3 # $Id: cf.data.pre,v 1.451 2007/08/17 03:33:23 hno Exp $
5 # SQUID Web Proxy Cache http://www.squid-cache.org/
6 # ----------------------------------------------------------
8 # Squid is the result of efforts by numerous individuals from
9 # the Internet community; see the CONTRIBUTORS file for full
10 # details. Many organizations have provided support for Squid's
11 # development; see the SPONSORS file for full details. Squid is
12 # Copyrighted (C) 2000 by the Regents of the University of
13 # California; see the COPYRIGHT file for full details. Squid
14 # incorporates software developed and/or copyrighted by other
15 # sources; see the CREDITS file for full details.
17 # This program is free software; you can redistribute it and/or modify
18 # it under the terms of the GNU General Public License as published by
19 # the Free Software Foundation; either version 2 of the License, or
20 # (at your option) any later version.
22 # This program is distributed in the hope that it will be useful,
23 # but WITHOUT ANY WARRANTY; without even the implied warranty of
24 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25 # GNU General Public License for more details.
27 # You should have received a copy of the GNU General Public License
28 # along with this program; if not, write to the Free Software
29 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
33 WELCOME TO SQUID @VERSION@
34 ----------------------------
36 This is the default Squid configuration file. You may wish
37 to look at the Squid home page (http://www.squid-cache.org/)
38 for the FAQ and other documentation.
40 The default Squid config file shows what the defaults for
41 various options happen to be. If you don't need to change the
42 default, you shouldn't uncomment the line. Doing so may cause
43 run-time problems. In some cases "none" refers to no default
44 setting at all, while in other cases it refers to a valid
45 option - the comments for that keyword indicate if this is the
52 -----------------------------------------------------------------------------
55 NAME: http_port ascii_port
58 LOC: Config.Sockaddr.http
61 hostname:port [options]
62 1.2.3.4:port [options]
64 The socket addresses where Squid will listen for HTTP client
65 requests. You may specify multiple socket addresses.
66 There are three forms: port alone, hostname with port, and
67 IP address with port. If you specify a hostname or IP
68 address, Squid binds the socket to that specific
69 address. This replaces the old 'tcp_incoming_address'
70 option. Most likely, you do not need to bind to a specific
71 address, so you can use the port number alone.
73 If you are running Squid in accelerator mode, you
74 probably want to listen on port 80 also, or instead.
76 The -a command line option may be used to specify additional
77 port(s) where Squid listens for proxy request. Such ports will
78 be plain proxy ports with no options.
80 You may specify multiple socket addresses on multiple lines.
84 transparent Support for transparent interception of
85 outgoing requests without browser settings.
87 accel Accelerator mode. Also needs at least one of
88 vhost / vport / defaultsite.
90 vhost Accelerator mode using Host header for virtual
91 domain support. Implies accel.
93 vport Accelerator with IP based virtual host support.
96 vport=NN As above, but uses specified port number rather
97 than the http_port number. Implies accel.
99 defaultsite=domainname
100 What to use for the Host: header if it is not present
101 in a request. Determines what site (not origin server)
102 accelerators should consider the default.
105 protocol= Protocol to reconstruct accelerated requests with.
108 tproxy Support Linux TPROXY for spoofing outgoing
109 connections using the client IP address.
111 disable-pmtu-discovery=
112 Control Path-MTU discovery usage:
113 off lets OS decide on what to do (default).
114 transparent disable PMTU discovery when transparent
116 always disable always PMTU discovery.
118 In many setups of transparently intercepting proxies
119 Path-MTU discovery can not work on traffic towards the
120 clients. This is the case when the intercepting device
121 does not fully track connections and fails to forward
122 ICMP must fragment messages to the cache server. If you
123 have such setup and experience that certain clients
124 sporadically hang or never complete requests set
125 disable-pmtu-discovery option to 'transparent'.
127 If you run Squid on a dual-homed machine with an internal
128 and an external interface we recommend you to specify the
129 internal address:port in http_port. This way Squid will only be
130 visible on the internal address.
133 # Squid normally listens to port 3128
134 http_port @DEFAULT_HTTP_PORT@
140 TYPE: https_port_list
142 LOC: Config.Sockaddr.https
144 Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
146 The socket address where Squid will listen for HTTPS client
149 This is really only useful for situations where you are running
150 squid in accelerator mode and you want to do the SSL work at the
153 You may specify multiple socket addresses on multiple lines,
154 each with their own SSL certificate and/or options.
158 accel Accelerator mode. Also needs at least one of
159 defaultsite or vhost.
161 defaultsite= The name of the https site presented on
162 this port. Implies accel.
164 vhost Accelerator mode using Host header for virtual
165 domain support. Requires a wildcard certificate
166 or other certificate valid for more than one domain.
169 protocol= Protocol to reconstruct accelerated requests with.
172 cert= Path to SSL certificate (PEM format).
174 key= Path to SSL private key file (PEM format)
175 if not specified, the certificate file is
176 assumed to be a combined certificate and
179 version= The version of SSL/TLS supported
180 1 automatic (default)
185 cipher= Colon separated list of supported ciphers.
187 options= Various SSL engine options. The most important
189 NO_SSLv2 Disallow the use of SSLv2
190 NO_SSLv3 Disallow the use of SSLv3
191 NO_TLSv1 Disallow the use of TLSv1
192 SINGLE_DH_USE Always create a new key when using
193 temporary/ephemeral DH key exchanges
194 See src/ssl_support.c or OpenSSL SSL_CTX_set_options
195 documentation for a complete list of options.
197 clientca= File containing the list of CAs to use when
198 requesting a client certificate.
200 cafile= File containing additional CA certificates to
201 use when verifying client certificates. If unset
202 clientca will be used.
204 capath= Directory containing additional CA certificates
205 and CRL lists to use when verifying client certificates.
207 crlfile= File of additional CRL lists to use when verifying
208 the client certificate, in addition to CRLs stored in
209 the capath. Implies VERIFY_CRL flag below.
211 dhparams= File containing DH parameters for temporary/ephemeral
214 sslflags= Various flags modifying the use of SSL:
216 Don't request client certificates
217 immediately, but wait until acl processing
218 requires a certificate (not yet implemented).
220 Don't use the default CA lists built in
223 Don't allow for session reuse. Each connection
224 will result in a new SSL session.
226 Verify CRL lists when accepting client
229 Verify CRL lists for all certificates in the
230 client certificate chain.
232 sslcontext= SSL session ID context identifier.
234 vport Accelerator with IP based virtual host support.
236 vport=NN As above, but uses specified port number rather
237 than the https_port number. Implies accel.
243 -----------------------------------------------------------------------------
246 NAME: ssl_unclean_shutdown
250 LOC: Config.SSL.unclean_shutdown
252 Some browsers (especially MSIE) bugs out on SSL shutdown
259 LOC: Config.SSL.ssl_engine
262 The OpenSSL engine to use. You will need to set this if you
263 would like to use hardware SSL acceleration for example.
266 NAME: sslproxy_client_certificate
269 LOC: Config.ssl_client.cert
272 Client SSL Certificate to use when proxying https:// URLs
275 NAME: sslproxy_client_key
278 LOC: Config.ssl_client.key
281 Client SSL Key to use when proxying https:// URLs
284 NAME: sslproxy_version
287 LOC: Config.ssl_client.version
290 SSL version level to use when proxying https:// URLs
293 NAME: sslproxy_options
296 LOC: Config.ssl_client.options
299 SSL engine options to use when proxying https:// URLs
302 NAME: sslproxy_cipher
305 LOC: Config.ssl_client.cipher
308 SSL cipher list to use when proxying https:// URLs
311 NAME: sslproxy_cafile
314 LOC: Config.ssl_client.cafile
317 file containing CA certificates to use when verifying server
318 certificates while proxying https:// URLs
321 NAME: sslproxy_capath
324 LOC: Config.ssl_client.capath
327 directory containing CA certificates to use when verifying
328 server certificates while proxying https:// URLs
334 LOC: Config.ssl_client.flags
337 Various flags modifying the use of SSL while proxying https:// URLs:
338 DONT_VERIFY_PEER Accept certificates even if they fail to
340 NO_DEFAULT_CA Don't use the default CA list built in
344 NAME: sslpassword_program
347 LOC: Config.Program.ssl_password
350 Specify a program used for entering SSL key passphrases
351 when using encrypted SSL certificate keys. If not specified
352 keys must either be unencrypted, or Squid started with the -N
353 option to allow it to query interactively for the passphrase.
357 OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
358 -----------------------------------------------------------------------------
366 To specify other caches in a hierarchy, use the format:
368 cache_peer hostname type http-port icp-port [options]
373 # hostname type port port options
374 # -------------------- -------- ----- ----- -----------
375 cache_peer parent.foo.net parent 3128 3130 proxy-only default
376 cache_peer sib1.foo.net sibling 3128 3130 proxy-only
377 cache_peer sib2.foo.net sibling 3128 3130 proxy-only
379 type: either 'parent', 'sibling', or 'multicast'.
381 proxy-port: The port number where the cache listens for proxy
384 icp-port: Used for querying neighbor caches about
385 objects. To have a non-ICP neighbor
386 specify '7' for the ICP port and make sure the
387 neighbor machine has the UDP echo port
388 enabled in its /etc/inetd.conf file.
389 NOTE: Also requires icp_port option enabled to send/receive
390 requests via this method.
407 login=user:password | PASS | *:password
418 sslcert=/path/to/ssl/certificate
419 sslkey=/path/to/ssl/key
423 front-end-https[=on|auto]
425 use 'proxy-only' to specify objects fetched
426 from this cache should not be saved locally.
428 use 'weight=n' to affect the selection of a peer
429 during any weighted peer-selection mechanisms.
430 The weight must be an integer; default is 1,
431 larger weights are favored more.
432 This option does not affect parent selection if a peering
433 protocol is not in use.
435 use 'basetime=n' to specify a base amount to
436 be subtracted from round trip times of parents.
437 It is subtracted before division by weight in calculating
438 which parent to fectch from. If the rtt is less than the
439 base time the rtt is set to a minimal value.
441 use 'ttl=n' to specify a IP multicast TTL to use
442 when sending an ICP queries to this address.
443 Only useful when sending to a multicast group.
444 Because we don't accept ICP replies from random
445 hosts, you must configure other group members as
446 peers with the 'multicast-responder' option below.
448 use 'no-query' to NOT send ICP queries to this
451 use 'background-ping' to only send ICP queries to this
452 neighbor infrequently. This is used to keep the neighbor
453 round trip time updated and is usually used in
454 conjunction with weighted-round-robin.
456 use 'default' if this is a parent cache which can
457 be used as a "last-resort" if a peer cannot be located
458 by any of the peer-selection mechanisms.
459 If specified more than once, only the first is used.
461 use 'round-robin' to define a set of parents which
462 should be used in a round-robin fashion in the
463 absence of any ICP queries.
465 use 'weighted-round-robin' to define a set of parents
466 which should be used in a round-robin fashion with the
467 frequency of each parent being based on the round trip
468 time. Closer parents are used more often.
469 Usually used for background-ping parents.
471 use 'carp' to define a set of parents which should
472 be used as a CARP array. The requests will be
473 distributed among the parents based on the CARP load
474 balancing hash function based on their weigth.
476 'multicast-responder' indicates the named peer
477 is a member of a multicast group. ICP queries will
478 not be sent directly to the peer, but ICP replies
479 will be accepted from it.
481 'closest-only' indicates that, for ICP_OP_MISS
482 replies, we'll only forward CLOSEST_PARENT_MISSes
483 and never FIRST_PARENT_MISSes.
485 use 'no-digest' to NOT request cache digests from
488 'no-netdb-exchange' disables requesting ICMP
489 RTT database (NetDB) from the neighbor.
491 use 'no-delay' to prevent access to this neighbor
492 from influencing the delay pools.
494 use 'login=user:password' if this is a personal/workgroup
495 proxy and your parent requires proxy authentication.
496 Note: The string can include URL escapes (i.e. %20 for
497 spaces). This also means % must be written as %%.
499 use 'login=PASS' if users must authenticate against
500 the upstream proxy or in the case of a reverse proxy
501 configuration, the origin web server. This will pass
502 the users credentials as they are to the peer.
503 This only works for the Basic HTTP authentication scheme.
504 Note: To combine this with proxy_auth both proxies must
505 share the same user database as HTTP only allows for
507 Also be warned this will expose your users proxy
508 password to the peer. USE WITH CAUTION
510 use 'login=*:password' to pass the username to the
511 upstream cache, but with a fixed password. This is meant
512 to be used when the peer is in another administrative
513 domain, but it is still needed to identify each user.
514 The star can optionally be followed by some extra
515 information which is added to the username. This can
516 be used to identify this proxy to the peer, similar to
517 the login=username:password option above.
519 use 'connect-timeout=nn' to specify a peer
520 specific connect timeout (also see the
521 peer_connect_timeout directive)
523 use 'digest-url=url' to tell Squid to fetch the cache
524 digest (if digests are enabled) for this host from
525 the specified URL rather than the Squid default
528 use 'allow-miss' to disable Squid's use of only-if-cached
529 when forwarding requests to siblings. This is primarily
530 useful when icp_hit_stale is used by the sibling. To
531 extensive use of this option may result in forwarding
532 loops, and you should avoid having two-way peerings
533 with this option. (for example to deny peer usage on
534 requests from peer by denying cache_peer_access if the
537 use 'max-conn=n' to limit the amount of connections Squid
538 may open to this peer.
540 use 'htcp' to send HTCP, instead of ICP, queries
541 to the neighbor. You probably also want to
542 set the "icp port" to 4827 instead of 3130.
544 use 'htcp-oldsquid' to send HTCP to old Squid versions
546 'originserver' causes this parent peer to be contacted as
547 a origin server. Meant to be used in accelerator setups.
549 use 'name=xxx' if you have multiple peers on the same
550 host but different ports. This name can be used to
551 differentiate the peers in cache_peer_access and similar
554 use 'forceddomain=name' to forcibly set the Host header
555 of requests forwarded to this peer. Useful in accelerator
556 setups where the server (peer) expects a certain domain
557 name and using redirectors to feed this domainname
560 use 'ssl' to indicate connections to this peer should
561 bs SSL/TLS encrypted.
563 use 'sslcert=/path/to/ssl/certificate' to specify a client
564 SSL certificate to use when connecting to this peer.
566 use 'sslkey=/path/to/ssl/key' to specify the private SSL
567 key corresponding to sslcert above. If 'sslkey' is not
568 specified 'sslcert' is assumed to reference a
569 combined file containing both the certificate and the key.
571 use sslversion=1|2|3|4 to specify the SSL version to use
572 when connecting to this peer
573 1 = automatic (default)
578 use sslcipher=... to specify the list of valid SSL ciphers
579 to use when connecting to this peer.
581 use ssloptions=... to specify various SSL engine options:
582 NO_SSLv2 Disallow the use of SSLv2
583 NO_SSLv3 Disallow the use of SSLv3
584 NO_TLSv1 Disallow the use of TLSv1
585 See src/ssl_support.c or the OpenSSL documentation for
586 a more complete list.
588 use sslcafile=... to specify a file containing additional
589 CA certificates to use when verifying the peer certificate
591 use sslcapath=... to specify a directory containing additional
592 CA certificates to use when verifying the peer certificate
594 use sslcrlfile=... to specify a certificate revocation
595 list file to use when verifying the peer certificate.
597 use sslflags=... to specify various flags modifying the
600 Accept certificates even if they fail to
603 Don't use the default CA list built in
606 Don't verify the peer certificate
607 matches the server name
609 use ssldomain= to specify the peer name as advertised
610 in it's certificate. Used for verifying the correctness
611 of the received peer certificate. If not specified the
612 peer hostname will be used.
614 use front-end-https to enable the "Front-End-Https: On"
615 header needed when using Squid as a SSL frontend infront
616 of Microsoft OWA. See MS KB document Q307347 for details
617 on this header. If set to auto the header will
618 only be added if the request is forwarded as a https://
622 NAME: cache_peer_domain cache_host_domain
627 Use to limit the domains for which a neighbor cache will be
630 cache_peer_domain cache-host domain [domain ...]
631 cache_peer_domain cache-host !domain
633 For example, specifying
635 cache_peer_domain parent.foo.net .edu
637 has the effect such that UDP query packets are sent to
638 'bigserver' only when the requested object exists on a
639 server in the .edu domain. Prefixing the domainname
640 with '!' means the cache will be queried for objects
643 NOTE: * Any number of domains may be given for a cache-host,
644 either on the same or separate lines.
645 * When multiple domains are given for a particular
646 cache-host, the first matched domain is applied.
647 * Cache hosts with no domain restrictions are queried
649 * There are no defaults.
650 * There is also a 'cache_peer_access' tag in the ACL
654 NAME: neighbor_type_domain
659 usage: neighbor_type_domain neighbor parent|sibling domain domain ...
661 Modifying the neighbor type for specific domains is now
662 possible. You can treat some domains differently than the the
663 default neighbor type specified on the 'cache_peer' line.
664 Normally it should only be necessary to list domains which
665 should be treated differently because the default neighbor type
666 applies for hostnames which do not match domains listed here.
669 cache_peer parent cache.foo.org 3128 3130
670 neighbor_type_domain cache.foo.org sibling .com .net
671 neighbor_type_domain cache.foo.org sibling .au .de
674 NAME: dead_peer_timeout
678 LOC: Config.Timeout.deadPeer
680 This controls how long Squid waits to declare a peer cache
681 as "dead." If there are no ICP replies received in this
682 amount of time, Squid will declare the peer dead and not
683 expect to receive any further ICP replies. However, it
684 continues to send ICP queries, and will mark the peer as
685 alive upon receipt of the first subsequent ICP reply.
