NAME: auth_param
TYPE: authparam
+IFDEF: USE_AUTH
LOC: Auth::TheConfig
DEFAULT: none
DOC_START
FORMAT specifications
%LOGIN Authenticated user login name
- %EXT_USER Username from external acl
+ %EXT_USER Username from previous external acl
+ %EXT_LOG Log details from previous external acl
+ %EXT_TAG Tag from previous external acl
%IDENT Ident user name
%SRC Client IP
%SRCPORT Client source port
TYPE: acl
LOC: Config.aclList
DEFAULT: all src all
+DEFAULT: manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
+DEFAULT: localhost src 127.0.0.1/32 ::1
+DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
+DEFAULT_DOC: ACLs all, manager, localhost, and to_localhost are predefined.
DOC_START
Defining an Access List
When using "file", the file should contain one item per line.
- By default, regular expressions are CASE-SENSITIVE. To make
- them case-insensitive, use the -i option.
+ By default, regular expressions are CASE-SENSITIVE.
+ To make them case-insensitive, use the -i option. To return case-sensitive
+ use the +i option between patterns, or make a new ACL line without -i.
Some acl types require suspending the current request in order
to access some external data source.
***** ACL TYPES AVAILABLE *****
- acl aclname src ip-address/netmask ... # clients IP address [fast]
- acl aclname src addr1-addr2/netmask ... # range of addresses [fast]
- acl aclname dst ip-address/netmask ... # URL host's IP address [slow]
- acl aclname myip ip-address/netmask ... # local socket IP address [fast]
+ acl aclname src ip-address/mask ... # clients IP address [fast]
+ acl aclname src addr1-addr2/mask ... # range of addresses [fast]
+ acl aclname dst ip-address/mask ... # URL host's IP address [slow]
+ acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
# The arp ACL requires the special configure option --enable-arp-acl.
acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
# ranges are alloed
- acl aclname myport 3128 ... # local socket TCP port [fast]
+ acl aclname localport 3128 ... # TCP port the client connected to [fast]
+ # NP: for interception mode this is usually '80'
+
acl aclname myportname 3128 ... # http(s)_port name [fast]
acl aclname proto HTTP FTP ... # request protocol [fast]
acl aclname maxconn number
# This will be matched when the client's IP address has
- # more than <number> HTTP connections established. [fast]
+ # more than <number> TCP connections established. [fast]
+ # NOTE: This only measures direct TCP links so X-Forwarded-For
+ # indirect clients are not counted.
acl aclname max_user_ip [-s] number
# This will be matched when the user attempts to log in from more
#
# Recommended minimum configuration:
#
-acl manager proto cache_object
-acl localhost src 127.0.0.1/32 ::1
-acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
Controls whether the indirect client address
(see follow_x_forwarded_for) is used instead of the
direct client address in acl matching.
+
+ NOTE: maxconn ACL considers direct TCP links and indirect
+ clients will always have zero. So no match.
DOC_END
NAME: delay_pool_uses_indirect_client
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
-http_access allow manager localhost
+http_access allow localhost manager
http_access deny manager
# Deny requests to certain unsafe ports
NAME: miss_access
TYPE: acl_access
LOC: Config.accessList.miss
-DEFAULT: allow all
+DEFAULT: none
DOC_START
Use to force your neighbors to use you as a sibling instead of
a parent. For example:
connections using the client IP address.
NP: disables authentication and maybe IPv6 on the port.
- accel Accelerator mode. Also needs at least one of
- vhost / vport / defaultsite.
+ accel Accelerator / reverse proxy mode
ssl-bump Intercept each CONNECT request matching ssl_bump ACL,
establish secure connection with the client and with
Accelerator Mode Options:
- allow-direct Allow direct forwarding in accelerator mode. Normally
- accelerated requests are denied direct forwarding as if
- never_direct was used.
-
defaultsite=domainname
What to use for the Host: header if it is not present
in a request. Determines what site (not origin server)
accelerators should consider the default.
- Implies accel.
- vhost Using the Host header for virtual domain support.
- Also uses the port as specified in Host: header.
+ no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
+
+ protocol= Protocol to reconstruct accelerated requests with.
+ Defaults to http for http_port and https for
+ https_port
- vport IP based virtual host support. Using the http_port number
- in passed on Host: headers.
+ vport Virtual host port support. Using the http_port number
+ instead of the port passed on Host: headers.
- vport=NN Uses the specified port number rather than the
- http_port number.
+ vport=NN Virtual host port support. Using the specified port
+ number instead of the port passed on Host: headers.
- protocol= Protocol to reconstruct accelerated requests with.
- Defaults to http://.
+ act-as-origin
+ Act as if this Squid is the origin server.
+ This currently means generate new Date: and Expires:
+ headers on HIT instead of adding Age:.
ignore-cc Ignore request Cache-Control headers.
