-#
-# SQUID Web Proxy Cache http://www.squid-cache.org/
-# ----------------------------------------------------------
-#
-# Squid is the result of efforts by numerous individuals from
-# the Internet community; see the CONTRIBUTORS file for full
-# details. Many organizations have provided support for Squid's
-# development; see the SPONSORS file for full details. Squid is
-# Copyrighted (C) 2000 by the Regents of the University of
-# California; see the COPYRIGHT file for full details. Squid
-# incorporates software developed and/or copyrighted by other
-# sources; see the CREDITS file for full details.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
-#
+## Copyright (C) 1996-2015 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
COMMENT_START
WELCOME TO @SQUID@
This option is not yet supported by Squid-3.
DOC_END
+# Options removed in 3.6
+NAME: cache_peer_domain cache_host_domain
+TYPE: obsolete
+DOC_START
+ Replace with dstdomain ACLs and cache_peer_access.
+DOC_END
+
+NAME: sslproxy_cafile
+TYPE: obsolete
+DOC_START
+ Remove this line. Use tls_outgoing_options cafile= instead.
+DOC_END
+
+NAME: sslproxy_capath
+TYPE: obsolete
+DOC_START
+ Remove this line. Use tls_outgoing_options capath= instead.
+DOC_END
+
+NAME: sslproxy_cipher
+TYPE: obsolete
+DOC_START
+ Remove this line. Use tls_outgoing_options cipher= instead.
+DOC_END
+
+NAME: sslproxy_client_certificate
+TYPE: obsolete
+DOC_START
+ Remove this line. Use tls_outgoing_options cert= instead.
+DOC_END
+
+NAME: sslproxy_client_key
+TYPE: obsolete
+DOC_START
+ Remove this line. Use tls_outgoing_options key= instead.
+DOC_END
+
+NAME: sslproxy_flags
+TYPE: obsolete
+DOC_START
+ Remove this line. Use tls_outgoing_options flags= instead.
+DOC_END
+
+NAME: sslproxy_options
+TYPE: obsolete
+DOC_START
+ Remove this line. Use tls_outgoing_options options= instead.
+DOC_END
+
+NAME: sslproxy_version
+TYPE: obsolete
+DOC_START
+ Remove this line. Use tls_outgoing_options options= instead.
+DOC_END
+
# Options removed in 3.5
NAME: hierarchy_stoplist
TYPE: obsolete
Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use.
DOC_END
+# Options removed in 3.4
NAME: log_access
TYPE: obsolete
DOC_START
DOC_END
# Options Removed in 3.2
+NAME: chunked_request_body_max_size
+TYPE: obsolete
+DOC_START
+ Remove this line. Squid is now HTTP/1.1 compliant.
+DOC_END
+
NAME: dns_v4_fallback
TYPE: obsolete
DOC_START
Replace this line with 'cache_peer' configuration.
DOC_END
+COMMENT_START
+ OPTIONS FOR SMP
+ -----------------------------------------------------------------------------
+COMMENT_END
+
+NAME: workers
+TYPE: int
+LOC: Config.workers
+DEFAULT: 1
+DEFAULT_DOC: SMP support disabled.
+DOC_START
+ Number of main Squid processes or "workers" to fork and maintain.
+ 0: "no daemon" mode, like running "squid -N ..."
+ 1: "no SMP" mode, start one main Squid process daemon (default)
+ N: start N main Squid process daemons (i.e., SMP mode)
+
+ In SMP mode, each worker does nearly all what a single Squid daemon
+ does (e.g., listen on http_port and forward HTTP requests).
+DOC_END
+
+NAME: cpu_affinity_map
+TYPE: CpuAffinityMap
+LOC: Config.cpuAffinityMap
+DEFAULT: none
+DEFAULT_DOC: Let operating system decide.
+DOC_START
+ Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,...
+
+ Sets 1:1 mapping between Squid processes and CPU cores. For example,
+
+ cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7
+
+ affects processes 1 through 4 only and places them on the first
+ four even cores, starting with core #1.
+
+ CPU cores are numbered starting from 1. Requires support for
+ sched_getaffinity(2) and sched_setaffinity(2) system calls.
+
+ Multiple cpu_affinity_map options are merged.
+
+ See also: workers
+DOC_END
+
COMMENT_START
OPTIONS FOR AUTHENTICATION
-----------------------------------------------------------------------------
For Digest there is no default, this parameter is mandatory.
For NTLM and Negotiate this parameter is ignored.
- "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
+ "children" numberofchildren [startup=N] [idle=N] [concurrency=N] [queue-size=N]
The maximum number of authenticator processes to spawn. If
you start too few Squid will have to wait for them to process
Concurrency must not be set unless it's known the helper
supports the input format with channel-ID fields.
+ The queue-size= option sets the maximum number of queued
+ requests. If the queued requests exceed queue size for more
+ than 3 minutes then squid aborts its operation.
+ The default value is set to 2*numberofchildren/
+
NOTE: NTLM and Negotiate schemes do not support concurrency
in the Squid code module even though some helpers can.
ttl=n TTL in seconds for cached results (defaults to 3600
for 1 hour)
+
negative_ttl=n
TTL for cached negative lookups (default same
as ttl)
+
+ grace=n Percentage remaining of TTL where a refresh of a
+ cached entry should be initiated without needing to
+ wait for a new reply. (default is for no grace period)
+
+ cache=n Limit the result cache size, default is 262144.
+ The expanded FORMAT value is used as the cache key, so
+ if the details in FORMAT are highly variable a larger
+ cache may be needed to produce reduction in helper load.
+
children-max=n
Maximum number of acl helper processes spawned to service
external acl lookups of this type. (default 20)
+
children-startup=n
Minimum number of acl helper processes to spawn during
startup and reconfigure to service external acl lookups
of this type. (default 0)
+
children-idle=n
Number of acl helper processes to keep ahead of traffic
loads. Squid will spawn this many at once whenever load
rises above the capabilities of existing processes.
Up to the value of children-max. (default 1)
+
concurrency=n concurrency level per process. Only used with helpers
capable of processing more than one query at a time.
- cache=n limit the result cache size, default is 262144.
- grace=n Percentage remaining of TTL where a refresh of a
- cached entry should be initiated without needing to
- wait for a new reply. (default is for no grace period)
- protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
+
+ queue-size=N The queue-size= option sets the maximum number of queued
+ requests. If the queued requests exceed queue size
+ the acl is ignored.
+ The default value is set to 2*children-max.
