3 # $Id: cf.data.pre,v 1.428 2007/01/13 16:08:19 hno Exp $
6 # SQUID Web Proxy Cache http://www.squid-cache.org/
7 # ----------------------------------------------------------
9 # Squid is the result of efforts by numerous individuals from
10 # the Internet community; see the CONTRIBUTORS file for full
11 # details. Many organizations have provided support for Squid's
12 # development; see the SPONSORS file for full details. Squid is
13 # Copyrighted (C) 2000 by the Regents of the University of
14 # California; see the COPYRIGHT file for full details. Squid
15 # incorporates software developed and/or copyrighted by other
16 # sources; see the CREDITS file for full details.
18 # This program is free software; you can redistribute it and/or modify
19 # it under the terms of the GNU General Public License as published by
20 # the Free Software Foundation; either version 2 of the License, or
21 # (at your option) any later version.
23 # This program is distributed in the hope that it will be useful,
24 # but WITHOUT ANY WARRANTY; without even the implied warranty of
25 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 # GNU General Public License for more details.
28 # You should have received a copy of the GNU General Public License
29 # along with this program; if not, write to the Free Software
30 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
34 WELCOME TO SQUID @VERSION@
35 ----------------------------
37 This is the default Squid configuration file. You may wish
38 to look at the Squid home page (http://www.squid-cache.org/)
39 for the FAQ and other documentation.
41 The default Squid config file shows what the defaults for
42 various options happen to be. If you don't need to change the
43 default, you shouldn't uncomment the line. Doing so may cause
44 run-time problems. In some cases "none" refers to no default
45 setting at all, while in other cases it refers to a valid
46 option - the comments for that keyword indicate if this is the
53 -----------------------------------------------------------------------------
56 NAME: http_port ascii_port
59 LOC: Config.Sockaddr.http
62 hostname:port [options]
63 1.2.3.4:port [options]
65 The socket addresses where Squid will listen for HTTP client
66 requests. You may specify multiple socket addresses.
67 There are three forms: port alone, hostname with port, and
68 IP address with port. If you specify a hostname or IP
69 address, Squid binds the socket to that specific
70 address. This replaces the old 'tcp_incoming_address'
71 option. Most likely, you do not need to bind to a specific
72 address, so you can use the port number alone.
74 If you are running Squid in accelerator mode, you
75 probably want to listen on port 80 also, or instead.
77 The -a command line option will override the *first* port
78 number listed here. That option will NOT override an IP
81 You may specify multiple socket addresses on multiple lines.
85 transparent Support for transparent proxies
87 accel Accelerator mode. Also set implicit by the other
88 accelerator directives
90 vhost Accelerator mode using Host header for virtual
93 vport Accelerator with IP based virtual host support
95 vport=NN As above, but uses specified port number rather
96 than the http_port number
98 defaultsite= Main web site name for accelerators
100 protocol= Protocol to reconstruct accelerated requests with.
103 disable-pmtu-discovery=
104 Control Path-MTU discovery usage:
105 off lets OS decide on what to do (default).
106 transparent disable PMTU discovery when transparent
108 always disable always PMTU discovery.
110 In many setups of transparently intercepting proxies Path-MTU
111 discovery can not work on traffic towards the clients. This is
112 the case when the intercepting device does not fully track
113 connections and fails to forward ICMP must fragment messages
114 to the cache server. If you have such setup and experience that
115 certain clients sporadically hang or never complete requests set
116 disable-pmtu-discovery option to 'transparent'.
118 If you run Squid on a dual-homed machine with an internal
119 and an external interface we recommend you to specify the
120 internal address:port in http_port. This way Squid will only be
121 visible on the internal address.
123 # Squid normally listens to port 3128
124 http_port @DEFAULT_HTTP_PORT@
130 TYPE: https_port_list
132 LOC: Config.Sockaddr.https
134 Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
136 The socket address where Squid will listen for HTTPS client
139 This is really only useful for situations where you are running
140 squid in accelerator mode and you want to do the SSL work at the
143 You may specify multiple socket addresses on multiple lines,
144 each with their own SSL certificate and/or options.
148 defaultsite= The name of the https site presented on
151 protocol= Protocol to reconstruct accelerated requests
152 with. Defaults to https
154 cert= Path to SSL certificate (PEM format)
156 key= Path to SSL private key file (PEM format)
157 if not specified, the certificate file is
158 assumed to be a combined certificate and
161 version= The version of SSL/TLS supported
162 1 automatic (default)
167 cipher= Colon separated list of supported ciphers
169 options= Various SSL engine options. The most important
171 NO_SSLv2 Disallow the use of SSLv2
172 NO_SSLv3 Disallow the use of SSLv3
173 NO_TLSv1 Disallow the use of TLSv1
174 SINGLE_DH_USE Always create a new key when using
175 temporary/ephemeral DH key exchanges
176 See src/ssl_support.c or OpenSSL SSL_CTX_set_options
177 documentation for a complete list of options
179 clientca= File containing the list of CAs to use when
180 requesting a client certificate
182 cafile= File containing additional CA certificates to
183 use when verifying client certificates. If unset
184 clientca will be used
186 capath= Directory containing additional CA certificates
187 and CRL lists to use when verifying client certificates
189 crlfile= File of additional CRL lists to use when verifying
190 the client certificate, in addition to CRLs stored in
191 the capath. Implies VERIFY_CRL flag below.
193 dhparams= File containing DH parameters for temporary/ephemeral
196 sslflags= Various flags modifying the use of SSL:
198 Don't request client certificates
199 immediately, but wait until acl processing
200 requires a certificate (not yet implemented)
202 Don't use the default CA lists built in
205 Don't allow for session reuse. Each connection
206 will result in a new SSL session.
208 Verify CRL lists when accepting client
211 Verify CRL lists for all certificates in the
212 client certificate chain
214 sslcontext= SSL session ID context identifier.
216 accel Accelerator mode. Also set implicit by the other
217 accelerator directives
219 vhost Accelerator mode using Host header for virtual
222 vport Accelerator with IP based virtual host support
224 vport=NN As above, but uses specified port number rather
225 than the https_port number
229 NAME: ssl_unclean_shutdown
233 LOC: Config.SSL.unclean_shutdown
235 Some browsers (especially MSIE) bugs out on SSL shutdown
242 LOC: Config.SSL.ssl_engine
245 The openssl engine to use. You will need to set this if you
246 would like to use hardware SSL acceleration for example.
249 NAME: sslproxy_client_certificate
252 LOC: Config.ssl_client.cert
255 Client SSL Certificate to use when proxying https:// URLs
258 NAME: sslproxy_client_key
261 LOC: Config.ssl_client.key
264 Client SSL Key to use when proxying https:// URLs
267 NAME: sslproxy_version
270 LOC: Config.ssl_client.version
273 SSL version level to use when proxying https:// URLs
276 NAME: sslproxy_options
279 LOC: Config.ssl_client.options
282 SSL engine options to use when proxying https:// URLs
285 NAME: sslproxy_cipher
288 LOC: Config.ssl_client.cipher
291 SSL cipher list to use when proxying https:// URLs
294 NAME: sslproxy_cafile
297 LOC: Config.ssl_client.cafile
300 file containing CA certificates to use when verifying server
301 certificates while proxying https:// URLs
304 NAME: sslproxy_capath
307 LOC: Config.ssl_client.capath
310 directory containing CA certificates to use when verifying
311 server certificates while proxying https:// URLs
317 LOC: Config.ssl_client.flags
320 Various flags modifying the use of SSL while proxying https:// URLs:
321 DONT_VERIFY_PEER Accept certificates even if they fail to
323 NO_DEFAULT_CA Don't use the default CA list built in
327 NAME: sslpassword_program
330 LOC: Config.Program.ssl_password
333 Specify a program used for entering SSL key passphrases
334 when using encrypted SSL certificate keys. If not specified
335 keys must either be unencrypted, or Squid started with the -N
336 option to allow it to query interactively for the passphrase.
339 NAME: icp_port udp_port
344 The port number where Squid sends and receives ICP queries to
345 and from neighbor caches. The standard UDP port for ICP is 3130.
346 Default is disabled (0).
348 icp_port @DEFAULT_ICP_PORT@
356 LOC: Config.Port.htcp
358 The port number where Squid sends and receives HTCP queries to
359 and from neighbor caches. Default is 4827. To disable use
366 LOC: Config.mcast_group_list
369 This tag specifies a list of multicast groups which your server
370 should join to receive multicasted ICP queries.
372 NOTE! Be very careful what you put here! Be sure you
373 understand the difference between an ICP _query_ and an ICP
374 _reply_. This option is to be set only if you want to RECEIVE
375 multicast queries. Do NOT set this option to SEND multicast
376 ICP (use cache_peer for that). ICP replies are always sent via
377 unicast, so this option does not affect whether or not you will
378 receive replies from multicast group members.
380 You must be very careful to NOT use a multicast address which
381 is already in use by another group of caches.
383 If you are unsure about multicast, please read the Multicast
384 chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
386 Usage: mcast_groups 239.128.16.128 224.0.1.20
388 By default, Squid doesn't listen on any multicast groups.
392 NAME: udp_incoming_address
394 LOC:Config.Addrs.udp_incoming
398 NAME: udp_outgoing_address
400 LOC: Config.Addrs.udp_outgoing
401 DEFAULT: 255.255.255.255
403 udp_incoming_address is used for the ICP socket receiving packets
405 udp_outgoing_address is used for ICP packets sent out to other
408 The default behavior is to not bind to any specific address.
410 A udp_incoming_address value of 0.0.0.0 indicates Squid
411 should listen for UDP messages on all available interfaces.
413 If udp_outgoing_address is set to 255.255.255.255 (the default)
414 it will use the same socket as udp_incoming_address. Only
415 change this if you want to have ICP queries sent using another
416 address than where this Squid listens for ICP queries from other
419 NOTE, udp_incoming_address and udp_outgoing_address can not
420 have the same value since they both use port 3130.
424 OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
425 -----------------------------------------------------------------------------
433 To specify other caches in a hierarchy, use the format:
435 cache_peer hostname type http_port icp_port [options]
440 # hostname type port port options
441 # -------------------- -------- ----- ----- -----------
442 cache_peer parent.foo.net parent 3128 3130 [proxy-only]
443 cache_peer sib1.foo.net sibling 3128 3130 [proxy-only]
444 cache_peer sib2.foo.net sibling 3128 3130 [proxy-only]
446 type: either 'parent', 'sibling', or 'multicast'.
448 proxy_port: The port number where the cache listens for proxy
451 icp_port: Used for querying neighbor caches about
452 objects. To have a non-ICP neighbor
453 specify '7' for the ICP port and make sure the
454 neighbor machine has the UDP echo port
455 enabled in its /etc/inetd.conf file.
472 login=user:password | PASS | *:password
483 sslcert=/path/to/ssl/certificate
484 sslkey=/path/to/ssl/key
488 front-end-https[=on|auto]
490 use 'proxy-only' to specify objects fetched
491 from this cache should not be saved locally.
493 use 'weight=n' to specify a weighted parent.
494 The weight must be an integer. The default weight
495 is 1, larger weights are favored more.
497 use 'basetime=n' to specify a base amount to
498 be subtracted from round trip times of parents.
499 It is subtracted before division by weight in calculating
500 which parent to fectch from. If the rtt is less than the
501 base time the rtt is set to a minimal value.
503 use 'ttl=n' to specify a IP multicast TTL to use
504 when sending an ICP queries to this address.
505 Only useful when sending to a multicast group.
506 Because we don't accept ICP replies from random
507 hosts, you must configure other group members as
508 peers with the 'multicast-responder' option below.
510 use 'no-query' to NOT send ICP queries to this
513 use 'background-ping' to only send ICP queries to this
514 neighbor infrequently. This is used to keep the neighbor
515 round trip time updated and is usually used in
516 conjunction with weighted-round-robin.
518 use 'default' if this is a parent cache which can
519 be used as a "last-resort." You should probably
520 only use 'default' in situations where you cannot
521 use ICP with your parent cache(s).
523 use 'round-robin' to define a set of parents which
524 should be used in a round-robin fashion in the
525 absence of any ICP queries.
527 use 'weighted-round-robin' to define a set of parents
528 which should be used in a round-robin fashion with the
529 frequency of each parent being based on the round trip
530 time. Closer parents are used more often.
531 Usually used for background-ping parents.
533 use 'carp' to define a set of parents which should
534 be used as a CARP array. The requests will be
535 distributed among the parents based on the CARP load
536 balancing hash function based on their weigth.
538 'multicast-responder' indicates the named peer
539 is a member of a multicast group. ICP queries will
540 not be sent directly to the peer, but ICP replies
541 will be accepted from it.
543 'closest-only' indicates that, for ICP_OP_MISS
544 replies, we'll only forward CLOSEST_PARENT_MISSes
545 and never FIRST_PARENT_MISSes.
547 use 'no-digest' to NOT request cache digests from
550 'no-netdb-exchange' disables requesting ICMP
551 RTT database (NetDB) from the neighbor.
553 use 'no-delay' to prevent access to this neighbor
554 from influencing the delay pools.
556 use 'login=user:password' if this is a personal/workgroup
557 proxy and your parent requires proxy authentication.
558 Note: The string can include URL escapes (i.e. %20 for
559 spaces). This also means % must be written as %%.
561 use 'login=PASS' if users must authenticate against
562 the upstream proxy or in the case of a reverse proxy
563 configuration, the origin web server. This will pass
564 the users credentials as they are to the peer.
565 This only works for the Basic HTTP authentication scheme.
566 Note: To combine this with proxy_auth both proxies must
567 share the same user database as HTTP only allows for
569 Also be warned this will expose your users proxy
570 password to the peer. USE WITH CAUTION
572 use 'login=*:password' to pass the username to the
573 upstream cache, but with a fixed password. This is meant
574 to be used when the peer is in another administrative
575 domain, but it is still needed to identify each user.
576 The star can optionally be followed by some extra
577 information which is added to the username. This can
578 be used to identify this proxy to the peer, similar to
579 the login=username:password option above.
581 use 'connect-timeout=nn' to specify a peer
582 specific connect timeout (also see the
583 peer_connect_timeout directive)
585 use 'digest-url=url' to tell Squid to fetch the cache
586 digest (if digests are enabled) for this host from
587 the specified URL rather than the Squid default
590 use 'allow-miss' to disable Squid's use of only-if-cached
591 when forwarding requests to siblings. This is primarily
592 useful when icp_hit_stale is used by the sibling. To
593 extensive use of this option may result in forwarding
594 loops, and you should avoid having two-way peerings
595 with this option. (for example to deny peer usage on
596 requests from peer by denying cache_peer_access if the
599 use 'max-conn' to limit the amount of connections Squid
600 may open to this peer.
602 use 'htcp' to send HTCP, instead of ICP, queries
603 to the neighbor. You probably also want to
604 set the "icp port" to 4827 instead of 3130.
606 use 'htcp-oldsquid' to send HTCP to old Squid versions
608 'originserver' causes this parent peer to be contacted as
609 a origin server. Meant to be used in accelerator setups.
611 use 'name=xxx' if you have multiple peers on the same
612 host but different ports. This name can be used to
613 differentiate the peers in cache_peer_access and similar
616 use 'forceddomain=name' to forcibly set the Host header
617 of requests forwarded to this peer. Useful in accelerator
618 setups where the server (peer) expects a certain domain
619 name and using redirectors to feed this domainname
622 use 'ssl' to indicate connections to this peer should
623 bs SSL/TLS encrypted.
625 use 'sslcert=/path/to/ssl/certificate' to specify a client
626 SSL certificate to use when connecting to this peer.
628 use 'sslkey=/path/to/ssl/key' to specify the private SSL
629 key corresponding to sslcert above. If 'sslkey' is not
630 specified 'sslcert' is assumed to reference a
631 combined file containing both the certificate and the key.
633 use sslversion=1|2|3|4 to specify the SSL version to use
634 when connecting to this peer
635 1 = automatic (default)
640 use sslcipher=... to specify the list of valid SSL chipers
641 to use when connecting to this peer
643 use ssloptions=... to specify various SSL engine options:
644 NO_SSLv2 Disallow the use of SSLv2
645 NO_SSLv3 Disallow the use of SSLv3
646 NO_TLSv1 Disallow the use of TLSv1
647 See src/ssl_support.c or the OpenSSL documentation for
648 a more complete list.
