TYPE: acl
LOC: Config.aclList
DEFAULT: all src all
+DEFAULT: manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
+DEFAULT: localhost src 127.0.0.1/32 ::1
+DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
+DEFAULT_DOC: ACLs all, manager, localhost, and to_localhost are predefined.
DOC_START
Defining an Access List
#
# Recommended minimum configuration:
#
-acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
-acl localhost src 127.0.0.1/32 ::1
-acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
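Review bot: the `+DEFAULT_DOC` line says the four ACLs are predefined but does not say what happens to a squid.conf that still carries the removed `acl localhost src 127.0.0.1/32 ::1` / `acl to_localhost dst ...` lines after an upgrade; state whether re-defining a built-in ACL is an error, a warning, or merged silently, since every config produced from the old "Recommended minimum configuration" block has them. Also worth one sentence that the predefined `manager` ACL only identifies manager URLs (its `[^/]+` host part matches any host) and that restricting it to `localhost` via `http_access` remains the administrator's job.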
NAME: miss_access
TYPE: acl_access
LOC: Config.accessList.miss
-DEFAULT: allow all
+DEFAULT: none
DOC_START
Use to force your neighbors to use you as a sibling instead of
a parent. For example:
connections using the client IP address.
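Review bot: changing `DEFAULT: allow all` to `DEFAULT: none` changes what an absent `miss_access` means, but the DOC_START text only describes the sibling-forcing use case; add a sentence stating the effective behaviour when no `miss_access` line is configured (allow as before, or deny) so the change cannot be misread as access control silently tightening on upgrade.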
NP: disables authentication and maybe IPv6 on the port.
- accel Accelerator mode. Also needs at least one of
- vhost / vport / defaultsite.
+ accel Accelerator / reverse proxy mode
ssl-bump Intercept each CONNECT request matching ssl_bump ACL,
establish secure connection with the client and with
Accelerator Mode Options:
- allow-direct Allow direct forwarding in accelerator mode. Normally
- accelerated requests are denied direct forwarding as if
- never_direct was used.
-
defaultsite=domainname
What to use for the Host: header if it is not present
in a request. Determines what site (not origin server)
accelerators should consider the default.
- Implies accel.
- vhost Using the Host header for virtual domain support.
- Also uses the port as specified in Host: header.
+ no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
- vport IP based virtual host support. Using the http_port number
- in passed on Host: headers.
+ protocol= Protocol to reconstruct accelerated requests with.
+ Defaults to http for http_port and https for
+ https_port
- vport=NN Uses the specified port number rather than the
- http_port number.
+ vport Virtual host port support. Using the http_port number
+ instead of the port passed on Host: headers.
- protocol= Protocol to reconstruct accelerated requests with.
- Defaults to http://.
+ vport=NN Virtual host port support. Using the specified port
+ number instead of the port passed on Host: headers.
act-as-origin
Act as if this Squid is the origin server.
ignore-cc Ignore request Cache-Control headers.
- Warning: This option violates HTTP specifications if
+ WARNING: This option violates HTTP specifications if
used in non-accelerator setups.
+ allow-direct Allow direct forwarding in accelerator mode. Normally
+ accelerated requests are denied direct forwarding as if
+ never_direct was used.
+
+ WARNING: this option opens accelerator mode to security
+ vulnerabilities usually only affecting in interception
+ mode. Make sure to protect forwarding with suitable
+ http_access rules when using this.
+
SSL Bump Mode Options:
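Review bot: the new `allow-direct` WARNING reads "vulnerabilities usually only affecting in interception mode"; drop "in" (or reword to "that usually affect only interception mode"). Substantively, `+ accel` drops the old "Also needs at least one of vhost / vport / defaultsite" requirement and `+ no-vhost` implies Host:-based virtual hosting is now on by default in accel mode; say so explicitly under `accel` (e.g. "Host: header virtual hosting is enabled unless no-vhost is given"), because `defaultsite=` also lost its "Implies accel." line and a reader can no longer tell which flags are required together.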
DEFAULT: none
LOC: Config.Sockaddr.https
DOC_START
- Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
+ Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
The socket address where Squid will listen for HTTPS client
requests.
You may specify multiple socket addresses on multiple lines,
each with their own SSL certificate and/or options.
- Options:
+ Modes:
+
+ accel Accelerator / reverse proxy mode
- accel Accelerator mode. Also needs at least one of
- defaultsite or vhost.
+ Omitting the mode flag causes default forward proxy mode to be used.
- defaultsite= The name of the https site presented on
- this port. Implies accel.
- vhost Accelerator mode using Host header for virtual
- domain support. Requires a wildcard certificate
- or other certificate valid for more than one domain.
- Implies accel.
+ See http_port for a list of generic options
- protocol= Protocol to reconstruct accelerated requests with.
- Defaults to https.
+
+ SSL Options:
cert= Path to SSL certificate (PEM format).
sslcontext= SSL session ID context identifier.
- vport Accelerator with IP based virtual host support.
-
- vport=NN As above, but uses specified port number rather
- than the https_port number. Implies accel.
-
- name= Specifies a internal name for the port. Defaults to
- the port specification (port or addr:port)
-
DOC_END
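Review bot: removing the `vhost` entry also removes its caveat that Host:-based virtual hosting on an HTTPS port "Requires a wildcard certificate or other certificate valid for more than one domain"; that caveat is specific to https_port and is not covered by "See http_port for a list of generic options", so keep it under the new `SSL Options:` heading next to `cert=`. Likewise confirm that `name=` (removed here) is documented in the http_port option list, otherwise its only documentation is gone.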
NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
DOC_END
+NAME: client_dst_passthru
+TYPE: onoff
+DEFAULT: on
+LOC: Config.onoff.client_dst_passthru
+DOC_START
+ With NAT or TPROXY intercepted traffic Squid may pass the request
+ directly to the original client destination IP or seek a faster
+ source.
+
+ This option (on by default) prevents cache_peer and alternative DNS
+ entries being used on intercepted traffic. Both of which lead to
+ the security vulnerability outlined below.
+
+ SECURITY WARNING:
+
+ This directive should only be disabled if cache_peer are required.
+
+ As described in CVE-2009-0801 when the Host: header alone is used
+ to determine the destination of a request it becomes trivial for
+ malicious scripts on remote websites to bypass browser same-origin
+ security policy and sandboxing protections.
+
+ The cause of this is that such applets are allowed to perform their
+ own HTTP stack, in which case the same-origin policy of the browser
+ sandbox only verifies that the applet tries to contact the same IP
+ as from where it was loaded at the IP level. The Host: header may
+ be different from the connected IP and approved origin.
+
+DOC_END
+
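Review bot: the text never states what `client_dst_passthru off` actually does; from the SECURITY WARNING it appears to mean that cache_peer selection or alternative DNS answers (driven by the Host: header) replace the intercepted destination IP, and that should be said in one sentence so admins understand they are opting into the CVE-2009-0801 behaviour. Minor wording: "if cache_peer are required" -> "if cache_peer is required"; "Both of which lead to the security vulnerability outlined below." is a fragment and should be attached to the preceding sentence; "allowed to perform their own HTTP stack" -> "allowed to implement their own HTTP stack".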
COMMENT_START
SSL OPTIONS
-----------------------------------------------------------------------------
than the Squid default location.
+ ==== CARP OPTIONS ====
+
+ carp-key=key-specification
+ use a different key than the full URL to hash against the peer.
+ the key-specification is a comma-separated list of the keywords
+ scheme, host, port, path, params
+ Order is not important.
+
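Review bot: `carp-key=` should spell out that the full URL is the default when the option is absent, whether any keyword is mandatory (can `path` alone be given?), and what `params` covers (the URL query string?), since hashing on a subset of the URL changes which peer a given object lands on; also capitalise "use a different key ..." and "the key-specification ..." to match the surrounding option descriptions.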
==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
originserver Causes this parent to be contacted as an origin server.
be handled directly by this cache. In other words, use this
to not query neighbor caches for certain objects. You may
list this option multiple times.
- Note: never_direct overrides this option.
-NOCOMMENT_START
-# We recommend you to use at least the following line.
-hierarchy_stoplist cgi-bin ?
-NOCOMMENT_END
+ Example:
+ hierarchy_stoplist cgi-bin ?
+
+ Note: never_direct overrides this option.
DOC_END
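Review bot: dropping the NOCOMMENT_START/NOCOMMENT_END block means `hierarchy_stoplist cgi-bin ?` no longer appears in the generated default squid.conf, so dynamic (cgi-bin and query-string) URLs will be requested via neighbour caches in new installs unless the admin adds the line; either keep it in the generated config or note the behaviour change explicitly, since the removed "We recommend you to use at least the following line." text is what made the example effective. Moving "Note: never_direct overrides this option." after the example reads fine.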
COMMENT_START
>a Client source IP address
>A Client FQDN
>p Client source port
- >eui Client EUI (MAC address, EUI-48 or EUI-64 identifier)
- <A Server IP address or peer name
- la Local IP address (http_port)
- lp Local port number (http_port)
+ >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
+ >la Local IP address the client connected to
+ >lp Local port number the client connected to
+
+ <a Server IP address of the last server or peer connection
+ <A Server FQDN or peer name
+ <p Server port number of the last server or peer connection
<la Local IP address of the last server or peer connection
<lp Local port number of the last server or peer connection
tr Response time (milliseconds)
dt Total time spent making DNS lookups (milliseconds)
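Review bot: `la`/`lp` are renamed to `>la`/`>lp`, and `<A` changes meaning from "Server IP address or peer name" to "Server FQDN or peer name" with the IP moving to the new `<a`; any existing custom `logformat` using `%la`, `%lp` or `%<A` will either fail to parse or silently log different data after upgrade. Either keep the old codes as deprecated aliases or list the renames in the doc so admins can update their formats.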
- HTTP cache related format codes:
+ Access Control related format codes:
+
+ et Tag returned by external acl
+ ea Log string returned by external acl
+ un User name (any available)
+ ul User name from authentication
+ ue User name from external acl helper
+ ui User name from ident
+ us User name from SSL
+
+ HTTP related format codes:
[http::]>h Original request header. Optional header name argument
on the format header[:[separator]element]
Optional header name argument as for >h
[http::]<h Reply header. Optional header name argument
as for >h
- [http::]un User name
- [http::]ul User name from authentication
- [http::]ui User name from ident
- [http::]us User name from SSL
- [http::]ue User name from external acl helper
[http::]>Hs HTTP status code sent to the client
[http::]<Hs HTTP status code received from the next hop
[http::]<bs Number of HTTP-equivalent message body bytes
transfer encoding and control messages.
Generated FTP/Gopher listings are treated as
received bodies.
- [http::]Ss Squid request status (TCP_MISS etc)
- [http::]Sh Squid hierarchy status (DEFAULT_PARENT etc)
[http::]mt MIME content type
[http::]rm Request method (GET/POST etc)
[http::]>rm Request method from client
[http::]rv Request protocol version
[http::]>rv Request protocol version from client
[http::]<rv Request protocol version sent to server or peer
- [http::]et Tag returned by external acl
- [http::]ea Log string returned by external acl
[http::]<st Sent reply size including HTTP headers
[http::]>st Received request size including HTTP headers. In the
case of chunked requests the chunked encoding metadata
sent to the first selected peer. The timer stops
with the last I/O with the last peer.
+ Squid handling related format codes:
+
+ Ss Squid request status (TCP_MISS etc)
+ Sh Squid hierarchy status (DEFAULT_PARENT etc)
+
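Review bot: `un`, `ul`, `ui`, `us`, `ue`, `et`, `ea`, `Ss` and `Sh` are moved out of the `[http::]` prefix, but the hunk does not say whether `%http::un` and friends remain accepted; state that (deprecated alias or parse error) next to the new "Access Control related format codes" heading. A sentence that `ue`, `et` and `ea` are only populated when an external ACL helper was consulted would also avoid confusion over empty fields.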
If ICAP is enabled, the following code becomes available (as
well as ICAP log codes documented with the icap_log option):
The default formats available (which do not need re-defining) are:
-logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
+logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<a %mt
logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
logformat referrer %ts.%03tu %>a %{Referer}>h %ru
logformat useragent %>a [%tl] "%{User-Agent}>h"
- When the log_mime_hdrs directive is set to ON. The squid, common and combined
- formats have a safely encoded copy of the mime headers appended to each line
- within a pair of brackets.
+ NOTE: When the log_mime_hdrs directive is set to ON.
+ The squid, common and combined formats have a safely encoded copy
+ of the mime headers appended to each line within a pair of brackets.
+
+ NOTE: The common and combined formats are not quite true to the Apache definition.
+ The logs from Squid contain an extra status and hierarchy code appended.
- The common and combined formats are not quite true to the Apache definition.
- The logs from Squid contain an extra status and hierarchy code appended.
DOC_END
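Review bot: the default `squid` logformat now uses `%<a` (always the server or peer IP) where it used `%<A` (previously IP or peer name), so the hierarchy field will contain peer IP addresses instead of peer names for peer-served requests and log parsers keyed on peer names need to be told; add a line under the NOTEs listing this change. The two NOTE paragraphs are otherwise a relabelling of the removed text and read fine.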
NAME: access_log cache_access_log
DOC_END
NAME: log_ip_on_direct
-COMMENT: on|off
-TYPE: onoff
-DEFAULT: on
-LOC: Config.onoff.log_ip_on_direct
+TYPE: obsolete
DOC_START
- Log the destination IP address in the hierarchy log tag when going
- direct. Earlier Squid versions logged the hostname here. If you
- prefer the old way set this to off.
+ Remove this option from your config. To log server or peer names use %<A in the log format.
DOC_END
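Review bot: the obsolete message only tells admins how to get names back (`%<A`); since the previous default (`on`) logged the IP address, add `%<a` to the message as the IP equivalent so both former settings have a stated replacement. Dropping COMMENT/DEFAULT/LOC for `TYPE: obsolete` is correct.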
NAME: mime_table