3 # $Id: cf.data.pre,v 1.147 1999/04/15 06:15:47 wessels Exp $
6 # SQUID Internet Object Cache http://squid.nlanr.net/Squid/
7 # ----------------------------------------------------------
9 # Squid is the result of efforts by numerous individuals from the
10 # Internet community. Development is led by Duane Wessels of the
11 # National Laboratory for Applied Network Research and funded by the
12 # National Science Foundation. Squid is Copyrighted (C) 1998 by
13 # Duane Wessels and the University of California San Diego. Please
14 # see the COPYRIGHT file for full details. Squid incorporates
15 # software developed and/or copyrighted by other sources. Please see
16 # the CREDITS file for full details.
18 # This program is free software; you can redistribute it and/or modify
19 # it under the terms of the GNU General Public License as published by
20 # the Free Software Foundation; either version 2 of the License, or
21 # (at your option) any later version.
23 # This program is distributed in the hope that it will be useful,
24 # but WITHOUT ANY WARRANTY; without even the implied warranty of
25 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 # GNU General Public License for more details.
28 # You should have received a copy of the GNU General Public License
29 # along with this program; if not, write to the Free Software
30 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
37 This is the default Squid configuration file. You may wish
38 to look at http://cache.is.co.za/squid/ for documentation,
39 or the Squid home page (http://squid.nlanr.net/) for the FAQ.
41 The default Squid config file shows what the defaults for
42 various options happen to be. If you don't need to change the
43 default, you shouldn't uncomment the line. Doing so may cause
44 run-time problems. In some cases "none" refers to no default
45 setting at all, whilst in other cases it refers to a valid
46 option - the comments for that keyword indicate if this is the
53 -----------------------------------------------------------------------------
56 NAME: http_port ascii_port
62 The port number where Squid will listen for HTTP client
63 requests. Default is 3128, for httpd-accel mode use port 80.
64 May be overridden with -a on the command line.
66 You may specify multiple ports here, but they MUST all be on
73 NAME: icp_port udp_port
78 The port number where Squid sends and receives ICP queries to
79 and from neighbor caches. Default is 3130. To disable use
80 "0". May be overridden with -u on the command line.
91 The port number where Squid sends and receives HTCP queries to
92 and from neighbor caches. Default is 4827. To disable use
101 LOC: Config.mcast_group_list
104 This tag specifies a list of multicast groups which your server
105 should join to receive multicasted ICP queries.
107 NOTE! Be very careful what you put here! Be sure you
108 understand the difference between an ICP _query_ and an ICP
109 _reply_. This option is to be set only if you want to RECEIVE
110 multicast queries. Do NOT set this option to SEND multicast
111 ICP (use cache_peer for that). ICP replies are always sent via
112 unicast, so this option does not affect whether or not you will
113 receive replies from multicast group members.
115 You must be very careful to NOT use a multicast address which
116 is already in use by another group of caches. NLANR has been
117 assigned a block of multicast address space for use in Web
118 Caching. Plese write to us at nlanr-cache@nlanr.net to receive
119 an address for your own use.
121 If you are unsure about multicast, please read the Multicast
122 chapter in the Squid FAQ (http://squid.nlanr.net/Squid/FAQ/).
124 Usage: mcast_groups 239.128.16.128 224.0.1.20
126 By default, Squid doesn't listen on any multicast groups.
128 mcast_groups 239.128.16.128
132 NAME: tcp_incoming_address bind_address
134 LOC: Config.Addrs.tcp_incoming
138 NAME: tcp_outgoing_address outbound_address
140 LOC: Config.Addrs.tcp_outgoing
141 DEFAULT: 255.255.255.255
144 NAME: udp_incoming_address
146 LOC:Config.Addrs.udp_incoming
150 NAME: udp_outgoing_address
152 LOC: Config.Addrs.udp_outgoing
153 DEFAULT: 255.255.255.255
155 Usage: tcp_incoming_address 10.20.30.40
156 udp_outgoing_address fully.qualified.domain.name
158 tcp_incoming_address is used for the HTTP socket which accepts
159 connections from clients and other caches.
160 tcp_outgoing_address is used for connections made to remote
161 servers and other caches.
162 udp_incoming_address is used for the ICP socket receiving packets
164 udp_outgoing_address is used for ICP packets sent out to other
167 The default behaviour is to not bind to any specific address.
169 NOTE, udp_incoming_address and udp_outgoing_address can not
170 have the same value (unless it is 0.0.0.0) since they both use
173 tcp_incoming_address 0.0.0.0
174 tcp_outgoing_address 0.0.0.0
175 udp_incoming_address 0.0.0.0
176 udp_outgoing_address 0.0.0.0
180 OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
181 -----------------------------------------------------------------------------
189 To specify other caches in a hierarchy, use the format:
191 hostname type http_port icp_port
196 # hostname type port port options
197 # -------------------- -------- ----- ----- -----------
198 cache_peer parent.foo.net parent 3128 3130 [proxy-only]
199 cache_peer sib1.foo.net sibling 3128 3130 [proxy-only]
200 cache_peer sib2.foo.net sibling 3128 3130 [proxy-only]
202 type: either 'parent', 'sibling', or 'multicast'.
204 proxy_port: The port number where the cache listens for proxy
207 icp_port: Used for querying neighbor caches about
208 objects. To have a non-ICP neighbor
209 specify '7' for the ICP port and make sure the
210 neighbor machine has the UDP echo port
211 enabled in its /etc/inetd.conf file.
226 use 'proxy-only' to specify that objects fetched
227 from this cache should not be saved locally.
229 use 'weight=n' to specify a weighted parent.
230 The weight must be an integer. The default weight
231 is 1, larger weights are favored more.
233 use 'ttl=n' to specify a IP multicast TTL to use
234 when sending an ICP queries to this address.
235 Only useful when sending to a multicast group.
236 Because we don't accept ICP replies from random
237 hosts, you must configure other group members as
238 peers with the 'multicast-responder' option below.
240 use 'no-query' to NOT send ICP queries to this
243 use 'default' if this is a parent cache which can
244 be used as a "last-resort." You should probably
245 only use 'default' in situations where you cannot
246 use ICP with your parent cache(s).
248 use 'round-robin' to define a set of parents which
249 should be used in a round-robin fashion in the
250 absence of any ICP queries.
252 'multicast-responder' indicates that the named peer
253 is a member of a multicast group. ICP queries will
254 not be sent directly to the peer, but ICP replies
255 will be accepted from it.
257 'closest-only' indicates that, for ICP_OP_MISS
258 replies, we'll only forward CLOSEST_PARENT_MISSes
259 and never FIRST_PARENT_MISSes.
261 use 'no-digest' to NOT request cache digests from
264 'no-netdb-exchange' disables requesting ICMP
265 RTT database (NetDB) from the neighbor.
267 use 'no-delay' to prevent access to this neighbor
268 from influencing the delay pools.
270 use 'login=user:password' if this is a personal/workgroup
271 proxy and your parent requires proxy authentication.
273 NOTE: non-ICP neighbors must be specified as 'parent'.
275 cache_peer hostname type 3128 3130
279 NAME: cache_peer_domain cache_host_domain
284 Use to limit the domains for which a neighbor cache will be
287 cache_peer_domain cache-host domain [domain ...]
288 cache_peer_domain cache-host !domain
290 For example, specifying
292 cache_peer_domain parent.foo.net .edu
294 has the effect such that UDP query packets are sent to
295 'bigserver' only when the requested object exists on a
296 server in the .edu domain. Prefixing the domainname
297 with '!' means that the cache will be queried for objects
300 NOTE: * Any number of domains may be given for a cache-host,
301 either on the same or separate lines.
302 * When multiple domains are given for a particular
303 cache-host, the first matched domain is applied.
304 * Cache hosts with no domain restrictions are queried
306 * There are no defaults.
307 * There is also a 'cache_peer_access' tag in the ACL
312 NAME: neighbor_type_domain
317 usage: neighbor_type_domain parent|sibling domain domain ...
319 Modifying the neighbor type for specific domains is now
320 possible. You can treat some domains differently than the the
321 default neighbor type specified on the 'cache_peer' line.
322 Normally it should only be necessary to list domains which
323 should be treated differently because the default neighbor type
324 applies for hostnames which do not match domains listed here.