650 use cafile=... to specify a file containing additional
651 CA certificates to use when verifying the peer certificate
653 use capath=... to specify a directory containing additional
654 CA certificates to use when verifying the peer certificate
656 use sslflags=... to specify various flags modifying the
659 Accept certificates even if they fail to
662 Don't use the default CA list built in
665 Don't verify the peer certificate
666 matches the server name
668 use sslname= to specify the peer name as advertised
669 in it's certificate. Used for verifying the correctness
670 of the received peer certificate. If not specified the
671 peer hostname will be used.
673 use front-end-https to enable the "Front-End-Https: On"
674 header needed when using Squid as a SSL frontend infront
675 of Microsoft OWA. See MS KB document Q307347 for details
676 on this header. If set to auto the header will
677 only be added if the request is forwarded as a https://
680 NOTE: non-ICP neighbors must be specified as 'parent'.
683 NAME: cache_peer_domain cache_host_domain
688 Use to limit the domains for which a neighbor cache will be
691 cache_peer_domain cache-host domain [domain ...]
692 cache_peer_domain cache-host !domain
694 For example, specifying
696 cache_peer_domain parent.foo.net .edu
698 has the effect such that UDP query packets are sent to
699 'bigserver' only when the requested object exists on a
700 server in the .edu domain. Prefixing the domainname
701 with '!' means the cache will be queried for objects
704 NOTE: * Any number of domains may be given for a cache-host,
705 either on the same or separate lines.
706 * When multiple domains are given for a particular
707 cache-host, the first matched domain is applied.
708 * Cache hosts with no domain restrictions are queried
710 * There are no defaults.
711 * There is also a 'cache_peer_access' tag in the ACL
716 NAME: neighbor_type_domain
721 usage: neighbor_type_domain neighbor parent|sibling domain domain ...
723 Modifying the neighbor type for specific domains is now
724 possible. You can treat some domains differently than the the
725 default neighbor type specified on the 'cache_peer' line.
726 Normally it should only be necessary to list domains which
727 should be treated differently because the default neighbor type
728 applies for hostnames which do not match domains listed here.
731 cache_peer parent cache.foo.org 3128 3130
732 neighbor_type_domain cache.foo.org sibling .com .net
733 neighbor_type_domain cache.foo.org sibling .au .de
736 NAME: icp_query_timeout
740 LOC: Config.Timeout.icp_query
742 Normally Squid will automatically determine an optimal ICP
743 query timeout value based on the round-trip-time of recent ICP
744 queries. If you want to override the value determined by
745 Squid, set this 'icp_query_timeout' to a non-zero value. This
746 value is specified in MILLISECONDS, so, to use a 2-second
747 timeout (the old default), you would write:
749 icp_query_timeout 2000
752 NAME: maximum_icp_query_timeout
756 LOC: Config.Timeout.icp_query_max
758 Normally the ICP query timeout is determined dynamically. But
759 sometimes it can lead to very large values (say 5 seconds).
760 Use this option to put an upper limit on the dynamic timeout
761 value. Do NOT use this option to always use a fixed (instead
762 of a dynamic) timeout value. To set a fixed timeout see the
763 'icp_query_timeout' directive.
766 NAME: minimum_icp_query_timeout
770 LOC: Config.Timeout.icp_query_min
772 Normally the ICP query timeout is determined dynamically. But
773 sometimes it can lead to very small timeouts, even lower than
774 the normal latency variance on your link due to traffic.
775 Use this option to put an lower limit on the dynamic timeout
776 value. Do NOT use this option to always use a fixed (instead
777 of a dynamic) timeout value. To set a fixed timeout see the
778 'icp_query_timeout' directive.
781 NAME: mcast_icp_query_timeout
785 LOC: Config.Timeout.mcast_icp_query
787 For Multicast peers, Squid regularly sends out ICP "probes" to
788 count how many other peers are listening on the given multicast
789 address. This value specifies how long Squid should wait to
790 count all the replies. The default is 2000 msec, or 2
794 NAME: dead_peer_timeout
798 LOC: Config.Timeout.deadPeer
800 This controls how long Squid waits to declare a peer cache
801 as "dead." If there are no ICP replies received in this
802 amount of time, Squid will declare the peer dead and not
803 expect to receive any further ICP replies. However, it
804 continues to send ICP queries, and will mark the peer as
805 alive upon receipt of the first subsequent ICP reply.
807 This timeout also affects when Squid expects to receive ICP
808 replies from peers. If more than 'dead_peer' seconds have
809 passed since the last ICP reply was received, Squid will not
810 expect to receive an ICP reply on the next query. Thus, if
811 your time between requests is greater than this timeout, you
812 will see a lot of requests sent DIRECT to origin servers
813 instead of to your parents.
817 NAME: hierarchy_stoplist
820 LOC: Config.hierarchy_stoplist
822 A list of words which, if found in a URL, cause the object to
823 be handled directly by this cache. In other words, use this
824 to not query neighbor caches for certain objects. You may
825 list this option multiple times.
827 #We recommend you to use at least the following line.
828 hierarchy_stoplist cgi-bin ?
836 LOC: Config.accessList.noCache
838 A list of ACL elements which, if matched, cause the request to
839 not be satisfied from the cache and the reply to not be cached.
840 In other words, use this to force certain objects to never be cached.
842 You must use the word 'DENY' to indicate the ACL names which should
845 Default is to allow all to be cached
847 #We recommend you to use the following two lines.
848 acl QUERY urlpath_regex cgi-bin \?
853 NAME: background_ping_rate
857 LOC: Config.backgroundPingRate
859 Controls how often the ICP pings are sent to siblings that
860 have background-ping set.
865 OPTIONS WHICH AFFECT THE CACHE SIZE
866 -----------------------------------------------------------------------------
873 LOC: Config.memMaxSize
875 NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
876 IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
877 USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
878 THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
880 'cache_mem' specifies the ideal amount of memory to be used
884 * Negative-Cached objects
886 Data for these objects are stored in 4 KB blocks. This
887 parameter specifies the ideal upper limit on the total size of
888 4 KB blocks allocated. In-Transit objects take the highest
891 In-transit objects have priority over the others. When
892 additional space is needed for incoming data, negative-cached
893 and hot objects will be released. In other words, the
894 negative-cached and hot objects will fill up any unused space
895 not needed for in-transit objects.
897 If circumstances require, this limit will be exceeded.
898 Specifically, if your incoming request rate requires more than
899 'cache_mem' of memory to hold in-transit objects, Squid will
900 exceed this limit to satisfy the new requests. When the load
901 decreases, blocks will be freed until the high-water mark is
902 reached. Thereafter, blocks will be used to store hot
908 COMMENT: (percent, 0-100)
911 LOC: Config.Swap.lowWaterMark
914 NAME: cache_swap_high
915 COMMENT: (percent, 0-100)
918 LOC: Config.Swap.highWaterMark
921 The low- and high-water marks for cache object replacement.
922 Replacement begins when the swap (disk) usage is above the
923 low-water mark and attempts to maintain utilization near the
924 low-water mark. As swap utilization gets close to high-water
925 mark object eviction becomes more aggressive. If utilization is
926 close to the low-water mark less replacement is done each time.
928 Defaults are 90% and 95%. If you have a large cache, 5% could be
929 hundreds of MB. If this is the case you may wish to set these
930 numbers closer together.
933 NAME: maximum_object_size
937 LOC: Config.Store.maxObjectSize
939 Objects larger than this size will NOT be saved on disk. The
940 value is specified in kilobytes, and the default is 4MB. If
941 you wish to get a high BYTES hit ratio, you should probably
942 increase this (one 32 MB object hit counts for 3200 10KB
943 hits). If you wish to increase speed more than your want to
944 save bandwidth you should leave this low.
946 NOTE: if using the LFUDA replacement policy you should increase
947 this value to maximize the byte hit rate improvement of LFUDA!
948 See replacement_policy below for a discussion of this policy.
951 NAME: minimum_object_size
955 LOC: Config.Store.minObjectSize
957 Objects smaller than this size will NOT be saved on disk. The
958 value is specified in kilobytes, and the default is 0 KB, which
959 means there is no minimum.
962 NAME: maximum_object_size_in_memory
966 LOC: Config.Store.maxInMemObjSize
968 Objects greater than this size will not be attempted to kept in
969 the memory cache. This should be set high enough to keep objects
970 accessed frequently in memory to improve performance whilst low
971 enough to keep larger objects from hoarding cache_mem .
975 COMMENT: (number of entries)
978 LOC: Config.ipcache.size
985 LOC: Config.ipcache.low
992 LOC: Config.ipcache.high
994 The size, low-, and high-water marks for the IP cache.
998 COMMENT: (number of entries)
1001 LOC: Config.fqdncache.size
1003 Maximum number of FQDN cache entries.
1006 NAME: cache_replacement_policy
1008 LOC: Config.replPolicy
1011 The cache replacement policy parameter determines which
1012 objects are evicted (replaced) when disk space is needed.
1014 lru : Squid's original list based LRU policy
1015 heap GDSF : Greedy-Dual Size Frequency
1016 heap LFUDA: Least Frequently Used with Dynamic Aging
1017 heap LRU : LRU policy implemented using a heap
1019 Applies to any cache_dir lines listed below this.
1021 The LRU policies keeps recently referenced objects.
1023 The heap GDSF policy optimizes object hit rate by keeping smaller
1024 popular objects in cache so it has a better chance of getting a
1025 hit. It achieves a lower byte hit rate than LFUDA though since
1026 it evicts larger (possibly popular) objects.
1028 The heap LFUDA policy keeps popular objects in cache regardless of
1029 their size and thus optimizes byte hit rate at the expense of
1030 hit rate since one large, popular object will prevent many
1031 smaller, slightly less popular objects from being cached.
1033 Both policies utilize a dynamic aging mechanism that prevents
1034 cache pollution that can otherwise occur with frequency-based
1035 replacement policies.
1037 NOTE: if using the LFUDA replacement policy you should increase
1038 the value of maximum_object_size above its default of 4096 KB to
1039 to maximize the potential byte hit rate improvement of LFUDA.
1041 For more information about the GDSF and LFUDA cache replacement
1042 policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
1043 and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
1046 NAME: memory_replacement_policy
1048 LOC: Config.memPolicy
1051 The memory replacement policy parameter determines which
1052 objects are purged from memory when memory space is needed.
1054 See cache_replacement_policy for details.
1059 LOGFILE PATHNAMES AND CACHE DIRECTORIES
1060 -----------------------------------------------------------------------------
1066 DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256
1067 LOC: Config.cacheSwap
1071 cache_dir Type Directory-Name Fs-specific-data [options]
1073 You can specify multiple cache_dir lines to spread the
1074 cache among different disk partitions.
1076 Type specifies the kind of storage system to use. Only "ufs"
1077 is built by default. To enable any of the other storage systems
1078 see the --enable-storeio configure option.
1080 'Directory' is a top-level directory where cache swap
1081 files will be stored. If you want to use an entire disk
1082 for caching, this can be the mount-point directory.
1083 The directory must exist and be writable by the Squid
1084 process. Squid will NOT create this directory for you.
1088 "ufs" is the old well-known Squid storage format that has always
1091 cache_dir ufs Directory-Name Mbytes L1 L2 [options]
1093 'Mbytes' is the amount of disk space (MB) to use under this
1094 directory. The default is 100 MB. Change this to suit your
1095 configuration. Do NOT put the size of your disk drive here.
1096 Instead, if you want Squid to use the entire disk drive,
1097 subtract 20% and use that value.
1099 'Level-1' is the number of first-level subdirectories which
1100 will be created under the 'Directory'. The default is 16.
1102 'Level-2' is the number of second-level subdirectories which
1103 will be created under each first-level directory. The default
1106 The aufs store type:
1108 "aufs" uses the same storage format as "ufs", utilizing
1109 POSIX-threads to avoid blocking the main Squid process on
1110 disk-I/O. This was formerly known in Squid as async-io.
1112 cache_dir aufs Directory-Name Mbytes L1 L2 [options]
1114 see argument descriptions under ufs above
1116 The diskd store type:
1118 "diskd" uses the same storage format as "ufs", utilizing a
1119 separate process to avoid blocking the main Squid process on
1122 cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
1124 see argument descriptions under ufs above
1126 Q1 specifies the number of unacknowledged I/O requests when Squid
1127 stops opening new files. If this many messages are in the queues,
1128 Squid won't open new files. Default is 64
1130 Q2 specifies the number of unacknowledged messages when Squid
1131 starts blocking. If this many messages are in the queues,
1132 Squid blocks until it receives some replies. Default is 72
1134 When Q1 < Q2 (the default), the cache directory is optimized
1135 for lower response time at the expense of a decrease in hit
1136 ratio. If Q1 > Q2, the cache directory is optimized for
1137 higher hit ratio at the expense of an increase in response
1140 The coss store type:
1142 block-size=n defines the "block size" for COSS cache_dir's.
1143 Squid uses file numbers as block numbers. Since file numbers
1144 are limited to 24 bits, the block size determines the maximum
1145 size of the COSS partition. The default is 512 bytes, which
1146 leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
1147 you should not change the coss block size after Squid
1148 has written some objects to the cache_dir.
1150 The coss file store has changed from 2.5. Now it uses a file
1151 called 'stripe' in the directory names in the config - and
1152 this will be created by squid -z.
1156 read-only, this cache_dir is read only.
1158 max-size=n, refers to the max object size this storedir supports.
1159 It is used to initially choose the storedir to dump the object.
1160 Note: To make optimal use of the max-size limits you should order
1161 the cache_dir lines with the smallest max-size value first and the
1162 ones with no max-size specification last.
1164 Note for coss, max-size must be less than COSS_MEMBUF_SZ,
1165 which can be changed with the --with-coss-membuf-size=N configure
1168 The null store type:
1170 no options are allowed or required
1176 LOC: Config.Log.logformats
1181 logformat <name> <format specification>
1183 Defines an access log format.
1185 The <format specification> is a string with embedded % format codes
1187 % format codes all follow the same basic structure where all but
1188 the formatcode is optional. Output strings are automatically escaped
1189 as required according to their context and the output format
1190 modifiers are usually not needed, but can be specified if an explicit
1191 output format is desired.
1193 % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
1195 " output in quoted string format
1196 [ output in squid text log format as used by log_mime_hdrs
1197 # output in URL quoted format
1201 width field width. If starting with 0 the
1202 output is zero padded
1203 {arg} argument such as header name etc
1207 >a Client source IP address
1209 >p Client source port
1210 <A Server IP address or peer name
1211 la Local IP address (http_port)
1212 lp Local port number (http_port)
1213 ts Seconds since epoch
1214 tu subsecond time (milliseconds)
1215 tl Local time. Optional strftime format argument
1216 default %d/%b/%Y:%H:%M:S %z
1217 tg GMT time. Optional strftime format argument
1218 default %d/%b/%Y:%H:%M:S %z
1219 tr Response time (milliseconds)
1220 >h Request header. Optional header name argument
1221 on the format header[:[separator]element]
1222 <h Reply header. Optional header name argument
1227 ue User from external acl
1229 Ss Squid request status (TCP_MISS etc)
1230 Sh Squid hierarchy status (DEFAULT_PARENT etc)
1231 mt MIME content type
1232 rm Request method (GET/POST etc)
1234 rv Request protocol version
1235 et Tag returned by external acl
1236 ea Log string returned by external acl
1237 <st Reply size including HTTP headers
1238 <sH Reply high offset sent
1239 <sS Upstream object size
1240 % a literal % character
1242 logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
1243 logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
1244 logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
1245 logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
1248 NAME: access_log cache_access_log
1250 LOC: Config.Log.accesslogs
1252 DEFAULT_IF_NONE: @DEFAULT_ACCESS_LOG@
1254 These files log client request activities. Has a line every HTTP or
1255 ICP request. The format is:
1256 access_log <filepath> [<logformat name> [acl acl ...]]
1257 access_log none [acl acl ...]]
1259 Will log to the specified file using the specified format (which
1260 must be defined in a logformat directive) those entries which match
1261 ALL the acl's specified (which must be defined in acl clauses).
1262 If no acl is specified, all requests will be logged to this file.
1264 To disable logging of a request use the filepath "none", in which case
1265 a logformat name should not be specified.
1267 To log the request via syslog specify a filepath of "syslog":
1269 access_log syslog[:facility|priority] [format [acl1 [acl2 ....]]]
1270 where facility could be any of:
1271 LOG_AUTHPRIV, LOG_DAEMON, LOG_LOCAL0 .. LOG_LOCAL7 or LOG_USER.
1273 And priority could be any of:
1274 LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG.
1280 DEFAULT: @DEFAULT_CACHE_LOG@
1283 Cache logging file. This is where general information about
1284 your cache's behavior goes. You can increase the amount of data
1285 logged to this file with the "debug_options" tag below.
