6 This is the default squid configuration file. You may wish
7 to look at http://cache.is.co.za/squid/ for documentation,
8 or the squid home page (http://squid.nlanr.net/) for the FAQ
14 -----------------------------------------------------------------------------
17 NAME: http_port ascii_port
23 The port number where squid will listen for HTTP client
24 requests. Default is 3128, for httpd-accel mode use port 80.
25 May be overridden with -a on the command line.
27 You may specify multiple ports here, but they MUST all be on
34 NAME: icp_port udp_port
39 The port number where squid sends and receives ICP requests to
40 and from neighbor caches. Default is 3130. To disable use
41 "0". May be overridden with -u on the command line.
49 LOC: Config.mcast_group_list
52 This tag specifies a list of multicast groups which your
53 server should join to receive multicasted ICP requests.
55 NOTE! Be very careful what you put here! Be sure you
56 understand the difference between an ICP _query_ and an ICP
57 _reply_. This option is to be set only if you want to RECEIVE
58 multicast queries. Do NOT set this option to SEND multicast
59 ICP (use cache_peer for that). ICP replies are always sent via
60 unicast, so this option does not affect whether or not you will
61 receive replies from multicast group members.
63 You must be very careful to NOT use a multicast address which
64 is already in use by another group of caches. NLANR has been
65 assigned a block of multicast address space for use in Web
66 Caching. Please write to us at nlanr-cache@nlanr.net to receive
67 an address for your own use.
69 Usage: mcast_groups 239.128.16.128 224.0.1.20
71 By default, squid doesn't listen on any multicast groups.
73 mcast_groups 239.128.16.128
77 NAME: tcp_incoming_address bind_address
79 LOC: Config.Addrs.tcp_incoming
83 NAME: tcp_outgoing_address outbound_address
85 LOC: Config.Addrs.tcp_outgoing
86 DEFAULT: 255.255.255.255
89 NAME: udp_incoming_address
91 LOC:Config.Addrs.udp_incoming
95 NAME: udp_outgoing_address
97 LOC: Config.Addrs.udp_outgoing
98 DEFAULT: 255.255.255.255
100 Usage: tcp_incoming_address 10.20.30.40
101 udp_outgoing_address fully.qualified.domain.name
103 tcp_incoming_address is used for the HTTP socket which accepts
104 connections from clients and other caches.
105 tcp_outgoing_address is used for connections made to remote
106 servers and other caches.
107 udp_incoming_address is used for the ICP socket receiving packets
109 udp_outgoing_address is used for ICP packets sent out to other
112 The default behaviour is to not bind to any specific address.
114 NOTE, udp_incoming_address and udp_outgoing_address can not have
115 the same value since they both use port 3130.
117 tcp_incoming_address 0.0.0.0
118 tcp_outgoing_address 0.0.0.0
119 udp_incoming_address 0.0.0.0
120 udp_outgoing_address 0.0.0.0
124 OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
125 -----------------------------------------------------------------------------
133 To specify other caches in a hierarchy, use the format:
135 hostname type http_port icp_port
140 # hostname type port port options
141 # -------------------- -------- ----- ----- -----------
142 cache_peer bigserver.usc.edu parent 3128 3130 [proxy-only]
143 cache_peer littleguy1.usc.edu sibling 3128 3130 [proxy-only]
144 cache_peer littleguy2.usc.edu sibling 3128 3130 [proxy-only]
146 type: either 'parent', 'sibling', or 'multicast'.
148 proxy_port: The port number where the cache listens for proxy
151 icp_port: Used for querying neighbor caches about
152 objects. To have a non-ICP neighbor
153 specify '7' for the ICP port and make sure the
154 neighbor machine has the UDP echo port
155 enabled in its /etc/inetd.conf file.
166 use 'proxy-only' to specify that objects fetched
167 from this cache should not be saved locally.
169 use 'weight=n' to specify a weighted parent.
170 The weight must be an integer. The default weight
171 is 1, larger weights are favored more.
173 use 'ttl=n' to specify a IP multicast TTL to use
174 when sending an ICP request to this address.
175 Only useful when sending to a multicast group.
176 Because we don't accept ICP replies from random
177 hosts, you must configure other group members as
178 peers with the 'multicast-responder' option below.
180 use 'no-query' to NOT send ICP queries to this
183 use 'default' if this is a parent cache which can
184 be used as a "last-resort." You should probably
185 only use 'default' in situations where you cannot
186 use ICP with your parent cache(s).
188 use 'round-robin' to define a set of parents which
189 should be used in a round-robin fashion in the
190 absence of any ICP queries.
192 'multicast-responder' indicates that the named peer
193 is a member of a multicast group. ICP queries will
194 not be sent directly to the peer, but ICP replies
195 will be accepted from it.
197 'closest-only' indicates that, for ICP_OP_MISS
198 replies, we'll only forward CLOSEST_PARENT_MISSes
199 and never FIRST_PARENT_MISSes.
201 NOTE: non-ICP neighbors must be specified as 'parent'.
203 cache_peer hostname type 3128 3130
207 NAME: cache_host_domain
212 Use to limit the domains for which a neighbor cache will be queried.
215 cache_host_domain cache-host domain [domain ...]
216 cache_host_domain cache-host !domain
218 For example, specifying
220 cache_host_domain bigserver.usc.edu .edu
222 has the effect that UDP query packets are sent to
223 'bigserver' only when the requested object exists on a
224 server in the .edu domain. Prefixing the domainname
225 with '!' means that the cache will be queried for objects
228 NOTE: * Any number of domains may be given for a cache-host,
229 either on the same or separate lines.
230 * When multiple domains are given for a particular
231 cache-host, the first matched domain is applied.
232 * Cache hosts with no domain restrictions are queried
234 * There are no defaults.
235 * There is also a 'cache_host_acl' tag in the ACL
240 NAME: neighbor_type_domain
245 usage: neighbor_type_domain parent|sibling domain domain ...
247 Modifying the neighbor type for specific domains is now
248 possible. You can treat some domains differently than the
249 default neighbor type specified on the 'cache_peer' line.
250 Normally it should only be necessary to list domains which
251 should be treated differently because the default neighbor type
252 applies for hostnames which do not match domains listed here.
255 cache_peer cache.foo.org parent 3128 3130
256 neighbor_type_domain cache.foo.org sibling .com .net
257 neighbor_type_domain cache.foo.org sibling .au .de
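The two tags above decide which neighbours receive an ICP query for a given URL host and what type they count as. The following is an added example, not Squid's own code: it parses constructed cache_peer, cache_host_domain and neighbor_type_domain lines (using the host names from the comments above) and applies the rules as stated: the first matching domain wins, a '!' domain suppresses the query, hosts with no restrictions are queried for everything, and the first matching neighbor_type_domain entry overrides the peer type. When rules exist but none matches, the code assumes the same "opposite of the last entry" convention the access lists use; that is an assumption, not something this page states.

```python
from dataclasses import dataclass, field


@dataclass
class Peer:
    host: str
    ptype: str                                          # type from the cache_peer line
    domain_rules: list = field(default_factory=list)    # (domain, query?) from cache_host_domain
    type_rules: list = field(default_factory=list)      # (domain, type) from neighbor_type_domain


def parse_peer_config(lines):
    """Collect cache_peer, cache_host_domain and neighbor_type_domain lines."""
    peers = {}
    for raw in lines:
        parts = raw.split('#', 1)[0].split()
        if not parts:
            continue
        tag, args = parts[0], parts[1:]
        if tag == 'cache_peer':
            peers[args[0]] = Peer(host=args[0], ptype=args[1])
        elif tag == 'cache_host_domain':
            for dom in args[1:]:
                # '!domain' means: do NOT query this peer for objects in that domain
                peers[args[0]].domain_rules.append((dom.lstrip('!'), not dom.startswith('!')))
        elif tag == 'neighbor_type_domain':
            for dom in args[2:]:
                peers[args[0]].type_rules.append((dom, args[1]))
    return list(peers.values())


def host_in_domain(url_host, domain):
    """'.edu' matches any host under .edu; 'foo.com' matches itself and its subdomains."""
    url_host, domain = url_host.lower(), domain.lower()
    if domain.startswith('.'):
        return url_host.endswith(domain) or url_host == domain[1:]
    return url_host == domain or url_host.endswith('.' + domain)


def peers_to_query(peers, url_host):
    """Return [(host, effective_type)] for the peers that would get an ICP query."""
    chosen = []
    for p in peers:
        queried = True                      # no restrictions: queried for all requests
        for domain, allow in p.domain_rules:
            if host_in_domain(url_host, domain):
                queried = allow             # first matched domain is applied
                break
            queried = not allow             # ASSUMPTION: no match -> opposite of last rule
        if not queried:
            continue
        ptype = p.ptype
        for domain, newtype in p.type_rules:
            if host_in_domain(url_host, domain):
                ptype = newtype             # first matched neighbor_type_domain wins
                break
        chosen.append((p.host, ptype))
    return chosen


# Constructed sample configuration (host names taken from the comments above).
SAMPLE_PEER_CONFIG = """
cache_peer bigserver.usc.edu parent 3128 3130
cache_peer cache.foo.org parent 3128 3130
cache_peer littleguy1.usc.edu sibling 3128 3130
cache_host_domain bigserver.usc.edu .edu
cache_host_domain cache.foo.org !.usc.edu
neighbor_type_domain cache.foo.org sibling .com .net
""".splitlines()
PEERS = parse_peer_config(SAMPLE_PEER_CONFIG)

if __name__ == '__main__':
    for host in ('www.mit.edu', 'www.cnn.com', 'www.usc.edu'):
        print(host, '->', peers_to_query(PEERS, host))
```

Running it shows that bigserver is asked only about .edu hosts, cache.foo.org is never asked about .usc.edu hosts and is treated as a sibling for .com and .net, and the unrestricted littleguy1 is asked about everything.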
260 NAME: single_parent_bypass
264 LOC: Config.onoff.single_parent_bypass
266 This tag specifies that it is okay to bypass the hierarchy
267 "Pinging" when there is only a single parent for a given URL.
269 Usage: single_parent_bypass on|off
271 Before actually sending ICP "ping" packets to parents and
272 neighbors, we figure out which hosts would be pinged based
273 on the cache_host_domain rules, etc. Often it may be the
274 case that only a single parent cache would be pinged.
276 Since there is only a single parent, there is a very good
277 chance that we will end up fetching the object from that
278 parent. For this reason, it may be beneficial to avoid
279 the ping and just fetch the object anyway.
281 However, if we avoid the ping, we will be assuming that the
282 parent host is reachable and that the cache process is running.
283 By using the ping, we can be reasonably sure that the parent
284 host will be able to handle our request. If the ping fails then
285 it may be possible to fetch the object directly from the source.
287 To favor the resiliency provided by the ping algorithm,
288 single_parent_bypass is 'off' by default.
290 single_parent_bypass off
298 LOC: Config.onoff.source_ping
300 If source_ping is enabled, then squid will include the source
301 provider site in its selection algorithm. This is accomplished
302 by sending ICP "HIT" packets to the UDP echo port of the source
303 host. Note that using source_ping may send a fair amount of UDP
304 traffic out on the Internet and may irritate paranoid network
307 Note that source_ping is incompatible with inside_firewall.
308 For hosts beyond the firewall, source_ping packets will never
311 By default, source_ping is off.
316 NAME: neighbor_timeout neighbour_timeout
320 LOC: Config.neighborTimeout
322 This controls how long to wait for replies from neighbor caches.
323 If none of the parent or neighbor caches reply before this many
324 seconds (due to dropped packets or slow links), then the object
325 request will be satisfied from the default source. The default
326 timeout is two seconds.
328 neighbor_timeout 2 seconds
332 NAME: hierarchy_stoplist
335 LOC: Config.hierarchy_stoplist
337 A list of words which, if found in a URL, cause the object to
338 be handled directly by this cache. In other words, use this
339 to not query neighbor caches for certain objects. You may
340 list this option multiple times.
342 The default is to directly fetch URLs containing 'cgi-bin' or '?'.
344 hierarchy_stoplist cgi-bin ?
351 LOC: Config.cache_stoplist
353 A list of words which, if found in a URL, cause the object to
354 be immediately removed from the cache. In other words, use this
355 to force certain objects to never be cached. You may list this
356 option multiple times.
358 The default is to not cache URLs containing 'cgi-bin' or '?'.
360 cache_stoplist cgi-bin ?
364 NAME: cache_stoplist_pattern
366 LOC: Config.cache_stop_relist
369 Just like 'cache_stoplist' but you can use regular expressions
370 instead of simple string matching. There is no default.
371 Insert -i to get case-insensitive regular expressions.
373 cache_stoplist_pattern
378 OPTIONS WHICH AFFECT THE CACHE SIZE
379 -----------------------------------------------------------------------------
386 LOC: Config.Mem.maxSize
388 Maximum amount of VM used to store objects in memory.
391 negative-cached objects,
393 The value of cache_mem is an upper limit on the size of the
394 "in-memory object data" pool. This is a pool of 4k pages used
397 In-transit objects have priority over the others. When
398 additional space is needed for incoming data, negative-cached
399 and hot objects will be released. In other words, the
400 negative-cached and hot objects will fill up any unused space
401 not needed for in-transit objects.
403 The values of cache_mem_low and cache_mem_high (below) can be
404 used to tune the use of the memory pool. When the high mark is
405 reached, in-transit and hot objects will be released to clear
406 space. When an object transfer is completed, it will remain in
407 memory only if the current memory usage is below the low water
410 The default is 8 Megabytes.
417 COMMENT: (percent, 0-100)
420 LOC: Config.Swap.lowWaterMark
423 NAME: cache_swap_high
424 COMMENT: (percent, 0-100)
427 LOC: Config.Swap.highWaterMark
429 The low- and high-water marks for cache LRU replacement.
430 LRU replacement begins when the high-water mark is reached
431 and ends when enough objects have been removed and the low-water
432 mark is reached. Defaults are 90% and 95%.
440 COMMENT: (in percent, 0-100)
443 LOC: Config.Mem.lowWaterMark
447 COMMENT: (in percent, 0-100)
450 LOC: Config.Mem.highWaterMark
452 The low- and high-water mark for cache memory storage. When
453 the amount of RAM used by the hot-object RAM cache reaches this
454 point, the cache starts throwing objects out of the RAM cache
455 (but they remain on disk). Defaults are 75% and 90%.
462 NAME: maximum_object_size
466 LOC: Config.Store.maxObjectSize
468 Objects larger than this size will NOT be saved on disk. The
469 value is specified in kilobytes, and the default is 4MB.
471 maximum_object_size 4096 KB
476 COMMENT: (number of entries)
479 LOC: Config.ipcache.size
486 LOC: Config.ipcache.low
493 LOC: Config.ipcache.high
495 The size, low-, and high-water marks for the IP cache.
503 LOGFILE PATHNAMES AND CACHE DIRECTORIES
504 -----------------------------------------------------------------------------
510 DEFAULT_IF_NONE: @DEFAULT_SWAP_DIR@ 100 16 256
511 LOC: Config.cacheSwap
513 Directory for on-disk cache storage. The cache will change into
514 this directory when running. The default is
517 You can specify multiple cache_dir lines to spread the
518 cache among different disk partitions.
520 cache_dir @DEFAULT_SWAP_DIR@ 100 16 256
524 NAME: cache_access_log
526 DEFAULT: @DEFAULT_ACCESS_LOG@
527 LOC: Config.Log.access
529 Logs the client request activity. Contains an entry for
530 every HTTP and ICP request received.
532 cache_access_log @DEFAULT_ACCESS_LOG@
538 DEFAULT: @DEFAULT_CACHE_LOG@
541 Cache logging file. Set logging levels with "debug_options" below.
543 cache_log @DEFAULT_CACHE_LOG@
547 NAME: cache_store_log
549 DEFAULT: @DEFAULT_STORE_LOG@
550 LOC: Config.Log.store
552 Logs the activities of the storage manager. Shows which
553 objects are ejected from the cache, and which objects are
554 saved and for how long. To disable, enter "none".
556 cache_store_log @DEFAULT_STORE_LOG@
565 Location for the cache "swap.log." This log file holds the
566 metadata of objects saved on disk. It is used to rebuild the
567 cache during startup. Normally this file resides in the first
568 'cache_dir' directory, but you may specify an alternate
569 pathname here. Note you must give a full filename, not just
576 NAME: emulate_httpd_log
580 LOC: Config.onoff.common_log
582 The Cache can emulate the log file format which many 'httpd'
583 programs use. To disable/enable this emulation, set
584 emulate_httpd_log to 'off' or 'on'. The default
585 is to use the native log format.
587 emulate_httpd_log off
593 DEFAULT: @DEFAULT_MIME_TABLE@
594 LOC: Config.mimeTablePathname
596 Pathname to Squid's MIME table which has the format
598 regex content-type icon content-encoding transfer-mode
600 mime_table @DEFAULT_MIME_TABLE@
607 LOC: Config.onoff.log_mime_hdrs
610 The Cache can record both the request and the response
611 MIME headers for each HTTP transaction. The headers are
612 encoded safely and will appear as two bracketed fields
613 at the end of the access log (for either the native
614 or httpd-emulated log formats). To enable this logging
615 set log_mime_hdrs to 'on'.
617 NOTE: support for this may require you to define
618 LOG_FULL_HEADERS before compiling.
626 LOC: Config.Log.useragent
629 If compiled with "-DUSE_USERAGENT_LOG=1" Squid will write
630 the User-Agent field from HTTP requests to the filename
631 specified here. By default useragent_log is disabled.
639 DEFAULT: @DEFAULT_PID_FILE@
640 LOC: Config.pidFilename
642 A pathname to write the process-id to. To disable, enter "none".
644 pid_filename @DEFAULT_PID_FILE@
651 LOC: Config.debugOptions
653 Logging options are set as section,level where each source file
654 is assigned a unique section. Lower levels result in less
655 output. Full debugging (level 9) can result in a very large
656 log file, so be careful. The magic word "ALL" sets debugging
657 levels for all sections. We recommend normally running with
668 LOC: Config.onoff.ident_lookup
670 If you wish to make an RFC931/ident lookup of the client username
671 for each connection, enable this. It is off by default.
681 LOC: Config.onoff.log_fqdn
683 Turn this on if you wish to log fully qualified domain names
692 LOC: Config.Addrs.client_netmask
693 DEFAULT: 255.255.255.255
695 A netmask for client addresses in logfiles and cachemgr output.
696 Change this to protect the privacy of your cache clients.
698 client_netmask 255.255.255.255
703 OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
704 -----------------------------------------------------------------------------
707 # TAG: ftpget_program
708 # Where to find the 'ftpget' program that retrieves FTP data (HTTP
709 # and Gopher protocol support are built into the cache).
711 # To disable ftpget and the ability to retrieve FTP objects, set
712 # this to "none". Note that ftpget is automatically disabled for
715 #ftpget_program @DEFAULT_FTPGET@
717 # TAG: ftpget_options
718 # Options for the 'ftpget' program. Please run 'ftpget' without
719 # any arguments to see a list of options. The default is
720 # no options. An example is
722 # ftpget_options -n 60 -R -W
729 LOC: Config.Ftp.anon_user
731 If you want the anonymous login password to be more informative
732 (and enable the use of picky ftp servers), set this to something
733 reasonable for your domain, like wwwuser@somewhere.net
735 The reason why this is domainless by default is that the
736 request can be made on the behalf of a user in any domain,
737 depending on how the cache is used.
738 Some ftp servers also validate that the email address is valid
739 (for example perl.com).
747 LOC: Config.Ftp.list_width
752 NAME: cache_dns_program
754 DEFAULT: @DEFAULT_DNSSERVER@
755 LOC: Config.Program.dnsserver
757 Specify the location of the executable for dnslookup process.
759 cache_dns_program @DEFAULT_DNSSERVER@
765 LOC: Config.dnsChildren
767 The number of processes spawned to service DNS name lookups.
768 For heavily loaded caches on large servers, you should
769 probably increase this value to at least 10. The maximum
770 is 32. The default is 5.
772 To disable dnsservers, set this to 0. NOTE, this is very
773 strongly discouraged. If you disable dnsservers your Squid
774 process will BLOCK on DNS lookups!
784 LOC: Config.onoff.res_defnames
786 Normally the 'dnsserver' disables the RES_DEFNAMES resolver
787 option (see res_init(3)). This prevents caches in a hierarchy
788 from interpreting single-component hostnames locally. To allow
789 dnsserver to handle single-component names, enable this
796 NAME: unlinkd_program
798 DEFAULT: @DEFAULT_UNLINKD@
799 LOC: Config.Program.unlinkd
801 Specify the location of the executable for file deletion process.
803 unlinkd_program @DEFAULT_UNLINKD@
809 DEFAULT: @DEFAULT_PINGER@
810 LOC: Config.Program.pinger
812 Specify the location of the executable for the pinger process.
814 pinger_program @DEFAULT_PINGER@
818 NAME: redirect_program
820 LOC: Config.Program.redirect
823 Specify the location of the executable for the URL redirector.
824 Currently, you must provide your own redirector program.
825 See the Release-Notes for how to write one.
826 By default, the redirector is not used.
828 redirect_program none
832 NAME: redirect_children
835 LOC: Config.redirectChildren
837 The number of redirector processes to spawn.
843 OPTIONS FOR TUNING THE CACHE
844 -----------------------------------------------------------------------------
847 NAME: wais_relay_host
850 LOC: Config.Wais.relayHost
853 NAME: wais_relay_port
856 LOC: Config.Wais.relayPort
858 Relay WAIS requests to host (1st arg) at port (2nd arg).
860 wais_relay_host localhost
869 LOC: Config.maxRequestSize
871 Maximum allowed request size in kilobytes. If people are using
872 POST to upload files, then set this to the largest acceptable
873 filesize plus a few extra kbytes.
879 NAME: refresh_pattern
884 usage: refresh_pattern regex min percent max
886 min and max are specified in MINUTES.
887 percent is an integer number.
889 Please see the file doc/Release-Notes-1.1.txt for a full
890 description of Squid's refresh algorithm. Basically a
894 STALE if expires < now
896 FRESH if lm-factor < percent
898 The refresh_pattern lines are checked in the order listed here.
899 The first entry which matches is used. If none of the entries
900 match, then the default will be used.
903 refresh_pattern . 0 20% 4320
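The refresh_pattern rules above are matched in order, with the first hit supplying min, percent and max. The following is an added example, not Squid's code and not the full algorithm from the release notes: it parses constructed refresh_pattern lines and applies the two tests the page states (STALE if Expires is in the past, otherwise FRESH if lm-factor is below percent). The min and max checks in between, and the handling of objects with no Last-Modified date, are assumptions about how those two columns are used and are marked as such in the code.

```python
import re

# The catch-all 'refresh_pattern . 0 20% 4320' shown above, used when nothing matches.
DEFAULT_RULE = (0 * 60, 20, 4320 * 60)


def parse_refresh_patterns(lines):
    """Parse 'refresh_pattern regex min percent max' lines; min/max are MINUTES."""
    rules = []
    for raw in lines:
        parts = raw.split()
        if len(parts) == 5 and parts[0] == 'refresh_pattern':
            _, regex, mn, pct, mx = parts
            rules.append((re.compile(regex), int(mn) * 60, int(pct.rstrip('%')), int(mx) * 60))
    return rules


def freshness(url, now, fetched, rules, expires=None, last_modified=None):
    """Return 'FRESH' or 'STALE' for an object fetched at `fetched` (epoch seconds).

    `expires` and `last_modified` are epoch seconds from the server headers or None.
    """
    for regex, min_s, pct, max_s in rules:
        if regex.search(url):
            break                                   # first matching entry is used
    else:
        min_s, pct, max_s = DEFAULT_RULE            # none matched: fall back to the default
    if expires is not None:
        return 'STALE' if expires < now else 'FRESH'  # STALE if expires < now
    age = now - fetched
    if age <= min_s:
        return 'FRESH'                              # ASSUMPTION: younger than min is fresh
    if age > max_s:
        return 'STALE'                              # ASSUMPTION: older than max is stale
    if last_modified is None or fetched <= last_modified:
        return 'STALE'                              # ASSUMPTION: no usable lm-factor
    # lm-factor: age as a percentage of how old the object was when fetched
    lm_factor = 100 * age / (fetched - last_modified)
    return 'FRESH' if lm_factor < pct else 'STALE'  # FRESH if lm-factor < percent


# Constructed sample rules: FTP objects get a longer minimum, everything else the default.
SAMPLE_REFRESH = parse_refresh_patterns([
    'refresh_pattern ^ftp: 1440 20% 10080',
    'refresh_pattern . 0 20% 4320',
])

if __name__ == '__main__':
    print(freshness('http://www.foo.org/a', 10000, 9000, SAMPLE_REFRESH, last_modified=0))
    print(freshness('http://www.foo.org/a', 10000, 9000, SAMPLE_REFRESH, last_modified=8000))
```

The two printed cases show the lm-factor at work: an object that was already 9000 seconds old when fetched and has aged 1000 seconds since is only 11% "aged" and stays FRESH, while one that was 1000 seconds old at fetch time is 100% aged and goes STALE.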
909 LOC: Config.referenceAge
912 As a part of normal operation, Squid performs Least Recently
913 Used removal of cached objects. The LRU age for removal is
914 computed dynamically, based on the amount of disk space in
915 use. The 'reference_age' value defines the maximum LRU age.
916 For example, setting reference_age to '1 week' will cause
917 objects to be removed if they have not been accessed for a week
918 or more. If set to zero, LRU removal is disabled, and objects
919 will be removed only when disk usage is over the high water
920 mark. The default value is one year.
922 Specify a number here, followed by units of time. For example:
928 reference_age 1 month
932 NAME: quick_abort_min
936 LOC: Config.quickAbort.min
939 NAME: quick_abort_pct
943 LOC: Config.quickAbort.pct
946 NAME: quick_abort_max
950 LOC: Config.quickAbort.max
952 By default the cache continues to retrieve objects from
953 aborted requests. This may be undesirable on slow (e.g. SLIP)
954 links and/or very busy caches. Impatient users may tie up
955 file descriptors by repeatedly aborting and re-requesting
956 non-cachable objects.
958 Usage: quick_abort min-kbytes percent max-kbytes
960 When the user aborts a request, Squid will check the
961 quick_abort values against the amount of data transferred until
964 If the transfer has less than 'min-kbytes' remaining, it
965 will finish the retrieval. Setting minlength to -1 will
966 disable the quick_abort feature.
968 If the transfer has more than 'max-kbytes' remaining, it
969 will abort the retrieval.
971 If more than 'percent' of the transfer has completed, it will
972 finish the retrieval.
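The three tests above are easier to reason about as one decision function. This is an added example, not Squid's code: it applies the min, max and percent checks in the order the text gives them, honours -1 as the disable value, and assumes that a transfer none of the rules tells it to finish is aborted, and that a transfer of unknown total length cannot be judged and is aborted; both of those are assumptions.

```python
def quick_abort_decision(total_kb, received_kb, min_kb, percent, max_kb):
    """Return 'finish' or 'abort' for a client-aborted transfer.

    total_kb: object size in KB (None if the server gave no length),
    received_kb: KB already received, min_kb/percent/max_kb: the quick_abort values.
    """
    if min_kb == -1:
        return 'finish'                             # feature disabled: always finish
    if total_kb is None:
        return 'abort'                              # ASSUMPTION: unknown length, cannot judge
    remaining = total_kb - received_kb
    if remaining < min_kb:
        return 'finish'                             # little left: finish the retrieval
    if remaining > max_kb:
        return 'abort'                              # too much left: abort
    if total_kb > 0 and 100 * received_kb / total_kb > percent:
        return 'finish'                             # mostly done: finish
    return 'abort'                                  # ASSUMPTION: otherwise abort


def parse_quick_abort(lines):
    """Read quick_abort_min/pct/max lines (values in KB, percent) into a dict."""
    values = {'min': 16, 'pct': 95, 'max': 16384}   # constructed defaults for the demo
    for raw in lines:
        parts = raw.split()
        if len(parts) >= 2 and parts[0].startswith('quick_abort_'):
            values[parts[0][len('quick_abort_'):]] = int(parts[1])
    return values


# Constructed sample settings: 16 KB minimum, 95 percent, 16 MB maximum.
QA = parse_quick_abort(['quick_abort_min 16 KB', 'quick_abort_pct 95', 'quick_abort_max 16384 KB'])


def decide(total_kb, received_kb, qa=QA):
    return quick_abort_decision(total_kb, received_kb, qa['min'], qa['pct'], qa['max'])


if __name__ == '__main__':
    for total, got in ((100, 90), (100000, 1000), (1000, 960), (1000, 500)):
        print(total, got, '->', decide(total, got))
```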
983 LOC: Config.negativeTtl
986 Time-to-Live (TTL) for failed requests. Certain types of
987 failures (such as "connection refused" and "404 Not Found") are
988 negatively-cached for a small amount of time. The default is 5
989 minutes. Note that this is different from negative caching of
992 negative_ttl 5 minutes
996 NAME: positive_dns_ttl
999 LOC: Config.positiveDnsTtl
1002 Time-to-Live (TTL) for positive caching of successful DNS lookups.
1003 Default is 6 hours (360 minutes). If you want to minimize the
1004 use of Squid's ipcache, set this to 1, not 0.
1006 positive_dns_ttl 6 hours
1010 NAME: negative_dns_ttl
1013 LOC: Config.negativeDnsTtl
1016 Time-to-Live (TTL) for negative caching of failed DNS lookups.
1018 negative_dns_ttl 5 minutes
1023 -----------------------------------------------------------------------------
1026 NAME: connect_timeout
1029 LOC: Config.Timeout.connect
1032 Some systems (notably Linux) can not be relied upon to properly
1033 time out connect(2) requests. Therefore the squid process
1034 enforces its own timeout on server connections. This parameter
1035 specifies how long to wait for the connect to complete. The
1036 default is two minutes (120 seconds).
1038 connect_timeout 120 seconds
1041 NAME: siteselect_timeout
1044 LOC: Config.Timeout.siteSelect
1047 Timeout for URL selection when a URN resolves to multiple URLs.
1049 siteselect_timeout 4 seconds
1055 LOC: Config.Timeout.read
1058 The read_timeout is applied on server-side connections. After
1059 each successful read(), the timeout will be extended by this
1060 amount. If no data is read again after this amount of time,
1061 the request is aborted and logged with ERR_READ_TIMEOUT. The
1062 default is 15 minutes.
1064 read_timeout 15 minutes
1068 NAME: request_timeout
1070 LOC: Config.Timeout.request
1073 How long to wait for an HTTP request after connection
1074 establishment. For persistent connections, wait this long
1075 after the previous request completes.
1077 defer_timeout 30 seconds
1081 NAME: client_lifetime
1084 LOC: Config.Timeout.lifetime
1087 The maximum amount of time that a client (browser) is allowed to
1088 remain connected to the cache process. This protects the Cache
1089 from having a lot of sockets (and hence file descriptors) tied up
1090 in a CLOSE_WAIT state from remote clients that go away without
1091 properly shutting down (either because of a network failure or
1092 because of a poor client implementation). The default is one
1095 NOTE: The default value is intended to be much larger than any
1096 client would ever need to be connected to your cache. You
1097 should probably change client_lifetime only as a last resort.
1098 If you seem to have many client connections tying up
1099 filedescriptors, we recommend first tuning the read_timeout,
1100 defer_timeout, and quick_abort values.
1102 client_lifetime 1 day
1107 LOC: Config.Timeout.pconn
1108 DEFAULT: 120 seconds
1110 Timeout for idle persistent connections to servers and other
1112 pconn_timeout 120 seconds
1116 NAME: shutdown_lifetime
1119 LOC: Config.shutdownLifetime
1122 When SIGTERM or SIGHUP is received, the cache is put into
1123 "shutdown pending" mode until all active sockets are closed.
1124 This value is the lifetime to set for all open descriptors
1125 during shutdown mode. Any active clients after this many
1126 seconds will receive a 'timeout' message.
1128 shutdown_lifetime 30 seconds
1133 -----------------------------------------------------------------------------
1141 Defining an Access List
1143 acl aclname acltype string1 ...
1144 acl aclname acltype "file" ...
1146 when using "file", the file should contain one item per line
1148 acltype is one of src dst srcdomain dstdomain url_pattern
1149 urlpath_pattern time port proto method browser user
1151 acl aclname src ip-address/netmask ... (client's IP address)
1152 acl aclname src addr1-addr2/netmask ... (range of addresses)
1153 acl aclname dst ip-address/netmask ... (URL host's IP address)
1154 acl aclname srcdomain foo.com ... (taken from reverse DNS lookup)
1155 acl aclname dstdomain foo.com ... (taken from the URL)
1156 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
1165 h1:m1 must be less than h2:m2
1166 acl aclname url_regex ^http:// ... # regex matching on whole URL
1167 acl aclname urlpath_regex \.gif$ ... # regex matching on URL path only
1168 acl aclname port 80 70 21 ...
1169 acl aclname proto HTTP FTP ...
1170 acl aclname method GET POST ...
1171 acl aclname browser regexp
1172 acl aclname user username ... # string match on ident output.
1173 # use REQUIRED to accept any
1175 acl aclname src_as number ...
1176 acl aclname dst_as number ...
1177 # Except for access control, AS numbers can be used for
1178 # routing of requests to specific caches. Here's an
1179 # example for routing all requests for AS#1241 and only
1180 # those to mycache.mydomain.net:
1181 # acl asexample dst_as 1241
1182 # cache_host_acl mycache.mydomain.net asexample
1183 # cache_host_acl mycache.mydomain.net !all
1185 acl aclname proxy_auth passwd_file [ refresh ]
1186 # 'passwd_file' is an Apache-style file of passwords for
1187 # authenticated proxy access. Looks like user:password, with
1188 # the password being standard crypt() format. 'refresh' is
1189 # the time in seconds to check for changes in the file
1190 # (default = 300 secs). When using a proxy_auth ACL in an
1191 # ACL list, make sure it is the *last* in the list and the
1192 # only proxy_auth ACL in the list. NOTE: when a
1193 # Proxy-Authentication header is sent but it is not needed
1194 # during ACL checking the username is NOT logged in
1197 acl manager proto cache_object
1198 acl localhost src 127.0.0.1/255.255.255.255
1199 acl all src 0.0.0.0/0.0.0.0
1200 acl myexample dst_as 1241
1201 acl SSL_ports port 443 563
1202 acl Dangerous_ports port 7 9 19
1203 acl CONNECT method CONNECT
1208 LOC: Config.accessList.http
1211 Allowing or Denying access based on defined access lists
1213 Access to the HTTP port:
1214 http_access allow|deny [!]aclname ...
1216 Access to the ICP port:
1217 icp_access allow|deny [!]aclname ...
1219 NOTE on default values:
1221 If there are no "access" lines present, the default is to allow
1224 If none of the "access" lines cause a match, the default is the
1225 opposite of the last line in the list. If the last line was
1226 deny, then the default is allow. Conversely, if the last line
1227 is allow, the default will be deny. For these reasons, it is a
1228 good idea to have a "deny all" or "allow all" entry at the end
1229 of your access lists to avoid potential confusion.
1232 Only allow access to the cache manager functions from the local host.
1233 http_access deny manager !localhost
1234 http_access deny CONNECT !SSL_ports
1235 http_access deny Dangerous_ports
1237 Allow everything else
1238 http_access allow all
1244 LOC: Config.accessList.icp
1247 Reply to all ICP queries we receive
1249 icp_access allow all
1255 LOC: Config.accessList.miss
1258 Use to force your neighbors to use you as a sibling instead of
1259 a parent. For example:
1261 acl localclients src 172.16.0.0/16
1262 miss_access allow localclients
1263 miss_access deny !localclients
1265 This means that only your local clients are allowed to fetch
1266 MISSES and all other clients can only fetch HITS.
1268 By default, allow all clients who passed the http_access rules
1269 to fetch MISSES from us.
1271 miss_access allow all
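The http_access default rules (no lines means allow; no match means the opposite of the last line) and the miss_access example above share one evaluation model, and getting the trailing "allow all"/"deny all" wrong is the classic way an open proxy happens. The following is an added example, not Squid's code: it parses the acl, http_access and miss_access lines shown in this section (combined into one constructed configuration), models the src, port, proto and method ACL types only, and evaluates a request against a rule list with exactly the documented defaults, so you can check what a given list does before deploying it.

```python
import ipaddress


def parse_access_config(lines):
    """Return ({aclname: (type, values)}, {tag: [(action, terms), ...]})."""
    acls, rules = {}, {}
    for raw in lines:
        parts = raw.split('#', 1)[0].split()
        if not parts:
            continue
        if parts[0] == 'acl':
            name, atype, values = parts[1], parts[2], parts[3:]
            if atype == 'src':
                # 'ip-address/netmask' and prefix forms are both accepted by ip_network
                values = [ipaddress.ip_network(v, strict=False) for v in values]
            acls.setdefault(name, (atype, []))[1].extend(values)   # same name on several lines merges
        elif parts[0] in ('http_access', 'icp_access', 'miss_access'):
            rules.setdefault(parts[0], []).append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, request):
    atype, values = acls[name]
    if atype == 'src':
        return any(ipaddress.ip_address(request['src']) in net for net in values)
    if atype == 'port':
        return str(request['port']) in values
    if atype == 'proto':
        return request['proto'].lower() in [v.lower() for v in values]
    if atype == 'method':
        return request['method'].upper() in [v.upper() for v in values]
    raise ValueError(f'acl type {atype!r} is not modelled in this example')


def check_access(acls, rule_list, request):
    """Return 'allow' or 'deny' under the defaults stated on the page."""
    if not rule_list:
        return 'allow'                                   # no access lines at all: allow
    for action, terms in rule_list:
        # a line applies when every term matches ('!' inverts a term)
        if all(acl_matches(acls, t.lstrip('!'), request) != t.startswith('!') for t in terms):
            return action                                # first matching line wins
    return 'allow' if rule_list[-1][0] == 'deny' else 'deny'   # no match: opposite of last line


# Constructed sample configuration, assembled from the acl and access lines above.
SAMPLE_ACCESS_CONFIG = """
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Dangerous_ports port 7 9 19
acl CONNECT method CONNECT
acl localclients src 172.16.0.0/16
http_access deny manager !localhost
http_access deny CONNECT !SSL_ports
http_access deny Dangerous_ports
http_access allow all
miss_access allow localclients
miss_access deny !localclients
""".splitlines()
ACLS, RULES = parse_access_config(SAMPLE_ACCESS_CONFIG)


def request(src, port=80, proto='http', method='GET'):
    """Build the minimal request record the matcher needs (constructed fields)."""
    return {'src': src, 'port': port, 'proto': proto, 'method': method}


if __name__ == '__main__':
    print(check_access(ACLS, RULES['http_access'], request('10.0.0.5', 3128, 'cache_object')))
    print(check_access(ACLS, RULES['http_access'], request('10.0.0.5', 80, method='CONNECT')))
    print(check_access(ACLS, RULES['miss_access'], request('10.0.0.5')))
```

Note the last two assertions in the accompanying checks: a list ending in "deny Dangerous_ports" silently allows everything that does not match, and a list ending in "allow localhost" silently denies everyone else, which is exactly why the text recommends an explicit final "allow all" or "deny all".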
1275 NAME: cache_host_acl
1280 Just like 'cache_host_domain' but provides more flexibility by
1283 cache_host_acl cache-host [!]aclname ...
1285 NOTE: * Any number of ACL's may be given for a cache-host,
1286 either on the same or separate lines.
1287 * When multiple ACL's are given for a particular
1288 cache-host, the first matched ACL is applied.
1289 * Cache hosts with no domain or ACL restrictions are
1290 queried for all requests.
1291 * There are no defaults.
1295 ADMINISTRATIVE PARAMETERS
1296 -----------------------------------------------------------------------------
1302 LOC: Config.adminEmail
1304 Email-address of local cache manager who will receive
1305 mail if the cache dies. The default is "webmaster."
1311 NAME: cache_effective_user
1314 LOC: Config.effectiveUser
1317 NAME: cache_effective_group
1320 LOC: Config.effectiveGroup
1322 If the cache is run as root, it will change its effective/real
1323 UID/GID to the UID/GID specified below. The default is not to
1326 cache_effective_user nobody
1327 cache_effective_group nogroup
1331 NAME: visible_hostname
1333 LOC: Config.visibleHostname
1336 If you want to present a special hostname in error messages, etc,
1337 then define this. Otherwise, the return value of gethostname()
1340 visible_hostname www-cache.foo.org
1344 OPTIONS FOR THE CACHE REGISTRATION SERVICE
1345 -----------------------------------------------------------------------------
1347 This section contains parameters for the (optional) cache
1348 announcement service. This service is provided to help
1349 cache administrators locate one another in order to join or
1350 create cache hierarchies.
1352 An 'announcement' message is sent (via UDP) to the registration
1353 service by Squid. By default, the announcement message is NOT
1354 SENT unless you enable it with 'cache_announce' below.
1356 The announcement message includes your hostname, plus the
1357 following information from this configuration file:
1363 All current information is processed regularly and made
1364 available on the Web at http://www.nlanr.net/Cache/Tracker/.
1367 NAME: announce_period
1369 LOC: Config.Announce.period
1372 This is how frequently to send cache announcements. The default
1373 is `0' which disables sending the announcement messages.
1375 To enable announcing your cache, just uncomment the line below.
1377 announce_period 1 day
1383 DEFAULT: sd.cache.nlanr.net
1384 LOC: Config.Announce.host
1390 LOC: Config.Announce.port
1392 This is the hostname and portnumber where the registration message
1395 Format: announce_to host[:port] [filename]
1397 Hostname will default to 'sd.cache.nlanr.net' and port will default
1398 to 3131. If the 'filename' argument is given, the contents of that
1399 file will be included in the announce message.
1401 announce_host sd.cache.nlanr.net
1408 LOC: Config.Announce.file
1412 HTTPD-ACCELERATOR OPTIONS
1413 -----------------------------------------------------------------------------
1416 NAME: httpd_accel_host
1418 LOC: Config.Accel.host
1422 NAME: httpd_accel_port
1424 LOC: Config.Accel.port
1427 If you want to run squid as an httpd accelerator, define the
1428 host name and port number where the real HTTP server is.
1430 If you want virtual host support then specify the hostname
1433 httpd_accel_host hostname
1434 httpd_accel_port port
1438 NAME: httpd_accel_with_proxy
1442 LOC: Config.onoff.accel_with_proxy
1444 If you want to use squid as both a local httpd accelerator
1445 and as a proxy, change this to 'on'.
1447 httpd_accel_with_proxy off
1451 NAME: httpd_accel_uses_host_header
1455 LOC: opt_accel_uses_host
1457 HTTP/1.1 requests include a Host: header which is basically the
1458 hostname from the URL. Squid can be an accelerator for
1459 different HTTP servers by looking at this header. However,
1460 Squid does NOT check the value of the Host header, so it opens
1461 a big security hole. We recommend that this option remain
1462 disabled unless you are sure of what you are doing.
1464 httpd_accel_uses_host_header off
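The security hole described above comes from routing on a client-supplied Host header without validating it. The following is an added example, not Squid's code, of the check an accelerator needs before it may honour that header: the Host value is normalized and looked up in an allow-list of the origins the accelerator actually fronts, and anything else is refused rather than forwarded. The hostnames, ports and the allow-list are constructed for illustration.

```python
"""Added example (not Squid code): the Host-header validation that the
'httpd_accel_uses_host_header' option omits.  When an accelerator routes
on the client-supplied Host header it must validate that header against
the set of origin servers it is configured to front; otherwise any client
can make the proxy fetch from an arbitrary host on its behalf."""

from typing import Dict, Optional, Tuple

# Constructed: origins this accelerator fronts, keyed by the Host value a
# client may send and mapping to the real (server, port) behind it.
ACCEL_ORIGINS: Dict[str, Tuple[str, int]] = {
    "www.example.com": ("backend-www.internal.example", 8080),
    "static.example.com": ("backend-static.internal.example", 8080),
}

# Constructed stand-in for httpd_accel_host / httpd_accel_port.
DEFAULT_ORIGIN = ("backend-www.internal.example", 8080)


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Lower-case the name and drop an explicit :port so that
    'WWW.EXAMPLE.COM:80' compares equal to 'www.example.com'.
    Returns None for an absent or empty header, and for bracketed IPv6
    literals, which this simple version does not try to handle."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):
        return None
    if ":" in host:
        host = host.split(":", 1)[0]
    return host or None


def route_request(host_header: Optional[str],
                  uses_host_header: bool) -> Optional[Tuple[str, int]]:
    """Decide which origin a request is sent to.

    uses_host_header=False mirrors 'httpd_accel_uses_host_header off':
    the header is ignored and every request goes to the one configured
    origin.  uses_host_header=True mirrors 'on', but adds the allow-list
    check that the text says Squid does not perform: a Host that is not
    one of the accelerated origins yields None (refuse) instead of a
    forward to whatever the client named.
    """
    if not uses_host_header:
        return DEFAULT_ORIGIN
    host = normalize_host(host_header)
    if host is None:
        return None
    return ACCEL_ORIGINS.get(host)
```

With the option off, the Host header has no influence on routing; with it on, only the two configured names are accepted, and an unknown or missing Host is refused instead of being forwarded.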
1469 -----------------------------------------------------------------------------
1474 LOC: Config.dns_testname_list
1477 The DNS tests exit as soon as the first site is successfully looked up.
1479 If you want to disable DNS tests, do not comment out or delete this
1480 list. Instead use the -D command line option.
1482 dns_testnames internic.net usc.edu cs.colorado.edu mit.edu yale.edu
1486 NAME: logfile_rotate
1489 LOC: Config.Log.rotateNumber
1491 Specifies the number of logfile rotations to make upon receiving
1492 a USR1 signal. The default is 10, which will rotate with
1493 extensions 0 through 9. Setting logfile_rotate to 0 will
1494 disable the rotation, but the logfiles are still closed and
1495 re-opened. This will enable you to rename the logfiles yourself
1496 just before sending a USR1 signal to the squid process.
1504 LOC: Config.appendDomain
1507 Appends local domain name to hostnames without any dots in them.
1508 append_domain must begin with a period.
1510 append_domain .yourdomain.com
1514 NAME: tcp_recv_bufsize
1518 LOC: Config.tcpRcvBufsz
1520 Size of receive buffer to set for TCP sockets. Probably just
1521 as easy to change your kernel's default. Set to zero to use
1522 the default buffer size.
1524 tcp_recv_bufsize 0 bytes
1529 LOC: Config.errHtmlText
1532 HTML text to include in error messages. Make this a "mailto"
1533 URL to your admin address, or maybe just a link to your
1534 organization's Web page.
1542 LOC: Config.denyInfoList
1545 Usage: deny_info URL acl
1547 This can be used to return an HTTP redirect for requests which
1548 do not pass the 'http_access' rules. A single ACL will cause
1549 the http_access check to fail. If a 'deny_info' line exists
1550 for that ACL then Squid returns a redirect to the given URL.
1558 LOC: opt_udp_hit_obj
1560 If set, Squid will request UDP_HIT_OBJ replies from its
1561 neighbors. UDP_HIT_OBJ is nice because it saves bandwidth, but
1562 it can cause some other problems. For one it complicates
1563 calculating hit rates. Also, problems arise because the ICP
1564 query does not contain any HTTP request headers which may
1571 NAME: udp_hit_obj_size
1574 LOC: Config.udpMaxHitObjsz
1577 If set, Squid will limit UDP_HIT_OBJ size to be less than
1578 this value. Setting this value to more than SQUID_UDP_SO_SNDBUF
1579 will not work as expected. Set to zero to select the size
1580 permitted by the socket.
1581 udp_hit_obj_size 0 bytes
1591 If set, Squid will keep pools of allocated (but unused) memory
1592 available for future use. If memory is a premium on your
1593 system, disable this.
1602 LOC: opt_forwarded_for
1604 If set, Squid will include your system's IP address or name
1605 in the HTTP requests it forwards. By default it looks like
1608 X-Forwarded-For: 192.1.2.3
1610 If you disable this, it will appear as
1612 X-Forwarded-For: unknown
1617 NAME: log_icp_queries
1621 LOC: Config.onoff.log_udp
1623 If set, ICP queries are logged to access.log. ICP logging
1624 is enabled by default, so uncomment and change the line
1625 below to disable it.
1634 LOC: Config.onoff.icp_hit_stale
1636 If you want to return ICP_HIT for stale cache objects, set this
1637 option to 'on'. If you have sibling relationships with caches
1638 in other administrative domains, this should be 'off'. If you only
1639 have sibling relationships with caches under your control, then
1640 it is probably okay to set this to 'on'.
1646 NAME: minimum_direct_hops
1649 LOC: Config.minDirectHops
1651 If using the ICMP pinging stuff, do direct fetches for sites
1652 which are no more than this many hops away.
1654 minimum_direct_hops 4
1658 NAME: cachemgr_passwd
1659 TYPE: cachemgrpasswd
1661 LOC: Config.passwd_list
1663 Specify passwords for cachemgr operations.
1665 Usage: cachemgr_passwd password action action ...
1679 stats/filedescriptors
1691 * Indicates actions which will not be performed without a
1692 valid password; others can be performed if not listed here.
1694 To disable an action, set the password to "disable".
1695 To allow performing an action without a password, set the
1698 Use the keyword "all" to set the same password for all actions.
1700 cachemgr_passwd secret shutdown
1701 cachemgr_passwd lesssssssecret info stats/objects
1702 cachemgr_passwd disable all
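How a cachemgr_passwd list such as the three lines above is evaluated, as an added example that is not Squid's own cachemgr code. It applies the rules stated in the text: each line carries one password and one or more actions, "all" covers every action, the password "disable" makes an action unavailable, starred actions cannot be performed without a valid password, and unstarred actions that are not listed are open. Two things are assumptions, not statements from the page: the first line naming an action wins when several lines match it, and the set of starred actions used here is constructed (only stats/filedescriptors is visible in the excerpt).

```python
"""Added example (not Squid's code): evaluation of cachemgr_passwd lines."""

import hmac
from typing import List, Tuple

# Constructed: actions treated as 'starred' (password always required).
# The real list belongs to the cachemgr documentation; it is not on the page.
STARRED_ACTIONS = {"shutdown", "config", "stats/filedescriptors"}

# The three example lines from the configuration text above.
PASSWD_LINES = """
cachemgr_passwd secret shutdown
cachemgr_passwd lesssssssecret info stats/objects
cachemgr_passwd disable all
"""

Entries = List[Tuple[str, List[str]]]


def parse_cachemgr_passwd(text: str) -> Entries:
    """Return [(password, [action, ...]), ...] in configuration order,
    skipping blank lines and '#' comments."""
    entries: Entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] != "cachemgr_passwd" or len(fields) < 3:
            raise ValueError(f"malformed cachemgr_passwd line: {line!r}")
        entries.append((fields[1], fields[2:]))
    return entries


def check_action(entries: Entries, action: str, supplied: str) -> str:
    """Return 'allowed', 'denied' (missing or wrong password) or 'disabled'.

    Assumption: the first entry naming the action, or naming 'all', decides.
    Passwords are compared in constant time so the check does not leak
    how many leading characters of the password were right.
    """
    for password, actions in entries:
        if action in actions or "all" in actions:
            if password == "disable":
                return "disabled"
            ok = hmac.compare_digest(supplied.encode(), password.encode())
            return "allowed" if ok else "denied"
    # Not listed anywhere: a starred action still needs a password that no
    # line supplies, so it cannot be performed; anything else is open.
    return "denied" if action in STARRED_ACTIONS else "allowed"
```

With the page's three lines, shutdown needs "secret", info and stats/objects need "lesssssssecret", and every other action is disabled by the trailing "all" line, which is why the order of the lines matters under the first-match assumption.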
1706 # TAG: swap_level1_dirs
1707 # Number of first-level directories to create for storing cached
1708 # objects. Minimum 1, maximum 256, default 16.
1710 #swap_level1_dirs 16
1712 # TAG: swap_level2_dirs
1713 # Number of sub-directories to create under each first-level
1714 # directory. Minimum 1, maximum 256, default 256.
1716 #swap_level2_dirs 256
1718 NAME: store_avg_object_size
1722 LOC: Config.Store.avgObjectSize
1724 Average object size, used to estimate number of objects your
1725 cache can hold. See doc/Release-Notes-1.1.txt. The default is
1728 store_avg_object_size 20 KB
1731 NAME: store_objects_per_bucket
1734 LOC: Config.Store.objectsPerBucket
1736 Target number of objects per bucket in the store hash table.
1737 Lowering this value increases the total number of buckets and
1738 also the storage maintenance rate. The default is 20.
1740 store_objects_per_bucket 20
1744 NAME: http_anonymizer
1745 TYPE: httpanonymizer
1746 LOC: Config.onoff.anonymizer
1749 If you want to filter out certain HTTP request headers for
1750 privacy reasons, enable this option. There are three
1751 appropriate settings:
1752 'off' All HTTP request headers are passed.
1753 'standard' Specific headers are removed
1754 'paranoid' Only specific headers are allowed.
1755 To see which headers are allowed or denied, please see the
1756 http-anon.c source file.
1766 LOC: Config.onoff.client_db
1768 If you want to disable collecting per-client statistics, then
1769 turn off client_db here.
1778 LOC: Config.Netdb.low
1784 LOC: Config.Netdb.high
1786 The low and high water marks for the ICMP measurement
1787 database. These are counts, not percents. The defaults are
1788 900 and 1000. When the high water mark is reached, database
1789 entries will be deleted until the low mark is reached.
1796 NAME: netdb_ping_period
1798 LOC: Config.Netdb.period
1801 The minimum period for measuring a site. There will be at
1802 least this much delay between successive pings to the same
1803 network. The default is five minutes.
1805 netdb_ping_period 5 minutes
1813 LOC: Config.onoff.query_icmp
1815 If you want to ask your peers to include ICMP data in their ICP
1816 replies, enable this option.
1818 If your peer has built squid with '-DUSE_ICMP=1' then that peer
1819 will send ICMP pings to origin server sites of the URLs it
1820 receives. If you enable this option then the ICP replies from
1821 that peer will include the ICMP data (if available). Then,
1822 when choosing a parent cache, Squid will choose the parent with
1823 the minimal RTT to the origin server. When this happens, the
1824 hierarchy field of the access.log will be
1825 "CLOSEST_PARENT_MISS". This option is off by default.
1834 LOC: Config.onoff.buffered_logs
1836 Some log files (cache.log, useragent.log) are written with
1837 stdio functions, and as such they can be buffered or
1838 unbuffered. By default they will be unbuffered.
1844 LOC: Config.accessList.AlwaysDirect
1852 LOC: Config.accessList.NeverDirect
1858 #NAME: proxy_auth_ignore
1859 #TYPE: regexplist_icase
1860 #LOC: Config.proxyAuth.IgnoreDomains
1865 NAME: fake_user_agent
1870 If you use the paranoid http_anonymizer setting, Squid will strip
1871 your User-agent string from the request. Some Web servers will
1872 refuse your request without a User-agent string. Use this to
1873 fake one up. For example:
1875 fake_user_agent Nutscrape/1.0 (CP/M; 8-bit)
1876 (credit to Paul Southworth pauls@etext.org for this one!)
1878 fake_user_agent none
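The three http_anonymizer settings described earlier, together with the fake_user_agent substitution from this entry, expressed as a header filter. This is an added example and not Squid's http-anon.c; the point it makes is the difference in design between 'standard' (a deny-list: named headers are removed, anything new passes) and 'paranoid' (an allow-list: only named headers pass, anything new is dropped). The two header sets below are constructed for illustration; the authoritative lists live in the http-anon.c source file named above.

```python
"""Added example (not Squid's http-anon.c): the 'off', 'standard' and
'paranoid' http_anonymizer modes as header-filter policies, plus the
fake_user_agent substitution applied when the real User-Agent was removed."""

from typing import Dict, Optional

# Constructed deny-list for 'standard' mode: these are stripped.
STANDARD_DENY = {"from", "referer", "user-agent", "via", "x-forwarded-for"}

# Constructed allow-list for 'paranoid' mode: only these are forwarded.
PARANOID_ALLOW = {
    "host", "accept", "accept-encoding", "content-type", "content-length",
    "authorization", "cache-control", "if-modified-since",
}


def anonymize(headers: Dict[str, str], mode: str,
              fake_user_agent: Optional[str] = None) -> Dict[str, str]:
    """Return the request headers that would be forwarded.

    Header names are compared case-insensitively; the original spelling
    is kept in the result.  fake_user_agent follows the tag's semantics:
    'none' (the default shown above) adds nothing, any other value is
    inserted only when the filter left the request without a User-Agent.
    """
    if mode == "off":
        kept = dict(headers)
    elif mode == "standard":
        kept = {k: v for k, v in headers.items() if k.lower() not in STANDARD_DENY}
    elif mode == "paranoid":
        kept = {k: v for k, v in headers.items() if k.lower() in PARANOID_ALLOW}
    else:
        raise ValueError(f"unknown http_anonymizer setting {mode!r}")

    has_ua = any(k.lower() == "user-agent" for k in kept)
    if fake_user_agent and fake_user_agent != "none" and not has_ua:
        kept["User-Agent"] = fake_user_agent
    return kept
```

A header that neither list mentions (the constructed X-Custom below) shows the practical difference: 'standard' lets it through, 'paranoid' does not. Servers that refuse requests lacking a User-Agent get the configured fake one only after the real one has been stripped.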
1881 NAME: icon_directory
1883 LOC: Config.icons.directory
1884 DEFAULT: @DEFAULT_ICON_DIR@
1889 NAME: error_directory
1891 LOC: Config.errorDirectory
1892 DEFAULT: @DEFAULT_ERROR_DIR@
1897 NAME: icon_content_type
1899 LOC: Config.icons.content_type
1905 NAME: minimum_retry_timeout
1908 LOC: Config.retry.timeout
1911 This specifies the minimum connect timeout, for when the
1912 connect timeout is reduced to compensate for the availability
1913 of multiple IP addresses.
1915 When a connection to a host is initiated, and that host
1916 has several IP addresses, the default connection timeout
1917 is reduced by dividing it by the number of addresses. So,
1918 a site with 15 addresses would then have a timeout of 8
1919 seconds for each address attempted. To avoid having the
1920 timeout reduced to the point where even a working host
1921 would not have a chance to respond, this setting is provided.
1922 The default, and the minimum value, is five seconds, and
1923 the maximum value is sixty seconds, or half of connect_timeout,
1924 whichever is greater and less than connect_timeout.
1926 minimum_retry_timeout 5
1929 NAME: maximum_single_addr_tries
1931 LOC: Config.retry.maxtries
1934 This sets the maximum number of connection attempts for a
1935 host that only has one address (for multiple-address hosts,
1936 each address is tried once).
1938 The default value is three tries, the (not recommended)
1939 maximum is 255 tries. A warning message will be generated
1940 if it is set to a value greater than ten.
1942 maximum_single_addr_tries 3
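The timeout arithmetic of minimum_retry_timeout and the attempt rule of maximum_single_addr_tries, carried through as an added example that is not Squid's connection code. connect_timeout is a separate tag not shown in this excerpt; it is assumed to be 120 seconds here, the value consistent with the "15 addresses would then have a timeout of 8 seconds" example in the text. The functions return the per-address timeout and the full attempt schedule so the clamping described above can be checked for any number of addresses.

```python
"""Added example (not Squid code): connect-timeout reduction for
multi-address hosts, its minimum_retry_timeout floor, and the retry
rule for single-address hosts (maximum_single_addr_tries)."""

from typing import List, Tuple

CONNECT_TIMEOUT = 120  # assumed value of the connect_timeout tag (seconds)


def effective_minimum_retry(min_retry: int,
                            connect_timeout: int = CONNECT_TIMEOUT) -> int:
    """Clamp minimum_retry_timeout as the text describes: at least five
    seconds; at most the greater of sixty seconds and half of
    connect_timeout, and always below connect_timeout itself."""
    upper = max(60, connect_timeout // 2)
    if upper >= connect_timeout:
        upper = connect_timeout - 1
    return max(5, min(min_retry, upper))


def per_address_timeout(n_addrs: int, min_retry: int = 5,
                        connect_timeout: int = CONNECT_TIMEOUT) -> int:
    """connect_timeout divided by the number of addresses (integer
    seconds), never reduced below the effective minimum_retry_timeout."""
    if n_addrs < 1:
        raise ValueError("a host must have at least one address")
    floor = effective_minimum_retry(min_retry, connect_timeout)
    return max(connect_timeout // n_addrs, floor)


def attempt_schedule(addrs: List[str], max_single_tries: int = 3,
                     min_retry: int = 5,
                     connect_timeout: int = CONNECT_TIMEOUT) -> List[Tuple[str, int]]:
    """(address, timeout) pairs in the order they would be tried.

    A single-address host is retried up to max_single_tries times with the
    full timeout; a multi-address host gets each address once with the
    reduced timeout.  Values above ten are accepted with a warning, values
    outside 1..255 are rejected, matching the limits stated in the text.
    """
    if not 1 <= max_single_tries <= 255:
        raise ValueError("maximum_single_addr_tries must be between 1 and 255")
    if max_single_tries > 10:
        print("WARNING: maximum_single_addr_tries above ten is not recommended")
    if len(addrs) == 1:
        return [(addrs[0], connect_timeout)] * max_single_tries
    timeout = per_address_timeout(len(addrs), min_retry, connect_timeout)
    return [(addr, timeout) for addr in addrs]
```

With the assumed 120 second connect_timeout, fifteen addresses give eight seconds each as in the text, sixty addresses would give two seconds but are held at the five second floor, and raising minimum_retry_timeout to ten raises that floor accordingly.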
1947 LOC: Config.Port.snmp
1951 Port for snmp. <=0 to disable.
1954 NAME: snmp_config_file
1956 LOC: Config.Snmp.configFile
1957 DEFAULT: @DEFAULT_SNMP_CONF@
1960 External snmp configuration file, CMU-snmpd style.
1963 NAME: snmp_do_queueing
1965 LOC: Config.Snmp.do_queueing
1969 If disabled, snmp packets will not be queued but delivered
1970 immediately. This can be useful when you want to monitor
1971 a cache in trouble, but it can also cause squid to block.
1974 NAME: forward_snmpd_port
1976 LOC: Config.Snmp.localPort
1980 This configures whether we should be forwarding SNMP requests
1981 to another snmpd. The reason for putting this piece of functionality
1982 into squid was to enable access to the system's installed
1983 snmpd with minimal changes.
1984 This option is turned off by default; check /etc/services
1985 for your system's snmp port (usually 161).
1986 We do not use getservbyname(), so that you can put squid on port 161
1987 and move your system's snmpd to another port by changing /etc/services.
1989 WARNING: Because squid is acting as a proxy snmpd for the system,
1990 you have to do the security checks on THIS snmpd for all objects.
1991 Check your snmp_config_file.
1996 LOC: Config.Snmp.mibPath
1997 DEFAULT: @DEFAULT_MIB_PATH@
2000 The location of squid's mib.
2053 LOC: Config.Snmp.trap_sink
2057 Hostname or IP address of the SNMP trap sink
2060 NAME: snmp_trap_community
2062 LOC: Config.Snmp.trap_community
2066 Community name for traps
2069 NAME: snmp_enable_authen_traps
2071 LOC: Config.Snmp.conf_authtraps
2075 Enable SNMP authenticated traps
2078 NAME: snmp_agent_conf
2080 LOC: Config.Snmp.snmpconf
2084 Define snmp views, users and communities
2086 snmp_agent_conf view all .1.3.6 included
2087 snmp_agent_conf view squid .1.3.6 included
2088 snmp_agent_conf user squid - all all public
2089 snmp_agent_conf user all all all all squid
2090 snmp_agent_conf community public squid squid
2091 snmp_agent_conf community readwrite all all