327 cache_peer parent cache.foo.org 3128 3130
328 neighbor_type_domain cache.foo.org sibling .com .net
329 neighbor_type_domain cache.foo.org sibling .au .de
332 NAME: icp_query_timeout
336 LOC: Config.Timeout.icp_query
338 Normally Squid will automatically determine an optimal ICP
339 query timeout value based on the round-trip-time of recent ICP
340 queries. If you want to override the value determined by
341 Squid, set this 'icp_query_timeout' to a non-zero value. This
342 value is specified in MILLISECONDS, so, to use a 2-second
343 timeout (the old default), you would write:
345 icp_query_timeout 2000
350 NAME: mcast_icp_query_timeout
354 LOC: Config.Timeout.mcast_icp_query
356 For Multicast peers, Squid regularly sends out ICP "probes" to
357 count how many other peers are listening on the given multicast
358 address. This value specifies how long Squid should wait to
359 count all the replies. The default is 2000 msec, or 2
362 mcast_icp_query_timeout 2000
365 NAME: dead_peer_timeout
369 LOC: Config.Timeout.deadPeer
371 This controls how long Squid waits to declare a peer cache
372 as "dead." If there are no ICP replies received in this
373 amount of time, Squid will declare the peer dead and not
374 expect to receive any further ICP replies. However, it
375 continues to send ICP queries, and will mark the peer as
376 alive upon receipt of the first subsequent ICP reply.
378 This timeout also affects when Squid expects to receive ICP
379 replies from peers. If more than 'dead_peer' seconds have
380 passed since the last ICP reply was received, Squid will not
381 expect to receive an ICP reply on the next query. Thus, if
382 your time between requests is greater than this timeout, you
383 will see a lot of requests sent DIRECT to origin servers
384 instead of to your parents.
386 dead_peer_timeout 10 seconds
390 NAME: hierarchy_stoplist
393 DEFAULT_IF_NONE: cgi-bin ?
394 LOC: Config.hierarchy_stoplist
396 A list of words which, if found in a URL, cause the object to
397 be handled directly by this cache. In other words, use this
398 to not query neighbor caches for certain objects. You may
399 list this option multiple times.
401 The default is to directly fetch URLs containing 'cgi-bin' or '?'.
403 hierarchy_stoplist cgi-bin ?
410 LOC: Config.accessList.noCache
412 A list of ACL elements which, if matched, cause the reply to
413 immediately removed from the cache. In other words, use this
414 to force certain objects to never be cached.
416 You must use the word 'DENY' to indicate the ACL names which should
419 There is no default. We recommend you uncomment the following
422 acl QUERY urlpath_regex cgi-bin \?
428 OPTIONS WHICH AFFECT THE CACHE SIZE
429 -----------------------------------------------------------------------------
436 LOC: Config.memMaxSize
438 NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS
439 SIZE. IT PLACES A LIMIT ON ONE ASPECT OF SQUID'S MEMORY
440 USAGE. SQUID USES MEMORY FOR OTHER THINGS AS WELL.
441 YOUR PROCESS WILL PROBABLY BECOME TWICE OR THREE TIMES
442 BIGGER THAN THE VALUE YOU PUT HERE
444 'cache_mem' specifies the ideal amount of memory to be used
448 * Negative-Cached objects
450 Data for these objects are stored in 4 KB blocks. This
451 parameter specifies the ideal upper limit on the total size of
452 4 KB blocks allocated. In-Transit objects take the highest
455 In-transit objects have priority over the others. When
456 additional space is needed for incoming data, negative-cached
457 and hot objects will be released. In other words, the
458 negative-cached and hot objects will fill up any unused space
459 not needed for in-transit objects.
461 If circumstances require, this limit will be exceeded.
462 Specifically, if your incoming request rate requires more than
463 'cache_mem' of memory to hold in-transit objects, Squid will
464 exceed this limit to satisfy the new requests. When the load
465 decreases, blocks will be freed until the high-water mark is
466 reached. Thereafter, blocks will be used to store hot
469 The values of cache_mem_low and cache_mem_high (below) can be
470 used to tune the use of the memory pool. When the high mark is
471 reached, in-transit and hot objects will be released to clear
472 space. When an object transfer is completed, it will remain in
473 memory only if the current memory usage is below the low water
476 The default is 8 Megabytes.
483 COMMENT: (percent, 0-100)
486 LOC: Config.Swap.lowWaterMark
489 NAME: cache_swap_high
490 COMMENT: (percent, 0-100)
493 LOC: Config.Swap.highWaterMark
495 The low- and high-water marks for cache LRU replacement. LRU
496 replacement begins when the high-water mark is reached and ends
497 when enough objects have been removed and the low-water mark is
498 reached. Defaults are 90% and 95%. If you have a large cache, 5%
499 could be hundreds of MB. If this is the case you may wish to
500 set these numbers closer together.
506 NAME: maximum_object_size
510 LOC: Config.Store.maxObjectSize
512 Objects larger than this size will NOT be saved on disk. The
513 value is specified in kilobytes, and the default is 4MB. If
514 you wish to get a high BYTES hit ratio, you should probably
515 increase this (one 32 MB object hit counts for 3200 10KB
516 hits). If you wish to increase speed more than your want to
517 save bandwidth you should leave this low.
519 maximum_object_size 4096 KB
524 COMMENT: (number of entries)
527 LOC: Config.ipcache.size
534 LOC: Config.ipcache.low
541 LOC: Config.ipcache.high
543 The size, low-, and high-water marks for the IP cache.
551 COMMENT: (number of entries)
554 LOC: Config.fqdncache.size
556 Maximum number of FQDN cache entries.
561 LOGFILE PATHNAMES AND CACHE DIRECTORIES
562 -----------------------------------------------------------------------------
568 DEFAULT_IF_NONE: @DEFAULT_SWAP_DIR@ 100 16 256
569 LOC: Config.cacheSwap
573 cache_dir Directory-Name Mbytes Level-1 Level2
575 You can specify multiple cache_dir lines to spread the
576 cache among different disk partitions.
578 'Directory' is a top-level directory where cache swap
579 files will be stored. If you want to use an entire disk
580 for caching, then this can be the mount-point directory.
581 The directory must exist and be writable by the Squid
582 process. Squid will NOT create this directory for you.
584 If no 'cache_dir' lines are specified, the following
585 default will be used: @DEFAULT_SWAP_DIR@.
587 'Mbytes' is the amount of disk space (MB) to use under this
588 directory. The default is 100 MB. Change this to suit your
591 'Level-1' is the number of first-level subdirectories which
592 will be created under the 'Directory'. The default is 16.
594 'Level-2' is the number of second-level subdirectories which
595 will be created under each first-level directory. The default
598 cache_dir @DEFAULT_SWAP_DIR@ 100 16 256
602 NAME: cache_access_log
604 DEFAULT: @DEFAULT_ACCESS_LOG@
605 LOC: Config.Log.access
607 Logs the client request activity. Contains an entry for
608 every HTTP and ICP queries received.
610 cache_access_log @DEFAULT_ACCESS_LOG@
616 DEFAULT: @DEFAULT_CACHE_LOG@
619 Cache logging file. This is where general information about
620 your cache's behaviour goes. You can increase the amount of data
621 logged to this file with the "debug_options" tag below.
623 cache_log @DEFAULT_CACHE_LOG@
627 NAME: cache_store_log
629 DEFAULT: @DEFAULT_STORE_LOG@
630 LOC: Config.Log.store
632 Logs the activities of the storage manager. Shows which
633 objects are ejected from the cache, and which objects are
634 saved and for how long. To disable, enter "none". There are
635 not really utilities to analyse this data, so you can safely
638 cache_store_log @DEFAULT_STORE_LOG@
647 Location for the cache "swap.log." This log file holds the
648 metadata of objects saved on disk. It is used to rebuild the
649 cache during startup. Normally this file resides in the first
650 'cache_dir' directory, but you may specify an alternate
651 pathname here. Note you must give a full filename, not just
652 a directory. Since this is the index for the whole object
653 list you CANNOT periodically rotate it!
655 If you have more than one 'cache_dir', these swap logs will
662 The numbered extension (which is added automatically)
663 corresponds to the order of the 'cache_dir' lines in this
664 configuration file. If you change the order of the 'cache_dir'
665 lines in this file, then these log files will NOT correspond to
666 the correct 'cache_dir' entry (unless you manually rename
667 them). We recommend that you do NOT use this option. It is
668 better to keep these log files in each 'cache_dir' directory.