1289 NAME: cache_store_log
1291 DEFAULT: @DEFAULT_STORE_LOG@
1292 LOC: Config.Log.store
1294 Logs the activities of the storage manager. Shows which
1295 objects are ejected from the cache, and which objects are
1296 saved and for how long. To disable, enter "none". There are
1297 not really utilities to analyze this data, so you can safely
1302 NAME: cache_swap_state cache_swap_log
1304 LOC: Config.Log.swap
1307 Location for the cache "swap.state" file. This index file holds
1308 the metadata of objects saved on disk. It is used to rebuild
1309 the cache during startup. Normally this file resides in each
1310 'cache_dir' directory, but you may specify an alternate
1311 pathname here. Note you must give a full filename, not just
1312 a directory. Since this is the index for the whole object
1313 list you CANNOT periodically rotate it!
1315 If %s can be used in the file name it will be replaced with a
1316 a representation of the cache_dir name where each / is replaced
1317 with '.'. This is needed to allow adding/removing cache_dir
1318 lines when cache_swap_log is being used.
1320 If have more than one 'cache_dir', and %s is not used in the name
1321 these swap logs will have names such as:
1327 The numbered extension (which is added automatically)
1328 corresponds to the order of the 'cache_dir' lines in this
1329 configuration file. If you change the order of the 'cache_dir'
1330 lines in this file, these log files will NOT correspond to
1331 the correct 'cache_dir' entry (unless you manually rename
1332 them). We recommend you do NOT use this option. It is
1333 better to keep these log files in each 'cache_dir' directory.
1337 NAME: emulate_httpd_log
1341 LOC: Config.onoff.common_log
1343 The Cache can emulate the log file format which many 'httpd'
1344 programs use. To disable/enable this emulation, set
1345 emulate_httpd_log to 'off' or 'on'. The default
1346 is to use the native log format since it includes useful
1347 information Squid-specific log analyzers use.
1350 NAME: log_ip_on_direct
1354 LOC: Config.onoff.log_ip_on_direct
1356 Log the destination IP address in the hierarchy log tag when going
1357 direct. Earlier Squid versions logged the hostname here. If you
1358 prefer the old way set this to off.
1363 DEFAULT: @DEFAULT_MIME_TABLE@
1364 LOC: Config.mimeTablePathname
1366 Pathname to Squid's MIME table. You shouldn't need to change
1367 this, but the default file contains examples and formatting
1368 information if you do.
1375 LOC: Config.onoff.log_mime_hdrs
1378 The Cache can record both the request and the response MIME
1379 headers for each HTTP transaction. The headers are encoded
1380 safely and will appear as two bracketed fields at the end of
1381 the access log (for either the native or httpd-emulated log
1382 formats). To enable this logging set log_mime_hdrs to 'on'.
1388 LOC: Config.Log.useragent
1390 IFDEF: USE_USERAGENT_LOG
1392 Squid will write the User-Agent field from HTTP requests
1393 to the filename specified here. By default useragent_log
1400 LOC: Config.Log.referer
1402 IFDEF: USE_REFERER_LOG
1404 Squid will write the Referer field from HTTP requests to the
1405 filename specified here. By default referer_log is disabled.
1411 DEFAULT: @DEFAULT_PID_FILE@
1412 LOC: Config.pidFilename
1414 A filename to write the process-id to. To disable, enter "none".
1421 LOC: Config.debugOptions
1423 Logging options are set as section,level where each source file
1424 is assigned a unique section. Lower levels result in less
1425 output, Full debugging (level 9) can result in a very large
1426 log file, so be careful. The magic word "ALL" sets debugging
1427 levels for all sections. We recommend normally running with
1436 LOC: Config.onoff.log_fqdn
1438 Turn this on if you wish to log fully qualified domain names
1439 in the access.log. To do this Squid does a DNS lookup of all
1440 IP's connecting to it. This can (in some situations) increase
1441 latency, which makes your cache seem slower for interactive
1446 NAME: client_netmask
1448 LOC: Config.Addrs.client_netmask
1449 DEFAULT: 255.255.255.255
1451 A netmask for client addresses in logfiles and cachemgr output.
1452 Change this to protect the privacy of your cache clients.
1453 A netmask of 255.255.255.0 will log all IP's in that range with
1454 the last digit set to '0'.
1459 OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
1460 -----------------------------------------------------------------------------
1466 LOC: Config.Ftp.anon_user
1468 If you want the anonymous login password to be more informative
1469 (and enable the use of picky ftp servers), set this to something
1470 reasonable for your domain, like wwwuser@somewhere.net
1472 The reason why this is domainless by default is the
1473 request can be made on the behalf of a user in any domain,
1474 depending on how the cache is used.
1475 Some ftp server also validate the email address is valid
1476 (for example perl.com).
1479 NAME: ftp_list_width
1482 LOC: Config.Ftp.list_width
1484 Sets the width of ftp listings. This should be set to fit in
1485 the width of a standard browser. Setting this too small
1486 can cut off long filenames when browsing ftp sites.
1492 LOC: Config.Ftp.passive
1494 If your firewall does not allow Squid to use passive
1495 connections, turn off this option.
1498 NAME: ftp_sanitycheck
1501 LOC: Config.Ftp.sanitycheck
1503 For security and data integrity reasons Squid by default performs
1504 sanity checks of the addresses of FTP data connections ensure the
1505 data connection is to the requested server. If you need to allow
1506 FTP connections to servers using another IP address for the data
1507 connection turn this off.
1510 NAME: check_hostnames
1513 LOC: Config.onoff.check_hostnames
1515 For security and stability reasons Squid by default checks
1516 hostnames for Internet standard RFC compliance. If you do not want
1517 Squid to perform these checks turn this directive off.
1520 NAME: ftp_telnet_protocol
1523 LOC: Config.Ftp.telnet
1525 The FTP protocol is officially defined to use the telnet protocol
1526 as transport channel for the control connection. However, many
1527 implementations are broken and does not respect this aspect of
1530 If you have trouble accessing files with ASCII code 255 in the
1531 path or similar problems involving this ASCII code you can
1532 try setting this directive to off. If that helps, report to the
1533 operator of the FTP server in question that their FTP server
1534 is broken and does not follow the FTP standard.
1537 NAME: cache_dns_program
1539 IFDEF: USE_DNSSERVERS
1540 DEFAULT: @DEFAULT_DNSSERVER@
1541 LOC: Config.Program.dnsserver
1543 Specify the location of the executable for dnslookup process.
1548 IFDEF: USE_DNSSERVERS
1550 LOC: Config.dnsChildren
1552 The number of processes spawn to service DNS name lookups.
1553 For heavily loaded caches on large servers, you should
1554 probably increase this value to at least 10. The maximum
1555 is 32. The default is 5.
1557 You must have at least one dnsserver process.
1560 NAME: dns_retransmit_interval
1563 LOC: Config.Timeout.idns_retransmit
1564 IFDEF: !USE_DNSSERVERS
1566 Initial retransmit interval for DNS queries. The interval is
1567 doubled each time all configured DNS servers have been tried.
1574 LOC: Config.Timeout.idns_query
1575 IFDEF: !USE_DNSSERVERS
1577 DNS Query timeout. If no response is received to a DNS query
1578 within this time all DNS servers for the queried domain
1579 are assumed to be unavailable.
1586 LOC: Config.onoff.res_defnames
1588 Normally the RES_DEFNAMES resolver option is disabled
1589 (see res_init(3)). This prevents caches in a hierarchy
1590 from interpreting single-component hostnames locally. To allow
1591 Squid to handle single-component names, enable this option.
1594 NAME: dns_nameservers
1597 LOC: Config.dns_nameservers
1599 Use this if you want to specify a list of DNS name servers
1600 (IP addresses) to use instead of those given in your
1601 /etc/resolv.conf file.
1602 On Windows platforms, if no value is specified here or in
1603 the /etc/resolv.conf file, the list of DNS name servers are
1604 taken from the Windows registry, both static and dynamic DHCP
1605 configurations are supported.
1607 Example: dns_nameservers 10.0.0.1 192.172.0.4
1612 DEFAULT: @DEFAULT_HOSTS@
1613 LOC: Config.etcHostsPath
1615 Location of the host-local IP name-address associations
1616 database. Most Operating Systems have such a file on different
1618 - Un*X & Linux: /etc/hosts
1619 - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
1620 (%SystemRoot% value install default is c:\winnt)
1621 - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
1622 (%SystemRoot% value install default is c:\windows)
1623 - Windows 9x/Me: %windir%\hosts
1624 (%windir% value is usually c:\windows)
1625 - Cygwin: /etc/hosts
1627 The file contains newline-separated definitions, in the
1628 form ip_address_in_dotted_form name [name ...] names are
1629 whitespace-separated. Lines beginning with an hash (#)
1630 character are comments.
1632 The file is checked at startup and upon configuration.
1633 If set to 'none', it won't be checked.
1634 If append_domain is used, that domain will be added to
1635 domain-local (i.e. not containing any dot character) host
1641 DEFAULT: @DEFAULT_DISKD@
1642 LOC: Config.Program.diskd
1644 Specify the location of the diskd executable.
1645 Note this is only useful if you have compiled in
1646 diskd as one of the store io modules.
1649 NAME: unlinkd_program
1652 DEFAULT: @DEFAULT_UNLINKD@
1653 LOC: Config.Program.unlinkd
1655 Specify the location of the executable for file deletion process.
1658 NAME: pinger_program
1660 DEFAULT: @DEFAULT_PINGER@
1661 LOC: Config.Program.pinger
1664 Specify the location of the executable for the pinger process.
1668 NAME: url_rewrite_program redirect_program
1670 LOC: Config.Program.redirect
1673 Specify the location of the executable for the URL redirector.
1674 Since they can perform almost any function there isn't one included.
1675 See the FAQ (section 15) for information on how to write one.
1676 By default, a redirector is not used.
1680 NAME: url_rewrite_children redirect_children
1683 LOC: Config.redirectChildren
1685 The number of redirector processes to spawn. If you start
1686 too few Squid will have to wait for them to process a backlog of
1687 URLs, slowing it down. If you start too many they will use RAM
1688 and other system resources.
1691 NAME: url_rewrite_concurrency redirect_concurrency
1694 LOC: Config.redirectConcurrency
1696 The number of requests each redirector helper can handle in
1697 parallell. Defaults to 0 which indicates the redirector
1698 is a old-style singlethreaded redirector.
1701 NAME: url_rewrite_host_header redirect_rewrites_host_header
1704 LOC: Config.onoff.redir_rewrites_host
1706 By default Squid rewrites any Host: header in redirected
1707 requests. If you are running an accelerator this may
1708 not be a wanted effect of a redirector.
1710 WARNING: Entries are cached on the result of the URL rewriting
1711 process, so be careful if you have domain-virtual hosts.
1714 NAME: redirector_access
1717 LOC: Config.accessList.redirector
1719 If defined, this access list specifies which requests are
1720 sent to the redirector processes. By default all requests
1726 LOC: Config.authConfiguration
1729 This is used to pass parameters to the various authentication
1731 format: auth_param scheme parameter [setting]
1733 auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
1734 would tell the basic authentication scheme it's program parameter.
1736 The order authentication prompts are presented to the client_agent
1737 is dependent on the order the scheme first appears in config file.
1738 IE has a bug (it's not rfc 2617 compliant) in that it will use the basic
1739 scheme if basic is the first entry presented, even if more secure schemes
1740 are presented. For now use the order in the file below. If other browsers
1741 have difficulties (don't recognize the schemes offered even if you are using
1742 basic) either put basic first, or disable the other schemes (by commenting
1743 out their program entry).
1745 Once an authentication scheme is fully configured, it can only be shutdown
1746 by shutting squid down and restarting. Changes can be made on the fly and
1747 activated with a reconfigure. I.E. You can change to a different helper,
1748 but not unconfigure the helper completely.
1750 === Parameters for the basic scheme follow. ===
1753 Specify the command for the external authenticator. Such a
1754 program reads a line containing "username password" and replies
1755 "ERR" in an endless loop. "ERR" responses may optionally be followed
1756 by a error description available as %m in the returned error page.
1757 If you use an authenticator, make sure you have 1 acl of type proxy_auth.
1758 By default, the basic authentication scheme is not used unless a program
1761 If you want to use the traditional proxy authentication,
1762 jump over to the ../helpers/basic_auth/NCSA directory and
1767 Then, set this line to something like
1769 auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
1771 "children" numberofchildren
1772 The number of authenticator processes to spawn (no default).
1773 If you start too few Squid will have to wait for them to
1774 process a backlog of usercode/password verifications, slowing
1775 it down. When password verifications are done via a (slow)
1776 network you are likely to need lots of authenticator
1778 auth_param basic children 5
1780 "concurrency" concurrency
1781 The number of concurrent requests the helper can process.
1782 The default of 0 is used for helpers who only supports
1783 one request at a time.
1784 auth_param basic concurrency 0
1787 Specifies the realm name which is to be reported to the
1788 client for the basic proxy authentication scheme (part of
1789 the text the user will see when prompted their username and
1790 password). There is no default.
1791 auth_param basic realm Squid proxy-caching web server
1793 "credentialsttl" timetolive
1794 Specifies how long squid assumes an externally validated
1795 username:password pair is valid for - in other words how
1796 often the helper program is called for that user. Set this
1797 low to force revalidation with short lived passwords. Note
1798 setting this high does not impact your susceptibility
1799 to replay attacks unless you are using an one-time password
1800 system (such as SecureID). If you are using such a system,
1801 you will be vulnerable to replay attacks unless you also
1802 use the max_user_ip ACL in an http_access rule.
1804 "casesensitive" on|off
1805 Specifies if usernames are case sensitive. Most user databases are
1806 case insensitive allowing the same username to be spelled using both
1807 lower and upper case letters, but some are case sensitive. This
1808 makes a big difference for user_max_ip ACL processing and similar.
1809 auth_param basic casesensitive off
1811 === Parameters for the digest scheme follow ===
1814 Specify the command for the external authenticator. Such
1815 a program reads a line containing "username":"realm" and
1816 replies with the appropriate H(A1) value hex encoded or
1817 ERR if the user (or his H(A1) hash) does not exists.
1818 See rfc 2616 for the definition of H(A1).
1819 "ERR" responses may optionally be followed by a error description
1820 available as %m in the returned error page.
1822 By default, the digest authentication is not used unless a
1823 program is specified.
1825 If you want to use a digest authenticator, jump over to the
1826 helpers/digest_auth/ directory and choose the authenticator
1827 to use. In it's directory type
1831 Then, set this line to something like
1833 auth_param digest program @DEFAULT_PREFIX@/bin/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass
1836 "children" numberofchildren
1837 The number of authenticator processes to spawn (no default).
1838 If you start too few Squid will have to wait for them to
1839 process a backlog of H(A1) calculations, slowing it down.
1840 When the H(A1) calculations are done via a (slow) network
1841 you are likely to need lots of authenticator processes.
1842 auth_param digest children 5
1845 Specifies the realm name which is to be reported to the
1846 client for the digest proxy authentication scheme (part of
1847 the text the user will see when prompted their username and
1848 password). There is no default.
1849 auth_param digest realm Squid proxy-caching web server
1851 "nonce_garbage_interval" timeinterval
1852 Specifies the interval that nonces that have been issued
1853 to client_agent's are checked for validity.
1855 "nonce_max_duration" timeinterval
1856 Specifies the maximum length of time a given nonce will be
1859 "nonce_max_count" number
1860 Specifies the maximum number of times a given nonce can be
1863 "nonce_strictness" on|off
1864 Determines if squid requires strict increment-by-1 behavior
1865 for nonce counts, or just incrementing (off - for use when
1866 useragents generate nonce counts that occasionally miss 1
1867 (ie, 1,2,4,6)). Default off.
1869 "check_nonce_count" on|off
1870 This directive if set to off can disable the nonce count check
1871 completely to work around buggy digest qop implementations in
1872 certain mainstream browser versions. Default on to check the
1873 nonce count to protect from authentication replay attacks.
1875 "post_workaround" on|off
1876 This is a workaround to certain buggy browsers who sends
1877 an incorrect request digest in POST requests when reusing
1878 the same nonce as acquired earlier on a GET request.
1880 === NTLM scheme options follow ===
1883 Specify the command for the external NTLM authenticator.
1884 Such a program reads exchanged NTLMSSP packets with
1885 the browser via Squid until authentication is completed.
