3 # $Id: cf.data.pre,v 1.502 2008/02/12 00:05:11 amosjeffries Exp $
5 # SQUID Web Proxy Cache http://www.squid-cache.org/
6 # ----------------------------------------------------------
8 # Squid is the result of efforts by numerous individuals from
9 # the Internet community; see the CONTRIBUTORS file for full
10 # details. Many organizations have provided support for Squid's
11 # development; see the SPONSORS file for full details. Squid is
12 # Copyrighted (C) 2000 by the Regents of the University of
13 # California; see the COPYRIGHT file for full details. Squid
14 # incorporates software developed and/or copyrighted by other
15 # sources; see the CREDITS file for full details.
17 # This program is free software; you can redistribute it and/or modify
18 # it under the terms of the GNU General Public License as published by
19 # the Free Software Foundation; either version 2 of the License, or
20 # (at your option) any later version.
22 # This program is distributed in the hope that it will be useful,
23 # but WITHOUT ANY WARRANTY; without even the implied warranty of
24 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25 # GNU General Public License for more details.
27 # You should have received a copy of the GNU General Public License
28 # along with this program; if not, write to the Free Software
29 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
33 WELCOME TO SQUID @VERSION@
34 ----------------------------
36 This is the default Squid configuration file. You may wish
37 to look at the Squid home page (http://www.squid-cache.org/)
38 for the FAQ and other documentation.
40 The default Squid config file shows what the defaults for
41 various options happen to be. If you don't need to change the
42 default, you shouldn't uncomment the line. Doing so may cause
43 run-time problems. In some cases "none" refers to no default
44 setting at all, while in other cases it refers to a valid
45 option - the comments for that keyword indicate if this is the
51 Configuration options can be included using the "include" directive.
52 Include takes a list of files to include. Quoting and wildcards is
57 include /path/to/included/file/squid.acl.config
59 Includes can be nested up to a hard-coded depth of 16 levels.
60 This arbitrary restriction is to prevent recursive include references
61 from causing Squid entering an infinite loop whilst trying to load
66 OPTIONS FOR AUTHENTICATION
67 -----------------------------------------------------------------------------
72 LOC: Config.authConfiguration
75 This is used to define parameters for the various authentication
76 schemes supported by Squid.
78 format: auth_param scheme parameter [setting]
80 The order in which authentication schemes are presented to the client is
81 dependent on the order the scheme first appears in config file. IE
82 has a bug (it's not RFC 2617 compliant) in that it will use the basic
83 scheme if basic is the first entry presented, even if more secure
84 schemes are presented. For now use the order in the recommended
85 settings section below. If other browsers have difficulties (don't
86 recognize the schemes offered even if you are using basic) either
87 put basic first, or disable the other schemes (by commenting out their
90 Once an authentication scheme is fully configured, it can only be
91 shutdown by shutting squid down and restarting. Changes can be made on
92 the fly and activated with a reconfigure. I.E. You can change to a
93 different helper, but not unconfigure the helper completely.
95 Please note that while this directive defines how Squid processes
96 authentication it does not automatically activate authentication.
97 To use authentication you must in addition make use of ACLs based
98 on login name in http_access (proxy_auth, proxy_auth_regex or
99 external with %LOGIN used in the format tag). The browser will be
100 challenged for authentication on the first such acl encountered
101 in http_access processing and will also be re-challenged for new
102 login credentials if the request is being denied by a proxy_auth
105 WARNING: authentication can't be used in a transparently intercepting
106 proxy as the client then thinks it is talking to an origin server and
107 not the proxy. This is a limitation of bending the TCP/IP protocol to
108 transparently intercepting port 80, not a limitation in Squid.
109 Ports flagged 'transparent', 'intercept', or 'tproxy' have authentication
112 === Parameters for the basic scheme follow. ===
115 Specify the command for the external authenticator. Such a program
116 reads a line containing "username password" and replies "OK" or
117 "ERR" in an endless loop. "ERR" responses may optionally be followed
118 by a error description available as %m in the returned error page.
119 If you use an authenticator, make sure you have 1 acl of type proxy_auth.
121 By default, the basic authentication scheme is not used unless a
122 program is specified.
124 If you want to use the traditional NCSA proxy authentication, set
125 this line to something like
127 auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
129 "children" numberofchildren
130 The number of authenticator processes to spawn. If you start too few
131 Squid will have to wait for them to process a backlog of credential
132 verifications, slowing it down. When password verifications are
133 done via a (slow) network you are likely to need lots of
134 authenticator processes.
135 auth_param basic children 5
137 "concurrency" concurrency
138 The number of concurrent requests the helper can process.
139 The default of 0 is used for helpers who only supports
140 one request at a time. Setting this changes the protocol used to
141 include a channel number first on the request/response line, allowing
142 multiple requests to be sent to the same helper in parallell without
143 wating for the response.
144 Must not be set unless it's known the helper supports this.
145 auth_param basic concurrency 0
148 Specifies the realm name which is to be reported to the
149 client for the basic proxy authentication scheme (part of
150 the text the user will see when prompted their username and
151 password). There is no default.
152 auth_param basic realm Squid proxy-caching web server
154 "credentialsttl" timetolive
155 Specifies how long squid assumes an externally validated
156 username:password pair is valid for - in other words how
157 often the helper program is called for that user. Set this
158 low to force revalidation with short lived passwords. Note
159 setting this high does not impact your susceptibility
160 to replay attacks unless you are using an one-time password
161 system (such as SecureID). If you are using such a system,
162 you will be vulnerable to replay attacks unless you also
163 use the max_user_ip ACL in an http_access rule.
165 "casesensitive" on|off
166 Specifies if usernames are case sensitive. Most user databases are
167 case insensitive allowing the same username to be spelled using both
168 lower and upper case letters, but some are case sensitive. This
169 makes a big difference for user_max_ip ACL processing and similar.
170 auth_param basic casesensitive off
172 === Parameters for the digest scheme follow ===
175 Specify the command for the external authenticator. Such
176 a program reads a line containing "username":"realm" and
177 replies with the appropriate H(A1) value hex encoded or
178 ERR if the user (or his H(A1) hash) does not exists.
179 See rfc 2616 for the definition of H(A1).
180 "ERR" responses may optionally be followed by a error description
181 available as %m in the returned error page.
183 By default, the digest authentication scheme is not used unless a
184 program is specified.
186 If you want to use a digest authenticator, set this line to
189 auth_param digest program @DEFAULT_PREFIX@/bin/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass
191 "children" numberofchildren
192 The number of authenticator processes to spawn (no default).
193 If you start too few Squid will have to wait for them to
194 process a backlog of H(A1) calculations, slowing it down.
195 When the H(A1) calculations are done via a (slow) network
196 you are likely to need lots of authenticator processes.
197 auth_param digest children 5
200 Specifies the realm name which is to be reported to the
201 client for the digest proxy authentication scheme (part of
202 the text the user will see when prompted their username and
203 password). There is no default.
204 auth_param digest realm Squid proxy-caching web server
206 "nonce_garbage_interval" timeinterval
207 Specifies the interval that nonces that have been issued
208 to client_agent's are checked for validity.
210 "nonce_max_duration" timeinterval
211 Specifies the maximum length of time a given nonce will be
214 "nonce_max_count" number
215 Specifies the maximum number of times a given nonce can be
218 "nonce_strictness" on|off
219 Determines if squid requires strict increment-by-1 behavior
220 for nonce counts, or just incrementing (off - for use when
221 useragents generate nonce counts that occasionally miss 1
222 (ie, 1,2,4,6)). Default off.
224 "check_nonce_count" on|off
225 This directive if set to off can disable the nonce count check
226 completely to work around buggy digest qop implementations in
227 certain mainstream browser versions. Default on to check the
228 nonce count to protect from authentication replay attacks.
230 "post_workaround" on|off
231 This is a workaround to certain buggy browsers who sends
232 an incorrect request digest in POST requests when reusing
233 the same nonce as acquired earlier on a GET request.
235 === NTLM scheme options follow ===
238 Specify the command for the external NTLM authenticator.
239 Such a program reads exchanged NTLMSSP packets with
240 the browser via Squid until authentication is completed.
241 If you use an NTLM authenticator, make sure you have 1 acl
242 of type proxy_auth. By default, the NTLM authenticator_program
245 auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
247 "children" numberofchildren
248 The number of authenticator processes to spawn (no default).
249 If you start too few Squid will have to wait for them to
250 process a backlog of credential verifications, slowing it
251 down. When credential verifications are done via a (slow)
252 network you are likely to need lots of authenticator
255 auth_param ntlm children 5
258 If you experience problems with PUT/POST requests when using the
259 Negotiate authentication scheme then you can try setting this to
260 off. This will cause Squid to forcibly close the connection on
261 the initial requests where the browser asks which schemes are
262 supported by the proxy.
264 auth_param ntlm keep_alive on
266 === Options for configuring the NEGOTIATE auth-scheme follow ===
269 Specify the command for the external Negotiate authenticator.
270 This protocol is used in Microsoft Active-Directory enabled setups with
271 the Microsoft Internet Explorer or Mozilla Firefox browsers.
272 Its main purpose is to exchange credentials with the Squid proxy
273 using the Kerberos mechanisms.
274 If you use a Negotiate authenticator, make sure you have at least one acl
275 of type proxy_auth active. By default, the negotiate authenticator_program
277 The only supported program for this role is the ntlm_auth
278 program distributed as part of Samba, version 4 or later.
280 auth_param negotiate program @DEFAULT_PREFIX@/bin/ntlm_auth --helper-protocol=gss-spnego
282 "children" numberofchildren
283 The number of authenticator processes to spawn (no default).
284 If you start too few Squid will have to wait for them to
285 process a backlog of credential verifications, slowing it
286 down. When crendential verifications are done via a (slow)
287 network you are likely to need lots of authenticator
289 auth_param negotiate children 5
292 If you experience problems with PUT/POST requests when using the
293 Negotiate authentication scheme then you can try setting this to
294 off. This will cause Squid to forcibly close the connection on
295 the initial requests where the browser asks which schemes are
296 supported by the proxy.
298 auth_param negotiate keep_alive on
301 #Recommended minimum configuration per scheme:
302 #auth_param negotiate program <uncomment and complete this line to activate>
303 #auth_param negotiate children 5
304 #auth_param negotiate keep_alive on
305 #auth_param ntlm program <uncomment and complete this line to activate>
306 #auth_param ntlm children 5
307 #auth_param ntlm keep_alive on
308 #auth_param digest program <uncomment and complete this line>
309 #auth_param digest children 5
310 #auth_param digest realm Squid proxy-caching web server
311 #auth_param digest nonce_garbage_interval 5 minutes
312 #auth_param digest nonce_max_duration 30 minutes
313 #auth_param digest nonce_max_count 50
314 #auth_param basic program <uncomment and complete this line>
315 #auth_param basic children 5
316 #auth_param basic realm Squid proxy-caching web server
317 #auth_param basic credentialsttl 2 hours
321 NAME: authenticate_cache_garbage_interval
324 LOC: Config.authenticateGCInterval
326 The time period between garbage collection across the username cache.
327 This is a tradeoff between memory utilization (long intervals - say
328 2 days) and CPU (short intervals - say 1 minute). Only change if you
332 NAME: authenticate_ttl
335 LOC: Config.authenticateTTL
337 The time a user & their credentials stay in the logged in
338 user cache since their last request. When the garbage
339 interval passes, all user credentials that have passed their
340 TTL are removed from memory.
343 NAME: authenticate_ip_ttl
345 LOC: Config.authenticateIpTTL
348 If you use proxy authentication and the 'max_user_ip' ACL,
349 this directive controls how long Squid remembers the IP
350 addresses associated with each user. Use a small value
351 (e.g., 60 seconds) if your users might change addresses
352 quickly, as is the case with dialups. You might be safe
353 using a larger value (e.g., 2 hours) in a corporate LAN
354 environment with relatively static address assignments.
359 -----------------------------------------------------------------------------
362 NAME: external_acl_type
363 TYPE: externalAclHelper
364 LOC: Config.externalAclHelperList
367 This option defines external acl classes using a helper program
368 to look up the status
370 external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
374 ttl=n TTL in seconds for cached results (defaults to 3600
377 TTL for cached negative lookups (default same
379 children=n Number of acl helper processes spawn to service
380 external acl lookups of this type. (default 5)
381 concurrency=n concurrency level per process. Only used with helpers
382 capable of processing more than one query at a time.
383 cache=n result cache size, 0 is unbounded (default)
384 grace=n Percentage remaining of TTL where a refresh of a
385 cached entry should be initiated without needing to
386 wait for a new reply. (default 0 for no grace period)
387 protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
388 ipv4 / ipv6 IP-mode used to communicate to this helper.
389 For compatability with older configurations and helpers
390 'ipv4' is the default unless --with-localhost-ipv6 is used.
391 --with-localhost-ipv6 changes the default to 'ipv6'.
392 SPECIAL NOTE: these options override --with-localhost-ipv6
394 FORMAT specifications
396 %LOGIN Authenticated user login name
397 %EXT_USER Username from external acl
398 %IDENT Ident user name
400 %SRCPORT Client source port
403 %PROTO Requested protocol
405 %PATH Requested URL path
406 %METHOD Request method
407 %MYADDR Squid interface address
408 %MYPORT Squid http_port number
409 %PATH Requested URL-path (including query-string if any)
410 %USER_CERT SSL User certificate in PEM format
411 %USER_CERTCHAIN SSL User certificate chain in PEM format
412 %USER_CERT_xx SSL User certificate subject attribute xx
413 %USER_CA_xx SSL User certificate issuer attribute xx
415 %>{Header} HTTP request header
417 HTTP request header list member
419 HTTP request header list member using ; as
420 list separator. ; can be any non-alphanumeric
423 %<{Header} HTTP reply header
425 HTTP reply header list member
427 HTTP reply header list member using ; as
428 list separator. ; can be any non-alphanumeric
431 In addition to the above, any string specified in the referencing
432 acl will also be included in the helper request line, after the
433 specified formats (see the "acl external" directive)
435 The helper receives lines per the above format specification,
436 and returns lines starting with OK or ERR indicating the validity
437 of the request and optionally followed by additional keywords with
440 General result syntax:
442 OK/ERR keyword=value ...
446 user= The users name (login)
447 password= The users password (for login= cache_peer option)
448 message= Message describing the reason. Available as %o
450 tag= Apply a tag to a request (for both ERR and OK results)
451 Only sets a tag, does not alter existing tags.
452 log= String to be logged in access.log. Available as
453 %ea in logformat specifications
455 If protocol=3.0 (the default) then URL escaping is used to protect
456 each value in both requests and responses.
458 If using protocol=2.5 then all values need to be enclosed in quotes
459 if they may contain whitespace, or the whitespace escaped using \.
460 And quotes or \ characters within the keyword value must be \ escaped.
462 When using the concurrency= option the protocol is changed by
463 introducing a query channel tag infront of the request/response.
464 The query channel tag is a number between 0 and concurrency-1.
472 Defining an Access List
474 Every access list definition must begin with an aclname and acltype,
475 followed by either type-specific arguments or a quoted filename that
478 acl aclname acltype argument ...
479 acl aclname acltype "file" ...
481 When using "file", the file should contain one item per line.
483 By default, regular expressions are CASE-SENSITIVE. To make
484 them case-insensitive, use the -i option.
487 ***** ACL TYPES AVAILABLE *****
489 acl aclname src ip-address/netmask ... # clients IP address
490 acl aclname src addr1-addr2/netmask ... # range of addresses
491 acl aclname dst ip-address/netmask ... # URL host's IP address
492 acl aclname myip ip-address/netmask ... # local socket IP address
494 acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
495 # The arp ACL requires the special configure option --enable-arp-acl.
496 # Furthermore, the ARP ACL code is not portable to all operating systems.
497 # It works on Linux, Solaris, Windows, FreeBSD, and some other *BSD variants.
499 # NOTE: Squid can only determine the MAC address for clients that are on
500 # the same subnet. If the client is on a different subnet, then Squid cannot
501 # find out its MAC address.
503 acl aclname srcdomain .foo.com ... # reverse lookup, from client IP
504 acl aclname dstdomain .foo.com ... # Destination server from URL
505 acl aclname srcdom_regex [-i] \.foo\.com ... # regex matching client name
506 acl aclname dstdom_regex [-i] \.foo\.com ... # regex matching server
507 # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
508 # based URL is used and no match is found. The name "none" is used
509 # if the reverse lookup fails.
511 acl aclname src_as number ...
512 acl aclname dst_as number ...
513 # Except for access control, AS numbers can be used for
514 # routing of requests to specific caches. Here's an
515 # example for routing all requests for AS#1241 and only
516 # those to mycache.mydomain.net:
517 # acl asexample dst_as 1241
518 # cache_peer_access mycache.mydomain.net allow asexample
519 # cache_peer_access mycache_mydomain.net deny all
521 acl aclname peername myPeer ...
522 # match against a named cache_peer entry
523 # set unique name= on cache_peer lines for reliable use.
525 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
534 # h1:m1 must be less than h2:m2
536 acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
537 acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
539 acl aclname port 80 70 21 ...
540 acl aclname port 0-1024 ... # ranges allowed
541 acl aclname myport 3128 ... # (local socket TCP port)
542 acl aclname myportname 3128 ... # http(s)_port name
544 acl aclname proto HTTP FTP ...
546 acl aclname method GET POST ...
548 acl aclname http_status 200 301 500- 400-403 ... # status code in reply
550 acl aclname browser [-i] regexp ...
551 # pattern match on User-Agent header (see also req_header below)
553 acl aclname referer_regex [-i] regexp ...
554 # pattern match on Referer header
555 # Referer is highly unreliable, so use with care
557 acl aclname ident username ...
558 acl aclname ident_regex [-i] pattern ...
559 # string match on ident output.
560 # use REQUIRED to accept any non-null ident.
562 acl aclname proxy_auth [-i] username ...
563 acl aclname proxy_auth_regex [-i] pattern ...
564 # list of valid usernames
565 # use REQUIRED to accept any valid username.
567 # NOTE: when a Proxy-Authentication header is sent but it is not
568 # needed during ACL checking the username is NOT logged
571 # NOTE: proxy_auth requires a EXTERNAL authentication program
572 # to check username/password combinations (see
573 # auth_param directive).
575 # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
576 # as the browser needs to be configured for using a proxy in order
577 # to respond to proxy authentication.
579 acl aclname snmp_community string ...
580 # A community string to limit access to your SNMP Agent
583 # acl snmppublic snmp_community public
585 acl aclname maxconn number
586 # This will be matched when the client's IP address has
587 # more than <number> HTTP connections established.
589 acl aclname max_user_ip [-s] number
590 # This will be matched when the user attempts to log in from more
591 # than <number> different ip addresses. The authenticate_ip_ttl
592 # parameter controls the timeout on the ip entries.
593 # If -s is specified the limit is strict, denying browsing
594 # from any further IP addresses until the ttl has expired. Without
595 # -s Squid will just annoy the user by "randomly" denying requests.
596 # (the counter is reset each time the limit is reached and a
598 # NOTE: in acceleration mode or where there is mesh of child proxies,
599 # clients may appear to come from multiple addresses if they are
600 # going through proxy farms, so a limit of 1 may cause user problems.
602 acl aclname req_mime_type [-i] mime-type ...
603 # regex match against the mime type of the request generated
604 # by the client. Can be used to detect file upload or some
605 # types HTTP tunneling requests.
606 # NOTE: This does NOT match the reply. You cannot use this
607 # to match the returned file type.
609 acl aclname req_header header-name [-i] any\.regex\.here
610 # regex match against any of the known request headers. May be
611 # thought of as a superset of "browser", "referer" and "mime-type"
614 acl aclname rep_mime_type [-i] mime-type ...
615 # regex match against the mime type of the reply received by
616 # squid. Can be used to detect file download or some
617 # types HTTP tunneling requests.
618 # NOTE: This has no effect in http_access rules. It only has
619 # effect in rules that affect the reply data stream such as
622 acl aclname rep_header header-name [-i] any\.regex\.here
623 # regex match against any of the known reply headers. May be
624 # thought of as a superset of "browser", "referer" and "mime-type"
627 acl aclname external class_name [arguments...]
