using these options.
2108 The defaults will prevent peer traffic using HTCP.
2109
2110
2111 htcp Send HTCP, instead of ICP, queries to the neighbor.
2112 You probably also want to set the "icp-port" to 4827
2113 instead of 3130. This directive accepts a comma separated
2114 list of options described below.
2115
2116 htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier).
2117
2118 htcp=no-clr Send HTCP to the neighbor but without
2119 sending any CLR requests. This cannot be used with
2120 only-clr.
2121
2122 htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests.
2123 This cannot be used with no-clr.
2124
2125 htcp=no-purge-clr
2126 Send HTCP to the neighbor including CLRs but only when
2127 they do not result from PURGE requests.
2128
2129 htcp=forward-clr
2130 Forward any HTCP CLR requests this proxy receives to the peer.
2131
2132
2133 ==== PEER SELECTION METHODS ====
2134
2135 The default peer selection method is ICP, with the first responding peer
2136 being used as source. These options can be used for better load balancing.
2137
2138
2139 default This is a parent cache which can be used as a "last-resort"
2140 if a peer cannot be located by any of the peer-selection methods.
2141 If specified more than once, only the first is used.
2142
2143 round-robin Load-Balance parents which should be used in a round-robin
2144 fashion in the absence of any ICP queries.
2145 weight=N can be used to add bias.
2146
2147 weighted-round-robin
2148 Load-Balance parents which should be used in a round-robin
2149 fashion with the frequency of each parent being based on the
2150 round trip time. Closer parents are used more often.
2151 Usually used for background-ping parents.
2152 weight=N can be used to add bias.
2153
2154 carp Load-Balance parents which should be used as a CARP array.
2155 The requests will be distributed among the parents based on the
2156 CARP load balancing hash function based on their weight.
2157
2158 userhash Load-balance parents based on the client proxy_auth or ident username.
2159
2160 sourcehash Load-balance parents based on the client source IP.
2161
2162 multicast-siblings
2163 To be used only for cache peers of type "multicast".
2164 ALL members of this multicast group have "sibling"
2165 relationship with it, not "parent". This is to a mulicast
2166 group when the requested object would be fetched only from
2167 a "parent" cache, anyway. It's useful, e.g., when
2168 configuring a pool of redundant Squid proxies, being
2169 members of the same multicast group.
2170
2171
2172 ==== PEER SELECTION OPTIONS ====
2173
2174 weight=N use to affect the selection of a peer during any weighted
2175 peer-selection mechanisms.
2176 The weight must be an integer; default is 1,
2177 larger weights are favored more.
2178 This option does not affect parent selection if a peering
2179 protocol is not in use.
2180
2181 basetime=N Specify a base amount to be subtracted from round trip
2182 times of parents.
2183 It is subtracted before division by weight in calculating
2184 which parent to fectch from. If the rtt is less than the
2185 base time the rtt is set to a minimal value.
2186
2187 ttl=N Specify a TTL to use when sending multicast ICP queries
2188 to this address.
2189 Only useful when sending to a multicast group.
2190 Because we don't accept ICP replies from random
2191 hosts, you must configure other group members as
2192 peers with the 'multicast-responder' option.
2193
2194 no-delay To prevent access to this neighbor from influencing the
2195 delay pools.
2196
2197 digest-url=URL Tell Squid to fetch the cache digest (if digests are
2198 enabled) for this host from the specified URL rather
2199 than the Squid default location.
2200
2201
2202 ==== CARP OPTIONS ====
2203
2204 carp-key=key-specification
2205 use a different key than the full URL to hash against the peer.
2206 the key-specification is a comma-separated list of the keywords
2207 scheme, host, port, path, params
2208 Order is not important.
2209
2210 ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
2211
2212 originserver Causes this parent to be contacted as an origin server.
2213 Meant to be used in accelerator setups when the peer
2214 is a web server.
2215
2216 forceddomain=name
2217 Set the Host header of requests forwarded to this peer.
2218 Useful in accelerator setups where the server (peer)
2219 expects a certain domain name but clients may request
2220 others. ie example.com or www.example.com
2221
2222 no-digest Disable request of cache digests.
2223
2224 no-netdb-exchange
2225 Disables requesting ICMP RTT database (NetDB).
2226
2227
2228 ==== AUTHENTICATION OPTIONS ====
2229
2230 login=user:password
2231 If this is a personal/workgroup proxy and your parent
2232 requires proxy authentication.
2233
2234 Note: The string can include URL escapes (i.e. %20 for
2235 spaces). This also means % must be written as %%.
2236
2237 login=PASSTHRU
2238 Send login details received from client to this peer.
2239 Both Proxy- and WWW-Authorization headers are passed
2240 without alteration to the peer.
2241 Authentication is not required by Squid for this to work.
2242
2243 Note: This will pass any form of authentication but
2244 only Basic auth will work through a proxy unless the
2245 connection-auth options are also used.
2246
2247 login=PASS Send login details received from client to this peer.
2248 Authentication is not required by this option.
2249
2250 If there are no client-provided authentication headers
2251 to pass on, but username and password are available
2252 from an external ACL user= and password= result tags
2253 they may be sent instead.
2254
2255 Note: To combine this with proxy_auth both proxies must
2256 share the same user database as HTTP only allows for
2257 a single login (one for proxy, one for origin server).
2258 Also be warned this will expose your users proxy
2259 password to the peer. USE WITH CAUTION
2260
2261 login=*:password
2262 Send the username to the upstream cache, but with a
2263 fixed password. This is meant to be used when the peer
2264 is in another administrative domain, but it is still
2265 needed to identify each user.
2266 The star can optionally be followed by some extra
2267 information which is added to the username. This can
2268 be used to identify this proxy to the peer, similar to
2269 the login=username:password option above.
2270
2271 login=NEGOTIATE
2272 If this is a personal/workgroup proxy and your parent
2273 requires a secure proxy authentication.
2274 The first principal from the default keytab or defined by
2275 the environment variable KRB5_KTNAME will be used.
2276
2277 WARNING: The connection may transmit requests from multiple
2278 clients. Negotiate often assumes end-to-end authentication
2279 and a single-client. Which is not strictly true here.
2280
2281 login=NEGOTIATE:principal_name
2282 If this is a personal/workgroup proxy and your parent
2283 requires a secure proxy authentication.
2284 The principal principal_name from the default keytab or
2285 defined by the environment variable KRB5_KTNAME will be
2286 used.
2287
2288 WARNING: The connection may transmit requests from multiple
2289 clients. Negotiate often assumes end-to-end authentication
2290 and a single-client. Which is not strictly true here.
2291
2292 connection-auth=on|off
2293 Tell Squid that this peer does or not support Microsoft
2294 connection oriented authentication, and any such
2295 challenges received from there should be ignored.
2296 Default is auto to automatically determine the status
2297 of the peer.
2298
2299
2300 ==== SSL / HTTPS / TLS OPTIONS ====
2301
2302 ssl Encrypt connections to this peer with SSL/TLS.
2303
2304 sslcert=/path/to/ssl/certificate
2305 A client SSL certificate to use when connecting to
2306 this peer.
2307
2308 sslkey=/path/to/ssl/key
2309 The private SSL key corresponding to sslcert above.
2310 If 'sslkey' is not specified 'sslcert' is assumed to
2311 reference a combined file containing both the
2312 certificate and the key.
2313
2314 sslversion=1|2|3|4
2315 The SSL version to use when connecting to this peer
2316 1 = automatic (default)
2317 2 = SSL v2 only
2318 3 = SSL v3 only
2319 4 = TLS v1 only
2320
2321 sslcipher=... The list of valid SSL ciphers to use when connecting
2322 to this peer.
2323
2324 ssloptions=... Specify various SSL engine options:
2325 NO_SSLv2 Disallow the use of SSLv2
2326 NO_SSLv3 Disallow the use of SSLv3
2327 NO_TLSv1 Disallow the use of TLSv1
2328 See src/ssl_support.c or the OpenSSL documentation for
2329 a more complete list.
2330
2331 sslcafile=... A file containing additional CA certificates to use
2332 when verifying the peer certificate.
2333
2334 sslcapath=... A directory containing additional CA certificates to
2335 use when verifying the peer certificate.
2336
2337 sslcrlfile=... A certificate revocation list file to use when
2338 verifying the peer certificate.
2339
2340 sslflags=... Specify various flags modifying the SSL implementation:
2341
2342 DONT_VERIFY_PEER
2343 Accept certificates even if they fail to
2344 verify.
2345 NO_DEFAULT_CA
2346 Don't use the default CA list built in
2347 to OpenSSL.
2348 DONT_VERIFY_DOMAIN
2349 Don't verify the peer certificate
2350 matches the server name
2351
2352 ssldomain= The peer name as advertised in it's certificate.
2353 Used for verifying the correctness of the received peer
2354 certificate. If not specified the peer hostname will be
2355 used.
2356
2357 front-end-https
2358 Enable the "Front-End-Https: On" header needed when
2359 using Squid as a SSL frontend in front of Microsoft OWA.
2360 See MS KB document Q307347 for details on this header.
2361 If set to auto the header will only be added if the
2362 request is forwarded as a https:// URL.
2363
2364
2365 ==== GENERAL OPTIONS ====
2366
2367 connect-timeout=N
2368 A peer-specific connect timeout.
2369 Also see the peer_connect_timeout directive.
2370
2371 connect-fail-limit=N
2372 How many times connecting to a peer must fail before
2373 it is marked as down. Default is 10.
2374
2375 allow-miss Disable Squid's use of only-if-cached when forwarding
2376 requests to siblings. This is primarily useful when
2377 icp_hit_stale is used by the sibling. To extensive use
2378 of this option may result in forwarding loops, and you
2379 should avoid having two-way peerings with this option.
2380 For example to deny peer usage on requests from peer
2381 by denying cache_peer_access if the source is a peer.
2382
2383 max-conn=N Limit the amount of connections Squid may open to this
2384 peer. see also
2385
2386 name=xxx Unique name for the peer.
2387 Required if you have multiple peers on the same host
2388 but different ports.
2389 This name can be used in cache_peer_access and similar
2390 directives to dentify the peer.
2391 Can be used by outgoing access controls through the
2392 peername ACL type.
2393
2394 no-tproxy Do not use the client-spoof TPROXY support when forwarding
2395 requests to this peer. Use normal address selection instead.
2396
2397 proxy-only objects fetched from the peer will not be stored locally.
2398
2399DOC_END
2400
2401NAME: cache_peer_domain cache_host_domain
2402TYPE: hostdomain
2403DEFAULT: none
2404LOC: none
2405DOC_START
2406 Use to limit the domains for which a neighbor cache will be
2407 queried. Usage:
2408
2409 cache_peer_domain cache-host domain [domain ...]
2410 cache_peer_domain cache-host !domain
2411
2412 For example, specifying
2413
2414 cache_peer_domain parent.foo.net .edu
2415
2416 has the effect such that UDP query packets are sent to
2417 'bigserver' only when the requested object exists on a
2418 server in the .edu domain. Prefixing the domainname
2419 with '!' means the cache will be queried for objects
2420 NOT in that domain.
2421
2422 NOTE: * Any number of domains may be given for a cache-host,
2423 either on the same or separate lines.
2424 * When multiple domains are given for a particular
2425 cache-host, the first matched domain is applied.
2426 * Cache hosts with no domain restrictions are queried
2427 for all requests.
2428 * There are no defaults.
2429 * There is also a 'cache_peer_access' tag in the ACL
2430 section.
2431DOC_END
2432
2433NAME: cache_peer_access
2434TYPE: peer_access
2435DEFAULT: none
2436LOC: none
2437DOC_START
2438 Similar to 'cache_peer_domain' but provides more flexibility by
2439 using ACL elements.
2440
2441 cache_peer_access cache-host allow|deny [!]aclname ...
2442
2443 The syntax is identical to 'http_access' and the other lists of
2444 ACL elements. See the comments for 'http_access' below, or
2445 the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
2446DOC_END
2447
2448NAME: neighbor_type_domain
2449TYPE: hostdomaintype
2450DEFAULT: none
2451LOC: none
2452DOC_START
2453 usage: neighbor_type_domain neighbor parent|sibling domain domain ...
2454
2455 Modifying the neighbor type for specific domains is now
2456 possible. You can treat some domains differently than the
2457 default neighbor type specified on the 'cache_peer' line.
2458 Normally it should only be necessary to list domains which
2459 should be treated differently because the default neighbor type
2460 applies for hostnames which do not match domains listed here.
2461
2462EXAMPLE:
2463 cache_peer cache.foo.org parent 3128 3130
2464 neighbor_type_domain cache.foo.org sibling .com .net
2465 neighbor_type_domain cache.foo.org sibling .au .de
2466DOC_END
2467
2468NAME: dead_peer_timeout
2469COMMENT: (seconds)
2470DEFAULT: 10 seconds
2471TYPE: time_t
2472LOC: Config.Timeout.deadPeer
2473DOC_START
2474 This controls how long Squid waits to declare a peer cache
2475 as "dead." If there are no ICP replies received in this
2476 amount of time, Squid will declare the peer dead and not
2477 expect to receive any further ICP replies. However, it
2478 continues to send ICP queries, and will mark the peer as
2479 alive upon receipt of the first subsequent ICP reply.
2480
2481 This timeout also affects when Squid expects to receive ICP
2482 replies from peers. If more than 'dead_peer' seconds have
2483 passed since the last ICP reply was received, Squid will not
2484 expect to receive an ICP reply on the next query. Thus, if
2485 your time between requests is greater than this timeout, you
2486 will see a lot of requests sent DIRECT to origin servers
2487 instead of to your parents.
2488DOC_END
2489
2490NAME: forward_max_tries
2491DEFAULT: 10
2492TYPE: int
2493LOC: Config.forward_max_tries
2494DOC_START
2495 Controls how many different forward paths Squid will try
2496 before giving up. See also forward_timeout.
2497
2498 NOTE: connect_retries (default: none) can make each of these
2499 possible forwarding paths be tried multiple times.
2500DOC_END
2501
2502NAME: hierarchy_stoplist
2503TYPE: wordlist
2504DEFAULT: none
2505LOC: Config.hierarchy_stoplist
2506DOC_START
2507 A list of words which, if found in a URL, cause the object to
2508 be handled directly by this cache. In other words, use this
2509 to not query neighbor caches for certain objects. You may
2510 list this option multiple times.
2511
2512 Example:
2513 hierarchy_stoplist cgi-bin ?
2514
2515 Note: never_direct overrides this option.
2516DOC_END
2517
2518COMMENT_START
2519 MEMORY CACHE OPTIONS
2520 -----------------------------------------------------------------------------
2521COMMENT_END
2522
2523NAME: cache_mem
2524COMMENT: (bytes)
2525TYPE: b_size_t
2526DEFAULT: 256 MB
2527LOC: Config.memMaxSize
2528DOC_START
2529 NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
2530 IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
2531 USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
2532 THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
2533
2534 'cache_mem' specifies the ideal amount of memory to be used
2535 for:
2536 * In-Transit objects
2537 * Hot Objects
2538 * Negative-Cached objects
2539
2540 Data for these objects are stored in 4 KB blocks. This
2541 parameter specifies the ideal upper limit on the total size of
2542 4 KB blocks allocated. In-Transit objects take the highest
2543 priority.
2544
2545 In-transit objects have priority over the others. When
2546 additional space is needed for incoming data, negative-cached
2547 and hot objects will be released. In other words, the
2548 negative-cached and hot objects will fill up any unused space
2549 not needed for in-transit objects.
2550
2551 If circumstances require, this limit will be exceeded.
2552 Specifically, if your incoming request rate requires more than
2553 'cache_mem' of memory to hold in-transit objects, Squid will
2554 exceed this limit to satisfy the new requests. When the load
2555 decreases, blocks will be freed until the high-water mark is
2556 reached. Thereafter, blocks will be used to store hot
2557 objects.
2558DOC_END
2559
2560NAME: maximum_object_size_in_memory
2561COMMENT: (bytes)
2562TYPE: b_size_t
2563DEFAULT: 512 KB
2564LOC: Config.Store.maxInMemObjSize
2565DOC_START
2566 Objects greater than this size will not be attempted to kept in
2567 the memory cache. This should be set high enough to keep objects
2568 accessed frequently in memory to improve performance whilst low
2569 enough to keep larger objects from hoarding cache_mem.
2570DOC_END
2571
2572NAME: memory_cache_mode
2573TYPE: memcachemode
2574LOC: Config
2575DEFAULT: always
2576DOC_START
2577 Controls which objects to keep in the memory cache (cache_mem)
2578
2579 always Keep most recently fetched objects in memory (default)
2580
2581 disk Only disk cache hits are kept in memory, which means
2582 an object must first be cached on disk and then hit
2583 a second time before cached in memory.
2584
2585 network Only objects fetched from network is kept in memory
2586DOC_END
2587
2588NAME: memory_replacement_policy
2589TYPE: removalpolicy
2590LOC: Config.memPolicy
2591DEFAULT: lru
2592DOC_START
2593 The memory replacement policy parameter determines which
2594 objects are purged from memory when memory space is needed.
2595
2596 See cache_replacement_policy for details.
2597DOC_END
2598
2599COMMENT_START
2600 DISK CACHE OPTIONS
2601 -----------------------------------------------------------------------------
2602COMMENT_END
2603
2604NAME: cache_replacement_policy
2605TYPE: removalpolicy
2606LOC: Config.replPolicy
2607DEFAULT: lru
2608DOC_START
2609 The cache replacement policy parameter determines which
2610 objects are evicted (replaced) when disk space is needed.
2611
2612 lru : Squid's original list based LRU policy
2613 heap GDSF : Greedy-Dual Size Frequency
2614 heap LFUDA: Least Frequently Used with Dynamic Aging
2615 heap LRU : LRU policy implemented using a heap
2616
2617 Applies to any cache_dir lines listed below this.
2618
2619 The LRU policies keeps recently referenced objects.
2620
2621 The heap GDSF policy optimizes object hit rate by keeping smaller
2622 popular objects in cache so it has a better chance of getting a
2623 hit. It achieves a lower byte hit rate than LFUDA though since
2624 it evicts larger (possibly popular) objects.
2625
2626 The heap LFUDA policy keeps popular objects in cache regardless of
2627 their size and thus optimizes byte hit rate at the expense of
2628 hit rate since one large, popular object will prevent many
2629 smaller, slightly less popular objects from being cached.
2630
2631 Both policies utilize a dynamic aging mechanism that prevents
2632 cache pollution that can otherwise occur with frequency-based
2633 replacement policies.
2634
2635 NOTE: if using the LFUDA replacement policy you should increase
2636 the value of maximum_object_size above its default of 4096 KB to
2637 to maximize the potential byte hit rate improvement of LFUDA.
2638
2639 For more information about the GDSF and LFUDA cache replacement
2640 policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
2641 and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
2642DOC_END
2643
2644NAME: cache_dir
2645TYPE: cachedir
2646DEFAULT: none
2647LOC: Config.cacheSwap
2648DOC_START
2649 Usage:
2650
2651 cache_dir Type Directory-Name Fs-specific-data [options]
2652
2653 You can specify multiple cache_dir lines to spread the
2654 cache among different disk partitions.
2655
2656 Type specifies the kind of storage system to use. Only "ufs"
2657 is built by default. To enable any of the other storage systems
2658 see the --enable-storeio configure option.
2659
2660 'Directory' is a top-level directory where cache swap
2661 files will be stored. If you want to use an entire disk
2662 for caching, this can be the mount-point directory.
2663 The directory must exist and be writable by the Squid
2664 process. Squid will NOT create this directory for you.
2665
2666 In SMP configurations, cache_dir must not precede the workers option
2667 and should use configuration macros or conditionals to give each
2668 worker interested in disk caching a dedicated cache directory.
2669
2670 The ufs store type:
2671
2672 "ufs" is the old well-known Squid storage format that has always
2673 been there.
2674
2675 cache_dir ufs Directory-Name Mbytes L1 L2 [options]
2676
2677 'Mbytes' is the amount of disk space (MB) to use under this
2678 directory. The default is 100 MB. Change this to suit your
2679 configuration. Do NOT put the size of your disk drive here.
2680 Instead, if you want Squid to use the entire disk drive,
2681 subtract 20% and use that value.
2682
2683 'L1' is the number of first-level subdirectories which
2684 will be created under the 'Directory'. The default is 16.
2685
2686 'L2' is the number of second-level subdirectories which
2687 will be created under each first-level directory. The default
2688 is 256.
2689
2690 The aufs store type:
2691
2692 "aufs" uses the same storage format as "ufs", utilizing
2693 POSIX-threads to avoid blocking the main Squid process on
2694 disk-I/O. This was formerly known in Squid as async-io.
2695
2696 cache_dir aufs Directory-Name Mbytes L1 L2 [options]
2697
2698 see argument descriptions under ufs above
2699
2700 The diskd store type:
2701
2702 "diskd" uses the same storage format as "ufs", utilizing a
2703 separate process to avoid blocking the main Squid process on
2704 disk-I/O.
2705
2706 cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
2707
2708 see argument descriptions under ufs above
2709
2710 Q1 specifies the number of unacknowledged I/O requests when Squid
2711 stops opening new files. If this many messages are in the queues,
2712 Squid won't open new files. Default is 64
2713
2714 Q2 specifies the number of unacknowledged messages when Squid
2715 starts blocking. If this many messages are in the queues,
2716 Squid blocks until it receives some replies. Default is 72
2717
2718 When Q1 < Q2 (the default), the cache directory is optimized
2719 for lower response time at the expense of a decrease in hit
2720 ratio. If Q1 > Q2, the cache directory is optimized for
2721 higher hit ratio at the expense of an increase in response
2722 time.
2723
2724 The coss store type:
2725
2726 NP: COSS filesystem in Squid-3 has been deemed too unstable for
2727 production use and has thus been removed from this release.
2728 We hope that it can be made usable again soon.
2729
2730 block-size=n defines the "block size" for COSS cache_dir's.
2731 Squid uses file numbers as block numbers. Since file numbers
2732 are limited to 24 bits, the block size determines the maximum
2733 size of the COSS partition. The default is 512 bytes, which
2734 leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
2735 you should not change the coss block size after Squid
2736 has written some objects to the cache_dir.
2737
2738 The coss file store has changed from 2.5. Now it uses a file
2739 called 'stripe' in the directory names in the config - and
2740 this will be created by squid -z.
2741
2742 Common options:
2743
2744 no-store, no new objects should be stored to this cache_dir
2745
2746 min-size=n, refers to the min object size in bytes this cache_dir
2747 will accept. It's used to restrict a cache_dir to only store
2748 large objects (e.g. aufs) while other storedirs are optimized
2749 for smaller objects (e.g. COSS). Defaults to 0.
2750
2751 max-size=n, refers to the max object size in bytes this cache_dir
2752 supports. It is used to select the cache_dir to store the object.
2753 Note: To make optimal use of the max-size limits you should order
2754 the cache_dir lines with the smallest max-size value first and the
2755 ones with no max-size specification last.
2756
2757 Note for coss, max-size must be less than COSS_MEMBUF_SZ,
2758 which can be changed with the --with-coss-membuf-size=N configure
2759 option.
2760NOCOMMENT_START
2761
2762# Uncomment and adjust the following to add a disk cache directory.
2763#cache_dir ufs @DEFAULT_SWAP_DIR@ 100 16 256
2764NOCOMMENT_END
2765DOC_END
2766
2767NAME: store_dir_select_algorithm
2768TYPE: string
2769LOC: Config.store_dir_select_algorithm
2770DEFAULT: least-load
2771DOC_START
2772 Set this to 'round-robin' as an alternative.
2773DOC_END
2774
2775NAME: max_open_disk_fds
2776TYPE: int
2777LOC: Config.max_open_disk_fds
2778DEFAULT: 0
2779DOC_START
2780 To avoid having disk as the I/O bottleneck Squid can optionally
2781 bypass the on-disk cache if more than this amount of disk file
2782 descriptors are open.