1886 If you use an NTLM authenticator, make sure you have 1 acl
1887 of type proxy_auth. By default, the NTLM authenticator_program
1890 auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
1892 "children" numberofchildren
1893 The number of authenticator processes to spawn (no default).
1894 If you start too few Squid will have to wait for them to
1895 process a backlog of credential verifications, slowing it
1896 down. When credential verifications are done via a (slow)
1897 network you are likely to need lots of authenticator
1900 auth_param ntlm children 5
1903 If you experience problems with PUT/POST requests when using the
1904 Negotiate authentication scheme then you can try setting this to
1905 off. This will cause Squid to forcibly close the connection on
1906 the initial requests where the browser asks which schemes are
1907 supported by the proxy.
1909 auth_param ntlm keep_alive on
1911 === Options for configuring the NEGOTIATE auth-scheme follow ===
1914 Specify the command for the external Negotiate authenticator.
1915 This protocol is used in Microsoft Active-Directory enabled setups with
1916 the Microsoft Internet Explorer or Mozilla Firefox browsers.
1917 Its main purpose is to exchange credentials with the Squid proxy
1918 using the Kerberos mechanisms.
1919 If you use a Negotiate authenticator, make sure you have at least one acl
1920 of type proxy_auth active. By default, the negotiate authenticator_program
1922 The only supported program for this role is the ntlm_auth
1923 program distributed as part of Samba, version 4 or later.
1925 auth_param negotiate program @DEFAULT_PREFIX@/bin/ntlm_auth --helper-protocol=gss-spnego
1927 "children" numberofchildren
1928 The number of authenticator processes to spawn (no default).
1929 If you start too few Squid will have to wait for them to
1930 process a backlog of credential verifications, slowing it
1931 down. When crendential verifications are done via a (slow)
1932 network you are likely to need lots of authenticator
1934 auth_param negotiate children 5
1937 If you experience problems with PUT/POST requests when using the
1938 Negotiate authentication scheme then you can try setting this to
1939 off. This will cause Squid to forcibly close the connection on
1940 the initial requests where the browser asks which schemes are
1941 supported by the proxy.
1943 auth_param negotiate keep_alive on
1946 #Recommended minimum configuration per scheme:
1947 #auth_param negotiate program <uncomment and complete this line to activate>
1948 #auth_param negotiate children 5
1949 #auth_param negotiate keep_alive on
1950 #auth_param ntlm program <uncomment and complete this line to activate>
1951 #auth_param ntlm children 5
1952 #auth_param ntlm keep_alive on
1953 #auth_param digest program <uncomment and complete this line>
1954 #auth_param digest children 5
1955 #auth_param digest realm Squid proxy-caching web server
1956 #auth_param digest nonce_garbage_interval 5 minutes
1957 #auth_param digest nonce_max_duration 30 minutes
1958 #auth_param digest nonce_max_count 50
1959 #auth_param basic program <uncomment and complete this line>
1960 #auth_param basic children 5
1961 #auth_param basic realm Squid proxy-caching web server
1962 #auth_param basic credentialsttl 2 hours
1966 NAME: authenticate_cache_garbage_interval
1969 LOC: Config.authenticateGCInterval
1971 The time period between garbage collection across the
1972 username cache. This is a tradeoff between memory utilization
1973 (long intervals - say 2 days) and CPU (short intervals -
1974 say 1 minute). Only change if you have good reason to.
1977 NAME: authenticate_ttl
1980 LOC: Config.authenticateTTL
1982 The time a user & their credentials stay in the logged in
1983 user cache since their last request. When the garbage
1984 interval passes, all user credentials that have passed their
1985 TTL are removed from memory.
1988 NAME: authenticate_ip_ttl
1990 LOC: Config.authenticateIpTTL
1993 If you use proxy authentication and the 'max_user_ip' ACL,
1994 this directive controls how long Squid remembers the IP
1995 addresses associated with each user. Use a small value
1996 (e.g., 60 seconds) if your users might change addresses
1997 quickly, as is the case with dialups. You might be safe
1998 using a larger value (e.g., 2 hours) in a corporate LAN
1999 environment with relatively static address assignments.
2002 NAME: external_acl_type
2003 TYPE: externalAclHelper
2004 LOC: Config.externalAclHelperList
2007 This option defines external acl classes using a helper program
2008 to look up the status
2010 external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
2014 ttl=n TTL in seconds for cached results (defaults to 3600
2017 TTL for cached negative lookups (default same
2019 children=n Number of acl helper processes spawn to service
2020 external acl lookups of this type.
2021 concurrency=n concurrency level per process. Use 0 for old style
2022 helpers who can only process a single request at a
2024 cache=n result cache size, 0 is unbounded (default)
2025 grace=n Percentage remaining of TTL where a refresh of a
2026 cached entry should be initiated without needing to
2027 wait for a new reply. (default 0 for no grace period)
2028 protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
2030 FORMAT specifications
2032 %LOGIN Authenticated user login name
2033 %EXT_USER Username from external acl
2034 %IDENT Ident user name
2036 %SRCPORT Client source port
2038 %PROTO Requested protocol
2039 %PORT Requested port
2040 %PATH Requested URL path
2041 %METHOD Request method
2042 %MYADDR Squid interface address
2043 %MYPORT Squid http_port number
2044 %USER_CERT SSL User certificate in PEM format
2045 %USER_CERTCHAIN SSL User certificate chain in PEM format
2046 %USER_CERT_xx SSL User certificate subject attribute xx
2047 %USER_CA_xx SSL User certificate issuer attribute xx
2048 %{Header} HTTP request header
2049 %{Hdr:member} HTTP request header list member
2051 HTTP request header list member using ; as
2052 list separator. ; can be any non-alphanumeric
2055 In addition, any string specified in the referencing acl will
2056 also be included in the helper request line, after the specified
2057 formats (see the "acl external" directive)
2059 The helper receives lines per the above format specification,
2060 and returns lines starting with OK or ERR indicating the validity
2061 of the request and optionally followed by additional keywords with
2062 more details. To protect from odd characters the data is URL
2065 General result syntax:
2067 OK/ERR keyword=value ...
2071 user= The users name (login)
2072 password= The users password (for login= cache_peer option)
2073 message= Message describing the reason. Available as %o
2075 tag= Apply a tag to a request (for both ERR and OK results)
2076 Only sets a tag, does not alter existing tags.
2077 log= String to be logged in access.log. Available as
2078 %ea in logformat specifications
2080 Keyword values need to be URL escaped if they may contain
2081 contain whitespace or quotes.
2083 In Squid-2.5 compatibility mode quoting using " and \ is used
2084 instead of URL escaping.
2088 OPTIONS FOR TUNING THE CACHE
2089 -----------------------------------------------------------------------------
2092 NAME: wais_relay_host
2095 LOC: Config.Wais.relayHost
2098 NAME: wais_relay_port
2101 LOC: Config.Wais.relayPort
2103 Relay WAIS request to host (1st arg) at port (2 arg).
2107 NAME: request_header_max_size
2111 LOC: Config.maxRequestHeaderSize
2113 This specifies the maximum size for HTTP headers in a request.
2114 Request headers are usually relatively small (about 512 bytes).
2115 Placing a limit on the request header size will catch certain
2116 bugs (for example with persistent connections) and possibly
2117 buffer-overflow or denial-of-service attacks.
2120 NAME: request_body_max_size
2124 LOC: Config.maxRequestBodySize
2126 This specifies the maximum size for an HTTP request body.
2127 In other words, the maximum size of a PUT/POST request.
2128 A user who attempts to send a request with a body larger
2129 than this limit receives an "Invalid Request" error message.
2130 If you set this parameter to a zero (the default), there will
2131 be no limit imposed.
2134 NAME: refresh_pattern
2135 TYPE: refreshpattern
2139 usage: refresh_pattern [-i] regex min percent max [options]
2141 By default, regular expressions are CASE-SENSITIVE. To make
2142 them case-insensitive, use the -i option.
2144 'Min' is the time (in minutes) an object without an explicit
2145 expiry time should be considered fresh. The recommended
2146 value is 0, any higher values may cause dynamic applications
2147 to be erroneously cached unless the application designer
2148 has taken the appropriate actions.
2150 'Percent' is a percentage of the objects age (time since last
2151 modification age) an object without explicit expiry time
2152 will be considered fresh.
2154 'Max' is an upper limit on how long objects without an explicit
2155 expiry time will be considered fresh.
2157 options: override-expire
2167 override-expire enforces min age even if the server
2168 sent a Expires: header. Doing this VIOLATES the HTTP
2169 standard. Enabling this feature could make you liable
2170 for problems which it causes.
2172 override-lastmod enforces min age even on objects
2173 that were modified recently.
2175 reload-into-ims changes client no-cache or ``reload''
2176 to If-Modified-Since requests. Doing this VIOLATES the
2177 HTTP standard. Enabling this feature could make you
2178 liable for problems which it causes.
2180 ignore-reload ignores a client no-cache or ``reload''
2181 header. Doing this VIOLATES the HTTP standard. Enabling
2182 this feature could make you liable for problems which
2185 ignore-no-cache ignores any ``Pragma: no-cache'' and
2186 ``Cache-control: no-cache'' headers received from a server.
2187 The HTTP RFC never allows the use of this (Pragma) header
2188 from a server, only a client, though plenty of servers
2191 ignore-no-store ignores any ``Cache-control: no-store''
2192 headers received from a server. Doing this VIOLATES
2193 the HTTP standard. Enabling this feature could make you
2194 liable for problems which it causes.
2196 ignore-private ignores any ``Cache-control: private''
2197 headers received from a server. Doing this VIOLATES
2198 the HTTP standard. Enabling this feature could make you
2199 liable for problems which it causes.
2201 ignore-auth caches responses to requests with authorization,
2202 irrespective of ``Cache-control'' headers received from
2203 a server. Doing this VIOLATES the HTTP standard. Enabling
2204 this feature could make you liable for problems which
2207 refresh-ims causes squid to contact the origin server
2208 when a client issues an If-Modified-Since request. This
2209 ensures that the client will receive an updated version
2210 if one is available.
2212 Basically a cached object is:
2214 FRESH if expires < now, else STALE
2216 FRESH if lm-factor < percent, else STALE
2220 The refresh_pattern lines are checked in the order listed here.
2221 The first entry which matches is used. If none of the entries
2222 match the default will be used.
2224 Note, you must uncomment all the default lines if you want
2225 to change one. The default setting is only active if none is
2230 refresh_pattern ^ftp: 1440 20% 10080
2231 refresh_pattern ^gopher: 1440 0% 1440
2232 refresh_pattern . 0 20% 4320
2236 NAME: quick_abort_min
2240 LOC: Config.quickAbort.min
2243 NAME: quick_abort_max
2247 LOC: Config.quickAbort.max
2250 NAME: quick_abort_pct
2254 LOC: Config.quickAbort.pct
2256 The cache by default continues downloading aborted requests
2257 which are almost completed (less than 16 KB remaining). This
2258 may be undesirable on slow (e.g. SLIP) links and/or very busy
2259 caches. Impatient users may tie up file descriptors and
2260 bandwidth by repeatedly requesting and immediately aborting
2263 When the user aborts a request, Squid will check the
2264 quick_abort values to the amount of data transfered until
2267 If the transfer has less than 'quick_abort_min' KB remaining,
2268 it will finish the retrieval.
2270 If the transfer has more than 'quick_abort_max' KB remaining,
2271 it will abort the retrieval.
2273 If more than 'quick_abort_pct' of the transfer has completed,
2274 it will finish the retrieval.
2276 If you do not want any retrieval to continue after the client
2277 has aborted, set both 'quick_abort_min' and 'quick_abort_max'
2280 If you want retrievals to always continue if they are being
2281 cached set 'quick_abort_min' to '-1 KB'.
2284 NAME: read_ahead_gap
2285 COMMENT: buffer-size
2287 LOC: Config.readAheadGap
2290 The amount of data the cache will buffer ahead of what has been
2291 sent to the client when retrieving an object from another server.
2297 LOC: Config.negativeTtl
2300 Time-to-Live (TTL) for failed requests. Certain types of
2301 failures (such as "connection refused" and "404 Not Found") are
2302 negatively-cached for a configurable amount of time. The
2303 default is 5 minutes. Note that this is different from
2304 negative caching of DNS lookups.
2308 NAME: positive_dns_ttl
2311 LOC: Config.positiveDnsTtl
2314 Time-to-Live (TTL) for positive caching of successful DNS lookups.
2315 Default is 6 hours (360 minutes). If you want to minimize the
2316 use of Squid's ipcache, set this to 1, not 0.
2320 NAME: negative_dns_ttl
2323 LOC: Config.negativeDnsTtl
2326 Time-to-Live (TTL) for negative caching of failed DNS lookups.
2329 NAME: range_offset_limit
2332 LOC: Config.rangeOffsetLimit
2335 Sets a upper limit on how far into the the file a Range request
2336 may be to cause Squid to prefetch the whole file. If beyond this
2337 limit Squid forwards the Range request as it is and the result
2340 This is to stop a far ahead range request (lets say start at 17MB)
2341 from making Squid fetch the whole object up to that point before
2342 sending anything to the client.
2344 A value of -1 causes Squid to always fetch the object from the
2345 beginning so it may cache the result. (2.0 style)
2347 A value of 0 causes Squid to never fetch more than the
2348 client requested. (default)
2354 -----------------------------------------------------------------------------
2357 NAME: forward_timeout
2360 LOC: Config.Timeout.forward
2363 This parameter specifies how long Squid should at most attempt in
2364 finding a forwarding path for the request before giving up.
2367 NAME: connect_timeout
2370 LOC: Config.Timeout.connect
2373 This parameter specifies how long to wait for the TCP connect to
2374 the requested server or peer to complete before Squid should
2375 attempt to find another path where to forward the request.
2378 NAME: peer_connect_timeout
2381 LOC: Config.Timeout.peer_connect
2384 This parameter specifies how long to wait for a pending TCP
2385 connection to a peer cache. The default is 30 seconds. You
2386 may also set different timeout values for individual neighbors
2387 with the 'connect-timeout' option on a 'cache_peer' line.
2393 LOC: Config.Timeout.read
2396 The read_timeout is applied on server-side connections. After
2397 each successful read(), the timeout will be extended by this
2398 amount. If no data is read again after this amount of time,
2399 the request is aborted and logged with ERR_READ_TIMEOUT. The
2400 default is 15 minutes.
2404 NAME: request_timeout
2406 LOC: Config.Timeout.request
2409 How long to wait for an HTTP request after initial
2410 connection establishment.
2414 NAME: persistent_request_timeout
2416 LOC: Config.Timeout.persistent_request
2419 How long to wait for the next HTTP request on a persistent
2420 connection after the previous request completes.
2424 NAME: client_lifetime
2427 LOC: Config.Timeout.lifetime
2430 The maximum amount of time a client (browser) is allowed to
2431 remain connected to the cache process. This protects the Cache
2432 from having a lot of sockets (and hence file descriptors) tied up
2433 in a CLOSE_WAIT state from remote clients that go away without
2434 properly shutting down (either because of a network failure or
2435 because of a poor client implementation). The default is one
2438 NOTE: The default value is intended to be much larger than any
2439 client would ever need to be connected to your cache. You
2440 should probably change client_lifetime only as a last resort.
2441 If you seem to have many client connections tying up
2442 filedescriptors, we recommend first tuning the read_timeout,
2443 request_timeout, persistent_request_timeout and quick_abort values.
2446 NAME: half_closed_clients
2448 LOC: Config.onoff.half_closed_clients
2451 Some clients may shutdown the sending side of their TCP
2452 connections, while leaving their receiving sides open. Sometimes,
2453 Squid can not tell the difference between a half-closed and a
2454 fully-closed TCP connection. By default, half-closed client
2455 connections are kept open until a read(2) or write(2) on the
2456 socket returns an error. Change this option to 'off' and Squid
2457 will immediately close client connections when read(2) returns
2458 "no more data to read."
2463 LOC: Config.Timeout.pconn
2464 DEFAULT: 120 seconds
2466 Timeout for idle persistent connections to servers and other
2473 LOC: Config.Timeout.ident
2476 Maximum time to wait for IDENT lookups to complete.
2478 If this is too high, and you enabled IDENT lookups from untrusted
2479 users, you might be susceptible to denial-of-service by having
2480 many ident requests going at once.
2484 NAME: shutdown_lifetime
2487 LOC: Config.shutdownLifetime
2490 When SIGTERM or SIGHUP is received, the cache is put into
2491 "shutdown pending" mode until all active sockets are closed.
2492 This value is the lifetime to set for all open descriptors
2493 during shutdown mode. Any active clients after this many
2494 seconds will receive a 'timeout' message.
2499 -----------------------------------------------------------------------------
2507 Defining an Access List
2509 acl aclname acltype string1 ...
2510 acl aclname acltype "file" ...