+
+ protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers.
+
ipv4 / ipv6 IP protocol used to communicate with this helper.
The default is to auto-detect IPv6 and use it when available.
+
FORMAT specifications
%LOGIN Authenticated user login name
+ %un A user name. Expands to the first available name
+ from the following list of information sources:
+ - authenticated user name, like %ul or %LOGIN
+ - user name sent by an external ACL, like %EXT_USER
+ - SSL client name, like %us in logformat
+ - ident user name, like %ui in logformat
%EXT_USER Username from previous external acl
%EXT_LOG Log details from previous external acl
%EXT_TAG Tag from previous external acl
%ea in logformat specifications.
clt_conn_tag= Associates a TAG with the client TCP connection.
- Please see url_rewrite_program related documentation for
- this kv-pair.
+ Please see url_rewrite_program related documentation
+ for this kv-pair.
Any keywords may be sent on any response whether OK, ERR or BH.
acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
- # The arp ACL requires the special configure option --enable-arp-acl.
- # Furthermore, the ARP ACL code is not portable to all operating systems.
- # It works on Linux, Solaris, Windows, FreeBSD, and some
- # other *BSD variants.
# [fast]
+ # The 'arp' ACL code is not portable to all operating systems.
+ # It works on Linux, Solaris, Windows, FreeBSD, and some other
+ # BSD variants.
+ #
+ # NOTE: Squid can only determine the MAC/EUI address for IPv4
+ # clients that are on the same subnet. If the client is on a
+ # different subnet, then Squid cannot find out its address.
#
- # NOTE: Squid can only determine the MAC address for clients that are on
- # the same subnet. If the client is on a different subnet,
- # then Squid cannot find out its MAC address.
+ # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either
+ # encoded directly in the IPv6 address or not available.
acl aclname srcdomain .foo.com ...
# reverse lookup, from client IP [slow]
acl aclname user_cert attribute values...
# match against attributes in a user SSL certificate
- # attribute is one of DN/C/O/CN/L/ST [fast]
+ # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
acl aclname ca_cert attribute values...
# match against attributes a users issuing CA SSL certificate
- # attribute is one of DN/C/O/CN/L/ST [fast]
+ # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
acl aclname ext_user username ...
acl aclname ext_user_regex [-i] pattern ...
# SslBump1: After getting TCP-level and HTTP CONNECT info.
# SslBump2: After getting SSL Client Hello info.
# SslBump3: After getting SSL Server Hello info.
+
+ acl aclname ssl::server_name .foo.com ...
+ # matches server name obtained from various sources [fast]
+ #
+ # The server name is obtained during Ssl-Bump steps from such sources
+ # as CONNECT request URI, client SNI, and SSL server certificate CN.
+ # During each Ssl-Bump step, Squid may improve its understanding of a
+ # "true server name". Unlike dstdomain, this ACL does not perform
+ # DNS lookups.
+
+ acl aclname ssl::server_name_regex [-i] \.foo\.com ...
+ # regex matches server name obtained from various sources [fast]
ENDIF
acl aclname any-of acl1 acl2 ...
# match any one of the acls [fast or slow]
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
-acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
-acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
-acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
-acl localnet src fc00::/7 # RFC 4193 local private network range
-acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
+acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
+acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
+acl localhet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
SECURITY WARNING: Usage of this option is dangerous
and should not be used trivially. Correct configuration
- of follow_x_forewarded_for with a limited set of trusted
+ of follow_x_forwarded_for with a limited set of trusted
sources is required to prevent abuse of your proxy.
DOC_END
DEFAULT: none
DEFAULT_DOC: Allow, unless rules exist in squid.conf.
DOC_START
- Determins whether network access is permitted when satisfying a request.
+ Determines whether network access is permitted when satisfying a request.
For example;
to force your neighbors to use you as a sibling instead of
DOC_END
+NAME: on_unsupported_protocol
+TYPE: on_unsupported_protocol
+LOC: Config.accessList.on_unsupported_protocol
+DEFAULT: none
+DEFAULT_DOC: Respond with an error message to unidentifiable traffic
+DOC_START
+ Determines Squid behavior when encountering strange requests at the
+ beginning of an accepted TCP connection or the beginning of a bumped
+ CONNECT tunnel. Controlling Squid reaction to unexpected traffic is
+ especially useful in interception environments where Squid is likely
+ to see connections for unsupported protocols that Squid should either
+ terminate or tunnel at TCP level.
+
+ on_unsupported_protocol <action> [!]acl ...
+
+ The first matching action wins. Only fast ACLs are supported.
+
+ Supported actions are:
+
+ tunnel: Establish a TCP connection with the intended server and
+ blindly shovel TCP packets between the client and server.
+
+ respond: Respond with an error message, using the transfer protocol
+ for the Squid port that received the request (e.g., HTTP
+ for connections intercepted at the http_port). This is the
+ default.
+
+ Squid expects the following traffic patterns:
+
+ http_port: a plain HTTP request
+ https_port: SSL/TLS handshake followed by an [encrypted] HTTP request
+ ftp_port: a plain FTP command (no on_unsupported_protocol support yet!)
+ CONNECT tunnel on http_port: same as https_port
+ CONNECT tunnel on https_port: same as https_port
+
+ Currently, this directive has effect on intercepted connections and
+ bumped tunnels only. Other cases are not supported because Squid
+ cannot know the intended destination of other traffic.
+
+ For example:
+ # define what Squid errors indicate receiving non-HTTP traffic:
+ acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
+ # define what Squid errors indicate receiving nothing:
+ acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
+ # tunnel everything that does not look like HTTP:
+ on_unsupported_protocol tunnel foreignProtocol
+ # tunnel if we think the client waits for the server to talk first:
+ on_unsupported_protocol tunnel serverTalksFirstProtocol
+ # in all other error cases, just send an HTTP "error page" response:
+ on_unsupported_protocol respond all
+
+ See also: squid_error ACL
+DOC_END
+
COMMENT_START
NETWORK OPTIONS
-----------------------------------------------------------------------------
Modes:
- intercept Support for IP-Layer interception of
- outgoing requests without browser settings.
- NP: disables authentication and IPv6 on the port.
+ intercept Support for IP-Layer NAT interception delivering
+ traffic to this Squid port.
+ NP: disables authentication on the port.
- tproxy Support Linux TPROXY for spoofing outgoing
- connections using the client IP address.
- NP: disables authentication and maybe IPv6 on the port.