- Warning: This option violates HTTP specifications if
+ WARNING: This option violates HTTP specifications if
used in non-accelerator setups.
+ allow-direct Allow direct forwarding in accelerator mode. Normally
+ accelerated requests are denied direct forwarding as if
+ never_direct was used.
+
+ WARNING: this option opens accelerator mode to security
+ vulnerabilities usually only affecting in interception
+ mode. Make sure to protect forwarding with suitable
+ http_access rules when using this.
+
SSL Bump Mode Options:
DEFAULT: none
LOC: Config.Sockaddr.https
DOC_START
- Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
+ Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
The socket address where Squid will listen for HTTPS client
requests.
You may specify multiple socket addresses on multiple lines,
each with their own SSL certificate and/or options.
- Options:
+ Modes:
+
+ accel Accelerator / reverse proxy mode
- accel Accelerator mode. Also needs at least one of
- defaultsite or vhost.
+ Omitting the mode flag causes default forward proxy mode to be used.
- defaultsite= The name of the https site presented on
- this port. Implies accel.
- vhost Accelerator mode using Host header for virtual
- domain support. Requires a wildcard certificate
- or other certificate valid for more than one domain.
- Implies accel.
+ See http_port for a list of generic options
- protocol= Protocol to reconstruct accelerated requests with.
- Defaults to https.
+
+ SSL Options:
cert= Path to SSL certificate (PEM format).
sslcontext= SSL session ID context identifier.
- vport Accelerator with IP based virtual host support.
-
- vport=NN As above, but uses specified port number rather
- than the https_port number. Implies accel.
-
- name= Specifies a internal name for the port. Defaults to
- the port specification (port or addr:port)
-
DOC_END
NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
NAME: tcp_outgoing_mark
TYPE: acl_nfmark
-IFDEF: SO_MARK
+IFDEF: SO_MARK&&USE_LIBCAP
DEFAULT: none
LOC: Ip::Qos::TheConfig.nfmarkToServer
DOC_START
NAME: clientside_mark
TYPE: acl_nfmark
-IFDEF: SO_MARK
+IFDEF: SO_MARK&&USE_LIBCAP
DEFAULT: none
LOC: Ip::Qos::TheConfig.nfmarkToClient
DOC_START
tcp_outgoing_address ipaddr [[!]aclname] ...
- Example where requests from 10.0.0.0/24 will be forwarded
- with source address 10.1.0.1, 10.0.2.0/24 forwarded with
- source address 10.1.0.2 and the rest will be forwarded with
- source address 10.1.0.3.
+ For example;
+ Forwarding clients with dedicated IPs for certain subnets.
- acl normal_service_net src 10.0.0.0/24
- acl good_service_net src 10.0.2.0/24
- tcp_outgoing_address 10.1.0.1 normal_service_net
- tcp_outgoing_address 10.1.0.2 good_service_net
- tcp_outgoing_address 10.1.0.3
+ acl normal_service_net src 10.0.0.0/24
+ acl good_service_net src 10.0.2.0/24
+
+ tcp_outgoing_address 2001:db8::c001 good_service_net
+ tcp_outgoing_address 10.1.0.2 good_service_net
+
+ tcp_outgoing_address 2001:db8::beef normal_service_net
+ tcp_outgoing_address 10.1.0.1 normal_service_net
+
+ tcp_outgoing_address 2001:db8::1
+ tcp_outgoing_address 10.1.0.3
Processing proceeds in the order specified, and stops at first fully
matching line.
- Note: The use of this directive using client dependent ACLs is
+ Squid will add an implicit IP version test to each line.
+ Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
+ Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
+
+
+ NOTE: The use of this directive using client dependent ACLs is
incompatible with the use of server side persistent connections. To
ensure correct results it is best to set server_persistent_connections
to off when using this directive in such configurations.
- Note: The use of this directive to set a local IP on outgoing TCP links
+ NOTE: The use of this directive to set a local IP on outgoing TCP links
is incompatible with using TPROXY to set client IP out outbound TCP links.
- When needing to contact peers use the no-tproxy cache_peer option to
- re-enable normal forwarding such as this.
-
- IPv6 Magic:
-
- Squid is built with a capability of bridging the IPv4 and IPv6
- internets.
- tcp_outgoing_address as exampled above breaks this bridging by forcing
- all outbound traffic through a certain IPv4 which may be on the wrong
- side of the IPv4/IPv6 boundary.
-
- To operate with tcp_outgoing_address and keep the bridging benefits
- an additional ACL needs to be used which ensures the IPv6-bound traffic
- is never forced or permitted out the IPv4 interface.
-
- acl to_ipv6 dst ipv6
- tcp_outgoing_address 2002::c001 good_service_net to_ipv6
- tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
-
- tcp_outgoing_address 2002::beef normal_service_net to_ipv6
- tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
-
- tcp_outgoing_address 2002::1 to_ipv6
- tcp_outgoing_address 10.1.0.3 !to_ipv6
+ When needing to contact peers use the no-tproxy cache_peer option and the
+ client_dst_passthru directive re-enable normal forwarding such as this.