2512 when using "file", the file should contain one item per line
2514 acltype is one of the types described below
2516 By default, regular expressions are CASE-SENSITIVE. To make
2517 them case-insensitive, use the -i option.
2519 acl aclname src ip-address/netmask ... (clients IP address)
2520 acl aclname src addr1-addr2/netmask ... (range of addresses)
2521 acl aclname dst ip-address/netmask ... (URL host's IP address)
2522 acl aclname myip ip-address/netmask ... (local socket IP address)
2524 acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
2525 # The arp ACL requires the special configure option --enable-arp-acl.
2526 # Furthermore, the ARP ACL code is not portable to all operating systems.
2527 # It works on Linux, Solaris, Windows, FreeBSD, and some other *BSD variants.
2529 # NOTE: Squid can only determine the MAC address for clients that are on
2530 # the same subnet. If the client is on a different subnet, then Squid cannot
2531 # find out its MAC address.
2533 acl aclname srcdomain .foo.com ... # reverse lookup, client IP
2534 acl aclname dstdomain .foo.com ... # Destination server from URL
2535 acl aclname srcdom_regex [-i] xxx ... # regex matching client name
2536 acl aclname dstdom_regex [-i] xxx ... # regex matching server
2537 # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
2538 # based URL is used and no match is found. The name "none" is used
2539 # if the reverse lookup fails.
2541 acl aclname http_status 200 301 500- 400-403 ... # status code in reply
2543 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
2552 h1:m1 must be less than h2:m2
2553 acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
2554 acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
2555 acl aclname port 80 70 21 ...
2556 acl aclname port 0-1024 ... # ranges allowed
2557 acl aclname myport 3128 ... # (local socket TCP port)
2558 acl aclname proto HTTP FTP ...
2559 acl aclname method GET POST ...
2560 acl aclname browser [-i] regexp ...
2561 # pattern match on User-Agent header (see also req_header below)
2562 acl aclname referer_regex [-i] regexp ...
2563 # pattern match on Referer header
2564 # Referer is highly unreliable, so use with care
2565 acl aclname ident username ...
2566 acl aclname ident_regex [-i] pattern ...
2567 # string match on ident output.
2568 # use REQUIRED to accept any non-null ident.
2569 acl aclname src_as number ...
2570 acl aclname dst_as number ...
2571 # Except for access control, AS numbers can be used for
2572 # routing of requests to specific caches. Here's an
2573 # example for routing all requests for AS#1241 and only
2574 # those to mycache.mydomain.net:
2575 # acl asexample dst_as 1241
2576 # cache_peer_access mycache.mydomain.net allow asexample
2577 # cache_peer_access mycache_mydomain.net deny all
2579 acl aclname proxy_auth [-i] username ...
2580 acl aclname proxy_auth_regex [-i] pattern ...
2581 # list of valid usernames
2582 # use REQUIRED to accept any valid username.
2584 # NOTE: when a Proxy-Authentication header is sent but it is not
2585 # needed during ACL checking the username is NOT logged
2588 # NOTE: proxy_auth requires a EXTERNAL authentication program
2589 # to check username/password combinations (see
2590 # auth_param directive).
2592 # NOTE: proxy_auth can't be used in a transparent proxy as
2593 # the browser needs to be configured for using a proxy in order
2594 # to respond to proxy authentication.
2596 acl aclname snmp_community string ...
2597 # A community string to limit access to your SNMP Agent
2600 # acl snmppublic snmp_community public
2602 acl aclname maxconn number
2603 # This will be matched when the client's IP address has
2604 # more than <number> HTTP connections established.
2606 acl aclname max_user_ip [-s] number
2607 # This will be matched when the user attempts to log in from more
2608 # than <number> different ip addresses. The authenticate_ip_ttl
2609 # parameter controls the timeout on the ip entries.
2610 # If -s is specified the limit is strict, denying browsing
2611 # from any further IP addresses until the ttl has expired. Without
2612 # -s Squid will just annoy the user by "randomly" denying requests.
2613 # (the counter is reset each time the limit is reached and a
2614 # request is denied)
2615 # NOTE: in acceleration mode or where there is mesh of child proxies,
2616 # clients may appear to come from multiple addresses if they are
2617 # going through proxy farms, so a limit of 1 may cause user problems.
2619 acl aclname rep_mime_type mime-type1 ...
2620 # regex match against the mime type of the reply received by
2621 # squid. Can be used to detect file download or some
2622 # types HTTP tunneling requests.
2623 # NOTE: This has no effect in http_access rules. It only has
2624 # effect in rules that affect the reply data stream such as
2625 # http_reply_access.
2627 acl aclname rep_header header-name [-i] any\.regex\.here
2628 # regex match against any of the known reply headers. May be
2629 # thought of as a superset of "browser", "referer" and "mime-type"
2632 acl aclname req_mime_type mime-type1 ...
2633 # regex match agains the mime type of the request generated
2634 # by the client. Can be used to detect file upload or some
2635 # types HTTP tunneling requests.
2636 # NOTE: This does NOT match the reply. You cannot use this
2637 # to match the returned file type.
2639 acl aclname req_header header-name [-i] any\.regex\.here
2640 # regex match against any of the known request headers. May be
2641 # thought of as a superset of "browser", "referer" and "mime-type"
2644 acl acl_name external class_name [arguments...]
2645 # external ACL lookup via a helper class defined by the
2646 # external_acl_type directive.
2648 acl aclname user_cert attribute values...
2649 # match against attributes in a user SSL certificate
2650 # attribute is one of DN/C/O/CN/L/ST
2652 acl aclname ca_cert attribute values...
2653 # match against attributes a users issuing CA SSL certificate
2654 # attribute is one of DN/C/O/CN/L/ST
2656 acl aclname ext_user username ...
2657 acl aclname ext_user_regex [-i] pattern ...
2658 # string match on username returned by external acl processing
2659 # use REQUIRED to accept any non-null user name.
2662 acl macaddress arp 09:00:2b:23:45:67
2663 acl myexample dst_as 1241
2664 acl password proxy_auth REQUIRED
2665 acl fileupload req_mime_type -i ^multipart/form-data$
2666 acl javascript rep_mime_type -i ^application/x-javascript$
2669 #Recommended minimum configuration:
2670 acl all src 0.0.0.0/0.0.0.0
2671 acl manager proto cache_object
2672 acl localhost src 127.0.0.1/255.255.255.255
2673 acl to_localhost dst 127.0.0.0/8
2674 acl SSL_ports port 443
2675 acl Safe_ports port 80 # http
2676 acl Safe_ports port 21 # ftp
2677 acl Safe_ports port 443 # https
2678 acl Safe_ports port 70 # gopher
2679 acl Safe_ports port 210 # wais
2680 acl Safe_ports port 1025-65535 # unregistered ports
2681 acl Safe_ports port 280 # http-mgmt
2682 acl Safe_ports port 488 # gss-http
2683 acl Safe_ports port 591 # filemaker
2684 acl Safe_ports port 777 # multiling http
2685 acl CONNECT method CONNECT
2691 LOC: Config.accessList.http
2693 DEFAULT_IF_NONE: deny all
2695 Allowing or Denying access based on defined access lists
2697 Access to the HTTP port:
2698 http_access allow|deny [!]aclname ...
2700 NOTE on default values:
2702 If there are no "access" lines present, the default is to deny
2705 If none of the "access" lines cause a match, the default is the
2706 opposite of the last line in the list. If the last line was
2707 deny, the default is allow. Conversely, if the last line
2708 is allow, the default will be deny. For these reasons, it is a
2709 good idea to have an "deny all" or "allow all" entry at the end
2710 of your access lists to avoid potential confusion.
2713 #Recommended minimum configuration:
2715 # Only allow cachemgr access from localhost
2716 http_access allow manager localhost
2717 http_access deny manager
2718 # Deny requests to unknown ports
2719 http_access deny !Safe_ports
2720 # Deny CONNECT to other than SSL ports
2721 http_access deny CONNECT !SSL_ports
2723 # We strongly recommend the following be uncommented to protect innocent
2724 # web applications running on the proxy server who think the only
2725 # one who can access services on "localhost" is a local user
2726 #http_access deny to_localhost
2728 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
2730 # Example rule allowing access from your local networks. Adapt
2731 # to list your (internal) IP networks from where browsing should
2733 #acl our_networks src 192.168.1.0/24 192.168.2.0/24
2734 #http_access allow our_networks
2736 # And finally deny all other access to this proxy
2737 http_access deny all
2741 NAME: http_reply_access
2743 LOC: Config.accessList.reply
2745 DEFAULT_IF_NONE: allow all
2747 Allow replies to client requests. This is complementary to http_access.
2749 http_reply_access allow|deny [!] aclname ...
2751 NOTE: if there are no access lines present, the default is to allow
2754 If none of the access lines cause a match the opposite of the
2755 last line will apply. Thus it is good practice to end the rules
2756 with an "allow all" or "deny all" entry.
2759 #Recommended minimum configuration:
2761 # Insert your own rules here.
2764 # and finally allow by default
2765 http_reply_access allow all
2772 LOC: Config.accessList.icp
2774 DEFAULT_IF_NONE: deny all
2776 Allowing or Denying access to the ICP port based on defined
2779 icp_access allow|deny [!]aclname ...
2781 See http_access for details
2784 #Allow ICP queries from everyone
2785 icp_access allow all
2793 LOC: Config.accessList.htcp
2795 DEFAULT_IF_NONE: deny all
2797 Allowing or Denying access to the HTCP port based on defined
2800 htcp_access allow|deny [!]aclname ...
2802 See http_access for details
2804 #Allow HTCP queries from everyone
2805 htcp_access allow all
2808 NAME: htcp_clr_access
2811 LOC: Config.accessList.htcp_clr
2813 DEFAULT_IF_NONE: deny all
2815 Allowing or Denying access to purge content using HTCP based
2816 on defined access lists
2818 htcp_clr_access allow|deny [!]aclname ...
2820 See http_access for details
2822 #Allow HTCP CLR requests from trusted peers
2823 acl htcp_clr_peer src 172.16.1.2
2824 htcp_clr_access allow htcp_clr_peer
2830 LOC: Config.accessList.miss
2833 Use to force your neighbors to use you as a sibling instead of
2834 a parent. For example:
2836 acl localclients src 172.16.0.0/16
2837 miss_access allow localclients
2838 miss_access deny !localclients
2840 This means only your local clients are allowed to fetch
2841 MISSES and all other clients can only fetch HITS.
2843 By default, allow all clients who passed the http_access rules
2844 to fetch MISSES from us.
2848 # miss_access allow all
2853 NAME: cache_peer_access
2858 Similar to 'cache_peer_domain' but provides more flexibility by
2861 cache_peer_access cache-host allow|deny [!]aclname ...
2863 The syntax is identical to 'http_access' and the other lists of
2864 ACL elements. See the comments for 'http_access' below, or
2865 the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
2868 NAME: ident_lookup_access
2872 DEFAULT_IF_NONE: deny all
2873 LOC: Config.accessList.identLookup
2875 A list of ACL elements which, if matched, cause an ident
2876 (RFC 931) lookup to be performed for this request. For
2877 example, you might choose to always perform ident lookups
2878 for your main multi-user Unix boxes, but not for your Macs
2879 and PCs. By default, ident lookups are not performed for
2882 To enable ident lookups for specific client addresses, you
2883 can follow this example:
2885 acl ident_aware_hosts src 198.168.1.0/255.255.255.0
2886 ident_lookup_access allow ident_aware_hosts
2887 ident_lookup_access deny all
2889 Only src type ACL checks are fully supported. A src_domain
2890 ACL might work at times, but it will not always provide
2894 NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
2897 LOC: Config.accessList.outgoing_tos
2899 Allows you to select a TOS/Diffserv value to mark outgoing
2900 connections with, based on the username or source address
2903 tcp_outgoing_tos ds-field [!]aclname ...
2905 Example where normal_service_net uses the TOS value 0x00
2906 and normal_service_net uses 0x20
2908 acl normal_service_net src 10.0.0.0/255.255.255.0
2909 acl good_service_net src 10.0.1.0/255.255.255.0
2910 tcp_outgoing_tos 0x00 normal_service_net 0x00
2911 tcp_outgoing_tos 0x20 good_service_net
2913 TOS/DSCP values really only have local significance - so you should
2914 know what you're specifying. For more, see RFC 2474
2916 The TOS/DSCP byte must be exactly that - a byte, value 0 - 255, or
2917 "default" to use whatever default your host has.
2919 Processing proceeds in the order specified, and stops at first fully
2923 NAME: tcp_outgoing_address
2926 LOC: Config.accessList.outgoing_address
2928 Allows you to map requests to different outgoing IP addresses
2929 based on the username or sourceaddress of the user making
2932 tcp_outgoing_address ipaddr [[!]aclname] ...
2934 Example where requests from 10.0.0.0/24 will be forwarded
2935 with source address 10.1.0.1, 10.0.2.0/24 forwarded with
2936 source address 10.1.0.2 and the rest will be forwarded with
2937 source address 10.1.0.3.
2939 acl normal_service_net src 10.0.0.0/255.255.255.0
2940 acl good_service_net src 10.0.1.0/255.255.255.0
2941 tcp_outgoing_address 10.0.0.1 normal_service_net
2942 tcp_outgoing_address 10.0.0.2 good_service_net
2943 tcp_outgoing_address 10.0.0.3
2945 Processing proceeds in the order specified, and stops at first fully
2949 NAME: reply_header_max_size
2953 LOC: Config.maxReplyHeaderSize
2955 This specifies the maximum size for HTTP headers in a reply.
2956 Reply headers are usually relatively small (about 512 bytes).
2957 Placing a limit on the reply header size will catch certain
2958 bugs (for example with persistent connections) and possibly
2959 buffer-overflow or denial-of-service attacks.
2962 NAME: reply_body_max_size
2963 COMMENT: size [acl acl...]
2966 LOC: Config.ReplyBodySize
2968 This option specifies the maximum size of a reply body. It can be
2969 used to prevent users from downloading very large files, such as
2970 MP3's and movies. When the reply headers are received, the
2971 reply_body_max_size lines are processed, and the first line where
2972 all (if any) listed ACLs are true is used as the maximum body size
2975 This size is checked twice. First when we get the reply headers,
2976 we check the content-length value. If the content length value exists
2977 and is larger than the allowed size, the request is denied and the
2978 user receives an error message that says "the request or reply
2979 is too large." If there is no content-length, and the reply
2980 size exceeds this limit, the client's connection is just closed
2981 and they will receive a partial reply.
2983 WARNING: downstream caches probably can not detect a partial reply
2984 if there is no content-length header, so they will cache
2985 partial responses and give them out as hits. You should NOT
2986 use this option if you have downstream caches.
2988 WARNING: A maximum size smaller than the size of squid's error messages
2989 will cause an infinite loop and crash squid. Ensure that the smallest
2990 non-zero value you use is greater that the maximum header size plus
2991 the size of your largest error page.
2993 If you set this parameter none (the default), there will be
2999 LOC: Config.accessList.log
3001 COMMENT: allow|deny acl acl...
3003 This options allows you to control which requests gets logged
3004 to access.log (see access_log directive). Requests denied for
3005 logging will also not be accounted for in performance counters.
3009 ADMINISTRATIVE PARAMETERS
3010 -----------------------------------------------------------------------------
3016 LOC: Config.adminEmail
3018 Email-address of local cache manager who will receive
3019 mail if the cache dies. The default is "webmaster."
3026 LOC: Config.EmailFrom
3028 From: email-address for mail sent when the cache dies.
3029 The default is to use 'appname@unique_hostname'.
3030 Default appname value is "squid", can be changed into
3031 src/globals.h before building squid.
3038 LOC: Config.EmailProgram
3040 Email program used to send mail if the cache dies.
3041 The default is "mail". The specified program must complain
3042 with the standard Unix mail syntax:
3043 mail_program recipient < mailfile
3044 Optional command line options can be specified.
3048 NAME: cache_effective_user
3051 LOC: Config.effectiveUser
3053 If you start Squid as root, it will change its effective/real
3054 UID/GID to the user specified below. The default is to change
3055 to UID to nobody. If you define cache_effective_user, but not
3056 cache_effective_group, Squid sets the GID to the effective
3057 user's default group ID (taken from the password file) and
3058 supplementary group list from the from groups membership of
3059 cache_effective_user.