+ tproxy Support Linux TPROXY (or BSD divert-to) with spoofing
+ of outgoing connections using the client IP address.
+ NP: disables authentication on the port.
accel Accelerator / reverse proxy mode
assumed to be a combined certificate and
key file.
- version= The version of SSL/TLS supported
- 1 automatic (default)
- 2 SSLv2 only
- 3 SSLv3 only
- 4 TLSv1.0 only
- 5 TLSv1.1 only
- 6 TLSv1.2 only
-
cipher= Colon separated list of supported ciphers.
NOTE: some ciphers such as EDH ciphers depend on
additional settings. If those settings are
options= Various SSL implementation options. The most important
being:
- NO_SSLv2 Disallow the use of SSLv2
+
NO_SSLv3 Disallow the use of SSLv3
+
NO_TLSv1 Disallow the use of TLSv1.0
+
NO_TLSv1_1 Disallow the use of TLSv1.1
+
NO_TLSv1_2 Disallow the use of TLSv1.2
- SINGLE_DH_USE Always create a new key when using
+
+ SINGLE_DH_USE
+ Always create a new key when using
temporary/ephemeral DH key exchanges
+
+ SINGLE_ECDH_USE
+ Enable ephemeral ECDH key exchange.
+ The adopted curve should be specified
+ using the tls-dh option.
+
+ NO_TICKET
+ Disable use of RFC5077 session tickets.
+ Some servers may have problems
+ understanding the TLS extension due
+ to ambiguous specification in RFC4507.
+
ALL Enable various bug workarounds
suggested as "harmless" by OpenSSL
Be warned that this reduces SSL/TLS
strength to some attacks.
- See OpenSSL SSL_CTX_set_options documentation for a
- complete list of options.
+
+ See the OpenSSL SSL_CTX_set_options documentation for a
+ more complete list.
clientca= File containing the list of CAs to use when
requesting a client certificate.
the client certificate, in addition to CRLs stored in
the capath. Implies VERIFY_CRL flag below.
- dhparams= File containing DH parameters for temporary/ephemeral
- DH key exchanges. See OpenSSL documentation for details
- on how to create this file.
- WARNING: EDH ciphers will be silently disabled if this
- option is not set.
+ tls-dh=[curve:]file
+ File containing DH parameters for temporary/ephemeral DH key
+ exchanges, optionally prefixed by a curve for ephemeral ECDH
+ key exchanges.
+ See OpenSSL documentation for details on how to create the
+ DH parameter file. Supported curves for ECDH can be listed
+ using the "openssl ecparam -list_curves" command.
+ WARNING: EDH and EECDH ciphers will be silently disabled if
+ this option is not set.
sslflags= Various flags modifying the use of SSL:
DELAYED_AUTH
assumed to be a combined certificate and
key file.
- version= The version of SSL/TLS supported
- 1 automatic (default)
- 2 SSLv2 only
- 3 SSLv3 only
- 4 TLSv1 only
-
cipher= Colon separated list of supported ciphers.
options= Various SSL engine options. The most important
being:
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1
- SINGLE_DH_USE Always create a new key when using
+
+ NO_SSLv3 Disallow the use of SSLv3
+
+ NO_TLSv1 Disallow the use of TLSv1.0
+
+ NO_TLSv1_1 Disallow the use of TLSv1.1
+
+ NO_TLSv1_2 Disallow the use of TLSv1.2
+
+ SINGLE_DH_USE
+ Always create a new key when using
temporary/ephemeral DH key exchanges
- See src/ssl_support.c or OpenSSL SSL_CTX_set_options
- documentation for a complete list of options.
+
+ SINGLE_ECDH_USE
+ Enable ephemeral ECDH key exchange.
+ The adopted curve should be specified
+ using the tls-dh option.
+
+ SSL_OP_NO_TICKET
+ Disable use of RFC5077 session tickets.
+ Some servers may have problems
+ understanding the TLS extension due
+ to ambiguous specification in RFC4507.
+
+ ALL Enable various bug workarounds
+ suggested as "harmless" by OpenSSL
+ Be warned that this reduces SSL/TLS
+ strength to some attacks.
+
+ See the OpenSSL SSL_CTX_set_options documentation for a
+ more complete list.
clientca= File containing the list of CAs to use when
requesting a client certificate.
the client certificate, in addition to CRLs stored in
the capath. Implies VERIFY_CRL flag below.
- dhparams= File containing DH parameters for temporary/ephemeral
- DH key exchanges.
+ tls-dh=[curve:]file
+ File containing DH parameters for temporary/ephemeral DH key
+ exchanges, optionally prefixed by a curve for ephemeral ECDH
+ key exchanges.
sslflags= Various flags modifying the use of SSL:
DELAYED_AUTH
RFC2475, and RFC3260.
The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
- "default" to use whatever default your host has. Note that in
- practice often only multiples of 4 is usable as the two rightmost bits
- have been redefined for use by ECN (RFC 3168 section 23.1).
+ "default" to use whatever default your host has.
+ Note that only multiples of 4 are usable as the two rightmost bits have
+ been redefined for use by ECN (RFC 3168 section 23.1).
+ The squid parser will enforce this by masking away the ECN bits.
Processing proceeds in the order specified, and stops at first fully
matching line.
DEFAULT: none
LOC: Ip::Qos::TheConfig.tosToClient
DOC_START
- Allows you to select a TOS/Diffserv value for packets being transmitted
+ Allows you to select a TOS/DSCP value for packets being transmitted
on the client-side, based on an ACL.
clientside_tos ds-field [!]aclname ...
Note: This feature is incompatible with qos_flows. Any TOS values set here
will be overwritten by TOS values in qos_flows.
+
+ The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
+ "default" to use whatever default your host has.
+ Note that only multiples of 4 are usable as the two rightmost bits have
+ been redefined for use by ECN (RFC 3168 section 23.1).
+ The squid parser will enforce this by masking away the ECN bits.
+
DOC_END
NAME: tcp_outgoing_mark
know what you're specifying. For more information, see RFC2474,
RFC2475, and RFC3260.
- The TOS/DSCP byte must be exactly that - a octet value 0 - 255. Note that
- in practice often only multiples of 4 is usable as the two rightmost bits
- have been redefined for use by ECN (RFC 3168 section 23.1).
+ The TOS/DSCP byte must be exactly that - a octet value 0 - 255.
+ Note that only multiples of 4 are usable as the two rightmost bits have
+ been redefined for use by ECN (RFC 3168 section 23.1).