- WARNING:
- 'dst ipv6' bases its selection assuming DIRECT access.
- If peers are used the peername ACL are needed to select outgoing
- address which can link to the peer.
+DOC_END
- 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used
- previously in the http_access rules to locate the destination IP.
- Some more magic may be needed for that:
- http_access allow to_ipv6 !all
- (meaning, allow if to IPv6 but not from anywhere ;)
+NAME: client_dst_passthru
+TYPE: onoff
+DEFAULT: on
+LOC: Config.onoff.client_dst_passthru
+DOC_START
+ With NAT or TPROXY intercepted traffic Squid may pass the request
+ directly to the original client destination IP or seek a faster
+ source.
+
+ This option (on by default) prevents cache_peer and alternative DNS
+ entries being used on intercepted traffic. Both of which lead to
+ the security vulnerability outlined below.
+
+ SECURITY WARNING:
+
+ This directive should only be disabled if cache_peer are required.
+
+ As described in CVE-2009-0801 when the Host: header alone is used
+ to determine the destination of a request it becomes trivial for
+ malicious scripts on remote websites to bypass browser same-origin
+ security policy and sandboxing protections.
+
+ The cause of this is that such applets are allowed to perform their
+ own HTTP stack, in which case the same-origin policy of the browser
+ sandbox only verifies that the applet tries to contact the same IP
+ as from where it was loaded at the IP level. The Host: header may
+ be different from the connected IP and approved origin.
DOC_END
By default, no requests are bumped.
- See also: http_port sslBump
+ See also: http_port ssl-bump
- This clause only supports fast acl types.
+ This clause supports both fast and slow acl types.
See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
to OpenSSL.
DOC_END
-
NAME: sslproxy_cert_error
IFDEF: USE_SSL
DEFAULT: none
Default setting: sslproxy_cert_error deny all
DOC_END
-
-
NAME: sslpassword_program
IFDEF: USE_SSL
DEFAULT: none
than the Squid default location.
+ ==== CARP OPTIONS ====
+
+ carp-key=key-specification
+ use a different key than the full URL to hash against the peer.
+ the key-specification is a comma-separated list of the keywords
+ scheme, host, port, path, params
+ Order is not important.
+
==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
originserver Causes this parent to be contacted as an origin server.
The first principal from the default keytab or defined by
the environment variable KRB5_KTNAME will be used.
+ WARNING: The connection may transmit requests from multiple
+ clients. Negotiate often assumes end-to-end authentication
+ and a single-client. Which is not strictly true here.
+
login=NEGOTIATE:principal_name
If this is a personal/workgroup proxy and your parent
requires a secure proxy authentication.
defined by the environment variable KRB5_KTNAME will be
used.
+ WARNING: The connection may transmit requests from multiple
+ clients. Negotiate often assumes end-to-end authentication
+ and a single-client. Which is not strictly true here.
+
connection-auth=on|off
Tell Squid that this peer does or not support Microsoft
connection oriented authentication, and any such
DOC_START
Controls how many different forward paths Squid will try
before giving up. See also forward_timeout.
+
+ NOTE: connect_retries (default: none) can make each of these
+ possible forwarding paths be tried multiple times.
DOC_END
NAME: hierarchy_stoplist
be handled directly by this cache. In other words, use this
to not query neighbor caches for certain objects. You may
list this option multiple times.
- Note: never_direct overrides this option.
-NOCOMMENT_START
-# We recommend you to use at least the following line.
-hierarchy_stoplist cgi-bin ?
-NOCOMMENT_END
+ Example:
+ hierarchy_stoplist cgi-bin ?
+
+ Note: never_direct overrides this option.
DOC_END
COMMENT_START
no-store, no new objects should be stored to this cache_dir
+ min-size=n, refers to the min object size in bytes this cache_dir
+ will accept. It's used to restrict a cache_dir to only store
+ large objects (e.g. aufs) while other storedirs are optimized
+ for smaller objects (e.g. COSS). Defaults to 0.
+
max-size=n, refers to the max object size in bytes this cache_dir
supports. It is used to select the cache_dir to store the object.