628 # external ACL lookup via a helper class defined by the
629 # external_acl_type directive.
631 acl aclname user_cert attribute values...
632 # match against attributes in a user SSL certificate
633 # attribute is one of DN/C/O/CN/L/ST
635 acl aclname ca_cert attribute values...
636 # match against attributes a users issuing CA SSL certificate
637 # attribute is one of DN/C/O/CN/L/ST
639 acl aclname ext_user username ...
640 acl aclname ext_user_regex [-i] pattern ...
641 # string match on username returned by external acl helper
642 # use REQUIRED to accept any non-null user name.
645 acl macaddress arp 09:00:2b:23:45:67
646 acl myexample dst_as 1241
647 acl password proxy_auth REQUIRED
648 acl fileupload req_mime_type -i ^multipart/form-data$
649 acl javascript rep_mime_type -i ^application/x-javascript$
652 #Recommended minimum configuration:
653 acl manager proto cache_object
654 acl localhost src 127.0.0.1/32
655 acl to_localhost dst 127.0.0.0/8
657 # Example rule allowing access from your local networks.
658 # Adapt to list your (internal) IP networks from where browsing
660 acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
661 acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
662 acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
664 acl SSL_ports port 443
665 acl Safe_ports port 80 # http
666 acl Safe_ports port 21 # ftp
667 acl Safe_ports port 443 # https
668 acl Safe_ports port 70 # gopher
669 acl Safe_ports port 210 # wais
670 acl Safe_ports port 1025-65535 # unregistered ports
671 acl Safe_ports port 280 # http-mgmt
672 acl Safe_ports port 488 # gss-http
673 acl Safe_ports port 591 # filemaker
674 acl Safe_ports port 777 # multiling http
675 acl CONNECT method CONNECT
679 NAME: follow_x_forwarded_for
681 IFDEF: FOLLOW_X_FORWARDED_FOR
682 LOC: Config.accessList.followXFF
684 DEFAULT_IF_NONE: deny all
686 Allowing or Denying the X-Forwarded-For header to be followed to
687 find the original source of a request.
689 Requests may pass through a chain of several other proxies
690 before reaching us. The X-Forwarded-For header will contain a
691 comma-separated list of the IP addresses in the chain, with the
692 rightmost address being the most recent.
694 If a request reaches us from a source that is allowed by this
695 configuration item, then we consult the X-Forwarded-For header
696 to see where that host received the request from. If the
697 X-Forwarded-For header contains multiple addresses, and if
698 acl_uses_indirect_client is on, then we continue backtracking
699 until we reach an address for which we are not allowed to
700 follow the X-Forwarded-For header, or until we reach the first
701 address in the list. (If acl_uses_indirect_client is off, then
702 it's impossible to backtrack through more than one level of
703 X-Forwarded-For addresses.)
705 The end result of this process is an IP address that we will
706 refer to as the indirect client address. This address may
707 be treated as the client address for access control, delay
708 pools and logging, depending on the acl_uses_indirect_client,
709 delay_pool_uses_indirect_client and log_uses_indirect_client
712 SECURITY CONSIDERATIONS:
714 Any host for which we follow the X-Forwarded-For header
715 can place incorrect information in the header, and Squid
716 will use the incorrect information as if it were the
717 source address of the request. This may enable remote
718 hosts to bypass any access control restrictions that are
719 based on the client's source addresses.
723 acl localhost src 127.0.0.1
724 acl my_other_proxy srcdomain .proxy.example.com
725 follow_x_forwarded_for allow localhost
726 follow_x_forwarded_for allow my_other_proxy
729 NAME: acl_uses_indirect_client
732 IFDEF: FOLLOW_X_FORWARDED_FOR
734 LOC: Config.onoff.acl_uses_indirect_client
736 Controls whether the indirect client address
737 (see follow_x_forwarded_for) is used instead of the
738 direct client address in acl matching.
741 NAME: delay_pool_uses_indirect_client
744 IFDEF: FOLLOW_X_FORWARDED_FOR DELAY_POOLS
746 LOC: Config.onoff.delay_pool_uses_indirect_client
748 Controls whether the indirect client address
749 (see follow_x_forwarded_for) is used instead of the
750 direct client address in delay pools.
753 NAME: log_uses_indirect_client
756 IFDEF: FOLLOW_X_FORWARDED_FOR
758 LOC: Config.onoff.log_uses_indirect_client
760 Controls whether the indirect client address
761 (see follow_x_forwarded_for) is used instead of the
762 direct client address in the access log.
767 LOC: Config.accessList.http
769 DEFAULT_IF_NONE: deny all
771 Allowing or Denying access based on defined access lists
773 Access to the HTTP port:
774 http_access allow|deny [!]aclname ...
776 NOTE on default values:
778 If there are no "access" lines present, the default is to deny
781 If none of the "access" lines cause a match, the default is the
782 opposite of the last line in the list. If the last line was
783 deny, the default is allow. Conversely, if the last line
784 is allow, the default will be deny. For these reasons, it is a
785 good idea to have an "deny all" or "allow all" entry at the end
786 of your access lists to avoid potential confusion.
789 #Recommended minimum configuration:
791 # Only allow cachemgr access from localhost
792 http_access allow manager localhost
793 http_access deny manager
794 # Deny requests to unknown ports
795 http_access deny !Safe_ports
796 # Deny CONNECT to other than SSL ports
797 http_access deny CONNECT !SSL_ports
799 # We strongly recommend the following be uncommented to protect innocent
800 # web applications running on the proxy server who think the only
801 # one who can access services on "localhost" is a local user
802 #http_access deny to_localhost
804 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
806 # Example rule allowing access from your local networks.
807 # Adapt localnet in the ACL section to list your (internal) IP networks
808 # from where browsing should be allowed
809 http_access allow localnet
811 # And finally deny all other access to this proxy
816 NAME: http_reply_access
818 LOC: Config.accessList.reply
821 Allow replies to client requests. This is complementary to http_access.
823 http_reply_access allow|deny [!] aclname ...
825 NOTE: if there are no access lines present, the default is to allow
828 If none of the access lines cause a match the opposite of the
829 last line will apply. Thus it is good practice to end the rules
830 with an "allow all" or "deny all" entry.
835 LOC: Config.accessList.icp
837 DEFAULT_IF_NONE: deny all
839 Allowing or Denying access to the ICP port based on defined
842 icp_access allow|deny [!]aclname ...
844 See http_access for details
847 #Allow ICP queries from local networks only
848 #icp_access allow localnet
856 LOC: Config.accessList.htcp
858 DEFAULT_IF_NONE: deny all
860 Allowing or Denying access to the HTCP port based on defined
863 htcp_access allow|deny [!]aclname ...
865 See http_access for details
867 NOTE: The default if no htcp_access lines are present is to
868 deny all traffic. This default may cause problems with peers
869 using the htcp or htcp-oldsquid options.
872 #Allow HTCP queries from local networks only
873 #htcp_access allow localnet
874 #htcp_access deny all
878 NAME: htcp_clr_access
881 LOC: Config.accessList.htcp_clr
883 DEFAULT_IF_NONE: deny all
885 Allowing or Denying access to purge content using HTCP based
886 on defined access lists
888 htcp_clr_access allow|deny [!]aclname ...
890 See http_access for details
892 #Allow HTCP CLR requests from trusted peers
893 acl htcp_clr_peer src 172.16.1.2
894 htcp_clr_access allow htcp_clr_peer
899 LOC: Config.accessList.miss
902 Use to force your neighbors to use you as a sibling instead of
903 a parent. For example:
905 acl localclients src 172.16.0.0/16
906 miss_access allow localclients
907 miss_access deny !localclients
909 This means only your local clients are allowed to fetch
910 MISSES and all other clients can only fetch HITS.
912 By default, allow all clients who passed the http_access rules
913 to fetch MISSES from us.
916 NAME: ident_lookup_access
920 DEFAULT_IF_NONE: deny all
921 LOC: Config.accessList.identLookup
923 A list of ACL elements which, if matched, cause an ident
924 (RFC 931) lookup to be performed for this request. For
925 example, you might choose to always perform ident lookups
926 for your main multi-user Unix boxes, but not for your Macs
927 and PCs. By default, ident lookups are not performed for
930 To enable ident lookups for specific client addresses, you
931 can follow this example:
933 acl ident_aware_hosts src 198.168.1.0/255.255.255.0
934 ident_lookup_access allow ident_aware_hosts
935 ident_lookup_access deny all
937 Only src type ACL checks are fully supported. A src_domain
938 ACL might work at times, but it will not always provide
942 NAME: reply_body_max_size
943 COMMENT: size [acl acl...]
946 LOC: Config.ReplyBodySize
948 This option specifies the maximum size of a reply body. It can be
949 used to prevent users from downloading very large files, such as
950 MP3's and movies. When the reply headers are received, the
951 reply_body_max_size lines are processed, and the first line where
952 all (if any) listed ACLs are true is used as the maximum body size
955 This size is checked twice. First when we get the reply headers,
956 we check the content-length value. If the content length value exists
957 and is larger than the allowed size, the request is denied and the
958 user receives an error message that says "the request or reply
959 is too large." If there is no content-length, and the reply
960 size exceeds this limit, the client's connection is just closed
961 and they will receive a partial reply.
963 WARNING: downstream caches probably can not detect a partial reply
964 if there is no content-length header, so they will cache
965 partial responses and give them out as hits. You should NOT
966 use this option if you have downstream caches.
968 WARNING: A maximum size smaller than the size of squid's error messages
969 will cause an infinite loop and crash squid. Ensure that the smallest
970 non-zero value you use is greater that the maximum header size plus
971 the size of your largest error page.
973 If you set this parameter none (the default), there will be
976 Configuration Format is:
977 reply_body_max_size SIZE UNITS [acl ...]
979 reply_body_max_size 10 MB
985 -----------------------------------------------------------------------------
988 NAME: http_port ascii_port
991 LOC: Config.Sockaddr.http
993 Usage: port [options]
994 hostname:port [options]
995 1.2.3.4:port [options]
997 The socket addresses where Squid will listen for HTTP client
998 requests. You may specify multiple socket addresses.
999 There are three forms: port alone, hostname with port, and
1000 IP address with port. If you specify a hostname or IP
1001 address, Squid binds the socket to that specific
1002 address. This replaces the old 'tcp_incoming_address'
1003 option. Most likely, you do not need to bind to a specific
1004 address, so you can use the port number alone.
1006 If you are running Squid in accelerator mode, you
1007 probably want to listen on port 80 also, or instead.
1009 The -a command line option may be used to specify additional
1010 port(s) where Squid listens for proxy request. Such ports will
1011 be plain proxy ports with no options.
1013 You may specify multiple socket addresses on multiple lines.
1017 intercept Support for IP-Layer interception of
1018 outgoing requests without browser settings.
1019 NP: disables authentication and IPv6 on the port.
1021 tproxy Support Linux TPROXY for spoofing outgoing
1022 connections using the client IP address.
1023 NP: disables authentication and IPv6 on the port.
1025 accel Accelerator mode. Also needs at least one of
1026 vhost / vport / defaultsite.
1028 defaultsite=domainname
1029 What to use for the Host: header if it is not present
1030 in a request. Determines what site (not origin server)
1031 accelerators should consider the default.
1034 vhost Accelerator mode using Host header for virtual
1035 domain support. Implies accel.
1037 vport Accelerator with IP based virtual host support.
1040 vport=NN As above, but uses specified port number rather
1041 than the http_port number. Implies accel.
1043 protocol= Protocol to reconstruct accelerated requests with.
1046 connection-auth[=on|off]
1047 use connection-auth=off to tell Squid to prevent
1048 forwarding Microsoft connection oriented authentication
1049 (NTLM, Negotiate and Kerberos)
1051 disable-pmtu-discovery=
1052 Control Path-MTU discovery usage:
1053 off lets OS decide on what to do (default).
1054 transparent disable PMTU discovery when transparent
1056 always disable always PMTU discovery.
1058 In many setups of transparently intercepting proxies
1059 Path-MTU discovery can not work on traffic towards the
1060 clients. This is the case when the intercepting device
1061 does not fully track connections and fails to forward
1062 ICMP must fragment messages to the cache server. If you
1063 have such setup and experience that certain clients
1064 sporadically hang or never complete requests set
1065 disable-pmtu-discovery option to 'transparent'.
1067 sslBump Intercept each CONNECT request matching ssl_bump ACL,
1068 establish secure connection with the client and with
1069 the server, decrypt HTTP messages as they pass through
1070 Squid, and treat them as unencrypted HTTP messages,
1071 becoming the man-in-the-middle.
1073 When this option is enabled, additional options become
1074 available to specify SSL-related properties of the
1075 client-side connection: cert, key, version, cipher,
1076 options, clientca, cafile, capath, crlfile, dhparams,
1077 sslflags, and sslcontext. See the https_port directive
1078 for more information on these options.
1080 The ssl_bump option is required to fully enable
1081 the SslBump feature.
1083 name= Specifies a internal name for the port. Defaults to
1084 the port specification (port or addr:port)
1086 keepalive[=idle,interval,timeout]
1087 Enable TCP keepalive probes of idle connections
1088 idle is the initial time before TCP starts probing
1089 the connection, interval how often to probe, and
1090 timeout the time before giving up.
1092 If you run Squid on a dual-homed machine with an internal
1093 and an external interface we recommend you to specify the
1094 internal address:port in http_port. This way Squid will only be
1095 visible on the internal address.
1098 # Squid normally listens to port 3128
1099 http_port @DEFAULT_HTTP_PORT@
1105 TYPE: https_port_list
1107 LOC: Config.Sockaddr.https
1109 Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
1111 The socket address where Squid will listen for HTTPS client
1114 This is really only useful for situations where you are running
1115 squid in accelerator mode and you want to do the SSL work at the
1118 You may specify multiple socket addresses on multiple lines,
1119 each with their own SSL certificate and/or options.
1123 accel Accelerator mode. Also needs at least one of
1124 defaultsite or vhost.
1126 defaultsite= The name of the https site presented on
1127 this port. Implies accel.
1129 vhost Accelerator mode using Host header for virtual
1130 domain support. Requires a wildcard certificate
1131 or other certificate valid for more than one domain.
1134 protocol= Protocol to reconstruct accelerated requests with.
1137 cert= Path to SSL certificate (PEM format).
1139 key= Path to SSL private key file (PEM format)
1140 if not specified, the certificate file is
1141 assumed to be a combined certificate and
1144 version= The version of SSL/TLS supported
1145 1 automatic (default)
1150 cipher= Colon separated list of supported ciphers.
1152 options= Various SSL engine options. The most important
1154 NO_SSLv2 Disallow the use of SSLv2
1155 NO_SSLv3 Disallow the use of SSLv3
1156 NO_TLSv1 Disallow the use of TLSv1
1157 SINGLE_DH_USE Always create a new key when using
1158 temporary/ephemeral DH key exchanges
1159 See src/ssl_support.c or OpenSSL SSL_CTX_set_options
1160 documentation for a complete list of options.
1162 clientca= File containing the list of CAs to use when
1163 requesting a client certificate.
1165 cafile= File containing additional CA certificates to
1166 use when verifying client certificates. If unset
1167 clientca will be used.
1169 capath= Directory containing additional CA certificates
1170 and CRL lists to use when verifying client certificates.
1172 crlfile= File of additional CRL lists to use when verifying
1173 the client certificate, in addition to CRLs stored in
1174 the capath. Implies VERIFY_CRL flag below.
1176 dhparams= File containing DH parameters for temporary/ephemeral
1179 sslflags= Various flags modifying the use of SSL:
1181 Don't request client certificates
1182 immediately, but wait until acl processing
1183 requires a certificate (not yet implemented).
1185 Don't use the default CA lists built in
1188 Don't allow for session reuse. Each connection
1189 will result in a new SSL session.
1191 Verify CRL lists when accepting client
1194 Verify CRL lists for all certificates in the
1195 client certificate chain.
1197 sslcontext= SSL session ID context identifier.
1199 vport Accelerator with IP based virtual host support.
1201 vport=NN As above, but uses specified port number rather
1202 than the https_port number. Implies accel.
1204 name= Specifies a internal name for the port. Defaults to
1205 the port specification (port or addr:port)
1209 NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
1212 LOC: Config.accessList.outgoing_tos
1214 Allows you to select a TOS/Diffserv value to mark outgoing
1215 connections with, based on the username or source address
1218 tcp_outgoing_tos ds-field [!]aclname ...
1220 Example where normal_service_net uses the TOS value 0x00
1221 and normal_service_net uses 0x20
1223 acl normal_service_net src 10.0.0.0/255.255.255.0
1224 acl good_service_net src 10.0.1.0/255.255.255.0
1225 tcp_outgoing_tos 0x00 normal_service_net
1226 tcp_outgoing_tos 0x20 good_service_net
1228 TOS/DSCP values really only have local significance - so you should
1229 know what you're specifying. For more information, see RFC2474,
1230 RFC2475, and RFC3260.
1232 The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
1233 "default" to use whatever default your host has. Note that in
1234 practice often only values 0 - 63 is usable as the two highest bits
1235 have been redefined for use by ECN (RFC3168).
1237 Processing proceeds in the order specified, and stops at first fully
1240 Note: The use of this directive using client dependent ACLs is
1241 incompatible with the use of server side persistent connections. To
1242 ensure correct results it is best to set server_persisten_connections
1243 to off when using this directive in such configurations.
1246 NAME: clientside_tos
1249 LOC: Config.accessList.clientside_tos
1251 Allows you to select a TOS/Diffserv value to mark client-side
1252 connections with, based on the username or source address
1262 Allows you to select a TOS/DSCP value to mark outgoing
1263 connections with, based on where the reply was sourced.
1265 TOS values really only have local significance - so you should
1266 know what you're specifying. For more information, see RFC2474,
1267 RFC2475, and RFC3260.
1269 The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF.
1270 Note that in practice often only values up to 0x3F are usable
1271 as the two highest bits have been redefined for use by ECN
1274 This setting is configured by setting the source TOS values:
1276 local-hit=0xFF Value to mark local cache hits.
1278 sibling-hit=0xFF Value to mark hits from sibling peers.
1280 parent-hit=0xFF Value to mark hits from parent peers.
1283 NOTE: 'miss' preserve feature is only possible on Linux at this time.
1285 For the following to work correctly, you will need to patch your
1286 linux kernel with the TOS preserving ZPH patch.
1287 The kernel patch can be downloaded from http://zph.bratcheda.org
1289 disable-preserve-miss
1290 If set, any HTTP response towards clients will
1291 have the TOS value of the response comming from the
1292 remote server masked with the value of miss-mask.
1295 Allows you to mask certain bits in the TOS received from the
1296 remote server, before copying the value to the TOS sent
1298 Default: 0xFF (TOS from server is not changed).
1302 NAME: tcp_outgoing_address
1305 LOC: Config.accessList.outgoing_address
1307 Allows you to map requests to different outgoing IP addresses
1308 based on the username or source address of the user making
1311 tcp_outgoing_address ipaddr [[!]aclname] ...
1313 Example where requests from 10.0.0.0/24 will be forwarded
1314 with source address 10.1.0.1, 10.0.2.0/24 forwarded with
1315 source address 10.1.0.2 and the rest will be forwarded with
1316 source address 10.1.0.3.
1318 acl normal_service_net src 10.0.0.0/24
1319 acl good_service_net src 10.0.2.0/24
1320 tcp_outgoing_address 10.1.0.1 normal_service_net
1321 tcp_outgoing_address 10.1.0.2 good_service_net
1322 tcp_outgoing_address 10.1.0.3
1324 Processing proceeds in the order specified, and stops at first fully
1327 Note: The use of this directive using client dependent ACLs is
1328 incompatible with the use of server side persistent connections. To
1329 ensure correct results it is best to set server_persistent_connections
1330 to off when using this directive in such configurations.
1335 Squid is built with a capability of bridging the IPv4 and IPv6 internets.
1336 tcp_outgoing_address as exampled above breaks this bridging by forcing
1337 all outbound traffic through a certain IPv4 which may be on the wrong
1338 side of the IPv4/IPv6 boundary.
