-#
-# SQUID Web Proxy Cache http://www.squid-cache.org/
-# ----------------------------------------------------------
-#
-# Squid is the result of efforts by numerous individuals from
-# the Internet community; see the CONTRIBUTORS file for full
-# details. Many organizations have provided support for Squid's
-# development; see the SPONSORS file for full details. Squid is
-# Copyrighted (C) 2000 by the Regents of the University of
-# California; see the COPYRIGHT file for full details. Squid
-# incorporates software developed and/or copyrighted by other
-# sources; see the CREDITS file for full details.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
-#
+## Copyright (C) 1996-2015 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
COMMENT_START
WELCOME TO @SQUID@
This option is not yet supported by Squid-3.
DOC_END
+# Options removed in 3.5
+NAME: hierarchy_stoplist
+TYPE: obsolete
+DOC_START
+ Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use.
+DOC_END
+
+NAME: log_access
+TYPE: obsolete
+DOC_START
+ Remove this line. Use acls with access_log directives to control access logging
+DOC_END
+
+NAME: log_icap
+TYPE: obsolete
+DOC_START
+ Remove this line. Use acls with icap_log directives to control icap logging
+DOC_END
+
# Options Removed in 3.3
NAME: ignore_ims_on_miss
TYPE: obsolete
DOC_START
- Remove this line. The HTTP/1.1 feature is now fully supported by default.
+ Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'.
DOC_END
# Options Removed in 3.2
-NAME: ignore_expect_100
+NAME: dns_v4_fallback
TYPE: obsolete
DOC_START
- Remove this line. The HTTP/1.1 feature is now fully supported by default.
+ Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
DOC_END
-NAME: dns_v4_fallback
+NAME: emulate_httpd_log
TYPE: obsolete
DOC_START
- Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
+ Replace this with an access_log directive using the format 'common' or 'combined'.
+DOC_END
+
+NAME: forward_log
+TYPE: obsolete
+DOC_START
+ Use a regular access.log with ACL limiting it to MISS events.
DOC_END
NAME: ftp_list_width
Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
DOC_END
+NAME: ignore_expect_100
+TYPE: obsolete
+DOC_START
+ Remove this line. The HTTP/1.1 feature is now fully supported by default.
+DOC_END
+
+NAME: log_fqdn
+TYPE: obsolete
+DOC_START
+ Remove this option from your config. To log FQDN use %>A in the log format.
+DOC_END
+
+NAME: log_ip_on_direct
+TYPE: obsolete
+DOC_START
+ Remove this option from your config. To log server or peer names use %<A in the log format.
+DOC_END
+
NAME: maximum_single_addr_tries
TYPE: obsolete
DOC_START
Replaced by connect_retries. The behaviour has changed, please read the documentation before altering.
DOC_END
+NAME: referer_log referrer_log
+TYPE: obsolete
+DOC_START
+ Replace this with an access_log directive using the format 'referrer'.
+DOC_END
+
NAME: update_headers
TYPE: obsolete
DOC_START
Remove this line. Set the 'concurrency=' option of url_rewrite_children instead.
DOC_END
+NAME: useragent_log
+TYPE: obsolete
+DOC_START
+ Replace this with an access_log directive using the format 'useragent'.
+DOC_END
+
# Options Removed in 3.1
NAME: dns_testnames
TYPE: obsolete
This is used to define parameters for the various authentication
schemes supported by Squid.
- format: auth_param scheme parameter [setting]
+ format: auth_param scheme parameter [setting]
The order in which authentication schemes are presented to the client is
dependent on the order the scheme first appears in config file. IE
=== Parameters common to all schemes. ===
"program" cmdline
- Specifies the command for the external authenticator. Such a program
- runs a loop that, on every iteration, reads a request line from
- the standard and responds with a scheme-specific answer. The loop
- stops when all input is exchausted (EOF). See scheme-specific
- "program" descriptions below for details.
-
- "key_extras" format
- Specifies a string to be append to request line format for the
- authentication helper. "Quoted" format values may contain spaces and
- logformat %macros. In theory, any logformat %macro can be used.
- In practice, a %macro expands as a dash (-) if the helper request is
- sent before the required macro information is available to Squid.
- By default, Squid uses request formats provided in scheme-specific
- examples below (search for %credentials).
- The expanded key_extras value is added to the Squid credentials
- cache and, hence, will affect authentication. It can be used to
- autenticate different users with identical user names (e.g., when user
- authentication depends on http_port).
- Avoid adding frequently changing information to key_extras. For
- example, if you add user source IP, and it changes frequently
- in your environment, then max_user_ip ACL is going to treat every
- user+IP combination as a unique "user", breaking the ACL and
- wasting a lot of memory on those user records. It will also force
- users to authenticate from scratch whenever their IP changes.
-
- === Parameters for the basic scheme follow. ===
-
- "program" cmdline
- Specify the command for the external authenticator. Such a program
- reads a request_format line ("username password" by default) and
- replies with one of three results:
+ Specifies the command for the external authenticator.
- OK
- the user exists.
-
- ERR
- the user does not exist.
-
- BH
- An internal error occurred in the helper, preventing
- a result being identified.
-
- "ERR" and "BH" results may optionally be followed by message="..."
- containing a description available as %m in the returned error page.
-
- If you use an authenticator, make sure you have 1 acl of type
- proxy_auth.
-
- By default, the basic authentication scheme is not used unless a
- program is specified.
+ By default, each authentication scheme is not used unless a
+ program is specified.
- If you want to use the traditional NCSA proxy authentication, set
- this line to something like
+ See http://wiki.squid-cache.org/Features/AddonHelpers for
+ more details on helper operations and creating your own.
- auth_param basic program @DEFAULT_PREFIX@/libexec/basic_ncsa_auth @DEFAULT_PREFIX@/etc/passwd
+ "key_extras" format
+ Specifies a string to be append to request line format for
+ the authentication helper. "Quoted" format values may contain
+ spaces and logformat %macros. In theory, any logformat %macro
+ can be used. In practice, a %macro expands as a dash (-) if
+ the helper request is sent before the required macro
+ information is available to Squid.
+
+ By default, Squid uses request formats provided in
+ scheme-specific examples below (search for %credentials).
+
+ The expanded key_extras value is added to the Squid credentials
+ cache and, hence, will affect authentication. It can be used to
+ autenticate different users with identical user names (e.g.,
+ when user authentication depends on http_port).
+
+ Avoid adding frequently changing information to key_extras. For
+ example, if you add user source IP, and it changes frequently
+ in your environment, then max_user_ip ACL is going to treat
+ every user+IP combination as a unique "user", breaking the ACL
+ and wasting a lot of memory on those user records. It will also
+ force users to authenticate from scratch whenever their IP
+ changes.
+
+ "realm" string
+ Specifies the protection scope (aka realm name) which is to be
+ reported to the client for the authentication scheme. It is
+ commonly part of the text the user will see when prompted for
+ their username and password.
+
+ For Basic the default is "Squid proxy-caching web server".
+ For Digest there is no default, this parameter is mandatory.
+ For NTLM and Negotiate this parameter is ignored.
+
+ "children" numberofchildren [startup=N] [idle=N] [concurrency=N] [queue-size=N]
+
+ The maximum number of authenticator processes to spawn. If
+ you start too few Squid will have to wait for them to process
+ a backlog of credential verifications, slowing it down. When
+ password verifications are done via a (slow) network you are
+ likely to need lots of authenticator processes.
