3 # $Id: cf.data.pre,v 1.362 2004/11/06 22:20:47 hno Exp $
6 # SQUID Web Proxy Cache http://www.squid-cache.org/
7 # ----------------------------------------------------------
9 # Squid is the result of efforts by numerous individuals from
10 # the Internet community; see the CONTRIBUTORS file for full
11 # details. Many organizations have provided support for Squid's
12 # development; see the SPONSORS file for full details. Squid is
13 # Copyrighted (C) 2000 by the Regents of the University of
14 # California; see the COPYRIGHT file for full details. Squid
15 # incorporates software developed and/or copyrighted by other
16 # sources; see the CREDITS file for full details.
18 # This program is free software; you can redistribute it and/or modify
19 # it under the terms of the GNU General Public License as published by
20 # the Free Software Foundation; either version 2 of the License, or
21 # (at your option) any later version.
23 # This program is distributed in the hope that it will be useful,
24 # but WITHOUT ANY WARRANTY; without even the implied warranty of
25 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 # GNU General Public License for more details.
28 # You should have received a copy of the GNU General Public License
29 # along with this program; if not, write to the Free Software
30 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
34 WELCOME TO SQUID @VERSION@
35 ----------------------------
37 This is the default Squid configuration file. You may wish
38 to look at the Squid home page (http://www.squid-cache.org/)
39 for the FAQ and other documentation.
41 The default Squid config file shows what the defaults for
42 various options happen to be. If you don't need to change the
43 default, you shouldn't uncomment the line. Doing so may cause
44 run-time problems. In some cases "none" refers to no default
45 setting at all, while in other cases it refers to a valid
46 option - the comments for that keyword indicate if this is the
53 -----------------------------------------------------------------------------
56 NAME: http_port ascii_port
59 LOC: Config.Sockaddr.http
62 hostname:port [options]
63 1.2.3.4:port [options]
65 The socket addresses where Squid will listen for HTTP client
66 requests. You may specify multiple socket addresses.
67 There are three forms: port alone, hostname with port, and
68 IP address with port. If you specify a hostname or IP
69 address, Squid binds the socket to that specific
70 address. This replaces the old 'tcp_incoming_address'
71 option. Most likely, you do not need to bind to a specific
72 address, so you can use the port number alone.
74 If you are running Squid in accelerator mode, you
75 probably want to listen on port 80 also, or instead.
77 The -a command line option will override the *first* port
78 number listed here. That option will NOT override an IP
81 You may specify multiple socket addresses on multiple lines.
85 transparent Support for transparent proxies
87 accel Accelerator mode. Also set implicit by the other
88 accelerator directives
90 vhost Accelerator mode using Host header for virtual
93 vport Accelerator with IP based virtual host support
95 vport=NN As above, but uses specified port number rather
96 than the http_port number
98 defaultsite= Main web site name for accelerators
100 protocol= Protocol to reconstruct accelerated requests with.
103 If you run Squid on a dual-homed machine with an internal
104 and an external interface we recommend you to specify the
105 internal address:port in http_port. This way Squid will only be
106 visible on the internal address.
108 # Squid normally listens to port 3128
115 TYPE: https_port_list
117 LOC: Config.Sockaddr.https
119 Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
121 The socket address where Squid will listen for HTTPS client
124 This is really only useful for situations where you are running
125 squid in accelerator mode and you want to do the SSL work at the
128 You may specify multiple socket addresses on multiple lines,
129 each with their own SSL certificate and/or options.
133 defaultsite= The name of the https site presented on
136 protocol= Protocol to reconstruct accelerated requests
137 with. Defaults to https
139 cert= Path to SSL certificate (PEM format)
141 key= Path to SSL private key file (PEM format)
142 if not specified, the certificate file is
143 assumed to be a combined certificate and
146 version= The version of SSL/TLS supported
147 1 automatic (default)
152 cipher= Colon separated list of supported ciphers
154 options= Varions SSL engine options. The most important
156 NO_SSLv2 Disallow the use of SSLv2
157 NO_SSLv3 Disallow the use of SSLv3
158 NO_TLSv1 Disallow the use of TLSv1
159 SINGLE_DH_USE Always create a new key when using
160 temporary/ephemeral DH key exchanges
161 See src/ssl_support.c or OpenSSL SSL_CTX_set_options
162 documentation for a complete list of options
164 clientca= File containing the list of CAs to use when
165 requesting a client certificate
167 cafile= File containing additional CA certificates to
168 use when verifying client certificates. If unset
169 clientca will be used
171 capath= Directory containing additional CA certificates
172 to use when verifying client certificates
174 dhparams= File containing DH parameters for temporary/ephemeral
177 sslflags= Various flags modifying the use of SSL:
179 Don't request client certificates
180 immediately, but wait until acl processing
181 requires a certificate
183 Don't use the default CA list built in
186 accel Accelerator mode. Also set implicit by the other
187 accelerator directives
189 vhost Accelerator mode using Host header for virtual
192 vport Accelerator with IP based virtual host support
194 vport=NN As above, but uses specified port number rather
195 than the https_port number
199 NAME: ssl_unclean_shutdown
203 LOC: Config.SSL.unclean_shutdown
205 Some browsers (especially MSIE) bugs out on SSL shutdown
212 LOC: Config.SSL.ssl_engine
215 The openssl engine to use. You will need to set this if you
216 would like to use hardware SSL acceleration for example.
219 NAME: sslproxy_client_certificate
222 LOC: Config.ssl_client.cert
225 Client SSL Certificate to use when proxying https:// URLs
228 NAME: sslproxy_client_key
231 LOC: Config.ssl_client.key
234 Client SSL Key to use when proxying https:// URLs
237 NAME: sslproxy_version
240 LOC: Config.ssl_client.version
243 SSL version level to use when proxying https:// URLs
246 NAME: sslproxy_options
249 LOC: Config.ssl_client.options
252 SSL engine options to use when proxying https:// URLs
255 NAME: sslproxy_cipher
258 LOC: Config.ssl_client.cipher
261 SSL cipher list to use when proxying https:// URLs
264 NAME: sslproxy_cafile
267 LOC: Config.ssl_client.cafile
270 file containing CA certificates to use when verifying server
271 certificates while proxying https:// URLs
274 NAME: sslproxy_capath
277 LOC: Config.ssl_client.capath
280 directory containing CA certificates to use when verifying
281 server certificates while proxying https:// URLs
287 LOC: Config.ssl_client.flags
290 Various flags modifying the use of SSL while proxying https:// URLs:
291 DONT_VERIFY_PEER Accept certificates even if they fail to
293 NO_DEFAULT_CA Don't use the default CA list built in
297 NAME: sslpassword_program
300 LOC: Config.Program.ssl_password
303 Specify a program used for entering SSL key passphrases
304 when using encrypted SSL certificate keys. If not specified
305 keys must either be unencrypted, or Squid started with the -N
306 option to allow it to query interactively for the passphrase.
309 NAME: icp_port udp_port
314 The port number where Squid sends and receives ICP queries to
315 and from neighbor caches. The standard UDP port for ICP is 3130.
316 Default is disabled (0).
326 LOC: Config.Port.htcp
328 The port number where Squid sends and receives HTCP queries to
329 and from neighbor caches. Default is 4827. To disable use
336 LOC: Config.mcast_group_list
339 This tag specifies a list of multicast groups which your server
340 should join to receive multicasted ICP queries.
342 NOTE! Be very careful what you put here! Be sure you
343 understand the difference between an ICP _query_ and an ICP
344 _reply_. This option is to be set only if you want to RECEIVE
345 multicast queries. Do NOT set this option to SEND multicast
346 ICP (use cache_peer for that). ICP replies are always sent via
347 unicast, so this option does not affect whether or not you will
348 receive replies from multicast group members.
350 You must be very careful to NOT use a multicast address which
351 is already in use by another group of caches.
353 If you are unsure about multicast, please read the Multicast
354 chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
356 Usage: mcast_groups 239.128.16.128 224.0.1.20
358 By default, Squid doesn't listen on any multicast groups.
362 NAME: udp_incoming_address
364 LOC:Config.Addrs.udp_incoming
368 NAME: udp_outgoing_address
370 LOC: Config.Addrs.udp_outgoing
371 DEFAULT: 255.255.255.255
373 udp_incoming_address is used for the ICP socket receiving packets
375 udp_outgoing_address is used for ICP packets sent out to other
378 The default behavior is to not bind to any specific address.
380 A udp_incoming_address value of 0.0.0.0 indicates Squid
381 should listen for UDP messages on all available interfaces.
383 If udp_outgoing_address is set to 255.255.255.255 (the default)
384 it will use the same socket as udp_incoming_address. Only
385 change this if you want to have ICP queries sent using another
386 address than where this Squid listens for ICP queries from other
389 NOTE, udp_incoming_address and udp_outgoing_address can not
390 have the same value since they both use port 3130.
394 OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
395 -----------------------------------------------------------------------------
403 To specify other caches in a hierarchy, use the format:
405 cache_peer hostname type http_port icp_port [options]
410 # hostname type port port options
411 # -------------------- -------- ----- ----- -----------
412 cache_peer parent.foo.net parent 3128 3130 [proxy-only]
413 cache_peer sib1.foo.net sibling 3128 3130 [proxy-only]
414 cache_peer sib2.foo.net sibling 3128 3130 [proxy-only]
416 type: either 'parent', 'sibling', or 'multicast'.
418 proxy_port: The port number where the cache listens for proxy
421 icp_port: Used for querying neighbor caches about
422 objects. To have a non-ICP neighbor
423 specify '7' for the ICP port and make sure the
424 neighbor machine has the UDP echo port
425 enabled in its /etc/inetd.conf file.
442 login=user:password | PASS | *:password
452 sslcert=/path/to/ssl/certificate
453 sslkey=/path/to/ssl/key
457 front-end-https[=on|auto]
459 use 'proxy-only' to specify objects fetched
460 from this cache should not be saved locally.
462 use 'weight=n' to specify a weighted parent.
463 The weight must be an integer. The default weight
464 is 1, larger weights are favored more.
466 use 'basetime=n' to specify a base amount to
467 be subtracted from round trip times of parents.
468 It is subtracted before division by weight in calculating
469 which parent to fectch from. If the rtt is less than the
470 base time the rtt is set to a minimal value.
472 use 'ttl=n' to specify a IP multicast TTL to use
473 when sending an ICP queries to this address.
474 Only useful when sending to a multicast group.
475 Because we don't accept ICP replies from random
476 hosts, you must configure other group members as
477 peers with the 'multicast-responder' option below.
479 use 'no-query' to NOT send ICP queries to this
482 use 'background-ping' to only send ICP queries to this
483 neighbor infrequently. This is used to keep the neighbor
484 round trip time updated and is usually used in
485 conjunction with weighted-round-robin.
487 use 'default' if this is a parent cache which can
488 be used as a "last-resort." You should probably
489 only use 'default' in situations where you cannot
490 use ICP with your parent cache(s).
492 use 'round-robin' to define a set of parents which
493 should be used in a round-robin fashion in the
494 absence of any ICP queries.
496 use 'weighted-round-robin' to define a set of parents
497 which should be used in a round-robin fashion with the
498 frequency of each parent being based on the round trip
499 time. Closer parents are used more often.
500 Usually used for background-ping parents.
502 use 'carp' to define a set of parents which should
503 be used as a CARP array. The requests will be
504 distributed among the parents based on the CARP load
505 balancing hash function based on their weigth.
507 'multicast-responder' indicates the named peer
508 is a member of a multicast group. ICP queries will
509 not be sent directly to the peer, but ICP replies
510 will be accepted from it.
512 'closest-only' indicates that, for ICP_OP_MISS
513 replies, we'll only forward CLOSEST_PARENT_MISSes
514 and never FIRST_PARENT_MISSes.
516 use 'no-digest' to NOT request cache digests from
519 'no-netdb-exchange' disables requesting ICMP
520 RTT database (NetDB) from the neighbor.
522 use 'no-delay' to prevent access to this neighbor
523 from influencing the delay pools.
525 use 'login=user:password' if this is a personal/workgroup
526 proxy and your parent requires proxy authentication.
527 Note: The string can include URL escapes (i.e. %20 for
528 spaces). This also means % must be written as %%.
530 use 'login=PASS' if users must authenticate against
531 the upstream proxy. This will pass the users credentials
532 as they are to the peer proxy. This only works for the
533 Basic HTTP authentication sheme. Note: To combine this
534 with proxy_auth both proxies must share the same user
535 database as HTTP only allows for one proxy login.
536 Also be warned this will expose your users proxy
537 password to the peer. USE WITH CAUTION
539 use 'login=*:password' to pass the username to the
540 upstream cache, but with a fixed password. This is meant
541 to be used when the peer is in another administrative
542 domain, but it is still needed to identify each user.
543 The star can optionally be followed by some extra
544 information which is added to the username. This can
545 be used to identify this proxy to the peer, similar to
546 the login=username:password option above.
548 use 'connect-timeout=nn' to specify a peer
549 specific connect timeout (also see the
550 peer_connect_timeout directive)
552 use 'digest-url=url' to tell Squid to fetch the cache
553 digest (if digests are enabled) for this host from
554 the specified URL rather than the Squid default
557 use 'allow-miss' to disable Squid's use of only-if-cached
558 when forwarding requests to siblings. This is primarily
559 useful when icp_hit_stale is used by the sibling. To
560 extensive use of this option may result in forwarding
561 loops, and you should avoid having two-way peerings
562 with this option. (for example to deny peer usage on
563 requests from peer by denying cache_peer_access if the
566 use 'max-conn' to limit the amount of connections Squid
567 may open to this peer.
569 use 'htcp' to send HTCP, instead of ICP, queries
570 to the neighbor. You probably also want to
571 set the "icp port" to 4827 instead of 3130.
573 'originserver' causes this parent peer to be contacted as
574 a origin server. Meant to be used in accelerator setups.
576 use 'name=xxx' if you have multiple peers on the same
577 host but different ports. This name can be used to
578 differentiate the peers in cache_peer_access and similar
581 use 'forceddomain=name' to forcibly set the Host header
582 of requests forwarded to this peer. Useful in accelerator
583 setups where the server (peer) expects a certain domain
584 name and using redirectors to feed this domainname
587 use 'ssl' to indicate connections to this peer should
588 bs SSL/TLS encrypted.