+ The squid parser will enforce this by masking away the ECN bits.
Mark values can be any unsigned 32-bit integer value.
DOC_END
COMMENT_START
- SSL OPTIONS
+ TLS OPTIONS
-----------------------------------------------------------------------------
COMMENT_END
-NAME: ssl_unclean_shutdown
-IFDEF: USE_OPENSSL
-TYPE: onoff
-DEFAULT: off
-LOC: Config.SSL.unclean_shutdown
+NAME: tls_outgoing_options
+IFDEF: USE_GNUTLS||USE_OPENSSL
+TYPE: securePeerOptions
+DEFAULT: min-version=1.0
+LOC: Security::ProxyOutgoingConfig
DOC_START
- Some browsers (especially MSIE) bugs out on SSL shutdown
- messages.
-DOC_END
+ disable Do not support https:// URLs.
+
+ cert=/path/to/client/certificate
+ A client TLS certificate to use when connecting.
+
+ key=/path/to/client/private_key
+ The private TLS key corresponding to the cert= above.
+ If key= is not specified cert= is assumed to reference
+ a PEM file containing both the certificate and the key.
+
+ cipher=... The list of valid TLS ciphers to use.
-NAME: ssl_engine
-IFDEF: USE_OPENSSL
-TYPE: string
-LOC: Config.SSL.ssl_engine
-DEFAULT: none
-DOC_START
- The OpenSSL engine to use. You will need to set this if you
- would like to use hardware SSL acceleration for example.
-DOC_END
+ min-version=1.N
+ The minimum TLS protocol version to permit.
+ To control SSLv3 use the options= parameter.
+ Supported Values: 1.0 (default), 1.1, 1.2
-NAME: sslproxy_client_certificate
-IFDEF: USE_OPENSSL
-DEFAULT: none
-LOC: Config.ssl_client.cert
-TYPE: string
-DOC_START
- Client SSL Certificate to use when proxying https:// URLs
-DOC_END
+ options=... Specify various TLS/SSL implementation options:
-NAME: sslproxy_client_key
-IFDEF: USE_OPENSSL
-DEFAULT: none
-LOC: Config.ssl_client.key
-TYPE: string
-DOC_START
- Client SSL Key to use when proxying https:// URLs
-DOC_END
+ NO_SSLv3 Disallow the use of SSLv3
-NAME: sslproxy_version
-IFDEF: USE_OPENSSL
-DEFAULT: 1
-DEFAULT_DOC: automatic SSL/TLS version negotiation
-LOC: Config.ssl_client.version
-TYPE: int
-DOC_START
- SSL version level to use when proxying https:// URLs
+ NO_TLSv1 Disallow the use of TLSv1.0
- The versions of SSL/TLS supported:
+ NO_TLSv1_1 Disallow the use of TLSv1.1
- 1 automatic (default)
- 2 SSLv2 only
- 3 SSLv3 only
- 4 TLSv1.0 only
- 5 TLSv1.1 only
- 6 TLSv1.2 only
-DOC_END
+ NO_TLSv1_2 Disallow the use of TLSv1.2
-NAME: sslproxy_options
-IFDEF: USE_OPENSSL
-DEFAULT: none
-LOC: Config.ssl_client.options
-TYPE: string
-DOC_START
- SSL implementation options to use when proxying https:// URLs
-
- The most important being:
+ SINGLE_DH_USE
+ Always create a new key when using
+ temporary/ephemeral DH key exchanges
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1.0
- NO_TLSv1_1 Disallow the use of TLSv1.1
- NO_TLSv1_2 Disallow the use of TLSv1.2
- SINGLE_DH_USE
- Always create a new key when using temporary/ephemeral
- DH key exchanges
- SSL_OP_NO_TICKET
- Disable use of RFC5077 session tickets. Some servers
- may have problems understanding the TLS extension due
- to ambiguous specification in RFC4507.
- ALL Enable various bug workarounds suggested as "harmless"
- by OpenSSL. Be warned that this may reduce SSL/TLS
- strength to some attacks.
-
- See the OpenSSL SSL_CTX_set_options documentation for a
- complete list of possible options.
-DOC_END
+ SSL_OP_NO_TICKET
+ Disable use of RFC5077 session tickets.
+ Some servers may have problems
+ understanding the TLS extension due
+ to ambiguous specification in RFC4507.
-NAME: sslproxy_cipher
-IFDEF: USE_OPENSSL
-DEFAULT: none
-LOC: Config.ssl_client.cipher
-TYPE: string
-DOC_START
- SSL cipher list to use when proxying https:// URLs
+ ALL Enable various bug workarounds
+ suggested as "harmless" by OpenSSL
+ Be warned that this reduces SSL/TLS
+ strength to some attacks.
- Colon separated list of supported ciphers.
+ See the OpenSSL SSL_CTX_set_options documentation for a
+ more complete list.
+
+ cafile=... A file containing additional CA certificates to use
+ when verifying the peer certificate.
+
+ capath=... A directory containing additional CA certificates to
+ use when verifying the peer certificate.
+
+ crlfile=... A certificate revocation list file to use when
+ verifying the peer certificate.
+
+ flags=... Specify various flags modifying the TLS implementation:
+
+ DONT_VERIFY_PEER
+ Accept certificates even if they fail to
+ verify.
+ NO_DEFAULT_CA
+ Don't use the default CA list built in
+ to OpenSSL.
+ DONT_VERIFY_DOMAIN
+ Don't verify the peer certificate
+ matches the server name
+
+ domain= The peer name as advertised in its certificate.
+ Used for verifying the correctness of the received peer
+ certificate. If not specified the peer hostname will be
+ used.
DOC_END
-NAME: sslproxy_cafile
+COMMENT_START
+ SSL OPTIONS
+ -----------------------------------------------------------------------------
+COMMENT_END
+
+NAME: ssl_unclean_shutdown
IFDEF: USE_OPENSSL
-DEFAULT: none
-LOC: Config.ssl_client.cafile
-TYPE: string
+TYPE: onoff
+DEFAULT: off
+LOC: Config.SSL.unclean_shutdown
DOC_START
- file containing CA certificates to use when verifying server
- certificates while proxying https:// URLs
+ Some browsers (especially MSIE) bugs out on SSL shutdown
+ messages.
DOC_END
-NAME: sslproxy_capath
+NAME: ssl_engine
IFDEF: USE_OPENSSL
-DEFAULT: none
-LOC: Config.ssl_client.capath
TYPE: string
+LOC: Config.SSL.ssl_engine
+DEFAULT: none
DOC_START
- directory containing CA certificates to use when verifying
- server certificates while proxying https:// URLs
+ The OpenSSL engine to use. You will need to set this if you
+ would like to use hardware SSL acceleration for example.
