-## Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+## Copyright (C) 1996-2017 The Squid Software Foundation and contributors
##
## Squid software is distributed under GPLv2+ license and includes
## contributions from numerous individuals and organizations.
NOTE: NTLM and Negotiate schemes do not support concurrency
in the Squid code module even though some helpers can.
+ "keep_alive" on|off
+ If you experience problems with PUT/POST requests when using
+ the NTLM or Negotiate schemes then you can try setting this
+ to off. This will cause Squid to forcibly close the connection
+ on the initial request where the browser asks which schemes
+ are supported by the proxy.
-IF HAVE_AUTH_MODULE_BASIC
- === Basic authentication parameters ===
+ For Basic and Digest this parameter is ignored.
"utf8" on|off
HTTP uses iso-latin-1 as character set, while some
set to on Squid will translate the HTTP iso-latin-1 charset to
UTF-8 before sending the username and password to the helper.
+ For NTLM and Negotiate this parameter is ignored.
+
+IF HAVE_AUTH_MODULE_BASIC
+ === Basic authentication parameters ===
+
"credentialsttl" timetolive
Specifies how long squid assumes an externally validated
username:password pair is valid for - in other words how
IF HAVE_AUTH_MODULE_DIGEST
=== Digest authentication parameters ===
- "utf8" on|off
- HTTP uses iso-latin-1 as character set, while some
- authentication backends such as LDAP expects UTF-8. If this is
- set to on Squid will translate the HTTP iso-latin-1 charset to
- UTF-8 before sending the username and password to the helper.
-
"nonce_garbage_interval" timeinterval
Specifies the interval that nonces that have been issued
to client_agent's are checked for validity.
incorrect request digest in POST requests when reusing the
same nonce as acquired earlier on a GET request.
-ENDIF
-IF HAVE_AUTH_MODULE_NEGOTIATE
- === Negotiate authentication parameters ===
-
- "keep_alive" on|off
- If you experience problems with PUT/POST requests when using
- the this authentication scheme then you can try setting this
- to off. This will cause Squid to forcibly close the connection
- on the initial request where the browser asks which schemes
- are supported by the proxy.
-
-ENDIF
-IF HAVE_AUTH_MODULE_NTLM
- === NTLM authentication parameters ===
-
- "keep_alive" on|off
- If you experience problems with PUT/POST requests when using
- the this authentication scheme then you can try setting this
- to off. This will cause Squid to forcibly close the connection
- on the initial request where the browser asks which schemes
- are supported by the proxy.
ENDIF
=== Example Configuration ===
#auth_param negotiate program <uncomment and complete this line to activate>
#auth_param negotiate children 20 startup=0 idle=1
-#auth_param negotiate keep_alive on
#
#auth_param digest program <uncomment and complete this line to activate>
#auth_param digest children 20 startup=0 idle=1
#
#auth_param ntlm program <uncomment and complete this line to activate>
#auth_param ntlm children 20 startup=0 idle=1
-#auth_param ntlm keep_alive on
#
#auth_param basic program <uncomment and complete this line>
#auth_param basic children 5 startup=5 idle=1
-#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
DOC_END
IFDEF: USE_AUTH
TYPE: time_t
DEFAULT: 1 hour
-LOC: Auth::TheConfig.authenticateGCInterval
+LOC: Auth::TheConfig.garbageCollectInterval
DOC_START
The time period between garbage collection across the username cache.
This is a trade-off between memory utilization (long intervals - say
IFDEF: USE_AUTH
TYPE: time_t
DEFAULT: 1 hour
-LOC: Auth::TheConfig.authenticateTTL
+LOC: Auth::TheConfig.credentialsTtl
DOC_START
The time a user & their credentials stay in the logged in
user cache since their last request. When the garbage
NAME: authenticate_ip_ttl
IFDEF: USE_AUTH
TYPE: time_t
-LOC: Auth::TheConfig.authenticateIpTTL
+LOC: Auth::TheConfig.ipTtl
DEFAULT: 1 second
DOC_START
If you use proxy authentication and the 'max_user_ip' ACL,
DEFAULT: manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
DEFAULT: localhost src 127.0.0.1/32 ::1
DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
-DEFAULT_DOC: ACLs all, manager, localhost, and to_localhost are predefined.
