across all Squid processes.
COMMENT_END
+# options still not yet ported from 2.7 to 3.x
+NAME: broken_vary_encoding
+TYPE: obsolete
+DOC_START
+ This option is not yet supported by Squid-3.
+DOC_END
+
+NAME: cache_vary
+TYPE: obsolete
+DOC_START
+ This option is not yet supported by Squid-3.
+DOC_END
+
+NAME: collapsed_forwarding
+TYPE: obsolete
+DOC_START
+ This option is not yet supported by Squid-3. see http://bugs.squid-cache.org/show_bug.cgi?id=3495
+DOC_END
+
+NAME: error_map
+TYPE: obsolete
+DOC_START
+ This option is not yet supported by Squid-3.
+DOC_END
+
+NAME: external_refresh_check
+TYPE: obsolete
+DOC_START
+ This option is not yet supported by Squid-3.
+DOC_END
+
+NAME: ignore_ims_on_miss
+TYPE: obsolete
+DOC_START
+ This option is not yet supported by Squid-3.
+DOC_END
+
+NAME: location_rewrite_program location_rewrite_access location_rewrite_children location_rewrite_concurrency
+TYPE: obsolete
+DOC_START
+ This option is not yet supported by Squid-3.
+DOC_END
+
+NAME: refresh_stale_hit
+TYPE: obsolete
+DOC_START
+ This option is not yet supported by Squid-3.
+DOC_END
+
+# no Options Removed in 3.3
+
# Options Removed in 3.2
NAME: ignore_expect_100
TYPE: obsolete
NAME: dns_v4_fallback
TYPE: obsolete
DOC_START
- Remove this line.
+ Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
DOC_END
NAME: ftp_list_width
Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
DOC_END
+NAME: maximum_single_addr_tries
+TYPE: obsolete
+DOC_START
+ Replaced by connect_retries. The behaviour has changed, please read the documentation before altering.
+DOC_END
+
+NAME: update_headers
+TYPE: obsolete
+DOC_START
+ Remove this line. The feature is supported by default in storage types where update is implemented.
+DOC_END
+
NAME: url_rewrite_concurrency
TYPE: obsolete
DOC_START
Remove this line. All valid methods for HTTP are accepted by default.
DOC_END
+# 2.7 Options Removed/Replaced in 3.2
+NAME: zero_buffers
+TYPE: obsolete
+DOC_NONE
+
# 2.7 Options Removed/Replaced in 3.1
NAME: incoming_rate
TYPE: obsolete
Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
DOC_END
+NAME: wais_relay_host
+TYPE: obsolete
+DOC_START
+ Replace this line with 'cache_peer' configuration.
+DOC_END
+
+NAME: wais_relay_port
+TYPE: obsolete
+DOC_START
+ Replace this line with 'cache_peer' configuration.
+DOC_END
+
COMMENT_START
OPTIONS FOR AUTHENTICATION
-----------------------------------------------------------------------------
"program" cmdline
Specify the command for the external authenticator. Such a program
- reads a line containing "username password" and replies "OK" or
- "ERR" in an endless loop. "ERR" responses may optionally be followed
- by a error description available as %m in the returned error page.
+ reads a line containing "username password" and replies with one of
+ three results:
+
+ OK
+ the user exists.
+
+ ERR
+ the user does not exist.
+
+ BH
+ An internal error occurred in the helper, preventing
+ a result being identified.
+
+ "ERR" and "BH" results may optionally be followed by message="..."
+ containing a description available as %m in the returned error page.
+
If you use an authenticator, make sure you have 1 acl of type
proxy_auth.
auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
"utf8" on|off
- HTTP uses iso-latin-1 as characterset, while some authentication
+ HTTP uses iso-latin-1 as character set, while some authentication
backends such as LDAP expects UTF-8. If this is set to on Squid will
translate the HTTP iso-latin-1 charset to UTF-8 before sending the
username & password to the helper.
supports one request at a time. Setting this to a number greater than
0 changes the protocol used to include a channel number first on the
request/response line, allowing multiple requests to be sent to the
- same helper in parallell without wating for the response.
+ same helper in parallel without waiting for the response.
Must not be set unless it's known the helper supports this.
auth_param basic children 20 startup=0 idle=1
"program" cmdline
Specify the command for the external authenticator. Such
a program reads a line containing "username":"realm" and
- replies with the appropriate H(A1) value hex encoded or
- ERR if the user (or his H(A1) hash) does not exists.
- See rfc 2616 for the definition of H(A1).
- "ERR" responses may optionally be followed by a error description
- available as %m in the returned error page.
+ replies with one of three results:
+
+ OK ha1="..."
+ the user exists. The ha1= key is mandatory and
+ contains the appropriate H(A1) value, hex encoded.
+ See rfc 2616 for the definition of H(A1).
+
+ ERR
+ the user does not exist.
+
+ BH
+ An internal error occurred in the helper, preventing
+ a result being identified.
+
+ "ERR" and "BH" results may optionally be followed by message="..."
+ containing a description available as %m in the returned error page.
By default, the digest authentication scheme is not used unless a
program is specified.
auth_param digest program @DEFAULT_PREFIX@/bin/digest_pw_auth @DEFAULT_PREFIX@/etc/digpass
"utf8" on|off
- HTTP uses iso-latin-1 as characterset, while some authentication
+ HTTP uses iso-latin-1 as character set, while some authentication
backends such as LDAP expects UTF-8. If this is set to on Squid will
translate the HTTP iso-latin-1 charset to UTF-8 before sending the
username & password to the helper.
supports one request at a time. Setting this to a number greater than
0 changes the protocol used to include a channel number first on the
request/response line, allowing multiple requests to be sent to the
- same helper in parallell without wating for the response.
+ same helper in parallel without waiting for the response.
Must not be set unless it's known the helper supports this.
auth_param digest children 20 startup=0 idle=1
"nonce_strictness" on|off
Determines if squid requires strict increment-by-1 behavior
for nonce counts, or just incrementing (off - for use when
- useragents generate nonce counts that occasionally miss 1
+ user agents generate nonce counts that occasionally miss 1
(ie, 1,2,4,6)). Default off.
"check_nonce_count" on|off
Such a program reads exchanged NTLMSSP packets with
the browser via Squid until authentication is completed.
If you use an NTLM authenticator, make sure you have 1 acl
- of type proxy_auth. By default, the NTLM authenticator_program
+ of type proxy_auth. By default, the NTLM authenticator program
is not used.
auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
using the Kerberos mechanisms.
If you use a Negotiate authenticator, make sure you have at least
one acl of type proxy_auth active. By default, the negotiate
- authenticator_program is not used.
+ authenticator program is not used.