DOC_END
NAME: sslproxy_session_ttl
Sets the cache size to use for ssl session
DOC_END
+NAME: sslproxy_cert_sign_hash
+IFDEF: USE_OPENSSL
+DEFAULT: none
+LOC: Config.SSL.certSignHash
+TYPE: string
+DOC_START
+ Sets the hashing algorithm to use when signing generated certificates.
+ Valid algorithm names depend on the OpenSSL library used. The following
+ names are usually available: sha1, sha256, sha512, and md5. Please see
+ your OpenSSL library manual for the available hashes. By default, Squids
+ that support this option use sha256 hashes.
+
+ Squid does not forcefully purge cached certificates that were generated
+ with an algorithm other than the currently configured one. They remain
+ in the cache, subject to the regular cache eviction policy, and become
+ useful if the algorithm changes again.
+DOC_END
+
NAME: ssl_bump
IFDEF: USE_OPENSSL
TYPE: sslproxy_ssl_bump
ssl_bump bump all
DOC_END
-NAME: sslproxy_flags
-IFDEF: USE_OPENSSL
-DEFAULT: none
-LOC: Config.ssl_client.flags
-TYPE: string
-DOC_START
- Various flags modifying the use of SSL while proxying https:// URLs:
- DONT_VERIFY_PEER Accept certificates that fail verification.
- For refined control, see sslproxy_cert_error.
- NO_DEFAULT_CA Don't use the default CA list built in
- to OpenSSL.
-DOC_END
-
NAME: sslproxy_cert_error
IFDEF: USE_OPENSSL
DEFAULT: none
at all times. When traffic begins to rise above what the existing
processes can handle this many more will be spawned up to the maximum
configured. A minimum setting of 1 is required.
+
+ queue-size=N
+
+ Sets the maximum number of queued requests.
+ If the queued requests exceed queue size for more than 3 minutes
+ squid aborts its operation.
+ The default value is set to 2*numberofchildren.
You must have at least one ssl_crtd process.
DOC_END
a request ID in front of the request/response. The request
ID from the request must be echoed back with the response
to that request.
+
+ queue-size=N
+
+ Sets the maximum number of queued requests.
+ If the queued requests exceed queue size for more than 3 minutes
+ squid aborts its operation.
+ The default value is set to 2*numberofchildren.
You must have at least one ssl_crt_validator process.
DOC_END
reference a combined file containing both the
certificate and the key.
- sslversion=1|2|3|4|5|6
- The SSL version to use when connecting to this peer
- 1 = automatic (default)
- 2 = SSL v2 only
- 3 = SSL v3 only
- 4 = TLS v1.0 only
- 5 = TLS v1.1 only
- 6 = TLS v1.2 only
-
sslcipher=... The list of valid SSL ciphers to use when connecting
to this peer.
-
+
+ tls-min-version=1.N
+ The minimum TLS protocol version to permit. To control
+ SSLv3 use the ssloptions= parameter.
+ Supported Values: 1.0 (default), 1.1, 1.2
+
ssloptions=... Specify various SSL implementation options:
- NO_SSLv2 Disallow the use of SSLv2
NO_SSLv3 Disallow the use of SSLv3
+
NO_TLSv1 Disallow the use of TLSv1.0
+
NO_TLSv1_1 Disallow the use of TLSv1.1
+
NO_TLSv1_2 Disallow the use of TLSv1.2
+
SINGLE_DH_USE
Always create a new key when using
temporary/ephemeral DH key exchanges
+
+ SSL_OP_NO_TICKET
+ Disable use of RFC5077 session tickets.
+ Some servers may have problems
+ understanding the TLS extension due
+ to ambiguous specification in RFC4507.
+
ALL Enable various bug workarounds
suggested as "harmless" by OpenSSL
Be warned that this reduces SSL/TLS
DONT_VERIFY_PEER
Accept certificates even if they fail to
verify.
+
NO_DEFAULT_CA
Don't use the default CA list built in
to OpenSSL.
+
DONT_VERIFY_DOMAIN
Don't verify the peer certificate
matches the server name
DOC_END
-NAME: cache_peer_domain cache_host_domain
-TYPE: hostdomain
-DEFAULT: none
-LOC: none
-DOC_START
- Use to limit the domains for which a neighbor cache will be
- queried.
-
- Usage:
- cache_peer_domain cache-host domain [domain ...]
- cache_peer_domain cache-host !domain
-
- For example, specifying
-
- cache_peer_domain parent.foo.net .edu
-
- has the effect such that UDP query packets are sent to
- 'bigserver' only when the requested object exists on a
- server in the .edu domain. Prefixing the domainname
- with '!' means the cache will be queried for objects
- NOT in that domain.
-
- NOTE: * Any number of domains may be given for a cache-host,
- either on the same or separate lines.
- * When multiple domains are given for a particular
- cache-host, the first matched domain is applied.
- * Cache hosts with no domain restrictions are queried
- for all requests.
- * There are no defaults.
- * There is also a 'cache_peer_access' tag in the ACL
- section.
-DOC_END
-
NAME: cache_peer_access
TYPE: peer_access
DEFAULT: none
LOC: none
DOC_START
- Similar to 'cache_peer_domain' but provides more flexibility by
- using ACL elements.
+ Use to limit the requests for which a neighbor proxy will be
+ queried. Peers with no restrictions are queried for all requests.
Usage:
cache_peer_access cache-host allow|deny [!]aclname ...
The syntax is identical to 'http_access' and the other lists of
- ACL elements. See the comments for 'http_access' below, or
- the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
+ ACL elements. See the comments for 'http_access', or the
+ Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
DOC_END
NAME: neighbor_type_domain
DEFAULT: 90
LOC: Config.Swap.lowWaterMark
DOC_START
- The low-water mark for cache object replacement.
- Replacement begins when the swap (disk) usage is above the
- low-water mark and attempts to maintain utilization near the
- low-water mark. As swap utilization gets close to high-water
- mark object eviction becomes more aggressive. If utilization is
- close to the low-water mark less replacement is done each time.
+ The low-water mark for AUFS/UFS/diskd cache object eviction by
+ the cache_replacement_policy algorithm.
+
+ Removal begins when the swap (disk) usage of a cache_dir is
+ above this low-water mark and attempts to maintain utilization
+ near the low-water mark.
