3 # $Id: cf.data.pre,v 1.419 2006/07/02 16:53:46 serassio Exp $
6 # SQUID Web Proxy Cache http://www.squid-cache.org/
7 # ----------------------------------------------------------
9 # Squid is the result of efforts by numerous individuals from
10 # the Internet community; see the CONTRIBUTORS file for full
11 # details. Many organizations have provided support for Squid's
12 # development; see the SPONSORS file for full details. Squid is
13 # Copyrighted (C) 2000 by the Regents of the University of
14 # California; see the COPYRIGHT file for full details. Squid
15 # incorporates software developed and/or copyrighted by other
16 # sources; see the CREDITS file for full details.
18 # This program is free software; you can redistribute it and/or modify
19 # it under the terms of the GNU General Public License as published by
20 # the Free Software Foundation; either version 2 of the License, or
21 # (at your option) any later version.
23 # This program is distributed in the hope that it will be useful,
24 # but WITHOUT ANY WARRANTY; without even the implied warranty of
25 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 # GNU General Public License for more details.
28 # You should have received a copy of the GNU General Public License
29 # along with this program; if not, write to the Free Software
30 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
34 WELCOME TO SQUID @VERSION@
35 ----------------------------
37 This is the default Squid configuration file. You may wish
38 to look at the Squid home page (http://www.squid-cache.org/)
39 for the FAQ and other documentation.
41 The default Squid config file shows what the defaults for
42 various options happen to be. If you don't need to change the
43 default, you shouldn't uncomment the line. Doing so may cause
44 run-time problems. In some cases "none" refers to no default
45 setting at all, while in other cases it refers to a valid
46 option - the comments for that keyword indicate if this is the
53 -----------------------------------------------------------------------------
56 NAME: http_port ascii_port
59 LOC: Config.Sockaddr.http
62 hostname:port [options]
63 1.2.3.4:port [options]
65 The socket addresses where Squid will listen for HTTP client
66 requests. You may specify multiple socket addresses.
67 There are three forms: port alone, hostname with port, and
68 IP address with port. If you specify a hostname or IP
69 address, Squid binds the socket to that specific
70 address. This replaces the old 'tcp_incoming_address'
71 option. Most likely, you do not need to bind to a specific
72 address, so you can use the port number alone.
74 If you are running Squid in accelerator mode, you
75 probably want to listen on port 80 also, or instead.
77 The -a command line option will override the *first* port
78 number listed here. That option will NOT override an IP
81 You may specify multiple socket addresses on multiple lines.
85 transparent Support for transparent proxies
87 accel Accelerator mode. Also set implicit by the other
88 accelerator directives
90 vhost Accelerator mode using Host header for virtual
93 vport Accelerator with IP based virtual host support
95 vport=NN As above, but uses specified port number rather
96 than the http_port number
98 defaultsite= Main web site name for accelerators
100 protocol= Protocol to reconstruct accelerated requests with.
103 disable-pmtu-discovery=
104 Control Path-MTU discovery usage:
105 off lets OS decide on what to do (default).
106 transparent disable PMTU discovery when transparent
108 always disable always PMTU discovery.
110 In many setups of transparently intercepting proxies Path-MTU
111 discovery can not work on traffic towards the clients. This is
112 the case when the intercepting device does not fully track
113 connections and fails to forward ICMP must fragment messages
114 to the cache server. If you have such setup and experience that
115 certain clients sporadically hang or never complete requests set
116 disable-pmtu-discovery option to 'transparent'.
118 If you run Squid on a dual-homed machine with an internal
119 and an external interface we recommend you to specify the
120 internal address:port in http_port. This way Squid will only be
121 visible on the internal address.
123 # Squid normally listens to port 3128
124 http_port @DEFAULT_HTTP_PORT@
130 TYPE: https_port_list
132 LOC: Config.Sockaddr.https
134 Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
136 The socket address where Squid will listen for HTTPS client
139 This is really only useful for situations where you are running
140 squid in accelerator mode and you want to do the SSL work at the
143 You may specify multiple socket addresses on multiple lines,
144 each with their own SSL certificate and/or options.
148 defaultsite= The name of the https site presented on
151 protocol= Protocol to reconstruct accelerated requests
152 with. Defaults to https
154 cert= Path to SSL certificate (PEM format)
156 key= Path to SSL private key file (PEM format)
157 if not specified, the certificate file is
158 assumed to be a combined certificate and
161 version= The version of SSL/TLS supported
162 1 automatic (default)
167 cipher= Colon separated list of supported ciphers
169 options= Various SSL engine options. The most important
171 NO_SSLv2 Disallow the use of SSLv2
172 NO_SSLv3 Disallow the use of SSLv3
173 NO_TLSv1 Disallow the use of TLSv1
174 SINGLE_DH_USE Always create a new key when using
175 temporary/ephemeral DH key exchanges
176 See src/ssl_support.c or OpenSSL SSL_CTX_set_options
177 documentation for a complete list of options
179 clientca= File containing the list of CAs to use when
180 requesting a client certificate
182 cafile= File containing additional CA certificates to
183 use when verifying client certificates. If unset
184 clientca will be used
186 capath= Directory containing additional CA certificates
187 and CRL lists to use when verifying client certificates
189 crlfile= File of additional CRL lists to use when verifying
190 the client certificate, in addition to CRLs stored in
191 the capath. Implies VERIFY_CRL flag below.
193 dhparams= File containing DH parameters for temporary/ephemeral
196 sslflags= Various flags modifying the use of SSL:
198 Don't request client certificates
199 immediately, but wait until acl processing
200 requires a certificate (not yet implemented)
202 Don't use the default CA lists built in
205 Don't allow for session reuse. Each connection
206 will result in a new SSL session.
208 Verify CRL lists when accepting client
211 Verify CRL lists for all certificates in the
212 client certificate chain
214 sslcontext= SSL session ID context identifier.
216 accel Accelerator mode. Also set implicit by the other
217 accelerator directives
219 vhost Accelerator mode using Host header for virtual
222 vport Accelerator with IP based virtual host support
224 vport=NN As above, but uses specified port number rather
225 than the https_port number
229 NAME: ssl_unclean_shutdown
233 LOC: Config.SSL.unclean_shutdown
235 Some browsers (especially MSIE) bugs out on SSL shutdown
242 LOC: Config.SSL.ssl_engine
245 The openssl engine to use. You will need to set this if you
246 would like to use hardware SSL acceleration for example.
249 NAME: sslproxy_client_certificate
252 LOC: Config.ssl_client.cert
255 Client SSL Certificate to use when proxying https:// URLs
258 NAME: sslproxy_client_key
261 LOC: Config.ssl_client.key
264 Client SSL Key to use when proxying https:// URLs
267 NAME: sslproxy_version
270 LOC: Config.ssl_client.version
273 SSL version level to use when proxying https:// URLs
276 NAME: sslproxy_options
279 LOC: Config.ssl_client.options
282 SSL engine options to use when proxying https:// URLs
285 NAME: sslproxy_cipher
288 LOC: Config.ssl_client.cipher
291 SSL cipher list to use when proxying https:// URLs
294 NAME: sslproxy_cafile
297 LOC: Config.ssl_client.cafile
300 file containing CA certificates to use when verifying server
301 certificates while proxying https:// URLs
304 NAME: sslproxy_capath
307 LOC: Config.ssl_client.capath
310 directory containing CA certificates to use when verifying
311 server certificates while proxying https:// URLs
317 LOC: Config.ssl_client.flags
320 Various flags modifying the use of SSL while proxying https:// URLs:
321 DONT_VERIFY_PEER Accept certificates even if they fail to
323 NO_DEFAULT_CA Don't use the default CA list built in
327 NAME: sslpassword_program
330 LOC: Config.Program.ssl_password
333 Specify a program used for entering SSL key passphrases
334 when using encrypted SSL certificate keys. If not specified
335 keys must either be unencrypted, or Squid started with the -N
336 option to allow it to query interactively for the passphrase.
339 NAME: icp_port udp_port
344 The port number where Squid sends and receives ICP queries to
345 and from neighbor caches. The standard UDP port for ICP is 3130.
346 Default is disabled (0).
348 icp_port @DEFAULT_ICP_PORT@
356 LOC: Config.Port.htcp
358 The port number where Squid sends and receives HTCP queries to
359 and from neighbor caches. Default is 4827. To disable use
366 LOC: Config.mcast_group_list
369 This tag specifies a list of multicast groups which your server
370 should join to receive multicasted ICP queries.
372 NOTE! Be very careful what you put here! Be sure you
373 understand the difference between an ICP _query_ and an ICP
374 _reply_. This option is to be set only if you want to RECEIVE
375 multicast queries. Do NOT set this option to SEND multicast
376 ICP (use cache_peer for that). ICP replies are always sent via
377 unicast, so this option does not affect whether or not you will
378 receive replies from multicast group members.
380 You must be very careful to NOT use a multicast address which
381 is already in use by another group of caches.
383 If you are unsure about multicast, please read the Multicast
384 chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
386 Usage: mcast_groups 239.128.16.128 224.0.1.20
388 By default, Squid doesn't listen on any multicast groups.
392 NAME: udp_incoming_address
394 LOC:Config.Addrs.udp_incoming
398 NAME: udp_outgoing_address
400 LOC: Config.Addrs.udp_outgoing
401 DEFAULT: 255.255.255.255
403 udp_incoming_address is used for the ICP socket receiving packets
405 udp_outgoing_address is used for ICP packets sent out to other
408 The default behavior is to not bind to any specific address.
410 A udp_incoming_address value of 0.0.0.0 indicates Squid
411 should listen for UDP messages on all available interfaces.
413 If udp_outgoing_address is set to 255.255.255.255 (the default)
414 it will use the same socket as udp_incoming_address. Only
415 change this if you want to have ICP queries sent using another
416 address than where this Squid listens for ICP queries from other
419 NOTE, udp_incoming_address and udp_outgoing_address can not
420 have the same value since they both use port 3130.
424 OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
425 -----------------------------------------------------------------------------
433 To specify other caches in a hierarchy, use the format:
435 cache_peer hostname type http_port icp_port [options]
440 # hostname type port port options
441 # -------------------- -------- ----- ----- -----------
442 cache_peer parent.foo.net parent 3128 3130 [proxy-only]
443 cache_peer sib1.foo.net sibling 3128 3130 [proxy-only]
444 cache_peer sib2.foo.net sibling 3128 3130 [proxy-only]
446 type: either 'parent', 'sibling', or 'multicast'.
448 proxy_port: The port number where the cache listens for proxy
451 icp_port: Used for querying neighbor caches about
452 objects. To have a non-ICP neighbor
453 specify '7' for the ICP port and make sure the
454 neighbor machine has the UDP echo port
455 enabled in its /etc/inetd.conf file.
472 login=user:password | PASS | *:password
483 sslcert=/path/to/ssl/certificate
484 sslkey=/path/to/ssl/key
488 front-end-https[=on|auto]
490 use 'proxy-only' to specify objects fetched
491 from this cache should not be saved locally.
493 use 'weight=n' to specify a weighted parent.
494 The weight must be an integer. The default weight
495 is 1, larger weights are favored more.
497 use 'basetime=n' to specify a base amount to
498 be subtracted from round trip times of parents.
499 It is subtracted before division by weight in calculating
500 which parent to fectch from. If the rtt is less than the
501 base time the rtt is set to a minimal value.
503 use 'ttl=n' to specify a IP multicast TTL to use
504 when sending an ICP queries to this address.
505 Only useful when sending to a multicast group.
506 Because we don't accept ICP replies from random
507 hosts, you must configure other group members as
508 peers with the 'multicast-responder' option below.
510 use 'no-query' to NOT send ICP queries to this
513 use 'background-ping' to only send ICP queries to this
514 neighbor infrequently. This is used to keep the neighbor
515 round trip time updated and is usually used in
516 conjunction with weighted-round-robin.
518 use 'default' if this is a parent cache which can
519 be used as a "last-resort." You should probably
520 only use 'default' in situations where you cannot
521 use ICP with your parent cache(s).
523 use 'round-robin' to define a set of parents which
524 should be used in a round-robin fashion in the
525 absence of any ICP queries.
527 use 'weighted-round-robin' to define a set of parents
528 which should be used in a round-robin fashion with the
529 frequency of each parent being based on the round trip
530 time. Closer parents are used more often.
531 Usually used for background-ping parents.
533 use 'carp' to define a set of parents which should
534 be used as a CARP array. The requests will be
535 distributed among the parents based on the CARP load
536 balancing hash function based on their weigth.
538 'multicast-responder' indicates the named peer
539 is a member of a multicast group. ICP queries will
540 not be sent directly to the peer, but ICP replies
541 will be accepted from it.
543 'closest-only' indicates that, for ICP_OP_MISS
544 replies, we'll only forward CLOSEST_PARENT_MISSes
545 and never FIRST_PARENT_MISSes.
547 use 'no-digest' to NOT request cache digests from
550 'no-netdb-exchange' disables requesting ICMP
551 RTT database (NetDB) from the neighbor.
553 use 'no-delay' to prevent access to this neighbor
554 from influencing the delay pools.
556 use 'login=user:password' if this is a personal/workgroup
557 proxy and your parent requires proxy authentication.
558 Note: The string can include URL escapes (i.e. %20 for
559 spaces). This also means % must be written as %%.
561 use 'login=PASS' if users must authenticate against
562 the upstream proxy or in the case of a reverse proxy
563 configuration, the origin web server. This will pass
564 the users credentials as they are to the peer.
565 This only works for the Basic HTTP authentication scheme.
566 Note: To combine this with proxy_auth both proxies must
567 share the same user database as HTTP only allows for
569 Also be warned this will expose your users proxy
570 password to the peer. USE WITH CAUTION
572 use 'login=*:password' to pass the username to the
573 upstream cache, but with a fixed password. This is meant
574 to be used when the peer is in another administrative
575 domain, but it is still needed to identify each user.
576 The star can optionally be followed by some extra
577 information which is added to the username. This can
578 be used to identify this proxy to the peer, similar to
579 the login=username:password option above.
581 use 'connect-timeout=nn' to specify a peer
582 specific connect timeout (also see the
583 peer_connect_timeout directive)
585 use 'digest-url=url' to tell Squid to fetch the cache
586 digest (if digests are enabled) for this host from
587 the specified URL rather than the Squid default
590 use 'allow-miss' to disable Squid's use of only-if-cached
591 when forwarding requests to siblings. This is primarily
592 useful when icp_hit_stale is used by the sibling. To
593 extensive use of this option may result in forwarding
594 loops, and you should avoid having two-way peerings
595 with this option. (for example to deny peer usage on
596 requests from peer by denying cache_peer_access if the
599 use 'max-conn' to limit the amount of connections Squid
600 may open to this peer.
602 use 'htcp' to send HTCP, instead of ICP, queries
603 to the neighbor. You probably also want to
604 set the "icp port" to 4827 instead of 3130.
606 use 'htcp-oldsquid' to send HTCP to old Squid versions
608 'originserver' causes this parent peer to be contacted as
609 a origin server. Meant to be used in accelerator setups.
611 use 'name=xxx' if you have multiple peers on the same
612 host but different ports. This name can be used to
613 differentiate the peers in cache_peer_access and similar
616 use 'forceddomain=name' to forcibly set the Host header
617 of requests forwarded to this peer. Useful in accelerator
618 setups where the server (peer) expects a certain domain
619 name and using redirectors to feed this domainname
622 use 'ssl' to indicate connections to this peer should
623 bs SSL/TLS encrypted.
625 use 'sslcert=/path/to/ssl/certificate' to specify a client
626 SSL certificate to use when connecting to this peer.
628 use 'sslkey=/path/to/ssl/key' to specify the private SSL
629 key corresponding to sslcert above. If 'sslkey' is not
630 specified 'sslcert' is assumed to reference a
631 combined file containing both the certificate and the key.
633 use sslversion=1|2|3|4 to specify the SSL version to use
634 when connecting to this peer
635 1 = automatic (default)
640 use sslcipher=... to specify the list of valid SSL chipers
641 to use when connecting to this peer
643 use ssloptions=... to specify various SSL engine options:
644 NO_SSLv2 Disallow the use of SSLv2
645 NO_SSLv3 Disallow the use of SSLv3
646 NO_TLSv1 Disallow the use of TLSv1
647 See src/ssl_support.c or the OpenSSL documentation for
648 a more complete list.
