FORMAT specifications
%LOGIN Authenticated user login name
- %EXT_USER Username from external acl
+ %EXT_USER Username from previous external acl
+ %EXT_LOG Log details from previous external acl
+ %EXT_TAG Tag from previous external acl
%IDENT Ident user name
%SRC Client IP
%SRCPORT Client source port
When using "file", the file should contain one item per line.
- By default, regular expressions are CASE-SENSITIVE. To make
- them case-insensitive, use the -i option.
+ By default, regular expressions are CASE-SENSITIVE.
+ To make them case-insensitive, use the -i option. To return case-sensitive
+ use the +i option between patterns, or make a new ACL line without -i.
Some acl types require suspending the current request in order
to access some external data source.
***** ACL TYPES AVAILABLE *****
- acl aclname src ip-address/netmask ... # clients IP address [fast]
- acl aclname src addr1-addr2/netmask ... # range of addresses [fast]
- acl aclname dst ip-address/netmask ... # URL host's IP address [slow]
- acl aclname myip ip-address/netmask ... # local socket IP address [fast]
+ acl aclname src ip-address/mask ... # clients IP address [fast]
+ acl aclname src addr1-addr2/mask ... # range of addresses [fast]
+ acl aclname dst ip-address/mask ... # URL host's IP address [slow]
+ acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
# The arp ACL requires the special configure option --enable-arp-acl.
acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
# ranges are alloed
- acl aclname myport 3128 ... # local socket TCP port [fast]
+ acl aclname localport 3128 ... # TCP port the client connected to [fast]
+ # NP: for interception mode this is usually '80'
+
acl aclname myportname 3128 ... # http(s)_port name [fast]
acl aclname proto HTTP FTP ... # request protocol [fast]
#
# Recommended minimum configuration:
#
-acl manager proto cache_object
+acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
-http_access allow manager localhost
+http_access allow localhost manager
http_access deny manager
# Deny requests to certain unsafe ports
connections using the client IP address.
NP: disables authentication and maybe IPv6 on the port.
- accel Accelerator mode. Also needs at least one of
- vhost / vport / defaultsite.
+ accel Accelerator / reverse proxy mode
ssl-bump Intercept each CONNECT request matching ssl_bump ACL,
establish secure connection with the client and with
Accelerator Mode Options:
- allow-direct Allow direct forwarding in accelerator mode. Normally
- accelerated requests are denied direct forwarding as if
- never_direct was used.
-
defaultsite=domainname
What to use for the Host: header if it is not present
in a request. Determines what site (not origin server)
accelerators should consider the default.
- Implies accel.
- vhost Using the Host header for virtual domain support.
- Also uses the port as specified in Host: header.
+ no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
- vport IP based virtual host support. Using the http_port number
- in passed on Host: headers.
+ protocol= Protocol to reconstruct accelerated requests with.
+ Defaults to http for http_port and https for
+ https_port
- vport=NN Uses the specified port number rather than the
- http_port number.
+ vport Virtual host port support. Using the http_port number
+ instead of the port passed on Host: headers.
- protocol= Protocol to reconstruct accelerated requests with.
- Defaults to http://.
+ vport=NN Virtual host port support. Using the specified port
+ number instead of the port passed on Host: headers.
+
+ act-as-origin
+ Act as if this Squid is the origin server.
+ This currently means generate new Date: and Expires:
+ headers on HIT instead of adding Age:.
ignore-cc Ignore request Cache-Control headers.
- Warning: This option violates HTTP specifications if
+ WARNING: This option violates HTTP specifications if
used in non-accelerator setups.
+ allow-direct Allow direct forwarding in accelerator mode. Normally
+ accelerated requests are denied direct forwarding as if
+ never_direct was used.
+
+ WARNING: this option opens accelerator mode to security
+ vulnerabilities usually only affecting in interception
+ mode. Make sure to protect forwarding with suitable
+ http_access rules when using this.