The only supported program for this role is the ntlm_auth
program distributed as part of Samba, version 4 or later.
The maximum number of authenticator processes to spawn (default 5).
If you start too few Squid will have to wait for them to
process a backlog of credential verifications, slowing it
- down. When crendential verifications are done via a (slow)
+ down. When credential verifications are done via a (slow)
network you are likely to need lots of authenticator
processes.
LOC: Config.authenticateGCInterval
DOC_START
The time period between garbage collection across the username cache.
- This is a tradeoff between memory utilization (long intervals - say
+ This is a trade-off between memory utilization (long intervals - say
2 days) and CPU (short intervals - say 1 minute). Only change if you
have good reason to.
DOC_END
this directive controls how long Squid remembers the IP
addresses associated with each user. Use a small value
(e.g., 60 seconds) if your users might change addresses
- quickly, as is the case with dialups. You might be safe
+ quickly, as is the case with dialup. You might be safe
using a larger value (e.g., 2 hours) in a corporate LAN
environment with relatively static address assignments.
DOC_END
cached entry should be initiated without needing to
wait for a new reply. (default is for no grace period)
protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
- ipv4 / ipv6 IP-mode used to communicate to this helper.
- For compatability with older configurations and helpers
- the default is currently 'ipv4'.
+ ipv4 / ipv6 IP protocol used to communicate with this helper.
+ The default is to auto-detect IPv6 and use it when available.
FORMAT specifications
%% The percent sign. Useful for helpers which need
an unchanging input format.
- In addition to the above, any string specified in the referencing
- acl will also be included in the helper request line, after the
- specified formats (see the "acl external" directive)
- The helper receives lines per the above format specification,
- and returns lines starting with OK or ERR indicating the validity
- of the request and optionally followed by additional keywords with
- more details.
+ General request syntax:
+
+ [channel-ID] FORMAT-values [acl-values ...]
+
+
+ FORMAT-values consists of transaction details expanded with
+ whitespace separation per the config file FORMAT specification
+ using the FORMAT macros listed above.
+
+ acl-values consists of any string specified in the referencing
+ config 'acl ... external' line. see the "acl external" directive.
+
+ Request values sent to the helper are URL escaped to protect
+ each value in requests against whitespaces.
+
+ If using protocol=2.5 then the request sent to the helper is not
+ URL escaped to protect against whitespace.
+
+ NOTE: protocol=3.0 is deprecated as no longer necessary.
+
+ When using the concurrency= option the protocol is changed by
+ introducing a query channel tag in front of the request/response.
+ The query channel tag is a number between 0 and concurrency-1.
+ This value must be echoed back unchanged to Squid as the first part
+ of the response relating to its request.
+
+
+ The helper receives lines expanded per the above format specification
+ and for each input line returns 1 line starting with OK/ERR/BH result
+ code and optionally followed by additional keywords with more details.
+
General result syntax:
- OK/ERR keyword=value ...
+ [channel-ID] result keyword=value ...
+
+ Result consists of one of the codes:
+
+ OK
+ the ACL test produced a match.
+
+ ERR
+ the ACL test does not produce a match.
+
+ BH
+ An internal error occurred in the helper, preventing
+ a result being identified.
+
+ The meaning of 'a match' is determined by your squid.conf
+ access control configuration. See the Squid wiki for details.
Defined keywords:
user= The users name (login)
+
password= The users password (for login= cache_peer option)
- message= Message describing the reason. Available as %o
- in error pages
- tag= Apply a tag to a request (for both ERR and OK results)
- Only sets a tag, does not alter existing tags.
+
+ message= Message describing the reason for this response.
+ Available as %o in error pages.
+ Useful on (ERR and BH results).
+
+ tag= Apply a tag to a request. Only sets a tag once,
+ does not alter existing tags.
+
log= String to be logged in access.log. Available as
- %ea in logformat specifications
+ %ea in logformat specifications.
- If protocol=3.0 (the default) then URL escaping is used to protect
- each value in both requests and responses.
+ Any keywords may be sent on any response whether OK, ERR or BH.
- If using protocol=2.5 then all values need to be enclosed in quotes
- if they may contain whitespace, or the whitespace escaped using \.
- And quotes or \ characters within the keyword value must be \ escaped.
+ All response keyword values need to be a single token with URL
+ escaping, or enclosed in double quotes (") and escaped using \ on
+ any double quotes or \ characters within the value. The wrapping
+ double quotes are removed before the value is interpreted by Squid.
+ \r and \n are also replace by CR and LF.
- When using the concurrency= option the protocol is changed by
- introducing a query channel tag infront of the request/response.
- The query channel tag is a number between 0 and concurrency-1.
+ Some example key values:
+
+ user=John%20Smith
+ user="John Smith"
+ user="J. \"Bob\" Smith"
DOC_END
NAME: acl
TYPE: acl
LOC: Config.aclList
+IF USE_SSL
+DEFAULT: ssl::certHasExpired ssl_error X509_V_ERR_CERT_HAS_EXPIRED
+DEFAULT: ssl::certNotYetValid ssl_error X509_V_ERR_CERT_NOT_YET_VALID
+DEFAULT: ssl::certDomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
+DEFAULT: ssl::certUntrusted ssl_error X509_V_ERR_INVALID_CA X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY X509_V_ERR_CERT_UNTRUSTED
+DEFAULT: ssl::certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+ENDIF
DEFAULT: all src all
DEFAULT: manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
DEFAULT: localhost src 127.0.0.1/32 ::1
acl aclname url_regex [-i] ^http:// ...
# regex matching on whole URL [fast]
+ acl aclname urllogin [-i] [^a-zA-Z0-9] ...
+ # regex matching on URL login field
acl aclname urlpath_regex [-i] \.gif$ ...
# regex matching on URL path [fast]
# effect in rules that affect the reply data stream such as
# http_reply_access.
+IF USE_SSL
+ acl aclname ssl_error errorname
+ # match against SSL certificate validation error [fast]
+ #
+ # For valid error names see in @DEFAULT_ERROR_DIR@/templates/error-details.txt
+ # template file.
+ #
+ # The following can be used as shortcuts for certificate properties:
+ # [ssl::]certHasExpired: the "not after" field is in the past
+ # [ssl::]certNotYetValid: the "not before" field is in the future
+ # [ssl::]certUntrusted: The certificate issuer is not to be trusted.
+ # [ssl::]certSelfSigned: The certificate is self signed.
+ # [ssl::]certDomainMismatch: The certificate CN domain does not
+ # match the name the name of the host we are connecting to.