650 use cafile=... to specify a file containing additional
651 CA certificates to use when verifying the peer certificate
653 use capath=... to specify a directory containing additional
654 CA certificates to use when verifying the peer certificate
656 use sslflags=... to specify various flags modifying the
659 Accept certificates even if they fail to
662 Don't use the default CA list built in
665 Don't verify the peer certificate
666 matches the server name
668 use sslname= to specify the peer name as advertised
669 in it's certificate. Used for verifying the correctness
670 of the received peer certificate. If not specified the
671 peer hostname will be used.
673 use front-end-https to enable the "Front-End-Https: On"
674 header needed when using Squid as a SSL frontend infront
675 of Microsoft OWA. See MS KB document Q307347 for details
676 on this header. If set to auto the header will
677 only be added if the request is forwarded as a https://
680 NOTE: non-ICP neighbors must be specified as 'parent'.
683 NAME: cache_peer_domain cache_host_domain
688 Use to limit the domains for which a neighbor cache will be
691 cache_peer_domain cache-host domain [domain ...]
692 cache_peer_domain cache-host !domain
694 For example, specifying
696 cache_peer_domain parent.foo.net .edu
698 has the effect such that UDP query packets are sent to
699 'bigserver' only when the requested object exists on a
700 server in the .edu domain. Prefixing the domainname
701 with '!' means the cache will be queried for objects
704 NOTE: * Any number of domains may be given for a cache-host,
705 either on the same or separate lines.
706 * When multiple domains are given for a particular
707 cache-host, the first matched domain is applied.
708 * Cache hosts with no domain restrictions are queried
710 * There are no defaults.
711 * There is also a 'cache_peer_access' tag in the ACL
716 NAME: neighbor_type_domain
721 usage: neighbor_type_domain neighbor parent|sibling domain domain ...
723 Modifying the neighbor type for specific domains is now
724 possible. You can treat some domains differently than the the
725 default neighbor type specified on the 'cache_peer' line.
726 Normally it should only be necessary to list domains which
727 should be treated differently because the default neighbor type
728 applies for hostnames which do not match domains listed here.
731 cache_peer parent cache.foo.org 3128 3130
732 neighbor_type_domain cache.foo.org sibling .com .net
733 neighbor_type_domain cache.foo.org sibling .au .de
736 NAME: icp_query_timeout
740 LOC: Config.Timeout.icp_query
742 Normally Squid will automatically determine an optimal ICP
743 query timeout value based on the round-trip-time of recent ICP
744 queries. If you want to override the value determined by
745 Squid, set this 'icp_query_timeout' to a non-zero value. This
746 value is specified in MILLISECONDS, so, to use a 2-second
747 timeout (the old default), you would write:
749 icp_query_timeout 2000
752 NAME: maximum_icp_query_timeout
756 LOC: Config.Timeout.icp_query_max
758 Normally the ICP query timeout is determined dynamically. But
759 sometimes it can lead to very large values (say 5 seconds).
760 Use this option to put an upper limit on the dynamic timeout
761 value. Do NOT use this option to always use a fixed (instead
762 of a dynamic) timeout value. To set a fixed timeout see the
763 'icp_query_timeout' directive.
766 NAME: minimum_icp_query_timeout
770 LOC: Config.Timeout.icp_query_min
772 Normally the ICP query timeout is determined dynamically. But
773 sometimes it can lead to very small timeouts, even lower than
774 the normal latency variance on your link due to traffic.
775 Use this option to put an lower limit on the dynamic timeout
776 value. Do NOT use this option to always use a fixed (instead
777 of a dynamic) timeout value. To set a fixed timeout see the
778 'icp_query_timeout' directive.
781 NAME: mcast_icp_query_timeout
785 LOC: Config.Timeout.mcast_icp_query
787 For Multicast peers, Squid regularly sends out ICP "probes" to
788 count how many other peers are listening on the given multicast
789 address. This value specifies how long Squid should wait to
790 count all the replies. The default is 2000 msec, or 2
794 NAME: dead_peer_timeout
798 LOC: Config.Timeout.deadPeer
800 This controls how long Squid waits to declare a peer cache
801 as "dead." If there are no ICP replies received in this
802 amount of time, Squid will declare the peer dead and not
803 expect to receive any further ICP replies. However, it
804 continues to send ICP queries, and will mark the peer as
805 alive upon receipt of the first subsequent ICP reply.
807 This timeout also affects when Squid expects to receive ICP
808 replies from peers. If more than 'dead_peer' seconds have
809 passed since the last ICP reply was received, Squid will not
810 expect to receive an ICP reply on the next query. Thus, if
811 your time between requests is greater than this timeout, you
812 will see a lot of requests sent DIRECT to origin servers
813 instead of to your parents.
817 NAME: hierarchy_stoplist
820 LOC: Config.hierarchy_stoplist
822 A list of words which, if found in a URL, cause the object to
823 be handled directly by this cache. In other words, use this
824 to not query neighbor caches for certain objects. You may
825 list this option multiple times.
827 #We recommend you to use at least the following line.
828 hierarchy_stoplist cgi-bin ?
836 LOC: Config.accessList.noCache
838 A list of ACL elements which, if matched, cause the request to
839 not be satisfied from the cache and the reply to not be cached.
840 In other words, use this to force certain objects to never be cached.
842 You must use the word 'DENY' to indicate the ACL names which should
845 Default is to allow all to be cached
847 #We recommend you to use the following two lines.
848 acl QUERY urlpath_regex cgi-bin \?
853 NAME: background_ping_rate
857 LOC: Config.backgroundPingRate
859 Controls how often the ICP pings are sent to siblings that
860 have background-ping set.
865 OPTIONS WHICH AFFECT THE CACHE SIZE
866 -----------------------------------------------------------------------------
873 LOC: Config.memMaxSize
875 NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
876 IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
877 USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
878 THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
880 'cache_mem' specifies the ideal amount of memory to be used
884 * Negative-Cached objects
886 Data for these objects are stored in 4 KB blocks. This
887 parameter specifies the ideal upper limit on the total size of
888 4 KB blocks allocated. In-Transit objects take the highest
891 In-transit objects have priority over the others. When
892 additional space is needed for incoming data, negative-cached
893 and hot objects will be released. In other words, the
894 negative-cached and hot objects will fill up any unused space
895 not needed for in-transit objects.
897 If circumstances require, this limit will be exceeded.
898 Specifically, if your incoming request rate requires more than
899 'cache_mem' of memory to hold in-transit objects, Squid will
900 exceed this limit to satisfy the new requests. When the load
901 decreases, blocks will be freed until the high-water mark is
902 reached. Thereafter, blocks will be used to store hot
908 COMMENT: (percent, 0-100)
911 LOC: Config.Swap.lowWaterMark
914 NAME: cache_swap_high
915 COMMENT: (percent, 0-100)
918 LOC: Config.Swap.highWaterMark
921 The low- and high-water marks for cache object replacement.
922 Replacement begins when the swap (disk) usage is above the
923 low-water mark and attempts to maintain utilization near the
924 low-water mark. As swap utilization gets close to high-water
925 mark object eviction becomes more aggressive. If utilization is
926 close to the low-water mark less replacement is done each time.
928 Defaults are 90% and 95%. If you have a large cache, 5% could be
929 hundreds of MB. If this is the case you may wish to set these
930 numbers closer together.
933 NAME: maximum_object_size
937 LOC: Config.Store.maxObjectSize
939 Objects larger than this size will NOT be saved on disk. The
940 value is specified in kilobytes, and the default is 4MB. If
941 you wish to get a high BYTES hit ratio, you should probably
942 increase this (one 32 MB object hit counts for 3200 10KB
943 hits). If you wish to increase speed more than your want to
944 save bandwidth you should leave this low.
946 NOTE: if using the LFUDA replacement policy you should increase
947 this value to maximize the byte hit rate improvement of LFUDA!
948 See replacement_policy below for a discussion of this policy.
951 NAME: minimum_object_size
955 LOC: Config.Store.minObjectSize
957 Objects smaller than this size will NOT be saved on disk. The
958 value is specified in kilobytes, and the default is 0 KB, which
959 means there is no minimum.
962 NAME: maximum_object_size_in_memory
966 LOC: Config.Store.maxInMemObjSize
968 Objects greater than this size will not be attempted to kept in
969 the memory cache. This should be set high enough to keep objects
970 accessed frequently in memory to improve performance whilst low
971 enough to keep larger objects from hoarding cache_mem .
975 COMMENT: (number of entries)
978 LOC: Config.ipcache.size
985 LOC: Config.ipcache.low
992 LOC: Config.ipcache.high
994 The size, low-, and high-water marks for the IP cache.
998 COMMENT: (number of entries)
1001 LOC: Config.fqdncache.size
1003 Maximum number of FQDN cache entries.
1006 NAME: cache_replacement_policy
1008 LOC: Config.replPolicy
1011 The cache replacement policy parameter determines which
1012 objects are evicted (replaced) when disk space is needed.
1014 lru : Squid's original list based LRU policy
1015 heap GDSF : Greedy-Dual Size Frequency
1016 heap LFUDA: Least Frequently Used with Dynamic Aging
1017 heap LRU : LRU policy implemented using a heap
1019 Applies to any cache_dir lines listed below this.
1021 The LRU policies keeps recently referenced objects.
1023 The heap GDSF policy optimizes object hit rate by keeping smaller
1024 popular objects in cache so it has a better chance of getting a
1025 hit. It achieves a lower byte hit rate than LFUDA though since
1026 it evicts larger (possibly popular) objects.
1028 The heap LFUDA policy keeps popular objects in cache regardless of
1029 their size and thus optimizes byte hit rate at the expense of
1030 hit rate since one large, popular object will prevent many
1031 smaller, slightly less popular objects from being cached.
1033 Both policies utilize a dynamic aging mechanism that prevents
1034 cache pollution that can otherwise occur with frequency-based
1035 replacement policies.
1037 NOTE: if using the LFUDA replacement policy you should increase
1038 the value of maximum_object_size above its default of 4096 KB to
1039 to maximize the potential byte hit rate improvement of LFUDA.
1041 For more information about the GDSF and LFUDA cache replacement
1042 policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
1043 and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
1046 NAME: memory_replacement_policy
1048 LOC: Config.memPolicy
1051 The memory replacement policy parameter determines which
1052 objects are purged from memory when memory space is needed.
1054 See cache_replacement_policy for details.
1059 LOGFILE PATHNAMES AND CACHE DIRECTORIES
1060 -----------------------------------------------------------------------------
1066 DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256
1067 LOC: Config.cacheSwap
1071 cache_dir Type Directory-Name Fs-specific-data [options]
1073 You can specify multiple cache_dir lines to spread the
1074 cache among different disk partitions.
1076 Type specifies the kind of storage system to use. Only "ufs"
1077 is built by default. To enable any of the other storage systems
1078 see the --enable-storeio configure option.
1080 'Directory' is a top-level directory where cache swap
1081 files will be stored. If you want to use an entire disk
1082 for caching, this can be the mount-point directory.
1083 The directory must exist and be writable by the Squid
1084 process. Squid will NOT create this directory for you.
1088 "ufs" is the old well-known Squid storage format that has always
1091 cache_dir ufs Directory-Name Mbytes L1 L2 [options]
1093 'Mbytes' is the amount of disk space (MB) to use under this
1094 directory. The default is 100 MB. Change this to suit your
1095 configuration. Do NOT put the size of your disk drive here.
1096 Instead, if you want Squid to use the entire disk drive,
1097 subtract 20% and use that value.
1099 'Level-1' is the number of first-level subdirectories which
1100 will be created under the 'Directory'. The default is 16.
1102 'Level-2' is the number of second-level subdirectories which
1103 will be created under each first-level directory. The default
1106 The aufs store type:
1108 "aufs" uses the same storage format as "ufs", utilizing
1109 POSIX-threads to avoid blocking the main Squid process on
1110 disk-I/O. This was formerly known in Squid as async-io.
1112 cache_dir aufs Directory-Name Mbytes L1 L2 [options]
1114 see argument descriptions under ufs above
1116 The diskd store type:
1118 "diskd" uses the same storage format as "ufs", utilizing a
1119 separate process to avoid blocking the main Squid process on
1122 cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
1124 see argument descriptions under ufs above
1126 Q1 specifies the number of unacknowledged I/O requests when Squid
1127 stops opening new files. If this many messages are in the queues,
1128 Squid won't open new files. Default is 64
1130 Q2 specifies the number of unacknowledged messages when Squid
1131 starts blocking. If this many messages are in the queues,
1132 Squid blocks until it receives some replies. Default is 72
1134 When Q1 < Q2 (the default), the cache directory is optimized
1135 for lower response time at the expense of a decrease in hit
1136 ratio. If Q1 > Q2, the cache directory is optimized for
1137 higher hit ratio at the expense of an increase in response
1140 The coss store type:
1142 block-size=n defines the "block size" for COSS cache_dir's.
1143 Squid uses file numbers as block numbers. Since file numbers
1144 are limited to 24 bits, the block size determines the maximum
1145 size of the COSS partition. The default is 512 bytes, which
1146 leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
1147 you should not change the coss block size after Squid
1148 has written some objects to the cache_dir.
1150 The coss file store has changed from 2.5. Now it uses a file
1151 called 'stripe' in the directory names in the config - and
1152 this will be created by squid -z.
1156 read-only, this cache_dir is read only.
1158 max-size=n, refers to the max object size this storedir supports.
1159 It is used to initially choose the storedir to dump the object.
1160 Note: To make optimal use of the max-size limits you should order
1161 the cache_dir lines with the smallest max-size value first and the
1162 ones with no max-size specification last.
1164 Note for coss, max-size must be less than COSS_MEMBUF_SZ,
1165 which can be changed with the --with-coss-membuf-size=N configure
1168 The null store type:
1170 no options are allowed or required
1176 LOC: Config.Log.logformats
1181 logformat <name> <format specification>
1183 Defines an access log format.
1185 The <format specification> is a string with embedded % format codes
1187 % format codes all follow the same basic structure where all but
1188 the formatcode is optional. Output strings are automatically escaped
1189 as required according to their context and the output format
1190 modifiers are usually not needed, but can be specified if an explicit
1191 output format is desired.
1193 % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
1195 " output in quoted string format
1196 [ output in squid text log format as used by log_mime_hdrs
1197 # output in URL quoted format
1201 width field width. If starting with 0 the
1202 output is zero padded
1203 {arg} argument such as header name etc
1207 >a Client source IP address
1209 <A Server IP address or peer name
1210 la Local IP address (http_port)
1211 lp Local port number (http_port)
1212 ts Seconds since epoch
1213 tu subsecond time (milliseconds)
1214 tl Local time. Optional strftime format argument
1215 default %d/%b/%Y:%H:%M:S %z
1216 tg GMT time. Optional strftime format argument
1217 default %d/%b/%Y:%H:%M:S %z
1218 tr Response time (milliseconds)
1219 >h Request header. Optional header name argument
1220 on the format header[:[separator]element]
1221 <h Reply header. Optional header name argument
1226 ue User from external acl
1228 Ss Squid request status (TCP_MISS etc)
1229 Sh Squid hierarchy status (DEFAULT_PARENT etc)
1230 mt MIME content type
1231 rm Request method (GET/POST etc)
1233 rv Request protocol version
1234 et Tag returned by external acl
1235 ea Log string returned by external acl
1236 <st Reply size including HTTP headers
1237 <sH Reply high offset sent
1238 <sS Upstream object size
1239 % a literal % character
1241 logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
1242 logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
1243 logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
1244 logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
1247 NAME: access_log cache_access_log
1249 LOC: Config.Log.accesslogs
1251 DEFAULT_IF_NONE: @DEFAULT_ACCESS_LOG@
1253 These files log client request activities. Has a line every HTTP or
1254 ICP request. The format is:
1255 access_log <filepath> [<logformat name> [acl acl ...]]
1256 access_log none [acl acl ...]]
1258 Will log to the specified file using the specified format (which
1259 must be defined in a logformat directive) those entries which match
1260 ALL the acl's specified (which must be defined in acl clauses).
1261 If no acl is specified, all requests will be logged to this file.
1263 To disable logging of a request use the filepath "none", in which case
1264 a logformat name should not be specified.
1266 To log the request via syslog specify a filepath of "syslog":
1268 access_log syslog[:facility|priority] [format [acl1 [acl2 ....]]]