+DEFAULT: CONNECT method CONNECT
+DEFAULT_DOC: ACLs all, manager, localhost, to_localhost, and CONNECT are predefined.
DOC_START
Defining an Access List
# Annotation sources include note and adaptation_meta directives
# as well as helper and eCAP responses.
+ acl aclname annotate_transaction [-m[=delimiters]] key=value ...
+ acl aclname annotate_transaction [-m[=delimiters]] key+=value ...
+ # Always matches. [fast]
+ # Used for its side effect: This ACL immediately adds a
+ # key=value annotation to the current master transaction.
+ # The added annotation can then be tested using note ACL and
+ # logged (or sent to helpers) using %note format code.
+ #
+ # Annotations can be specified using replacement and addition
+ # formats. The key=value form replaces old same-key annotation
+ # value(s). The key+=value form appends a new value to the old
+ # same-key annotation. Both forms create a new key=value
+ # annotation if no same-key annotation exists already. If
+ # -m flag is used, then the value is interpreted as a list
+ # and the annotation will contain key=token pair(s) instead of the
+ # whole key=value pair.
+ #
+ # This ACL is especially useful for recording complex multi-step
+ # ACL-driven decisions. For example, the following configuration
+ # avoids logging transactions accepted after aclX matched:
+ #
+ # # First, mark transactions accepted after aclX matched
+ # acl markSpecial annotate_transaction special=true
+ # http_access allow acl001
+ # ...
+ # http_access deny acl100
+ # http_access allow aclX markSpecial
+ #
+ # # Second, do not log marked transactions:
+ # acl markedSpecial note special true
+ # access_log ... deny markedSpecial
+ #
+ # # Note that the following would not have worked because aclX
+ # # alone does not determine whether the transaction was allowed:
+ # access_log ... deny aclX # Wrong!
+ #
+ # Warning: This ACL annotates the transaction even when negated
+ # and even if subsequent ACLs fail to match. For example, the
+ # following three rules will have exactly the same effect as far
+ # as annotations set by the "mark" ACL are concerned:
+ #
+ # some_directive acl1 ... mark # rule matches if mark is reached
+ # some_directive acl1 ... !mark # rule never matches
+ # some_directive acl1 ... mark !all # rule never matches
+
+ acl aclname annotate_client [-m[=delimiters]] key=value ...
+ acl aclname annotate_client [-m[=delimiters]] key+=value ...
+ #
+ # Always matches. [fast]
+ # Used for its side effect: This ACL immediately adds a
+ # key=value annotation to the current client-to-Squid
+ # connection. Connection annotations are propagated to the current
+ # and all future master transactions on the annotated connection.
+ # See the annotate_transaction ACL for details.
+ #
+ # For example, the following configuration avoids rewriting URLs
+ # of transactions bumped by SslBump:
+ #
+ # # First, mark bumped connections:
+ # acl markBumped annotate_client bumped=true
+ # ssl_bump peek acl1
+ # ssl_bump stare acl2
+ # ssl_bump bump acl3 markBumped
+ # ssl_bump splice all
+ #
+ # # Second, do not send marked transactions to the redirector:
+ # acl markedBumped note bumped true
+ # url_rewrite_access deny markedBumped
+ #
+ # # Note that the following would not have worked because acl3 alone
+ # # does not determine whether the connection is going to be bumped:
+ # url_rewrite_access deny acl3 # Wrong!
+
acl aclname adaptation_service service ...
# Matches the name of any icap_service, ecap_service,
# adaptation_service_set, or adaptation_service_chain that Squid
# adaptation_meta because it starts matching immediately after
# the service has been selected for adaptation.
+ acl aclname transaction_initiator initiator ...