590 use 'sslcert=/path/to/ssl/certificate' to specify a client
591 SSL certificate to use when connecting to this peer.
593 use 'sslkey=/path/to/ssl/key' to specify the private SSL
594 key corresponding to sslcert above. If 'sslkey' is not
595 specified 'sslcert' is assumed to reference a
596 combined file containing both the certificate and the key.
598 use sslversion=1|2|3|4 to specify the SSL version to use
599 when connecting to this peer
600 1 = automatic (default)
605 use sslcipher=... to specify the list of valid SSL chipers
606 to use when connecting to this peer
608 use ssloptions=... to specify various SSL engine options:
609 NO_SSLv2 Disallow the use of SSLv2
610 NO_SSLv3 Disallow the use of SSLv3
611 NO_TLSv1 Disallow the use of TLSv1
612 See src/ssl_support.c or the OpenSSL documentation for
613 a more complete list.
615 use cafile=... to specify a file containing additional
616 CA certificates to use when verifying the peer certificate
618 use capath=... to specify a directory containing additional
619 CA certificates to use when verifying the peer certificate
621 use sslflags=... to specify various flags modifying the
624 Accept certificates even if they fail to
627 Don't use the default CA list built in
630 Don't verify the peer certificate
631 matches the server name
633 use sslname= to specify the peer name as advertised
634 in it's certificate. Used for verifying the correctness
635 of the received peer certificate. If not specified the
636 peer hostname will be used.
638 use front-end-https to enable the "Front-End-Https: On"
639 header needed when using Squid as a SSL frontend infront
640 of Microsoft OWA. See MS KB document Q307347 for details
641 on this header. If set to auto the header will
642 only be added if the request is forwarded as a https://
645 NOTE: non-ICP neighbors must be specified as 'parent'.
648 NAME: cache_peer_domain cache_host_domain
653 Use to limit the domains for which a neighbor cache will be
656 cache_peer_domain cache-host domain [domain ...]
657 cache_peer_domain cache-host !domain
659 For example, specifying
661 cache_peer_domain parent.foo.net .edu
663 has the effect such that UDP query packets are sent to
664 'bigserver' only when the requested object exists on a
665 server in the .edu domain. Prefixing the domainname
666 with '!' means the cache will be queried for objects
669 NOTE: * Any number of domains may be given for a cache-host,
670 either on the same or separate lines.
671 * When multiple domains are given for a particular
672 cache-host, the first matched domain is applied.
673 * Cache hosts with no domain restrictions are queried
675 * There are no defaults.
676 * There is also a 'cache_peer_access' tag in the ACL
681 NAME: neighbor_type_domain
686 usage: neighbor_type_domain neighbor parent|sibling domain domain ...
688 Modifying the neighbor type for specific domains is now
689 possible. You can treat some domains differently than the the
690 default neighbor type specified on the 'cache_peer' line.
691 Normally it should only be necessary to list domains which
692 should be treated differently because the default neighbor type
693 applies for hostnames which do not match domains listed here.
696 cache_peer parent cache.foo.org 3128 3130
697 neighbor_type_domain cache.foo.org sibling .com .net
698 neighbor_type_domain cache.foo.org sibling .au .de
701 NAME: icp_query_timeout
705 LOC: Config.Timeout.icp_query
707 Normally Squid will automatically determine an optimal ICP
708 query timeout value based on the round-trip-time of recent ICP
709 queries. If you want to override the value determined by
710 Squid, set this 'icp_query_timeout' to a non-zero value. This
711 value is specified in MILLISECONDS, so, to use a 2-second
712 timeout (the old default), you would write:
714 icp_query_timeout 2000
717 NAME: maximum_icp_query_timeout
721 LOC: Config.Timeout.icp_query_max
723 Normally the ICP query timeout is determined dynamically. But
724 sometimes it can lead to very large values (say 5 seconds).
725 Use this option to put an upper limit on the dynamic timeout
726 value. Do NOT use this option to always use a fixed (instead
727 of a dynamic) timeout value. To set a fixed timeout see the
728 'icp_query_timeout' directive.
731 NAME: minimum_icp_query_timeout
735 LOC: Config.Timeout.icp_query_min
737 Normally the ICP query timeout is determined dynamically. But
738 sometimes it can lead to very small timeouts, even lower than
739 the normal latency variance on your link due to traffic.
740 Use this option to put an lower limit on the dynamic timeout
741 value. Do NOT use this option to always use a fixed (instead
742 of a dynamic) timeout value. To set a fixed timeout see the
743 'icp_query_timeout' directive.
746 NAME: mcast_icp_query_timeout
750 LOC: Config.Timeout.mcast_icp_query
752 For Multicast peers, Squid regularly sends out ICP "probes" to
753 count how many other peers are listening on the given multicast
754 address. This value specifies how long Squid should wait to
755 count all the replies. The default is 2000 msec, or 2
759 NAME: dead_peer_timeout
763 LOC: Config.Timeout.deadPeer
765 This controls how long Squid waits to declare a peer cache
766 as "dead." If there are no ICP replies received in this
767 amount of time, Squid will declare the peer dead and not
768 expect to receive any further ICP replies. However, it
769 continues to send ICP queries, and will mark the peer as
770 alive upon receipt of the first subsequent ICP reply.
772 This timeout also affects when Squid expects to receive ICP
773 replies from peers. If more than 'dead_peer' seconds have
774 passed since the last ICP reply was received, Squid will not
775 expect to receive an ICP reply on the next query. Thus, if
776 your time between requests is greater than this timeout, you
777 will see a lot of requests sent DIRECT to origin servers
778 instead of to your parents.
782 NAME: hierarchy_stoplist
785 LOC: Config.hierarchy_stoplist
787 A list of words which, if found in a URL, cause the object to
788 be handled directly by this cache. In other words, use this
789 to not query neighbor caches for certain objects. You may
790 list this option multiple times.
792 #We recommend you to use at least the following line.
793 hierarchy_stoplist cgi-bin ?
801 LOC: Config.accessList.noCache
803 A list of ACL elements which, if matched, cause the request to
804 not be satisfied from the cache and the reply to not be cached.
805 In other words, use this to force certain objects to never be cached.
807 You must use the word 'DENY' to indicate the ACL names which should
811 #We recommend you to use the following two lines.
812 acl QUERY urlpath_regex cgi-bin \?
817 NAME: background_ping_rate
821 LOC: Config.backgroundPingRate
823 Controls how often the ICP pings are sent to siblings that
824 have background-ping set.
829 OPTIONS WHICH AFFECT THE CACHE SIZE
830 -----------------------------------------------------------------------------
837 LOC: Config.memMaxSize
839 NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
840 IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
841 USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
842 THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
844 'cache_mem' specifies the ideal amount of memory to be used
848 * Negative-Cached objects
850 Data for these objects are stored in 4 KB blocks. This
851 parameter specifies the ideal upper limit on the total size of
852 4 KB blocks allocated. In-Transit objects take the highest
855 In-transit objects have priority over the others. When
856 additional space is needed for incoming data, negative-cached
857 and hot objects will be released. In other words, the
858 negative-cached and hot objects will fill up any unused space
859 not needed for in-transit objects.
861 If circumstances require, this limit will be exceeded.
862 Specifically, if your incoming request rate requires more than
863 'cache_mem' of memory to hold in-transit objects, Squid will
864 exceed this limit to satisfy the new requests. When the load
865 decreases, blocks will be freed until the high-water mark is
866 reached. Thereafter, blocks will be used to store hot
872 COMMENT: (percent, 0-100)
875 LOC: Config.Swap.lowWaterMark
878 NAME: cache_swap_high
879 COMMENT: (percent, 0-100)
882 LOC: Config.Swap.highWaterMark
885 The low- and high-water marks for cache object replacement.
886 Replacement begins when the swap (disk) usage is above the
887 low-water mark and attempts to maintain utilization near the
888 low-water mark. As swap utilization gets close to high-water
889 mark object eviction becomes more aggressive. If utilization is
890 close to the low-water mark less replacement is done each time.
892 Defaults are 90% and 95%. If you have a large cache, 5% could be
893 hundreds of MB. If this is the case you may wish to set these
894 numbers closer together.
897 NAME: maximum_object_size
901 LOC: Config.Store.maxObjectSize
903 Objects larger than this size will NOT be saved on disk. The
904 value is specified in kilobytes, and the default is 4MB. If
905 you wish to get a high BYTES hit ratio, you should probably
906 increase this (one 32 MB object hit counts for 3200 10KB
907 hits). If you wish to increase speed more than your want to
908 save bandwidth you should leave this low.
910 NOTE: if using the LFUDA replacement policy you should increase
911 this value to maximize the byte hit rate improvement of LFUDA!
912 See replacement_policy below for a discussion of this policy.
915 NAME: minimum_object_size
919 LOC: Config.Store.minObjectSize
921 Objects smaller than this size will NOT be saved on disk. The
922 value is specified in kilobytes, and the default is 0 KB, which
923 means there is no minimum.
926 NAME: maximum_object_size_in_memory
930 LOC: Config.Store.maxInMemObjSize
932 Objects greater than this size will not be attempted to kept in
933 the memory cache. This should be set high enough to keep objects
934 accessed frequently in memory to improve performance whilst low
935 enough to keep larger objects from hoarding cache_mem .
939 COMMENT: (number of entries)
942 LOC: Config.ipcache.size
949 LOC: Config.ipcache.low
956 LOC: Config.ipcache.high
958 The size, low-, and high-water marks for the IP cache.
962 COMMENT: (number of entries)
965 LOC: Config.fqdncache.size
967 Maximum number of FQDN cache entries.
970 NAME: cache_replacement_policy
972 LOC: Config.replPolicy
975 The cache replacement policy parameter determines which
976 objects are evicted (replaced) when disk space is needed.
978 lru : Squid's original list based LRU policy
979 heap GDSF : Greedy-Dual Size Frequency
980 heap LFUDA: Least Frequently Used with Dynamic Aging
981 heap LRU : LRU policy implemented using a heap
983 Applies to any cache_dir lines listed below this.
985 The LRU policies keeps recently referenced objects.
987 The heap GDSF policy optimizes object hit rate by keeping smaller
988 popular objects in cache so it has a better chance of getting a
989 hit. It achieves a lower byte hit rate than LFUDA though since
990 it evicts larger (possibly popular) objects.
992 The heap LFUDA policy keeps popular objects in cache regardless of
993 their size and thus optimizes byte hit rate at the expense of
994 hit rate since one large, popular object will prevent many
995 smaller, slightly less popular objects from being cached.
997 Both policies utilize a dynamic aging mechanism that prevents
998 cache pollution that can otherwise occur with frequency-based
999 replacement policies.
1001 NOTE: if using the LFUDA replacement policy you should increase
1002 the value of maximum_object_size above its default of 4096 KB to
1003 to maximize the potential byte hit rate improvement of LFUDA.
1005 For more information about the GDSF and LFUDA cache replacement
1006 policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
1007 and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
1010 NAME: memory_replacement_policy
1012 LOC: Config.memPolicy
1015 The memory replacement policy parameter determines which
1016 objects are purged from memory when memory space is needed.
1018 See cache_replacement_policy for details.
1023 LOGFILE PATHNAMES AND CACHE DIRECTORIES
1024 -----------------------------------------------------------------------------
1030 DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256
1031 LOC: Config.cacheSwap
1035 cache_dir Type Directory-Name Fs-specific-data [options]
1037 You can specify multiple cache_dir lines to spread the
1038 cache among different disk partitions.
1040 Type specifies the kind of storage system to use. Only "ufs"
1041 is built by default. To eanble any of the other storage systems
1042 see the --enable-storeio configure option.
1044 'Directory' is a top-level directory where cache swap
1045 files will be stored. If you want to use an entire disk
1046 for caching, this can be the mount-point directory.
1047 The directory must exist and be writable by the Squid
1048 process. Squid will NOT create this directory for you.
1052 "ufs" is the old well-known Squid storage format that has always
1055 cache_dir ufs Directory-Name Mbytes L1 L2 [options]
1057 'Mbytes' is the amount of disk space (MB) to use under this
1058 directory. The default is 100 MB. Change this to suit your
1059 configuration. Do NOT put the size of your disk drive here.
1060 Instead, if you want Squid to use the entire disk drive,
1061 subtract 20% and use that value.
1063 'Level-1' is the number of first-level subdirectories which
1064 will be created under the 'Directory'. The default is 16.
1066 'Level-2' is the number of second-level subdirectories which
1067 will be created under each first-level directory. The default
1070 The aufs store type:
1072 "aufs" uses the same storage format as "ufs", utilizing
1073 POSIX-threads to avoid blocking the main Squid process on
1074 disk-I/O. This was formerly known in Squid as async-io.
1076 cache_dir aufs Directory-Name Mbytes L1 L2 [options]
1078 see argument descriptions under ufs above
1080 The diskd store type:
1082 "diskd" uses the same storage format as "ufs", utilizing a
1083 separate process to avoid blocking the main Squid process on
1086 cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
1088 see argument descriptions under ufs above
1090 Q1 specifies the number of unacknowledged I/O requests when Squid
1091 stops opening new files. If this many messages are in the queues,
1092 Squid won't open new files. Default is 64
1094 Q2 specifies the number of unacknowledged messages when Squid
1095 starts blocking. If this many messages are in the queues,
1096 Squid blocks until it receives some replies. Default is 72
1098 When Q1 < Q2 (the default), the cache directory is optimized
1099 for lower response time at the expense of a decrease in hit
1100 ratio. If Q1 > Q2, the cache directory is optimized for
1101 higher hit ratio at the expense of an increase in response
1104 The coss store type:
1106 block-size=n defines the "block size" for COSS cache_dir's.
1107 Squid uses file numbers as block numbers. Since file numbers
1108 are limited to 24 bits, the block size determines the maximum
1109 size of the COSS partition. The default is 512 bytes, which
1110 leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
1111 you should not change the coss block size after Squid
1112 has written some objects to the cache_dir.
1116 read-only, this cache_dir is read only.
1118 max-size=n, refers to the max object size this storedir supports.
1119 It is used to initially choose the storedir to dump the object.
1120 Note: To make optimal use of the max-size limits you should order
1121 the cache_dir lines with the smallest max-size value first and the
1122 ones with no max-size specification last.