1269 where facility could be any of:
1270 LOG_AUTHPRIV, LOG_DAEMON, LOG_LOCAL0 .. LOG_LOCAL7 or LOG_USER.
1272 And priority could be any of:
1273 LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG.
1279 DEFAULT: @DEFAULT_CACHE_LOG@
1282 Cache logging file. This is where general information about
1283 your cache's behavior goes. You can increase the amount of data
1284 logged to this file with the "debug_options" tag below.
1288 NAME: cache_store_log
1290 DEFAULT: @DEFAULT_STORE_LOG@
1291 LOC: Config.Log.store
1293 Logs the activities of the storage manager. Shows which
1294 objects are ejected from the cache, and which objects are
1295 saved and for how long. To disable, enter "none". There are
1296 not really utilities to analyze this data, so you can safely
1301 NAME: cache_swap_state cache_swap_log
1303 LOC: Config.Log.swap
1306 Location for the cache "swap.state" file. This index file holds
1307 the metadata of objects saved on disk. It is used to rebuild
1308 the cache during startup. Normally this file resides in each
1309 'cache_dir' directory, but you may specify an alternate
1310 pathname here. Note you must give a full filename, not just
1311 a directory. Since this is the index for the whole object
1312 list you CANNOT periodically rotate it!
1314 If %s can be used in the file name it will be replaced with a
1315 a representation of the cache_dir name where each / is replaced
1316 with '.'. This is needed to allow adding/removing cache_dir
1317 lines when cache_swap_log is being used.
1319 If have more than one 'cache_dir', and %s is not used in the name
1320 these swap logs will have names such as:
1326 The numbered extension (which is added automatically)
1327 corresponds to the order of the 'cache_dir' lines in this
1328 configuration file. If you change the order of the 'cache_dir'
1329 lines in this file, these log files will NOT correspond to
1330 the correct 'cache_dir' entry (unless you manually rename
1331 them). We recommend you do NOT use this option. It is
1332 better to keep these log files in each 'cache_dir' directory.
1336 NAME: emulate_httpd_log
1340 LOC: Config.onoff.common_log
1342 The Cache can emulate the log file format which many 'httpd'
1343 programs use. To disable/enable this emulation, set
1344 emulate_httpd_log to 'off' or 'on'. The default
1345 is to use the native log format since it includes useful
1346 information Squid-specific log analyzers use.
1349 NAME: log_ip_on_direct
1353 LOC: Config.onoff.log_ip_on_direct
1355 Log the destination IP address in the hierarchy log tag when going
1356 direct. Earlier Squid versions logged the hostname here. If you
1357 prefer the old way set this to off.
1362 DEFAULT: @DEFAULT_MIME_TABLE@
1363 LOC: Config.mimeTablePathname
1365 Pathname to Squid's MIME table. You shouldn't need to change
1366 this, but the default file contains examples and formatting
1367 information if you do.
1374 LOC: Config.onoff.log_mime_hdrs
1377 The Cache can record both the request and the response MIME
1378 headers for each HTTP transaction. The headers are encoded
1379 safely and will appear as two bracketed fields at the end of
1380 the access log (for either the native or httpd-emulated log
1381 formats). To enable this logging set log_mime_hdrs to 'on'.
1387 LOC: Config.Log.useragent
1389 IFDEF: USE_USERAGENT_LOG
1391 Squid will write the User-Agent field from HTTP requests
1392 to the filename specified here. By default useragent_log
1399 LOC: Config.Log.referer
1401 IFDEF: USE_REFERER_LOG
1403 Squid will write the Referer field from HTTP requests to the
1404 filename specified here. By default referer_log is disabled.
1410 DEFAULT: @DEFAULT_PID_FILE@
1411 LOC: Config.pidFilename
1413 A filename to write the process-id to. To disable, enter "none".
1420 LOC: Config.debugOptions
1422 Logging options are set as section,level where each source file
1423 is assigned a unique section. Lower levels result in less
1424 output, Full debugging (level 9) can result in a very large
1425 log file, so be careful. The magic word "ALL" sets debugging
1426 levels for all sections. We recommend normally running with
1435 LOC: Config.onoff.log_fqdn
1437 Turn this on if you wish to log fully qualified domain names
1438 in the access.log. To do this Squid does a DNS lookup of all
1439 IP's connecting to it. This can (in some situations) increase
1440 latency, which makes your cache seem slower for interactive
1445 NAME: client_netmask
1447 LOC: Config.Addrs.client_netmask
1448 DEFAULT: 255.255.255.255
1450 A netmask for client addresses in logfiles and cachemgr output.
1451 Change this to protect the privacy of your cache clients.
1452 A netmask of 255.255.255.0 will log all IP's in that range with
1453 the last digit set to '0'.
1458 OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
1459 -----------------------------------------------------------------------------
1465 LOC: Config.Ftp.anon_user
1467 If you want the anonymous login password to be more informative
1468 (and enable the use of picky ftp servers), set this to something
1469 reasonable for your domain, like wwwuser@somewhere.net
1471 The reason why this is domainless by default is the
1472 request can be made on the behalf of a user in any domain,
1473 depending on how the cache is used.
1474 Some ftp server also validate the email address is valid
1475 (for example perl.com).
1478 NAME: ftp_list_width
1481 LOC: Config.Ftp.list_width
1483 Sets the width of ftp listings. This should be set to fit in
1484 the width of a standard browser. Setting this too small
1485 can cut off long filenames when browsing ftp sites.
1491 LOC: Config.Ftp.passive
1493 If your firewall does not allow Squid to use passive
1494 connections, turn off this option.
1497 NAME: ftp_sanitycheck
1500 LOC: Config.Ftp.sanitycheck
1502 For security and data integrity reasons Squid by default performs
1503 sanity checks of the addresses of FTP data connections ensure the
1504 data connection is to the requested server. If you need to allow
1505 FTP connections to servers using another IP address for the data
1506 connection turn this off.
1509 NAME: check_hostnames
1512 LOC: Config.onoff.check_hostnames
1514 For security and stability reasons Squid by default checks
1515 hostnames for Internet standard RFC compliance. If you do not want
1516 Squid to perform these checks turn this directive off.
1519 NAME: ftp_telnet_protocol
1522 LOC: Config.Ftp.telnet
1524 The FTP protocol is officially defined to use the telnet protocol
1525 as transport channel for the control connection. However, many
1526 implementations are broken and does not respect this aspect of
1529 If you have trouble accessing files with ASCII code 255 in the
1530 path or similar problems involving this ASCII code you can
1531 try setting this directive to off. If that helps, report to the
1532 operator of the FTP server in question that their FTP server
1533 is broken and does not follow the FTP standard.
1536 NAME: cache_dns_program
1538 IFDEF: USE_DNSSERVERS
1539 DEFAULT: @DEFAULT_DNSSERVER@
1540 LOC: Config.Program.dnsserver
1542 Specify the location of the executable for dnslookup process.
1547 IFDEF: USE_DNSSERVERS
1549 LOC: Config.dnsChildren
1551 The number of processes spawn to service DNS name lookups.
1552 For heavily loaded caches on large servers, you should
1553 probably increase this value to at least 10. The maximum
1554 is 32. The default is 5.
1556 You must have at least one dnsserver process.
1559 NAME: dns_retransmit_interval
1562 LOC: Config.Timeout.idns_retransmit
1563 IFDEF: !USE_DNSSERVERS
1565 Initial retransmit interval for DNS queries. The interval is
1566 doubled each time all configured DNS servers have been tried.
1573 LOC: Config.Timeout.idns_query
1574 IFDEF: !USE_DNSSERVERS
1576 DNS Query timeout. If no response is received to a DNS query
1577 within this time all DNS servers for the queried domain
1578 are assumed to be unavailable.
1585 LOC: Config.onoff.res_defnames
1587 Normally the RES_DEFNAMES resolver option is disabled
1588 (see res_init(3)). This prevents caches in a hierarchy
1589 from interpreting single-component hostnames locally. To allow
1590 Squid to handle single-component names, enable this option.
1593 NAME: dns_nameservers
1596 LOC: Config.dns_nameservers
1598 Use this if you want to specify a list of DNS name servers
1599 (IP addresses) to use instead of those given in your
1600 /etc/resolv.conf file.
1601 On Windows platforms, if no value is specified here or in
1602 the /etc/resolv.conf file, the list of DNS name servers are
1603 taken from the Windows registry, both static and dynamic DHCP
1604 configurations are supported.
1606 Example: dns_nameservers 10.0.0.1 192.172.0.4
1611 DEFAULT: @DEFAULT_HOSTS@
1612 LOC: Config.etcHostsPath
1614 Location of the host-local IP name-address associations
1615 database. Most Operating Systems have such a file on different
1617 - Un*X & Linux: /etc/hosts
1618 - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
1619 (%SystemRoot% value install default is c:\winnt)
1620 - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
1621 (%SystemRoot% value install default is c:\windows)
1622 - Windows 9x/Me: %windir%\hosts
1623 (%windir% value is usually c:\windows)
1624 - Cygwin: /etc/hosts
1626 The file contains newline-separated definitions, in the
1627 form ip_address_in_dotted_form name [name ...] names are
1628 whitespace-separated. Lines beginning with an hash (#)
1629 character are comments.
1631 The file is checked at startup and upon configuration.
1632 If set to 'none', it won't be checked.
1633 If append_domain is used, that domain will be added to
1634 domain-local (i.e. not containing any dot character) host
1640 DEFAULT: @DEFAULT_DISKD@
1641 LOC: Config.Program.diskd
1643 Specify the location of the diskd executable.
1644 Note this is only useful if you have compiled in
1645 diskd as one of the store io modules.
1648 NAME: unlinkd_program
1651 DEFAULT: @DEFAULT_UNLINKD@
1652 LOC: Config.Program.unlinkd
1654 Specify the location of the executable for file deletion process.
1657 NAME: pinger_program
1659 DEFAULT: @DEFAULT_PINGER@
1660 LOC: Config.Program.pinger
1663 Specify the location of the executable for the pinger process.
1667 NAME: url_rewrite_program redirect_program
1669 LOC: Config.Program.redirect
1672 Specify the location of the executable for the URL redirector.
1673 Since they can perform almost any function there isn't one included.
1674 See the FAQ (section 15) for information on how to write one.
1675 By default, a redirector is not used.
1679 NAME: url_rewrite_children redirect_children
1682 LOC: Config.redirectChildren
1684 The number of redirector processes to spawn. If you start
1685 too few Squid will have to wait for them to process a backlog of
1686 URLs, slowing it down. If you start too many they will use RAM
1687 and other system resources.
1690 NAME: url_rewrite_concurrency redirect_concurrency
1693 LOC: Config.redirectConcurrency
1695 The number of requests each redirector helper can handle in
1696 parallell. Defaults to 0 which indicates the redirector
1697 is a old-style singlethreaded redirector.
1700 NAME: url_rewrite_host_header redirect_rewrites_host_header
1703 LOC: Config.onoff.redir_rewrites_host
1705 By default Squid rewrites any Host: header in redirected
1706 requests. If you are running an accelerator this may
1707 not be a wanted effect of a redirector.
1709 WARNING: Entries are cached on the result of the URL rewriting
1710 process, so be careful if you have domain-virtual hosts.
1713 NAME: redirector_access
1716 LOC: Config.accessList.redirector
1718 If defined, this access list specifies which requests are
1719 sent to the redirector processes. By default all requests
1725 LOC: Config.authConfiguration
1728 This is used to pass parameters to the various authentication
1730 format: auth_param scheme parameter [setting]
1732 auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
1733 would tell the basic authentication scheme it's program parameter.
1735 The order authentication prompts are presented to the client_agent
1736 is dependent on the order the scheme first appears in config file.
1737 IE has a bug (it's not rfc 2617 compliant) in that it will use the basic
1738 scheme if basic is the first entry presented, even if more secure schemes
1739 are presented. For now use the order in the file below. If other browsers
1740 have difficulties (don't recognize the schemes offered even if you are using
1741 basic) either put basic first, or disable the other schemes (by commenting
1742 out their program entry).
1744 Once an authentication scheme is fully configured, it can only be shutdown
1745 by shutting squid down and restarting. Changes can be made on the fly and
1746 activated with a reconfigure. I.E. You can change to a different helper,
1747 but not unconfigure the helper completely.
1749 === Parameters for the basic scheme follow. ===
1752 Specify the command for the external authenticator. Such a
1753 program reads a line containing "username password" and replies
1754 "ERR" in an endless loop. "ERR" responses may optionally be followed
1755 by a error description available as %m in the returned error page.
1756 If you use an authenticator, make sure you have 1 acl of type proxy_auth.
1757 By default, the basic authentication scheme is not used unless a program
1760 If you want to use the traditional proxy authentication,
1761 jump over to the ../helpers/basic_auth/NCSA directory and
1766 Then, set this line to something like
1768 auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
1770 "children" numberofchildren
1771 The number of authenticator processes to spawn (no default).
1772 If you start too few Squid will have to wait for them to
1773 process a backlog of usercode/password verifications, slowing
1774 it down. When password verifications are done via a (slow)
1775 network you are likely to need lots of authenticator
1777 auth_param basic children 5
1779 "concurrency" concurrency
1780 The number of concurrent requests the helper can process.
1781 The default of 0 is used for helpers who only supports
1782 one request at a time.
1783 auth_param basic concurrency 0
1786 Specifies the realm name which is to be reported to the
1787 client for the basic proxy authentication scheme (part of
1788 the text the user will see when prompted their username and
1789 password). There is no default.
1790 auth_param basic realm Squid proxy-caching web server
1792 "credentialsttl" timetolive
1793 Specifies how long squid assumes an externally validated
1794 username:password pair is valid for - in other words how
1795 often the helper program is called for that user. Set this
1796 low to force revalidation with short lived passwords. Note
1797 setting this high does not impact your susceptibility
1798 to replay attacks unless you are using an one-time password
1799 system (such as SecureID). If you are using such a system,
1800 you will be vulnerable to replay attacks unless you also
1801 use the max_user_ip ACL in an http_access rule.
1803 "casesensitive" on|off
1804 Specifies if usernames are case sensitive. Most user databases are
1805 case insensitive allowing the same username to be spelled using both
1806 lower and upper case letters, but some are case sensitive. This
1807 makes a big difference for user_max_ip ACL processing and similar.
1808 auth_param basic casesensitive off
1810 === Parameters for the digest scheme follow ===
1813 Specify the command for the external authenticator. Such
1814 a program reads a line containing "username":"realm" and
1815 replies with the appropriate H(A1) value base64 encoded or
1816 ERR if the user (or his H(A1) hash) does not exists.
1817 See rfc 2616 for the definition of H(A1).
1818 "ERR" responses may optionally be followed by a error description
1819 available as %m in the returned error page.
1821 By default, the digest authentication is not used unless a
1822 program is specified.
1824 If you want to use a digest authenticator, jump over to the
1825 helpers/digest_auth/ directory and choose the authenticator
1826 to use. In it's directory type
1830 Then, set this line to something like
1832 auth_param digest program @DEFAULT_PREFIX@/bin/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass
1835 "children" numberofchildren
1836 The number of authenticator processes to spawn (no default).
1837 If you start too few Squid will have to wait for them to
1838 process a backlog of H(A1) calculations, slowing it down.
1839 When the H(A1) calculations are done via a (slow) network
1840 you are likely to need lots of authenticator processes.
1841 auth_param digest children 5
1844 Specifies the realm name which is to be reported to the
1845 client for the digest proxy authentication scheme (part of
1846 the text the user will see when prompted their username and
1847 password). There is no default.
1848 auth_param digest realm Squid proxy-caching web server
1850 "nonce_garbage_interval" timeinterval
1851 Specifies the interval that nonces that have been issued
1852 to client_agent's are checked for validity.
1854 "nonce_max_duration" timeinterval
1855 Specifies the maximum length of time a given nonce will be
1858 "nonce_max_count" number
1859 Specifies the maximum number of times a given nonce can be
1862 "nonce_strictness" on|off
1863 Determines if squid requires strict increment-by-1 behavior
1864 for nonce counts, or just incrementing (off - for use when
1865 useragents generate nonce counts that occasionally miss 1
1866 (ie, 1,2,4,6)). Default off.
1868 "check_nonce_count" on|off
1869 This directive if set to off can disable the nonce count check
1870 completely to work around buggy digest qop implementations in
1871 certain mainstream browser versions. Default on to check the
1872 nonce count to protect from authentication replay attacks.