+ #
+ # The ssl::certHasExpired, ssl::certNotYetValid, ssl::certDomainMismatch,
+ # ssl::certUntrusted, and ssl::certSelfSigned can also be used as
+ # predefined ACLs, just like the 'all' ACL.
+ #
+ # NOTE: The ssl_error ACL is only supported with sslproxy_cert_error,
+ # sslproxy_cert_sign, and sslproxy_cert_adapt options.
+
+ acl aclname server_cert_fingerprint [-sha1] fingerprint
+ # match against server SSL certificate fingerprint [fast]
+ #
+ # The fingerprint is the digest of the DER encoded version
+ # of the whole certificate. The user should use the form: XX:XX:...
+ # Optional argument specifies the digest algorithm to use.
+ # The SHA1 digest algorithm is the default and is currently
+ # the only algorithm supported (-sha1).
+ENDIF
+
Examples:
acl macaddress arp 09:00:2b:23:45:67
acl myexample dst_as 1241
COMMENT_END
NAME: http_port ascii_port
-TYPE: http_port_list
+TYPE: PortCfg
DEFAULT: none
LOC: Config.Sockaddr.http
DOC_START
accel Accelerator / reverse proxy mode
- ssl-bump Intercept each CONNECT request matching ssl_bump ACL,
+ ssl-bump For each CONNECT request allowed by ssl_bump ACLs,
establish secure connection with the client and with
- the server, decrypt HTTP messages as they pass through
+ the server, decrypt HTTPS messages as they pass through
Squid, and treat them as unencrypted HTTP messages,
becoming the man-in-the-middle.
The ssl_bump option is required to fully enable
- the SslBump feature.
+ bumping of CONNECT requests.
Omitting the mode flag causes default forward proxy mode to be used.
dynamic_cert_mem_cache_size=SIZE
Approximate total RAM size spent on cached generated
certificates. If set to zero, caching is disabled. The
- default value is 4MB. An average XXX-bit certificate
- consumes about XXX bytes of RAM.
+ default value is 4MB.
TLS / SSL Options:
1 automatic (default)
2 SSLv2 only
3 SSLv3 only
- 4 TLSv1 only
+ 4 TLSv1.0 only
+ 5 TLSv1.1 only
+ 6 TLSv1.2 only
cipher= Colon separated list of supported ciphers.
NOTE: some ciphers such as EDH ciphers depend on
options= Various SSL implementation options. The most important
being:
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1
+ NO_SSLv2 Disallow the use of SSLv2
+ NO_SSLv3 Disallow the use of SSLv3
+ NO_TLSv1 Disallow the use of TLSv1.0
+ NO_TLSv1_1 Disallow the use of TLSv1.1
+ NO_TLSv1_2 Disallow the use of TLSv1.2
SINGLE_DH_USE Always create a new key when using
temporary/ephemeral DH key exchanges
ALL Enable various bug workarounds
NAME: https_port
IFDEF: USE_SSL
-TYPE: https_port_list
+TYPE: PortCfg
DEFAULT: none
LOC: Config.Sockaddr.https
DOC_START
You may specify multiple socket addresses on multiple lines,
each with their own SSL certificate and/or options.
+ Modes:
+
+ accel Accelerator / reverse proxy mode
+
+ intercept Support for IP-Layer interception of
+ outgoing requests without browser settings.
+ NP: disables authentication and IPv6 on the port.
+
+ tproxy Support Linux TPROXY for spoofing outgoing
+ connections using the client IP address.
+ NP: disables authentication and maybe IPv6 on the port.
+
+ ssl-bump For each intercepted connection allowed by ssl_bump
+ ACLs, establish a secure connection with the client and with
+ the server, decrypt HTTPS messages as they pass through
+ Squid, and treat them as unencrypted HTTP messages,
+ becoming the man-in-the-middle.
+
+ An "ssl_bump server-first" match is required to
+ fully enable bumping of intercepted SSL connections.
+
+ Requires tproxy or intercept.
+
+ Omitting the mode flag causes default forward proxy mode to be used.
+
+
+ See http_port for a list of generic options
+
+
+ SSL Options:
+
+ cert= Path to SSL certificate (PEM format).
+
+ key= Path to SSL private key file (PEM format)
+ if not specified, the certificate file is
+ assumed to be a combined certificate and
+ key file.
+
+ version= The version of SSL/TLS supported
+ 1 automatic (default)
+ 2 SSLv2 only
+ 3 SSLv3 only
+ 4 TLSv1 only
+
+ cipher= Colon separated list of supported ciphers.
+
+ options= Various SSL engine options. The most important
+ being:
+ NO_SSLv2 Disallow the use of SSLv2
+ NO_SSLv3 Disallow the use of SSLv3
+ NO_TLSv1 Disallow the use of TLSv1
+ SINGLE_DH_USE Always create a new key when using
+ temporary/ephemeral DH key exchanges
+ See src/ssl_support.c or OpenSSL SSL_CTX_set_options
+ documentation for a complete list of options.
+
+ clientca= File containing the list of CAs to use when
+ requesting a client certificate.
+
+ cafile= File containing additional CA certificates to
+ use when verifying client certificates. If unset
+ clientca will be used.
+
+ capath= Directory containing additional CA certificates
+ and CRL lists to use when verifying client certificates.
+
+ crlfile= File of additional CRL lists to use when verifying
+ the client certificate, in addition to CRLs stored in
+ the capath. Implies VERIFY_CRL flag below.
+
+ dhparams= File containing DH parameters for temporary/ephemeral
+ DH key exchanges.
+
+ sslflags= Various flags modifying the use of SSL:
+ DELAYED_AUTH
+ Don't request client certificates
+ immediately, but wait until acl processing
+ requires a certificate (not yet implemented).
+ NO_DEFAULT_CA
+ Don't use the default CA lists built in
+ to OpenSSL.
+ NO_SESSION_REUSE
+ Don't allow for session reuse. Each connection
+ will result in a new SSL session.
+ VERIFY_CRL
+ Verify CRL lists when accepting client
+ certificates.
+ VERIFY_CRL_ALL
+ Verify CRL lists for all certificates in the
+ client certificate chain.
+
+ sslcontext= SSL session ID context identifier.
+
+ generate-host-certificates[=<on|off>]
+ Dynamically create SSL server certificates for the
+ destination hosts of bumped SSL requests.When
+ enabled, the cert and key options are used to sign
+ generated certificates. Otherwise generated
+ certificate will be selfsigned.
+ If there is CA certificate life time of generated
+ certificate equals lifetime of CA certificate. If
+ generated certificate is selfsigned lifetime is three
+ years.
+ This option is enabled by default when SslBump is used.
+ See the sslBump option above for more information.