1340 To operate with tcp_outgoing_address and keep the bridging benefits
1341 an additional ACL needs to be used which ensures the IPv6-bound traffic
1342 is never forced or permitted out the IPv4 interface.
1344 acl to_ipv6 dst ipv6
1345 tcp_outgoing_address 2002::c001 good_service_net to_ipv6
1346 tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
1348 tcp_outgoing_address 2002::beef normal_service_net to_ipv6
1349 tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
1351 tcp_outgoing_address 2002::1 to_ipv6
1352 tcp_outgoing_address 10.1.0.3 !to_ipv6
1355 'dst ipv6' bases its selection assuming DIRECT access.
1356 If peers are used the peername ACL are needed to select outgoing
1357 address which can link to the peer.
1363 -----------------------------------------------------------------------------
1366 NAME: ssl_unclean_shutdown
1370 LOC: Config.SSL.unclean_shutdown
1372 Some browsers (especially MSIE) bugs out on SSL shutdown
1379 LOC: Config.SSL.ssl_engine
1382 The OpenSSL engine to use. You will need to set this if you
1383 would like to use hardware SSL acceleration for example.
1386 NAME: sslproxy_client_certificate
1389 LOC: Config.ssl_client.cert
1392 Client SSL Certificate to use when proxying https:// URLs
1395 NAME: sslproxy_client_key
1398 LOC: Config.ssl_client.key
1401 Client SSL Key to use when proxying https:// URLs
1404 NAME: sslproxy_version
1407 LOC: Config.ssl_client.version
1410 SSL version level to use when proxying https:// URLs
1413 NAME: sslproxy_options
1416 LOC: Config.ssl_client.options
1419 SSL engine options to use when proxying https:// URLs
1422 NAME: sslproxy_cipher
1425 LOC: Config.ssl_client.cipher
1428 SSL cipher list to use when proxying https:// URLs
1431 NAME: sslproxy_cafile
1434 LOC: Config.ssl_client.cafile
1437 file containing CA certificates to use when verifying server
1438 certificates while proxying https:// URLs
1441 NAME: sslproxy_capath
1444 LOC: Config.ssl_client.capath
1447 directory containing CA certificates to use when verifying
1448 server certificates while proxying https:// URLs
1454 LOC: Config.accessList.ssl_bump
1457 This ACL controls which CONNECT requests to an http_port
1458 marked with an sslBump flag are actually "bumped". Please
1459 see the sslBump flag of an http_port option for more details
1460 about decoding proxied SSL connections.
1462 By default, no requests are bumped.
1464 See also: http_port sslBump
1467 # Example: Bump all requests except those originating from localhost and
1468 # those going to webax.com or example.com sites.
1470 # acl localhost src 127.0.0.1/32
1471 # acl broken_sites dstdomain .webax.com
1472 # acl broken_sites dstdomain .example.com
1473 # ssl_bump deny localhost
1474 # ssl_bump deny broken_sites
1475 # ssl_bump allow all
1479 NAME: sslproxy_flags
1482 LOC: Config.ssl_client.flags
1485 Various flags modifying the use of SSL while proxying https:// URLs:
1486 DONT_VERIFY_PEER Accept certificates that fail verification.
1487 For refined control, see sslproxy_cert_error.
1488 NO_DEFAULT_CA Don't use the default CA list built in
1493 NAME: sslproxy_cert_error
1496 LOC: Config.ssl_client.cert_error
1499 Use this ACL to bypass server certificate validation errors.
1501 For example, the following lines will bypass all validation errors
1502 when talking to servers located at 172.16.0.0/16. All other
1503 validation errors will result in ERR_SECURE_CONNECT_FAIL error.
1505 acl BrokenServersAtTrustedIP dst 172.16.0.0/16
1506 sslproxy_cert_error allow BrokenServersAtTrustedIP
1507 sslproxy_cert_error deny all
1509 This option must use fast ACL expressions only. Expressions that use
1510 external lookups or communication result in unpredictable behavior or
1513 Without this option, all server certificate validation errors
1514 terminate the transaction. Bypassing validation errors is dangerous
1515 because an error usually implies that the server cannot be trusted and
1516 the connection may be insecure.
1518 See also: sslproxy_flags and DONT_VERIFY_PEER.
1522 # sslproxy_cert_error deny all
1528 NAME: sslpassword_program
1531 LOC: Config.Program.ssl_password
1534 Specify a program used for entering SSL key passphrases
1535 when using encrypted SSL certificate keys. If not specified
1536 keys must either be unencrypted, or Squid started with the -N
1537 option to allow it to query interactively for the passphrase.
1541 OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
1542 -----------------------------------------------------------------------------
1550 To specify other caches in a hierarchy, use the format:
1552 cache_peer hostname type http-port icp-port [options]
1557 # hostname type port port options
1558 # -------------------- -------- ----- ----- -----------
1559 cache_peer parent.foo.net parent 3128 3130 proxy-only default
1560 cache_peer sib1.foo.net sibling 3128 3130 proxy-only
1561 cache_peer sib2.foo.net sibling 3128 3130 proxy-only
1563 type: either 'parent', 'sibling', or 'multicast'.
1565 proxy-port: The port number where the cache listens for proxy
1568 icp-port: Used for querying neighbor caches about
1569 objects. To have a non-ICP neighbor
1570 specify '0' for the ICP port.
1571 NOTE: Also requires icp_port option enabled to send/receive
1572 requests via this method.
1582 weighted-round-robin
1591 login=user:password | PASS | *:password
1606 sslcert=/path/to/ssl/certificate
1607 sslkey=/path/to/ssl/key
1611 front-end-https[=on|auto]
1612 connection-auth[=on|off|auto]
1614 use 'proxy-only' to specify objects fetched
1615 from this cache should not be saved locally.
1617 use 'weight=n' to affect the selection of a peer
1618 during any weighted peer-selection mechanisms.
1619 The weight must be an integer; default is 1,
1620 larger weights are favored more.
1621 This option does not affect parent selection if a peering
1622 protocol is not in use.
1624 use 'basetime=n' to specify a base amount to
1625 be subtracted from round trip times of parents.
1626 It is subtracted before division by weight in calculating
1627 which parent to fectch from. If the rtt is less than the
1628 base time the rtt is set to a minimal value.
1630 use 'ttl=n' to specify a IP multicast TTL to use
1631 when sending an ICP queries to this address.
1632 Only useful when sending to a multicast group.
1633 Because we don't accept ICP replies from random
1634 hosts, you must configure other group members as
1635 peers with the 'multicast-responder' option below.
1637 use 'no-query' to NOT send ICP queries to this
1640 use 'background-ping' to only send ICP queries to this
1641 neighbor infrequently. This is used to keep the neighbor
1642 round trip time updated and is usually used in
1643 conjunction with weighted-round-robin.
1645 use 'default' if this is a parent cache which can
1646 be used as a "last-resort" if a peer cannot be located
1647 by any of the peer-selection mechanisms.
1648 If specified more than once, only the first is used.
1650 use 'round-robin' to define a set of parents which
1651 should be used in a round-robin fashion in the
1652 absence of any ICP queries.
1654 use 'weighted-round-robin' to define a set of parents
1655 which should be used in a round-robin fashion with the
1656 frequency of each parent being based on the round trip
1657 time. Closer parents are used more often.
1658 Usually used for background-ping parents.
1660 use 'carp' to define a set of parents which should
1661 be used as a CARP array. The requests will be
1662 distributed among the parents based on the CARP load
1663 balancing hash function based on their weight.
1665 use 'userhash' to load-balance amongst a set of parents
1666 based on the client proxy_auth or ident username.
1668 use 'sourcehash' to load-balance amongst a set of parents
1669 based on the client source ip.
1671 'multicast-responder' indicates the named peer
1672 is a member of a multicast group. ICP queries will
1673 not be sent directly to the peer, but ICP replies
1674 will be accepted from it.
1676 'closest-only' indicates that, for ICP_OP_MISS
1677 replies, we'll only forward CLOSEST_PARENT_MISSes
1678 and never FIRST_PARENT_MISSes.
1680 use 'no-digest' to NOT request cache digests from
1683 'no-netdb-exchange' disables requesting ICMP
1684 RTT database (NetDB) from the neighbor.
1686 use 'no-delay' to prevent access to this neighbor
1687 from influencing the delay pools.
1689 use 'login=user:password' if this is a personal/workgroup
1690 proxy and your parent requires proxy authentication.
1691 Note: The string can include URL escapes (i.e. %20 for
1692 spaces). This also means % must be written as %%.
1694 use 'login=PASS' if users must authenticate against
1695 the upstream proxy or in the case of a reverse proxy
1696 configuration, the origin web server. This will pass
1697 the users credentials as they are to the peer.
1698 This only works for the Basic HTTP authentication scheme.
1699 Note: To combine this with proxy_auth both proxies must
1700 share the same user database as HTTP only allows for
1701 a single login (one for proxy, one for origin server).
1702 Also be warned this will expose your users proxy
1703 password to the peer. USE WITH CAUTION
1705 use 'login=*:password' to pass the username to the
1706 upstream cache, but with a fixed password. This is meant
1707 to be used when the peer is in another administrative
1708 domain, but it is still needed to identify each user.
1709 The star can optionally be followed by some extra
1710 information which is added to the username. This can
1711 be used to identify this proxy to the peer, similar to
1712 the login=username:password option above.
1714 use 'connect-timeout=nn' to specify a peer
1715 specific connect timeout (also see the
1716 peer_connect_timeout directive)
1718 use 'digest-url=url' to tell Squid to fetch the cache
1719 digest (if digests are enabled) for this host from
1720 the specified URL rather than the Squid default
1723 use 'allow-miss' to disable Squid's use of only-if-cached
1724 when forwarding requests to siblings. This is primarily
1725 useful when icp_hit_stale is used by the sibling. To
1726 extensive use of this option may result in forwarding
1727 loops, and you should avoid having two-way peerings
1728 with this option. (for example to deny peer usage on
1729 requests from peer by denying cache_peer_access if the
1732 use 'max-conn=n' to limit the amount of connections Squid
1733 may open to this peer.
1735 use 'htcp' to send HTCP, instead of ICP, queries
1736 to the neighbor. You probably also want to
1737 set the "icp port" to 4827 instead of 3130.
1738 You MUST also set htcp_access expicitly. The default of
1739 deny all will prevent peer traffic.
1741 use 'htcp-oldsquid' to send HTCP to old Squid versions
1742 You MUST also set htcp_access expicitly. The default of
1743 deny all will prevent peer traffic.
1745 use 'htcp-no-clr' to send HTCP to the neighbor but without
1746 sending any CLR requests. This cannot be used with
1749 use 'htcp-no-purge-clr' to send HTCP to the neighbor
1750 including CLRs but only when they do not result from
1753 use 'htcp-only-clr' to send HTCP to the neighbor but ONLY
1754 CLR requests. This cannot be used with htcp-no-clr.
1756 use 'htcp-forward-clr' to forward any HTCP CLR requests
1757 this proxy receives to the peer.
1759 'originserver' causes this parent peer to be contacted as
1760 a origin server. Meant to be used in accelerator setups.
1762 use 'name=xxx' if you have multiple peers on the same
1763 host but different ports. This name can be used to
1764 differentiate the peers in cache_peer_access and similar
1765 directives. Including the peername ACL type.
1767 use 'forceddomain=name' to forcibly set the Host header
1768 of requests forwarded to this peer. Useful in accelerator
1769 setups where the server (peer) expects a certain domain
1770 name and using redirectors to feed this domain name
1773 use 'ssl' to indicate connections to this peer should
1774 be SSL/TLS encrypted.
1776 use 'sslcert=/path/to/ssl/certificate' to specify a client
1777 SSL certificate to use when connecting to this peer.
1779 use 'sslkey=/path/to/ssl/key' to specify the private SSL
1780 key corresponding to sslcert above. If 'sslkey' is not
1781 specified 'sslcert' is assumed to reference a
1782 combined file containing both the certificate and the key.
1784 use sslversion=1|2|3|4 to specify the SSL version to use
1785 when connecting to this peer
1786 1 = automatic (default)
1791 use sslcipher=... to specify the list of valid SSL ciphers
1792 to use when connecting to this peer.
1794 use ssloptions=... to specify various SSL engine options:
1795 NO_SSLv2 Disallow the use of SSLv2
1796 NO_SSLv3 Disallow the use of SSLv3
1797 NO_TLSv1 Disallow the use of TLSv1
1798 See src/ssl_support.c or the OpenSSL documentation for
1799 a more complete list.
1801 use sslcafile=... to specify a file containing
1802 additional CA certificates to use when verifying the
1805 use sslcapath=... to specify a directory containing
1806 additional CA certificates to use when verifying the
1809 use sslcrlfile=... to specify a certificate revocation
1810 list file to use when verifying the peer certificate.
1812 use sslflags=... to specify various flags modifying the
1815 Accept certificates even if they fail to
1818 Don't use the default CA list built in
1821 Don't verify the peer certificate
1822 matches the server name
1824 use ssldomain= to specify the peer name as advertised
1825 in it's certificate. Used for verifying the correctness
1826 of the received peer certificate. If not specified the
1827 peer hostname will be used.
1829 use front-end-https to enable the "Front-End-Https: On"
1830 header needed when using Squid as a SSL frontend in front
1831 of Microsoft OWA. See MS KB document Q307347 for details
1832 on this header. If set to auto the header will
1833 only be added if the request is forwarded as a https://
1836 use connection-auth=off to tell Squid that this peer does
1837 not support Microsoft connection oriented authentication,
1838 and any such challenges received from there should be
1839 ignored. Default is auto to automatically determine the
1843 NAME: cache_peer_domain cache_host_domain
1848 Use to limit the domains for which a neighbor cache will be
1851 cache_peer_domain cache-host domain [domain ...]
1852 cache_peer_domain cache-host !domain
1854 For example, specifying
1856 cache_peer_domain parent.foo.net .edu
1858 has the effect such that UDP query packets are sent to
1859 'bigserver' only when the requested object exists on a
1860 server in the .edu domain. Prefixing the domainname
1861 with '!' means the cache will be queried for objects
1864 NOTE: * Any number of domains may be given for a cache-host,
1865 either on the same or separate lines.
1866 * When multiple domains are given for a particular
1867 cache-host, the first matched domain is applied.
1868 * Cache hosts with no domain restrictions are queried
1870 * There are no defaults.
1871 * There is also a 'cache_peer_access' tag in the ACL
1875 NAME: cache_peer_access
1880 Similar to 'cache_peer_domain' but provides more flexibility by
1883 cache_peer_access cache-host allow|deny [!]aclname ...
1885 The syntax is identical to 'http_access' and the other lists of
1886 ACL elements. See the comments for 'http_access' below, or
1887 the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
1890 NAME: neighbor_type_domain
1891 TYPE: hostdomaintype
1895 usage: neighbor_type_domain neighbor parent|sibling domain domain ...
1897 Modifying the neighbor type for specific domains is now
1898 possible. You can treat some domains differently than the the
1899 default neighbor type specified on the 'cache_peer' line.
1900 Normally it should only be necessary to list domains which
1901 should be treated differently because the default neighbor type
1902 applies for hostnames which do not match domains listed here.
1905 cache_peer cache.foo.org parent 3128 3130
1906 neighbor_type_domain cache.foo.org sibling .com .net
1907 neighbor_type_domain cache.foo.org sibling .au .de
1910 NAME: dead_peer_timeout
1914 LOC: Config.Timeout.deadPeer
1916 This controls how long Squid waits to declare a peer cache
1917 as "dead." If there are no ICP replies received in this
1918 amount of time, Squid will declare the peer dead and not
1919 expect to receive any further ICP replies. However, it
1920 continues to send ICP queries, and will mark the peer as
1921 alive upon receipt of the first subsequent ICP reply.
1923 This timeout also affects when Squid expects to receive ICP
1924 replies from peers. If more than 'dead_peer' seconds have
1925 passed since the last ICP reply was received, Squid will not
1926 expect to receive an ICP reply on the next query. Thus, if
1927 your time between requests is greater than this timeout, you
1928 will see a lot of requests sent DIRECT to origin servers
1929 instead of to your parents.
1932 NAME: hierarchy_stoplist
1935 LOC: Config.hierarchy_stoplist
1937 A list of words which, if found in a URL, cause the object to
1938 be handled directly by this cache. In other words, use this
1939 to not query neighbor caches for certain objects. You may
1940 list this option multiple times.
1941 Note: never_direct overrides this option.
1943 #We recommend you to use at least the following line.
1944 hierarchy_stoplist cgi-bin ?
1949 MEMORY CACHE OPTIONS
1950 -----------------------------------------------------------------------------
1957 LOC: Config.memMaxSize
1959 NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
1960 IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
1961 USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
1962 THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
1964 'cache_mem' specifies the ideal amount of memory to be used
1966 * In-Transit objects
1968 * Negative-Cached objects
1970 Data for these objects are stored in 4 KB blocks. This
1971 parameter specifies the ideal upper limit on the total size of
1972 4 KB blocks allocated. In-Transit objects take the highest
1975 In-transit objects have priority over the others. When
1976 additional space is needed for incoming data, negative-cached
1977 and hot objects will be released. In other words, the
1978 negative-cached and hot objects will fill up any unused space
1979 not needed for in-transit objects.
1981 If circumstances require, this limit will be exceeded.
1982 Specifically, if your incoming request rate requires more than
1983 'cache_mem' of memory to hold in-transit objects, Squid will
1984 exceed this limit to satisfy the new requests. When the load
1985 decreases, blocks will be freed until the high-water mark is
1986 reached. Thereafter, blocks will be used to store hot
1990 NAME: maximum_object_size_in_memory
1994 LOC: Config.Store.maxInMemObjSize
1996 Objects greater than this size will not be attempted to kept in
1997 the memory cache. This should be set high enough to keep objects
1998 accessed frequently in memory to improve performance whilst low
1999 enough to keep larger objects from hoarding cache_mem.
2002 NAME: memory_replacement_policy
2004 LOC: Config.memPolicy
2007 The memory replacement policy parameter determines which
2008 objects are purged from memory when memory space is needed.
2010 See cache_replacement_policy for details.
2015 -----------------------------------------------------------------------------
2018 NAME: cache_replacement_policy
2020 LOC: Config.replPolicy
2023 The cache replacement policy parameter determines which
2024 objects are evicted (replaced) when disk space is needed.
2026 lru : Squid's original list based LRU policy
2027 heap GDSF : Greedy-Dual Size Frequency
2028 heap LFUDA: Least Frequently Used with Dynamic Aging
2029 heap LRU : LRU policy implemented using a heap
2031 Applies to any cache_dir lines listed below this.
2033 The LRU policies keeps recently referenced objects.
2035 The heap GDSF policy optimizes object hit rate by keeping smaller
2036 popular objects in cache so it has a better chance of getting a
2037 hit. It achieves a lower byte hit rate than LFUDA though since
2038 it evicts larger (possibly popular) objects.
2040 The heap LFUDA policy keeps popular objects in cache regardless of
2041 their size and thus optimizes byte hit rate at the expense of
2042 hit rate since one large, popular object will prevent many
2043 smaller, slightly less popular objects from being cached.
2045 Both policies utilize a dynamic aging mechanism that prevents
2046 cache pollution that can otherwise occur with frequency-based
2047 replacement policies.
2049 NOTE: if using the LFUDA replacement policy you should increase
2050 the value of maximum_object_size above its default of 4096 KB to
2051 to maximize the potential byte hit rate improvement of LFUDA.
2053 For more information about the GDSF and LFUDA cache replacement
2054 policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
2055 and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
2061 LOC: Config.cacheSwap
2065 cache_dir Type Directory-Name Fs-specific-data [options]
2067 You can specify multiple cache_dir lines to spread the
2068 cache among different disk partitions.
2070 Type specifies the kind of storage system to use. Only "ufs"
2071 is built by default. To enable any of the other storage systems
2072 see the --enable-storeio configure option.