3063 NAME: cache_effective_group
3066 LOC: Config.effectiveGroup
3068 If you want Squid to run with a specific GID regardless of
3069 the group memberships of the effective user then set this
3070 to the group (or GID) you want Squid to run as. When set
3071 all other group privileges of the effective user is ignored
3072 and only this GID is effective. If Squid is not started as
3073 root the user starting Squid must be member of the specified
3078 NAME: httpd_suppress_version_string
3082 LOC: Config.onoff.httpd_suppress_version_string
3084 Suppress Squid version string info in HTTP headers and HTML error pages.
3088 NAME: visible_hostname
3090 LOC: Config.visibleHostname
3093 If you want to present a special hostname in error messages, etc,
3094 define this. Otherwise, the return value of gethostname()
3095 will be used. If you have multiple caches in a cluster and
3096 get errors about IP-forwarding you must set them to have individual
3097 names with this setting.
3101 NAME: unique_hostname
3103 LOC: Config.uniqueHostname
3106 If you want to have multiple machines with the same
3107 'visible_hostname' you must give each machine a different
3108 'unique_hostname' so forwarding loops can be detected.
3112 NAME: hostname_aliases
3114 LOC: Config.hostnameAliases
3117 A list of other DNS names your cache has.
3121 OPTIONS FOR THE CACHE REGISTRATION SERVICE
3122 -----------------------------------------------------------------------------
3124 This section contains parameters for the (optional) cache
3125 announcement service. This service is provided to help
3126 cache administrators locate one another in order to join or
3127 create cache hierarchies.
3129 An 'announcement' message is sent (via UDP) to the registration
3130 service by Squid. By default, the announcement message is NOT
3131 SENT unless you enable it with 'announce_period' below.
3133 The announcement message includes your hostname, plus the
3134 following information from this configuration file:
3140 All current information is processed regularly and made
3141 available on the Web at http://www.ircache.net/Cache/Tracker/.
3144 NAME: announce_period
3146 LOC: Config.Announce.period
3149 This is how frequently to send cache announcements. The
3150 default is `0' which disables sending the announcement
3153 To enable announcing your cache, just uncomment the line
3157 #To enable announcing your cache, just uncomment the line below.
3158 #announce_period 1 day
3165 DEFAULT: tracker.ircache.net
3166 LOC: Config.Announce.host
3172 LOC: Config.Announce.file
3178 LOC: Config.Announce.port
3180 announce_host and announce_port set the hostname and port
3181 number where the registration message will be sent.
3183 Hostname will default to 'tracker.ircache.net' and port will
3184 default default to 3131. If the 'filename' argument is given,
3185 the contents of that file will be included in the announce
3189 NAME: httpd_accel_surrogate_id
3192 LOC: Config.Accel.surrogate_id
3195 Surrogates (http://www.esi.org/architecture_spec_1.0.html)
3196 need an identification token to allow control targeting. Because
3197 a farm of surrogates may all perform the same tasks, they may share
3198 an identification token.
3201 NAME: http_accel_surrogate_remote
3206 LOC: Config.onoff.surrogate_is_remote
3208 Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
3209 Set this to on to have squid behave as a remote surrogate.
3214 COMMENT: libxml2|expat|custom
3216 LOC: ESIParser::Type
3219 ESI markup is not strictly XML compatible. The custom ESI parser
3220 will give higher performance, but cannot handle non ASCII character
3226 -----------------------------------------------------------------------------
3231 LOC: Config.dns_testname_list
3233 DEFAULT_IF_NONE: netscape.com internic.net nlanr.net microsoft.com
3235 The DNS tests exit as soon as the first site is successfully looked up
3237 This test can be disabled with the -D command line option.
3241 NAME: logfile_rotate
3244 LOC: Config.Log.rotateNumber
3246 Specifies the number of logfile rotations to make when you
3247 type 'squid -k rotate'. The default is 10, which will rotate
3248 with extensions 0 through 9. Setting logfile_rotate to 0 will
3249 disable the file name rotation, but the logfiles are still closed
3250 and re-opened. This will enable you to rename the logfiles
3251 yourself just before sending the rotate signal.
3253 Note, the 'squid -k rotate' command normally sends a USR1
3254 signal to the running squid process. In certain situations
3255 (e.g. on Linux with Async I/O), USR1 is used for other
3256 purposes, so -k rotate uses another signal. It is best to get
3257 in the habit of using 'squid -k rotate' instead of 'kill -USR1
3264 LOC: Config.appendDomain
3267 Appends local domain name to hostnames without any dots in
3268 them. append_domain must begin with a period.
3270 Be warned there are now Internet names with no dots in
3271 them using only top-domain names, so setting this may
3272 cause some Internet sites to become unavailable.
3275 append_domain .yourdomain.com
3279 NAME: tcp_recv_bufsize
3283 LOC: Config.tcpRcvBufsz
3285 Size of receive buffer to set for TCP sockets. Probably just
3286 as easy to change your kernel's default. Set to zero to use
3287 the default buffer size.
3292 LOC: Config.errHtmlText
3295 HTML text to include in error messages. Make this a "mailto"
3296 URL to your admin address, or maybe just a link to your
3297 organizations Web page.
3299 To include this in your error messages, you must rewrite
3300 the error template files (found in the "errors" directory).
3301 Wherever you want the 'err_html_text' line to appear,
3302 insert a %L tag in the error template file.
3305 NAME: email_err_data
3308 LOC: Config.onoff.emailErrData
3311 If enabled, information about the occurred error will be
3312 included in the mailto links of the ERR pages (if %W is set)
3313 so that the email body contains the data.
3314 Syntax is <A HREF="mailto:%w%W">%w</A>
3320 LOC: Config.denyInfoList
3323 Usage: deny_info err_page_name acl
3324 or deny_info http://... acl
3325 Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
3327 This can be used to return a ERR_ page for requests which
3328 do not pass the 'http_access' rules. A single ACL will cause
3329 the http_access check to fail. If a 'deny_info' line exists
3330 for that ACL Squid returns a corresponding error page.
3332 You may use ERR_ pages that come with Squid or create your own pages
3333 and put them into the configured errors/ directory.
3335 Alternatively you can specify an error URL. The browsers will
3336 get redirected (302) to the specified URL. %s in the redirection
3337 URL will be replaced by the requested URL.
3339 Alternatively you can tell Squid to reset the TCP connection
3340 by specifying TCP_RESET.
3347 LOC: Config.onoff.mem_pools
3349 If set, Squid will keep pools of allocated (but unused) memory
3350 available for future use. If memory is a premium on your
3351 system and you believe your malloc library outperforms Squid
3352 routines, disable this.
3355 NAME: memory_pools_limit
3359 LOC: Config.MemPools.limit
3361 Used only with memory_pools on:
3362 memory_pools_limit 50 MB
3364 If set to a non-zero value, Squid will keep at most the specified
3365 limit of allocated (but unused) memory in memory pools. All free()
3366 requests that exceed this limit will be handled by your malloc
3367 library. Squid does not pre-allocate any memory, just safe-keeps
3368 objects that otherwise would be free()d. Thus, it is safe to set
3369 memory_pools_limit to a reasonably high value even if your
3370 configuration will use less memory.
3372 If set to zero, Squid will keep all memory it can. That is, there
3373 will be no limit on the total amount of memory used for safe-keeping.
3375 To disable memory allocation optimization, do not set
3376 memory_pools_limit to 0. Set memory_pools to "off" instead.
3378 An overhead for maintaining memory pools is not taken into account
3379 when the limit is checked. This overhead is close to four bytes per
3380 object kept. However, pools may actually _save_ memory because of
3381 reduced memory thrashing in your malloc library.
3385 IFDEF: HTTP_VIOLATIONS
3389 LOC: Config.onoff.via
3391 If set (default), Squid will include a Via header in requests and
3392 replies as required by RFC2616.
3399 LOC: opt_forwarded_for
3401 If set, Squid will include your system's IP address or name
3402 in the HTTP requests it forwards. By default it looks like
3405 X-Forwarded-For: 192.1.2.3
3407 If you disable this, it will appear as
3409 X-Forwarded-For: unknown
3412 NAME: log_icp_queries
3416 LOC: Config.onoff.log_udp
3418 If set, ICP queries are logged to access.log. You may wish
3419 do disable this if your ICP load is VERY high to speed things
3420 up or to simplify log analysis.
3427 LOC: Config.onoff.icp_hit_stale
3429 If you want to return ICP_HIT for stale cache objects, set this
3430 option to 'on'. If you have sibling relationships with caches
3431 in other administrative domains, this should be 'off'. If you only
3432 have sibling relationships with caches under your control,
3433 it is probably okay to set this to 'on'.
3434 If set to 'on', your siblings should use the option "allow-miss"
3435 on their cache_peer lines for connecting to you.
3439 NAME: minimum_direct_hops
3442 LOC: Config.minDirectHops
3444 If using the ICMP pinging stuff, do direct fetches for sites
3445 which are no more than this many hops away.
3448 NAME: minimum_direct_rtt
3451 LOC: Config.minDirectRtt
3453 If using the ICMP pinging stuff, do direct fetches for sites
3454 which are no more than this many rtt milliseconds away.
3457 NAME: cachemgr_passwd
3458 TYPE: cachemgrpasswd
3460 LOC: Config.passwd_list
3462 Specify passwords for cachemgr operations.
3464 Usage: cachemgr_passwd password action action ...
3466 Some valid actions are (see cache manager menu for a full list):
3505 * Indicates actions which will not be performed without a
3506 valid password, others can be performed if not listed here.
3508 To disable an action, set the password to "disable".
3509 To allow performing an action without a password, set the
3512 Use the keyword "all" to set the same password for all actions.
3515 cachemgr_passwd secret shutdown
3516 cachemgr_passwd lesssssssecret info stats/objects
3517 cachemgr_passwd disable all
3520 NAME: store_avg_object_size
3524 LOC: Config.Store.avgObjectSize
3526 Average object size, used to estimate number of objects your
3527 cache can hold. See doc/Release-Notes-1.1.txt. The default is
3531 NAME: store_objects_per_bucket
3534 LOC: Config.Store.objectsPerBucket
3536 Target number of objects per bucket in the store hash table.
3537 Lowering this value increases the total number of buckets and
3538 also the storage maintenance rate. The default is 20.
3545 LOC: Config.onoff.client_db
3547 If you want to disable collecting per-client statistics,
3548 turn off client_db here.
3555 LOC: Config.Netdb.low
3561 LOC: Config.Netdb.high
3563 The low and high water marks for the ICMP measurement
3564 database. These are counts, not percents. The defaults are
3565 900 and 1000. When the high water mark is reached, database
3566 entries will be deleted until the low mark is reached.
3570 NAME: netdb_ping_period
3572 LOC: Config.Netdb.period
3575 The minimum period for measuring a site. There will be at
3576 least this much delay between successive pings to the same
3577 network. The default is five minutes.
3585 LOC: Config.onoff.query_icmp
3587 If you want to ask your peers to include ICMP data in their ICP
3588 replies, enable this option.
3590 If your peer has configured Squid (during compilation) with
3591 '--enable-icmp' that peer will send ICMP pings to origin server
3592 sites of the URLs it receives. If you enable this option the
3593 ICP replies from that peer will include the ICMP data (if available).
3594 Then, when choosing a parent cache, Squid will choose the parent with
3595 the minimal RTT to the origin server. When this happens, the
3596 hierarchy field of the access.log will be
3597 "CLOSEST_PARENT_MISS". This option is off by default.
3600 NAME: test_reachability
3604 LOC: Config.onoff.test_reachability
3606 When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
3607 instead of ICP_MISS if the target host is NOT in the ICMP
3608 database, or has a zero RTT.
3615 LOC: Config.onoff.buffered_logs
3617 cache.log log file is written with stdio functions, and as such
3618 it can be buffered or unbuffered. By default it will be unbuffered.
3619 Buffering it can speed up the writing slightly (though you are
3620 unlikely to need to worry unless you run with tons of debugging
3621 enabled in which case performance will suffer badly anyway..).
3624 NAME: refresh_all_ims
3628 LOC: Config.onoff.refresh_all_ims
3630 When you enable this option, squid will always check
3631 the origin server for an update when a client sends an
3632 If-Modified-Since request. Many browsers use IMS
3633 requests when the user requests a reload, and this
3634 ensures those clients receive the latest version.
3636 By default (off), squid may return a Not Modified response
3637 based on the age of the cached version.
3640 NAME: reload_into_ims
3641 IFDEF: HTTP_VIOLATIONS
3645 LOC: Config.onoff.reload_into_ims
3647 When you enable this option, client no-cache or ``reload''
3648 requests will be changed to If-Modified-Since requests.
3649 Doing this VIOLATES the HTTP standard. Enabling this
3650 feature could make you liable for problems which it
3653 see also refresh_pattern for a more selective approach.
3658 LOC: Config.accessList.AlwaysDirect
3661 Usage: always_direct allow|deny [!]aclname ...
3663 Here you can use ACL elements to specify requests which should
3664 ALWAYS be forwarded directly to origin servers. For example,
3665 to always directly forward requests for local servers use
3668 acl local-servers dstdomain my.domain.net
3669 always_direct allow local-servers
3671 To always forward FTP requests directly, use
3674 always_direct allow FTP
3676 NOTE: There is a similar, but opposite option named
3677 'never_direct'. You need to be aware that "always_direct deny
3678 foo" is NOT the same thing as "never_direct allow foo". You
3679 may need to use a deny rule to exclude a more-specific case of
3680 some other rule. Example:
3682 acl local-external dstdomain external.foo.net
3683 acl local-servers dstdomain .foo.net
3684 always_direct deny local-external
3685 always_direct allow local-servers
3687 This option replaces some v1.1 options such as local_domain
3693 LOC: Config.accessList.NeverDirect
3696 Usage: never_direct allow|deny [!]aclname ...
3698 never_direct is the opposite of always_direct. Please read
3699 the description for always_direct if you have not already.
3701 With 'never_direct' you can use ACL elements to specify
3702 requests which should NEVER be forwarded directly to origin
3703 servers. For example, to force the use of a proxy for all
3704 requests, except those in your local domain use something like:
3706 acl local-servers dstdomain .foo.net
3707 acl all src 0.0.0.0/0.0.0.0
3708 never_direct deny local-servers
3709 never_direct allow all
3711 or if Squid is inside a firewall and there are local intranet
3712 servers inside the firewall use something like:
3714 acl local-intranet dstdomain .foo.net
3715 acl local-external dstdomain external.foo.net
3716 always_direct deny local-external
3717 always_direct allow local-intranet
3718 never_direct allow all
3720 This option replaces some v1.1 options such as inside_firewall
3724 NAME: request_header_access
3725 IFDEF: HTTP_VIOLATIONS
3726 TYPE: http_header_access[]
3727 LOC: Config.request_header_access
3730 Usage: request_header_access header_name allow|deny [!]aclname ...
3732 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3733 this feature could make you liable for problems which it
3736 This option replaces the old 'anonymize_headers' and the
3737 older 'http_anonymizer' option with something that is much
3738 more configurable. This new method creates a list of ACLs
3739 for each header, allowing you very fine-tuned header
3742 This option only applies to request headers, i.e., from the
3743 client to the server.
3745 You can only specify known headers for the header name.
3746 Other headers are reclassified as 'Other'. You can also
3747 refer to all the headers with 'All'.
3749 For example, to achieve the same behavior as the old
3750 'http_anonymizer standard' option, you should use:
3752 request_header_access From deny all
3753 request_header_access Referer deny all
3754 request_header_access Server deny all
3755 request_header_access User-Agent deny all
3756 request_header_access WWW-Authenticate deny all
3757 request_header_access Link deny all
3759 Or, to reproduce the old 'http_anonymizer paranoid' feature
3762 request_header_access Allow allow all
3763 request_header_access Authorization allow all
3764 request_header_access WWW-Authenticate allow all
3765 request_header_access Proxy-Authorization allow all
3766 request_header_access Proxy-Authenticate allow all
3767 request_header_access Cache-Control allow all
3768 request_header_access Content-Encoding allow all
3769 request_header_access Content-Length allow all
3770 request_header_access Content-Type allow all
3771 request_header_access Date allow all
3772 request_header_access Expires allow all
3773 request_header_access Host allow all
3774 request_header_access If-Modified-Since allow all
3775 request_header_access Last-Modified allow all
3776 request_header_access Location allow all
3777 request_header_access Pragma allow all
3778 request_header_access Accept allow all
3779 request_header_access Accept-Charset allow all
3780 request_header_access Accept-Encoding allow all
3781 request_header_access Accept-Language allow all
3782 request_header_access Content-Language allow all
3783 request_header_access Mime-Version allow all
3784 request_header_access Retry-After allow all
3785 request_header_access Title allow all
3786 request_header_access Connection allow all
3787 request_header_access Proxy-Connection allow all
3788 request_header_access All deny all
3790 although many of those are HTTP reply headers, and so should be
3791 controlled with the reply_header_access directive.