+ # Matches transaction's initiator [fast]
+ #
+ # Supported initiators are:
+ # esi: matches transactions fetching ESI resources
+ # certificate-fetching: matches transactions fetching
+ # a missing intermediate TLS certificate
+ # cache-digest: matches transactions fetching Cache Digests
+ # from a cache_peer
+ # htcp: matches HTCP requests from peers
+ # icp: matches ICP requests to peers
+ # icmp: matches ICMP RTT database (NetDB) requests to peers
+ # asn: matches asns db requests
+ # internal: matches any of the above
+ # client: matches transactions containing an HTTP or FTP
+ # client request received at a Squid *_port
+ # all: matches any transaction, including internal transactions
+ # without a configurable initiator and hopefully rare
+ # transactions without a known-to-Squid initiator
+ #
+ # Multiple initiators are ORed.
+
+ acl aclname has component
+ # matches a transaction "component" [fast]
+ #
+ # Supported transaction components are:
+ # request: transaction has a request header (at least)
+ # response: transaction has a response header (at least)
+ # ALE: transaction has an internally-generated Access Log Entry
+ # structure; bugs notwithstanding, all transaction have it
+ #
+ # For example, the following configuration helps when dealing with HTTP
+ # clients that close connections without sending a request header:
+ #
+ # acl hasRequest has request
+ # acl logMe note important_transaction
+ # # avoid "logMe ACL is used in context without an HTTP request" warnings
+ # access_log ... logformat=detailed hasRequest logMe
+ # # log request-less transactions, instead of ignoring them
+ # access_log ... logformat=brief !hasRequest
+ #
+ # Multiple components are not supported for one "acl" rule, but
+ # can be specified (and are ORed) using multiple same-name rules:
+ #
+ # # OK, this strange logging daemon needs request or response,
+ # # but can work without either a request or a response:
+ # acl hasWhatMyLoggingDaemonNeeds has request
+ # acl hasWhatMyLoggingDaemonNeeds has response
+
IF USE_OPENSSL
acl aclname ssl_error errorname
# match against SSL certificate validation error [fast]
# SslBump2: After getting SSL Client Hello info.
# SslBump3: After getting SSL Server Hello info.
- acl aclname ssl::server_name .foo.com ...
+ acl aclname ssl::server_name [option] .foo.com ...
# matches server name obtained from various sources [fast]
#
- # The server name is obtained during Ssl-Bump steps from such sources
- # as CONNECT request URI, client SNI, and SSL server certificate CN.
- # During each Ssl-Bump step, Squid may improve its understanding of a
- # "true server name". Unlike dstdomain, this ACL does not perform
- # DNS lookups.
- # The "none" name can be used to match transactions where Squid
+ # The ACL computes server name(s) using such information sources as
+ # CONNECT request URI, TLS client SNI, and TLS server certificate
+ # subject (CN and SubjectAltName). The computed server name(s) usually
+ # change with each SslBump step, as more info becomes available:
+ # * SNI is used as the server name instead of the request URI,
+ # * subject name(s) from the server certificate (CN and
+ # SubjectAltName) are used as the server names instead of SNI.
+ #
+ # When the ACL computes multiple server names, matching any single
+ # computed name is sufficient for the ACL to match.
+ #
+ # The "none" name can be used to match transactions where the ACL
# could not compute the server name using any information source
- # already available at the ACL evaluation time.
+ # that was both available and allowed to be used by the ACL options at
+ # the ACL evaluation time.
+ #
+ # Unlike dstdomain, this ACL does not perform DNS lookups.
+ #
+ # An ACL option below may be used to restrict what information
+ # sources are used to extract the server names from:
+ #
+ # --client-requested
+ # The server name is SNI regardless of what the server says.
+ # --server-provided
+ # The server name(s) are the certificate subject name(s), regardless
+ # of what the client has requested. If the server certificate is
+ # unavailable, then the name is "none".