1874 "post_workaround" on|off
1875 This is a workaround to certain buggy browsers who sends
1876 an incorrect request digest in POST requests when reusing
1877 the same nonce as acquired earlier on a GET request.
1879 === NTLM scheme options follow ===
1882 Specify the command for the external NTLM authenticator.
1883 Such a program reads exchanged NTLMSSP packets with
1884 the browser via Squid until authentication is completed.
1885 If you use an NTLM authenticator, make sure you have 1 acl
1886 of type proxy_auth. By default, the NTLM authenticator_program
1889 auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
1891 "children" numberofchildren
1892 The number of authenticator processes to spawn (no default).
1893 If you start too few Squid will have to wait for them to
1894 process a backlog of credential verifications, slowing it
1895 down. When credential verifications are done via a (slow)
1896 network you are likely to need lots of authenticator
1899 auth_param ntlm children 5
1902 If you experience problems with PUT/POST requests when using the
1903 Negotiate authentication scheme then you can try setting this to
1904 off. This will cause Squid to forcibly close the connection on
1905 the initial requests where the browser asks which schemes are
1906 supported by the proxy.
1908 auth_param ntlm keep_alive on
1910 === Options for configuring the NEGOTIATE auth-scheme follow ===
1913 Specify the command for the external Negotiate authenticator.
1914 This protocol is used in Microsoft Active-Directory enabled setups with
1915 the Microsoft Internet Explorer or Mozilla Firefox browsers.
1916 Its main purpose is to exchange credentials with the Squid proxy
1917 using the Kerberos mechanisms.
1918 If you use a Negotiate authenticator, make sure you have at least one acl
1919 of type proxy_auth active. By default, the negotiate authenticator_program
1921 The only supported program for this role is the ntlm_auth
1922 program distributed as part of Samba, version 4 or later.
1924 auth_param negotiate program @DEFAULT_PREFIX@/bin/ntlm_auth --helper-protocol=gss-spnego
1926 "children" numberofchildren
1927 The number of authenticator processes to spawn (no default).
1928 If you start too few Squid will have to wait for them to
1929 process a backlog of credential verifications, slowing it
1930 down. When crendential verifications are done via a (slow)
1931 network you are likely to need lots of authenticator
1933 auth_param negotiate children 5
1936 If you experience problems with PUT/POST requests when using the
1937 Negotiate authentication scheme then you can try setting this to
1938 off. This will cause Squid to forcibly close the connection on
1939 the initial requests where the browser asks which schemes are
1940 supported by the proxy.
1942 auth_param negotiate keep_alive on
1945 #Recommended minimum configuration per scheme:
1946 #auth_param negotiate program <uncomment and complete this line to activate>
1947 #auth_param negotiate children 5
1948 #auth_param negotiate keep_alive on
1949 #auth_param ntlm program <uncomment and complete this line to activate>
1950 #auth_param ntlm children 5
1951 #auth_param ntlm keep_alive on
1952 #auth_param digest program <uncomment and complete this line>
1953 #auth_param digest children 5
1954 #auth_param digest realm Squid proxy-caching web server
1955 #auth_param digest nonce_garbage_interval 5 minutes
1956 #auth_param digest nonce_max_duration 30 minutes
1957 #auth_param digest nonce_max_count 50
1958 #auth_param basic program <uncomment and complete this line>
1959 #auth_param basic children 5
1960 #auth_param basic realm Squid proxy-caching web server
1961 #auth_param basic credentialsttl 2 hours
1965 NAME: authenticate_cache_garbage_interval
1968 LOC: Config.authenticateGCInterval
1970 The time period between garbage collection across the
1971 username cache. This is a tradeoff between memory utilization
1972 (long intervals - say 2 days) and CPU (short intervals -
1973 say 1 minute). Only change if you have good reason to.
1976 NAME: authenticate_ttl
1979 LOC: Config.authenticateTTL
1981 The time a user & their credentials stay in the logged in
1982 user cache since their last request. When the garbage
1983 interval passes, all user credentials that have passed their
1984 TTL are removed from memory.
1987 NAME: authenticate_ip_ttl
1989 LOC: Config.authenticateIpTTL
1992 If you use proxy authentication and the 'max_user_ip' ACL,
1993 this directive controls how long Squid remembers the IP
1994 addresses associated with each user. Use a small value
1995 (e.g., 60 seconds) if your users might change addresses
1996 quickly, as is the case with dialups. You might be safe
1997 using a larger value (e.g., 2 hours) in a corporate LAN
1998 environment with relatively static address assignments.
2001 NAME: external_acl_type
2002 TYPE: externalAclHelper
2003 LOC: Config.externalAclHelperList
2006 This option defines external acl classes using a helper program
2007 to look up the status
2009 external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
2013 ttl=n TTL in seconds for cached results (defaults to 3600
2016 TTL for cached negative lookups (default same
2018 children=n Number of acl helper processes spawn to service
2019 external acl lookups of this type.
2020 concurrency=n concurrency level per process. Use 0 for old style
2021 helpers who can only process a single request at a
2023 cache=n result cache size, 0 is unbounded (default)
2024 grace=n Percentage remaining of TTL where a refresh of a
2025 cached entry should be initiated without needing to
2026 wait for a new reply. (default 0 for no grace period)
2027 protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
2029 FORMAT specifications
2031 %LOGIN Authenticated user login name
2032 %EXT_USER Username from external acl
2033 %IDENT Ident user name
2035 %SRCPORT Client source port
2037 %PROTO Requested protocol
2038 %PORT Requested port
2039 %PATH Requested URL path
2040 %METHOD Request method
2041 %MYADDR Squid interface address
2042 %MYPORT Squid http_port number
2043 %USER_CERT SSL User certificate in PEM format
2044 %USER_CERTCHAIN SSL User certificate chain in PEM format
2045 %USER_CERT_xx SSL User certificate subject attribute xx
2046 %USER_CA_xx SSL User certificate issuer attribute xx
2047 %{Header} HTTP request header
2048 %{Hdr:member} HTTP request header list member
2050 HTTP request header list member using ; as
2051 list separator. ; can be any non-alphanumeric
2054 In addition, any string specified in the referencing acl will
2055 also be included in the helper request line, after the specified
2056 formats (see the "acl external" directive)
2058 The helper receives lines per the above format specification,
2059 and returns lines starting with OK or ERR indicating the validity
2060 of the request and optionally followed by additional keywords with
2061 more details. To protect from odd characters the data is URL
2064 General result syntax:
2066 OK/ERR keyword=value ...
2070 user= The users name (login)
2071 password= The users password (for login= cache_peer option)
2072 message= Message describing the reason. Available as %o
2074 tag= Apply a tag to a request (for both ERR and OK results)
2075 Only sets a tag, does not alter existing tags.
2076 log= String to be logged in access.log. Available as
2077 %ea in logformat specifications
2079 Keyword values need to be URL escaped if they may contain
2080 contain whitespace or quotes.
2082 In Squid-2.5 compatibility mode quoting using " and \ is used
2083 instead of URL escaping.
2087 OPTIONS FOR TUNING THE CACHE
2088 -----------------------------------------------------------------------------
2091 NAME: wais_relay_host
2094 LOC: Config.Wais.relayHost
2097 NAME: wais_relay_port
2100 LOC: Config.Wais.relayPort
2102 Relay WAIS request to host (1st arg) at port (2 arg).
2106 NAME: request_header_max_size
2110 LOC: Config.maxRequestHeaderSize
2112 This specifies the maximum size for HTTP headers in a request.
2113 Request headers are usually relatively small (about 512 bytes).
2114 Placing a limit on the request header size will catch certain
2115 bugs (for example with persistent connections) and possibly
2116 buffer-overflow or denial-of-service attacks.
2119 NAME: request_body_max_size
2123 LOC: Config.maxRequestBodySize
2125 This specifies the maximum size for an HTTP request body.
2126 In other words, the maximum size of a PUT/POST request.
2127 A user who attempts to send a request with a body larger
2128 than this limit receives an "Invalid Request" error message.
2129 If you set this parameter to a zero (the default), there will
2130 be no limit imposed.
2133 NAME: refresh_pattern
2134 TYPE: refreshpattern
2138 usage: refresh_pattern [-i] regex min percent max [options]
2140 By default, regular expressions are CASE-SENSITIVE. To make
2141 them case-insensitive, use the -i option.
2143 'Min' is the time (in minutes) an object without an explicit
2144 expiry time should be considered fresh. The recommended
2145 value is 0, any higher values may cause dynamic applications
2146 to be erroneously cached unless the application designer
2147 has taken the appropriate actions.
2149 'Percent' is a percentage of the objects age (time since last
2150 modification age) an object without explicit expiry time
2151 will be considered fresh.
2153 'Max' is an upper limit on how long objects without an explicit
2154 expiry time will be considered fresh.
2156 options: override-expire
2166 override-expire enforces min age even if the server
2167 sent a Expires: header. Doing this VIOLATES the HTTP
2168 standard. Enabling this feature could make you liable
2169 for problems which it causes.
2171 override-lastmod enforces min age even on objects
2172 that were modified recently.
2174 reload-into-ims changes client no-cache or ``reload''
2175 to If-Modified-Since requests. Doing this VIOLATES the
2176 HTTP standard. Enabling this feature could make you
2177 liable for problems which it causes.
2179 ignore-reload ignores a client no-cache or ``reload''
2180 header. Doing this VIOLATES the HTTP standard. Enabling
2181 this feature could make you liable for problems which
2184 ignore-no-cache ignores any ``Pragma: no-cache'' and
2185 ``Cache-control: no-cache'' headers received from a server.
2186 The HTTP RFC never allows the use of this (Pragma) header
2187 from a server, only a client, though plenty of servers
2190 ignore-no-store ignores any ``Cache-control: no-store''
2191 headers received from a server. Doing this VIOLATES
2192 the HTTP standard. Enabling this feature could make you
2193 liable for problems which it causes.
2195 ignore-private ignores any ``Cache-control: private''
2196 headers received from a server. Doing this VIOLATES
2197 the HTTP standard. Enabling this feature could make you
2198 liable for problems which it causes.
2200 ignore-auth caches responses to requests with authorization,
2201 irrespective of ``Cache-control'' headers received from
2202 a server. Doing this VIOLATES the HTTP standard. Enabling
2203 this feature could make you liable for problems which
2206 refresh-ims causes squid to contact the origin server
2207 when a client issues an If-Modified-Since request. This
2208 ensures that the client will receive an updated version
2209 if one is available.
2211 Basically a cached object is:
2213 FRESH if expires < now, else STALE
2215 FRESH if lm-factor < percent, else STALE
2219 The refresh_pattern lines are checked in the order listed here.
2220 The first entry which matches is used. If none of the entries
2221 match the default will be used.
2223 Note, you must uncomment all the default lines if you want
2224 to change one. The default setting is only active if none is
2229 refresh_pattern ^ftp: 1440 20% 10080
2230 refresh_pattern ^gopher: 1440 0% 1440
2231 refresh_pattern . 0 20% 4320
2235 NAME: quick_abort_min
2239 LOC: Config.quickAbort.min
2242 NAME: quick_abort_max
2246 LOC: Config.quickAbort.max
2249 NAME: quick_abort_pct
2253 LOC: Config.quickAbort.pct
2255 The cache by default continues downloading aborted requests
2256 which are almost completed (less than 16 KB remaining). This
2257 may be undesirable on slow (e.g. SLIP) links and/or very busy
2258 caches. Impatient users may tie up file descriptors and
2259 bandwidth by repeatedly requesting and immediately aborting
2262 When the user aborts a request, Squid will check the
2263 quick_abort values to the amount of data transfered until
2266 If the transfer has less than 'quick_abort_min' KB remaining,
2267 it will finish the retrieval.
2269 If the transfer has more than 'quick_abort_max' KB remaining,
2270 it will abort the retrieval.
2272 If more than 'quick_abort_pct' of the transfer has completed,
2273 it will finish the retrieval.
2275 If you do not want any retrieval to continue after the client
2276 has aborted, set both 'quick_abort_min' and 'quick_abort_max'
2279 If you want retrievals to always continue if they are being
2280 cached set 'quick_abort_min' to '-1 KB'.
2283 NAME: read_ahead_gap
2284 COMMENT: buffer-size
2286 LOC: Config.readAheadGap
2289 The amount of data the cache will buffer ahead of what has been
2290 sent to the client when retrieving an object from another server.
2296 LOC: Config.negativeTtl
2299 Time-to-Live (TTL) for failed requests. Certain types of
2300 failures (such as "connection refused" and "404 Not Found") are
2301 negatively-cached for a configurable amount of time. The
2302 default is 5 minutes. Note that this is different from
2303 negative caching of DNS lookups.
2307 NAME: positive_dns_ttl
2310 LOC: Config.positiveDnsTtl
2313 Time-to-Live (TTL) for positive caching of successful DNS lookups.
2314 Default is 6 hours (360 minutes). If you want to minimize the
2315 use of Squid's ipcache, set this to 1, not 0.
2319 NAME: negative_dns_ttl
2322 LOC: Config.negativeDnsTtl
2325 Time-to-Live (TTL) for negative caching of failed DNS lookups.
2328 NAME: range_offset_limit
2331 LOC: Config.rangeOffsetLimit
2334 Sets a upper limit on how far into the the file a Range request
2335 may be to cause Squid to prefetch the whole file. If beyond this
2336 limit Squid forwards the Range request as it is and the result
2339 This is to stop a far ahead range request (lets say start at 17MB)
2340 from making Squid fetch the whole object up to that point before
2341 sending anything to the client.
2343 A value of -1 causes Squid to always fetch the object from the
2344 beginning so it may cache the result. (2.0 style)
2346 A value of 0 causes Squid to never fetch more than the
2347 client requested. (default)
2353 -----------------------------------------------------------------------------
2356 NAME: forward_timeout
2359 LOC: Config.Timeout.forward
2362 This parameter specifies how long Squid should at most attempt in
2363 finding a forwarding path for the request before giving up.
2366 NAME: connect_timeout
2369 LOC: Config.Timeout.connect
2372 This parameter specifies how long to wait for the TCP connect to
2373 the requested server or peer to complete before Squid should
2374 attempt to find another path where to forward the request.
2377 NAME: peer_connect_timeout
2380 LOC: Config.Timeout.peer_connect
2383 This parameter specifies how long to wait for a pending TCP
2384 connection to a peer cache. The default is 30 seconds. You
2385 may also set different timeout values for individual neighbors
2386 with the 'connect-timeout' option on a 'cache_peer' line.
2392 LOC: Config.Timeout.read
2395 The read_timeout is applied on server-side connections. After
2396 each successful read(), the timeout will be extended by this
2397 amount. If no data is read again after this amount of time,
2398 the request is aborted and logged with ERR_READ_TIMEOUT. The
2399 default is 15 minutes.
2403 NAME: request_timeout
2405 LOC: Config.Timeout.request
2408 How long to wait for an HTTP request after initial
2409 connection establishment.
2413 NAME: persistent_request_timeout
2415 LOC: Config.Timeout.persistent_request
2418 How long to wait for the next HTTP request on a persistent
2419 connection after the previous request completes.
2423 NAME: client_lifetime
2426 LOC: Config.Timeout.lifetime
2429 The maximum amount of time a client (browser) is allowed to
2430 remain connected to the cache process. This protects the Cache
2431 from having a lot of sockets (and hence file descriptors) tied up
2432 in a CLOSE_WAIT state from remote clients that go away without
2433 properly shutting down (either because of a network failure or
2434 because of a poor client implementation). The default is one
2437 NOTE: The default value is intended to be much larger than any
2438 client would ever need to be connected to your cache. You
2439 should probably change client_lifetime only as a last resort.
2440 If you seem to have many client connections tying up
2441 filedescriptors, we recommend first tuning the read_timeout,
2442 request_timeout, persistent_request_timeout and quick_abort values.
2445 NAME: half_closed_clients
2447 LOC: Config.onoff.half_closed_clients
2450 Some clients may shutdown the sending side of their TCP
2451 connections, while leaving their receiving sides open. Sometimes,
2452 Squid can not tell the difference between a half-closed and a
2453 fully-closed TCP connection. By default, half-closed client
2454 connections are kept open until a read(2) or write(2) on the
2455 socket returns an error. Change this option to 'off' and Squid
2456 will immediately close client connections when read(2) returns
2457 "no more data to read."