Note: To make optimal use of the max-size limits you should order
NAME: logformat
TYPE: logformat
-LOC: Config.Log.logformats
+LOC: Log::TheConfig
DEFAULT: none
DOC_START
Usage:
>a Client source IP address
>A Client FQDN
>p Client source port
- <A Server IP address or peer name
- la Local IP address (http_port)
- lp Local port number (http_port)
+ >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
+ >la Local IP address the client connected to
+ >lp Local port number the client connected to
+
+ <a Server IP address of the last server or peer connection
+ <A Server FQDN or peer name
+ <p Server port number of the last server or peer connection
+ <la Local IP address of the last server or peer connection
<lp Local port number of the last server or peer connection
Time related format codes:
tr Response time (milliseconds)
dt Total time spent making DNS lookups (milliseconds)
- HTTP cache related format codes:
+ Access Control related format codes:
+
+ et Tag returned by external acl
+ ea Log string returned by external acl
+ un User name (any available)
+ ul User name from authentication
+ ue User name from external acl helper
+ ui User name from ident
+ us User name from SSL
+
+ HTTP related format codes:
[http::]>h Original request header. Optional header name argument
on the format header[:[separator]element]
Optional header name argument as for >h
[http::]<h Reply header. Optional header name argument
as for >h
- [http::]un User name
- [http::]ul User name from authentication
- [http::]ui User name from ident
- [http::]us User name from SSL
- [http::]ue User name from external acl helper
[http::]>Hs HTTP status code sent to the client
[http::]<Hs HTTP status code received from the next hop
[http::]<bs Number of HTTP-equivalent message body bytes
transfer encoding and control messages.
Generated FTP/Gopher listings are treated as
received bodies.
- [http::]Ss Squid request status (TCP_MISS etc)
- [http::]Sh Squid hierarchy status (DEFAULT_PARENT etc)
[http::]mt MIME content type
[http::]rm Request method (GET/POST etc)
- [http::]ru Request URL
+ [http::]>rm Request method from client
+ [http::]<rm Request method sent to server or peer
+ [http::]ru Request URL from client (historic, filtered for logging)
+ [http::]>ru Request URL from client
+ [http::]<ru Request URL sent to server or peer
[http::]rp Request URL-Path excluding hostname
+ [http::]>rp Request URL-Path excluding hostname from client
+ [http::]<rp Request URL-Path excluding hostname sento to server or peer
[http::]rv Request protocol version
- [http::]et Tag returned by external acl
- [http::]ea Log string returned by external acl
+ [http::]>rv Request protocol version from client
+ [http::]<rv Request protocol version sent to server or peer
[http::]<st Sent reply size including HTTP headers
[http::]>st Received request size including HTTP headers. In the
case of chunked requests the chunked encoding metadata
sent to the first selected peer. The timer stops
with the last I/O with the last peer.
- If ICAP is enabled, the following two codes become available (as
+ Squid handling related format codes:
+
+ Ss Squid request status (TCP_MISS etc)
+ Sh Squid hierarchy status (DEFAULT_PARENT etc)
+
+ If ICAP is enabled, the following code becomes available (as
well as ICAP log codes documented with the icap_log option):
icap::tt Total ICAP processing time for the HTTP
ACLs are checked and when ICAP
transaction is in progress.
- icap::<last_h The header of the last ICAP response
- related to the HTTP transaction. Like
- <h, accepts an optional header name
- argument. Will not change semantics
- when multiple ICAP transactions per HTTP
- transaction are supported.
+ If adaptation is enabled the following three codes become available:
- If adaptation is enabled the following two codes become available:
+ adapt::<last_h The header of the last ICAP response or
+ meta-information from the last eCAP
+ transaction related to the HTTP transaction.
+ Like <h, accepts an optional header name
+ argument.
adapt::sum_trs Summed adaptation transaction response
times recorded as a comma-separated list in
The default formats available (which do not need re-defining) are:
-logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
-logformat squidmime %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
-logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
-logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
+logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<a %mt
+logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
+logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
+logformat referrer %ts.%03tu %>a %{Referer}>h %ru
+logformat useragent %>a [%tl] "%{User-Agent}>h"
+
+ NOTE: When the log_mime_hdrs directive is set to ON.
+ The squid, common and combined formats have a safely encoded copy
+ of the mime headers appended to each line within a pair of brackets.
+
+ NOTE: The common and combined formats are not quite true to the Apache definition.
+ The logs from Squid contain an extra status and hierarchy code appended.
+
DOC_END
NAME: access_log cache_access_log
logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
- See also: logformat, log_icap, and %icap::<last_h
+ See also: logformat, log_icap, and %adapt::<last_h
DOC_END
NAME: logfile_daemon
L<data>\n - logfile data
R\n - rotate file
T\n - truncate file
- O\n - repoen file
+ O\n - reopen file
F\n - flush file
r<n>\n - set rotate count to <n>
b<n>\n - 1 = buffer output, 0 = don't buffer output
DOC_END
NAME: emulate_httpd_log
-COMMENT: on|off
-TYPE: onoff
-DEFAULT: off
-LOC: Config.onoff.common_log
+TYPE: obsolete
DOC_START
- The Cache can emulate the log file format which many 'httpd'
- programs use. To disable/enable this emulation, set
- emulate_httpd_log to 'off' or 'on'. The default
- is to use the native log format since it includes useful
- information Squid-specific log analyzers use.