+
+ dynamic_cert_mem_cache_size=SIZE
+ Approximate total RAM size spent on cached generated
+ certificates. If set to zero, caching is disabled. The
+ default value is 4MB.
+
See http_port for a list of available options.
DOC_END
DOC_START
Regardless of this option setting, when dealing with intercepted
traffic, Squid always verifies that the destination IP address matches
- the Host header domain or IP (called 'authority form URL'). Squid
- responds with an HTTP 409 (Conflict) error page and logs a security
- warning if there is no match.
-
- When set to ON, Squid verifies that the destination IP address matches
- the Host header for forward-proxy and reverse-proxy traffic as well. For
- those traffic types, Squid also enables the following checks, comparing
- the corresponding Host header and Request-URI components:
-
- * The host names (domain or IP) must be identical,
- but valueless or missing Host header disables all checks.
- For the two host names to match, both must be either IP or FQDN.
-
- * Port numbers must be identical,
- but if a port is missing, the scheme-default port is assumed.
+ the Host header domain or IP (called 'authority form URL').
This enforcement is performed to satisfy a MUST-level requirement in
RFC 2616 section 14.23: "The Host field value MUST represent the naming
authority of the origin server or gateway given by the original URL".
-DOC_END
-
-NAME: client_dst_passthru
-TYPE: onoff
-DEFAULT: on
-LOC: Config.onoff.client_dst_passthru
-DOC_START
- With NAT or TPROXY intercepted traffic Squid may pass the request
- directly to the original client destination IP or seek a faster
- source.
- This option (on by default) prevents cache_peer and alternative DNS
- entries being used on intercepted traffic. Both of which lead to
- the security vulnerability outlined below.
+ When set to ON:
+ Squid always responds with an HTTP 409 (Conflict) error
+ page and logs a security warning if there is no match.
+
+ Squid verifies that the destination IP address matches
+ the Host header for forward-proxy and reverse-proxy traffic
+ as well. For those traffic types, Squid also enables the
+ following checks, comparing the corresponding Host header
+ and Request-URI components:
+
+ * The host names (domain or IP) must be identical,
+ but valueless or missing Host header disables all checks.
+ For the two host names to match, both must be either IP
+ or FQDN.
+
+ * Port numbers must be identical, but if a port is missing
+ the scheme-default port is assumed.
+
+
+ When set to OFF (the default):
+ Squid allows suspicious requests to continue but logs a
+ security warning and blocks caching of the response.
+
+ * Forward-proxy traffic is not checked at all.
+
+ * Reverse-proxy traffic is not checked at all.
+
+ * Intercepted traffic which passes verification is handled
+ according to client_dst_passthru.
- SECURITY WARNING:
+ * Intercepted requests which fail verification are sent
+ to the client original destination instead of DIRECT.
+ This overrides 'client_dst_passthru off'.
- This directive should only be disabled if cache_peer are required.
+ For now suspicious intercepted CONNECT requests are always
+ responded to with an HTTP 409 (Conflict) error page.
+
+
+ SECURITY NOTE:
As described in CVE-2009-0801 when the Host: header alone is used
to determine the destination of a request it becomes trivial for
sandbox only verifies that the applet tries to contact the same IP
as from where it was loaded at the IP level. The Host: header may
be different from the connected IP and approved origin.
+
+DOC_END
+NAME: client_dst_passthru
+TYPE: onoff
+DEFAULT: on
+LOC: Config.onoff.client_dst_passthru
+DOC_START
+ With NAT or TPROXY intercepted traffic Squid may pass the request
+ directly to the original client destination IP or seek a faster
+ source using the HTTP Host header.
+
+ Using Host to locate alternative servers can provide faster
+ connectivity with a range of failure recovery options.
+ But can also lead to connectivity trouble when the client and
+ server are attempting stateful interactions unaware of the proxy.
+
+ This option (on by default) prevents alternative DNS entries being
+ located to send intercepted traffic DIRECT to an origin server.
+ The clients original destination IP and port will be used instead.
+
+ Regardless of this option setting, when dealing with intercepted
+ traffic Squid will verify the Host: header and any traffic which
+ fails Host verification will be treated as if this option were ON.
+
+ see host_verify_strict for details on the verification process.
DOC_END
COMMENT_START
TYPE: int
DOC_START
SSL version level to use when proxying https:// URLs
+
+ The versions of SSL/TLS supported:
+
+ 1 automatic (default)
+ 2 SSLv2 only
+ 3 SSLv3 only
+ 4 TLSv1.0 only
+ 5 TLSv1.1 only
+ 6 TLSv1.2 only
DOC_END
NAME: sslproxy_options
The most important being:
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1
+ NO_SSLv2 Disallow the use of SSLv2
+ NO_SSLv3 Disallow the use of SSLv3
+ NO_TLSv1 Disallow the use of TLSv1.0
+ NO_TLSv1_1 Disallow the use of TLSv1.1
+ NO_TLSv1_2 Disallow the use of TLSv1.2
SINGLE_DH_USE
Always create a new key when using temporary/ephemeral
DH key exchanges
NAME: ssl_bump
IFDEF: USE_SSL
-TYPE: acl_access
+TYPE: sslproxy_ssl_bump
LOC: Config.accessList.ssl_bump
DEFAULT: none
DOC_START
- This ACL controls which CONNECT requests to an http_port
- marked with an sslBump flag are actually "bumped". Please
- see the sslBump flag of an http_port option for more details
- about decoding proxied SSL connections.
+ This option is consulted when a CONNECT request is received on
+ an http_port (or a new connection is intercepted at an
+ https_port), provided that port was configured with an ssl-bump
+ flag. The subsequent data on the connection is either treated as
+ HTTPS and decrypted OR tunneled at TCP level without decryption,
+ depending on the first bumping "mode" which ACLs match.
+
+ ssl_bump <mode> [!]acl ...
+
+ The following bumping modes are supported:
- By default, no requests are bumped.
+ client-first
+ Allow bumping of the connection. Establish a secure connection
+ with the client first, then connect to the server. This old mode
+ does not allow Squid to mimic server SSL certificate and does
+ not work with intercepted SSL connections.
+
+ server-first
+ Allow bumping of the connection. Establish a secure connection
+ with the server first, then establish a secure connection with
+ the client, using a mimicked server certificate. Works with both
+ CONNECT requests and intercepted SSL connections.
+
+ none
+ Become a TCP tunnel without decoding the connection.
+ Works with both CONNECT requests and intercepted SSL
+ connections. This is the default behavior when no
+ ssl_bump option is given or no ssl_bump ACLs match.
+
+ By default, no connections are bumped.