1124 Note for coss, max-size must be less than COSS_MEMBUF_SZ,
1125 which can be changed with the --with-coss-membuf-size=N configure
1132 LOC: Config.Log.logformats
1137 logformat <name> <format specification>
1139 Defines an access log format.
1141 The <format specification> is a string with embedded % format codes
1143 % format codes all follow the same basic structure where all but
1144 the formatcode is optional. Output strings are automatically quoted
1145 as required according to their context and the output format
1146 modifiers are usually unneeded but can be specified if an explicit
1147 quoting format is desired.
1149 % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
1151 " quoted string output format
1152 [ squid log quoted format as used by log_mime_hdrs
1153 # URL quoted output format
1154 ' No automatic quoting
1156 width field width. If starting with 0 the
1157 output is zero padded
1158 {arg} argument such as header name etc
1162 >a Client source IP address
1164 <A Server IP address or peer name
1165 la Local IP address (http_port)
1166 lp Local port number (http_port)
1167 ts Seconds since epoch
1168 tu subsecond time (milliseconds)
1169 tl Local time. Optional strftime format argument
1170 default %d/%b/%Y:%H:%M:S %z
1171 tg GMT time. Optional strftime format argument
1172 default %d/%b/%Y:%H:%M:S %z
1173 tr Response time (milliseconds)
1174 >h Request header. Optional header name argument
1175 on the format header[:[separator]element]
1176 <h Reply header. Optional header name argument
1181 ue User from external acl
1183 Ss Squid request status (TCP_MISS etc)
1184 Sh Squid hierarchy status (DEFAULT_PARENT etc)
1185 mt MIME content type
1186 rm Request method (GET/POST etc)
1188 rv Request protocol version
1189 et Tag returned by external acl
1190 ea Log string returned by external acl
1191 <st Reply size including HTTP headers
1192 <sH Reply high offset sent
1193 <sS Upstream object size
1194 % a literal % character
1196 logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
1197 logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
1198 logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
1199 logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
1202 NAME: access_log cache_access_log
1204 LOC: Config.Log.accesslogs
1206 DEFAULT_IF_NONE: @DEFAULT_ACCESS_LOG@
1208 These files log client request activities. Has a line every HTTP or
1209 ICP request. The format is:
1210 access_log <filepath> [<logformat name> [acl acl ...]]
1211 access_log none [acl acl ...]]
1213 Will log to the specified file using the specified format (which
1214 must be defined in a logformat directive) those entries which match
1215 ALL the acl's specified (which must be defined in acl clauses).
1216 If no acl is specified, all requests will be logged to this file.
1218 To disable logging of a request specify "none".
1224 DEFAULT: @DEFAULT_CACHE_LOG@
1227 Cache logging file. This is where general information about
1228 your cache's behavior goes. You can increase the amount of data
1229 logged to this file with the "debug_options" tag below.
1233 NAME: cache_store_log
1235 DEFAULT: @DEFAULT_STORE_LOG@
1236 LOC: Config.Log.store
1238 Logs the activities of the storage manager. Shows which
1239 objects are ejected from the cache, and which objects are
1240 saved and for how long. To disable, enter "none". There are
1241 not really utilities to analyze this data, so you can safely
1246 NAME: cache_swap_state cache_swap_log
1248 LOC: Config.Log.swap
1251 Location for the cache "swap.state" file. This index file holds
1252 the metadata of objects saved on disk. It is used to rebuild
1253 the cache during startup. Normally this file resides in each
1254 'cache_dir' directory, but you may specify an alternate
1255 pathname here. Note you must give a full filename, not just
1256 a directory. Since this is the index for the whole object
1257 list you CANNOT periodically rotate it!
1259 If %s can be used in the file name it will be replaced with a
1260 a representation of the cache_dir name where each / is replaced
1261 with '.'. This is needed to allow adding/removing cache_dir
1262 lines when cache_swap_log is being used.
1264 If have more than one 'cache_dir', and %s is not used in the name
1265 these swap logs will have names such as:
1271 The numbered extension (which is added automatically)
1272 corresponds to the order of the 'cache_dir' lines in this
1273 configuration file. If you change the order of the 'cache_dir'
1274 lines in this file, these log files will NOT correspond to
1275 the correct 'cache_dir' entry (unless you manually rename
1276 them). We recommend you do NOT use this option. It is
1277 better to keep these log files in each 'cache_dir' directory.
1281 NAME: emulate_httpd_log
1285 LOC: Config.onoff.common_log
1287 The Cache can emulate the log file format which many 'httpd'
1288 programs use. To disable/enable this emulation, set
1289 emulate_httpd_log to 'off' or 'on'. The default
1290 is to use the native log format since it includes useful
1291 information Squid-specific log analyzers use.
1294 NAME: log_ip_on_direct
1298 LOC: Config.onoff.log_ip_on_direct
1300 Log the destination IP address in the hierarchy log tag when going
1301 direct. Earlier Squid versions logged the hostname here. If you
1302 prefer the old way set this to off.
1307 DEFAULT: @DEFAULT_MIME_TABLE@
1308 LOC: Config.mimeTablePathname
1310 Pathname to Squid's MIME table. You shouldn't need to change
1311 this, but the default file contains examples and formatting
1312 information if you do.
1319 LOC: Config.onoff.log_mime_hdrs
1322 The Cache can record both the request and the response MIME
1323 headers for each HTTP transaction. The headers are encoded
1324 safely and will appear as two bracketed fields at the end of
1325 the access log (for either the native or httpd-emulated log
1326 formats). To enable this logging set log_mime_hdrs to 'on'.
1332 LOC: Config.Log.useragent
1334 IFDEF: USE_USERAGENT_LOG
1336 Squid will write the User-Agent field from HTTP requests
1337 to the filename specified here. By default useragent_log
1344 LOC: Config.Log.referer
1346 IFDEF: USE_REFERER_LOG
1348 Squid will write the Referer field from HTTP requests to the
1349 filename specified here. By default referer_log is disabled.
1355 DEFAULT: @DEFAULT_PID_FILE@
1356 LOC: Config.pidFilename
1358 A filename to write the process-id to. To disable, enter "none".
1365 LOC: Config.debugOptions
1367 Logging options are set as section,level where each source file
1368 is assigned a unique section. Lower levels result in less
1369 output, Full debugging (level 9) can result in a very large
1370 log file, so be careful. The magic word "ALL" sets debugging
1371 levels for all sections. We recommend normally running with
1380 LOC: Config.onoff.log_fqdn
1382 Turn this on if you wish to log fully qualified domain names
1383 in the access.log. To do this Squid does a DNS lookup of all
1384 IP's connecting to it. This can (in some situations) increase
1385 latency, which makes your cache seem slower for interactive
1390 NAME: client_netmask
1392 LOC: Config.Addrs.client_netmask
1393 DEFAULT: 255.255.255.255
1395 A netmask for client addresses in logfiles and cachemgr output.
1396 Change this to protect the privacy of your cache clients.
1397 A netmask of 255.255.255.0 will log all IP's in that range with
1398 the last digit set to '0'.
1403 OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
1404 -----------------------------------------------------------------------------
1410 LOC: Config.Ftp.anon_user
1412 If you want the anonymous login password to be more informative
1413 (and enable the use of picky ftp servers), set this to something
1414 reasonable for your domain, like wwwuser@somewhere.net
1416 The reason why this is domainless by default is the
1417 request can be made on the behalf of a user in any domain,
1418 depending on how the cache is used.
1419 Some ftp server also validate the email address is valid
1420 (for example perl.com).
1423 NAME: ftp_list_width
1426 LOC: Config.Ftp.list_width
1428 Sets the width of ftp listings. This should be set to fit in
1429 the width of a standard browser. Setting this too small
1430 can cut off long filenames when browsing ftp sites.
1436 LOC: Config.Ftp.passive
1438 If your firewall does not allow Squid to use passive
1439 connections, turn off this option.
1442 NAME: ftp_sanitycheck
1445 LOC: Config.Ftp.sanitycheck
1447 For security and data integrity reasons Squid by default performs
1448 sanity checks of the addresses of FTP data connections ensure the
1449 data connection is to the requested server. If you need to allow
1450 FTP connections to servers using another IP address for the data
1451 connection turn this off.
1454 NAME: check_hostnames
1457 LOC: Config.onoff.check_hostnames
1459 For security and stability reasons Squid by default checks
1460 hostnames for Internet standard RFC compliance. If you do not want
1461 Squid to perform these checks turn this directive off.
1464 NAME: ftp_telnet_protocol
1467 LOC: Config.Ftp.telnet
1469 The FTP protocol is officially defined to use the telnet protocol
1470 as transport channel for the control connection. However, many
1471 implemenations are broken and does not respect this aspect of
1474 If you have trouble accessing files with ASCII code 255 in the
1475 path or similar problems involving this ASCII code you can
1476 try setting this directive to off. If that helps, report to the
1477 operator of the FTP server in question that their FTP server
1478 is broken and does not follow the FTP standard.
1481 NAME: cache_dns_program
1483 IFDEF: USE_DNSSERVERS
1484 DEFAULT: @DEFAULT_DNSSERVER@
1485 LOC: Config.Program.dnsserver
1487 Specify the location of the executable for dnslookup process.
1492 IFDEF: USE_DNSSERVERS
1494 LOC: Config.dnsChildren
1496 The number of processes spawn to service DNS name lookups.
1497 For heavily loaded caches on large servers, you should
1498 probably increase this value to at least 10. The maximum
1499 is 32. The default is 5.
1501 You must have at least one dnsserver process.
1504 NAME: dns_retransmit_interval
1507 LOC: Config.Timeout.idns_retransmit
1508 IFDEF: !USE_DNSSERVERS
1510 Initial retransmit interval for DNS queries. The interval is
1511 doubled each time all configured DNS servers have been tried.
1518 LOC: Config.Timeout.idns_query
1519 IFDEF: !USE_DNSSERVERS
1521 DNS Query timeout. If no response is received to a DNS query
1522 within this time all DNS servers for the queried domain
1523 are assumed to be unavailable.
1528 IFDEF: USE_DNSSERVERS
1531 LOC: Config.onoff.res_defnames
1532 IFDEF: USE_DNSSERVERS
1534 Normally the 'dnsserver' disables the RES_DEFNAMES resolver
1535 option (see res_init(3)). This prevents caches in a hierarchy
1536 from interpreting single-component hostnames locally. To allow
1537 dnsserver to handle single-component names, enable this
1541 NAME: dns_nameservers
1544 LOC: Config.dns_nameservers
1546 Use this if you want to specify a list of DNS name servers
1547 (IP addresses) to use instead of those given in your
1548 /etc/resolv.conf file.
1549 On Windows platforms, if no value is specified here or in
1550 the /etc/resolv.conf file, the list of DNS name servers are
1551 taken from the Windows registry, both static and dynamic DHCP
1552 configurations are supported.
1554 Example: dns_nameservers 10.0.0.1 192.172.0.4
1559 DEFAULT: @DEFAULT_HOSTS@
1560 LOC: Config.etcHostsPath
1562 Location of the host-local IP name-address associations
1563 database. Most Operating Systems have such a file on different
1565 - Un*X & Linux: /etc/hosts
1566 - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
1567 (%SystemRoot% value install default is c:\winnt)
1568 - Windows XP: %SystemRoot%\system32\drivers\etc\hosts
1569 (%SystemRoot% value install default is c:\windows)
1570 - Windows 9x/Me: %windir%\hosts
1571 (%windir% value is usually c:\windows)
1572 - Cygwin: /etc/hosts
1574 The file contains newline-separated definitions, in the
1575 form ip_address_in_dotted_form name [name ...] names are
1576 whitespace-separated. Lines beginnng with an hash (#)
1577 character are comments.
1579 The file is checked at startup and upon configuration.
1580 If set to 'none', it won't be checked.
1581 If append_domain is used, that domain will be added to
1582 domain-local (i.e. not containing any dot character) host
1588 DEFAULT: @DEFAULT_DISKD@
1589 LOC: Config.Program.diskd
1591 Specify the location of the diskd executable.
1592 Note this is only useful if you have compiled in
1593 diskd as one of the store io modules.
1596 NAME: unlinkd_program
1599 DEFAULT: @DEFAULT_UNLINKD@
1600 LOC: Config.Program.unlinkd
1602 Specify the location of the executable for file deletion process.
1605 NAME: pinger_program
1607 DEFAULT: @DEFAULT_PINGER@
1608 LOC: Config.Program.pinger
1611 Specify the location of the executable for the pinger process.
1615 NAME: redirect_program
1617 LOC: Config.Program.redirect
1620 Specify the location of the executable for the URL redirector.
1621 Since they can perform almost any function there isn't one included.
1622 See the FAQ (section 15) for information on how to write one.
1623 By default, a redirector is not used.
1627 NAME: redirect_children
1630 LOC: Config.redirectChildren
1632 The number of redirector processes to spawn. If you start
1633 too few Squid will have to wait for them to process a backlog of
1634 URLs, slowing it down. If you start too many they will use RAM
1635 and other system resources.
1638 NAME: redirect_concurrency
1641 LOC: Config.redirectConcurrency
1643 The number of requests each redirector helper can handle in
1644 parallell. Defaults to 0 which indicates the redirector
1645 is a old-style singlethreaded redirector.
1648 NAME: redirect_rewrites_host_header
1651 LOC: Config.onoff.redir_rewrites_host
1653 By default Squid rewrites any Host: header in redirected
1654 requests. If you are running an accelerator this may
1655 not be a wanted effect of a redirector.
1657 WARNING: Entries are cached on the result of the URL rewriting
1658 process, so be careful if you have domain-virtual hosts.
1661 NAME: redirector_access
1664 LOC: Config.accessList.redirector
1666 If defined, this access list specifies which requests are
1667 sent to the redirector processes. By default all requests
1673 LOC: Config.authConfiguration
1676 This is used to pass parameters to the various authentication
1678 format: auth_param scheme parameter [setting]
1680 auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
1681 would tell the basic authentication scheme it's program parameter.
1683 The order authentication prompts are presented to the client_agent
1684 is dependant on the order the scheme first appears in config file.
1685 IE has a bug (it's not rfc 2617 compliant) in that it will use the basic
1686 scheme if basic is the first entry presented, even if more secure schemes
1687 are presented. For now use the order in the file below. If other browsers
1688 have difficulties (don't recognise the schemes offered even if you are using
1689 basic) either put basic first, or disable the other schemes (by commenting
1690 out their program entry).
1692 Once an authentication scheme is fully configured, it can only be shutdown
1693 by shutting squid down and restarting. Changes can be made on the fly and
1694 activated with a reconfigure. I.E. You can change to a different helper,
1695 but not unconfigure the helper completely.