2783
2784 A value of 0 indicates no limit.
2785DOC_END
2786
2787NAME: minimum_object_size
2788COMMENT: (bytes)
2789TYPE: b_int64_t
2790DEFAULT: 0 KB
2791LOC: Config.Store.minObjectSize
2792DOC_START
2793 Objects smaller than this size will NOT be saved on disk. The
2794 value is specified in kilobytes, and the default is 0 KB, which
2795 means there is no minimum.
2796DOC_END
2797
2798NAME: maximum_object_size
2799COMMENT: (bytes)
2800TYPE: b_int64_t
2801DEFAULT: 4096 KB
2802LOC: Config.Store.maxObjectSize
2803DOC_START
2804 Objects larger than this size will NOT be saved on disk. The
2805 value is specified in kilobytes, and the default is 4MB. If
2806 you wish to get a high BYTES hit ratio, you should probably
2807 increase this (one 32 MB object hit counts for 3200 10KB
2808 hits). If you wish to increase speed more than your want to
2809 save bandwidth you should leave this low.
2810
2811 NOTE: if using the LFUDA replacement policy you should increase
2812 this value to maximize the byte hit rate improvement of LFUDA!
2813 See replacement_policy below for a discussion of this policy.
2814DOC_END
2815
2816NAME: cache_swap_low
2817COMMENT: (percent, 0-100)
2818TYPE: int
2819DEFAULT: 90
2820LOC: Config.Swap.lowWaterMark
2821DOC_NONE
2822
2823NAME: cache_swap_high
2824COMMENT: (percent, 0-100)
2825TYPE: int
2826DEFAULT: 95
2827LOC: Config.Swap.highWaterMark
2828DOC_START
2829
2830 The low- and high-water marks for cache object replacement.
2831 Replacement begins when the swap (disk) usage is above the
2832 low-water mark and attempts to maintain utilization near the
2833 low-water mark. As swap utilization gets close to high-water
2834 mark object eviction becomes more aggressive. If utilization is
2835 close to the low-water mark less replacement is done each time.
2836
2837 Defaults are 90% and 95%. If you have a large cache, 5% could be
2838 hundreds of MB. If this is the case you may wish to set these
2839 numbers closer together.
2840DOC_END
2841
2842COMMENT_START
2843 LOGFILE OPTIONS
2844 -----------------------------------------------------------------------------
2845COMMENT_END
2846
2847NAME: logformat
2848TYPE: logformat
2849LOC: Log::TheConfig
2850DEFAULT: none
2851DOC_START
2852 Usage:
2853
2854 logformat <name> <format specification>
2855
2856 Defines an access log format.
2857
2858 The <format specification> is a string with embedded % format codes
2859
2860 % format codes all follow the same basic structure where all but
2861 the formatcode is optional. Output strings are automatically escaped
2862 as required according to their context and the output format
2863 modifiers are usually not needed, but can be specified if an explicit
2864 output format is desired.
2865
2866 % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
2867
2868 " output in quoted string format
2869 [ output in squid text log format as used by log_mime_hdrs
2870 # output in URL quoted format
2871 ' output as-is
2872
2873 - left aligned
2874 width field width. If starting with 0 the
2875 output is zero padded
2876 {arg} argument such as header name etc
2877
2878 Format codes:
2879
2880 % a literal % character
2881 sn Unique sequence number per log line entry
2882 err_code The ID of an error response served by Squid or
2883 a similar internal error identifier.
2884 err_detail Additional err_code-dependent error information.
2885
2886 Connection related format codes:
2887
2888 >a Client source IP address
2889 >A Client FQDN
2890 >p Client source port
2891 >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
2892 >la Local IP address the client connected to
2893 >lp Local port number the client connected to
2894
2895 <a Server IP address of the last server or peer connection
2896 <A Server FQDN or peer name
2897 <p Server port number of the last server or peer connection
2898 <la Local IP address of the last server or peer connection
2899 <lp Local port number of the last server or peer connection
2900
2901 Time related format codes:
2902
2903 ts Seconds since epoch
2904 tu subsecond time (milliseconds)
2905 tl Local time. Optional strftime format argument
2906 default %d/%b/%Y:%H:%M:%S %z
2907 tg GMT time. Optional strftime format argument
2908 default %d/%b/%Y:%H:%M:%S %z
2909 tr Response time (milliseconds)
2910 dt Total time spent making DNS lookups (milliseconds)
2911
2912 Access Control related format codes:
2913
2914 et Tag returned by external acl
2915 ea Log string returned by external acl
2916 un User name (any available)
2917 ul User name from authentication
2918 ue User name from external acl helper
2919 ui User name from ident
2920 us User name from SSL
2921
2922 HTTP related format codes:
2923
2924 [http::]>h Original request header. Optional header name argument
2925 on the format header[:[separator]element]
2926 [http::]>ha The HTTP request headers after adaptation and redirection.
2927 Optional header name argument as for >h
2928 [http::]<h Reply header. Optional header name argument
2929 as for >h
2930 [http::]>Hs HTTP status code sent to the client
2931 [http::]<Hs HTTP status code received from the next hop
2932 [http::]<bs Number of HTTP-equivalent message body bytes
2933 received from the next hop, excluding chunked
2934 transfer encoding and control messages.
2935 Generated FTP/Gopher listings are treated as
2936 received bodies.
2937 [http::]mt MIME content type
2938 [http::]rm Request method (GET/POST etc)
2939 [http::]>rm Request method from client
2940 [http::]<rm Request method sent to server or peer
2941 [http::]ru Request URL from client (historic, filtered for logging)
2942 [http::]>ru Request URL from client
2943 [http::]<ru Request URL sent to server or peer
2944 [http::]rp Request URL-Path excluding hostname
2945 [http::]>rp Request URL-Path excluding hostname from client
2946 [http::]<rp Request URL-Path excluding hostname sento to server or peer
2947 [http::]rv Request protocol version
2948 [http::]>rv Request protocol version from client
2949 [http::]<rv Request protocol version sent to server or peer
2950 [http::]<st Sent reply size including HTTP headers
2951 [http::]>st Received request size including HTTP headers. In the
2952 case of chunked requests the chunked encoding metadata
2953 are not included
2954 [http::]>sh Received HTTP request headers size
2955 [http::]<sh Sent HTTP reply headers size
2956 [http::]st Request+Reply size including HTTP headers
2957 [http::]<sH Reply high offset sent
2958 [http::]<sS Upstream object size
2959 [http::]<pt Peer response time in milliseconds. The timer starts
2960 when the last request byte is sent to the next hop
2961 and stops when the last response byte is received.
2962 [http::]<tt Total server-side time in milliseconds. The timer
2963 starts with the first connect request (or write I/O)
2964 sent to the first selected peer. The timer stops
2965 with the last I/O with the last peer.
2966
2967 Squid handling related format codes:
2968
2969 Ss Squid request status (TCP_MISS etc)
2970 Sh Squid hierarchy status (DEFAULT_PARENT etc)
2971
2972 If ICAP is enabled, the following code becomes available (as
2973 well as ICAP log codes documented with the icap_log option):
2974
2975 icap::tt Total ICAP processing time for the HTTP
2976 transaction. The timer ticks when ICAP
2977 ACLs are checked and when ICAP
2978 transaction is in progress.
2979
2980 If adaptation is enabled the following three codes become available:
2981
2982 adapt::<last_h The header of the last ICAP response or
2983 meta-information from the last eCAP
2984 transaction related to the HTTP transaction.
2985 Like <h, accepts an optional header name
2986 argument.
2987
2988 adapt::sum_trs Summed adaptation transaction response
2989 times recorded as a comma-separated list in
2990 the order of transaction start time. Each time
2991 value is recorded as an integer number,
2992 representing response time of one or more
2993 adaptation (ICAP or eCAP) transaction in
2994 milliseconds. When a failed transaction is
2995 being retried or repeated, its time is not
2996 logged individually but added to the
2997 replacement (next) transaction. See also:
2998 adapt::all_trs.
2999
3000 adapt::all_trs All adaptation transaction response times.
3001 Same as adaptation_strs but response times of
3002 individual transactions are never added
3003 together. Instead, all transaction response
3004 times are recorded individually.
3005
3006 You can prefix adapt::*_trs format codes with adaptation
3007 service name in curly braces to record response time(s) specific
3008 to that service. For example: %{my_service}adapt::sum_trs
3009
3010 The default formats available (which do not need re-defining) are:
3011
3012logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<a %mt
3013logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
3014logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
3015logformat referrer %ts.%03tu %>a %{Referer}>h %ru
3016logformat useragent %>a [%tl] "%{User-Agent}>h"
3017
3018 NOTE: When the log_mime_hdrs directive is set to ON.
3019 The squid, common and combined formats have a safely encoded copy
3020 of the mime headers appended to each line within a pair of brackets.
3021
3022 NOTE: The common and combined formats are not quite true to the Apache definition.
3023 The logs from Squid contain an extra status and hierarchy code appended.
3024
3025DOC_END
3026
3027NAME: access_log cache_access_log
3028TYPE: access_log
3029LOC: Config.Log.accesslogs
3030DEFAULT_IF_NONE: daemon:@DEFAULT_ACCESS_LOG@ squid
3031DOC_START
3032 These files log client request activities. Has a line every HTTP or
3033 ICP request. The format is:
3034 access_log <module>:<place> [<logformat name> [acl acl ...]]
3035 access_log none [acl acl ...]]
3036
3037 Will log to the specified module:place using the specified format (which
3038 must be defined in a logformat directive) those entries which match
3039 ALL the acl's specified (which must be defined in acl clauses).
3040 If no acl is specified, all requests will be logged to this destination.
3041
3042 ===== Modules Currently available =====
3043
3044 none Do not log any requests matching these ACL.
3045 Do not specify Place or logformat name.
3046
3047 stdio Write each log line to disk immediately at the completion of
3048 each request.
3049 Place: the filename and path to be written.
3050
3051 daemon Very similar to stdio. But instead of writing to disk the log
3052 line is passed to a daemon helper for asychronous handling instead.
3053 Place: varies depending on the daemon.
3054
3055 log_file_daemon Place: the file name and path to be written.
3056
3057 syslog To log each request via syslog facility.
3058 Place: The syslog facility and priority level for these entries.
3059 Place Format: facility.priority
3060
3061 where facility could be any of:
3062 authpriv, daemon, local0 ... local7 or user.
3063
3064 And priority could be any of:
3065 err, warning, notice, info, debug.
3066
3067 udp To send each log line as text data to a UDP receiver.
3068 Place: The destination host name or IP and port.
3069 Place Format: \\host:port
3070
3071 tcp To send each log line as text data to a TCP receiver.
3072 Place: The destination host name or IP and port.
3073 Place Format: \\host:port
3074
3075 Default:
3076 access_log daemon:@DEFAULT_ACCESS_LOG@ squid
3077DOC_END
3078
3079NAME: icap_log
3080TYPE: access_log
3081IFDEF: ICAP_CLIENT
3082LOC: Config.Log.icaplogs
3083DEFAULT: none
3084DOC_START
3085 ICAP log files record ICAP transaction summaries, one line per
3086 transaction.
3087
3088 The icap_log option format is:
3089 icap_log <filepath> [<logformat name> [acl acl ...]]
3090 icap_log none [acl acl ...]]
3091
3092 Please see access_log option documentation for details. The two
3093 kinds of logs share the overall configuration approach and many
3094 features.
3095
3096 ICAP processing of a single HTTP message or transaction may
3097 require multiple ICAP transactions. In such cases, multiple
3098 ICAP transaction log lines will correspond to a single access
3099 log line.
3100
3101 ICAP log uses logformat codes that make sense for an ICAP
3102 transaction. Header-related codes are applied to the HTTP header
3103 embedded in an ICAP server response, with the following caveats:
3104 For REQMOD, there is no HTTP response header unless the ICAP
3105 server performed request satisfaction. For RESPMOD, the HTTP
3106 request header is the header sent to the ICAP server. For
3107 OPTIONS, there are no HTTP headers.
3108
3109 The following format codes are also available for ICAP logs:
3110
3111 icap::<A ICAP server IP address. Similar to <A.
3112
3113 icap::<service_name ICAP service name from the icap_service
3114 option in Squid configuration file.
3115
3116 icap::ru ICAP Request-URI. Similar to ru.
3117
3118 icap::rm ICAP request method (REQMOD, RESPMOD, or
3119 OPTIONS). Similar to existing rm.
3120
3121 icap::>st Bytes sent to the ICAP server (TCP payload
3122 only; i.e., what Squid writes to the socket).
3123
3124 icap::<st Bytes received from the ICAP server (TCP
3125 payload only; i.e., what Squid reads from
3126 the socket).
3127
3128 icap::<bs Number of message body bytes received from the
3129 ICAP server. ICAP message body, if any, usually
3130 includes encapsulated HTTP message headers and
3131 possibly encapsulated HTTP message body. The
3132 HTTP body part is dechunked before its size is
3133 computed.
3134
3135 icap::tr Transaction response time (in
3136 milliseconds). The timer starts when
3137 the ICAP transaction is created and
3138 stops when the transaction is completed.
3139 Similar to tr.
3140
3141 icap::tio Transaction I/O time (in milliseconds). The
3142 timer starts when the first ICAP request
3143 byte is scheduled for sending. The timers
3144 stops when the last byte of the ICAP response
3145 is received.
3146
3147 icap::to Transaction outcome: ICAP_ERR* for all
3148 transaction errors, ICAP_OPT for OPTION
3149 transactions, ICAP_ECHO for 204
3150 responses, ICAP_MOD for message
3151 modification, and ICAP_SAT for request
3152 satisfaction. Similar to Ss.
3153
3154 icap::Hs ICAP response status code. Similar to Hs.
3155
3156 icap::>h ICAP request header(s). Similar to >h.
3157
3158 icap::<h ICAP response header(s). Similar to <h.
3159
3160 The default ICAP log format, which can be used without an explicit
3161 definition, is called icap_squid:
3162
3163logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
3164
3165 See also: logformat, log_icap, and %adapt::<last_h
3166DOC_END
3167
3168NAME: logfile_daemon
3169TYPE: string
3170DEFAULT: @DEFAULT_LOGFILED@
3171LOC: Log::TheConfig.logfile_daemon
3172DOC_START
3173 Specify the path to the logfile-writing daemon. This daemon is
3174 used to write the access and store logs, if configured.
3175
3176 Squid sends a number of commands to the log daemon:
3177 L<data>\n - logfile data
3178 R\n - rotate file
3179 T\n - truncate file
3180 O\n - reopen file
3181 F\n - flush file
3182 r<n>\n - set rotate count to <n>
3183 b<n>\n - 1 = buffer output, 0 = don't buffer output
3184
3185 No responses is expected.
3186DOC_END
3187
3188NAME: log_access
3189TYPE: acl_access
3190LOC: Config.accessList.log
3191DEFAULT: none
3192COMMENT: allow|deny acl acl...
3193DOC_START
3194 This options allows you to control which requests gets logged
3195 to access.log (see access_log directive). Requests denied for
3196 logging will also not be accounted for in performance counters.
3197
3198 This clause only supports fast acl types.
3199 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
3200DOC_END
3201
3202NAME: log_icap
3203TYPE: acl_access
3204IFDEF: ICAP_CLIENT
3205LOC: Config.accessList.icap
3206DEFAULT: none
3207DOC_START
3208 This options allows you to control which requests get logged
3209 to icap.log. See the icap_log directive for ICAP log details.
3210DOC_END
3211
3212NAME: cache_store_log
3213TYPE: string
3214DEFAULT: none
3215LOC: Config.Log.store
3216DOC_START
3217 Logs the activities of the storage manager. Shows which
3218 objects are ejected from the cache, and which objects are
3219 saved and for how long. To disable, enter "none" or remove the line.
3220 There are not really utilities to analyze this data, so you can safely
3221 disable it.
3222
3223 Example:
3224 cache_store_log @DEFAULT_STORE_LOG@
3225DOC_END
3226
3227NAME: cache_swap_state cache_swap_log
3228TYPE: string
3229LOC: Config.Log.swap
3230DEFAULT: none
3231DOC_START
3232 Location for the cache "swap.state" file. This index file holds
3233 the metadata of objects saved on disk. It is used to rebuild
3234 the cache during startup. Normally this file resides in each
3235 'cache_dir' directory, but you may specify an alternate
3236 pathname here. Note you must give a full filename, not just
3237 a directory. Since this is the index for the whole object
3238 list you CANNOT periodically rotate it!
3239
3240 If %s can be used in the file name it will be replaced with a
3241 a representation of the cache_dir name where each / is replaced
3242 with '.'. This is needed to allow adding/removing cache_dir
3243 lines when cache_swap_log is being used.
3244
3245 If have more than one 'cache_dir', and %s is not used in the name
3246 these swap logs will have names such as:
3247
3248 cache_swap_log.00
3249 cache_swap_log.01
3250 cache_swap_log.02
3251
3252 The numbered extension (which is added automatically)
3253 corresponds to the order of the 'cache_dir' lines in this
3254 configuration file. If you change the order of the 'cache_dir'
3255 lines in this file, these index files will NOT correspond to
3256 the correct 'cache_dir' entry (unless you manually rename
3257 them). We recommend you do NOT use this option. It is
3258 better to keep these index files in each 'cache_dir' directory.
3259DOC_END
3260
3261NAME: logfile_rotate
3262TYPE: int
3263DEFAULT: 10
3264LOC: Config.Log.rotateNumber
3265DOC_START
3266 Specifies the number of logfile rotations to make when you
3267 type 'squid -k rotate'. The default is 10, which will rotate
3268 with extensions 0 through 9. Setting logfile_rotate to 0 will
3269 disable the file name rotation, but the logfiles are still closed
3270 and re-opened. This will enable you to rename the logfiles
3271 yourself just before sending the rotate signal.
3272
3273 Note, the 'squid -k rotate' command normally sends a USR1
3274 signal to the running squid process. In certain situations
3275 (e.g. on Linux with Async I/O), USR1 is used for other
3276 purposes, so -k rotate uses another signal. It is best to get
3277 in the habit of using 'squid -k rotate' instead of 'kill -USR1
3278 <pid>'.
3279
3280 Note, from Squid-3.1 this option has no effect on the cache.log,
3281 that log can be rotated separately by using debug_options
3282DOC_END
3283
3284NAME: emulate_httpd_log
3285TYPE: obsolete
3286DOC_START
3287 Replace this with an access_log directive using the format 'common' or 'combined'.
3288DOC_END
3289
3290NAME: log_ip_on_direct
3291TYPE: obsolete
3292DOC_START
3293 Remove this option from your config. To log server or peer names use %<A in the log format.
3294DOC_END
3295
3296NAME: mime_table
3297TYPE: string
3298DEFAULT: @DEFAULT_MIME_TABLE@
3299LOC: Config.mimeTablePathname
3300DOC_START
3301 Pathname to Squid's MIME table. You shouldn't need to change
3302 this, but the default file contains examples and formatting
3303 information if you do.
3304DOC_END
3305
3306NAME: log_mime_hdrs
3307COMMENT: on|off
3308TYPE: onoff
3309LOC: Config.onoff.log_mime_hdrs
3310DEFAULT: off
3311DOC_START
3312 The Cache can record both the request and the response MIME
3313 headers for each HTTP transaction. The headers are encoded
3314 safely and will appear as two bracketed fields at the end of
3315 the access log (for either the native or httpd-emulated log
3316 formats). To enable this logging set log_mime_hdrs to 'on'.
3317DOC_END
3318
3319NAME: useragent_log
3320TYPE: obsolete
3321DOC_START
3322 Replace this with an access_log directive using the format 'useragent'.
3323DOC_END
3324
3325NAME: referer_log referrer_log
3326TYPE: obsolete
3327DOC_START
3328 Replace this with an access_log directive using the format 'referrer'.
3329DOC_END
3330
3331NAME: pid_filename
3332TYPE: string
3333DEFAULT: @DEFAULT_PID_FILE@
3334LOC: Config.pidFilename
3335DOC_START
3336 A filename to write the process-id to. To disable, enter "none".
3337DOC_END
3338
3339NAME: log_fqdn
3340TYPE: obsolete
3341DOC_START
3342 Remove this option from your config. To log FQDN use %>A in the log format.
3343DOC_END
3344
3345NAME: client_netmask
3346TYPE: address
3347LOC: Config.Addrs.client_netmask
3348DEFAULT: no_addr
3349DOC_START
3350 A netmask for client addresses in logfiles and cachemgr output.
3351 Change this to protect the privacy of your cache clients.
3352 A netmask of 255.255.255.0 will log all IP's in that range with
3353 the last digit set to '0'.
3354DOC_END
3355
3356NAME: forward_log
3357TYPE: obsolete
3358DOC_START
3359 Use a regular access.log with ACL limiting it to MISS events.
3360DOC_END
3361
3362NAME: strip_query_terms
3363TYPE: onoff
3364LOC: Config.onoff.strip_query_terms
3365DEFAULT: on
3366DOC_START
3367 By default, Squid strips query terms from requested URLs before
3368 logging. This protects your user's privacy.
3369DOC_END
3370
3371NAME: buffered_logs
3372COMMENT: on|off
3373TYPE: onoff
3374DEFAULT: off
3375LOC: Config.onoff.buffered_logs
3376DOC_START
3377 cache.log log file is written with stdio functions, and as such
3378 it can be buffered or unbuffered. By default it will be unbuffered.
3379 Buffering it can speed up the writing slightly (though you are
3380 unlikely to need to worry unless you run with tons of debugging
3381 enabled in which case performance will suffer badly anyway..).
3382DOC_END
3383
3384NAME: netdb_filename
3385TYPE: string
3386DEFAULT: @DEFAULT_NETDB_FILE@
3387LOC: Config.netdbFilename
3388IFDEF: USE_ICMP
3389DOC_START
3390 A filename where Squid stores it's netdb state between restarts.
3391 To disable, enter "none".
3392DOC_END
3393
3394COMMENT_START
3395 OPTIONS FOR TROUBLESHOOTING
3396 -----------------------------------------------------------------------------
3397COMMENT_END
3398
3399NAME: cache_log
3400TYPE: string
3401DEFAULT_IF_NONE: @DEFAULT_CACHE_LOG@
3402LOC: Debug::cache_log
3403DOC_START
3404 Cache logging file. This is where general information about
3405 your cache's behavior goes. You can increase the amount of data
3406 logged to this file and how often its rotated with "debug_options"
3407DOC_END
3408
3409NAME: debug_options
3410TYPE: eol
3411DEFAULT: ALL,1
3412LOC: Debug::debugOptions
3413DOC_START
3414 Logging options are set as section,level where each source file
3415 is assigned a unique section. Lower levels result in less
3416 output, Full debugging (level 9) can result in a very large
3417 log file, so be careful.
3418
3419 The magic word "ALL" sets debugging levels for all sections.
3420 We recommend normally running with "ALL,1".
3421
3422 The rotate=N option can be used to keep more or less of these logs
3423 than would otherwise be kept by logfile_rotate.
3424 For most uses a single log should be enough to monitor current
3425 events affecting Squid.
3426DOC_END
3427
3428NAME: coredump_dir
3429TYPE: string
3430LOC: Config.coredump_dir
3431DEFAULT_IF_NONE: none
3432DOC_START
3433 By default Squid leaves core files in the directory from where
3434 it was started. If you set 'coredump_dir' to a directory
3435 that exists, Squid will chdir() to that directory at startup
3436 and coredump files will be left there.
