From: robertc <> Date: Wed, 13 Aug 2003 06:17:24 +0000 (+0000) Subject: Summary: Add %sB", LFT_REQUEST_SIZE_BODY_NO_TE }, */ {"(al->cache.highOffset); + + doint = 1; + + break; + + case LFT_REPLY_OBJECTSIZE: + outint = static_cast(al->cache.objectSize); + + doint = 1; + + break; + /*case LFT_REPLY_SIZE_LINE: */ /*case LFT_REPLY_SIZE_HEADERS: */ /*case LFT_REPLY_SIZE_BODY: */ diff --git a/src/cf.data.pre b/src/cf.data.pre index 93357bc366..f43379cb9e 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.334 2003/07/25 17:54:35 hno Exp $ +# $Id: cf.data.pre,v 1.335 2003/08/13 00:17:24 robertc Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -31,1754 +31,1779 @@ # COMMENT_START - WELCOME TO SQUID @VERSION@ - ---------------------------- +WELCOME TO SQUID @VERSION@ +---------------------------- - This is the default Squid configuration file. You may wish - to look at the Squid home page (http://www.squid-cache.org/) - for the FAQ and other documentation. +This is the default Squid configuration file. You may wish - The default Squid config file shows what the defaults for - various options happen to be. If you don't need to change the - default, you shouldn't uncomment the line. Doing so may cause - run-time problems. In some cases "none" refers to no default - setting at all, while in other cases it refers to a valid - option - the comments for that keyword indicate if this is the - case. + to look at the Squid home page (http://www.squid-cache.org/) -COMMENT_END + for the FAQ and other documentation. -COMMENT_START - NETWORK OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: http_port ascii_port -TYPE: http_port_list -DEFAULT: none -LOC: Config.Sockaddr.http -DOC_START - Usage: port [options] - hostname:port [options] - 1.2.3.4:port [options] - - The socket addresses where Squid will listen for HTTP client - requests. You may specify multiple socket addresses. - There are three forms: port alone, hostname with port, and - IP address with port. If you specify a hostname or IP - address, then Squid binds the socket to that specific - address. This replaces the old 'tcp_incoming_address' - option. Most likely, you do not need to bind to a specific - address, so you can use the port number alone. - - If you are running Squid in accelerator mode, then you - probably want to listen on port 80 also, or instead. - - The -a command line option will override the *first* port - number listed here. That option will NOT override an IP - address, however. - - You may specify multiple socket addresses on multiple lines. - - options are: - accel Accelerator mode - transparent Support for transparent proxies - vhost Accelerator using Host directive - vport Accelerator with IP virtual host support - vport=NN As above, but uses specified port number - rather than the http_port number. - defaultsite=xx Main web site name for accelerators. - also implies accel - protocol= Protocol to reconstruct accelerated - requests with. Defaults to http. - - If you run Squid on a dual-homed machine with an internal - and an external interface then we recommend you to specify the - internal address:port in http_port. This way Squid will only be - visible on the internal address. -NOCOMMENT_START -# Squid normally listens to port 3128 -http_port 3128 -NOCOMMENT_END -DOC_END - -NAME: https_port -IFDEF: USE_SSL -TYPE: https_port_list -DEFAULT: none -LOC: Config.Sockaddr.https -DOC_START - Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] - - The socket address where Squid will listen for HTTPS client - requests. - - This is really only useful for situations where you are running - squid in accelerator mode and you want to do the SSL work at the - accelerator level. - - You may specify multiple socket addresses on multiple lines, - each with their own SSL certificate and/or options. - - Options: - - defaultsite= The name of the https site presented on - this port. - - protocol= Protocol to reconstruct accelerated requests - with. Defaults to https. - - cert= Path to SSL certificate (PEM format) - - key= Path to SSL private key file (PEM format) - if not specified, the certificate file is - assumed to be a combined certificate and - key file - - version= The version of SSL/TLS supported - 1 automatic (default) - 2 SSLv2 only - 3 SSLv3 only - 4 TLSv1 only - - cipher= Colon separated list of supported ciphers - - options= Varions SSL engine options. The most important - being: - NO_SSLv2 Disallow the use of SSLv2 - NO_SSLv3 Disallow the use of SSLv3 - NO_TLSv1 Disallow the use of TLSv1 - SINGLE_DH_USE Always create a new key when using - temporary/ephemeral DH key exchanges - See src/ssl_support.c or OpenSSL SSL_CTX_set_options - documentation for a complete list of options. - - clientca= File containing the list of CAs to use when - requesting a client certificate - - cafile= File containing additional CA certificates to - use when verifying client certificates. If unset - clientca will be used. - - capath= Directory containing additional CA certificates - to use when verifying client certificates - - dhparams= File containing DH parameters for temporary/ephemeral - DH key exchanges - - sslflags= Various flags modifying the use of SSL: - DELAYED_AUTH - Don't request client certificates - immediately, but wait until acl processing - requires a certificate - NO_DEFAULT_CA - Don't use the default CA list built in - to OpenSSL. - -DOC_END - -NAME: ssl_unclean_shutdown -IFDEF: USE_SSL -TYPE: onoff -DEFAULT: off -LOC: Config.SSL.unclean_shutdown -DOC_START - Some browsers (especially MSIE) bugs out on SSL shutdown - messages. -DOC_END - -NAME: ssl_engine -IFDEF: USE_SSL -TYPE: string -LOC: Config.SSL.ssl_engine -DEFAULT: none -DOC_START - The openssl engine to use. You will need to set this if you - would like to use hardware SSL acceleration for example. -DOC_END - -NAME: sslproxy_client_certificate -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.cert -TYPE: string -DOC_START - Client SSL Certificate to use when proxying https:// URLs -DOC_END - -NAME: sslproxy_client_key -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.key -TYPE: string -DOC_START - Client SSL Key to use when proxying https:// URLs -DOC_END - -NAME: sslproxy_version -IFDEF: USE_SSL -DEFAULT: 1 -LOC: Config.ssl_client.version -TYPE: int -DOC_START - SSL version level to use when proxying https:// URLs -DOC_END - -NAME: sslproxy_options -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.options -TYPE: string -DOC_START - SSL engine options to use when proxying https:// URLs -DOC_END - -NAME: sslproxy_cipher -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.cipher -TYPE: string -DOC_START - SSL cipher list to use when proxying https:// URLs -DOC_END - -NAME: sslproxy_cafile -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.cafile -TYPE: string -DOC_START - file containing CA certificates to use when verifying server - certificates while proxying https:// URLs -DOC_END - -NAME: sslproxy_capath -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.capath -TYPE: string -DOC_START - directory containing CA certificates to use when verifying - server certificates while proxying https:// URLs -DOC_END - -NAME: sslproxy_flags -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.flags -TYPE: string -DOC_START - Various flags modifying the use of SSL while proxying https:// URLs: - DONT_VERIFY_PEER Accept certificates even if they fail to - verify. - NO_DEFAULT_CA Don't use the default CA list built in - to OpenSSL. -DOC_END - -NAME: icp_port udp_port -TYPE: ushort -DEFAULT: 0 -LOC: Config.Port.icp -DOC_START - The port number where Squid sends and receives ICP queries to - and from neighbor caches. The standard UDP port for ICP is 3130. - Default is disabled (0). -NOCOMMENT_START -icp_port 3130 -NOCOMMENT_END -DOC_END - -NAME: htcp_port -IFDEF: USE_HTCP -TYPE: ushort -DEFAULT: 4827 -LOC: Config.Port.htcp -DOC_START - The port number where Squid sends and receives HTCP queries to - and from neighbor caches. Default is 4827. To disable use - "0". -DOC_END - - -NAME: mcast_groups -TYPE: wordlist -LOC: Config.mcast_group_list -DEFAULT: none -DOC_START - This tag specifies a list of multicast groups which your server - should join to receive multicasted ICP queries. - - NOTE! Be very careful what you put here! Be sure you - understand the difference between an ICP _query_ and an ICP - _reply_. This option is to be set only if you want to RECEIVE - multicast queries. Do NOT set this option to SEND multicast - ICP (use cache_peer for that). ICP replies are always sent via - unicast, so this option does not affect whether or not you will - receive replies from multicast group members. - - You must be very careful to NOT use a multicast address which - is already in use by another group of caches. - - If you are unsure about multicast, please read the Multicast - chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/). - - Usage: mcast_groups 239.128.16.128 224.0.1.20 - - By default, Squid doesn't listen on any multicast groups. -DOC_END - - -NAME: udp_incoming_address -TYPE: address -LOC:Config.Addrs.udp_incoming -DEFAULT: 0.0.0.0 -DOC_NONE - -NAME: udp_outgoing_address -TYPE: address -LOC: Config.Addrs.udp_outgoing -DEFAULT: 255.255.255.255 -DOC_START - udp_incoming_address is used for the ICP socket receiving packets - from other caches. - udp_outgoing_address is used for ICP packets sent out to other - caches. - - The default behavior is to not bind to any specific address. - - A udp_incoming_address value of 0.0.0.0 indicates that Squid should - listen for UDP messages on all available interfaces. - - If udp_outgoing_address is set to 255.255.255.255 (the default) - then it will use the same socket as udp_incoming_address. Only - change this if you want to have ICP queries sent using another - address than where this Squid listens for ICP queries from other - caches. - - NOTE, udp_incoming_address and udp_outgoing_address can not - have the same value since they both use port 3130. -DOC_END + The default Squid config file shows what the defaults for + various options happen to be. If you don't need to change the + default, you shouldn't uncomment the line. Doing so may cause + run-time problems. In some cases "none" refers to no default + setting at all, while in other cases it refers to a valid + option - the comments for that keyword indicate if this is the + case. -COMMENT_START - OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM - ----------------------------------------------------------------------------- -COMMENT_END + COMMENT_END -NAME: cache_peer -TYPE: peer -DEFAULT: none -LOC: Config.peers -DOC_START - To specify other caches in a hierarchy, use the format: + COMMENT_START + NETWORK OPTIONS + ----------------------------------------------------------------------------- + COMMENT_END - cache_peer hostname type http_port icp_port [options] + NAME: http_port ascii_port - For example, + TYPE: http_port_list - # proxy icp - # hostname type port port options - # -------------------- -------- ----- ----- ----------- - cache_peer parent.foo.net parent 3128 3130 [proxy-only] - cache_peer sib1.foo.net sibling 3128 3130 [proxy-only] - cache_peer sib2.foo.net sibling 3128 3130 [proxy-only] - - type: either 'parent', 'sibling', or 'multicast'. - - proxy_port: The port number where the cache listens for proxy - requests. - - icp_port: Used for querying neighbor caches about - objects. To have a non-ICP neighbor - specify '7' for the ICP port and make sure the - neighbor machine has the UDP echo port - enabled in its /etc/inetd.conf file. - - options: proxy-only - weight=n - basetime=n - ttl=n - no-query - background-ping - default - round-robin - weighted-round-robin - carp - multicast-responder - closest-only - no-digest - no-netdb-exchange - no-delay - login=user:password | PASS | *:password - connect-timeout=nn - digest-url=url - allow-miss - max-conn - htcp - originserver - name=xxx - forceddomain=name - ssl - sslcert=/path/to/ssl/certificate - sslkey=/path/to/ssl/key - sslversion=1|2|3|4 - sslcipher=... - ssloptions=... - front-end-https[=on|auto] - - use 'proxy-only' to specify that objects fetched - from this cache should not be saved locally. - - use 'weight=n' to specify a weighted parent. - The weight must be an integer. The default weight - is 1, larger weights are favored more. - - use 'basetime=n' to specify a base amount to - be subtracted from round trip times of parents. - It is subtracted before division by weight in calculating - which parent to fectch from. If the rtt is less than the - base time then the rtt is set to a minimal value. - - use 'ttl=n' to specify a IP multicast TTL to use - when sending an ICP queries to this address. - Only useful when sending to a multicast group. - Because we don't accept ICP replies from random - hosts, you must configure other group members as - peers with the 'multicast-responder' option below. - - use 'no-query' to NOT send ICP queries to this - neighbor. - - use 'background-ping' to only send ICP queries to this - neighbor infrequently. This is used to keep the neighbor - round trip time updated and is usually used in - conjunction with weighted-round-robin. - - use 'default' if this is a parent cache which can - be used as a "last-resort." You should probably - only use 'default' in situations where you cannot - use ICP with your parent cache(s). - - use 'round-robin' to define a set of parents which - should be used in a round-robin fashion in the - absence of any ICP queries. - - use 'weighted-round-robin' to define a set of parents - which should be used in a round-robin fashion with the - frequency of each parent being based on the round trip - time. Closer parents are used more often. - Usually used for background-ping parents. - - use 'carp' to define a set of parents which should - be used as a CARP array. The requests will then be - distributed among the parents based on the CARP load - balancing hash function based on their weigth. - - 'multicast-responder' indicates that the named peer - is a member of a multicast group. ICP queries will - not be sent directly to the peer, but ICP replies - will be accepted from it. - - 'closest-only' indicates that, for ICP_OP_MISS - replies, we'll only forward CLOSEST_PARENT_MISSes - and never FIRST_PARENT_MISSes. - - use 'no-digest' to NOT request cache digests from - this neighbor. - - 'no-netdb-exchange' disables requesting ICMP - RTT database (NetDB) from the neighbor. - - use 'no-delay' to prevent access to this neighbor - from influencing the delay pools. - - use 'login=user:password' if this is a personal/workgroup - proxy and your parent requires proxy authentication. - Note: The string can include URL escapes (i.e. %20 for - spaces). This also means that % must be written as %%. - - use 'login=PASS' if users must authenticate against - the upstream proxy. This will pass the users credentials - as they are to the peer proxy. This only works for the - Basic HTTP authentication sheme. Note: To combine this - with proxy_auth both proxies must share the same user - database as HTTP only allows for one proxy login. - Also be warned that this will expose your users proxy - password to the peer. USE WITH CAUTION - - use 'login=*:password' to pass the username to the - upstream cache, but with a fixed password. This is meant - to be used when the peer is in another administrative - domain, but it is still needed to identify each user. - The star can optionally be followed by some extra - information which is added to the username. This can - be used to identify this proxy to the peer, similar to - the login=username:password option above. - - use 'connect-timeout=nn' to specify a peer - specific connect timeout (also see the - peer_connect_timeout directive) - - use 'digest-url=url' to tell Squid to fetch the cache - digest (if digests are enabled) for this host from - the specified URL rather than the Squid default - location. - - use 'allow-miss' to disable Squid's use of only-if-cached - when forwarding requests to siblings. This is primarily - useful when