#
-# $Id: cf.data.pre,v 1.474 2007/09/27 16:15:23 rousskov Exp $
+# $Id: cf.data.pre,v 1.492 2007/12/29 18:20:22 hno Exp $
#
# SQUID Web Proxy Cache http://www.squid-cache.org/
# ----------------------------------------------------------
cached entry should be initiated without needing to
wait for a new reply. (default 0 for no grace period)
protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
+ ipv4 / ipv6 IP-mode used to communicate to this helper.
+ For compatability with older configurations and helpers
+ 'ipv4' is the default unless --with-localhost-ipv6 is used.
+ --with-localhost-ipv6 changes the default to 'ipv6'.
+ SPECIAL NOTE: these options override --with-localhost-ipv6
FORMAT specifications
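Review bot: "compatability" in the added ipv4 / ipv6 text should be "compatibility". The last two added lines also say nearly the same thing twice; one sentence stating that 'ipv4' is the default, that --with-localhost-ipv6 changes it to 'ipv6', and that an explicit ipv4 or ipv6 option on the helper line overrides the build-time choice would be easier to follow.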
NAME: acl
TYPE: acl
LOC: Config.aclList
-DEFAULT: none
+DEFAULT: all src all
DOC_START
Defining an Access List
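Review bot: 'DEFAULT: all src all' makes 'all' a predefined ACL, but the documentation text under DOC_START is not updated to say so. Add a sentence stating that 'all' is built in and matches every source, so that administrators carrying forward a squid.conf that still contains 'acl all src 0.0.0.0/0.0.0.0' (dropped from the recommended configuration later in this patch) know whether to delete the old line.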
NOCOMMENT_START
#Recommended minimum configuration:
-acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
-acl localhost src 127.0.0.1/255.255.255.255
+acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
+#
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
+acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+#
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
-# Example rule allowing access from your local networks. Adapt
-# to list your (internal) IP networks from where browsing should
-# be allowed
-#acl our_networks src 192.168.1.0/24 192.168.2.0/24
-#http_access allow our_networks
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+http_access allow localnet
# And finally deny all other access to this proxy
http_access deny all
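Review bot: 'http_access allow localnet' ships uncommented, whereas the lines it replaces ('#acl our_networks ...' and '#http_access allow our_networks') were commented out. Combined with the localnet ACL covering all of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, an unedited install now proxies for any RFC1918 source that can reach it, rather than denying everything until the administrator opts in. If that is the intended default, the comment should say outright that access is already open to those ranges and must be narrowed; otherwise keep the allow line commented as before.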
See http_access for details
NOCOMMENT_START
-#Allow ICP queries from everyone
-icp_access allow all
+#Allow ICP queries from local networks only
+icp_access allow localnet
+icp_access deny all
NOCOMMENT_END
DOC_END
See http_access for details
-#Allow HTCP queries from everyone
-htcp_access allow all
+ NOTE: The default if no htcp_access lines are present is to
+ deny all traffic. This default may cause problems with peers
+ using the htcp or htcp-oldsquid options.
+
+NOCOMMENT_START
+#Allow HTCP queries from local networks only
+htcp_access allow localnet
+htcp_access deny all
+NOCOMMENT_END
DOC_END
NAME: htcp_clr_access
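Review bot: the added NOTE warns that the deny-all default breaks peers using htcp or htcp-oldsquid, but the shipped lines below it only allow localnet, so a peer outside the RFC1918 ranges is still rejected. The NOTE should tell the reader what to do: define an ACL for the peer addresses and add an 'htcp_access allow' line for it ahead of 'htcp_access deny all'.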
acl normal_service_net src 10.0.0.0/255.255.255.0
acl good_service_net src 10.0.1.0/255.255.255.0
- tcp_outgoing_tos 0x00 normal_service_net 0x00
+ tcp_outgoing_tos 0x00 normal_service_net
tcp_outgoing_tos 0x20 good_service_net
TOS/DSCP values really only have local significance - so you should
incompatible with the use of server side persistent connections. To
ensure correct results it is best to set server_persistent_connections
to off when using this directive in such configurations.
+
+
+ IPv6 Magic:
+
+ Squid is built with a capability of bridging the IPv4 and IPv6 internets.
+ tcp_outgoing_address as exampled above breaks this bridging by forcing
+ all outbound traffic through a certain IPv4 which may be on the wrong
+ side of the IPv4/IPv6 boundary.
+
+ To operate with tcp_outgoing_address and keep the bridging benefits
+ an additional ACL needs to be used which ensures the IPv6-bound traffic
+ is never forced or permitted out the IPv4 interface.
+
+ acl to_ipv6 dst ipv6
+ tcp_outgoing_address 2002::c001 good_service_net to_ipv6
+ tcp_outgoing_address 10.0.0.2 good_service_net !to_ipv6
+
+ tcp_outgoing_address 2002::beef normal_service_net to_ipv6
+ tcp_outgoing_address 10.0.0.1 normal_service_net !to_ipv6
+
+ tcp_outgoing_address 2002::1 to_ipv6
+ tcp_outgoing_address 10.0.0.3 !to_ipv6
DOC_END
COMMENT_START
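Review bot: the example addresses in the added IPv6 block (2002::c001, 2002::beef, 2002::1) sit in 2002::/16, which is the 6to4 prefix, not address space set aside for examples. Documentation should use 2001:db8::/32 so that a copy-pasted sample cannot collide with real addressing. The heading "IPv6 Magic:" and the phrase "as exampled above" would also read better as a plain description, for instance "Using tcp_outgoing_address with IPv6:" and "as shown above".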
use 'carp' to define a set of parents which should
be used as a CARP array. The requests will be
distributed among the parents based on the CARP load
- balancing hash function based on their weigth.
+ balancing hash function based on their weight.
'multicast-responder' indicates the named peer
is a member of a multicast group. ICP queries will
use 'htcp' to send HTCP, instead of ICP, queries
to the neighbor. You probably also want to
set the "icp port" to 4827 instead of 3130.
+ You MUST also set htcp_access expicitly. The default of
+ deny all will prevent peer traffic.
use 'htcp-oldsquid' to send HTCP to old Squid versions
+ You MUST also set htcp_access expicitly. The default of
+ deny all will prevent peer traffic.
'originserver' causes this parent peer to be contacted as
a origin server. Meant to be used in accelerator setups.
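Review bot: "expicitly" should be "explicitly" in both added sentences (under 'htcp' and under 'htcp-oldsquid'). Since the sentence is repeated verbatim, consider pointing to the htcp_access directive by name in each ("see htcp_access") so the reader knows where the default is documented.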
NAME: cache_dir
TYPE: cachedir
DEFAULT: none
-DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256
LOC: Config.cacheSwap
DOC_START
Usage:
called 'stripe' in the directory names in the config - and
this will be created by squid -z.
- The null store type:
-
- no options are allowed or required
-
Common options:
no-store, no new objects should be stored to this cache_dir
Note for coss, max-size must be less than COSS_MEMBUF_SZ,
which can be changed with the --with-coss-membuf-size=N configure
option.
+NOCOMMENT_START
+DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256
+NOCOMMENT_END
DOC_END
NAME: store_dir_select_algorithm
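Review bot: the 'DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256' line has been moved from the directive header into a NOCOMMENT_START / NOCOMMENT_END block. Every other NOCOMMENT block in this patch holds literal squid.conf lines (for example 'icp_access allow localnet'), so this looks like it would put a cf.data.pre keyword into the generated configuration instead of a directive. If the aim is to show a sample cache directory, the block should contain a 'cache_dir ufs @DEFAULT_SWAP_DIR@ 100 16 256' line, commented or not as intended. The patch also removes the header-level default and the "null store type" text without documenting what Squid does when no cache_dir line is present.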
DOC_END
NAME: debug_options
-TYPE: debug
+TYPE: eol
DEFAULT: ALL,1
LOC: Config.debugOptions
DOC_START
enabled in which case performance will suffer badly anyway..).
DOC_END
+NAME: netdb_filename
+TYPE: string
+DEFAULT: @DEFAULT_NETDB_FILE@
+LOC: Config.netdbFilename
+IFDEF: USE_ICMP
+DOC_START
+ A filename where Squid stores it's netdb state between restarts.
+ To disable, enter "none".
+DOC_END
+
COMMENT_START
OPTIONS FOR FTP GATEWAYING
-----------------------------------------------------------------------------
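Review bot: "it's" in the netdb_filename description should be "its". The text should also say where a relative name is resolved and that the file must be writable by the user Squid runs as, since this is state written at run time.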
NAME: pinger_program
TYPE: string
DEFAULT: @DEFAULT_PINGER@
-LOC: Config.Program.pinger
+LOC: Config.pinger.program
IFDEF: USE_ICMP
DOC_START
Specify the location of the executable for the pinger process.
DOC_END
+NAME: pinger_enable
+TYPE: onoff
+DEFAULT: on
+LOC: Config.pinger.enable
+IFDEF: USE_ICMP
+DOC_START
+ Control whether the pinger is active at run-time.
+ Enables turning ICMP pinger on and off with a simple squid -k reconfigure.
+DOC_END
+
+
COMMENT_START
OPTIONS FOR URL REWRITING
-----------------------------------------------------------------------------
For each requested URL rewriter will receive on line with the format
- URL <SP> client_ip "/" fqdn <SP> user <SP> method <NL>
+ URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
+
+ In the future, the rewriter interface will be extended with
+ key=value pairs ("kvpairs" shown above). Rewriter programs
+ should be prepared to receive and possibly ignore additional
+ whitespace-separated tokens on each input line.
And the rewriter may return a rewritten URL. The other components of
the request line does not need to be returned (ignored if they are).
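Review bot: the new '[<SP> kvpairs]' field is announced without defining its syntax: the text does not say how keys and values are delimited or how whitespace inside a value is encoded. Helper authors are told to "receive and possibly ignore" extra tokens, but a helper that splits on whitespace needs to know the first four fields keep their positions. State that explicitly, and either specify the escaping now or say that it is undefined until the extension lands. The unchanged line above the format also reads "will receive on line" where "one line" is meant.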
NAME: store_avg_object_size
COMMENT: (kbytes)
-TYPE: kb_size_t
+TYPE: kb_int64_t
DEFAULT: 13 KB
LOC: Config.Store.avgObjectSize
DOC_START
LOC: Config.EmailProgram
DOC_START
Email program used to send mail if the cache dies.
- The default is "mail". The specified program must complain
+ The default is "mail". The specified program must comply
with the standard Unix mail syntax:
- mail_program recipient < mailfile
+ mail-program recipient < mailfile
+
Optional command line options can be specified.
DOC_END
COMMENT_END
NAME: httpd_accel_surrogate_id
-IFDEF: ESI
+IFDEF: USE_SQUID_ESI
TYPE: string
LOC: Config.Accel.surrogate_id
DEFAULT: unset-id
DOC_END
NAME: http_accel_surrogate_remote
-IFDEF: ESI
+IFDEF: USE_SQUID_ESI
COMMENT: on|off
TYPE: onoff
DEFAULT: off
DOC_END
NAME: esi_parser
-IFDEF: ESI
+IFDEF: USE_SQUID_ESI
COMMENT: libxml2|expat|custom
TYPE: string
LOC: ESIParser::Type
IFDEF: USE_WCCP
DOC_NONE
NAME: wccp2_router
-TYPE: sockaddr_in_list
+TYPE: IPAddress_list
LOC: Config.Wccp2.router
DEFAULT: none
IFDEF: USE_WCCPv2
DOC_START
This controls whether the server will generate a Cache Digest
of its contents. By default, Cache Digest generation is
- enabled if Squid is compiled with USE_CACHE_DIGESTS defined.
+ enabled if Squid is compiled with --enable-cache-digests defined.
DOC_END
NAME: digest_bits_per_entry
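Review bot: "compiled with --enable-cache-digests defined" keeps the word "defined" from the old macro wording; a configure option is passed, not defined. Suggest "enabled if Squid is built with --enable-cache-digests".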
LOC: Config.digest.rebuild_period
DEFAULT: 1 hour
DOC_START
- This is the number of seconds between Cache Digest rebuilds.
+ This is the wait time between Cache Digest rebuilds.
DOC_END
NAME: digest_rewrite_period
LOC: Config.digest.rewrite_period
DEFAULT: 1 hour
DOC_START
- This is the number of seconds between Cache Digest writes to
+ This is the wait time between Cache Digest writes to
disk.
DOC_END
TYPE: address
LOC:Config.Addrs.udp_incoming
DEFAULT: 0.0.0.0
-DOC_NONE
+DOC_START
+ udp_incoming_address is used for UDP packets received from other
+ caches.
+
+ The default behavior is to not bind to any specific address.
+
+ Only change this if you want to have all UDP queries received on
+ a specific interface/address.
+
+ NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
+ modules. Altering it will affect all of them in the same manner.
+
+ see also; udp_outgoing_address
+
+ NOTE, udp_incoming_address and udp_outgoing_address can not
+ have the same value since they both use the same port.
+DOC_END
NAME: udp_outgoing_address
TYPE: address
LOC: Config.Addrs.udp_outgoing
DEFAULT: 255.255.255.255
DOC_START
- udp_incoming_address is used for the ICP socket receiving packets
- from other caches.
- udp_outgoing_address is used for ICP packets sent out to other
+ udp_outgoing_address is used for UDP packets sent out to other
caches.
The default behavior is to not bind to any specific address.
- A udp_incoming_address value of 0.0.0.0 indicates Squid
- should listen for UDP messages on all available interfaces.
-
- If udp_outgoing_address is set to 255.255.255.255 (the default)
- it will use the same socket as udp_incoming_address. Only
- change this if you want to have ICP queries sent using another
- address than where this Squid listens for ICP queries from other
+ Instead it will use the same socket as udp_incoming_address.
+ Only change this if you want to have UDP queries sent using another
+ address than where this Squid listens for UDP queries from other
caches.
+ NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
+ modules. Altering it will affect all of them in the same manner.
+
+ see also; udp_incoming_address
+
NOTE, udp_incoming_address and udp_outgoing_address can not
- have the same value since they both use port 3130.
+ have the same value since they both use the same port.
DOC_END
NAME: icp_hit_stale
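Review bot: the rewrite drops the two sentences that explained the sentinel values, while 'DEFAULT: 0.0.0.0' and 'DEFAULT: 255.255.255.255' stay in the headers. "The default behavior is to not bind to any specific address" no longer tells the reader that 0.0.0.0 means listening on all available interfaces, which matters more now that the text says the setting covers the ICP, HTCP and DNS modules. Under udp_outgoing_address, "Instead it will use the same socket as udp_incoming_address" has lost the condition it depended on (the 255.255.255.255 default). Restore both explanations, and change "see also;" to "See also:".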
nameservers by setting this option to 'off'.
DOC_END
+NAME: dns_v4_fallback
+TYPE: onoff
+DEFAULT: on
+LOC: Config.onoff.dns_require_A
+DOC_START
+ Standard practice with DNS is to lookup either A or AAAA records
+ and use the results if it succeeds. Only looking up the other if
+ the first attempt fails or otherwise produces no results.
+
+ That policy however will cause squid to produce error pages for some
+ servers that advertise AAAA but are unreachable over IPv6.
+
+ If this is ON squid will always lookup both AAAA and A, using both.
+ If this is OFF squid will lookup AAAA and only try A if none found.
+
+ WARNING: There are some possibly unwanted side-effects with this on:
+ *) Doubles the load placed by squid on the DNS network.
+ *) May negatively impact connection delay times.
+DOC_END
+
NAME: ipcache_size
COMMENT: (number of entries)
TYPE: int
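Review bot: the WARNING lists the costs of running "with this on", but 'DEFAULT: on' means doubled DNS load and added connection delay are what every install gets unless the option is changed; say so directly in the WARNING. The directive is named dns_v4_fallback while its storage is 'Config.onoff.dns_require_A', and the two names suggest different behaviour; align them or explain the relationship. "Only looking up the other if the first attempt fails ..." is a sentence fragment and should be joined to the sentence before it.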
NAME: balance_on_multiple_ip
TYPE: onoff
LOC: Config.onoff.balance_on_multiple_ip
-DEFAULT: on
+DEFAULT: off
DOC_START
+ Modern IP resolvers in squid sort lookup results by preferred access.
+ By default squid will use these IP in order and only rotates to
+ the next listed when the most preffered fails.
+
Some load balancing servers based on round robin DNS have been
found not to preserve user session state across requests
to different IP addresses.
- By default Squid rotates IP's per request. By disabling
- this directive only connection failure triggers rotation.
+ Enabling this directive Squid rotates IP's per request.
DOC_END
NAME: pipeline_prefetch
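Review bot: 'DEFAULT: on' becomes 'DEFAULT: off', which changes behaviour for every existing configuration that relied on the default, yet the text does not flag it. Add a line noting that earlier releases rotated addresses per request by default. In the added text, "preffered" should be "preferred", "these IP" should be "these IPs", and "Enabling this directive Squid rotates IP's per request" needs a verb structure such as "When this directive is enabled, Squid rotates IPs per request".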