3437
3438NOCOMMENT_START
3439
3440# Leave coredumps in the first cache dir
3441coredump_dir @DEFAULT_SWAP_DIR@
3442NOCOMMENT_END
3443DOC_END
3444
3445
3446COMMENT_START
3447 OPTIONS FOR FTP GATEWAYING
3448 -----------------------------------------------------------------------------
3449COMMENT_END
3450
3451NAME: ftp_user
3452TYPE: string
3453DEFAULT: Squid@
3454LOC: Config.Ftp.anon_user
3455DOC_START
3456 If you want the anonymous login password to be more informative
3457 (and enable the use of picky ftp servers), set this to something
3458 reasonable for your domain, like wwwuser@somewhere.net
3459
3460 The reason why this is domainless by default is the
3461 request can be made on the behalf of a user in any domain,
3462 depending on how the cache is used.
3463 Some ftp server also validate the email address is valid
3464 (for example perl.com).
3465DOC_END
3466
3467NAME: ftp_passive
3468TYPE: onoff
3469DEFAULT: on
3470LOC: Config.Ftp.passive
3471DOC_START
3472 If your firewall does not allow Squid to use passive
3473 connections, turn off this option.
3474
3475 Use of ftp_epsv_all option requires this to be ON.
3476DOC_END
3477
3478NAME: ftp_epsv_all
3479TYPE: onoff
3480DEFAULT: off
3481LOC: Config.Ftp.epsv_all
3482DOC_START
3483 FTP Protocol extensions permit the use of a special "EPSV ALL" command.
3484
3485 NATs may be able to put the connection on a "fast path" through the
3486 translator, as the EPRT command will never be used and therefore,
3487 translation of the data portion of the segments will never be needed.
3488
3489 When a client only expects to do two-way FTP transfers this may be
3490 useful.
3491 If squid finds that it must do a three-way FTP transfer after issuing
3492 an EPSV ALL command, the FTP session will fail.
3493
3494 If you have any doubts about this option do not use it.
3495 Squid will nicely attempt all other connection methods.
3496
3497 Requires ftp_passive to be ON (default) for any effect.
3498DOC_END
3499
3500NAME: ftp_epsv
3501TYPE: onoff
3502DEFAULT: on
3503LOC: Config.Ftp.epsv
3504DOC_START
3505 FTP Protocol extensions permit the use of a special "EPSV" command.
3506
3507 NATs may be able to put the connection on a "fast path" through the
3508 translator using EPSV, as the EPRT command will never be used
3509 and therefore, translation of the data portion of the segments
3510 will never be needed.
3511
3512 Turning this OFF will prevent EPSV being attempted.
3513 WARNING: Doing so will convert Squid back to the old behavior with all
3514 the related problems with external NAT devices/layers.
3515
3516 Requires ftp_passive to be ON (default) for any effect.
3517DOC_END
3518
3519NAME: ftp_eprt
3520TYPE: onoff
3521DEFAULT: on
3522LOC: Config.Ftp.eprt
3523DOC_START
3524 FTP Protocol extensions permit the use of a special "EPRT" command.
3525
3526 This extension provides a protocol neutral alternative to the
3527 IPv4-only PORT command. When supported it enables active FTP data
3528 channels over IPv6 and efficient NAT handling.
3529
3530 Turning this OFF will prevent EPRT being attempted and will skip
3531 straight to using PORT for IPv4 servers.
3532
3533 Some devices are known to not handle this extension correctly and
3534 may result in crashes. Devices which suport EPRT enough to fail
3535 cleanly will result in Squid attempting PORT anyway. This directive
3536 should only be disabled when EPRT results in device failures.
3537
3538 WARNING: Doing so will convert Squid back to the old behavior with all
3539 the related problems with external NAT devices/layers and IPv4-only FTP.
3540DOC_END
3541
3542NAME: ftp_sanitycheck
3543TYPE: onoff
3544DEFAULT: on
3545LOC: Config.Ftp.sanitycheck
3546DOC_START
3547 For security and data integrity reasons Squid by default performs
3548 sanity checks of the addresses of FTP data connections ensure the
3549 data connection is to the requested server. If you need to allow
3550 FTP connections to servers using another IP address for the data
3551 connection turn this off.
3552DOC_END
3553
3554NAME: ftp_telnet_protocol
3555TYPE: onoff
3556DEFAULT: on
3557LOC: Config.Ftp.telnet
3558DOC_START
3559 The FTP protocol is officially defined to use the telnet protocol
3560 as transport channel for the control connection. However, many
3561 implementations are broken and does not respect this aspect of
3562 the FTP protocol.
3563
3564 If you have trouble accessing files with ASCII code 255 in the
3565 path or similar problems involving this ASCII code you can
3566 try setting this directive to off. If that helps, report to the
3567 operator of the FTP server in question that their FTP server
3568 is broken and does not follow the FTP standard.
3569DOC_END
3570
3571COMMENT_START
3572 OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
3573 -----------------------------------------------------------------------------
3574COMMENT_END
3575
3576NAME: diskd_program
3577TYPE: string
3578DEFAULT: @DEFAULT_DISKD@
3579LOC: Config.Program.diskd
3580DOC_START
3581 Specify the location of the diskd executable.
3582 Note this is only useful if you have compiled in
3583 diskd as one of the store io modules.
3584DOC_END
3585
3586NAME: unlinkd_program
3587IFDEF: USE_UNLINKD
3588TYPE: string
3589DEFAULT: @DEFAULT_UNLINKD@
3590LOC: Config.Program.unlinkd
3591DOC_START
3592 Specify the location of the executable for file deletion process.
3593DOC_END
3594
3595NAME: pinger_program
3596TYPE: string
3597DEFAULT: @DEFAULT_PINGER@
3598LOC: Config.pinger.program
3599IFDEF: USE_ICMP
3600DOC_START
3601 Specify the location of the executable for the pinger process.
3602DOC_END
3603
3604NAME: pinger_enable
3605TYPE: onoff
3606DEFAULT: on
3607LOC: Config.pinger.enable
3608IFDEF: USE_ICMP
3609DOC_START
3610 Control whether the pinger is active at run-time.
3611 Enables turning ICMP pinger on and off with a simple
3612 squid -k reconfigure.
3613DOC_END
3614
3615
3616COMMENT_START
3617 OPTIONS FOR URL REWRITING
3618 -----------------------------------------------------------------------------
3619COMMENT_END
3620
3621NAME: url_rewrite_program redirect_program
3622TYPE: wordlist
3623LOC: Config.Program.redirect
3624DEFAULT: none
3625DOC_START
3626 Specify the location of the executable URL rewriter to use.
3627 Since they can perform almost any function there isn't one included.
3628
3629 For each requested URL, the rewriter will receive on line with the format
3630
3631 URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
3632
3633 In the future, the rewriter interface will be extended with
3634 key=value pairs ("kvpairs" shown above). Rewriter programs
3635 should be prepared to receive and possibly ignore additional
3636 whitespace-separated tokens on each input line.
3637
3638 And the rewriter may return a rewritten URL. The other components of
3639 the request line does not need to be returned (ignored if they are).
3640
3641 The rewriter can also indicate that a client-side redirect should
3642 be performed to the new URL. This is done by prefixing the returned
3643 URL with "301:" (moved permanently) or 302: (moved temporarily), etc.
3644
3645 By default, a URL rewriter is not used.
3646DOC_END
3647
3648NAME: url_rewrite_children redirect_children
3649TYPE: HelperChildConfig
3650DEFAULT: 20 startup=0 idle=1 concurrency=0
3651LOC: Config.redirectChildren
3652DOC_START
3653 The maximum number of redirector processes to spawn. If you limit
3654 it too few Squid will have to wait for them to process a backlog of
3655 URLs, slowing it down. If you allow too many they will use RAM
3656 and other system resources noticably.
3657
3658 The startup= and idle= options allow some measure of skew in your
3659 tuning.
3660
3661 startup=
3662
3663 Sets a minimum of how many processes are to be spawned when Squid
3664 starts or reconfigures. When set to zero the first request will
3665 cause spawning of the first child process to handle it.
3666
3667 Starting too few will cause an initial slowdown in traffic as Squid
3668 attempts to simultaneously spawn enough processes to cope.
3669
3670 idle=
3671
3672 Sets a minimum of how many processes Squid is to try and keep available
3673 at all times. When traffic begins to rise above what the existing
3674 processes can handle this many more will be spawned up to the maximum
3675 configured. A minimum setting of 1 is required.
3676
3677 concurrency=
3678
3679 The number of requests each redirector helper can handle in
3680 parallel. Defaults to 0 which indicates the redirector
3681 is a old-style single threaded redirector.
3682
3683 When this directive is set to a value >= 1 then the protocol
3684 used to communicate with the helper is modified to include
3685 a request ID in front of the request/response. The request
3686 ID from the request must be echoed back with the response
3687 to that request.
3688DOC_END
3689
3690NAME: url_rewrite_host_header redirect_rewrites_host_header
3691TYPE: onoff
3692DEFAULT: on
3693LOC: Config.onoff.redir_rewrites_host
3694DOC_START
3695 By default Squid rewrites any Host: header in redirected
3696 requests. If you are running an accelerator this may
3697 not be a wanted effect of a redirector.
3698
3699 WARNING: Entries are cached on the result of the URL rewriting
3700 process, so be careful if you have domain-virtual hosts.
3701DOC_END
3702
3703NAME: url_rewrite_access redirector_access
3704TYPE: acl_access
3705DEFAULT: none
3706LOC: Config.accessList.redirector
3707DOC_START
3708 If defined, this access list specifies which requests are
3709 sent to the redirector processes. By default all requests
3710 are sent.
3711
3712 This clause supports both fast and slow acl types.
3713 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
3714DOC_END
3715
3716NAME: url_rewrite_bypass redirector_bypass
3717TYPE: onoff
3718LOC: Config.onoff.redirector_bypass
3719DEFAULT: off
3720DOC_START
3721 When this is 'on', a request will not go through the
3722 redirector if all redirectors are busy. If this is 'off'
3723 and the redirector queue grows too large, Squid will exit
3724 with a FATAL error and ask you to increase the number of
3725 redirectors. You should only enable this if the redirectors
3726 are not critical to your caching system. If you use
3727 redirectors for access control, and you enable this option,
3728 users may have access to pages they should not
3729 be allowed to request.
3730DOC_END
3731
3732COMMENT_START
3733 OPTIONS FOR TUNING THE CACHE
3734 -----------------------------------------------------------------------------
3735COMMENT_END
3736
3737NAME: cache no_cache
3738TYPE: acl_access
3739DEFAULT: none
3740LOC: Config.accessList.noCache
3741DOC_START
3742 A list of ACL elements which, if matched and denied, cause the request to
3743 not be satisfied from the cache and the reply to not be cached.
3744 In other words, use this to force certain objects to never be cached.
3745
3746 You must use the words 'allow' or 'deny' to indicate whether items
3747 matching the ACL should be allowed or denied into the cache.
3748
3749 Default is to allow all to be cached.
3750
3751 This clause supports both fast and slow acl types.
3752 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
3753DOC_END
3754
3755NAME: max_stale
3756COMMENT: time-units
3757TYPE: time_t
3758LOC: Config.maxStale
3759DEFAULT: 1 week
3760DOC_START
3761 This option puts an upper limit on how stale content Squid
3762 will serve from the cache if cache validation fails.
3763 Can be overriden by the refresh_pattern max-stale option.
3764DOC_END
3765
3766NAME: refresh_pattern
3767TYPE: refreshpattern
3768LOC: Config.Refresh
3769DEFAULT: none
3770DOC_START
3771 usage: refresh_pattern [-i] regex min percent max [options]
3772
3773 By default, regular expressions are CASE-SENSITIVE. To make
3774 them case-insensitive, use the -i option.
3775
3776 'Min' is the time (in minutes) an object without an explicit
3777 expiry time should be considered fresh. The recommended
3778 value is 0, any higher values may cause dynamic applications
3779 to be erroneously cached unless the application designer
3780 has taken the appropriate actions.
3781
3782 'Percent' is a percentage of the objects age (time since last
3783 modification age) an object without explicit expiry time
3784 will be considered fresh.
3785
3786 'Max' is an upper limit on how long objects without an explicit
3787 expiry time will be considered fresh.
3788
3789 options: override-expire
3790 override-lastmod
3791 reload-into-ims
3792 ignore-reload
3793 ignore-no-cache
3794 ignore-no-store
3795 ignore-must-revalidate
3796 ignore-private
3797 ignore-auth
3798 max-stale=NN
3799 refresh-ims
3800 store-stale
3801
3802 override-expire enforces min age even if the server
3803 sent an explicit expiry time (e.g., with the
3804 Expires: header or Cache-Control: max-age). Doing this
3805 VIOLATES the HTTP standard. Enabling this feature
3806 could make you liable for problems which it causes.
3807
3808 Note: override-expire does not enforce staleness - it only extends
3809 freshness / min. If the server returns a Expires time which
3810 is longer than your max time, Squid will still consider
3811 the object fresh for that period of time.
3812
3813 override-lastmod enforces min age even on objects
3814 that were modified recently.
3815
3816 reload-into-ims changes client no-cache or ``reload''
3817 to If-Modified-Since requests. Doing this VIOLATES the
3818 HTTP standard. Enabling this feature could make you
3819 liable for problems which it causes.
3820
3821 ignore-reload ignores a client no-cache or ``reload''
3822 header. Doing this VIOLATES the HTTP standard. Enabling
3823 this feature could make you liable for problems which
3824 it causes.
3825
3826 ignore-no-cache ignores any ``Pragma: no-cache'' and
3827 ``Cache-control: no-cache'' headers received from a server.
3828 The HTTP RFC never allows the use of this (Pragma) header
3829 from a server, only a client, though plenty of servers
3830 send it anyway.
3831
3832 ignore-no-store ignores any ``Cache-control: no-store''
3833 headers received from a server. Doing this VIOLATES
3834 the HTTP standard. Enabling this feature could make you
3835 liable for problems which it causes.
3836
3837 ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
3838 headers received from a server. Doing this VIOLATES
3839 the HTTP standard. Enabling this feature could make you
3840 liable for problems which it causes.
3841
3842 ignore-private ignores any ``Cache-control: private''
3843 headers received from a server. Doing this VIOLATES
3844 the HTTP standard. Enabling this feature could make you
3845 liable for problems which it causes.
3846
3847 ignore-auth caches responses to requests with authorization,
3848 as if the originserver had sent ``Cache-control: public''
3849 in the response header. Doing this VIOLATES the HTTP standard.
3850 Enabling this feature could make you liable for problems which
3851 it causes.
3852
3853 refresh-ims causes squid to contact the origin server
3854 when a client issues an If-Modified-Since request. This
3855 ensures that the client will receive an updated version
3856 if one is available.
3857
3858 store-stale stores responses even if they don't have explicit
3859 freshness or a validator (i.e., Last-Modified or an ETag)
3860 present, or if they're already stale. By default, Squid will
3861 not cache such responses because they usually can't be
3862 reused. Note that such responses will be stale by default.
3863
3864 max-stale=NN provide a maximum staleness factor. Squid won't
3865 serve objects more stale than this even if it failed to
3866 validate the object. Default: use the max_stale global limit.
3867
3868 Basically a cached object is:
3869
3870 FRESH if expires < now, else STALE
3871 STALE if age > max
3872 FRESH if lm-factor < percent, else STALE
3873 FRESH if age < min
3874 else STALE
3875
3876 The refresh_pattern lines are checked in the order listed here.
3877 The first entry which matches is used. If none of the entries
3878 match the default will be used.
3879
3880 Note, you must uncomment all the default lines if you want
3881 to change one. The default setting is only active if none is
3882 used.
3883
3884NOCOMMENT_START
3885
3886# Add any of your own refresh_pattern entries above these.
3887refresh_pattern ^ftp: 1440 20% 10080
3888refresh_pattern ^gopher: 1440 0% 1440
3889refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
3890refresh_pattern . 0 20% 4320
3891NOCOMMENT_END
3892DOC_END
3893
3894NAME: quick_abort_min
3895COMMENT: (KB)
3896TYPE: kb_int64_t
3897DEFAULT: 16 KB
3898LOC: Config.quickAbort.min
3899DOC_NONE
3900
3901NAME: quick_abort_max
3902COMMENT: (KB)
3903TYPE: kb_int64_t
3904DEFAULT: 16 KB
3905LOC: Config.quickAbort.max
3906DOC_NONE
3907
3908NAME: quick_abort_pct
3909COMMENT: (percent)
3910TYPE: int
3911DEFAULT: 95
3912LOC: Config.quickAbort.pct
3913DOC_START
3914 The cache by default continues downloading aborted requests
3915 which are almost completed (less than 16 KB remaining). This
3916 may be undesirable on slow (e.g. SLIP) links and/or very busy
3917 caches. Impatient users may tie up file descriptors and
3918 bandwidth by repeatedly requesting and immediately aborting
3919 downloads.
3920
3921 When the user aborts a request, Squid will check the
3922 quick_abort values to the amount of data transfered until
3923 then.
3924
3925 If the transfer has less than 'quick_abort_min' KB remaining,
3926 it will finish the retrieval.
3927
3928 If the transfer has more than 'quick_abort_max' KB remaining,
3929 it will abort the retrieval.
3930
3931 If more than 'quick_abort_pct' of the transfer has completed,
3932 it will finish the retrieval.
3933
3934 If you do not want any retrieval to continue after the client
3935 has aborted, set both 'quick_abort_min' and 'quick_abort_max'
3936 to '0 KB'.
3937
3938 If you want retrievals to always continue if they are being
3939 cached set 'quick_abort_min' to '-1 KB'.
3940DOC_END
3941
3942NAME: read_ahead_gap
3943COMMENT: buffer-size
3944TYPE: b_int64_t
3945LOC: Config.readAheadGap
3946DEFAULT: 16 KB
3947DOC_START
3948 The amount of data the cache will buffer ahead of what has been
3949 sent to the client when retrieving an object from another server.
3950DOC_END
3951
3952NAME: negative_ttl
3953IFDEF: USE_HTTP_VIOLATIONS
3954COMMENT: time-units
3955TYPE: time_t
3956LOC: Config.negativeTtl
3957DEFAULT: 0 seconds
3958DOC_START
3959 Set the Default Time-to-Live (TTL) for failed requests.
3960 Certain types of failures (such as "connection refused" and
3961 "404 Not Found") are able to be negatively-cached for a short time.
3962 Modern web servers should provide Expires: header, however if they
3963 do not this can provide a minimum TTL.
3964 The default is not to cache errors with unknown expiry details.
3965
3966 Note that this is different from negative caching of DNS lookups.
3967
3968 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3969 this feature could make you liable for problems which it
3970 causes.
3971DOC_END
3972
3973NAME: positive_dns_ttl
3974COMMENT: time-units
3975TYPE: time_t
3976LOC: Config.positiveDnsTtl
3977DEFAULT: 6 hours
3978DOC_START
3979 Upper limit on how long Squid will cache positive DNS responses.
3980 Default is 6 hours (360 minutes). This directive must be set
3981 larger than negative_dns_ttl.
3982DOC_END
3983
3984NAME: negative_dns_ttl
3985COMMENT: time-units
3986TYPE: time_t
3987LOC: Config.negativeDnsTtl
3988DEFAULT: 1 minutes
3989DOC_START
3990 Time-to-Live (TTL) for negative caching of failed DNS lookups.
3991 This also sets the lower cache limit on positive lookups.
3992 Minimum value is 1 second, and it is not recommendable to go
3993 much below 10 seconds.
3994DOC_END
3995
3996NAME: range_offset_limit
3997COMMENT: size [acl acl...]
3998TYPE: acl_b_size_t
3999LOC: Config.rangeOffsetLimit
4000DEFAULT: none
4001DOC_START
4002 usage: (size) [units] [[!]aclname]
4003
4004 Sets an upper limit on how far (number of bytes) into the file
4005 a Range request may be to cause Squid to prefetch the whole file.
4006 If beyond this limit, Squid forwards the Range request as it is and
4007 the result is NOT cached.
4008
4009 This is to stop a far ahead range request (lets say start at 17MB)
4010 from making Squid fetch the whole object up to that point before
4011 sending anything to the client.
4012
4013 Multiple range_offset_limit lines may be specified, and they will
4014 be searched from top to bottom on each request until a match is found.
4015 The first match found will be used. If no line matches a request, the
4016 default limit of 0 bytes will be used.
4017
4018 'size' is the limit specified as a number of units.
4019
4020 'units' specifies whether to use bytes, KB, MB, etc.
4021 If no units are specified bytes are assumed.
4022
4023 A size of 0 causes Squid to never fetch more than the
4024 client requested. (default)
4025
4026 A size of 'none' causes Squid to always fetch the object from the
4027 beginning so it may cache the result. (2.0 style)
4028
4029 'aclname' is the name of a defined ACL.
4030
4031 NP: Using 'none' as the byte value here will override any quick_abort settings
4032 that may otherwise apply to the range request. The range request will
4033 be fully fetched from start to finish regardless of the client
4034 actions. This affects bandwidth usage.
4035DOC_END
4036
4037NAME: minimum_expiry_time
4038COMMENT: (seconds)
4039TYPE: time_t
4040LOC: Config.minimum_expiry_time
4041DEFAULT: 60 seconds
4042DOC_START
4043 The minimum caching time according to (Expires - Date)
4044 Headers Squid honors if the object can't be revalidated
4045 defaults to 60 seconds. In reverse proxy environments it
4046 might be desirable to honor shorter object lifetimes. It
4047 is most likely better to make your server return a
4048 meaningful Last-Modified header however. In ESI environments
4049 where page fragments often have short lifetimes, this will
4050 often be best set to 0.
4051DOC_END
4052
4053NAME: store_avg_object_size
4054COMMENT: (kbytes)
4055TYPE: kb_int64_t
4056DEFAULT: 13 KB
4057LOC: Config.Store.avgObjectSize
4058DOC_START
4059 Average object size, used to estimate number of objects your
4060 cache can hold. The default is 13 KB.
4061DOC_END
4062
4063NAME: store_objects_per_bucket
4064TYPE: int
4065DEFAULT: 20
4066LOC: Config.Store.objectsPerBucket
4067DOC_START
4068 Target number of objects per bucket in the store hash table.
4069 Lowering this value increases the total number of buckets and
4070 also the storage maintenance rate. The default is 20.
4071DOC_END
4072
4073COMMENT_START
4074 HTTP OPTIONS
4075 -----------------------------------------------------------------------------
4076COMMENT_END
4077
4078NAME: request_header_max_size
4079COMMENT: (KB)
4080TYPE: b_size_t
4081DEFAULT: 64 KB
4082LOC: Config.maxRequestHeaderSize
4083DOC_START
4084 This specifies the maximum size for HTTP headers in a request.
4085 Request headers are usually relatively small (about 512 bytes).
4086 Placing a limit on the request header size will catch certain
4087 bugs (for example with persistent connections) and possibly
4088 buffer-overflow or denial-of-service attacks.
4089DOC_END
4090
4091NAME: reply_header_max_size
4092COMMENT: (KB)
4093TYPE: b_size_t
4094DEFAULT: 64 KB
4095LOC: Config.maxReplyHeaderSize
4096DOC_START
4097 This specifies the maximum size for HTTP headers in a reply.
4098 Reply headers are usually relatively small (about 512 bytes).
4099 Placing a limit on the reply header size will catch certain
4100 bugs (for example with persistent connections) and possibly
4101 buffer-overflow or denial-of-service attacks.
4102DOC_END
4103
4104NAME: request_body_max_size
4105COMMENT: (bytes)
4106TYPE: b_int64_t
4107DEFAULT: 0 KB
4108LOC: Config.maxRequestBodySize
4109DOC_START
4110 This specifies the maximum size for an HTTP request body.
4111 In other words, the maximum size of a PUT/POST request.
4112 A user who attempts to send a request with a body larger
4113 than this limit receives an "Invalid Request" error message.
4114 If you set this parameter to a zero (the default), there will
4115 be no limit imposed.
