acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
- # The arp ACL requires the special configure option --enable-arp-acl.
- # Furthermore, the ARP ACL code is not portable to all operating systems.
- # It works on Linux, Solaris, Windows, FreeBSD, and some
- # other *BSD variants.
# [fast]
+ # The 'arp' ACL code is not portable to all operating systems.
+ # It works on Linux, Solaris, Windows, FreeBSD, and some other
+ # BSD variants.
#
- # NOTE: Squid can only determine the MAC address for clients that are on
- # the same subnet. If the client is on a different subnet,
- # then Squid cannot find out its MAC address.
+ # NOTE: Squid can only determine the MAC/EUI address for IPv4
+ # clients that are on the same subnet. If the client is on a
+ # different subnet, then Squid cannot find out its address.
+ #
+ # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either
+ # encoded directly in the IPv6 address or not available.
acl aclname srcdomain .foo.com ...
# reverse lookup, from client IP [slow]
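Review bot: the removed line "The arp ACL requires the special configure option --enable-arp-acl." was the only mention of a build prerequisite, and its replacement says nothing about one. If the 'arp' ACL is still compiled in only under some configure option, keep one line naming it; if it is now built unconditionally, say so in the commit message so packagers know the option is gone. The new NOTE 2 also says MAC/EUI "is either encoded directly in the IPv6 address or not available" without stating whether this ACL matches that encoded EUI for IPv6 clients; one sentence settling that would save operators a test.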
SECURITY WARNING: Usage of this option is dangerous
and should not be used trivially. Correct configuration
- of follow_x_forewarded_for with a limited set of trusted
+ of follow_x_forwarded_for with a limited set of trusted
sources is required to prevent abuse of your proxy.
DOC_END
DEFAULT: none
DEFAULT_DOC: Allow, unless rules exist in squid.conf.
DOC_START
- Determins whether network access is permitted when satisfying a request.
+ Determines whether network access is permitted when satisfying a request.
For example;
to force your neighbors to use you as a sibling instead of
Modes:
- intercept Support for IP-Layer interception of
- outgoing requests without browser settings.
- NP: disables authentication and IPv6 on the port.
+ intercept Support for IP-Layer NAT interception delivering
+ traffic to this Squid port.
+ NP: disables authentication on the port.
- tproxy Support Linux TPROXY for spoofing outgoing
- connections using the client IP address.
- NP: disables authentication and maybe IPv6 on the port.
+ tproxy Support Linux TPROXY (or BSD divert-to) with spoofing
+ of outgoing connections using the client IP address.
+ NP: disables authentication on the port.
accel Accelerator / reverse proxy mode
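Review bot: the intercept and tproxy NP lines drop "and IPv6" / "and maybe IPv6" and now say only "disables authentication on the port", which changes a documented limitation by omission. If IPv6 interception is now supported in both modes, state it positively (the NP line is where readers look for such caveats); if it is only supported on some platforms, keep a qualified note. Also consider aligning the two descriptions: intercept names NAT, tproxy names "Linux TPROXY (or BSD divert-to)", so a reader cannot tell whether BSD interception belongs under intercept as well.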
DEFAULT: 90
LOC: Config.Swap.lowWaterMark
DOC_START
- The low-water mark for cache object replacement.
- Replacement begins when the swap (disk) usage is above the
- low-water mark and attempts to maintain utilization near the
- low-water mark. As swap utilization gets close to high-water
- mark object eviction becomes more aggressive. If utilization is
- close to the low-water mark less replacement is done each time.
+ The low-water mark for AUFS/UFS/diskd cache object eviction by
+ the cache_replacement_policy algorithm.
+
+ Removal begins when the swap (disk) usage of a cache_dir is
+ above this low-water mark and attempts to maintain utilization
+ near the low-water mark.
+
+ As swap utilization increases towards the high-water mark set
+ by cache_swap_high object eviction becomes more agressive.
+
+ The value difference in percentages between low- and high-water
+ marks represent an eviction rate of 300 objects per second and
+ the rate continues to scale in agressiveness by multiples of
+ this above the high-water mark.
Defaults are 90% and 95%. If you have a large cache, 5% could be
hundreds of MB. If this is the case you may wish to set these
numbers closer together.
- See also cache_swap_high
+ See also cache_swap_high and cache_replacement_policy
DOC_END
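Review bot: typo "agressive" / "agressiveness" in the added lines "object eviction becomes more agressive." and "the rate continues to scale in agressiveness by multiples of"; should be "aggressive" / "aggressiveness". In the same paragraph "marks represent an eviction rate" needs "represents" (the subject is "difference"), and "by multiples of this above the high-water mark" leaves "this" ambiguous between the percentage difference and the 300 objects/second rate; name the quantity explicitly.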
NAME: cache_swap_high
DEFAULT: 95
LOC: Config.Swap.highWaterMark
DOC_START
- The high-water mark for cache object replacement.
- Replacement begins when the swap (disk) usage is above the
- low-water mark and attempts to maintain utilization near the
- low-water mark. As swap utilization gets close to high-water
- mark object eviction becomes more aggressive. If utilization is
- close to the low-water mark less replacement is done each time.
+ The high-water mark for AUFS/UFS/diskd cache object eviction by
+ the cache_replacement_policy algorithm.
+
+ Removal begins when the swap (disk) usage of a cache_dir is
+ above the low-water mark set by cache_swap_low and attempts to
+ maintain utilization near the low-water mark.
+
+ As swap utilization increases towards this high-water mark object
+ eviction becomes more agressive.
+
+ The value difference in percentages between low- and high-water
+ marks represent an eviction rate of 300 objects per second and
+ the rate continues to scale in agressiveness by multiples of
+ this above the high-water mark.
Defaults are 90% and 95%. If you have a large cache, 5% could be
hundreds of MB. If this is the case you may wish to set these
numbers closer together.
- See also cache_swap_low
+ See also cache_swap_low and cache_replacement_policy
DOC_END
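Review bot: same "agressive" / "agressiveness" typos and the same "marks represent" agreement problem as in the cache_swap_low text above, in the lines "eviction becomes more agressive." and "the rate continues to scale in agressiveness by multiples of". The eviction-rate paragraph is otherwise a verbatim copy of the cache_swap_low paragraph; keeping the full description in one place and having the other entry point to it ("See also cache_swap_low") would avoid the two drifting apart on the next edit.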
COMMENT_START
ul User name from authentication
ue User name from external acl helper
ui User name from ident
- us User name from SSL
un A user name. Expands to the first available name
from the following list of information sources:
- authenticated user name, like %ul
no certificate at all. Consider encoding the
logged value because Issuer often has spaces.
+ %ssl::<cert_errors The list of certificate validation errors
+ detected by Squid (including OpenSSL and
+ certificate validation helper components). The
+ errors are listed in the discovery order. By
+ default, the error codes are separated by ':'.
+ Accepts an optional separator argument.
+
The default formats available (which do not need re-defining) are:
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
Basically a cached object is:
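Review bot: the removed line "us User name from SSL" drops a format code with no replacement or deprecation note, so existing logformat definitions containing %us will stop parsing. Either keep 'us' documented as an alias of whatever %ssl:: code now carries the certificate user name, or add an explicit "removed" line so the incompatibility is visible to upgraders. For the new %ssl::<cert_errors entry, "Accepts an optional separator argument" should show the argument syntax the format code actually takes, as the other argument-taking codes in this section do.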
- FRESH if expires < now, else STALE
+ FRESH if expire > now, else STALE
STALE if age > max
FRESH if lm-factor < percent, else STALE
FRESH if age < min
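Review bot: the corrected line "FRESH if expire > now, else STALE" fixes the inverted comparison, but renames "expires" to "expire"; keep "expires" since it refers to the HTTP Expires header and the rest of the list uses the header-derived names (age, lm-factor).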
Use the given number as the Max-Connections limit, regardless
of the Max-Connections value given by the service, if any.
- ==== SSL / ICAPS / TLS OPTIONS ====
+ ==== ICAPS / TLS OPTIONS ====
These options are used for Secure ICAP (icaps://....) services only.
- sslcert=/path/to/ssl/certificate
+ tls-cert=/path/to/ssl/certificate
A client SSL certificate to use when connecting to
this icap server.
- sslkey=/path/to/ssl/key
- The private SSL key corresponding to sslcert above.
- If 'sslkey' is not specified 'sslcert' is assumed to
- reference a combined file containing both the
+ tls-key=/path/to/ssl/key
+ The private TLS/SSL key corresponding to sslcert above.
+ If 'tls-key' is not specified 'tls-cert' is assumed to
+ reference a combined PEM format file containing both the
certificate and the key.
- sslcipher=... The list of valid SSL ciphers to use when connecting
+ tls-cipher=... The list of valid TLS/SSL ciphers to use when connecting
to this icap server.
tls-min-version=1.N
SSLv3 use the ssloptions= parameter.
Supported Values: 1.0 (default), 1.1, 1.2
- ssloptions=... Specify various SSL implementation options:
+ tls-options=... Specify various OpenSSL library options:
NO_SSLv3 Disallow the use of SSLv3
+
NO_TLSv1 Disallow the use of TLSv1.0
NO_TLSv1_1 Disallow the use of TLSv1.1
NO_TLSv1_2 Disallow the use of TLSv1.2
+
SINGLE_DH_USE
Always create a new key when using
temporary/ephemeral DH key exchanges
+
ALL Enable various bug workarounds
- suggested as "harmless" by OpenSSL
- Be warned that this reduces SSL/TLS
- strength to some attacks.
+ suggested as "harmless" by OpenSSL
+ Be warned that this reduces SSL/TLS
+ strength to some attacks.
See the OpenSSL SSL_CTX_set_options documentation for a
- more complete list.
+ more complete list. Options relevant only to SSLv2 are
+ not supported.
- sslcafile=... A file containing additional CA certificates to use
- when verifying the icap server certificate.
+ tls-cafile=... A PEM file containing additional CA certificates to use
+ when verifying the icap server certificate. Used
+ to specify intermediate CA certificate(s) if not sent
+ by the server. Or the full CA chain for the server
+ when using the NO_DEFAULT_CA flag.
- sslcapath=... A directory containing additional CA certificates to
+ tls-capath=... A directory containing additional CA certificates to
use when verifying the icap server certificate.
- sslcrlfile=... A certificate revocation list file to use when
+ tls-crlfile=... A certificate revocation list file to use when
verifying the icap server certificate.
- sslflags=... Specify various flags modifying the SSL implementation:
+ tls-flags=... Specify various flags modifying the Squid TLS implementation:
DONT_VERIFY_PEER
Accept certificates even if they fail to
verify.
NO_DEFAULT_CA
- Don't use the default CA list built in
- to OpenSSL.
+ Don't use the default CA list built into
+ OpenSSL.
DONT_VERIFY_DOMAIN
Don't verify the icap server certificate
matches the server name
- ssldomain= The icap server name as advertised in it's certificate.
+ tls-domain= The icap server name as advertised in it's certificate.
Used for verifying the correctness of the received icap
server certificate. If not specified the icap server
hostname extracted from ICAP URI will be used.
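Review bot: two references were missed in the sslXXX to tls-XXX rename: "The private TLS/SSL key corresponding to sslcert above." should read tls-cert, and "SSLv3 use the ssloptions= parameter." under tls-min-version should read tls-options=. "it's certificate" in the tls-domain= line should be "its". Separately, DONT_VERIFY_PEER and DONT_VERIFY_DOMAIN are carried over with no caveat even though the 'ALL' option got a "Be warned" sentence; a one-line note that these flags disable authentication of the ICAP server would match that register and help readers see they are debugging aids, not tuning knobs.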