674 NAME: emulate_httpd_log
678 LOC: Config.onoff.common_log
680 The Cache can emulate the log file format which many 'httpd'
681 programs use. To disable/enable this emulation, set
682 emulate_httpd_log to 'off' or 'on'. The default
683 is to use the native log format since it includes useful
684 information that Squid-specific log analysers use.
686 emulate_httpd_log off
692 DEFAULT: @DEFAULT_MIME_TABLE@
693 LOC: Config.mimeTablePathname
695 Pathname to Squid's MIME table. You shouldn't need to change
696 this, but the default file contains examples and formatting
697 information if you do.
699 mime_table @DEFAULT_MIME_TABLE@
706 LOC: Config.onoff.log_mime_hdrs
709 The Cache can record both the request and the response MIME
710 headers for each HTTP transaction. The headers are encoded
711 safely and will appear as two bracketed fields at the end of
712 the access log (for either the native or httpd-emulated log
713 formats). To enable this logging set log_mime_hdrs to 'on'.
721 LOC: Config.Log.useragent
724 If configured with the "--enable-useragent_log" configure
725 option, Squid will write the User-Agent field from HTTP
726 requests to the filename specified here. By default
727 useragent_log is disabled.
735 DEFAULT: @DEFAULT_PID_FILE@
736 LOC: Config.pidFilename
738 A filename to write the process-id to. To disable, enter "none".
740 pid_filename @DEFAULT_PID_FILE@
747 LOC: Config.debugOptions
749 Logging options are set as section,level where each source file
750 is assigned a unique section. Lower levels result in less
751 output, Full debugging (level 9) can result in a very large
752 log file, so be careful. The magic word "ALL" sets debugging
753 levels for all sections. We recommend normally running with
760 NAME: ident_lookup_access
764 DEFAULT_IF_NONE: deny all
765 LOC: Config.accessList.identLookup
767 A list of ACL elements which, if matched, cause an ident
768 (RFC 931) lookup to be performed for this request. For
769 example, you might choose to always perform ident lookups
770 for your main multi-user Unix boxes, but not for your Macs
771 and PCs. By default, ident lookups are not performed for
774 To enable ident lookups for specific client addresses, you
775 can follow this example:
777 acl ident_aware_hosts src 198.168.1.0/255.255.255.0
778 ident_lookup_access allow ident_aware_hosts
779 ident_lookup_access deny all
780 ident_lookup_access deny all
788 LOC: Config.onoff.log_fqdn
790 Turn this on if you wish to log fully qualified domain names
791 in the access.log. To do this Squid does a DNS lookup of all
792 IP's connecting to it. This can (in some situations) increase
793 latency, which makes your cache seem slower for interactive
802 LOC: Config.Addrs.client_netmask
803 DEFAULT: 255.255.255.255
805 A netmask for client addresses in logfiles and cachemgr output.
806 Change this to protect the privacy of your cache clients.
807 A netmask of 255.255.255.0 will log all IP's in that range with
808 the last digit set to '0'.
810 client_netmask 255.255.255.255
815 OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
816 -----------------------------------------------------------------------------
822 LOC: Config.Ftp.anon_user
824 If you want the anonymous login password to be more informative
825 (and enable the use of picky ftp servers), set this to something
826 resonable for your domain, like wwwuser@somewhere.net
828 The reason why this is domainless by default is that the
829 request can be made on the behalf of a user in any domain,
830 depending on how the cache is used.
831 Some ftp server also validate that the email address is valid
832 (for example perl.com).
840 LOC: Config.Ftp.list_width
842 Sets the width of ftp listings. This should be set to fit in
843 the width of a standard browser. Setting this too small
844 can cut off long filenames when browsing ftp sites.
849 NAME: cache_dns_program
851 DEFAULT: @DEFAULT_DNSSERVER@
852 LOC: Config.Program.dnsserver
854 Specify the location of the executable for dnslookup process.
856 cache_dns_program @DEFAULT_DNSSERVER@
862 LOC: Config.dnsChildren
864 The number of processes spawn to service DNS name lookups.
865 For heavily loaded caches on large servers, you should
866 probably increase this value to at least 10. The maximum
867 is 32. The default is 5.
869 To disable dnsservers, set this to 0. NOTE, this is very
870 strongly discouraged. If you disable dnsservers your Squid
871 process will BLOCK on DNS lookups!
881 LOC: Config.onoff.res_defnames
883 Normally the 'dnsserver' disables the RES_DEFNAMES resolver
884 option (see res_init(3)). This prevents caches in a hierarchy
885 from interpreting single-component hostnames locally. To allow
886 dnsserver to handle single-component names, enable this
892 NAME: dns_nameservers
895 LOC: Config.dns_nameservers
897 Use this if you want to specify a list of DNS name servers
898 (IP addresses) to use instead of those given in your
899 /etc/resolv.conf file.
901 Example: dns_nameservers 10.0.0.1 192.172.0.4
907 NAME: unlinkd_program
909 DEFAULT: @DEFAULT_UNLINKD@
910 LOC: Config.Program.unlinkd
912 Specify the location of the executable for file deletion process.
913 This isn't needed if you are using async-io since it's handled by
916 unlinkd_program @DEFAULT_UNLINKD@
922 DEFAULT: @DEFAULT_PINGER@
923 LOC: Config.Program.pinger
925 Specify the location of the executable for the pinger process.
926 This is only useful if you configured Squid (during compliation)
927 with the '--enable-icmp' option.
929 pinger_program @DEFAULT_PINGER@
933 NAME: redirect_program
935 LOC: Config.Program.redirect
938 Specify the location of the executable for the URL redirector.
939 Since they can perform almost any function there isn't one included.
940 See the Release-Notes for information on how to write one.
941 By default, a redirector is not used.
943 redirect_program none
947 NAME: redirect_children
950 LOC: Config.redirectChildren
952 The number of redirector processes to spawn. If you start
953 too few Squid will have to wait for them to process a backlog of
954 URLs, slowing it down. If you start too many they will use RAM
955 and other system resources.
960 NAME: redirect_rewrites_host_header
963 LOC: Config.onoff.redir_rewrites_host
965 By default Squid rewrites any Host: header in redirected requests.
966 If you are running a accelerator then this may not be a wanted effect
968 redirect_rewrites_host_header on
972 NAME: authenticate_program
974 LOC: Config.Program.authenticate
977 Specify the command for the external authenticator. Such a
978 program reads a line containing "username password" and replies
979 "OK" or "ERR" in an endless loop. If you use an authenticator,
980 make sure you have 1 acl of type proxy_auth. By default, the
981 authenticator_program is not used.
983 If you want to use the traditional proxy authentication,
984 jump over to the ../auth_modules/NCSA directory and
989 Then, set this line to something like
991 authenticate_program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
993 authenticate_program none
996 NAME: authenticate_children
999 LOC: Config.authenticateChildren
1001 The number of authenticator processes to spawn (default 5). If you
1002 start too few Squid will have to wait for them to process a backlog
1003 of usercode/password verifications, slowing it down. When password
1004 verifications are done via a (slow) network you are likely to need
1005 lots of authenticator processes.
1007 authenticate_children 5
1010 NAME: authenticate_ttl
1013 LOC: Config.authenticateTTL
1015 The time a checked username/password combination remains cached
1016 (default 3600). If a wrong password is given for a cached user,
1017 the user gets removed from the username/password cache forcing
1020 authenticate_ttl 3600
1024 OPTIONS FOR TUNING THE CACHE
1025 -----------------------------------------------------------------------------
1028 NAME: wais_relay_host
1031 LOC: Config.Wais.relayHost
1034 NAME: wais_relay_port
1037 LOC: Config.Wais.relayPort
1039 Relay WAIS request to host (1st arg) at port (2 arg).
1041 wais_relay_host localhost
1042 wais_relay_port 8000
1050 LOC: Config.maxRequestSize
1052 Maximum allowed request size in kilobytes. If people are using
1053 POST to upload files, then set this to the largest acceptable
1054 filesize plus a few extra kbytes.
1060 NAME: refresh_pattern
1061 TYPE: refreshpattern
1065 usage: refresh_pattern [-i] regex min percent max [options]
1067 By default, regular expressions are CASE-SENSITIVE. To make
1068 them case-insensitive, use the -i option.
1070 min and max are specified in MINUTES.