4116DOC_END
4117
4118NAME: client_request_buffer_max_size
4119COMMENT: (bytes)
4120TYPE: b_size_t
4121DEFAULT: 512 KB
4122LOC: Config.maxRequestBufferSize
4123DOC_START
4124 This specifies the maximum buffer size of a client request.
4125 It prevents squid eating too much memory when somebody uploads
4126 a large file.
4127DOC_END
4128
4129NAME: chunked_request_body_max_size
4130COMMENT: (bytes)
4131TYPE: b_int64_t
4132DEFAULT: 64 KB
4133LOC: Config.maxChunkedRequestBodySize
4134DOC_START
4135 A broken or confused HTTP/1.1 client may send a chunked HTTP
4136 request to Squid. Squid does not have full support for that
4137 feature yet. To cope with such requests, Squid buffers the
4138 entire request and then dechunks request body to create a
4139 plain HTTP/1.0 request with a known content length. The plain
4140 request is then used by the rest of Squid code as usual.
4141
4142 The option value specifies the maximum size of the buffer used
4143 to hold the request before the conversion. If the chunked
4144 request size exceeds the specified limit, the conversion
4145 fails, and the client receives an "unsupported request" error,
4146 as if dechunking was disabled.
4147
4148 Dechunking is enabled by default. To disable conversion of
4149 chunked requests, set the maximum to zero.
4150
4151 Request dechunking feature and this option in particular are a
4152 temporary hack. When chunking requests and responses are fully
4153 supported, there will be no need to buffer a chunked request.
4154DOC_END
4155
4156NAME: broken_posts
4157IFDEF: USE_HTTP_VIOLATIONS
4158TYPE: acl_access
4159DEFAULT: none
4160LOC: Config.accessList.brokenPosts
4161DOC_START
4162 A list of ACL elements which, if matched, causes Squid to send
4163 an extra CRLF pair after the body of a PUT/POST request.
4164
4165 Some HTTP servers has broken implementations of PUT/POST,
4166 and rely on an extra CRLF pair sent by some WWW clients.
4167
4168 Quote from RFC2616 section 4.1 on this matter:
4169
4170 Note: certain buggy HTTP/1.0 client implementations generate an
4171 extra CRLF's after a POST request. To restate what is explicitly
4172 forbidden by the BNF, an HTTP/1.1 client must not preface or follow
4173 a request with an extra CRLF.
4174
4175 This clause only supports fast acl types.
4176 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
4177
4178Example:
4179 acl buggy_server url_regex ^http://....
4180 broken_posts allow buggy_server
4181DOC_END
4182
4183NAME: adaptation_uses_indirect_client icap_uses_indirect_client
4184COMMENT: on|off
4185TYPE: onoff
4186IFDEF: FOLLOW_X_FORWARDED_FOR&&USE_ADAPTATION
4187DEFAULT: on
4188LOC: Adaptation::Config::use_indirect_client
4189DOC_START
4190 Controls whether the indirect client IP address (instead of the direct
4191 client IP address) is passed to adaptation services.
4192
4193 See also: follow_x_forwarded_for adaptation_send_client_ip
4194DOC_END
4195
4196NAME: via
4197IFDEF: USE_HTTP_VIOLATIONS
4198COMMENT: on|off
4199TYPE: onoff
4200DEFAULT: on
4201LOC: Config.onoff.via
4202DOC_START
4203 If set (default), Squid will include a Via header in requests and
4204 replies as required by RFC2616.
4205DOC_END
4206
4207NAME: ie_refresh
4208COMMENT: on|off
4209TYPE: onoff
4210LOC: Config.onoff.ie_refresh
4211DEFAULT: off
4212DOC_START
4213 Microsoft Internet Explorer up until version 5.5 Service
4214 Pack 1 has an issue with transparent proxies, wherein it
4215 is impossible to force a refresh. Turning this on provides
4216 a partial fix to the problem, by causing all IMS-REFRESH
4217 requests from older IE versions to check the origin server
4218 for fresh content. This reduces hit ratio by some amount
4219 (~10% in my experience), but allows users to actually get
4220 fresh content when they want it. Note because Squid
4221 cannot tell if the user is using 5.5 or 5.5SP1, the behavior
4222 of 5.5 is unchanged from old versions of Squid (i.e. a
4223 forced refresh is impossible). Newer versions of IE will,
4224 hopefully, continue to have the new behavior and will be
4225 handled based on that assumption. This option defaults to
4226 the old Squid behavior, which is better for hit ratios but
4227 worse for clients using IE, if they need to be able to
4228 force fresh content.
4229DOC_END
4230
4231NAME: vary_ignore_expire
4232COMMENT: on|off
4233TYPE: onoff
4234LOC: Config.onoff.vary_ignore_expire
4235DEFAULT: off
4236DOC_START
4237 Many HTTP servers supporting Vary gives such objects
4238 immediate expiry time with no cache-control header
4239 when requested by a HTTP/1.0 client. This option
4240 enables Squid to ignore such expiry times until
4241 HTTP/1.1 is fully implemented.
4242
4243 WARNING: If turned on this may eventually cause some
4244 varying objects not intended for caching to get cached.
4245DOC_END
4246
4247NAME: request_entities
4248TYPE: onoff
4249LOC: Config.onoff.request_entities
4250DEFAULT: off
4251DOC_START
4252 Squid defaults to deny GET and HEAD requests with request entities,
4253 as the meaning of such requests are undefined in the HTTP standard
4254 even if not explicitly forbidden.
4255
4256 Set this directive to on if you have clients which insists
4257 on sending request entities in GET or HEAD requests. But be warned
4258 that there is server software (both proxies and web servers) which
4259 can fail to properly process this kind of request which may make you
4260 vulnerable to cache pollution attacks if enabled.
4261DOC_END
4262
4263NAME: request_header_access
4264IFDEF: USE_HTTP_VIOLATIONS
4265TYPE: http_header_access[]
4266LOC: Config.request_header_access
4267DEFAULT: none
4268DOC_START
4269 Usage: request_header_access header_name allow|deny [!]aclname ...
4270
4271 WARNING: Doing this VIOLATES the HTTP standard. Enabling
4272 this feature could make you liable for problems which it
4273 causes.
4274
4275 This option replaces the old 'anonymize_headers' and the
4276 older 'http_anonymizer' option with something that is much
4277 more configurable. This new method creates a list of ACLs
4278 for each header, allowing you very fine-tuned header
4279 mangling.
4280
4281 This option only applies to request headers, i.e., from the
4282 client to the server.
4283
4284 You can only specify known headers for the header name.
4285 Other headers are reclassified as 'Other'. You can also
4286 refer to all the headers with 'All'.
4287
4288 For example, to achieve the same behavior as the old
4289 'http_anonymizer standard' option, you should use:
4290
4291 request_header_access From deny all
4292 request_header_access Referer deny all
4293 request_header_access Server deny all
4294 request_header_access User-Agent deny all
4295 request_header_access WWW-Authenticate deny all
4296 request_header_access Link deny all
4297
4298 Or, to reproduce the old 'http_anonymizer paranoid' feature
4299 you should use:
4300
4301 request_header_access Allow allow all
4302 request_header_access Authorization allow all
4303 request_header_access WWW-Authenticate allow all
4304 request_header_access Proxy-Authorization allow all
4305 request_header_access Proxy-Authenticate allow all
4306 request_header_access Cache-Control allow all
4307 request_header_access Content-Encoding allow all
4308 request_header_access Content-Length allow all
4309 request_header_access Content-Type allow all
4310 request_header_access Date allow all
4311 request_header_access Expires allow all
4312 request_header_access Host allow all
4313 request_header_access If-Modified-Since allow all
4314 request_header_access Last-Modified allow all
4315 request_header_access Location allow all
4316 request_header_access Pragma allow all
4317 request_header_access Accept allow all
4318 request_header_access Accept-Charset allow all
4319 request_header_access Accept-Encoding allow all
4320 request_header_access Accept-Language allow all
4321 request_header_access Content-Language allow all
4322 request_header_access Mime-Version allow all
4323 request_header_access Retry-After allow all
4324 request_header_access Title allow all
4325 request_header_access Connection allow all
4326 request_header_access All deny all
4327
4328 although many of those are HTTP reply headers, and so should be
4329 controlled with the reply_header_access directive.
4330
4331 By default, all headers are allowed (no anonymizing is
4332 performed).
4333DOC_END
4334
4335NAME: reply_header_access
4336IFDEF: USE_HTTP_VIOLATIONS
4337TYPE: http_header_access[]
4338LOC: Config.reply_header_access
4339DEFAULT: none
4340DOC_START
4341 Usage: reply_header_access header_name allow|deny [!]aclname ...
4342
4343 WARNING: Doing this VIOLATES the HTTP standard. Enabling
4344 this feature could make you liable for problems which it
4345 causes.
4346
4347 This option only applies to reply headers, i.e., from the
4348 server to the client.
4349
4350 This is the same as request_header_access, but in the other
4351 direction.
4352
4353 This option replaces the old 'anonymize_headers' and the
4354 older 'http_anonymizer' option with something that is much
4355 more configurable. This new method creates a list of ACLs
4356 for each header, allowing you very fine-tuned header
4357 mangling.
4358
4359 You can only specify known headers for the header name.
4360 Other headers are reclassified as 'Other'. You can also
4361 refer to all the headers with 'All'.
4362
4363 For example, to achieve the same behavior as the old
4364 'http_anonymizer standard' option, you should use:
4365
4366 reply_header_access From deny all
4367 reply_header_access Referer deny all
4368 reply_header_access Server deny all
4369 reply_header_access User-Agent deny all
4370 reply_header_access WWW-Authenticate deny all
4371 reply_header_access Link deny all
4372
4373 Or, to reproduce the old 'http_anonymizer paranoid' feature
4374 you should use:
4375
4376 reply_header_access Allow allow all
4377 reply_header_access Authorization allow all
4378 reply_header_access WWW-Authenticate allow all
4379 reply_header_access Proxy-Authorization allow all
4380 reply_header_access Proxy-Authenticate allow all
4381 reply_header_access Cache-Control allow all
4382 reply_header_access Content-Encoding allow all
4383 reply_header_access Content-Length allow all
4384 reply_header_access Content-Type allow all
4385 reply_header_access Date allow all
4386 reply_header_access Expires allow all
4387 reply_header_access Host allow all
4388 reply_header_access If-Modified-Since allow all
4389 reply_header_access Last-Modified allow all
4390 reply_header_access Location allow all
4391 reply_header_access Pragma allow all
4392 reply_header_access Accept allow all
4393 reply_header_access Accept-Charset allow all
4394 reply_header_access Accept-Encoding allow all
4395 reply_header_access Accept-Language allow all
4396 reply_header_access Content-Language allow all
4397 reply_header_access Mime-Version allow all
4398 reply_header_access Retry-After allow all
4399 reply_header_access Title allow all
4400 reply_header_access Connection allow all
4401 reply_header_access All deny all
4402
4403 although the HTTP request headers won't be usefully controlled
4404 by this directive -- see request_header_access for details.
4405
4406 By default, all headers are allowed (no anonymizing is
4407 performed).
4408DOC_END
4409
4410NAME: request_header_replace header_replace
4411IFDEF: USE_HTTP_VIOLATIONS
4412TYPE: http_header_replace[]
4413LOC: Config.request_header_access
4414DEFAULT: none
4415DOC_START
4416 Usage: request_header_replace header_name message
4417 Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
4418
4419 This option allows you to change the contents of headers
4420 denied with request_header_access above, by replacing them
4421 with some fixed string. This replaces the old fake_user_agent
4422 option.
4423
4424 This only applies to request headers, not reply headers.
4425
4426 By default, headers are removed if denied.
4427DOC_END
4428
4429NAME: reply_header_replace
4430IFDEF: USE_HTTP_VIOLATIONS
4431TYPE: http_header_replace[]
4432LOC: Config.reply_header_access
4433DEFAULT: none
4434DOC_START
4435 Usage: reply_header_replace header_name message
4436 Example: reply_header_replace Server Foo/1.0
4437
4438 This option allows you to change the contents of headers
4439 denied with reply_header_access above, by replacing them
4440 with some fixed string.
4441
4442 This only applies to reply headers, not request headers.
4443
4444 By default, headers are removed if denied.
4445DOC_END
4446
4447NAME: relaxed_header_parser
4448COMMENT: on|off|warn
4449TYPE: tristate
4450LOC: Config.onoff.relaxed_header_parser
4451DEFAULT: on
4452DOC_START
4453 In the default "on" setting Squid accepts certain forms
4454 of non-compliant HTTP messages where it is unambiguous
4455 what the sending application intended even if the message
4456 is not correctly formatted. The messages is then normalized
4457 to the correct form when forwarded by Squid.
4458
4459 If set to "warn" then a warning will be emitted in cache.log
4460 each time such HTTP error is encountered.
4461
4462 If set to "off" then such HTTP errors will cause the request
4463 or response to be rejected.
4464DOC_END
4465
4466COMMENT_START
4467 TIMEOUTS
4468 -----------------------------------------------------------------------------
4469COMMENT_END
4470
4471NAME: forward_timeout
4472COMMENT: time-units
4473TYPE: time_t
4474LOC: Config.Timeout.forward
4475DEFAULT: 4 minutes
4476DOC_START
4477 This parameter specifies how long Squid should at most attempt in
4478 finding a forwarding path for the request before giving up.
4479DOC_END
4480
4481NAME: connect_timeout
4482COMMENT: time-units
4483TYPE: time_t
4484LOC: Config.Timeout.connect
4485DEFAULT: 1 minute
4486DOC_START
4487 This parameter specifies how long to wait for the TCP connect to
4488 the requested server or peer to complete before Squid should
4489 attempt to find another path where to forward the request.
4490DOC_END
4491
4492NAME: peer_connect_timeout
4493COMMENT: time-units
4494TYPE: time_t
4495LOC: Config.Timeout.peer_connect
4496DEFAULT: 30 seconds
4497DOC_START
4498 This parameter specifies how long to wait for a pending TCP
4499 connection to a peer cache. The default is 30 seconds. You
4500 may also set different timeout values for individual neighbors
4501 with the 'connect-timeout' option on a 'cache_peer' line.
4502DOC_END
4503
4504NAME: read_timeout
4505COMMENT: time-units
4506TYPE: time_t
4507LOC: Config.Timeout.read
4508DEFAULT: 15 minutes
4509DOC_START
4510 The read_timeout is applied on server-side connections. After
4511 each successful read(), the timeout will be extended by this
4512 amount. If no data is read again after this amount of time,
4513 the request is aborted and logged with ERR_READ_TIMEOUT. The
4514 default is 15 minutes.
4515DOC_END
4516
4517NAME: write_timeout
4518COMMENT: time-units
4519TYPE: time_t
4520LOC: Config.Timeout.write
4521DEFAULT: 15 minutes
4522DOC_START
4523 This timeout is tracked for all connections that have data
4524 available for writing and are waiting for the socket to become
4525 ready. After each successful write, the timeout is extended by
4526 the configured amount. If Squid has data to write but the
4527 connection is not ready for the configured duration, the
4528 transaction associated with the connection is terminated. The
4529 default is 15 minutes.
4530DOC_END
4531
4532NAME: request_timeout
4533TYPE: time_t
4534LOC: Config.Timeout.request
4535DEFAULT: 5 minutes
4536DOC_START
4537 How long to wait for an HTTP request after initial
4538 connection establishment.
4539DOC_END
4540
4541NAME: persistent_request_timeout
4542TYPE: time_t
4543LOC: Config.Timeout.persistent_request
4544DEFAULT: 2 minutes
4545DOC_START
4546 How long to wait for the next HTTP request on a persistent
4547 connection after the previous request completes.
4548DOC_END
4549
4550NAME: client_lifetime
4551COMMENT: time-units
4552TYPE: time_t
4553LOC: Config.Timeout.lifetime
4554DEFAULT: 1 day
4555DOC_START
4556 The maximum amount of time a client (browser) is allowed to
4557 remain connected to the cache process. This protects the Cache
4558 from having a lot of sockets (and hence file descriptors) tied up
4559 in a CLOSE_WAIT state from remote clients that go away without
4560 properly shutting down (either because of a network failure or
4561 because of a poor client implementation). The default is one
4562 day, 1440 minutes.
4563
4564 NOTE: The default value is intended to be much larger than any
4565 client would ever need to be connected to your cache. You
4566 should probably change client_lifetime only as a last resort.
4567 If you seem to have many client connections tying up
4568 filedescriptors, we recommend first tuning the read_timeout,
4569 request_timeout, persistent_request_timeout and quick_abort values.
4570DOC_END
4571
4572NAME: half_closed_clients
4573TYPE: onoff
4574LOC: Config.onoff.half_closed_clients
4575DEFAULT: off
4576DOC_START
4577 Some clients may shutdown the sending side of their TCP
4578 connections, while leaving their receiving sides open. Sometimes,
4579 Squid can not tell the difference between a half-closed and a
4580 fully-closed TCP connection.
4581
4582 By default, Squid will immediately close client connections when
4583 read(2) returns "no more data to read."
4584
4585 Change this option to 'on' and Squid will keep open connections
4586 until a read(2) or write(2) on the socket returns an error.
4587 This may show some benefits for reverse proxies. But if not
4588 it is recommended to leave OFF.
4589DOC_END
4590
4591NAME: pconn_timeout
4592TYPE: time_t
4593LOC: Config.Timeout.pconn
4594DEFAULT: 1 minute
4595DOC_START
4596 Timeout for idle persistent connections to servers and other
4597 proxies.
4598DOC_END
4599
4600NAME: ident_timeout
4601TYPE: time_t
4602IFDEF: USE_IDENT
4603LOC: Ident::TheConfig.timeout
4604DEFAULT: 10 seconds
4605DOC_START
4606 Maximum time to wait for IDENT lookups to complete.
4607
4608 If this is too high, and you enabled IDENT lookups from untrusted
4609 users, you might be susceptible to denial-of-service by having
4610 many ident requests going at once.
4611DOC_END
4612
4613NAME: shutdown_lifetime
4614COMMENT: time-units
4615TYPE: time_t
4616LOC: Config.shutdownLifetime
4617DEFAULT: 30 seconds
4618DOC_START
4619 When SIGTERM or SIGHUP is received, the cache is put into
4620 "shutdown pending" mode until all active sockets are closed.
4621 This value is the lifetime to set for all open descriptors
4622 during shutdown mode. Any active clients after this many
4623 seconds will receive a 'timeout' message.
4624DOC_END
4625
4626COMMENT_START
4627 ADMINISTRATIVE PARAMETERS
4628 -----------------------------------------------------------------------------
4629COMMENT_END
4630
4631NAME: cache_mgr
4632TYPE: string
4633DEFAULT: webmaster
4634LOC: Config.adminEmail
4635DOC_START
4636 Email-address of local cache manager who will receive
4637 mail if the cache dies. The default is "webmaster."
4638DOC_END
4639
4640NAME: mail_from
4641TYPE: string
4642DEFAULT: none
4643LOC: Config.EmailFrom
4644DOC_START
4645 From: email-address for mail sent when the cache dies.
4646 The default is to use 'appname@unique_hostname'.
4647 Default appname value is "squid", can be changed into
4648 src/globals.h before building squid.
4649DOC_END
4650
4651NAME: mail_program
4652TYPE: eol
4653DEFAULT: mail
4654LOC: Config.EmailProgram
4655DOC_START
4656 Email program used to send mail if the cache dies.
4657 The default is "mail". The specified program must comply
4658 with the standard Unix mail syntax:
4659 mail-program recipient < mailfile
4660
4661 Optional command line options can be specified.
4662DOC_END
4663
4664NAME: cache_effective_user
4665TYPE: string
4666DEFAULT: @DEFAULT_CACHE_EFFECTIVE_USER@
4667LOC: Config.effectiveUser
4668DOC_START
4669 If you start Squid as root, it will change its effective/real
4670 UID/GID to the user specified below. The default is to change
4671 to UID of @DEFAULT_CACHE_EFFECTIVE_USER@.
4672 see also; cache_effective_group
4673DOC_END
4674
4675NAME: cache_effective_group
4676TYPE: string
4677DEFAULT: none
4678LOC: Config.effectiveGroup
4679DOC_START
4680 Squid sets the GID to the effective user's default group ID
4681 (taken from the password file) and supplementary group list
4682 from the groups membership.
4683
4684 If you want Squid to run with a specific GID regardless of
4685 the group memberships of the effective user then set this
4686 to the group (or GID) you want Squid to run as. When set
4687 all other group privileges of the effective user are ignored
4688 and only this GID is effective. If Squid is not started as
4689 root the user starting Squid MUST be member of the specified
4690 group.
4691
4692 This option is not recommended by the Squid Team.
4693 Our preference is for administrators to configure a secure
4694 user account for squid with UID/GID matching system policies.
4695DOC_END
4696
4697NAME: httpd_suppress_version_string
4698COMMENT: on|off
4699TYPE: onoff
4700DEFAULT: off
4701LOC: Config.onoff.httpd_suppress_version_string
4702DOC_START
4703 Suppress Squid version string info in HTTP headers and HTML error pages.
4704DOC_END
4705
4706NAME: visible_hostname
4707TYPE: string
4708LOC: Config.visibleHostname
4709DEFAULT: none
4710DOC_START
4711 If you want to present a special hostname in error messages, etc,
4712 define this. Otherwise, the return value of gethostname()
4713 will be used. If you have multiple caches in a cluster and
4714 get errors about IP-forwarding you must set them to have individual
4715 names with this setting.
4716DOC_END
4717
4718NAME: unique_hostname
4719TYPE: string
4720LOC: Config.uniqueHostname
4721DEFAULT: none
4722DOC_START
4723 If you want to have multiple machines with the same
4724 'visible_hostname' you must give each machine a different
4725 'unique_hostname' so forwarding loops can be detected.
4726DOC_END
4727
4728NAME: hostname_aliases
4729TYPE: wordlist
4730LOC: Config.hostnameAliases
4731DEFAULT: none
4732DOC_START
4733 A list of other DNS names your cache has.
4734DOC_END
4735
4736NAME: umask
4737TYPE: int
4738LOC: Config.umask
4739DEFAULT: 027
4740DOC_START
4741 Minimum umask which should be enforced while the proxy
4742 is running, in addition to the umask set at startup.
4743
4744 For a traditional octal representation of umasks, start
4745 your value with 0.
4746DOC_END
4747
4748COMMENT_START
4749 OPTIONS FOR THE CACHE REGISTRATION SERVICE
4750 -----------------------------------------------------------------------------
4751
4752 This section contains parameters for the (optional) cache
4753 announcement service. This service is provided to help
4754 cache administrators locate one another in order to join or
4755 create cache hierarchies.
4756
4757 An 'announcement' message is sent (via UDP) to the registration
4758 service by Squid. By default, the announcement message is NOT
4759 SENT unless you enable it with 'announce_period' below.
4760
4761 The announcement message includes your hostname, plus the
4762 following information from this configuration file:
4763
4764 http_port
4765 icp_port
4766 cache_mgr
4767
4768 All current information is processed regularly and made
4769 available on the Web at http://www.ircache.net/Cache/Tracker/.
4770COMMENT_END
4771
4772NAME: announce_period
4773TYPE: time_t
4774LOC: Config.Announce.period
4775DEFAULT: 0
4776DOC_START
4777 This is how frequently to send cache announcements. The
4778 default is `0' which disables sending the announcement
4779 messages.
4780
4781 To enable announcing your cache, just set an announce period.
4782
4783 Example:
4784 announce_period 1 day
4785DOC_END
4786
4787NAME: announce_host
4788TYPE: string
4789DEFAULT: tracker.ircache.net
4790LOC: Config.Announce.host
4791DOC_NONE
4792
4793NAME: announce_file
4794TYPE: string
4795DEFAULT: none
4796LOC: Config.Announce.file
4797DOC_NONE
4798
4799NAME: announce_port
4800TYPE: u_short
4801DEFAULT: 3131
4802LOC: Config.Announce.port
4803DOC_START
4804 announce_host and announce_port set the hostname and port
4805 number where the registration message will be sent.