2462 LOC: Config.Timeout.pconn
2463 DEFAULT: 120 seconds
2465 Timeout for idle persistent connections to servers and other
2472 LOC: Config.Timeout.ident
2475 Maximum time to wait for IDENT lookups to complete.
2477 If this is too high, and you enabled IDENT lookups from untrusted
2478 users, you might be susceptible to denial-of-service by having
2479 many ident requests going at once.
2483 NAME: shutdown_lifetime
2486 LOC: Config.shutdownLifetime
2489 When SIGTERM or SIGHUP is received, the cache is put into
2490 "shutdown pending" mode until all active sockets are closed.
2491 This value is the lifetime to set for all open descriptors
2492 during shutdown mode. Any active clients after this many
2493 seconds will receive a 'timeout' message.
2498 -----------------------------------------------------------------------------
2506 Defining an Access List
2508 acl aclname acltype string1 ...
2509 acl aclname acltype "file" ...
2511 when using "file", the file should contain one item per line
2513 acltype is one of the types described below
2515 By default, regular expressions are CASE-SENSITIVE. To make
2516 them case-insensitive, use the -i option.
2518 acl aclname src ip-address/netmask ... (clients IP address)
2519 acl aclname src addr1-addr2/netmask ... (range of addresses)
2520 acl aclname dst ip-address/netmask ... (URL host's IP address)
2521 acl aclname myip ip-address/netmask ... (local socket IP address)
2523 acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
2524 # The arp ACL requires the special configure option --enable-arp-acl.
2525 # Furthermore, the ARP ACL code is not portable to all operating systems.
2526 # It works on Linux, Solaris, Windows, FreeBSD, and some other *BSD variants.
2528 # NOTE: Squid can only determine the MAC address for clients that are on
2529 # the same subnet. If the client is on a different subnet, then Squid cannot
2530 # find out its MAC address.
2532 acl aclname srcdomain .foo.com ... # reverse lookup, client IP
2533 acl aclname dstdomain .foo.com ... # Destination server from URL
2534 acl aclname srcdom_regex [-i] xxx ... # regex matching client name
2535 acl aclname dstdom_regex [-i] xxx ... # regex matching server
2536 # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
2537 # based URL is used and no match is found. The name "none" is used
2538 # if the reverse lookup fails.
2540 acl aclname http_status 200 301 500- 400-403 ... # status code in reply
2542 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
2551 h1:m1 must be less than h2:m2
2552 acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
2553 acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
2554 acl aclname port 80 70 21 ...
2555 acl aclname port 0-1024 ... # ranges allowed
2556 acl aclname myport 3128 ... # (local socket TCP port)
2557 acl aclname proto HTTP FTP ...
2558 acl aclname method GET POST ...
2559 acl aclname browser [-i] regexp ...
2560 # pattern match on User-Agent header (see also req_header below)
2561 acl aclname referer_regex [-i] regexp ...
2562 # pattern match on Referer header
2563 # Referer is highly unreliable, so use with care
2564 acl aclname ident username ...
2565 acl aclname ident_regex [-i] pattern ...
2566 # string match on ident output.
2567 # use REQUIRED to accept any non-null ident.
2568 acl aclname src_as number ...
2569 acl aclname dst_as number ...
2570 # Except for access control, AS numbers can be used for
2571 # routing of requests to specific caches. Here's an
2572 # example for routing all requests for AS#1241 and only
2573 # those to mycache.mydomain.net:
2574 # acl asexample dst_as 1241
2575 # cache_peer_access mycache.mydomain.net allow asexample
2576 # cache_peer_access mycache_mydomain.net deny all
2578 acl aclname proxy_auth [-i] username ...
2579 acl aclname proxy_auth_regex [-i] pattern ...
2580 # list of valid usernames
2581 # use REQUIRED to accept any valid username.
2583 # NOTE: when a Proxy-Authentication header is sent but it is not
2584 # needed during ACL checking the username is NOT logged
2587 # NOTE: proxy_auth requires a EXTERNAL authentication program
2588 # to check username/password combinations (see
2589 # auth_param directive).
2591 # NOTE: proxy_auth can't be used in a transparent proxy as
2592 # the browser needs to be configured for using a proxy in order
2593 # to respond to proxy authentication.
2595 acl aclname snmp_community string ...
2596 # A community string to limit access to your SNMP Agent
2599 # acl snmppublic snmp_community public
2601 acl aclname maxconn number
2602 # This will be matched when the client's IP address has
2603 # more than <number> HTTP connections established.
2605 acl aclname max_user_ip [-s] number
2606 # This will be matched when the user attempts to log in from more
2607 # than <number> different ip addresses. The authenticate_ip_ttl
2608 # parameter controls the timeout on the ip entries.
2609 # If -s is specified the limit is strict, denying browsing
2610 # from any further IP addresses until the ttl has expired. Without
2611 # -s Squid will just annoy the user by "randomly" denying requests.
2612 # (the counter is reset each time the limit is reached and a
2613 # request is denied)
2614 # NOTE: in acceleration mode or where there is mesh of child proxies,
2615 # clients may appear to come from multiple addresses if they are
2616 # going through proxy farms, so a limit of 1 may cause user problems.
2618 acl aclname req_mime_type mime-type1 ...
2619 # regex match agains the mime type of the request generated
2620 # by the client. Can be used to detect file upload or some
2621 # types HTTP tunneling requests.
2622 # NOTE: This does NOT match the reply. You cannot use this
2623 # to match the returned file type.
2625 acl aclname req_header header-name [-i] any\.regex\.here
2626 # regex match against any of the known request headers. May be
2627 # thought of as a superset of "browser", "referer" and "mime-type"
2630 acl aclname rep_mime_type mime-type1 ...
2631 # regex match against the mime type of the reply received by
2632 # squid. Can be used to detect file download or some
2633 # types HTTP tunneling requests.
2634 # NOTE: This has no effect in http_access rules. It only has
2635 # effect in rules that affect the reply data stream such as
2636 # http_reply_access.
2638 acl aclname req_header header-name [-i] any\.regex\.here
2639 # regex match against any of the known request headers. May be
2640 # thought of as a superset of "browser", "referer" and "mime-type"
2643 acl acl_name external class_name [arguments...]
2644 # external ACL lookup via a helper class defined by the
2645 # external_acl_type directive.
2647 acl aclname user_cert attribute values...
2648 # match against attributes in a user SSL certificate
2649 # attribute is one of DN/C/O/CN/L/ST
2651 acl aclname ca_cert attribute values...
2652 # match against attributes a users issuing CA SSL certificate
2653 # attribute is one of DN/C/O/CN/L/ST
2655 acl aclname ext_user username ...
2656 acl aclname ext_user_regex [-i] pattern ...
2657 # string match on username returned by external acl processing
2658 # use REQUIRED to accept any non-null user name.
2661 acl macaddress arp 09:00:2b:23:45:67
2662 acl myexample dst_as 1241
2663 acl password proxy_auth REQUIRED
2664 acl fileupload req_mime_type -i ^multipart/form-data$
2665 acl javascript rep_mime_type -i ^application/x-javascript$
2668 #Recommended minimum configuration:
2669 acl all src 0.0.0.0/0.0.0.0
2670 acl manager proto cache_object
2671 acl localhost src 127.0.0.1/255.255.255.255
2672 acl to_localhost dst 127.0.0.0/8
2673 acl SSL_ports port 443 563
2674 acl Safe_ports port 80 # http
2675 acl Safe_ports port 21 # ftp
2676 acl Safe_ports port 443 563 # https, snews
2677 acl Safe_ports port 70 # gopher
2678 acl Safe_ports port 210 # wais
2679 acl Safe_ports port 1025-65535 # unregistered ports
2680 acl Safe_ports port 280 # http-mgmt
2681 acl Safe_ports port 488 # gss-http
2682 acl Safe_ports port 591 # filemaker
2683 acl Safe_ports port 777 # multiling http
2684 acl CONNECT method CONNECT
2690 LOC: Config.accessList.http
2692 DEFAULT_IF_NONE: deny all
2694 Allowing or Denying access based on defined access lists
2696 Access to the HTTP port:
2697 http_access allow|deny [!]aclname ...
2699 NOTE on default values:
2701 If there are no "access" lines present, the default is to deny
2704 If none of the "access" lines cause a match, the default is the
2705 opposite of the last line in the list. If the last line was
2706 deny, the default is allow. Conversely, if the last line
2707 is allow, the default will be deny. For these reasons, it is a
2708 good idea to have an "deny all" or "allow all" entry at the end
2709 of your access lists to avoid potential confusion.
2712 #Recommended minimum configuration:
2714 # Only allow cachemgr access from localhost
2715 http_access allow manager localhost
2716 http_access deny manager
2717 # Deny requests to unknown ports
2718 http_access deny !Safe_ports
2719 # Deny CONNECT to other than SSL ports
2720 http_access deny CONNECT !SSL_ports
2722 # We strongly recommend the following be uncommented to protect innocent
2723 # web applications running on the proxy server who think the only
2724 # one who can access services on "localhost" is a local user
2725 #http_access deny to_localhost
2727 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
2729 # Example rule allowing access from your local networks. Adapt
2730 # to list your (internal) IP networks from where browsing should
2732 #acl our_networks src 192.168.1.0/24 192.168.2.0/24
2733 #http_access allow our_networks
2735 # And finally deny all other access to this proxy
2736 http_access deny all
2740 NAME: http_reply_access
2742 LOC: Config.accessList.reply
2744 DEFAULT_IF_NONE: allow all
2746 Allow replies to client requests. This is complementary to http_access.
2748 http_reply_access allow|deny [!] aclname ...
2750 NOTE: if there are no access lines present, the default is to allow
2753 If none of the access lines cause a match the opposite of the
2754 last line will apply. Thus it is good practice to end the rules
2755 with an "allow all" or "deny all" entry.
2758 #Recommended minimum configuration:
2760 # Insert your own rules here.
2763 # and finally allow by default
2764 http_reply_access allow all
2771 LOC: Config.accessList.icp
2773 DEFAULT_IF_NONE: deny all
2775 Allowing or Denying access to the ICP port based on defined
2778 icp_access allow|deny [!]aclname ...
2780 See http_access for details
2783 #Allow ICP queries from everyone
2784 icp_access allow all
2791 LOC: Config.accessList.miss
2794 Use to force your neighbors to use you as a sibling instead of
2795 a parent. For example:
2797 acl localclients src 172.16.0.0/16
2798 miss_access allow localclients
2799 miss_access deny !localclients
2801 This means only your local clients are allowed to fetch
2802 MISSES and all other clients can only fetch HITS.
2804 By default, allow all clients who passed the http_access rules
2805 to fetch MISSES from us.
2809 # miss_access allow all
2814 NAME: cache_peer_access
2819 Similar to 'cache_peer_domain' but provides more flexibility by
2822 cache_peer_access cache-host allow|deny [!]aclname ...
2824 The syntax is identical to 'http_access' and the other lists of
2825 ACL elements. See the comments for 'http_access' below, or
2826 the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
2829 NAME: ident_lookup_access
2833 DEFAULT_IF_NONE: deny all
2834 LOC: Config.accessList.identLookup
2836 A list of ACL elements which, if matched, cause an ident
2837 (RFC 931) lookup to be performed for this request. For
2838 example, you might choose to always perform ident lookups
2839 for your main multi-user Unix boxes, but not for your Macs
2840 and PCs. By default, ident lookups are not performed for
2843 To enable ident lookups for specific client addresses, you
2844 can follow this example:
2846 acl ident_aware_hosts src 198.168.1.0/255.255.255.0
2847 ident_lookup_access allow ident_aware_hosts
2848 ident_lookup_access deny all
2850 Only src type ACL checks are fully supported. A src_domain
2851 ACL might work at times, but it will not always provide
2855 NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
2858 LOC: Config.accessList.outgoing_tos
2860 Allows you to select a TOS/Diffserv value to mark outgoing
2861 connections with, based on the username or source address
2864 tcp_outgoing_tos ds-field [!]aclname ...
2866 Example where normal_service_net uses the TOS value 0x00
2867 and normal_service_net uses 0x20
2869 acl normal_service_net src 10.0.0.0/255.255.255.0
2870 acl good_service_net src 10.0.1.0/255.255.255.0
2871 tcp_outgoing_tos 0x00 normal_service_net 0x00
2872 tcp_outgoing_tos 0x20 good_service_net
2874 TOS/DSCP values really only have local significance - so you should
2875 know what you're specifying. For more, see RFC 2474
2877 The TOS/DSCP byte must be exactly that - a byte, value 0 - 255, or
2878 "default" to use whatever default your host has.
2880 Processing proceeds in the order specified, and stops at first fully
2884 NAME: tcp_outgoing_address
2887 LOC: Config.accessList.outgoing_address
2889 Allows you to map requests to different outgoing IP addresses
2890 based on the username or sourceaddress of the user making
2893 tcp_outgoing_address ipaddr [[!]aclname] ...
2895 Example where requests from 10.0.0.0/24 will be forwarded
2896 with source address 10.1.0.1, 10.0.2.0/24 forwarded with
2897 source address 10.1.0.2 and the rest will be forwarded with
2898 source address 10.1.0.3.
2900 acl normal_service_net src 10.0.0.0/255.255.255.0
2901 acl good_service_net src 10.0.1.0/255.255.255.0
2902 tcp_outgoing_address 10.0.0.1 normal_service_net
2903 tcp_outgoing_address 10.0.0.2 good_service_net
2904 tcp_outgoing_address 10.0.0.3
2906 Processing proceeds in the order specified, and stops at first fully
2910 NAME: reply_header_max_size
2914 LOC: Config.maxReplyHeaderSize
2916 This specifies the maximum size for HTTP headers in a reply.
2917 Reply headers are usually relatively small (about 512 bytes).
2918 Placing a limit on the reply header size will catch certain
2919 bugs (for example with persistent connections) and possibly
2920 buffer-overflow or denial-of-service attacks.
2923 NAME: reply_body_max_size
2924 COMMENT: size [acl acl...]
2927 LOC: Config.ReplyBodySize
2929 This option specifies the maximum size of a reply body. It can be
2930 used to prevent users from downloading very large files, such as
2931 MP3's and movies. When the reply headers are received, the
2932 reply_body_max_size lines are processed, and the first line where
2933 all (if any) listed ACLs are true is used as the maximum body size
2936 This size is checked twice. First when we get the reply headers,
2937 we check the content-length value. If the content length value exists
2938 and is larger than the allowed size, the request is denied and the
2939 user receives an error message that says "the request or reply
2940 is too large." If there is no content-length, and the reply
2941 size exceeds this limit, the client's connection is just closed
2942 and they will receive a partial reply.
2944 WARNING: downstream caches probably can not detect a partial reply
2945 if there is no content-length header, so they will cache
2946 partial responses and give them out as hits. You should NOT
2947 use this option if you have downstream caches.
2949 WARNING: A maximum size smaller than the size of squid's error messages
2950 will cause an infinite loop and crash squid. Ensure that the smallest
2951 non-zero value you use is greater that the maximum header size plus
2952 the size of your largest error page.
2954 If you set this parameter none (the default), there will be
2960 LOC: Config.accessList.log
2962 COMMENT: allow|deny acl acl...
2964 This options allows you to control which requests gets logged
2965 to access.log (see access_log directive). Requests denied for
2966 logging will also not be accounted for in performance counters.
2970 ADMINISTRATIVE PARAMETERS
2971 -----------------------------------------------------------------------------
2977 LOC: Config.adminEmail
2979 Email-address of local cache manager who will receive
2980 mail if the cache dies. The default is "webmaster."
2987 LOC: Config.EmailFrom
2989 From: email-address for mail sent when the cache dies.
2990 The default is to use 'appname@unique_hostname'.
2991 Default appname value is "squid", can be changed into
2992 src/globals.h before building squid.
2999 LOC: Config.EmailProgram
3001 Email program used to send mail if the cache dies.
3002 The default is "mail". The specified program must complain
3003 with the standard Unix mail syntax:
3004 mail_program recipient < mailfile
3005 Optional command line options can be specified.
3009 NAME: cache_effective_user
3012 LOC: Config.effectiveUser
3014 If you start Squid as root, it will change its effective/real
3015 UID/GID to the user specified below. The default is to change
3016 to UID to nobody. If you define cache_effective_user, but not
3017 cache_effective_group, Squid sets the GID to the effective
3018 user's default group ID (taken from the password file) and
3019 supplementary group list from the from groups membership of
3020 cache_effective_user.