1071 percent is an integer number.
1073 options: override-expire
1078 override-expire enforces min age even if the server
1079 sent a Expires: header. Doing this VIOLATES the HTTP
1080 standard. Enabling this feature could make you liable
1081 for problems which it causes.
1083 override-lastmod enforces min age even on objects
1084 that was modified recently.
1086 reload-into-ims changes client no-cache or ``reload''
1087 to If-Modified-Since requests. Doing this VIOLATES the
1088 HTTP standard. Enabling this feature could make you
1089 liable for problems which it causes.
1091 ignore-reload ignores a client no-cache or ``reload''
1092 header. Doing this VIOLATES the HTTP standard. Enabling
1093 this feature could make you liable for problems which
1096 Please see the file doc/Release-Notes-1.1.txt for a full
1097 description of Squid's refresh algorithm. Basically a
1098 cached object is: (the order is changed from 1.1.X)
1101 FRESH if expires < now, else STALE
1102 FRESH if lm-factor < percent, else STALE
1106 The refresh_pattern lines are checked in the order listed here.
1107 The first entry which matches is used. If none of the entries
1108 match, then the default will be used.
1111 refresh_pattern . 0 20% 4320
1117 LOC: Config.referenceAge
1120 As a part of normal operation, Squid performs Least Recently
1121 Used removal of cached objects. The LRU age for removal is
1122 computed dynamically, based on the amount of disk space in
1123 use. The dynamic value can be seen in the Cache Manager 'info'
1126 The 'reference_age' parameter defines the maximum LRU age. For
1127 example, setting reference_age to '1 week' will cause objects
1128 to be removed if they have not been accessed for a week or
1129 more. The default value is one month.
1131 Specify a number here, followed by units of time. For example:
1137 reference_age 1 month
1141 NAME: quick_abort_min
1145 LOC: Config.quickAbort.min
1148 NAME: quick_abort_max
1152 LOC: Config.quickAbort.max
1155 NAME: quick_abort_pct
1159 LOC: Config.quickAbort.pct
1161 The cache can be configured to continue downloading aborted
1162 requests. This may be undesirable on slow (e.g. SLIP) links
1163 and/or very busy caches. Impatient users may tie up file
1164 descriptors and bandwidth by repeatedly requesting and
1165 immediately aborting downloads.
1167 When the user aborts a request, Squid will check the
1168 quick_abort values to the amount of data transfered until
1171 If the transfer has less than 'quick_abort_min' KB remaining,
1172 it will finish the retrieval. Setting 'quick_abort_min' to -1
1173 will disable the quick_abort feature.
1175 If the transfer has more than 'quick_abort_max' KB remaining,
1176 it will abort the retrieval.
1178 If more than 'quick_abort_pct' of the transfer has completed,
1179 it will finish the retrieval.
1181 quick_abort_min 16 KB
1182 quick_abort_max 16 KB
1190 LOC: Config.negativeTtl
1193 Time-to-Live (TTL) for failed requests. Certain types of
1194 failures (such as "connection refused" and "404 Not Found") are
1195 negatively-cached for a configurable amount of time. The
1196 default is 5 minutes. Note that this is different from
1197 negative caching of DNS lookups.
1199 negative_ttl 5 minutes
1203 NAME: positive_dns_ttl
1206 LOC: Config.positiveDnsTtl
1209 Time-to-Live (TTL) for positive caching of successful DNS lookups.
1210 Default is 6 hours (360 minutes). If you want to minimize the
1211 use of Squid's ipcache, set this to 1, not 0.
1213 positive_dns_ttl 6 hours
1217 NAME: negative_dns_ttl
1220 LOC: Config.negativeDnsTtl
1223 Time-to-Live (TTL) for negative caching of failed DNS lookups.
1225 negative_dns_ttl 5 minutes
1228 NAME: range_offset_limit
1231 LOC: Config.rangeOffsetLimit
1234 Sets a upper limit on how far into the the file a Range request
1235 may be to cause Squid to prefetch the whole file. If beyond this
1236 limit then Squid forwards the Range request as it is and the result
1239 This is to stop a far ahead range request (lets say start at 17MB)
1240 from making Squid fetch the whole object up to that point before
1241 sending anything to the client.
1243 A value of -1 causes Squid to always fetch the object from the
1244 beginning so that it may cache the result. (2.0 style)
1246 A value of 0 causes Squid to never fetch more than the client
1247 client requested. (default)
1249 range_offset_limit 0 KB
1255 -----------------------------------------------------------------------------
1258 NAME: connect_timeout
1261 LOC: Config.Timeout.connect
1264 Some systems (notably Linux) can not be relied upon to properly
1265 time out connect(2) requests. Therefore the Squid process
1266 enforces its own timeout on server connections. This parameter
1267 specifies how long to wait for the connect to complete. The
1268 default is two minutes (120 seconds).
1270 connect_timeout 120 seconds
1273 NAME: siteselect_timeout
1276 LOC: Config.Timeout.siteSelect
1279 For URN to multiple URL's URL selection
1281 siteselect_timeout 4 seconds
1287 LOC: Config.Timeout.read
1290 The read_timeout is applied on server-side connections. After
1291 each successful read(), the timeout will be extended by this
1292 amount. If no data is read again after this amount of time,
1293 the request is aborted and logged with ERR_READ_TIMEOUT. The
1294 default is 15 minutes.
1296 read_timeout 15 minutes
1300 NAME: request_timeout
1302 LOC: Config.Timeout.request
1305 How long to wait for an HTTP request after connection
1306 establishment. For persistent connections, wait this long
1307 after the previous request completes.
1309 request_timeout 30 seconds
1313 NAME: client_lifetime
1316 LOC: Config.Timeout.lifetime
1319 The maximum amount of time that a client (browser) is allowed to
1320 remain connected to the cache process. This protects the Cache
1321 from having alot of sockets (and hence file descriptors) tied up
1322 in a CLOSE_WAIT state from remote clients that go away without
1323 properly shutting down (either because of a network failure or
1324 because of a poor client implementation). The default is one
1327 NOTE: The default value is intended to be much larger than any
1328 client would ever need to be connected to your cache. You
1329 should probably change client_lifetime only as a last resort.
1330 If you seem to have many client connections tying up
1331 filedescriptors, we recommend first tuning the read_timeout,
1332 request_timeout, pconn_timeout and quick_abort values.
1334 client_lifetime 1 day
1337 NAME: half_closed_clients
1339 LOC: Config.onoff.half_closed_clients
1342 Some clients may shutdown the sending side of their TCP
1343 connections, while leaving their receiving sides open. Sometimes,
1344 Squid can not tell the difference between a half-closed and a
1345 fully-closed TCP connection. By default, half-closed client
1346 connections are kept open until a read(2) or write(2) on the
1347 socket returns an error. Change this option to 'off' and Squid
1348 will immediately close client connections when read(2) returns
1349 "no more data to read."
1351 half_closed_clients on
1356 LOC: Config.Timeout.pconn
1357 DEFAULT: 120 seconds
1359 Timeout for idle persistent connections to servers and other
1361 pconn_timeout 120 seconds
1367 LOC: Config.Timeout.ident
1370 Maximum time to wait for IDENT requests. If this is too high,
1371 and you enabled 'ident_lookup', then you might be susceptible
1372 to denial-of-service by having many ident requests going at
1374 ident_timeout 10 seconds
1378 NAME: shutdown_lifetime
1381 LOC: Config.shutdownLifetime
1384 When SIGTERM or SIGHUP is received, the cache is put into
1385 "shutdown pending" mode until all active sockets are closed.
1386 This value is the lifetime to set for all open descriptors
1387 during shutdown mode. Any active clients after this many
1388 seconds will receive a 'timeout' message.
1390 shutdown_lifetime 30 seconds
1395 -----------------------------------------------------------------------------
1403 Defining an Access List
1405 acl aclname acltype string1 ...
1406 acl aclname acltype "file" ...
1408 when using "file", the file should contain one item per line
1410 acltype is one of src dst srcdomain dstdomain url_pattern
1411 urlpath_pattern time port proto method browser user
1413 By default, regular expressions are CASE-SENSITIVE. To make
1414 them case-insensitive, use the -i option.