+
+ The startup= and idle= options permit some skew in the exact
+ amount run. A minimum of startup=N will begin during startup
+ and reconfigure. Squid will start more in groups of up to
+ idle=N in an attempt to meet traffic needs and to keep idle=N
+ free above those traffic needs up to the maximum.
+
+ The concurrency= option sets the number of concurrent requests
+ the helper can process. The default of 0 is used for helpers
+ who only supports one request at a time. Setting this to a
+ number greater than 0 changes the protocol used to include a
+ channel ID field first on the request/response line, allowing
+ multiple requests to be sent to the same helper in parallel
+ without waiting for the response.
+
+ Concurrency must not be set unless it's known the helper
+ supports the input format with channel-ID fields.
+
+ The queue-size= option sets the maximum number of queued
+ requests. If the queued requests exceed queue size for more
+ than 3 minutes then squid aborts its operation.
+ The default value is set to 2*numberofchildren/
+
+ NOTE: NTLM and Negotiate schemes do not support concurrency
+ in the Squid code module even though some helpers can.
+
+
+IF HAVE_AUTH_MODULE_BASIC
+ === Basic authentication parameters ===
"utf8" on|off
- HTTP uses iso-latin-1 as character set, while some authentication
- backends such as LDAP expects UTF-8. If this is set to on Squid will
- translate the HTTP iso-latin-1 charset to UTF-8 before sending the
- username & password to the helper.
-
- "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
- The maximum number of authenticator processes to spawn. If you start too few
- Squid will have to wait for them to process a backlog of credential
- verifications, slowing it down. When password verifications are
- done via a (slow) network you are likely to need lots of
- authenticator processes.
-
- The startup= and idle= options permit some skew in the exact amount
- run. A minimum of startup=N will begin during startup and reconfigure.
- Squid will start more in groups of up to idle=N in an attempt to meet
- traffic needs and to keep idle=N free above those traffic needs up to
- the maximum.
-
- The concurrency= option sets the number of concurrent requests the
- helper can process. The default of 0 is used for helpers who only
- supports one request at a time. Setting this to a number greater than
- 0 changes the protocol used to include a channel number first on the
- request/response line, allowing multiple requests to be sent to the
- same helper in parallel without waiting for the response.
- Must not be set unless it's known the helper supports this.
-
- auth_param basic children 20 startup=0 idle=1
-
- "realm" realmstring
- Specifies the realm name which is to be reported to the
- client for the basic proxy authentication scheme (part of
- the text the user will see when prompted their username and
- password). There is no default.
- auth_param basic realm Squid proxy-caching web server
+ HTTP uses iso-latin-1 as character set, while some
+ authentication backends such as LDAP expects UTF-8. If this is
+ set to on Squid will translate the HTTP iso-latin-1 charset to
+ UTF-8 before sending the username and password to the helper.
"credentialsttl" timetolive
- Specifies how long squid assumes an externally validated
- username:password pair is valid for - in other words how
- often the helper program is called for that user. Set this
- low to force revalidation with short lived passwords. Note
- setting this high does not impact your susceptibility
- to replay attacks unless you are using an one-time password
- system (such as SecureID). If you are using such a system,
- you will be vulnerable to replay attacks unless you also
- use the max_user_ip ACL in an http_access rule.
-
- "casesensitive" on|off
- Specifies if usernames are case sensitive. Most user databases are
- case insensitive allowing the same username to be spelled using both
- lower and upper case letters, but some are case sensitive. This
- makes a big difference for user_max_ip ACL processing and similar.
- auth_param basic casesensitive off
-
- === Parameters for the digest scheme follow ===
-
- "program" cmdline
- Specify the command for the external authenticator. Such a program
- reads a request_format line ("username":"realm" by default) and
- replies with one of three results:
-
- OK ha1="..."
- the user exists. The ha1= key is mandatory and
- contains the appropriate H(A1) value, hex encoded.
- See rfc 2616 for the definition of H(A1).
-
- ERR
- the user does not exist.
+ Specifies how long squid assumes an externally validated
+ username:password pair is valid for - in other words how
+ often the helper program is called for that user. Set this
+ low to force revalidation with short lived passwords.
- BH
- An internal error occurred in the helper, preventing
- a result being identified.
-
- "ERR" and "BH" results may optionally be followed by message="..."
- containing a description available as %m in the returned error page.
-
- By default, the digest authentication scheme is not used unless a
- program is specified.
+ NOTE: setting this high does not impact your susceptibility
+ to replay attacks unless you are using an one-time password
+ system (such as SecureID). If you are using such a system,
+ you will be vulnerable to replay attacks unless you also
+ use the max_user_ip ACL in an http_access rule.
- If you want to use a digest authenticator, set this line to
- something like
+ "casesensitive" on|off
+ Specifies if usernames are case sensitive. Most user databases
+ are case insensitive allowing the same username to be spelled
+ using both lower and upper case letters, but some are case
+ sensitive. This makes a big difference for user_max_ip ACL
+ processing and similar.
- auth_param digest program @DEFAULT_PREFIX@/bin/digest_pw_auth @DEFAULT_PREFIX@/etc/digpass
+ENDIF
+IF HAVE_AUTH_MODULE_DIGEST
+ === Digest authentication parameters ===
"utf8" on|off
- HTTP uses iso-latin-1 as character set, while some authentication
- backends such as LDAP expects UTF-8. If this is set to on Squid will
- translate the HTTP iso-latin-1 charset to UTF-8 before sending the
- username & password to the helper.
-
- "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
- The maximum number of authenticator processes to spawn (default 5).
- If you start too few Squid will have to wait for them to
- process a backlog of H(A1) calculations, slowing it down.
- When the H(A1) calculations are done via a (slow) network
- you are likely to need lots of authenticator processes.
-
- The startup= and idle= options permit some skew in the exact amount
- run. A minimum of startup=N will begin during startup and reconfigure.
- Squid will start more in groups of up to idle=N in an attempt to meet
- traffic needs and to keep idle=N free above those traffic needs up to
- the maximum.
-
- The concurrency= option sets the number of concurrent requests the
- helper can process. The default of 0 is used for helpers who only
- supports one request at a time. Setting this to a number greater than
- 0 changes the protocol used to include a channel number first on the
- request/response line, allowing multiple requests to be sent to the
- same helper in parallel without waiting for the response.
- Must not be set unless it's known the helper supports this.
-
- auth_param digest children 20 startup=0 idle=1
-
- "realm" realmstring
- Specifies the realm name which is to be reported to the
- client for the digest proxy authentication scheme (part of
- the text the user will see when prompted their username and
- password). There is no default.
- auth_param digest realm Squid proxy-caching web server
+ HTTP uses iso-latin-1 as character set, while some
+ authentication backends such as LDAP expects UTF-8. If this is
+ set to on Squid will translate the HTTP iso-latin-1 charset to
+ UTF-8 before sending the username and password to the helper.
"nonce_garbage_interval" timeinterval
- Specifies the interval that nonces that have been issued
- to client_agent's are checked for validity.
+ Specifies the interval that nonces that have been issued
+ to client_agent's are checked for validity.
"nonce_max_duration" timeinterval
- Specifies the maximum length of time a given nonce will be
- valid for.
+ Specifies the maximum length of time a given nonce will be
+ valid for.
"nonce_max_count" number
- Specifies the maximum number of times a given nonce can be
- used.
+ Specifies the maximum number of times a given nonce can be
+ used.