3024 NAME: cache_effective_group
3027 LOC: Config.effectiveGroup
3029 If you want Squid to run with a specific GID regardless of
3030 the group memberships of the effective user then set this
3031 to the group (or GID) you want Squid to run as. When set
3032 all other group privileges of the effective user is ignored
3033 and only this GID is effective. If Squid is not started as
3034 root the user starting Squid must be member of the specified
3039 NAME: httpd_suppress_version_string
3043 LOC: Config.onoff.httpd_suppress_version_string
3045 Suppress Squid version string info in HTTP headers and HTML error pages.
3049 NAME: visible_hostname
3051 LOC: Config.visibleHostname
3054 If you want to present a special hostname in error messages, etc,
3055 define this. Otherwise, the return value of gethostname()
3056 will be used. If you have multiple caches in a cluster and
3057 get errors about IP-forwarding you must set them to have individual
3058 names with this setting.
3062 NAME: unique_hostname
3064 LOC: Config.uniqueHostname
3067 If you want to have multiple machines with the same
3068 'visible_hostname' you must give each machine a different
3069 'unique_hostname' so forwarding loops can be detected.
3073 NAME: hostname_aliases
3075 LOC: Config.hostnameAliases
3078 A list of other DNS names your cache has.
3082 OPTIONS FOR THE CACHE REGISTRATION SERVICE
3083 -----------------------------------------------------------------------------
3085 This section contains parameters for the (optional) cache
3086 announcement service. This service is provided to help
3087 cache administrators locate one another in order to join or
3088 create cache hierarchies.
3090 An 'announcement' message is sent (via UDP) to the registration
3091 service by Squid. By default, the announcement message is NOT
3092 SENT unless you enable it with 'announce_period' below.
3094 The announcement message includes your hostname, plus the
3095 following information from this configuration file:
3101 All current information is processed regularly and made
3102 available on the Web at http://www.ircache.net/Cache/Tracker/.
3105 NAME: announce_period
3107 LOC: Config.Announce.period
3110 This is how frequently to send cache announcements. The
3111 default is `0' which disables sending the announcement
3114 To enable announcing your cache, just uncomment the line
3118 #To enable announcing your cache, just uncomment the line below.
3119 #announce_period 1 day
3126 DEFAULT: tracker.ircache.net
3127 LOC: Config.Announce.host
3133 LOC: Config.Announce.file
3139 LOC: Config.Announce.port
3141 announce_host and announce_port set the hostname and port
3142 number where the registration message will be sent.
3144 Hostname will default to 'tracker.ircache.net' and port will
3145 default default to 3131. If the 'filename' argument is given,
3146 the contents of that file will be included in the announce
3150 NAME: httpd_accel_surrogate_id
3153 LOC: Config.Accel.surrogate_id
3156 Surrogates (http://www.esi.org/architecture_spec_1.0.html)
3157 need an identification token to allow control targeting. Because
3158 a farm of surrogates may all perform the same tasks, they may share
3159 an identification token.
3162 NAME: http_accel_surrogate_remote
3167 LOC: Config.onoff.surrogate_is_remote
3169 Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
3170 Set this to on to have squid behave as a remote surrogate.
3175 COMMENT: libxml2|expat|custom
3177 LOC: ESIParser::Type
3180 ESI markup is not strictly XML compatible. The custom ESI parser
3181 will give higher performance, but cannot handle non ASCII character
3187 -----------------------------------------------------------------------------
3192 LOC: Config.dns_testname_list
3194 DEFAULT_IF_NONE: netscape.com internic.net nlanr.net microsoft.com
3196 The DNS tests exit as soon as the first site is successfully looked up
3198 This test can be disabled with the -D command line option.
3202 NAME: logfile_rotate
3205 LOC: Config.Log.rotateNumber
3207 Specifies the number of logfile rotations to make when you
3208 type 'squid -k rotate'. The default is 10, which will rotate
3209 with extensions 0 through 9. Setting logfile_rotate to 0 will
3210 disable the file name rotation, but the logfiles are still closed
3211 and re-opened. This will enable you to rename the logfiles
3212 yourself just before sending the rotate signal.
3214 Note, the 'squid -k rotate' command normally sends a USR1
3215 signal to the running squid process. In certain situations
3216 (e.g. on Linux with Async I/O), USR1 is used for other
3217 purposes, so -k rotate uses another signal. It is best to get
3218 in the habit of using 'squid -k rotate' instead of 'kill -USR1
3225 LOC: Config.appendDomain
3228 Appends local domain name to hostnames without any dots in
3229 them. append_domain must begin with a period.
3231 Be warned there are now Internet names with no dots in
3232 them using only top-domain names, so setting this may
3233 cause some Internet sites to become unavailable.
3236 append_domain .yourdomain.com
3240 NAME: tcp_recv_bufsize
3244 LOC: Config.tcpRcvBufsz
3246 Size of receive buffer to set for TCP sockets. Probably just
3247 as easy to change your kernel's default. Set to zero to use
3248 the default buffer size.
3253 LOC: Config.errHtmlText
3256 HTML text to include in error messages. Make this a "mailto"
3257 URL to your admin address, or maybe just a link to your
3258 organizations Web page.
3260 To include this in your error messages, you must rewrite
3261 the error template files (found in the "errors" directory).
3262 Wherever you want the 'err_html_text' line to appear,
3263 insert a %L tag in the error template file.
3266 NAME: email_err_data
3269 LOC: Config.onoff.emailErrData
3272 If enabled, information about the occurred error will be
3273 included in the mailto links of the ERR pages (if %W is set)
3274 so that the email body contains the data.
3275 Syntax is <A HREF="mailto:%w%W">%w</A>
3281 LOC: Config.denyInfoList
3284 Usage: deny_info err_page_name acl
3285 or deny_info http://... acl
3286 Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
3288 This can be used to return a ERR_ page for requests which
3289 do not pass the 'http_access' rules. A single ACL will cause
3290 the http_access check to fail. If a 'deny_info' line exists
3291 for that ACL Squid returns a corresponding error page.
3293 You may use ERR_ pages that come with Squid or create your own pages
3294 and put them into the configured errors/ directory.
3296 Alternatively you can specify an error URL. The browsers will
3297 get redirected (302) to the specified URL. %s in the redirection
3298 URL will be replaced by the requested URL.
3300 Alternatively you can tell Squid to reset the TCP connection
3301 by specifying TCP_RESET.
3308 LOC: Config.onoff.mem_pools
3310 If set, Squid will keep pools of allocated (but unused) memory
3311 available for future use. If memory is a premium on your
3312 system and you believe your malloc library outperforms Squid
3313 routines, disable this.
3316 NAME: memory_pools_limit
3320 LOC: Config.MemPools.limit
3322 Used only with memory_pools on:
3323 memory_pools_limit 50 MB
3325 If set to a non-zero value, Squid will keep at most the specified
3326 limit of allocated (but unused) memory in memory pools. All free()
3327 requests that exceed this limit will be handled by your malloc
3328 library. Squid does not pre-allocate any memory, just safe-keeps
3329 objects that otherwise would be free()d. Thus, it is safe to set
3330 memory_pools_limit to a reasonably high value even if your
3331 configuration will use less memory.
3333 If set to zero, Squid will keep all memory it can. That is, there
3334 will be no limit on the total amount of memory used for safe-keeping.
3336 To disable memory allocation optimization, do not set
3337 memory_pools_limit to 0. Set memory_pools to "off" instead.
3339 An overhead for maintaining memory pools is not taken into account
3340 when the limit is checked. This overhead is close to four bytes per
3341 object kept. However, pools may actually _save_ memory because of
3342 reduced memory thrashing in your malloc library.
3346 IFDEF: HTTP_VIOLATIONS
3350 LOC: Config.onoff.via
3352 If set (default), Squid will include a Via header in requests and
3353 replies as required by RFC2616.
3360 LOC: opt_forwarded_for
3362 If set, Squid will include your system's IP address or name
3363 in the HTTP requests it forwards. By default it looks like
3366 X-Forwarded-For: 192.1.2.3
3368 If you disable this, it will appear as
3370 X-Forwarded-For: unknown
3373 NAME: log_icp_queries
3377 LOC: Config.onoff.log_udp
3379 If set, ICP queries are logged to access.log. You may wish
3380 do disable this if your ICP load is VERY high to speed things
3381 up or to simplify log analysis.
3388 LOC: Config.onoff.icp_hit_stale
3390 If you want to return ICP_HIT for stale cache objects, set this
3391 option to 'on'. If you have sibling relationships with caches
3392 in other administrative domains, this should be 'off'. If you only
3393 have sibling relationships with caches under your control,
3394 it is probably okay to set this to 'on'.
3395 If set to 'on', your siblings should use the option "allow-miss"
3396 on their cache_peer lines for connecting to you.
3400 NAME: minimum_direct_hops
3403 LOC: Config.minDirectHops
3405 If using the ICMP pinging stuff, do direct fetches for sites
3406 which are no more than this many hops away.
3409 NAME: minimum_direct_rtt
3412 LOC: Config.minDirectRtt
3414 If using the ICMP pinging stuff, do direct fetches for sites
3415 which are no more than this many rtt milliseconds away.
3418 NAME: cachemgr_passwd
3419 TYPE: cachemgrpasswd
3421 LOC: Config.passwd_list
3423 Specify passwords for cachemgr operations.
3425 Usage: cachemgr_passwd password action action ...
3427 Some valid actions are (see cache manager menu for a full list):
3466 * Indicates actions which will not be performed without a
3467 valid password, others can be performed if not listed here.
3469 To disable an action, set the password to "disable".
3470 To allow performing an action without a password, set the
3473 Use the keyword "all" to set the same password for all actions.
3476 cachemgr_passwd secret shutdown
3477 cachemgr_passwd lesssssssecret info stats/objects
3478 cachemgr_passwd disable all
3481 NAME: store_avg_object_size
3485 LOC: Config.Store.avgObjectSize
3487 Average object size, used to estimate number of objects your
3488 cache can hold. See doc/Release-Notes-1.1.txt. The default is
3492 NAME: store_objects_per_bucket
3495 LOC: Config.Store.objectsPerBucket
3497 Target number of objects per bucket in the store hash table.
3498 Lowering this value increases the total number of buckets and
3499 also the storage maintenance rate. The default is 20.
3506 LOC: Config.onoff.client_db
3508 If you want to disable collecting per-client statistics,
3509 turn off client_db here.
3516 LOC: Config.Netdb.low
3522 LOC: Config.Netdb.high
3524 The low and high water marks for the ICMP measurement
3525 database. These are counts, not percents. The defaults are
3526 900 and 1000. When the high water mark is reached, database
3527 entries will be deleted until the low mark is reached.
3531 NAME: netdb_ping_period
3533 LOC: Config.Netdb.period
3536 The minimum period for measuring a site. There will be at
3537 least this much delay between successive pings to the same
3538 network. The default is five minutes.
3546 LOC: Config.onoff.query_icmp
3548 If you want to ask your peers to include ICMP data in their ICP
3549 replies, enable this option.
3551 If your peer has configured Squid (during compilation) with
3552 '--enable-icmp' that peer will send ICMP pings to origin server
3553 sites of the URLs it receives. If you enable this option the
3554 ICP replies from that peer will include the ICMP data (if available).
3555 Then, when choosing a parent cache, Squid will choose the parent with
3556 the minimal RTT to the origin server. When this happens, the
3557 hierarchy field of the access.log will be
3558 "CLOSEST_PARENT_MISS". This option is off by default.
3561 NAME: test_reachability
3565 LOC: Config.onoff.test_reachability
3567 When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
3568 instead of ICP_MISS if the target host is NOT in the ICMP
3569 database, or has a zero RTT.
3576 LOC: Config.onoff.buffered_logs
3578 cache.log log file is written with stdio functions, and as such
3579 it can be buffered or unbuffered. By default it will be unbuffered.
3580 Buffering it can speed up the writing slightly (though you are
3581 unlikely to need to worry unless you run with tons of debugging
3582 enabled in which case performance will suffer badly anyway..).
3585 NAME: refresh_all_ims
3589 LOC: Config.onoff.refresh_all_ims
3591 When you enable this option, squid will always check
3592 the origin server for an update when a client sends an
3593 If-Modified-Since request. Many browsers use IMS
3594 requests when the user requests a reload, and this
3595 ensures those clients receive the latest version.
3597 By default (off), squid may return a Not Modified response
3598 based on the age of the cached version.
3601 NAME: reload_into_ims
3602 IFDEF: HTTP_VIOLATIONS
3606 LOC: Config.onoff.reload_into_ims
3608 When you enable this option, client no-cache or ``reload''
3609 requests will be changed to If-Modified-Since requests.
3610 Doing this VIOLATES the HTTP standard. Enabling this
3611 feature could make you liable for problems which it
3614 see also refresh_pattern for a more selective approach.
3619 LOC: Config.accessList.AlwaysDirect
3622 Usage: always_direct allow|deny [!]aclname ...
3624 Here you can use ACL elements to specify requests which should
3625 ALWAYS be forwarded directly to origin servers. For example,
3626 to always directly forward requests for local servers use
3629 acl local-servers dstdomain my.domain.net
3630 always_direct allow local-servers
3632 To always forward FTP requests directly, use
3635 always_direct allow FTP
3637 NOTE: There is a similar, but opposite option named
3638 'never_direct'. You need to be aware that "always_direct deny
3639 foo" is NOT the same thing as "never_direct allow foo". You
3640 may need to use a deny rule to exclude a more-specific case of
3641 some other rule. Example:
3643 acl local-external dstdomain external.foo.net
3644 acl local-servers dstdomain .foo.net
3645 always_direct deny local-external
3646 always_direct allow local-servers
3648 This option replaces some v1.1 options such as local_domain
3654 LOC: Config.accessList.NeverDirect
3657 Usage: never_direct allow|deny [!]aclname ...
3659 never_direct is the opposite of always_direct. Please read
3660 the description for always_direct if you have not already.
3662 With 'never_direct' you can use ACL elements to specify
3663 requests which should NEVER be forwarded directly to origin
3664 servers. For example, to force the use of a proxy for all
3665 requests, except those in your local domain use something like:
3667 acl local-servers dstdomain .foo.net
3668 acl all src 0.0.0.0/0.0.0.0
3669 never_direct deny local-servers
3670 never_direct allow all
3672 or if Squid is inside a firewall and there are local intranet
3673 servers inside the firewall use something like:
3675 acl local-intranet dstdomain .foo.net
3676 acl local-external dstdomain external.foo.net
3677 always_direct deny local-external
3678 always_direct allow local-intranet
3679 never_direct allow all
3681 This option replaces some v1.1 options such as inside_firewall
3685 NAME: request_header_access
3686 IFDEF: HTTP_VIOLATIONS
3687 TYPE: http_header_access[]
3688 LOC: Config.request_header_access
3691 Usage: request_header_access header_name allow|deny [!]aclname ...
3693 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3694 this feature could make you liable for problems which it
3697 This option replaces the old 'anonymize_headers' and the
3698 older 'http_anonymizer' option with something that is much
3699 more configurable. This new method creates a list of ACLs
3700 for each header, allowing you very fine-tuned header
3703 This option only applies to request headers, i.e., from the
3704 client to the server.
3706 You can only specify known headers for the header name.
3707 Other headers are reclassified as 'Other'. You can also
3708 refer to all the headers with 'All'.
3710 For example, to achieve the same behavior as the old
3711 'http_anonymizer standard' option, you should use:
3713 request_header_access From deny all
3714 request_header_access Referer deny all
3715 request_header_access Server deny all
3716 request_header_access User-Agent deny all
3717 request_header_access WWW-Authenticate deny all
3718 request_header_access Link deny all
3720 Or, to reproduce the old 'http_anonymizer paranoid' feature
3723 request_header_access Allow allow all
3724 request_header_access Authorization allow all
3725 request_header_access WWW-Authenticate allow all
3726 request_header_access Proxy-Authorization allow all
3727 request_header_access Proxy-Authenticate allow all
3728 request_header_access Cache-Control allow all
3729 request_header_access Content-Encoding allow all
3730 request_header_access Content-Length allow all
3731 request_header_access Content-Type allow all
3732 request_header_access Date allow all
3733 request_header_access Expires allow all
3734 request_header_access Host allow all
3735 request_header_access If-Modified-Since allow all
3736 request_header_access Last-Modified allow all
3737 request_header_access Location allow all
3738 request_header_access Pragma allow all
3739 request_header_access Accept allow all
3740 request_header_access Accept-Charset allow all
3741 request_header_access Accept-Encoding allow all
3742 request_header_access Accept-Language allow all
3743 request_header_access Content-Language allow all
3744 request_header_access Mime-Version allow all
3745 request_header_access Retry-After allow all
3746 request_header_access Title allow all
3747 request_header_access Connection allow all
3748 request_header_access Proxy-Connection allow all
3749 request_header_access All deny all
3751 although many of those are HTTP reply headers, and so should be
3752 controlled with the reply_header_access directive.