icp_hit_stale is used by the sibling. To - extensive use of this option may result in forwarding - loops, and you should avoid having two-way peerings - with this option. (for example to deny peer usage on - requests from peer by denying cache_peer_access if the - source is a peer) - - use 'max-conn' to limit the amount of connections Squid - may open to this peer. - - use 'htcp' to send HTCP, instead of ICP, queries - to the neighbor. You probably also want to - set the "icp port" to 4827 instead of 3130. - - 'originserver' causes this parent peer to be contacted as - a origin server. Meant to be used in accelerator setups. - - use 'name=xxx' if you have multiple peers on the same - host but different ports. This name can then be used to - differentiate the peers in cache_peer_access and similar - directives. - - use 'forceddomain=name' to forcibly set the Host header - of requests forwarded to this peer. Useful in accelerator - setups where the server (peer) expects a certain domain - name and using redirectors to feed this domainname - is not feasible. - - use 'ssl' to indicate that connections to this peer should - bs SSL/TLS encrypted. - - use 'sslcert=/path/to/ssl/certificate' to specify a client - SSL certificate to use when connecting to this peer. - - use 'sslkey=/path/to/ssl/key' to specify the private SSL - key corresponding to sslcert above. If 'sslkey' is not - specified then 'sslcert' is assumed to reference a - combined file containing both the certificate and the key. - - use sslversion=1|2|3|4 to specify the SSL version to use - when connecting to this peer - 1 = automatic (default) - 2 = SSL v2 only - 3 = SSL v3 only - 4 = TLS v1 only - - use sslcipher=... to specify the list of valid SSL chipers - to use when connecting to this peer - - use ssloptions=... to specify various SSL engine options: - NO_SSLv2 Disallow the use of SSLv2 - NO_SSLv3 Disallow the use of SSLv3 - NO_TLSv1 Disallow the use of TLSv1 - See src/ssl_support.c or the OpenSSL documentation for - a more complete list. - - use cafile=... to specify a file containing additional - CA certificates to use when verifying the peer certificate - - use capath=... to specify a directory containing additional - CA certificates to use when verifying the peer certificate - - use sslflags=... to specify various flags modifying the - SSL implementation: - DONT_VERIFY_PEER - Accept certificates even if they fail to - verify. - NO_DEFAULT_CA - Don't use the default CA list built in - to OpenSSL. - DONT_VERIFY_DOMAIN - Don't verify that the peer certificate - matches the server name - - use sslname= to specify the peer name as advertised - in it's certificate. Used for verifying the correctness - of the received peer certificate. If not specified the - peer hostname will be used. - - use front-end-https to enable the "Front-End-Https: On" - header needed when using Squid as a SSL frontend infront - of Microsoft OWA. See MS KB document Q307347 for details - on this header. If set to auto then the header will - only be added if the request is forwarded as a https:// - URL. - - NOTE: non-ICP neighbors must be specified as 'parent'. -DOC_END - -NAME: cache_peer_domain cache_host_domain -TYPE: hostdomain -DEFAULT: none -LOC: none -DOC_START - Use to limit the domains for which a neighbor cache will be - queried. Usage: - - cache_peer_domain cache-host domain [domain ...] - cache_peer_domain cache-host !domain - - For example, specifying - - cache_peer_domain parent.foo.net .edu - - has the effect such that UDP query packets are sent to - 'bigserver' only when the requested object exists on a - server in the .edu domain. Prefixing the domainname - with '!' means that the cache will be queried for objects - NOT in that domain. - - NOTE: * Any number of domains may be given for a cache-host, - either on the same or separate lines. - * When multiple domains are given for a particular - cache-host, the first matched domain is applied. - * Cache hosts with no domain restrictions are queried - for all requests. - * There are no defaults. - * There is also a 'cache_peer_access' tag in the ACL - section. -DOC_END - - -NAME: neighbor_type_domain -TYPE: hostdomaintype -DEFAULT: none -LOC: none -DOC_START - usage: neighbor_type_domain neighbor parent|sibling domain domain ... - - Modifying the neighbor type for specific domains is now - possible. You can treat some domains differently than the the - default neighbor type specified on the 'cache_peer' line. - Normally it should only be necessary to list domains which - should be treated differently because the default neighbor type - applies for hostnames which do not match domains listed here. - -EXAMPLE: - cache_peer parent cache.foo.org 3128 3130 - neighbor_type_domain cache.foo.org sibling .com .net - neighbor_type_domain cache.foo.org sibling .au .de -DOC_END - -NAME: icp_query_timeout -COMMENT: (msec) -DEFAULT: 0 -TYPE: int -LOC: Config.Timeout.icp_query -DOC_START - Normally Squid will automatically determine an optimal ICP - query timeout value based on the round-trip-time of recent ICP - queries. If you want to override the value determined by - Squid, set this 'icp_query_timeout' to a non-zero value. This - value is specified in MILLISECONDS, so, to use a 2-second - timeout (the old default), you would write: - - icp_query_timeout 2000 -DOC_END - -NAME: maximum_icp_query_timeout -COMMENT: (msec) -DEFAULT: 2000 -TYPE: int -LOC: Config.Timeout.icp_query_max -DOC_START - Normally the ICP query timeout is determined dynamically. But - sometimes it can lead to very large values (say 5 seconds). - Use this option to put an upper limit on the dynamic timeout - value. Do NOT use this option to always use a fixed (instead - of a dynamic) timeout value. To set a fixed timeout see the - 'icp_query_timeout' directive. -DOC_END - -NAME: minimum_icp_query_timeout -COMMENT: (msec) -DEFAULT: 5 -TYPE: int -LOC: Config.Timeout.icp_query_min -DOC_START - Normally the ICP query timeout is determined dynamically. But - sometimes it can lead to very small timeouts, even lower than - the normal latency variance on your link due to traffic. - Use this option to put an lower limit on the dynamic timeout - value. Do NOT use this option to always use a fixed (instead - of a dynamic) timeout value. To set a fixed timeout see the - 'icp_query_timeout' directive. -DOC_END - -NAME: mcast_icp_query_timeout -COMMENT: (msec) -DEFAULT: 2000 -TYPE: int -LOC: Config.Timeout.mcast_icp_query -DOC_START - For Multicast peers, Squid regularly sends out ICP "probes" to - count how many other peers are listening on the given multicast - address. This value specifies how long Squid should wait to - count all the replies. The default is 2000 msec, or 2 - seconds. -DOC_END - -NAME: dead_peer_timeout -COMMENT: (seconds) -DEFAULT: 10 seconds -TYPE: time_t -LOC: Config.Timeout.deadPeer -DOC_START - This controls how long Squid waits to declare a peer cache - as "dead." If there are no ICP replies received in this - amount of time, Squid will declare the peer dead and not - expect to receive any further ICP replies. However, it - continues to send ICP queries, and will mark the peer as - alive upon receipt of the first subsequent ICP reply. - - This timeout also affects when Squid expects to receive ICP - replies from peers. If more than 'dead_peer' seconds have - passed since the last ICP reply was received, Squid will not - expect to receive an ICP reply on the next query. Thus, if - your time between requests is greater than this timeout, you - will see a lot of requests sent DIRECT to origin servers - instead of to your parents. -DOC_END - - -NAME: hierarchy_stoplist -TYPE: wordlist -DEFAULT: none -LOC: Config.hierarchy_stoplist -DOC_START - A list of words which, if found in a URL, cause the object to - be handled directly by this cache. In other words, use this - to not query neighbor caches for certain objects. You may - list this option multiple times. -NOCOMMENT_START -#We recommend you to use at least the following line. -hierarchy_stoplist cgi-bin ? -NOCOMMENT_END -DOC_END + DEFAULT: none + LOC: Config.Sockaddr.http + DOC_START -NAME: no_cache -TYPE: acl_access -DEFAULT: none -LOC: Config.accessList.noCache -DOC_START - A list of ACL elements which, if matched, cause the request to - not be satisfied from the cache and the reply to not be cached. - In other words, use this to force certain objects to never be cached. + Usage: port [options] - You must use the word 'DENY' to indicate the ACL names which should - NOT be cached. + hostname:port [options] -NOCOMMENT_START -#We recommend you to use the following two lines. -acl QUERY urlpath_regex cgi-bin \? -no_cache deny QUERY -NOCOMMENT_END -DOC_END - -NAME: background_ping_rate -COMMENT: time-units -TYPE: time_t -DEFAULT: 10 seconds -LOC: Config.backgroundPingRate -DOC_START - Controls how often the ICP pings are sent to siblings that - have background-ping set. -DOC_END + 1.2.3.4:port [options] + The socket addresses where Squid will listen for HTTP client + requests. You may specify multiple socket addresses. -COMMENT_START - OPTIONS WHICH AFFECT THE CACHE SIZE - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: cache_mem -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: 8 MB -LOC: Config.memMaxSize -DOC_START - NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE. - IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL - USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER - THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS. - - 'cache_mem' specifies the ideal amount of memory to be used - for: - * In-Transit objects - * Hot Objects - * Negative-Cached objects - - Data for these objects are stored in 4 KB blocks. This - parameter specifies the ideal upper limit on the total size of - 4 KB blocks allocated. In-Transit objects take the highest - priority. - - In-transit objects have priority over the others. When - additional space is needed for incoming data, negative-cached - and hot objects will be released. In other words, the - negative-cached and hot objects will fill up any unused space - not needed for in-transit objects. - - If circumstances require, this limit will be exceeded. - Specifically, if your incoming request rate requires more than - 'cache_mem' of memory to hold in-transit objects, Squid will - exceed this limit to satisfy the new requests. When the load - decreases, blocks will be freed until the high-water mark is - reached. Thereafter, blocks will be used to store hot - objects. -DOC_END - - -NAME: cache_swap_low -COMMENT: (percent, 0-100) -TYPE: int -DEFAULT: 90 -LOC: Config.Swap.lowWaterMark -DOC_NONE - -NAME: cache_swap_high -COMMENT: (percent, 0-100) -TYPE: int -DEFAULT: 95 -LOC: Config.Swap.highWaterMark -DOC_START - - The low- and high-water marks for cache object replacement. - Replacement begins when the swap (disk) usage is above the - low-water mark and attempts to maintain utilization near the - low-water mark. As swap utilization gets close to high-water - mark object eviction becomes more aggressive. If utilization is - close to the low-water mark less replacement is done each time. - - Defaults are 90% and 95%. If you have a large cache, 5% could be - hundreds of MB. If this is the case you may wish to set these - numbers closer together. -DOC_END - -NAME: maximum_object_size -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: 4096 KB -LOC: Config.Store.maxObjectSize -DOC_START - Objects larger than this size will NOT be saved on disk. The - value is specified in kilobytes, and the default is 4MB. If - you wish to get a high BYTES hit ratio, you should probably - increase this (one 32 MB object hit counts for 3200 10KB - hits). If you wish to increase speed more than your want to - save bandwidth you should leave this low. - - NOTE: if using the LFUDA replacement policy you should increase - this value to maximize the byte hit rate improvement of LFUDA! - See replacement_policy below for a discussion of this policy. -DOC_END - -NAME: minimum_object_size -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: 0 KB -LOC: Config.Store.minObjectSize -DOC_START - Objects smaller than this size will NOT be saved on disk. The - value is specified in kilobytes, and the default is 0 KB, which - means there is no minimum. -DOC_END - -NAME: maximum_object_size_in_memory -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: 8 KB -LOC: Config.Store.maxInMemObjSize -DOC_START - Objects greater than this size will not be attempted to kept in - the memory cache. This should be set high enough to keep objects - accessed frequently in memory to improve performance whilst low - enough to keep larger objects from hoarding cache_mem . -DOC_END - -NAME: ipcache_size -COMMENT: (number of entries) -TYPE: int -DEFAULT: 1024 -LOC: Config.ipcache.size -DOC_NONE - -NAME: ipcache_low -COMMENT: (percent) -TYPE: int -DEFAULT: 90 -LOC: Config.ipcache.low -DOC_NONE - -NAME: ipcache_high -COMMENT: (percent) -TYPE: int -DEFAULT: 95 -LOC: Config.ipcache.high -DOC_START - The size, low-, and high-water marks for the IP cache. -DOC_END - -NAME: fqdncache_size -COMMENT: (number of entries) -TYPE: int -DEFAULT: 1024 -LOC: Config.fqdncache.size -DOC_START - Maximum number of FQDN cache entries. -DOC_END - -NAME: cache_replacement_policy -TYPE: removalpolicy -LOC: Config.replPolicy -DEFAULT: lru -DOC_START - The cache replacement policy parameter determines which - objects are evicted (replaced) when disk space is needed. - - lru : Squid's original list based LRU policy - heap GDSF : Greedy-Dual Size Frequency - heap LFUDA: Least Frequently Used with Dynamic Aging - heap LRU : LRU policy implemented using a heap - - Applies to any cache_dir lines listed below this. - - The LRU policies keeps recently referenced objects. - - The heap GDSF policy optimizes object hit rate by keeping smaller - popular objects in cache so it has a better chance of getting a - hit. It achieves a lower byte hit rate than LFUDA though since - it evicts larger (possibly popular) objects. - - The heap LFUDA policy keeps popular objects in cache regardless of - their size and thus optimizes byte hit rate at the expense of - hit rate since one large, popular object will prevent many - smaller, slightly less popular objects from being cached. - - Both policies utilize a dynamic aging mechanism that prevents - cache pollution that can otherwise occur with frequency-based - replacement policies. - - NOTE: if using the LFUDA replacement policy you should increase - the value of maximum_object_size above its default of 4096 KB to - to maximize the potential byte hit rate improvement of LFUDA. - - For more information about the GDSF and LFUDA cache replacement - policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html - and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. -DOC_END - -NAME: memory_replacement_policy -TYPE: removalpolicy -LOC: Config.memPolicy -DEFAULT: lru -DOC_START - The memory replacement policy parameter determines which - objects are purged from memory when memory space is needed. - - See cache_replacement_policy for details. -DOC_END + There are three forms: port alone, hostname with port, and + IP address with port. If you specify a hostname or IP + address, then Squid binds the socket to that specific + address. This replaces the old 'tcp_incoming_address' + option. Most likely, you do + not need to bind to a specific + address, so you can use the port number alone. + If you are running Squid in accelerator mode, then you + probably want to listen on port 80 also, or instead. -COMMENT_START - LOGFILE PATHNAMES AND CACHE DIRECTORIES - ----------------------------------------------------------------------------- -COMMENT_END + The -a command line option will override the *first* port + number listed here. That option will NOT override an IP + address, however. -NAME: cache_dir -TYPE: cachedir -DEFAULT: none -DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256 -LOC: Config.cacheSwap -DOC_START - Usage: - - cache_dir Type Directory-Name Fs-specific-data [options] + You