+ Replace this with an access_log directive using the format 'common' or 'combined'.
DOC_END
NAME: log_ip_on_direct
-COMMENT: on|off
-TYPE: onoff
-DEFAULT: on
-LOC: Config.onoff.log_ip_on_direct
+TYPE: obsolete
DOC_START
- Log the destination IP address in the hierarchy log tag when going
- direct. Earlier Squid versions logged the hostname here. If you
- prefer the old way set this to off.
+ Remove this option from your config. To log server or peer names use %<A in the log format.
DOC_END
NAME: mime_table
DOC_END
NAME: useragent_log
-TYPE: string
-LOC: Config.Log.useragent
-DEFAULT: none
-IFDEF: USE_USERAGENT_LOG
+TYPE: obsolete
DOC_START
- Squid will write the User-Agent field from HTTP requests
- to the filename specified here. By default useragent_log
- is disabled.
+ Replace this with an access_log directive using the format 'useragent'.
DOC_END
NAME: referer_log referrer_log
-TYPE: string
-LOC: Config.Log.referer
-DEFAULT: none
-IFDEF: USE_REFERER_LOG
+TYPE: obsolete
DOC_START
- Squid will write the Referer field from HTTP requests to the
- filename specified here. By default referer_log is disabled.
- Note that "referer" is actually a misspelling of "referrer"
- however the misspelt version has been accepted into the HTTP RFCs
- and we accept both.
+ Replace this with an access_log directive using the format 'referrer'.
DOC_END
NAME: pid_filename
DOC_END
NAME: forward_log
-IFDEF: WIP_FWD_LOG
-TYPE: string
-DEFAULT: none
-LOC: Config.Log.forward
+TYPE: obsolete
DOC_START
- Logs the server-side requests.
-
- This is currently work in progress.
+ Use a regular access.log with ACL limiting it to MISS events.
DOC_END
NAME: strip_query_terms
Requires ftp_passive to be ON (default) for any effect.
DOC_END
+NAME: ftp_eprt
+TYPE: onoff
+DEFAULT: on
+LOC: Config.Ftp.eprt
+DOC_START
+ FTP Protocol extensions permit the use of a special "EPRT" command.
+
+ This extension provides a protocol neutral alternative to the
+ IPv4-only PORT command. When supported it enables active FTP data
+ channels over IPv6 and efficient NAT handling.
+
+ Turning this OFF will prevent EPRT being attempted and will skip
+ straight to using PORT for IPv4 servers.
+
+ Some devices are known to not handle this extension correctly and
+ may result in crashes. Devices which suport EPRT enough to fail
+ cleanly will result in Squid attempting PORT anyway. This directive
+ should only be disabled when EPRT results in device failures.
+
+ WARNING: Doing so will convert Squid back to the old behavior with all
+ the related problems with external NAT devices/layers and IPv4-only FTP.
+DOC_END
+
NAME: ftp_sanitycheck
TYPE: onoff
DEFAULT: on
LOC: Config.Program.redirect
DEFAULT: none
DOC_START
- Specify the location of the executable for the URL rewriter.
+ Specify the location of the executable URL rewriter to use.
Since they can perform almost any function there isn't one included.
- For each requested URL rewriter will receive on line with the format
+ For each requested URL, the rewriter will receive on line with the format
URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
The rewriter can also indicate that a client-side redirect should
be performed to the new URL. This is done by prefixing the returned
- URL with "301:" (moved permanently) or 302: (moved temporarily).
+ URL with "301:" (moved permanently) or 302: (moved temporarily), etc.
By default, a URL rewriter is not used.
DOC_END
See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
DOC_END
+NAME: max_stale
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.maxStale
+DEFAULT: 1 week
+DOC_START
+ This option puts an upper limit on how stale content Squid
+ will serve from the cache if cache validation fails.
+ Can be overriden by the refresh_pattern max-stale option.
+DOC_END
+
NAME: refresh_pattern
TYPE: refreshpattern
LOC: Config.Refresh
ignore-must-revalidate
ignore-private
ignore-auth
+ max-stale=NN
refresh-ims
store-stale
not cache such responses because they usually can't be
reused. Note that such responses will be stale by default.
+ max-stale=NN provide a maximum staleness factor. Squid won't
+ serve objects more stale than this even if it failed to
+ validate the object. Default: use the max_stale global limit.
+
Basically a cached object is:
FRESH if expires < now, else STALE
be no limit imposed.
DOC_END
+NAME: client_request_buffer_max_size
+COMMENT: (bytes)
+TYPE: b_size_t
+DEFAULT: 512 KB
+LOC: Config.maxRequestBufferSize
+DOC_START
+ This specifies the maximum buffer size of a client request.
+ It prevents squid eating too much memory when somebody uploads
+ a large file.