2074 'Directory' is a top-level directory where cache swap
2075 files will be stored. If you want to use an entire disk
2076 for caching, this can be the mount-point directory.
2077 The directory must exist and be writable by the Squid
2078 process. Squid will NOT create this directory for you.
2082 "ufs" is the old well-known Squid storage format that has always
2085 cache_dir ufs Directory-Name Mbytes L1 L2 [options]
2087 'Mbytes' is the amount of disk space (MB) to use under this
2088 directory. The default is 100 MB. Change this to suit your
2089 configuration. Do NOT put the size of your disk drive here.
2090 Instead, if you want Squid to use the entire disk drive,
2091 subtract 20% and use that value.
2093 'Level-1' is the number of first-level subdirectories which
2094 will be created under the 'Directory'. The default is 16.
2096 'Level-2' is the number of second-level subdirectories which
2097 will be created under each first-level directory. The default
2100 The aufs store type:
2102 "aufs" uses the same storage format as "ufs", utilizing
2103 POSIX-threads to avoid blocking the main Squid process on
2104 disk-I/O. This was formerly known in Squid as async-io.
2106 cache_dir aufs Directory-Name Mbytes L1 L2 [options]
2108 see argument descriptions under ufs above
2110 The diskd store type:
2112 "diskd" uses the same storage format as "ufs", utilizing a
2113 separate process to avoid blocking the main Squid process on
2116 cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
2118 see argument descriptions under ufs above
2120 Q1 specifies the number of unacknowledged I/O requests when Squid
2121 stops opening new files. If this many messages are in the queues,
2122 Squid won't open new files. Default is 64
2124 Q2 specifies the number of unacknowledged messages when Squid
2125 starts blocking. If this many messages are in the queues,
2126 Squid blocks until it receives some replies. Default is 72
2128 When Q1 < Q2 (the default), the cache directory is optimized
2129 for lower response time at the expense of a decrease in hit
2130 ratio. If Q1 > Q2, the cache directory is optimized for
2131 higher hit ratio at the expense of an increase in response
2134 The coss store type:
2136 NP: COSS filesystem in Squid-3 has been deemed too unstable for
2137 production use and has thus been removed from this release.
2138 We hope that it can be made usable again soon.
2140 block-size=n defines the "block size" for COSS cache_dir's.
2141 Squid uses file numbers as block numbers. Since file numbers
2142 are limited to 24 bits, the block size determines the maximum
2143 size of the COSS partition. The default is 512 bytes, which
2144 leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
2145 you should not change the coss block size after Squid
2146 has written some objects to the cache_dir.
2148 The coss file store has changed from 2.5. Now it uses a file
2149 called 'stripe' in the directory names in the config - and
2150 this will be created by squid -z.
2154 no-store, no new objects should be stored to this cache_dir
2156 max-size=n, refers to the max object size this storedir supports.
2157 It is used to initially choose the storedir to dump the object.
2158 Note: To make optimal use of the max-size limits you should order
2159 the cache_dir lines with the smallest max-size value first and the
2160 ones with no max-size specification last.
2162 Note for coss, max-size must be less than COSS_MEMBUF_SZ,
2163 which can be changed with the --with-coss-membuf-size=N configure
2166 # cache_dir ufs @DEFAULT_SWAP_DIR@ 100 16 256
2170 NAME: store_dir_select_algorithm
2172 LOC: Config.store_dir_select_algorithm
2175 Set this to 'round-robin' as an alternative.
2178 NAME: max_open_disk_fds
2180 LOC: Config.max_open_disk_fds
2183 To avoid having disk as the I/O bottleneck Squid can optionally
2184 bypass the on-disk cache if more than this amount of disk file
2185 descriptors are open.
2187 A value of 0 indicates no limit.
2190 NAME: minimum_object_size
2194 LOC: Config.Store.minObjectSize
2196 Objects smaller than this size will NOT be saved on disk. The
2197 value is specified in kilobytes, and the default is 0 KB, which
2198 means there is no minimum.
2201 NAME: maximum_object_size
2205 LOC: Config.Store.maxObjectSize
2207 Objects larger than this size will NOT be saved on disk. The
2208 value is specified in kilobytes, and the default is 4MB. If
2209 you wish to get a high BYTES hit ratio, you should probably
2210 increase this (one 32 MB object hit counts for 3200 10KB
2211 hits). If you wish to increase speed more than your want to
2212 save bandwidth you should leave this low.
2214 NOTE: if using the LFUDA replacement policy you should increase
2215 this value to maximize the byte hit rate improvement of LFUDA!
2216 See replacement_policy below for a discussion of this policy.
2219 NAME: cache_swap_low
2220 COMMENT: (percent, 0-100)
2223 LOC: Config.Swap.lowWaterMark
2226 NAME: cache_swap_high
2227 COMMENT: (percent, 0-100)
2230 LOC: Config.Swap.highWaterMark
2233 The low- and high-water marks for cache object replacement.
2234 Replacement begins when the swap (disk) usage is above the
2235 low-water mark and attempts to maintain utilization near the
2236 low-water mark. As swap utilization gets close to high-water
2237 mark object eviction becomes more aggressive. If utilization is
2238 close to the low-water mark less replacement is done each time.
2240 Defaults are 90% and 95%. If you have a large cache, 5% could be
2241 hundreds of MB. If this is the case you may wish to set these
2242 numbers closer together.
2247 -----------------------------------------------------------------------------
2252 LOC: Config.Log.logformats
2257 logformat <name> <format specification>
2259 Defines an access log format.
2261 The <format specification> is a string with embedded % format codes
2263 % format codes all follow the same basic structure where all but
2264 the formatcode is optional. Output strings are automatically escaped
2265 as required according to their context and the output format
2266 modifiers are usually not needed, but can be specified if an explicit
2267 output format is desired.
2269 % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
2271 " output in quoted string format
2272 [ output in squid text log format as used by log_mime_hdrs
2273 # output in URL quoted format
2277 width field width. If starting with 0 the
2278 output is zero padded
2279 {arg} argument such as header name etc
2283 >a Client source IP address
2285 >p Client source port
2286 <A Server IP address or peer name
2287 la Local IP address (http_port)
2288 lp Local port number (http_port)
2289 ts Seconds since epoch
2290 tu subsecond time (milliseconds)
2291 tl Local time. Optional strftime format argument
2292 default %d/%b/%Y:%H:%M:%S %z
2293 tg GMT time. Optional strftime format argument
2294 default %d/%b/%Y:%H:%M:%S %z
2295 tr Response time (milliseconds)
2296 >h Request header. Optional header name argument
2297 on the format header[:[separator]element]
2298 <h Reply header. Optional header name argument
2301 ul User name from authentication
2302 ui User name from ident
2303 us User name from SSL
2304 ue User name from external acl helper
2306 Ss Squid request status (TCP_MISS etc)
2307 Sh Squid hierarchy status (DEFAULT_PARENT etc)
2308 mt MIME content type
2309 rm Request method (GET/POST etc)
2311 rp Request URL-Path excluding hostname
2312 rv Request protocol version
2313 et Tag returned by external acl
2314 ea Log string returned by external acl
2315 <st Reply size including HTTP headers
2316 >st Request size including HTTP headers
2317 st Request+Reply size including HTTP headers
2318 <sH Reply high offset sent
2319 <sS Upstream object size
2320 % a literal % character
2322 The default formats available (which do not need re-defining) are:
2324 logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
2325 logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
2326 logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
2327 logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
2330 NAME: access_log cache_access_log
2332 LOC: Config.Log.accesslogs
2334 DEFAULT_IF_NONE: @DEFAULT_ACCESS_LOG@ squid
2336 These files log client request activities. Has a line every HTTP or
2337 ICP request. The format is:
2338 access_log <filepath> [<logformat name> [acl acl ...]]
2339 access_log none [acl acl ...]]
2341 Will log to the specified file using the specified format (which
2342 must be defined in a logformat directive) those entries which match
2343 ALL the acl's specified (which must be defined in acl clauses).
2344 If no acl is specified, all requests will be logged to this file.
2346 To disable logging of a request use the filepath "none", in which case
2347 a logformat name should not be specified.
2349 To log the request via syslog specify a filepath of "syslog":
2351 access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
2352 where facility could be any of:
2353 authpriv, daemon, local0 .. local7 or user.
2355 And priority could be any of:
2356 err, warning, notice, info, debug.
2359 access_log @DEFAULT_ACCESS_LOG@ squid
2364 LOC: Config.accessList.log
2366 COMMENT: allow|deny acl acl...
2368 This options allows you to control which requests gets logged
2369 to access.log (see access_log directive). Requests denied for
2370 logging will also not be accounted for in performance counters.
2376 DEFAULT_IF_NONE: @DEFAULT_CACHE_LOG@
2379 Cache logging file. This is where general information about
2380 your cache's behavior goes. You can increase the amount of data
2381 logged to this file with the "debug_options" tag below.
2384 NAME: cache_store_log
2387 LOC: Config.Log.store
2389 Logs the activities of the storage manager. Shows which
2390 objects are ejected from the cache, and which objects are
2391 saved and for how long. To disable, enter "none" or remove the line.
2392 There are not really utilities to analyze this data, so you can safely
2395 # cache_store_log @DEFAULT_STORE_LOG@
2399 NAME: cache_swap_state cache_swap_log
2401 LOC: Config.Log.swap
2404 Location for the cache "swap.state" file. This index file holds
2405 the metadata of objects saved on disk. It is used to rebuild
2406 the cache during startup. Normally this file resides in each
2407 'cache_dir' directory, but you may specify an alternate
2408 pathname here. Note you must give a full filename, not just
2409 a directory. Since this is the index for the whole object
2410 list you CANNOT periodically rotate it!
2412 If %s can be used in the file name it will be replaced with a
2413 a representation of the cache_dir name where each / is replaced
2414 with '.'. This is needed to allow adding/removing cache_dir
2415 lines when cache_swap_log is being used.
2417 If have more than one 'cache_dir', and %s is not used in the name
2418 these swap logs will have names such as:
2424 The numbered extension (which is added automatically)
2425 corresponds to the order of the 'cache_dir' lines in this
2426 configuration file. If you change the order of the 'cache_dir'
2427 lines in this file, these index files will NOT correspond to
2428 the correct 'cache_dir' entry (unless you manually rename
2429 them). We recommend you do NOT use this option. It is
2430 better to keep these index files in each 'cache_dir' directory.
2433 NAME: logfile_rotate
2436 LOC: Config.Log.rotateNumber
2438 Specifies the number of logfile rotations to make when you
2439 type 'squid -k rotate'. The default is 10, which will rotate
2440 with extensions 0 through 9. Setting logfile_rotate to 0 will
2441 disable the file name rotation, but the logfiles are still closed
2442 and re-opened. This will enable you to rename the logfiles
2443 yourself just before sending the rotate signal.
2445 Note, the 'squid -k rotate' command normally sends a USR1
2446 signal to the running squid process. In certain situations
2447 (e.g. on Linux with Async I/O), USR1 is used for other
2448 purposes, so -k rotate uses another signal. It is best to get
2449 in the habit of using 'squid -k rotate' instead of 'kill -USR1
2453 NAME: emulate_httpd_log
2457 LOC: Config.onoff.common_log
2459 The Cache can emulate the log file format which many 'httpd'
2460 programs use. To disable/enable this emulation, set
2461 emulate_httpd_log to 'off' or 'on'. The default
2462 is to use the native log format since it includes useful
2463 information Squid-specific log analyzers use.
2466 NAME: log_ip_on_direct
2470 LOC: Config.onoff.log_ip_on_direct
2472 Log the destination IP address in the hierarchy log tag when going
2473 direct. Earlier Squid versions logged the hostname here. If you
2474 prefer the old way set this to off.
2479 DEFAULT: @DEFAULT_MIME_TABLE@
2480 LOC: Config.mimeTablePathname
2482 Pathname to Squid's MIME table. You shouldn't need to change
2483 this, but the default file contains examples and formatting
2484 information if you do.
2490 LOC: Config.onoff.log_mime_hdrs
2493 The Cache can record both the request and the response MIME
2494 headers for each HTTP transaction. The headers are encoded
2495 safely and will appear as two bracketed fields at the end of
2496 the access log (for either the native or httpd-emulated log
2497 formats). To enable this logging set log_mime_hdrs to 'on'.
2502 LOC: Config.Log.useragent
2504 IFDEF: USE_USERAGENT_LOG
2506 Squid will write the User-Agent field from HTTP requests
2507 to the filename specified here. By default useragent_log
2511 NAME: referer_log referrer_log
2513 LOC: Config.Log.referer
2515 IFDEF: USE_REFERER_LOG
2517 Squid will write the Referer field from HTTP requests to the
2518 filename specified here. By default referer_log is disabled.
2519 Note that "referer" is actually a misspelling of "referrer"
2520 however the misspelt version has been accepted into the HTTP RFCs
2526 DEFAULT: @DEFAULT_PID_FILE@
2527 LOC: Config.pidFilename
2529 A filename to write the process-id to. To disable, enter "none".
2535 LOC: Config.debugOptions
2537 Logging options are set as section,level where each source file
2538 is assigned a unique section. Lower levels result in less
2539 output, Full debugging (level 9) can result in a very large
2540 log file, so be careful. The magic word "ALL" sets debugging
2541 levels for all sections. We recommend normally running with
2549 LOC: Config.onoff.log_fqdn
2551 Turn this on if you wish to log fully qualified domain names
2552 in the access.log. To do this Squid does a DNS lookup of all
2553 IP's connecting to it. This can (in some situations) increase
2554 latency, which makes your cache seem slower for interactive
2558 NAME: client_netmask
2560 LOC: Config.Addrs.client_netmask
2561 DEFAULT: 255.255.255.255
2563 A netmask for client addresses in logfiles and cachemgr output.
2564 Change this to protect the privacy of your cache clients.
2565 A netmask of 255.255.255.0 will log all IP's in that range with
2566 the last digit set to '0'.
2573 LOC: Config.Log.forward
2575 Logs the server-side requests.
2577 This is currently work in progress.
2580 NAME: strip_query_terms
2582 LOC: Config.onoff.strip_query_terms
2585 By default, Squid strips query terms from requested URLs before
2586 logging. This protects your user's privacy.
2593 LOC: Config.onoff.buffered_logs
2595 cache.log log file is written with stdio functions, and as such
2596 it can be buffered or unbuffered. By default it will be unbuffered.
2597 Buffering it can speed up the writing slightly (though you are
2598 unlikely to need to worry unless you run with tons of debugging
2599 enabled in which case performance will suffer badly anyway..).
2602 NAME: netdb_filename
2604 DEFAULT: @DEFAULT_NETDB_FILE@
2605 LOC: Config.netdbFilename
2608 A filename where Squid stores it's netdb state between restarts.
2609 To disable, enter "none".
2613 OPTIONS FOR FTP GATEWAYING
2614 -----------------------------------------------------------------------------
2620 LOC: Config.Ftp.anon_user
2622 If you want the anonymous login password to be more informative
2623 (and enable the use of picky ftp servers), set this to something
2624 reasonable for your domain, like wwwuser@somewhere.net
2626 The reason why this is domainless by default is the
2627 request can be made on the behalf of a user in any domain,
2628 depending on how the cache is used.
2629 Some ftp server also validate the email address is valid
2630 (for example perl.com).
2633 NAME: ftp_list_width
2636 LOC: Config.Ftp.list_width
2638 Sets the width of ftp listings. This should be set to fit in
2639 the width of a standard browser. Setting this too small
2640 can cut off long filenames when browsing ftp sites.
2646 LOC: Config.Ftp.passive
2648 If your firewall does not allow Squid to use passive
2649 connections, turn off this option.
2651 Use of ftp_epsv_all option requires this to be ON.
2657 LOC: Config.Ftp.epsv_all
2659 FTP Protocol extensions permit the use of a special "EPSV ALL" command.
2661 NATs may be able to put the connection on a "fast path" through the
2662 translator, as the EPRT command will never be used and therefore,
2663 translation of the data portion of the segments will never be needed.
2665 When a client only expects to do two-way FTP transfers this may be useful.
2666 If squid finds that it must do a three-way FTP transfer after issuing
2667 an EPSV ALL command, the FTP session will fail.
2669 If you have any doubts about this option do not use it.
2670 Squid will nicely attempt all other connection methods.
2672 Requires ftp_passive to be ON (default)
2675 NAME: ftp_sanitycheck
2678 LOC: Config.Ftp.sanitycheck
2680 For security and data integrity reasons Squid by default performs
2681 sanity checks of the addresses of FTP data connections ensure the
2682 data connection is to the requested server. If you need to allow
2683 FTP connections to servers using another IP address for the data
2684 connection turn this off.
2687 NAME: ftp_telnet_protocol
2690 LOC: Config.Ftp.telnet
2692 The FTP protocol is officially defined to use the telnet protocol
2693 as transport channel for the control connection. However, many
2694 implementations are broken and does not respect this aspect of
2697 If you have trouble accessing files with ASCII code 255 in the
2698 path or similar problems involving this ASCII code you can
2699 try setting this directive to off. If that helps, report to the
2700 operator of the FTP server in question that their FTP server
2701 is broken and does not follow the FTP standard.
2705 OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
2706 -----------------------------------------------------------------------------
2711 DEFAULT: @DEFAULT_DISKD@
2712 LOC: Config.Program.diskd
2714 Specify the location of the diskd executable.
2715 Note this is only useful if you have compiled in
2716 diskd as one of the store io modules.
2719 NAME: unlinkd_program
2722 DEFAULT: @DEFAULT_UNLINKD@
2723 LOC: Config.Program.unlinkd
2725 Specify the location of the executable for file deletion process.
2728 NAME: pinger_program
2730 DEFAULT: @DEFAULT_PINGER@
2731 LOC: Config.pinger.program
2734 Specify the location of the executable for the pinger process.
2740 LOC: Config.pinger.enable
2743 Control whether the pinger is active at run-time.
2744 Enables turning ICMP pinger on and off with a simple squid -k reconfigure.
2749 OPTIONS FOR URL REWRITING
2750 -----------------------------------------------------------------------------
2753 NAME: url_rewrite_program redirect_program
2755 LOC: Config.Program.redirect
2758 Specify the location of the executable for the URL rewriter.
2759 Since they can perform almost any function there isn't one included.
2761 For each requested URL rewriter will receive on line with the format
2763 URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
2765 In the future, the rewriter interface will be extended with
2766 key=value pairs ("kvpairs" shown above). Rewriter programs
2767 should be prepared to receive and possibly ignore additional
2768 whitespace-separated tokens on each input line.
2770 And the rewriter may return a rewritten URL. The other components of
2771 the request line does not need to be returned (ignored if they are).
2773 The rewriter can also indicate that a client-side redirect should
2774 be performed to the new URL. This is done by prefixing the returned
2775 URL with "301:" (moved permanently) or 302: (moved temporarily).
2777 By default, a URL rewriter is not used.
2780 NAME: url_rewrite_children redirect_children
2783 LOC: Config.redirectChildren
2785 The number of redirector processes to spawn. If you start
2786 too few Squid will have to wait for them to process a backlog of
2787 URLs, slowing it down. If you start too many they will use RAM
2788 and other system resources.
2791 NAME: url_rewrite_concurrency redirect_concurrency
2794 LOC: Config.redirectConcurrency
2796 The number of requests each redirector helper can handle in
2797 parallel. Defaults to 0 which indicates the redirector
2798 is a old-style single threaded redirector.
2800 When this directive is set to a value >= 1 then the protocol
2801 used to communicate with the helper is modified to include
2802 a request ID in front of the request/response. The request
2803 ID from the request must be echoed back with the response
2807 NAME: url_rewrite_host_header redirect_rewrites_host_header
2810 LOC: Config.onoff.redir_rewrites_host
2812 By default Squid rewrites any Host: header in redirected
2813 requests. If you are running an accelerator this may
2814 not be a wanted effect of a redirector.
2816 WARNING: Entries are cached on the result of the URL rewriting
2817 process, so be careful if you have domain-virtual hosts.