3754 By default, all headers are allowed (no anonymizing is
3758 NAME: reply_header_access
3759 IFDEF: HTTP_VIOLATIONS
3760 TYPE: http_header_access[]
3761 LOC: Config.reply_header_access
3764 Usage: reply_header_access header_name allow|deny [!]aclname ...
3766 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3767 this feature could make you liable for problems which it
3770 This option only applies to reply headers, i.e., from the
3771 server to the client.
3773 This is the same as request_header_access, but in the other
3776 This option replaces the old 'anonymize_headers' and the
3777 older 'http_anonymizer' option with something that is much
3778 more configurable. This new method creates a list of ACLs
3779 for each header, allowing you very fine-tuned header
3782 You can only specify known headers for the header name.
3783 Other headers are reclassified as 'Other'. You can also
3784 refer to all the headers with 'All'.
3786 For example, to achieve the same behavior as the old
3787 'http_anonymizer standard' option, you should use:
3789 reply_header_access From deny all
3790 reply_header_access Referer deny all
3791 reply_header_access Server deny all
3792 reply_header_access User-Agent deny all
3793 reply_header_access WWW-Authenticate deny all
3794 reply_header_access Link deny all
3796 Or, to reproduce the old 'http_anonymizer paranoid' feature
3799 reply_header_access Allow allow all
3800 reply_header_access Authorization allow all
3801 reply_header_access WWW-Authenticate allow all
3802 reply_header_access Proxy-Authorization allow all
3803 reply_header_access Proxy-Authenticate allow all
3804 reply_header_access Cache-Control allow all
3805 reply_header_access Content-Encoding allow all
3806 reply_header_access Content-Length allow all
3807 reply_header_access Content-Type allow all
3808 reply_header_access Date allow all
3809 reply_header_access Expires allow all
3810 reply_header_access Host allow all
3811 reply_header_access If-Modified-Since allow all
3812 reply_header_access Last-Modified allow all
3813 reply_header_access Location allow all
3814 reply_header_access Pragma allow all
3815 reply_header_access Accept allow all
3816 reply_header_access Accept-Charset allow all
3817 reply_header_access Accept-Encoding allow all
3818 reply_header_access Accept-Language allow all
3819 reply_header_access Content-Language allow all
3820 reply_header_access Mime-Version allow all
3821 reply_header_access Retry-After allow all
3822 reply_header_access Title allow all
3823 reply_header_access Connection allow all
3824 reply_header_access Proxy-Connection allow all
3825 reply_header_access All deny all
3827 although the HTTP request headers won't be usefully controlled
3828 by this directive -- see request_header_access for details.
3830 By default, all headers are allowed (no anonymizing is
3834 NAME: header_replace
3835 IFDEF: HTTP_VIOLATIONS
3836 TYPE: http_header_replace[]
3837 LOC: Config.request_header_access
3840 Usage: header_replace header_name message
3841 Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
3843 This option allows you to change the contents of headers
3844 denied with header_access above, by replacing them with
3845 some fixed string. This replaces the old fake_user_agent
3848 This only applies to request headers, not reply headers.
3850 By default, headers are removed if denied.
3853 NAME: icon_directory
3855 LOC: Config.icons.directory
3856 DEFAULT: @DEFAULT_ICON_DIR@
3858 Where the icons are stored. These are normally kept in
3862 NAME: global_internal_static
3864 LOC: Config.onoff.global_internal_static
3867 This directive controls is Squid should intercept all requests for
3868 /squid-internal-static/ no matter which host the URL is requesting
3869 (default on setting), or if nothing special should be done for
3870 such URLs (off setting). The purpose of this directive is to make
3871 icons etc work better in complex cache hierarchies where it may
3872 not always be possible for all corners in the cache mesh to reach
3873 the server generating a directory listing.
3876 NAME: short_icon_urls
3878 LOC: Config.icons.use_short_names
3881 If this is enabled Squid will use short URLs for icons.
3882 If disabled it will revert to the old behavior of including
3883 it's own name and port in the URL.
3885 If you run a complex cache hierarchy with a mix of Squid and
3886 other proxies you may need to disable this directive.
3889 NAME: error_directory
3891 LOC: Config.errorDirectory
3892 DEFAULT: @DEFAULT_ERROR_DIR@
3894 If you wish to create your own versions of the default
3895 (English) error files, either to customize them to suit your
3896 language or company copy the template English files to another
3897 directory and point this tag at them.
3900 NAME: maximum_single_addr_tries
3902 LOC: Config.retry.maxtries
3905 This sets the maximum number of connection attempts for a
3906 host that only has one address (for multiple-address hosts,
3907 each address is tried once).
3909 The default value is one attempt, the (not recommended)
3910 maximum is 255 tries. A warning message will be generated
3911 if it is set to a value greater than ten.
3913 Note: This is in addition to the request re-forwarding which
3914 takes place if Squid fails to get a satisfying response.
3917 NAME: retry_on_error
3919 LOC: Config.retry.onerror
3922 If set to on Squid will automatically retry requests when
3923 receiving an error response. This is mainly useful if you
3924 are in a complex cache hierarchy to work around access
3930 LOC: Config.Port.snmp
3934 Squid can now serve statistics and status information via SNMP.
3935 By default it listens to port 3401 on the machine. If you don't
3936 wish to use SNMP, set this to "0".
3938 Note: If you want Squid to use parents for all requests see
3939 the never_direct directive. prefer_direct only modifies how Squid
3940 acts on cachable requests.
3945 LOC: Config.accessList.snmp
3947 DEFAULT_IF_NONE: deny all
3950 Allowing or denying access to the SNMP port.
3952 All access to the agent is denied by default.
3955 snmp_access allow|deny [!]aclname ...
3958 snmp_access allow snmppublic localhost
3959 snmp_access deny all
3962 NAME: snmp_incoming_address
3964 LOC: Config.Addrs.snmp_incoming
3968 NAME: snmp_outgoing_address
3970 LOC: Config.Addrs.snmp_outgoing
3971 DEFAULT: 255.255.255.255
3974 Just like 'udp_incoming_address' above, but for the SNMP port.
3976 snmp_incoming_address is used for the SNMP socket receiving
3977 messages from SNMP agents.
3978 snmp_outgoing_address is used for SNMP packets returned to SNMP
3981 The default snmp_incoming_address (0.0.0.0) is to listen on all
3982 available network interfaces.
3984 If snmp_outgoing_address is set to 255.255.255.255 (the default)
3985 it will use the same socket as snmp_incoming_address. Only
3986 change this if you want to have SNMP replies sent using another
3987 address than where this Squid listens for SNMP queries.
3989 NOTE, snmp_incoming_address and snmp_outgoing_address can not have
3990 the same value since they both use port 3401.
3993 NAME: as_whois_server
3995 LOC: Config.as_whois_server
3996 DEFAULT: whois.ra.net
3997 DEFAULT_IF_NONE: whois.ra.net
3999 WHOIS server to query for AS numbers. NOTE: AS numbers are
4000 queried only when Squid starts up, not for every request.
4005 LOC: Config.Wccp.router
4010 TYPE: sockaddr_in_list
4011 LOC: Config.Wccp2.router
4015 Use this option to define your WCCP ``home'' router for
4018 wccp_router supports a single WCCP(v1) router
4020 wccp2_router supports multiple WCCPv2 routers
4022 only one of the two may be used at the same time and defines
4023 which version of WCCP to use.
4028 LOC: Config.Wccp.version
4032 This directive is only relevant if you need to set up WCCP(v1)
4033 to some very old and end-of-life Cisco routers. In all other
4034 setups it must be left unset or at the default setting.
4035 It defines an internal version in the WCCP(v1) protocol,
4036 with version 4 being the officially documented protocol.
4038 According to some users, Cisco IOS 11.2 and earlier only
4039 support WCCP version 3. If you're using that or an earlier
4040 version of IOS, you may need to change this value to 3, otherwise
4041 do not specify this parameter.
4044 NAME: wccp2_forwarding_method
4046 LOC: Config.Wccp2.forwarding_method
4050 WCCP2 allows the setting of forwarding methods between the
4051 router/switch and the cache. Valid values are as follows:
4053 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4054 2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
4056 Currently (as of IOS 12.4) cisco routers only support GRE.
4057 Cisco switches only support the L2 redirect assignment method.
4060 NAME: wccp2_return_method
4062 LOC: Config.Wccp2.return_method
4066 WCCP2 allows the setting of return methods between the
4067 router/switch and the cache for packets that the cache
4068 decides not to handle. Valid values are as follows:
4070 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4071 2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
4073 Currently (as of IOS 12.4) cisco routers only support GRE.
4074 Cisco switches only support the L2 redirect assignment.
4076 If the "ip wccp redirect exclude in" command has been
4077 enabled on the cache interface, then it is still safe for
4078 the proxy server to use a l2 redirect method even if this
4079 option is set to GRE.
4084 LOC: Config.Wccp2.info
4086 DEFAULT_IF_NONE: standard 0
4089 WCCP2 allows for multiple traffic services. There are two
4090 types: "standard" and "dynamic". The standard type defines
4091 one service id - http (id 0). The dynamic service ids can be from
4092 51 to 255 inclusive. In order to use a dynamic service id
4093 one must define the type of traffic to be redirected; this is done
4094 using the wccp2_service_info option.
4096 The "standard" type does not require a wccp2_service_info option,
4097 just specifying the service id will suffice.
4099 MD5 service authentication can be enabled by adding
4100 "password=<password>" to the end of this service declaration.
4104 wccp2_service standard 0 # for the 'web-cache' standard service
4105 wccp2_service dynamic 80 # a dynamic service type which will be
4106 # fleshed out with subsequent options.
4107 wccp2_service standard 0 password=foo
4111 NAME: wccp2_service_info
4112 TYPE: wccp2_service_info
4113 LOC: Config.Wccp2.info
4117 Dynamic WCCPv2 services require further information to define the
4118 traffic you wish to have diverted.
4122 wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
4123 priority=<priority> ports=<port>,<port>..
4125 The relevant WCCPv2 flags:
4126 + src_ip_hash, dst_ip_hash
4127 + source_port_hash, dest_port_hash
4128 + src_ip_alt_hash, dst_ip_alt_hash
4129 + src_port_alt_hash, dst_port_alt_hash
4132 The port list can be one to eight entries.
4136 wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
4137 priority=240 ports=80
4139 Note: the service id must have been defined by a previous
4140 'wccp2_service dynamic <id>' entry.
4145 LOC: Config.Wccp.address
4151 LOC: Config.Wccp2.address
4155 Use this option if you require WCCP to use a specific
4158 The default behavior is to not bind to any specific address.
4163 DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
4164 -----------------------------------------------------------------------------
4168 TYPE: delay_pool_count
4173 This represents the number of delay pools to be used. For example,
4174 if you have one class 2 delay pool and one class 3 delays pool, you
4175 have a total of 2 delay pools.
4179 TYPE: delay_pool_class
4184 This defines the class of each delay pool. There must be exactly one
4185 delay_class line for each delay pool. For example, to define two
4186 delay pools, one of class 2 and one of class 3, the settings above
4190 delay_pools 4 # 4 delay pools
4191 delay_class 1 2 # pool 1 is a class 2 pool
4192 delay_class 2 3 # pool 2 is a class 3 pool
4193 delay_class 3 4 # pool 3 is a class 4 pool
4194 delay_class 4 5 # pool 4 is a class 5 pool
4196 The delay pool classes are:
4198 class 1 Everything is limited by a single aggregate
4201 class 2 Everything is limited by a single aggregate
4202 bucket as well as an "individual" bucket chosen
4203 from bits 25 through 32 of the IP address.
4205 class 3 Everything is limited by a single aggregate
4206 bucket as well as a "network" bucket chosen
4207 from bits 17 through 24 of the IP address and a
4208 "individual" bucket chosen from bits 17 through
4209 32 of the IP address.
4211 class 4 Everything in a class 3 delay pool, with an
4212 additional limit on a per user basis. This
4213 only takes effect if the username is established
4214 in advance - by forcing authentication in your
4217 class 5 Requests are grouped according their tag (see
4218 external_acl's tag= reply).
4220 NOTE: If an IP address is a.b.c.d
4221 -> bits 25 through 32 are "d"
4222 -> bits 17 through 24 are "c"
4223 -> bits 17 through 32 are "c * 256 + d"
4227 TYPE: delay_pool_access
4232 This is used to determine which delay pool a request falls into.
4234 delay_access is sorted per pool and the matching starts with pool 1,
4235 then pool 2, ..., and finally pool N. The first delay pool where the
4236 request is allowed is selected for the request. If it does not allow
4237 the request to any pool then the request is not delayed (default).
4239 For example, if you want some_big_clients in delay
4240 pool 1 and lotsa_little_clients in delay pool 2:
4243 delay_access 1 allow some_big_clients
4244 delay_access 1 deny all
4245 delay_access 2 allow lotsa_little_clients
4246 delay_access 2 deny all
4247 delay_access 3 allow authenticated_clients
4250 NAME: delay_parameters
4251 TYPE: delay_pool_rates
4256 This defines the parameters for a delay pool. Each delay pool has
4257 a number of "buckets" associated with it, as explained in the
4258 description of delay_class. For a class 1 delay pool, the syntax is:
4260 delay_parameters pool aggregate
4262 For a class 2 delay pool:
4264 delay_parameters pool aggregate individual
4266 For a class 3 delay pool:
4268 delay_parameters pool aggregate network individual
4270 For a class 4 delay pool:
4272 delay_parameters pool aggregate network individual user
4274 For a class 5 delay pool:
4276 delay_parameters pool tag
4278 The variables here are:
4280 pool a pool number - ie, a number between 1 and the
4281 number specified in delay_pools as used in
4284 aggregate the "delay parameters" for the aggregate bucket
4287 individual the "delay parameters" for the individual
4288 buckets (class 2, 3).
4290 network the "delay parameters" for the network buckets
4293 user the delay parameters for the user buckets
4296 tag the delay parameters for the tag buckets
4299 A pair of delay parameters is written restore/maximum, where restore is
4300 the number of bytes (not bits - modem and network speeds are usually
4301 quoted in bits) per second placed into the bucket, and maximum is the
4302 maximum number of bytes which can be in the bucket at any time.
4304 For example, if delay pool number 1 is a class 2 delay pool as in the
4305 above example, and is being used to strictly limit each host to 64kbps
4306 (plus overheads), with no overall limit, the line is:
4308 delay_parameters 1 -1/-1 8000/8000
4310 Note that the figure -1 is used to represent "unlimited".
4312 And, if delay pool number 2 is a class 3 delay pool as in the above
4313 example, and you want to limit it to a total of 256kbps (strict limit)
4314 with each 8-bit network permitted 64kbps (strict limit) and each
4315 individual host permitted 4800bps with a bucket maximum size of 64kb
4316 to permit a decent web page to be downloaded at a decent speed
4317 (if the network is not being limited due to overuse) but slow down
4318 large downloads more significantly:
4320 delay_parameters 2 32000/32000 8000/8000 600/8000
4322 There must be one delay_parameters line for each delay pool.
4324 Finally, for a class 4 delay pool as in the example - each user will
4325 be limited to 128Kb no matter how many workstations they are logged into.:
4327 delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
4330 NAME: delay_initial_bucket_level
4331 COMMENT: (percent, 0-100)
4335 LOC: Config.Delay.initial
4337 The initial bucket percentage is used to determine how much is put
4338 in each bucket when squid starts, is reconfigured, or first notices
4339 a host accessing it (in class 2 and class 3, individual hosts and
4340 networks only have buckets associated with them once they have been
4344 NAME: incoming_icp_average
4347 LOC: Config.comm_incoming.icp_average
4350 NAME: incoming_http_average
4353 LOC: Config.comm_incoming.http_average
4356 NAME: incoming_dns_average
4359 LOC: Config.comm_incoming.dns_average
4362 NAME: min_icp_poll_cnt
4365 LOC: Config.comm_incoming.icp_min_poll
4368 NAME: min_dns_poll_cnt
4371 LOC: Config.comm_incoming.dns_min_poll
4374 NAME: min_http_poll_cnt
4377 LOC: Config.comm_incoming.http_min_poll
4379 Heavy voodoo here. I can't even believe you are reading this.
4380 Are you crazy? Don't even think about adjusting these unless
4381 you understand the algorithms in comm_select.c first!