687 This timeout also affects when Squid expects to receive ICP
688 replies from peers. If more than 'dead_peer' seconds have
689 passed since the last ICP reply was received, Squid will not
690 expect to receive an ICP reply on the next query. Thus, if
691 your time between requests is greater than this timeout, you
692 will see a lot of requests sent DIRECT to origin servers
693 instead of to your parents.
696 NAME: hierarchy_stoplist
699 LOC: Config.hierarchy_stoplist
701 A list of words which, if found in a URL, cause the object to
702 be handled directly by this cache. In other words, use this
703 to not query neighbor caches for certain objects. You may
704 list this option multiple times.
705 Note: never_direct overrides this option.
707 #We recommend you to use at least the following line.
708 hierarchy_stoplist cgi-bin ?
715 LOC: Config.accessList.noCache
717 A list of ACL elements which, if matched, cause the request to
718 not be satisfied from the cache and the reply to not be cached.
719 In other words, use this to force certain objects to never be cached.
721 You must use the word 'DENY' to indicate the ACL names which should
724 Default is to allow all to be cached
726 #We recommend you to use the following two lines.
727 acl QUERY urlpath_regex cgi-bin \?
734 -----------------------------------------------------------------------------
741 LOC: Config.memMaxSize
743 NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
744 IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
745 USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
746 THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
748 'cache_mem' specifies the ideal amount of memory to be used
752 * Negative-Cached objects
754 Data for these objects are stored in 4 KB blocks. This
755 parameter specifies the ideal upper limit on the total size of
756 4 KB blocks allocated. In-Transit objects take the highest
759 In-transit objects have priority over the others. When
760 additional space is needed for incoming data, negative-cached
761 and hot objects will be released. In other words, the
762 negative-cached and hot objects will fill up any unused space
763 not needed for in-transit objects.
765 If circumstances require, this limit will be exceeded.
766 Specifically, if your incoming request rate requires more than
767 'cache_mem' of memory to hold in-transit objects, Squid will
768 exceed this limit to satisfy the new requests. When the load
769 decreases, blocks will be freed until the high-water mark is
770 reached. Thereafter, blocks will be used to store hot
774 NAME: maximum_object_size_in_memory
778 LOC: Config.Store.maxInMemObjSize
780 Objects greater than this size will not be attempted to kept in
781 the memory cache. This should be set high enough to keep objects
782 accessed frequently in memory to improve performance whilst low
783 enough to keep larger objects from hoarding cache_mem .
787 COMMENT: (number of entries)
790 LOC: Config.ipcache.size
797 LOC: Config.ipcache.low
804 LOC: Config.ipcache.high
806 The size, low-, and high-water marks for the IP cache.
810 COMMENT: (number of entries)
813 LOC: Config.fqdncache.size
815 Maximum number of FQDN cache entries.
818 NAME: memory_replacement_policy
820 LOC: Config.memPolicy
823 The memory replacement policy parameter determines which
824 objects are purged from memory when memory space is needed.
826 See cache_replacement_policy for details.
831 -----------------------------------------------------------------------------
837 DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256
838 LOC: Config.cacheSwap
842 cache_dir Type Directory-Name Fs-specific-data [options]
844 You can specify multiple cache_dir lines to spread the
845 cache among different disk partitions.
847 Type specifies the kind of storage system to use. Only "ufs"
848 is built by default. To enable any of the other storage systems
849 see the --enable-storeio configure option.
851 'Directory' is a top-level directory where cache swap
852 files will be stored. If you want to use an entire disk
853 for caching, this can be the mount-point directory.
854 The directory must exist and be writable by the Squid
855 process. Squid will NOT create this directory for you.
859 "ufs" is the old well-known Squid storage format that has always
862 cache_dir ufs Directory-Name Mbytes L1 L2 [options]
864 'Mbytes' is the amount of disk space (MB) to use under this
865 directory. The default is 100 MB. Change this to suit your
866 configuration. Do NOT put the size of your disk drive here.
867 Instead, if you want Squid to use the entire disk drive,
868 subtract 20% and use that value.
870 'Level-1' is the number of first-level subdirectories which
871 will be created under the 'Directory'. The default is 16.
873 'Level-2' is the number of second-level subdirectories which
874 will be created under each first-level directory. The default
879 "aufs" uses the same storage format as "ufs", utilizing
880 POSIX-threads to avoid blocking the main Squid process on
881 disk-I/O. This was formerly known in Squid as async-io.
883 cache_dir aufs Directory-Name Mbytes L1 L2 [options]
885 see argument descriptions under ufs above
887 The diskd store type:
889 "diskd" uses the same storage format as "ufs", utilizing a
890 separate process to avoid blocking the main Squid process on
893 cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
895 see argument descriptions under ufs above
897 Q1 specifies the number of unacknowledged I/O requests when Squid
898 stops opening new files. If this many messages are in the queues,
899 Squid won't open new files. Default is 64
901 Q2 specifies the number of unacknowledged messages when Squid
902 starts blocking. If this many messages are in the queues,
903 Squid blocks until it receives some replies. Default is 72
905 When Q1 < Q2 (the default), the cache directory is optimized
906 for lower response time at the expense of a decrease in hit
907 ratio. If Q1 > Q2, the cache directory is optimized for
908 higher hit ratio at the expense of an increase in response
913 block-size=n defines the "block size" for COSS cache_dir's.
914 Squid uses file numbers as block numbers. Since file numbers
915 are limited to 24 bits, the block size determines the maximum
916 size of the COSS partition. The default is 512 bytes, which
917 leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
918 you should not change the coss block size after Squid
919 has written some objects to the cache_dir.
921 The coss file store has changed from 2.5. Now it uses a file
922 called 'stripe' in the directory names in the config - and
923 this will be created by squid -z.
927 no options are allowed or required
931 no-store, no new objects should be stored to this cache_dir
933 max-size=n, refers to the max object size this storedir supports.
934 It is used to initially choose the storedir to dump the object.
935 Note: To make optimal use of the max-size limits you should order
936 the cache_dir lines with the smallest max-size value first and the
937 ones with no max-size specification last.
939 Note for coss, max-size must be less than COSS_MEMBUF_SZ,
940 which can be changed with the --with-coss-membuf-size=N configure
944 NAME: store_dir_select_algorithm
946 LOC: Config.store_dir_select_algorithm
949 Set this to 'round-robin' as an alternative.
952 NAME: max_open_disk_fds
954 LOC: Config.max_open_disk_fds
957 To avoid having disk as the I/O bottleneck Squid can optionally
958 bypass the on-disk cache if more than this amount of disk file
959 descriptors are open.
961 A value of 0 indicates no limit.
964 NAME: cache_replacement_policy
966 LOC: Config.replPolicy
969 The cache replacement policy parameter determines which
970 objects are evicted (replaced) when disk space is needed.
972 lru : Squid's original list based LRU policy
973 heap GDSF : Greedy-Dual Size Frequency
974 heap LFUDA: Least Frequently Used with Dynamic Aging
975 heap LRU : LRU policy implemented using a heap
977 Applies to any cache_dir lines listed below this.
979 The LRU policies keeps recently referenced objects.
981 The heap GDSF policy optimizes object hit rate by keeping smaller
982 popular objects in cache so it has a better chance of getting a
983 hit. It achieves a lower byte hit rate than LFUDA though since
984 it evicts larger (possibly popular) objects.
986 The heap LFUDA policy keeps popular objects in cache regardless of
987 their size and thus optimizes byte hit rate at the expense of
988 hit rate since one large, popular object will prevent many
989 smaller, slightly less popular objects from being cached.
991 Both policies utilize a dynamic aging mechanism that prevents
992 cache pollution that can otherwise occur with frequency-based
993 replacement policies.
995 NOTE: if using the LFUDA replacement policy you should increase
996 the value of maximum_object_size above its default of 4096 KB to
997 to maximize the potential byte hit rate improvement of LFUDA.
999 For more information about the GDSF and LFUDA cache replacement
1000 policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
1001 and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
1004 NAME: minimum_object_size
1008 LOC: Config.Store.minObjectSize
1010 Objects smaller than this size will NOT be saved on disk. The
1011 value is specified in kilobytes, and the default is 0 KB, which
1012 means there is no minimum.
1015 NAME: maximum_object_size
1019 LOC: Config.Store.maxObjectSize
1021 Objects larger than this size will NOT be saved on disk. The
1022 value is specified in kilobytes, and the default is 4MB. If
1023 you wish to get a high BYTES hit ratio, you should probably
1024 increase this (one 32 MB object hit counts for 3200 10KB
1025 hits). If you wish to increase speed more than your want to
1026 save bandwidth you should leave this low.
1028 NOTE: if using the LFUDA replacement policy you should increase
1029 this value to maximize the byte hit rate improvement of LFUDA!
1030 See replacement_policy below for a discussion of this policy.
1033 NAME: cache_swap_low
1034 COMMENT: (percent, 0-100)
1037 LOC: Config.Swap.lowWaterMark
1040 NAME: cache_swap_high
1041 COMMENT: (percent, 0-100)
1044 LOC: Config.Swap.highWaterMark
1047 The low- and high-water marks for cache object replacement.
1048 Replacement begins when the swap (disk) usage is above the
1049 low-water mark and attempts to maintain utilization near the
1050 low-water mark. As swap utilization gets close to high-water
1051 mark object eviction becomes more aggressive. If utilization is
1052 close to the low-water mark less replacement is done each time.
1054 Defaults are 90% and 95%. If you have a large cache, 5% could be
1055 hundreds of MB. If this is the case you may wish to set these
1056 numbers closer together.
1061 -----------------------------------------------------------------------------
1066 LOC: Config.Log.logformats
1071 logformat <name> <format specification>
1073 Defines an access log format.
1075 The <format specification> is a string with embedded % format codes
1077 % format codes all follow the same basic structure where all but
1078 the formatcode is optional. Output strings are automatically escaped
1079 as required according to their context and the output format
1080 modifiers are usually not needed, but can be specified if an explicit
1081 output format is desired.
1083 % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
1085 " output in quoted string format
1086 [ output in squid text log format as used by log_mime_hdrs
1087 # output in URL quoted format
1091 width field width. If starting with 0 the
1092 output is zero padded
1093 {arg} argument such as header name etc
1097 >a Client source IP address
1099 >p Client source port
1100 <A Server IP address or peer name
1101 la Local IP address (http_port)
1102 lp Local port number (http_port)
1103 ts Seconds since epoch
1104 tu subsecond time (milliseconds)
1105 tl Local time. Optional strftime format argument
1106 default %d/%b/%Y:%H:%M:%S %z
1107 tg GMT time. Optional strftime format argument
1108 default %d/%b/%Y:%H:%M:%S %z
1109 tr Response time (milliseconds)
1110 >h Request header. Optional header name argument
1111 on the format header[:[separator]element]
1112 <h Reply header. Optional header name argument
1115 ul User name from authentication
1116 ui User name from ident
1117 us User name from SSL
1118 ue User name from external acl helper
1120 Ss Squid request status (TCP_MISS etc)
1121 Sh Squid hierarchy status (DEFAULT_PARENT etc)
1122 mt MIME content type
1123 rm Request method (GET/POST etc)
1125 rp Request URL-Path excluding hostname
1126 rv Request protocol version
1127 et Tag returned by external acl
1128 ea Log string returned by external acl
1129 <st Reply size including HTTP headers
1130 <sH Reply high offset sent
1131 <sS Upstream object size
1132 % a literal % character
1134 logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
1135 logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
1136 logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
1137 logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
1140 NAME: access_log cache_access_log
1142 LOC: Config.Log.accesslogs
1145 These files log client request activities. Has a line every HTTP or
1146 ICP request. The format is:
1147 access_log <filepath> [<logformat name> [acl acl ...]]
1148 access_log none [acl acl ...]]
1150 Will log to the specified file using the specified format (which
1151 must be defined in a logformat directive) those entries which match
1152 ALL the acl's specified (which must be defined in acl clauses).
1153 If no acl is specified, all requests will be logged to this file.
1155 To disable logging of a request use the filepath "none", in which case
1156 a logformat name should not be specified.
1158 To log the request via syslog specify a filepath of "syslog":
1160 access_log syslog[:facility|priority] [format [acl1 [acl2 ....]]]
1161 where facility could be any of:
1162 LOG_AUTHPRIV, LOG_DAEMON, LOG_LOCAL0 .. LOG_LOCAL7 or LOG_USER.
1164 And priority could be any of:
1165 LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG.
1167 access_log @DEFAULT_ACCESS_LOG@ squid
1173 DEFAULT: @DEFAULT_CACHE_LOG@
1176 Cache logging file. This is where general information about
1177 your cache's behavior goes. You can increase the amount of data
1178 logged to this file with the "debug_options" tag below.
1181 NAME: cache_store_log
1183 DEFAULT: @DEFAULT_STORE_LOG@
1184 LOC: Config.Log.store
1186 Logs the activities of the storage manager. Shows which
1187 objects are ejected from the cache, and which objects are
1188 saved and for how long. To disable, enter "none". There are
1189 not really utilities to analyze this data, so you can safely
1193 NAME: cache_swap_state cache_swap_log
1195 LOC: Config.Log.swap
1198 Location for the cache "swap.state" file. This index file holds
1199 the metadata of objects saved on disk. It is used to rebuild
1200 the cache during startup. Normally this file resides in each
1201 'cache_dir' directory, but you may specify an alternate
1202 pathname here. Note you must give a full filename, not just
1203 a directory. Since this is the index for the whole object
1204 list you CANNOT periodically rotate it!
1206 If %s can be used in the file name it will be replaced with a
1207 a representation of the cache_dir name where each / is replaced
1208 with '.'. This is needed to allow adding/removing cache_dir
1209 lines when cache_swap_log is being used.
1211 If have more than one 'cache_dir', and %s is not used in the name
1212 these swap logs will have names such as:
1218 The numbered extension (which is added automatically)
1219 corresponds to the order of the 'cache_dir' lines in this
1220 configuration file. If you change the order of the 'cache_dir'
1221 lines in this file, these index files will NOT correspond to
1222 the correct 'cache_dir' entry (unless you manually rename
1223 them). We recommend you do NOT use this option. It is
1224 better to keep these index files in each 'cache_dir' directory.
1227 NAME: logfile_rotate
1230 LOC: Config.Log.rotateNumber
1232 Specifies the number of logfile rotations to make when you
1233 type 'squid -k rotate'. The default is 10, which will rotate
1234 with extensions 0 through 9. Setting logfile_rotate to 0 will
1235 disable the file name rotation, but the logfiles are still closed
1236 and re-opened. This will enable you to rename the logfiles
1237 yourself just before sending the rotate signal.
1239 Note, the 'squid -k rotate' command normally sends a USR1
1240 signal to the running squid process. In certain situations
1241 (e.g. on Linux with Async I/O), USR1 is used for other
1242 purposes, so -k rotate uses another signal. It is best to get
1243 in the habit of using 'squid -k rotate' instead of 'kill -USR1
1247 NAME: emulate_httpd_log
1251 LOC: Config.onoff.common_log
1253 The Cache can emulate the log file format which many 'httpd'
1254 programs use. To disable/enable this emulation, set
1255 emulate_httpd_log to 'off' or 'on'. The default
1256 is to use the native log format since it includes useful
1257 information Squid-specific log analyzers use.
1260 NAME: log_ip_on_direct
1264 LOC: Config.onoff.log_ip_on_direct
1266 Log the destination IP address in the hierarchy log tag when going
1267 direct. Earlier Squid versions logged the hostname here. If you
1268 prefer the old way set this to off.
1273 DEFAULT: @DEFAULT_MIME_TABLE@
1274 LOC: Config.mimeTablePathname
1276 Pathname to Squid's MIME table. You shouldn't need to change
1277 this, but the default file contains examples and formatting
1278 information if you do.
1284 LOC: Config.onoff.log_mime_hdrs
1287 The Cache can record both the request and the response MIME
1288 headers for each HTTP transaction. The headers are encoded
1289 safely and will appear as two bracketed fields at the end of
1290 the access log (for either the native or httpd-emulated log
1291 formats). To enable this logging set log_mime_hdrs to 'on'.
1296 LOC: Config.Log.useragent
1298 IFDEF: USE_USERAGENT_LOG
1300 Squid will write the User-Agent field from HTTP requests
1301 to the filename specified here. By default useragent_log
1305 NAME: referer_log referrer_log
1307 LOC: Config.Log.referer
1309 IFDEF: USE_REFERER_LOG
1311 Squid will write the Referer field from HTTP requests to the
1312 filename specified here. By default referer_log is disabled.
1313 Note that "referer" is actually a misspelling of "referrer"
1314 however the misspelt version has been accepted into the HTTP RFCs
1320 DEFAULT: @DEFAULT_PID_FILE@
1321 LOC: Config.pidFilename
1323 A filename to write the process-id to. To disable, enter "none".
1329 LOC: Config.debugOptions
1331 Logging options are set as section,level where each source file
1332 is assigned a unique section. Lower levels result in less
1333 output, Full debugging (level 9) can result in a very large
1334 log file, so be careful. The magic word "ALL" sets debugging
1335 levels for all sections. We recommend normally running with
1343 LOC: Config.onoff.log_fqdn
1345 Turn this on if you wish to log fully qualified domain names
1346 in the access.log. To do this Squid does a DNS lookup of all
1347 IP's connecting to it. This can (in some situations) increase
1348 latency, which makes your cache seem slower for interactive
1352 NAME: client_netmask
1354 LOC: Config.Addrs.client_netmask
1355 DEFAULT: 255.255.255.255
1357 A netmask for client addresses in logfiles and cachemgr output.
1358 Change this to protect the privacy of your cache clients.
1359 A netmask of 255.255.255.0 will log all IP's in that range with
1360 the last digit set to '0'.