+
+ As swap utilization increases towards the high-water mark set
+ by cache_swap_high object eviction becomes more agressive.
+
+ The value difference in percentages between low- and high-water
+ marks represent an eviction rate of 300 objects per second and
+ the rate continues to scale in agressiveness by multiples of
+ this above the high-water mark.
Defaults are 90% and 95%. If you have a large cache, 5% could be
hundreds of MB. If this is the case you may wish to set these
numbers closer together.
- See also cache_swap_high
+ See also cache_swap_high and cache_replacement_policy
DOC_END
NAME: cache_swap_high
DEFAULT: 95
LOC: Config.Swap.highWaterMark
DOC_START
- The high-water mark for cache object replacement.
- Replacement begins when the swap (disk) usage is above the
- low-water mark and attempts to maintain utilization near the
- low-water mark. As swap utilization gets close to high-water
- mark object eviction becomes more aggressive. If utilization is
- close to the low-water mark less replacement is done each time.
+ The high-water mark for AUFS/UFS/diskd cache object eviction by
+ the cache_replacement_policy algorithm.
+
+ Removal begins when the swap (disk) usage of a cache_dir is
+ above the low-water mark set by cache_swap_low and attempts to
+ maintain utilization near the low-water mark.
+
+ As swap utilization increases towards this high-water mark object
+ eviction becomes more agressive.
+
+ The value difference in percentages between low- and high-water
+ marks represent an eviction rate of 300 objects per second and
+ the rate continues to scale in agressiveness by multiples of
+ this above the high-water mark.
Defaults are 90% and 95%. If you have a large cache, 5% could be
hundreds of MB. If this is the case you may wish to set these
numbers closer together.
- See also cache_swap_low
+ See also cache_swap_low and cache_replacement_policy
DOC_END
COMMENT_START
ul User name from authentication
ue User name from external acl helper
ui User name from ident
- us User name from SSL
+ un A user name. Expands to the first available name
+ from the following list of information sources:
+ - authenticated user name, like %ul
+ - user name supplied by an external ACL, like %ue
+ - SSL client name, like %us
+ - ident user name, like %ui
credentials Client credentials. The exact meaning depends on
the authentication scheme: For Basic authentication,
it is the password; for Digest, the realm sent by the
[http::]>rs Request URL scheme from client
[http::]<rs Request URL scheme sent to server or peer
[http::]>rd Request URL domain from client
- [http::]>rd Request URL domain sent to server or peer
+ [http::]<rd Request URL domain sent to server or peer
[http::]>rP Request URL port from client
[http::]<rP Request URL port sent to server or peer
[http::]rp Request URL path excluding hostname
[http::]<pt Peer response time in milliseconds. The timer starts
when the last request byte is sent to the next hop
and stops when the last response byte is received.
- [http::]<tt Total server-side time in milliseconds. The timer
+ [http::]<tt Total time in milliseconds. The timer
starts with the first connect request (or write I/O)
sent to the first selected peer. The timer stops
with the last I/O with the last peer.
no certificate at all. Consider encoding the
logged value because Issuer often has spaces.
+ %ssl::<cert_errors The list of certificate validation errors
+ detected by Squid (including OpenSSL and
+ certificate validation helper components). The
+ errors are listed in the discovery order. By
+ default, the error codes are separated by ':'.
+ Accepts an optional separator argument.
+
The default formats available (which do not need re-defining) are:
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
support has not been tested for modules other
than tcp.
+ rotate=N Specifies the number of log file rotations to
+ make when you run 'squid -k rotate'. The default
+ is to obey the logfile_rotate directive. Setting
+ rotate=0 will disable the file name rotation,
+ but the log files are still closed and re-opened.
+ This will enable you to rename the logfiles
+ yourself just before sending the rotate signal.
+ Only supported by the stdio module.
+
===== Modules Currently available =====
none Do not log any requests matching these ACL.
DEFAULT: 10
LOC: Config.Log.rotateNumber
DOC_START
- Specifies the number of logfile rotations to make when you
+ Specifies the default number of logfile rotations to make when you
type 'squid -k rotate'. The default is 10, which will rotate
with extensions 0 through 9. Setting logfile_rotate to 0 will
disable the file name rotation, but the logfiles are still closed
and re-opened. This will enable you to rename the logfiles
yourself just before sending the rotate signal.
+ Note, from Squid-3.1 this option is only a default for cache.log,
+ that log can be rotated separately by using debug_options.
+
+ Note, from Squid-3.6 this option is only a default for access.log
+ recorded by stdio: module. Those logs can be rotated separately by
+ using the rotate=N option on their access_log directive.
+
Note, the 'squid -k rotate' command normally sends a USR1
signal to the running squid process. In certain situations
(e.g. on Linux with Async I/O), USR1 is used for other
in the habit of using 'squid -k rotate' instead of 'kill -USR1
<pid>'.
- Note, from Squid-3.1 this option is only a default for cache.log,
- that log can be rotated separately by using debug_options.
DOC_END
NAME: mime_table
DOC_END
NAME: pinger_program
-TYPE: string
-DEFAULT: @DEFAULT_PINGER@
-LOC: Config.pinger.program
IFDEF: USE_ICMP
+TYPE: icmp
+DEFAULT: @DEFAULT_PINGER@
+LOC: IcmpCfg
DOC_START
Specify the location of the executable for the pinger process.
DOC_END
NAME: pinger_enable
TYPE: onoff
DEFAULT: on
-LOC: Config.pinger.enable
+LOC: IcmpCfg.enable
IFDEF: USE_ICMP
DOC_START
Control whether the pinger is active at run-time.
used to communicate with the helper is modified to include
an ID in front of the request/response. The ID from the request
must be echoed back with the response to that request.
+
+ queue-size=N
+
+ Sets the maximum number of queued requests.
+ If the queued requests exceed queue size and redirector_bypass
+ configuration option is set, then redirector is bypassed. Otherwise, if
+ overloading persists squid may abort its operation.
+ The default value is set to 2*numberofchildren.
DOC_END
NAME: url_rewrite_host_header redirect_rewrites_host_header
redirectors for access control, and you enable this option,
users may have access to pages they should not
be allowed to request.
+ This options sets default queue-size option of the url_rewrite_children
+ to 0.
DOC_END
NAME: url_rewrite_extras
sent before the required macro information is available to Squid.