+DOC_END
+
NAME: chunked_request_body_max_size
COMMENT: (bytes)
TYPE: b_int64_t
broken_posts allow buggy_server
DOC_END
-NAME: icap_uses_indirect_client
+NAME: adaptation_uses_indirect_client icap_uses_indirect_client
COMMENT: on|off
TYPE: onoff
-IFDEF: FOLLOW_X_FORWARDED_FOR&&ICAP_CLIENT
+IFDEF: FOLLOW_X_FORWARDED_FOR&&USE_ADAPTATION
DEFAULT: on
-LOC: Adaptation::Icap::TheConfig.icap_uses_indirect_client
+LOC: Adaptation::Config::use_indirect_client
DOC_START
- Controls whether the indirect client address
- (see follow_x_forwarded_for) instead of the
- direct client address is passed to an ICAP
- server as "X-Client-IP".
+ Controls whether the indirect client IP address (instead of the direct
+ client IP address) is passed to adaptation services.
+
+ See also: follow_x_forwarded_for adaptation_send_client_ip
DOC_END
NAME: via
performed).
DOC_END
-NAME: header_replace
+NAME: request_header_replace header_replace
IFDEF: USE_HTTP_VIOLATIONS
TYPE: http_header_replace[]
LOC: Config.request_header_access
DEFAULT: none
DOC_START
- Usage: header_replace header_name message
- Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
+ Usage: request_header_replace header_name message
+ Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
This option allows you to change the contents of headers
- denied with header_access above, by replacing them with
- some fixed string. This replaces the old fake_user_agent
+ denied with request_header_access above, by replacing them
+ with some fixed string. This replaces the old fake_user_agent
option.
This only applies to request headers, not reply headers.
By default, headers are removed if denied.
DOC_END
+NAME: reply_header_replace
+IFDEF: USE_HTTP_VIOLATIONS
+TYPE: http_header_replace[]
+LOC: Config.reply_header_access
+DEFAULT: none
+DOC_START
+ Usage: reply_header_replace header_name message
+ Example: reply_header_replace Server Foo/1.0
+
+ This option allows you to change the contents of headers
+ denied with reply_header_access above, by replacing them
+ with some fixed string.
+
+ This only applies to reply headers, not request headers.
+
+ By default, headers are removed if denied.
+DOC_END
+
NAME: relaxed_header_parser
COMMENT: on|off|warn
TYPE: tristate
DOC_NONE
NAME: announce_port
-TYPE: ushort
+TYPE: u_short
DEFAULT: 3131
LOC: Config.Announce.port
DOC_START
class 5 Requests are grouped according their tag (see
external_acl's tag= reply).
+
+ Each pool also requires a delay_parameters directive to configure the pool size
+ and speed limits used whenever the pool is applied to a request. Along with
+ a set of delay_access directives to determine when it is used.
+
NOTE: If an IP address is a.b.c.d
-> bits 25 through 32 are "d"
-> bits 17 through 24 are "c"
DOC_START
This defines the parameters for a delay pool. Each delay pool has
a number of "buckets" associated with it, as explained in the
- description of delay_class. For a class 1 delay pool, the syntax is:
+ description of delay_class.
-delay_parameters pool aggregate
+ For a class 1 delay pool, the syntax is:
+ delay_pools pool 1
+ delay_parameters pool aggregate
For a class 2 delay pool:
-
-delay_parameters pool aggregate individual
+ delay_pools pool 2
+ delay_parameters pool aggregate individual
For a class 3 delay pool:
-
-delay_parameters pool aggregate network individual
+ delay_pools pool 3
+ delay_parameters pool aggregate network individual
For a class 4 delay pool:
-
-delay_parameters pool aggregate network individual user
+ delay_pools pool 4
+ delay_parameters pool aggregate network individual user
For a class 5 delay pool:
+ delay_pools pool 5
+ delay_parameters pool tagrate
-delay_parameters pool tag
-
- The variables here are:
+ The option variables are:
pool a pool number - ie, a number between 1 and the
number specified in delay_pools as used in
delay_class lines.
- aggregate the "delay parameters" for the aggregate bucket
+ aggregate the speed limit parameters for the aggregate bucket
(class 1, 2, 3).
- individual the "delay parameters" for the individual
+ individual the speed limit parameters for the individual
buckets (class 2, 3).
- network the "delay parameters" for the network buckets
+ network the speed limit parameters for the network buckets
(class 3).
- user the delay parameters for the user buckets
+ user the speed limit parameters for the user buckets
(class 4).
- tag the delay parameters for the tag buckets
+ tagrate the speed limit parameters for the tag buckets
(class 5).
A pair of delay parameters is written restore/maximum, where restore is
quoted in bits) per second placed into the bucket, and maximum is the
maximum number of bytes which can be in the bucket at any time.
+ There must be one delay_parameters line for each delay pool.