+
+ The first matching ssl_bump option wins. If no ACLs match, the
+ connection is not bumped. Unlike most allow/deny ACL lists, ssl_bump
+ does not have an implicit "negate the last given option" rule. You
+ must make that rule explicit if you convert old ssl_bump allow/deny
+ rules that rely on such an implicit rule.
- See also: http_port ssl-bump
-
This clause supports both fast and slow acl types.
See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+ See also: http_port ssl-bump, https_port ssl-bump
- # Example: Bump all requests except those originating from localhost and
- # those going to webax.com or example.com sites.
- acl localhost src 127.0.0.1/32
- acl broken_sites dstdomain .webax.com
+ # Example: Bump all requests except those originating from
+ # localhost and those going to example.com.
+
acl broken_sites dstdomain .example.com
- ssl_bump deny localhost
- ssl_bump deny broken_sites
- ssl_bump allow all
+ ssl_bump none localhost
+ ssl_bump none broken_sites
+ ssl_bump server-first all
DOC_END
NAME: sslproxy_flags
Use this ACL to bypass server certificate validation errors.
For example, the following lines will bypass all validation errors
- when talking to servers located at 172.16.0.0/16. All other
+ when talking to servers for example.com. All other
validation errors will result in ERR_SECURE_CONNECT_FAIL error.
- acl BrokenServersAtTrustedIP dst 172.16.0.0/16
- sslproxy_cert_error allow BrokenServersAtTrustedIP
+ acl BrokenButTrustedServers dstdomain example.com
+ sslproxy_cert_error allow BrokenButTrustedServers
sslproxy_cert_error deny all
This clause only supports fast acl types.
Default setting: sslproxy_cert_error deny all
DOC_END
+NAME: sslproxy_cert_sign
+IFDEF: USE_SSL
+DEFAULT: none
+POSTSCRIPTUM: signUntrusted ssl::certUntrusted
+POSTSCRIPTUM: signSelf ssl::certSelfSigned
+POSTSCRIPTUM: signTrusted all
+TYPE: sslproxy_cert_sign
+LOC: Config.ssl_client.cert_sign
+DOC_START
+
+ sslproxy_cert_sign <signing algorithm> acl ...
+
+ The following certificate signing algorithms are supported:
+ signTrusted
+ Sign using the configured CA certificate which is usually
+ placed in and trusted by end-user browsers. This is the
+ default for trusted origin server certificates.
+ signUntrusted
+ Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
+ This is the default for untrusted origin server certificates
+ that are not self-signed (see ssl::certUntrusted).
+ signSelf
+ Sign using a self-signed certificate with the right CN to
+ generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
+ browser. This is the default for self-signed origin server
+ certificates (see ssl::certSelfSigned).
+
+ This clause only supports fast acl types.
+
+ When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
+ signing algorithm to generate the certificate and ignores all
+ subsequent sslproxy_cert_sign options (the first match wins). If no
+ acl(s) match, the default signing algorithm is determined by errors
+ detected when obtaining and validating the origin server certificate.
+
+ WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
+ be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
+ CONNECT request that carries a domain name. In all other cases (CONNECT
+ to an IP address or an intercepted SSL connection), Squid cannot detect
+ the domain mismatch at certificate generation time when
+ bump-server-first is used.
+DOC_END
+
+NAME: sslproxy_cert_adapt
+IFDEF: USE_SSL
+DEFAULT: none
+TYPE: sslproxy_cert_adapt
+LOC: Config.ssl_client.cert_adapt
+DOC_START
+
+ sslproxy_cert_adapt <adaptation algorithm> acl ...
+
+ The following certificate adaptation algorithms are supported:
+ setValidAfter
+ Sets the "Not After" property to the "Not After" property of
+ the CA certificate used to sign generated certificates.
+ setValidBefore
+ Sets the "Not Before" property to the "Not Before" property of
+ the CA certificate used to sign generated certificates.
+ setCommonName or setCommonName{CN}
+ Sets Subject.CN property to the host name specified as a
+ CN parameter or, if no explicit CN parameter was specified,
+ extracted from the CONNECT request. It is a misconfiguration
+ to use setCommonName without an explicit parameter for
+ intercepted or tproxied SSL connections.
+
+ This clause only supports fast acl types.
+
+ Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
+ Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
+ corresponding adaptation algorithm to generate the certificate and
+ ignores all subsequent sslproxy_cert_adapt options in that algorithm's
+ group (i.e., the first match wins within each algorithm group). If no
+ acl(s) match, the default mimicking action takes place.
+
+ WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
+ be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
+ CONNECT request that carries a domain name. In all other cases (CONNECT
+ to an IP address or an intercepted SSL connection), Squid cannot detect
+ the domain mismatch at certificate generation time when
+ bump-server-first is used.
+DOC_END
+
NAME: sslpassword_program
IFDEF: USE_SSL
DEFAULT: none
You must have at least one ssl_crtd process.
DOC_END
+NAME: sslcrtvalidator_program
+TYPE: eol
+IFDEF: USE_SSL
+DEFAULT: none
+LOC: Ssl::TheConfig.ssl_crt_validator
+DOC_START
+ Specify the location and options of the executable for ssl_crt_validator
+ process. Usage:
+ sslcrtvalidator_program [ttl=n] [cache=n] path ...
+
+ Options:
+ ttl=n TTL in seconds for cached results.The default is 60 secs
+ cache=n limit the result cache size. The default value is 2048
+DOC_END
+
+NAME: sslcrtvalidator_children
+TYPE: HelperChildConfig
+IFDEF: USE_SSL
+DEFAULT: 32 startup=5 idle=1 concurrency=1
+LOC: Ssl::TheConfig.ssl_crt_validator_Children
+DOC_START
+ The maximum number of processes spawn to service ssl server.
+ The maximum this may be safely set to is 32.
+
+ The startup= and idle= options allow some measure of skew in your
+ tuning.
+
+ startup=N
+
+ Sets the minimum number of processes to spawn when Squid
+ starts or reconfigures. When set to zero the first request will
+ cause spawning of the first child process to handle it.
+
+ Starting too few children temporary slows Squid under load while it
+ tries to spawn enough additional processes to cope with traffic.
+
+ idle=N
+
+ Sets a minimum of how many processes Squid is to try and keep available
+ at all times. When traffic begins to rise above what the existing
+ processes can handle this many more will be spawned up to the maximum
+ configured. A minimum setting of 1 is required.
+
+ concurrency=
+
+ The number of requests each certificate validator helper can handle in
+ parallel. Defaults to 0 which indicates the certficate validator
+ is a old-style single threaded redirector.
+
+ When this directive is set to a value >= 1 then the protocol
+ used to communicate with the helper is modified to include
+ a request ID in front of the request/response. The request
+ ID from the request must be echoed back with the response
+ to that request.