"nonce_strictness" on|off
- Determines if squid requires strict increment-by-1 behavior
- for nonce counts, or just incrementing (off - for use when
- user agents generate nonce counts that occasionally miss 1
- (ie, 1,2,4,6)). Default off.
+ Determines if squid requires strict increment-by-1 behavior
+ for nonce counts, or just incrementing (off - for use when
+ user agents generate nonce counts that occasionally miss 1
+ (ie, 1,2,4,6)). Default off.
"check_nonce_count" on|off
- This directive if set to off can disable the nonce count check
- completely to work around buggy digest qop implementations in
- certain mainstream browser versions. Default on to check the
- nonce count to protect from authentication replay attacks.
+ This directive if set to off can disable the nonce count check
+ completely to work around buggy digest qop implementations in
+ certain mainstream browser versions. Default on to check the
+ nonce count to protect from authentication replay attacks.
"post_workaround" on|off
- This is a workaround to certain buggy browsers who sends
- an incorrect request digest in POST requests when reusing
- the same nonce as acquired earlier on a GET request.
+ This is a workaround to certain buggy browsers who send an
+ incorrect request digest in POST requests when reusing the
+ same nonce as acquired earlier on a GET request.
- === NTLM scheme options follow ===
-
- "program" cmdline
- Specify the command for the external NTLM authenticator.
- Such a program reads exchanged NTLMSSP packets with
- the browser via Squid until authentication is completed.
- If you use an NTLM authenticator, make sure you have 1 acl
- of type proxy_auth. By default, the NTLM authenticator program
- is not used.
-
- auth_param ntlm program /usr/bin/ntlm_auth
-
- "children" numberofchildren [startup=N] [idle=N]
- The maximum number of authenticator processes to spawn (default 5).
- If you start too few Squid will have to wait for them to
- process a backlog of credential verifications, slowing it
- down. When credential verifications are done via a (slow)
- network you are likely to need lots of authenticator
- processes.
-
- The startup= and idle= options permit some skew in the exact amount
- run. A minimum of startup=N will begin during startup and reconfigure.
- Squid will start more in groups of up to idle=N in an attempt to meet
- traffic needs and to keep idle=N free above those traffic needs up to
- the maximum.
-
- auth_param ntlm children 20 startup=0 idle=1
+ENDIF
+IF HAVE_AUTH_MODULE_NEGOTIATE
+ === Negotiate authentication parameters ===
"keep_alive" on|off
- If you experience problems with PUT/POST requests when using the
- Negotiate authentication scheme then you can try setting this to
- off. This will cause Squid to forcibly close the connection on
- the initial requests where the browser asks which schemes are
- supported by the proxy.
-
- auth_param ntlm keep_alive on
-
- === Options for configuring the NEGOTIATE auth-scheme follow ===
+ If you experience problems with PUT/POST requests when using
+ the this authentication scheme then you can try setting this
+ to off. This will cause Squid to forcibly close the connection
+ on the initial request where the browser asks which schemes
+ are supported by the proxy.
- "program" cmdline
- Specify the command for the external Negotiate authenticator.
- This protocol is used in Microsoft Active-Directory enabled setups with
- the Microsoft Internet Explorer or Mozilla Firefox browsers.
- Its main purpose is to exchange credentials with the Squid proxy
- using the Kerberos mechanisms.
- If you use a Negotiate authenticator, make sure you have at least
- one acl of type proxy_auth active. By default, the negotiate
- authenticator program is not used.
- The only supported program for this role is the ntlm_auth
- program distributed as part of Samba, version 4 or later.
-
- auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego
-
- "children" numberofchildren [startup=N] [idle=N]
- The maximum number of authenticator processes to spawn (default 5).
- If you start too few Squid will have to wait for them to
- process a backlog of credential verifications, slowing it
- down. When credential verifications are done via a (slow)
- network you are likely to need lots of authenticator
- processes.
-
- The startup= and idle= options permit some skew in the exact amount
- run. A minimum of startup=N will begin during startup and reconfigure.
- Squid will start more in groups of up to idle=N in an attempt to meet
- traffic needs and to keep idle=N free above those traffic needs up to
- the maximum.
-
- auth_param negotiate children 20 startup=0 idle=1
+ENDIF
+IF HAVE_AUTH_MODULE_NTLM
+ === NTLM authentication parameters ===
"keep_alive" on|off
- If you experience problems with PUT/POST requests when using the
- Negotiate authentication scheme then you can try setting this to
- off. This will cause Squid to forcibly close the connection on
- the initial requests where the browser asks which schemes are
- supported by the proxy.
+ If you experience problems with PUT/POST requests when using
+ the this authentication scheme then you can try setting this
+ to off. This will cause Squid to forcibly close the connection
+ on the initial request where the browser asks which schemes
+ are supported by the proxy.
+ENDIF
- auth_param negotiate keep_alive on
-
- Examples:
+ === Example Configuration ===
+
+ This configuration displays the recommended authentication scheme
+ order from most to least secure with recommended minimum configuration
+ settings for each scheme:
-#Recommended minimum configuration per scheme:
#auth_param negotiate program <uncomment and complete this line to activate>
#auth_param negotiate children 20 startup=0 idle=1
#auth_param negotiate keep_alive on
#
-#auth_param ntlm program <uncomment and complete this line to activate>
-#auth_param ntlm children 20 startup=0 idle=1
-#auth_param ntlm keep_alive on
-#
-#auth_param digest program <uncomment and complete this line>
+#auth_param digest program <uncomment and complete this line to activate>
#auth_param digest children 20 startup=0 idle=1
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#
+#auth_param ntlm program <uncomment and complete this line to activate>
+#auth_param ntlm children 20 startup=0 idle=1
+#auth_param ntlm keep_alive on
+#
#auth_param basic program <uncomment and complete this line>
#auth_param basic children 5 startup=5 idle=1
#auth_param basic realm Squid proxy-caching web server
ttl=n TTL in seconds for cached results (defaults to 3600
for 1 hour)
+
negative_ttl=n
TTL for cached negative lookups (default same
as ttl)
+
+ grace=n Percentage remaining of TTL where a refresh of a
+ cached entry should be initiated without needing to
+ wait for a new reply. (default is for no grace period)
+
+ cache=n Limit the result cache size, default is 262144.
+ The expanded FORMAT value is used as the cache key, so
+ if the details in FORMAT are highly variable a larger
+ cache may be needed to produce reduction in helper load.
+
children-max=n
Maximum number of acl helper processes spawned to service
external acl lookups of this type. (default 20)
+
children-startup=n
Minimum number of acl helper processes to spawn during
startup and reconfigure to service external acl lookups
of this type. (default 0)
+
children-idle=n
Number of acl helper processes to keep ahead of traffic
loads. Squid will spawn this many at once whenever load
rises above the capabilities of existing processes.
Up to the value of children-max. (default 1)
+
concurrency=n concurrency level per process. Only used with helpers
capable of processing more than one query at a time.
- cache=n limit the result cache size, default is unbounded.
- grace=n Percentage remaining of TTL where a refresh of a
- cached entry should be initiated without needing to
- wait for a new reply. (default is for no grace period)
- protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
+
+ queue-size=N The queue-size= option sets the maximum number of queued
+ requests. If the queued requests exceed queue size
+ the acl is ignored.
+ The default value is set to 2*children-max.
+
+ protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers.
+
ipv4 / ipv6 IP protocol used to communicate with this helper.
The default is to auto-detect IPv6 and use it when available.