+
+
For example, if delay pool number 1 is a class 2 delay pool as in the
- above example, and is being used to strictly limit each host to 64kbps
+ above example, and is being used to strictly limit each host to 64Kbit/sec
(plus overheads), with no overall limit, the line is:
-delay_parameters 1 -1/-1 8000/8000
+ delay_parameters 1 -1/-1 8000/8000
+
+ Note that 8 x 8000 KByte/sec -> 64Kbit/sec.
Note that the figure -1 is used to represent "unlimited".
+
And, if delay pool number 2 is a class 3 delay pool as in the above
- example, and you want to limit it to a total of 256kbps (strict limit)
- with each 8-bit network permitted 64kbps (strict limit) and each
- individual host permitted 4800bps with a bucket maximum size of 64kb
+ example, and you want to limit it to a total of 256Kbit/sec (strict limit)
+ with each 8-bit network permitted 64Kbit/sec (strict limit) and each
+ individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
to permit a decent web page to be downloaded at a decent speed
(if the network is not being limited due to overuse) but slow down
large downloads more significantly:
-delay_parameters 2 32000/32000 8000/8000 600/8000
+ delay_parameters 2 32000/32000 8000/8000 600/8000
+
+ Note that 8 x 32000 KByte/sec -> 256Kbit/sec.
+ 8 x 8000 KByte/sec -> 64Kbit/sec.
+ 8 x 600 Byte/sec -> 4800bit/sec.
- There must be one delay_parameters line for each delay pool.
Finally, for a class 4 delay pool as in the example - each user will
- be limited to 128Kb no matter how many workstations they are logged into.:
+ be limited to 128Kbits/sec no matter how many workstations they are logged into.:
-delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
+ delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
DOC_END
NAME: delay_initial_bucket_level
COMMENT: (percent, 0-100)
-TYPE: ushort
+TYPE: u_short
DEFAULT: 50
IFDEF: USE_DELAY_POOLS
LOC: Config.Delay.initial
NAME: client_delay_initial_bucket_level
COMMENT: (percent, 0-no_limit)
-TYPE: ushort
+TYPE: u_short
DEFAULT: 50
IFDEF: USE_DELAY_POOLS
LOC: Config.ClientDelay.initial
COMMENT_END
NAME: snmp_port
-TYPE: ushort
+TYPE: u_short
LOC: Config.Port.snmp
DEFAULT: 0
IFDEF: SQUID_SNMP
COMMENT_END
NAME: icp_port udp_port
-TYPE: ushort
+TYPE: u_short
DEFAULT: 0
LOC: Config.Port.icp
DOC_START
NAME: htcp_port
IFDEF: USE_HTCP
-TYPE: ushort
+TYPE: u_short
DEFAULT: 0
LOC: Config.Port.htcp
DOC_START
NAME: mcast_miss_ttl
IFDEF: MULTICAST_MISS_STREAM
-TYPE: ushort
+TYPE: u_short
LOC: Config.mcast_miss.ttl
DEFAULT: 16
DOC_START
NAME: mcast_miss_port
IFDEF: MULTICAST_MISS_STREAM
-TYPE: ushort
+TYPE: u_short
LOC: Config.mcast_miss.port
DEFAULT: 3135
DOC_START
the first authentication related acl encountered
- When none of the http_access lines matches. It's then the last
acl processed on the last http_access line.
+ - When the decision to deny access was made by an adaptation service,
+ the acl name is the corresponding eCAP or ICAP service_name.
NP: If providing your own custom error pages with error_directory
you may also specify them by your custom file name:
Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
+ By defaut Squid will send "403 Forbidden". A different 4xx or 5xx
+ may be specified by prefixing the file name with the code and a colon.
+ e.g. 404:ERR_CUSTOM_ACCESS_DENIED
+
Alternatively you can tell Squid to reset the TCP connection
by specifying TCP_RESET.
Or you can specify an error URL or URL pattern. The browsers will
- get redirected (302) to the specified URL after formatting tags have
- been replaced.
+ get redirected to the specified URL after formatting tags have
+ been replaced. Redirect will be done with 302 or 307 according to
+ HTTP/1.1 specs. A different 3xx code may be specified by prefixing
+ the URL. e.g. 303:http://example.com/
URL FORMAT TAGS:
%a - username (if available. Password NOT included)
(HTTPS URLs terminate with *)
%u - Full canonical URL from client
%w - Admin email from squid.conf
+ %x - Error name
%% - Literal percent (%) code
DOC_END
an ICAP server.
DOC_END
-NAME: icap_send_client_ip
+NAME: adaptation_send_client_ip icap_send_client_ip
TYPE: onoff
-IFDEF: ICAP_CLIENT
+IFDEF: USE_ADAPTATION
COMMENT: on|off
-LOC: Adaptation::Icap::TheConfig.send_client_ip
+LOC: Adaptation::Config::send_client_ip
DEFAULT: off
DOC_START
- This adds the header "X-Client-IP" to ICAP requests.
