#
-# $Id: cf.data.pre,v 1.337 2003/08/13 00:26:21 robertc Exp $
+# $Id: cf.data.pre,v 1.338 2003/08/13 00:34:51 robertc Exp $
#
#
# SQUID Web Proxy Cache http://www.squid-cache.org/
et Tag returned by external acl
ea Log string returned by external acl
<st Reply size including HTTP headers
- <sH Reply high offset sent
- <sS Upstream object size
% a literal % character
logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param basic program <uncomment and complete this line>
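Review bot: the two logformat documentation lines `<sH Reply high offset sent` and `<sS Upstream object size` are deleted with no replacement anywhere in this patch, so whatever the logformat parser does with those codes is now undocumented; if the codes are still accepted the lines should stay, and if they were removed from the code the commit message should say so. Separately, almost everything else in this patch is a reindentation of the directive blocks (the leading whitespace before `NAME:`, `TYPE:`, `DOC_START` and friends goes away), which turns several hundred unchanged lines into `-`/`+` pairs; landing the whitespace-only change on its own would make the handful of real documentation edits reviewable.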
- auth_param basic children 5
- auth_param basic realm Squid proxy-caching web server
- auth_param basic credentialsttl 2 hours
- NOCOMMENT_END
- DOC_END
-
- NAME: authenticate_cache_garbage_interval
- TYPE: time_t
- DEFAULT: 1 hour
- LOC: Config.authenticateGCInterval
- DOC_START
- The time period between garbage collection across the
- username cache. This is a tradeoff between memory utilisation
- (long intervals - say 2 days) and CPU (short intervals -
- say 1 minute). Only change if you have good reason to.
- DOC_END
-
- NAME: authenticate_ttl
- TYPE: time_t
- DEFAULT: 1 hour
- LOC: Config.authenticateTTL
- DOC_START
- The time a user & their credentials stay in the logged in
- user cache since their last request. When the garbage
- interval passes, all user credentials that have passed their
- TTL are removed from memory.
- DOC_END
-
- NAME: authenticate_ip_ttl
- TYPE: time_t
- LOC: Config.authenticateIpTTL
- DEFAULT: 0 seconds
- DOC_START
- If you use proxy authentication and the 'max_user_ip' ACL,
- this directive controls how long Squid remembers the IP
- addresses associated with each user. Use a small value
- (e.g., 60 seconds) if your users might change addresses
- quickly, as is the case with dialups. You might be safe
- using a larger value (e.g., 2 hours) in a corporate LAN
- environment with relatively static address assignments.
- DOC_END
-
- NAME: external_acl_type
- TYPE: externalAclHelper
- LOC: Config.externalAclHelperList
- DEFAULT: none
- DOC_START
- This option defines external acl classes using a helper program
- to look up the status
-
- external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
-
- Options:
-
- ttl=n TTL in seconds for cached results (defaults to 3600
- for 1 hour)
- negative_ttl=n
- TTL for cached negative lookups (default same
- as ttl)
- children=n Number of acl helper processes spawn to service
- external acl lookups of this type.
- concurrency=n concurrency level per process. Use 0 for old style
- helpers who can only process a single request at a
- time.
- cache=n result cache size, 0 is unbounded (default)
- grace=n Percentage remaining of TTL where a refresh of a
- cached entry should be initiated without needing to
- wait for a new reply. (default 0 for no grace period)
-
- FORMAT specifications
-
- %LOGIN Authenticated user login name
- %IDENT Ident user name
- %SRC Client IP
- %SRCPORT Client source port
- %DST Requested host
- %PROTO Requested protocol
- %PORT Requested port
- %PATH Requested URL path
- %METHOD Request method
- %MYADDR Squid interface address
- %MYPORT Squid http_port number
- %USER_CERT_xx SSL User certificate attribute xx
- %USER_CA_xx SSL User certificate CA attribute xx
- %{Header}
-
- HTTP request header
-
- %{Hdr:member} HTTP request header list member
-
- %{Hdr:;member}
- HTTP request header list member using ; as
- list separator. ; can be any non-alphanumeric
- character.
-
- In addition, any string specified in the referencing acl will
- also be included in the helper request line, after the specified
- formats (see the "acl external" directive)
-
- The helper receives lines per the above format specification,
- and returns lines starting with OK or ERR indicating the validity
- of the request and optionally followed by additional keywords with
- more details.
-
- General result syntax:
-
- OK/ERR keyword=value ...
-
- Defined keywords:
-
- user= The users name (login)
- password= The users password (for login= cache_peer option)
- message= Message describing the reason. Available as %o
- in error pages
- tag= Apply a tag to a request (for both ERR and OK results)
- Only sets a tag, does not alter existing tags.
- log= String to be logged in access.log. Available as
- %ea in logformat specifications
-
- Keyword values need to be enclosed in quotes if they may
- contain whitespace, or the whitespace escaped using \. Any
- quotes or \ characters within the keyword value must be \
- escaped.
- DOC_END
-
- COMMENT_START
- OPTIONS FOR TUNING THE CACHE
- -----------------------------------------------------------------------------
- COMMENT_END
-
- NAME: wais_relay_host
-
- TYPE: string
-
- DEFAULT: none
-
- LOC: Config.Wais.relayHost
- DOC_NONE
-
- NAME: wais_relay_port
-
- TYPE: ushort
-
- DEFAULT: 0
-
- LOC: Config.Wais.relayPort
- DOC_START
- Relay WAIS request to host (1st arg) at port (2 arg).
- DOC_END
-
-
- NAME: request_header_max_size
+auth_param basic children 5
+auth_param basic realm Squid proxy-caching web server
+auth_param basic credentialsttl 2 hours
+NOCOMMENT_END
+DOC_END
- COMMENT: (KB)
+NAME: authenticate_cache_garbage_interval
+TYPE: time_t
+DEFAULT: 1 hour
+LOC: Config.authenticateGCInterval
+DOC_START
+ The time period between garbage collection across the
+ username cache. This is a tradeoff between memory utilisation
+ (long intervals - say 2 days) and CPU (short intervals -
+ say 1 minute). Only change if you have good reason to.
+DOC_END
- TYPE: b_size_t
+NAME: authenticate_ttl
+TYPE: time_t
+DEFAULT: 1 hour
+LOC: Config.authenticateTTL
+DOC_START
+ The time a user & their credentials stay in the logged in
+ user cache since their last request. When the garbage
+ interval passes, all user credentials that have passed their
+ TTL are removed from memory.
+DOC_END
- DEFAULT: 10 KB
+NAME: authenticate_ip_ttl
+TYPE: time_t
+LOC: Config.authenticateIpTTL
+DEFAULT: 0 seconds
+DOC_START
+ If you use proxy authentication and the 'max_user_ip' ACL,
+ this directive controls how long Squid remembers the IP
+ addresses associated with each user. Use a small value
+ (e.g., 60 seconds) if your users might change addresses
+ quickly, as is the case with dialups. You might be safe
+ using a larger value (e.g., 2 hours) in a corporate LAN
+ environment with relatively static address assignments.
+DOC_END
- LOC: Config.maxRequestHeaderSize
- DOC_START
- This specifies the maximum size for HTTP headers in a request.
- Request headers are usually relatively small (about 512 bytes).
- Placing a limit on the request header size will catch certain
- bugs (for example with persistent connections) and possibly
- buffer-overflow or denial-of-service attacks.
- DOC_END
+NAME: external_acl_type
+TYPE: externalAclHelper
+LOC: Config.externalAclHelperList
+DEFAULT: none
+DOC_START
+ This option defines external acl classes using a helper program
+ to look up the status
+
+ external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
+
+ Options:
- NAME: request_body_max_size
+ ttl=n TTL in seconds for cached results (defaults to 3600
+ for 1 hour)
+ negative_ttl=n
+ TTL for cached negative lookups (default same
+ as ttl)
+ children=n Number of acl helper processes spawn to service
+ external acl lookups of this type.
+ concurrency=n concurrency level per process. Use 0 for old style
+ helpers who can only process a single request at a
+ time.
+ cache=n result cache size, 0 is unbounded (default)
+ grace=n Percentage remaining of TTL where a refresh of a
+ cached entry should be initiated without needing to
+ wait for a new reply. (default 0 for no grace period)
+
+ FORMAT specifications
+
+ %LOGIN Authenticated user login name
+ %IDENT Ident user name
+ %SRC Client IP
+ %SRCPORT Client source port
+ %DST Requested host
+ %PROTO Requested protocol
+ %PORT Requested port
+ %PATH Requested URL path
+ %METHOD Request method
+ %MYADDR Squid interface address
+ %MYPORT Squid http_port number
+ %USER_CERT_xx SSL User certificate attribute xx
+ %USER_CA_xx SSL User certificate CA attribute xx
+ %{Header} HTTP request header
+ %{Hdr:member} HTTP request header list member
+ %{Hdr:;member}
+ HTTP request header list member using ; as
+ list separator. ; can be any non-alphanumeric
+ character.
+
+ In addition, any string specified in the referencing acl will
+ also be included in the helper request line, after the specified
+ formats (see the "acl external" directive)
+
+ The helper receives lines per the above format specification,
+ and returns lines starting with OK or ERR indicating the validity
+ of the request and optionally followed by additional keywords with
+ more details.
+
+ General result syntax:
+
+ OK/ERR keyword=value ...
- COMMENT: (KB)
+ Defined keywords:
- TYPE: b_size_t
+ user= The users name (login)
+ password= The users password (for login= cache_peer option)
+ message= Message describing the reason. Available as %o
+ in error pages
+ tag= Apply a tag to a request (for both ERR and OK results)
+ Only sets a tag, does not alter existing tags.
+ log= String to be logged in access.log. Available as
+ %ea in logformat specifications
- DEFAULT: 0 KB
+ Keyword values need to be enclosed in quotes if they may
+ contain whitespace, or the whitespace escaped using \. Any
+ quotes or \ characters within the keyword value must be \
+ escaped.
+DOC_END
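Review bot: the request-line side of the helper protocol never says how a format value that can contain whitespace (an `%{Header}` value, `%PATH`, or the extra string taken from the referencing acl) is delimited on the line handed to the helper, while the result side spells out quoting and `\` escaping in detail; a helper author working from this text alone cannot split the request line safely, so add the matching rule for the request direction next to the FORMAT list. Joining `%{Header}` with its description `HTTP request header` on one line is a good fix for the stray blank line in the old text; while here, `Number of acl helper processes spawn to service` should read `spawned`, and the opening sentence ending in `to look up the status` is missing its period.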
- LOC: Config.maxRequestBodySize
- DOC_START
- This specifies the maximum size for an HTTP request body.
- In other words, the maximum size of a PUT/POST request.
- A user who attempts to send a request with a body larger
- than this limit receives an "Invalid Request" error message.
- If you set this parameter to a zero (the default), there will
- be no limit imposed.
- DOC_END
+COMMENT_START
+ OPTIONS FOR TUNING THE CACHE
+ -----------------------------------------------------------------------------
+COMMENT_END
- NAME: refresh_pattern
+NAME: wais_relay_host
+TYPE: string
+DEFAULT: none
+LOC: Config.Wais.relayHost
+DOC_NONE
- TYPE: refreshpattern
+NAME: wais_relay_port
+TYPE: ushort
+DEFAULT: 0
+LOC: Config.Wais.relayPort
+DOC_START
+ Relay WAIS request to host (1st arg) at port (2 arg).
+DOC_END
- LOC: Config.Refresh
- DEFAULT: none
- DOC_START
+NAME: request_header_max_size
+COMMENT: (KB)
+TYPE: b_size_t
+DEFAULT: 10 KB
+LOC: Config.maxRequestHeaderSize
+DOC_START
+ This specifies the maximum size for HTTP headers in a request.
+ Request headers are usually relatively small (about 512 bytes).
+ Placing a limit on the request header size will catch certain
+ bugs (for example with persistent connections) and possibly
+ buffer-overflow or denial-of-service attacks.
+DOC_END
- usage: refresh_pattern [-i] regex min percent max [options]
+NAME: request_body_max_size
+COMMENT: (KB)
+TYPE: b_size_t
+DEFAULT: 0 KB
+LOC: Config.maxRequestBodySize
+DOC_START
+ This specifies the maximum size for an HTTP request body.
+ In other words, the maximum size of a PUT/POST request.
+ A user who attempts to send a request with a body larger
+ than this limit receives an "Invalid Request" error message.
+ If you set this parameter to a zero (the default), there will
+ be no limit imposed.
+DOC_END
- By default, regular expressions are CASE-SENSITIVE. To make
- them case-insensitive, use the -i option.
+NAME: refresh_pattern
+TYPE: refreshpattern
+LOC: Config.Refresh
+DEFAULT: none
+DOC_START
+ usage: refresh_pattern [-i] regex min percent max [options]
- 'Min' is the time (in minutes) an object without an explicit
- expiry time should be considered fresh. The recommended
- value is 0, any higher values may cause dynamic applications
- to be erroneously cached unless the application designer
- has taken the appropriate actions.
+ By default, regular expressions are CASE-SENSITIVE. To make
+ them case-insensitive, use the -i option.
- 'Percent' is a percentage of the objects age (time since last
- modification age) an object without explicit expiry time
- will be considered fresh.
+ 'Min' is the time (in minutes) an object without an explicit
+ expiry time should be considered fresh. The recommended
+ value is 0, any higher values may cause dynamic applications
+ to be erroneously cached unless the application designer
+ has taken the appropriate actions.
- 'Max' is an upper limit on how long objects without an explicit
- expiry time will be considered fresh.
+ 'Percent' is a percentage of the objects age (time since last
+ modification age) an object without explicit expiry time
+ will be considered fresh.
- options: override-expire
- override-lastmod
- reload-into-ims
- ignore-reload
+ 'Max' is an upper limit on how long objects without an explicit
+ expiry time will be considered fresh.
- override-expire enforces min age even if the server
+ options: override-expire
+ override-lastmod
+ reload-into-ims
+ ignore-reload
- sent a Expires: header. Doing this VIOLATES the HTTP
- standard. Enabling this feature could make you liable
- for problems which it causes.
+ override-expire enforces min age even if the server
+ sent a Expires: header. Doing this VIOLATES the HTTP
+ standard. Enabling this feature could make you liable
+ for problems which it causes.
- override-lastmod enforces min age even on objects
- that was modified recently.
+ override-lastmod enforces min age even on objects
+ that was modified recently.
- reload-into-ims changes client no-cache or ``reload''
- to If-Modified-Since requests. Doing this VIOLATES the
- HTTP standard. Enabling this feature could make you
- liable for problems which it causes.
+ reload-into-ims changes client no-cache or ``reload''
+ to If-Modified-Since requests. Doing this VIOLATES the
+ HTTP standard. Enabling this feature could make you
+ liable for problems which it causes.
- ignore-reload ignores a client no-cache or ``reload''
- header. Doing this VIOLATES the HTTP standard. Enabling
- this feature could make you liable for problems which
- it causes.
+ ignore-reload ignores a client no-cache or ``reload''
+ header. Doing this VIOLATES the HTTP standard. Enabling
+ this feature could make you liable for problems which
+ it causes.
+
+ Basically a cached object is:
- Basically a cached object is:
+ FRESH if expires < now, else STALE
+ STALE if age > max
+ FRESH if lm-factor < percent, else STALE
+ FRESH if age < min
+ else STALE
- FRESH if expires < now, else STALE
- STALE if age > max
- FRESH if lm-factor < percent, else STALE
- FRESH if age < min
- else STALE
+ The refresh_pattern lines are checked in the order listed here.
+ The first entry which matches is used. If none of the entries
+ match, then the default will be used.
- The refresh_pattern lines are checked in the order listed here.
- The first entry which matches is used. If none of the entries
- match, then the default will be used.
+ Note, you must uncomment all the default lines if you want
+ to change one. The default setting is only active if none is
+ used.
- Note, you must uncomment all the default lines if you want
- to change one. The default setting is only active if none is
- used.
+Suggested default:
+NOCOMMENT_START
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern . 0 20% 4320
+NOCOMMENT_END
+DOC_END
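Review bot: the first line of the freshness summary, `FRESH if expires < now, else STALE`, is inverted: an object whose server-supplied expiry time is already in the past must be stale, so the rule the rest of the block describes is `FRESH if expires > now, else STALE`. Since every line of this block is being rewritten anyway, correct the text rather than carrying the inversion into the new file. Minor, same block: `even if the server sent a Expires: header` should be `an Expires: header`, and `even on objects that was modified recently` should be `were`.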
- Suggested default:
- NOCOMMENT_START
+NAME: quick_abort_min
+COMMENT: (KB)
+TYPE: kb_size_t
+DEFAULT: 16 KB
+LOC: Config.quickAbort.min
+DOC_NONE
- refresh_pattern ^ftp: 1440 20% 10080
+NAME: quick_abort_max
+COMMENT: (KB)
+TYPE: kb_size_t
+DEFAULT: 16 KB
+LOC: Config.quickAbort.max
+DOC_NONE
- refresh_pattern ^gopher: 1440 0% 1440
- refresh_pattern . 0 20% 4320
- NOCOMMENT_END
- DOC_END
+NAME: quick_abort_pct
+COMMENT: (percent)
+TYPE: int
+DEFAULT: 95
+LOC: Config.quickAbort.pct
+DOC_START
+ The cache by default continues downloading aborted requests
+ which are almost completed (less than 16 KB remaining). This
+ may be undesirable on slow (e.g. SLIP) links and/or very busy
+ caches. Impatient users may tie up file descriptors and
+ bandwidth by repeatedly requesting and immediately aborting
+ downloads.
- NAME: quick_abort_min
+ When the user aborts a request, Squid will check the
+ quick_abort values to the amount of data transfered until
+ then.
- COMMENT: (KB)
+ If the transfer has less than 'quick_abort_min' KB remaining,
+ it will finish the retrieval.
- TYPE: kb_size_t
+ If the transfer has more than 'quick_abort_max' KB remaining,
+ it will abort the retrieval.
- DEFAULT: 16 KB
+ If more than 'quick_abort_pct' of the transfer has completed,
+ it will finish the retrieval.
- LOC: Config.quickAbort.min
- DOC_NONE
+ If you do not want any retrieval to continue after the client
+ has aborted, set both 'quick_abort_min' and 'quick_abort_max'
+ to '0 KB'.
- NAME: quick_abort_max
+ If you want retrievals to always continue if they are being
+ cached then set 'quick_abort_min' to '-1 KB'.
+DOC_END
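Review bot: `Squid will check the quick_abort values to the amount of data transfered until then` should read `compare the quick_abort values with the amount of data transferred so far`; `transfered` is misspelled. Also, `quick_abort_min` and `quick_abort_max` are declared with `DOC_NONE` and only explained here under `quick_abort_pct`, so a reader looking up either of the first two directives in the generated squid.conf gets no text at all; a one-line pointer to `quick_abort_pct` under each would fix that.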
- COMMENT: (KB)
+NAME: read_ahead_gap
+COMMENT: buffer-size
+TYPE: kb_size_t
+LOC: Config.readAheadGap
+DEFAULT: 16 KB
+DOC_START
+ The amount of data the cache will buffer ahead of what has been
+ sent to the client when retrieving an object from another server.
+DOC_END
- TYPE: kb_size_t
+NAME: negative_ttl
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.negativeTtl
+DEFAULT: 5 minutes
+DOC_START
+ Time-to-Live (TTL) for failed requests. Certain types of
+ failures (such as "connection refused" and "404 Not Found") are
+ negatively-cached for a configurable amount of time. The
+ default is 5 minutes. Note that this is different from
+ negative caching of DNS lookups.
+DOC_END
- DEFAULT: 16 KB
- LOC: Config.quickAbort.max
- DOC_NONE
+NAME: positive_dns_ttl
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.positiveDnsTtl
+DEFAULT: 6 hours
+DOC_START
+ Time-to-Live (TTL) for positive caching of successful DNS lookups.
+ Default is 6 hours (360 minutes). If you want to minimize the
+ use of Squid's ipcache, set this to 1, not 0.
+DOC_END
- NAME: quick_abort_pct
- COMMENT: (percent)
+NAME: negative_dns_ttl
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.negativeDnsTtl
+DEFAULT: 5 minutes
+DOC_START
+ Time-to-Live (TTL) for negative caching of failed DNS lookups.
+DOC_END
- TYPE: int
+NAME: range_offset_limit
+COMMENT: (bytes)
+TYPE: b_size_t
+LOC: Config.rangeOffsetLimit
+DEFAULT: 0 KB
+DOC_START
+ Sets a upper limit on how far into the the file a Range request
+ may be to cause Squid to prefetch the whole file. If beyond this
+ limit then Squid forwards the Range request as it is and the result
+ is NOT cached.
- DEFAULT: 95
+ This is to stop a far ahead range request (lets say start at 17MB)
+ from making Squid fetch the whole object up to that point before
+ sending anything to the client.
- LOC: Config.quickAbort.pct
- DOC_START
- The cache by default continues downloading aborted requests
- which are almost completed (less than 16 KB remaining). This
- may be undesirable on slow (e.g. SLIP) links and/or very busy
- caches. Impatient users may tie up file descriptors and
- bandwidth by repeatedly requesting and immediately aborting
- downloads.
+ A value of -1 causes Squid to always fetch the object from the
+ beginning so that it may cache the result. (2.0 style)
- When the user aborts a request, Squid will check the
- quick_abort values to the amount of data transfered until
- then.
+ A value of 0 causes Squid to never fetch more than the
+ client requested. (default)
+DOC_END
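Review bot: `Sets a upper limit on how far into the the file` has a doubled `the` and should read `an upper limit`; `lets say start at 17MB` needs the apostrophe. The header of this block names two different units for the same directive, `COMMENT: (bytes)` against `DEFAULT: 0 KB`, so state in the -1 and 0 sentences which unit an explicit value is read in, or make the COMMENT and DEFAULT agree.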
- If the transfer has less than 'quick_abort_min' KB remaining,
- it will finish the retrieval.
- If the transfer has more than 'quick_abort_max' KB remaining,
- it will abort the retrieval.
+COMMENT_START
+ TIMEOUTS
+ -----------------------------------------------------------------------------
+COMMENT_END
- If more than 'quick_abort_pct' of the transfer has completed,
- it will finish the retrieval.
+NAME: connect_timeout
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.Timeout.connect
+DEFAULT: 2 minutes
+DOC_START
+ Some systems (notably Linux) can not be relied upon to properly
+ time out connect(2) requests. Therefore the Squid process
+ enforces its own timeout on server connections. This parameter
+ specifies how long to wait for the connect to complete. The
+ default is two minutes (120 seconds).
+DOC_END
- If you do not want any retrieval to continue after the client
- has aborted, set both 'quick_abort_min' and 'quick_abort_max'
- to '0 KB'.
+NAME: peer_connect_timeout
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.Timeout.peer_connect
+DEFAULT: 30 seconds
+DOC_START
+ This parameter specifies how long to wait for a pending TCP
+ connection to a peer cache. The default is 30 seconds. You
+ may also set different timeout values for individual neighbors
+ with the 'connect-timeout' option on a 'cache_peer' line.
+DOC_END
- If you want retrievals to always continue if they are being
- cached then set 'quick_abort_min' to '-1 KB'.
- DOC_END
+NAME: read_timeout
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.Timeout.read
+DEFAULT: 15 minutes
+DOC_START
+ The read_timeout is applied on server-side connections. After
+ each successful read(), the timeout will be extended by this
+ amount. If no data is read again after this amount of time,
+ the request is aborted and logged with ERR_READ_TIMEOUT. The
+ default is 15 minutes.
+DOC_END
- NAME: read_ahead_gap
- COMMENT: buffer-size
+NAME: request_timeout
+TYPE: time_t
+LOC: Config.Timeout.request
+DEFAULT: 5 minutes
+DOC_START
+ How long to wait for an HTTP request after initial
+ connection establishment.
+DOC_END
- TYPE: kb_size_t
- LOC: Config.readAheadGap
+NAME: persistent_request_timeout
+TYPE: time_t
+LOC: Config.Timeout.persistent_request
+DEFAULT: 1 minute
+DOC_START
+ How long to wait for the next HTTP request on a persistent
+ connection after the previous request completes.
+DOC_END
- DEFAULT: 16 KB
- DOC_START
- The amount of data the cache will buffer ahead of what has been
- sent to the client when retrieving an object from another server.
- DOC_END
- NAME: negative_ttl
+NAME: client_lifetime
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.Timeout.lifetime
+DEFAULT: 1 day
+DOC_START
+ The maximum amount of time that a client (browser) is allowed to
+ remain connected to the cache process. This protects the Cache
+ from having a lot of sockets (and hence file descriptors) tied up
+ in a CLOSE_WAIT state from remote clients that go away without
+ properly shutting down (either because of a network failure or
+ because of a poor client implementation). The default is one
+ day, 1440 minutes.
+
+ NOTE: The default value is intended to be much larger than any
+ client would ever need to be connected to your cache. You
+ should probably change client_lifetime only as a last resort.
+ If you seem to have many client connections tying up
+ filedescriptors, we recommend first tuning the read_timeout,
+ request_timeout, persistent_request_timeout and quick_abort values.
+DOC_END
+
+NAME: half_closed_clients
+TYPE: onoff
+LOC: Config.onoff.half_closed_clients
+DEFAULT: on
+DOC_START
+ Some clients may shutdown the sending side of their TCP
+ connections, while leaving their receiving sides open. Sometimes,
+ Squid can not tell the difference between a half-closed and a
+ fully-closed TCP connection. By default, half-closed client
+ connections are kept open until a read(2) or write(2) on the
+ socket returns an error. Change this option to 'off' and Squid
+ will immediately close client connections when read(2) returns
+ "no more data to read."
+DOC_END
- COMMENT: time-units
+NAME: pconn_timeout
+TYPE: time_t
+LOC: Config.Timeout.pconn
+DEFAULT: 120 seconds
+DOC_START
+ Timeout for idle persistent connections to servers and other
+ proxies.
+DOC_END
- TYPE: time_t
+NAME: ident_timeout
+TYPE: time_t
+IFDEF: USE_IDENT
+LOC: Config.Timeout.ident
+DEFAULT: 10 seconds
+DOC_START
+ Maximum time to wait for IDENT lookups to complete.
+
+ If this is too high, and you enabled IDENT lookups from untrusted
+ users, then you might be susceptible to denial-of-service by having
+ many ident requests going at once.
+DOC_END
- LOC: Config.negativeTtl
- DEFAULT: 5 minutes
- DOC_START
- Time-to-Live (TTL) for failed requests. Certain types of
- failures (such as "connection refused" and "404 Not Found") are
- negatively-cached for a configurable amount of time. The
- default is 5 minutes. Note that this is different from
- negative caching of DNS lookups.
- DOC_END
+NAME: shutdown_lifetime
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.shutdownLifetime
+DEFAULT: 30 seconds
+DOC_START
+ When SIGTERM or SIGHUP is received, the cache is put into
+ "shutdown pending" mode until all active sockets are closed.
+ This value is the lifetime to set for all open descriptors
+ during shutdown mode. Any active clients after this many
+ seconds will receive a 'timeout' message.
+DOC_END
+COMMENT_START
+ ACCESS CONTROLS
+ -----------------------------------------------------------------------------
+COMMENT_END
- NAME: positive_dns_ttl
+NAME: acl
+TYPE: acl
+LOC: Config.aclList
+DEFAULT: none
+DOC_START
+ Defining an Access List
- COMMENT: time-units
+ acl aclname acltype string1 ...
+ acl aclname acltype "file" ...
- TYPE: time_t
+ when using "file", the file should contain one item per line
- LOC: Config.positiveDnsTtl
+ acltype is one of the types described below
- DEFAULT: 6 hours
- DOC_START
- Time-to-Live (TTL) for positive caching of successful DNS lookups.
- Default is 6 hours (360 minutes). If you want to minimize the
- use of Squid's ipcache, set this to 1, not 0.
- DOC_END
+ By default, regular expressions are CASE-SENSITIVE. To make
+ them case-insensitive, use the -i option.
+ acl aclname src ip-address/netmask ... (clients IP address)
+ acl aclname src addr1-addr2/netmask ... (range of addresses)
+ acl aclname dst ip-address/netmask ... (URL host's IP address)
+ acl aclname myip ip-address/netmask ... (local socket IP address)
- NAME: negative_dns_ttl
- COMMENT: time-units
- TYPE: time_t
- LOC: Config.negativeDnsTtl
- DEFAULT: 5 minutes
- DOC_START
- Time-to-Live (TTL) for negative caching of failed DNS lookups.
- DOC_END
-
- NAME: range_offset_limit
- COMMENT: (bytes)
- TYPE: b_size_t
- LOC: Config.rangeOffsetLimit
- DEFAULT: 0 KB
- DOC_START
- Sets a upper limit on how far into the the file a Range request
- may be to cause Squid to prefetch the whole file. If beyond this
- limit then Squid forwards the Range request as it is and the result
- is NOT cached.
-
- This is to stop a far ahead range request (lets say start at 17MB)
- from making Squid fetch the whole object up to that point before
- sending anything to the client.
-
- A value of -1 causes Squid to always fetch the object from the
- beginning so that it may cache the result. (2.0 style)
-
- A value of 0 causes Squid to never fetch more than the
- client requested. (default)
- DOC_END
-
-
- COMMENT_START
- TIMEOUTS
- -----------------------------------------------------------------------------
- COMMENT_END
-
- NAME: connect_timeout
- COMMENT: time-units
- TYPE: time_t
- LOC: Config.Timeout.connect
- DEFAULT: 2 minutes
- DOC_START
- Some systems (notably Linux) can not be relied upon to properly
- time out connect(2) requests. Therefore the Squid process
- enforces its own timeout on server connections. This parameter
- specifies how long to wait for the connect to complete. The
- default is two minutes (120 seconds).
- DOC_END
-
- NAME: peer_connect_timeout
- COMMENT: time-units
- TYPE: time_t
- LOC: Config.Timeout.peer_connect
- DEFAULT: 30 seconds
- DOC_START
- This parameter specifies how long to wait for a pending TCP
- connection to a peer cache. The default is 30 seconds. You
- may also set different timeout values for individual neighbors
- with the 'connect-timeout' option on a 'cache_peer' line.
- DOC_END
-
- NAME: read_timeout
- COMMENT: time-units
- TYPE: time_t
- LOC: Config.Timeout.read
- DEFAULT: 15 minutes
- DOC_START
- The read_timeout is applied on server-side connections. After
- each successful read(), the timeout will be extended by this
- amount. If no data is read again after this amount of time,
- the request is aborted and logged with ERR_READ_TIMEOUT. The
- default is 15 minutes.
- DOC_END
-
-
- NAME: request_timeout
- TYPE: time_t
- LOC: Config.Timeout.request
- DEFAULT: 5 minutes
- DOC_START
- How long to wait for an HTTP request after initial
- connection establishment.
- DOC_END
-
-
- NAME: persistent_request_timeout
- TYPE: time_t
- LOC: Config.Timeout.persistent_request
- DEFAULT: 1 minute
- DOC_START
- How long to wait for the next HTTP request on a persistent
- connection after the previous request completes.
- DOC_END
-
-
- NAME: client_lifetime
- COMMENT: time-units
- TYPE: time_t
- LOC: Config.Timeout.lifetime
- DEFAULT: 1 day
- DOC_START
- The maximum amount of time that a client (browser) is allowed to
- remain connected to the cache process. This protects the Cache
- from having a lot of sockets (and hence file descriptors) tied up
- in a CLOSE_WAIT state from remote clients that go away without
- properly shutting down (either because of a network failure or
- because of a poor client implementation). The default is one
- day, 1440 minutes.
-
- NOTE: The default value is intended to be much larger than any
- client would ever need to be connected to your cache. You
- should probably change client_lifetime only as a last resort.
- If you seem to have many client connections tying up
- filedescriptors, we recommend first tuning the read_timeout,
- request_timeout, persistent_request_timeout and quick_abort values.
- DOC_END
-
- NAME: half_closed_clients
- TYPE: onoff
- LOC: Config.onoff.half_closed_clients
- DEFAULT: on
- DOC_START
- Some clients may shutdown the sending side of their TCP
- connections, while leaving their receiving sides open. Sometimes,
- Squid can not tell the difference between a half-closed and a
- fully-closed TCP connection. By default, half-closed client
- connections are kept open until a read(2) or write(2) on the
- socket returns an error. Change this option to 'off' and Squid
- will immediately close client connections when read(2) returns
- "no more data to read."
- DOC_END
-
- NAME: pconn_timeout
- TYPE: time_t
- LOC: Config.Timeout.pconn
- DEFAULT: 120 seconds
- DOC_START
- Timeout for idle persistent connections to servers and other
- proxies.
- DOC_END
-
- NAME: ident_timeout
- TYPE: time_t
- IFDEF: USE_IDENT
- LOC: Config.Timeout.ident
- DEFAULT: 10 seconds
- DOC_START
- Maximum time to wait for IDENT lookups to complete.
-
- If this is too high, and you enabled IDENT lookups from untrusted
- users, then you might be susceptible to denial-of-service by having
- many ident requests going at once.
- DOC_END
-
-
- NAME: shutdown_lifetime
- COMMENT: time-units
- TYPE: time_t
- LOC: Config.shutdownLifetime
- DEFAULT: 30 seconds
- DOC_START
- When SIGTERM or SIGHUP is received, the cache is put into
- "shutdown pending" mode until all active sockets are closed.
- This value is the lifetime to set for all open descriptors
- during shutdown mode. Any active clients after this many
- seconds will receive a 'timeout' message.
- DOC_END
-
- COMMENT_START
- ACCESS CONTROLS
- -----------------------------------------------------------------------------
- COMMENT_END
-
- NAME: acl
- TYPE: acl
- LOC: Config.aclList
- DEFAULT: none
- DOC_START
- Defining an Access List
-
- acl aclname acltype string1 ...
- acl aclname acltype "file" ...
-
- when using "file", the file should contain one item per line
-
- acltype is one of the types described below
-
- By default, regular expressions are CASE-SENSITIVE. To make
- them case-insensitive, use the -i option.
-
- acl aclname src ip-address/netmask ... (clients IP address)
- acl aclname src addr1-addr2/netmask ... (range of addresses)
- acl aclname dst ip-address/netmask ... (URL host's IP address)
- acl aclname myip ip-address/netmask ... (local socket IP address)
-
- acl aclname srcdomain .foo.com ... # reverse lookup, client IP
- acl aclname dstdomain .foo.com ... # Destination server from URL
- acl aclname srcdom_regex [-i] xxx ... # regex matching client name
- acl aclname dstdom_regex [-i] xxx ... # regex matching server
+ acl aclname srcdomain .foo.com ... # reverse lookup, client IP
+ acl aclname dstdomain .foo.com ... # Destination server from URL
+ acl aclname srcdom_regex [-i] xxx ... # regex matching client name
+ acl aclname dstdom_regex [-i] xxx ... # regex matching server
# For dstdomain and dstdom_regex a reverse lookup is tried if a IP
# based URL is used. The name "none" is used if the reverse lookup
# fails.
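Review bot: the removed and added lines in this region carry identical text (`acl aclname srcdomain .foo.com ...` through `acl aclname dstdom_regex [-i] xxx ...`), so the change is confined to leading whitespace that is not visible in the rendered diff; please state in the commit message that this is a whitespace-only reindent so reviewers do not hunt for a content change. The reindent is also only partially applied here: the three continuation comment lines `# For dstdomain and dstdom_regex ...` through `# fails.` are left as unchanged context at column 0 while the syntax lines directly above them were moved, so either indent those comment lines in the same `+ #` style used further down or leave the whole entry as it was.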
- acl aclname time [day-abbrevs] [h1:m1-h2:m2]
-
- day-abbrevs:
- S - Sunday
- M - Monday
- T - Tuesday
- W - Wednesday
- H - Thursday
- F - Friday
- A - Saturday
-
- h1:m1 must be less than h2:m2
-
- acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
- acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
- acl aclname port 80 70 21 ...
- acl aclname port 0-1024 ... # ranges allowed
- acl aclname myport 3128 ... # (local socket TCP port)
- acl aclname proto HTTP FTP ...
- acl aclname method GET POST ...
- acl aclname browser [-i] regexp ...
-# pattern match on User-Agent header
- acl aclname referer_regex [-i] regexp ...
-# pattern match on Referer header
+ acl aclname time [day-abbrevs] [h1:m1-h2:m2]
+ day-abbrevs:
+ S - Sunday
+ M - Monday
+ T - Tuesday
+ W - Wednesday
+ H - Thursday
+ F - Friday
+ A - Saturday
+ h1:m1 must be less than h2:m2
+ acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
+ acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
+ acl aclname port 80 70 21 ...
+ acl aclname port 0-1024 ... # ranges allowed
+ acl aclname myport 3128 ... # (local socket TCP port)
+ acl aclname proto HTTP FTP ...
+ acl aclname method GET POST ...
+ acl aclname browser [-i] regexp ...
+ # pattern match on User-Agent header
+ acl aclname referer_regex [-i] regexp ...
+ # pattern match on Referer header
# Referer is highly unreliable, so use with care
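Review bot: the rewritten `time` ACL section drops the blank lines that separated `acl aclname time [day-abbrevs] [h1:m1-h2:m2]` from the `day-abbrevs:` list and the list from `h1:m1 must be less than h2:m2`, so the day-letter table now runs straight into the surrounding syntax lines; for a whitespace-only pass those blank lines should be kept. In the same region the continuation comments gain a leading space (`+ # pattern match on User-Agent header`, `+ # pattern match on Referer header`) while the untouched `# Referer is highly unreliable, so use with care` line immediately below does not, leaving one ACL entry with two indentation styles.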
- acl aclname ident username ...
- acl aclname ident_regex [-i] pattern ...
-# string match on ident output.
+ acl aclname ident username ...
+ acl aclname ident_regex [-i] pattern ...
+ # string match on ident output.
# use REQUIRED to accept any non-null ident.
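Review bot: the `ident` / `ident_regex` entry (`# string match on ident output.`, `# use REQUIRED to accept any non-null ident.`) could use a reliability caveat like the one given for Referer: the ident reply is whatever the client host chooses to return, and the `ident_timeout` text earlier in this file already warns that enabling lookups for untrusted users exposes the proxy to denial of service, so it is worth saying here that an ident ACL is not a substitute for `proxy_auth`.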
- acl aclname src_as number ...
- acl aclname dst_as number ...
-# Except for access control, AS numbers can be used for
+ acl aclname src_as number ...
+ acl aclname dst_as number ...
+ # Except for access control, AS numbers can be used for
# routing of requests to specific caches. Here's an
# example for routing all requests for AS#1241 and only
# those to mycache.mydomain.net:
# cache_peer_access mycache.mydomain.net allow asexample
# cache_peer_access mycache_mydomain.net deny all
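Review bot: the AS routing example has a typo on its second line: `cache_peer_access mycache_mydomain.net deny all` uses an underscore where the allow line above it (`cache_peer_access mycache.mydomain.net allow asexample`) uses a dot, so the two lines name different peers and the deny rule does not apply to the peer the example is about. Since this block is being touched anyway, change it to `cache_peer_access mycache.mydomain.net deny all`.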
- acl aclname proxy_auth [-i] username ...
- acl aclname proxy_auth_regex [-i] pattern ...
-# list of valid usernames
+ acl aclname proxy_auth [-i] username ...
+ acl aclname proxy_auth_regex [-i] pattern ...
+ # list of valid usernames
# use REQUIRED to accept any valid username.
#
# NOTE: when a Proxy-Authentication header is sent but it is not
# the browser needs to be configured for using a proxy in order
# to respond to proxy authentication.
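Review bot: the NOTE under `proxy_auth` is an incomplete sentence: `when a Proxy-Authentication header is sent but it is not` runs directly into `the browser needs to be configured for using a proxy in order to respond to proxy authentication`, so a clause is missing between those two lines. As this entry is being reindented, restore the dropped text rather than carrying the fragment forward.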
- acl aclname snmp_community string ...
-# A community string to limit access to your SNMP Agent
+ acl aclname snmp_community string ...
+ # A community string to limit access to your SNMP Agent
# Example:
#
# acl snmppublic snmp_community public
- acl aclname maxconn number
-# This will be matched when the client's IP address has
+ acl aclname maxconn number
+ # This will be matched when the client's IP address has
# more than <number> HTTP connections established.
- acl aclname max_user_ip [-s] number
-# This will be matched when the user attempts to log in from more
+ acl aclname max_user_ip [-s] number
+ # This will be matched when the user attempts to log in from more
# than <number> different ip addresses. The authenticate_ip_ttl
# parameter controls the timeout on the ip entries.
# If -s is specified then the limit is strict, denying browsing