+
FORMAT specifications
%LOGIN Authenticated user login name
%USER_CERT SSL User certificate in PEM format
%USER_CERTCHAIN SSL User certificate chain in PEM format
%USER_CERT_xx SSL User certificate subject attribute xx
- %USER_CA_xx SSL User certificate issuer attribute xx
+ %USER_CA_CERT_xx SSL User certificate issuer attribute xx
+ %ssl::>sni SSL client SNI sent to Squid
+ %ssl::<cert_subject SSL server certificate DN
+ %ssl::<cert_issuer SSL server certificate issuer DN
%>{Header} HTTP request header "Header"
%>{Hdr:member}
log= String to be logged in access.log. Available as
%ea in logformat specifications.
+ clt_conn_tag= Associates a TAG with the client TCP connection.
+ Please see url_rewrite_program related documentation
+ for this kv-pair.
+
Any keywords may be sent on any response whether OK, ERR or BH.
All response keyword values need to be a single token with URL
acl aclname localport 3128 ... # TCP port the client connected to [fast]
# NP: for interception mode this is usually '80'
- acl aclname myportname 3128 ... # http(s)_port name [fast]
+ acl aclname myportname 3128 ... # *_port name [fast]
acl aclname proto HTTP FTP ... # request protocol [fast]
# use REQUIRED to accept any non-null user name.
acl aclname tag tagvalue ...
- # string match on tag returned by external acl helper [slow]
+ # string match on tag returned by external acl helper [fast]
+ # DEPRECATED. Only the first tag will match with this ACL.
+ # Use the 'note' ACL instead for handling multiple tag values.
acl aclname hier_code codename ...
# string match against squid hierarchy code(s); [fast]
# The SHA1 digest algorithm is the default and is currently
# the only algorithm supported (-sha1).
- acl aclname atstep step
- # match against SSL bumping step. Valid SSL bumping step values:
- # step1: Get TCP-level and CONNECT info.
- # step2: Get SSL Client Hello info.
- # step3: Get SSL Server Hello info.
+ acl aclname at_step step
+ # match against the current step during ssl_bump evaluation [fast]
+ # Never matches and should not be used outside the ssl_bump context.
+ #
+ # At each SslBump step, Squid evaluates ssl_bump directives to find
+ # the next bumping action (e.g., peek or splice). Valid SslBump step
+ # values and the corresponding ssl_bump evaluation moments are:
+ # SslBump1: After getting TCP-level and HTTP CONNECT info.
+ # SslBump2: After getting SSL Client Hello info.
+ # SslBump3: After getting SSL Server Hello info.
ENDIF
acl aclname any-of acl1 acl2 ...
# match any one of the acls [fast or slow]
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
-acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
-acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
-acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
-acl localnet src fc00::/7 # RFC 4193 local private network range
-acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
+acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
+acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
+acl localhet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
NOCOMMENT_END
DOC_END
+NAME: proxy_protocol_access
+TYPE: acl_access
+LOC: Config.accessList.proxyProtocol
+DEFAULT: none
+DEFAULT_DOC: all TCP connections to ports with require-proxy-header will be denied
+DOC_START
+ Determine which client proxies can be trusted to provide correct
+ information regarding real client IP address using PROXY protocol.
+
+ Requests may pass through a chain of several other proxies
+ before reaching us. The original source details may by sent in:
+ * HTTP message Forwarded header, or
+ * HTTP message X-Forwarded-For header, or
+ * PROXY protocol connection header.
+
+ This directive is solely for validating new PROXY protocol
+ connections received from a port flagged with require-proxy-header.
+ It is checked only once after TCP connection setup.
+
+ A deny match results in TCP connection closure.
+
+ An allow match is required for Squid to permit the corresponding
+ TCP connection, before Squid even looks for HTTP request headers.
+ If there is an allow match, Squid starts using PROXY header information
+ to determine the source address of the connection for all future ACL
+ checks, logging, etc.
+
+ SECURITY CONSIDERATIONS:
+
+ Any host from which we accept client IP details can place
+ incorrect information in the relevant header, and Squid
+ will use the incorrect information as if it were the
+ source address of the request. This may enable remote
+ hosts to bypass any access control restrictions that are
+ based on the client's source addresses.
+
+ This clause only supports fast acl types.
+ See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+DOC_END
+
NAME: follow_x_forwarded_for
TYPE: acl_access
IFDEF: FOLLOW_X_FORWARDED_FOR
DEFAULT_IF_NONE: deny all
DEFAULT_DOC: X-Forwarded-For header will be ignored.
DOC_START
- Allowing or Denying the X-Forwarded-For header to be followed to
- find the original source of a request.
+ Determine which client proxies can be trusted to provide correct
+ information regarding real client IP address.
Requests may pass through a chain of several other proxies
- before reaching us. The X-Forwarded-For header will contain a
- comma-separated list of the IP addresses in the chain, with the
- rightmost address being the most recent.
+ before reaching us. The original source details may by sent in:
+ * HTTP message Forwarded header, or
+ * HTTP message X-Forwarded-For header, or
+ * PROXY protocol connection header.
+
+ PROXY protocol connections are controlled by the proxy_protocol_access
+ directive which is checked before this.
If a request reaches us from a source that is allowed by this
- configuration item, then we consult the X-Forwarded-For header
- to see where that host received the request from. If the
- X-Forwarded-For header contains multiple addresses, we continue
- backtracking until we reach an address for which we are not allowed
- to follow the X-Forwarded-For header, or until we reach the first
- address in the list. For the purpose of ACL used in the
- follow_x_forwarded_for directive the src ACL type always matches
- the address we are testing and srcdomain matches its rDNS.
+ directive, then we trust the information it provides regarding
+ the IP of the client it received from (if any).
+
+ For the purpose of ACLs used in this directive the src ACL type always
+ matches the address we are testing and srcdomain matches its rDNS.
+
+ On each HTTP request Squid checks for X-Forwarded-For header fields.
+ If found the header values are iterated in reverse order and an allow
+ match is required for Squid to continue on to the next value.
+ The verification ends when a value receives a deny match, cannot be
+ tested, or there are no more values to test.
+ NOTE: Squid does not yet follow the Forwarded HTTP header.
The end result of this process is an IP address that we will
refer to as the indirect client address. This address may
SECURITY CONSIDERATIONS:
- Any host for which we follow the X-Forwarded-For header
- can place incorrect information in the header, and Squid
+ Any host from which we accept client IP details can place
+ incorrect information in the relevant header, and Squid
will use the incorrect information as if it were the
source address of the request. This may enable remote
hosts to bypass any access control restrictions that are
DOC_START
Allowing or Denying access based on defined access lists
- Access to the HTTP port:
+ To allow or deny a message received on an HTTP, HTTPS, or FTP port:
http_access allow|deny [!]aclname ...
NOTE on default values:
NAME: http_port ascii_port
TYPE: PortCfg
DEFAULT: none
-LOC: Config.Sockaddr.http
+LOC: HttpPortList
DOC_START
Usage: port [mode] [options]
hostname:port [mode] [options]
version= The version of SSL/TLS supported
1 automatic (default)
- 2 SSLv2 only
3 SSLv3 only
4 TLSv1.0 only
5 TLSv1.1 only
options= Various SSL implementation options. The most important
being:
- NO_SSLv2 Disallow the use of SSLv2
NO_SSLv3 Disallow the use of SSLv3
NO_TLSv1 Disallow the use of TLSv1.0
NO_TLSv1_1 Disallow the use of TLSv1.1
probing the connection, interval how often to probe, and
timeout the time before giving up.