+
+ You must have at least one ssl_crt_validator process.
+DOC_END
+
COMMENT_START
OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
-----------------------------------------------------------------------------
reference a combined file containing both the
certificate and the key.
- sslversion=1|2|3|4
+ sslversion=1|2|3|4|5|6
The SSL version to use when connecting to this peer
1 = automatic (default)
2 = SSL v2 only
3 = SSL v3 only
- 4 = TLS v1 only
+ 4 = TLS v1.0 only
+ 5 = TLS v1.1 only
+ 6 = TLS v1.2 only
sslcipher=... The list of valid SSL ciphers to use when connecting
to this peer.
ssloptions=... Specify various SSL implementation options:
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1
+ NO_SSLv2 Disallow the use of SSLv2
+ NO_SSLv3 Disallow the use of SSLv3
+ NO_TLSv1 Disallow the use of TLSv1.0
+ NO_TLSv1_1 Disallow the use of TLSv1.1
+ NO_TLSv1_2 Disallow the use of TLSv1.2
SINGLE_DH_USE
Always create a new key when using
temporary/ephemeral DH key exchanges
err_code The ID of an error response served by Squid or
a similar internal error identifier.
err_detail Additional err_code-dependent error information.
+ note The meta header specified by the argument. Also
+ logs the adaptation meta headers set by the
+ adaptation_meta configuration parameter.
+ If no argument given all meta headers logged.
Connection related format codes:
Ss Squid request status (TCP_MISS etc)
Sh Squid hierarchy status (DEFAULT_PARENT etc)
+ SSL-related format codes:
+
+ ssl::bump_mode SslBump decision for the transaction:
+
+ For CONNECT requests that initiated bumping of
+ a connection and for any request received on
+ an already bumped connection, Squid logs the
+ corresponding SslBump mode ("server-first" or
+ "client-first"). See the ssl_bump option for
+ more information about these modes.
+
+ A "none" token is logged for requests that
+ triggered "ssl_bump" ACL evaluation matching
+ either a "none" rule or no rules at all.
+
+ In all other cases, a single dash ("-") is
+ logged.
+
If ICAP is enabled, the following code becomes available (as
well as ICAP log codes documented with the icap_log option):
service name in curly braces to record response time(s) specific
to that service. For example: %{my_service}adapt::sum_trs
+ If SSL is enabled, the following formating codes become available:
+
+ %ssl::>cert_subject The Subject field of the received client
+ SSL certificate or a dash ('-') if Squid has
+ received an invalid/malformed certificate or
+ no certificate at all. Consider encoding the
+ logged value because Subject often has spaces.
+
+ %ssl::>cert_issuer The Issuer field of the received client
+ SSL certificate or a dash ('-') if Squid has
+ received an invalid/malformed certificate or
+ no certificate at all. Consider encoding the
+ logged value because Issuer often has spaces.
+
The default formats available (which do not need re-defining) are:
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
DOC_START
Logs the activities of the storage manager. Shows which
objects are ejected from the cache, and which objects are
- saved and for how long. To disable, enter "none" or remove the line.
+ saved and for how long.
There are not really utilities to analyze this data, so you can safely
- disable it.
-
+ disable it (the default).
+
+ Store log uses modular logging outputs. See access_log for the list
+ of modules supported.
+
Example:
- cache_store_log @DEFAULT_STORE_LOG@
+ cache_store_log stdio:@DEFAULT_STORE_LOG@
+ cache_store_log daemon:@DEFAULT_STORE_LOG@
DOC_END
NAME: cache_swap_state cache_swap_log
For each requested URL, the rewriter will receive on line with the format
- URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
+ [channel-ID <SP>] URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kv-pairs]<NL>
+
+
+ After processing the request the helper must reply using the following format:
+
+ [channel-ID <SP>] result [<SP> kv-pairs]
+
+ The result code can be:
- In the future, the rewriter interface will be extended with
- key=value pairs ("kvpairs" shown above). Rewriter programs
+ OK status=30N url="..."
+ Redirect the URL to the one supplied in 'url='.
+ 'status=' is optional and contains the status code to send
+ the client in Squids HTTP response. It must be one of the
+ HTTP redirect status codes: 301, 302, 303, 307, 308.
+ When no status is given Squid will use 302.
+
+ OK rewrite-url="..."
+ Rewrite the URL to the one supplied in 'rewrite-url='.
+ The new URL is fetched directly by Squid and returned to
+ the client as the response to its request.
+
+ ERR
+ Do not change the URL.
+
+ BH
+ An internal error occurred in the helper, preventing
+ a result being identified.
+
+
+ In the future, the interface protocol will be extended with
+ key=value pairs ("kv-pairs" shown above). Helper programs
should be prepared to receive and possibly ignore additional
whitespace-separated tokens on each input line.
- And the rewriter may return a rewritten URL. The other components of
- the request line does not need to be returned (ignored if they are).
+ When using the concurrency= option the protocol is changed by
+ introducing a query channel tag in front of the request/response.
+ The query channel tag is a number between 0 and concurrency-1.
+ This value must be echoed back unchanged to Squid as the first part
+ of the response relating to its request.
+
+ WARNING: URL re-writing ability should be avoided whenever possible.
+ Use the URL redirect form of response instead.
- The rewriter can also indicate that a client-side redirect should
- be performed to the new URL. This is done by prefixing the returned
- URL with "301:" (moved permanently) or 302: (moved temporarily), etc.
+ Re-write creates a difference in the state held by the client
+ and server. Possibly causing confusion when the server response
+ contains snippets of its view state. Embeded URLs, response
+ and content Location headers, etc. are not re-written by this
+ interface.
By default, a URL rewriter is not used.
DOC_END
When this directive is set to a value >= 1 then the protocol
used to communicate with the helper is modified to include
- a request ID in front of the request/response. The request
- ID from the request must be echoed back with the response
- to that request.
+ an ID in front of the request/response. The ID from the request
+ must be echoed back with the response to that request.
DOC_END
NAME: url_rewrite_host_header redirect_rewrites_host_header
be allowed to request.
DOC_END
+COMMENT_START
+ OPTIONS FOR STORE ID
+ -----------------------------------------------------------------------------
+COMMENT_END
+
+NAME: store_id_program storeurl_rewrite_program
+TYPE: wordlist
+LOC: Config.Program.store_id
+DEFAULT: none
+DOC_START
+ Specify the location of the executable StoreID helper to use.
+ Since they can perform almost any function there isn't one included.