4806
4807 Hostname will default to 'tracker.ircache.net' and port will
4808 default default to 3131. If the 'filename' argument is given,
4809 the contents of that file will be included in the announce
4810 message.
4811DOC_END
4812
4813COMMENT_START
4814 HTTPD-ACCELERATOR OPTIONS
4815 -----------------------------------------------------------------------------
4816COMMENT_END
4817
4818NAME: httpd_accel_surrogate_id
4819TYPE: string
4820DEFAULT: none
4821LOC: Config.Accel.surrogate_id
4822DOC_START
4823 Surrogates (http://www.esi.org/architecture_spec_1.0.html)
4824 need an identification token to allow control targeting. Because
4825 a farm of surrogates may all perform the same tasks, they may share
4826 an identification token.
4827
4828 The default ID is the visible_hostname
4829DOC_END
4830
4831NAME: http_accel_surrogate_remote
4832COMMENT: on|off
4833TYPE: onoff
4834DEFAULT: off
4835LOC: Config.onoff.surrogate_is_remote
4836DOC_START
4837 Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
4838 Set this to on to have squid behave as a remote surrogate.
4839DOC_END
4840
4841NAME: esi_parser
4842IFDEF: USE_SQUID_ESI
4843COMMENT: libxml2|expat|custom
4844TYPE: string
4845LOC: ESIParser::Type
4846DEFAULT: custom
4847DOC_START
4848 ESI markup is not strictly XML compatible. The custom ESI parser
4849 will give higher performance, but cannot handle non ASCII character
4850 encodings.
4851DOC_END
4852
4853COMMENT_START
4854 DELAY POOL PARAMETERS
4855 -----------------------------------------------------------------------------
4856COMMENT_END
4857
4858NAME: delay_pools
4859TYPE: delay_pool_count
4860DEFAULT: 0
4861IFDEF: USE_DELAY_POOLS
4862LOC: Config.Delay
4863DOC_START
4864 This represents the number of delay pools to be used. For example,
4865 if you have one class 2 delay pool and one class 3 delays pool, you
4866 have a total of 2 delay pools.
4867DOC_END
4868
4869NAME: delay_class
4870TYPE: delay_pool_class
4871DEFAULT: none
4872IFDEF: USE_DELAY_POOLS
4873LOC: Config.Delay
4874DOC_START
4875 This defines the class of each delay pool. There must be exactly one
4876 delay_class line for each delay pool. For example, to define two
4877 delay pools, one of class 2 and one of class 3, the settings above
4878 and here would be:
4879
4880 Example:
4881 delay_pools 4 # 4 delay pools
4882 delay_class 1 2 # pool 1 is a class 2 pool
4883 delay_class 2 3 # pool 2 is a class 3 pool
4884 delay_class 3 4 # pool 3 is a class 4 pool
4885 delay_class 4 5 # pool 4 is a class 5 pool
4886
4887 The delay pool classes are:
4888
4889 class 1 Everything is limited by a single aggregate
4890 bucket.
4891
4892 class 2 Everything is limited by a single aggregate
4893 bucket as well as an "individual" bucket chosen
4894 from bits 25 through 32 of the IPv4 address.
4895
4896 class 3 Everything is limited by a single aggregate
4897 bucket as well as a "network" bucket chosen
4898 from bits 17 through 24 of the IP address and a
4899 "individual" bucket chosen from bits 17 through
4900 32 of the IPv4 address.
4901
4902 class 4 Everything in a class 3 delay pool, with an
4903 additional limit on a per user basis. This
4904 only takes effect if the username is established
4905 in advance - by forcing authentication in your
4906 http_access rules.
4907
4908 class 5 Requests are grouped according their tag (see
4909 external_acl's tag= reply).
4910
4911
4912 Each pool also requires a delay_parameters directive to configure the pool size
4913 and speed limits used whenever the pool is applied to a request. Along with
4914 a set of delay_access directives to determine when it is used.
4915
4916 NOTE: If an IP address is a.b.c.d
4917 -> bits 25 through 32 are "d"
4918 -> bits 17 through 24 are "c"
4919 -> bits 17 through 32 are "c * 256 + d"
4920
4921 NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
4922 IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
4923DOC_END
4924
4925NAME: delay_access
4926TYPE: delay_pool_access
4927DEFAULT: none
4928IFDEF: USE_DELAY_POOLS
4929LOC: Config.Delay
4930DOC_START
4931 This is used to determine which delay pool a request falls into.
4932
4933 delay_access is sorted per pool and the matching starts with pool 1,
4934 then pool 2, ..., and finally pool N. The first delay pool where the
4935 request is allowed is selected for the request. If it does not allow
4936 the request to any pool then the request is not delayed (default).
4937
4938 For example, if you want some_big_clients in delay
4939 pool 1 and lotsa_little_clients in delay pool 2:
4940
4941Example:
4942 delay_access 1 allow some_big_clients
4943 delay_access 1 deny all
4944 delay_access 2 allow lotsa_little_clients
4945 delay_access 2 deny all
4946 delay_access 3 allow authenticated_clients
4947DOC_END
4948
4949NAME: delay_parameters
4950TYPE: delay_pool_rates
4951DEFAULT: none
4952IFDEF: USE_DELAY_POOLS
4953LOC: Config.Delay
4954DOC_START
4955 This defines the parameters for a delay pool. Each delay pool has
4956 a number of "buckets" associated with it, as explained in the
4957 description of delay_class.
4958
4959 For a class 1 delay pool, the syntax is:
4960 delay_pools pool 1
4961 delay_parameters pool aggregate
4962
4963 For a class 2 delay pool:
4964 delay_pools pool 2
4965 delay_parameters pool aggregate individual
4966
4967 For a class 3 delay pool:
4968 delay_pools pool 3
4969 delay_parameters pool aggregate network individual
4970
4971 For a class 4 delay pool:
4972 delay_pools pool 4
4973 delay_parameters pool aggregate network individual user
4974
4975 For a class 5 delay pool:
4976 delay_pools pool 5
4977 delay_parameters pool tagrate
4978
4979 The option variables are:
4980
4981 pool a pool number - ie, a number between 1 and the
4982 number specified in delay_pools as used in
4983 delay_class lines.
4984
4985 aggregate the speed limit parameters for the aggregate bucket
4986 (class 1, 2, 3).
4987
4988 individual the speed limit parameters for the individual
4989 buckets (class 2, 3).
4990
4991 network the speed limit parameters for the network buckets
4992 (class 3).
4993
4994 user the speed limit parameters for the user buckets
4995 (class 4).
4996
4997 tagrate the speed limit parameters for the tag buckets
4998 (class 5).
4999
5000 A pair of delay parameters is written restore/maximum, where restore is
5001 the number of bytes (not bits - modem and network speeds are usually
5002 quoted in bits) per second placed into the bucket, and maximum is the
5003 maximum number of bytes which can be in the bucket at any time.
5004
5005 There must be one delay_parameters line for each delay pool.
5006
5007
5008 For example, if delay pool number 1 is a class 2 delay pool as in the
5009 above example, and is being used to strictly limit each host to 64Kbit/sec
5010 (plus overheads), with no overall limit, the line is:
5011
5012 delay_parameters 1 -1/-1 8000/8000
5013
5014 Note that 8 x 8000 KByte/sec -> 64Kbit/sec.
5015
5016 Note that the figure -1 is used to represent "unlimited".
5017
5018
5019 And, if delay pool number 2 is a class 3 delay pool as in the above
5020 example, and you want to limit it to a total of 256Kbit/sec (strict limit)
5021 with each 8-bit network permitted 64Kbit/sec (strict limit) and each
5022 individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
5023 to permit a decent web page to be downloaded at a decent speed
5024 (if the network is not being limited due to overuse) but slow down
5025 large downloads more significantly:
5026
5027 delay_parameters 2 32000/32000 8000/8000 600/8000
5028
5029 Note that 8 x 32000 KByte/sec -> 256Kbit/sec.
5030 8 x 8000 KByte/sec -> 64Kbit/sec.
5031 8 x 600 Byte/sec -> 4800bit/sec.
5032
5033
5034 Finally, for a class 4 delay pool as in the example - each user will
5035 be limited to 128Kbits/sec no matter how many workstations they are logged into.:
5036
5037 delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
5038DOC_END
5039
5040NAME: delay_initial_bucket_level
5041COMMENT: (percent, 0-100)
5042TYPE: u_short
5043DEFAULT: 50
5044IFDEF: USE_DELAY_POOLS
5045LOC: Config.Delay.initial
5046DOC_START
5047 The initial bucket percentage is used to determine how much is put
5048 in each bucket when squid starts, is reconfigured, or first notices
5049 a host accessing it (in class 2 and class 3, individual hosts and
5050 networks only have buckets associated with them once they have been
5051 "seen" by squid).
5052DOC_END
5053
5054COMMENT_START
5055 CLIENT DELAY POOL PARAMETERS
5056 -----------------------------------------------------------------------------
5057COMMENT_END
5058
5059NAME: client_delay_pools
5060TYPE: client_delay_pool_count
5061DEFAULT: 0
5062IFDEF: USE_DELAY_POOLS
5063LOC: Config.ClientDelay
5064DOC_START
5065 This option specifies the number of client delay pools used. It must
5066 preceed other client_delay_* options.
5067
5068Example:
5069 client_delay_pools 2
5070DOC_END
5071
5072NAME: client_delay_initial_bucket_level
5073COMMENT: (percent, 0-no_limit)
5074TYPE: u_short
5075DEFAULT: 50
5076IFDEF: USE_DELAY_POOLS
5077LOC: Config.ClientDelay.initial
5078DOC_START
5079 This option determines the initial bucket size as a percentage of
5080 max_bucket_size from client_delay_parameters. Buckets are created
5081 at the time of the "first" connection from the matching IP. Idle
5082 buckets are periodically deleted up.
5083
5084 You can specify more than 100 percent but note that such "oversized"
5085 buckets are not refilled until their size goes down to max_bucket_size
5086 from client_delay_parameters.
5087
5088Example:
5089 client_delay_initial_bucket_level 50
5090DOC_END
5091
5092NAME: client_delay_parameters
5093TYPE: client_delay_pool_rates
5094DEFAULT: none
5095IFDEF: USE_DELAY_POOLS
5096LOC: Config.ClientDelay
5097DOC_START
5098
5099 This option configures client-side bandwidth limits using the
5100 following format:
5101
5102 client_delay_parameters pool speed_limit max_bucket_size
5103
5104 pool is an integer ID used for client_delay_access matching.
5105
5106 speed_limit is bytes added to the bucket per second.
5107
5108 max_bucket_size is the maximum size of a bucket, enforced after any
5109 speed_limit additions.
5110
5111 Please see the delay_parameters option for more information and
5112 examples.
5113
5114Example:
5115 client_delay_parameters 1 1024 2048
5116 client_delay_parameters 2 51200 16384
5117DOC_END
5118
5119NAME: client_delay_access
5120TYPE: client_delay_pool_access
5121DEFAULT: none
5122IFDEF: USE_DELAY_POOLS
5123LOC: Config.ClientDelay
5124DOC_START
5125
5126 This option determines the client-side delay pool for the
5127 request:
5128
5129 client_delay_access pool_ID allow|deny acl_name
5130
5131 All client_delay_access options are checked in their pool ID
5132 order, starting with pool 1. The first checked pool with allowed
5133 request is selected for the request. If no ACL matches or there
5134 are no client_delay_access options, the request bandwidth is not
5135 limited.
5136
5137 The ACL-selected pool is then used to find the
5138 client_delay_parameters for the request. Client-side pools are
5139 not used to aggregate clients. Clients are always aggregated
5140 based on their source IP addresses (one bucket per source IP).
5141
5142 Please see delay_access for more examples.
5143
5144Example:
5145 client_delay_access 1 allow low_rate_network
5146 client_delay_access 2 allow vips_network
5147DOC_END
5148
5149COMMENT_START
5150 WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
5151 -----------------------------------------------------------------------------
5152COMMENT_END
5153
5154NAME: wccp_router
5155TYPE: address
5156LOC: Config.Wccp.router
5157DEFAULT: any_addr
5158IFDEF: USE_WCCP
5159DOC_START
5160 Use this option to define your WCCP ``home'' router for
5161 Squid.
5162
5163 wccp_router supports a single WCCP(v1) router
5164
5165 wccp2_router supports multiple WCCPv2 routers
5166
5167 only one of the two may be used at the same time and defines
5168 which version of WCCP to use.
5169DOC_END
5170
5171NAME: wccp2_router
5172TYPE: IpAddress_list
5173LOC: Config.Wccp2.router
5174DEFAULT: none
5175IFDEF: USE_WCCPv2
5176DOC_START
5177 Use this option to define your WCCP ``home'' router for
5178 Squid.
5179
5180 wccp_router supports a single WCCP(v1) router
5181
5182 wccp2_router supports multiple WCCPv2 routers
5183
5184 only one of the two may be used at the same time and defines
5185 which version of WCCP to use.
5186DOC_END
5187
5188NAME: wccp_version
5189TYPE: int
5190LOC: Config.Wccp.version
5191DEFAULT: 4
5192IFDEF: USE_WCCP
5193DOC_START
5194 This directive is only relevant if you need to set up WCCP(v1)
5195 to some very old and end-of-life Cisco routers. In all other
5196 setups it must be left unset or at the default setting.
5197 It defines an internal version in the WCCP(v1) protocol,
5198 with version 4 being the officially documented protocol.
5199
5200 According to some users, Cisco IOS 11.2 and earlier only
5201 support WCCP version 3. If you're using that or an earlier
5202 version of IOS, you may need to change this value to 3, otherwise
5203 do not specify this parameter.
5204DOC_END
5205
5206NAME: wccp2_rebuild_wait
5207TYPE: onoff
5208LOC: Config.Wccp2.rebuildwait
5209DEFAULT: on
5210IFDEF: USE_WCCPv2
5211DOC_START
5212 If this is enabled Squid will wait for the cache dir rebuild to finish
5213 before sending the first wccp2 HereIAm packet
5214DOC_END
5215
5216NAME: wccp2_forwarding_method
5217TYPE: wccp2_method
5218LOC: Config.Wccp2.forwarding_method
5219DEFAULT: gre
5220IFDEF: USE_WCCPv2
5221DOC_START
5222 WCCP2 allows the setting of forwarding methods between the
5223 router/switch and the cache. Valid values are as follows:
5224
5225 gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
5226 l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
5227
5228 Currently (as of IOS 12.4) cisco routers only support GRE.
5229 Cisco switches only support the L2 redirect assignment method.
5230DOC_END
5231
5232NAME: wccp2_return_method
5233TYPE: wccp2_method
5234LOC: Config.Wccp2.return_method
5235DEFAULT: gre
5236IFDEF: USE_WCCPv2
5237DOC_START
5238 WCCP2 allows the setting of return methods between the
5239 router/switch and the cache for packets that the cache
5240 decides not to handle. Valid values are as follows:
5241
5242 gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
5243 l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
5244
5245 Currently (as of IOS 12.4) cisco routers only support GRE.
5246 Cisco switches only support the L2 redirect assignment.
5247
5248 If the "ip wccp redirect exclude in" command has been
5249 enabled on the cache interface, then it is still safe for
5250 the proxy server to use a l2 redirect method even if this
5251 option is set to GRE.
5252DOC_END
5253
5254NAME: wccp2_assignment_method
5255TYPE: wccp2_amethod
5256LOC: Config.Wccp2.assignment_method
5257DEFAULT: hash
5258IFDEF: USE_WCCPv2
5259DOC_START
5260 WCCP2 allows the setting of methods to assign the WCCP hash
5261 Valid values are as follows:
5262
5263 hash - Hash assignment
5264 mask - Mask assignment
5265
5266 As a general rule, cisco routers support the hash assignment method
5267 and cisco switches support the mask assignment method.
5268DOC_END
5269
5270NAME: wccp2_service
5271TYPE: wccp2_service
5272LOC: Config.Wccp2.info
5273DEFAULT_IF_NONE: standard 0
5274IFDEF: USE_WCCPv2
5275DOC_START
5276 WCCP2 allows for multiple traffic services. There are two
5277 types: "standard" and "dynamic". The standard type defines
5278 one service id - http (id 0). The dynamic service ids can be from
5279 51 to 255 inclusive. In order to use a dynamic service id
5280 one must define the type of traffic to be redirected; this is done
5281 using the wccp2_service_info option.
5282
5283 The "standard" type does not require a wccp2_service_info option,
5284 just specifying the service id will suffice.
5285
5286 MD5 service authentication can be enabled by adding
5287 "password=<password>" to the end of this service declaration.
5288
5289 Examples:
5290
5291 wccp2_service standard 0 # for the 'web-cache' standard service
5292 wccp2_service dynamic 80 # a dynamic service type which will be
5293 # fleshed out with subsequent options.
5294 wccp2_service standard 0 password=foo
5295DOC_END
5296
5297NAME: wccp2_service_info
5298TYPE: wccp2_service_info
5299LOC: Config.Wccp2.info
5300DEFAULT: none
5301IFDEF: USE_WCCPv2
5302DOC_START
5303 Dynamic WCCPv2 services require further information to define the
5304 traffic you wish to have diverted.
5305
5306 The format is:
5307
5308 wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
5309 priority=<priority> ports=<port>,<port>..
5310
5311 The relevant WCCPv2 flags:
5312 + src_ip_hash, dst_ip_hash
5313 + source_port_hash, dst_port_hash
5314 + src_ip_alt_hash, dst_ip_alt_hash
5315 + src_port_alt_hash, dst_port_alt_hash
5316 + ports_source
5317
5318 The port list can be one to eight entries.
5319
5320 Example:
5321
5322 wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
5323 priority=240 ports=80
5324
5325 Note: the service id must have been defined by a previous
5326 'wccp2_service dynamic <id>' entry.
5327DOC_END
5328
5329NAME: wccp2_weight
5330TYPE: int
5331LOC: Config.Wccp2.weight
5332DEFAULT: 10000
5333IFDEF: USE_WCCPv2
5334DOC_START
5335 Each cache server gets assigned a set of the destination
5336 hash proportional to their weight.
5337DOC_END
5338
5339NAME: wccp_address
5340TYPE: address
5341LOC: Config.Wccp.address
5342DEFAULT: 0.0.0.0
5343IFDEF: USE_WCCP
5344DOC_NONE
5345
5346NAME: wccp2_address
5347TYPE: address
5348LOC: Config.Wccp2.address
5349DEFAULT: 0.0.0.0
5350IFDEF: USE_WCCPv2
5351DOC_START
5352 Use this option if you require WCCP to use a specific
5353 interface address.
5354
5355 The default behavior is to not bind to any specific address.
5356DOC_END
5357
5358COMMENT_START
5359 PERSISTENT CONNECTION HANDLING
5360 -----------------------------------------------------------------------------
5361
5362 Also see "pconn_timeout" in the TIMEOUTS section
5363COMMENT_END
5364
5365NAME: client_persistent_connections
5366TYPE: onoff
5367LOC: Config.onoff.client_pconns
5368DEFAULT: on
5369DOC_NONE
5370
5371NAME: server_persistent_connections
5372TYPE: onoff
5373LOC: Config.onoff.server_pconns
5374DEFAULT: on
5375DOC_START
5376 Persistent connection support for clients and servers. By
5377 default, Squid uses persistent connections (when allowed)
5378 with its clients and servers. You can use these options to
5379 disable persistent connections with clients and/or servers.
5380DOC_END
5381
5382NAME: persistent_connection_after_error
5383TYPE: onoff
5384LOC: Config.onoff.error_pconns
5385DEFAULT: on
5386DOC_START
5387 With this directive the use of persistent connections after
5388 HTTP errors can be disabled. Useful if you have clients
5389 who fail to handle errors on persistent connections proper.
5390DOC_END
5391
5392NAME: detect_broken_pconn
5393TYPE: onoff
5394LOC: Config.onoff.detect_broken_server_pconns
5395DEFAULT: off
5396DOC_START
5397 Some servers have been found to incorrectly signal the use
5398 of HTTP/1.0 persistent connections even on replies not
5399 compatible, causing significant delays. This server problem
5400 has mostly been seen on redirects.
5401
5402 By enabling this directive Squid attempts to detect such
5403 broken replies and automatically assume the reply is finished
5404 after 10 seconds timeout.
5405DOC_END
5406
5407COMMENT_START
5408 CACHE DIGEST OPTIONS
5409 -----------------------------------------------------------------------------
5410COMMENT_END
5411
5412NAME: digest_generation
5413IFDEF: USE_CACHE_DIGESTS
5414TYPE: onoff
5415LOC: Config.onoff.digest_generation
5416DEFAULT: on
5417DOC_START
5418 This controls whether the server will generate a Cache Digest
5419 of its contents. By default, Cache Digest generation is
5420 enabled if Squid is compiled with --enable-cache-digests defined.
5421DOC_END
5422
5423NAME: digest_bits_per_entry
5424IFDEF: USE_CACHE_DIGESTS
5425TYPE: int
5426LOC: Config.digest.bits_per_entry
5427DEFAULT: 5
5428DOC_START
5429 This is the number of bits of the server's Cache Digest which
5430 will be associated with the Digest entry for a given HTTP
5431 Method and URL (public key) combination. The default is 5.
5432DOC_END
5433
5434NAME: digest_rebuild_period
5435IFDEF: USE_CACHE_DIGESTS
5436COMMENT: (seconds)
5437TYPE: time_t
5438LOC: Config.digest.rebuild_period
5439DEFAULT: 1 hour
5440DOC_START
5441 This is the wait time between Cache Digest rebuilds.
5442DOC_END
5443
5444NAME: digest_rewrite_period
5445COMMENT: (seconds)
5446IFDEF: USE_CACHE_DIGESTS
5447TYPE: time_t
5448LOC: Config.digest.rewrite_period
5449DEFAULT: 1 hour
5450DOC_START
5451 This is the wait time between Cache Digest writes to
5452 disk.
5453DOC_END
5454
5455NAME: digest_swapout_chunk_size
5456COMMENT: (bytes)
5457TYPE: b_size_t
5458IFDEF: USE_CACHE_DIGESTS
5459LOC: Config.digest.swapout_chunk_size
5460DEFAULT: 4096 bytes
5461DOC_START
5462 This is the number of bytes of the Cache Digest to write to
5463 disk at a time. It defaults to 4096 bytes (4KB), the Squid
5464 default swap page.
5465DOC_END
5466
5467NAME: digest_rebuild_chunk_percentage
5468COMMENT: (percent, 0-100)
5469IFDEF: USE_CACHE_DIGESTS
5470TYPE: int
5471LOC: Config.digest.rebuild_chunk_percentage
5472DEFAULT: 10
5473DOC_START
5474 This is the percentage of the Cache Digest to be scanned at a
5475 time. By default it is set to 10% of the Cache Digest.
5476DOC_END
5477
5478COMMENT_START
5479 SNMP OPTIONS
5480 -----------------------------------------------------------------------------
5481COMMENT_END
5482
5483NAME: snmp_port
5484TYPE: u_short
5485LOC: Config.Port.snmp
5486DEFAULT: 0
5487IFDEF: SQUID_SNMP
5488DOC_START
5489 The port number where Squid listens for SNMP requests. To enable
5490 SNMP support set this to a suitable port number. Port number
5491 3401 is often used for the Squid SNMP agent. By default it's
5492 set to "0" (disabled)
5493
5494 Example:
5495 snmp_port 3401
5496DOC_END
5497
5498NAME: snmp_access
5499TYPE: acl_access
5500LOC: Config.accessList.snmp
5501DEFAULT_IF_NONE: deny all
5502IFDEF: SQUID_SNMP
5503DOC_START
5504 Allowing or denying access to the SNMP port.
5505
5506 All access to the agent is denied by default.
5507 usage:
5508
5509 snmp_access allow|deny [!]aclname ...