3793 By default, all headers are allowed (no anonymizing is
3797 NAME: reply_header_access
3798 IFDEF: HTTP_VIOLATIONS
3799 TYPE: http_header_access[]
3800 LOC: Config.reply_header_access
3803 Usage: reply_header_access header_name allow|deny [!]aclname ...
3805 WARNING: Doing this VIOLATES the HTTP standard. Enabling
3806 this feature could make you liable for problems which it
3809 This option only applies to reply headers, i.e., from the
3810 server to the client.
3812 This is the same as request_header_access, but in the other
3815 This option replaces the old 'anonymize_headers' and the
3816 older 'http_anonymizer' option with something that is much
3817 more configurable. This new method creates a list of ACLs
3818 for each header, allowing you very fine-tuned header
3821 You can only specify known headers for the header name.
3822 Other headers are reclassified as 'Other'. You can also
3823 refer to all the headers with 'All'.
3825 For example, to achieve the same behavior as the old
3826 'http_anonymizer standard' option, you should use:
3828 reply_header_access From deny all
3829 reply_header_access Referer deny all
3830 reply_header_access Server deny all
3831 reply_header_access User-Agent deny all
3832 reply_header_access WWW-Authenticate deny all
3833 reply_header_access Link deny all
3835 Or, to reproduce the old 'http_anonymizer paranoid' feature
3838 reply_header_access Allow allow all
3839 reply_header_access Authorization allow all
3840 reply_header_access WWW-Authenticate allow all
3841 reply_header_access Proxy-Authorization allow all
3842 reply_header_access Proxy-Authenticate allow all
3843 reply_header_access Cache-Control allow all
3844 reply_header_access Content-Encoding allow all
3845 reply_header_access Content-Length allow all
3846 reply_header_access Content-Type allow all
3847 reply_header_access Date allow all
3848 reply_header_access Expires allow all
3849 reply_header_access Host allow all
3850 reply_header_access If-Modified-Since allow all
3851 reply_header_access Last-Modified allow all
3852 reply_header_access Location allow all
3853 reply_header_access Pragma allow all
3854 reply_header_access Accept allow all
3855 reply_header_access Accept-Charset allow all
3856 reply_header_access Accept-Encoding allow all
3857 reply_header_access Accept-Language allow all
3858 reply_header_access Content-Language allow all
3859 reply_header_access Mime-Version allow all
3860 reply_header_access Retry-After allow all
3861 reply_header_access Title allow all
3862 reply_header_access Connection allow all
3863 reply_header_access Proxy-Connection allow all
3864 reply_header_access All deny all
3866 although the HTTP request headers won't be usefully controlled
3867 by this directive -- see request_header_access for details.
3869 By default, all headers are allowed (no anonymizing is
3873 NAME: header_replace
3874 IFDEF: HTTP_VIOLATIONS
3875 TYPE: http_header_replace[]
3876 LOC: Config.request_header_access
3879 Usage: header_replace header_name message
3880 Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
3882 This option allows you to change the contents of headers
3883 denied with header_access above, by replacing them with
3884 some fixed string. This replaces the old fake_user_agent
3887 This only applies to request headers, not reply headers.
3889 By default, headers are removed if denied.
3892 NAME: icon_directory
3894 LOC: Config.icons.directory
3895 DEFAULT: @DEFAULT_ICON_DIR@
3897 Where the icons are stored. These are normally kept in
3901 NAME: global_internal_static
3903 LOC: Config.onoff.global_internal_static
3906 This directive controls is Squid should intercept all requests for
3907 /squid-internal-static/ no matter which host the URL is requesting
3908 (default on setting), or if nothing special should be done for
3909 such URLs (off setting). The purpose of this directive is to make
3910 icons etc work better in complex cache hierarchies where it may
3911 not always be possible for all corners in the cache mesh to reach
3912 the server generating a directory listing.
3915 NAME: short_icon_urls
3917 LOC: Config.icons.use_short_names
3920 If this is enabled Squid will use short URLs for icons.
3921 If disabled it will revert to the old behavior of including
3922 it's own name and port in the URL.
3924 If you run a complex cache hierarchy with a mix of Squid and
3925 other proxies you may need to disable this directive.
3928 NAME: error_directory
3930 LOC: Config.errorDirectory
3931 DEFAULT: @DEFAULT_ERROR_DIR@
3933 If you wish to create your own versions of the default
3934 (English) error files, either to customize them to suit your
3935 language or company copy the template English files to another
3936 directory and point this tag at them.
3939 NAME: maximum_single_addr_tries
3941 LOC: Config.retry.maxtries
3944 This sets the maximum number of connection attempts for a
3945 host that only has one address (for multiple-address hosts,
3946 each address is tried once).
3948 The default value is one attempt, the (not recommended)
3949 maximum is 255 tries. A warning message will be generated
3950 if it is set to a value greater than ten.
3952 Note: This is in addition to the request re-forwarding which
3953 takes place if Squid fails to get a satisfying response.
3956 NAME: retry_on_error
3958 LOC: Config.retry.onerror
3961 If set to on Squid will automatically retry requests when
3962 receiving an error response. This is mainly useful if you
3963 are in a complex cache hierarchy to work around access
3969 LOC: Config.Port.snmp
3973 Squid can now serve statistics and status information via SNMP.
3974 By default it listens to port 3401 on the machine. If you don't
3975 wish to use SNMP, set this to "0".
3977 Note: If you want Squid to use parents for all requests see
3978 the never_direct directive. prefer_direct only modifies how Squid
3979 acts on cachable requests.
3984 LOC: Config.accessList.snmp
3986 DEFAULT_IF_NONE: deny all
3989 Allowing or denying access to the SNMP port.
3991 All access to the agent is denied by default.
3994 snmp_access allow|deny [!]aclname ...
3997 snmp_access allow snmppublic localhost
3998 snmp_access deny all
4001 NAME: snmp_incoming_address
4003 LOC: Config.Addrs.snmp_incoming
4007 NAME: snmp_outgoing_address
4009 LOC: Config.Addrs.snmp_outgoing
4010 DEFAULT: 255.255.255.255
4013 Just like 'udp_incoming_address' above, but for the SNMP port.
4015 snmp_incoming_address is used for the SNMP socket receiving
4016 messages from SNMP agents.
4017 snmp_outgoing_address is used for SNMP packets returned to SNMP
4020 The default snmp_incoming_address (0.0.0.0) is to listen on all
4021 available network interfaces.
4023 If snmp_outgoing_address is set to 255.255.255.255 (the default)
4024 it will use the same socket as snmp_incoming_address. Only
4025 change this if you want to have SNMP replies sent using another
4026 address than where this Squid listens for SNMP queries.
4028 NOTE, snmp_incoming_address and snmp_outgoing_address can not have
4029 the same value since they both use port 3401.
4032 NAME: as_whois_server
4034 LOC: Config.as_whois_server
4035 DEFAULT: whois.ra.net
4036 DEFAULT_IF_NONE: whois.ra.net
4038 WHOIS server to query for AS numbers. NOTE: AS numbers are
4039 queried only when Squid starts up, not for every request.
4044 LOC: Config.Wccp.router
4049 TYPE: sockaddr_in_list
4050 LOC: Config.Wccp2.router
4054 Use this option to define your WCCP ``home'' router for
4057 wccp_router supports a single WCCP(v1) router
4059 wccp2_router supports multiple WCCPv2 routers
4061 only one of the two may be used at the same time and defines
4062 which version of WCCP to use.
4067 LOC: Config.Wccp.version
4071 This directive is only relevant if you need to set up WCCP(v1)
4072 to some very old and end-of-life Cisco routers. In all other
4073 setups it must be left unset or at the default setting.
4074 It defines an internal version in the WCCP(v1) protocol,
4075 with version 4 being the officially documented protocol.
4077 According to some users, Cisco IOS 11.2 and earlier only
4078 support WCCP version 3. If you're using that or an earlier
4079 version of IOS, you may need to change this value to 3, otherwise
4080 do not specify this parameter.
4083 NAME: wccp2_rebuild_wait
4085 LOC: Config.Wccp2.rebuildwait
4089 If this is enabled Squid will wait for the cache dir rebuild to finish
4090 before sending the first wccp2 HereIAm packet
4093 NAME: wccp2_forwarding_method
4095 LOC: Config.Wccp2.forwarding_method
4099 WCCP2 allows the setting of forwarding methods between the
4100 router/switch and the cache. Valid values are as follows:
4102 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4103 2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
4105 Currently (as of IOS 12.4) cisco routers only support GRE.
4106 Cisco switches only support the L2 redirect assignment method.
4109 NAME: wccp2_return_method
4111 LOC: Config.Wccp2.return_method
4115 WCCP2 allows the setting of return methods between the
4116 router/switch and the cache for packets that the cache
4117 decides not to handle. Valid values are as follows:
4119 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4120 2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
4122 Currently (as of IOS 12.4) cisco routers only support GRE.
4123 Cisco switches only support the L2 redirect assignment.
4125 If the "ip wccp redirect exclude in" command has been
4126 enabled on the cache interface, then it is still safe for
4127 the proxy server to use a l2 redirect method even if this
4128 option is set to GRE.
4131 NAME: wccp2_assignment_method
4133 LOC: Config.Wccp2.assignment_method
4137 WCCP2 allows the setting of methods to assign the WCCP hash
4138 Valid values are as follows:
4143 As a general rule, cisco routers support the hash assignment method
4144 and cisco switches support the mask assignment method.
4149 LOC: Config.Wccp2.info
4151 DEFAULT_IF_NONE: standard 0
4154 WCCP2 allows for multiple traffic services. There are two
4155 types: "standard" and "dynamic". The standard type defines
4156 one service id - http (id 0). The dynamic service ids can be from
4157 51 to 255 inclusive. In order to use a dynamic service id
4158 one must define the type of traffic to be redirected; this is done
4159 using the wccp2_service_info option.
4161 The "standard" type does not require a wccp2_service_info option,
4162 just specifying the service id will suffice.
4164 MD5 service authentication can be enabled by adding
4165 "password=<password>" to the end of this service declaration.
4169 wccp2_service standard 0 # for the 'web-cache' standard service
4170 wccp2_service dynamic 80 # a dynamic service type which will be
4171 # fleshed out with subsequent options.
4172 wccp2_service standard 0 password=foo
4176 NAME: wccp2_service_info
4177 TYPE: wccp2_service_info
4178 LOC: Config.Wccp2.info
4182 Dynamic WCCPv2 services require further information to define the
4183 traffic you wish to have diverted.
4187 wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
4188 priority=<priority> ports=<port>,<port>..
4190 The relevant WCCPv2 flags:
4191 + src_ip_hash, dst_ip_hash
4192 + source_port_hash, dest_port_hash
4193 + src_ip_alt_hash, dst_ip_alt_hash
4194 + src_port_alt_hash, dst_port_alt_hash
4197 The port list can be one to eight entries.
4201 wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
4202 priority=240 ports=80
4204 Note: the service id must have been defined by a previous
4205 'wccp2_service dynamic <id>' entry.
4210 LOC: Config.Wccp2.weight
4214 Each cache server gets assigned a set of the destination
4215 hash proportional to their weight.
4220 LOC: Config.Wccp.address
4226 LOC: Config.Wccp2.address
4230 Use this option if you require WCCP to use a specific
4233 The default behavior is to not bind to any specific address.
4238 DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
4239 -----------------------------------------------------------------------------
4243 TYPE: delay_pool_count
4248 This represents the number of delay pools to be used. For example,
4249 if you have one class 2 delay pool and one class 3 delays pool, you
4250 have a total of 2 delay pools.
4254 TYPE: delay_pool_class
4259 This defines the class of each delay pool. There must be exactly one
4260 delay_class line for each delay pool. For example, to define two
4261 delay pools, one of class 2 and one of class 3, the settings above
4265 delay_pools 4 # 4 delay pools
4266 delay_class 1 2 # pool 1 is a class 2 pool
4267 delay_class 2 3 # pool 2 is a class 3 pool
4268 delay_class 3 4 # pool 3 is a class 4 pool
4269 delay_class 4 5 # pool 4 is a class 5 pool
4271 The delay pool classes are:
4273 class 1 Everything is limited by a single aggregate
4276 class 2 Everything is limited by a single aggregate
4277 bucket as well as an "individual" bucket chosen
4278 from bits 25 through 32 of the IP address.
4280 class 3 Everything is limited by a single aggregate
4281 bucket as well as a "network" bucket chosen
4282 from bits 17 through 24 of the IP address and a
4283 "individual" bucket chosen from bits 17 through
4284 32 of the IP address.
4286 class 4 Everything in a class 3 delay pool, with an
4287 additional limit on a per user basis. This
4288 only takes effect if the username is established
4289 in advance - by forcing authentication in your
4292 class 5 Requests are grouped according their tag (see
4293 external_acl's tag= reply).
4295 NOTE: If an IP address is a.b.c.d
4296 -> bits 25 through 32 are "d"
4297 -> bits 17 through 24 are "c"
4298 -> bits 17 through 32 are "c * 256 + d"
4302 TYPE: delay_pool_access
4307 This is used to determine which delay pool a request falls into.
4309 delay_access is sorted per pool and the matching starts with pool 1,
4310 then pool 2, ..., and finally pool N. The first delay pool where the
4311 request is allowed is selected for the request. If it does not allow
4312 the request to any pool then the request is not delayed (default).
4314 For example, if you want some_big_clients in delay
4315 pool 1 and lotsa_little_clients in delay pool 2:
4318 delay_access 1 allow some_big_clients
4319 delay_access 1 deny all
4320 delay_access 2 allow lotsa_little_clients
4321 delay_access 2 deny all
4322 delay_access 3 allow authenticated_clients
4325 NAME: delay_parameters
4326 TYPE: delay_pool_rates
4331 This defines the parameters for a delay pool. Each delay pool has
4332 a number of "buckets" associated with it, as explained in the
4333 description of delay_class. For a class 1 delay pool, the syntax is:
4335 delay_parameters pool aggregate
4337 For a class 2 delay pool:
4339 delay_parameters pool aggregate individual
4341 For a class 3 delay pool:
4343 delay_parameters pool aggregate network individual
4345 For a class 4 delay pool:
4347 delay_parameters pool aggregate network individual user
4349 For a class 5 delay pool:
4351 delay_parameters pool tag
4353 The variables here are:
4355 pool a pool number - ie, a number between 1 and the
4356 number specified in delay_pools as used in
4359 aggregate the "delay parameters" for the aggregate bucket
4362 individual the "delay parameters" for the individual
4363 buckets (class 2, 3).
4365 network the "delay parameters" for the network buckets
4368 user the delay parameters for the user buckets
4371 tag the delay parameters for the tag buckets
4374 A pair of delay parameters is written restore/maximum, where restore is
4375 the number of bytes (not bits - modem and network speeds are usually
4376 quoted in bits) per second placed into the bucket, and maximum is the
4377 maximum number of bytes which can be in the bucket at any time.
4379 For example, if delay pool number 1 is a class 2 delay pool as in the
4380 above example, and is being used to strictly limit each host to 64kbps
4381 (plus overheads), with no overall limit, the line is:
4383 delay_parameters 1 -1/-1 8000/8000
4385 Note that the figure -1 is used to represent "unlimited".
4387 And, if delay pool number 2 is a class 3 delay pool as in the above
4388 example, and you want to limit it to a total of 256kbps (strict limit)
4389 with each 8-bit network permitted 64kbps (strict limit) and each
4390 individual host permitted 4800bps with a bucket maximum size of 64kb
4391 to permit a decent web page to be downloaded at a decent speed
4392 (if the network is not being limited due to overuse) but slow down
4393 large downloads more significantly:
4395 delay_parameters 2 32000/32000 8000/8000 600/8000
4397 There must be one delay_parameters line for each delay pool.
4399 Finally, for a class 4 delay pool as in the example - each user will
4400 be limited to 128Kb no matter how many workstations they are logged into.:
4402 delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
4405 NAME: delay_initial_bucket_level
4406 COMMENT: (percent, 0-100)
4410 LOC: Config.Delay.initial
4412 The initial bucket percentage is used to determine how much is put
4413 in each bucket when squid starts, is reconfigured, or first notices
4414 a host accessing it (in class 2 and class 3, individual hosts and
4415 networks only have buckets associated with them once they have been
4419 NAME: incoming_icp_average
4422 LOC: Config.comm_incoming.icp_average
4425 NAME: incoming_http_average
4428 LOC: Config.comm_incoming.http_average
4431 NAME: incoming_dns_average
4434 LOC: Config.comm_incoming.dns_average
4437 NAME: min_icp_poll_cnt
4440 LOC: Config.comm_incoming.icp_min_poll
4443 NAME: min_dns_poll_cnt
4446 LOC: Config.comm_incoming.dns_min_poll
4449 NAME: min_http_poll_cnt
4452 LOC: Config.comm_incoming.http_min_poll
4454 Heavy voodoo here. I can't even believe you are reading this.
4455 Are you crazy? Don't even think about adjusting these unless
4456 you understand the algorithms in comm_select.c first!