1697 === Parameters for the basic scheme follow. ===
1700 Specify the command for the external authenticator. Such a
1701 program reads a line containing "username password" and replies
1702 "OK" or "ERR" in an endless loop. If you use an authenticator,
1703 make sure you have 1 acl of type proxy_auth. By default, the
1704 basic authentication sheme is not used unless a program is specified.
1706 If you want to use the traditional proxy authentication,
1707 jump over to the ../auth_modules/NCSA directory and
1712 Then, set this line to something like
1714 auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
1716 "children" numberofchildren
1717 The number of authenticator processes to spawn (no default).
1718 If you start too few Squid will have to wait for them to
1719 process a backlog of usercode/password verifications, slowing
1720 it down. When password verifications are done via a (slow)
1721 network you are likely to need lots of authenticator
1723 auth_param basic children 5
1725 "concurrency" concurrency
1726 The number of concurrent requests the helper can process.
1727 The default of 0 is used for helpers who only supports
1728 one request at a time.
1729 auth_param basic concurrency 0
1732 Specifies the realm name which is to be reported to the
1733 client for the basic proxy authentication scheme (part of
1734 the text the user will see when prompted their username and
1735 password). There is no default.
1736 auth_param basic realm Squid proxy-caching web server
1738 "credentialsttl" timetolive
1739 Specifies how long squid assumes an externally validated
1740 username:password pair is valid for - in other words how
1741 often the helper program is called for that user. Set this
1742 low to force revalidation with short lived passwords. Note
1743 setting this high does not impact your susceptability
1744 to replay attacks unless you are using an one-time password
1745 system (such as SecureID). If you are using such a system,
1746 you will be vulnerable to replay attacks unless you also
1747 use the max_user_ip ACL in an http_access rule.
1749 "casesensitive" on|off
1750 Specifies if usernames are case sensitive. Most user databases are
1751 case insensitive allowing the same username to be spelled using both
1752 lower and upper case letters, but some are case sensitive. This
1753 makes a big difference for user_max_ip ACL processing and similar.
1754 auth_param basic casesensitive off
1756 === Parameters for the digest scheme follow ===
1759 Specify the command for the external authenticator. Such
1760 a program reads a line containing "username":"realm" and
1761 replies with the appropriate H(A1) value base64 encoded or
1762 ERR if the user (or his H(A1) hash) does not exists.
1763 See rfc 2616 for the definition of H(A1).
1765 By default, the digest authentication is not used unless a
1766 program is specified.
1768 If you want to use a digest authenticator, jump over to the
1769 helpers/digest_auth/ directory and choose the authenticator
1770 to use. In it's directory type
1774 Then, set this line to something like
1776 auth_param digest program @DEFAULT_PREFIX@/bin/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass
1779 "children" numberofchildren
1780 The number of authenticator processes to spawn (no default).
1781 If you start too few Squid will have to wait for them to
1782 process a backlog of H(A1) calculations, slowing it down.
1783 When the H(A1) calculations are done via a (slow) network
1784 you are likely to need lots of authenticator processes.
1785 auth_param digest children 5
1788 Specifies the realm name which is to be reported to the
1789 client for the digest proxy authentication scheme (part of
1790 the text the user will see when prompted their username and
1791 password). There is no default.
1792 auth_param digest realm Squid proxy-caching web server
1794 "nonce_garbage_interval" timeinterval
1795 Specifies the interval that nonces that have been issued
1796 to client_agent's are checked for validity.
1798 "nonce_max_duration" timeinterval
1799 Specifies the maximum length of time a given nonce will be
1802 "nonce_max_count" number
1803 Specifies the maximum number of times a given nonce can be
1806 "nonce_strictness" on|off
1807 Determines if squid requires strict increment-by-1 behaviour
1808 for nonce counts, or just incrementing (off - for use when
1809 useragents generate nonce counts that occasionally miss 1
1810 (ie, 1,2,4,6)). Default off.
1812 "check_nonce_count" on|off
1813 This directive if set to off can disable the nonce count check
1814 completely to work around buggy digest qop implementations in
1815 certain mainstream browser versions. Default on to check the
1816 nonce count to protect from authentication replay attacks.
1818 "post_workaround" on|off
1819 This is a workaround to certain buggy browsers who sends
1820 an incorrect request digest in POST requests when reusing
1821 the same nonce as aquired earlier on a GET request.
1824 === NTLM scheme options follow ===
1827 Specify the command for the external ntlm authenticator.
1828 Such a program reads exchanged NTLMSSP packets with
1829 the browser via Squid until authentication is completed.
1830 If you use an ntlm authenticator, make sure you have 1 acl
1831 of type proxy_auth. By default, the ntlm authenticator_program
1834 auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
1836 "children" numberofchildren
1837 The number of authenticator processes to spawn (no default).
1838 If you start too few Squid will have to wait for them to
1839 process a backlog of credential verifications, slowing it
1840 down. When crendential verifications are done via a (slow)
1841 network you are likely to need lots of authenticator
1843 auth_param ntlm children 5
1845 "max_challenge_reuses" number
1846 The maximum number of times a challenge given by a ntlm
1847 authentication helper can be reused. Increasing this number
1848 increases your exposure to replay attacks on your network.
1849 0 means use the challenge only once. (disable challenge
1850 caching) See max_ntlm_challenge_lifetime for more information.
1851 auth_param ntlm max_challenge_reuses 0
1853 "max_challenge_lifetime" timespan
1854 The maximum time period a ntlm challenge is reused
1855 over. The actual period will be the minimum of this time
1856 AND the number of reused challenges.
1857 auth_param ntlm max_challenge_lifetime 2 minutes
1860 #Recommended minimum configuration:
1861 #auth_param digest program <uncomment and complete this line>
1862 #auth_param digest children 5
1863 #auth_param digest realm Squid proxy-caching web server
1864 #auth_param digest nonce_garbage_interval 5 minutes
1865 #auth_param digest nonce_max_duration 30 minutes
1866 #auth_param digest nonce_max_count 50
1867 #auth_param ntlm program <uncomment and complete this line to activate>
1868 #auth_param ntlm children 5
1869 #auth_param ntlm max_challenge_reuses 0
1870 #auth_param ntlm max_challenge_lifetime 2 minutes
1871 #auth_param basic program <uncomment and complete this line>
1872 auth_param basic children 5
1873 auth_param basic realm Squid proxy-caching web server
1874 auth_param basic credentialsttl 2 hours
1878 NAME: authenticate_cache_garbage_interval
1881 LOC: Config.authenticateGCInterval
1883 The time period between garbage collection across the
1884 username cache. This is a tradeoff between memory utilisation
1885 (long intervals - say 2 days) and CPU (short intervals -
1886 say 1 minute). Only change if you have good reason to.
1889 NAME: authenticate_ttl
1892 LOC: Config.authenticateTTL
1894 The time a user & their credentials stay in the logged in
1895 user cache since their last request. When the garbage
1896 interval passes, all user credentials that have passed their
1897 TTL are removed from memory.
1900 NAME: authenticate_ip_ttl
1902 LOC: Config.authenticateIpTTL
1905 If you use proxy authentication and the 'max_user_ip' ACL,
1906 this directive controls how long Squid remembers the IP
1907 addresses associated with each user. Use a small value
1908 (e.g., 60 seconds) if your users might change addresses
1909 quickly, as is the case with dialups. You might be safe
1910 using a larger value (e.g., 2 hours) in a corporate LAN
1911 environment with relatively static address assignments.
1914 NAME: external_acl_type
1915 TYPE: externalAclHelper
1916 LOC: Config.externalAclHelperList
1919 This option defines external acl classes using a helper program
1920 to look up the status
1922 external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
1926 ttl=n TTL in seconds for cached results (defaults to 3600
1929 TTL for cached negative lookups (default same
1931 children=n Number of acl helper processes spawn to service
1932 external acl lookups of this type.
1933 concurrency=n concurrency level per process. Use 0 for old style
1934 helpers who can only process a single request at a
1936 cache=n result cache size, 0 is unbounded (default)
1937 grace=n Percentage remaining of TTL where a refresh of a
1938 cached entry should be initiated without needing to
1939 wait for a new reply. (default 0 for no grace period)
1940 protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
1942 FORMAT specifications
1944 %LOGIN Authenticated user login name
1945 %IDENT Ident user name
1947 %SRCPORT Client source port
1949 %PROTO Requested protocol
1950 %PORT Requested port
1951 %PATH Requested URL path
1952 %METHOD Request method
1953 %MYADDR Squid interface address
1954 %MYPORT Squid http_port number
1955 %USER_CERT_xx SSL User certificate attribute xx
1956 %USER_CA_xx SSL User certificate CA attribute xx
1957 %{Header} HTTP request header
1958 %{Hdr:member} HTTP request header list member
1960 HTTP request header list member using ; as
1961 list separator. ; can be any non-alphanumeric
1964 In addition, any string specified in the referencing acl will
1965 also be included in the helper request line, after the specified
1966 formats (see the "acl external" directive)
1968 The helper receives lines per the above format specification,
1969 and returns lines starting with OK or ERR indicating the validity
1970 of the request and optionally followed by additional keywords with
1971 more details. To protect from odd characters the data is URL
1974 General result syntax:
1976 OK/ERR keyword=value ...
1980 user= The users name (login)
1981 password= The users password (for login= cache_peer option)
1982 message= Message describing the reason. Available as %o
1984 tag= Apply a tag to a request (for both ERR and OK results)
1985 Only sets a tag, does not alter existing tags.
1986 log= String to be logged in access.log. Available as
1987 %ea in logformat specifications
1989 Keyword values need to be URL escaped if they may contain
1990 contain whitespace or quotes.
1992 In Squid-2.5 compatibility mode quoting using " and \ is used
1993 instead of URL escaping.
1997 OPTIONS FOR TUNING THE CACHE
1998 -----------------------------------------------------------------------------
2001 NAME: wais_relay_host
2004 LOC: Config.Wais.relayHost
2007 NAME: wais_relay_port
2010 LOC: Config.Wais.relayPort
2012 Relay WAIS request to host (1st arg) at port (2 arg).
2016 NAME: request_header_max_size
2020 LOC: Config.maxRequestHeaderSize
2022 This specifies the maximum size for HTTP headers in a request.
2023 Request headers are usually relatively small (about 512 bytes).
2024 Placing a limit on the request header size will catch certain
2025 bugs (for example with persistent connections) and possibly
2026 buffer-overflow or denial-of-service attacks.
2029 NAME: request_body_max_size
2033 LOC: Config.maxRequestBodySize
2035 This specifies the maximum size for an HTTP request body.
2036 In other words, the maximum size of a PUT/POST request.
2037 A user who attempts to send a request with a body larger
2038 than this limit receives an "Invalid Request" error message.
2039 If you set this parameter to a zero (the default), there will
2040 be no limit imposed.
2043 NAME: refresh_pattern
2044 TYPE: refreshpattern
2048 usage: refresh_pattern [-i] regex min percent max [options]
2050 By default, regular expressions are CASE-SENSITIVE. To make
2051 them case-insensitive, use the -i option.
2053 'Min' is the time (in minutes) an object without an explicit
2054 expiry time should be considered fresh. The recommended
2055 value is 0, any higher values may cause dynamic applications
2056 to be erroneously cached unless the application designer
2057 has taken the appropriate actions.
2059 'Percent' is a percentage of the objects age (time since last
2060 modification age) an object without explicit expiry time
2061 will be considered fresh.
2063 'Max' is an upper limit on how long objects without an explicit
2064 expiry time will be considered fresh.
2066 options: override-expire
2075 override-expire enforces min age even if the server
2076 sent a Expires: header. Doing this VIOLATES the HTTP
2077 standard. Enabling this feature could make you liable
2078 for problems which it causes.
2080 override-lastmod enforces min age even on objects
2081 that were modified recently.
2083 reload-into-ims changes client no-cache or ``reload''
2084 to If-Modified-Since requests. Doing this VIOLATES the
2085 HTTP standard. Enabling this feature could make you
2086 liable for problems which it causes.
2088 ignore-reload ignores a client no-cache or ``reload''
2089 header. Doing this VIOLATES the HTTP standard. Enabling
2090 this feature could make you liable for problems which
2093 ignore-no-cache ignores any ``Pragma: no-cache'' and
2094 ``Cache-control: no-cache'' headers received from a server.
2095 The HTTP RFC never allows the use of this (Pragma) header
2096 from a server, only a client, though plenty of servers
2099 ignore-no-store ignores any ``Cache-control: no-store''
2100 headers received from a server. Doing this VIOLATES
2101 the HTTP standard. Enabling this feature could make you
2102 liable for problems which it causes.
2104 ignore-private ignores any ``Cache-control: private''
2105 headers received from a server. Doing this VIOLATES
2106 the HTTP standard. Enabling this feature could make you
2107 liable for problems which it causes.
2109 ignore-auth caches responses to requests with authorization,
2110 irrespective of ``Cache-control'' headers received from
2111 a server. Doing this VIOLATES the HTTP standard. Enabling
2112 this feature could make you liable for problems which
2115 Basically a cached object is:
2117 FRESH if expires < now, else STALE
2119 FRESH if lm-factor < percent, else STALE
2123 The refresh_pattern lines are checked in the order listed here.
2124 The first entry which matches is used. If none of the entries
2125 match the default will be used.
2127 Note, you must uncomment all the default lines if you want
2128 to change one. The default setting is only active if none is
2133 refresh_pattern ^ftp: 1440 20% 10080
2134 refresh_pattern ^gopher: 1440 0% 1440
2135 refresh_pattern . 0 20% 4320
2139 NAME: quick_abort_min
2143 LOC: Config.quickAbort.min
2146 NAME: quick_abort_max
2150 LOC: Config.quickAbort.max
2153 NAME: quick_abort_pct
2157 LOC: Config.quickAbort.pct
2159 The cache by default continues downloading aborted requests
2160 which are almost completed (less than 16 KB remaining). This
2161 may be undesirable on slow (e.g. SLIP) links and/or very busy
2162 caches. Impatient users may tie up file descriptors and
2163 bandwidth by repeatedly requesting and immediately aborting
2166 When the user aborts a request, Squid will check the
2167 quick_abort values to the amount of data transfered until
2170 If the transfer has less than 'quick_abort_min' KB remaining,
2171 it will finish the retrieval.