+ require-proxy-header
+ Require PROXY protocol version 1 or 2 connections.
+ The proxy_protocol_access is required to whitelist
+ downstream proxies which can be trusted.
+
If you run Squid on a dual-homed machine with an internal
and an external interface we recommend you to specify the
internal address:port in http_port. This way Squid will only be
IFDEF: USE_OPENSSL
TYPE: PortCfg
DEFAULT: none
-LOC: Config.Sockaddr.https
+LOC: HttpsPortList
DOC_START
Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
version= The version of SSL/TLS supported
1 automatic (default)
- 2 SSLv2 only
3 SSLv3 only
4 TLSv1 only
options= Various SSL engine options. The most important
being:
- NO_SSLv2 Disallow the use of SSLv2
NO_SSLv3 Disallow the use of SSLv3
NO_TLSv1 Disallow the use of TLSv1
SINGLE_DH_USE Always create a new key when using
See http_port for a list of available options.
DOC_END
+NAME: ftp_port
+TYPE: PortCfg
+DEFAULT: none
+LOC: FtpPortList
+DOC_START
+ Enables Native FTP proxy by specifying the socket address where Squid
+ listens for FTP client requests. See http_port directive for various
+ ways to specify the listening address and mode.
+
+ Usage: ftp_port address [mode] [options]
+
+ WARNING: This is a new, experimental, complex feature that has seen
+ limited production exposure. Some Squid modules (e.g., caching) do not
+ currently work with native FTP proxying, and many features have not
+ even been tested for compatibility. Test well before deploying!
+
+ Native FTP proxying differs substantially from proxying HTTP requests
+ with ftp:// URIs because Squid works as an FTP server and receives
+ actual FTP commands (rather than HTTP requests with FTP URLs).
+
+ Native FTP commands accepted at ftp_port are internally converted or
+ wrapped into HTTP-like messages. The same happens to Native FTP
+ responses received from FTP origin servers. Those HTTP-like messages
+ are shoveled through regular access control and adaptation layers
+ between the FTP client and the FTP origin server. This allows Squid to
+ examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP
+ mechanisms when shoveling wrapped FTP messages. For example,
+ http_access and adaptation_access directives are used.
+
+ Modes:
+
+ intercept Same as http_port intercept. The FTP origin address is
+ determined based on the intended destination of the
+ intercepted connection.
+
+ tproxy Support Linux TPROXY for spoofing outgoing
+ connections using the client IP address.
+ NP: disables authentication and maybe IPv6 on the port.
+
+ By default (i.e., without an explicit mode option), Squid extracts the
+ FTP origin address from the login@origin parameter of the FTP USER
+ command. Many popular FTP clients support such native FTP proxying.
+
+ Options:
+
+ name=token Specifies an internal name for the port. Defaults to
+ the port address. Usable with myportname ACL.
+
+ ftp-track-dirs
+ Enables tracking of FTP directories by injecting extra
+ PWD commands and adjusting Request-URI (in wrapping
+ HTTP requests) to reflect the current FTP server
+ directory. Tracking is disabled by default.
+
+ protocol=FTP Protocol to reconstruct accelerated and intercepted
+ requests with. Defaults to FTP. No other accepted
+ values have been tested with. An unsupported value
+ results in a FATAL error. Accepted values are FTP,
+ HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1).
+
+ Other http_port modes and options that are not specific to HTTP and
+ HTTPS may also work.
+DOC_END
+
NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
TYPE: acl_tos
DEFAULT: none
Processing proceeds in the order specified, and stops at first fully
matching line.
+
+ Only fast ACLs are supported.
DOC_END
NAME: clientside_tos
acl good_service_net src 10.0.1.0/24
tcp_outgoing_mark 0x00 normal_service_net
tcp_outgoing_mark 0x20 good_service_net
+
+ Only fast ACLs are supported.
DOC_END
NAME: clientside_mark
The versions of SSL/TLS supported:
1 automatic (default)
- 2 SSLv2 only
3 SSLv3 only
4 TLSv1.0 only
5 TLSv1.1 only
The most important being:
- NO_SSLv2 Disallow the use of SSLv2
NO_SSLv3 Disallow the use of SSLv3
NO_TLSv1 Disallow the use of TLSv1.0
NO_TLSv1_1 Disallow the use of TLSv1.1
Sets the cache size to use for ssl session
DOC_END
+NAME: sslproxy_cert_sign_hash
+IFDEF: USE_OPENSSL
+DEFAULT: none
+LOC: Config.SSL.certSignHash
+TYPE: string
+DOC_START
+ Sets the hashing algorithm to use when signing generated certificates.
+ Valid algorithm names depend on the OpenSSL library used. The following
+ names are usually available: sha1, sha256, sha512, and md5. Please see
+ your OpenSSL library manual for the available hashes. By default, Squids
+ that support this option use sha256 hashes.
+
+ Squid does not forcefully purge cached certificates that were generated
+ with an algorithm other than the currently configured one. They remain
+ in the cache, subject to the regular cache eviction policy, and become
+ useful if the algorithm changes again.
+DOC_END
+
NAME: ssl_bump
IFDEF: USE_OPENSSL
TYPE: sslproxy_ssl_bump
LOC: Config.accessList.ssl_bump
-DEFAULT_DOC: Does not bump unless rules are present in squid.conf
+DEFAULT_DOC: Become a TCP tunnel without decrypting proxied traffic.
DEFAULT: none
DOC_START
This option is consulted when a CONNECT request is received on
https_port), provided that port was configured with an ssl-bump
flag. The subsequent data on the connection is either treated as
HTTPS and decrypted OR tunneled at TCP level without decryption,
- depending on the first bumping "mode" which ACLs match.
+ depending on the first matching bumping "action".
+
+ ssl_bump <action> [!]acl ...
- ssl_bump <mode> [!]acl ...
+ The following bumping actions are currently supported:
- The following bumping modes are supported:
splice
- Become a TCP tunnel without decoding the connection.
+ Become a TCP tunnel without decrypting proxied traffic.
+ This is the default action.
bump
Establish a secure connection with the server and, using a
mimicked server certificate, with the client.
peek
- Receive client (step1) or server (step2) certificate while
- preserving the possibility of splicing the connection. Peeking
- at the server certificate usually precludes future bumping of
- the connection. This action is the focus of this project.
+ Receive client (step SslBump1) or server (step SslBump2)
+ certificate while preserving the possibility of splicing the
+ connection. Peeking at the server certificate (during step 2)
+ usually precludes bumping of the connection at step 3.
stare
- Receive client (step1) or server (step2) certificate while
- preserving the possibility of bumping the connection. Staring
- at the server certificate usually precludes future splicing of
- the connection. Currently, we are not aware of any work being
- done to support this action.
+ Receive client (step SslBump1) or server (step SslBump2)
+ certificate while preserving the possibility of bumping the
+ connection. Staring at the server certificate (during step 2)
+ usually precludes splicing of the connection at step 3.
terminate
Close client and server connections.
- Compatibility modes:
+ Backward compatibility actions available at step SslBump1:
client-first
- Allow bumping of the connection. Establish a secure connection
- with the client first, then connect to the server. This old mode
- does not allow Squid to mimic server SSL certificate and does
- not work with intercepted SSL connections.
+ Bump the connection. Establish a secure connection with the
+ client first, then connect to the server. This old mode does
+ not allow Squid to mimic server SSL certificate and does not
+ work with intercepted SSL connections.
server-first
- Allow bumping of the connection. Establish a secure connection
- with the server first, then establish a secure connection with
- the client, using a mimicked server certificate. Works with both
- CONNECT requests and intercepted SSL connections.