4459 NAME: max_open_disk_fds
4461 LOC: Config.max_open_disk_fds
4464 To avoid having disk as the I/O bottleneck Squid can optionally
4465 bypass the on-disk cache if more than this amount of disk file
4466 descriptors are open.
4468 A value of 0 indicates no limit.
4473 LOC: Config.onoff.offline
4476 Enable this option and Squid will never try to validate cached
4480 NAME: uri_whitespace
4481 TYPE: uri_whitespace
4482 LOC: Config.uri_whitespace
4485 What to do with requests that have whitespace characters in the
4488 strip: The whitespace characters are stripped out of the URL.
4489 This is the behavior recommended by RFC2396.
4490 deny: The request is denied. The user receives an "Invalid
4492 allow: The request is allowed and the URI is not changed. The
4493 whitespace characters remain in the URI. Note the
4494 whitespace is passed to redirector processes if they
4496 encode: The request is allowed and the whitespace characters are
4497 encoded according to RFC1738. This could be considered
4498 a violation of the HTTP/1.1
4499 RFC because proxies are not allowed to rewrite URI's.
4500 chop: The request is allowed and the URI is chopped at the
4501 first whitespace. This might also be considered a
4508 LOC: Config.accessList.brokenPosts
4510 A list of ACL elements which, if matched, causes Squid to send
4511 an extra CRLF pair after the body of a PUT/POST request.
4513 Some HTTP servers has broken implementations of PUT/POST,
4514 and rely on an extra CRLF pair sent by some WWW clients.
4516 Quote from RFC 2068 section 4.1 on this matter:
4518 Note: certain buggy HTTP/1.0 client implementations generate an
4519 extra CRLF's after a POST request. To restate what is explicitly
4520 forbidden by the BNF, an HTTP/1.1 client must not preface or follow
4521 a request with an extra CRLF.
4524 acl buggy_server url_regex ^http://....
4525 broken_posts allow buggy_server
4528 NAME: mcast_miss_addr
4529 IFDEF: MULTICAST_MISS_STREAM
4531 LOC: Config.mcast_miss.addr
4532 DEFAULT: 255.255.255.255
4534 If you enable this option, every "cache miss" URL will
4535 be sent out on the specified multicast address.
4537 Do not enable this option unless you are are absolutely
4538 certain you understand what you are doing.
4541 NAME: mcast_miss_ttl
4542 IFDEF: MULTICAST_MISS_STREAM
4544 LOC: Config.mcast_miss.ttl
4547 This is the time-to-live value for packets multicasted
4548 when multicasting off cache miss URLs is enabled. By
4549 default this is set to 'site scope', i.e. 16.
4552 NAME: mcast_miss_port
4553 IFDEF: MULTICAST_MISS_STREAM
4555 LOC: Config.mcast_miss.port
4558 This is the port number to be used in conjunction with
4562 NAME: mcast_miss_encode_key
4563 IFDEF: MULTICAST_MISS_STREAM
4565 LOC: Config.mcast_miss.encode_key
4566 DEFAULT: XXXXXXXXXXXXXXXX
4568 The URLs that are sent in the multicast miss stream are
4569 encrypted. This is the encryption key.
4572 NAME: nonhierarchical_direct
4574 LOC: Config.onoff.nonhierarchical_direct
4577 By default, Squid will send any non-hierarchical requests
4578 (matching hierarchy_stoplist or not cachable request type) direct
4581 If you set this to off, Squid will prefer to send these
4582 requests to parents.
4584 Note that in most configurations, by turning this off you will only
4585 add latency to these request without any improvement in global hit
4588 If you are inside an firewall see never_direct instead of
4594 LOC: Config.onoff.prefer_direct
4597 Normally Squid tries to use parents for most requests. If you for some
4598 reason like it to first try going direct and only use a parent if
4599 going direct fails set this to on.
4601 By combining nonhierarchical_direct off and prefer_direct on you
4602 can set up Squid to use a parent as a backup path if going direct
4606 NAME: strip_query_terms
4608 LOC: Config.onoff.strip_query_terms
4611 By default, Squid strips query terms from requested URLs before
4612 logging. This protects your user's privacy.
4617 LOC: Config.coredump_dir
4619 DEFAULT_IF_NONE: none
4621 By default Squid leaves core files in the directory from where
4622 it was started. If you set 'coredump_dir' to a directory
4623 that exists, Squid will chdir() to that directory at startup
4624 and coredump files will be left there.
4627 # Leave coredumps in the first cache dir
4628 coredump_dir @DEFAULT_SWAP_DIR@
4632 NAME: redirector_bypass
4634 LOC: Config.onoff.redirector_bypass
4637 When this is 'on', a request will not go through the
4638 redirector if all redirectors are busy. If this is 'off'
4639 and the redirector queue grows too large, Squid will exit
4640 with a FATAL error and ask you to increase the number of
4641 redirectors. You should only enable this if the redirectors
4642 are not critical to your caching system. If you use
4643 redirectors for access control, and you enable this option,
4644 users may have access to pages they should not
4645 be allowed to request.
4648 NAME: ignore_unknown_nameservers
4650 LOC: Config.onoff.ignore_unknown_nameservers
4653 By default Squid checks that DNS responses are received
4654 from the same IP addresses they are sent to. If they
4655 don't match, Squid ignores the response and writes a warning
4656 message to cache.log. You can allow responses from unknown
4657 nameservers by setting this option to 'off'.
4660 NAME: digest_generation
4661 IFDEF: USE_CACHE_DIGESTS
4663 LOC: Config.onoff.digest_generation
4666 This controls whether the server will generate a Cache Digest
4667 of its contents. By default, Cache Digest generation is
4668 enabled if Squid is compiled with USE_CACHE_DIGESTS defined.
4671 NAME: digest_bits_per_entry
4672 IFDEF: USE_CACHE_DIGESTS
4674 LOC: Config.digest.bits_per_entry
4677 This is the number of bits of the server's Cache Digest which
4678 will be associated with the Digest entry for a given HTTP
4679 Method and URL (public key) combination. The default is 5.
4682 NAME: digest_rebuild_period
4683 IFDEF: USE_CACHE_DIGESTS
4686 LOC: Config.digest.rebuild_period
4689 This is the number of seconds between Cache Digest rebuilds.
4692 NAME: digest_rewrite_period
4694 IFDEF: USE_CACHE_DIGESTS
4696 LOC: Config.digest.rewrite_period
4699 This is the number of seconds between Cache Digest writes to
4703 NAME: digest_swapout_chunk_size
4706 IFDEF: USE_CACHE_DIGESTS
4707 LOC: Config.digest.swapout_chunk_size
4710 This is the number of bytes of the Cache Digest to write to
4711 disk at a time. It defaults to 4096 bytes (4KB), the Squid
4715 NAME: digest_rebuild_chunk_percentage
4716 COMMENT: (percent, 0-100)
4717 IFDEF: USE_CACHE_DIGESTS
4719 LOC: Config.digest.rebuild_chunk_percentage
4722 This is the percentage of the Cache Digest to be scanned at a
4723 time. By default it is set to 10% of the Cache Digest.
4728 LOC: Config.chroot_dir
4731 Use this to have Squid do a chroot() while initializing. This
4732 also causes Squid to fully drop root privileges after
4733 initializing. This means, for example, if you use a HTTP
4734 port less than 1024 and try to reconfigure, you will get an
4738 NAME: client_persistent_connections
4740 LOC: Config.onoff.client_pconns
4744 NAME: server_persistent_connections
4746 LOC: Config.onoff.server_pconns
4749 Persistent connection support for clients and servers. By
4750 default, Squid uses persistent connections (when allowed)
4751 with its clients and servers. You can use these options to
4752 disable persistent connections with clients and/or servers.
4755 NAME: persistent_connection_after_error
4757 LOC: Config.onoff.error_pconns
4760 With this directive the use of persistent connections after
4761 HTTP errors can be disabled. Useful if you have clients
4762 who fail to handle errors on persistent connections proper.
4765 NAME: detect_broken_pconn
4767 LOC: Config.onoff.detect_broken_server_pconns
4770 Some servers have been found to incorrectly signal the use
4771 of HTTP/1.0 persistent connections even on replies not
4772 compatible, causing significant delays. This server problem
4773 has mostly been seen on redirects.
4775 By enabling this directive Squid attempts to detect such
4776 broken replies and automatically assume the reply is finished
4777 after 10 seconds timeout.
4780 NAME: balance_on_multiple_ip
4782 LOC: Config.onoff.balance_on_multiple_ip
4785 Some load balancing servers based on round robin DNS have been
4786 found not to preserve user session state across requests
4787 to different IP addresses.
4789 By default Squid rotates IP's per request. By disabling
4790 this directive only connection failure triggers rotation.
4793 NAME: pipeline_prefetch
4795 LOC: Config.onoff.pipeline_prefetch
4798 To boost the performance of pipelined requests to closer
4799 match that of a non-proxied environment Squid can try to fetch
4800 up to two requests in parallel from a pipeline.
4802 Defaults to off for bandwidth management and access logging
4806 NAME: extension_methods
4808 LOC: Config.ext_methods
4811 Squid only knows about standardized HTTP request methods.
4812 You can add up to 20 additional "extension" methods here.
4815 NAME: request_entities
4817 LOC: Config.onoff.request_entities
4820 Squid defaults to deny GET and HEAD requests with request entities,
4821 as the meaning of such requests are undefined in the HTTP standard
4822 even if not explicitly forbidden.
4824 Set this directive to on if you have clients which insists
4825 on sending request entities in GET or HEAD requests.
4828 NAME: high_response_time_warning
4831 LOC: Config.warnings.high_rptm
4834 If the one-minute median response time exceeds this value,
4835 Squid prints a WARNING with debug level 0 to get the
4836 administrators attention. The value is in milliseconds.
4839 NAME: high_page_fault_warning
4841 LOC: Config.warnings.high_pf
4844 If the one-minute average page fault rate exceeds this
4845 value, Squid prints a WARNING with debug level 0 to get
4846 the administrators attention. The value is in page faults
4850 NAME: high_memory_warning
4852 LOC: Config.warnings.high_memory
4855 If the memory usage (as determined by mallinfo) exceeds
4856 value, Squid prints a WARNING with debug level 0 to get
4857 the administrators attention.
4860 NAME: store_dir_select_algorithm
4862 LOC: Config.store_dir_select_algorithm
4865 Set this to 'round-robin' as an alternative.
4872 LOC: Config.Log.forward
4874 Logs the server-side requests.
4876 This is currently work in progress.
4882 LOC: Config.onoff.ie_refresh
4885 Microsoft Internet Explorer up until version 5.5 Service
4886 Pack 1 has an issue with transparent proxies, wherein it
4887 is impossible to force a refresh. Turning this on provides
4888 a partial fix to the problem, by causing all IMS-REFRESH
4889 requests from older IE versions to check the origin server
4890 for fresh content. This reduces hit ratio by some amount
4891 (~10% in my experience), but allows users to actually get
4892 fresh content when they want it. Note because Squid
4893 cannot tell if the user is using 5.5 or 5.5SP1, the behavior
4894 of 5.5 is unchanged from old versions of Squid (i.e. a
4895 forced refresh is impossible). Newer versions of IE will,
4896 hopefully, continue to have the new behavior and will be
4897 handled based on that assumption. This option defaults to
4898 the old Squid behavior, which is better for hit ratios but
4899 worse for clients using IE, if they need to be able to
4900 force fresh content.
4903 NAME: vary_ignore_expire
4906 LOC: Config.onoff.vary_ignore_expire
4909 Many HTTP servers supporting Vary gives such objects
4910 immediate expiry time with no cache-control header
4911 when requested by a HTTP/1.0 client. This option
4912 enables Squid to ignore such expiry times until
4913 HTTP/1.1 is fully implemented.
4914 WARNING: This may eventually cause some varying
4915 objects not intended for caching to get cached.
4918 NAME: sleep_after_fork
4919 COMMENT: (microseconds)
4921 LOC: Config.sleep_after_fork
4924 When this is set to a non-zero value, the main Squid process
4925 sleeps the specified number of microseconds after a fork()
4926 system call. This sleep may help the situation where your
4927 system reports fork() failures due to lack of (virtual)
4928 memory. Note, however, if you have a lot of child
4929 processes, these sleep delays will add up and your
4930 Squid will not service requests for some amount of time
4931 until all the child processes have been started.
4932 On Windows value less then 1000 (1 millisencond) are
4936 NAME: minimum_expiry_time
4939 LOC: Config.minimum_expiry_time
4942 The minimum caching time according to (Expires - Date)
4943 Headers Squid honors if the object can't be revalidated
4944 defaults to 60 seconds. In reverse proxy enorinments it
4945 might be desirable to honor shorter object lifetimes. It
4946 is most likely better to make your server return a
4947 meaningful Last-Modified header however. In ESI environments
4948 where page fragments often have short lifetimes, this will
4949 often be best set to 0.
4952 NAME: relaxed_header_parser
4953 COMMENT: on|off|warn
4955 LOC: Config.onoff.relaxed_header_parser
4958 In the default "on" setting Squid accepts certain forms
4959 of non-compliant HTTP messages where it is unambiguous
4960 what the sending application intended even if the message
4961 is not correctly formatted. The messages is then normalized
4962 to the correct form when forwarded by Squid.
4964 If set to "warn" then a warning will be emitted in cache.log
4965 each time such HTTP error is encountered.
4967 If set to "off" then such HTTP errors will cause the request
4968 or response to be rejected.
4973 -----------------------------------------------------------------------------
4980 LOC: TheICAPConfig.onoff
4983 If you want to enable the ICAP module support, set this to on.
4986 NAME: icap_preview_enable
4990 LOC: TheICAPConfig.preview_enable
4993 Set this to 'on' if you want to enable the ICAP preview
4997 NAME: icap_preview_size
5000 LOC: TheICAPConfig.preview_size
5003 The default size of preview data to be sent to the ICAP server.
5004 -1 means no preview. This value might be overwritten on a per server
5005 basis by OPTIONS requests.
5008 NAME: icap_default_options_ttl
5011 LOC: TheICAPConfig.default_options_ttl
5014 The default TTL value for ICAP OPTIONS responses that don't have
5015 an Options-TTL header.
5018 NAME: icap_persistent_connections
5022 LOC: TheICAPConfig.reuse_connections
5025 Whether or not Squid should use persistent connections to
5029 NAME: icap_send_client_ip
5033 LOC: TheICAPConfig.send_client_ip
5036 This adds the header "X-Client-IP" to ICAP requests.
5039 NAME: icap_send_client_username
5043 LOC: TheICAPConfig.send_client_username
5046 This adds the header "X-Client-Username" to ICAP requests
5047 if proxy access is authentified.
5051 TYPE: icap_service_type
5056 Defines a single ICAP service
5058 icap_service servicename vectoring_point bypass service_url
5060 vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
5061 This specifies at which point of request processing the ICAP
5062 service should be plugged in.
5064 If set to 1 and the ICAP server cannot be reached, the request will go
5065 through without being processed by an ICAP server
5066 service_url = icap://servername:port/service
5068 Note: reqmod_precache and respmod_postcache is not yet implemented
5071 icap_service service_1 reqmod_precache 0 icap://icap1.mydomain.net:1344/reqmod
5072 icap_service service_2 respmod_precache 0 icap://icap2.mydomain.net:1344/respmod
5076 TYPE: icap_class_type
5081 Defines an ICAP service chain. If there are multiple services per
5082 vectoring point, they are processed in the specified order.
5084 icap_class classname servicename...
5087 icap_class class_1 service_1 service_2
5088 icap class class_2 service_1 service_3
5092 TYPE: icap_access_type
5097 Redirects a request through an ICAP service class, depending
5100 icap_access classname allow|deny [!]aclname...
5102 The icap_access statements are processed in the order they appear in
5103 this configuration file. If an access list matches, the processing stops.
5104 For an "allow" rule, the specified class is used for the request. A "deny"
5105 rule simply stops processing without using the class. You can also use the
5106 special classname "None".
5108 For backward compatibility, it is also possible to use services
5111 icap_access class_1 allow all