1367 LOC: Config.Log.forward
1369 Logs the server-side requests.
1371 This is currently work in progress.
1374 NAME: strip_query_terms
1376 LOC: Config.onoff.strip_query_terms
1379 By default, Squid strips query terms from requested URLs before
1380 logging. This protects your user's privacy.
1387 LOC: Config.onoff.buffered_logs
1389 cache.log log file is written with stdio functions, and as such
1390 it can be buffered or unbuffered. By default it will be unbuffered.
1391 Buffering it can speed up the writing slightly (though you are
1392 unlikely to need to worry unless you run with tons of debugging
1393 enabled in which case performance will suffer badly anyway..).
1397 OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
1398 -----------------------------------------------------------------------------
1404 LOC: Config.Ftp.anon_user
1406 If you want the anonymous login password to be more informative
1407 (and enable the use of picky ftp servers), set this to something
1408 reasonable for your domain, like wwwuser@somewhere.net
1410 The reason why this is domainless by default is the
1411 request can be made on the behalf of a user in any domain,
1412 depending on how the cache is used.
1413 Some ftp server also validate the email address is valid
1414 (for example perl.com).
1417 NAME: ftp_list_width
1420 LOC: Config.Ftp.list_width
1422 Sets the width of ftp listings. This should be set to fit in
1423 the width of a standard browser. Setting this too small
1424 can cut off long filenames when browsing ftp sites.
1430 LOC: Config.Ftp.passive
1432 If your firewall does not allow Squid to use passive
1433 connections, turn off this option.
1436 NAME: ftp_sanitycheck
1439 LOC: Config.Ftp.sanitycheck
1441 For security and data integrity reasons Squid by default performs
1442 sanity checks of the addresses of FTP data connections ensure the
1443 data connection is to the requested server. If you need to allow
1444 FTP connections to servers using another IP address for the data
1445 connection turn this off.
1448 NAME: ftp_telnet_protocol
1451 LOC: Config.Ftp.telnet
1453 The FTP protocol is officially defined to use the telnet protocol
1454 as transport channel for the control connection. However, many
1455 implementations are broken and does not respect this aspect of
1458 If you have trouble accessing files with ASCII code 255 in the
1459 path or similar problems involving this ASCII code you can
1460 try setting this directive to off. If that helps, report to the
1461 operator of the FTP server in question that their FTP server
1462 is broken and does not follow the FTP standard.
1467 DEFAULT: @DEFAULT_DISKD@
1468 LOC: Config.Program.diskd
1470 Specify the location of the diskd executable.
1471 Note this is only useful if you have compiled in
1472 diskd as one of the store io modules.
1475 NAME: unlinkd_program
1478 DEFAULT: @DEFAULT_UNLINKD@
1479 LOC: Config.Program.unlinkd
1481 Specify the location of the executable for file deletion process.
1484 NAME: pinger_program
1486 DEFAULT: @DEFAULT_PINGER@
1487 LOC: Config.Program.pinger
1490 Specify the location of the executable for the pinger process.
1493 NAME: url_rewrite_program redirect_program
1495 LOC: Config.Program.redirect
1498 Specify the location of the executable for the URL rewriter.
1499 Since they can perform almost any function there isn't one included.
1501 For each requested URL rewriter will receive on line with the format
1503 URL <SP> client_ip "/" fqdn <SP> user <SP> method <NL>
1505 And the rewriter may return a rewritten URL. The other components of
1506 the request line does not need to be returned (ignored if they are).
1508 The rewriter can also indicate that a client-side redirect should
1509 be performed to the new URL. This is done by prefixing the returned
1510 URL with "301:" (moved permanently) or 302: (moved temporarily).
1512 By default, a URL rewriter is not used.
1515 NAME: url_rewrite_children redirect_children
1518 LOC: Config.redirectChildren
1520 The number of redirector processes to spawn. If you start
1521 too few Squid will have to wait for them to process a backlog of
1522 URLs, slowing it down. If you start too many they will use RAM
1523 and other system resources.
1526 NAME: url_rewrite_concurrency redirect_concurrency
1529 LOC: Config.redirectConcurrency
1531 The number of requests each redirector helper can handle in
1532 parallel. Defaults to 0 which indicates the redirector
1533 is a old-style single threaded redirector.
1536 NAME: url_rewrite_host_header redirect_rewrites_host_header
1539 LOC: Config.onoff.redir_rewrites_host
1541 By default Squid rewrites any Host: header in redirected
1542 requests. If you are running an accelerator this may
1543 not be a wanted effect of a redirector.
1545 WARNING: Entries are cached on the result of the URL rewriting
1546 process, so be careful if you have domain-virtual hosts.
1549 NAME: url_rewrite_access redirector_access
1552 LOC: Config.accessList.redirector
1554 If defined, this access list specifies which requests are
1555 sent to the redirector processes. By default all requests
1561 LOC: Config.authConfiguration
1564 This is used to define parameters for the various authentication
1565 schemes supported by Squid.
1567 format: auth_param scheme parameter [setting]
1569 The order in which authentication schemes are presented to the client is
1570 dependent on the order the scheme first appears in config file. IE
1571 has a bug (it's not RFC 2617 compliant) in that it will use the basic
1572 scheme if basic is the first entry presented, even if more secure
1573 schemes are presented. For now use the order in the recommended
1574 settings section below. If other browsers have difficulties (don't
1575 recognize the schemes offered even if you are using basic) either
1576 put basic first, or disable the other schemes (by commenting out their
1579 Once an authentication scheme is fully configured, it can only be
1580 shutdown by shutting squid down and restarting. Changes can be made on
1581 the fly and activated with a reconfigure. I.E. You can change to a
1582 different helper, but not unconfigure the helper completely.
1584 Please note that while this directive defines how Squid processes
1585 authentication it does not automatically activate authentication.
1586 To use authentication you must in addition make use of ACLs based
1587 on login name in http_access (proxy_auth, proxy_auth_regex or
1588 external with %LOGIN used in the format tag). The browser will be
1589 challenged for authentication on the first such acl encountered
1590 in http_access processing and will also be re-challenged for new
1591 login credentials if the request is being denied by a proxy_auth
1594 WARNING: authentication can't be used in a transparently intercepting
1595 proxy as the client then thinks it is talking to an origin server and
1596 not the proxy. This is a limitation of bending the TCP/IP protocol to
1597 transparently intercepting port 80, not a limitation in Squid.
1599 === Parameters for the basic scheme follow. ===
1602 Specify the command for the external authenticator. Such a program
1603 reads a line containing "username password" and replies "OK" or
1604 "ERR" in an endless loop. "ERR" responses may optionally be followed
1605 by a error description available as %m in the returned error page.
1606 If you use an authenticator, make sure you have 1 acl of type proxy_auth.
1608 By default, the basic authentication scheme is not used unless a
1609 program is specified.
1611 If you want to use the traditional NCSA proxy authentication, set
1612 this line to something like
1614 auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
1616 "children" numberofchildren
1617 The number of authenticator processes to spawn. If you start too few
1618 Squid will have to wait for them to process a backlog of credential
1619 verifications, slowing it down. When password verifications are
1620 done via a (slow) network you are likely to need lots of
1621 authenticator processes.
1622 auth_param basic children 5
1624 "concurrency" concurrency
1625 The number of concurrent requests the helper can process.
1626 The default of 0 is used for helpers who only supports
1627 one request at a time. Setting this changes the protocol used to
1628 include a channel number first on the request/response line, allowing
1629 multiple requests to be sent to the same helper in parallell without
1630 wating for the response.
1631 Must not be set unless it's known the helper supports this.
1632 auth_param basic concurrency 0
1635 Specifies the realm name which is to be reported to the
1636 client for the basic proxy authentication scheme (part of
1637 the text the user will see when prompted their username and
1638 password). There is no default.
1639 auth_param basic realm Squid proxy-caching web server
1641 "credentialsttl" timetolive
1642 Specifies how long squid assumes an externally validated
1643 username:password pair is valid for - in other words how
1644 often the helper program is called for that user. Set this
1645 low to force revalidation with short lived passwords. Note
1646 setting this high does not impact your susceptibility
1647 to replay attacks unless you are using an one-time password
1648 system (such as SecureID). If you are using such a system,
1649 you will be vulnerable to replay attacks unless you also
1650 use the max_user_ip ACL in an http_access rule.
1652 "casesensitive" on|off
1653 Specifies if usernames are case sensitive. Most user databases are
1654 case insensitive allowing the same username to be spelled using both
1655 lower and upper case letters, but some are case sensitive. This
1656 makes a big difference for user_max_ip ACL processing and similar.
1657 auth_param basic casesensitive off
1659 === Parameters for the digest scheme follow ===
1662 Specify the command for the external authenticator. Such
1663 a program reads a line containing "username":"realm" and
1664 replies with the appropriate H(A1) value hex encoded or
1665 ERR if the user (or his H(A1) hash) does not exists.
1666 See rfc 2616 for the definition of H(A1).
1667 "ERR" responses may optionally be followed by a error description
1668 available as %m in the returned error page.
1670 By default, the digest authentication scheme is not used unless a
1671 program is specified.
1673 If you want to use a digest authenticator, set this line to
1676 auth_param digest program @DEFAULT_PREFIX@/bin/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass
1678 "children" numberofchildren
1679 The number of authenticator processes to spawn (no default).
1680 If you start too few Squid will have to wait for them to
1681 process a backlog of H(A1) calculations, slowing it down.
1682 When the H(A1) calculations are done via a (slow) network
1683 you are likely to need lots of authenticator processes.
1684 auth_param digest children 5
1687 Specifies the realm name which is to be reported to the
1688 client for the digest proxy authentication scheme (part of
1689 the text the user will see when prompted their username and
1690 password). There is no default.
1691 auth_param digest realm Squid proxy-caching web server
1693 "nonce_garbage_interval" timeinterval
1694 Specifies the interval that nonces that have been issued
1695 to client_agent's are checked for validity.
1697 "nonce_max_duration" timeinterval
1698 Specifies the maximum length of time a given nonce will be
1701 "nonce_max_count" number
1702 Specifies the maximum number of times a given nonce can be
1705 "nonce_strictness" on|off
1706 Determines if squid requires strict increment-by-1 behavior
1707 for nonce counts, or just incrementing (off - for use when
1708 useragents generate nonce counts that occasionally miss 1
1709 (ie, 1,2,4,6)). Default off.
1711 "check_nonce_count" on|off
1712 This directive if set to off can disable the nonce count check
1713 completely to work around buggy digest qop implementations in
1714 certain mainstream browser versions. Default on to check the
1715 nonce count to protect from authentication replay attacks.
1717 "post_workaround" on|off
1718 This is a workaround to certain buggy browsers who sends
1719 an incorrect request digest in POST requests when reusing
1720 the same nonce as acquired earlier on a GET request.
1722 === NTLM scheme options follow ===
1725 Specify the command for the external NTLM authenticator.
1726 Such a program reads exchanged NTLMSSP packets with
1727 the browser via Squid until authentication is completed.
1728 If you use an NTLM authenticator, make sure you have 1 acl
1729 of type proxy_auth. By default, the NTLM authenticator_program
1732 auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
1734 "children" numberofchildren
1735 The number of authenticator processes to spawn (no default).
1736 If you start too few Squid will have to wait for them to
1737 process a backlog of credential verifications, slowing it
1738 down. When credential verifications are done via a (slow)
1739 network you are likely to need lots of authenticator
1742 auth_param ntlm children 5
1745 If you experience problems with PUT/POST requests when using the
1746 Negotiate authentication scheme then you can try setting this to
1747 off. This will cause Squid to forcibly close the connection on
1748 the initial requests where the browser asks which schemes are
1749 supported by the proxy.
1751 auth_param ntlm keep_alive on
1753 === Options for configuring the NEGOTIATE auth-scheme follow ===
1756 Specify the command for the external Negotiate authenticator.
1757 This protocol is used in Microsoft Active-Directory enabled setups with
1758 the Microsoft Internet Explorer or Mozilla Firefox browsers.
1759 Its main purpose is to exchange credentials with the Squid proxy
1760 using the Kerberos mechanisms.
1761 If you use a Negotiate authenticator, make sure you have at least one acl
1762 of type proxy_auth active. By default, the negotiate authenticator_program
1764 The only supported program for this role is the ntlm_auth
1765 program distributed as part of Samba, version 4 or later.
1767 auth_param negotiate program @DEFAULT_PREFIX@/bin/ntlm_auth --helper-protocol=gss-spnego
1769 "children" numberofchildren
1770 The number of authenticator processes to spawn (no default).
1771 If you start too few Squid will have to wait for them to
1772 process a backlog of credential verifications, slowing it
1773 down. When crendential verifications are done via a (slow)
1774 network you are likely to need lots of authenticator
1776 auth_param negotiate children 5
1779 If you experience problems with PUT/POST requests when using the
1780 Negotiate authentication scheme then you can try setting this to
1781 off. This will cause Squid to forcibly close the connection on
1782 the initial requests where the browser asks which schemes are
1783 supported by the proxy.
1785 auth_param negotiate keep_alive on
1788 #Recommended minimum configuration per scheme:
1789 #auth_param negotiate program <uncomment and complete this line to activate>
1790 #auth_param negotiate children 5
1791 #auth_param negotiate keep_alive on
1792 #auth_param ntlm program <uncomment and complete this line to activate>
1793 #auth_param ntlm children 5
1794 #auth_param ntlm keep_alive on
1795 #auth_param digest program <uncomment and complete this line>
1796 #auth_param digest children 5
1797 #auth_param digest realm Squid proxy-caching web server
1798 #auth_param digest nonce_garbage_interval 5 minutes
1799 #auth_param digest nonce_max_duration 30 minutes
1800 #auth_param digest nonce_max_count 50
1801 #auth_param basic program <uncomment and complete this line>
1802 #auth_param basic children 5
1803 #auth_param basic realm Squid proxy-caching web server
1804 #auth_param basic credentialsttl 2 hours
1808 NAME: authenticate_cache_garbage_interval
1811 LOC: Config.authenticateGCInterval
1813 The time period between garbage collection across the username cache.
1814 This is a tradeoff between memory utilization (long intervals - say
1815 2 days) and CPU (short intervals - say 1 minute). Only change if you
1816 have good reason to.
1819 NAME: authenticate_ttl
1822 LOC: Config.authenticateTTL
1824 The time a user & their credentials stay in the logged in
1825 user cache since their last request. When the garbage
1826 interval passes, all user credentials that have passed their
1827 TTL are removed from memory.
1830 NAME: authenticate_ip_ttl
1832 LOC: Config.authenticateIpTTL
1835 If you use proxy authentication and the 'max_user_ip' ACL,
1836 this directive controls how long Squid remembers the IP
1837 addresses associated with each user. Use a small value
1838 (e.g., 60 seconds) if your users might change addresses
1839 quickly, as is the case with dialups. You might be safe
1840 using a larger value (e.g., 2 hours) in a corporate LAN
1841 environment with relatively static address assignments.
1844 NAME: external_acl_type
1845 TYPE: externalAclHelper
1846 LOC: Config.externalAclHelperList
1849 This option defines external acl classes using a helper program
1850 to look up the status
1852 external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
1856 ttl=n TTL in seconds for cached results (defaults to 3600
1859 TTL for cached negative lookups (default same
1861 children=n Number of acl helper processes spawn to service
1862 external acl lookups of this type. (default 5)
1863 concurrency=n concurrency level per process. Only used with helpers
1864 capable of processing more than one query at a time.
1865 cache=n result cache size, 0 is unbounded (default)
1866 grace=n Percentage remaining of TTL where a refresh of a
1867 cached entry should be initiated without needing to
1868 wait for a new reply. (default 0 for no grace period)
1869 protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
1871 FORMAT specifications
1873 %LOGIN Authenticated user login name
1874 %EXT_USER Username from external acl
1875 %IDENT Ident user name
1877 %SRCPORT Client source port
1880 %PROTO Requested protocol
1881 %PORT Requested port
1882 %PATH Requested URL path
1883 %METHOD Request method
1884 %MYADDR Squid interface address
1885 %MYPORT Squid http_port number
1886 %PATH Requested URL-path (including query-string if any)
1887 %USER_CERT SSL User certificate in PEM format
1888 %USER_CERTCHAIN SSL User certificate chain in PEM format
1889 %USER_CERT_xx SSL User certificate subject attribute xx
1890 %USER_CA_xx SSL User certificate issuer attribute xx
1891 %{Header} HTTP request header
1892 %{Hdr:member} HTTP request header list member
1894 HTTP request header list member using ; as
1895 list separator. ; can be any non-alphanumeric
1898 In addition to the above, any string specified in the referencing
1899 acl will also be included in the helper request line, after the
1900 specified formats (see the "acl external" directive)
1902 The helper receives lines per the above format specification,
1903 and returns lines starting with OK or ERR indicating the validity
1904 of the request and optionally followed by additional keywords with
1907 General result syntax:
1909 OK/ERR keyword=value ...
1913 user= The users name (login)
1914 password= The users password (for login= cache_peer option)
1915 message= Message describing the reason. Available as %o
1917 tag= Apply a tag to a request (for both ERR and OK results)
1918 Only sets a tag, does not alter existing tags.
1919 log= String to be logged in access.log. Available as
1920 %ea in logformat specifications
1922 If protocol=3.0 (the default) then URL escaping is used to protect
1923 each value in both requests and responses.