+
SSL Bump Mode Options:
DEFAULT: none
LOC: Config.Sockaddr.https
DOC_START
- Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
+ Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
The socket address where Squid will listen for HTTPS client
requests.
You may specify multiple socket addresses on multiple lines,
each with their own SSL certificate and/or options.
- Options:
+ Modes:
- accel Accelerator mode. Also needs at least one of
- defaultsite or vhost.
+ accel Accelerator / reverse proxy mode
- defaultsite= The name of the https site presented on
- this port. Implies accel.
+ Omitting the mode flag causes default forward proxy mode to be used.
- vhost Accelerator mode using Host header for virtual
- domain support. Requires a wildcard certificate
- or other certificate valid for more than one domain.
- Implies accel.
- protocol= Protocol to reconstruct accelerated requests with.
- Defaults to https.
+ See http_port for a list of generic options
+
+
+ SSL Options:
cert= Path to SSL certificate (PEM format).
sslcontext= SSL session ID context identifier.
- vport Accelerator with IP based virtual host support.
-
- vport=NN As above, but uses specified port number rather
- than the https_port number. Implies accel.
-
- name= Specifies a internal name for the port. Defaults to
- the port specification (port or addr:port)
-
DOC_END
NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
NAME: tcp_outgoing_mark
TYPE: acl_nfmark
-IFDEF: SO_MARK
+IFDEF: SO_MARK&&USE_LIBCAP
DEFAULT: none
LOC: Ip::Qos::TheConfig.nfmarkToServer
DOC_START
NAME: clientside_mark
TYPE: acl_nfmark
-IFDEF: SO_MARK
+IFDEF: SO_MARK&&USE_LIBCAP
DEFAULT: none
LOC: Ip::Qos::TheConfig.nfmarkToClient
DOC_START
tcp_outgoing_address ipaddr [[!]aclname] ...
- Example where requests from 10.0.0.0/24 will be forwarded
- with source address 10.1.0.1, 10.0.2.0/24 forwarded with
- source address 10.1.0.2 and the rest will be forwarded with
- source address 10.1.0.3.
+ For example;
+ Forwarding clients with dedicated IPs for certain subnets.
- acl normal_service_net src 10.0.0.0/24
- acl good_service_net src 10.0.2.0/24
- tcp_outgoing_address 10.1.0.1 normal_service_net
- tcp_outgoing_address 10.1.0.2 good_service_net
- tcp_outgoing_address 10.1.0.3
+ acl normal_service_net src 10.0.0.0/24
+ acl good_service_net src 10.0.2.0/24
+
+ tcp_outgoing_address 2001:db8::c001 good_service_net
+ tcp_outgoing_address 10.1.0.2 good_service_net
+
+ tcp_outgoing_address 2001:db8::beef normal_service_net
+ tcp_outgoing_address 10.1.0.1 normal_service_net
+
+ tcp_outgoing_address 2001:db8::1
+ tcp_outgoing_address 10.1.0.3
Processing proceeds in the order specified, and stops at first fully
matching line.
- Note: The use of this directive using client dependent ACLs is
+ Squid will add an implicit IP version test to each line.
+ Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
+ Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
+
+
+ NOTE: The use of this directive using client dependent ACLs is
incompatible with the use of server side persistent connections. To
ensure correct results it is best to set server_persistent_connections
to off when using this directive in such configurations.
- Note: The use of this directive to set a local IP on outgoing TCP links
+ NOTE: The use of this directive to set a local IP on outgoing TCP links
is incompatible with using TPROXY to set client IP out outbound TCP links.
- When needing to contact peers use the no-tproxy cache_peer option to
- re-enable normal forwarding such as this.
-
- IPv6 Magic:
-
- Squid is built with a capability of bridging the IPv4 and IPv6
- internets.
- tcp_outgoing_address as exampled above breaks this bridging by forcing
- all outbound traffic through a certain IPv4 which may be on the wrong
- side of the IPv4/IPv6 boundary.