2820 NAME: url_rewrite_access redirector_access
2823 LOC: Config.accessList.redirector
2825 If defined, this access list specifies which requests are
2826 sent to the redirector processes. By default all requests
2830 NAME: url_rewrite_bypass redirector_bypass
2832 LOC: Config.onoff.redirector_bypass
2835 When this is 'on', a request will not go through the
2836 redirector if all redirectors are busy. If this is 'off'
2837 and the redirector queue grows too large, Squid will exit
2838 with a FATAL error and ask you to increase the number of
2839 redirectors. You should only enable this if the redirectors
2840 are not critical to your caching system. If you use
2841 redirectors for access control, and you enable this option,
2842 users may have access to pages they should not
2843 be allowed to request.
2847 OPTIONS FOR TUNING THE CACHE
2848 -----------------------------------------------------------------------------
2851 NAME: cache no_cache
2854 LOC: Config.accessList.noCache
2856 A list of ACL elements which, if matched and denied, cause the request to
2857 not be satisfied from the cache and the reply to not be cached.
2858 In other words, use this to force certain objects to never be cached.
2860 You must use the words 'allow' or 'deny' to indicate whether items
2861 matching the ACL should be allowed or denied into the cache.
2863 Default is to allow all to be cached.
2866 NAME: refresh_pattern
2867 TYPE: refreshpattern
2871 usage: refresh_pattern [-i] regex min percent max [options]
2873 By default, regular expressions are CASE-SENSITIVE. To make
2874 them case-insensitive, use the -i option.
2876 'Min' is the time (in minutes) an object without an explicit
2877 expiry time should be considered fresh. The recommended
2878 value is 0, any higher values may cause dynamic applications
2879 to be erroneously cached unless the application designer
2880 has taken the appropriate actions.
2882 'Percent' is a percentage of the objects age (time since last
2883 modification age) an object without explicit expiry time
2884 will be considered fresh.
2886 'Max' is an upper limit on how long objects without an explicit
2887 expiry time will be considered fresh.
2889 options: override-expire
2899 override-expire enforces min age even if the server
2900 sent an explicit expiry time (e.g., with the
2901 Expires: header or Cache-Control: max-age). Doing this
2902 VIOLATES the HTTP standard. Enabling this feature
2903 could make you liable for problems which it causes.
2905 override-lastmod enforces min age even on objects
2906 that were modified recently.
2908 reload-into-ims changes client no-cache or ``reload''
2909 to If-Modified-Since requests. Doing this VIOLATES the
2910 HTTP standard. Enabling this feature could make you
2911 liable for problems which it causes.
2913 ignore-reload ignores a client no-cache or ``reload''
2914 header. Doing this VIOLATES the HTTP standard. Enabling
2915 this feature could make you liable for problems which
2918 ignore-no-cache ignores any ``Pragma: no-cache'' and
2919 ``Cache-control: no-cache'' headers received from a server.
2920 The HTTP RFC never allows the use of this (Pragma) header
2921 from a server, only a client, though plenty of servers
2924 ignore-no-store ignores any ``Cache-control: no-store''
2925 headers received from a server. Doing this VIOLATES
2926 the HTTP standard. Enabling this feature could make you
2927 liable for problems which it causes.
2929 ignore-private ignores any ``Cache-control: private''
2930 headers received from a server. Doing this VIOLATES
2931 the HTTP standard. Enabling this feature could make you
2932 liable for problems which it causes.
2934 ignore-auth caches responses to requests with authorization,
2935 as if the originserver had sent ``Cache-control: public''
2936 in the response header. Doing this VIOLATES the HTTP standard.
2937 Enabling this feature could make you liable for problems which
2940 refresh-ims causes squid to contact the origin server
2941 when a client issues an If-Modified-Since request. This
2942 ensures that the client will receive an updated version
2943 if one is available.
2945 Basically a cached object is:
2947 FRESH if expires < now, else STALE
2949 FRESH if lm-factor < percent, else STALE
2953 The refresh_pattern lines are checked in the order listed here.
2954 The first entry which matches is used. If none of the entries
2955 match the default will be used.
2957 Note, you must uncomment all the default lines if you want
2958 to change one. The default setting is only active if none is
2963 refresh_pattern ^ftp: 1440 20% 10080
2964 refresh_pattern ^gopher: 1440 0% 1440
2965 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2966 refresh_pattern . 0 20% 4320
2970 NAME: quick_abort_min
2974 LOC: Config.quickAbort.min
2977 NAME: quick_abort_max
2981 LOC: Config.quickAbort.max
2984 NAME: quick_abort_pct
2988 LOC: Config.quickAbort.pct
2990 The cache by default continues downloading aborted requests
2991 which are almost completed (less than 16 KB remaining). This
2992 may be undesirable on slow (e.g. SLIP) links and/or very busy
2993 caches. Impatient users may tie up file descriptors and
2994 bandwidth by repeatedly requesting and immediately aborting
2997 When the user aborts a request, Squid will check the
2998 quick_abort values to the amount of data transfered until
3001 If the transfer has less than 'quick_abort_min' KB remaining,
3002 it will finish the retrieval.
3004 If the transfer has more than 'quick_abort_max' KB remaining,
3005 it will abort the retrieval.
3007 If more than 'quick_abort_pct' of the transfer has completed,
3008 it will finish the retrieval.
3010 If you do not want any retrieval to continue after the client
3011 has aborted, set both 'quick_abort_min' and 'quick_abort_max'
3014 If you want retrievals to always continue if they are being
3015 cached set 'quick_abort_min' to '-1 KB'.
3018 NAME: read_ahead_gap
3019 COMMENT: buffer-size
3021 LOC: Config.readAheadGap
3024 The amount of data the cache will buffer ahead of what has been
3025 sent to the client when retrieving an object from another server.
3029 IFDEF: HTTP_VIOLATIONS
3032 LOC: Config.negativeTtl
3035 Set the Default Time-to-Live (TTL) for failed requests.
3036 Certain types of failures (such as "connection refused" and
3037 "404 Not Found") are able to be negatively-cached for a short time.
3038 Modern web servers should provide Expires: header, however if they
3039 do not this can provide a minimum TTL.
3040 The default is not to cache errors with unknown expiry details.
3042 Note that this is different from negative caching of DNS lookups.
3044 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3045 this feature could make you liable for problems which it
3049 NAME: positive_dns_ttl
3052 LOC: Config.positiveDnsTtl
3055 Upper limit on how long Squid will cache positive DNS responses.
3056 Default is 6 hours (360 minutes). This directive must be set
3057 larger than negative_dns_ttl.
3060 NAME: negative_dns_ttl
3063 LOC: Config.negativeDnsTtl
3066 Time-to-Live (TTL) for negative caching of failed DNS lookups.
3067 This also sets the lower cache limit on positive lookups.
3068 Minimum value is 1 second, and it is not recommendable to go
3069 much below 10 seconds.
3072 NAME: range_offset_limit
3075 LOC: Config.rangeOffsetLimit
3078 Sets a upper limit on how far into the the file a Range request
3079 may be to cause Squid to prefetch the whole file. If beyond this
3080 limit Squid forwards the Range request as it is and the result
3083 This is to stop a far ahead range request (lets say start at 17MB)
3084 from making Squid fetch the whole object up to that point before
3085 sending anything to the client.
3087 A value of -1 causes Squid to always fetch the object from the
3088 beginning so it may cache the result. (2.0 style)
3090 A value of 0 causes Squid to never fetch more than the
3091 client requested. (default)
3094 NAME: minimum_expiry_time
3097 LOC: Config.minimum_expiry_time
3100 The minimum caching time according to (Expires - Date)
3101 Headers Squid honors if the object can't be revalidated
3102 defaults to 60 seconds. In reverse proxy environments it
3103 might be desirable to honor shorter object lifetimes. It
3104 is most likely better to make your server return a
3105 meaningful Last-Modified header however. In ESI environments
3106 where page fragments often have short lifetimes, this will
3107 often be best set to 0.
3110 NAME: store_avg_object_size
3114 LOC: Config.Store.avgObjectSize
3116 Average object size, used to estimate number of objects your
3117 cache can hold. The default is 13 KB.
3120 NAME: store_objects_per_bucket
3123 LOC: Config.Store.objectsPerBucket
3125 Target number of objects per bucket in the store hash table.
3126 Lowering this value increases the total number of buckets and
3127 also the storage maintenance rate. The default is 20.
3132 -----------------------------------------------------------------------------
3135 NAME: request_header_max_size
3139 LOC: Config.maxRequestHeaderSize
3141 This specifies the maximum size for HTTP headers in a request.
3142 Request headers are usually relatively small (about 512 bytes).
3143 Placing a limit on the request header size will catch certain
3144 bugs (for example with persistent connections) and possibly
3145 buffer-overflow or denial-of-service attacks.
3148 NAME: reply_header_max_size
3152 LOC: Config.maxReplyHeaderSize
3154 This specifies the maximum size for HTTP headers in a reply.
3155 Reply headers are usually relatively small (about 512 bytes).
3156 Placing a limit on the reply header size will catch certain
3157 bugs (for example with persistent connections) and possibly
3158 buffer-overflow or denial-of-service attacks.
3161 NAME: request_body_max_size
3165 LOC: Config.maxRequestBodySize
3167 This specifies the maximum size for an HTTP request body.
3168 In other words, the maximum size of a PUT/POST request.
3169 A user who attempts to send a request with a body larger
3170 than this limit receives an "Invalid Request" error message.
3171 If you set this parameter to a zero (the default), there will
3172 be no limit imposed.
3178 LOC: Config.accessList.brokenPosts
3180 A list of ACL elements which, if matched, causes Squid to send
3181 an extra CRLF pair after the body of a PUT/POST request.
3183 Some HTTP servers has broken implementations of PUT/POST,
3184 and rely on an extra CRLF pair sent by some WWW clients.
3186 Quote from RFC2616 section 4.1 on this matter:
3188 Note: certain buggy HTTP/1.0 client implementations generate an
3189 extra CRLF's after a POST request. To restate what is explicitly
3190 forbidden by the BNF, an HTTP/1.1 client must not preface or follow
3191 a request with an extra CRLF.
3194 acl buggy_server url_regex ^http://....
3195 broken_posts allow buggy_server
3199 IFDEF: HTTP_VIOLATIONS
3203 LOC: Config.onoff.via
3205 If set (default), Squid will include a Via header in requests and
3206 replies as required by RFC2616.
3212 LOC: Config.onoff.ie_refresh
3215 Microsoft Internet Explorer up until version 5.5 Service
3216 Pack 1 has an issue with transparent proxies, wherein it
3217 is impossible to force a refresh. Turning this on provides
3218 a partial fix to the problem, by causing all IMS-REFRESH
3219 requests from older IE versions to check the origin server
3220 for fresh content. This reduces hit ratio by some amount
3221 (~10% in my experience), but allows users to actually get
3222 fresh content when they want it. Note because Squid
3223 cannot tell if the user is using 5.5 or 5.5SP1, the behavior
3224 of 5.5 is unchanged from old versions of Squid (i.e. a
3225 forced refresh is impossible). Newer versions of IE will,
3226 hopefully, continue to have the new behavior and will be
3227 handled based on that assumption. This option defaults to
3228 the old Squid behavior, which is better for hit ratios but
3229 worse for clients using IE, if they need to be able to
3230 force fresh content.
3233 NAME: vary_ignore_expire
3236 LOC: Config.onoff.vary_ignore_expire
3239 Many HTTP servers supporting Vary gives such objects
3240 immediate expiry time with no cache-control header
3241 when requested by a HTTP/1.0 client. This option
3242 enables Squid to ignore such expiry times until
3243 HTTP/1.1 is fully implemented.
3244 WARNING: This may eventually cause some varying
3245 objects not intended for caching to get cached.
3248 NAME: request_entities
3250 LOC: Config.onoff.request_entities
3253 Squid defaults to deny GET and HEAD requests with request entities,
3254 as the meaning of such requests are undefined in the HTTP standard
3255 even if not explicitly forbidden.
3257 Set this directive to on if you have clients which insists
3258 on sending request entities in GET or HEAD requests. But be warned
3259 that there is server software (both proxies and web servers) which
3260 can fail to properly process this kind of request which may make you
3261 vulnerable to cache pollution attacks if enabled.
3264 NAME: request_header_access
3265 IFDEF: HTTP_VIOLATIONS
3266 TYPE: http_header_access[]
3267 LOC: Config.request_header_access
3270 Usage: request_header_access header_name allow|deny [!]aclname ...
3272 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3273 this feature could make you liable for problems which it
3276 This option replaces the old 'anonymize_headers' and the
3277 older 'http_anonymizer' option with something that is much
3278 more configurable. This new method creates a list of ACLs
3279 for each header, allowing you very fine-tuned header
3282 This option only applies to request headers, i.e., from the
3283 client to the server.
3285 You can only specify known headers for the header name.
3286 Other headers are reclassified as 'Other'. You can also
3287 refer to all the headers with 'All'.
3289 For example, to achieve the same behavior as the old
3290 'http_anonymizer standard' option, you should use:
3292 request_header_access From deny all
3293 request_header_access Referer deny all
3294 request_header_access Server deny all
3295 request_header_access User-Agent deny all
3296 request_header_access WWW-Authenticate deny all
3297 request_header_access Link deny all
3299 Or, to reproduce the old 'http_anonymizer paranoid' feature
3302 request_header_access Allow allow all
3303 request_header_access Authorization allow all
3304 request_header_access WWW-Authenticate allow all
3305 request_header_access Proxy-Authorization allow all
3306 request_header_access Proxy-Authenticate allow all
3307 request_header_access Cache-Control allow all
3308 request_header_access Content-Encoding allow all
3309 request_header_access Content-Length allow all
3310 request_header_access Content-Type allow all
3311 request_header_access Date allow all
3312 request_header_access Expires allow all
3313 request_header_access Host allow all
3314 request_header_access If-Modified-Since allow all
3315 request_header_access Last-Modified allow all
3316 request_header_access Location allow all
3317 request_header_access Pragma allow all
3318 request_header_access Accept allow all
3319 request_header_access Accept-Charset allow all
3320 request_header_access Accept-Encoding allow all
3321 request_header_access Accept-Language allow all
3322 request_header_access Content-Language allow all
3323 request_header_access Mime-Version allow all
3324 request_header_access Retry-After allow all
3325 request_header_access Title allow all
3326 request_header_access Connection allow all
3327 request_header_access Proxy-Connection allow all
3328 request_header_access All deny all
3330 although many of those are HTTP reply headers, and so should be
3331 controlled with the reply_header_access directive.
3333 By default, all headers are allowed (no anonymizing is
3337 NAME: reply_header_access
3338 IFDEF: HTTP_VIOLATIONS
3339 TYPE: http_header_access[]
3340 LOC: Config.reply_header_access
3343 Usage: reply_header_access header_name allow|deny [!]aclname ...
3345 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3346 this feature could make you liable for problems which it
3349 This option only applies to reply headers, i.e., from the
3350 server to the client.
3352 This is the same as request_header_access, but in the other
3355 This option replaces the old 'anonymize_headers' and the
3356 older 'http_anonymizer' option with something that is much
3357 more configurable. This new method creates a list of ACLs
3358 for each header, allowing you very fine-tuned header
3361 You can only specify known headers for the header name.
3362 Other headers are reclassified as 'Other'. You can also
3363 refer to all the headers with 'All'.
3365 For example, to achieve the same behavior as the old
3366 'http_anonymizer standard' option, you should use:
3368 reply_header_access From deny all
3369 reply_header_access Referer deny all
3370 reply_header_access Server deny all
3371 reply_header_access User-Agent deny all
3372 reply_header_access WWW-Authenticate deny all
3373 reply_header_access Link deny all
3375 Or, to reproduce the old 'http_anonymizer paranoid' feature
3378 reply_header_access Allow allow all
3379 reply_header_access Authorization allow all
3380 reply_header_access WWW-Authenticate allow all
3381 reply_header_access Proxy-Authorization allow all
3382 reply_header_access Proxy-Authenticate allow all
3383 reply_header_access Cache-Control allow all
3384 reply_header_access Content-Encoding allow all
3385 reply_header_access Content-Length allow all
3386 reply_header_access Content-Type allow all
3387 reply_header_access Date allow all
3388 reply_header_access Expires allow all
3389 reply_header_access Host allow all
3390 reply_header_access If-Modified-Since allow all
3391 reply_header_access Last-Modified allow all
3392 reply_header_access Location allow all
3393 reply_header_access Pragma allow all
3394 reply_header_access Accept allow all
3395 reply_header_access Accept-Charset allow all
3396 reply_header_access Accept-Encoding allow all
3397 reply_header_access Accept-Language allow all
3398 reply_header_access Content-Language allow all
3399 reply_header_access Mime-Version allow all
3400 reply_header_access Retry-After allow all
3401 reply_header_access Title allow all
3402 reply_header_access Connection allow all
3403 reply_header_access Proxy-Connection allow all
3404 reply_header_access All deny all
3406 although the HTTP request headers won't be usefully controlled
3407 by this directive -- see request_header_access for details.
3409 By default, all headers are allowed (no anonymizing is
3413 NAME: header_replace
3414 IFDEF: HTTP_VIOLATIONS
3415 TYPE: http_header_replace[]
3416 LOC: Config.request_header_access
3419 Usage: header_replace header_name message
3420 Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
3422 This option allows you to change the contents of headers
3423 denied with header_access above, by replacing them with
3424 some fixed string. This replaces the old fake_user_agent
3427 This only applies to request headers, not reply headers.
3429 By default, headers are removed if denied.
3432 NAME: relaxed_header_parser
3433 COMMENT: on|off|warn
3435 LOC: Config.onoff.relaxed_header_parser
3438 In the default "on" setting Squid accepts certain forms
3439 of non-compliant HTTP messages where it is unambiguous
3440 what the sending application intended even if the message
3441 is not correctly formatted. The messages is then normalized
3442 to the correct form when forwarded by Squid.
3444 If set to "warn" then a warning will be emitted in cache.log
3445 each time such HTTP error is encountered.
3447 If set to "off" then such HTTP errors will cause the request
3448 or response to be rejected.
3453 -----------------------------------------------------------------------------
3456 NAME: forward_timeout
3459 LOC: Config.Timeout.forward
3462 This parameter specifies how long Squid should at most attempt in
3463 finding a forwarding path for the request before giving up.
3466 NAME: connect_timeout
3469 LOC: Config.Timeout.connect
3472 This parameter specifies how long to wait for the TCP connect to
3473 the requested server or peer to complete before Squid should
3474 attempt to find another path where to forward the request.
3477 NAME: peer_connect_timeout
3480 LOC: Config.Timeout.peer_connect
3483 This parameter specifies how long to wait for a pending TCP
3484 connection to a peer cache. The default is 30 seconds. You
3485 may also set different timeout values for individual neighbors
3486 with the 'connect-timeout' option on a 'cache_peer' line.
3492 LOC: Config.Timeout.read
3495 The read_timeout is applied on server-side connections. After
3496 each successful read(), the timeout will be extended by this
3497 amount. If no data is read again after this amount of time,
3498 the request is aborted and logged with ERR_READ_TIMEOUT. The
3499 default is 15 minutes.
3502 NAME: request_timeout
3504 LOC: Config.Timeout.request
3507 How long to wait for an HTTP request after initial
3508 connection establishment.
3511 NAME: persistent_request_timeout
3513 LOC: Config.Timeout.persistent_request
3516 How long to wait for the next HTTP request on a persistent
3517 connection after the previous request completes.
3520 NAME: client_lifetime
3523 LOC: Config.Timeout.lifetime
3526 The maximum amount of time a client (browser) is allowed to
3527 remain connected to the cache process. This protects the Cache
3528 from having a lot of sockets (and hence file descriptors) tied up
3529 in a CLOSE_WAIT state from remote clients that go away without
3530 properly shutting down (either because of a network failure or
3531 because of a poor client implementation). The default is one
3534 NOTE: The default value is intended to be much larger than any
3535 client would ever need to be connected to your cache. You
3536 should probably change client_lifetime only as a last resort.
3537 If you seem to have many client connections tying up
3538 filedescriptors, we recommend first tuning the read_timeout,
3539 request_timeout, persistent_request_timeout and quick_abort values.