1925 If using protocol=2.5 then all values need to be enclosed in quotes
1926 if they may contain whitespace, or the whitespace escaped using \.
1927 And quotes or \ characters within the keyword value must be \ escaped.
1929 When using the concurrency= option the protocol is changed by
1930 introducing a query channel tag infront of the request/response.
1931 The query channel tag is a number between 0 and concurrency-1.
1935 OPTIONS FOR TUNING THE CACHE
1936 -----------------------------------------------------------------------------
1939 NAME: request_header_max_size
1943 LOC: Config.maxRequestHeaderSize
1945 This specifies the maximum size for HTTP headers in a request.
1946 Request headers are usually relatively small (about 512 bytes).
1947 Placing a limit on the request header size will catch certain
1948 bugs (for example with persistent connections) and possibly
1949 buffer-overflow or denial-of-service attacks.
1952 NAME: request_body_max_size
1956 LOC: Config.maxRequestBodySize
1958 This specifies the maximum size for an HTTP request body.
1959 In other words, the maximum size of a PUT/POST request.
1960 A user who attempts to send a request with a body larger
1961 than this limit receives an "Invalid Request" error message.
1962 If you set this parameter to a zero (the default), there will
1963 be no limit imposed.
1966 NAME: refresh_pattern
1967 TYPE: refreshpattern
1971 usage: refresh_pattern [-i] regex min percent max [options]
1973 By default, regular expressions are CASE-SENSITIVE. To make
1974 them case-insensitive, use the -i option.
1976 'Min' is the time (in minutes) an object without an explicit
1977 expiry time should be considered fresh. The recommended
1978 value is 0, any higher values may cause dynamic applications
1979 to be erroneously cached unless the application designer
1980 has taken the appropriate actions.
1982 'Percent' is a percentage of the objects age (time since last
1983 modification age) an object without explicit expiry time
1984 will be considered fresh.
1986 'Max' is an upper limit on how long objects without an explicit
1987 expiry time will be considered fresh.
1989 options: override-expire
1999 override-expire enforces min age even if the server
2000 sent a Expires: header. Doing this VIOLATES the HTTP
2001 standard. Enabling this feature could make you liable
2002 for problems which it causes.
2004 override-lastmod enforces min age even on objects
2005 that were modified recently.
2007 reload-into-ims changes client no-cache or ``reload''
2008 to If-Modified-Since requests. Doing this VIOLATES the
2009 HTTP standard. Enabling this feature could make you
2010 liable for problems which it causes.
2012 ignore-reload ignores a client no-cache or ``reload''
2013 header. Doing this VIOLATES the HTTP standard. Enabling
2014 this feature could make you liable for problems which
2017 ignore-no-cache ignores any ``Pragma: no-cache'' and
2018 ``Cache-control: no-cache'' headers received from a server.
2019 The HTTP RFC never allows the use of this (Pragma) header
2020 from a server, only a client, though plenty of servers
2023 ignore-no-store ignores any ``Cache-control: no-store''
2024 headers received from a server. Doing this VIOLATES
2025 the HTTP standard. Enabling this feature could make you
2026 liable for problems which it causes.
2028 ignore-private ignores any ``Cache-control: private''
2029 headers received from a server. Doing this VIOLATES
2030 the HTTP standard. Enabling this feature could make you
2031 liable for problems which it causes.
2033 ignore-auth caches responses to requests with authorization,
2034 as if the originserver had sent ``Cache-control: public''
2035 in the response header. Doing this VIOLATES the HTTP standard.
2036 Enabling this feature could make you liable for problems which
2039 refresh-ims causes squid to contact the origin server
2040 when a client issues an If-Modified-Since request. This
2041 ensures that the client will receive an updated version
2042 if one is available.
2044 Basically a cached object is:
2046 FRESH if expires < now, else STALE
2048 FRESH if lm-factor < percent, else STALE
2052 The refresh_pattern lines are checked in the order listed here.
2053 The first entry which matches is used. If none of the entries
2054 match the default will be used.
2056 Note, you must uncomment all the default lines if you want
2057 to change one. The default setting is only active if none is
2062 refresh_pattern ^ftp: 1440 20% 10080
2063 refresh_pattern ^gopher: 1440 0% 1440
2064 refresh_pattern . 0 20% 4320
2068 NAME: quick_abort_min
2072 LOC: Config.quickAbort.min
2075 NAME: quick_abort_max
2079 LOC: Config.quickAbort.max
2082 NAME: quick_abort_pct
2086 LOC: Config.quickAbort.pct
2088 The cache by default continues downloading aborted requests
2089 which are almost completed (less than 16 KB remaining). This
2090 may be undesirable on slow (e.g. SLIP) links and/or very busy
2091 caches. Impatient users may tie up file descriptors and
2092 bandwidth by repeatedly requesting and immediately aborting
2095 When the user aborts a request, Squid will check the
2096 quick_abort values to the amount of data transfered until
2099 If the transfer has less than 'quick_abort_min' KB remaining,
2100 it will finish the retrieval.
2102 If the transfer has more than 'quick_abort_max' KB remaining,
2103 it will abort the retrieval.
2105 If more than 'quick_abort_pct' of the transfer has completed,
2106 it will finish the retrieval.
2108 If you do not want any retrieval to continue after the client
2109 has aborted, set both 'quick_abort_min' and 'quick_abort_max'
2112 If you want retrievals to always continue if they are being
2113 cached set 'quick_abort_min' to '-1 KB'.
2116 NAME: read_ahead_gap
2117 COMMENT: buffer-size
2119 LOC: Config.readAheadGap
2122 The amount of data the cache will buffer ahead of what has been
2123 sent to the client when retrieving an object from another server.
2129 LOC: Config.negativeTtl
2132 Time-to-Live (TTL) for failed requests. Certain types of
2133 failures (such as "connection refused" and "404 Not Found") are
2134 negatively-cached for a configurable amount of time. The
2135 default is 5 minutes. Note that this is different from
2136 negative caching of DNS lookups.
2139 NAME: positive_dns_ttl
2142 LOC: Config.positiveDnsTtl
2145 Upper limit on how long Squid will cache positive DNS responses.
2146 Default is 6 hours (360 minutes). This directive must be set
2147 larger than negative_dns_ttl.
2150 NAME: negative_dns_ttl
2153 LOC: Config.negativeDnsTtl
2156 Time-to-Live (TTL) for negative caching of failed DNS lookups.
2157 This also sets the lower cache limit on positive lookups.
2158 Minimum value is 1 second, and it is not recommendable to go
2159 much below 10 seconds.
2162 NAME: range_offset_limit
2165 LOC: Config.rangeOffsetLimit
2168 Sets a upper limit on how far into the the file a Range request
2169 may be to cause Squid to prefetch the whole file. If beyond this
2170 limit Squid forwards the Range request as it is and the result
2173 This is to stop a far ahead range request (lets say start at 17MB)
2174 from making Squid fetch the whole object up to that point before
2175 sending anything to the client.
2177 A value of -1 causes Squid to always fetch the object from the
2178 beginning so it may cache the result. (2.0 style)
2180 A value of 0 causes Squid to never fetch more than the
2181 client requested. (default)
2184 NAME: minimum_expiry_time
2187 LOC: Config.minimum_expiry_time
2190 The minimum caching time according to (Expires - Date)
2191 Headers Squid honors if the object can't be revalidated
2192 defaults to 60 seconds. In reverse proxy enorinments it
2193 might be desirable to honor shorter object lifetimes. It
2194 is most likely better to make your server return a
2195 meaningful Last-Modified header however. In ESI environments
2196 where page fragments often have short lifetimes, this will
2197 often be best set to 0.
2200 NAME: store_avg_object_size
2204 LOC: Config.Store.avgObjectSize
2206 Average object size, used to estimate number of objects your
2207 cache can hold. The default is 13 KB.
2210 NAME: store_objects_per_bucket
2213 LOC: Config.Store.objectsPerBucket
2215 Target number of objects per bucket in the store hash table.
2216 Lowering this value increases the total number of buckets and
2217 also the storage maintenance rate. The default is 20.
2222 -----------------------------------------------------------------------------
2228 LOC: Config.accessList.brokenPosts
2230 A list of ACL elements which, if matched, causes Squid to send
2231 an extra CRLF pair after the body of a PUT/POST request.
2233 Some HTTP servers has broken implementations of PUT/POST,
2234 and rely on an extra CRLF pair sent by some WWW clients.
2236 Quote from RFC2616 section 4.1 on this matter:
2238 Note: certain buggy HTTP/1.0 client implementations generate an
2239 extra CRLF's after a POST request. To restate what is explicitly
2240 forbidden by the BNF, an HTTP/1.1 client must not preface or follow
2241 a request with an extra CRLF.
2244 acl buggy_server url_regex ^http://....
2245 broken_posts allow buggy_server
2249 IFDEF: HTTP_VIOLATIONS
2253 LOC: Config.onoff.via
2255 If set (default), Squid will include a Via header in requests and
2256 replies as required by RFC2616.
2262 LOC: Config.onoff.ie_refresh
2265 Microsoft Internet Explorer up until version 5.5 Service
2266 Pack 1 has an issue with transparent proxies, wherein it
2267 is impossible to force a refresh. Turning this on provides
2268 a partial fix to the problem, by causing all IMS-REFRESH
2269 requests from older IE versions to check the origin server
2270 for fresh content. This reduces hit ratio by some amount
2271 (~10% in my experience), but allows users to actually get
2272 fresh content when they want it. Note because Squid
2273 cannot tell if the user is using 5.5 or 5.5SP1, the behavior
2274 of 5.5 is unchanged from old versions of Squid (i.e. a
2275 forced refresh is impossible). Newer versions of IE will,
2276 hopefully, continue to have the new behavior and will be
2277 handled based on that assumption. This option defaults to
2278 the old Squid behavior, which is better for hit ratios but
2279 worse for clients using IE, if they need to be able to
2280 force fresh content.
2283 NAME: vary_ignore_expire
2286 LOC: Config.onoff.vary_ignore_expire
2289 Many HTTP servers supporting Vary gives such objects
2290 immediate expiry time with no cache-control header
2291 when requested by a HTTP/1.0 client. This option
2292 enables Squid to ignore such expiry times until
2293 HTTP/1.1 is fully implemented.
2294 WARNING: This may eventually cause some varying
2295 objects not intended for caching to get cached.
2298 NAME: extension_methods
2300 LOC: Config.ext_methods
2303 Squid only knows about standardized HTTP request methods.
2304 You can add up to 20 additional "extension" methods here.
2307 NAME: request_entities
2309 LOC: Config.onoff.request_entities
2312 Squid defaults to deny GET and HEAD requests with request entities,
2313 as the meaning of such requests are undefined in the HTTP standard
2314 even if not explicitly forbidden.
2316 Set this directive to on if you have clients which insists
2317 on sending request entities in GET or HEAD requests. But be warned
2318 that there is server software (both proxies and web servers) which
2319 can fail to properly process this kind of request which may make you
2320 vulnerable to cache pollution attacks if enabled.
2323 NAME: request_header_access
2324 IFDEF: HTTP_VIOLATIONS
2325 TYPE: http_header_access[]
2326 LOC: Config.request_header_access
2329 Usage: request_header_access header_name allow|deny [!]aclname ...
2331 WARNING: Doing this VIOLATES the HTTP standard. Enabling
2332 this feature could make you liable for problems which it
2335 This option replaces the old 'anonymize_headers' and the
2336 older 'http_anonymizer' option with something that is much
2337 more configurable. This new method creates a list of ACLs
2338 for each header, allowing you very fine-tuned header
2341 This option only applies to request headers, i.e., from the
2342 client to the server.
2344 You can only specify known headers for the header name.
2345 Other headers are reclassified as 'Other'. You can also
2346 refer to all the headers with 'All'.
2348 For example, to achieve the same behavior as the old
2349 'http_anonymizer standard' option, you should use:
2351 request_header_access From deny all
2352 request_header_access Referer deny all
2353 request_header_access Server deny all
2354 request_header_access User-Agent deny all
2355 request_header_access WWW-Authenticate deny all
2356 request_header_access Link deny all
2358 Or, to reproduce the old 'http_anonymizer paranoid' feature
2361 request_header_access Allow allow all
2362 request_header_access Authorization allow all
2363 request_header_access WWW-Authenticate allow all
2364 request_header_access Proxy-Authorization allow all
2365 request_header_access Proxy-Authenticate allow all
2366 request_header_access Cache-Control allow all
2367 request_header_access Content-Encoding allow all
2368 request_header_access Content-Length allow all
2369 request_header_access Content-Type allow all
2370 request_header_access Date allow all
2371 request_header_access Expires allow all
2372 request_header_access Host allow all
2373 request_header_access If-Modified-Since allow all
2374 request_header_access Last-Modified allow all
2375 request_header_access Location allow all
2376 request_header_access Pragma allow all
2377 request_header_access Accept allow all
2378 request_header_access Accept-Charset allow all
2379 request_header_access Accept-Encoding allow all
2380 request_header_access Accept-Language allow all
2381 request_header_access Content-Language allow all
2382 request_header_access Mime-Version allow all
2383 request_header_access Retry-After allow all
2384 request_header_access Title allow all
2385 request_header_access Connection allow all
2386 request_header_access Proxy-Connection allow all
2387 request_header_access All deny all
2389 although many of those are HTTP reply headers, and so should be
2390 controlled with the reply_header_access directive.
2392 By default, all headers are allowed (no anonymizing is
2396 NAME: reply_header_access
2397 IFDEF: HTTP_VIOLATIONS
2398 TYPE: http_header_access[]
2399 LOC: Config.reply_header_access
2402 Usage: reply_header_access header_name allow|deny [!]aclname ...
2404 WARNING: Doing this VIOLATES the HTTP standard. Enabling
2405 this feature could make you liable for problems which it
2408 This option only applies to reply headers, i.e., from the
2409 server to the client.
2411 This is the same as request_header_access, but in the other
2414 This option replaces the old 'anonymize_headers' and the
2415 older 'http_anonymizer' option with something that is much
2416 more configurable. This new method creates a list of ACLs
2417 for each header, allowing you very fine-tuned header
2420 You can only specify known headers for the header name.
2421 Other headers are reclassified as 'Other'. You can also
2422 refer to all the headers with 'All'.
2424 For example, to achieve the same behavior as the old
2425 'http_anonymizer standard' option, you should use:
2427 reply_header_access From deny all
2428 reply_header_access Referer deny all
2429 reply_header_access Server deny all
2430 reply_header_access User-Agent deny all
2431 reply_header_access WWW-Authenticate deny all
2432 reply_header_access Link deny all
2434 Or, to reproduce the old 'http_anonymizer paranoid' feature
2437 reply_header_access Allow allow all
2438 reply_header_access Authorization allow all
2439 reply_header_access WWW-Authenticate allow all
2440 reply_header_access Proxy-Authorization allow all
2441 reply_header_access Proxy-Authenticate allow all
2442 reply_header_access Cache-Control allow all
2443 reply_header_access Content-Encoding allow all
2444 reply_header_access Content-Length allow all
2445 reply_header_access Content-Type allow all
2446 reply_header_access Date allow all
2447 reply_header_access Expires allow all
2448 reply_header_access Host allow all
2449 reply_header_access If-Modified-Since allow all
2450 reply_header_access Last-Modified allow all
2451 reply_header_access Location allow all
2452 reply_header_access Pragma allow all
2453 reply_header_access Accept allow all
2454 reply_header_access Accept-Charset allow all
2455 reply_header_access Accept-Encoding allow all
2456 reply_header_access Accept-Language allow all
2457 reply_header_access Content-Language allow all
2458 reply_header_access Mime-Version allow all
2459 reply_header_access Retry-After allow all
2460 reply_header_access Title allow all
2461 reply_header_access Connection allow all
2462 reply_header_access Proxy-Connection allow all
2463 reply_header_access All deny all
2465 although the HTTP request headers won't be usefully controlled
2466 by this directive -- see request_header_access for details.
2468 By default, all headers are allowed (no anonymizing is
2472 NAME: header_replace
2473 IFDEF: HTTP_VIOLATIONS
2474 TYPE: http_header_replace[]
2475 LOC: Config.request_header_access
2478 Usage: header_replace header_name message
2479 Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
2481 This option allows you to change the contents of headers
2482 denied with header_access above, by replacing them with
2483 some fixed string. This replaces the old fake_user_agent
2486 This only applies to request headers, not reply headers.
2488 By default, headers are removed if denied.
2491 NAME: relaxed_header_parser
2492 COMMENT: on|off|warn
2494 LOC: Config.onoff.relaxed_header_parser
2497 In the default "on" setting Squid accepts certain forms
2498 of non-compliant HTTP messages where it is unambiguous
2499 what the sending application intended even if the message
2500 is not correctly formatted. The messages is then normalized
2501 to the correct form when forwarded by Squid.
2503 If set to "warn" then a warning will be emitted in cache.log
2504 each time such HTTP error is encountered.
2506 If set to "off" then such HTTP errors will cause the request
2507 or response to be rejected.
2512 -----------------------------------------------------------------------------
2515 NAME: forward_timeout
2518 LOC: Config.Timeout.forward
2521 This parameter specifies how long Squid should at most attempt in
2522 finding a forwarding path for the request before giving up.
2525 NAME: connect_timeout
2528 LOC: Config.Timeout.connect
2531 This parameter specifies how long to wait for the TCP connect to
2532 the requested server or peer to complete before Squid should
2533 attempt to find another path where to forward the request.