+
+ For each requested URL, the helper will receive one line with the format
+
+ [channel-ID <SP>] URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kv-pairs]<NL>
+
+
+ After processing the request the helper must reply using the following format:
+
+ [channel-ID <SP>] result [<SP> kv-pairs]
+
+ The result code can be:
+
+ OK store-id="..."
+ Use the StoreID supplied in 'store-id='.
+
+ ERR
+ The default is to use HTTP request URL as the store ID.
+
+ BH
+ An internal error occured in the helper, preventing
+ a result being identified.
+
+
+ Helper programs should be prepared to receive and possibly ignore additional
+ kv-pairs with keys they do not support.
+
+ When using the concurrency= option the protocol is changed by
+ introducing a query channel tag in front of the request/response.
+ The query channel tag is a number between 0 and concurrency-1.
+ This value must be echoed back unchanged to Squid as the first part
+ of the response relating to its request.
+
+ NOTE: when using StoreID refresh_pattern will apply to the StoreID
+ returned from the helper and not the URL.
+
+ WARNING: Wrong StoreID value returned by a careless helper may result
+ in the wrong cached response returned to the user.
+
+ By default, a StoreID helper is not used.
+DOC_END
+
+NAME: store_id_children storeurl_rewrite_children
+TYPE: HelperChildConfig
+DEFAULT: 20 startup=0 idle=1 concurrency=0
+LOC: Config.storeIdChildren
+DOC_START
+ The maximum number of StoreID helper processes to spawn. If you limit
+ it too few Squid will have to wait for them to process a backlog of
+ requests, slowing it down. If you allow too many they will use RAM
+ and other system resources noticably.
+
+ The startup= and idle= options allow some measure of skew in your
+ tuning.
+
+ startup=
+
+ Sets a minimum of how many processes are to be spawned when Squid
+ starts or reconfigures. When set to zero the first request will
+ cause spawning of the first child process to handle it.
+
+ Starting too few will cause an initial slowdown in traffic as Squid
+ attempts to simultaneously spawn enough processes to cope.
+
+ idle=
+
+ Sets a minimum of how many processes Squid is to try and keep available
+ at all times. When traffic begins to rise above what the existing
+ processes can handle this many more will be spawned up to the maximum
+ configured. A minimum setting of 1 is required.
+
+ concurrency=
+
+ The number of requests each storeID helper can handle in
+ parallel. Defaults to 0 which indicates the helper
+ is a old-style single threaded program.
+
+ When this directive is set to a value >= 1 then the protocol
+ used to communicate with the helper is modified to include
+ an ID in front of the request/response. The ID from the request
+ must be echoed back with the response to that request.
+DOC_END
+
+NAME: store_id_access storeurl_rewrite_access
+TYPE: acl_access
+DEFAULT: none
+LOC: Config.accessList.store_id
+DOC_START
+ If defined, this access list specifies which requests are
+ sent to the StoreID processes. By default all requests
+ are sent.
+
+ This clause supports both fast and slow acl types.
+ See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+DOC_END
+
+NAME: store_id_bypass storeurl_rewrite_bypass
+TYPE: onoff
+LOC: Config.onoff.store_id_bypass
+DEFAULT: on
+DOC_START
+ When this is 'on', a request will not go through the
+ helper if all helpers are busy. If this is 'off'
+ and the helper queue grows too large, Squid will exit
+ with a FATAL error and ask you to increase the number of
+ helpers. You should only enable this if the helperss
+ are not critical to your caching system. If you use
+ helpers for critical caching components, and you enable this
+ option, users may not get objects from cache.
+DOC_END
+
COMMENT_START
OPTIONS FOR TUNING THE CACHE
-----------------------------------------------------------------------------
override-lastmod
reload-into-ims
ignore-reload
- ignore-no-cache
ignore-no-store
ignore-must-revalidate
ignore-private
this feature could make you liable for problems which
it causes.
- ignore-no-cache ignores any ``Pragma: no-cache'' and
- ``Cache-control: no-cache'' headers received from a server.
- The HTTP RFC never allows the use of this (Pragma) header
- from a server, only a client, though plenty of servers
- send it anyway.
-
ignore-no-store ignores any ``Cache-control: no-store''
headers received from a server. Doing this VIOLATES
the HTTP standard. Enabling this feature could make you
NAME: request_header_access
IFDEF: USE_HTTP_VIOLATIONS
-TYPE: http_header_access[]
+TYPE: http_header_access
LOC: Config.request_header_access
DEFAULT: none
DOC_START
This option replaces the old 'anonymize_headers' and the
older 'http_anonymizer' option with something that is much
- more configurable. This new method creates a list of ACLs
- for each header, allowing you very fine-tuned header
- mangling.
-
- This option only applies to request headers, i.e., from the
- client to the server.
-
- You can only specify known headers for the header name.
- Other headers are reclassified as 'Other'. You can also
- refer to all the headers with 'All'.
+ more configurable. A list of ACLs for each header name allows
+ removal of specific header fields under specific conditions.
+
+ This option only applies to outgoing HTTP request headers (i.e.,
+ headers sent by Squid to the next HTTP hop such as a cache peer
+ or an origin server). The option has no effect during cache hit
+ detection. The equivalent adaptation vectoring point in ICAP
+ terminology is post-cache REQMOD.
+
+ The option is applied to individual outgoing request header
+ fields. For each request header field F, Squid uses the first
+ qualifying sets of request_header_access rules:
+
+ 1. Rules with header_name equal to F's name.
+ 2. Rules with header_name 'Other', provided F's name is not
+ on the hard-coded list of commonly used HTTP header names.
+ 3. Rules with header_name 'All'.
+
+ Within that qualifying rule set, rule ACLs are checked as usual.
+ If ACLs of an "allow" rule match, the header field is allowed to
+ go through as is. If ACLs of a "deny" rule match, the header is
+ removed and request_header_replace is then checked to identify
+ if the removed header has a replacement. If no rules within the
+ set have matching ACLs, the header field is left as is.
For example, to achieve the same behavior as the old
'http_anonymizer standard' option, you should use:
NAME: reply_header_access
IFDEF: USE_HTTP_VIOLATIONS
-TYPE: http_header_access[]
+TYPE: http_header_access
LOC: Config.reply_header_access
DEFAULT: none
DOC_START
server to the client.
This is the same as request_header_access, but in the other
- direction.
-
- This option replaces the old 'anonymize_headers' and the
- older 'http_anonymizer' option with something that is much
- more configurable. This new method creates a list of ACLs
- for each header, allowing you very fine-tuned header
- mangling.
-
- You can only specify known headers for the header name.
- Other headers are reclassified as 'Other'. You can also
- refer to all the headers with 'All'.
+ direction. Please see request_header_access for detailed
+ documentation.