-
- To operate with tcp_outgoing_address and keep the bridging benefits
- an additional ACL needs to be used which ensures the IPv6-bound traffic
- is never forced or permitted out the IPv4 interface.
-
- # IPv6 destination test along with a dummy access control to perofrm the required DNS
- # This MUST be place before any ALLOW rules.
- acl to_ipv6 dst ipv6
- http_access deny ipv6 !all
-
- tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6
- tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
-
- tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6
- tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
-
- tcp_outgoing_address 2001:db8::1 to_ipv6
- tcp_outgoing_address 10.1.0.3 !to_ipv6
-
- WARNING:
- 'dst ipv6' bases its selection assuming DIRECT access.
- If peers are used the peername ACL are needed to select outgoing
- address which can link to the peer.
-
- 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used
- previously in the http_access rules to locate the destination IP.
- Some more magic may be needed for that:
- http_access allow to_ipv6 !all
- (meaning, allow if to IPv6 but not from anywhere ;)
+ When needing to contact peers use the no-tproxy cache_peer option and the
+ client_dst_passthru directive re-enable normal forwarding such as this.
DOC_END
By default, no requests are bumped.
- See also: http_port sslBump
+ See also: http_port ssl-bump
- This clause only supports fast acl types.
+ This clause supports both fast and slow acl types.
See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
to OpenSSL.
DOC_END
-
NAME: sslproxy_cert_error
IFDEF: USE_SSL
DEFAULT: none
Default setting: sslproxy_cert_error deny all
DOC_END
-
-
NAME: sslpassword_program
IFDEF: USE_SSL
DEFAULT: none
than the Squid default location.
+ ==== CARP OPTIONS ====
+
+ carp-key=key-specification
+ use a different key than the full URL to hash against the peer.
+ the key-specification is a comma-separated list of the keywords
+ scheme, host, port, path, params
+ Order is not important.
+
==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
originserver Causes this parent to be contacted as an origin server.
The first principal from the default keytab or defined by
the environment variable KRB5_KTNAME will be used.
+ WARNING: The connection may transmit requests from multiple
+ clients. Negotiate often assumes end-to-end authentication
+ and a single-client. Which is not strictly true here.
+
login=NEGOTIATE:principal_name
If this is a personal/workgroup proxy and your parent
requires a secure proxy authentication.
defined by the environment variable KRB5_KTNAME will be
used.
+ WARNING: The connection may transmit requests from multiple
+ clients. Negotiate often assumes end-to-end authentication
+ and a single-client. Which is not strictly true here.
+
connection-auth=on|off
Tell Squid that this peer does or not support Microsoft
connection oriented authentication, and any such
DOC_START
Controls how many different forward paths Squid will try
before giving up. See also forward_timeout.
+
+ NOTE: connect_retries (default: none) can make each of these
+ possible forwarding paths be tried multiple times.
DOC_END
NAME: hierarchy_stoplist
<A Server IP address or peer name
la Local IP address (http_port)
lp Local port number (http_port)
+ <la Local IP address of the last server or peer connection
<lp Local port number of the last server or peer connection
Time related format codes:
[http::]Sh Squid hierarchy status (DEFAULT_PARENT etc)
[http::]mt MIME content type
[http::]rm Request method (GET/POST etc)
- [http::]ru Request URL
+ [http::]>rm Request method from client
+ [http::]<rm Request method sent to server or peer
+ [http::]ru Request URL from client (historic, filtered for logging)
+ [http::]>ru Request URL from client
+ [http::]<ru Request URL sent to server or peer
[http::]rp Request URL-Path excluding hostname
+ [http::]>rp Request URL-Path excluding hostname from client
+ [http::]<rp Request URL-Path excluding hostname sento to server or peer
[http::]rv Request protocol version
+ [http::]>rv Request protocol version from client
+ [http::]<rv Request protocol version sent to server or peer
[http::]et Tag returned by external acl
[http::]ea Log string returned by external acl
[http::]<st Sent reply size including HTTP headers
LOC: Config.Program.redirect
DEFAULT: none
DOC_START
- Specify the location of the executable for the URL rewriter.