2536 NAME: peer_connect_timeout
2539 LOC: Config.Timeout.peer_connect
2542 This parameter specifies how long to wait for a pending TCP
2543 connection to a peer cache. The default is 30 seconds. You
2544 may also set different timeout values for individual neighbors
2545 with the 'connect-timeout' option on a 'cache_peer' line.
2551 LOC: Config.Timeout.read
2554 The read_timeout is applied on server-side connections. After
2555 each successful read(), the timeout will be extended by this
2556 amount. If no data is read again after this amount of time,
2557 the request is aborted and logged with ERR_READ_TIMEOUT. The
2558 default is 15 minutes.
2561 NAME: request_timeout
2563 LOC: Config.Timeout.request
2566 How long to wait for an HTTP request after initial
2567 connection establishment.
2570 NAME: persistent_request_timeout
2572 LOC: Config.Timeout.persistent_request
2575 How long to wait for the next HTTP request on a persistent
2576 connection after the previous request completes.
2579 NAME: client_lifetime
2582 LOC: Config.Timeout.lifetime
2585 The maximum amount of time a client (browser) is allowed to
2586 remain connected to the cache process. This protects the Cache
2587 from having a lot of sockets (and hence file descriptors) tied up
2588 in a CLOSE_WAIT state from remote clients that go away without
2589 properly shutting down (either because of a network failure or
2590 because of a poor client implementation). The default is one
2593 NOTE: The default value is intended to be much larger than any
2594 client would ever need to be connected to your cache. You
2595 should probably change client_lifetime only as a last resort.
2596 If you seem to have many client connections tying up
2597 filedescriptors, we recommend first tuning the read_timeout,
2598 request_timeout, persistent_request_timeout and quick_abort values.
2601 NAME: half_closed_clients
2603 LOC: Config.onoff.half_closed_clients
2606 Some clients may shutdown the sending side of their TCP
2607 connections, while leaving their receiving sides open. Sometimes,
2608 Squid can not tell the difference between a half-closed and a
2609 fully-closed TCP connection. By default, half-closed client
2610 connections are kept open until a read(2) or write(2) on the
2611 socket returns an error. Change this option to 'off' and Squid
2612 will immediately close client connections when read(2) returns
2613 "no more data to read."
2618 LOC: Config.Timeout.pconn
2619 DEFAULT: 120 seconds
2621 Timeout for idle persistent connections to servers and other
2628 LOC: Config.Timeout.ident
2631 Maximum time to wait for IDENT lookups to complete.
2633 If this is too high, and you enabled IDENT lookups from untrusted
2634 users, you might be susceptible to denial-of-service by having
2635 many ident requests going at once.
2638 NAME: shutdown_lifetime
2641 LOC: Config.shutdownLifetime
2644 When SIGTERM or SIGHUP is received, the cache is put into
2645 "shutdown pending" mode until all active sockets are closed.
2646 This value is the lifetime to set for all open descriptors
2647 during shutdown mode. Any active clients after this many
2648 seconds will receive a 'timeout' message.
2653 -----------------------------------------------------------------------------
2661 Defining an Access List
2663 acl aclname acltype string1 ...
2664 acl aclname acltype "file" ...
2666 when using "file", the file should contain one item per line
2668 acltype is one of the types described below
2670 By default, regular expressions are CASE-SENSITIVE. To make
2671 them case-insensitive, use the -i option.
2673 acl aclname src ip-address/netmask ... (clients IP address)
2674 acl aclname src addr1-addr2/netmask ... (range of addresses)
2675 acl aclname dst ip-address/netmask ... (URL host's IP address)
2676 acl aclname myip ip-address/netmask ... (local socket IP address)
2678 acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
2679 # The arp ACL requires the special configure option --enable-arp-acl.
2680 # Furthermore, the ARP ACL code is not portable to all operating systems.
2681 # It works on Linux, Solaris, Windows, FreeBSD, and some other *BSD variants.
2683 # NOTE: Squid can only determine the MAC address for clients that are on
2684 # the same subnet. If the client is on a different subnet, then Squid cannot
2685 # find out its MAC address.
2687 acl aclname srcdomain .foo.com ... # reverse lookup, client IP
2688 acl aclname dstdomain .foo.com ... # Destination server from URL
2689 acl aclname srcdom_regex [-i] xxx ... # regex matching client name
2690 acl aclname dstdom_regex [-i] xxx ... # regex matching server
2691 # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
2692 # based URL is used and no match is found. The name "none" is used
2693 # if the reverse lookup fails.
2695 acl aclname http_status 200 301 500- 400-403 ... # status code in reply
2697 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
2706 h1:m1 must be less than h2:m2
2707 acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
2708 acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
2709 acl aclname port 80 70 21 ...
2710 acl aclname port 0-1024 ... # ranges allowed
2711 acl aclname myport 3128 ... # (local socket TCP port)
2712 acl aclname proto HTTP FTP ...
2713 acl aclname method GET POST ...
2714 acl aclname browser [-i] regexp ...
2715 # pattern match on User-Agent header (see also req_header below)
2716 acl aclname referer_regex [-i] regexp ...
2717 # pattern match on Referer header
2718 # Referer is highly unreliable, so use with care
2719 acl aclname ident username ...
2720 acl aclname ident_regex [-i] pattern ...
2721 # string match on ident output.
2722 # use REQUIRED to accept any non-null ident.
2723 acl aclname src_as number ...
2724 acl aclname dst_as number ...
2725 # Except for access control, AS numbers can be used for
2726 # routing of requests to specific caches. Here's an
2727 # example for routing all requests for AS#1241 and only
2728 # those to mycache.mydomain.net:
2729 # acl asexample dst_as 1241
2730 # cache_peer_access mycache.mydomain.net allow asexample
2731 # cache_peer_access mycache_mydomain.net deny all
2733 acl aclname proxy_auth [-i] username ...
2734 acl aclname proxy_auth_regex [-i] pattern ...
2735 # list of valid usernames
2736 # use REQUIRED to accept any valid username.
2738 # NOTE: when a Proxy-Authentication header is sent but it is not
2739 # needed during ACL checking the username is NOT logged
2742 # NOTE: proxy_auth requires a EXTERNAL authentication program
2743 # to check username/password combinations (see
2744 # auth_param directive).
2746 # NOTE: proxy_auth can't be used in a transparent proxy as
2747 # the browser needs to be configured for using a proxy in order
2748 # to respond to proxy authentication.
2750 acl aclname snmp_community string ...
2751 # A community string to limit access to your SNMP Agent
2754 # acl snmppublic snmp_community public
2756 acl aclname maxconn number
2757 # This will be matched when the client's IP address has
2758 # more than <number> HTTP connections established.
2760 acl aclname max_user_ip [-s] number
2761 # This will be matched when the user attempts to log in from more
2762 # than <number> different ip addresses. The authenticate_ip_ttl
2763 # parameter controls the timeout on the ip entries.
2764 # If -s is specified the limit is strict, denying browsing
2765 # from any further IP addresses until the ttl has expired. Without
2766 # -s Squid will just annoy the user by "randomly" denying requests.
2767 # (the counter is reset each time the limit is reached and a
2768 # request is denied)
2769 # NOTE: in acceleration mode or where there is mesh of child proxies,
2770 # clients may appear to come from multiple addresses if they are
2771 # going through proxy farms, so a limit of 1 may cause user problems.
2773 acl aclname rep_mime_type mime-type1 ...
2774 # regex match against the mime type of the reply received by
2775 # squid. Can be used to detect file download or some
2776 # types HTTP tunneling requests.
2777 # NOTE: This has no effect in http_access rules. It only has
2778 # effect in rules that affect the reply data stream such as
2779 # http_reply_access.
2781 acl aclname rep_header header-name [-i] any\.regex\.here
2782 # regex match against any of the known reply headers. May be
2783 # thought of as a superset of "browser", "referer" and "mime-type"
2786 acl aclname req_mime_type mime-type1 ...
2787 # regex match against the mime type of the request generated
2788 # by the client. Can be used to detect file upload or some
2789 # types HTTP tunneling requests.
2790 # NOTE: This does NOT match the reply. You cannot use this
2791 # to match the returned file type.
2793 acl aclname req_header header-name [-i] any\.regex\.here
2794 # regex match against any of the known request headers. May be
2795 # thought of as a superset of "browser", "referer" and "mime-type"
2798 acl acl_name external class_name [arguments...]
2799 # external ACL lookup via a helper class defined by the
2800 # external_acl_type directive.
2802 acl aclname user_cert attribute values...
2803 # match against attributes in a user SSL certificate
2804 # attribute is one of DN/C/O/CN/L/ST
2806 acl aclname ca_cert attribute values...
2807 # match against attributes a users issuing CA SSL certificate
2808 # attribute is one of DN/C/O/CN/L/ST
2810 acl aclname ext_user username ...
2811 acl aclname ext_user_regex [-i] pattern ...
2812 # string match on username returned by external acl helper
2813 # use REQUIRED to accept any non-null user name.
2816 acl macaddress arp 09:00:2b:23:45:67
2817 acl myexample dst_as 1241
2818 acl password proxy_auth REQUIRED
2819 acl fileupload req_mime_type -i ^multipart/form-data$
2820 acl javascript rep_mime_type -i ^application/x-javascript$
2823 #Recommended minimum configuration:
2824 acl all src 0.0.0.0/0.0.0.0
2825 acl manager proto cache_object
2826 acl localhost src 127.0.0.1/255.255.255.255
2827 acl to_localhost dst 127.0.0.0/8
2828 acl SSL_ports port 443
2829 acl Safe_ports port 80 # http
2830 acl Safe_ports port 21 # ftp
2831 acl Safe_ports port 443 # https
2832 acl Safe_ports port 70 # gopher
2833 acl Safe_ports port 210 # wais
2834 acl Safe_ports port 1025-65535 # unregistered ports
2835 acl Safe_ports port 280 # http-mgmt
2836 acl Safe_ports port 488 # gss-http
2837 acl Safe_ports port 591 # filemaker
2838 acl Safe_ports port 777 # multiling http
2839 acl CONNECT method CONNECT
2845 LOC: Config.accessList.http
2847 DEFAULT_IF_NONE: deny all
2849 Allowing or Denying access based on defined access lists
2851 Access to the HTTP port:
2852 http_access allow|deny [!]aclname ...
2854 NOTE on default values:
2856 If there are no "access" lines present, the default is to deny
2859 If none of the "access" lines cause a match, the default is the
2860 opposite of the last line in the list. If the last line was
2861 deny, the default is allow. Conversely, if the last line
2862 is allow, the default will be deny. For these reasons, it is a
2863 good idea to have an "deny all" or "allow all" entry at the end
2864 of your access lists to avoid potential confusion.
2867 #Recommended minimum configuration:
2869 # Only allow cachemgr access from localhost
2870 http_access allow manager localhost
2871 http_access deny manager
2872 # Deny requests to unknown ports
2873 http_access deny !Safe_ports
2874 # Deny CONNECT to other than SSL ports
2875 http_access deny CONNECT !SSL_ports
2877 # We strongly recommend the following be uncommented to protect innocent
2878 # web applications running on the proxy server who think the only
2879 # one who can access services on "localhost" is a local user
2880 #http_access deny to_localhost
2882 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
2884 # Example rule allowing access from your local networks. Adapt
2885 # to list your (internal) IP networks from where browsing should
2887 #acl our_networks src 192.168.1.0/24 192.168.2.0/24
2888 #http_access allow our_networks
2890 # And finally deny all other access to this proxy
2891 http_access deny all
2895 NAME: http_reply_access
2897 LOC: Config.accessList.reply
2899 DEFAULT_IF_NONE: allow all
2901 Allow replies to client requests. This is complementary to http_access.
2903 http_reply_access allow|deny [!] aclname ...
2905 NOTE: if there are no access lines present, the default is to allow
2908 If none of the access lines cause a match the opposite of the
2909 last line will apply. Thus it is good practice to end the rules
2910 with an "allow all" or "deny all" entry.
2915 LOC: Config.accessList.icp
2917 DEFAULT_IF_NONE: deny all
2919 Allowing or Denying access to the ICP port based on defined
2922 icp_access allow|deny [!]aclname ...
2924 See http_access for details
2927 #Allow ICP queries from everyone
2928 icp_access allow all
2935 LOC: Config.accessList.htcp
2937 DEFAULT_IF_NONE: deny all
2939 Allowing or Denying access to the HTCP port based on defined
2942 htcp_access allow|deny [!]aclname ...
2944 See http_access for details
2946 #Allow HTCP queries from everyone
2947 htcp_access allow all
2950 NAME: htcp_clr_access
2953 LOC: Config.accessList.htcp_clr
2955 DEFAULT_IF_NONE: deny all
2957 Allowing or Denying access to purge content using HTCP based
2958 on defined access lists
2960 htcp_clr_access allow|deny [!]aclname ...
2962 See http_access for details
2964 #Allow HTCP CLR requests from trusted peers
2965 acl htcp_clr_peer src 172.16.1.2
2966 htcp_clr_access allow htcp_clr_peer
2971 LOC: Config.accessList.miss
2974 Use to force your neighbors to use you as a sibling instead of
2975 a parent. For example:
2977 acl localclients src 172.16.0.0/16
2978 miss_access allow localclients
2979 miss_access deny !localclients
2981 This means only your local clients are allowed to fetch
2982 MISSES and all other clients can only fetch HITS.
2984 By default, allow all clients who passed the http_access rules
2985 to fetch MISSES from us.
2989 # miss_access allow all
2993 NAME: cache_peer_access
2998 Similar to 'cache_peer_domain' but provides more flexibility by
3001 cache_peer_access cache-host allow|deny [!]aclname ...
3003 The syntax is identical to 'http_access' and the other lists of
3004 ACL elements. See the comments for 'http_access' below, or
3005 the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
3008 NAME: ident_lookup_access
3012 DEFAULT_IF_NONE: deny all
3013 LOC: Config.accessList.identLookup
3015 A list of ACL elements which, if matched, cause an ident
3016 (RFC 931) lookup to be performed for this request. For
3017 example, you might choose to always perform ident lookups
3018 for your main multi-user Unix boxes, but not for your Macs
3019 and PCs. By default, ident lookups are not performed for
3022 To enable ident lookups for specific client addresses, you
3023 can follow this example:
3025 acl ident_aware_hosts src 198.168.1.0/255.255.255.0
3026 ident_lookup_access allow ident_aware_hosts
3027 ident_lookup_access deny all
3029 Only src type ACL checks are fully supported. A src_domain
3030 ACL might work at times, but it will not always provide
3034 NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
3037 LOC: Config.accessList.outgoing_tos
3039 Allows you to select a TOS/Diffserv value to mark outgoing
3040 connections with, based on the username or source address
3043 tcp_outgoing_tos ds-field [!]aclname ...
3045 Example where normal_service_net uses the TOS value 0x00
3046 and normal_service_net uses 0x20
3048 acl normal_service_net src 10.0.0.0/255.255.255.0
3049 acl good_service_net src 10.0.1.0/255.255.255.0
3050 tcp_outgoing_tos 0x00 normal_service_net 0x00
3051 tcp_outgoing_tos 0x20 good_service_net
3053 TOS/DSCP values really only have local significance - so you should
3054 know what you're specifying. For more information, see RFC2474 and
3057 The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
3058 "default" to use whatever default your host has. Note that in
3059 practice often only values 0 - 63 is usable as the two highest bits
3060 have been redefined for use by ECN (RFC3168).
3062 Processing proceeds in the order specified, and stops at first fully
3065 Note: The use of this directive using client dependent ACLs is
3066 incompatible with the use of server side persistent connections. To
3067 ensure correct results it is best to set server_persisten_connections
3068 to off when using this directive in such configurations.
3071 NAME: clientside_tos
3074 LOC: Config.accessList.clientside_tos
3076 Allows you to select a TOS/Diffserv value to mark client-side
3077 connections with, based on the username or source address
3081 NAME: tcp_outgoing_address
3084 LOC: Config.accessList.outgoing_address
3086 Allows you to map requests to different outgoing IP addresses
3087 based on the username or source address of the user making
3090 tcp_outgoing_address ipaddr [[!]aclname] ...
3092 Example where requests from 10.0.0.0/24 will be forwarded
3093 with source address 10.1.0.1, 10.0.2.0/24 forwarded with
3094 source address 10.1.0.2 and the rest will be forwarded with
3095 source address 10.1.0.3.
3097 acl normal_service_net src 10.0.0.0/255.255.255.0
3098 acl good_service_net src 10.0.1.0/255.255.255.0
3099 tcp_outgoing_address 10.0.0.1 normal_service_net
3100 tcp_outgoing_address 10.0.0.2 good_service_net
3101 tcp_outgoing_address 10.0.0.3
3103 Processing proceeds in the order specified, and stops at first fully
3106 Note: The use of this directive using client dependent ACLs is
3107 incompatible with the use of server side persistent connections. To
3108 ensure correct results it is best to set server_persistent_connections
3109 to off when using this directive in such configurations.
3112 NAME: reply_header_max_size
3116 LOC: Config.maxReplyHeaderSize
3118 This specifies the maximum size for HTTP headers in a reply.
3119 Reply headers are usually relatively small (about 512 bytes).
3120 Placing a limit on the reply header size will catch certain
3121 bugs (for example with persistent connections) and possibly
3122 buffer-overflow or denial-of-service attacks.