1416 acl aclname src ip-address/netmask ... (clients IP address)
1417 acl aclname src addr1-addr2/netmask ... (range of addresses)
1418 acl aclname dst ip-address/netmask ... (URL host's IP address)
1419 acl aclname myip ip-address/netmask ... (local socket IP address)
1421 acl aclname srcdomain foo.com ... # reverse lookup, client IP
1422 acl aclname dstdomain foo.com ... # Destination server from URL
1423 acl aclname srcdom_regex [-i] xxx ... # regex matching client name
1424 acl aclname dstdom_regex [-i] xxx ... # regex matching server
1425 # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
1426 # based URL is used. The name "none" is used if the reverse lookup
1429 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
1438 h1:m1 must be less than h2:m2
1439 acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
1440 acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
1441 acl aclname port 80 70 21 ...
1442 acl aclname port 0-1024 ... # ranges allowed
1443 acl aclname proto HTTP FTP ...
1444 acl aclname method GET POST ...
1445 acl aclname browser [-i] regexp
1446 # pattern match on User-Agent header
1447 acl aclname ident username ...
1448 # string match on ident output.
1449 # use REQUIRED to accept any non-null ident.
1450 acl aclname src_as number ...
1451 acl aclname dst_as number ...
1452 # Except for access control, AS numbers can be used for
1453 # routing of requests to specific caches. Here's an
1454 # example for routing all requests for AS#1241 and only
1455 # those to mycache.mydomain.net:
1456 # acl asexample dst_as 1241
1457 # cache_peer_access mycache.mydomain.net allow asexample
1458 # cache_peer_access mycache_mydomain.net deny all
1460 acl aclname proxy_auth username ...
1461 # list of valid usernames
1462 # use REQUIRED to accept any valid username.
1464 # NOTE: when a Proxy-Authentication header is sent but it is not
1465 # needed during ACL checking the username is NOT logged
1468 # NOTE: proxy_auth requires a EXTERNAL authentication program
1469 # to check username/password combinations (see
1470 # authenticate_program).
1472 # WARNING: proxy_auth can't be used in a transparent proxy. It
1473 # collides with any authentication done by origin servers. It may
1474 # seem like it works at first, but it doesn't.
1476 acl aclname snmp_community string ...
1477 # A community string to limit access to your SNMP Agent
1480 # acl snmppublic snmp_community public
1484 acl myexample dst_as 1241
1485 acl password proxy_auth 300
1489 acl all src 0.0.0.0/0.0.0.0
1490 acl manager proto cache_object
1491 acl localhost src 127.0.0.1/255.255.255.255
1492 acl SSL_ports port 443 563
1493 acl Safe_ports port 80 21 443 563 70 210 1025-65535
1494 acl CONNECT method CONNECT
1500 LOC: Config.accessList.http
1502 DEFAULT_IF_NONE: deny all
1504 Allowing or Denying access based on defined access lists
1506 Access to the HTTP port:
1507 http_access allow|deny [!]aclname ...
1509 Access to the ICP port:
1510 icp_access allow|deny [!]aclname ...
1512 NOTE on default values:
1514 If there are no "access" lines present, the default is to allow
1517 If none of the "access" lines cause a match, the default is the
1518 opposite of the last line in the list. If the last line was
1519 deny, then the default is allow. Conversely, if the last line
1520 is allow, the default will be deny. For these reasons, it is a
1521 good idea to have an "deny all" or "allow all" entry at the end
1522 of your access lists to avoid potential confusion.
1524 Default configuration:
1526 http_access allow manager localhost
1527 http_access deny manager
1528 http_access deny !Safe_ports
1529 http_access deny CONNECT !SSL_ports
1531 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
1533 http_access deny all
1540 LOC: Config.accessList.icp
1542 DEFAULT_IF_NONE: deny all
1544 Reply to all ICP queries we receive
1547 icp_access allow all
1554 LOC: Config.accessList.miss
1557 Use to force your neighbors to use you as a sibling instead of
1558 a parent. For example:
1560 acl localclients src 172.16.0.0/16
1561 miss_access allow localclients
1562 miss_access deny !localclients
1564 This means that only your local clients are allowed to fetch
1565 MISSES and all other clients can only fetch HITS.
1567 By default, allow all clients who passed the http_access rules
1568 to fetch MISSES from us.
1570 miss_access allow all
1575 NAME: cache_peer_access
1580 Similar to 'cache_peer_domain' but provides more flexibility by
1583 cache_peer_access cache-host allow|deny [!]aclname ...
1585 The syntax is identical to 'http_access' and the other lists of
1586 ACL elements. See the comments for 'http_access' below, or
1587 the Squid FAQ (http://squid.nlanr.net/Squid/FAQ/FAQ-10.html).
1590 NAME: proxy_auth_realm
1592 DEFAULT: Squid proxy-caching web server
1593 LOC: Config.proxyAuthRealm
1595 Specifies the realm name which is to be reported to the client for
1596 proxy authentication (part of the text the user will see when
1597 prompted their username and password).
1599 proxy_auth_realm Squid proxy-caching web server
1604 ADMINISTRATIVE PARAMETERS
1605 -----------------------------------------------------------------------------
1611 LOC: Config.adminEmail
1613 Email-address of local cache manager who will receive
1614 mail if the cache dies. The default is "webmaster."
1620 NAME: cache_effective_user
1623 LOC: Config.effectiveUser
1626 NAME: cache_effective_group
1629 LOC: Config.effectiveGroup
1632 If the cache is run as root, it will change its effective/real
1633 UID/GID to the UID/GID specified below. The default is to
1634 change to UID to nobody and GID to nogroup.
1636 If Squid is not started as root, the default is to keep the
1637 current UID/GID. Note that if Squid is not started as root then
1638 you cannot set http_port to a value lower than 1024.
1640 cache_effective_user nobody
1641 cache_effective_group nogroup
1645 NAME: visible_hostname
1647 LOC: Config.visibleHostname
1650 If you want to present a special hostname in error messages, etc,
1651 then define this. Otherwise, the return value of gethostname()
1652 will be used. If you have multiple caches in a cluster and
1653 get errors about IP-forwarding you must set them to have individual
1654 names with this setting.
1656 visible_hostname www-cache.foo.org
1660 NAME: unique_hostname
1662 LOC: Config.uniqueHostname
1665 If you want to have multiple machines with the same
1666 'visible_hostname' then you must give each machine a different
1667 'unique_hostname' so that forwarding loops can be detected.
1669 unique_hostname www-cache1.foo.org
1673 OPTIONS FOR THE CACHE REGISTRATION SERVICE
1674 -----------------------------------------------------------------------------
1676 This section contains parameters for the (optional) cache
1677 announcement service. This service is provided to help
1678 cache administrators locate one another in order to join or
1679 create cache hierarchies.
1681 An 'announcement' message is sent (via UDP) to the registration
1682 service by Squid. By default, the annoucement message is NOT
1683 SENT unless you enable it with 'announce_period' below.
1685 The announcement message includes your hostname, plus the
1686 following information from this configuration file:
1692 All current information is processed regularly and made
1693 available on the Web at http://ircache.nlanr.net/Cache/Tracker/.
1696 NAME: announce_period
1698 LOC: Config.Announce.period
1701 This is how frequently to send cache announcements. The
1702 default is `0' which disables sending the announcement
1705 To enable announcing your cache, just uncomment the line
1708 announce_period 1 day
1714 DEFAULT: tracker.ircache.net
1715 LOC: Config.Announce.host
1721 LOC: Config.Announce.file
1727 LOC: Config.Announce.port
1729 announce_host and announce_port set the hostname and port
1730 number where the registration message will be sent.
1732 Hostname will default to 'tracker.ircache.net' and port will
1733 default default to 3131. If the 'filename' argument is given,
1734 the contents of that file will be included in the announce
1737 announce_host tracker.ircache.net
1742 HTTPD-ACCELERATOR OPTIONS
1743 -----------------------------------------------------------------------------
1746 NAME: httpd_accel_host
1748 LOC: Config.Accel.host
1752 NAME: httpd_accel_port
1754 LOC: Config.Accel.port
1757 If you want to run Squid as an httpd accelerator, define the
1758 host name and port number where the real HTTP server is.
1760 If you want virtual host support then specify the hostname
1763 NOTE: enabling httpd_accel_host disables proxy-caching and
1764 ICP. If you want these features enabled also, then set
1765 the 'httpd_accel_with_proxy' option.