+ # --consensus
+ # The server name is either SNI (if SNI matches at least one of the
+ # certificate subject names) or "none" (otherwise). When the server
+ # certificate is unavailable, the consensus server name is SNI.
+ #
+ # Combining multiple options in one ACL is a fatal configuration
+ # error.
+ #
+ # For all options: If no SNI is available, then the CONNECT request
+ # target (a.k.a. URI) is used instead of SNI (for an intercepted
+ # connection, this target is the destination IP address).
acl aclname ssl::server_name_regex [-i] \.foo\.com ...
# regex matches server name obtained from various sources [fast]
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
-acl CONNECT method CONNECT
NOCOMMENT_END
DOC_END
To control SSLv3 use the options= parameter.
Supported Values: 1.0 (default), 1.1, 1.2
- options=... Specify various TLS/SSL implementation options:
-
- NO_SSLv3 Disallow the use of SSLv3
-
- NO_TLSv1 Disallow the use of TLSv1.0
+ options=... Specify various TLS/SSL implementation options.
- NO_TLSv1_1 Disallow the use of TLSv1.1
+ OpenSSL options most important are:
- NO_TLSv1_2 Disallow the use of TLSv1.2
+ NO_SSLv3 Disallow the use of SSLv3
SINGLE_DH_USE
Always create a new key when using
Be warned that this reduces SSL/TLS
strength to some attacks.
- See the OpenSSL SSL_CTX_set_options documentation for a
- more complete list.
+ See the OpenSSL SSL_CTX_set_options documentation
+ for a more complete list.
+
+ GnuTLS options most important are:
+
+ %NO_TICKETS
+ Disable use of RFC5077 session tickets.
+ Some servers may have problems
+ understanding the TLS extension due
+ to ambiguous specification in RFC4507.
+
+ See the GnuTLS Priority Strings documentation
+ for a more complete list.
+ http://www.gnutls.org/manual/gnutls.html#Priority-Strings
+
cafile= PEM file containing CA certificates to use when verifying
the peer certificate. May be repeated to load multiple files.
This is the default action.
bump
- Establish a secure connection with the server and, using a
- mimicked server certificate, with the client.
+ When used on step SslBump1, establishes a secure connection
+ with the client first, then connect to the server.
+ When used on step SslBump2 or SslBump3, establishes a secure
+ connection with the server and, using a mimicked server
+ certificate, with the client.
peek
Receive client (step SslBump1) or server (step SslBump2)
tls-min-version=1.N
The minimum TLS protocol version to permit. To control
- SSLv3 use the ssloptions= parameter.
+ SSLv3 use the tls-options= parameter.
Supported Values: 1.0 (default), 1.1, 1.2
- ssloptions=... Specify various SSL implementation options:
-
- NO_SSLv3 Disallow the use of SSLv3
-
- NO_TLSv1 Disallow the use of TLSv1.0
+ tls-options=... Specify various TLS implementation options.
- NO_TLSv1_1 Disallow the use of TLSv1.1
+ OpenSSL options most important are:
- NO_TLSv1_2 Disallow the use of TLSv1.2
+ NO_SSLv3 Disallow the use of SSLv3
SINGLE_DH_USE
Always create a new key when using
See the OpenSSL SSL_CTX_set_options documentation for a
more complete list.
-
+
+ GnuTLS options most important are:
+
+ %NO_TICKETS
+ Disable use of RFC5077 session tickets.
+ Some servers may have problems
+ understanding the TLS extension due
+ to ambiguous specification in RFC4507.
+
+ See the GnuTLS Priority Strings documentation
+ for a more complete list.
+ http://www.gnutls.org/manual/gnutls.html#Priority-Strings
+
tls-cafile= PEM file containing CA certificates to use when verifying
the peer certificate. May be repeated to load multiple files.
For CONNECT requests that initiated bumping of
a connection and for any request received on
an already bumped connection, Squid logs the
- corresponding SslBump mode ("server-first" or
- "client-first"). See the ssl_bump option for
- more information about these modes.