2173 If the transfer has more than 'quick_abort_max' KB remaining,
2174 it will abort the retrieval.
2176 If more than 'quick_abort_pct' of the transfer has completed,
2177 it will finish the retrieval.
2179 If you do not want any retrieval to continue after the client
2180 has aborted, set both 'quick_abort_min' and 'quick_abort_max'
2183 If you want retrievals to always continue if they are being
2184 cached set 'quick_abort_min' to '-1 KB'.
2187 NAME: read_ahead_gap
2188 COMMENT: buffer-size
2190 LOC: Config.readAheadGap
2193 The amount of data the cache will buffer ahead of what has been
2194 sent to the client when retrieving an object from another server.
2200 LOC: Config.negativeTtl
2203 Time-to-Live (TTL) for failed requests. Certain types of
2204 failures (such as "connection refused" and "404 Not Found") are
2205 negatively-cached for a configurable amount of time. The
2206 default is 5 minutes. Note that this is different from
2207 negative caching of DNS lookups.
2211 NAME: positive_dns_ttl
2214 LOC: Config.positiveDnsTtl
2217 Time-to-Live (TTL) for positive caching of successful DNS lookups.
2218 Default is 6 hours (360 minutes). If you want to minimize the
2219 use of Squid's ipcache, set this to 1, not 0.
2223 NAME: negative_dns_ttl
2226 LOC: Config.negativeDnsTtl
2229 Time-to-Live (TTL) for negative caching of failed DNS lookups.
2232 NAME: range_offset_limit
2235 LOC: Config.rangeOffsetLimit
2238 Sets a upper limit on how far into the the file a Range request
2239 may be to cause Squid to prefetch the whole file. If beyond this
2240 limit Squid forwards the Range request as it is and the result
2243 This is to stop a far ahead range request (lets say start at 17MB)
2244 from making Squid fetch the whole object up to that point before
2245 sending anything to the client.
2247 A value of -1 causes Squid to always fetch the object from the
2248 beginning so it may cache the result. (2.0 style)
2250 A value of 0 causes Squid to never fetch more than the
2251 client requested. (default)
2257 -----------------------------------------------------------------------------
2260 NAME: forward_timeout
2263 LOC: Config.Timeout.forward
2266 This parameter specifies how long Squid should at most attempt in
2267 finding a forwarding path for the request before giving up.
2270 NAME: connect_timeout
2273 LOC: Config.Timeout.connect
2276 This parameter specifies how long to wait for the TCP connect to
2277 the requested server or peer to complete before Squid should
2278 attempt to find another path where to forward the request.
2281 NAME: peer_connect_timeout
2284 LOC: Config.Timeout.peer_connect
2287 This parameter specifies how long to wait for a pending TCP
2288 connection to a peer cache. The default is 30 seconds. You
2289 may also set different timeout values for individual neighbors
2290 with the 'connect-timeout' option on a 'cache_peer' line.
2296 LOC: Config.Timeout.read
2299 The read_timeout is applied on server-side connections. After
2300 each successful read(), the timeout will be extended by this
2301 amount. If no data is read again after this amount of time,
2302 the request is aborted and logged with ERR_READ_TIMEOUT. The
2303 default is 15 minutes.
2307 NAME: request_timeout
2309 LOC: Config.Timeout.request
2312 How long to wait for an HTTP request after initial
2313 connection establishment.
2317 NAME: persistent_request_timeout
2319 LOC: Config.Timeout.persistent_request
2322 How long to wait for the next HTTP request on a persistent
2323 connection after the previous request completes.
2327 NAME: client_lifetime
2330 LOC: Config.Timeout.lifetime
2333 The maximum amount of time a client (browser) is allowed to
2334 remain connected to the cache process. This protects the Cache
2335 from having a lot of sockets (and hence file descriptors) tied up
2336 in a CLOSE_WAIT state from remote clients that go away without
2337 properly shutting down (either because of a network failure or
2338 because of a poor client implementation). The default is one
2341 NOTE: The default value is intended to be much larger than any
2342 client would ever need to be connected to your cache. You
2343 should probably change client_lifetime only as a last resort.
2344 If you seem to have many client connections tying up
2345 filedescriptors, we recommend first tuning the read_timeout,
2346 request_timeout, persistent_request_timeout and quick_abort values.
2349 NAME: half_closed_clients
2351 LOC: Config.onoff.half_closed_clients
2354 Some clients may shutdown the sending side of their TCP
2355 connections, while leaving their receiving sides open. Sometimes,
2356 Squid can not tell the difference between a half-closed and a
2357 fully-closed TCP connection. By default, half-closed client
2358 connections are kept open until a read(2) or write(2) on the
2359 socket returns an error. Change this option to 'off' and Squid
2360 will immediately close client connections when read(2) returns
2361 "no more data to read."
2366 LOC: Config.Timeout.pconn
2367 DEFAULT: 120 seconds
2369 Timeout for idle persistent connections to servers and other
2376 LOC: Config.Timeout.ident
2379 Maximum time to wait for IDENT lookups to complete.
2381 If this is too high, and you enabled IDENT lookups from untrusted
2382 users, you might be susceptible to denial-of-service by having
2383 many ident requests going at once.
2387 NAME: shutdown_lifetime
2390 LOC: Config.shutdownLifetime
2393 When SIGTERM or SIGHUP is received, the cache is put into
2394 "shutdown pending" mode until all active sockets are closed.
2395 This value is the lifetime to set for all open descriptors
2396 during shutdown mode. Any active clients after this many
2397 seconds will receive a 'timeout' message.
2402 -----------------------------------------------------------------------------
2410 Defining an Access List
2412 acl aclname acltype string1 ...
2413 acl aclname acltype "file" ...
2415 when using "file", the file should contain one item per line
2417 acltype is one of the types described below
2419 By default, regular expressions are CASE-SENSITIVE. To make
2420 them case-insensitive, use the -i option.
2422 acl aclname src ip-address/netmask ... (clients IP address)
2423 acl aclname src addr1-addr2/netmask ... (range of addresses)
2424 acl aclname dst ip-address/netmask ... (URL host's IP address)
2425 acl aclname myip ip-address/netmask ... (local socket IP address)
2427 acl aclname srcdomain .foo.com ... # reverse lookup, client IP
2428 acl aclname dstdomain .foo.com ... # Destination server from URL
2429 acl aclname srcdom_regex [-i] xxx ... # regex matching client name
2430 acl aclname dstdom_regex [-i] xxx ... # regex matching server
2431 # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
2432 # based URL is used. The name "none" is used if the reverse lookup
2435 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
2444 h1:m1 must be less than h2:m2
2445 acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
2446 acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
2447 acl aclname port 80 70 21 ...
2448 acl aclname port 0-1024 ... # ranges allowed
2449 acl aclname myport 3128 ... # (local socket TCP port)
2450 acl aclname proto HTTP FTP ...
2451 acl aclname method GET POST ...
2452 acl aclname browser [-i] regexp ...
2453 # pattern match on User-Agent header
2454 acl aclname referer_regex [-i] regexp ...
2455 # pattern match on Referer header
2456 # Referer is highly unreliable, so use with care
2457 acl aclname ident username ...
2458 acl aclname ident_regex [-i] pattern ...
2459 # string match on ident output.
2460 # use REQUIRED to accept any non-null ident.
2461 acl aclname src_as number ...
2462 acl aclname dst_as number ...
2463 # Except for access control, AS numbers can be used for
2464 # routing of requests to specific caches. Here's an
2465 # example for routing all requests for AS#1241 and only
2466 # those to mycache.mydomain.net:
2467 # acl asexample dst_as 1241
2468 # cache_peer_access mycache.mydomain.net allow asexample
2469 # cache_peer_access mycache_mydomain.net deny all
2471 acl aclname proxy_auth [-i] username ...
2472 acl aclname proxy_auth_regex [-i] pattern ...
2473 # list of valid usernames
2474 # use REQUIRED to accept any valid username.
2476 # NOTE: when a Proxy-Authentication header is sent but it is not
2477 # needed during ACL checking the username is NOT logged
2480 # NOTE: proxy_auth requires a EXTERNAL authentication program
2481 # to check username/password combinations (see
2482 # auth_param directive).
2484 # NOTE: proxy_auth can't be used in a transparent proxy as
2485 # the browser needs to be configured for using a proxy in order
2486 # to respond to proxy authentication.
2488 acl aclname snmp_community string ...
2489 # A community string to limit access to your SNMP Agent
2492 # acl snmppublic snmp_community public
2494 acl aclname maxconn number
2495 # This will be matched when the client's IP address has
2496 # more than <number> HTTP connections established.
2498 acl aclname max_user_ip [-s] number
2499 # This will be matched when the user attempts to log in from more
2500 # than <number> different ip addresses. The authenticate_ip_ttl
2501 # parameter controls the timeout on the ip entries.
2502 # If -s is specified the limit is strict, denying browsing
2503 # from any further IP addresses until the ttl has expired. Without
2504 # -s Squid will just annoy the user by "randomly" denying requests.
2505 # (the counter is reset each time the limit is reached and a
2506 # request is denied)
2507 # NOTE: in acceleration mode or where there is mesh of child proxies,
2508 # clients may appear to come from multiple addresses if they are
2509 # going through proxy farms, so a limit of 1 may cause user problems.
2511 acl aclname req_mime_type mime-type1 ...
2512 # regex match agains the mime type of the request generated
2513 # by the client. Can be used to detect file upload or some
2514 # types HTTP tunelling requests.
2515 # NOTE: This does NOT match the reply. You cannot use this
2516 # to match the returned file type.
2518 acl aclname rep_mime_type mime-type1 ...
2519 # regex match against the mime type of the reply recieved by
2520 # squid. Can be used to detect file download or some
2521 # types HTTP tunelling requests.
2522 # NOTE: This has no effect in http_access rules. It only has
2523 # effect in rules that affect the reply data stream such as
2524 # http_reply_access.
2526 acl acl_name external class_name [arguments...]
2527 # external ACL lookup via a helper class defined by the
2528 # external_acl_type directive.
2530 acl aclname user_cert attribute values...
2531 # match against attributes in a user SSL certificate
2532 # attribute is one of DN/C/O/CN/L/ST
2534 acl aclname ca_cert attribute values...
2535 # match against attributes a users issuing CA SSL certificate
2536 # attribute is one of DN/C/O/CN/L/ST
2538 acl aclname ext_user username ...
2539 acl aclname ext_user_regex [-i] pattern ...
2540 # string match on username returned by external acl processing
2541 # use REQUIRED to accept any non-null user name.
2544 acl myexample dst_as 1241
2545 acl password proxy_auth REQUIRED
2546 acl fileupload req_mime_type -i ^multipart/form-data$
2547 acl javascript rep_mime_type -i ^application/x-javascript$
2550 #Recommended minimum configuration:
2551 acl all src 0.0.0.0/0.0.0.0
2552 acl manager proto cache_object
2553 acl localhost src 127.0.0.1/255.255.255.255
2554 acl to_localhost dst 127.0.0.0/8
2555 acl SSL_ports port 443 563
2556 acl Safe_ports port 80 # http
2557 acl Safe_ports port 21 # ftp
2558 acl Safe_ports port 443 563 # https, snews
2559 acl Safe_ports port 70 # gopher
2560 acl Safe_ports port 210 # wais
2561 acl Safe_ports port 1025-65535 # unregistered ports
2562 acl Safe_ports port 280 # http-mgmt
2563 acl Safe_ports port 488 # gss-http
2564 acl Safe_ports port 591 # filemaker
2565 acl Safe_ports port 777 # multiling http
2566 acl CONNECT method CONNECT
2572 LOC: Config.accessList.http
2574 DEFAULT_IF_NONE: deny all
2576 Allowing or Denying access based on defined access lists
2578 Access to the HTTP port:
2579 http_access allow|deny [!]aclname ...
2581 NOTE on default values:
2583 If there are no "access" lines present, the default is to deny
2586 If none of the "access" lines cause a match, the default is the
2587 opposite of the last line in the list. If the last line was
2588 deny, the default is allow. Conversely, if the last line
2589 is allow, the default will be deny. For these reasons, it is a
2590 good idea to have an "deny all" or "allow all" entry at the end
2591 of your access lists to avoid potential confusion.
2594 #Recommended minimum configuration:
2596 # Only allow cachemgr access from localhost
2597 http_access allow manager localhost
2598 http_access deny manager
2599 # Deny requests to unknown ports
2600 http_access deny !Safe_ports
2601 # Deny CONNECT to other than SSL ports
2602 http_access deny CONNECT !SSL_ports
2604 # We strongly recommend the following be uncommented to protect innocent
2605 # web applications running on the proxy server who think the only
2606 # one who can access services on "localhost" is a local user
2607 #http_access deny to_localhost
2609 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
2611 # Example rule allowing access from your local networks. Adapt
2612 # to list your (internal) IP networks from where browsing should
2614 #acl our_networks src 192.168.1.0/24 192.168.2.0/24
2615 #http_access allow our_networks
2617 # And finally deny all other access to this proxy
2618 http_access deny all
2622 NAME: http_reply_access
2624 LOC: Config.accessList.reply
2626 DEFAULT_IF_NONE: allow all
2628 Allow replies to client requests. This is complementary to http_access.
2630 http_reply_access allow|deny [!] aclname ...
2632 NOTE: if there are no access lines present, the default is to allow
2635 If none of the access lines cause a match the opposite of the
2636 last line will apply. Thus it is good practice to end the rules
2637 with an "allow all" or "deny all" entry.
2640 #Recommended minimum configuration:
2642 # Insert your own rules here.
2645 # and finally allow by default
2646 http_reply_access allow all
2653 LOC: Config.accessList.icp
2655 DEFAULT_IF_NONE: deny all
2657 Allowing or Denying access to the ICP port based on defined
2660 icp_access allow|deny [!]aclname ...
2662 See http_access for details
2665 #Allow ICP queries from everyone
2666 icp_access allow all
2673 LOC: Config.accessList.miss
2676 Use to force your neighbors to use you as a sibling instead of
2677 a parent. For example:
2679 acl localclients src 172.16.0.0/16
2680 miss_access allow localclients
2681 miss_access deny !localclients
2683 This means only your local clients are allowed to fetch
2684 MISSES and all other clients can only fetch HITS.
2686 By default, allow all clients who passed the http_access rules
2687 to fetch MISSES from us.