may specify multiple socket addresses on multiple lines. - You can specify multiple cache_dir lines to spread the - cache among different disk partitions. + options are: + accel Accelerator mode + transparent Support for transparent proxies + vhost Accelerator using Host directive + vport Accelerator with IP virtual host support + vport=NN As above, but uses specified port number + rather than the http_port number. + defaultsite=xx Main web site name for accelerators. + also implies accel + protocol= Protocol to reconstruct accelerated + requests with. Defaults to http. - Type specifies the kind of storage system to use. Only "ufs" - is built by default. To eanble any of the other storage systems - see the --enable-storeio configure option. + If you run Squid on a dual-homed machine with an internal - 'Directory' is a top-level directory where cache swap - files will be stored. If you want to use an entire disk - for caching, then this can be the mount-point directory. - The directory must exist and be writable by the Squid - process. Squid will NOT create this directory for you. + and an external interface then we recommend you to specify the + internal address:port in http_port. This way Squid will only be + visible on the internal address. + NOCOMMENT_START +# Squid normally listens to port 3128 + http_port 3128 + NOCOMMENT_END + DOC_END + + NAME: https_port + IFDEF: USE_SSL + TYPE: https_port_list + DEFAULT: none + LOC: Config.Sockaddr.https + DOC_START + Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] + + The socket address where Squid will listen for HTTPS client + requests. + + This is really only useful for situations where you are running + squid in accelerator mode and you want to do + the SSL work at the + accelerator level. + + You may specify multiple socket addresses on multiple lines, + each with their own SSL certificate and/or options. + + Options: + + defaultsite= The name of the https site presented on + this port. + + protocol= Protocol to reconstruct accelerated requests + with. Defaults to https. + + cert= Path to SSL certificate (PEM format) + + key= Path to SSL private key file (PEM format) + if not specified, the certificate file is + assumed to be a combined certificate and + key file + + version= The version of SSL/TLS supported + 1 automatic (default) + 2 SSLv2 only + 3 SSLv3 only + 4 TLSv1 only + + cipher= Colon separated list of supported ciphers + + options= Varions SSL engine options. The most important + being: + NO_SSLv2 Disallow the use of SSLv2 + NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1 + SINGLE_DH_USE Always create a new key when using + temporary/ephemeral DH key exchanges + See src/ssl_support.c or OpenSSL SSL_CTX_set_options + documentation for a complete list of options. + + clientca= File containing the list of CAs to use when + requesting a client certificate + + cafile= File containing additional CA certificates to + use when verifying client certificates. If unset + clientca will be used. + + capath= Directory containing additional CA certificates + to use when verifying client certificates + + dhparams= File containing DH parameters for temporary/ephemeral + DH key exchanges + + sslflags= Various flags modifying the use of SSL: + DELAYED_AUTH + Don't request client certificates + immediately, but wait until acl processing + requires a certificate + NO_DEFAULT_CA + Don't use the default CA list built in + to OpenSSL. + + DOC_END + + NAME: ssl_unclean_shutdown + IFDEF: USE_SSL + TYPE: onoff + DEFAULT: off + LOC: Config.SSL.unclean_shutdown + DOC_START + Some browsers (especially MSIE) bugs out on SSL shutdown + messages. + DOC_END + + NAME: ssl_engine + IFDEF: USE_SSL + TYPE: string + LOC: Config.SSL.ssl_engine + DEFAULT: none + DOC_START + The openssl engine to use. You will need to set + this if you + would like to use hardware SSL acceleration for example. + DOC_END + + NAME: sslproxy_client_certificate + IFDEF: USE_SSL + DEFAULT: none + LOC: Config.ssl_client.cert + TYPE: string + DOC_START + Client SSL Certificate to use when proxying https:// URLs + DOC_END + + NAME: sslproxy_client_key + IFDEF: USE_SSL + DEFAULT: none + LOC: Config.ssl_client.key + TYPE: string + DOC_START + Client SSL Key to use when proxying https:// URLs + DOC_END + + NAME: sslproxy_version + IFDEF: USE_SSL + DEFAULT: 1 + LOC: Config.ssl_client.version + TYPE: int + DOC_START + SSL version level to use when proxying https:// URLs + DOC_END + + NAME: sslproxy_options + IFDEF: USE_SSL + DEFAULT: none + LOC: Config.ssl_client.options + TYPE: string + DOC_START + SSL engine options to use when proxying https:// URLs + DOC_END + + NAME: sslproxy_cipher + IFDEF: USE_SSL + DEFAULT: none + LOC: Config.ssl_client.cipher + TYPE: string + DOC_START + SSL cipher list to use when proxying https:// URLs + DOC_END + + NAME: sslproxy_cafile + IFDEF: USE_SSL + DEFAULT: none + LOC: Config.ssl_client.cafile + TYPE: string + DOC_START + file containing CA certificates to use when verifying server + certificates while proxying https:// URLs + DOC_END + + NAME: sslproxy_capath + IFDEF: USE_SSL + DEFAULT: none + LOC: Config.ssl_client.capath + TYPE: string + DOC_START + directory containing CA certificates to use when verifying + server certificates while proxying https:// URLs + DOC_END + + NAME: sslproxy_flags + IFDEF: USE_SSL + DEFAULT: none + LOC: Config.ssl_client.flags + TYPE: string + DOC_START + Various flags modifying the use of SSL while proxying https:// URLs: + DONT_VERIFY_PEER Accept certificates even if they fail to + verify. + NO_DEFAULT_CA Don't use the default CA list built in + to OpenSSL. + DOC_END + + NAME: icp_port udp_port + TYPE: ushort + DEFAULT: 0 + LOC: Config.Port.icp + DOC_START + The port number where Squid sends and receives ICP queries to + and from neighbor caches. The standard UDP port for ICP is 3130. + Default is disabled (0). + NOCOMMENT_START + icp_port 3130 + NOCOMMENT_END + DOC_END + + NAME: htcp_port + IFDEF: USE_HTCP + TYPE: ushort + DEFAULT: 4827 + LOC: Config.Port.htcp + DOC_START + The port number where Squid sends and receives HTCP queries to + and from neighbor caches. Default is 4827. To disable use + "0". + DOC_END + + + NAME: mcast_groups + TYPE: wordlist + LOC: Config.mcast_group_list + DEFAULT: none + DOC_START + This tag specifies a list of multicast groups which your server + should join to receive multicasted ICP queries. + + NOTE! Be very careful what you put here! Be sure you + understand the difference between an ICP _query_ and an ICP + _reply_. This option is to be set only if you want to RECEIVE + multicast queries. Do NOT set this option to SEND multicast + ICP (use cache_peer for that). ICP replies are always sent via + unicast, so this option does not affect whether or not you will + receive replies from multicast group members. + + You must be very careful to NOT use a multicast address which + is already in use by another group of caches. + + If you are unsure about multicast, please read the Multicast + chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/). + + Usage: mcast_groups 239.128.16.128 224.0.1.20 + + By default, Squid doesn't listen on any multicast groups. + DOC_END + + + NAME: udp_incoming_address + TYPE: address + LOC:Config.Addrs.udp_incoming + DEFAULT: 0.0.0.0 + DOC_NONE + + NAME: udp_outgoing_address + TYPE: address + LOC: Config.Addrs.udp_outgoing + DEFAULT: 255.255.255.255 + DOC_START + udp_incoming_address is used for the ICP socket receiving packets + from other caches. + udp_outgoing_address is used for ICP packets sent out to other + caches. + + The default behavior is to not bind to any specific address. + + A udp_incoming_address value of 0.0.0.0 indicates that Squid should + listen for UDP messages on all available interfaces. + + If udp_outgoing_address is set + to 255.255.255.255 (the default) + then it will use the same socket as udp_incoming_address. Only + change this if you want to have ICP queries sent using another + address than where this Squid listens for ICP queries from other + caches. + + NOTE, udp_incoming_address and udp_outgoing_address can not + have the same value since they both use port 3130. + DOC_END + + COMMENT_START + OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: cache_peer + TYPE: peer + DEFAULT: none + LOC: Config.peers + DOC_START + To specify other caches in a hierarchy, use the format: + + cache_peer hostname type http_port icp_port [options] + + For example, + +# proxy icp + # hostname type port port options + # -------------------- -------- ----- ----- ----------- + cache_peer parent.foo.net parent 3128 3130 [proxy-only] + cache_peer sib1.foo.net sibling 3128 3130 [proxy-only] + cache_peer sib2.foo.net sibling 3128 3130 [proxy-only] + + type: either 'parent', 'sibling', or 'multicast'. + + proxy_port: The port number where the cache listens for proxy + requests. + + icp_port: Used for querying neighbor caches about + objects. To have a non-ICP neighbor + specify '7' for the ICP port and make sure the + neighbor machine has the UDP echo port + enabled in its /etc/inetd.conf file. + + options: proxy-only + weight=n + basetime=n + ttl=n + no-query + background-ping + default + round-robin + weighted-round-robin + carp + multicast-responder + closest-only + no-digest + no-netdb-exchange + no-delay + login=user:password | PASS | *:password + connect-timeout=nn + digest-url=url + allow-miss + max-conn + htcp + originserver + name=xxx + forceddomain=name + ssl + sslcert=/path/to/ssl/certificate + sslkey=/path/to/ssl/key + sslversion=1|2|3|4 + sslcipher=... + ssloptions=... + front-end-https[=on|auto] + + use 'proxy-only' to specify that objects fetched + from this cache should not be saved locally. + + use 'weight=n' to specify a weighted parent. + The weight must be an integer. The default weight + is 1, larger weights are favored more. + + use 'basetime=n' to specify a base amount to + be subtracted from round trip times of parents. + It is subtracted before division by weight in calculating + which parent to fectch from. If the rtt is less than the + base time then the rtt is set + to a minimal value. + + use 'ttl=n' to specify a IP multicast TTL to use + when sending an ICP queries to this address. + Only useful when sending to a multicast group. + Because we don't accept ICP replies from random + hosts, you must configure other group members as + peers with the 'multicast-responder' option below. + + use 'no-query' to NOT send ICP queries to this + neighbor. + + use 'background-ping' to only send ICP queries to this + neighbor infrequently. This is used to keep the neighbor + round trip time updated and is usually used in + conjunction with weighted-round-robin. + + use 'default' if this is a parent cache which can + be used as a "last-resort." You should probably + only use 'default' in situations where you cannot + use ICP with your parent cache(s). + + use 'round-robin' to define a set of parents which + should be used in a round-robin fashion in the + absence of any ICP queries. + + use 'weighted-round-robin' to define a set of parents + which should be used in a round-robin fashion with the + frequency of each parent being based on the round trip + time. Closer parents are used more often. + Usually used for background-ping parents. + + use 'carp' to define a set of parents which should + be used as a CARP array. The requests will then be + distributed among the parents based on the CARP load + balancing hash function based on their weigth. + + 'multicast-responder' indicates that the named peer + is a member of a multicast group. ICP queries will + not be sent directly to the peer, but ICP replies + will be accepted from it. + + 'closest-only' indicates that, for ICP_OP_MISS + replies, we'll only forward CLOSEST_PARENT_MISSes + and never FIRST_PARENT_MISSes. + + use 'no-digest' to NOT request cache digests from + this neighbor. + + 'no-netdb-exchange' disables requesting ICMP + RTT database (NetDB) from the neighbor. + + use 'no-delay' to prevent access to this neighbor + from influencing the delay pools. + + use 'login=user:password' if this is a personal/workgroup + proxy and your parent requires proxy authentication. + Note: The string can include URL escapes (i.e. %20 for + spaces). This also means that % must be written as %%. + + use 'login=PASS' if users must authenticate against + the upstream proxy. This will pass the users credentials + as they are to the peer proxy. This only works for the + Basic HTTP authentication sheme. Note: To combine this + with proxy_auth both proxies must share the same user + database as HTTP only allows for one proxy login. + Also be warned that this will expose your users proxy + password to the peer. USE WITH CAUTION + + use 'login=*:password' to pass the username to the + upstream cache, but with a fixed password. This is meant + to be used when the peer is in another administrative + domain, but it is still needed to identify each user. + The star can optionally be followed by some extra + information which is added to the username. This can + be used to identify this proxy to the peer, similar to + the login=username:password option above. + + use 'connect-timeout=nn' to specify a peer + specific connect timeout (also see the + peer_connect_timeout directive) + + use 'digest-url=url' to tell Squid to fetch the cache + digest (if digests are enabled) for this host from + the specified URL rather than the Squid default + location. + + use 'allow-miss' to disable Squid's use of only-if-cached + when forwarding requests to siblings. This is primarily + useful when icp_hit_stale is used by the sibling. To + extensive use of this option may result in forwarding + loops, and you should avoid having two-way peerings + with this option. (for example to deny peer usage on + requests from peer by denying cache_peer_access if the + source is a peer) + + use 'max-conn' to limit the amount of connections Squid + may open to this peer. + + use 'htcp' to send HTCP, instead of ICP, queries + to the neighbor. You probably also want to + set the "icp port" to 4827 instead of 3130. + + 'originserver' causes this parent peer to be contacted as + a origin server. Meant to be used in accelerator setups. + + use 'name=xxx' if you have multiple peers on the same + host but different ports. This name can then be used to + differentiate the peers in cache_peer_access and similar + directives. + + use 'forceddomain=name' to forcibly set the Host header + of requests forwarded to this peer. Useful in accelerator + setups where the server (peer) expects a certain domain + name and using redirectors to feed this domainname + is not feasible. + + use 'ssl' to indicate that connections to this peer should + bs SSL/TLS encrypted. + + use 'sslcert=/path/to/ssl/certificate' to specify a client + SSL certificate to use when connecting to this peer. + + use 'sslkey=/path/to/ssl/key' to specify the private SSL + key corresponding to sslcert above. If 'sslkey' is not + specified then 'sslcert' is assumed to reference a + combined file containing both the certificate and the key. + + use sslversion=1|2|3|4 to specify the SSL version to use + when connecting to this peer + 1 = automatic (default) + 2 = SSL v2 only + 3 = SSL v3 only + 4 = TLS v1 only + + use sslcipher=... to specify the list of valid SSL chipers + to use when connecting to this peer + + use ssloptions=... to specify various SSL engine options: + NO_SSLv2 Disallow the use of SSLv2 + NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1 + See src/ssl_support.c or the OpenSSL documentation for + a more complete list. + + use cafile=... to specify a file containing additional + CA certificates to use when verifying the peer certificate + + use capath=... to specify a directory containing additional + CA certificates to use when verifying the peer certificate + + use sslflags=... to specify various flags modifying the + SSL implementation: + DONT_VERIFY_PEER + Accept certificates even if they fail to + verify. + NO_DEFAULT_CA + Don't use the default CA list built in + to OpenSSL. + DONT_VERIFY_DOMAIN + Don't verify that the peer certificate + matches the server name + + use sslname= to specify the peer name as advertised + in it's certificate. Used for verifying the correctness + of the received peer certificate. If not specified the + peer hostname will be used. + + use front-end-https to enable the "Front-End-Https: On" + header needed when using Squid as a SSL frontend infront + of Microsoft OWA. See MS KB document Q307347 for details + on this header. If set + to auto then the header will + only be added if the request is forwarded as a https:// + URL. + + NOTE: non-ICP neighbors must be specified as 'parent'. + DOC_END + + NAME: cache_peer_domain cache_host_domain + TYPE: hostdomain + DEFAULT: none + LOC: none + DOC_START + Use to limit the domains for which a neighbor cache will be + queried. Usage: + + cache_peer_domain cache-host domain [domain ...] + cache_peer_domain cache-host !domain + + For example, specifying + + cache_peer_domain parent.foo.net .edu + + has the effect such that UDP query packets are sent to + 'bigserver' only when the requested object exists on a + server in the .edu domain. Prefixing the domainname + with '!' means that the cache will be queried for objects + NOT in that domain. + + NOTE: * Any number of domains may be given for a cache-host, + either on the same or separate lines. + * When multiple domains are given for a particular + cache-host, the first matched domain is applied. + * Cache hosts with no domain restrictions are queried + for all requests. + * There are no defaults. + * There is also a 'cache_peer_access' tag in the ACL + section. + DOC_END + + + NAME: neighbor_type_domain + TYPE: hostdomaintype + DEFAULT: none + LOC: none + DOC_START + usage: neighbor_type_domain neighbor parent|sibling domain domain ... + + Modifying the neighbor type for specific domains is now + possible. You can treat some domains differently than the the + default neighbor type specified on the 'cache_peer' line. + Normally it should only be necessary to list domains which + should be treated differently because the default neighbor type + applies for hostnames which do + not match domains listed here. + + EXAMPLE: + cache_peer parent cache.foo.org 3128 3130 + neighbor_type_domain cache.foo.org sibling .com .net + neighbor_type_domain cache.foo.org sibling .au .de + DOC_END + + NAME: icp_query_timeout + COMMENT: (msec) + DEFAULT: 0 + TYPE: int + LOC: Config.Timeout.icp_query + DOC_START + Normally Squid will automatically determine an optimal ICP + query timeout value based on the round-trip-time of recent ICP + queries. If you want to override the value determined by + Squid, set + this 'icp_query_timeout' to a non-zero value. This + value is specified in MILLISECONDS, so, to use a 2-second + timeout (the old default), you would write: + + icp_query_timeout 2000 + DOC_END + + NAME: maximum_icp_query_timeout + COMMENT: (msec) + DEFAULT: 2000 + TYPE: int + LOC: Config.Timeout.icp_query_max + DOC_START + Normally the ICP query timeout is determined dynamically. But + sometimes it can lead to very large values (say 5 seconds). + Use this option to put an upper limit on the dynamic timeout + value. Do NOT use this option to always use a fixed (instead + of a dynamic) timeout value. To set + a fixed timeout see the + 'icp_query_timeout' directive. + DOC_END + + NAME: minimum_icp_query_timeout + COMMENT: (msec) + DEFAULT: 5 + TYPE: int + LOC: Config.Timeout.icp_query_min + DOC_START + Normally the ICP query timeout is determined dynamically. But + sometimes it can lead to very small timeouts, even lower than + the normal latency variance on your link due to traffic. + Use this option to put an lower limit on the dynamic timeout + value. Do NOT use this option to always use a fixed (instead + of a dynamic) timeout value. To set + a fixed timeout see the + 'icp_query_timeout' directive. + DOC_END + + NAME: mcast_icp_query_timeout + COMMENT: (msec) + DEFAULT: 2000 + TYPE: int + LOC: Config.Timeout.mcast_icp_query + DOC_START + For Multicast peers, Squid regularly sends out ICP "probes" to + count how many other peers are listening on the given multicast + address. This value specifies how long Squid should wait to + count all the replies. The default is 2000 msec, or 2 + seconds. + DOC_END + + NAME: dead_peer_timeout + COMMENT: (seconds) + DEFAULT: 10 seconds + TYPE: time_t + LOC: Config.Timeout.deadPeer + DOC_START + This controls how long Squid waits to declare a peer cache + as "dead." If there are no ICP replies received in this + amount of time, Squid will declare the peer dead and not + expect to receive any further ICP replies. However, it + continues to send ICP queries, and will mark the peer as + alive upon receipt of the first subsequent ICP reply. + + This timeout also affects when Squid expects to receive ICP + replies from peers. If more than 'dead_peer' seconds have + passed since the last ICP reply was received, Squid will not + expect to receive an ICP reply on the next query. Thus, if + your time between requests is greater than this timeout, you + will see a lot of requests sent DIRECT to origin servers + instead of to your parents. + DOC_END + + + NAME: hierarchy_stoplist + TYPE: wordlist + DEFAULT: none + LOC: Config.hierarchy_stoplist + DOC_START + A list of words which, if found in a URL, cause the object to + be handled directly by this cache. In other words, use this + to not query neighbor caches for certain objects. You may + list this option multiple times. + NOCOMMENT_START +#We recommend you to use at least the following line. + hierarchy_stoplist cgi-bin ? + NOCOMMENT_END + DOC_END - The ufs store type: - - "ufs" is the old well-known Squid storage format that has always - been there. - - cache_dir ufs Directory-Name Mbytes L1 L2 [options] - - 'Mbytes' is the amount of disk space (MB) to use under this - directory. The default is 100 MB. Change this to suit your - configuration. Do NOT put the size of your disk drive here. - Instead, if you want Squid to use the entire disk drive, - subtract 20% and use that value. - - 'Level-1' is the number of first-level subdirectories which - will be created under the 'Directory'. The default is 16. - - 'Level-2' is the number of second-level subdirectories which - will be created under each first-level directory. The default - is 256. - - The aufs store type: - - "aufs" uses the same storage format as "ufs", utilizing - POSIX-threads to avoid blocking the main Squid process on - disk-I/O. This was formerly known in Squid as async-io. - - cache_dir aufs Directory-Name Mbytes L1 L2 [options] - - see argument descriptions under ufs above - - The diskd store type: - - "diskd" uses the same storage format as "ufs", utilizing a - separate process to avoid blocking the main Squid process on - disk-I/O. - - cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] - - see argument descriptions under ufs above - - Q1 specifies the number of unacknowledged I/O requests when Squid - stops opening new files. If this many messages are in the queues, - Squid won't open new files. Default is 64 - - Q2 specifies the number of unacknowledged messages when Squid - starts blocking. If this many messages are in the queues, - Squid blocks until it recevies some replies. Default is 72 - - Common options: - - read-only, this cache_dir is read only. - - max-size=n, refers to the max object size this storedir supports. - It is used to initially choose the storedir to dump the object. - Note: To make optimal use of the max-size limits you should order - the cache_dir lines with the smallest max-size value first and the - ones with no max-size specification last. -DOC_END - - -NAME: logformat -TYPE: logformat -LOC: Config.Log.logformats -DEFAULT: none -DOC_START - Usage: - - logformat - - Defines an access log format. - - The is a string with embedded % format codes - - % format codes all follow the same basic structure where all but - the formatcode is optional. Output strings are automatically quoted - as required according to their context and the output format - modifiers are usually unneeded but can be specified if an explicit - quoting format is desired. - - % ["|[|'|#] [-] [[0]width] [{argument}] formatcode - - " quoted string output format - [ squid log quoted format as used by log_mime_hdrs - # URL quoted output format - ' No automatic quoting - - left aligned - width field width. If starting with 0 then the - output is zero padded - {arg} argument such as header name etc - - Format codes: - - >a Client source IP address - >A Client FQDN - h Request header. Optional header name argument - on the format header[:[separator]element] - h - un User name - ul User login - ui User ident - ue User from external acl - Hs HTTP status code - Ss Squid request status (TCP_MISS etc) - Sh Squid hierarchy status (DEFAULT_PARENT etc) - mt MIME content type - rm Request method (GET/POST etc) - ru Request URL - rv Request protocol version - et Tag returned by external acl - ea Log string returned by external acl - a %Ss/%03Hs %a %Ss/%03Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %h" "%{User-Agent}>h" %Ss:%Sh -DOC_END - -NAME: access_log cache_access_log -TYPE: access_log -LOC: Config.Log.accesslogs -DEFAULT: none -DEFAULT_IF_NONE: @DEFAULT_ACCESS_LOG@ -DOC_START - These files log client request activities. Has a line every HTTP or - ICP request. The format is: - access_log [ [acl acl ...]] - access_log none [acl acl ...]] - - Will log to the specified file using the specified format (which - must be defined in a logformat directive) those entries which match - ALL the acl's specified (which must be defined in acl clauses). - If no acl is specified, all requests will be logged to this file. - - To disable logging of a request specify "none". -DOC_END - - -NAME: cache_log -TYPE: string -DEFAULT: @DEFAULT_CACHE_LOG@ -LOC: Config.Log.log -DOC_START - Cache logging file. This is where general information about - your cache's behavior goes. You can increase the amount of data - logged to this file with the "debug_options" tag below. -DOC_END - - -NAME: cache_store_log -TYPE: string -DEFAULT: @DEFAULT_STORE_LOG@ -LOC: Config.Log.store -DOC_START - Logs the activities of the storage manager. Shows which - objects are ejected from the cache, and which objects are - saved and for how long. To disable, enter "none". There are - not really utilities to analyze this data, so you can safely - disable it. -DOC_END - - -NAME: cache_swap_log -TYPE: string -LOC: Config.Log.swap -DEFAULT: none -DOC_START - Location for the cache "swap.log." This log file holds the - metadata of objects saved on disk. It is used to rebuild the - cache during startup. Normally this file resides in each - 'cache_dir' directory, but you may specify an alternate - pathname here. Note you must give a full filename, not just - a directory. Since this is the index for the whole object - list you CANNOT periodically rotate it! - - If %s can be used in the file name then it will be replaced with a - a representation of the cache_dir name where each / is replaced - with '.'. This is needed to allow adding/removing cache_dir - lines when cache_swap_log is being used. - - If have more than one 'cache_dir', and %s is not used in the name - then these swap logs will have names such as: - - cache_swap_log.00 - cache_swap_log.01 - cache_swap_log.02 - - The numbered extension (which is added automatically) - corresponds to the order of the 'cache_dir' lines in this - configuration file. If you change the order of the 'cache_dir' - lines in this file, then these log files will NOT correspond to - the correct 'cache_dir' entry (unless you manually rename - them). We recommend that you do NOT use this option. It is - better to keep these log files in each 'cache_dir' directory. -DOC_END - - -NAME: emulate_httpd_log -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.common_log -DOC_START - The Cache can emulate the log file format which many 'httpd' - programs use. To disable/enable this emulation, set - emulate_httpd_log to 'off' or 'on'. The default - is to use the native log format since it includes useful - information that Squid-specific log analyzers use. -DOC_END - -NAME: log_ip_on_direct -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.log_ip_on_direct -DOC_START - Log the destination IP address in the hierarchy log tag when going - direct. Earlier Squid versions logged the hostname here. If you - prefer the old way set this to off. -DOC_END - -NAME: mime_table -TYPE: string -DEFAULT: @DEFAULT_MIME_TABLE@ -LOC: Config.mimeTablePathname -DOC_START - Pathname to Squid's MIME table. You shouldn't need to change - this, but the default file contains examples and formatting - information if you do. -DOC_END - - -NAME: log_mime_hdrs -COMMENT: on|off -TYPE: onoff -LOC: Config.onoff.log_mime_hdrs -DEFAULT: off -DOC_START - The Cache can record both the request and the response MIME - headers for each HTTP transaction. The headers are encoded - safely and will appear as two bracketed fields at the end of - the access log (for either the native or httpd-emulated log - formats). To enable this logging set log_mime_hdrs to 'on'. -DOC_END - - -NAME: useragent_log -TYPE: string -LOC: Config.Log.useragent -DEFAULT: none -IFDEF: USE_USERAGENT_LOG -DOC_START - Squid will write the User-Agent field from HTTP requests - to the filename specified here. By default useragent_log - is disabled. -DOC_END - - -NAME: referer_log -TYPE: string -LOC: Config.Log.referer -DEFAULT: none -IFDEF: USE_REFERER_LOG -DOC_START - Squid will write the Referer field from HTTP requests to the - filename specified here. By default referer_log is disabled. -DOC_END - - -NAME: pid_filename -TYPE: string -DEFAULT: @DEFAULT_PID_FILE@ -LOC: Config.pidFilename -DOC_START - A filename to write the process-id to. To disable, enter "none". -DOC_END - - -NAME: debug_options -TYPE: eol -DEFAULT: ALL,1 -LOC: Config.debugOptions -DOC_START - Logging options are set as section,level where each source file - is assigned a unique section. Lower levels result in less - output, Full debugging (level 9) can result in a very large - log file, so be careful. The magic word "ALL" sets debugging - levels for all sections. We recommend normally running with - "ALL,1". -DOC_END - - -NAME: log_fqdn -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.log_fqdn -DOC_START - Turn this on if you wish to log fully qualified domain names - in the access.log. To do this Squid does a DNS lookup of all - IP's connecting to it. This can (in some situations) increase - latency, which makes your cache seem slower for interactive - browsing. -DOC_END - - -NAME: client_netmask -TYPE: address -LOC: Config.Addrs.client_netmask -DEFAULT: 255.255.255.255 -DOC_START - A netmask for client addresses in logfiles and cachemgr output. - Change this to protect the privacy of your cache clients. - A netmask of 255.255.255.0 will log all IP's in that range with - the last digit set to '0'. -DOC_END + NAME: no_cache + TYPE: acl_access + DEFAULT: none + LOC: Config.accessList.noCache + DOC_START + A list of ACL elements which, if matched, cause the request to + not be satisfied from the cache and the reply to not be cached. + In other words, use this to force certain objects to never be cached. -COMMENT_START - OPTIONS FOR EXTERNAL SUPPORT PROGRAMS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: ftp_user -TYPE: string -DEFAULT: Squid@ -LOC: Config.Ftp.anon_user -DOC_START - If you want the anonymous login password to be more informative - (and enable the use of picky ftp servers), set this to something - reasonable for your domain, like wwwuser@somewhere.net - - The reason why this is domainless by default is that the - request can be made on the behalf of a user in any domain, - depending on how the cache is used. - Some ftp server also validate that the email address is valid - (for example perl.com). -DOC_END - -NAME: ftp_list_width -TYPE: size_t -DEFAULT: 32 -LOC: Config.Ftp.list_width -DOC_START - Sets the width of ftp listings. This should be set to fit in - the width of a