+ Specify the location of the executable URL rewriter to use.
Since they can perform almost any function there isn't one included.
- For each requested URL rewriter will receive on line with the format
+ For each requested URL, the rewriter will receive on line with the format
URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
The rewriter can also indicate that a client-side redirect should
be performed to the new URL. This is done by prefixing the returned
- URL with "301:" (moved permanently) or 302: (moved temporarily).
+ URL with "301:" (moved permanently) or 302: (moved temporarily), etc.
By default, a URL rewriter is not used.
DOC_END
DEFAULT: on
LOC: Adaptation::Config::use_indirect_client
DOC_START
- Controls whether the indirect client address
- (see follow_x_forwarded_for) instead of the
- direct client address is passed to an ICAP
- server as "X-Client-IP".
+ Controls whether the indirect client IP address (instead of the direct
+ client IP address) is passed to adaptation services.
+
+ See also: follow_x_forwarded_for adaptation_send_client_ip
DOC_END
NAME: via
performed).
DOC_END
-NAME: header_replace
+NAME: request_header_replace header_replace
IFDEF: USE_HTTP_VIOLATIONS
TYPE: http_header_replace[]
LOC: Config.request_header_access
DEFAULT: none
DOC_START
- Usage: header_replace header_name message
- Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
+ Usage: request_header_replace header_name message
+ Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
This option allows you to change the contents of headers
- denied with header_access above, by replacing them with
- some fixed string. This replaces the old fake_user_agent
+ denied with request_header_access above, by replacing them
+ with some fixed string. This replaces the old fake_user_agent
option.
This only applies to request headers, not reply headers.
By default, headers are removed if denied.
DOC_END
+NAME: reply_header_replace
+IFDEF: USE_HTTP_VIOLATIONS
+TYPE: http_header_replace[]
+LOC: Config.reply_header_access
+DEFAULT: none
+DOC_START
+ Usage: reply_header_replace header_name message
+ Example: reply_header_replace Server Foo/1.0
+
+ This option allows you to change the contents of headers
+ denied with reply_header_access above, by replacing them
+ with some fixed string.
+
+ This only applies to reply headers, not request headers.
+
+ By default, headers are removed if denied.
+DOC_END
+
NAME: relaxed_header_parser
COMMENT: on|off|warn
TYPE: tristate
DOC_NONE
NAME: announce_port
-TYPE: ushort
+TYPE: u_short
DEFAULT: 3131
LOC: Config.Announce.port
DOC_START
class 5 Requests are grouped according their tag (see
external_acl's tag= reply).
+
+ Each pool also requires a delay_parameters directive to configure the pool size
+ and speed limits used whenever the pool is applied to a request. Along with
+ a set of delay_access directives to determine when it is used.
+
NOTE: If an IP address is a.b.c.d
-> bits 25 through 32 are "d"
-> bits 17 through 24 are "c"
DOC_START
This defines the parameters for a delay pool. Each delay pool has
a number of "buckets" associated with it, as explained in the
- description of delay_class. For a class 1 delay pool, the syntax is:
+ description of delay_class.
-delay_parameters pool aggregate
+ For a class 1 delay pool, the syntax is:
+ delay_pools pool 1
+ delay_parameters pool aggregate
For a class 2 delay pool:
-
-delay_parameters pool aggregate individual
+ delay_pools pool 2
+ delay_parameters pool aggregate individual
For a class 3 delay pool:
-
-delay_parameters pool aggregate network individual
+ delay_pools pool 3
+ delay_parameters pool aggregate network individual
For a class 4 delay pool:
-
-delay_parameters pool aggregate network individual user
+ delay_pools pool 4
+ delay_parameters pool aggregate network individual user
For a class 5 delay pool:
+ delay_pools pool 5
+ delay_parameters pool tagrate
-delay_parameters pool tag
-
- The variables here are:
+ The option variables are:
pool a pool number - ie, a number between 1 and the
number specified in delay_pools as used in
delay_class lines.