5510
5511 This clause only supports fast acl types.
5512 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
5513Example:
5514 snmp_access allow snmppublic localhost
5515 snmp_access deny all
5516DOC_END
5517
5518NAME: snmp_incoming_address
5519TYPE: address
5520LOC: Config.Addrs.snmp_incoming
5521DEFAULT: any_addr
5522IFDEF: SQUID_SNMP
5523DOC_NONE
5524
5525NAME: snmp_outgoing_address
5526TYPE: address
5527LOC: Config.Addrs.snmp_outgoing
5528DEFAULT: no_addr
5529IFDEF: SQUID_SNMP
5530DOC_START
5531 Just like 'udp_incoming_address', but for the SNMP port.
5532
5533 snmp_incoming_address is used for the SNMP socket receiving
5534 messages from SNMP agents.
5535 snmp_outgoing_address is used for SNMP packets returned to SNMP
5536 agents.
5537
5538 The default snmp_incoming_address is to listen on all
5539 available network interfaces.
5540
5541 If snmp_outgoing_address is not set it will use the same socket
5542 as snmp_incoming_address. Only change this if you want to have
5543 SNMP replies sent using another address than where this Squid
5544 listens for SNMP queries.
5545
5546 NOTE, snmp_incoming_address and snmp_outgoing_address can not have
5547 the same value since they both use port 3401.
5548DOC_END
5549
5550COMMENT_START
5551 ICP OPTIONS
5552 -----------------------------------------------------------------------------
5553COMMENT_END
5554
5555NAME: icp_port udp_port
5556TYPE: u_short
5557DEFAULT: 0
5558LOC: Config.Port.icp
5559DOC_START
5560 The port number where Squid sends and receives ICP queries to
5561 and from neighbor caches. The standard UDP port for ICP is 3130.
5562 Default is disabled (0).
5563
5564 Example:
5565 icp_port @DEFAULT_ICP_PORT@
5566DOC_END
5567
5568NAME: htcp_port
5569IFDEF: USE_HTCP
5570TYPE: u_short
5571DEFAULT: 0
5572LOC: Config.Port.htcp
5573DOC_START
5574 The port number where Squid sends and receives HTCP queries to
5575 and from neighbor caches. To turn it on you want to set it to
5576 4827. By default it is set to "0" (disabled).
5577
5578 Example:
5579 htcp_port 4827
5580DOC_END
5581
5582NAME: log_icp_queries
5583COMMENT: on|off
5584TYPE: onoff
5585DEFAULT: on
5586LOC: Config.onoff.log_udp
5587DOC_START
5588 If set, ICP queries are logged to access.log. You may wish
5589 do disable this if your ICP load is VERY high to speed things
5590 up or to simplify log analysis.
5591DOC_END
5592
5593NAME: udp_incoming_address
5594TYPE: address
5595LOC:Config.Addrs.udp_incoming
5596DEFAULT: any_addr
5597DOC_START
5598 udp_incoming_address is used for UDP packets received from other
5599 caches.
5600
5601 The default behavior is to not bind to any specific address.
5602
5603 Only change this if you want to have all UDP queries received on
5604 a specific interface/address.
5605
5606 NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
5607 modules. Altering it will affect all of them in the same manner.
5608
5609 see also; udp_outgoing_address
5610
5611 NOTE, udp_incoming_address and udp_outgoing_address can not
5612 have the same value since they both use the same port.
5613DOC_END
5614
5615NAME: udp_outgoing_address
5616TYPE: address
5617LOC: Config.Addrs.udp_outgoing
5618DEFAULT: no_addr
5619DOC_START
5620 udp_outgoing_address is used for UDP packets sent out to other
5621 caches.
5622
5623 The default behavior is to not bind to any specific address.
5624
5625 Instead it will use the same socket as udp_incoming_address.
5626 Only change this if you want to have UDP queries sent using another
5627 address than where this Squid listens for UDP queries from other
5628 caches.
5629
5630 NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
5631 modules. Altering it will affect all of them in the same manner.
5632
5633 see also; udp_incoming_address
5634
5635 NOTE, udp_incoming_address and udp_outgoing_address can not
5636 have the same value since they both use the same port.
5637DOC_END
5638
5639NAME: icp_hit_stale
5640COMMENT: on|off
5641TYPE: onoff
5642DEFAULT: off
5643LOC: Config.onoff.icp_hit_stale
5644DOC_START
5645 If you want to return ICP_HIT for stale cache objects, set this
5646 option to 'on'. If you have sibling relationships with caches
5647 in other administrative domains, this should be 'off'. If you only
5648 have sibling relationships with caches under your control,
5649 it is probably okay to set this to 'on'.
5650 If set to 'on', your siblings should use the option "allow-miss"
5651 on their cache_peer lines for connecting to you.
5652DOC_END
5653
5654NAME: minimum_direct_hops
5655TYPE: int
5656DEFAULT: 4
5657LOC: Config.minDirectHops
5658DOC_START
5659 If using the ICMP pinging stuff, do direct fetches for sites
5660 which are no more than this many hops away.
5661DOC_END
5662
5663NAME: minimum_direct_rtt
5664TYPE: int
5665DEFAULT: 400
5666LOC: Config.minDirectRtt
5667DOC_START
5668 If using the ICMP pinging stuff, do direct fetches for sites
5669 which are no more than this many rtt milliseconds away.
5670DOC_END
5671
5672NAME: netdb_low
5673TYPE: int
5674DEFAULT: 900
5675LOC: Config.Netdb.low
5676DOC_NONE
5677
5678NAME: netdb_high
5679TYPE: int
5680DEFAULT: 1000
5681LOC: Config.Netdb.high
5682DOC_START
5683 The low and high water marks for the ICMP measurement
5684 database. These are counts, not percents. The defaults are
5685 900 and 1000. When the high water mark is reached, database
5686 entries will be deleted until the low mark is reached.
5687DOC_END
5688
5689NAME: netdb_ping_period
5690TYPE: time_t
5691LOC: Config.Netdb.period
5692DEFAULT: 5 minutes
5693DOC_START
5694 The minimum period for measuring a site. There will be at
5695 least this much delay between successive pings to the same
5696 network. The default is five minutes.
5697DOC_END
5698
5699NAME: query_icmp
5700COMMENT: on|off
5701TYPE: onoff
5702DEFAULT: off
5703LOC: Config.onoff.query_icmp
5704DOC_START
5705 If you want to ask your peers to include ICMP data in their ICP
5706 replies, enable this option.
5707
5708 If your peer has configured Squid (during compilation) with
5709 '--enable-icmp' that peer will send ICMP pings to origin server
5710 sites of the URLs it receives. If you enable this option the
5711 ICP replies from that peer will include the ICMP data (if available).
5712 Then, when choosing a parent cache, Squid will choose the parent with
5713 the minimal RTT to the origin server. When this happens, the
5714 hierarchy field of the access.log will be
5715 "CLOSEST_PARENT_MISS". This option is off by default.
5716DOC_END
5717
5718NAME: test_reachability
5719COMMENT: on|off
5720TYPE: onoff
5721DEFAULT: off
5722LOC: Config.onoff.test_reachability
5723DOC_START
5724 When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
5725 instead of ICP_MISS if the target host is NOT in the ICMP
5726 database, or has a zero RTT.
5727DOC_END
5728
5729NAME: icp_query_timeout
5730COMMENT: (msec)
5731DEFAULT: 0
5732TYPE: int
5733LOC: Config.Timeout.icp_query
5734DOC_START
5735 Normally Squid will automatically determine an optimal ICP
5736 query timeout value based on the round-trip-time of recent ICP
5737 queries. If you want to override the value determined by
5738 Squid, set this 'icp_query_timeout' to a non-zero value. This
5739 value is specified in MILLISECONDS, so, to use a 2-second
5740 timeout (the old default), you would write:
5741
5742 icp_query_timeout 2000
5743DOC_END
5744
5745NAME: maximum_icp_query_timeout
5746COMMENT: (msec)
5747DEFAULT: 2000
5748TYPE: int
5749LOC: Config.Timeout.icp_query_max
5750DOC_START
5751 Normally the ICP query timeout is determined dynamically. But
5752 sometimes it can lead to very large values (say 5 seconds).
5753 Use this option to put an upper limit on the dynamic timeout
5754 value. Do NOT use this option to always use a fixed (instead
5755 of a dynamic) timeout value. To set a fixed timeout see the
5756 'icp_query_timeout' directive.
5757DOC_END
5758
5759NAME: minimum_icp_query_timeout
5760COMMENT: (msec)
5761DEFAULT: 5
5762TYPE: int
5763LOC: Config.Timeout.icp_query_min
5764DOC_START
5765 Normally the ICP query timeout is determined dynamically. But
5766 sometimes it can lead to very small timeouts, even lower than
5767 the normal latency variance on your link due to traffic.
5768 Use this option to put an lower limit on the dynamic timeout
5769 value. Do NOT use this option to always use a fixed (instead
5770 of a dynamic) timeout value. To set a fixed timeout see the
5771 'icp_query_timeout' directive.
5772DOC_END
5773
5774NAME: background_ping_rate
5775COMMENT: time-units
5776TYPE: time_t
5777DEFAULT: 10 seconds
5778LOC: Config.backgroundPingRate
5779DOC_START
5780 Controls how often the ICP pings are sent to siblings that
5781 have background-ping set.
5782DOC_END
5783
5784COMMENT_START
5785 MULTICAST ICP OPTIONS
5786 -----------------------------------------------------------------------------
5787COMMENT_END
5788
5789NAME: mcast_groups
5790TYPE: wordlist
5791LOC: Config.mcast_group_list
5792DEFAULT: none
5793DOC_START
5794 This tag specifies a list of multicast groups which your server
5795 should join to receive multicasted ICP queries.
5796
5797 NOTE! Be very careful what you put here! Be sure you
5798 understand the difference between an ICP _query_ and an ICP
5799 _reply_. This option is to be set only if you want to RECEIVE
5800 multicast queries. Do NOT set this option to SEND multicast
5801 ICP (use cache_peer for that). ICP replies are always sent via
5802 unicast, so this option does not affect whether or not you will
5803 receive replies from multicast group members.
5804
5805 You must be very careful to NOT use a multicast address which
5806 is already in use by another group of caches.
5807
5808 If you are unsure about multicast, please read the Multicast
5809 chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
5810
5811 Usage: mcast_groups 239.128.16.128 224.0.1.20
5812
5813 By default, Squid doesn't listen on any multicast groups.
5814DOC_END
5815
5816NAME: mcast_miss_addr
5817IFDEF: MULTICAST_MISS_STREAM
5818TYPE: address
5819LOC: Config.mcast_miss.addr
5820DEFAULT: no_addr
5821DOC_START
5822 If you enable this option, every "cache miss" URL will
5823 be sent out on the specified multicast address.
5824
5825 Do not enable this option unless you are are absolutely
5826 certain you understand what you are doing.
5827DOC_END
5828
5829NAME: mcast_miss_ttl
5830IFDEF: MULTICAST_MISS_STREAM
5831TYPE: u_short
5832LOC: Config.mcast_miss.ttl
5833DEFAULT: 16
5834DOC_START
5835 This is the time-to-live value for packets multicasted
5836 when multicasting off cache miss URLs is enabled. By
5837 default this is set to 'site scope', i.e. 16.
5838DOC_END
5839
5840NAME: mcast_miss_port
5841IFDEF: MULTICAST_MISS_STREAM
5842TYPE: u_short
5843LOC: Config.mcast_miss.port
5844DEFAULT: 3135
5845DOC_START
5846 This is the port number to be used in conjunction with
5847 'mcast_miss_addr'.
5848DOC_END
5849
5850NAME: mcast_miss_encode_key
5851IFDEF: MULTICAST_MISS_STREAM
5852TYPE: string
5853LOC: Config.mcast_miss.encode_key
5854DEFAULT: XXXXXXXXXXXXXXXX
5855DOC_START
5856 The URLs that are sent in the multicast miss stream are
5857 encrypted. This is the encryption key.
5858DOC_END
5859
5860NAME: mcast_icp_query_timeout
5861COMMENT: (msec)
5862DEFAULT: 2000
5863TYPE: int
5864LOC: Config.Timeout.mcast_icp_query
5865DOC_START
5866 For multicast peers, Squid regularly sends out ICP "probes" to
5867 count how many other peers are listening on the given multicast
5868 address. This value specifies how long Squid should wait to
5869 count all the replies. The default is 2000 msec, or 2
5870 seconds.
5871DOC_END
5872
5873COMMENT_START
5874 INTERNAL ICON OPTIONS
5875 -----------------------------------------------------------------------------
5876COMMENT_END
5877
5878NAME: icon_directory
5879TYPE: string
5880LOC: Config.icons.directory
5881DEFAULT: @DEFAULT_ICON_DIR@
5882DOC_START
5883 Where the icons are stored. These are normally kept in
5884 @DEFAULT_ICON_DIR@
5885DOC_END
5886
5887NAME: global_internal_static
5888TYPE: onoff
5889LOC: Config.onoff.global_internal_static
5890DEFAULT: on
5891DOC_START
5892 This directive controls is Squid should intercept all requests for
5893 /squid-internal-static/ no matter which host the URL is requesting
5894 (default on setting), or if nothing special should be done for
5895 such URLs (off setting). The purpose of this directive is to make
5896 icons etc work better in complex cache hierarchies where it may
5897 not always be possible for all corners in the cache mesh to reach
5898 the server generating a directory listing.
5899DOC_END
5900
5901NAME: short_icon_urls
5902TYPE: onoff
5903LOC: Config.icons.use_short_names
5904DEFAULT: on
5905DOC_START
5906 If this is enabled Squid will use short URLs for icons.
5907 If disabled it will revert to the old behavior of including
5908 it's own name and port in the URL.
5909
5910 If you run a complex cache hierarchy with a mix of Squid and
5911 other proxies you may need to disable this directive.
5912DOC_END
5913
5914COMMENT_START
5915 ERROR PAGE OPTIONS
5916 -----------------------------------------------------------------------------
5917COMMENT_END
5918
5919NAME: error_directory
5920TYPE: string
5921LOC: Config.errorDirectory
5922DEFAULT: none
5923DOC_START
5924 If you wish to create your own versions of the default
5925 error files to customize them to suit your company copy
5926 the error/template files to another directory and point
5927 this tag at them.
5928
5929 WARNING: This option will disable multi-language support
5930 on error pages if used.
5931
5932 The squid developers are interested in making squid available in
5933 a wide variety of languages. If you are making translations for a
5934 language that Squid does not currently provide please consider
5935 contributing your translation back to the project.
5936 http://wiki.squid-cache.org/Translations
5937
5938 The squid developers working on translations are happy to supply drop-in
5939 translated error files in exchange for any new language contributions.
5940DOC_END
5941
5942NAME: error_default_language
5943IFDEF: USE_ERR_LOCALES
5944TYPE: string
5945LOC: Config.errorDefaultLanguage
5946DEFAULT: none
5947DOC_START
5948 Set the default language which squid will send error pages in
5949 if no existing translation matches the clients language
5950 preferences.
5951
5952 If unset (default) generic English will be used.
5953
5954 The squid developers are interested in making squid available in
5955 a wide variety of languages. If you are interested in making
5956 translations for any language see the squid wiki for details.
5957 http://wiki.squid-cache.org/Translations
5958DOC_END
5959
5960NAME: error_log_languages
5961IFDEF: USE_ERR_LOCALES
5962TYPE: onoff
5963LOC: Config.errorLogMissingLanguages
5964DEFAULT: on
5965DOC_START
5966 Log to cache.log what languages users are attempting to
5967 auto-negotiate for translations.
5968
5969 Successful negotiations are not logged. Only failures
5970 have meaning to indicate that Squid may need an upgrade
5971 of its error page translations.
5972DOC_END
5973
5974NAME: err_page_stylesheet
5975TYPE: string
5976LOC: Config.errorStylesheet
5977DEFAULT: @DEFAULT_CONFIG_DIR@/errorpage.css
5978DOC_START
5979 CSS Stylesheet to pattern the display of Squid default error pages.
5980
5981 For information on CSS see http://www.w3.org/Style/CSS/
5982DOC_END
5983
5984NAME: err_html_text
5985TYPE: eol
5986LOC: Config.errHtmlText
5987DEFAULT: none
5988DOC_START
5989 HTML text to include in error messages. Make this a "mailto"
5990 URL to your admin address, or maybe just a link to your
5991 organizations Web page.
5992
5993 To include this in your error messages, you must rewrite
5994 the error template files (found in the "errors" directory).
5995 Wherever you want the 'err_html_text' line to appear,
5996 insert a %L tag in the error template file.
5997DOC_END
5998
5999NAME: email_err_data
6000COMMENT: on|off
6001TYPE: onoff
6002LOC: Config.onoff.emailErrData
6003DEFAULT: on
6004DOC_START
6005 If enabled, information about the occurred error will be
6006 included in the mailto links of the ERR pages (if %W is set)
6007 so that the email body contains the data.
6008 Syntax is <A HREF="mailto:%w%W">%w</A>
6009DOC_END
6010
6011NAME: deny_info
6012TYPE: denyinfo
6013LOC: Config.denyInfoList
6014DEFAULT: none
6015DOC_START
6016 Usage: deny_info err_page_name acl
6017 or deny_info http://... acl
6018 or deny_info TCP_RESET acl
6019
6020 This can be used to return a ERR_ page for requests which
6021 do not pass the 'http_access' rules. Squid remembers the last
6022 acl it evaluated in http_access, and if a 'deny_info' line exists
6023 for that ACL Squid returns a corresponding error page.
6024
6025 The acl is typically the last acl on the http_access deny line which
6026 denied access. The exceptions to this rule are:
6027 - When Squid needs to request authentication credentials. It's then
6028 the first authentication related acl encountered
6029 - When none of the http_access lines matches. It's then the last
6030 acl processed on the last http_access line.
6031 - When the decision to deny access was made by an adaptation service,
6032 the acl name is the corresponding eCAP or ICAP service_name.
6033
6034 NP: If providing your own custom error pages with error_directory
6035 you may also specify them by your custom file name:
6036 Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
6037
6038 By defaut Squid will send "403 Forbidden". A different 4xx or 5xx
6039 may be specified by prefixing the file name with the code and a colon.
6040 e.g. 404:ERR_CUSTOM_ACCESS_DENIED
6041
6042 Alternatively you can tell Squid to reset the TCP connection
6043 by specifying TCP_RESET.
6044
6045 Or you can specify an error URL or URL pattern. The browsers will
6046 get redirected to the specified URL after formatting tags have
6047 been replaced. Redirect will be done with 302 or 307 according to
6048 HTTP/1.1 specs. A different 3xx code may be specified by prefixing
6049 the URL. e.g. 303:http://example.com/
6050
6051 URL FORMAT TAGS:
6052 %a - username (if available. Password NOT included)
6053 %B - FTP path URL
6054 %e - Error number
6055 %E - Error description
6056 %h - Squid hostname
6057 %H - Request domain name
6058 %i - Client IP Address
6059 %M - Request Method
6060 %o - Message result from external ACL helper
6061 %p - Request Port number
6062 %P - Request Protocol name
6063 %R - Request URL path
6064 %T - Timestamp in RFC 1123 format
6065 %U - Full canonical URL from client
6066 (HTTPS URLs terminate with *)
6067 %u - Full canonical URL from client
6068 %w - Admin email from squid.conf
6069 %x - Error name
6070 %% - Literal percent (%) code
6071
6072DOC_END
6073
6074COMMENT_START
6075 OPTIONS INFLUENCING REQUEST FORWARDING
6076 -----------------------------------------------------------------------------
6077COMMENT_END
6078
6079NAME: nonhierarchical_direct
6080TYPE: onoff
6081LOC: Config.onoff.nonhierarchical_direct
6082DEFAULT: on
6083DOC_START
6084 By default, Squid will send any non-hierarchical requests
6085 (matching hierarchy_stoplist or not cacheable request type) direct
6086 to origin servers.
6087
6088 If you set this to off, Squid will prefer to send these
6089 requests to parents.
6090
6091 Note that in most configurations, by turning this off you will only
6092 add latency to these request without any improvement in global hit
6093 ratio.
6094
6095 If you are inside an firewall see never_direct instead of
6096 this directive.
6097DOC_END
6098
6099NAME: prefer_direct
6100TYPE: onoff
6101LOC: Config.onoff.prefer_direct
6102DEFAULT: off
6103DOC_START
6104 Normally Squid tries to use parents for most requests. If you for some
6105 reason like it to first try going direct and only use a parent if
6106 going direct fails set this to on.
6107
6108 By combining nonhierarchical_direct off and prefer_direct on you
6109 can set up Squid to use a parent as a backup path if going direct
6110 fails.
6111
6112 Note: If you want Squid to use parents for all requests see
6113 the never_direct directive. prefer_direct only modifies how Squid
6114 acts on cacheable requests.
6115DOC_END
6116
6117NAME: always_direct
6118TYPE: acl_access
6119LOC: Config.accessList.AlwaysDirect
6120DEFAULT: none
6121DOC_START
6122 Usage: always_direct allow|deny [!]aclname ...
6123
6124 Here you can use ACL elements to specify requests which should
6125 ALWAYS be forwarded by Squid to the origin servers without using
6126 any peers. For example, to always directly forward requests for
6127 local servers ignoring any parents or siblings you may have use
6128 something like:
6129
6130 acl local-servers dstdomain my.domain.net
6131 always_direct allow local-servers
6132
6133 To always forward FTP requests directly, use
6134
6135 acl FTP proto FTP
6136 always_direct allow FTP
6137
6138 NOTE: There is a similar, but opposite option named
6139 'never_direct'. You need to be aware that "always_direct deny
6140 foo" is NOT the same thing as "never_direct allow foo". You
6141 may need to use a deny rule to exclude a more-specific case of
6142 some other rule. Example:
6143
6144 acl local-external dstdomain external.foo.net
6145 acl local-servers dstdomain .foo.net
6146 always_direct deny local-external
6147 always_direct allow local-servers
6148
6149 NOTE: If your goal is to make the client forward the request
6150 directly to the origin server bypassing Squid then this needs
6151 to be done in the client configuration. Squid configuration
6152 can only tell Squid how Squid should fetch the object.
6153
6154 NOTE: This directive is not related to caching. The replies
6155 is cached as usual even if you use always_direct. To not cache
6156 the replies see the 'cache' directive.
6157
6158 This clause supports both fast and slow acl types.
6159 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
6160DOC_END
6161
6162NAME: never_direct
6163TYPE: acl_access
6164LOC: Config.accessList.NeverDirect
6165DEFAULT: none
6166DOC_START
6167 Usage: never_direct allow|deny [!]aclname ...
6168
6169 never_direct is the opposite of always_direct. Please read
6170 the description for always_direct if you have not already.