3542 NAME: half_closed_clients
3544 LOC: Config.onoff.half_closed_clients
3547 Some clients may shutdown the sending side of their TCP
3548 connections, while leaving their receiving sides open. Sometimes,
3549 Squid can not tell the difference between a half-closed and a
3550 fully-closed TCP connection. By default, half-closed client
3551 connections are kept open until a read(2) or write(2) on the
3552 socket returns an error. Change this option to 'off' and Squid
3553 will immediately close client connections when read(2) returns
3554 "no more data to read."
3559 LOC: Config.Timeout.pconn
3562 Timeout for idle persistent connections to servers and other
3569 LOC: Config.Timeout.ident
3572 Maximum time to wait for IDENT lookups to complete.
3574 If this is too high, and you enabled IDENT lookups from untrusted
3575 users, you might be susceptible to denial-of-service by having
3576 many ident requests going at once.
3579 NAME: shutdown_lifetime
3582 LOC: Config.shutdownLifetime
3585 When SIGTERM or SIGHUP is received, the cache is put into
3586 "shutdown pending" mode until all active sockets are closed.
3587 This value is the lifetime to set for all open descriptors
3588 during shutdown mode. Any active clients after this many
3589 seconds will receive a 'timeout' message.
3593 ADMINISTRATIVE PARAMETERS
3594 -----------------------------------------------------------------------------
3600 LOC: Config.adminEmail
3602 Email-address of local cache manager who will receive
3603 mail if the cache dies. The default is "webmaster."
3609 LOC: Config.EmailFrom
3611 From: email-address for mail sent when the cache dies.
3612 The default is to use 'appname@unique_hostname'.
3613 Default appname value is "squid", can be changed into
3614 src/globals.h before building squid.
3620 LOC: Config.EmailProgram
3622 Email program used to send mail if the cache dies.
3623 The default is "mail". The specified program must comply
3624 with the standard Unix mail syntax:
3625 mail-program recipient < mailfile
3627 Optional command line options can be specified.
3630 NAME: cache_effective_user
3632 DEFAULT: @DEFAULT_CACHE_EFFECTIVE_USER@
3633 LOC: Config.effectiveUser
3635 If you start Squid as root, it will change its effective/real
3636 UID/GID to the user specified below. The default is to change
3637 to UID of @DEFAULT_CACHE_EFFECTIVE_USER@.
3638 see also; cache_effective_group
3641 NAME: cache_effective_group
3644 LOC: Config.effectiveGroup
3646 Squid sets the GID to the effective user's default group ID
3647 (taken from the password file) and supplementary group list
3648 from the groups membership.
3650 If you want Squid to run with a specific GID regardless of
3651 the group memberships of the effective user then set this
3652 to the group (or GID) you want Squid to run as. When set
3653 all other group privileges of the effective user are ignored
3654 and only this GID is effective. If Squid is not started as
3655 root the user starting Squid MUST be member of the specified
3658 This option is not recommended by the Squid Team.
3659 Our preference is for administrators to configure a secure
3660 user account for squid with UID/GID matching system policies.
3663 NAME: httpd_suppress_version_string
3667 LOC: Config.onoff.httpd_suppress_version_string
3669 Suppress Squid version string info in HTTP headers and HTML error pages.
3672 NAME: visible_hostname
3674 LOC: Config.visibleHostname
3677 If you want to present a special hostname in error messages, etc,
3678 define this. Otherwise, the return value of gethostname()
3679 will be used. If you have multiple caches in a cluster and
3680 get errors about IP-forwarding you must set them to have individual
3681 names with this setting.
3684 NAME: unique_hostname
3686 LOC: Config.uniqueHostname
3689 If you want to have multiple machines with the same
3690 'visible_hostname' you must give each machine a different
3691 'unique_hostname' so forwarding loops can be detected.
3694 NAME: hostname_aliases
3696 LOC: Config.hostnameAliases
3699 A list of other DNS names your cache has.
3707 Minimum umask which should be enforced while the proxy
3708 is running, in addition to the umask set at startup.
3710 For a traditional octal representation of umasks, start
3715 OPTIONS FOR THE CACHE REGISTRATION SERVICE
3716 -----------------------------------------------------------------------------
3718 This section contains parameters for the (optional) cache
3719 announcement service. This service is provided to help
3720 cache administrators locate one another in order to join or
3721 create cache hierarchies.
3723 An 'announcement' message is sent (via UDP) to the registration
3724 service by Squid. By default, the announcement message is NOT
3725 SENT unless you enable it with 'announce_period' below.
3727 The announcement message includes your hostname, plus the
3728 following information from this configuration file:
3734 All current information is processed regularly and made
3735 available on the Web at http://www.ircache.net/Cache/Tracker/.
3738 NAME: announce_period
3740 LOC: Config.Announce.period
3743 This is how frequently to send cache announcements. The
3744 default is `0' which disables sending the announcement
3747 To enable announcing your cache, just uncomment the line
3751 #To enable announcing your cache, just uncomment the line below.
3752 #announce_period 1 day
3758 DEFAULT: tracker.ircache.net
3759 LOC: Config.Announce.host
3765 LOC: Config.Announce.file
3771 LOC: Config.Announce.port
3773 announce_host and announce_port set the hostname and port
3774 number where the registration message will be sent.
3776 Hostname will default to 'tracker.ircache.net' and port will
3777 default default to 3131. If the 'filename' argument is given,
3778 the contents of that file will be included in the announce
3783 HTTPD-ACCELERATOR OPTIONS
3784 -----------------------------------------------------------------------------
3787 NAME: httpd_accel_surrogate_id
3788 IFDEF: USE_SQUID_ESI
3790 LOC: Config.Accel.surrogate_id
3793 Surrogates (http://www.esi.org/architecture_spec_1.0.html)
3794 need an identification token to allow control targeting. Because
3795 a farm of surrogates may all perform the same tasks, they may share
3796 an identification token.
3799 NAME: http_accel_surrogate_remote
3800 IFDEF: USE_SQUID_ESI
3804 LOC: Config.onoff.surrogate_is_remote
3806 Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
3807 Set this to on to have squid behave as a remote surrogate.
3811 IFDEF: USE_SQUID_ESI
3812 COMMENT: libxml2|expat|custom
3814 LOC: ESIParser::Type
3817 ESI markup is not strictly XML compatible. The custom ESI parser
3818 will give higher performance, but cannot handle non ASCII character
3823 DELAY POOL PARAMETERS
3824 -----------------------------------------------------------------------------
3828 TYPE: delay_pool_count
3833 This represents the number of delay pools to be used. For example,
3834 if you have one class 2 delay pool and one class 3 delays pool, you
3835 have a total of 2 delay pools.
3839 TYPE: delay_pool_class
3844 This defines the class of each delay pool. There must be exactly one
3845 delay_class line for each delay pool. For example, to define two
3846 delay pools, one of class 2 and one of class 3, the settings above
3850 delay_pools 4 # 4 delay pools
3851 delay_class 1 2 # pool 1 is a class 2 pool
3852 delay_class 2 3 # pool 2 is a class 3 pool
3853 delay_class 3 4 # pool 3 is a class 4 pool
3854 delay_class 4 5 # pool 4 is a class 5 pool
3856 The delay pool classes are:
3858 class 1 Everything is limited by a single aggregate
3861 class 2 Everything is limited by a single aggregate
3862 bucket as well as an "individual" bucket chosen
3863 from bits 25 through 32 of the IP address.
3865 class 3 Everything is limited by a single aggregate
3866 bucket as well as a "network" bucket chosen
3867 from bits 17 through 24 of the IP address and a
3868 "individual" bucket chosen from bits 17 through
3869 32 of the IP address.
3871 class 4 Everything in a class 3 delay pool, with an
3872 additional limit on a per user basis. This
3873 only takes effect if the username is established
3874 in advance - by forcing authentication in your
3877 class 5 Requests are grouped according their tag (see
3878 external_acl's tag= reply).
3880 NOTE: If an IP address is a.b.c.d
3881 -> bits 25 through 32 are "d"
3882 -> bits 17 through 24 are "c"
3883 -> bits 17 through 32 are "c * 256 + d"
3887 TYPE: delay_pool_access
3892 This is used to determine which delay pool a request falls into.
3894 delay_access is sorted per pool and the matching starts with pool 1,
3895 then pool 2, ..., and finally pool N. The first delay pool where the
3896 request is allowed is selected for the request. If it does not allow
3897 the request to any pool then the request is not delayed (default).
3899 For example, if you want some_big_clients in delay
3900 pool 1 and lotsa_little_clients in delay pool 2:
3903 delay_access 1 allow some_big_clients
3904 delay_access 1 deny all
3905 delay_access 2 allow lotsa_little_clients
3906 delay_access 2 deny all
3907 delay_access 3 allow authenticated_clients
3910 NAME: delay_parameters
3911 TYPE: delay_pool_rates
3916 This defines the parameters for a delay pool. Each delay pool has
3917 a number of "buckets" associated with it, as explained in the
3918 description of delay_class. For a class 1 delay pool, the syntax is:
3920 delay_parameters pool aggregate
3922 For a class 2 delay pool:
3924 delay_parameters pool aggregate individual
3926 For a class 3 delay pool:
3928 delay_parameters pool aggregate network individual
3930 For a class 4 delay pool:
3932 delay_parameters pool aggregate network individual user
3934 For a class 5 delay pool:
3936 delay_parameters pool tag
3938 The variables here are:
3940 pool a pool number - ie, a number between 1 and the
3941 number specified in delay_pools as used in
3944 aggregate the "delay parameters" for the aggregate bucket
3947 individual the "delay parameters" for the individual
3948 buckets (class 2, 3).
3950 network the "delay parameters" for the network buckets
3953 user the delay parameters for the user buckets
3956 tag the delay parameters for the tag buckets
3959 A pair of delay parameters is written restore/maximum, where restore is
3960 the number of bytes (not bits - modem and network speeds are usually
3961 quoted in bits) per second placed into the bucket, and maximum is the
3962 maximum number of bytes which can be in the bucket at any time.
3964 For example, if delay pool number 1 is a class 2 delay pool as in the
3965 above example, and is being used to strictly limit each host to 64kbps
3966 (plus overheads), with no overall limit, the line is:
3968 delay_parameters 1 -1/-1 8000/8000
3970 Note that the figure -1 is used to represent "unlimited".
3972 And, if delay pool number 2 is a class 3 delay pool as in the above
3973 example, and you want to limit it to a total of 256kbps (strict limit)
3974 with each 8-bit network permitted 64kbps (strict limit) and each
3975 individual host permitted 4800bps with a bucket maximum size of 64kb
3976 to permit a decent web page to be downloaded at a decent speed
3977 (if the network is not being limited due to overuse) but slow down
3978 large downloads more significantly:
3980 delay_parameters 2 32000/32000 8000/8000 600/8000
3982 There must be one delay_parameters line for each delay pool.
3984 Finally, for a class 4 delay pool as in the example - each user will
3985 be limited to 128Kb no matter how many workstations they are logged into.:
3987 delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
3990 NAME: delay_initial_bucket_level
3991 COMMENT: (percent, 0-100)
3995 LOC: Config.Delay.initial
3997 The initial bucket percentage is used to determine how much is put
3998 in each bucket when squid starts, is reconfigured, or first notices
3999 a host accessing it (in class 2 and class 3, individual hosts and
4000 networks only have buckets associated with them once they have been
4005 WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
4006 -----------------------------------------------------------------------------
4011 LOC: Config.Wccp.router
4015 Use this option to define your WCCP ``home'' router for
4018 wccp_router supports a single WCCP(v1) router
4020 wccp2_router supports multiple WCCPv2 routers
4022 only one of the two may be used at the same time and defines
4023 which version of WCCP to use.
4027 TYPE: IPAddress_list
4028 LOC: Config.Wccp2.router
4032 Use this option to define your WCCP ``home'' router for
4035 wccp_router supports a single WCCP(v1) router
4037 wccp2_router supports multiple WCCPv2 routers
4039 only one of the two may be used at the same time and defines
4040 which version of WCCP to use.
4045 LOC: Config.Wccp.version
4049 This directive is only relevant if you need to set up WCCP(v1)
4050 to some very old and end-of-life Cisco routers. In all other
4051 setups it must be left unset or at the default setting.
4052 It defines an internal version in the WCCP(v1) protocol,
4053 with version 4 being the officially documented protocol.
4055 According to some users, Cisco IOS 11.2 and earlier only
4056 support WCCP version 3. If you're using that or an earlier
4057 version of IOS, you may need to change this value to 3, otherwise
4058 do not specify this parameter.
4061 NAME: wccp2_rebuild_wait
4063 LOC: Config.Wccp2.rebuildwait
4067 If this is enabled Squid will wait for the cache dir rebuild to finish
4068 before sending the first wccp2 HereIAm packet
4071 NAME: wccp2_forwarding_method
4073 LOC: Config.Wccp2.forwarding_method
4077 WCCP2 allows the setting of forwarding methods between the
4078 router/switch and the cache. Valid values are as follows:
4080 gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4081 l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
4083 Currently (as of IOS 12.4) cisco routers only support GRE.
4084 Cisco switches only support the L2 redirect assignment method.
4087 NAME: wccp2_return_method
4089 LOC: Config.Wccp2.return_method
4093 WCCP2 allows the setting of return methods between the
4094 router/switch and the cache for packets that the cache
4095 decides not to handle. Valid values are as follows:
4097 gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4098 l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
4100 Currently (as of IOS 12.4) cisco routers only support GRE.
4101 Cisco switches only support the L2 redirect assignment.
4103 If the "ip wccp redirect exclude in" command has been
4104 enabled on the cache interface, then it is still safe for
4105 the proxy server to use a l2 redirect method even if this
4106 option is set to GRE.
4109 NAME: wccp2_assignment_method
4111 LOC: Config.Wccp2.assignment_method
4115 WCCP2 allows the setting of methods to assign the WCCP hash
4116 Valid values are as follows:
4118 hash - Hash assignment
4119 mask - Mask assignment
4121 As a general rule, cisco routers support the hash assignment method
4122 and cisco switches support the mask assignment method.
4127 LOC: Config.Wccp2.info
4129 DEFAULT_IF_NONE: standard 0
4132 WCCP2 allows for multiple traffic services. There are two
4133 types: "standard" and "dynamic". The standard type defines
4134 one service id - http (id 0). The dynamic service ids can be from
4135 51 to 255 inclusive. In order to use a dynamic service id
4136 one must define the type of traffic to be redirected; this is done
4137 using the wccp2_service_info option.
4139 The "standard" type does not require a wccp2_service_info option,
4140 just specifying the service id will suffice.
4142 MD5 service authentication can be enabled by adding
4143 "password=<password>" to the end of this service declaration.
4147 wccp2_service standard 0 # for the 'web-cache' standard service
4148 wccp2_service dynamic 80 # a dynamic service type which will be
4149 # fleshed out with subsequent options.
4150 wccp2_service standard 0 password=foo
4153 NAME: wccp2_service_info
4154 TYPE: wccp2_service_info
4155 LOC: Config.Wccp2.info
4159 Dynamic WCCPv2 services require further information to define the
4160 traffic you wish to have diverted.
4164 wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
4165 priority=<priority> ports=<port>,<port>..
4167 The relevant WCCPv2 flags:
4168 + src_ip_hash, dst_ip_hash
4169 + source_port_hash, dst_port_hash
4170 + src_ip_alt_hash, dst_ip_alt_hash
4171 + src_port_alt_hash, dst_port_alt_hash
4174 The port list can be one to eight entries.
4178 wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
4179 priority=240 ports=80
4181 Note: the service id must have been defined by a previous
4182 'wccp2_service dynamic <id>' entry.
4187 LOC: Config.Wccp2.weight
4191 Each cache server gets assigned a set of the destination
4192 hash proportional to their weight.
4197 LOC: Config.Wccp.address
4204 LOC: Config.Wccp2.address
4208 Use this option if you require WCCP to use a specific
4211 The default behavior is to not bind to any specific address.
4215 PERSISTENT CONNECTION HANDLING
4216 -----------------------------------------------------------------------------
4218 Also see "pconn_timeout" in the TIMEOUTS section
4221 NAME: client_persistent_connections
4223 LOC: Config.onoff.client_pconns
4227 NAME: server_persistent_connections
4229 LOC: Config.onoff.server_pconns
4232 Persistent connection support for clients and servers. By
4233 default, Squid uses persistent connections (when allowed)
4234 with its clients and servers. You can use these options to
4235 disable persistent connections with clients and/or servers.
4238 NAME: persistent_connection_after_error
4240 LOC: Config.onoff.error_pconns
4243 With this directive the use of persistent connections after
4244 HTTP errors can be disabled. Useful if you have clients
4245 who fail to handle errors on persistent connections proper.
4248 NAME: detect_broken_pconn
4250 LOC: Config.onoff.detect_broken_server_pconns
4253 Some servers have been found to incorrectly signal the use
4254 of HTTP/1.0 persistent connections even on replies not
4255 compatible, causing significant delays. This server problem
4256 has mostly been seen on redirects.
4258 By enabling this directive Squid attempts to detect such
4259 broken replies and automatically assume the reply is finished
4260 after 10 seconds timeout.
4264 CACHE DIGEST OPTIONS
4265 -----------------------------------------------------------------------------
4268 NAME: digest_generation
4269 IFDEF: USE_CACHE_DIGESTS
4271 LOC: Config.onoff.digest_generation
4274 This controls whether the server will generate a Cache Digest
4275 of its contents. By default, Cache Digest generation is
4276 enabled if Squid is compiled with --enable-cache-digests defined.
4279 NAME: digest_bits_per_entry
4280 IFDEF: USE_CACHE_DIGESTS
4282 LOC: Config.digest.bits_per_entry
4285 This is the number of bits of the server's Cache Digest which
4286 will be associated with the Digest entry for a given HTTP
4287 Method and URL (public key) combination. The default is 5.
4290 NAME: digest_rebuild_period
4291 IFDEF: USE_CACHE_DIGESTS
4294 LOC: Config.digest.rebuild_period
4297 This is the wait time between Cache Digest rebuilds.
4300 NAME: digest_rewrite_period
4302 IFDEF: USE_CACHE_DIGESTS
4304 LOC: Config.digest.rewrite_period
4307 This is the wait time between Cache Digest writes to
4311 NAME: digest_swapout_chunk_size
4314 IFDEF: USE_CACHE_DIGESTS
4315 LOC: Config.digest.swapout_chunk_size
4318 This is the number of bytes of the Cache Digest to write to
4319 disk at a time. It defaults to 4096 bytes (4KB), the Squid
4323 NAME: digest_rebuild_chunk_percentage
4324 COMMENT: (percent, 0-100)
4325 IFDEF: USE_CACHE_DIGESTS
4327 LOC: Config.digest.rebuild_chunk_percentage
4330 This is the percentage of the Cache Digest to be scanned at a
4331 time. By default it is set to 10% of the Cache Digest.
4336 -----------------------------------------------------------------------------
4341 LOC: Config.Port.snmp
4345 The port number where Squid listens for SNMP requests. To enable
4346 SNMP support set this to a suitable port number. Port number
4347 3401 is often used for the Squid SNMP agent. By default it's
4348 set to "0" (disabled)
4356 LOC: Config.accessList.snmp
4358 DEFAULT_IF_NONE: deny all
4361 Allowing or denying access to the SNMP port.
4363 All access to the agent is denied by default.
4366 snmp_access allow|deny [!]aclname ...
4369 snmp_access allow snmppublic localhost
4370 snmp_access deny all
4373 NAME: snmp_incoming_address
4375 LOC: Config.Addrs.snmp_incoming
4380 NAME: snmp_outgoing_address
4382 LOC: Config.Addrs.snmp_outgoing
4383 DEFAULT: 255.255.255.255
4386 Just like 'udp_incoming_address', but for the SNMP port.
4388 snmp_incoming_address is used for the SNMP socket receiving
4389 messages from SNMP agents.
4390 snmp_outgoing_address is used for SNMP packets returned to SNMP
4393 The default snmp_incoming_address (0.0.0.0) is to listen on all
4394 available network interfaces.