-
- peek-and-splice
- Decides if the connection should bumped or not based on
+ Bump the connection. Establish a secure connection with the
+ server first, then establish a secure connection with the
+ client, using a mimicked server certificate. Works with both
+ CONNECT requests and intercepted SSL connections, but does
+ not allow to make decisions based on SSL handshake info.
+
+ peek-and-splice
+ Decide whether to bump or splice the connection based on
client-to-squid and server-to-squid SSL hello messages.
+ XXX: Remove.
none
- Become a TCP tunnel without decoding the connection.
- Works with both CONNECT requests and intercepted SSL
- connections. This is the default behavior when no
- ssl_bump option is given or no ssl_bump ACLs match.
-
- By default, no connections are bumped.
+ Same as the "splice" action.
- The first matching ssl_bump option wins. If no ACLs match, the
- connection is not bumped. Unlike most allow/deny ACL lists, ssl_bump
- does not have an implicit "negate the last given option" rule. You
- must make that rule explicit if you convert old ssl_bump allow/deny
- rules that rely on such an implicit rule.
+ All ssl_bump rules are evaluated at each of the supported bumping
+ steps. Rules with actions that are impossible at the current step are
+ ignored. The first matching ssl_bump action wins and is applied at the
+ end of the current step. If no rules match, the splice action is used.
+ See the at_step ACL for a list of the supported SslBump steps.
This clause supports both fast and slow acl types.
See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
- See also: http_port ssl-bump, https_port ssl-bump
+ See also: http_port ssl-bump, https_port ssl-bump, and acl at_step.
# Example: Bump all requests except those originating from
# localhost or those going to example.com.
acl broken_sites dstdomain .example.com
- ssl_bump none localhost
- ssl_bump none broken_sites
- ssl_bump server-first all
+ ssl_bump splice localhost
+ ssl_bump splice broken_sites
+ ssl_bump bump all
DOC_END
NAME: sslproxy_flags
at all times. When traffic begins to rise above what the existing
processes can handle this many more will be spawned up to the maximum
configured. A minimum setting of 1 is required.
+
+ queue-size=N
+
+ Sets the maximum number of queued requests.
+ If the queued requests exceed queue size for more than 3 minutes
+ squid aborts its operation.
+ The default value is set to 2*numberofchildren.
You must have at least one ssl_crtd process.
DOC_END
a request ID in front of the request/response. The request
ID from the request must be echoed back with the response
to that request.
+
+ queue-size=N
+
+ Sets the maximum number of queued requests.
+ If the queued requests exceed queue size for more than 3 minutes
+ squid aborts its operation.
+ The default value is set to 2*numberofchildren.
You must have at least one ssl_crt_validator process.
DOC_END
reference a combined file containing both the
certificate and the key.
- sslversion=1|2|3|4|5|6
+ sslversion=1|3|4|5|6
The SSL version to use when connecting to this peer
1 = automatic (default)
- 2 = SSL v2 only
3 = SSL v3 only
4 = TLS v1.0 only
5 = TLS v1.1 only
ssloptions=... Specify various SSL implementation options:
- NO_SSLv2 Disallow the use of SSLv2
NO_SSLv3 Disallow the use of SSLv3
NO_TLSv1 Disallow the use of TLSv1.0
NO_TLSv1_1 Disallow the use of TLSv1.1
connect-fail-limit=N
How many times connecting to a peer must fail before
- it is marked as down. Default is 10.
+ it is marked as down. Standby connection failures
+ count towards this limit. Default is 10.
allow-miss Disable Squid's use of only-if-cached when forwarding
requests to siblings. This is primarily useful when
For example to deny peer usage on requests from peer
by denying cache_peer_access if the source is a peer.
- max-conn=N Limit the amount of connections Squid may open to this
- peer. see also
+ max-conn=N Limit the number of concurrent connections the Squid
+ may open to this peer, including already opened idle
+ and standby connections. There is no peer-specific
+ connection limit by default.
+
+ A peer exceeding the limit is not used for new
+ requests unless a standby connection is available.
+
+ max-conn currently works poorly with idle persistent
+ connections: When a peer reaches its max-conn limit,
+ and there are idle persistent connections to the peer,
+ the peer may not be selected because the limiting code
+ does not know whether Squid can reuse those idle
+ connections.
+
+ standby=N Maintain a pool of N "hot standby" connections to an
+ UP peer, available for requests when no idle
+ persistent connection is available (or safe) to use.
+ By default and with zero N, no such pool is maintained.
+ N must not exceed the max-conn limit (if any).
+
+ At start or after reconfiguration, Squid opens new TCP
+ standby connections until there are N connections
+ available and then replenishes the standby pool as
+ opened connections are used up for requests. A used
+ connection never goes back to the standby pool, but
+ may go to the regular idle persistent connection pool
+ shared by all peers and origin servers.
+
+ Squid never opens multiple new standby connections
+ concurrently. This one-at-a-time approach minimizes
+ flooding-like effect on peers. Furthermore, just a few
+ standby connections should be sufficient in most cases
+ to supply most new requests with a ready-to-use
+ connection.
+
+ Standby connections obey server_idle_pconn_timeout.
+ For the feature to work as intended, the peer must be
+ configured to accept and keep them open longer than
+ the idle timeout at the connecting Squid, to minimize
+ race conditions typical to idle used persistent
+ connections. Default request_timeout and
+ server_idle_pconn_timeout values ensure such a
+ configuration.
name=xxx Unique name for the peer.
Required if you have multiple peers on the same host
possible forwarding paths be tried multiple times.
DOC_END
-NAME: hierarchy_stoplist
-TYPE: wordlist
-DEFAULT: none
-LOC: Config.hierarchy_stoplist
-DOC_START
- A list of words which, if found in a URL, cause the object to
- be handled directly by this cache. In other words, use this
- to not query neighbor caches for certain objects. You may
- list this option multiple times.
-
- Example:
- hierarchy_stoplist cgi-bin ?
-
- Note: never_direct overrides this option.
-DOC_END
-
COMMENT_START
MEMORY CACHE OPTIONS
-----------------------------------------------------------------------------
DEFAULT: 4 MB
LOC: Config.Store.maxObjectSize
DOC_START
- Set the default value for max-size parameter on any cache_dir
- which follow.
-
+ Set the default value for max-size parameter on any cache_dir.
The value is specified in bytes, and the default is 4 MB.
If you wish to get a high BYTES hit ratio, you should probably
max-size=n the maximum object size in bytes this cache_dir
supports.
- The value in maximum_object_size directive above
- this cache_dir line sets a default unless more
- specific details are available (ie a small store
- capacity).
+ The value in maximum_object_size directive sets
+ the default unless more specific details are
+ available (ie a small store capacity).
Note: To make optimal use of the max-size limits you should order
the cache_dir lines with the smallest max-size value first.
disks. This algorithm does not spread objects by size, so any
I/O loading per-disk may appear very unbalanced and volatile.