3125 NAME: reply_body_max_size
3126 COMMENT: size [acl acl...]
3129 LOC: Config.ReplyBodySize
3131 This option specifies the maximum size of a reply body. It can be
3132 used to prevent users from downloading very large files, such as
3133 MP3's and movies. When the reply headers are received, the
3134 reply_body_max_size lines are processed, and the first line where
3135 all (if any) listed ACLs are true is used as the maximum body size
3138 This size is checked twice. First when we get the reply headers,
3139 we check the content-length value. If the content length value exists
3140 and is larger than the allowed size, the request is denied and the
3141 user receives an error message that says "the request or reply
3142 is too large." If there is no content-length, and the reply
3143 size exceeds this limit, the client's connection is just closed
3144 and they will receive a partial reply.
3146 WARNING: downstream caches probably can not detect a partial reply
3147 if there is no content-length header, so they will cache
3148 partial responses and give them out as hits. You should NOT
3149 use this option if you have downstream caches.
3151 WARNING: A maximum size smaller than the size of squid's error messages
3152 will cause an infinite loop and crash squid. Ensure that the smallest
3153 non-zero value you use is greater that the maximum header size plus
3154 the size of your largest error page.
3156 If you set this parameter none (the default), there will be
3162 LOC: Config.accessList.log
3164 COMMENT: allow|deny acl acl...
3166 This options allows you to control which requests gets logged
3167 to access.log (see access_log directive). Requests denied for
3168 logging will also not be accounted for in performance counters.
3172 ADMINISTRATIVE PARAMETERS
3173 -----------------------------------------------------------------------------
3179 LOC: Config.adminEmail
3181 Email-address of local cache manager who will receive
3182 mail if the cache dies. The default is "webmaster."
3188 LOC: Config.EmailFrom
3190 From: email-address for mail sent when the cache dies.
3191 The default is to use 'appname@unique_hostname'.
3192 Default appname value is "squid", can be changed into
3193 src/globals.h before building squid.
3199 LOC: Config.EmailProgram
3201 Email program used to send mail if the cache dies.
3202 The default is "mail". The specified program must complain
3203 with the standard Unix mail syntax:
3204 mail_program recipient < mailfile
3205 Optional command line options can be specified.
3208 NAME: cache_effective_user
3211 LOC: Config.effectiveUser
3213 If you start Squid as root, it will change its effective/real
3214 UID/GID to the user specified below. The default is to change
3215 to UID to nobody. If you define cache_effective_user, but not
3216 cache_effective_group, Squid sets the GID to the effective
3217 user's default group ID (taken from the password file) and
3218 supplementary group list from the from groups membership of
3219 cache_effective_user.
3222 NAME: cache_effective_group
3225 LOC: Config.effectiveGroup
3227 If you want Squid to run with a specific GID regardless of
3228 the group memberships of the effective user then set this
3229 to the group (or GID) you want Squid to run as. When set
3230 all other group privileges of the effective user is ignored
3231 and only this GID is effective. If Squid is not started as
3232 root the user starting Squid must be member of the specified
3236 NAME: httpd_suppress_version_string
3240 LOC: Config.onoff.httpd_suppress_version_string
3242 Suppress Squid version string info in HTTP headers and HTML error pages.
3245 NAME: visible_hostname
3247 LOC: Config.visibleHostname
3250 If you want to present a special hostname in error messages, etc,
3251 define this. Otherwise, the return value of gethostname()
3252 will be used. If you have multiple caches in a cluster and
3253 get errors about IP-forwarding you must set them to have individual
3254 names with this setting.
3257 NAME: unique_hostname
3259 LOC: Config.uniqueHostname
3262 If you want to have multiple machines with the same
3263 'visible_hostname' you must give each machine a different
3264 'unique_hostname' so forwarding loops can be detected.
3267 NAME: hostname_aliases
3269 LOC: Config.hostnameAliases
3272 A list of other DNS names your cache has.
3276 OPTIONS FOR THE CACHE REGISTRATION SERVICE
3277 -----------------------------------------------------------------------------
3279 This section contains parameters for the (optional) cache
3280 announcement service. This service is provided to help
3281 cache administrators locate one another in order to join or
3282 create cache hierarchies.
3284 An 'announcement' message is sent (via UDP) to the registration
3285 service by Squid. By default, the announcement message is NOT
3286 SENT unless you enable it with 'announce_period' below.
3288 The announcement message includes your hostname, plus the
3289 following information from this configuration file:
3295 All current information is processed regularly and made
3296 available on the Web at http://www.ircache.net/Cache/Tracker/.
3299 NAME: announce_period
3301 LOC: Config.Announce.period
3304 This is how frequently to send cache announcements. The
3305 default is `0' which disables sending the announcement
3308 To enable announcing your cache, just uncomment the line
3312 #To enable announcing your cache, just uncomment the line below.
3313 #announce_period 1 day
3319 DEFAULT: tracker.ircache.net
3320 LOC: Config.Announce.host
3326 LOC: Config.Announce.file
3332 LOC: Config.Announce.port
3334 announce_host and announce_port set the hostname and port
3335 number where the registration message will be sent.
3337 Hostname will default to 'tracker.ircache.net' and port will
3338 default default to 3131. If the 'filename' argument is given,
3339 the contents of that file will be included in the announce
3344 HTTPD-ACCELERATOR OPTIONS
3345 -----------------------------------------------------------------------------
3348 NAME: httpd_accel_surrogate_id
3351 LOC: Config.Accel.surrogate_id
3354 Surrogates (http://www.esi.org/architecture_spec_1.0.html)
3355 need an identification token to allow control targeting. Because
3356 a farm of surrogates may all perform the same tasks, they may share
3357 an identification token.
3360 NAME: http_accel_surrogate_remote
3365 LOC: Config.onoff.surrogate_is_remote
3367 Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
3368 Set this to on to have squid behave as a remote surrogate.
3373 COMMENT: libxml2|expat|custom
3375 LOC: ESIParser::Type
3378 ESI markup is not strictly XML compatible. The custom ESI parser
3379 will give higher performance, but cannot handle non ASCII character
3384 DELAY POOL PARAMETERS
3385 -----------------------------------------------------------------------------
3389 TYPE: delay_pool_count
3394 This represents the number of delay pools to be used. For example,
3395 if you have one class 2 delay pool and one class 3 delays pool, you
3396 have a total of 2 delay pools.
3400 TYPE: delay_pool_class
3405 This defines the class of each delay pool. There must be exactly one
3406 delay_class line for each delay pool. For example, to define two
3407 delay pools, one of class 2 and one of class 3, the settings above
3411 delay_pools 4 # 4 delay pools
3412 delay_class 1 2 # pool 1 is a class 2 pool
3413 delay_class 2 3 # pool 2 is a class 3 pool
3414 delay_class 3 4 # pool 3 is a class 4 pool
3415 delay_class 4 5 # pool 4 is a class 5 pool
3417 The delay pool classes are:
3419 class 1 Everything is limited by a single aggregate
3422 class 2 Everything is limited by a single aggregate
3423 bucket as well as an "individual" bucket chosen
3424 from bits 25 through 32 of the IP address.
3426 class 3 Everything is limited by a single aggregate
3427 bucket as well as a "network" bucket chosen
3428 from bits 17 through 24 of the IP address and a
3429 "individual" bucket chosen from bits 17 through
3430 32 of the IP address.
3432 class 4 Everything in a class 3 delay pool, with an
3433 additional limit on a per user basis. This
3434 only takes effect if the username is established
3435 in advance - by forcing authentication in your
3438 class 5 Requests are grouped according their tag (see
3439 external_acl's tag= reply).
3441 NOTE: If an IP address is a.b.c.d
3442 -> bits 25 through 32 are "d"
3443 -> bits 17 through 24 are "c"
3444 -> bits 17 through 32 are "c * 256 + d"
3448 TYPE: delay_pool_access
3453 This is used to determine which delay pool a request falls into.
3455 delay_access is sorted per pool and the matching starts with pool 1,
3456 then pool 2, ..., and finally pool N. The first delay pool where the
3457 request is allowed is selected for the request. If it does not allow
3458 the request to any pool then the request is not delayed (default).
3460 For example, if you want some_big_clients in delay
3461 pool 1 and lotsa_little_clients in delay pool 2:
3464 delay_access 1 allow some_big_clients
3465 delay_access 1 deny all
3466 delay_access 2 allow lotsa_little_clients
3467 delay_access 2 deny all
3468 delay_access 3 allow authenticated_clients
3471 NAME: delay_parameters
3472 TYPE: delay_pool_rates
3477 This defines the parameters for a delay pool. Each delay pool has
3478 a number of "buckets" associated with it, as explained in the
3479 description of delay_class. For a class 1 delay pool, the syntax is:
3481 delay_parameters pool aggregate
3483 For a class 2 delay pool:
3485 delay_parameters pool aggregate individual
3487 For a class 3 delay pool:
3489 delay_parameters pool aggregate network individual
3491 For a class 4 delay pool:
3493 delay_parameters pool aggregate network individual user
3495 For a class 5 delay pool:
3497 delay_parameters pool tag
3499 The variables here are:
3501 pool a pool number - ie, a number between 1 and the
3502 number specified in delay_pools as used in
3505 aggregate the "delay parameters" for the aggregate bucket
3508 individual the "delay parameters" for the individual
3509 buckets (class 2, 3).
3511 network the "delay parameters" for the network buckets
3514 user the delay parameters for the user buckets
3517 tag the delay parameters for the tag buckets
3520 A pair of delay parameters is written restore/maximum, where restore is
3521 the number of bytes (not bits - modem and network speeds are usually
3522 quoted in bits) per second placed into the bucket, and maximum is the
3523 maximum number of bytes which can be in the bucket at any time.
3525 For example, if delay pool number 1 is a class 2 delay pool as in the
3526 above example, and is being used to strictly limit each host to 64kbps
3527 (plus overheads), with no overall limit, the line is:
3529 delay_parameters 1 -1/-1 8000/8000
3531 Note that the figure -1 is used to represent "unlimited".
3533 And, if delay pool number 2 is a class 3 delay pool as in the above
3534 example, and you want to limit it to a total of 256kbps (strict limit)
3535 with each 8-bit network permitted 64kbps (strict limit) and each
3536 individual host permitted 4800bps with a bucket maximum size of 64kb
3537 to permit a decent web page to be downloaded at a decent speed
3538 (if the network is not being limited due to overuse) but slow down
3539 large downloads more significantly:
3541 delay_parameters 2 32000/32000 8000/8000 600/8000
3543 There must be one delay_parameters line for each delay pool.
3545 Finally, for a class 4 delay pool as in the example - each user will
3546 be limited to 128Kb no matter how many workstations they are logged into.:
3548 delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
3551 NAME: delay_initial_bucket_level
3552 COMMENT: (percent, 0-100)
3556 LOC: Config.Delay.initial
3558 The initial bucket percentage is used to determine how much is put
3559 in each bucket when squid starts, is reconfigured, or first notices
3560 a host accessing it (in class 2 and class 3, individual hosts and
3561 networks only have buckets associated with them once they have been
3566 WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
3567 -----------------------------------------------------------------------------
3572 LOC: Config.Wccp.router
3577 TYPE: sockaddr_in_list
3578 LOC: Config.Wccp2.router
3582 Use this option to define your WCCP ``home'' router for
3585 wccp_router supports a single WCCP(v1) router
3587 wccp2_router supports multiple WCCPv2 routers
3589 only one of the two may be used at the same time and defines
3590 which version of WCCP to use.
3595 LOC: Config.Wccp.version
3599 This directive is only relevant if you need to set up WCCP(v1)
3600 to some very old and end-of-life Cisco routers. In all other
3601 setups it must be left unset or at the default setting.
3602 It defines an internal version in the WCCP(v1) protocol,
3603 with version 4 being the officially documented protocol.
3605 According to some users, Cisco IOS 11.2 and earlier only
3606 support WCCP version 3. If you're using that or an earlier
3607 version of IOS, you may need to change this value to 3, otherwise
3608 do not specify this parameter.
3611 NAME: wccp2_rebuild_wait
3613 LOC: Config.Wccp2.rebuildwait
3617 If this is enabled Squid will wait for the cache dir rebuild to finish
3618 before sending the first wccp2 HereIAm packet
3621 NAME: wccp2_forwarding_method
3623 LOC: Config.Wccp2.forwarding_method
3627 WCCP2 allows the setting of forwarding methods between the
3628 router/switch and the cache. Valid values are as follows:
3630 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
3631 2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
3633 Currently (as of IOS 12.4) cisco routers only support GRE.
3634 Cisco switches only support the L2 redirect assignment method.
3637 NAME: wccp2_return_method
3639 LOC: Config.Wccp2.return_method
3643 WCCP2 allows the setting of return methods between the
3644 router/switch and the cache for packets that the cache
3645 decides not to handle. Valid values are as follows:
3647 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
3648 2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
3650 Currently (as of IOS 12.4) cisco routers only support GRE.
3651 Cisco switches only support the L2 redirect assignment.
3653 If the "ip wccp redirect exclude in" command has been
3654 enabled on the cache interface, then it is still safe for
3655 the proxy server to use a l2 redirect method even if this
3656 option is set to GRE.
3659 NAME: wccp2_assignment_method
3661 LOC: Config.Wccp2.assignment_method
3665 WCCP2 allows the setting of methods to assign the WCCP hash
3666 Valid values are as follows:
3671 As a general rule, cisco routers support the hash assignment method
3672 and cisco switches support the mask assignment method.
3677 LOC: Config.Wccp2.info
3679 DEFAULT_IF_NONE: standard 0
3682 WCCP2 allows for multiple traffic services. There are two
3683 types: "standard" and "dynamic". The standard type defines
3684 one service id - http (id 0). The dynamic service ids can be from
3685 51 to 255 inclusive. In order to use a dynamic service id
3686 one must define the type of traffic to be redirected; this is done
3687 using the wccp2_service_info option.
3689 The "standard" type does not require a wccp2_service_info option,
3690 just specifying the service id will suffice.
3692 MD5 service authentication can be enabled by adding
3693 "password=<password>" to the end of this service declaration.
3697 wccp2_service standard 0 # for the 'web-cache' standard service
3698 wccp2_service dynamic 80 # a dynamic service type which will be
3699 # fleshed out with subsequent options.
3700 wccp2_service standard 0 password=foo
3704 NAME: wccp2_service_info
3705 TYPE: wccp2_service_info
3706 LOC: Config.Wccp2.info
3710 Dynamic WCCPv2 services require further information to define the
3711 traffic you wish to have diverted.
3715 wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
3716 priority=<priority> ports=<port>,<port>..
3718 The relevant WCCPv2 flags:
3719 + src_ip_hash, dst_ip_hash
3720 + source_port_hash, dest_port_hash
3721 + src_ip_alt_hash, dst_ip_alt_hash
3722 + src_port_alt_hash, dst_port_alt_hash
3725 The port list can be one to eight entries.
3729 wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
3730 priority=240 ports=80
3732 Note: the service id must have been defined by a previous
3733 'wccp2_service dynamic <id>' entry.
3738 LOC: Config.Wccp2.weight
3742 Each cache server gets assigned a set of the destination
3743 hash proportional to their weight.
3748 LOC: Config.Wccp.address
3754 LOC: Config.Wccp2.address
3758 Use this option if you require WCCP to use a specific
3761 The default behavior is to not bind to any specific address.
3765 PERSISTENT CONNECTION HANDLING
3766 -----------------------------------------------------------------------------
3768 Also see "pconn_timeout" in the TIMEOUTS section
3771 NAME: client_persistent_connections
3773 LOC: Config.onoff.client_pconns
3777 NAME: server_persistent_connections
3779 LOC: Config.onoff.server_pconns
3782 Persistent connection support for clients and servers. By
3783 default, Squid uses persistent connections (when allowed)
3784 with its clients and servers. You can use these options to
3785 disable persistent connections with clients and/or servers.
3788 NAME: persistent_connection_after_error
3790 LOC: Config.onoff.error_pconns
3793 With this directive the use of persistent connections after
3794 HTTP errors can be disabled. Useful if you have clients
3795 who fail to handle errors on persistent connections proper.
3798 NAME: detect_broken_pconn
3800 LOC: Config.onoff.detect_broken_server_pconns
3803 Some servers have been found to incorrectly signal the use
3804 of HTTP/1.0 persistent connections even on replies not
3805 compatible, causing significant delays. This server problem
3806 has mostly been seen on redirects.
3808 By enabling this directive Squid attempts to detect such
3809 broken replies and automatically assume the reply is finished
3810 after 10 seconds timeout.
3814 CACHE DIGEST OPTIONS
3815 -----------------------------------------------------------------------------
3818 NAME: digest_generation
3819 IFDEF: USE_CACHE_DIGESTS
3821 LOC: Config.onoff.digest_generation
3824 This controls whether the server will generate a Cache Digest
3825 of its contents. By default, Cache Digest generation is
3826 enabled if Squid is compiled with USE_CACHE_DIGESTS defined.
3829 NAME: digest_bits_per_entry
3830 IFDEF: USE_CACHE_DIGESTS
3832 LOC: Config.digest.bits_per_entry
3835 This is the number of bits of the server's Cache Digest which
3836 will be associated with the Digest entry for a given HTTP
3837 Method and URL (public key) combination. The default is 5.
3840 NAME: digest_rebuild_period
3841 IFDEF: USE_CACHE_DIGESTS
3844 LOC: Config.digest.rebuild_period
3847 This is the number of seconds between Cache Digest rebuilds.
3850 NAME: digest_rewrite_period
3852 IFDEF: USE_CACHE_DIGESTS
3854 LOC: Config.digest.rewrite_period
3857 This is the number of seconds between Cache Digest writes to
3861 NAME: digest_swapout_chunk_size
3864 IFDEF: USE_CACHE_DIGESTS
3865 LOC: Config.digest.swapout_chunk_size
3868 This is the number of bytes of the Cache Digest to write to
3869 disk at a time. It defaults to 4096 bytes (4KB), the Squid
3873 NAME: digest_rebuild_chunk_percentage
3874 COMMENT: (percent, 0-100)
3875 IFDEF: USE_CACHE_DIGESTS
3877 LOC: Config.digest.rebuild_chunk_percentage
3880 This is the percentage of the Cache Digest to be scanned at a
3881 time. By default it is set to 10% of the Cache Digest.