4396 If snmp_outgoing_address is set to 255.255.255.255 (the default)
4397 it will use the same socket as snmp_incoming_address. Only
4398 change this if you want to have SNMP replies sent using another
4399 address than where this Squid listens for SNMP queries.
4401 NOTE, snmp_incoming_address and snmp_outgoing_address can not have
4402 the same value since they both use port 3401.
4407 -----------------------------------------------------------------------------
4410 NAME: icp_port udp_port
4413 LOC: Config.Port.icp
4415 The port number where Squid sends and receives ICP queries to
4416 and from neighbor caches. The standard UDP port for ICP is 3130.
4417 Default is disabled (0).
4419 #icp_port @DEFAULT_ICP_PORT@
4427 LOC: Config.Port.htcp
4429 The port number where Squid sends and receives HTCP queries to
4430 and from neighbor caches. To turn it on you want to set it to
4431 4827. By default it is set to "0" (disabled).
4437 NAME: log_icp_queries
4441 LOC: Config.onoff.log_udp
4443 If set, ICP queries are logged to access.log. You may wish
4444 do disable this if your ICP load is VERY high to speed things
4445 up or to simplify log analysis.
4448 NAME: udp_incoming_address
4450 LOC:Config.Addrs.udp_incoming
4453 udp_incoming_address is used for UDP packets received from other
4456 The default behavior is to not bind to any specific address.
4458 Only change this if you want to have all UDP queries received on
4459 a specific interface/address.
4461 NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
4462 modules. Altering it will affect all of them in the same manner.
4464 see also; udp_outgoing_address
4466 NOTE, udp_incoming_address and udp_outgoing_address can not
4467 have the same value since they both use the same port.
4470 NAME: udp_outgoing_address
4472 LOC: Config.Addrs.udp_outgoing
4473 DEFAULT: 255.255.255.255
4475 udp_outgoing_address is used for UDP packets sent out to other
4478 The default behavior is to not bind to any specific address.
4480 Instead it will use the same socket as udp_incoming_address.
4481 Only change this if you want to have UDP queries sent using another
4482 address than where this Squid listens for UDP queries from other
4485 NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
4486 modules. Altering it will affect all of them in the same manner.
4488 see also; udp_incoming_address
4490 NOTE, udp_incoming_address and udp_outgoing_address can not
4491 have the same value since they both use the same port.
4498 LOC: Config.onoff.icp_hit_stale
4500 If you want to return ICP_HIT for stale cache objects, set this
4501 option to 'on'. If you have sibling relationships with caches
4502 in other administrative domains, this should be 'off'. If you only
4503 have sibling relationships with caches under your control,
4504 it is probably okay to set this to 'on'.
4505 If set to 'on', your siblings should use the option "allow-miss"
4506 on their cache_peer lines for connecting to you.
4509 NAME: minimum_direct_hops
4512 LOC: Config.minDirectHops
4514 If using the ICMP pinging stuff, do direct fetches for sites
4515 which are no more than this many hops away.
4518 NAME: minimum_direct_rtt
4521 LOC: Config.minDirectRtt
4523 If using the ICMP pinging stuff, do direct fetches for sites
4524 which are no more than this many rtt milliseconds away.
4530 LOC: Config.Netdb.low
4536 LOC: Config.Netdb.high
4538 The low and high water marks for the ICMP measurement
4539 database. These are counts, not percents. The defaults are
4540 900 and 1000. When the high water mark is reached, database
4541 entries will be deleted until the low mark is reached.
4544 NAME: netdb_ping_period
4546 LOC: Config.Netdb.period
4549 The minimum period for measuring a site. There will be at
4550 least this much delay between successive pings to the same
4551 network. The default is five minutes.
4558 LOC: Config.onoff.query_icmp
4560 If you want to ask your peers to include ICMP data in their ICP
4561 replies, enable this option.
4563 If your peer has configured Squid (during compilation) with
4564 '--enable-icmp' that peer will send ICMP pings to origin server
4565 sites of the URLs it receives. If you enable this option the
4566 ICP replies from that peer will include the ICMP data (if available).
4567 Then, when choosing a parent cache, Squid will choose the parent with
4568 the minimal RTT to the origin server. When this happens, the
4569 hierarchy field of the access.log will be
4570 "CLOSEST_PARENT_MISS". This option is off by default.
4573 NAME: test_reachability
4577 LOC: Config.onoff.test_reachability
4579 When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
4580 instead of ICP_MISS if the target host is NOT in the ICMP
4581 database, or has a zero RTT.
4584 NAME: icp_query_timeout
4588 LOC: Config.Timeout.icp_query
4590 Normally Squid will automatically determine an optimal ICP
4591 query timeout value based on the round-trip-time of recent ICP
4592 queries. If you want to override the value determined by
4593 Squid, set this 'icp_query_timeout' to a non-zero value. This
4594 value is specified in MILLISECONDS, so, to use a 2-second
4595 timeout (the old default), you would write:
4597 icp_query_timeout 2000
4600 NAME: maximum_icp_query_timeout
4604 LOC: Config.Timeout.icp_query_max
4606 Normally the ICP query timeout is determined dynamically. But
4607 sometimes it can lead to very large values (say 5 seconds).
4608 Use this option to put an upper limit on the dynamic timeout
4609 value. Do NOT use this option to always use a fixed (instead
4610 of a dynamic) timeout value. To set a fixed timeout see the
4611 'icp_query_timeout' directive.
4614 NAME: minimum_icp_query_timeout
4618 LOC: Config.Timeout.icp_query_min
4620 Normally the ICP query timeout is determined dynamically. But
4621 sometimes it can lead to very small timeouts, even lower than
4622 the normal latency variance on your link due to traffic.
4623 Use this option to put an lower limit on the dynamic timeout
4624 value. Do NOT use this option to always use a fixed (instead
4625 of a dynamic) timeout value. To set a fixed timeout see the
4626 'icp_query_timeout' directive.
4629 NAME: background_ping_rate
4633 LOC: Config.backgroundPingRate
4635 Controls how often the ICP pings are sent to siblings that
4636 have background-ping set.
4640 MULTICAST ICP OPTIONS
4641 -----------------------------------------------------------------------------
4646 LOC: Config.mcast_group_list
4649 This tag specifies a list of multicast groups which your server
4650 should join to receive multicasted ICP queries.
4652 NOTE! Be very careful what you put here! Be sure you
4653 understand the difference between an ICP _query_ and an ICP
4654 _reply_. This option is to be set only if you want to RECEIVE
4655 multicast queries. Do NOT set this option to SEND multicast
4656 ICP (use cache_peer for that). ICP replies are always sent via
4657 unicast, so this option does not affect whether or not you will
4658 receive replies from multicast group members.
4660 You must be very careful to NOT use a multicast address which
4661 is already in use by another group of caches.
4663 If you are unsure about multicast, please read the Multicast
4664 chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
4666 Usage: mcast_groups 239.128.16.128 224.0.1.20
4668 By default, Squid doesn't listen on any multicast groups.
4671 NAME: mcast_miss_addr
4672 IFDEF: MULTICAST_MISS_STREAM
4674 LOC: Config.mcast_miss.addr
4675 DEFAULT: 255.255.255.255
4677 If you enable this option, every "cache miss" URL will
4678 be sent out on the specified multicast address.
4680 Do not enable this option unless you are are absolutely
4681 certain you understand what you are doing.
4684 NAME: mcast_miss_ttl
4685 IFDEF: MULTICAST_MISS_STREAM
4687 LOC: Config.mcast_miss.ttl
4690 This is the time-to-live value for packets multicasted
4691 when multicasting off cache miss URLs is enabled. By
4692 default this is set to 'site scope', i.e. 16.
4695 NAME: mcast_miss_port
4696 IFDEF: MULTICAST_MISS_STREAM
4698 LOC: Config.mcast_miss.port
4701 This is the port number to be used in conjunction with
4705 NAME: mcast_miss_encode_key
4706 IFDEF: MULTICAST_MISS_STREAM
4708 LOC: Config.mcast_miss.encode_key
4709 DEFAULT: XXXXXXXXXXXXXXXX
4711 The URLs that are sent in the multicast miss stream are
4712 encrypted. This is the encryption key.
4715 NAME: mcast_icp_query_timeout
4719 LOC: Config.Timeout.mcast_icp_query
4721 For multicast peers, Squid regularly sends out ICP "probes" to
4722 count how many other peers are listening on the given multicast
4723 address. This value specifies how long Squid should wait to
4724 count all the replies. The default is 2000 msec, or 2
4729 INTERNAL ICON OPTIONS
4730 -----------------------------------------------------------------------------
4733 NAME: icon_directory
4735 LOC: Config.icons.directory
4736 DEFAULT: @DEFAULT_ICON_DIR@
4738 Where the icons are stored. These are normally kept in
4742 NAME: global_internal_static
4744 LOC: Config.onoff.global_internal_static
4747 This directive controls is Squid should intercept all requests for
4748 /squid-internal-static/ no matter which host the URL is requesting
4749 (default on setting), or if nothing special should be done for
4750 such URLs (off setting). The purpose of this directive is to make
4751 icons etc work better in complex cache hierarchies where it may
4752 not always be possible for all corners in the cache mesh to reach
4753 the server generating a directory listing.
4756 NAME: short_icon_urls
4758 LOC: Config.icons.use_short_names
4761 If this is enabled Squid will use short URLs for icons.
4762 If disabled it will revert to the old behavior of including
4763 it's own name and port in the URL.
4765 If you run a complex cache hierarchy with a mix of Squid and
4766 other proxies you may need to disable this directive.
4771 -----------------------------------------------------------------------------
4774 NAME: error_directory
4776 LOC: Config.errorDirectory
4779 If you wish to create your own versions of the default
4780 error files to customize them to suit your company copy
4781 the error/template files to another directory and point
4784 WARNING: This option will disable multi-language support
4785 on error pages if used.
4787 The squid developers are interested in making squid available in
4788 a wide variety of languages. If you are making translations for a
4789 language that Squid does not currently provide please consider
4790 contributing your translation back to the project.
4791 http://wiki.squid-cache.org/Translations
4793 The squid developers working on translations are happy to supply drop-in
4794 translated error files in exchange for any new language contributions.
4797 NAME: error_default_language
4798 IFDEF: USE_ERR_LOCALES
4800 LOC: Config.errorDefaultLanguage
4803 Set the default language which squid will send error pages in
4804 if no existing translation matches the clients language
4807 If unset (default) generic English will be used.
4809 The squid developers are interested in making squid available in
4810 a wide variety of languages. If you are interested in making
4811 translations for any language see the squid wiki for details.
4812 http://wiki.squid-cache.org/Translations
4815 NAME: error_log_languages
4816 IFDEF: USE_ERR_LOCALES
4818 LOC: Config.errorLogMissingLanguages
4821 Log to cache.log what languages users are attempting to
4822 auto-negotiate for translations.
4824 Successful negotiations are not logged. Only failures
4825 have meaning to indicate that Squid may need an upgrade
4826 of its error page translations.
4829 NAME: err_page_stylesheet
4831 LOC: Config.errorStylesheet
4832 DEFAULT: @DEFAULT_CONFIG_DIR@/errorpage.css
4834 CSS Stylesheet to pattern the display of Squid default error pages.
4836 For information on CSS see http://www.w3.org/Style/CSS/
4841 LOC: Config.errHtmlText
4844 HTML text to include in error messages. Make this a "mailto"
4845 URL to your admin address, or maybe just a link to your
4846 organizations Web page.
4848 To include this in your error messages, you must rewrite
4849 the error template files (found in the "errors" directory).
4850 Wherever you want the 'err_html_text' line to appear,
4851 insert a %L tag in the error template file.
4854 NAME: email_err_data
4857 LOC: Config.onoff.emailErrData
4860 If enabled, information about the occurred error will be
4861 included in the mailto links of the ERR pages (if %W is set)
4862 so that the email body contains the data.
4863 Syntax is <A HREF="mailto:%w%W">%w</A>
4868 LOC: Config.denyInfoList
4871 Usage: deny_info err_page_name acl
4872 or deny_info http://... acl
4873 or deny_info TCP_RESET acl
4875 This can be used to return a ERR_ page for requests which
4876 do not pass the 'http_access' rules. Squid remembers the last
4877 acl it evaluated in http_access, and if a 'deny_info' line exists
4878 for that ACL Squid returns a corresponding error page.
4880 The acl is typically the last acl on the http_access deny line which
4881 denied access. The exceptions to this rule are:
4882 - When Squid needs to request authentication credentials. It's then
4883 the first authentication related acl encountered
4884 - When none of the http_access lines matches. It's then the last
4885 acl processed on the last http_access line.
4887 NP: If providing your own custom error pages with error_directory
4888 you may also specify them by your custom file name:
4889 Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
4891 Alternatively you can specify an error URL. The browsers will
4892 get redirected (302) to the specified URL. %s in the redirection
4893 URL will be replaced by the requested URL.
4895 Alternatively you can tell Squid to reset the TCP connection
4896 by specifying TCP_RESET.
4900 OPTIONS INFLUENCING REQUEST FORWARDING
4901 -----------------------------------------------------------------------------
4904 NAME: nonhierarchical_direct
4906 LOC: Config.onoff.nonhierarchical_direct
4909 By default, Squid will send any non-hierarchical requests
4910 (matching hierarchy_stoplist or not cacheable request type) direct
4913 If you set this to off, Squid will prefer to send these
4914 requests to parents.
4916 Note that in most configurations, by turning this off you will only
4917 add latency to these request without any improvement in global hit
4920 If you are inside an firewall see never_direct instead of
4926 LOC: Config.onoff.prefer_direct
4929 Normally Squid tries to use parents for most requests. If you for some
4930 reason like it to first try going direct and only use a parent if
4931 going direct fails set this to on.
4933 By combining nonhierarchical_direct off and prefer_direct on you
4934 can set up Squid to use a parent as a backup path if going direct
4937 Note: If you want Squid to use parents for all requests see
4938 the never_direct directive. prefer_direct only modifies how Squid
4939 acts on cacheable requests.
4944 LOC: Config.accessList.AlwaysDirect
4947 Usage: always_direct allow|deny [!]aclname ...
4949 Here you can use ACL elements to specify requests which should
4950 ALWAYS be forwarded by Squid to the origin servers without using
4951 any peers. For example, to always directly forward requests for
4952 local servers ignoring any parents or siblings you may have use
4955 acl local-servers dstdomain my.domain.net
4956 always_direct allow local-servers
4958 To always forward FTP requests directly, use
4961 always_direct allow FTP
4963 NOTE: There is a similar, but opposite option named
4964 'never_direct'. You need to be aware that "always_direct deny
4965 foo" is NOT the same thing as "never_direct allow foo". You
4966 may need to use a deny rule to exclude a more-specific case of
4967 some other rule. Example:
4969 acl local-external dstdomain external.foo.net
4970 acl local-servers dstdomain .foo.net
4971 always_direct deny local-external
4972 always_direct allow local-servers
4974 NOTE: If your goal is to make the client forward the request
4975 directly to the origin server bypassing Squid then this needs
4976 to be done in the client configuration. Squid configuration
4977 can only tell Squid how Squid should fetch the object.
4979 NOTE: This directive is not related to caching. The replies
4980 is cached as usual even if you use always_direct. To not cache
4981 the replies see no_cache.
4983 This option replaces some v1.1 options such as local_domain
4989 LOC: Config.accessList.NeverDirect
4992 Usage: never_direct allow|deny [!]aclname ...
4994 never_direct is the opposite of always_direct. Please read
4995 the description for always_direct if you have not already.
4997 With 'never_direct' you can use ACL elements to specify
4998 requests which should NEVER be forwarded directly to origin
4999 servers. For example, to force the use of a proxy for all
5000 requests, except those in your local domain use something like:
5002 acl local-servers dstdomain .foo.net
5003 never_direct deny local-servers
5004 never_direct allow all
5006 or if Squid is inside a firewall and there are local intranet
5007 servers inside the firewall use something like:
5009 acl local-intranet dstdomain .foo.net
5010 acl local-external dstdomain external.foo.net
5011 always_direct deny local-external
5012 always_direct allow local-intranet
5013 never_direct allow all
5015 This option replaces some v1.1 options such as inside_firewall
5020 ADVANCED NETWORKING OPTIONS
5021 -----------------------------------------------------------------------------
5024 NAME: incoming_icp_average
5027 LOC: Config.comm_incoming.icp_average
5030 NAME: incoming_http_average
5033 LOC: Config.comm_incoming.http_average
5036 NAME: incoming_dns_average
5039 LOC: Config.comm_incoming.dns_average
5042 NAME: min_icp_poll_cnt
5045 LOC: Config.comm_incoming.icp_min_poll
5048 NAME: min_dns_poll_cnt
5051 LOC: Config.comm_incoming.dns_min_poll
5054 NAME: min_http_poll_cnt
5057 LOC: Config.comm_incoming.http_min_poll
5059 Heavy voodoo here. I can't even believe you are reading this.
5060 Are you crazy? Don't even think about adjusting these unless
5061 you understand the algorithms in comm_select.c first!
5067 LOC: Config.accept_filter
5071 The name of an accept(2) filter to install on Squid's
5072 listen socket(s). This feature is perhaps specific to
5073 FreeBSD and requires support in the kernel.
5075 The 'httpready' filter delays delivering new connections
5076 to Squid until a full HTTP request has been received.
5077 See the accf_http(9) man page for details.
5079 The 'dataready' filter delays delivering new connections
5080 to Squid until there is some data to process.
5081 See the accf_dataready(9) man page for details.
5085 The 'data' filter delays delivering of new connections
5086 to Squid until there is some data to process by TCP_ACCEPT_DEFER.
5087 You may optionally specify a number of seconds to wait by
5088 'data=N' where N is the number of seconds. Defaults to 30
5089 if not specified. See the tcp(7) man page for details.
5092 accept_filter httpready
5097 NAME: tcp_recv_bufsize
5101 LOC: Config.tcpRcvBufsz
5103 Size of receive buffer to set for TCP sockets. Probably just
5104 as easy to change your kernel's default. Set to zero to use
5105 the default buffer size.
5110 -----------------------------------------------------------------------------
5117 LOC: TheICAPConfig.onoff
5120 If you want to enable the ICAP module support, set this to on.
5123 NAME: icap_connect_timeout
5126 LOC: TheICAPConfig.connect_timeout_raw
5129 This parameter specifies how long to wait for the TCP connect to
5130 the requested ICAP server to complete before giving up and either
5131 terminating the HTTP transaction or bypassing the failure.
5133 The default for optional services is peer_connect_timeout.
5134 The default for essential services is connect_timeout.
5135 If this option is explicitly set, its value applies to all services.
5138 NAME: icap_io_timeout
5142 LOC: TheICAPConfig.io_timeout_raw
5145 This parameter specifies how long to wait for an I/O activity on
5146 an established, active ICAP connection before giving up and
5147 either terminating the HTTP transaction or bypassing the
5150 The default is read_timeout.
5153 NAME: icap_service_failure_limit
5156 LOC: TheICAPConfig.service_failure_limit
5159 The limit specifies the number of failures that Squid tolerates
5160 when establishing a new TCP connection with an ICAP service. If
5161 the number of failures exceeds the limit, the ICAP service is
5162 not used for new ICAP requests until it is time to refresh its
5163 OPTIONS. The per-service failure counter is reset to zero each
5164 time Squid fetches new service OPTIONS.
5166 A negative value disables the limit. Without the limit, an ICAP
5167 service will not be considered down due to connectivity failures
5168 between ICAP OPTIONS requests.
5171 NAME: icap_service_revival_delay
5174 LOC: TheICAPConfig.service_revival_delay
5177 The delay specifies the number of seconds to wait after an ICAP
5178 OPTIONS request failure before requesting the options again. The
5179 failed ICAP service is considered "down" until fresh OPTIONS are
5182 The actual delay cannot be smaller than the hardcoded minimum
5183 delay of 30 seconds.