+ If several cache_dirs use similar min-size, max-size, or other
+ limits to to reject certain responses, then do not group such
+ cache_dir lines together, to avoid round-robin selection bias
+ towards the first cache_dir after the group. Instead, interleave
+ cache_dir lines from different groups. For example:
+
+ store_dir_select_algorithm round-robin
+ cache_dir rock /hdd1 ... min-size=100000
+ cache_dir rock /ssd1 ... max-size=99999
+ cache_dir rock /hdd2 ... min-size=100000
+ cache_dir rock /ssd2 ... max-size=99999
+ cache_dir rock /hdd3 ... min-size=100000
+ cache_dir rock /ssd3 ... max-size=99999
DOC_END
NAME: max_open_disk_fds
err_code The ID of an error response served by Squid or
a similar internal error identifier.
err_detail Additional err_code-dependent error information.
- note The meta header specified by the argument. Also
+ note The annotation specified by the argument. Also
logs the adaptation meta headers set by the
adaptation_meta configuration parameter.
- If no argument given all meta headers logged.
+ If no argument given all annotations logged.
+ The argument may include a separator to use with
+ annotation values:
+ name[:separator]
+ By default, multiple note values are separated with ","
+ and multiple notes are separated with "\r\n".
+ When logging named notes with %{name}note, the
+ explicitly configured separator is used between note
+ values. When logging all notes with %note, the
+ explicitly configured separator is used between
+ individual notes. There is currently no way to
+ specify both value and notes separators when logging
+ all notes with %note.
Connection related format codes:
[http::]ru Request URL from client (historic, filtered for logging)
[http::]>ru Request URL from client
[http::]<ru Request URL sent to server or peer
+ [http::]>rs Request URL scheme from client
+ [http::]<rs Request URL scheme sent to server or peer
[http::]>rd Request URL domain from client
- [http::]rp Request URL-Path excluding hostname
- [http::]>rp Request URL-Path excluding hostname from client
- [http::]<rp Request URL-Path excluding hostname sent to server or peer
+ [http::]<rd Request URL domain sent to server or peer
+ [http::]>rP Request URL port from client
+ [http::]<rP Request URL port sent to server or peer
+ [http::]rp Request URL path excluding hostname
+ [http::]>rp Request URL path excluding hostname from client
+ [http::]<rp Request URL path excluding hostname sent to server or peer
[http::]rv Request protocol version
[http::]>rv Request protocol version from client
[http::]<rv Request protocol version sent to server or peer
- [http::]>h Original received request header.
+ [http::]>h Original received request header.
Usually differs from the request header sent by
Squid, although most fields are often preserved.
Accepts optional header field name/value filter
[http::]<pt Peer response time in milliseconds. The timer starts
when the last request byte is sent to the next hop
and stops when the last response byte is received.
- [http::]<tt Total server-side time in milliseconds. The timer
+ [http::]<tt Total time in milliseconds. The timer
starts with the first connect request (or write I/O)
sent to the first selected peer. The timer stops
with the last I/O with the last peer.
In all other cases, a single dash ("-") is
logged.
+ ssl::>sni SSL client SNI sent to Squid. Available only
+ after the peek, stare, or splice SSL bumping
+ actions.
+
If ICAP is enabled, the following code becomes available (as
well as ICAP log codes documented with the icap_log option):
No responses is expected.
DOC_END
-NAME: log_access
-TYPE: obsolete
-DOC_START
- Remove this line. Use acls with access_log directives to control access logging
-DOC_END
-
-NAME: log_icap
-TYPE: obsolete
-DOC_START
- Remove this line. Use acls with icap_log directives to control icap logging
-DOC_END
-
NAME: stats_collection
TYPE: acl_access
LOC: Config.accessList.stats_collection
that log can be rotated separately by using debug_options.
DOC_END
-NAME: emulate_httpd_log
-TYPE: obsolete
-DOC_START
- Replace this with an access_log directive using the format 'common' or 'combined'.
-DOC_END
-
-NAME: log_ip_on_direct
-TYPE: obsolete
-DOC_START
- Remove this option from your config. To log server or peer names use %<A in the log format.
-DOC_END
-
NAME: mime_table
TYPE: string
DEFAULT: @DEFAULT_MIME_TABLE@
formats). To enable this logging set log_mime_hdrs to 'on'.
DOC_END
-NAME: useragent_log
-TYPE: obsolete
-DOC_START
- Replace this with an access_log directive using the format 'useragent'.
-DOC_END
-
-NAME: referer_log referrer_log
-TYPE: obsolete
-DOC_START
- Replace this with an access_log directive using the format 'referrer'.
-DOC_END
-
NAME: pid_filename
TYPE: string
DEFAULT: @DEFAULT_PID_FILE@
A filename to write the process-id to. To disable, enter "none".
DOC_END
-NAME: log_fqdn
-TYPE: obsolete
-DOC_START
- Remove this option from your config. To log FQDN use %>A in the log format.
-DOC_END
-
NAME: client_netmask
TYPE: address
LOC: Config.Addrs.client_netmask
the last digit set to '0'.
DOC_END
-NAME: forward_log
-TYPE: obsolete
-DOC_START
- Use a regular access.log with ACL limiting it to MISS events.
-DOC_END
-
NAME: strip_query_terms
TYPE: onoff
LOC: Config.onoff.strip_query_terms
[channel-ID <SP>] URL [<SP> extras]<NL>
-
+ See url_rewrite_extras on how to send "extras" with optional values to
+ the helper.
After processing the request the helper must reply using the following format:
[channel-ID <SP>] result [<SP> kv-pairs]
reserved for delivering a log message.
- In the future, the interface protocol will be extended with
- key=value pairs ("kv-pairs" shown above). Helper programs
- should be prepared to receive and possibly ignore additional
- whitespace-separated tokens on each input line.
+ In addition to the above kv-pairs Squid also understands the following
+ optional kv-pairs received from URL rewriters:
+ clt_conn_tag=TAG
+ Associates a TAG with the client TCP connection.
+ The TAG is treated as a regular annotation but persists across
+ future requests on the client connection rather than just the
+ current request. A helper may update the TAG during subsequent
+ requests be returning a new kv-pair.
When using the concurrency= option the protocol is changed by
introducing a query channel tag in front of the request/response.
used to communicate with the helper is modified to include
an ID in front of the request/response. The ID from the request
must be echoed back with the response to that request.
+
+ queue-size=N
+
+ Sets the maximum number of queued requests.
+ If the queued requests exceed queue size and redirector_bypass
+ configuration option is set, then redirector is bypassed. Otherwise, if
+ overloading persists squid may abort its operation.
+ The default value is set to 2*numberofchildren.
DOC_END
NAME: url_rewrite_host_header redirect_rewrites_host_header
redirectors for access control, and you enable this option,
users may have access to pages they should not
be allowed to request.
+ This options sets default queue-size option of the url_rewrite_children
+ to 0.
DOC_END
NAME: url_rewrite_extras
sent before the required macro information is available to Squid.
DOC_END
+NAME: url_rewrite_timeout
+TYPE: UrlHelperTimeout
+LOC: Config.onUrlRewriteTimeout
+DEFAULT: none
+DEFAULT_DOC: Squid waits for the helper response forever
+DOC_START
+ Squid times active requests to redirector. The timeout value and Squid
+ reaction to a timed out request are configurable using the following
+ format:
+
+ url_rewrite_timeout timeout time-units on_timeout=<action> [response=<quoted-response>]
+
+ supported timeout actions:
+ fail Squid return a ERR_GATEWAY_FAILURE error page
+
+ bypass Do not re-write the URL
+
+ retry Send the lookup to the helper again
+
+ use_configured_response
+ Use the <quoted-response> as helper response
+DOC_END
+
COMMENT_START
OPTIONS FOR STORE ID
-----------------------------------------------------------------------------
An internal error occured in the helper, preventing
a result being identified.