3886 -----------------------------------------------------------------------------
3891 LOC: Config.Port.snmp
3895 Squid can now serve statistics and status information via SNMP.
3896 By default it listens to port 3401 on the machine. If you don't
3897 wish to use SNMP, set this to "0".
3902 LOC: Config.accessList.snmp
3904 DEFAULT_IF_NONE: deny all
3907 Allowing or denying access to the SNMP port.
3909 All access to the agent is denied by default.
3912 snmp_access allow|deny [!]aclname ...
3915 snmp_access allow snmppublic localhost
3916 snmp_access deny all
3919 NAME: snmp_incoming_address
3921 LOC: Config.Addrs.snmp_incoming
3925 NAME: snmp_outgoing_address
3927 LOC: Config.Addrs.snmp_outgoing
3928 DEFAULT: 255.255.255.255
3931 Just like 'udp_incoming_address' above, but for the SNMP port.
3933 snmp_incoming_address is used for the SNMP socket receiving
3934 messages from SNMP agents.
3935 snmp_outgoing_address is used for SNMP packets returned to SNMP
3938 The default snmp_incoming_address (0.0.0.0) is to listen on all
3939 available network interfaces.
3941 If snmp_outgoing_address is set to 255.255.255.255 (the default)
3942 it will use the same socket as snmp_incoming_address. Only
3943 change this if you want to have SNMP replies sent using another
3944 address than where this Squid listens for SNMP queries.
3946 NOTE, snmp_incoming_address and snmp_outgoing_address can not have
3947 the same value since they both use port 3401.
3952 -----------------------------------------------------------------------------
3955 NAME: icp_port udp_port
3958 LOC: Config.Port.icp
3960 The port number where Squid sends and receives ICP queries to
3961 and from neighbor caches. The standard UDP port for ICP is 3130.
3962 Default is disabled (0).
3964 icp_port @DEFAULT_ICP_PORT@
3972 LOC: Config.Port.htcp
3974 The port number where Squid sends and receives HTCP queries to
3975 and from neighbor caches. Default is 4827. To disable use
3979 NAME: log_icp_queries
3983 LOC: Config.onoff.log_udp
3985 If set, ICP queries are logged to access.log. You may wish
3986 do disable this if your ICP load is VERY high to speed things
3987 up or to simplify log analysis.
3990 NAME: udp_incoming_address
3992 LOC:Config.Addrs.udp_incoming
3996 NAME: udp_outgoing_address
3998 LOC: Config.Addrs.udp_outgoing
3999 DEFAULT: 255.255.255.255
4001 udp_incoming_address is used for the ICP socket receiving packets
4003 udp_outgoing_address is used for ICP packets sent out to other
4006 The default behavior is to not bind to any specific address.
4008 A udp_incoming_address value of 0.0.0.0 indicates Squid
4009 should listen for UDP messages on all available interfaces.
4011 If udp_outgoing_address is set to 255.255.255.255 (the default)
4012 it will use the same socket as udp_incoming_address. Only
4013 change this if you want to have ICP queries sent using another
4014 address than where this Squid listens for ICP queries from other
4017 NOTE, udp_incoming_address and udp_outgoing_address can not
4018 have the same value since they both use port 3130.
4021 NAME: minimum_direct_hops
4024 LOC: Config.minDirectHops
4026 If using the ICMP pinging stuff, do direct fetches for sites
4027 which are no more than this many hops away.
4030 NAME: minimum_direct_rtt
4033 LOC: Config.minDirectRtt
4035 If using the ICMP pinging stuff, do direct fetches for sites
4036 which are no more than this many rtt milliseconds away.
4042 LOC: Config.Netdb.low
4048 LOC: Config.Netdb.high
4050 The low and high water marks for the ICMP measurement
4051 database. These are counts, not percents. The defaults are
4052 900 and 1000. When the high water mark is reached, database
4053 entries will be deleted until the low mark is reached.
4056 NAME: netdb_ping_period
4058 LOC: Config.Netdb.period
4061 The minimum period for measuring a site. There will be at
4062 least this much delay between successive pings to the same
4063 network. The default is five minutes.
4070 LOC: Config.onoff.query_icmp
4072 If you want to ask your peers to include ICMP data in their ICP
4073 replies, enable this option.
4075 If your peer has configured Squid (during compilation) with
4076 '--enable-icmp' that peer will send ICMP pings to origin server
4077 sites of the URLs it receives. If you enable this option the
4078 ICP replies from that peer will include the ICMP data (if available).
4079 Then, when choosing a parent cache, Squid will choose the parent with
4080 the minimal RTT to the origin server. When this happens, the
4081 hierarchy field of the access.log will be
4082 "CLOSEST_PARENT_MISS". This option is off by default.
4085 NAME: test_reachability
4089 LOC: Config.onoff.test_reachability
4091 When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
4092 instead of ICP_MISS if the target host is NOT in the ICMP
4093 database, or has a zero RTT.
4096 NAME: icp_query_timeout
4100 LOC: Config.Timeout.icp_query
4102 Normally Squid will automatically determine an optimal ICP
4103 query timeout value based on the round-trip-time of recent ICP
4104 queries. If you want to override the value determined by
4105 Squid, set this 'icp_query_timeout' to a non-zero value. This
4106 value is specified in MILLISECONDS, so, to use a 2-second
4107 timeout (the old default), you would write:
4109 icp_query_timeout 2000
4112 NAME: maximum_icp_query_timeout
4116 LOC: Config.Timeout.icp_query_max
4118 Normally the ICP query timeout is determined dynamically. But
4119 sometimes it can lead to very large values (say 5 seconds).
4120 Use this option to put an upper limit on the dynamic timeout
4121 value. Do NOT use this option to always use a fixed (instead
4122 of a dynamic) timeout value. To set a fixed timeout see the
4123 'icp_query_timeout' directive.
4126 NAME: minimum_icp_query_timeout
4130 LOC: Config.Timeout.icp_query_min
4132 Normally the ICP query timeout is determined dynamically. But
4133 sometimes it can lead to very small timeouts, even lower than
4134 the normal latency variance on your link due to traffic.
4135 Use this option to put an lower limit on the dynamic timeout
4136 value. Do NOT use this option to always use a fixed (instead
4137 of a dynamic) timeout value. To set a fixed timeout see the
4138 'icp_query_timeout' directive.
4141 NAME: background_ping_rate
4145 LOC: Config.backgroundPingRate
4147 Controls how often the ICP pings are sent to siblings that
4148 have background-ping set.
4155 LOC: Config.onoff.icp_hit_stale
4157 If you want to return ICP_HIT for stale cache objects, set this
4158 option to 'on'. If you have sibling relationships with caches
4159 in other administrative domains, this should be 'off'. If you only
4160 have sibling relationships with caches under your control,
4161 it is probably okay to set this to 'on'.
4162 If set to 'on', your siblings should use the option "allow-miss"
4163 on their cache_peer lines for connecting to you.
4167 MULTICAST ICP OPTIONS
4168 -----------------------------------------------------------------------------
4173 LOC: Config.mcast_group_list
4176 This tag specifies a list of multicast groups which your server
4177 should join to receive multicasted ICP queries.
4179 NOTE! Be very careful what you put here! Be sure you
4180 understand the difference between an ICP _query_ and an ICP
4181 _reply_. This option is to be set only if you want to RECEIVE
4182 multicast queries. Do NOT set this option to SEND multicast
4183 ICP (use cache_peer for that). ICP replies are always sent via
4184 unicast, so this option does not affect whether or not you will
4185 receive replies from multicast group members.
4187 You must be very careful to NOT use a multicast address which
4188 is already in use by another group of caches.
4190 If you are unsure about multicast, please read the Multicast
4191 chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
4193 Usage: mcast_groups 239.128.16.128 224.0.1.20
4195 By default, Squid doesn't listen on any multicast groups.
4198 NAME: mcast_miss_addr
4199 IFDEF: MULTICAST_MISS_STREAM
4201 LOC: Config.mcast_miss.addr
4202 DEFAULT: 255.255.255.255
4204 If you enable this option, every "cache miss" URL will
4205 be sent out on the specified multicast address.
4207 Do not enable this option unless you are are absolutely
4208 certain you understand what you are doing.
4211 NAME: mcast_miss_ttl
4212 IFDEF: MULTICAST_MISS_STREAM
4214 LOC: Config.mcast_miss.ttl
4217 This is the time-to-live value for packets multicasted
4218 when multicasting off cache miss URLs is enabled. By
4219 default this is set to 'site scope', i.e. 16.
4222 NAME: mcast_miss_port
4223 IFDEF: MULTICAST_MISS_STREAM
4225 LOC: Config.mcast_miss.port
4228 This is the port number to be used in conjunction with
4232 NAME: mcast_miss_encode_key
4233 IFDEF: MULTICAST_MISS_STREAM
4235 LOC: Config.mcast_miss.encode_key
4236 DEFAULT: XXXXXXXXXXXXXXXX
4238 The URLs that are sent in the multicast miss stream are
4239 encrypted. This is the encryption key.
4242 NAME: mcast_icp_query_timeout
4246 LOC: Config.Timeout.mcast_icp_query
4248 For multicast peers, Squid regularly sends out ICP "probes" to
4249 count how many other peers are listening on the given multicast
4250 address. This value specifies how long Squid should wait to
4251 count all the replies. The default is 2000 msec, or 2
4256 INTERNAL ICON OPTIONS
4257 -----------------------------------------------------------------------------
4260 NAME: icon_directory
4262 LOC: Config.icons.directory
4263 DEFAULT: @DEFAULT_ICON_DIR@
4265 Where the icons are stored. These are normally kept in
4269 NAME: global_internal_static
4271 LOC: Config.onoff.global_internal_static
4274 This directive controls is Squid should intercept all requests for
4275 /squid-internal-static/ no matter which host the URL is requesting
4276 (default on setting), or if nothing special should be done for
4277 such URLs (off setting). The purpose of this directive is to make
4278 icons etc work better in complex cache hierarchies where it may
4279 not always be possible for all corners in the cache mesh to reach
4280 the server generating a directory listing.
4283 NAME: short_icon_urls
4285 LOC: Config.icons.use_short_names
4288 If this is enabled Squid will use short URLs for icons.
4289 If disabled it will revert to the old behavior of including
4290 it's own name and port in the URL.
4292 If you run a complex cache hierarchy with a mix of Squid and
4293 other proxies you may need to disable this directive.
4298 -----------------------------------------------------------------------------
4301 NAME: error_directory
4303 LOC: Config.errorDirectory
4304 DEFAULT: @DEFAULT_ERROR_DIR@
4306 If you wish to create your own versions of the default
4307 (English) error files, either to customize them to suit your
4308 language or company copy the template English files to another
4309 directory and point this tag at them.
4311 The squid developers are interested in making squid available in
4312 a wide variety of languages. If you are making translations for a
4313 langauge that Squid does not currently provide please consider
4314 contributing your translation back to the project.
4319 LOC: Config.errHtmlText
4322 HTML text to include in error messages. Make this a "mailto"
4323 URL to your admin address, or maybe just a link to your
4324 organizations Web page.
4326 To include this in your error messages, you must rewrite
4327 the error template files (found in the "errors" directory).
4328 Wherever you want the 'err_html_text' line to appear,
4329 insert a %L tag in the error template file.
4332 NAME: email_err_data
4335 LOC: Config.onoff.emailErrData
4338 If enabled, information about the occurred error will be
4339 included in the mailto links of the ERR pages (if %W is set)
4340 so that the email body contains the data.
4341 Syntax is <A HREF="mailto:%w%W">%w</A>
4346 LOC: Config.denyInfoList
4349 Usage: deny_info err_page_name acl
4350 or deny_info http://... acl
4351 Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
4353 This can be used to return a ERR_ page for requests which
4354 do not pass the 'http_access' rules. Squid remembers the last
4355 acl it evaluated in http_access, and if a 'deny_info' line exists
4356 for that ACL Squid returns a corresponding error page.
4358 The acl is typically the last acl on the http_access deny line which
4359 denied access. The exceptions to this rule are:
4360 - When Squid needs to request authentication credentials. It's then
4361 the first authentication related acl encountered
4362 - When none of the http_access lines matches. It's then the last
4363 acl processed on the last http_access line.
4365 You may use ERR_ pages that come with Squid or create your own pages
4366 and put them into the configured errors/ directory.
4368 Alternatively you can specify an error URL. The browsers will
4369 get redirected (302) to the specified URL. %s in the redirection
4370 URL will be replaced by the requested URL.
4372 Alternatively you can tell Squid to reset the TCP connection
4373 by specifying TCP_RESET.
4377 OPTIONS INFLUENCING REQUEST FORWARDING
4378 -----------------------------------------------------------------------------
4381 NAME: nonhierarchical_direct
4383 LOC: Config.onoff.nonhierarchical_direct
4386 By default, Squid will send any non-hierarchical requests
4387 (matching hierarchy_stoplist or not cacheable request type) direct
4390 If you set this to off, Squid will prefer to send these
4391 requests to parents.
4393 Note that in most configurations, by turning this off you will only
4394 add latency to these request without any improvement in global hit
4397 If you are inside an firewall see never_direct instead of
4403 LOC: Config.onoff.prefer_direct
4406 Normally Squid tries to use parents for most requests. If you for some
4407 reason like it to first try going direct and only use a parent if
4408 going direct fails set this to on.
4410 By combining nonhierarchical_direct off and prefer_direct on you
4411 can set up Squid to use a parent as a backup path if going direct
4414 Note: If you want Squid to use parents for all requests see
4415 the never_direct directive. prefer_direct only modifies how Squid
4416 acts on cacheable requests.
4421 LOC: Config.accessList.AlwaysDirect
4424 Usage: always_direct allow|deny [!]aclname ...
4426 Here you can use ACL elements to specify requests which should
4427 ALWAYS be forwarded by Squid to the origin servers without using
4428 any peers. For example, to always directly forward requests for
4429 local servers ignoring any parents or siblings you may have use
4432 acl local-servers dstdomain my.domain.net
4433 always_direct allow local-servers
4435 To always forward FTP requests directly, use
4438 always_direct allow FTP
4440 NOTE: There is a similar, but opposite option named
4441 'never_direct'. You need to be aware that "always_direct deny
4442 foo" is NOT the same thing as "never_direct allow foo". You
4443 may need to use a deny rule to exclude a more-specific case of
4444 some other rule. Example:
4446 acl local-external dstdomain external.foo.net
4447 acl local-servers dstdomain .foo.net
4448 always_direct deny local-external
4449 always_direct allow local-servers
4451 NOTE: If your goal is to make the client forward the request
4452 directly to the origin server bypassing Squid then this needs
4453 to be done in the client configuration. Squid configuration
4454 can only tell Squid how Squid should fetch the object.
4456 NOTE: This directive is not related to caching. The replies
4457 is cached as usual even if you use always_direct. To not cache
4458 the replies see no_cache.
4460 This option replaces some v1.1 options such as local_domain
4466 LOC: Config.accessList.NeverDirect
4469 Usage: never_direct allow|deny [!]aclname ...
4471 never_direct is the opposite of always_direct. Please read
4472 the description for always_direct if you have not already.
4474 With 'never_direct' you can use ACL elements to specify
4475 requests which should NEVER be forwarded directly to origin
4476 servers. For example, to force the use of a proxy for all
4477 requests, except those in your local domain use something like:
4479 acl local-servers dstdomain .foo.net
4480 acl all src 0.0.0.0/0.0.0.0
4481 never_direct deny local-servers
4482 never_direct allow all
4484 or if Squid is inside a firewall and there are local intranet
4485 servers inside the firewall use something like:
4487 acl local-intranet dstdomain .foo.net
4488 acl local-external dstdomain external.foo.net
4489 always_direct deny local-external
4490 always_direct allow local-intranet
4491 never_direct allow all
4493 This option replaces some v1.1 options such as inside_firewall
4498 ADVANCED NETWORKING OPTIONS
4499 -----------------------------------------------------------------------------
4502 NAME: incoming_icp_average
4505 LOC: Config.comm_incoming.icp_average
4508 NAME: incoming_http_average
4511 LOC: Config.comm_incoming.http_average
4514 NAME: incoming_dns_average
4517 LOC: Config.comm_incoming.dns_average
4520 NAME: min_icp_poll_cnt
4523 LOC: Config.comm_incoming.icp_min_poll
4526 NAME: min_dns_poll_cnt
4529 LOC: Config.comm_incoming.dns_min_poll
4532 NAME: min_http_poll_cnt
4535 LOC: Config.comm_incoming.http_min_poll
4537 Heavy voodoo here. I can't even believe you are reading this.
4538 Are you crazy? Don't even think about adjusting these unless
4539 you understand the algorithms in comm_select.c first!
4543 IFDEF: SO_ACCEPTFILTER
4546 LOC: Config.accept_filter
4548 The name of an accept(2) filter to install on Squid's
4549 listen socket(s). This feature is perhaps specific to
4550 FreeBSD and requires support in the kernel.
4552 The 'httpready' filter delays delivering new connections
4553 to Squid until a full HTTP request has been recieved.