- aggregate the "delay parameters" for the aggregate bucket
+ aggregate the speed limit parameters for the aggregate bucket
(class 1, 2, 3).
- individual the "delay parameters" for the individual
+ individual the speed limit parameters for the individual
buckets (class 2, 3).
- network the "delay parameters" for the network buckets
+ network the speed limit parameters for the network buckets
(class 3).
- user the delay parameters for the user buckets
+ user the speed limit parameters for the user buckets
(class 4).
- tag the delay parameters for the tag buckets
+ tagrate the speed limit parameters for the tag buckets
(class 5).
A pair of delay parameters is written restore/maximum, where restore is
quoted in bits) per second placed into the bucket, and maximum is the
maximum number of bytes which can be in the bucket at any time.
+ There must be one delay_parameters line for each delay pool.
+
+
For example, if delay pool number 1 is a class 2 delay pool as in the
- above example, and is being used to strictly limit each host to 64kbps
+ above example, and is being used to strictly limit each host to 64Kbit/sec
(plus overheads), with no overall limit, the line is:
-delay_parameters 1 -1/-1 8000/8000
+ delay_parameters 1 -1/-1 8000/8000
+
+ Note that 8 x 8000 KByte/sec -> 64Kbit/sec.
Note that the figure -1 is used to represent "unlimited".
+
And, if delay pool number 2 is a class 3 delay pool as in the above
- example, and you want to limit it to a total of 256kbps (strict limit)
- with each 8-bit network permitted 64kbps (strict limit) and each
- individual host permitted 4800bps with a bucket maximum size of 64kb
+ example, and you want to limit it to a total of 256Kbit/sec (strict limit)
+ with each 8-bit network permitted 64Kbit/sec (strict limit) and each
+ individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
to permit a decent web page to be downloaded at a decent speed
(if the network is not being limited due to overuse) but slow down
large downloads more significantly:
-delay_parameters 2 32000/32000 8000/8000 600/8000
+ delay_parameters 2 32000/32000 8000/8000 600/8000
+
+ Note that 8 x 32000 KByte/sec -> 256Kbit/sec.
+ 8 x 8000 KByte/sec -> 64Kbit/sec.
+ 8 x 600 Byte/sec -> 4800bit/sec.
- There must be one delay_parameters line for each delay pool.
Finally, for a class 4 delay pool as in the example - each user will
- be limited to 128Kb no matter how many workstations they are logged into.:
+ be limited to 128Kbits/sec no matter how many workstations they are logged into.:
-delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
+ delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
DOC_END
NAME: delay_initial_bucket_level
COMMENT: (percent, 0-100)
-TYPE: ushort
+TYPE: u_short
DEFAULT: 50
IFDEF: USE_DELAY_POOLS
LOC: Config.Delay.initial
NAME: client_delay_initial_bucket_level
COMMENT: (percent, 0-no_limit)
-TYPE: ushort
+TYPE: u_short
DEFAULT: 50
IFDEF: USE_DELAY_POOLS
LOC: Config.ClientDelay.initial
COMMENT_END
NAME: snmp_port
-TYPE: ushort
+TYPE: u_short
LOC: Config.Port.snmp
DEFAULT: 0
IFDEF: SQUID_SNMP
COMMENT_END
NAME: icp_port udp_port
-TYPE: ushort
+TYPE: u_short
DEFAULT: 0
LOC: Config.Port.icp
DOC_START
NAME: htcp_port
IFDEF: USE_HTCP
-TYPE: ushort
+TYPE: u_short
DEFAULT: 0
LOC: Config.Port.htcp
DOC_START
NAME: mcast_miss_ttl
IFDEF: MULTICAST_MISS_STREAM
-TYPE: ushort
+TYPE: u_short
LOC: Config.mcast_miss.ttl
DEFAULT: 16
DOC_START
NAME: mcast_miss_port
IFDEF: MULTICAST_MISS_STREAM
-TYPE: ushort
+TYPE: u_short
LOC: Config.mcast_miss.port
DEFAULT: 3135
DOC_START
(HTTPS URLs terminate with *)
%u - Full canonical URL from client
%w - Admin email from squid.conf
+ %x - Error name
%% - Literal percent (%) code
DOC_END
LOC: Adaptation::Config::send_client_ip
DEFAULT: off
DOC_START
- This adds the header "X-Client-IP" to ICAP requests.