4384 NAME: max_open_disk_fds
4386 LOC: Config.max_open_disk_fds
4389 To avoid having disk as the I/O bottleneck Squid can optionally
4390 bypass the on-disk cache if more than this amount of disk file
4391 descriptors are open.
4393 A value of 0 indicates no limit.
4398 LOC: Config.onoff.offline
4401 Enable this option and Squid will never try to validate cached
4405 NAME: uri_whitespace
4406 TYPE: uri_whitespace
4407 LOC: Config.uri_whitespace
4410 What to do with requests that have whitespace characters in the
4413 strip: The whitespace characters are stripped out of the URL.
4414 This is the behavior recommended by RFC2396.
4415 deny: The request is denied. The user receives an "Invalid
4417 allow: The request is allowed and the URI is not changed. The
4418 whitespace characters remain in the URI. Note the
4419 whitespace is passed to redirector processes if they
4421 encode: The request is allowed and the whitespace characters are
4422 encoded according to RFC1738. This could be considered
4423 a violation of the HTTP/1.1
4424 RFC because proxies are not allowed to rewrite URI's.
4425 chop: The request is allowed and the URI is chopped at the
4426 first whitespace. This might also be considered a
4433 LOC: Config.accessList.brokenPosts
4435 A list of ACL elements which, if matched, causes Squid to send
4436 an extra CRLF pair after the body of a PUT/POST request.
4438 Some HTTP servers has broken implementations of PUT/POST,
4439 and rely on an extra CRLF pair sent by some WWW clients.
4441 Quote from RFC 2068 section 4.1 on this matter:
4443 Note: certain buggy HTTP/1.0 client implementations generate an
4444 extra CRLF's after a POST request. To restate what is explicitly
4445 forbidden by the BNF, an HTTP/1.1 client must not preface or follow
4446 a request with an extra CRLF.
4449 acl buggy_server url_regex ^http://....
4450 broken_posts allow buggy_server
4453 NAME: mcast_miss_addr
4454 IFDEF: MULTICAST_MISS_STREAM
4456 LOC: Config.mcast_miss.addr
4457 DEFAULT: 255.255.255.255
4459 If you enable this option, every "cache miss" URL will
4460 be sent out on the specified multicast address.
4462 Do not enable this option unless you are are absolutely
4463 certain you understand what you are doing.
4466 NAME: mcast_miss_ttl
4467 IFDEF: MULTICAST_MISS_STREAM
4469 LOC: Config.mcast_miss.ttl
4472 This is the time-to-live value for packets multicasted
4473 when multicasting off cache miss URLs is enabled. By
4474 default this is set to 'site scope', i.e. 16.
4477 NAME: mcast_miss_port
4478 IFDEF: MULTICAST_MISS_STREAM
4480 LOC: Config.mcast_miss.port
4483 This is the port number to be used in conjunction with
4487 NAME: mcast_miss_encode_key
4488 IFDEF: MULTICAST_MISS_STREAM
4490 LOC: Config.mcast_miss.encode_key
4491 DEFAULT: XXXXXXXXXXXXXXXX
4493 The URLs that are sent in the multicast miss stream are
4494 encrypted. This is the encryption key.
4497 NAME: nonhierarchical_direct
4499 LOC: Config.onoff.nonhierarchical_direct
4502 By default, Squid will send any non-hierarchical requests
4503 (matching hierarchy_stoplist or not cachable request type) direct
4506 If you set this to off, Squid will prefer to send these
4507 requests to parents.
4509 Note that in most configurations, by turning this off you will only
4510 add latency to these request without any improvement in global hit
4513 If you are inside an firewall see never_direct instead of
4519 LOC: Config.onoff.prefer_direct
4522 Normally Squid tries to use parents for most requests. If you for some
4523 reason like it to first try going direct and only use a parent if
4524 going direct fails set this to on.
4526 By combining nonhierarchical_direct off and prefer_direct on you
4527 can set up Squid to use a parent as a backup path if going direct
4531 NAME: strip_query_terms
4533 LOC: Config.onoff.strip_query_terms
4536 By default, Squid strips query terms from requested URLs before
4537 logging. This protects your user's privacy.
4542 LOC: Config.coredump_dir
4544 DEFAULT_IF_NONE: none
4546 By default Squid leaves core files in the directory from where
4547 it was started. If you set 'coredump_dir' to a directory
4548 that exists, Squid will chdir() to that directory at startup
4549 and coredump files will be left there.
4552 # Leave coredumps in the first cache dir
4553 coredump_dir @DEFAULT_SWAP_DIR@
4557 NAME: redirector_bypass
4559 LOC: Config.onoff.redirector_bypass
4562 When this is 'on', a request will not go through the
4563 redirector if all redirectors are busy. If this is 'off'
4564 and the redirector queue grows too large, Squid will exit
4565 with a FATAL error and ask you to increase the number of
4566 redirectors. You should only enable this if the redirectors
4567 are not critical to your caching system. If you use
4568 redirectors for access control, and you enable this option,
4569 users may have access to pages they should not
4570 be allowed to request.
4573 NAME: ignore_unknown_nameservers
4575 LOC: Config.onoff.ignore_unknown_nameservers
4578 By default Squid checks that DNS responses are received
4579 from the same IP addresses they are sent to. If they
4580 don't match, Squid ignores the response and writes a warning
4581 message to cache.log. You can allow responses from unknown
4582 nameservers by setting this option to 'off'.
4585 NAME: digest_generation
4586 IFDEF: USE_CACHE_DIGESTS
4588 LOC: Config.onoff.digest_generation
4591 This controls whether the server will generate a Cache Digest
4592 of its contents. By default, Cache Digest generation is
4593 enabled if Squid is compiled with USE_CACHE_DIGESTS defined.
4596 NAME: digest_bits_per_entry
4597 IFDEF: USE_CACHE_DIGESTS
4599 LOC: Config.digest.bits_per_entry
4602 This is the number of bits of the server's Cache Digest which
4603 will be associated with the Digest entry for a given HTTP
4604 Method and URL (public key) combination. The default is 5.
4607 NAME: digest_rebuild_period
4608 IFDEF: USE_CACHE_DIGESTS
4611 LOC: Config.digest.rebuild_period
4614 This is the number of seconds between Cache Digest rebuilds.
4617 NAME: digest_rewrite_period
4619 IFDEF: USE_CACHE_DIGESTS
4621 LOC: Config.digest.rewrite_period
4624 This is the number of seconds between Cache Digest writes to
4628 NAME: digest_swapout_chunk_size
4631 IFDEF: USE_CACHE_DIGESTS
4632 LOC: Config.digest.swapout_chunk_size
4635 This is the number of bytes of the Cache Digest to write to
4636 disk at a time. It defaults to 4096 bytes (4KB), the Squid
4640 NAME: digest_rebuild_chunk_percentage
4641 COMMENT: (percent, 0-100)
4642 IFDEF: USE_CACHE_DIGESTS
4644 LOC: Config.digest.rebuild_chunk_percentage
4647 This is the percentage of the Cache Digest to be scanned at a
4648 time. By default it is set to 10% of the Cache Digest.
4653 LOC: Config.chroot_dir
4656 Use this to have Squid do a chroot() while initializing. This
4657 also causes Squid to fully drop root privileges after
4658 initializing. This means, for example, if you use a HTTP
4659 port less than 1024 and try to reconfigure, you will get an
4663 NAME: client_persistent_connections
4665 LOC: Config.onoff.client_pconns
4669 NAME: server_persistent_connections
4671 LOC: Config.onoff.server_pconns
4674 Persistent connection support for clients and servers. By
4675 default, Squid uses persistent connections (when allowed)
4676 with its clients and servers. You can use these options to
4677 disable persistent connections with clients and/or servers.
4680 NAME: persistent_connection_after_error
4682 LOC: Config.onoff.error_pconns
4685 With this directive the use of persistent connections after
4686 HTTP errors can be disabled. Useful if you have clients
4687 who fail to handle errors on persistent connections proper.
4690 NAME: detect_broken_pconn
4692 LOC: Config.onoff.detect_broken_server_pconns
4695 Some servers have been found to incorrectly signal the use
4696 of HTTP/1.0 persistent connections even on replies not
4697 compatible, causing significant delays. This server problem
4698 has mostly been seen on redirects.
4700 By enabling this directive Squid attempts to detect such
4701 broken replies and automatically assume the reply is finished
4702 after 10 seconds timeout.
4705 NAME: balance_on_multiple_ip
4707 LOC: Config.onoff.balance_on_multiple_ip
4710 Some load balancing servers based on round robin DNS have been
4711 found not to preserve user session state across requests
4712 to different IP addresses.
4714 By default Squid rotates IP's per request. By disabling
4715 this directive only connection failure triggers rotation.
4718 NAME: pipeline_prefetch
4720 LOC: Config.onoff.pipeline_prefetch
4723 To boost the performance of pipelined requests to closer
4724 match that of a non-proxied environment Squid can try to fetch
4725 up to two requests in parallel from a pipeline.
4727 Defaults to off for bandwidth management and access logging
4731 NAME: extension_methods
4733 LOC: Config.ext_methods
4736 Squid only knows about standardized HTTP request methods.
4737 You can add up to 20 additional "extension" methods here.
4740 NAME: request_entities
4742 LOC: Config.onoff.request_entities
4745 Squid defaults to deny GET and HEAD requests with request entities,
4746 as the meaning of such requests are undefined in the HTTP standard
4747 even if not explicitly forbidden.
4749 Set this directive to on if you have clients which insists
4750 on sending request entities in GET or HEAD requests.
4753 NAME: high_response_time_warning
4756 LOC: Config.warnings.high_rptm
4759 If the one-minute median response time exceeds this value,
4760 Squid prints a WARNING with debug level 0 to get the
4761 administrators attention. The value is in milliseconds.
4764 NAME: high_page_fault_warning
4766 LOC: Config.warnings.high_pf
4769 If the one-minute average page fault rate exceeds this
4770 value, Squid prints a WARNING with debug level 0 to get
4771 the administrators attention. The value is in page faults
4775 NAME: high_memory_warning
4777 LOC: Config.warnings.high_memory
4780 If the memory usage (as determined by mallinfo) exceeds
4781 value, Squid prints a WARNING with debug level 0 to get
4782 the administrators attention.
4785 NAME: store_dir_select_algorithm
4787 LOC: Config.store_dir_select_algorithm
4790 Set this to 'round-robin' as an alternative.
4797 LOC: Config.Log.forward
4799 Logs the server-side requests.
4801 This is currently work in progress.
4807 LOC: Config.onoff.ie_refresh
4810 Microsoft Internet Explorer up until version 5.5 Service
4811 Pack 1 has an issue with transparent proxies, wherein it
4812 is impossible to force a refresh. Turning this on provides
4813 a partial fix to the problem, by causing all IMS-REFRESH
4814 requests from older IE versions to check the origin server
4815 for fresh content. This reduces hit ratio by some amount
4816 (~10% in my experience), but allows users to actually get
4817 fresh content when they want it. Note because Squid
4818 cannot tell if the user is using 5.5 or 5.5SP1, the behavior
4819 of 5.5 is unchanged from old versions of Squid (i.e. a
4820 forced refresh is impossible). Newer versions of IE will,
4821 hopefully, continue to have the new behavior and will be
4822 handled based on that assumption. This option defaults to
4823 the old Squid behavior, which is better for hit ratios but
4824 worse for clients using IE, if they need to be able to
4825 force fresh content.
4828 NAME: vary_ignore_expire
4831 LOC: Config.onoff.vary_ignore_expire
4834 Many HTTP servers supporting Vary gives such objects
4835 immediate expiry time with no cache-control header
4836 when requested by a HTTP/1.0 client. This option
4837 enables Squid to ignore such expiry times until
4838 HTTP/1.1 is fully implemented.
4839 WARNING: This may eventually cause some varying
4840 objects not intended for caching to get cached.
4843 NAME: sleep_after_fork
4844 COMMENT: (microseconds)
4846 LOC: Config.sleep_after_fork
4849 When this is set to a non-zero value, the main Squid process
4850 sleeps the specified number of microseconds after a fork()
4851 system call. This sleep may help the situation where your
4852 system reports fork() failures due to lack of (virtual)
4853 memory. Note, however, if you have a lot of child
4854 processes, these sleep delays will add up and your
4855 Squid will not service requests for some amount of time
4856 until all the child processes have been started.
4859 NAME: minimum_expiry_time
4862 LOC: Config.minimum_expiry_time
4865 The minimum caching time according to (Expires - Date)
4866 Headers Squid honors if the object can't be revalidated
4867 defaults to 60 seconds. In reverse proxy enorinments it
4868 might be desirable to honor shorter object lifetimes. It
4869 is most likely better to make your server return a
4870 meaningful Last-Modified header however. In ESI environments
4871 where page fragments often have short lifetimes, this will
4872 often be best set to 0.
4875 NAME: relaxed_header_parser
4876 COMMENT: on|off|warn
4878 LOC: Config.onoff.relaxed_header_parser
4881 In the default "on" setting Squid accepts certain forms
4882 of non-compliant HTTP messages where it is unambiguous
4883 what the sending application intended even if the message
4884 is not correctly formatted. The messages is then normalized
4885 to the correct form when forwarded by Squid.
4887 If set to "warn" then a warning will be emitted in cache.log
4888 each time such HTTP error is encountered.
4890 If set to "off" then such HTTP errors will cause the request
4891 or response to be rejected.
4896 -----------------------------------------------------------------------------
4903 LOC: TheICAPConfig.onoff
4906 If you want to enable the ICAP module support, set this to on.
4909 NAME: icap_preview_enable
4913 LOC: TheICAPConfig.preview_enable
4916 Set this to 'on' if you want to enable the ICAP preview
4920 NAME: icap_preview_size
4923 LOC: TheICAPConfig.preview_size
4926 The default size of preview data to be sent to the ICAP server.
4927 -1 means no preview. This value might be overwritten on a per server
4928 basis by OPTIONS requests.
4931 NAME: icap_default_options_ttl
4934 LOC: TheICAPConfig.default_options_ttl
4937 The default TTL value for ICAP OPTIONS responses that don't have
4938 an Options-TTL header.
4941 NAME: icap_persistent_connections
4945 LOC: TheICAPConfig.reuse_connections
4948 Whether or not Squid should use persistent connections to
4952 NAME: icap_send_client_ip
4956 LOC: TheICAPConfig.send_client_ip
4959 This adds the header "X-Client-IP" to ICAP requests.
4962 NAME: icap_send_client_username
4966 LOC: TheICAPConfig.send_client_username
4969 This adds the header "X-Client-Username" to ICAP requests
4970 if proxy access is authentified.
4974 TYPE: icap_service_type
4979 Defines a single ICAP service
4981 icap_service servicename vectoring_point bypass service_url
4983 vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
4984 This specifies at which point of request processing the ICAP
4985 service should be plugged in.
4987 If set to 1 and the ICAP server cannot be reached, the request will go
4988 through without being processed by an ICAP server
4989 service_url = icap://servername:port/service
4991 Note: reqmod_precache and respmod_postcache is not yet implemented
4994 icap_service service_1 reqmod_precache 0 icap://icap1.mydomain.net:1344/reqmod
4995 icap_service service_2 respmod_precache 0 icap://icap2.mydomain.net:1344/respmod
4999 TYPE: icap_class_type
5004 Defines an ICAP service chain. If there are multiple services per
5005 vectoring point, they are processed in the specified order.
5007 icap_class classname servicename...
5010 icap_class class_1 service_1 service_2
5011 icap class class_2 service_1 service_3
5015 TYPE: icap_access_type
5020 Redirects a request through an ICAP service class, depending
5023 icap_access classname allow|deny [!]aclname...
5025 The icap_access statements are processed in the order they appear in
5026 this configuration file. If an access list matches, the processing stops.
5027 For an "allow" rule, the specified class is used for the request. A "deny"
5028 rule simply stops processing without using the class. You can also use the
5029 special classname "None".
5031 For backward compatibility, it is also possible to use services
5034 icap_access class_1 allow all