DOC_END
+NAME: url_rewrite_timeout
+TYPE: UrlHelperTimeout
+LOC: Config.onUrlRewriteTimeout
+DEFAULT: none
+DEFAULT_DOC: Squid waits for the helper response forever
+DOC_START
+ Squid times active requests to redirector. The timeout value and Squid
+ reaction to a timed out request are configurable using the following
+ format:
+
+ url_rewrite_timeout timeout time-units on_timeout=<action> [response=<quoted-response>]
+
+ supported timeout actions:
+ fail Squid return a ERR_GATEWAY_FAILURE error page
+
+ bypass Do not re-write the URL
+
+ retry Send the lookup to the helper again
+
+ use_configured_response
+ Use the <quoted-response> as helper response
+DOC_END
+
COMMENT_START
OPTIONS FOR STORE ID
-----------------------------------------------------------------------------
used to communicate with the helper is modified to include
an ID in front of the request/response. The ID from the request
must be echoed back with the response to that request.
+
+ queue-size=N
+
+ Sets the maximum number of queued requests.
+ If the queued requests exceed queue size and store_id_bypass
+ configuration option is set, then storeID helper is bypassed. Otherwise,
+ if overloading persists squid may abort its operation.
+ The default value is set to 2*numberofchildren.
DOC_END
NAME: store_id_access storeurl_rewrite_access
are not critical to your caching system. If you use
helpers for critical caching components, and you enable this
option, users may not get objects from cache.
+ This options sets default queue-size option of the store_id_children
+ to 0.
DOC_END
COMMENT_START
reload-into-ims
ignore-reload
ignore-no-store
- ignore-must-revalidate
ignore-private
- ignore-auth
max-stale=NN
refresh-ims
store-stale
the HTTP standard. Enabling this feature could make you
liable for problems which it causes.
- ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
- headers received from a server. Doing this VIOLATES
- the HTTP standard. Enabling this feature could make you
- liable for problems which it causes.
-
ignore-private ignores any ``Cache-control: private''
headers received from a server. Doing this VIOLATES
the HTTP standard. Enabling this feature could make you
liable for problems which it causes.
- ignore-auth caches responses to requests with authorization,
- as if the originserver had sent ``Cache-control: public''
- in the response header. Doing this VIOLATES the HTTP standard.
- Enabling this feature could make you liable for problems which
- it causes.
-
refresh-ims causes squid to contact the origin server
when a client issues an If-Modified-Since request. This
ensures that the client will receive an updated version
Basically a cached object is:
- FRESH if expires < now, else STALE
+ FRESH if expire > now, else STALE
STALE if age > max
FRESH if lm-factor < percent, else STALE
FRESH if age < min
a large file.
DOC_END
-NAME: chunked_request_body_max_size
-COMMENT: (bytes)
-TYPE: b_int64_t
-DEFAULT: 64 KB
-LOC: Config.maxChunkedRequestBodySize
-DOC_START
- A broken or confused HTTP/1.1 client may send a chunked HTTP
- request to Squid. Squid does not have full support for that
- feature yet. To cope with such requests, Squid buffers the
- entire request and then dechunks request body to create a
- plain HTTP/1.0 request with a known content length. The plain
- request is then used by the rest of Squid code as usual.
-
- The option value specifies the maximum size of the buffer used
- to hold the request before the conversion. If the chunked
- request size exceeds the specified limit, the conversion
- fails, and the client receives an "unsupported request" error,
- as if dechunking was disabled.
-
- Dechunking is enabled by default. To disable conversion of
- chunked requests, set the maximum to zero.
-
- Request dechunking feature and this option in particular are a
- temporary hack. When chunking requests and responses are fully
- supported, there will be no need to buffer a chunked request.
-DOC_END
-
NAME: broken_posts
IFDEF: USE_HTTP_VIOLATIONS
TYPE: acl_access
LOC: Config.Timeout.read
DEFAULT: 15 minutes
DOC_START
- The read_timeout is applied on server-side connections. After
- each successful read(), the timeout will be extended by this
+ Applied on peer server connections.
+
+ After each successful read(), the timeout will be extended by this
amount. If no data is read again after this amount of time,
- the request is aborted and logged with ERR_READ_TIMEOUT. The
- default is 15 minutes.
+ the request is aborted and logged with ERR_READ_TIMEOUT.
+
+ The default is 15 minutes.
DOC_END
NAME: write_timeout
connection establishment.
DOC_END
+NAME: request_start_timeout
+TYPE: time_t
+LOC: Config.Timeout.request_start_timeout
+DEFAULT: 5 minutes
+DOC_START
+ How long to wait for the first request byte after initial
+ connection establishment.
+DOC_END
+
NAME: client_idle_pconn_timeout persistent_request_timeout
TYPE: time_t
LOC: Config.Timeout.clientIdlePconn
request_timeout, persistent_request_timeout and quick_abort values.
DOC_END
+NAME: pconn_lifetime
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.Timeout.pconnLifetime
+DEFAULT: 0 seconds
+DOC_START
+ Desired maximum lifetime of a persistent connection.
+ When set, Squid will close a now-idle persistent connection that
+ exceeded configured lifetime instead of moving the connection into
+ the idle connection pool (or equivalent). No effect on ongoing/active
+ transactions. Connection lifetime is the time period from the
+ connection acceptance or opening time until "now".
+
+ This limit is useful in environments with long-lived connections
+ where Squid configuration or environmental factors change during a
+ single connection lifetime. If unrestricted, some connections may
+ last for hours and even days, ignoring those changes that should
+ have affected their behavior or their existence.
+
+ Currently, a new lifetime value supplied via Squid reconfiguration
+ has no effect on already idle connections unless they become busy.
+
+ When set to '0' this limit is not used.
+DOC_END
+
NAME: half_closed_clients
TYPE: onoff
LOC: Config.onoff.half_closed_clients
description of delay_class.
For a class 1 delay pool, the syntax is:
- delay_pools pool 1
+ delay_class pool 1
delay_parameters pool aggregate
For a class 2 delay pool:
- delay_pools pool 2
+ delay_class pool 2
delay_parameters pool aggregate individual
For a class 3 delay pool:
- delay_pools pool 3
+ delay_class pool 3
delay_parameters pool aggregate network individual
For a class 4 delay pool:
- delay_pools pool 4
+ delay_class pool 4
delay_parameters pool aggregate network individual user
For a class 5 delay pool:
- delay_pools pool 5
+ delay_class pool 5
delay_parameters pool tagrate
The option variables are:
above example, and is being used to strictly limit each host to 64Kbit/sec
(plus overheads), with no overall limit, the line is:
- delay_parameters 1 -1/-1 8000/8000
+ delay_parameters 1 none 8000/8000
Note that 8 x 8000 KByte/sec -> 64Kbit/sec.