+ If enabled, Squid shares HTTP client IP information with adaptation
+ services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
+ For eCAP, Squid sets the libecap::metaClientIp transaction option.
+
+ See also: adaptation_uses_indirect_client
DOC_END
NAME: adaptation_send_username icap_send_client_username
LOC: Adaptation::Icap::TheConfig.client_username_header
DEFAULT: X-Client-Username
DOC_START
- ICAP request header name to use for send_username.
+ ICAP request header name to use for adaptation_send_username.
DOC_END
NAME: icap_client_username_encode
is to use IPv4-only connections. When set to 'on' this option will
make Squid use IPv6-only connections to contact this ICAP service.
+ on-overload=block|bypass|wait|force
+ If the service Max-Connections limit has been reached, do
+ one of the following for each new ICAP transaction:
+ * block: send an HTTP error response to the client
+ * bypass: ignore the "over-connected" ICAP service
+ * wait: wait (in a FIFO queue) for an ICAP connection slot
+ * force: proceed, ignoring the Max-Connections limit
+
+ In SMP mode with N workers, each worker assumes the service
+ connection limit is Max-Connections/N, even though not all
+ workers may use a given service.
+
+ The default value is "bypass" if service is bypassable,
+ otherwise it is set to "wait".
+
+
+ max-conn=number
+ Use the given number as the Max-Connections limit, regardless
+ of the Max-Connections value given by the service, if any.
+
Older icap_service format without optional named parameters is
deprecated but supported for backward compatibility.
DOC_END
NAME: dns_retransmit_interval
-TYPE: time_t
+TYPE: time_msec
DEFAULT: 5 seconds
LOC: Config.Timeout.idns_retransmit
IFDEF: !USE_DNSSERVERS
DOC_END
NAME: dns_timeout
-TYPE: time_t
-DEFAULT: 2 minutes
+TYPE: time_msec
+DEFAULT: 30 seconds
LOC: Config.Timeout.idns_query
IFDEF: !USE_DNSSERVERS
DOC_START
see also refresh_pattern for a more selective approach.
DOC_END
-NAME: maximum_single_addr_tries
+NAME: connect_retries
TYPE: int
-LOC: Config.retry.maxtries
-DEFAULT: 1
+LOC: Config.connect_retries
+DEFAULT: 0
DOC_START
- This sets the maximum number of connection attempts for a
- host that only has one address (for multiple-address hosts,
- each address is tried once).
+ This sets the maximum number of connection attempts made for each
+ TCP connection. The connect_retries attempts must all still
+ complete within the connection timeout period.
+
+ The default is not to re-try if the first connection attempt fails.
+ The (not recommended) maximum is 10 tries.
- The default value is one attempt, the (not recommended)
- maximum is 255 tries. A warning message will be generated
- if it is set to a value greater than ten.
+ A warning message will be generated if it is set to a too-high
+ value and the configured value will be over-ridden.
- Note: This is in addition to the request re-forwarding which
- takes place if Squid fails to get a satisfying response.
+ Note: These re-tries are in addition to forward_max_tries
+ which limit how many different addresses may be tried to find
+ a useful server.
DOC_END
NAME: retry_on_error
projects / thirdparty / squid.git / blobdiff