standard browser. Setting this too small - can cut off long filenames when browsing ftp sites. -DOC_END - -NAME: ftp_passive -TYPE: onoff -DEFAULT: on -LOC: Config.Ftp.passive -DOC_START - If your firewall does not allow Squid to use passive - connections, then turn off this option. -DOC_END - -NAME: ftp_sanitycheck -TYPE: onoff -DEFAULT: on -LOC: Config.Ftp.sanitycheck -DOC_START - For security and data integrity reasons Squid by default performs - sanity checks of the addresses of FTP data connections ensure the - data connection is to the requested server. If you need to allow - FTP connections to servers using another IP address for the data - connection then turn this off. -DOC_END - -NAME: check_hostnames -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.check_hostnames -DOC_START - For security and stability reasons Squid by default checks - hostnames for Internet standard RFC compliance. If you do not want - Squid to perform these checks then turn this directive off. -DOC_END - -NAME: cache_dns_program -TYPE: string -IFDEF: USE_DNSSERVERS -DEFAULT: @DEFAULT_DNSSERVER@ -LOC: Config.Program.dnsserver -DOC_START - Specify the location of the executable for dnslookup process. -DOC_END - -NAME: dns_children -TYPE: int -IFDEF: USE_DNSSERVERS -DEFAULT: 5 -LOC: Config.dnsChildren -DOC_START - The number of processes spawn to service DNS name lookups. - For heavily loaded caches on large servers, you should - probably increase this value to at least 10. The maximum - is 32. The default is 5. - - You must have at least one dnsserver process. -DOC_END - -NAME: dns_retransmit_interval -TYPE: time_t -DEFAULT: 5 seconds -LOC: Config.Timeout.idns_retransmit -IFDEF: !USE_DNSSERVERS -DOC_START - Initial retransmit interval for DNS queries. The interval is - doubled each time all configured DNS servers have been tried. - -DOC_END - -NAME: dns_timeout -TYPE: time_t -DEFAULT: 5 minutes -LOC: Config.Timeout.idns_query -IFDEF: !USE_DNSSERVERS -DOC_START - DNS Query timeout. If no response is received to a DNS query - within this time then all DNS servers for the queried domain - is assumed to be unavailable. -DOC_END - -NAME: dns_defnames -COMMENT: on|off -IFDEF: USE_DNSSERVERS -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.res_defnames -IFDEF: USE_DNSSERVERS -DOC_START - Normally the 'dnsserver' disables the RES_DEFNAMES resolver - option (see res_init(3)). This prevents caches in a hierarchy - from interpreting single-component hostnames locally. To allow - dnsserver to handle single-component names, enable this - option. -DOC_END - -NAME: dns_nameservers -TYPE: wordlist -DEFAULT: none -LOC: Config.dns_nameservers -DOC_START - Use this if you want to specify a list of DNS name servers - (IP addresses) to use instead of those given in your - /etc/resolv.conf file. - On Windows platforms, if no value is specified here or in - the /etc/resolv.conf file, the list of DNS name servers are - taken from the Windows registry, both static and dynamic DHCP - configurations are supported. - - Example: dns_nameservers 10.0.0.1 192.172.0.4 -DOC_END - -NAME: hosts_file -TYPE: string -DEFAULT: @DEFAULT_HOSTS@ -LOC: Config.etcHostsPath -DOC_START - Location of the host-local IP name-address associations - database. Most Operating Systems have such a file on different - default locations: - - Un*X & Linux: /etc/hosts - - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts - (%SystemRoot% value install default is c:\winnt) - - Windows XP: %SystemRoot%\system32\drivers\etc\hosts - (%SystemRoot% value install default is c:\windows) - - Windows 9x/Me: %windir%\hosts - (%windir% value is usually c:\windows) - - Cygwin: /etc/hosts - - The file contains newline-separated definitions, in the - form ip_address_in_dotted_form name [name ...] names are - whitespace-separated. Lines beginnng with an hash (#) - character are comments. - - The file is checked at startup and upon configuration. - If set to 'none', it won't be checked. - If append_domain is used, that domain will be added to - domain-local (i.e. not containing any dot character) host - definitions. -DOC_END - -NAME: diskd_program -TYPE: string -DEFAULT: @DEFAULT_DISKD@ -LOC: Config.Program.diskd -DOC_START - Specify the location of the diskd executable. - Note that this is only useful if you have compiled in - diskd as one of the store io modules. -DOC_END - -NAME: unlinkd_program -IFDEF: USE_UNLINKD -TYPE: string -DEFAULT: @DEFAULT_UNLINKD@ -LOC: Config.Program.unlinkd -DOC_START - Specify the location of the executable for file deletion process. -DOC_END - -NAME: pinger_program -TYPE: string -DEFAULT: @DEFAULT_PINGER@ -LOC: Config.Program.pinger -IFDEF: USE_ICMP -DOC_START - Specify the location of the executable for the pinger process. -DOC_END - - -NAME: redirect_program -TYPE: wordlist -LOC: Config.Program.redirect -DEFAULT: none -DOC_START - Specify the location of the executable for the URL redirector. - Since they can perform almost any function there isn't one included. - See the FAQ (section 15) for information on how to write one. - By default, a redirector is not used. -DOC_END - - -NAME: redirect_children -TYPE: int -DEFAULT: 5 -LOC: Config.redirectChildren -DOC_START - The number of redirector processes to spawn. If you start - too few Squid will have to wait for them to process a backlog of - URLs, slowing it down. If you start too many they will use RAM - and other system resources. -DOC_END - -NAME: redirect_concurrency -TYPE: int -DEFAULT: 0 -LOC: Config.redirectConcurrency -DOC_START - The number of requests each redirector helper can handle in - parallell. Defaults to 0 which indicates that the redirector - is a old-style singlethreaded redirector. -DOC_END - -NAME: redirect_rewrites_host_header -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.redir_rewrites_host -DOC_START - By default Squid rewrites any Host: header in redirected - requests. If you are running an accelerator then this may - not be a wanted effect of a redirector. - - WARNING: Entries are cached on the result of the URL rewriting - process, so be careful if you have domain-virtual hosts. -DOC_END - -NAME: redirector_access -TYPE: acl_access -DEFAULT: none -LOC: Config.accessList.redirector -DOC_START - If defined, this access list specifies which requests are - sent to the redirector processes. By default all requests - are sent. -DOC_END - -NAME: auth_param -TYPE: authparam -LOC: Config.authConfiguration -DEFAULT: none -DOC_START - This is used to pass parameters to the various authentication - schemes. - format: auth_param scheme parameter [setting] - - auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd - would tell the basic authentication scheme it's program parameter. - - The order that authentication prompts are presented to the client_agent - is dependant on the order the scheme first appears in config file. - IE has a bug (it's not rfc 2617 compliant) in that it will use the basic - scheme if basic is the first entry presented, even if more secure schemes - are presented. For now use the order in the file below. If other browsers - have difficulties (don't recognise the schemes offered even if you are using - basic) then either put basic first, or disable the other schemes (by commenting - out their program entry). - - Once an authentication scheme is fully configured, it can only be shutdown - by shutting squid down and restarting. Changes can be made on the fly and - activated with a reconfigure. I.E. You can change to a different helper, - but not unconfigure the helper completely. - - === Parameters for the basic scheme follow. === - - "program" cmdline - Specify the command for the external authenticator. Such a - program reads a line containing "username password" and replies - "OK" or "ERR" in an endless loop. If you use an authenticator, - make sure you have 1 acl of type proxy_auth. By default, the - basic authentication sheme is not used unless a program is specified. - - If you want to use the traditional proxy authentication, - jump over to the ../auth_modules/NCSA directory and - type: - % make - % make install - - Then, set this line to something like - - auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd - - "children" numberofchildren - The number of authenticator processes to spawn (no default). - If you start too few Squid will have to wait for them to - process a backlog of usercode/password verifications, slowing - it down. When password verifications are done via a (slow) - network you are likely to need lots of authenticator - processes. - auth_param basic children 5 - - "concurrency" concurrency - The number of concurrent requests the helper can process. - The default of 0 is used for helpers who only supports - one request at a time. - auth_param basic concurrency 0 - - "realm" realmstring - Specifies the realm name which is to be reported to the - client for the basic proxy authentication scheme (part of - the text the user will see when prompted their username and - password). There is no default. - auth_param basic realm Squid proxy-caching web server - - "credentialsttl" timetolive - Specifies how long squid assumes an externally validated - username:password pair is valid for - in other words how - often the helper program is called for that user. Set this - low to force revalidation with short lived passwords. Note - that setting this high does not impact your susceptability - to replay attacks unless you are using an one-time password - system (such as SecureID). If you are using such a system, - you will be vulnerable to replay attacks unless you also - use the max_user_ip ACL in an http_access rule. - - === Parameters for the digest scheme follow === - - "program" cmdline - Specify the command for the external authenticator. Such - a program reads a line containing "username":"realm" and - replies with the appropriate H(A1) value base64 encoded. - See rfc 2616 for the definition of H(A1). If you use an - authenticator, make sure you have 1 acl of type proxy_auth. - By default, authentication is not used. - - If you want to use build an authenticator, - jump over to the ../digest_auth_modules directory and choose the - authenticator to use. It it's directory type - % make - % make install - - Then, set this line to something like - - auth_param digest program @DEFAULT_PREFIX@/bin/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass - - - "children" numberofchildren - The number of authenticator processes to spawn (no default). - If you start too few Squid will have to wait for them to - process a backlog of H(A1) calculations, slowing it down. - When the H(A1) calculations are done via a (slow) network - you are likely to need lots of authenticator processes. - auth_param digest children 5 - - "realm" realmstring - Specifies the realm name which is to be reported to the - client for the digest proxy authentication scheme (part of - the text the user will see when prompted their username and - password). There is no default. - auth_param digest realm Squid proxy-caching web server - - "nonce_garbage_interval" timeinterval - Specifies the interval that nonces that have been issued - to client_agent's are checked for validity. - - "nonce_max_duration" timeinterval - Specifies the maximum length of time a given nonce will be - valid for. - - "nonce_max_count" number - Specifies the maximum number of times a given nonce can be - used. - - "nonce_strictness" on|off - Determines if squid requires strict increment-by-1 behaviour - for nonce counts, or just incrementing (off - for use when - useragents generate nonce counts that occasionally miss 1 - (ie, 1,2,4,6)). Default off. - - "check_nonce_count" on|off - This directive if set to off can disable the nonce count check - completely to work around buggy digest qop implementations in - certain mainstream browser versions. Default on to check the - nonce count to protect from authentication replay attacks. - - "post_workaround" on|off - This is a workaround to certain buggy browsers who sends - an incorrect request digest in POST requests when reusing - the same nonce as aquired earlier on a GET request. - - - === NTLM scheme options follow === - - "program" cmdline - Specify the command for the external ntlm authenticator. - Such a program reads a line containing the uuencoded NEGOTIATE - and replies with the ntlm CHALLENGE, then waits for the - response and answers with "OK" or "ERR" in an endless loop. - If you use an ntlm authenticator, make sure you have 1 acl - of type proxy_auth. By default, the ntlm authenticator_program - is not used. - - auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth - - "children" numberofchildren - The number of authenticator processes to spawn (no default). - If you start too few Squid will have to wait for them to - process a backlog of credential verifications, slowing it - down. When crendential verifications are done via a (slow) - network you are likely to need lots of authenticator - processes. - auth_param ntlm children 5 - - "max_challenge_reuses" number - The maximum number of times a challenge given by a ntlm - authentication helper can be reused. Increasing this number - increases your exposure to replay attacks on your network. - 0 means use the challenge only once. (disable challenge - caching) See max_ntlm_challenge_lifetime for more information. - auth_param ntlm max_challenge_reuses 0 - - "max_challenge_lifetime" timespan - The maximum time period that a ntlm challenge is reused - over. The actual period will be the minimum of this time - AND the number of reused challenges. - auth_param ntlm max_challenge_lifetime 2 minutes - -NOCOMMENT_START + You must use the word 'DENY' to indicate the ACL names which should + NOT be cached. + + NOCOMMENT_START +#We recommend you to use the following two lines. + acl QUERY urlpath_regex cgi-bin \? + no_cache deny QUERY + NOCOMMENT_END + DOC_END + + NAME: background_ping_rate + COMMENT: time-units + TYPE: time_t + DEFAULT: 10 seconds + LOC: Config.backgroundPingRate + DOC_START + Controls how often the ICP pings are sent to siblings that + have background-ping set. + DOC_END + + + COMMENT_START + OPTIONS WHICH AFFECT THE CACHE SIZE + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: cache_mem + COMMENT: (bytes) + TYPE: b_size_t + DEFAULT: 8 MB + LOC: Config.memMaxSize + DOC_START + NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE. + IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL + USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER + THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS. + + 'cache_mem' specifies the ideal amount of memory to be used + for: + * In-Transit objects + * Hot Objects + * Negative-Cached objects + + Data for these objects are stored in 4 KB blocks. This + parameter specifies the ideal upper limit on the total size of + 4 KB blocks allocated. In-Transit objects take the highest + priority. + + In-transit objects have priority over the others. When + additional space is needed for incoming data, negative-cached + and hot objects will be released. In other words, the + negative-cached and hot objects will fill up any unused space + not needed for in-transit objects. + + If circumstances require, this limit will be exceeded. + Specifically, if your incoming request rate requires more than + 'cache_mem' of memory to hold in-transit objects, Squid will + exceed this limit to satisfy the new requests. When the load + decreases, blocks will be freed until the high-water mark is + reached. Thereafter, blocks will be used to store hot + objects. + DOC_END + + + NAME: cache_swap_low + COMMENT: (percent, 0-100) + TYPE: int + DEFAULT: 90 + LOC: Config.Swap.lowWaterMark + DOC_NONE + + NAME: cache_swap_high + COMMENT: (percent, 0-100) + TYPE: int + DEFAULT: 95 + LOC: Config.Swap.highWaterMark + DOC_START + + The low- and high-water marks for cache object replacement. + Replacement begins when the swap (disk) usage is above the + low-water mark and attempts to maintain utilization near the + low-water mark. As swap utilization gets close to high-water + mark