2691 # miss_access allow all
2696 NAME: cache_peer_access
2701 Similar to 'cache_peer_domain' but provides more flexibility by
2704 cache_peer_access cache-host allow|deny [!]aclname ...
2706 The syntax is identical to 'http_access' and the other lists of
2707 ACL elements. See the comments for 'http_access' below, or
2708 the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
2711 NAME: ident_lookup_access
2715 DEFAULT_IF_NONE: deny all
2716 LOC: Config.accessList.identLookup
2718 A list of ACL elements which, if matched, cause an ident
2719 (RFC 931) lookup to be performed for this request. For
2720 example, you might choose to always perform ident lookups
2721 for your main multi-user Unix boxes, but not for your Macs
2722 and PCs. By default, ident lookups are not performed for
2725 To enable ident lookups for specific client addresses, you
2726 can follow this example:
2728 acl ident_aware_hosts src 198.168.1.0/255.255.255.0
2729 ident_lookup_access allow ident_aware_hosts
2730 ident_lookup_access deny all
2732 Only src type ACL checks are fully supported. A src_domain
2733 ACL might work at times, but it will not always provide
2737 NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
2740 LOC: Config.accessList.outgoing_tos
2742 Allows you to select a TOS/Diffserv value to mark outgoing
2743 connections with, based on the username or source address
2746 tcp_outgoing_tos ds-field [!]aclname ...
2748 Example where normal_service_net uses the TOS value 0x00
2749 and normal_service_net uses 0x20
2751 acl normal_service_net src 10.0.0.0/255.255.255.0
2752 acl good_service_net src 10.0.1.0/255.255.255.0
2753 tcp_outgoing_tos 0x00 normal_service_net 0x00
2754 tcp_outgoing_tos 0x20 good_service_net
2756 TOS/DSCP values really only have local significance - so you should
2757 know what you're specifying. For more, see RFC 2474
2759 The TOS/DSCP byte must be exactly that - a byte, value 0 - 255, or
2760 "default" to use whatever default your host has.
2762 Processing proceeds in the order specified, and stops at first fully
2766 NAME: tcp_outgoing_address
2769 LOC: Config.accessList.outgoing_address
2771 Allows you to map requests to different outgoing IP addresses
2772 based on the username or sourceaddress of the user making
2775 tcp_outgoing_address ipaddr [[!]aclname] ...
2777 Example where requests from 10.0.0.0/24 will be forwareded
2778 with source address 10.1.0.1, 10.0.2.0/24 forwarded with
2779 source address 10.1.0.2 and the rest will be forwarded with
2780 source address 10.1.0.3.
2782 acl normal_service_net src 10.0.0.0/255.255.255.0
2783 acl good_service_net src 10.0.1.0/255.255.255.0
2784 tcp_outgoing_address 10.0.0.1 normal_service_net
2785 tcp_outgoing_address 10.0.0.2 good_service_net
2786 tcp_outgoing_address 10.0.0.3
2788 Processing proceeds in the order specified, and stops at first fully
2792 NAME: reply_body_max_size
2793 COMMENT: size [acl acl...]
2796 LOC: Config.ReplyBodySize
2798 This option specifies the maximum size of a reply body. It can be
2799 used to prevent users from downloading very large files, such as
2800 MP3's and movies. When the reply headers are recieved, the
2801 reply_body_max_size lines are processed, and the first line where
2802 all (if any) listed acls are true is used as the maximum body size
2805 This size is checked twice. First when we get the reply headers,
2806 we check the content-length value. If the content length value exists
2807 and is larger than the allowed size, the request is denied and the
2808 user receives an error message that says "the request or reply
2809 is too large." If there is no content-length, and the reply
2810 size exceeds this limit, the client's connection is just closed
2811 and they will receive a partial reply.
2813 WARNING: downstream caches probably can not detect a partial reply
2814 if there is no content-length header, so they will cache
2815 partial responses and give them out as hits. You should NOT
2816 use this option if you have downstream caches.
2818 WARNING: A maximum size smaller than the size of squid's error messages
2819 will cause an infinite loop and crash squid. Ensure that the smallest
2820 non-zero value you use is greater that the maximum header size plus
2821 the size of your largest error page.
2823 If you set this parameter none (the default), there will be
2829 LOC: Config.accessList.log
2831 COMMENT: allow|deny acl acl...
2833 This options allows you to control which requests gets logged
2834 to access.log (see access_log directive). Requests denied for
2835 logging will also not be accounted for in performance counters.
2839 ADMINISTRATIVE PARAMETERS
2840 -----------------------------------------------------------------------------
2846 LOC: Config.adminEmail
2848 Email-address of local cache manager who will receive
2849 mail if the cache dies. The default is "webmaster."
2853 NAME: cache_effective_user
2856 LOC: Config.effectiveUser
2858 If you start Squid as root, it will change its effective/real
2859 UID/GID to the user specified below. The default is to change
2860 to UID to nobody. If you define cache_effective_user, but not
2861 cache_effective_group, Squid sets the GID to the effective
2862 user's default group ID (taken from the password file) and
2863 supplementary group list from the from groups membership of
2864 cache_effective_user.
2868 NAME: cache_effective_group
2871 LOC: Config.effectiveGroup
2873 If you want Squid to run with a specific GID regardless of
2874 the group memberships of the effective user then set this
2875 to the group (or GID) you want Squid to run as. When set
2876 all other group privileges of the effective user is ignored
2877 and only this GID is effective. If Squid is not started as
2878 root the user starting Squid must be member of the specified
2883 NAME: visible_hostname
2885 LOC: Config.visibleHostname
2888 If you want to present a special hostname in error messages, etc,
2889 define this. Otherwise, the return value of gethostname()
2890 will be used. If you have multiple caches in a cluster and
2891 get errors about IP-forwarding you must set them to have individual
2892 names with this setting.
2896 NAME: unique_hostname
2898 LOC: Config.uniqueHostname
2901 If you want to have multiple machines with the same
2902 'visible_hostname' you must give each machine a different
2903 'unique_hostname' so forwarding loops can be detected.
2907 NAME: hostname_aliases
2909 LOC: Config.hostnameAliases
2912 A list of other DNS names your cache has.
2916 OPTIONS FOR THE CACHE REGISTRATION SERVICE
2917 -----------------------------------------------------------------------------
2919 This section contains parameters for the (optional) cache
2920 announcement service. This service is provided to help
2921 cache administrators locate one another in order to join or
2922 create cache hierarchies.
2924 An 'announcement' message is sent (via UDP) to the registration
2925 service by Squid. By default, the announcement message is NOT
2926 SENT unless you enable it with 'announce_period' below.
2928 The announcement message includes your hostname, plus the
2929 following information from this configuration file:
2935 All current information is processed regularly and made
2936 available on the Web at http://www.ircache.net/Cache/Tracker/.
2939 NAME: announce_period
2941 LOC: Config.Announce.period
2944 This is how frequently to send cache announcements. The
2945 default is `0' which disables sending the announcement
2948 To enable announcing your cache, just uncomment the line
2952 #To enable announcing your cache, just uncomment the line below.
2953 #announce_period 1 day
2960 DEFAULT: tracker.ircache.net
2961 LOC: Config.Announce.host
2967 LOC: Config.Announce.file
2973 LOC: Config.Announce.port
2975 announce_host and announce_port set the hostname and port
2976 number where the registration message will be sent.
2978 Hostname will default to 'tracker.ircache.net' and port will
2979 default default to 3131. If the 'filename' argument is given,
2980 the contents of that file will be included in the announce
2984 NAME: httpd_accel_surrogate_id
2987 LOC: Config.Accel.surrogate_id
2990 Surrogates (http://www.esi.org/architecture_spec_1.0.html)
2991 need an identification token to allow control targeting. Because
2992 a farm of surrogates may all perform the same tasks, they may share
2993 an identification token.
2996 NAME: http_accel_surrogate_remote
3001 LOC: Config.onoff.surrogate_is_remote
3003 Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
3004 Set this to on to have squid behave as a remote surrogate.
3009 COMMENT: expat|custom
3011 LOC: ESIParser::Type
3014 ESI markup is not strictly XML compatible. The custom ESI parser
3015 will give higher performance, but cannot handle non ASCII character
3021 -----------------------------------------------------------------------------
3026 LOC: Config.dns_testname_list
3028 DEFAULT_IF_NONE: netscape.com internic.net nlanr.net microsoft.com
3030 The DNS tests exit as soon as the first site is successfully looked up
3032 This test can be disabled with the -D command line option.
3036 NAME: logfile_rotate
3039 LOC: Config.Log.rotateNumber
3041 Specifies the number of logfile rotations to make when you
3042 type 'squid -k rotate'. The default is 10, which will rotate
3043 with extensions 0 through 9. Setting logfile_rotate to 0 will
3044 disable the rotation, but the logfiles are still closed and
3045 re-opened. This will enable you to rename the logfiles
3046 yourself just before sending the rotate signal.
3048 Note, the 'squid -k rotate' command normally sends a USR1
3049 signal to the running squid process. In certain situations
3050 (e.g. on Linux with Async I/O), USR1 is used for other
3051 purposes, so -k rotate uses another signal. It is best to get
3052 in the habit of using 'squid -k rotate' instead of 'kill -USR1
3059 LOC: Config.appendDomain
3062 Appends local domain name to hostnames without any dots in
3063 them. append_domain must begin with a period.
3065 Be warned there are now Internet names with no dots in
3066 them using only top-domain names, so setting this may
3067 cause some Internet sites to become unavailable.
3070 append_domain .yourdomain.com
3074 NAME: tcp_recv_bufsize
3078 LOC: Config.tcpRcvBufsz
3080 Size of receive buffer to set for TCP sockets. Probably just
3081 as easy to change your kernel's default. Set to zero to use
3082 the default buffer size.
3087 LOC: Config.errHtmlText
3090 HTML text to include in error messages. Make this a "mailto"
3091 URL to your admin address, or maybe just a link to your
3092 organizations Web page.
3094 To include this in your error messages, you must rewrite
3095 the error template files (found in the "errors" directory).
3096 Wherever you want the 'err_html_text' line to appear,
3097 insert a %L tag in the error template file.
3100 NAME: email_err_data
3103 LOC: Config.onoff.emailErrData
3106 If enabled, information about the occurred error will be
3107 included in the mailto links of the ERR pages (if %W is set)
3108 so that the email body contains the data.
3109 Syntax is <A HREF="mailto:%w%W">%w</A>
3115 LOC: Config.denyInfoList
3118 Usage: deny_info err_page_name acl
3119 or deny_info http://... acl
3120 Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
3122 This can be used to return a ERR_ page for requests which
3123 do not pass the 'http_access' rules. A single ACL will cause
3124 the http_access check to fail. If a 'deny_info' line exists
3125 for that ACL Squid returns a corresponding error page.
3127 You may use ERR_ pages that come with Squid or create your own pages
3128 and put them into the configured errors/ directory.
3130 Alternatively you can specify an error URL. The browsers will
3131 get redirected (302) to the specified URL. %s in the redirection
3132 URL will be replaced by the requested URL.
3134 Alternatively you can tell Squid to reset the TCP connection
3135 by specifying TCP_RESET.
3142 LOC: Config.onoff.mem_pools
3144 If set, Squid will keep pools of allocated (but unused) memory
3145 available for future use. If memory is a premium on your
3146 system and you believe your malloc library outperforms Squid
3147 routines, disable this.
3150 NAME: memory_pools_limit
3154 LOC: Config.MemPools.limit
3156 Used only with memory_pools on:
3157 memory_pools_limit 50 MB
3159 If set to a non-zero value, Squid will keep at most the specified
3160 limit of allocated (but unused) memory in memory pools. All free()
3161 requests that exceed this limit will be handled by your malloc
3162 library. Squid does not pre-allocate any memory, just safe-keeps
3163 objects that otherwise would be free()d. Thus, it is safe to set
3164 memory_pools_limit to a reasonably high value even if your
3165 configuration will use less memory.
3167 If not set (default) or set to zero, Squid will keep all memory it
3168 can. That is, there will be no limit on the total amount of memory
3169 used for safe-keeping.
3171 To disable memory allocation optimization, do not set
3172 memory_pools_limit to 0. Set memory_pools to "off" instead.
3174 An overhead for maintaining memory pools is not taken into account
3175 when the limit is checked. This overhead is close to four bytes per
3176 object kept. However, pools may actually _save_ memory because of
3177 reduced memory thrashing in your malloc library.
3181 IFDEF: HTTP_VIOLATIONS
3185 LOC: Config.onoff.via
3187 If set (default), Squid will include a Via header in requests and
3188 replies as required by RFC2616.
3195 LOC: opt_forwarded_for
3197 If set, Squid will include your system's IP address or name
3198 in the HTTP requests it forwards. By default it looks like
3201 X-Forwarded-For: 192.1.2.3
3203 If you disable this, it will appear as
3205 X-Forwarded-For: unknown
3208 NAME: log_icp_queries
3212 LOC: Config.onoff.log_udp
3214 If set, ICP queries are logged to access.log. You may wish
3215 do disable this if your ICP load is VERY high to speed things
3216 up or to simplify log analysis.
3223 LOC: Config.onoff.icp_hit_stale
3225 If you want to return ICP_HIT for stale cache objects, set this
3226 option to 'on'. If you have sibling relationships with caches
3227 in other administrative domains, this should be 'off'. If you only
3228 have sibling relationships with caches under your control,
3229 it is probably okay to set this to 'on'.
3230 If set to 'on', your siblings should use the option "allow-miss"
3231 on their cache_peer lines for connecting to you.
3235 NAME: minimum_direct_hops
3238 LOC: Config.minDirectHops
3240 If using the ICMP pinging stuff, do direct fetches for sites
3241 which are no more than this many hops away.
3244 NAME: minimum_direct_rtt
3247 LOC: Config.minDirectRtt
3249 If using the ICMP pinging stuff, do direct fetches for sites
3250 which are no more than this many rtt milliseconds away.
3253 NAME: cachemgr_passwd
3254 TYPE: cachemgrpasswd
3256 LOC: Config.passwd_list
3258 Specify passwords for cachemgr operations.
3260 Usage: cachemgr_passwd password action action ...
3262 Some valid actions are (see cache manager menu for a full list):
3301 * Indicates actions which will not be performed without a
3302 valid password, others can be performed if not listed here.