+ In addition to the above kv-pairs Squid also understands the following
+ optional kv-pairs received from URL rewriters:
+ clt_conn_tag=TAG
+ Associates a TAG with the client TCP connection.
+ Please see url_rewrite_program related documentation for this
+ kv-pair
Helper programs should be prepared to receive and possibly ignore
additional whitespace-separated tokens on each input line.
used to communicate with the helper is modified to include
an ID in front of the request/response. The ID from the request
must be echoed back with the response to that request.
+
+ queue-size=N
+
+ Sets the maximum number of queued requests.
+ If the queued requests exceed queue size and store_id_bypass
+ configuration option is set, then storeID helper is bypassed. Otherwise,
+ if overloading persists squid may abort its operation.
+ The default value is set to 2*numberofchildren.
DOC_END
NAME: store_id_access storeurl_rewrite_access
are not critical to your caching system. If you use
helpers for critical caching components, and you enable this
option, users may not get objects from cache.
+ This options sets default queue-size option of the store_id_children
+ to 0.
DOC_END
COMMENT_START
downloads.
When the user aborts a request, Squid will check the
- quick_abort values to the amount of data transfered until
+ quick_abort values to the amount of data transferred until
then.
If the transfer has less than 'quick_abort_min' KB remaining,
LOC: Config.Timeout.read
DEFAULT: 15 minutes
DOC_START
- The read_timeout is applied on server-side connections. After
- each successful read(), the timeout will be extended by this
+ Applied on peer server connections.
+
+ After each successful read(), the timeout will be extended by this
amount. If no data is read again after this amount of time,
- the request is aborted and logged with ERR_READ_TIMEOUT. The
- default is 15 minutes.
+ the request is aborted and logged with ERR_READ_TIMEOUT.
+
+ The default is 15 minutes.
DOC_END
NAME: write_timeout
client connection after the previous request completes.
DOC_END
+NAME: ftp_client_idle_timeout
+TYPE: time_t
+LOC: Config.Timeout.ftpClientIdle
+DEFAULT: 30 minutes
+DOC_START
+ How long to wait for an FTP request on a connection to Squid ftp_port.
+ Many FTP clients do not deal with idle connection closures well,
+ necessitating a longer default timeout than client_idle_pconn_timeout
+ used for incoming HTTP requests.
+DOC_END
+
NAME: client_lifetime
COMMENT: time-units
TYPE: time_t
request_timeout, persistent_request_timeout and quick_abort values.
DOC_END
+NAME: pconn_lifetime
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.Timeout.pconnLifetime
+DEFAULT: 0 seconds
+DOC_START
+ Desired maximum lifetime of a persistent connection.
+ When set, Squid will close a now-idle persistent connection that
+ exceeded configured lifetime instead of moving the connection into
+ the idle connection pool (or equivalent). No effect on ongoing/active
+ transactions. Connection lifetime is the time period from the
+ connection acceptance or opening time until "now".
+
+ This limit is useful in environments with long-lived connections
+ where Squid configuration or environmental factors change during a
+ single connection lifetime. If unrestricted, some connections may
+ last for hours and even days, ignoring those changes that should
+ have affected their behavior or their existence.
+
+ Currently, a new lifetime value supplied via Squid reconfiguration
+ has no effect on already idle connections unless they become busy.
+
+ When set to '0' this limit is not used.
+DOC_END
+
NAME: half_closed_clients
TYPE: onoff
LOC: Config.onoff.half_closed_clients
description of delay_class.
For a class 1 delay pool, the syntax is:
- delay_pools pool 1
+ delay_class pool 1
delay_parameters pool aggregate
For a class 2 delay pool:
- delay_pools pool 2
+ delay_class pool 2
delay_parameters pool aggregate individual
For a class 3 delay pool:
- delay_pools pool 3
+ delay_class pool 3
delay_parameters pool aggregate network individual
For a class 4 delay pool:
- delay_pools pool 4
+ delay_class pool 4
delay_parameters pool aggregate network individual user
For a class 5 delay pool:
- delay_pools pool 5
+ delay_class pool 5
delay_parameters pool tagrate
The option variables are:
above example, and is being used to strictly limit each host to 64Kbit/sec
(plus overheads), with no overall limit, the line is:
- delay_parameters 1 -1/-1 8000/8000
+ delay_parameters 1 none 8000/8000
Note that 8 x 8000 KByte/sec -> 64Kbit/sec.
- Note that the figure -1 is used to represent "unlimited".
+ Note that the word 'none' is used to represent no limit.
And, if delay pool number 2 is a class 3 delay pool as in the above
DEFAULT: on
DOC_START
By default, Squid will send any non-hierarchical requests
- (matching hierarchy_stoplist or not cacheable request type) direct
- to origin servers.
+ (not cacheable request type) direct to origin servers.
When this is set to "off", Squid will prefer to send these
requests to parents.
DEFAULT: on
LOC: Config.onoff.cache_miss_revalidate
DOC_START
- Whether Squid on cache MISS will pass client revalidation requests
- to the server or tries to fetch new content for caching.
- This is useful while the cache is mostly empty to more quickly
- have the cache populated.
+ RFC 7232 defines a conditional request mechanism to prevent
+ response objects being unnecessarily transferred over the network.
+ If that mechanism is used by the client and a cache MISS occurs
+ it can prevent new cache entries being created.
+
+ This option determines whether Squid on cache MISS will pass the
+ client revalidation request to the server or tries to fetch new
+ content for caching. It can be useful while the cache is mostly
+ empty to more quickly have the cache populated by generating
+ non-conditional GETs.
When set to 'on' (default), Squid will pass all client If-* headers
- to the server.
+ to the server. This permits server responses without a cacheable
+ payload to be delivered and on MISS no new cache entry is created.
When set to 'off' and if the request is cacheable, Squid will
remove the clients If-Modified-Since and If-None-Match headers from
- the request sent to the server.
+ the request sent to the server. This requests a 200 status response
+ from the server to create a new cache entry with.
DOC_END
NAME: always_direct
See also: workers
DOC_END
+NAME: force_request_body_continuation
+TYPE: acl_access
+LOC: Config.accessList.forceRequestBodyContinuation
+DEFAULT: none
+DEFAULT_DOC: Deny, unless rules exist in squid.conf.
+DOC_START
+ This option controls how Squid handles data upload requests from HTTP
+ and FTP agents that require a "Please Continue" control message response
+ to actually send the request body to Squid. It is mostly useful in
+ adaptation environments.
+
+ When Squid receives an HTTP request with an "Expect: 100-continue"
+ header or an FTP upload command (e.g., STOR), Squid normally sends the
+ request headers or FTP command information to an adaptation service (or
+ peer) and waits for a response. Most adaptation services (and some
+ broken peers) may not respond to Squid at that stage because they may
+ decide to wait for the HTTP request body or FTP data transfer. However,
+ that request body or data transfer may never come because Squid has not
+ responded with the HTTP 100 or FTP 150 (Please Continue) control message
+ to the request sender yet!
+
+ An allow match tells Squid to respond with the HTTP 100 or FTP 150
+ (Please Continue) control message on its own, before forwarding the
+ request to an adaptation service or peer. Such a response usually forces
+ the request sender to proceed with sending the body. A deny match tells
+ Squid to delay that control response until the origin server confirms
+ that the request body is needed. Delaying is the default behavior.
+DOC_END
+
EOF
projects / thirdparty / squid.git / blobdiff