4554 See the accf_http(9) man page.
4557 accept_filter httpready
4560 NAME: tcp_recv_bufsize
4564 LOC: Config.tcpRcvBufsz
4566 Size of receive buffer to set for TCP sockets. Probably just
4567 as easy to change your kernel's default. Set to zero to use
4568 the default buffer size.
4573 -----------------------------------------------------------------------------
4580 LOC: TheICAPConfig.onoff
4583 If you want to enable the ICAP module support, set this to on.
4586 NAME: icap_connect_timeout
4589 LOC: TheICAPConfig.connect_timeout_raw
4592 This parameter specifies how long to wait for the TCP connect to
4593 the requested ICAP server to complete before giving up and either
4594 terminating the HTTP transaction or bypassing the failure.
4596 The default for optional services is peer_connect_timeout.
4597 The default for essential services is connect_timeout.
4598 If this option is explicitly set, its value applies to all services.
4601 NAME: icap_io_timeout
4605 LOC: TheICAPConfig.io_timeout_raw
4608 This parameter specifies how long to wait for an I/O activity on
4609 an established, active ICAP connection before giving up and
4610 either terminating the HTTP transaction or bypassing the
4613 The default is read_timeout.
4616 NAME: icap_service_failure_limit
4619 LOC: TheICAPConfig.service_failure_limit
4622 The limit specifies the number of failures that Squid tolerates
4623 when establishing a new TCP connection with an ICAP service. If
4624 the number of failures exceeds the limit, the ICAP service is
4625 not used for new ICAP requests until it is time to refresh its
4626 OPTIONS. The per-service failure counter is reset to zero each
4627 time Squid fetches new service OPTIONS.
4629 A negative value disables the limit. Without the limit, an ICAP
4630 service will not be considered down due to connectivity failures
4631 between ICAP OPTIONS requests.
4634 NAME: icap_service_revival_delay
4637 LOC: TheICAPConfig.service_revival_delay
4640 The delay specifies the number of seconds to wait after an ICAP
4641 OPTIONS request failure before requesting the options again. The
4642 failed ICAP service is considered "down" until fresh OPTIONS are
4645 The actual delay cannot be smaller than the hardcoded minimum
4646 delay of 30 seconds.
4649 NAME: icap_preview_enable
4653 LOC: TheICAPConfig.preview_enable
4656 Set this to 'on' if you want to enable the ICAP preview
4660 NAME: icap_preview_size
4663 LOC: TheICAPConfig.preview_size
4666 The default size of preview data to be sent to the ICAP server.
4667 -1 means no preview. This value might be overwritten on a per server
4668 basis by OPTIONS requests.
4671 NAME: icap_default_options_ttl
4674 LOC: TheICAPConfig.default_options_ttl
4677 The default TTL value for ICAP OPTIONS responses that don't have
4678 an Options-TTL header.
4681 NAME: icap_persistent_connections
4685 LOC: TheICAPConfig.reuse_connections
4688 Whether or not Squid should use persistent connections to
4692 NAME: icap_send_client_ip
4696 LOC: TheICAPConfig.send_client_ip
4699 This adds the header "X-Client-IP" to ICAP requests.
4702 NAME: icap_send_client_username
4706 LOC: TheICAPConfig.send_client_username
4709 This sends authenticated HTTP client username (if available) to
4710 the ICAP service. The username value is encoded based on the
4711 icap_client_username_encode option and is sent using the header
4712 specified by the icap_client_username_header option.
4715 NAME: icap_client_username_header
4718 LOC: TheICAPConfig.client_username_header
4719 DEFAULT: X-Client-Username
4721 ICAP request header name to use for send_client_username.
4724 NAME: icap_client_username_encode
4728 LOC: TheICAPConfig.client_username_encode
4731 Whether to base64 encode the authenticated client username.
4735 TYPE: icap_service_type
4740 Defines a single ICAP service
4742 icap_service servicename vectoring_point bypass service_url
4744 vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
4745 This specifies at which point of request processing the ICAP
4746 service should be plugged in.
4748 If set to 1 and the ICAP server cannot be reached, the request will go
4749 through without being processed by an ICAP server
4750 service_url = icap://servername:port/service
4752 Note: reqmod_precache and respmod_postcache is not yet implemented
4755 icap_service service_1 reqmod_precache 0 icap://icap1.mydomain.net:1344/reqmod
4756 icap_service service_2 respmod_precache 0 icap://icap2.mydomain.net:1344/respmod
4760 TYPE: icap_class_type
4765 Defines an ICAP service chain. If there are multiple services per
4766 vectoring point, they are processed in the specified order.
4768 icap_class classname servicename...
4771 icap_class class_1 service_1 service_2
4772 icap class class_2 service_1 service_3
4776 TYPE: icap_access_type
4781 Redirects a request through an ICAP service class, depending
4784 icap_access classname allow|deny [!]aclname...
4786 The icap_access statements are processed in the order they appear in
4787 this configuration file. If an access list matches, the processing stops.
4788 For an "allow" rule, the specified class is used for the request. A "deny"
4789 rule simply stops processing without using the class. You can also use the
4790 special classname "None".
4792 For backward compatibility, it is also possible to use services
4795 icap_access class_1 allow all
4800 -----------------------------------------------------------------------------
4803 NAME: check_hostnames
4806 LOC: Config.onoff.check_hostnames
4808 For security and stability reasons Squid can check
4809 hostnames for Internet standard RFC compliance. If you want
4810 Squid to perform these checks turn this directive on.
4813 NAME: allow_underscore
4816 LOC: Config.onoff.allow_underscore
4818 Underscore characters is not strictly allowed in Internet hostnames
4819 but nevertheless used by many sites. Set this to off if you want
4820 Squid to be strict about the standard.
4821 This check is performed only when check_hostnames is set to on.
4824 NAME: cache_dns_program
4826 IFDEF: USE_DNSSERVERS
4827 DEFAULT: @DEFAULT_DNSSERVER@
4828 LOC: Config.Program.dnsserver
4830 Specify the location of the executable for dnslookup process.
4835 IFDEF: USE_DNSSERVERS
4837 LOC: Config.dnsChildren
4839 The number of processes spawn to service DNS name lookups.
4840 For heavily loaded caches on large servers, you should
4841 probably increase this value to at least 10. The maximum
4842 is 32. The default is 5.
4844 You must have at least one dnsserver process.
4847 NAME: dns_retransmit_interval
4850 LOC: Config.Timeout.idns_retransmit
4851 IFDEF: !USE_DNSSERVERS
4853 Initial retransmit interval for DNS queries. The interval is
4854 doubled each time all configured DNS servers have been tried.
4861 LOC: Config.Timeout.idns_query
4862 IFDEF: !USE_DNSSERVERS
4864 DNS Query timeout. If no response is received to a DNS query
4865 within this time all DNS servers for the queried domain
4866 are assumed to be unavailable.
4873 LOC: Config.onoff.res_defnames
4875 Normally the RES_DEFNAMES resolver option is disabled
4876 (see res_init(3)). This prevents caches in a hierarchy
4877 from interpreting single-component hostnames locally. To allow
4878 Squid to handle single-component names, enable this option.
4881 NAME: dns_nameservers
4884 LOC: Config.dns_nameservers
4886 Use this if you want to specify a list of DNS name servers
4887 (IP addresses) to use instead of those given in your
4888 /etc/resolv.conf file.
4889 On Windows platforms, if no value is specified here or in
4890 the /etc/resolv.conf file, the list of DNS name servers are
4891 taken from the Windows registry, both static and dynamic DHCP
4892 configurations are supported.
4894 Example: dns_nameservers 10.0.0.1 192.172.0.4
4899 DEFAULT: @DEFAULT_HOSTS@
4900 LOC: Config.etcHostsPath
4902 Location of the host-local IP name-address associations
4903 database. Most Operating Systems have such a file on different
4905 - Un*X & Linux: /etc/hosts
4906 - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
4907 (%SystemRoot% value install default is c:\winnt)
4908 - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
4909 (%SystemRoot% value install default is c:\windows)
4910 - Windows 9x/Me: %windir%\hosts
4911 (%windir% value is usually c:\windows)
4912 - Cygwin: /etc/hosts
4914 The file contains newline-separated definitions, in the
4915 form ip_address_in_dotted_form name [name ...] names are
4916 whitespace-separated. Lines beginning with an hash (#)
4917 character are comments.
4919 The file is checked at startup and upon configuration.
4920 If set to 'none', it won't be checked.
4921 If append_domain is used, that domain will be added to
4922 domain-local (i.e. not containing any dot character) host
4928 LOC: Config.dns_testname_list
4930 DEFAULT_IF_NONE: netscape.com internic.net nlanr.net microsoft.com
4932 The DNS tests exit as soon as the first site is successfully looked up
4934 This test can be disabled with the -D command line option.
4939 LOC: Config.appendDomain
4942 Appends local domain name to hostnames without any dots in
4943 them. append_domain must begin with a period.
4945 Be warned there are now Internet names with no dots in
4946 them using only top-domain names, so setting this may
4947 cause some Internet sites to become unavailable.
4950 append_domain .yourdomain.com
4953 NAME: ignore_unknown_nameservers
4955 LOC: Config.onoff.ignore_unknown_nameservers
4958 By default Squid checks that DNS responses are received
4959 from the same IP addresses they are sent to. If they
4960 don't match, Squid ignores the response and writes a warning
4961 message to cache.log. You can allow responses from unknown
4962 nameservers by setting this option to 'off'.
4967 -----------------------------------------------------------------------------
4974 LOC: Config.onoff.mem_pools
4976 If set, Squid will keep pools of allocated (but unused) memory
4977 available for future use. If memory is a premium on your
4978 system and you believe your malloc library outperforms Squid
4979 routines, disable this.
4982 NAME: memory_pools_limit
4986 LOC: Config.MemPools.limit
4988 Used only with memory_pools on:
4989 memory_pools_limit 50 MB
4991 If set to a non-zero value, Squid will keep at most the specified
4992 limit of allocated (but unused) memory in memory pools. All free()
4993 requests that exceed this limit will be handled by your malloc
4994 library. Squid does not pre-allocate any memory, just safe-keeps
4995 objects that otherwise would be free()d. Thus, it is safe to set
4996 memory_pools_limit to a reasonably high value even if your
4997 configuration will use less memory.
4999 If set to zero, Squid will keep all memory it can. That is, there
5000 will be no limit on the total amount of memory used for safe-keeping.
5002 To disable memory allocation optimization, do not set
5003 memory_pools_limit to 0. Set memory_pools to "off" instead.
5005 An overhead for maintaining memory pools is not taken into account
5006 when the limit is checked. This overhead is close to four bytes per
5007 object kept. However, pools may actually _save_ memory because of
5008 reduced memory thrashing in your malloc library.
5015 LOC: opt_forwarded_for
5017 If set, Squid will include your system's IP address or name
5018 in the HTTP requests it forwards. By default it looks like
5021 X-Forwarded-For: 192.1.2.3
5023 If you disable this, it will appear as
5025 X-Forwarded-For: unknown
5028 NAME: cachemgr_passwd
5029 TYPE: cachemgrpasswd
5031 LOC: Config.passwd_list
5033 Specify passwords for cachemgr operations.
5035 Usage: cachemgr_passwd password action action ...
5037 Some valid actions are (see cache manager menu for a full list):
5076 * Indicates actions which will not be performed without a
5077 valid password, others can be performed if not listed here.
5079 To disable an action, set the password to "disable".
5080 To allow performing an action without a password, set the
5083 Use the keyword "all" to set the same password for all actions.
5086 cachemgr_passwd secret shutdown
5087 cachemgr_passwd lesssssssecret info stats/objects
5088 cachemgr_passwd disable all
5095 LOC: Config.onoff.client_db
5097 If you want to disable collecting per-client statistics,
5098 turn off client_db here.
5101 NAME: refresh_all_ims
5105 LOC: Config.onoff.refresh_all_ims
5107 When you enable this option, squid will always check
5108 the origin server for an update when a client sends an
5109 If-Modified-Since request. Many browsers use IMS
5110 requests when the user requests a reload, and this
5111 ensures those clients receive the latest version.
5113 By default (off), squid may return a Not Modified response
5114 based on the age of the cached version.
5117 NAME: reload_into_ims
5118 IFDEF: HTTP_VIOLATIONS
5122 LOC: Config.onoff.reload_into_ims
5124 When you enable this option, client no-cache or ``reload''
5125 requests will be changed to If-Modified-Since requests.
5126 Doing this VIOLATES the HTTP standard. Enabling this
5127 feature could make you liable for problems which it
5130 see also refresh_pattern for a more selective approach.
5133 NAME: maximum_single_addr_tries
5135 LOC: Config.retry.maxtries
5138 This sets the maximum number of connection attempts for a
5139 host that only has one address (for multiple-address hosts,
5140 each address is tried once).
5142 The default value is one attempt, the (not recommended)
5143 maximum is 255 tries. A warning message will be generated
5144 if it is set to a value greater than ten.
5146 Note: This is in addition to the request re-forwarding which
5147 takes place if Squid fails to get a satisfying response.
5150 NAME: retry_on_error
5152 LOC: Config.retry.onerror
5155 If set to on Squid will automatically retry requests when
5156 receiving an error response. This is mainly useful if you
5157 are in a complex cache hierarchy to work around access
5161 NAME: as_whois_server
5163 LOC: Config.as_whois_server
5164 DEFAULT: whois.ra.net
5165 DEFAULT_IF_NONE: whois.ra.net
5167 WHOIS server to query for AS numbers. NOTE: AS numbers are
5168 queried only when Squid starts up, not for every request.
5173 LOC: Config.onoff.offline
5176 Enable this option and Squid will never try to validate cached
5180 NAME: uri_whitespace
5181 TYPE: uri_whitespace
5182 LOC: Config.uri_whitespace
5185 What to do with requests that have whitespace characters in the
5188 strip: The whitespace characters are stripped out of the URL.
5189 This is the behavior recommended by RFC2396.
5190 deny: The request is denied. The user receives an "Invalid
5192 allow: The request is allowed and the URI is not changed. The
5193 whitespace characters remain in the URI. Note the
5194 whitespace is passed to redirector processes if they
5196 encode: The request is allowed and the whitespace characters are
5197 encoded according to RFC1738. This could be considered
5198 a violation of the HTTP/1.1
5199 RFC because proxies are not allowed to rewrite URI's.
5200 chop: The request is allowed and the URI is chopped at the
5201 first whitespace. This might also be considered a
5207 LOC: Config.coredump_dir
5209 DEFAULT_IF_NONE: none
5211 By default Squid leaves core files in the directory from where
5212 it was started. If you set 'coredump_dir' to a directory
5213 that exists, Squid will chdir() to that directory at startup
5214 and coredump files will be left there.
5217 # Leave coredumps in the first cache dir
5218 coredump_dir @DEFAULT_SWAP_DIR@
5222 NAME: redirector_bypass
5224 LOC: Config.onoff.redirector_bypass
5227 When this is 'on', a request will not go through the
5228 redirector if all redirectors are busy. If this is 'off'
5229 and the redirector queue grows too large, Squid will exit
5230 with a FATAL error and ask you to increase the number of
5231 redirectors. You should only enable this if the redirectors
5232 are not critical to your caching system. If you use
5233 redirectors for access control, and you enable this option,
5234 users may have access to pages they should not
5235 be allowed to request.
5240 LOC: Config.chroot_dir
5243 Use this to have Squid do a chroot() while initializing. This
5244 also causes Squid to fully drop root privileges after
5245 initializing. This means, for example, if you use a HTTP
5246 port less than 1024 and try to reconfigure, you will may get an
5247 error saying that Squid can not open the port.
5250 NAME: balance_on_multiple_ip
5252 LOC: Config.onoff.balance_on_multiple_ip
5255 Some load balancing servers based on round robin DNS have been
5256 found not to preserve user session state across requests
5257 to different IP addresses.
5259 By default Squid rotates IP's per request. By disabling
5260 this directive only connection failure triggers rotation.
5263 NAME: pipeline_prefetch
5265 LOC: Config.onoff.pipeline_prefetch
5268 To boost the performance of pipelined requests to closer
5269 match that of a non-proxied environment Squid can try to fetch
5270 up to two requests in parallel from a pipeline.
5272 Defaults to off for bandwidth management and access logging
5276 NAME: high_response_time_warning
5279 LOC: Config.warnings.high_rptm
5282 If the one-minute median response time exceeds this value,
5283 Squid prints a WARNING with debug level 0 to get the
5284 administrators attention. The value is in milliseconds.
5287 NAME: high_page_fault_warning
5289 LOC: Config.warnings.high_pf
5292 If the one-minute average page fault rate exceeds this
5293 value, Squid prints a WARNING with debug level 0 to get
5294 the administrators attention. The value is in page faults
5298 NAME: high_memory_warning
5300 LOC: Config.warnings.high_memory
5303 If the memory usage (as determined by mallinfo) exceeds
5304 value, Squid prints a WARNING with debug level 0 to get
5305 the administrators attention.
5308 NAME: sleep_after_fork
5309 COMMENT: (microseconds)
5311 LOC: Config.sleep_after_fork
5314 When this is set to a non-zero value, the main Squid process
5315 sleeps the specified number of microseconds after a fork()
5316 system call. This sleep may help the situation where your
5317 system reports fork() failures due to lack of (virtual)
5318 memory. Note, however, if you have a lot of child
5319 processes, these sleep delays will add up and your
5320 Squid will not service requests for some amount of time
5321 until all the child processes have been started.
5322 On Windows value less then 1000 (1 milliseconds) are