6171
6172 With 'never_direct' you can use ACL elements to specify
6173 requests which should NEVER be forwarded directly to origin
6174 servers. For example, to force the use of a proxy for all
6175 requests, except those in your local domain use something like:
6176
6177 acl local-servers dstdomain .foo.net
6178 never_direct deny local-servers
6179 never_direct allow all
6180
6181 or if Squid is inside a firewall and there are local intranet
6182 servers inside the firewall use something like:
6183
6184 acl local-intranet dstdomain .foo.net
6185 acl local-external dstdomain external.foo.net
6186 always_direct deny local-external
6187 always_direct allow local-intranet
6188 never_direct allow all
6189
6190 This clause supports both fast and slow acl types.
6191 See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
6192DOC_END
6193
6194COMMENT_START
6195 ADVANCED NETWORKING OPTIONS
6196 -----------------------------------------------------------------------------
6197COMMENT_END
6198
6199NAME: incoming_icp_average
6200TYPE: int
6201DEFAULT: 6
6202LOC: Config.comm_incoming.icp_average
6203DOC_NONE
6204
6205NAME: incoming_http_average
6206TYPE: int
6207DEFAULT: 4
6208LOC: Config.comm_incoming.http_average
6209DOC_NONE
6210
6211NAME: incoming_dns_average
6212TYPE: int
6213DEFAULT: 4
6214LOC: Config.comm_incoming.dns_average
6215DOC_NONE
6216
6217NAME: min_icp_poll_cnt
6218TYPE: int
6219DEFAULT: 8
6220LOC: Config.comm_incoming.icp_min_poll
6221DOC_NONE
6222
6223NAME: min_dns_poll_cnt
6224TYPE: int
6225DEFAULT: 8
6226LOC: Config.comm_incoming.dns_min_poll
6227DOC_NONE
6228
6229NAME: min_http_poll_cnt
6230TYPE: int
6231DEFAULT: 8
6232LOC: Config.comm_incoming.http_min_poll
6233DOC_START
6234 Heavy voodoo here. I can't even believe you are reading this.
6235 Are you crazy? Don't even think about adjusting these unless
6236 you understand the algorithms in comm_select.c first!
6237DOC_END
6238
6239NAME: accept_filter
6240TYPE: string
6241DEFAULT: none
6242LOC: Config.accept_filter
6243DOC_START
6244 FreeBSD:
6245
6246 The name of an accept(2) filter to install on Squid's
6247 listen socket(s). This feature is perhaps specific to
6248 FreeBSD and requires support in the kernel.
6249
6250 The 'httpready' filter delays delivering new connections
6251 to Squid until a full HTTP request has been received.
6252 See the accf_http(9) man page for details.
6253
6254 The 'dataready' filter delays delivering new connections
6255 to Squid until there is some data to process.
6256 See the accf_dataready(9) man page for details.
6257
6258 Linux:
6259
6260 The 'data' filter delays delivering of new connections
6261 to Squid until there is some data to process by TCP_ACCEPT_DEFER.
6262 You may optionally specify a number of seconds to wait by
6263 'data=N' where N is the number of seconds. Defaults to 30
6264 if not specified. See the tcp(7) man page for details.
6265EXAMPLE:
6266# FreeBSD
6267accept_filter httpready
6268# Linux
6269accept_filter data
6270DOC_END
6271
6272NAME: client_ip_max_connections
6273TYPE: int
6274LOC: Config.client_ip_max_connections
6275DEFAULT: -1
6276DOC_START
6277 Set an absolute limit on the number of connections a single
6278 client IP can use. Any more than this and Squid will begin to drop
6279 new connections from the client until it closes some links.
6280
6281 Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
6282 connections from the client. For finer control use the ACL access controls.
6283
6284 Requires client_db to be enabled (the default).
6285
6286 WARNING: This may noticably slow down traffic received via external proxies
6287 or NAT devices and cause them to rebound error messages back to their clients.
6288DOC_END
6289
6290NAME: tcp_recv_bufsize
6291COMMENT: (bytes)
6292TYPE: b_size_t
6293DEFAULT: 0 bytes
6294LOC: Config.tcpRcvBufsz
6295DOC_START
6296 Size of receive buffer to set for TCP sockets. Probably just
6297 as easy to change your kernel's default. Set to zero to use
6298 the default buffer size.
6299DOC_END
6300
6301COMMENT_START
6302 ICAP OPTIONS
6303 -----------------------------------------------------------------------------
6304COMMENT_END
6305
6306NAME: icap_enable
6307TYPE: onoff
6308IFDEF: ICAP_CLIENT
6309COMMENT: on|off
6310LOC: Adaptation::Icap::TheConfig.onoff
6311DEFAULT: off
6312DOC_START
6313 If you want to enable the ICAP module support, set this to on.
6314DOC_END
6315
6316NAME: icap_connect_timeout
6317TYPE: time_t
6318DEFAULT: none
6319LOC: Adaptation::Icap::TheConfig.connect_timeout_raw
6320IFDEF: ICAP_CLIENT
6321DOC_START
6322 This parameter specifies how long to wait for the TCP connect to
6323 the requested ICAP server to complete before giving up and either
6324 terminating the HTTP transaction or bypassing the failure.
6325
6326 The default for optional services is peer_connect_timeout.
6327 The default for essential services is connect_timeout.
6328 If this option is explicitly set, its value applies to all services.
6329DOC_END
6330
6331NAME: icap_io_timeout
6332COMMENT: time-units
6333TYPE: time_t
6334DEFAULT: none
6335LOC: Adaptation::Icap::TheConfig.io_timeout_raw
6336IFDEF: ICAP_CLIENT
6337DOC_START
6338 This parameter specifies how long to wait for an I/O activity on
6339 an established, active ICAP connection before giving up and
6340 either terminating the HTTP transaction or bypassing the
6341 failure.
6342
6343 The default is read_timeout.
6344DOC_END
6345
6346NAME: icap_service_failure_limit
6347COMMENT: limit [in memory-depth time-units]
6348TYPE: icap_service_failure_limit
6349IFDEF: ICAP_CLIENT
6350LOC: Adaptation::Icap::TheConfig
6351DEFAULT: 10
6352DOC_START
6353 The limit specifies the number of failures that Squid tolerates
6354 when establishing a new TCP connection with an ICAP service. If
6355 the number of failures exceeds the limit, the ICAP service is
6356 not used for new ICAP requests until it is time to refresh its
6357 OPTIONS.
6358
6359 A negative value disables the limit. Without the limit, an ICAP
6360 service will not be considered down due to connectivity failures
6361 between ICAP OPTIONS requests.
6362
6363 Squid forgets ICAP service failures older than the specified
6364 value of memory-depth. The memory fading algorithm
6365 is approximate because Squid does not remember individual
6366 errors but groups them instead, splitting the option
6367 value into ten time slots of equal length.
6368
6369 When memory-depth is 0 and by default this option has no
6370 effect on service failure expiration.
6371
6372 Squid always forgets failures when updating service settings
6373 using an ICAP OPTIONS transaction, regardless of this option
6374 setting.
6375
6376 For example,
6377 # suspend service usage after 10 failures in 5 seconds:
6378 icap_service_failure_limit 10 in 5 seconds
6379DOC_END
6380
6381NAME: icap_service_revival_delay
6382TYPE: int
6383IFDEF: ICAP_CLIENT
6384LOC: Adaptation::Icap::TheConfig.service_revival_delay
6385DEFAULT: 180
6386DOC_START
6387 The delay specifies the number of seconds to wait after an ICAP
6388 OPTIONS request failure before requesting the options again. The
6389 failed ICAP service is considered "down" until fresh OPTIONS are
6390 fetched.
6391
6392 The actual delay cannot be smaller than the hardcoded minimum
6393 delay of 30 seconds.
6394DOC_END
6395
6396NAME: icap_preview_enable
6397TYPE: onoff
6398IFDEF: ICAP_CLIENT
6399COMMENT: on|off
6400LOC: Adaptation::Icap::TheConfig.preview_enable
6401DEFAULT: on
6402DOC_START
6403 The ICAP Preview feature allows the ICAP server to handle the
6404 HTTP message by looking only at the beginning of the message body
6405 or even without receiving the body at all. In some environments,
6406 previews greatly speedup ICAP processing.
6407
6408 During an ICAP OPTIONS transaction, the server may tell Squid what
6409 HTTP messages should be previewed and how big the preview should be.
6410 Squid will not use Preview if the server did not request one.
6411
6412 To disable ICAP Preview for all ICAP services, regardless of
6413 individual ICAP server OPTIONS responses, set this option to "off".
6414Example:
6415icap_preview_enable off
6416DOC_END
6417
6418NAME: icap_preview_size
6419TYPE: int
6420IFDEF: ICAP_CLIENT
6421LOC: Adaptation::Icap::TheConfig.preview_size
6422DEFAULT: -1
6423DOC_START
6424 The default size of preview data to be sent to the ICAP server.
6425 -1 means no preview. This value might be overwritten on a per server
6426 basis by OPTIONS requests.
6427DOC_END
6428
6429NAME: icap_206_enable
6430TYPE: onoff
6431IFDEF: ICAP_CLIENT
6432COMMENT: on|off
6433LOC: Adaptation::Icap::TheConfig.allow206_enable
6434DEFAULT: on
6435DOC_START
6436 206 (Partial Content) responses is an ICAP extension that allows the
6437 ICAP agents to optionally combine adapted and original HTTP message
6438 content. The decision to combine is postponed until the end of the
6439 ICAP response. Squid supports Partial Content extension by default.
6440
6441 Activation of the Partial Content extension is negotiated with each
6442 ICAP service during OPTIONS exchange. Most ICAP servers should handle
6443 negotation correctly even if they do not support the extension, but
6444 some might fail. To disable Partial Content support for all ICAP
6445 services and to avoid any negotiation, set this option to "off".
6446
6447 Example:
6448 icap_206_enable off
6449DOC_END
6450
6451NAME: icap_default_options_ttl
6452TYPE: int
6453IFDEF: ICAP_CLIENT
6454LOC: Adaptation::Icap::TheConfig.default_options_ttl
6455DEFAULT: 60
6456DOC_START
6457 The default TTL value for ICAP OPTIONS responses that don't have
6458 an Options-TTL header.
6459DOC_END
6460
6461NAME: icap_persistent_connections
6462TYPE: onoff
6463IFDEF: ICAP_CLIENT
6464COMMENT: on|off
6465LOC: Adaptation::Icap::TheConfig.reuse_connections
6466DEFAULT: on
6467DOC_START
6468 Whether or not Squid should use persistent connections to
6469 an ICAP server.
6470DOC_END
6471
6472NAME: adaptation_send_client_ip icap_send_client_ip
6473TYPE: onoff
6474IFDEF: USE_ADAPTATION
6475COMMENT: on|off
6476LOC: Adaptation::Config::send_client_ip
6477DEFAULT: off
6478DOC_START
6479 If enabled, Squid shares HTTP client IP information with adaptation
6480 services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
6481 For eCAP, Squid sets the libecap::metaClientIp transaction option.
6482
6483 See also: adaptation_uses_indirect_client
6484DOC_END
6485
6486NAME: adaptation_send_username icap_send_client_username
6487TYPE: onoff
6488IFDEF: USE_ADAPTATION
6489COMMENT: on|off
6490LOC: Adaptation::Config::send_username
6491DEFAULT: off
6492DOC_START
6493 This sends authenticated HTTP client username (if available) to
6494 the adaptation service.
6495
6496 For ICAP, the username value is encoded based on the
6497 icap_client_username_encode option and is sent using the header
6498 specified by the icap_client_username_header option.
6499DOC_END
6500
6501NAME: icap_client_username_header
6502TYPE: string
6503IFDEF: ICAP_CLIENT
6504LOC: Adaptation::Icap::TheConfig.client_username_header
6505DEFAULT: X-Client-Username
6506DOC_START
6507 ICAP request header name to use for adaptation_send_username.
6508DOC_END
6509
6510NAME: icap_client_username_encode
6511TYPE: onoff
6512IFDEF: ICAP_CLIENT
6513COMMENT: on|off
6514LOC: Adaptation::Icap::TheConfig.client_username_encode
6515DEFAULT: off
6516DOC_START
6517 Whether to base64 encode the authenticated client username.
6518DOC_END
6519
6520NAME: icap_service
6521TYPE: icap_service_type
6522IFDEF: ICAP_CLIENT
6523LOC: Adaptation::Icap::TheConfig
6524DEFAULT: none
6525DOC_START
6526 Defines a single ICAP service using the following format:
6527
6528 icap_service service_name vectoring_point [options] service_url
6529
6530 service_name: ID
6531 an opaque identifier which must be unique in squid.conf
6532
6533 vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
6534 This specifies at which point of transaction processing the
6535 ICAP service should be activated. *_postcache vectoring points
6536 are not yet supported.
6537
6538 service_url: icap://servername:port/servicepath
6539 ICAP server and service location.
6540
6541 ICAP does not allow a single service to handle both REQMOD and RESPMOD
6542 transactions. Squid does not enforce that requirement. You can specify
6543 services with the same service_url and different vectoring_points. You
6544 can even specify multiple identical services as long as their
6545 service_names differ.
6546
6547
6548 Service options are separated by white space. ICAP services support
6549 the following name=value options:
6550
6551 bypass=on|off|1|0
6552 If set to 'on' or '1', the ICAP service is treated as
6553 optional. If the service cannot be reached or malfunctions,
6554 Squid will try to ignore any errors and process the message as
6555 if the service was not enabled. No all ICAP errors can be
6556 bypassed. If set to 0, the ICAP service is treated as
6557 essential and all ICAP errors will result in an error page
6558 returned to the HTTP client.
6559
6560 Bypass is off by default: services are treated as essential.
6561
6562 routing=on|off|1|0
6563 If set to 'on' or '1', the ICAP service is allowed to
6564 dynamically change the current message adaptation plan by
6565 returning a chain of services to be used next. The services
6566 are specified using the X-Next-Services ICAP response header
6567 value, formatted as a comma-separated list of service names.
6568 Each named service should be configured in squid.conf and
6569 should have the same method and vectoring point as the current
6570 ICAP transaction. Services violating these rules are ignored.
6571 An empty X-Next-Services value results in an empty plan which
6572 ends the current adaptation.
6573
6574 Routing is not allowed by default: the ICAP X-Next-Services
6575 response header is ignored.
6576
6577 ipv6=on|off
6578 Only has effect on split-stack systems. The default on those systems
6579 is to use IPv4-only connections. When set to 'on' this option will
6580 make Squid use IPv6-only connections to contact this ICAP service.
6581
6582 on-overload=block|bypass|wait|force
6583 If the service Max-Connections limit has been reached, do
6584 one of the following for each new ICAP transaction:
6585 * block: send an HTTP error response to the client
6586 * bypass: ignore the "over-connected" ICAP service
6587 * wait: wait (in a FIFO queue) for an ICAP connection slot
6588 * force: proceed, ignoring the Max-Connections limit
6589
6590 In SMP mode with N workers, each worker assumes the service
6591 connection limit is Max-Connections/N, even though not all
6592 workers may use a given service.
6593
6594 The default value is "bypass" if service is bypassable,
6595 otherwise it is set to "wait".
6596
6597
6598 max-conn=number
6599 Use the given number as the Max-Connections limit, regardless
6600 of the Max-Connections value given by the service, if any.
6601
6602 Older icap_service format without optional named parameters is
6603 deprecated but supported for backward compatibility.
6604
6605Example:
6606icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod
6607icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod
6608DOC_END
6609
6610NAME: icap_class
6611TYPE: icap_class_type
6612IFDEF: ICAP_CLIENT
6613LOC: none
6614DEFAULT: none
6615DOC_START
6616 This deprecated option was documented to define an ICAP service
6617 chain, even though it actually defined a set of similar, redundant
6618 services, and the chains were not supported.
6619
6620 To define a set of redundant services, please use the
6621 adaptation_service_set directive. For service chains, use
6622 adaptation_service_chain.
6623DOC_END
6624
6625NAME: icap_access
6626TYPE: icap_access_type
6627IFDEF: ICAP_CLIENT
6628LOC: none
6629DEFAULT: none
6630DOC_START
6631 This option is deprecated. Please use adaptation_access, which
6632 has the same ICAP functionality, but comes with better
6633 documentation, and eCAP support.
6634DOC_END
6635
6636COMMENT_START
6637 eCAP OPTIONS
6638 -----------------------------------------------------------------------------
6639COMMENT_END
6640
6641NAME: ecap_enable
6642TYPE: onoff
6643IFDEF: USE_ECAP
6644COMMENT: on|off
6645LOC: Adaptation::Ecap::TheConfig.onoff
6646DEFAULT: off
6647DOC_START
6648 Controls whether eCAP support is enabled.
6649DOC_END
6650
6651NAME: ecap_service
6652TYPE: ecap_service_type
6653IFDEF: USE_ECAP
6654LOC: Adaptation::Ecap::TheConfig
6655DEFAULT: none
6656DOC_START
6657 Defines a single eCAP service
6658
6659 ecap_service servicename vectoring_point bypass service_url
6660
6661 vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
6662 This specifies at which point of transaction processing the
6663 eCAP service should be activated. *_postcache vectoring points
6664 are not yet supported.
6665 bypass = 1|0
6666 If set to 1, the eCAP service is treated as optional. If the
6667 service cannot be reached or malfunctions, Squid will try to
6668 ignore any errors and process the message as if the service
6669 was not enabled. No all eCAP errors can be bypassed.
6670 If set to 0, the eCAP service is treated as essential and all
6671 eCAP errors will result in an error page returned to the
6672 HTTP client.
6673 service_url = ecap://vendor/service_name?custom&cgi=style&parameters=optional
6674
6675Example:
6676ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
6677ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
6678DOC_END
6679
6680NAME: loadable_modules
6681TYPE: wordlist
6682IFDEF: USE_LOADABLE_MODULES
6683LOC: Config.loadable_module_names
6684DEFAULT: none
6685DOC_START
6686 Instructs Squid to load the specified dynamic module(s) or activate
6687 preloaded module(s).
6688Example:
6689loadable_modules @DEFAULT_PREFIX@/lib/MinimalAdapter.so
6690DOC_END
6691
6692COMMENT_START
6693 MESSAGE ADAPTATION OPTIONS
6694 -----------------------------------------------------------------------------
6695COMMENT_END
6696
6697NAME: adaptation_service_set
6698TYPE: adaptation_service_set_type
6699IFDEF: USE_ADAPTATION
6700LOC: none
6701DEFAULT: none
6702DOC_START
6703
6704 Configures an ordered set of similar, redundant services. This is
6705 useful when hot standby or backup adaptation servers are available.
6706
6707 adaptation_service_set set_name service_name1 service_name2 ...
6708
6709 The named services are used in the set declaration order. The first
6710 applicable adaptation service from the set is used first. The next
6711 applicable service is tried if and only if the transaction with the
6712 previous service fails and the message waiting to be adapted is still
6713 intact.
6714
6715 When adaptation starts, broken services are ignored as if they were
6716 not a part of the set. A broken service is a down optional service.
6717
6718 The services in a set must be attached to the same vectoring point
6719 (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
6720
6721 If all services in a set are optional then adaptation failures are
6722 bypassable. If all services in the set are essential, then a
6723 transaction failure with one service may still be retried using
6724 another service from the set, but when all services fail, the master
6725 transaction fails as well.
6726
6727 A set may contain a mix of optional and essential services, but that
6728 is likely to lead to surprising results because broken services become
6729 ignored (see above), making previously bypassable failures fatal.
6730 Technically, it is the bypassability of the last failed service that
6731 matters.
6732
6733 See also: adaptation_access adaptation_service_chain
6734
6735Example:
6736adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
6737adaptation service_set svcLogger loggerLocal loggerRemote
6738DOC_END
6739
6740NAME: adaptation_service_chain
6741TYPE: adaptation_service_chain_type
6742IFDEF: USE_ADAPTATION
6743LOC: none
6744DEFAULT: none
6745DOC_START
6746
6747 Configures a list of complementary services that will be applied
6748 one-by-one, forming an adaptation chain or pipeline. This is useful
6749 when Squid must perform different adaptations on the same message.
6750
6751 adaptation_service_chain chain_name service_name1 svc_name2 ...
6752
6753 The named services are used in the chain declaration order. The first
6754 applicable adaptation service from the chain is used first. The next
6755 applicable service is applied to the successful adaptation results of
6756 the previous service in the chain.
6757
6758 When adaptation starts, broken services are ignored as if they were
6759 not a part of the chain. A broken service is a down optional service.
6760
6761 Request satisfaction terminates the adaptation chain because Squid
6762 does not currently allow declaration of RESPMOD services at the
6763 "reqmod_precache" vectoring point (see icap_service or ecap_service).
6764
6765 The services in a chain must be attached to the same vectoring point
6766 (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
6767
6768 A chain may contain a mix of optional and essential services. If an
6769 essential adaptation fails (or the failure cannot be bypassed for
6770 other reasons), the master transaction fails. Otherwise, the failure
6771 is bypassed as if the failed adaptation service was not in the chain.
6772
6773 See also: adaptation_access adaptation_service_set
6774
6775Example:
6776adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
6777DOC_END
6778
6779NAME: adaptation_access
6780TYPE: adaptation_access_type
6781IFDEF: USE_ADAPTATION
6782LOC: none
6783DEFAULT: none
6784DOC_START
6785 Sends an HTTP transaction to an ICAP or eCAP adaptation service.
6786
6787 adaptation_access service_name allow|deny [!]aclname...
6788 adaptation_access set_name allow|deny [!]aclname...
6789
6790 At each supported vectoring point, the adaptation_access
6791 statements are processed in the order they appear in this
6792 configuration file. Statements pointing to the following services
6793 are ignored (i.e., skipped without checking their ACL):
6794
6795 - services serving different vectoring points
6796 - "broken-but-bypassable" services
6797 - "up" services configured to ignore such transactions
6798 (e.g., based on the ICAP Transfer-Ignore header).
6799
6800 When a set_name is used, all services in the set are checked
6801 using the same rules, to find the first applicable one. See
6802 adaptation_service_set for details.
6803
6804 If an access list is checked and there is a match, the
6805 processing stops: For an "allow" rule, the corresponding
6806 adaptation service is used for the transaction. For a "deny"
6807 rule, no adaptation service is activated.
6808
6809 It is currently not possible to apply more than one adaptation
6810 service at the same vectoring point to the same HTTP transaction.
6811
6812 See also: icap_service and ecap_service
6813
6814Example:
6815adaptation_access service_1 allow all
6816DOC_END
6817
6818NAME: adaptation_service_iteration_limit
6819TYPE: int
6820IFDEF: USE_ADAPTATION
6821LOC: Adaptation::Config::service_iteration_limit
6822DEFAULT: 16
6823DOC_START
6824 Limits the number of iterations allowed when applying adaptation
6825 services to a message. If your longest adaptation set or chain
6826 may have more than 16 services, increase the limit beyond its
6827 default value of 16. If detecting infinite iteration loops sooner
6828 is critical, make the iteration limit match the actual number
6829 of services in your longest adaptation set or chain.
6830
6831 Infinite adaptation loops are most likely with routing services.
6832
6833 See also: icap_service routing=1
6834DOC_END
6835
6836NAME: adaptation_masterx_shared_names
6837TYPE: string
6838IFDEF: USE_ADAPTATION
6839LOC: Adaptation::Config::masterx_shared_name
6840DEFAULT: none
6841DOC_START
6842 For each master transaction (i.e., the HTTP request and response
6843 sequence, including all related ICAP and eCAP exchanges), Squid
6844 maintains a table of metadata. The table entries are (name, value)
6845 pairs shared among eCAP and ICAP exchanges. The table is destroyed
6846 with the master transaction.
6847
6848 This option specifies the table entry names that Squid must accept
6849 from and forward to the adaptation transactions.
6850
6851 An ICAP REQMOD or RESPMOD transaction may set an entry in the
6852 shared table by returning an ICAP header field with a name
6853 specified in adaptation_masterx_shared_names.
6854
6855 An eCAP REQMOD or RESPMOD transaction may set an entry in the
6856 shared table by implementing the libecap::visitEachOption() API
6857 to provide an option with a name specified in
6858 adaptation_masterx_shared_names.
6859
6860 Squid will store and forward the set entry to subsequent adaptation
6861 transactions within the same master transaction scope.