For example, to achieve the same behavior as the old
'http_anonymizer standard' option, you should use:
NAME: request_header_replace header_replace
IFDEF: USE_HTTP_VIOLATIONS
-TYPE: http_header_replace[]
+TYPE: http_header_replace
LOC: Config.request_header_access
DEFAULT: none
DOC_START
NAME: reply_header_replace
IFDEF: USE_HTTP_VIOLATIONS
-TYPE: http_header_replace[]
+TYPE: http_header_replace
LOC: Config.reply_header_access
DEFAULT: none
DOC_START
By default, headers are removed if denied.
DOC_END
+NAME: request_header_add
+TYPE: HeaderWithAclList
+LOC: Config.request_header_add
+DEFAULT: none
+DOC_START
+ Usage: request_header_add field-name field-value acl1 [acl2] ...
+ Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
+
+ This option adds header fields to outgoing HTTP requests (i.e.,
+ request headers sent by Squid to the next HTTP hop such as a
+ cache peer or an origin server). The option has no effect during
+ cache hit detection. The equivalent adaptation vectoring point
+ in ICAP terminology is post-cache REQMOD.
+
+ Field-name is a token specifying an HTTP header name. If a
+ standard HTTP header name is used, Squid does not check whether
+ the new header conflicts with any existing headers or violates
+ HTTP rules. If the request to be modified already contains a
+ field with the same name, the old field is preserved but the
+ header field values are not merged.
+
+ Field-value is either a token or a quoted string. If quoted
+ string format is used, then the surrounding quotes are removed
+ while escape sequences and %macros are processed.
+
+ In theory, all of the logformat codes can be used as %macros.
+ However, unlike logging (which happens at the very end of
+ transaction lifetime), the transaction may not yet have enough
+ information to expand a macro when the new header value is needed.
+ And some information may already be available to Squid but not yet
+ committed where the macro expansion code can access it (report
+ such instances!). The macro will be expanded into a single dash
+ ('-') in such cases. Not all macros have been tested.
+
+ One or more Squid ACLs may be specified to restrict header
+ injection to matching requests. As always in squid.conf, all
+ ACLs in an option ACL list must be satisfied for the insertion
+ to happen. The request_header_add option supports fast ACLs
+ only.
+DOC_END
+
+NAME: note
+TYPE: note
+LOC: Config.notes
+DEFAULT: none
+DOC_START
+ This option used to log custom information about the master
+ transaction. For example, an admin may configure Squid to log
+ which "user group" the transaction belongs to, where "user group"
+ will be determined based on a set of ACLs and not [just]
+ authentication information.
+ Values of key/value pairs can be logged using %{key}note macros:
+
+ note key value acl ...
+ logformat myFormat ... %{key}note ...
+DOC_END
+
NAME: relaxed_header_parser
COMMENT: on|off|warn
TYPE: tristate
LOC: Config.Timeout.request
DEFAULT: 5 minutes
DOC_START
- How long to wait for an HTTP request after initial
+ How long to wait for complete HTTP request headers after initial
connection establishment.
DOC_END
-----------------------------------------------------------------------------
COMMENT_END
-NAME: incoming_icp_average
+NAME: incoming_udp_average incoming_icp_average
TYPE: int
DEFAULT: 6
-LOC: Config.comm_incoming.icp_average
-DOC_NONE
+LOC: Config.comm_incoming.udp.average
+DOC_START
+ Heavy voodoo here. I can't even believe you are reading this.
+ Are you crazy? Don't even think about adjusting these unless
+ you understand the algorithms in comm_select.c first!
+DOC_END
-NAME: incoming_http_average
+NAME: incoming_tcp_average incoming_http_average
TYPE: int
DEFAULT: 4
-LOC: Config.comm_incoming.http_average
-DOC_NONE
+LOC: Config.comm_incoming.tcp.average
+DOC_START
+ Heavy voodoo here. I can't even believe you are reading this.
+ Are you crazy? Don't even think about adjusting these unless
+ you understand the algorithms in comm_select.c first!
+DOC_END
NAME: incoming_dns_average
TYPE: int
DEFAULT: 4
-LOC: Config.comm_incoming.dns_average
-DOC_NONE
+LOC: Config.comm_incoming.dns.average
+DOC_START
+ Heavy voodoo here. I can't even believe you are reading this.
+ Are you crazy? Don't even think about adjusting these unless
+ you understand the algorithms in comm_select.c first!
+DOC_END
-NAME: min_icp_poll_cnt
+NAME: min_udp_poll_cnt min_icp_poll_cnt
TYPE: int
DEFAULT: 8
-LOC: Config.comm_incoming.icp_min_poll
-DOC_NONE
+LOC: Config.comm_incoming.udp.min_poll
+DOC_START
+ Heavy voodoo here. I can't even believe you are reading this.
+ Are you crazy? Don't even think about adjusting these unless
+ you understand the algorithms in comm_select.c first!
+DOC_END
NAME: min_dns_poll_cnt
TYPE: int
DEFAULT: 8
-LOC: Config.comm_incoming.dns_min_poll
-DOC_NONE
+LOC: Config.comm_incoming.dns.min_poll
+DOC_START
+ Heavy voodoo here. I can't even believe you are reading this.
+ Are you crazy? Don't even think about adjusting these unless
+ you understand the algorithms in comm_select.c first!
+DOC_END
-NAME: min_http_poll_cnt
+NAME: min_tcp_poll_cnt min_http_poll_cnt
TYPE: int
DEFAULT: 8
-LOC: Config.comm_incoming.http_min_poll
+LOC: Config.comm_incoming.tcp.min_poll
DOC_START
Heavy voodoo here. I can't even believe you are reading this.
Are you crazy? Don't even think about adjusting these unless
DOC_END
NAME: adaptation_meta
-TYPE: adaptation_meta_type
+TYPE: note
IFDEF: USE_ADAPTATION
LOC: Adaptation::Config::metaHeaders
DEFAULT: none
any character, which is currently only useful for escaping backslashes
and double quotes. For example,
"this string has one backslash (\\) and two \"quotes\""
+
+ Used adaptation_meta header values may be logged via %note
+ logformat code. If multiple adaptation_meta headers with the same name
+ are used during master transaction lifetime, the header values are
+ logged in the order they were used and duplicate values are ignored
+ (only the first repeated value will be logged).
DOC_END
NAME: icap_retry
DOC_END
NAME: windows_ipaddrchangemonitor
-IFDEF: _SQUID_MSWIN_
+IFDEF: _SQUID_WINDOWS_
COMMENT: on|off
TYPE: onoff
DEFAULT: on
projects / thirdparty / squid.git / blobdiff