1767 httpd_accel_host hostname
1768 httpd_accel_port port
1772 NAME: httpd_accel_with_proxy
1776 LOC: Config.onoff.accel_with_proxy
1778 If you want to use Squid as both a local httpd accelerator
1779 and as a proxy, change this to 'on'.
1781 httpd_accel_with_proxy off
1785 NAME: httpd_accel_uses_host_header
1789 LOC: opt_accel_uses_host
1791 HTTP/1.1 requests include a Host: header which is basically the
1792 hostname from the URL. Squid can be an accelerator for
1793 different HTTP servers by looking at this header. However,
1794 Squid does NOT check the value of the Host header, so it opens
1795 a big security hole. We recommend that this option remain
1796 disabled unless you are sure of what you are doing.
1798 However, you will need to enable this option if you run Squid
1799 as a transparent proxy. Otherwise, virtual servers which
1800 require the Host: header will not be properly cached.
1801 httpd_accel_uses_host_header off
1806 -----------------------------------------------------------------------------
1811 LOC: Config.dns_testname_list
1814 The DNS tests exit as soon as the first site is successfully looked up
1816 If you want to disable DNS tests, do not comment out or delete this
1817 list. Instead use the -D command line option
1819 dns_testnames netscape.com internic.net nlanr.net microsoft.com
1823 NAME: logfile_rotate
1826 LOC: Config.Log.rotateNumber
1828 Specifies the number of logfile rotations to make when you
1829 type 'squid -k rotate'. The default is 10, which will rotate
1830 with extensions 0 through 9. Setting logfile_rotate to 0 will
1831 disable the rotation, but the logfiles are still closed and
1832 re-opened. This will enable you to rename the logfiles
1833 yourself just before sending the rotate signal.
1835 Note, the 'squid -k rotate' command normally sends a USR1
1836 signal to the running squid process. In certain situations
1837 (e.g. on Linux with Async I/O), USR1 is used for other
1838 purposes, so -k rotate uses another signal. It is best to get
1839 in the habit of using 'squid -k rotate' instead of 'kill -USR1
1848 LOC: Config.appendDomain
1851 Appends local domain name to hostnames without any dots in
1852 them. append_domain must begin with a period.
1854 append_domain .yourdomain.com
1858 NAME: tcp_recv_bufsize
1862 LOC: Config.tcpRcvBufsz
1864 Size of receive buffer to set for TCP sockets. Probably just
1865 as easy to change your kernel's default. Set to zero to use
1866 the default buffer size.
1868 tcp_recv_bufsize 0 bytes
1873 LOC: Config.errHtmlText
1876 HTML text to include in error messages. Make this a "mailto"
1877 URL to your admin address, or maybe just a link to your
1878 organizations Web page.
1880 To include this in your error messages, you must rewrite
1881 the error template files (found in the "errors" directory).
1882 Wherever you want the 'err_html_text' line to appear,
1883 insert a %L tag in the error template file.
1890 LOC: Config.denyInfoList
1893 Usage: deny_info err_page_name acl
1894 Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
1896 This can be used to return a ERR_ page for requests which
1897 do not pass the 'http_access' rules. A single ACL will cause
1898 the http_access check to fail. If a 'deny_info' line exists
1899 for that ACL then Squid returns a corresponding error page.
1901 You may use ERR_ pages that come with Squid or create your own pages
1902 and put them into the configured errors/ directory.
1909 LOC: Config.onoff.mem_pools
1911 If set, Squid will keep pools of allocated (but unused) memory
1912 available for future use. If memory is a premium on your
1913 system and you believe your malloc library outperforms Squid
1914 routines, disable this.
1919 NAME: memory_pools_limit
1923 LOC: Config.MemPools.limit
1925 Used only with memory_pools on:
1926 memory_pools_limit 50 MB
1928 If set to a non-zero value, Squid will keep at most the specified
1929 limit of allocated (but unused) memory in memory pools. All free()
1930 requests that exceed this limit will be handled by your malloc
1931 library. Squid does not pre-allocate any memory, just safe-keeps
1932 objects that otherwise would be free()d. Thus, it is safe to set
1933 memory_pools_limit to a reasonably high value even if your
1934 configuration will use less memory.
1936 If not set (default) or set to zero, Squid will keep all memory it
1937 can. That is, there will be no limit on the total amount of memory
1938 used for safe-keeping.
1940 To disable memory allocation optimization, do not set
1941 memory_pools_limit to 0. Set memory_pools to "off" instead.
1943 An overhead for maintaining memory pools is not taken into account
1944 when the limit is checked. This overhead is close to four bytes per
1945 object kept. However, pools may actually _save_ memory because of
1946 reduced memory thrashing in your malloc library.
1953 LOC: opt_forwarded_for
1955 If set, Squid will include your system's IP address or name
1956 in the HTTP requests it forwards. By default it looks like
1959 X-Forwarded-For: 192.1.2.3
1961 If you disable this, it will appear as
1963 X-Forwarded-For: unknown
1968 NAME: log_icp_queries
1972 LOC: Config.onoff.log_udp
1974 If set, ICP queries are logged to access.log. You may wish
1975 do disable this if your ICP load is VERY high to speed things
1976 up or to simplify log analysis.
1985 LOC: Config.onoff.icp_hit_stale
1987 If you want to return ICP_HIT for stale cache objects, set this
1988 option to 'on'. If you have sibling relationships with caches
1989 in other administrative domains, this should be 'off'. If you only
1990 have sibling relationships with caches under your control, then
1991 it is probably okay to set this to 'on'.
1997 NAME: minimum_direct_hops
2000 LOC: Config.minDirectHops
2002 If using the ICMP pinging stuff, do direct fetches for sites
2003 which are no more than this many hops away.
2005 minimum_direct_hops 4
2009 NAME: cachemgr_passwd
2010 TYPE: cachemgrpasswd
2012 LOC: Config.passwd_list
2014 Specify passwords for cachemgr operations.
2016 Usage: cachemgr_passwd password action action ...
2018 Some valid actions are (see cache manager menu for a full list):
2056 * Indicates actions which will not be performed without a
2057 valid password, others can be performed if not listed here.
2059 To disable an action, set the password to "disable".
2060 To allow performing an action without a password, set the
2063 Use the keyword "all" to set the same password for all actions.
2065 cachemgr_passwd secret shutdown
2066 cachemgr_passwd lesssssssecret info stats/objects
2067 cachemgr_passwd disable all
2070 NAME: store_avg_object_size
2074 LOC: Config.Store.avgObjectSize
2076 Average object size, used to estimate number of objects your
2077 cache can hold. See doc/Release-Notes-1.1.txt. The default is
2080 store_avg_object_size 13 KB
2083 NAME: store_objects_per_bucket
2086 LOC: Config.Store.objectsPerBucket
2088 Target number of objects per bucket in the store hash table.
2089 Lowering this value increases the total number of buckets and
2090 also the storage maintenance rate. The default is 20.
2092 store_objects_per_bucket 50
2099 LOC: Config.onoff.client_db
2101 If you want to disable collecting per-client statistics, then
2102 turn off client_db here.
2111 LOC: Config.Netdb.low
2117 LOC: Config.Netdb.high
2119 The low and high water marks for the ICMP measurement
2120 database. These are counts, not percents. The defaults are
2121 900 and 1000. When the high water mark is reached, database
2122 entries will be deleted until the low mark is reached.
2129 NAME: netdb_ping_period
2131 LOC: Config.Netdb.period
2134 The minimum period for measuring a site. There will be at
2135 least this much delay between successive pings to the same
2136 network. The default is five minutes.
2138 netdb_ping_period 5 minutes
2146 LOC: Config.onoff.query_icmp
2148 If you want to ask your peers to include ICMP data in their ICP
2149 replies, enable this option.
2151 If your peer has configured Squid (during compilation) with
2152 '--enable-icmp' then that peer will send ICMP pings to origin server
2153 sites of the URLs it receives. If you enable this option then the
2154 ICP replies from that peer will include the ICMP data (if available).
2155 Then, when choosing a parent cache, Squid will choose the parent with
2156 the minimal RTT to the origin server. When this happens, the
2157 hierarchy field of the access.log will be
2158 "CLOSEST_PARENT_MISS". This option is off by default.
2163 NAME: test_reachability
2167 LOC: Config.onoff.test_reachability
2169 When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
2170 instead of ICP_MISS if the target host is NOT in the ICMP
2171 database, or has a zero RTT.