3304 To disable an action, set the password to "disable".
3305 To allow performing an action without a password, set the
3308 Use the keyword "all" to set the same password for all actions.
3311 cachemgr_passwd secret shutdown
3312 cachemgr_passwd lesssssssecret info stats/objects
3313 cachemgr_passwd disable all
3316 NAME: store_avg_object_size
3320 LOC: Config.Store.avgObjectSize
3322 Average object size, used to estimate number of objects your
3323 cache can hold. See doc/Release-Notes-1.1.txt. The default is
3327 NAME: store_objects_per_bucket
3330 LOC: Config.Store.objectsPerBucket
3332 Target number of objects per bucket in the store hash table.
3333 Lowering this value increases the total number of buckets and
3334 also the storage maintenance rate. The default is 50.
3341 LOC: Config.onoff.client_db
3343 If you want to disable collecting per-client statistics,
3344 turn off client_db here.
3351 LOC: Config.Netdb.low
3357 LOC: Config.Netdb.high
3359 The low and high water marks for the ICMP measurement
3360 database. These are counts, not percents. The defaults are
3361 900 and 1000. When the high water mark is reached, database
3362 entries will be deleted until the low mark is reached.
3366 NAME: netdb_ping_period
3368 LOC: Config.Netdb.period
3371 The minimum period for measuring a site. There will be at
3372 least this much delay between successive pings to the same
3373 network. The default is five minutes.
3381 LOC: Config.onoff.query_icmp
3383 If you want to ask your peers to include ICMP data in their ICP
3384 replies, enable this option.
3386 If your peer has configured Squid (during compilation) with
3387 '--enable-icmp' that peer will send ICMP pings to origin server
3388 sites of the URLs it receives. If you enable this option the
3389 ICP replies from that peer will include the ICMP data (if available).
3390 Then, when choosing a parent cache, Squid will choose the parent with
3391 the minimal RTT to the origin server. When this happens, the
3392 hierarchy field of the access.log will be
3393 "CLOSEST_PARENT_MISS". This option is off by default.
3396 NAME: test_reachability
3400 LOC: Config.onoff.test_reachability
3402 When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
3403 instead of ICP_MISS if the target host is NOT in the ICMP
3404 database, or has a zero RTT.
3411 LOC: Config.onoff.buffered_logs
3413 cache.log log file is written with stdio functions, and as such
3414 it can be buffered or unbuffered. By default it will be unbuffered.
3415 Buffering it can speed up the writing slightly (though you are
3416 unlikely to need to worry unless you run with tons of debugging
3417 enabled in which case performance will suffer badly anyway..).
3420 NAME: reload_into_ims
3421 IFDEF: HTTP_VIOLATIONS
3425 LOC: Config.onoff.reload_into_ims
3427 When you enable this option, client no-cache or ``reload''
3428 requests will be changed to If-Modified-Since requests.
3429 Doing this VIOLATES the HTTP standard. Enabling this
3430 feature could make you liable for problems which it
3433 see also refresh_pattern for a more selective approach.
3438 LOC: Config.accessList.AlwaysDirect
3441 Usage: always_direct allow|deny [!]aclname ...
3443 Here you can use ACL elements to specify requests which should
3444 ALWAYS be forwarded directly to origin servers. For example,
3445 to always directly forward requests for local servers use
3448 acl local-servers dstdomain my.domain.net
3449 always_direct allow local-servers
3451 To always forward FTP requests directly, use
3454 always_direct allow FTP
3456 NOTE: There is a similar, but opposite option named
3457 'never_direct'. You need to be aware that "always_direct deny
3458 foo" is NOT the same thing as "never_direct allow foo". You
3459 may need to use a deny rule to exclude a more-specific case of
3460 some other rule. Example:
3462 acl local-external dstdomain external.foo.net
3463 acl local-servers dstdomain .foo.net
3464 always_direct deny local-external
3465 always_direct allow local-servers
3467 This option replaces some v1.1 options such as local_domain
3473 LOC: Config.accessList.NeverDirect
3476 Usage: never_direct allow|deny [!]aclname ...
3478 never_direct is the opposite of always_direct. Please read
3479 the description for always_direct if you have not already.
3481 With 'never_direct' you can use ACL elements to specify
3482 requests which should NEVER be forwarded directly to origin
3483 servers. For example, to force the use of a proxy for all
3484 requests, except those in your local domain use something like:
3486 acl local-servers dstdomain .foo.net
3487 acl all src 0.0.0.0/0.0.0.0
3488 never_direct deny local-servers
3489 never_direct allow all
3491 or if Squid is inside a firewall and there are local intranet
3492 servers inside the firewall use something like:
3494 acl local-intranet dstdomain .foo.net
3495 acl local-external dstdomain external.foo.net
3496 always_direct deny local-external
3497 always_direct allow local-intranet
3498 never_direct allow all
3500 This option replaces some v1.1 options such as inside_firewall
3505 IFDEF: HTTP_VIOLATIONS
3506 TYPE: http_header_access[]
3507 LOC: Config.header_access
3510 Usage: header_access header_name allow|deny [!]aclname ...
3512 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3513 this feature could make you liable for problems which it
3516 This option replaces the old 'anonymize_headers' and the
3517 older 'http_anonymizer' option with something that is much
3518 more configurable. This new method creates a list of ACLs
3519 for each header, allowing you very fine-tuned header
3522 You can only specify known headers for the header name.
3523 Other headers are reclassified as 'Other'. You can also
3524 refer to all the headers with 'All'.
3526 For example, to achieve the same behaviour as the old
3527 'http_anonymizer standard' option, you should use:
3529 header_access From deny all
3530 header_access Referer deny all
3531 header_access Server deny all
3532 header_access User-Agent deny all
3533 header_access WWW-Authenticate deny all
3534 header_access Link deny all
3536 Or, to reproduce the old 'http_anonymizer paranoid' feature
3539 header_access Allow allow all
3540 header_access Authorization allow all
3541 header_access WWW-Authenticate allow all
3542 header_access Cache-Control allow all
3543 header_access Content-Encoding allow all
3544 header_access Content-Length allow all
3545 header_access Content-Type allow all
3546 header_access Date allow all
3547 header_access Expires allow all
3548 header_access Host allow all
3549 header_access If-Modified-Since allow all
3550 header_access Last-Modified allow all
3551 header_access Location allow all
3552 header_access Pragma allow all
3553 header_access Accept allow all
3554 header_access Accept-Charset allow all
3555 header_access Accept-Encoding allow all
3556 header_access Accept-Language allow all
3557 header_access Content-Language allow all
3558 header_access Mime-Version allow all
3559 header_access Retry-After allow all
3560 header_access Title allow all
3561 header_access Connection allow all
3562 header_access Proxy-Connection allow all
3563 header_access All deny all
3565 By default, all headers are allowed (no anonymizing is
3569 NAME: header_replace
3570 IFDEF: HTTP_VIOLATIONS
3571 TYPE: http_header_replace[]
3572 LOC: Config.header_access
3575 Usage: header_replace header_name message
3576 Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
3578 This option allows you to change the contents of headers
3579 denied with header_access above, by replacing them with
3580 some fixed string. This replaces the old fake_user_agent
3583 By default, headers are removed if denied.
3586 NAME: icon_directory
3588 LOC: Config.icons.directory
3589 DEFAULT: @DEFAULT_ICON_DIR@
3591 Where the icons are stored. These are normally kept in
3595 NAME: short_icon_urls
3597 LOC: Config.icons.use_short_names
3600 If this is enabled Squid will use short URLs for icons.
3601 If disabled it will revert to the old behaviour of including
3602 it's own name and port in the URL.
3604 If you run a complex cache hierarchy with a mix of Squid and
3605 other proxies you may need to disable this directive.
3608 NAME: error_directory
3610 LOC: Config.errorDirectory
3611 DEFAULT: @DEFAULT_ERROR_DIR@
3613 If you wish to create your own versions of the default
3614 (English) error files, either to customize them to suit your
3615 language or company copy the template English files to another
3616 directory and point this tag at them.
3619 NAME: maximum_single_addr_tries
3621 LOC: Config.retry.maxtries
3624 This sets the maximum number of connection attempts for a
3625 host that only has one address (for multiple-address hosts,
3626 each address is tried once).
3628 The default value is one attempt, the (not recommended)
3629 maximum is 255 tries. A warning message will be generated
3630 if it is set to a value greater than ten.
3632 Note: This is in addition to the request reforwarding which
3633 takes place if Squid fails to get a satisfying response.
3638 LOC: Config.Port.snmp
3642 Squid can now serve statistics and status information via SNMP.
3643 By default it listens to port 3401 on the machine. If you don't
3644 wish to use SNMP, set this to "0".
3646 Note: If you want Squid to use parents for all requests see
3647 the never_direct directive. prefer_direct only modifies how Squid
3648 acts on cachable requests.
3653 LOC: Config.accessList.snmp
3655 DEFAULT_IF_NONE: deny all
3658 Allowing or denying access to the SNMP port.
3660 All access to the agent is denied by default.
3663 snmp_access allow|deny [!]aclname ...
3666 snmp_access allow snmppublic localhost
3667 snmp_access deny all
3670 NAME: snmp_incoming_address
3672 LOC: Config.Addrs.snmp_incoming
3676 NAME: snmp_outgoing_address
3678 LOC: Config.Addrs.snmp_outgoing
3679 DEFAULT: 255.255.255.255
3682 Just like 'udp_incoming_address' above, but for the SNMP port.
3684 snmp_incoming_address is used for the SNMP socket receiving
3685 messages from SNMP agents.
3686 snmp_outgoing_address is used for SNMP packets returned to SNMP
3689 The default snmp_incoming_address (0.0.0.0) is to listen on all
3690 available network interfaces.
3692 If snmp_outgoing_address is set to 255.255.255.255 (the default)
3693 it will use the same socket as snmp_incoming_address. Only
3694 change this if you want to have SNMP replies sent using another
3695 address than where this Squid listens for SNMP queries.
3697 NOTE, snmp_incoming_address and snmp_outgoing_address can not have
3698 the same value since they both use port 3401.
3701 NAME: as_whois_server
3703 LOC: Config.as_whois_server
3704 DEFAULT: whois.ra.net
3705 DEFAULT_IF_NONE: whois.ra.net
3707 WHOIS server to query for AS numbers. NOTE: AS numbers are
3708 queried only when Squid starts up, not for every request.
3713 LOC: Config.Wccp.router
3717 Use this option to define your WCCP ``home'' router for
3718 Squid. Setting the 'wccp_router' to 0.0.0.0 (the default)
3724 LOC: Config.Wccp.version
3728 According to some users, Cisco IOS 11.2 only supports WCCP
3729 version 3. If you're using that version of IOS, change
3733 NAME: wccp_incoming_address
3735 LOC: Config.Wccp.incoming
3739 NAME: wccp_outgoing_address
3741 LOC: Config.Wccp.outgoing
3742 DEFAULT: 255.255.255.255
3745 wccp_incoming_address Use this option if you require WCCP
3746 messages to be received on only one
3747 interface. Do NOT use this option if
3748 you're unsure how many interfaces you
3749 have, or if you know you have only one
3752 wccp_outgoing_address Use this option if you require WCCP
3753 messages to be sent out on only one
3754 interface. Do NOT use this option if
3755 you're unsure how many interfaces you
3756 have, or if you know you have only one
3759 The default behavior is to not bind to any specific address.
3761 NOTE, wccp_incoming_address and wccp_outgoing_address can not have
3762 the same value since they both use port 2048.
3767 DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
3768 -----------------------------------------------------------------------------
3772 TYPE: delay_pool_count
3777 This represents the number of delay pools to be used. For example,
3778 if you have one class 2 delay pool and one class 3 delays pool, you
3779 have a total of 2 delay pools.
3783 TYPE: delay_pool_class
3788 This defines the class of each delay pool. There must be exactly one
3789 delay_class line for each delay pool. For example, to define two
3790 delay pools, one of class 2 and one of class 3, the settings above
3794 delay_pools 4 # 4 delay pools
3795 delay_class 1 2 # pool 1 is a class 2 pool
3796 delay_class 2 3 # pool 2 is a class 3 pool
3797 delay_class 3 4 # pool 3 is a class 4 pool
3798 delay_class 4 5 # pool 4 is a class 5 pool
3800 The delay pool classes are:
3802 class 1 Everything is limited by a single aggregate
3805 class 2 Everything is limited by a single aggregate
3806 bucket as well as an "individual" bucket chosen
3807 from bits 25 through 32 of the IP address.
3809 class 3 Everything is limited by a single aggregate
3810 bucket as well as a "network" bucket chosen
3811 from bits 17 through 24 of the IP address and a
3812 "individual" bucket chosen from bits 17 through
3813 32 of the IP address.
3815 class 4 Everything in a class 3 delay pool, with an
3816 additional limit on a per user basis. This
3817 only takes effect if the username is established
3818 in advance - by forcing authentication in your
3821 class 5 Requests are grouped according their tag (see
3822 external_acl's tag= reply).
3824 NOTE: If an IP address is a.b.c.d
3825 -> bits 25 through 32 are "d"
3826 -> bits 17 through 24 are "c"
3827 -> bits 17 through 32 are "c * 256 + d"
3831 TYPE: delay_pool_access
3836 This is used to determine which delay pool a request falls into.
3837 The first matched delay pool is always used, i.e., if a request falls
3838 into delay pool number one, no more delay are checked, otherwise the
3839 rest are checked in order of their delay pool number until they have
3840 all been checked. For example, if you want some_big_clients in delay
3841 pool 1 and lotsa_little_clients in delay pool 2:
3844 delay_access 1 allow some_big_clients
3845 delay_access 1 deny all
3846 delay_access 2 allow lotsa_little_clients
3847 delay_access 2 deny all
3848 delay_access 3 allow authenticated_clients
3851 NAME: delay_parameters
3852 TYPE: delay_pool_rates
3857 This defines the parameters for a delay pool. Each delay pool has
3858 a number of "buckets" associated with it, as explained in the
3859 description of delay_class. For a class 1 delay pool, the syntax is:
3861 delay_parameters pool aggregate
3863 For a class 2 delay pool:
3865 delay_parameters pool aggregate individual
3867 For a class 3 delay pool:
3869 delay_parameters pool aggregate network individual
3871 For a class 4 delay pool:
3873 delay_parameters pool aggregate network individual user
3875 For a class 5 delay pool:
3877 delay_parameters pool tag
3879 The variables here are:
3881 pool a pool number - ie, a number between 1 and the
3882 number specified in delay_pools as used in
3885 aggregate the "delay parameters" for the aggregate bucket
3888 individual the "delay parameters" for the individual
3889 buckets (class 2, 3).