5186 NAME: icap_preview_enable
5190 LOC: TheICAPConfig.preview_enable
5193 The ICAP Preview feature allows the ICAP server to handle the
5194 HTTP message by looking only at the beginning of the message body
5195 or even without receiving the body at all. In some environments,
5196 previews greatly speedup ICAP processing.
5198 During an ICAP OPTIONS transaction, the server may tell Squid what
5199 HTTP messages should be previewed and how big the preview should be.
5200 Squid will not use Preview if the server did not request one.
5202 To disable ICAP Preview for all ICAP services, regardless of
5203 individual ICAP server OPTIONS responses, set this option to "off".
5205 icap_preview_enable off
5208 NAME: icap_preview_size
5211 LOC: TheICAPConfig.preview_size
5214 The default size of preview data to be sent to the ICAP server.
5215 -1 means no preview. This value might be overwritten on a per server
5216 basis by OPTIONS requests.
5219 NAME: icap_default_options_ttl
5222 LOC: TheICAPConfig.default_options_ttl
5225 The default TTL value for ICAP OPTIONS responses that don't have
5226 an Options-TTL header.
5229 NAME: icap_persistent_connections
5233 LOC: TheICAPConfig.reuse_connections
5236 Whether or not Squid should use persistent connections to
5240 NAME: icap_send_client_ip
5244 LOC: TheICAPConfig.send_client_ip
5247 This adds the header "X-Client-IP" to ICAP requests.
5250 NAME: icap_send_client_username
5254 LOC: TheICAPConfig.send_client_username
5257 This sends authenticated HTTP client username (if available) to
5258 the ICAP service. The username value is encoded based on the
5259 icap_client_username_encode option and is sent using the header
5260 specified by the icap_client_username_header option.
5263 NAME: icap_client_username_header
5266 LOC: TheICAPConfig.client_username_header
5267 DEFAULT: X-Client-Username
5269 ICAP request header name to use for send_client_username.
5272 NAME: icap_client_username_encode
5276 LOC: TheICAPConfig.client_username_encode
5279 Whether to base64 encode the authenticated client username.
5283 TYPE: icap_service_type
5288 Defines a single ICAP service
5290 icap_service servicename vectoring_point bypass service_url
5292 vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
5293 This specifies at which point of transaction processing the
5294 ICAP service should be activated. *_postcache vectoring points
5295 are not yet supported.
5297 If set to 1, the ICAP service is treated as optional. If the
5298 service cannot be reached or malfunctions, Squid will try to
5299 ignore any errors and process the message as if the service
5300 was not enabled. No all ICAP errors can be bypassed.
5301 If set to 0, the ICAP service is treated as essential and all
5302 ICAP errors will result in an error page returned to the
5304 service_url = icap://servername:port/service
5307 icap_service service_1 reqmod_precache 0 icap://icap1.mydomain.net:1344/reqmod
5308 icap_service service_2 respmod_precache 0 icap://icap2.mydomain.net:1344/respmod
5312 TYPE: icap_class_type
5317 This depricated option was documented to define an ICAP service
5318 chain, even though it actually defined a set of similar, redundant
5319 services, and the chains were not supported.
5321 To define a set of redundant services, please use the
5322 adaptation_service_set directive.
5324 If you need adaptation service chains, patches or sponsorship
5329 TYPE: icap_access_type
5334 This option is depricated. Please use adaptation_access, which
5335 has the same ICAP functionality, but comes with better
5336 documentation, and eCAP support.
5341 -----------------------------------------------------------------------------
5348 LOC: Ecap::TheConfig.onoff
5351 Controls whether eCAP support is enabled.
5355 TYPE: ecap_service_type
5357 LOC: Ecap::TheConfig
5360 Defines a single eCAP service
5362 ecap_service servicename vectoring_point bypass service_url
5364 vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
5365 This specifies at which point of transaction processing the
5366 eCAP service should be activated. *_postcache vectoring points
5367 are not yet supported.
5369 If set to 1, the eCAP service is treated as optional. If the
5370 service cannot be reached or malfunctions, Squid will try to
5371 ignore any errors and process the message as if the service
5372 was not enabled. No all eCAP errors can be bypassed.
5373 If set to 0, the eCAP service is treated as essential and all
5374 eCAP errors will result in an error page returned to the
5376 service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional
5379 ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
5380 ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
5383 NAME: loadable_modules
5385 IFDEF: USE_LOADABLE_MODULES
5386 LOC: Config.loadable_module_names
5389 Instructs Squid to load the specified dynamic module(s) or activate
5390 preloaded module(s).
5392 loadable_modules @DEFAULT_PREFIX@/lib/MinimalAdapter.so
5396 MESSAGE ADAPTATION OPTIONS
5397 -----------------------------------------------------------------------------
5400 NAME: adaptation_service_set
5401 TYPE: adaptation_service_set_type
5402 IFDEF: USE_ADAPTATION
5407 Defines a named adaptation service set. The set is populated in
5408 the order of adaptation_service_set directives in this file.
5409 When adaptation ACLs are processed, the first and only the first
5410 applicable adaptation service from the set will be used. Thus,
5411 the set should group similar, redundant services, rather than a
5412 chain of complementary services.
5414 If you have a single adaptation service, you do not need to
5415 define a set containing it because adaptation_access accepts
5418 See also: adaptation_access
5421 adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
5422 adaptation service_set svcLogger loggerLocal loggerRemote
5425 NAME: adaptation_access
5426 TYPE: adaptation_access_type
5427 IFDEF: USE_ADAPTATION
5431 Sends an HTTP transaction to an ICAP or eCAP adaptation service.
5433 adaptation_access service_name allow|deny [!]aclname...
5434 adaptation_access set_name allow|deny [!]aclname...
5436 At each supported vectoring point, the adaptation_access
5437 statements are processed in the order they appear in this
5438 configuration file. Statements pointing to the following services
5439 are ignored (i.e., skipped without checking their ACL):
5441 - services serving different vectoring points
5442 - "broken-but-bypassable" services
5443 - "up" services configured to ignore such transactions
5444 (e.g., based on the ICAP Transfer-Ignore header).
5446 When a set_name is used, all services in the set are checked
5447 using the same rules, to find the first applicable one. See
5448 adaptation_service_set for details.
5450 If an access list is checked and there is a match, the
5451 processing stops: For an "allow" rule, the corresponding
5452 adaptation service is used for the transaction. For a "deny"
5453 rule, no adaptation service is activated.
5455 It is currently not possible to apply more than one adaptation
5456 service at the same vectoring point to the same HTTP transaction.
5458 See also: icap_service and ecap_service
5461 adaptation_access service_1 allow all
5466 -----------------------------------------------------------------------------
5469 NAME: check_hostnames
5472 LOC: Config.onoff.check_hostnames
5474 For security and stability reasons Squid can check
5475 hostnames for Internet standard RFC compliance. If you want
5476 Squid to perform these checks turn this directive on.
5479 NAME: allow_underscore
5482 LOC: Config.onoff.allow_underscore
5484 Underscore characters is not strictly allowed in Internet hostnames
5485 but nevertheless used by many sites. Set this to off if you want
5486 Squid to be strict about the standard.
5487 This check is performed only when check_hostnames is set to on.
5490 NAME: cache_dns_program
5492 IFDEF: USE_DNSSERVERS
5493 DEFAULT: @DEFAULT_DNSSERVER@
5494 LOC: Config.Program.dnsserver
5496 Specify the location of the executable for dnslookup process.
5501 IFDEF: USE_DNSSERVERS
5503 LOC: Config.dnsChildren
5505 The number of processes spawn to service DNS name lookups.
5506 For heavily loaded caches on large servers, you should
5507 probably increase this value to at least 10. The maximum
5508 is 32. The default is 5.
5510 You must have at least one dnsserver process.
5513 NAME: dns_retransmit_interval
5516 LOC: Config.Timeout.idns_retransmit
5517 IFDEF: !USE_DNSSERVERS
5519 Initial retransmit interval for DNS queries. The interval is
5520 doubled each time all configured DNS servers have been tried.
5527 LOC: Config.Timeout.idns_query
5528 IFDEF: !USE_DNSSERVERS
5530 DNS Query timeout. If no response is received to a DNS query
5531 within this time all DNS servers for the queried domain
5532 are assumed to be unavailable.
5539 LOC: Config.onoff.res_defnames
5541 Normally the RES_DEFNAMES resolver option is disabled
5542 (see res_init(3)). This prevents caches in a hierarchy
5543 from interpreting single-component hostnames locally. To allow
5544 Squid to handle single-component names, enable this option.
5547 NAME: dns_nameservers
5550 LOC: Config.dns_nameservers
5552 Use this if you want to specify a list of DNS name servers
5553 (IP addresses) to use instead of those given in your
5554 /etc/resolv.conf file.
5555 On Windows platforms, if no value is specified here or in
5556 the /etc/resolv.conf file, the list of DNS name servers are
5557 taken from the Windows registry, both static and dynamic DHCP
5558 configurations are supported.
5560 Example: dns_nameservers 10.0.0.1 192.172.0.4
5565 DEFAULT: @DEFAULT_HOSTS@
5566 LOC: Config.etcHostsPath
5568 Location of the host-local IP name-address associations
5569 database. Most Operating Systems have such a file on different
5571 - Un*X & Linux: /etc/hosts
5572 - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
5573 (%SystemRoot% value install default is c:\winnt)
5574 - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
5575 (%SystemRoot% value install default is c:\windows)
5576 - Windows 9x/Me: %windir%\hosts
5577 (%windir% value is usually c:\windows)
5578 - Cygwin: /etc/hosts
5580 The file contains newline-separated definitions, in the
5581 form ip_address_in_dotted_form name [name ...] names are
5582 whitespace-separated. Lines beginning with an hash (#)
5583 character are comments.
5585 The file is checked at startup and upon configuration.
5586 If set to 'none', it won't be checked.
5587 If append_domain is used, that domain will be added to
5588 domain-local (i.e. not containing any dot character) host
5594 LOC: Config.appendDomain
5597 Appends local domain name to hostnames without any dots in
5598 them. append_domain must begin with a period.
5600 Be warned there are now Internet names with no dots in
5601 them using only top-domain names, so setting this may
5602 cause some Internet sites to become unavailable.
5605 append_domain .yourdomain.com
5608 NAME: ignore_unknown_nameservers
5610 LOC: Config.onoff.ignore_unknown_nameservers
5613 By default Squid checks that DNS responses are received
5614 from the same IP addresses they are sent to. If they
5615 don't match, Squid ignores the response and writes a warning
5616 message to cache.log. You can allow responses from unknown
5617 nameservers by setting this option to 'off'.
5620 NAME: dns_v4_fallback
5623 LOC: Config.onoff.dns_require_A
5625 Standard practice with DNS is to lookup either A or AAAA records
5626 and use the results if it succeeds. Only looking up the other if
5627 the first attempt fails or otherwise produces no results.
5629 That policy however will cause squid to produce error pages for some
5630 servers that advertise AAAA but are unreachable over IPv6.
5632 If this is ON squid will always lookup both AAAA and A, using both.
5633 If this is OFF squid will lookup AAAA and only try A if none found.
5635 WARNING: There are some possibly unwanted side-effects with this on:
5636 *) Doubles the load placed by squid on the DNS network.
5637 *) May negatively impact connection delay times.
5641 COMMENT: (number of entries)
5644 LOC: Config.ipcache.size
5651 LOC: Config.ipcache.low
5658 LOC: Config.ipcache.high
5660 The size, low-, and high-water marks for the IP cache.
5663 NAME: fqdncache_size
5664 COMMENT: (number of entries)
5667 LOC: Config.fqdncache.size
5669 Maximum number of FQDN cache entries.
5674 -----------------------------------------------------------------------------
5681 LOC: Config.onoff.mem_pools
5683 If set, Squid will keep pools of allocated (but unused) memory
5684 available for future use. If memory is a premium on your
5685 system and you believe your malloc library outperforms Squid
5686 routines, disable this.
5689 NAME: memory_pools_limit
5693 LOC: Config.MemPools.limit
5695 Used only with memory_pools on:
5696 memory_pools_limit 50 MB
5698 If set to a non-zero value, Squid will keep at most the specified
5699 limit of allocated (but unused) memory in memory pools. All free()
5700 requests that exceed this limit will be handled by your malloc
5701 library. Squid does not pre-allocate any memory, just safe-keeps
5702 objects that otherwise would be free()d. Thus, it is safe to set
5703 memory_pools_limit to a reasonably high value even if your
5704 configuration will use less memory.
5706 If set to zero, Squid will keep all memory it can. That is, there
5707 will be no limit on the total amount of memory used for safe-keeping.
5709 To disable memory allocation optimization, do not set
5710 memory_pools_limit to 0. Set memory_pools to "off" instead.
5712 An overhead for maintaining memory pools is not taken into account
5713 when the limit is checked. This overhead is close to four bytes per
5714 object kept. However, pools may actually _save_ memory because of
5715 reduced memory thrashing in your malloc library.
5719 COMMENT: on|off|transparent|truncate|delete
5722 LOC: opt_forwarded_for
5724 If set to "on", Squid will append your client's IP address
5725 in the HTTP requests it forwards. By default it looks like:
5727 X-Forwarded-For: 192.1.2.3
5729 If set to "off", it will appear as
5731 X-Forwarded-For: unknown
5733 If set to "transparent", Squid will not alter the
5734 X-Forwarded-For header in any way.
5736 If set to "delete", Squid will delete the entire
5737 X-Forwarded-For header.
5739 If set to "truncate", Squid will remove all existing
5740 X-Forwarded-For entries, and place itself as the sole entry.
5743 NAME: cachemgr_passwd
5744 TYPE: cachemgrpasswd
5746 LOC: Config.passwd_list
5748 Specify passwords for cachemgr operations.
5750 Usage: cachemgr_passwd password action action ...
5752 Some valid actions are (see cache manager menu for a full list):
5792 * Indicates actions which will not be performed without a
5793 valid password, others can be performed if not listed here.
5795 To disable an action, set the password to "disable".
5796 To allow performing an action without a password, set the
5799 Use the keyword "all" to set the same password for all actions.
5802 cachemgr_passwd secret shutdown
5803 cachemgr_passwd lesssssssecret info stats/objects
5804 cachemgr_passwd disable all
5811 LOC: Config.onoff.client_db
5813 If you want to disable collecting per-client statistics,
5814 turn off client_db here.
5817 NAME: refresh_all_ims
5821 LOC: Config.onoff.refresh_all_ims
5823 When you enable this option, squid will always check
5824 the origin server for an update when a client sends an
5825 If-Modified-Since request. Many browsers use IMS
5826 requests when the user requests a reload, and this
5827 ensures those clients receive the latest version.
5829 By default (off), squid may return a Not Modified response
5830 based on the age of the cached version.
5833 NAME: reload_into_ims
5834 IFDEF: HTTP_VIOLATIONS
5838 LOC: Config.onoff.reload_into_ims
5840 When you enable this option, client no-cache or ``reload''
5841 requests will be changed to If-Modified-Since requests.
5842 Doing this VIOLATES the HTTP standard. Enabling this
5843 feature could make you liable for problems which it
5846 see also refresh_pattern for a more selective approach.
5849 NAME: maximum_single_addr_tries
5851 LOC: Config.retry.maxtries
5854 This sets the maximum number of connection attempts for a
5855 host that only has one address (for multiple-address hosts,
5856 each address is tried once).
5858 The default value is one attempt, the (not recommended)
5859 maximum is 255 tries. A warning message will be generated
5860 if it is set to a value greater than ten.
5862 Note: This is in addition to the request re-forwarding which
5863 takes place if Squid fails to get a satisfying response.
5866 NAME: retry_on_error
5868 LOC: Config.retry.onerror
5871 If set to on Squid will automatically retry requests when
5872 receiving an error response. This is mainly useful if you
5873 are in a complex cache hierarchy to work around access
5877 NAME: as_whois_server
5879 LOC: Config.as_whois_server
5880 DEFAULT: whois.ra.net
5881 DEFAULT_IF_NONE: whois.ra.net
5883 WHOIS server to query for AS numbers. NOTE: AS numbers are
5884 queried only when Squid starts up, not for every request.
5889 LOC: Config.onoff.offline
5892 Enable this option and Squid will never try to validate cached
5896 NAME: uri_whitespace
5897 TYPE: uri_whitespace
5898 LOC: Config.uri_whitespace
5901 What to do with requests that have whitespace characters in the
5904 strip: The whitespace characters are stripped out of the URL.
5905 This is the behavior recommended by RFC2396.
5906 deny: The request is denied. The user receives an "Invalid
5908 allow: The request is allowed and the URI is not changed. The
5909 whitespace characters remain in the URI. Note the
5910 whitespace is passed to redirector processes if they
5912 encode: The request is allowed and the whitespace characters are
5913 encoded according to RFC1738. This could be considered
5914 a violation of the HTTP/1.1
5915 RFC because proxies are not allowed to rewrite URI's.
5916 chop: The request is allowed and the URI is chopped at the
5917 first whitespace. This might also be considered a
5923 LOC: Config.coredump_dir
5925 DEFAULT_IF_NONE: none
5927 By default Squid leaves core files in the directory from where
5928 it was started. If you set 'coredump_dir' to a directory
5929 that exists, Squid will chdir() to that directory at startup
5930 and coredump files will be left there.
5933 # Leave coredumps in the first cache dir
5934 coredump_dir @DEFAULT_SWAP_DIR@
5940 LOC: Config.chroot_dir
5943 Use this to have Squid do a chroot() while initializing. This
5944 also causes Squid to fully drop root privileges after
5945 initializing. This means, for example, if you use a HTTP
5946 port less than 1024 and try to reconfigure, you will may get an
5947 error saying that Squid can not open the port.
5950 NAME: balance_on_multiple_ip
5952 LOC: Config.onoff.balance_on_multiple_ip
5955 Modern IP resolvers in squid sort lookup results by preferred access.
5956 By default squid will use these IP in order and only rotates to
5957 the next listed when the most preffered fails.
5959 Some load balancing servers based on round robin DNS have been
5960 found not to preserve user session state across requests
5961 to different IP addresses.
5963 Enabling this directive Squid rotates IP's per request.
5966 NAME: pipeline_prefetch
5968 LOC: Config.onoff.pipeline_prefetch
5971 To boost the performance of pipelined requests to closer
5972 match that of a non-proxied environment Squid can try to fetch
5973 up to two requests in parallel from a pipeline.
5975 Defaults to off for bandwidth management and access logging
5979 NAME: high_response_time_warning
5982 LOC: Config.warnings.high_rptm
5985 If the one-minute median response time exceeds this value,
5986 Squid prints a WARNING with debug level 0 to get the
5987 administrators attention. The value is in milliseconds.
5990 NAME: high_page_fault_warning
5992 LOC: Config.warnings.high_pf
5995 If the one-minute average page fault rate exceeds this
5996 value, Squid prints a WARNING with debug level 0 to get
5997 the administrators attention. The value is in page faults
6001 NAME: high_memory_warning
6003 LOC: Config.warnings.high_memory
6006 If the memory usage (as determined by mallinfo) exceeds
6007 this amount, Squid prints a WARNING with debug level 0 to get
6008 the administrators attention.
6011 NAME: sleep_after_fork
6012 COMMENT: (microseconds)
6014 LOC: Config.sleep_after_fork
6017 When this is set to a non-zero value, the main Squid process
6018 sleeps the specified number of microseconds after a fork()
6019 system call. This sleep may help the situation where your
6020 system reports fork() failures due to lack of (virtual)
6021 memory. Note, however, if you have a lot of child
6022 processes, these sleep delays will add up and your
6023 Squid will not service requests for some amount of time
6024 until all the child processes have been started.
6025 On Windows value less then 1000 (1 milliseconds) are
6029 NAME: windows_ipaddrchangemonitor
6033 LOC: Config.onoff.WIN32_IpAddrChangeMonitor
6035 On Windows Squid by default will monitor IP address changes and will
6036 reconfigure itself after any detected event. This is very useful for
6037 proxies connected to internet with dial-up interfaces.
6038 In some cases (a Proxy server acting as VPN gateway is one) it could be
6039 desiderable to disable this behaviour setting this to 'off'.
6040 Note: after changing this, Squid service must be restarted.