2173 test_reachability off
2180 LOC: Config.onoff.buffered_logs
2182 Some log files (cache.log, useragent.log) are written with
2183 stdio functions, and as such they can be buffered or
2184 unbuffered. By default they will be unbuffered. Buffering them
2185 can speed up the writing slightly (though you are unlikely to
2190 NAME: reload_into_ims
2191 IFDEF: HTTP_VIOLATIONS
2195 LOC: Config.onoff.reload_into_ims
2197 When you enable this option, client no-cache or ``reload''
2198 requests will be changed to If-Modified-Since requests.
2199 Doing this VIOLATES the HTTP standard. Enabling this
2200 feature could make you liable for problems which it
2203 see also refresh_pattern for a more selective approach.
2210 LOC: Config.accessList.AlwaysDirect
2213 Usage: always_direct allow|deny [!]aclname ...
2215 Here you can use ACL elements to specify requests which should
2216 ALWAYS be forwarded directly to origin servers. For example,
2217 to always directly forward requests for local servers use
2220 acl local-servers dstdomain my.domain.net
2221 always_direct allow local-servers
2223 To always forward FTP requests directly, use
2226 always_direct allow FTP
2228 NOTE: There is a similar, but opposite option named
2229 'never_direct'. You need to be aware that "always_direct deny
2230 foo" is NOT the same thing as "never_direct allow foo". You
2231 may need to use a deny rule to exclude a more-specific case of
2232 some other rule. Example:
2234 acl local-external dstdomain external.foo.net
2235 acl local-servers dstdomain foo.net
2236 always_direct deny local-external
2237 always_direct allow local-servers
2239 This option replaces some v1.1 options such as local_domain
2245 LOC: Config.accessList.NeverDirect
2248 Usage: never_direct allow|deny [!]aclname ...
2250 never_direct is the opposite of always_direct. Please read
2251 the description for always_direct if you have not already.
2253 With 'never_direct' you can use ACL elements to specify
2254 requests which should NEVER be forwarded directly to origin
2255 servers. For example, to force the use of a proxy for all
2256 requests, except those in your local domain use something like:
2258 acl local-servers dstdomain foo.net
2259 acl all src 0.0.0.0/0.0.0.0
2260 never_direct deny local-servers
2261 never_direct allow all
2263 or if squid is inside a firewall and there is local intranet
2264 servers inside the firewall then use something like:
2266 acl local-intranet dstdomain foo.net
2267 acl local-external dstdomain external.foo.net
2268 always_direct deny local-external
2269 always_direct allow local-intranet
2270 never_direct allow all
2272 This option replaces some v1.1 options such as inside_firewall
2276 NAME: anonymize_headers
2278 LOC: Config.anonymize_headers
2281 Usage: anonymize_headers allow|deny header_name ...
2283 This option replaces the old 'http_anonymizer' option with
2284 something that is much more configurable. You may now
2285 specify exactly which headers are to be allowed, or which
2286 are to be removed from outgoing requests.
2288 There are two methods of using this option. You may either
2289 allow specific headers (thus denying all others), or you
2290 may deny specific headers (thus allowing all others).
2292 For example, to achieve the same behaviour as the old
2293 'http_anonymizer standard' option, you should use:
2295 anonymize_headers deny From Referer Server
2296 anonymize_headers deny User-Agent WWW-Authenticate Link
2298 Or, to reproduce the old 'http_anonymizer paranoid' feature
2301 anonymize_headers allow Allow Authorization Cache-Control
2302 anonymize_headers allow Content-Encoding Content-Length
2303 anonymize_headers allow Content-Type Date Expires Host
2304 anonymize_headers allow If-Modified-Since Last-Modified
2305 anonymize_headers allow Location Pragma Accept Charset
2306 anonymize_headers allow Accept-Encoding Accept-Language
2307 anonymize_headers allow Content-Language Mime-Version
2308 anonymize_headers allow Retry-After Title Connection
2309 anonymize_headers allow Proxy-Connection
2311 NOTE: You can not mix "allow" and "deny". All 'anonymize_headers'
2312 lines must have the same second argument.
2314 By default, all headers are allowed (no anonymizing is
2320 NAME: fake_user_agent
2325 If you filter the User-Agent header with 'anonymize_headers' it
2326 may cause some Web servers to refuse your request. Use this to
2327 fake one up. For example:
2329 fake_user_agent Nutscrape/1.0 (CP/M; 8-bit)
2330 (credit to Paul Southworth pauls@etext.org for this one!)
2332 fake_user_agent none
2335 NAME: icon_directory
2337 LOC: Config.icons.directory
2338 DEFAULT: @DEFAULT_ICON_DIR@
2340 Where the icons are stored. These are normally kept in
2344 NAME: error_directory
2346 LOC: Config.errorDirectory
2347 DEFAULT: @DEFAULT_ERROR_DIR@
2349 If you wish to create your own versions of the default
2350 (English) error files, either to customise them to suit your
2351 language or company copy the template english files to another
2352 directory and point this tag at them.
2355 NAME: minimum_retry_timeout
2358 LOC: Config.retry.timeout
2361 This specifies the minimum connect timeout, for when the
2362 connect timeout is reduced to compensate for the availability
2363 of multiple IP addresses.
2365 When a connection to a host is initiated, and that host has
2366 several IP addresses, the default connection timeout is reduced
2367 by dividing it by the number of addresses. So, a site with 15
2368 addresses would then have a timeout of 8 seconds for each
2369 address attempted. To avoid having the timeout reduced to the
2370 point where even a working host would not have a chance to
2371 respond, this setting is provided. The default, and the
2372 minimum value, is five seconds, and the maximum value is sixty
2373 seconds, or half of connect_timeout, whichever is greater and
2374 less than connect_timeout.
2376 minimum_retry_timeout 5 seconds
2379 NAME: maximum_single_addr_tries
2381 LOC: Config.retry.maxtries
2384 This sets the maximum number of connection attempts for a
2385 host that only has one address (for multiple-address hosts,
2386 each address is tried once).
2388 The default value is three tries, the (not recommended)
2389 maximum is 255 tries. A warning message will be generated
2390 if it is set to a value greater than ten.
2392 maximum_single_addr_tries 3
2397 LOC: Config.Port.snmp
2401 Squid can now serve statistics and status information via SNMP.
2402 By default it listens to port 3401 on the machine. If you don't
2403 wish to use SNMP, set this to '-1'.
2405 NOTE: SNMP support requires use the --enable-snmp configure
2406 command line option.
2410 NAME: forward_snmpd_port
2412 LOC: Config.Snmp.localPort
2416 This configures whether we should be forwarding SNMP requests
2417 to another snmpd. The reason for putting this piece of
2418 functionality into Squid was to enable access to the system's
2419 installed snmpd with minimal changes. This option is turned
2420 off by default, check with your /etc/services for your system's
2421 snmp port (usually 161). We do not use getservbyname() to
2422 allow you to set Squid into port 161 and your system's snmpd to
2423 another port by changing /etc/services.
2425 WARNING: Because of Squid acting as a proxy snmpd for system
2426 you have to do security checks on THIS snmpd for all objects.
2427 Check your snmp_config_file.
2428 forward_snmpd_port 0
2433 LOC: Config.accessList.snmp
2435 DEFAULT_IF_NONE: deny all
2438 Allowing or denying access to the SNMP port.
2440 All access to the agent is denied by default.
2443 snmp_access allow|deny [!]aclname ...
2446 snmp_access allow public localhost
2447 snmp_access deny all
2450 NAME: snmp_incoming_address
2452 LOC: Config.Addrs.snmp_outgoing
2456 NAME: snmp_outgoing_address
2458 LOC: Config.Addrs.snmp_outgoing
2459 DEFAULT: 255.255.255.255
2462 Just like 'udp_incoming_address' above, but for the SNMP port.
2464 snmp_incoming_address is used for the SNMP socket receiving
2465 messages from SNMP agents.
2466 snmp_outgoing_address is used for SNMP packets returned to SNMP
2469 The default behaviour is to not bind to any specific address.
2471 NOTE, snmp_incoming_address and snmp_outgoing_address can not have
2472 the same value since they both use port 3130.
2474 snmp_incoming_address 0.0.0.0
2475 snmp_outgoing_address 0.0.0.0
2478 NAME: as_whois_server
2480 LOC: Config.as_whois_server
2481 DEFAULT: whois.ra.net
2482 DEFAULT_IF_NONE: whois.ra.net
2484 WHOIS server to query for AS numbers. NOTE: AS numbers are
2485 queried only when Squid starts up, not for every request.