+ If enabled, Squid shares HTTP client IP information with adaptation
+ services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
+ For eCAP, Squid sets the libecap::metaClientIp transaction option.
+
+ See also: adaptation_uses_indirect_client
DOC_END
-NAME: icap_send_client_username
+NAME: adaptation_send_username icap_send_client_username
TYPE: onoff
-IFDEF: ICAP_CLIENT
+IFDEF: USE_ADAPTATION
COMMENT: on|off
-LOC: Adaptation::Icap::TheConfig.send_client_username
+LOC: Adaptation::Config::send_username
DEFAULT: off
DOC_START
This sends authenticated HTTP client username (if available) to
- the ICAP service. The username value is encoded based on the
+ the adaptation service.
+
+ For ICAP, the username value is encoded based on the
icap_client_username_encode option and is sent using the header
specified by the icap_client_username_header option.
DOC_END
LOC: Adaptation::Icap::TheConfig.client_username_header
DEFAULT: X-Client-Username
DOC_START
- ICAP request header name to use for send_client_username.
+ ICAP request header name to use for adaptation_send_username.
DOC_END
NAME: icap_client_username_encode
is to use IPv4-only connections. When set to 'on' this option will
make Squid use IPv6-only connections to contact this ICAP service.
+ on-overload=block|bypass|wait|force
+ If the service Max-Connections limit has been reached, do
+ one of the following for each new ICAP transaction:
+ * block: send an HTTP error response to the client
+ * bypass: ignore the "over-connected" ICAP service
+ * wait: wait (in a FIFO queue) for an ICAP connection slot
+ * force: proceed, ignoring the Max-Connections limit
+
+ In SMP mode with N workers, each worker assumes the service
+ connection limit is Max-Connections/N, even though not all
+ workers may use a given service.
+
+ The default value is "bypass" if service is bypassable,
+ otherwise it is set to "wait".
+
+
+ max-conn=number
+ Use the given number as the Max-Connections limit, regardless
+ of the Max-Connections value given by the service, if any.
+
Older icap_service format without optional named parameters is
deprecated but supported for backward compatibility.
An ICAP REQMOD or RESPMOD transaction may set an entry in the
shared table by returning an ICAP header field with a name
- specified in adaptation_masterx_shared_names. Squid will store
- and forward that ICAP header field to subsequent ICAP
+ specified in adaptation_masterx_shared_names.
+
+ An eCAP REQMOD or RESPMOD transaction may set an entry in the
+ shared table by implementing the libecap::visitEachOption() API
+ to provide an option with a name specified in
+ adaptation_masterx_shared_names.
+
+ Squid will store and forward the set entry to subsequent adaptation
transactions within the same master transaction scope.
Only one shared entry name is supported at this time.
DOC_END
NAME: dns_retransmit_interval
-TYPE: time_t
+TYPE: time_msec
DEFAULT: 5 seconds
LOC: Config.Timeout.idns_retransmit
IFDEF: !USE_DNSSERVERS
DOC_END
NAME: dns_timeout
-TYPE: time_t
-DEFAULT: 2 minutes
+TYPE: time_msec
+DEFAULT: 30 seconds
LOC: Config.Timeout.idns_query
IFDEF: !USE_DNSSERVERS
DOC_START
X-Forwarded-For header.
If set to "truncate", Squid will remove all existing
- X-Forwarded-For entries, and place itself as the sole entry.
+ X-Forwarded-For entries, and place the client IP as the sole entry.
DOC_END
NAME: cachemgr_passwd
see also refresh_pattern for a more selective approach.
DOC_END
-NAME: maximum_single_addr_tries
+NAME: connect_retries
TYPE: int
-LOC: Config.retry.maxtries
-DEFAULT: 1
+LOC: Config.connect_retries
+DEFAULT: 0
DOC_START
- This sets the maximum number of connection attempts for a
- host that only has one address (for multiple-address hosts,
- each address is tried once).
+ This sets the maximum number of connection attempts made for each
+ TCP connection. The connect_retries attempts must all still
+ complete within the connection timeout period.
- The default value is one attempt, the (not recommended)
- maximum is 255 tries. A warning message will be generated
- if it is set to a value greater than ten.
+ The default is not to re-try if the first connection attempt fails.
+ The (not recommended) maximum is 10 tries.
- Note: This is in addition to the request re-forwarding which
- takes place if Squid fails to get a satisfying response.
+ A warning message will be generated if it is set to a too-high
+ value and the configured value will be over-ridden.
+
+ Note: These re-tries are in addition to forward_max_tries
+ which limit how many different addresses may be tried to find
+ a useful server.
DOC_END
NAME: retry_on_error
Defaults to off for bandwidth management and access logging
reasons.
+
+ WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
DOC_END
NAME: high_response_time_warning