- Note that the figure -1 is used to represent "unlimited".
+ Note that the word 'none' is used to represent no limit.
And, if delay pool number 2 is a class 3 delay pool as in the above
uri: icap://servername:port/servicepath
ICAP server and service location.
+ icaps://servername:port/servicepath
+ The "icap:" URI scheme is used for traditional ICAP server and
+ service location (default port is 1344, connections are not
+ encrypted). The "icaps:" URI scheme is for Secure ICAP
+ services that use SSL/TLS-encrypted ICAP connections (by
+ default, on port 11344).
ICAP does not allow a single service to handle both REQMOD and RESPMOD
transactions. Squid does not enforce that requirement. You can specify
Use the given number as the Max-Connections limit, regardless
of the Max-Connections value given by the service, if any.
+ ==== ICAPS / TLS OPTIONS ====
+
+ These options are used for Secure ICAP (icaps://....) services only.
+
+ tls-cert=/path/to/ssl/certificate
+ A client SSL certificate to use when connecting to
+ this icap server.
+
+ tls-key=/path/to/ssl/key
+ The private TLS/SSL key corresponding to sslcert above.
+ If 'tls-key' is not specified 'tls-cert' is assumed to
+ reference a combined PEM format file containing both the
+ certificate and the key.
+
+ tls-cipher=... The list of valid TLS/SSL ciphers to use when connecting
+ to this icap server.
+
+ tls-min-version=1.N
+ The minimum TLS protocol version to permit. To control
+ SSLv3 use the ssloptions= parameter.
+ Supported Values: 1.0 (default), 1.1, 1.2
+
+ tls-options=... Specify various OpenSSL library options:
+
+ NO_SSLv3 Disallow the use of SSLv3
+
+ NO_TLSv1 Disallow the use of TLSv1.0
+ NO_TLSv1_1 Disallow the use of TLSv1.1
+ NO_TLSv1_2 Disallow the use of TLSv1.2
+
+ SINGLE_DH_USE
+ Always create a new key when using
+ temporary/ephemeral DH key exchanges
+
+ ALL Enable various bug workarounds
+ suggested as "harmless" by OpenSSL
+ Be warned that this reduces SSL/TLS
+ strength to some attacks.
+
+ See the OpenSSL SSL_CTX_set_options documentation for a
+ more complete list. Options relevant only to SSLv2 are
+ not supported.
+
+ tls-cafile=... A PEM file containing additional CA certificates to use
+ when verifying the icap server certificate. Used
+ to specify intermediate CA certificate(s) if not sent
+ by the server. Or the full CA chain for the server
+ when using the NO_DEFAULT_CA flag.
+
+ tls-capath=... A directory containing additional CA certificates to
+ use when verifying the icap server certificate.
+
+ tls-crlfile=... A certificate revocation list file to use when
+ verifying the icap server certificate.
+
+ tls-flags=... Specify various flags modifying the Squid TLS implementation:
+
+ DONT_VERIFY_PEER
+ Accept certificates even if they fail to
+ verify.
+ NO_DEFAULT_CA
+ Don't use the default CA list built into
+ OpenSSL.
+ DONT_VERIFY_DOMAIN
+ Don't verify the icap server certificate
+ matches the server name
+
+ tls-domain= The icap server name as advertised in it's certificate.
+ Used for verifying the correctness of the received icap
+ server certificate. If not specified the icap server
+ hostname extracted from ICAP URI will be used.
+
Older icap_service format without optional named parameters is
deprecated but supported for backward compatibility.
Example:
icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
-icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on
+icap_service svcLogger reqmod_precache icaps://icap2.mydomain.net:11344/reqmod routing=on
DOC_END
NAME: icap_class
not all I/O types supports large values (eg on Windows).
DOC_END
-NAME: workers
-TYPE: int
-LOC: Config.workers
-DEFAULT: 1
-DEFAULT_DOC: SMP support disabled.
-DOC_START
- Number of main Squid processes or "workers" to fork and maintain.
- 0: "no daemon" mode, like running "squid -N ..."
- 1: "no SMP" mode, start one main Squid process daemon (default)
- N: start N main Squid process daemons (i.e., SMP mode)
-
- In SMP mode, each worker does nearly all what a single Squid daemon
- does (e.g., listen on http_port and forward HTTP requests).
-DOC_END
-
-NAME: cpu_affinity_map
-TYPE: CpuAffinityMap
-LOC: Config.cpuAffinityMap
+NAME: force_request_body_continuation
+TYPE: acl_access
+LOC: Config.accessList.forceRequestBodyContinuation
DEFAULT: none
-DEFAULT_DOC: Let operating system decide.
+DEFAULT_DOC: Deny, unless rules exist in squid.conf.
DOC_START
- Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,...
-
- Sets 1:1 mapping between Squid processes and CPU cores. For example,
-
- cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7
-
- affects processes 1 through 4 only and places them on the first
- four even cores, starting with core #1.
-
- CPU cores are numbered starting from 1. Requires support for
- sched_getaffinity(2) and sched_setaffinity(2) system calls.
-
- Multiple cpu_affinity_map options are merged.
-
- See also: workers
+ This option controls how Squid handles data upload requests from HTTP
+ and FTP agents that require a "Please Continue" control message response
+ to actually send the request body to Squid. It is mostly useful in
+ adaptation environments.
+
+ When Squid receives an HTTP request with an "Expect: 100-continue"
+ header or an FTP upload command (e.g., STOR), Squid normally sends the
+ request headers or FTP command information to an adaptation service (or
+ peer) and waits for a response. Most adaptation services (and some
+ broken peers) may not respond to Squid at that stage because they may
+ decide to wait for the HTTP request body or FTP data transfer. However,
+ that request body or data transfer may never come because Squid has not
+ responded with the HTTP 100 or FTP 150 (Please Continue) control message
+ to the request sender yet!
+
+ An allow match tells Squid to respond with the HTTP 100 or FTP 150
+ (Please Continue) control message on its own, before forwarding the
+ request to an adaptation service or peer. Such a response usually forces
+ the request sender to proceed with sending the body. A deny match tells
+ Squid to delay that control response until the origin server confirms
+ that the request body is needed. Delaying is the default behavior.
DOC_END
EOF
projects / thirdparty / squid.git / blobdiff