+ corresponding SslBump mode ("splice", "bump",
+ "peek", "stare", "terminate", "server-first"
+ or "client-first"). See the ssl_bump option
+ for more information about these modes.
A "none" token is logged for requests that
triggered "ssl_bump" ACL evaluation matching
- either a "none" rule or no rules at all.
+ a "none" rule.
In all other cases, a single dash ("-") is
logged.
- ssl::>sni SSL client SNI sent to Squid. Available only
- after the peek, stare, or splice SSL bumping
- actions.
+ ssl::>sni SSL client SNI sent to Squid.
ssl::>cert_subject
The Subject field of the received client
will be considered fresh.
'Max' is an upper limit on how long objects without an explicit
- expiry time will be considered fresh.
+ expiry time will be considered fresh. The value is also used
+ to form Cache-Control: max-age header for a request sent from
+ Squid to origin/parent.
options: override-expire
override-lastmod
See also client_delay_parameters and client_delay_pools.
DOC_END
+NAME: response_delay_pool
+TYPE: response_delay_pool_parameters
+DEFAULT: none
+IFDEF: USE_DELAY_POOLS
+LOC: Config.MessageDelay
+DOC_START
+ This option configures client response bandwidth limits using the
+ following format:
+
+ response_delay_pool name [option=value] ...
+
+ name the response delay pool name
+
+ available options:
+
+ individual-restore The speed limit of an individual
+ bucket(bytes/s). To be used in conjunction
+ with 'individual-maximum'.
+
+ individual-maximum The maximum number of bytes which can
+ be placed into the individual bucket. To be used
+ in conjunction with 'individual-restore'.
+
+ aggregate-restore The speed limit for the aggregate
+ bucket(bytes/s). To be used in conjunction with
+ 'aggregate-maximum'.
+
+ aggregate-maximum The maximum number of bytes which can
+ be placed into the aggregate bucket. To be used
+ in conjunction with 'aggregate-restore'.
+
+ initial-bucket-level The initial bucket size as a percentage
+ of individual-maximum.
+
+ Individual and(or) aggregate bucket options may not be specified,
+ meaning no individual and(or) aggregate speed limitation.
+ See also response_delay_pool_access and delay_parameters for
+ terminology details.
+DOC_END
+
+NAME: response_delay_pool_access
+TYPE: response_delay_pool_access
+DEFAULT: none
+DEFAULT_DOC: Deny use of the pool, unless allow rules exist in squid.conf for the pool.
+IFDEF: USE_DELAY_POOLS
+LOC: Config.MessageDelay
+DOC_START
+ Determines whether a specific named response delay pool is used
+ for the transaction. The syntax for this directive is:
+
+ response_delay_pool_access pool_name allow|deny acl_name
+
+ All response_delay_pool_access options are checked in the order
+ they appear in this configuration file. The first rule with a
+ matching ACL wins. If (and only if) an "allow" rule won, Squid
+ assigns the response to the corresponding named delay pool.
+DOC_END
+
COMMENT_START
WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
-----------------------------------------------------------------------------
tls-min-version=1.N
The minimum TLS protocol version to permit. To control
- SSLv3 use the ssloptions= parameter.
+ SSLv3 use the tls-options= parameter.
Supported Values: 1.0 (default), 1.1, 1.2
tls-options=... Specify various OpenSSL library options:
NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1.0
- NO_TLSv1_1 Disallow the use of TLSv1.1
- NO_TLSv1_2 Disallow the use of TLSv1.2
-
SINGLE_DH_USE
Always create a new key when using
temporary/ephemeral DH key exchanges
DOC_END
NAME: dns_nameservers
-TYPE: wordlist
+TYPE: SBufList
DEFAULT: none
DEFAULT_DOC: Use operating system definitions
-LOC: Config.dns_nameservers
+LOC: Config.dns.nameservers
DOC_START
Use this if you want to specify a list of DNS name servers
(IP addresses) to use instead of those given in your
projects / thirdparty / squid.git / blobdiff