6862
6863 Only one shared entry name is supported at this time.
6864
6865Example:
6866# share authentication information among ICAP services
6867adaptation_masterx_shared_names X-Subscriber-ID
6868DOC_END
6869
6870NAME: icap_retry
6871TYPE: acl_access
6872IFDEF: ICAP_CLIENT
6873LOC: Adaptation::Icap::TheConfig.repeat
6874DEFAULT_IF_NONE: deny all
6875DOC_START
6876 This ACL determines which retriable ICAP transactions are
6877 retried. Transactions that received a complete ICAP response
6878 and did not have to consume or produce HTTP bodies to receive
6879 that response are usually retriable.
6880
6881 icap_retry allow|deny [!]aclname ...
6882
6883 Squid automatically retries some ICAP I/O timeouts and errors
6884 due to persistent connection race conditions.
6885
6886 See also: icap_retry_limit
6887DOC_END
6888
6889NAME: icap_retry_limit
6890TYPE: int
6891IFDEF: ICAP_CLIENT
6892LOC: Adaptation::Icap::TheConfig.repeat_limit
6893DEFAULT: 0
6894DOC_START
6895 Limits the number of retries allowed. When set to zero (default),
6896 no retries are allowed.
6897
6898 Communication errors due to persistent connection race
6899 conditions are unavoidable, automatically retried, and do not
6900 count against this limit.
6901
6902 See also: icap_retry
6903DOC_END
6904
6905
6906COMMENT_START
6907 DNS OPTIONS
6908 -----------------------------------------------------------------------------
6909COMMENT_END
6910
6911NAME: check_hostnames
6912TYPE: onoff
6913DEFAULT: off
6914LOC: Config.onoff.check_hostnames
6915DOC_START
6916 For security and stability reasons Squid can check
6917 hostnames for Internet standard RFC compliance. If you want
6918 Squid to perform these checks turn this directive on.
6919DOC_END
6920
6921NAME: allow_underscore
6922TYPE: onoff
6923DEFAULT: on
6924LOC: Config.onoff.allow_underscore
6925DOC_START
6926 Underscore characters is not strictly allowed in Internet hostnames
6927 but nevertheless used by many sites. Set this to off if you want
6928 Squid to be strict about the standard.
6929 This check is performed only when check_hostnames is set to on.
6930DOC_END
6931
6932NAME: cache_dns_program
6933TYPE: string
6934IFDEF: USE_DNSSERVERS
6935DEFAULT: @DEFAULT_DNSSERVER@
6936LOC: Config.Program.dnsserver
6937DOC_START
6938 Specify the location of the executable for dnslookup process.
6939DOC_END
6940
6941NAME: dns_children
6942TYPE: HelperChildConfig
6943IFDEF: USE_DNSSERVERS
6944DEFAULT: 32 startup=1 idle=1
6945LOC: Config.dnsChildren
6946DOC_START
6947 The maximum number of processes spawn to service DNS name lookups.
6948 If you limit it too few Squid will have to wait for them to process
6949 a backlog of requests, slowing it down. If you allow too many they
6950 will use RAM and other system resources noticably.
6951 The maximum this may be safely set to is 32.
6952
6953 The startup= and idle= options allow some measure of skew in your
6954 tuning.
6955
6956 startup=
6957
6958 Sets a minimum of how many processes are to be spawned when Squid
6959 starts or reconfigures. When set to zero the first request will
6960 cause spawning of the first child process to handle it.
6961
6962 Starting too few will cause an initial slowdown in traffic as Squid
6963 attempts to simultaneously spawn enough processes to cope.
6964
6965 idle=
6966
6967 Sets a minimum of how many processes Squid is to try and keep available
6968 at all times. When traffic begins to rise above what the existing
6969 processes can handle this many more will be spawned up to the maximum
6970 configured. A minimum setting of 1 is required.
6971DOC_END
6972
6973NAME: dns_retransmit_interval
6974TYPE: time_msec
6975DEFAULT: 5 seconds
6976LOC: Config.Timeout.idns_retransmit
6977IFDEF: !USE_DNSSERVERS
6978DOC_START
6979 Initial retransmit interval for DNS queries. The interval is
6980 doubled each time all configured DNS servers have been tried.
6981DOC_END
6982
6983NAME: dns_timeout
6984TYPE: time_msec
6985DEFAULT: 30 seconds
6986LOC: Config.Timeout.idns_query
6987IFDEF: !USE_DNSSERVERS
6988DOC_START
6989 DNS Query timeout. If no response is received to a DNS query
6990 within this time all DNS servers for the queried domain
6991 are assumed to be unavailable.
6992DOC_END
6993
6994NAME: dns_packet_max
6995TYPE: b_ssize_t
6996DEFAULT: none
6997LOC: Config.dns.packet_max
6998IFDEF: !USE_DNSSERVERS
6999DOC_START
7000 Maximum number of bytes packet size to advertise via EDNS.
7001 Set to "none" to disable EDNS large packet support.
7002
7003 For legacy reasons DNS UDP replies will default to 512 bytes which
7004 is too small for many responses. EDNS provides a means for Squid to
7005 negotiate receiving larger responses back immediately without having
7006 to failover with repeat requests. Responses larger than this limit
7007 will retain the old behaviour of failover to TCP DNS.
7008
7009 Squid has no real fixed limit internally, but allowing packet sizes
7010 over 1500 bytes requires network jumbogram support and is usually not
7011 necessary.
7012
7013 WARNING: The RFC also indicates that some older resolvers will reply
7014 with failure of the whole request if the extension is added. Some
7015 resolvers have already been identified which will reply with mangled
7016 EDNS response on occasion. Usually in response to many-KB jumbogram
7017 sizes being advertised by Squid.
7018 Squid will currently treat these both as an unable-to-resolve domain
7019 even if it would be resolvable without EDNS.
7020DOC_END
7021
7022NAME: dns_defnames
7023COMMENT: on|off
7024TYPE: onoff
7025DEFAULT: off
7026LOC: Config.onoff.res_defnames
7027DOC_START
7028 Normally the RES_DEFNAMES resolver option is disabled
7029 (see res_init(3)). This prevents caches in a hierarchy
7030 from interpreting single-component hostnames locally. To allow
7031 Squid to handle single-component names, enable this option.
7032DOC_END
7033
7034NAME: dns_nameservers
7035TYPE: wordlist
7036DEFAULT: none
7037LOC: Config.dns_nameservers
7038DOC_START
7039 Use this if you want to specify a list of DNS name servers
7040 (IP addresses) to use instead of those given in your
7041 /etc/resolv.conf file.
7042 On Windows platforms, if no value is specified here or in
7043 the /etc/resolv.conf file, the list of DNS name servers are
7044 taken from the Windows registry, both static and dynamic DHCP
7045 configurations are supported.
7046
7047 Example: dns_nameservers 10.0.0.1 192.172.0.4
7048DOC_END
7049
7050NAME: hosts_file
7051TYPE: string
7052DEFAULT: @DEFAULT_HOSTS@
7053LOC: Config.etcHostsPath
7054DOC_START
7055 Location of the host-local IP name-address associations
7056 database. Most Operating Systems have such a file on different
7057 default locations:
7058 - Un*X & Linux: /etc/hosts
7059 - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
7060 (%SystemRoot% value install default is c:\winnt)
7061 - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
7062 (%SystemRoot% value install default is c:\windows)
7063 - Windows 9x/Me: %windir%\hosts
7064 (%windir% value is usually c:\windows)
7065 - Cygwin: /etc/hosts
7066
7067 The file contains newline-separated definitions, in the
7068 form ip_address_in_dotted_form name [name ...] names are
7069 whitespace-separated. Lines beginning with an hash (#)
7070 character are comments.
7071
7072 The file is checked at startup and upon configuration.
7073 If set to 'none', it won't be checked.
7074 If append_domain is used, that domain will be added to
7075 domain-local (i.e. not containing any dot character) host
7076 definitions.
7077DOC_END
7078
7079NAME: append_domain
7080TYPE: string
7081LOC: Config.appendDomain
7082DEFAULT: none
7083DOC_START
7084 Appends local domain name to hostnames without any dots in
7085 them. append_domain must begin with a period.
7086
7087 Be warned there are now Internet names with no dots in
7088 them using only top-domain names, so setting this may
7089 cause some Internet sites to become unavailable.
7090
7091Example:
7092 append_domain .yourdomain.com
7093DOC_END
7094
7095NAME: ignore_unknown_nameservers
7096TYPE: onoff
7097LOC: Config.onoff.ignore_unknown_nameservers
7098DEFAULT: on
7099DOC_START
7100 By default Squid checks that DNS responses are received
7101 from the same IP addresses they are sent to. If they
7102 don't match, Squid ignores the response and writes a warning
7103 message to cache.log. You can allow responses from unknown
7104 nameservers by setting this option to 'off'.
7105DOC_END
7106
7107NAME: dns_v4_fallback
7108TYPE: onoff
7109DEFAULT: on
7110LOC: Config.onoff.dns_require_A
7111DOC_START
7112 Standard practice with DNS is to lookup either A or AAAA records
7113 and use the results if it succeeds. Only looking up the other if
7114 the first attempt fails or otherwise produces no results.
7115
7116 That policy however will cause squid to produce error pages for some
7117 servers that advertise AAAA but are unreachable over IPv6.
7118
7119 If this is ON squid will always lookup both AAAA and A, using both.
7120 If this is OFF squid will lookup AAAA and only try A if none found.
7121
7122 WARNING: There are some possibly unwanted side-effects with this on:
7123 *) Doubles the load placed by squid on the DNS network.
7124 *) May negatively impact connection delay times.
7125DOC_END
7126
7127NAME: ipcache_size
7128COMMENT: (number of entries)
7129TYPE: int
7130DEFAULT: 1024
7131LOC: Config.ipcache.size
7132DOC_NONE
7133
7134NAME: ipcache_low
7135COMMENT: (percent)
7136TYPE: int
7137DEFAULT: 90
7138LOC: Config.ipcache.low
7139DOC_NONE
7140
7141NAME: ipcache_high
7142COMMENT: (percent)
7143TYPE: int
7144DEFAULT: 95
7145LOC: Config.ipcache.high
7146DOC_START
7147 The size, low-, and high-water marks for the IP cache.
7148DOC_END
7149
7150NAME: fqdncache_size
7151COMMENT: (number of entries)
7152TYPE: int
7153DEFAULT: 1024
7154LOC: Config.fqdncache.size
7155DOC_START
7156 Maximum number of FQDN cache entries.
7157DOC_END
7158
7159COMMENT_START
7160 MISCELLANEOUS
7161 -----------------------------------------------------------------------------
7162COMMENT_END
7163
7164NAME: memory_pools
7165COMMENT: on|off
7166TYPE: onoff
7167DEFAULT: on
7168LOC: Config.onoff.mem_pools
7169DOC_START
7170 If set, Squid will keep pools of allocated (but unused) memory
7171 available for future use. If memory is a premium on your
7172 system and you believe your malloc library outperforms Squid
7173 routines, disable this.
7174DOC_END
7175
7176NAME: memory_pools_limit
7177COMMENT: (bytes)
7178TYPE: b_int64_t
7179DEFAULT: 5 MB
7180LOC: Config.MemPools.limit
7181DOC_START
7182 Used only with memory_pools on:
7183 memory_pools_limit 50 MB
7184
7185 If set to a non-zero value, Squid will keep at most the specified
7186 limit of allocated (but unused) memory in memory pools. All free()
7187 requests that exceed this limit will be handled by your malloc
7188 library. Squid does not pre-allocate any memory, just safe-keeps
7189 objects that otherwise would be free()d. Thus, it is safe to set
7190 memory_pools_limit to a reasonably high value even if your
7191 configuration will use less memory.
7192
7193 If set to none, Squid will keep all memory it can. That is, there
7194 will be no limit on the total amount of memory used for safe-keeping.
7195
7196 To disable memory allocation optimization, do not set
7197 memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
7198
7199 An overhead for maintaining memory pools is not taken into account
7200 when the limit is checked. This overhead is close to four bytes per
7201 object kept. However, pools may actually _save_ memory because of
7202 reduced memory thrashing in your malloc library.
7203DOC_END
7204
7205NAME: forwarded_for
7206COMMENT: on|off|transparent|truncate|delete
7207TYPE: string
7208DEFAULT: on
7209LOC: opt_forwarded_for
7210DOC_START
7211 If set to "on", Squid will append your client's IP address
7212 in the HTTP requests it forwards. By default it looks like:
7213
7214 X-Forwarded-For: 192.1.2.3
7215
7216 If set to "off", it will appear as
7217
7218 X-Forwarded-For: unknown
7219
7220 If set to "transparent", Squid will not alter the
7221 X-Forwarded-For header in any way.
7222
7223 If set to "delete", Squid will delete the entire
7224 X-Forwarded-For header.
7225
7226 If set to "truncate", Squid will remove all existing
7227 X-Forwarded-For entries, and place the client IP as the sole entry.
7228DOC_END
7229
7230NAME: cachemgr_passwd
7231TYPE: cachemgrpasswd
7232DEFAULT: none
7233LOC: Config.passwd_list
7234DOC_START
7235 Specify passwords for cachemgr operations.
7236
7237 Usage: cachemgr_passwd password action action ...
7238
7239 Some valid actions are (see cache manager menu for a full list):
7240 5min
7241 60min
7242 asndb
7243 authenticator
7244 cbdata
7245 client_list
7246 comm_incoming
7247 config *
7248 counters
7249 delay
7250 digest_stats
7251 dns
7252 events
7253 filedescriptors
7254 fqdncache
7255 histograms
7256 http_headers
7257 info
7258 io
7259 ipcache
7260 mem
7261 menu
7262 netdb
7263 non_peers
7264 objects
7265 offline_toggle *
7266 pconn
7267 peer_select
7268 reconfigure *
7269 redirector
7270 refresh
7271 server_list
7272 shutdown *
7273 store_digest
7274 storedir
7275 utilization
7276 via_headers
7277 vm_objects
7278
7279 * Indicates actions which will not be performed without a
7280 valid password, others can be performed if not listed here.
7281
7282 To disable an action, set the password to "disable".
7283 To allow performing an action without a password, set the
7284 password to "none".
7285
7286 Use the keyword "all" to set the same password for all actions.
7287
7288Example:
7289 cachemgr_passwd secret shutdown
7290 cachemgr_passwd lesssssssecret info stats/objects
7291 cachemgr_passwd disable all
7292DOC_END
7293
7294NAME: client_db
7295COMMENT: on|off
7296TYPE: onoff
7297DEFAULT: on
7298LOC: Config.onoff.client_db
7299DOC_START
7300 If you want to disable collecting per-client statistics,
7301 turn off client_db here.
7302DOC_END
7303
7304NAME: refresh_all_ims
7305COMMENT: on|off
7306TYPE: onoff
7307DEFAULT: off
7308LOC: Config.onoff.refresh_all_ims
7309DOC_START
7310 When you enable this option, squid will always check
7311 the origin server for an update when a client sends an
7312 If-Modified-Since request. Many browsers use IMS
7313 requests when the user requests a reload, and this
7314 ensures those clients receive the latest version.
7315
7316 By default (off), squid may return a Not Modified response
7317 based on the age of the cached version.
7318DOC_END
7319
7320NAME: reload_into_ims
7321IFDEF: USE_HTTP_VIOLATIONS
7322COMMENT: on|off
7323TYPE: onoff
7324DEFAULT: off
7325LOC: Config.onoff.reload_into_ims
7326DOC_START
7327 When you enable this option, client no-cache or ``reload''
7328 requests will be changed to If-Modified-Since requests.
7329 Doing this VIOLATES the HTTP standard. Enabling this
7330 feature could make you liable for problems which it
7331 causes.
7332
7333 see also refresh_pattern for a more selective approach.
7334DOC_END
7335
7336NAME: connect_retries
7337TYPE: int
7338LOC: Config.connect_retries
7339DEFAULT: 0
7340DOC_START
7341 This sets the maximum number of connection attempts made for each
7342 TCP connection. The connect_retries attempts must all still
7343 complete within the connection timeout period.
7344
7345 The default is not to re-try if the first connection attempt fails.
7346 The (not recommended) maximum is 10 tries.
7347
7348 A warning message will be generated if it is set to a too-high
7349 value and the configured value will be over-ridden.
7350
7351 Note: These re-tries are in addition to forward_max_tries
7352 which limit how many different addresses may be tried to find
7353 a useful server.
7354DOC_END
7355
7356NAME: retry_on_error
7357TYPE: onoff
7358LOC: Config.retry.onerror
7359DEFAULT: off
7360DOC_START
7361 If set to on Squid will automatically retry requests when
7362 receiving an error response. This is mainly useful if you
7363 are in a complex cache hierarchy to work around access
7364 control errors.
7365DOC_END
7366
7367NAME: as_whois_server
7368TYPE: string
7369LOC: Config.as_whois_server
7370DEFAULT: whois.ra.net
7371DOC_START
7372 WHOIS server to query for AS numbers. NOTE: AS numbers are
7373 queried only when Squid starts up, not for every request.
7374DOC_END
7375
7376NAME: offline_mode
7377TYPE: onoff
7378LOC: Config.onoff.offline
7379DEFAULT: off
7380DOC_START
7381 Enable this option and Squid will never try to validate cached
7382 objects.
7383DOC_END
7384
7385NAME: uri_whitespace
7386TYPE: uri_whitespace
7387LOC: Config.uri_whitespace
7388DEFAULT: strip
7389DOC_START
7390 What to do with requests that have whitespace characters in the
7391 URI. Options:
7392
7393 strip: The whitespace characters are stripped out of the URL.
7394 This is the behavior recommended by RFC2396.
7395 deny: The request is denied. The user receives an "Invalid
7396 Request" message.
7397 allow: The request is allowed and the URI is not changed. The
7398 whitespace characters remain in the URI. Note the
7399 whitespace is passed to redirector processes if they
7400 are in use.
7401 encode: The request is allowed and the whitespace characters are
7402 encoded according to RFC1738. This could be considered
7403 a violation of the HTTP/1.1
7404 RFC because proxies are not allowed to rewrite URI's.
7405 chop: The request is allowed and the URI is chopped at the
7406 first whitespace. This might also be considered a
7407 violation.
7408DOC_END
7409
7410NAME: chroot
7411TYPE: string
7412LOC: Config.chroot_dir
7413DEFAULT: none
7414DOC_START
7415 Specifies a directory where Squid should do a chroot() while
7416 initializing. This also causes Squid to fully drop root
7417 privileges after initializing. This means, for example, if you
7418 use a HTTP port less than 1024 and try to reconfigure, you may
7419 get an error saying that Squid can not open the port.
7420DOC_END
7421
7422NAME: balance_on_multiple_ip
7423TYPE: onoff
7424LOC: Config.onoff.balance_on_multiple_ip
7425DEFAULT: off
7426DOC_START
7427 Modern IP resolvers in squid sort lookup results by preferred access.
7428 By default squid will use these IP in order and only rotates to
7429 the next listed when the most preffered fails.
7430
7431 Some load balancing servers based on round robin DNS have been
7432 found not to preserve user session state across requests
7433 to different IP addresses.
7434
7435 Enabling this directive Squid rotates IP's per request.
7436DOC_END
7437
7438NAME: pipeline_prefetch
7439TYPE: onoff
7440LOC: Config.onoff.pipeline_prefetch
7441DEFAULT: off
7442DOC_START
7443 To boost the performance of pipelined requests to closer
7444 match that of a non-proxied environment Squid can try to fetch
7445 up to two requests in parallel from a pipeline.
7446
7447 Defaults to off for bandwidth management and access logging
7448 reasons.
7449
7450 WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
7451DOC_END
7452
7453NAME: high_response_time_warning
7454TYPE: int
7455COMMENT: (msec)
7456LOC: Config.warnings.high_rptm
7457DEFAULT: 0
7458DOC_START
7459 If the one-minute median response time exceeds this value,
7460 Squid prints a WARNING with debug level 0 to get the
7461 administrators attention. The value is in milliseconds.
7462DOC_END
7463
7464NAME: high_page_fault_warning
7465TYPE: int
7466LOC: Config.warnings.high_pf
7467DEFAULT: 0
7468DOC_START
7469 If the one-minute average page fault rate exceeds this
7470 value, Squid prints a WARNING with debug level 0 to get
7471 the administrators attention. The value is in page faults
7472 per second.
7473DOC_END
7474
7475NAME: high_memory_warning
7476TYPE: b_size_t
7477LOC: Config.warnings.high_memory
7478DEFAULT: 0 KB
7479DOC_START
7480 If the memory usage (as determined by mallinfo) exceeds
7481 this amount, Squid prints a WARNING with debug level 0 to get
7482 the administrators attention.
7483DOC_END
7484
7485NAME: sleep_after_fork
7486COMMENT: (microseconds)
7487TYPE: int
7488LOC: Config.sleep_after_fork
7489DEFAULT: 0
7490DOC_START
7491 When this is set to a non-zero value, the main Squid process
7492 sleeps the specified number of microseconds after a fork()
7493 system call. This sleep may help the situation where your
7494 system reports fork() failures due to lack of (virtual)
7495 memory. Note, however, if you have a lot of child
7496 processes, these sleep delays will add up and your
7497 Squid will not service requests for some amount of time
7498 until all the child processes have been started.
7499 On Windows value less then 1000 (1 milliseconds) are
7500 rounded to 1000.
7501DOC_END
7502
7503NAME: windows_ipaddrchangemonitor
7504IFDEF: _SQUID_MSWIN_
7505COMMENT: on|off
7506TYPE: onoff
7507DEFAULT: on
7508LOC: Config.onoff.WIN32_IpAddrChangeMonitor
7509DOC_START
7510 On Windows Squid by default will monitor IP address changes and will
7511 reconfigure itself after any detected event. This is very useful for
7512 proxies connected to internet with dial-up interfaces.
7513 In some cases (a Proxy server acting as VPN gateway is one) it could be
7514 desiderable to disable this behaviour setting this to 'off'.
7515 Note: after changing this, Squid service must be restarted.
7516DOC_END
7517
7518NAME: eui_lookup
7519TYPE: onoff
7520IFDEF: USE_SQUID_EUI
7521DEFAULT: on
7522LOC: Eui::TheConfig.euiLookup
7523DOC_START
7524 Whether to lookup the EUI or MAC address of a connected client.
7525DOC_END
7526
7527NAME: max_filedescriptors max_filedesc
7528TYPE: int
7529DEFAULT: 0
7530LOC: Config.max_filedescriptors
7531DOC_START
7532 The maximum number of filedescriptors supported.
7533
7534 The default "0" means Squid inherits the current ulimit setting.
7535
7536 Note: Changing this requires a restart of Squid. Also
7537 not all comm loops supports large values.
7538DOC_END
7539
7540NAME: workers
7541TYPE: int
7542LOC: Config.workers
7543DEFAULT: 1
7544DOC_START
7545 Number of main Squid processes or "workers" to fork and maintain.
7546 0: "no daemon" mode, like running "squid -N ..."
7547 1: "no SMP" mode, start one main Squid process daemon (default)
7548 N: start N main Squid process daemons (i.e., SMP mode)
7549
7550 In SMP mode, each worker does nearly all what a single Squid daemon
7551 does (e.g., listen on http_port and forward HTTP requests).
7552DOC_END
7553
7554NAME: cpu_affinity_map
7555TYPE: CpuAffinityMap
7556LOC: Config.cpuAffinityMap
7557DEFAULT: none
7558DOC_START
7559 Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,...
7560
7561 Sets 1:1 mapping between Squid processes and CPU cores. For example,
7562
7563 cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7
7564
7565 affects processes 1 through 4 only and places them on the first
7566 four even cores, starting with core #1.
7567
7568 CPU cores are numbered starting from 1. Requires support for
7569 sched_getaffinity(2) and sched_setaffinity(2) system calls.
7570
7571 Multiple cpu_affinity_map options are merged.
7572
7573 See also: workers
7574DOC_END
7575
7576EOF
Mirror of https://github.com/squid-cache/squid.git