-#
-# SQUID Web Proxy Cache http://www.squid-cache.org/
-# ----------------------------------------------------------
-#
-# Squid is the result of efforts by numerous individuals from
-# the Internet community; see the CONTRIBUTORS file for full
-# details. Many organizations have provided support for Squid's
-# development; see the SPONSORS file for full details. Squid is
-# Copyrighted (C) 2000 by the Regents of the University of
-# California; see the COPYRIGHT file for full details. Squid
-# incorporates software developed and/or copyrighted by other
-# sources; see the CREDITS file for full details.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
-#
+## Copyright (C) 1996-2015 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
COMMENT_START
WELCOME TO @SQUID@
For Digest there is no default, this parameter is mandatory.
For NTLM and Negotiate this parameter is ignored.
- "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
+ "children" numberofchildren [startup=N] [idle=N] [concurrency=N] [queue-size=N]
The maximum number of authenticator processes to spawn. If
you start too few Squid will have to wait for them to process
Concurrency must not be set unless it's known the helper
supports the input format with channel-ID fields.
+ The queue-size= option sets the maximum number of queued
+ requests. If the queued requests exceed queue size for more
+ than 3 minutes then squid aborts its operation.
+ The default value is set to 2*numberofchildren/
+
NOTE: NTLM and Negotiate schemes do not support concurrency
in the Squid code module even though some helpers can.
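Review bot: The last added line of the queue-size paragraph ends in a slash, "2*numberofchildren/", where the other queue-size paragraphs in this patch end with a period; this looks like a typo. Since the paragraph says a backlog lasting more than 3 minutes makes Squid abort, it would also help to state whether queue-size=0 is allowed and what it means for authentication helpers.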
ttl=n TTL in seconds for cached results (defaults to 3600
for 1 hour)
+
negative_ttl=n
TTL for cached negative lookups (default same
as ttl)
+
+ grace=n Percentage remaining of TTL where a refresh of a
+ cached entry should be initiated without needing to
+ wait for a new reply. (default is for no grace period)
+
+ cache=n Limit the result cache size, default is 262144.
+ The expanded FORMAT value is used as the cache key, so
+ if the details in FORMAT are highly variable a larger
+ cache may be needed to produce reduction in helper load.
+
children-max=n
Maximum number of acl helper processes spawned to service
external acl lookups of this type. (default 20)
+
children-startup=n
Minimum number of acl helper processes to spawn during
startup and reconfigure to service external acl lookups
of this type. (default 0)
+
children-idle=n
Number of acl helper processes to keep ahead of traffic
loads. Squid will spawn this many at once whenever load
rises above the capabilities of existing processes.
Up to the value of children-max. (default 1)
+
concurrency=n concurrency level per process. Only used with helpers
capable of processing more than one query at a time.
- cache=n limit the result cache size, default is 262144.
- grace=n Percentage remaining of TTL where a refresh of a
- cached entry should be initiated without needing to
- wait for a new reply. (default is for no grace period)
- protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
+
+ queue-size=N The queue-size= option sets the maximum number of queued
+ requests. If the queued requests exceed queue size
+ the acl is ignored.
+ The default value is set to 2*children-max.
+
+ protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers.
+
ipv4 / ipv6 IP protocol used to communicate with this helper.
The default is to auto-detect IPv6 and use it when available.
+
FORMAT specifications
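Review bot: In the new queue-size=N entry, "the acl is ignored" does not say whether an overloaded lookup counts as a match or a non-match, and that decides whether an allow or deny rule built on this ACL fails open or fails closed. Please spell out the result the ACL yields in that case, and note that it differs from the auth_param helper queue in this same patch, where an overflow lasting more than 3 minutes makes Squid abort.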
%LOGIN Authenticated user login name
%USER_CERTCHAIN SSL User certificate chain in PEM format
%USER_CERT_xx SSL User certificate subject attribute xx
%USER_CA_CERT_xx SSL User certificate issuer attribute xx
+ %ssl::>sni SSL client SNI sent to Squid
+ %ssl::<cert_subject SSL server certificate DN
+ %ssl::<cert_issuer SSL server certificate issuer DN
%>{Header} HTTP request header "Header"
%>{Hdr:member}
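Review bot: The new %ssl::>sni, %ssl::<cert_subject and %ssl::<cert_issuer entries do not say when these values exist. The logformat hunk later in this patch states that ssl::>sni is available only after the peek, stare, or splice actions; repeat that constraint here and say what the helper receives when the value is not yet known, because the expanded FORMAT value is also the result cache key.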
%ea in logformat specifications.
clt_conn_tag= Associates a TAG with the client TCP connection.
- Please see url_rewrite_program related documentation for
- this kv-pair.
+ Please see url_rewrite_program related documentation
+ for this kv-pair.
Any keywords may be sent on any response whether OK, ERR or BH.
acl aclname localport 3128 ... # TCP port the client connected to [fast]
# NP: for interception mode this is usually '80'
- acl aclname myportname 3128 ... # http(s)_port name [fast]
+ acl aclname myportname 3128 ... # *_port name [fast]
acl aclname proto HTTP FTP ... # request protocol [fast]
# Optional argument specifies the digest algorithm to use.
# The SHA1 digest algorithm is the default and is currently
# the only algorithm supported (-sha1).
+
+ acl aclname at_step step
+ # match against the current step during ssl_bump evaluation [fast]
+ # Never matches and should not be used outside the ssl_bump context.
+ #
+ # At each SslBump step, Squid evaluates ssl_bump directives to find
+ # the next bumping action (e.g., peek or splice). Valid SslBump step
+ # values and the corresponding ssl_bump evaluation moments are:
+ # SslBump1: After getting TCP-level and HTTP CONNECT info.
+ # SslBump2: After getting SSL Client Hello info.
+ # SslBump3: After getting SSL Server Hello info.
ENDIF
acl aclname any-of acl1 acl2 ...
# match any one of the acls [fast or slow]
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
-acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
-acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
-acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
-acl localnet src fc00::/7 # RFC 4193 local private network range
-acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
+acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
+acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
+acl localhet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
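Review bot: The 169.254.0.0/16 line is spelled "acl localhet", so it defines a separate ACL named localhet and the link-local range never becomes part of localnet; it should read "acl localnet src 169.254.0.0/16". The other added ranges (0.0.0.1-0.255.255.255 and 100.64.0.0/10) widen what the example treats as local, so the comment above the block could remind readers to trim the list to the networks they actually operate.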
TYPE: acl_access
LOC: Config.accessList.proxyProtocol
DEFAULT: none
-DEFAULT_DOC: all TCP connections will be denied
+DEFAULT_DOC: all TCP connections to ports with require-proxy-header will be denied
DOC_START
Determine which client proxies can be trusted to provide correct
information regarding real client IP address using PROXY protocol.
SECURITY CONSIDERATIONS:
- Any host for which we accept client IP details can place
+ Any host from which we accept client IP details can place
incorrect information in the relevant header, and Squid
will use the incorrect information as if it were the
source address of the request. This may enable remote
IFDEF: FOLLOW_X_FORWARDED_FOR
LOC: Config.accessList.followXFF
DEFAULT_IF_NONE: deny all
-DEFAULT_DOC: indirect client IP will not be accepted.
+DEFAULT_DOC: X-Forwarded-For header will be ignored.
DOC_START
Determine which client proxies can be trusted to provide correct
information regarding real client IP address.
SECURITY CONSIDERATIONS:
- Any host for which we accept client IP details can place
+ Any host from which we accept client IP details can place
incorrect information in the relevant header, and Squid
will use the incorrect information as if it were the
source address of the request. This may enable remote
DOC_START
Allowing or Denying access based on defined access lists
- Access to the HTTP port:
+ To allow or deny a message received on an HTTP, HTTPS, or FTP port:
http_access allow|deny [!]aclname ...
NOTE on default values:
version= The version of SSL/TLS supported
1 automatic (default)
- 2 SSLv2 only
3 SSLv3 only
4 TLSv1.0 only
5 TLSv1.1 only
options= Various SSL implementation options. The most important
being:
- NO_SSLv2 Disallow the use of SSLv2
NO_SSLv3 Disallow the use of SSLv3
NO_TLSv1 Disallow the use of TLSv1.0
NO_TLSv1_1 Disallow the use of TLSv1.1
version= The version of SSL/TLS supported
1 automatic (default)
- 2 SSLv2 only
3 SSLv3 only
4 TLSv1 only
options= Various SSL engine options. The most important
being:
- NO_SSLv2 Disallow the use of SSLv2
NO_SSLv3 Disallow the use of SSLv3
NO_TLSv1 Disallow the use of TLSv1
SINGLE_DH_USE Always create a new key when using
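Review bot: The version= lists now jump from 1 to 3 and NO_SSLv2 is dropped from options=, but nothing says what Squid does with an existing squid.conf that still carries version=2 or NO_SSLv2. Add a sentence stating whether those values are now rejected, ignored, or mapped to something else, so an upgrade does not change TLS behaviour without the operator noticing. The same question applies to the sslproxy and cache_peer sslversion= hunks further down.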
See http_port for a list of available options.
DOC_END
+NAME: ftp_port
+TYPE: PortCfg
+DEFAULT: none
+LOC: FtpPortList
+DOC_START
+ Enables Native FTP proxy by specifying the socket address where Squid
+ listens for FTP client requests. See http_port directive for various
+ ways to specify the listening address and mode.
+
+ Usage: ftp_port address [mode] [options]
+
+ WARNING: This is a new, experimental, complex feature that has seen
+ limited production exposure. Some Squid modules (e.g., caching) do not
+ currently work with native FTP proxying, and many features have not
+ even been tested for compatibility. Test well before deploying!
+
+ Native FTP proxying differs substantially from proxying HTTP requests
+ with ftp:// URIs because Squid works as an FTP server and receives
+ actual FTP commands (rather than HTTP requests with FTP URLs).
+
+ Native FTP commands accepted at ftp_port are internally converted or
+ wrapped into HTTP-like messages. The same happens to Native FTP
+ responses received from FTP origin servers. Those HTTP-like messages
+ are shoveled through regular access control and adaptation layers
+ between the FTP client and the FTP origin server. This allows Squid to
+ examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP
+ mechanisms when shoveling wrapped FTP messages. For example,
+ http_access and adaptation_access directives are used.
+
+ Modes:
+
+ intercept Same as http_port intercept. The FTP origin address is
+ determined based on the intended destination of the
+ intercepted connection.
+
+ tproxy Support Linux TPROXY for spoofing outgoing
+ connections using the client IP address.
+ NP: disables authentication and maybe IPv6 on the port.
+
+ By default (i.e., without an explicit mode option), Squid extracts the
+ FTP origin address from the login@origin parameter of the FTP USER
+ command. Many popular FTP clients support such native FTP proxying.
+
+ Options:
+
+ name=token Specifies an internal name for the port. Defaults to
+ the port address. Usable with myportname ACL.
+
+ ftp-track-dirs
+ Enables tracking of FTP directories by injecting extra
+ PWD commands and adjusting Request-URI (in wrapping
+ HTTP requests) to reflect the current FTP server
+ directory. Tracking is disabled by default.
+
+ protocol=FTP Protocol to reconstruct accelerated and intercepted
+ requests with. Defaults to FTP. No other accepted
+ values have been tested with. An unsupported value
+ results in a FATAL error. Accepted values are FTP,
+ HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1).
+
+ Other http_port modes and options that are not specific to HTTP and
+ HTTPS may also work.
+DOC_END
+
NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
TYPE: acl_tos
DEFAULT: none
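Review bot: In the protocol= option, "No other accepted values have been tested with" is an unfinished sentence, and the entry goes on to list HTTP and HTTPS as accepted values right after saying they are untested. Either restrict the documented values to FTP or reword to say plainly that HTTP and HTTPS parse but are unsupported. Under tproxy, "disables authentication and maybe IPv6" should state the actual condition rather than "maybe", since it tells operators whether authentication is enforced on the port.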
The versions of SSL/TLS supported:
1 automatic (default)
- 2 SSLv2 only
3 SSLv3 only
4 TLSv1.0 only
5 TLSv1.1 only
The most important being:
- NO_SSLv2 Disallow the use of SSLv2
NO_SSLv3 Disallow the use of SSLv3
NO_TLSv1 Disallow the use of TLSv1.0
NO_TLSv1_1 Disallow the use of TLSv1.1
Sets the cache size to use for ssl session
DOC_END
+NAME: sslproxy_cert_sign_hash
+IFDEF: USE_OPENSSL
+DEFAULT: none
+LOC: Config.SSL.certSignHash
+TYPE: string
+DOC_START
+ Sets the hashing algorithm to use when signing generated certificates.
+ Valid algorithm names depend on the OpenSSL library used. The following
+ names are usually available: sha1, sha256, sha512, and md5. Please see
+ your OpenSSL library manual for the available hashes. By default, Squids
+ that support this option use sha256 hashes.
+
+ Squid does not forcefully purge cached certificates that were generated
+ with an algorithm other than the currently configured one. They remain
+ in the cache, subject to the regular cache eviction policy, and become
+ useful if the algorithm changes again.
+DOC_END
+
NAME: ssl_bump
IFDEF: USE_OPENSSL
TYPE: sslproxy_ssl_bump
LOC: Config.accessList.ssl_bump
-DEFAULT_DOC: Does not bump unless rules are present in squid.conf
+DEFAULT_DOC: Become a TCP tunnel without decrypting proxied traffic.
DEFAULT: none
DOC_START
This option is consulted when a CONNECT request is received on
https_port), provided that port was configured with an ssl-bump
flag. The subsequent data on the connection is either treated as
HTTPS and decrypted OR tunneled at TCP level without decryption,
- depending on the first bumping "mode" which ACLs match.
+ depending on the first matching bumping "action".
+
+ ssl_bump <action> [!]acl ...
+
+ The following bumping actions are currently supported:
+
+ splice
+ Become a TCP tunnel without decrypting proxied traffic.
+ This is the default action.
- ssl_bump <mode> [!]acl ...
+ bump
+ Establish a secure connection with the server and, using a
+ mimicked server certificate, with the client.
- The following bumping modes are supported:
+ peek
+ Receive client (step SslBump1) or server (step SslBump2)
+ certificate while preserving the possibility of splicing the
+ connection. Peeking at the server certificate (during step 2)
+ usually precludes bumping of the connection at step 3.
+
+ stare
+ Receive client (step SslBump1) or server (step SslBump2)
+ certificate while preserving the possibility of bumping the
+ connection. Staring at the server certificate (during step 2)
+ usually precludes splicing of the connection at step 3.
+
+ terminate
+ Close client and server connections.
+
+ Backward compatibility actions available at step SslBump1:
client-first
- Allow bumping of the connection. Establish a secure connection
- with the client first, then connect to the server. This old mode
- does not allow Squid to mimic server SSL certificate and does
- not work with intercepted SSL connections.
+ Bump the connection. Establish a secure connection with the
+ client first, then connect to the server. This old mode does
+ not allow Squid to mimic server SSL certificate and does not
+ work with intercepted SSL connections.
server-first
- Allow bumping of the connection. Establish a secure connection
- with the server first, then establish a secure connection with
- the client, using a mimicked server certificate. Works with both
- CONNECT requests and intercepted SSL connections.
+ Bump the connection. Establish a secure connection with the
+ server first, then establish a secure connection with the
+ client, using a mimicked server certificate. Works with both
+ CONNECT requests and intercepted SSL connections, but does
+ not allow to make decisions based on SSL handshake info.
- none
- Become a TCP tunnel without decoding the connection.
- Works with both CONNECT requests and intercepted SSL
- connections. This is the default behavior when no
- ssl_bump option is given or no ssl_bump ACLs match.
+ peek-and-splice
+ Decide whether to bump or splice the connection based on
+ client-to-squid and server-to-squid SSL hello messages.
+ XXX: Remove.
- By default, no connections are bumped.
+ none
+ Same as the "splice" action.
- The first matching ssl_bump option wins. If no ACLs match, the
- connection is not bumped. Unlike most allow/deny ACL lists, ssl_bump
- does not have an implicit "negate the last given option" rule. You
- must make that rule explicit if you convert old ssl_bump allow/deny
- rules that rely on such an implicit rule.
+ All ssl_bump rules are evaluated at each of the supported bumping
+ steps. Rules with actions that are impossible at the current step are
+ ignored. The first matching ssl_bump action wins and is applied at the
+ end of the current step. If no rules match, the splice action is used.
+ See the at_step ACL for a list of the supported SslBump steps.
This clause supports both fast and slow acl types.
See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
- See also: http_port ssl-bump, https_port ssl-bump
+ See also: http_port ssl-bump, https_port ssl-bump, and acl at_step.
# Example: Bump all requests except those originating from
# localhost or those going to example.com.
acl broken_sites dstdomain .example.com
- ssl_bump none localhost
- ssl_bump none broken_sites
- ssl_bump server-first all
+ ssl_bump splice localhost
+ ssl_bump splice broken_sites
+ ssl_bump bump all
DOC_END
NAME: sslproxy_flags
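Review bot: The peek-and-splice entry under the backward compatibility actions ends with a leftover developer marker, "XXX: Remove.", which would ship in the generated documentation; either drop the entry or replace the marker with a deprecation sentence pointing at peek, stare and splice. Earlier in the same region, sslproxy_cert_sign_hash lists sha1 and md5 among the usually available names with no caveat; because this hash signs the generated certificates, the text should steer readers to sha256 or stronger and say that md5 and sha1 are weak choices for certificate signatures. Minor: "does not allow to make decisions" in server-first reads better as "does not allow decisions to be made".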
at all times. When traffic begins to rise above what the existing
processes can handle this many more will be spawned up to the maximum
configured. A minimum setting of 1 is required.
+
+ queue-size=N
+
+ Sets the maximum number of queued requests.
+ If the queued requests exceed queue size for more than 3 minutes
+ squid aborts its operation.
+ The default value is set to 2*numberofchildren.
You must have at least one ssl_crtd process.
DOC_END
a request ID in front of the request/response. The request
ID from the request must be echoed back with the response
to that request.
+
+ queue-size=N
+
+ Sets the maximum number of queued requests.
+ If the queued requests exceed queue size for more than 3 minutes
+ squid aborts its operation.
+ The default value is set to 2*numberofchildren.
You must have at least one ssl_crt_validator process.
DOC_END
reference a combined file containing both the
certificate and the key.
- sslversion=1|2|3|4|5|6
+ sslversion=1|3|4|5|6
The SSL version to use when connecting to this peer
1 = automatic (default)
- 2 = SSL v2 only
3 = SSL v3 only
4 = TLS v1.0 only
5 = TLS v1.1 only
ssloptions=... Specify various SSL implementation options:
- NO_SSLv2 Disallow the use of SSLv2
NO_SSLv3 Disallow the use of SSLv3
NO_TLSv1 Disallow the use of TLSv1.0
NO_TLSv1_1 Disallow the use of TLSv1.1
[http::]>rs Request URL scheme from client
[http::]<rs Request URL scheme sent to server or peer
[http::]>rd Request URL domain from client
- [http::]>rd Request URL domain sent to server or peer
+ [http::]<rd Request URL domain sent to server or peer
[http::]>rP Request URL port from client
[http::]<rP Request URL port sent to server or peer
[http::]rp Request URL path excluding hostname
[http::]<pt Peer response time in milliseconds. The timer starts
when the last request byte is sent to the next hop
and stops when the last response byte is received.
- [http::]<tt Total server-side time in milliseconds. The timer
+ [http::]<tt Total time in milliseconds. The timer
starts with the first connect request (or write I/O)
sent to the first selected peer. The timer stops
with the last I/O with the last peer.
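Review bot: Dropping "server-side" from the <tt summary makes the first line disagree with the unchanged body, which still describes a timer that starts with the first connect request sent to the first selected peer and stops with the last I/O with the last peer. If the measurement has not changed, keep a qualifier in the summary; if it now includes client-side time, the body lines need updating in this same change.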
In all other cases, a single dash ("-") is
logged.
+ ssl::>sni SSL client SNI sent to Squid. Available only
+ after the peek, stare, or splice SSL bumping
+ actions.
+
If ICAP is enabled, the following code becomes available (as
well as ICAP log codes documented with the icap_log option):
used to communicate with the helper is modified to include
an ID in front of the request/response. The ID from the request
must be echoed back with the response to that request.
+
+ queue-size=N
+
+ Sets the maximum number of queued requests.
+ If the queued requests exceed queue size and redirector_bypass
+ configuration option is set, then redirector is bypassed. Otherwise, if
+ overloading persists squid may abort its operation.
+ The default value is set to 2*numberofchildren.
DOC_END
NAME: url_rewrite_host_header redirect_rewrites_host_header
redirectors for access control, and you enable this option,
users may have access to pages they should not
be allowed to request.
+ This options sets default queue-size option of the url_rewrite_children
+ to 0.
DOC_END
NAME: url_rewrite_extras
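Review bot: "This options sets default queue-size option of the url_rewrite_children to 0" needs a grammar fix ("This option sets the default ...") and is not reflected in the url_rewrite_children text added by this patch, which gives the default as 2*numberofchildren with no mention of the override. The unchanged lines just above warn that bypass can let users reach pages they should not be allowed to request, so both places should say what a queue size of 0 means for when the bypass takes effect. The store_id_bypass hunk carries the same sentence and needs the same fix.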
sent before the required macro information is available to Squid.
DOC_END
+NAME: url_rewrite_timeout
+TYPE: UrlHelperTimeout
+LOC: Config.onUrlRewriteTimeout
+DEFAULT: none
+DEFAULT_DOC: Squid waits for the helper response forever
+DOC_START
+ Squid times active requests to redirector. The timeout value and Squid
+ reaction to a timed out request are configurable using the following
+ format:
+
+ url_rewrite_timeout timeout time-units on_timeout=<action> [response=<quoted-response>]
+
+ supported timeout actions:
+ fail Squid return a ERR_GATEWAY_FAILURE error page
+
+ bypass Do not re-write the URL
+
+ retry Send the lookup to the helper again
+
+ use_configured_response
+ Use the <quoted-response> as helper response
+DOC_END
+
COMMENT_START
OPTIONS FOR STORE ID
-----------------------------------------------------------------------------
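Review bot: The syntax line marks response=<quoted-response> as optional, yet use_configured_response has nothing to return without it, and the retry action does not say how many times the lookup is resent or what happens if the retry also times out. State that response= is required with on_timeout=use_configured_response and document the retry bound. Also, "Squid return a ERR_GATEWAY_FAILURE" should read "Squid returns an ERR_GATEWAY_FAILURE", and since the text above notes that redirectors may be used for access control, it is worth saying that bypass lets the request through unrewritten.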
used to communicate with the helper is modified to include
an ID in front of the request/response. The ID from the request
must be echoed back with the response to that request.
+
+ queue-size=N
+
+ Sets the maximum number of queued requests.
+ If the queued requests exceed queue size and store_id_bypass
+ configuration option is set, then storeID helper is bypassed. Otherwise,
+ if overloading persists squid may abort its operation.
+ The default value is set to 2*numberofchildren.
DOC_END
NAME: store_id_access storeurl_rewrite_access
are not critical to your caching system. If you use
helpers for critical caching components, and you enable this
option, users may not get objects from cache.
+ This options sets default queue-size option of the store_id_children
+ to 0.
DOC_END
COMMENT_START
LOC: Config.Timeout.read
DEFAULT: 15 minutes
DOC_START
- The read_timeout is applied on server-side connections. After
- each successful read(), the timeout will be extended by this
+ Applied on peer server connections.
+
+ After each successful read(), the timeout will be extended by this
amount. If no data is read again after this amount of time,
- the request is aborted and logged with ERR_READ_TIMEOUT. The
- default is 15 minutes.
+ the request is aborted and logged with ERR_READ_TIMEOUT.
+
+ The default is 15 minutes.
DOC_END
NAME: write_timeout
client connection after the previous request completes.
DOC_END
+NAME: ftp_client_idle_timeout
+TYPE: time_t
+LOC: Config.Timeout.ftpClientIdle
+DEFAULT: 30 minutes
+DOC_START
+ How long to wait for an FTP request on a connection to Squid ftp_port.
+ Many FTP clients do not deal with idle connection closures well,
+ necessitating a longer default timeout than client_idle_pconn_timeout
+ used for incoming HTTP requests.
+DOC_END
+
NAME: client_lifetime
COMMENT: time-units
TYPE: time_t
request_timeout, persistent_request_timeout and quick_abort values.
DOC_END
+NAME: pconn_lifetime
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.Timeout.pconnLifetime
+DEFAULT: 0 seconds
+DOC_START
+ Desired maximum lifetime of a persistent connection.
+ When set, Squid will close a now-idle persistent connection that
+ exceeded configured lifetime instead of moving the connection into
+ the idle connection pool (or equivalent). No effect on ongoing/active
+ transactions. Connection lifetime is the time period from the
+ connection acceptance or opening time until "now".
+
+ This limit is useful in environments with long-lived connections
+ where Squid configuration or environmental factors change during a
+ single connection lifetime. If unrestricted, some connections may
+ last for hours and even days, ignoring those changes that should
+ have affected their behavior or their existence.
+
+ Currently, a new lifetime value supplied via Squid reconfiguration
+ has no effect on already idle connections unless they become busy.
+
+ When set to '0' this limit is not used.
+DOC_END
+
NAME: half_closed_clients
TYPE: onoff
LOC: Config.onoff.half_closed_clients
description of delay_class.
For a class 1 delay pool, the syntax is:
- delay_pools pool 1
+ delay_class pool 1
delay_parameters pool aggregate
For a class 2 delay pool:
- delay_pools pool 2
+ delay_class pool 2
delay_parameters pool aggregate individual
For a class 3 delay pool:
- delay_pools pool 3
+ delay_class pool 3
delay_parameters pool aggregate network individual
For a class 4 delay pool:
- delay_pools pool 4
+ delay_class pool 4
delay_parameters pool aggregate network individual user
For a class 5 delay pool:
- delay_pools pool 5
+ delay_class pool 5
delay_parameters pool tagrate
The option variables are:
above example, and is being used to strictly limit each host to 64Kbit/sec
(plus overheads), with no overall limit, the line is:
- delay_parameters 1 -1/-1 8000/8000
+ delay_parameters 1 none 8000/8000
Note that 8 x 8000 KByte/sec -> 64Kbit/sec.
- Note that the figure -1 is used to represent "unlimited".
+ Note that the word 'none' is used to represent no limit.
And, if delay pool number 2 is a class 3 delay pool as in the above
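Review bot: The example now uses "none" and the note explaining -1 is removed, but the text does not say whether -1/-1 is still accepted in existing configurations; add a sentence on that so upgrades do not break silently. While these lines are being touched, the unchanged note "8 x 8000 KByte/sec -> 64Kbit/sec" has the wrong unit: the arithmetic only works if 8000 is bytes per second.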
See also: workers
DOC_END
+NAME: force_request_body_continuation
+TYPE: acl_access
+LOC: Config.accessList.forceRequestBodyContinuation
+DEFAULT: none
+DEFAULT_DOC: Deny, unless rules exist in squid.conf.
+DOC_START
+ This option controls how Squid handles data upload requests from HTTP
+ and FTP agents that require a "Please Continue" control message response
+ to actually send the request body to Squid. It is mostly useful in
+ adaptation environments.
+
+ When Squid receives an HTTP request with an "Expect: 100-continue"
+ header or an FTP upload command (e.g., STOR), Squid normally sends the
+ request headers or FTP command information to an adaptation service (or
+ peer) and waits for a response. Most adaptation services (and some
+ broken peers) may not respond to Squid at that stage because they may
+ decide to wait for the HTTP request body or FTP data transfer. However,
+ that request body or data transfer may never come because Squid has not
+ responded with the HTTP 100 or FTP 150 (Please Continue) control message
+ to the request sender yet!
+
+ An allow match tells Squid to respond with the HTTP 100 or FTP 150
+ (Please Continue) control message on its own, before forwarding the
+ request to an adaptation service or peer. Such a response usually forces
+ the request sender to proceed with sending the body. A deny match tells
+ Squid to delay that control response until the origin server confirms
+ that the request body is needed. Delaying is the default behavior.
+DOC_END
+
EOF