3891 network the "delay parameters" for the network buckets
3894 user the delay parameters for the user buckets
3897 tag the delay parameters for the tag buckets
3900 A pair of delay parameters is written restore/maximum, where restore is
3901 the number of bytes (not bits - modem and network speeds are usually
3902 quoted in bits) per second placed into the bucket, and maximum is the
3903 maximum number of bytes which can be in the bucket at any time.
3905 For example, if delay pool number 1 is a class 2 delay pool as in the
3906 above example, and is being used to strictly limit each host to 64kbps
3907 (plus overheads), with no overall limit, the line is:
3909 delay_parameters 1 -1/-1 8000/8000
3911 Note that the figure -1 is used to represent "unlimited".
3913 And, if delay pool number 2 is a class 3 delay pool as in the above
3914 example, and you want to limit it to a total of 256kbps (strict limit)
3915 with each 8-bit network permitted 64kbps (strict limit) and each
3916 individual host permitted 4800bps with a bucket maximum size of 64kb
3917 to permit a decent web page to be downloaded at a decent speed
3918 (if the network is not being limited due to overuse) but slow down
3919 large downloads more significantly:
3921 delay_parameters 2 32000/32000 8000/8000 600/8000
3923 There must be one delay_parameters line for each delay pool.
3925 Finally, for a class 4 delay pool as in the example - each user will
3926 be limited to 128Kb no matter how many workstations they are logged into.:
3928 delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
3931 NAME: delay_initial_bucket_level
3932 COMMENT: (percent, 0-100)
3936 LOC: Config.Delay.initial
3938 The initial bucket percentage is used to determine how much is put
3939 in each bucket when squid starts, is reconfigured, or first notices
3940 a host accessing it (in class 2 and class 3, individual hosts and
3941 networks only have buckets associated with them once they have been
3945 NAME: incoming_icp_average
3948 LOC: Config.comm_incoming.icp_average
3951 NAME: incoming_http_average
3954 LOC: Config.comm_incoming.http_average
3957 NAME: incoming_dns_average
3960 LOC: Config.comm_incoming.dns_average
3963 NAME: min_icp_poll_cnt
3966 LOC: Config.comm_incoming.icp_min_poll
3969 NAME: min_dns_poll_cnt
3972 LOC: Config.comm_incoming.dns_min_poll
3975 NAME: min_http_poll_cnt
3978 LOC: Config.comm_incoming.http_min_poll
3980 Heavy voodoo here. I can't even believe you are reading this.
3981 Are you crazy? Don't even think about adjusting these unless
3982 you understand the algorithms in comm_select.c first!
3985 NAME: max_open_disk_fds
3987 LOC: Config.max_open_disk_fds
3990 To avoid having disk as the I/O bottleneck Squid can optionally
3991 bypass the on-disk cache if more than this amount of disk file
3992 descriptors are open.
3994 A value of 0 indicates no limit.
3999 LOC: Config.onoff.offline
4002 Enable this option and Squid will never try to validate cached
4006 NAME: uri_whitespace
4007 TYPE: uri_whitespace
4008 LOC: Config.uri_whitespace
4011 What to do with requests that have whitespace characters in the
4014 strip: The whitespace characters are stripped out of the URL.
4015 This is the behavior recommended by RFC2396.
4016 deny: The request is denied. The user receives an "Invalid
4018 allow: The request is allowed and the URI is not changed. The
4019 whitespace characters remain in the URI. Note the
4020 whitespace is passed to redirector processes if they
4022 encode: The request is allowed and the whitespace characters are
4023 encoded according to RFC1738. This could be considered
4024 a violation of the HTTP/1.1
4025 RFC because proxies are not allowed to rewrite URI's.
4026 chop: The request is allowed and the URI is chopped at the
4027 first whitespace. This might also be considered a
4034 LOC: Config.accessList.brokenPosts
4036 A list of ACL elements which, if matched, causes Squid to send
4037 an extra CRLF pair after the body of a PUT/POST request.
4039 Some HTTP servers has broken implementations of PUT/POST,
4040 and rely on an extra CRLF pair sent by some WWW clients.
4042 Quote from RFC 2068 section 4.1 on this matter:
4044 Note: certain buggy HTTP/1.0 client implementations generate an
4045 extra CRLF's after a POST request. To restate what is explicitly
4046 forbidden by the BNF, an HTTP/1.1 client must not preface or follow
4047 a request with an extra CRLF.
4050 acl buggy_server url_regex ^http://....
4051 broken_posts allow buggy_server
4054 NAME: mcast_miss_addr
4055 IFDEF: MULTICAST_MISS_STREAM
4057 LOC: Config.mcast_miss.addr
4058 DEFAULT: 255.255.255.255
4060 If you enable this option, every "cache miss" URL will
4061 be sent out on the specified multicast address.
4063 Do not enable this option unless you are are absolutely
4064 certain you understand what you are doing.
4067 NAME: mcast_miss_ttl
4068 IFDEF: MULTICAST_MISS_TTL
4070 LOC: Config.mcast_miss.ttl
4073 This is the time-to-live value for packets multicasted
4074 when multicasting off cache miss URLs is enabled. By
4075 default this is set to 'site scope', i.e. 16.
4078 NAME: mcast_miss_port
4079 IFDEF: MULTICAST_MISS_STREAM
4081 LOC: Config.mcast_miss.port
4084 This is the port number to be used in conjunction with
4088 NAME: mcast_miss_encode_key
4089 IFDEF: MULTICAST_MISS_STREAM
4091 LOC: Config.mcast_miss.encode_key
4092 DEFAULT: XXXXXXXXXXXXXXXX
4094 The URLs that are sent in the multicast miss stream are
4095 encrypted. This is the encryption key.
4098 NAME: nonhierarchical_direct
4100 LOC: Config.onoff.nonhierarchical_direct
4103 By default, Squid will send any non-hierarchical requests
4104 (matching hierarchy_stoplist or not cachable request type) direct
4107 If you set this to off, Squid will prefer to send these
4108 requests to parents.
4110 Note that in most configurations, by turning this off you will only
4111 add latency to these request without any improvement in global hit
4114 If you are inside an firewall see never_direct instead of
4120 LOC: Config.onoff.prefer_direct
4123 Normally Squid tries to use parents for most requests. If you for some
4124 reason like it to first try going direct and only use a parent if
4125 going direct fails set this to on.
4127 By combining nonhierarchical_direct off and prefer_direct on you
4128 can set up Squid to use a parent as a backup path if going direct
4132 NAME: strip_query_terms
4134 LOC: Config.onoff.strip_query_terms
4137 By default, Squid strips query terms from requested URLs before
4138 logging. This protects your user's privacy.
4143 LOC: Config.coredump_dir
4145 DEFAULT_IF_NONE: none
4147 By default Squid leaves core files in the directory from where
4148 it was started. If you set 'coredump_dir' to a directory
4149 that exists, Squid will chdir() to that directory at startup
4150 and coredump files will be left there.
4153 # Leave coredumps in the first cache dir
4154 coredump_dir @DEFAULT_SWAP_DIR@
4158 NAME: redirector_bypass
4160 LOC: Config.onoff.redirector_bypass
4163 When this is 'on', a request will not go through the
4164 redirector if all redirectors are busy. If this is 'off'
4165 and the redirector queue grows too large, Squid will exit
4166 with a FATAL error and ask you to increase the number of
4167 redirectors. You should only enable this if the redirectors
4168 are not critical to your caching system. If you use
4169 redirectors for access control, and you enable this option,
4170 users may have access to pages they should not
4171 be allowed to request.
4174 NAME: ignore_unknown_nameservers
4176 LOC: Config.onoff.ignore_unknown_nameservers
4179 By default Squid checks that DNS responses are received
4180 from the same IP addresses they are sent to. If they
4181 don't match, Squid ignores the response and writes a warning
4182 message to cache.log. You can allow responses from unknown
4183 nameservers by setting this option to 'off'.
4186 NAME: digest_generation
4187 IFDEF: USE_CACHE_DIGESTS
4189 LOC: Config.onoff.digest_generation
4192 This controls whether the server will generate a Cache Digest
4193 of its contents. By default, Cache Digest generation is
4194 enabled if Squid is compiled with USE_CACHE_DIGESTS defined.
4197 NAME: digest_bits_per_entry
4198 IFDEF: USE_CACHE_DIGESTS
4200 LOC: Config.digest.bits_per_entry
4203 This is the number of bits of the server's Cache Digest which
4204 will be associated with the Digest entry for a given HTTP
4205 Method and URL (public key) combination. The default is 5.
4208 NAME: digest_rebuild_period
4209 IFDEF: USE_CACHE_DIGESTS
4212 LOC: Config.digest.rebuild_period
4215 This is the number of seconds between Cache Digest rebuilds.
4218 NAME: digest_rewrite_period
4220 IFDEF: USE_CACHE_DIGESTS
4222 LOC: Config.digest.rewrite_period
4225 This is the number of seconds between Cache Digest writes to
4229 NAME: digest_swapout_chunk_size
4232 IFDEF: USE_CACHE_DIGESTS
4233 LOC: Config.digest.swapout_chunk_size
4236 This is the number of bytes of the Cache Digest to write to
4237 disk at a time. It defaults to 4096 bytes (4KB), the Squid
4241 NAME: digest_rebuild_chunk_percentage
4242 COMMENT: (percent, 0-100)
4243 IFDEF: USE_CACHE_DIGESTS
4245 LOC: Config.digest.rebuild_chunk_percentage
4248 This is the percentage of the Cache Digest to be scanned at a
4249 time. By default it is set to 10% of the Cache Digest.
4254 LOC: Config.chroot_dir
4257 Use this to have Squid do a chroot() while initializing. This
4258 also causes Squid to fully drop root privileges after
4259 initializing. This means, for example, if you use a HTTP
4260 port less than 1024 and try to reconfigure, you will get an
4264 NAME: client_persistent_connections
4266 LOC: Config.onoff.client_pconns
4270 NAME: server_persistent_connections
4272 LOC: Config.onoff.server_pconns
4275 Persistent connection support for clients and servers. By
4276 default, Squid uses persistent connections (when allowed)
4277 with its clients and servers. You can use these options to
4278 disable persistent connections with clients and/or servers.
4281 NAME: balance_on_multiple_ip
4283 LOC: Config.onoff.balance_on_multiple_ip
4286 Some load balancing servers based on round robin DNS have been
4287 found not to preserve user session state across requests
4288 to different IP addresses.
4290 By default Squid rotates IP's per request. By disabling
4291 this directive only connection failure triggers rotation.
4294 NAME: pipeline_prefetch
4296 LOC: Config.onoff.pipeline_prefetch
4299 To boost the performance of pipelined requests to closer
4300 match that of a non-proxied environment Squid can try to fetch
4301 up to two requests in parallell from a pipeline.
4303 Defaults to off for bandwidth management and access logging
4307 NAME: extension_methods
4309 LOC: Config.ext_methods
4312 Squid only knows about standardized HTTP request methods.
4313 You can add up to 20 additional "extension" methods here.
4316 NAME: request_entities
4318 LOC: Config.onoff.request_entities
4321 Squid defaults to deny GET and HEAD requests with request entities,
4322 as the meaning of such requests are undefined in the HTTP standard
4323 even if not explicitly forbidden.
4325 Set this directive to on if you have clients which insists
4326 on sending request entities in GET or HEAD requests.
4329 NAME: high_response_time_warning
4332 LOC: Config.warnings.high_rptm
4335 If the one-minute median response time exceeds this value,
4336 Squid prints a WARNING with debug level 0 to get the
4337 administrators attention. The value is in milliseconds.
4340 NAME: high_page_fault_warning
4342 LOC: Config.warnings.high_pf
4345 If the one-minute average page fault rate exceeds this
4346 value, Squid prints a WARNING with debug level 0 to get
4347 the administrators attention. The value is in page faults
4351 NAME: high_memory_warning
4353 LOC: Config.warnings.high_memory
4356 If the memory usage (as determined by mallinfo) exceeds
4357 value, Squid prints a WARNING with debug level 0 to get
4358 the administrators attention.
4361 NAME: store_dir_select_algorithm
4363 LOC: Config.store_dir_select_algorithm
4366 Set this to 'round-robin' as an alternative.
4373 LOC: Config.Log.forward
4375 Logs the server-side requests.
4377 This is currently work in progress.
4383 LOC: Config.onoff.ie_refresh
4386 Microsoft Internet Explorer up until version 5.5 Service
4387 Pack 1 has an issue with transparent proxies, wherein it
4388 is impossible to force a refresh. Turning this on provides
4389 a partial fix to the problem, by causing all IMS-REFRESH
4390 requests from older IE versions to check the origin server
4391 for fresh content. This reduces hit ratio by some amount
4392 (~10% in my experience), but allows users to actually get
4393 fresh content when they want it. Note because Squid
4394 cannot tell if the user is using 5.5 or 5.5SP1, the behavior
4395 of 5.5 is unchanged from old versions of Squid (i.e. a
4396 forced refresh is impossible). Newer versions of IE will,
4397 hopefully, continue to have the new behavior and will be
4398 handled based on that assumption. This option defaults to
4399 the old Squid behavior, which is better for hit ratios but
4400 worse for clients using IE, if they need to be able to
4401 force fresh content.
4404 NAME: vary_ignore_expire
4407 LOC: Config.onoff.vary_ignore_expire
4410 Many HTTP servers supporting Vary gives such objects
4411 immediate expiry time with no cache-control header
4412 when requested by a HTTP/1.0 client. This option
4413 enables Squid to ignore such expiry times until
4414 HTTP/1.1 is fully implemented.
4415 WARNING: This may eventually cause some varying
4416 objects not intended for caching to get cached.
4419 NAME: sleep_after_fork
4420 COMMENT: (microseconds)
4422 LOC: Config.sleep_after_fork
4425 When this is set to a non-zero value, the main Squid process
4426 sleeps the specified number of microseconds after a fork()
4427 system call. This sleep may help the situation where your
4428 system reports fork() failures due to lack of (virtual)
4429 memory. Note, however, if you have a lot of child
4430 processes, these sleep delays will add up and your
4431 Squid will not service requests for some amount of time
4432 until all the child processes have been started.