2489 DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
2490 -----------------------------------------------------------------------------
2494 TYPE: delay_pool_count
2499 This represents the number of delay pools to be used. For example,
2500 if you have one class 2 delay pool and one class 3 delays pool, you
2501 have a total of 2 delay pools.
2507 TYPE: delay_pool_class
2512 This defines the class of each delay pool. There must be exactly one
2513 delay_class line for each delay pool. For example, to define two
2514 delay pools, one of class 2 and one of class 3, the settings above
2517 delay_pools 2 # 2 delay pools
2518 delay_class 1 2 # pool 1 is a class 2 pool
2519 delay_class 2 3 # pool 2 is a class 3 pool
2521 The delay pool classes are:
2523 class 1 Everything is limited by a single aggregate
2526 class 2 Everything is limited by a single aggregate
2527 bucket as well as an "individual" bucket chosen
2528 from bits 25 through 32 of the IP address.
2530 class 3 Everything is limited by a single aggregate
2531 bucket as well as a "network" bucket chosen
2532 from bits 17 through 24 of the IP address and a
2533 "individual" bucket chosen from bits 17 through
2534 32 of the IP address.
2536 NOTE: If an IP address is a.b.c.d
2537 -> bits 25 through 32 are "d"
2538 -> bits 17 through 24 are "c"
2539 -> bits 17 through 32 are "c * 256 + d"
2543 TYPE: delay_pool_access
2548 This is used to determine which delay pool a request falls into.
2549 The first matched delay pool is always used, ie, if a request falls
2550 into delay pool number one, no more delay are checked, otherwise the
2551 rest are checked in order of their delay pool number until they have
2552 all been checked. For example, if you want some_big_clients in delay
2553 pool 1 and lotsa_little_clients in delay pool 2:
2555 delay_access 1 allow some_big_clients
2556 delay_access 1 deny all
2557 delay_access 2 allow lotsa_little_clients
2558 delay_access 2 deny all
2561 NAME: delay_parameters
2562 TYPE: delay_pool_rates
2567 This defines the parameters for a delay pool. Each delay pool has
2568 a number of "buckets" associated with it, as explained in the
2569 description of delay_class. For a class 1 delay pool, the syntax is:
2571 delay_parameters pool aggregate
2573 For a class 2 delay pool:
2575 delay_parameters pool aggregate individual
2577 For a class 3 delay pool:
2579 delay_parameters pool aggregate network individual
2581 The variables here are:
2583 pool a pool number - ie, a number between 1 and the
2584 number specified in delay_pools as used in
2587 aggregate the "delay parameters" for the aggregate bucket
2590 individual the "delay parameters" for the individual
2591 buckets (class 2, 3).
2593 network the "delay parameters" for the network buckets
2596 A pair of delay parameters is written restore/maximum, where restore is
2597 the number of bytes (not bits - modem and network speeds are usually
2598 quoted in bits) per second placed into the bucket, and maximum is the
2599 maximum number of bytes which can be in the bucket at any time.
2601 For example, if delay pool number 1 is a class 2 delay pool as in the
2602 above example, and is being used to strictly limit each host to 64kbps
2603 (plus overheads), with no overall limit, the line is:
2605 delay_parameters 1 -1/-1 8000/8000
2607 Note that the figure -1 is used to represent "unlimited".
2609 And, if delay pool number 2 is a class 3 delay pool as in the above
2610 example, and you want to limit it to a total of 256kbps (strict limit)
2611 with each 8-bit network permitted 64kbps (strict limit) and each
2612 individual host permitted 4800bps with a bucket maximum size of 64kb
2613 to permit a decent web page to be downloaded at a decent speed
2614 (if the network is not being limited due to overuse) but slow down
2615 large downloads more significantly:
2617 delay_parameters 2 32000/32000 8000/8000 600/64000
2619 There must be one delay_parameters line for each delay pool.
2622 NAME: delay_initial_bucket_level
2623 COMMENT: (percent, 0-100)
2627 LOC: Config.Delay.initial
2629 The initial bucket percentage is used to determine how much is put
2630 in each bucket when squid starts, is reconfigured, or first notices
2631 a host accessing it (in class 2 and class 3, individual hosts and
2632 networks only have buckets associated with them once they have been
2635 delay_initial_bucket_level 50
2638 NAME: incoming_icp_average
2641 LOC: Config.comm_incoming.icp_average
2644 NAME: incoming_http_average
2647 LOC: Config.comm_incoming.http_average
2650 NAME: min_icp_poll_cnt
2653 LOC: Config.comm_incoming.icp_min_poll
2656 NAME: min_http_poll_cnt
2659 LOC: Config.comm_incoming.http_min_poll
2661 Heavy voodoo here. I can't even believe you are reading this.
2662 Are you crazy? Don't even think about adjusting these unless
2663 you understand the algorithms in comm_select.c first!
2665 incoming_icp_average 6
2666 incoming_http_average 4
2671 NAME: max_open_disk_fds
2673 LOC: Config.max_open_disk_fds
2679 LOC: Config.onoff.offline
2682 Enable this option and Squid will never try to validate cached
2686 NAME: uri_whitespace
2687 TYPE: uri_whitespace
2688 LOC: Config.uri_whitespace
2691 What to do with requests that have whitespace characters in the
2694 deny: The request is denied. The user receives an "Invalid
2696 allow: The request is allowed and the URI is not changed. The
2697 whitespace characters remain in the URI. Note the
2698 whitespace is passed to redirector processes if they
2700 encode: The request is allowed and the whitespace characters are
2701 encoded according to RFC1738. This could be considered
2702 a violation of the HTTP/1.1
2703 RFC because proxies are not allowed to rewrite URI's.
2704 chop: The request is allowed and the URI is chopped at the
2705 first whitespace. This might also be considered a
2713 LOC: Config.accessList.brokenPosts
2715 A list of ACL elements which, if matched, causes Squid to send
2716 a extra CRLF pair after the body of a PUT/POST request.
2718 Some HTTP servers has broken implementations of PUT/POST,
2719 and rely on a extra CRLF pair sent by some WWW clients.
2721 Quote from RFC 2068 section 4.1 on this matter:
2723 Note: certain buggy HTTP/1.0 client implementations generate an
2724 extra CRLF's after a POST request. To restate what is explicitly
2725 forbidden by the BNF, an HTTP/1.1 client must not preface or follow
2726 a request with an extra CRLF.
2728 acl buggy_server url_regex ^http://....
2729 broken_posts allow buggy_server
2732 NAME: mcast_miss_addr
2733 IFDEF: MULTICAST_MISS_STREAM
2735 LOC: Config.mcast_miss.addr
2736 DEFAULT: 255.255.255.255
2738 If you enable this option, every "cache miss" URL will
2739 be sent out on the specified multicast address.
2741 Do not enable this option unless you are are absolutely
2742 certain you understand what you are doing.
2745 NAME: mcast_miss_port
2746 IFDEF: MULTICAST_MISS_STREAM
2748 LOC: Config.mcast_miss.port
2751 This is the port number to be used in conjuction with
2755 NAME: mcast_miss_encode_key
2756 IFDEF: MULTICAST_MISS_STREAM
2758 LOC: Config.mcast_miss.encode_key
2759 DEFAULT: XXXXXXXXXXXXXXXX
2761 The URLs that are sent in the multicast miss stream are
2762 encrypted. This is the encryption key.
2767 LOC: Config.onoff.prefer_direct
2770 By default, if the ICP, HTCP, Cache Digest, etc. techniques
2771 do not yield a parent cache, Squid gives higher preference
2772 to forwarding the request direct to origin servers, rather
2773 than selecting a parent cache anyway.
2775 If you want Squid to give higher precedence to a parent
2776 cache, instead of going direct, then turn this option off.
2780 NAME: strip_query_terms
2782 LOC: Config.onoff.strip_query_terms
2785 By default, Squid strips query terms from requested URLs before
2786 logging. This protects your user's privacy.
2787 strip_query_terms on
2792 LOC: Config.coredump_dir
2795 By default Squid leaves core files in the first cache_dir
2796 directory. If you set 'coredump_dir' to a directory
2797 that exists, Squid will chdir() to that directory at startup
2798 and coredump files will be left there.