object eviction becomes more aggressive. If utilization is + close to the low-water mark less replacement is done each time. + + Defaults are 90% and 95%. If you have a large cache, 5% could be + hundreds of MB. If this is the case you may wish to set + these + numbers closer together. + DOC_END + + NAME: maximum_object_size + COMMENT: (bytes) + TYPE: b_size_t + DEFAULT: 4096 KB + LOC: Config.Store.maxObjectSize + DOC_START + Objects larger than this size will NOT be saved on disk. The + value is specified in kilobytes, and the default is 4MB. If + you wish to get + a high BYTES hit ratio, you should probably + increase this (one 32 MB object hit counts for 3200 10KB + hits). If you wish to increase speed more than your want to + save bandwidth you should leave this low. + + NOTE: if using the LFUDA replacement policy you should increase + this value to maximize the byte hit rate improvement of LFUDA! + See replacement_policy below for a discussion of this policy. + DOC_END + + NAME: minimum_object_size + COMMENT: (bytes) + TYPE: b_size_t + DEFAULT: 0 KB + LOC: Config.Store.minObjectSize + DOC_START + Objects smaller than this size will NOT be saved on disk. The + value is specified in kilobytes, and the default is 0 KB, which + means there is no minimum. + DOC_END + + NAME: maximum_object_size_in_memory + COMMENT: (bytes) + TYPE: b_size_t + DEFAULT: 8 KB + LOC: Config.Store.maxInMemObjSize + DOC_START + Objects greater than this size will not be attempted to kept in + the memory cache. This should be set + high enough to keep objects + accessed frequently in memory to improve performance whilst low + enough to keep larger objects from hoarding cache_mem . + DOC_END + + NAME: ipcache_size + COMMENT: (number of entries) + TYPE: int + DEFAULT: 1024 + LOC: Config.ipcache.size + DOC_NONE + + NAME: ipcache_low + COMMENT: (percent) + TYPE: int + DEFAULT: 90 + LOC: Config.ipcache.low + DOC_NONE + + NAME: ipcache_high + COMMENT: (percent) + TYPE: int + DEFAULT: 95 + LOC: Config.ipcache.high + DOC_START + The size, low-, and high-water marks for the IP cache. + DOC_END + + NAME: fqdncache_size + COMMENT: (number of entries) + TYPE: int + DEFAULT: 1024 + LOC: Config.fqdncache.size + DOC_START + Maximum number of FQDN cache entries. + DOC_END + + NAME: cache_replacement_policy + TYPE: removalpolicy + LOC: Config.replPolicy + DEFAULT: lru + DOC_START + The cache replacement policy parameter determines which + objects are evicted (replaced) when disk space is needed. + + lru : Squid's original list based LRU policy + heap GDSF : Greedy-Dual Size Frequency + heap LFUDA: Least Frequently Used with Dynamic Aging + heap LRU : LRU policy implemented using a heap + + Applies to any cache_dir lines listed below this. + + The LRU policies keeps recently referenced objects. + + The heap GDSF policy optimizes object hit rate by keeping smaller + popular objects in cache so it has a better chance of getting a + hit. It achieves a lower byte hit rate than LFUDA though since + it evicts larger (possibly popular) objects. + + The heap LFUDA policy keeps popular objects in cache regardless of + their size and thus optimizes byte hit rate at the expense of + hit rate since one large, popular object will prevent many + smaller, slightly less popular objects from being cached. + + Both policies utilize a dynamic aging mechanism that prevents + cache pollution that can otherwise occur with frequency-based + replacement policies. + + NOTE: if using the LFUDA replacement policy you should increase + the value of maximum_object_size above its default of 4096 KB to + to maximize the potential byte hit rate improvement of LFUDA. + + For more information about the GDSF and LFUDA cache replacement + policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html + and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. + DOC_END + + NAME: memory_replacement_policy + TYPE: removalpolicy + LOC: Config.memPolicy + DEFAULT: lru + DOC_START + The memory replacement policy parameter determines which + objects are purged from memory when memory space is needed. + + See cache_replacement_policy for details. + DOC_END + + + COMMENT_START + LOGFILE PATHNAMES AND CACHE DIRECTORIES + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: cache_dir + TYPE: cachedir + DEFAULT: none + DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256 + LOC: Config.cacheSwap + DOC_START + Usage: + + cache_dir Type Directory-Name Fs-specific-data [options] + + You can specify multiple cache_dir lines to spread the + cache among different disk partitions. + + Type specifies the kind of storage system to use. Only "ufs" + is built by default. To eanble any of the other storage systems + see the --enable-storeio configure option. + + 'Directory' is a top-level directory where cache swap + files will be stored. If you want to use an entire disk + for caching, then this can be the mount-point directory. + The directory must exist and be writable by the Squid + process. Squid will NOT create this directory for you. + + The ufs store type: + + "ufs" is the old well-known Squid storage format that has always + been there. + + cache_dir ufs Directory-Name Mbytes L1 L2 [options] + + 'Mbytes' is the amount of disk space (MB) to use under this + directory. The default is 100 MB. Change this to suit your + configuration. Do NOT put the size of your disk drive here. + Instead, if you want Squid to use the entire disk drive, + subtract 20% and use that value. + + 'Level-1' is the number of first-level subdirectories which + will be created under the 'Directory'. The default is 16. + + 'Level-2' is the number of second-level subdirectories which + will be created under each first-level directory. The default + is 256. + + The aufs store type: + + "aufs" uses the same storage format as "ufs", utilizing + POSIX-threads to avoid blocking the main Squid process on + disk-I/O. This was formerly known in Squid as async-io. + + cache_dir aufs Directory-Name Mbytes L1 L2 [options] + + see argument descriptions under ufs above + + The diskd store type: + + "diskd" uses the same storage format as "ufs", utilizing a + separate process to avoid blocking the main Squid process on + disk-I/O. + + cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] + + see argument descriptions under ufs above + + Q1 specifies the number of unacknowledged I/O requests when Squid + stops opening new files. If this many messages are in the queues, + Squid won't open new files. Default is 64 + + Q2 specifies the number of unacknowledged messages when Squid + starts blocking. If this many messages are in the queues, + Squid blocks until it recevies some replies. Default is 72 + + Common options: + + read-only, this cache_dir is read only. + + max-size=n, refers to the max object size this storedir supports. + It is used to initially choose the storedir to dump the object. + Note: To make optimal use of the max-size limits you should order + the cache_dir lines with the smallest max-size value first and the + ones with no max-size specification last. + DOC_END + + + NAME: logformat + TYPE: logformat + LOC: Config.Log.logformats + DEFAULT: none + DOC_START + Usage: + + logformat + + Defines an access log format. + + The is a string with embedded % format codes + + % format codes all follow the same basic structure where all but + the formatcode is optional. Output strings are automatically quoted + as required according to their context and the output format + modifiers are usually unneeded but can be specified if an explicit + quoting format is desired. + + % ["|[|'|#] [-] [[0]width] [{argument}] formatcode + + " quoted string output format + [ squid log quoted format as used by log_mime_hdrs +# URL quoted output format + ' No automatic quoting + - left aligned + width field width. If starting with 0 then the + output is zero padded + {arg} argument such as header name etc + + Format codes: + + >a Client source IP address + >A Client FQDN + h Request header. Optional header name argument + on the format header[:[separator]element] + h + un User name + ul User login + ui User ident + ue User from external acl + Hs HTTP status code + Ss Squid request status (TCP_MISS etc) + Sh Squid hierarchy status (DEFAULT_PARENT etc) + mt MIME content type + rm Request method (GET/POST etc) + ru Request URL + rv Request protocol version + et Tag returned by external acl + ea Log string returned by external acl + a %Ss/%03Hs %a %Ss/%03Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %h" "%{User-Agent}>h" %Ss:%Sh + DOC_END + + NAME: access_log cache_access_log + TYPE: access_log + LOC: Config.Log.accesslogs + DEFAULT: none + DEFAULT_IF_NONE: @DEFAULT_ACCESS_LOG@ + DOC_START + These files log client request activities. Has a line every HTTP or + ICP request. The format is: + access_log [ [acl acl ...]] + access_log none [acl acl ...]] + + Will log to the specified file using the specified format (which + must be defined in a logformat directive) those entries which match + ALL the acl's specified (which must be defined in acl clauses). + If no acl is specified, all requests will be logged to this file. + + To disable logging of a request specify "none". + DOC_END + + + NAME: cache_log + TYPE: string + DEFAULT: @DEFAULT_CACHE_LOG@ + LOC: Config.Log.log + DOC_START + Cache logging file. This is where general information about + your cache's behavior goes. You can increase the amount of data + logged to this file with the "debug_options" tag below. + DOC_END + + + NAME: cache_store_log + TYPE: string + DEFAULT: @DEFAULT_STORE_LOG@ + LOC: Config.Log.store + DOC_START + Logs the activities of the storage manager. Shows which + objects are ejected from the cache, and which objects are + saved and for how long. To disable, enter "none". There are + not really utilities to analyze this data, so you can safely + disable it. + DOC_END + + + NAME: cache_swap_log + TYPE: string + LOC: Config.Log.swap + DEFAULT: none + DOC_START + Location for the cache "swap.log." This log file holds the + metadata of objects saved on disk. It is used to rebuild the + cache during startup. Normally this file resides in each + 'cache_dir' directory, but you may specify an alternate + pathname here. Note you must give a full filename, not just + a directory. Since this is the index for the whole object + list you CANNOT periodically rotate it! + + If %s can be used in the file name then it will be replaced with a + a representation of the cache_dir name where each / is replaced + with '.'. This is needed to allow adding/removing cache_dir + lines when cache_swap_log is being used. + + If have more than one 'cache_dir', and %s is not used in the name + then these swap logs will have names such as: + + cache_swap_log.00 + cache_swap_log.01 + cache_swap_log.02 + + The numbered extension (which is added automatically) + corresponds to the order of the 'cache_dir' lines in this + configuration file. If you change the order of the 'cache_dir' + lines in this file, then these log files will NOT correspond to + the correct 'cache_dir' entry (unless you manually rename + them). We recommend that you do NOT use this option. It is + better to keep these log files in each 'cache_dir' directory. + DOC_END + + + NAME: emulate_httpd_log + COMMENT: on|off + TYPE: onoff + DEFAULT: off + LOC: Config.onoff.common_log + DOC_START + The Cache can emulate the log file format which many 'httpd' + programs use. To disable/enable this emulation, set + emulate_httpd_log to 'off' or 'on'. The default + is to use the native log format since it includes useful + information that Squid-specific log analyzers use. + DOC_END + + NAME: log_ip_on_direct + COMMENT: on|off + TYPE: onoff + DEFAULT: on + LOC: Config.onoff.log_ip_on_direct + DOC_START + Log the destination IP address in the hierarchy log tag when going + direct. Earlier Squid versions logged the hostname here. If you + prefer the old way set this to off. + DOC_END + + NAME: mime_table + TYPE: string + DEFAULT: @DEFAULT_MIME_TABLE@ + LOC: Config.mimeTablePathname + DOC_START + Pathname to Squid's MIME table. You shouldn't need to change + this, but the default file contains examples and formatting + information if you do. + DOC_END + + + NAME: log_mime_hdrs + COMMENT: on|off + TYPE: onoff + LOC: Config.onoff.log_mime_hdrs + DEFAULT: off + DOC_START + The Cache can record both the request and the response MIME + headers for each HTTP transaction. The headers are encoded + safely and will appear as two bracketed fields at the end of + the access log (for either the native or httpd-emulated log + formats). To enable this logging set log_mime_hdrs to 'on'. + DOC_END + + + NAME: useragent_log + TYPE: string + LOC: Config.Log.useragent + DEFAULT: none + IFDEF: USE_USERAGENT_LOG + DOC_START + Squid will write the User-Agent field from HTTP requests + to the filename specified here. By default useragent_log + is disabled. + DOC_END + + + NAME: referer_log + TYPE: string + LOC: Config.Log.referer + DEFAULT: none + IFDEF: USE_REFERER_LOG + DOC_START + Squid will write the Referer field from HTTP requests to the + filename specified here. By default referer_log is disabled. + DOC_END + + + NAME: pid_filename + TYPE: string + DEFAULT: @DEFAULT_PID_FILE@ + LOC: Config.pidFilename + DOC_START + A filename to write the process-id to. To disable, enter "none". + DOC_END + + + NAME: debug_options + TYPE: eol + DEFAULT: ALL,1 + LOC: Config.debugOptions + DOC_START + Logging options are set as section,level where each source file + is assigned a unique section. Lower levels result in less + output, Full debugging (level 9) can result in a very large + log file, so be careful. The magic word "ALL" sets debugging + levels for all sections. We recommend normally running with + "ALL,1". + DOC_END + + + NAME: log_fqdn + COMMENT: on|off + TYPE: onoff + DEFAULT: off + LOC: Config.onoff.log_fqdn + DOC_START + Turn this on if you wish to log fully qualified domain names + in the access.log. To do this Squid does a DNS lookup of all + IP's connecting to it. This can (in some situations) increase + latency, which makes your cache seem slower for interactive + browsing. + DOC_END + + + NAME: client_netmask + TYPE: address + LOC: Config.Addrs.client_netmask + DEFAULT: 255.255.255.255 + DOC_START + A netmask for client addresses in logfiles and cachemgr output. + Change this to protect the privacy of your cache clients. + A netmask of 255.255.255.0 will log all IP's in that range with + the last digit set to '0'. + DOC_END + + + COMMENT_START + OPTIONS FOR EXTERNAL SUPPORT PROGRAMS + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: ftp_user + TYPE: string + DEFAULT: Squid@ + LOC: Config.Ftp.anon_user + DOC_START + If you want the anonymous login password to be more informative + (and enable the use of picky ftp servers), set this to something + reasonable for your domain, like wwwuser@somewhere.net + + The reason why this is domainless by default is that the + request can be made on the behalf of a user in any domain, + depending on how the cache is used. + Some ftp server also validate that the email address is valid + (for example perl.com). + DOC_END + + NAME: ftp_list_width + TYPE: size_t + DEFAULT: 32 + LOC: Config.Ftp.list_width + DOC_START + Sets the width of ftp listings. This should be set to fit in + the width of a standard browser. Setting this too small + can cut off long filenames when browsing ftp sites. + DOC_END + + NAME: ftp_passive + TYPE: onoff + DEFAULT: on + LOC: Config.Ftp.passive + DOC_START + If your firewall does not allow Squid to use passive + connections, then turn off this option. + DOC_END + + NAME: ftp_sanitycheck + TYPE: onoff + DEFAULT: on + LOC: Config.Ftp.sanitycheck + DOC_START + For security and data integrity reasons Squid by default performs + sanity checks of the addresses of FTP data connections ensure the + data connection is to the requested server. If you need to allow + FTP connections to servers using another IP address for the data + connection then turn this off. + DOC_END + + NAME: check_hostnames + TYPE: onoff + DEFAULT: on + LOC: Config.onoff.check_hostnames + DOC_START + For security and stability reasons Squid by default checks + hostnames for Internet standard RFC compliance. If you do not want + Squid to perform these checks then turn this directive off. + DOC_END + + NAME: cache_dns_program + TYPE: string + IFDEF: USE_DNSSERVERS + DEFAULT: @DEFAULT_DNSSERVER@ + LOC: Config.Program.dnsserver + DOC_START + Specify the location of the executable for dnslookup process. + DOC_END + + NAME: dns_children + TYPE: int + IFDEF: USE_DNSSERVERS + DEFAULT: 5 + LOC: Config.dnsChildren + DOC_START + The number of processes spawn to service DNS name lookups. + For heavily loaded caches on large servers, you should + probably increase this value to at least 10. The maximum + is 32. The default is 5. + + You must have at least one dnsserver process. + DOC_END + + NAME: dns_retransmit_interval + TYPE: time_t + DEFAULT: 5 seconds + LOC: Config.Timeout.idns_retransmit + IFDEF: !USE_DNSSERVERS + DOC_START + Initial retransmit interval for DNS queries. The interval is + doubled each time all configured DNS servers have been tried. + + DOC_END + + NAME: dns_timeout + TYPE: time_t + DEFAULT: 5 minutes + LOC: Config.Timeout.idns_query + IFDEF: !USE_DNSSERVERS + DOC_START + DNS Query timeout. If no response is received to a DNS query + within this time then all DNS servers for the queried domain + is assumed to be unavailable. + DOC_END + + NAME: dns_defnames + COMMENT: on|off + IFDEF: USE_DNSSERVERS + TYPE: onoff + DEFAULT: off + LOC: Config.onoff.res_defnames + IFDEF: USE_DNSSERVERS + DOC_START + Normally the 'dnsserver' disables the RES_DEFNAMES resolver + option (see res_init(3)). This prevents caches in a hierarchy + from interpreting single-component hostnames locally. To allow + dnsserver to handle single-component names, enable this + option. + DOC_END + + NAME: dns_nameservers + TYPE: wordlist + DEFAULT: none + LOC: Config.dns_nameservers + DOC_START + Use this if you want to specify a list of DNS name servers + (IP addresses) to use instead of those given in your + /etc/resolv.conf file. + On Windows platforms, if no value is specified here or in + the /etc/resolv.conf file, the list of DNS name servers are + taken from the Windows registry, both static and dynamic DHCP + configurations are supported. + + Example: dns_nameservers 10.0.0.1 192.172.0.4 + DOC_END + + NAME: hosts_file + TYPE: string + DEFAULT: @DEFAULT_HOSTS@ + LOC: Config.etcHostsPath + DOC_START + Location of the host-local IP name-address associations + database. Most Operating Systems have such a file on different + default locations: + - Un*X & Linux: /etc/hosts + - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts + (%SystemRoot% value install default is c:\winnt) + - Windows XP: %SystemRoot%\system32\drivers\etc\hosts + (%SystemRoot% value install default is c:\windows) + - Windows 9x/Me: %windir%\hosts + (%windir% value is usually c:\windows) + - Cygwin: /etc/hosts + + The file contains newline-separated definitions, in the + form ip_address_in_dotted_form name [name ...] names are + whitespace-separated. Lines beginnng with an hash (#) + character are comments. + + The file is checked at startup and upon configuration. + If set to 'none', it won't be checked. + If append_domain is used, that domain will be added to + domain-local (i.e. not containing any dot character) host + definitions. + DOC_END + + NAME: diskd_program + TYPE: string + DEFAULT: @DEFAULT_DISKD@ + LOC: Config.Program.diskd + DOC_START + Specify the location of the diskd executable. + Note that this is only useful if you have compiled in + diskd as one of the store io modules. + DOC_END + + NAME: unlinkd_program + IFDEF: USE_UNLINKD + TYPE: string + DEFAULT: @DEFAULT_UNLINKD@ + LOC: Config.Program.unlinkd + DOC_START + Specify the location of the executable for file deletion process. + DOC_END + + NAME: pinger_program + TYPE: string + DEFAULT: @DEFAULT_PINGER@ + LOC: Config.Program.pinger + IFDEF: USE_ICMP + DOC_START + Specify the location of the executable for the pinger process. + DOC_END + + + NAME: redirect_program + TYPE: wordlist + LOC: Config.Program.redirect + DEFAULT: none + DOC_START + Specify the location of the executable for the URL redirector. + Since they can perform almost any function there isn't one included. + See the FAQ (section 15) for information on how to write one. + By default, a redirector is not used. + DOC_END + + + NAME: redirect_children + TYPE: int + DEFAULT: 5 + LOC: Config.redirectChildren + DOC_START + The number of redirector processes to spawn. If you start + too few Squid will have to wait for them to process a backlog of + URLs, slowing it down. If you start too many they will use RAM + and other system resources. + DOC_END + + NAME: redirect_concurrency + TYPE: int + DEFAULT: 0 + LOC: Config.redirectConcurrency + DOC_START + The number of requests each redirector helper can handle in + parallell. Defaults to 0 which indicates that the redirector + is a old-style singlethreaded redirector. + DOC_END + + NAME: redirect_rewrites_host_header + TYPE: onoff + DEFAULT: on + LOC: Config.onoff.redir_rewrites_host + DOC_START + By default Squid rewrites any Host: header in redirected + requests. If you are running an accelerator then this may + not be a wanted effect of a redirector. + + WARNING: Entries are cached on the result of the URL rewriting + process, so be careful if you have domain-virtual hosts. + DOC_END + + NAME: redirector_access + TYPE: acl_access + DEFAULT: none + LOC: Config.accessList.redirector + DOC_START + If defined, this access list specifies which requests are + sent to the redirector processes. By default all requests + are sent. + DOC_END + + NAME: auth_param + TYPE: authparam + LOC: Config.authConfiguration + DEFAULT: none + DOC_START + This is used to pass parameters to the various authentication + schemes. + format: auth_param scheme parameter [setting] + + auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd + would tell the basic authentication scheme it's program parameter. + + The order that authentication prompts are presented to the client_agent + is dependant on the order the scheme first appears in config file. + IE has a bug (it's not rfc 2617 compliant) in that it will use the basic + scheme if basic is the first entry presented, even if more secure schemes + are presented. For now use the order in the file below. If other browsers + have difficulties (don't recognise the schemes offered even if you are using + basic) then either put basic first, or disable the other schemes (by commenting + out their program entry). + + Once an authentication scheme is fully configured, it can only be shutdown + by shutting squid down and restarting. Changes can be made on the fly and + activated with a reconfigure. I.E. You can change to a different helper, + but not unconfigure the helper completely. + + === Parameters for the basic scheme follow. === + + "program" cmdline + Specify the command for the external authenticator. Such a + program reads a line containing "username password" and replies + "OK" or "ERR" in an endless loop. If you use an authenticator, + make sure you have 1 acl of type proxy_auth. By default, the + basic authentication sheme is not used unless a program is specified. + + If you want to use the traditional proxy authentication, + jump over to the ../auth_modules/NCSA directory and + type: + % make + % make install + + Then, set this line to something like + + auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd + + "children" numberofchildren + The number of authenticator processes to spawn (no default). + If you start too few Squid will have to wait for them to + process a backlog of usercode/password verifications, slowing + it down. When password verifications are done via a (slow) + network you are likely to need lots of authenticator + processes. + auth_param basic children 5 + + "concurrency" concurrency + The number of concurrent requests the helper can process. + The default of 0 is used for helpers who only supports + one request at a time. + auth_param basic concurrency 0 + + "realm" realmstring + Specifies the realm name which is to be reported to the + client for the basic proxy authentication scheme (part of + the text the user will see when prompted their username and + password). There is no default. + auth_param basic realm Squid proxy-caching web server + + "credentialsttl" timetolive + Specifies how long squid assumes an externally validated + username:password pair is valid for - in other words how + often the helper program is called for that user. Set this + low to force revalidation with short lived passwords. Note + that setting this high does not impact your susceptability + to replay attacks unless you are using an one-time password + system (such as SecureID). If you are using such a system, + you will be vulnerable to replay attacks unless you also + use the max_user_ip ACL in an http_access rule. + + === Parameters for the digest scheme follow === + + "program" cmdline + Specify the command for the external authenticator. Such + a program reads a line containing "username":"realm" and + replies with the appropriate H(A1) value base64 encoded. + See rfc 2616 for the definition of H(A1). If you use an + authenticator, make sure you have 1 acl of type proxy_auth. + By default, authentication is not used. + + If you want to use build an authenticator, + jump over to the ../digest_auth_modules directory and choose the + authenticator to use. It it's directory type + % make + % make install + + Then, set this line to something like + + auth_param digest program @DEFAULT_PREFIX@/bin/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass + + + "children" numberofchildren + The number of authenticator processes to spawn (no default). + If you start too few Squid will have to wait for them to + process a backlog of H(A1) calculations, slowing it down. + When the H(A1) calculations are done via a (slow) network + you are likely to need lots of authenticator processes. + auth_param digest children 5 + + "realm" realmstring + Specifies the realm name which is to be reported to the + client for the digest proxy authentication scheme (part of + the text the user will see when prompted their username and + password). There is no default. + auth_param digest realm Squid proxy-caching web server + + "nonce_garbage_interval" timeinterval + Specifies the interval that nonces that have been issued + to client_agent's are checked for validity. + + "nonce_max_duration" timeinterval + Specifies the maximum length of time a given nonce will be + valid for. + + "nonce_max_count" number + Specifies the maximum number of times a given nonce can be + used. + + "nonce_strictness" on|off + Determines if squid requires strict increment-by-1 behaviour + for nonce counts, or just incrementing (off - for use when + useragents generate nonce counts that occasionally miss 1 + (ie, 1,2,4,6)). Default off. + + "check_nonce_count" on|off + This directive if set to off can disable the nonce count check + completely to work around buggy digest qop implementations in + certain mainstream browser versions. Default on to check the + nonce count to protect from authentication replay attacks. + + "post_workaround" on|off + This is a workaround to certain buggy browsers who sends + an incorrect request digest in POST requests when reusing + the same nonce as aquired earlier on a GET request. + + + === NTLM scheme options follow === + + "program" cmdline + Specify the command for the external ntlm authenticator. + Such a program reads a line containing the uuencoded NEGOTIATE + and replies with the ntlm CHALLENGE, then waits for the + response and answers with "OK" or "ERR" in an endless loop. + If you use an ntlm authenticator, make sure you have 1 acl + of type proxy_auth. By default, the ntlm authenticator_program + is not used. + + auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth + + "children" numberofchildren + The number of authenticator processes to spawn (no default). + If you start too few Squid will have to wait for them to + process a backlog of credential verifications, slowing it + down. When crendential verifications are done via a (slow) + network you are likely to need lots of authenticator + processes. + auth_param ntlm children 5 + + "max_challenge_reuses" number + The maximum number of times a challenge given by a ntlm + authentication helper can be reused. Increasing this number + increases your exposure to replay attacks on your network. + 0 means use the challenge only once. (disable challenge + caching) See max_ntlm_challenge_lifetime for more information. + auth_param ntlm max_challenge_reuses 0 + + "max_challenge_lifetime" timespan + The maximum time period that a ntlm challenge is reused + over. The actual period will be the minimum of this time + AND the number of reused challenges. + auth_param ntlm max_challenge_lifetime 2 minutes + + NOCOMMENT_START #Recommended minimum configuration: #auth_param digest program #auth_param digest children 5 @@ -1791,561 +1816,613 @@ NOCOMMENT_START #auth_param ntlm max_challenge_reuses 0 #auth_param ntlm max_challenge_lifetime 2 minutes #auth_param basic program -auth_param basic children 5 -auth_param basic realm Squid proxy-caching web server -auth_param basic credentialsttl 2 hours -NOCOMMENT_END -DOC_END - -NAME: authenticate_cache_garbage_interval -TYPE: time_t -DEFAULT: 1 hour -LOC: Config.authenticateGCInterval -DOC_START - The time period between garbage collection across the - username cache. This is a tradeoff between memory utilisation - (long intervals - say 2 days) and CPU (short intervals - - say 1 minute). Only change if you have good reason to. -DOC_END - -NAME: authenticate_ttl -TYPE: time_t -DEFAULT: 1 hour -LOC: Config.authenticateTTL -DOC_START - The time a user & their credentials stay in the logged in - user cache since their last request. When the garbage - interval passes, all user credentials that have passed their - TTL are removed from memory. -DOC_END - -NAME: authenticate_ip_ttl -TYPE: time_t -LOC: Config.authenticateIpTTL -DEFAULT: 0 seconds -DOC_START - If you use proxy authentication and the 'max_user_ip' ACL, - this directive controls how long Squid remembers the IP - addresses associated with each user. Use a small value - (e.g., 60 seconds) if your users might change addresses - quickly, as is the case with dialups. You might be safe - using a larger value (e.g., 2 hours) in a corporate LAN - environment with relatively static address assignments. -DOC_END - -NAME: external_acl_type -TYPE: externalAclHelper -LOC: Config.externalAclHelperList -DEFAULT: none -DOC_START - This option defines external acl classes using a helper program - to look up the status - - external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] - - Options: - - ttl=n TTL in seconds for cached results (defaults to 3600 - for 1 hour) - negative_ttl=n - TTL for cached negative lookups (default same - as ttl) - children=n Number of acl helper processes spawn to service - external acl lookups of this type. - concurrency=n concurrency level per process. Use 0 for old style - helpers who can only process a single request at a - time. - cache=n result cache size, 0 is unbounded (default) - grace=n Percentage remaining of TTL where a refresh of a - cached entry should be initiated without needing to - wait for a new reply. (default 0 for no grace period) - - FORMAT specifications - - %LOGIN Authenticated user login name - %IDENT Ident user name - %SRC Client IP - %SRCPORT Client source port - %DST Requested host - %PROTO Requested protocol - %PORT Requested port - %PATH Requested URL path - %METHOD Request method - %MYADDR Squid interface address - %MYPORT Squid http_port number - %USER_CERT_xx SSL User certificate attribute xx - %USER_CA_xx SSL User certificate CA attribute xx - %{Header} HTTP request header - %{Hdr:member} HTTP request header list member - %{Hdr:;member} - HTTP request header list member using ; as - list separator. ; can be any non-alphanumeric - character. - - In addition, any string specified in the referencing acl will - also be included in the helper request line, after the specified - formats (see the "acl external" directive) - - The helper receives lines per the above format specification, - and returns lines starting with OK or ERR indicating the validity - of the request and optionally followed by additional keywords with - more details. - - General result syntax: - - OK/ERR keyword=value ... - - Defined keywords: - - user= The users name (login) - password= The users password (for login= cache_peer option) - message= Message describing the reason. Available as %o - in error pages - tag= Apply a tag to a request (for both ERR and OK results) - Only sets a tag, does not alter existing tags. - log= String to be logged in access.log. Available as - %ea in logformat specifications - - Keyword values need to be enclosed in quotes if they may - contain whitespace, or the whitespace escaped using \. Any - quotes or \ characters within the keyword value must be \ - escaped. -DOC_END + auth_param basic children 5 + auth_param basic realm Squid proxy-caching web server + auth_param basic credentialsttl 2 hours + NOCOMMENT_END + DOC_END + + NAME: authenticate_cache_garbage_interval + TYPE: time_t + DEFAULT: 1 hour + LOC: Config.authenticateGCInterval + DOC_START + The time period between garbage collection across the + username cache. This is a tradeoff between memory utilisation + (long intervals - say 2 days) and CPU (short intervals - + say 1 minute). Only change if you have good reason to. + DOC_END + + NAME: authenticate_ttl + TYPE: time_t + DEFAULT: 1 hour + LOC: Config.authenticateTTL + DOC_START + The time a user & their credentials stay in the logged in + user cache since their last request. When the garbage + interval passes, all user credentials that have passed their + TTL are removed from memory. + DOC_END + + NAME: authenticate_ip_ttl + TYPE: time_t + LOC: Config.authenticateIpTTL + DEFAULT: 0 seconds + DOC_START + If you use proxy authentication and the 'max_user_ip' ACL, + this directive controls how long Squid remembers the IP + addresses associated with each user. Use a small value + (e.g., 60 seconds) if your users might change addresses + quickly, as is the case with dialups. You might be safe + using a larger value (e.g., 2 hours) in a corporate LAN + environment with relatively static address assignments. + DOC_END + + NAME: external_acl_type + TYPE: externalAclHelper + LOC: Config.externalAclHelperList + DEFAULT: none + DOC_START + This option defines external acl classes using a helper program + to look up the status + + external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] + + Options: + + ttl=n TTL in seconds for cached results (defaults to 3600 + for 1 hour) + negative_ttl=n + TTL for cached negative lookups (default same + as ttl) + children=n Number of acl helper processes spawn to service + external acl lookups of this type. + concurrency=n concurrency level per process. Use 0 for old style + helpers who can only process a single request at a + time. + cache=n result cache size, 0 is unbounded (default) + grace=n Percentage remaining of TTL where a refresh of a + cached entry should be initiated without needing to + wait for a new reply. (default 0 for no grace period) + + FORMAT specifications + + %LOGIN Authenticated user login name + %IDENT Ident user name + %SRC Client IP + %SRCPORT Client source port + %DST Requested host + %PROTO Requested protocol + %PORT Requested port + %PATH Requested URL path + %METHOD Request method + %MYADDR Squid interface address + %MYPORT Squid http_port number + %USER_CERT_xx SSL User certificate attribute xx + %USER_CA_xx SSL User certificate CA attribute xx + %{Header} + + HTTP request header + + %{Hdr:member} HTTP request header list member + + %{Hdr:;member} + HTTP request header list member using ; as + list separator. ; can be any non-alphanumeric + character. + + In addition, any string specified in the referencing acl will + also be included in the helper request line, after the specified + formats (see the "acl external" directive) + + The helper receives lines per the above format specification, + and returns lines starting with OK or ERR indicating the validity + of the request and optionally followed by additional keywords with + more details. + + General result syntax: + + OK/ERR keyword=value ... + + Defined keywords: + + user= The users name (login) + password= The users password (for login= cache_peer option) + message= Message describing the reason. Available as %o + in error pages + tag= Apply a tag to a request (for both ERR and OK results) + Only sets a tag, does not alter existing tags. + log= String to be logged in access.log. Available as + %ea in logformat specifications + + Keyword values need to be enclosed in quotes if they may + contain whitespace, or the whitespace escaped using \. Any + quotes or \ characters within the keyword value must be \ + escaped. + DOC_END -COMMENT_START - OPTIONS FOR TUNING THE CACHE - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: wais_relay_host -TYPE: string -DEFAULT: none -LOC: Config.Wais.relayHost -DOC_NONE - -NAME: wais_relay_port -TYPE: ushort -DEFAULT: 0 -LOC: Config.Wais.relayPort -DOC_START - Relay WAIS request to host (1st arg) at port (2 arg). -DOC_END - - -NAME: request_header_max_size -COMMENT: (KB) -TYPE: b_size_t -DEFAULT: 10 KB -LOC: Config.maxRequestHeaderSize -DOC_START - This specifies the maximum size for HTTP headers in a request. - Request headers are usually relatively small (about 512 bytes). - Placing a limit on the request header size will catch certain - bugs (for example with persistent connections) and possibly - buffer-overflow or denial-of-service attacks. -DOC_END - -NAME: request_body_max_size -COMMENT: (KB) -TYPE: b_size_t -DEFAULT: 0 KB -LOC: Config.maxRequestBodySize -DOC_START - This specifies the maximum size for an HTTP request body. - In other words, the maximum size of a PUT/POST request. - A user who attempts to send a request with a body larger - than this limit receives an "Invalid Request" error message. - If you set this parameter to a zero (the default), there will - be no limit imposed. -DOC_END - -NAME: refresh_pattern -TYPE: refreshpattern -LOC: Config.Refresh -DEFAULT: none -DOC_START - usage: refresh_pattern [-i] regex min percent max [options] - - By default, regular expressions are CASE-SENSITIVE. To make - them case-insensitive, use the -i option. - - 'Min' is the time (in minutes) an object without an explicit - expiry time should be considered fresh. The recommended - value is 0, any higher values may cause dynamic applications - to be erroneously cached unless the application designer - has taken the appropriate actions. - - 'Percent' is a percentage of the objects age (time since last - modification age) an object without explicit expiry time - will be considered fresh. - - 'Max' is an upper limit on how long objects without an explicit - expiry time will be considered fresh. - - options: override-expire - override-lastmod - reload-into-ims - ignore-reload - - override-expire enforces min age even if the server - sent a Expires: header. Doing this VIOLATES the HTTP - standard. Enabling this feature could make you liable - for problems which it causes. - - override-lastmod enforces min age even on objects - that was modified recently. - - reload-into-ims changes client no-cache or ``reload'' - to If-Modified-Since requests. Doing this VIOLATES the - HTTP standard. Enabling this feature could make you - liable for problems which it causes. - - ignore-reload ignores a client no-cache or ``reload'' - header. Doing this VIOLATES the HTTP standard. Enabling - this feature could make you liable for problems which - it causes. - - Basically a cached object is: - - FRESH if expires < now, else STALE - STALE if age > max - FRESH if lm-factor < percent, else STALE - FRESH if age < min - else STALE - - The refresh_pattern lines are checked in the order listed here. - The first entry which matches is used. If none of the entries - match, then the default will be used. - - Note, you must uncomment all the default lines if you want - to change one. The default setting is only active if none is - used. - -Suggested default: -NOCOMMENT_START -refresh_pattern ^ftp: 1440 20% 10080 -refresh_pattern ^gopher: 1440 0% 1440 -refresh_pattern . 0 20% 4320 -NOCOMMENT_END -DOC_END - -NAME: quick_abort_min -COMMENT: (KB) -TYPE: kb_size_t -DEFAULT: 16 KB -LOC: Config.quickAbort.min -DOC_NONE - -NAME: quick_abort_max -COMMENT: (KB) -TYPE: kb_size_t -DEFAULT: 16 KB -LOC: Config.quickAbort.max -DOC_NONE - -NAME: quick_abort_pct -COMMENT: (percent) -TYPE: int -DEFAULT: 95 -LOC: Config.quickAbort.pct -DOC_START - The cache by default continues downloading aborted requests - which are almost completed (less than 16 KB remaining). This - may be undesirable on slow (e.g. SLIP) links and/or very busy - caches. Impatient users may tie up file descriptors and - bandwidth by repeatedly requesting and immediately aborting - downloads. - - When the user aborts a request, Squid will check the - quick_abort values to the amount of data transfered until - then. - - If the transfer has less than 'quick_abort_min' KB remaining, - it will finish the retrieval. - - If the transfer has more than 'quick_abort_max' KB remaining, - it will abort the retrieval. - - If more than 'quick_abort_pct' of the transfer has completed, - it will finish the retrieval. - - If you do not want any retrieval to continue after the client - has aborted, set both 'quick_abort_min' and 'quick_abort_max' - to '0 KB'. - - If you want retrievals to always continue if they are being - cached then set 'quick_abort_min' to '-1 KB'. -DOC_END - -NAME: read_ahead_gap -COMMENT: buffer-size -TYPE: kb_size_t -LOC: Config.readAheadGap -DEFAULT: 16 KB -DOC_START - The amount of data the cache will buffer ahead of what has been - sent to the client when retrieving an object from another server. -DOC_END - -NAME: negative_ttl -COMMENT: time-units -TYPE: time_t -LOC: Config.negativeTtl -DEFAULT: 5 minutes -DOC_START - Time-to-Live (TTL) for failed requests. Certain types of - failures (such as "connection refused" and "404 Not Found") are - negatively-cached for a configurable amount of time. The - default is 5 minutes. Note that this is different from - negative caching of DNS lookups. -DOC_END - - -NAME: positive_dns_ttl -COMMENT: time-units -TYPE: time_t -LOC: Config.positiveDnsTtl -DEFAULT: 6 hours -DOC_START - Time-to-Live (TTL) for positive caching of successful DNS lookups. - Default is 6 hours (360 minutes). If you want to minimize the - use of Squid's ipcache, set this to 1, not 0. -DOC_END - - -NAME: negative_dns_ttl -COMMENT: time-units -TYPE: time_t -LOC: Config.negativeDnsTtl -DEFAULT: 5 minutes -DOC_START - Time-to-Live (TTL) for negative caching of failed DNS lookups. -DOC_END - -NAME: range_offset_limit -COMMENT: (bytes) -TYPE: b_size_t -LOC: Config.rangeOffsetLimit -DEFAULT: 0 KB -DOC_START - Sets a upper limit on how far into the the file a Range request - may be to cause Squid to prefetch the whole file. If beyond this - limit then Squid forwards the Range request as it is and the result - is NOT cached. - - This is to stop a far ahead range request (lets say start at 17MB) - from making Squid fetch the whole object up to that point before - sending anything to the client. - - A value of -1 causes Squid to always fetch the object from the - beginning so that it may cache the result. (2.0 style) - - A value of 0 causes Squid to never fetch more than the - client requested. (default) -DOC_END + COMMENT_START + OPTIONS FOR TUNING THE CACHE + ----------------------------------------------------------------------------- + COMMENT_END + NAME: wais_relay_host -COMMENT_START - TIMEOUTS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: connect_timeout -COMMENT: time-units -TYPE: time_t -LOC: Config.Timeout.connect -DEFAULT: 2 minutes -DOC_START - Some systems (notably Linux) can not be relied upon to properly - time out connect(2) requests. Therefore the Squid process - enforces its own timeout on server connections. This parameter - specifies how long to wait for the connect to complete. The - default is two minutes (120 seconds). -DOC_END - -NAME: peer_connect_timeout -COMMENT: time-units -TYPE: time_t -LOC: Config.Timeout.peer_connect -DEFAULT: 30 seconds -DOC_START - This parameter specifies how long to wait for a pending TCP - connection to a peer cache. The default is 30 seconds. You - may also set different timeout values for individual neighbors - with the 'connect-timeout' option on a 'cache_peer' line. -DOC_END - -NAME: read_timeout -COMMENT: time-units -TYPE: time_t -LOC: Config.Timeout.read -DEFAULT: 15 minutes -DOC_START - The read_timeout is applied on server-side connections. After - each successful read(), the timeout will be extended by this - amount. If no data is read again after this amount of time, - the request is aborted and logged with ERR_READ_TIMEOUT. The - default is 15 minutes. -DOC_END - - -NAME: request_timeout -TYPE: time_t -LOC: Config.Timeout.request -DEFAULT: 5 minutes -DOC_START - How long to wait for an HTTP request after initial - connection establishment. -DOC_END - - -NAME: persistent_request_timeout -TYPE: time_t -LOC: Config.Timeout.persistent_request -DEFAULT: 1 minute -DOC_START - How long to wait for the next HTTP request on a persistent - connection after the previous request completes. -DOC_END - - -NAME: client_lifetime -COMMENT: time-units -TYPE: time_t -LOC: Config.Timeout.lifetime -DEFAULT: 1 day -DOC_START - The maximum amount of time that a client (browser) is allowed to - remain connected to the cache process. This protects the Cache - from having a lot of sockets (and hence file descriptors) tied up - in a CLOSE_WAIT state from remote clients that go away without - properly shutting down (either because of a network failure or - because of a poor client implementation). The default is one - day, 1440 minutes. - - NOTE: The default value is intended to be much larger than any - client would ever need to be connected to your cache. You - should probably change client_lifetime only as a last resort. - If you seem to have many client connections tying up - filedescriptors, we recommend first tuning the read_timeout, - request_timeout, persistent_request_timeout and quick_abort values. -DOC_END - -NAME: half_closed_clients -TYPE: onoff -LOC: Config.onoff.half_closed_clients -DEFAULT: on -DOC_START - Some clients may shutdown the sending side of their TCP - connections, while leaving their receiving sides open. Sometimes, - Squid can not tell the difference between a half-closed and a - fully-closed TCP connection. By default, half-closed client - connections are kept open until a read(2) or write(2) on the - socket returns an error. Change this option to 'off' and Squid - will immediately close client connections when read(2) returns - "no more data to read." -DOC_END - -NAME: pconn_timeout -TYPE: time_t -LOC: Config.Timeout.pconn -DEFAULT: 120 seconds -DOC_START - Timeout for idle persistent connections to servers and other - proxies. -DOC_END - -NAME: ident_timeout -TYPE: time_t -IFDEF: USE_IDENT -LOC: Config.Timeout.ident -DEFAULT: 10 seconds -DOC_START - Maximum time to wait for IDENT lookups to complete. - - If this is too high, and you enabled IDENT lookups from untrusted - users, then you might be susceptible to denial-of-service by having - many ident requests going at once. -DOC_END - - -NAME: shutdown_lifetime -COMMENT: time-units -TYPE: time_t -LOC: Config.shutdownLifetime -DEFAULT: 30 seconds -DOC_START - When SIGTERM or SIGHUP is received, the cache is put into - "shutdown pending" mode until all active sockets are closed. - This value is the lifetime to set for all open descriptors - during shutdown mode. Any active clients after this many - seconds will receive a 'timeout' message. -DOC_END + TYPE: string + + DEFAULT: none + + LOC: Config.Wais.relayHost + DOC_NONE + + NAME: wais_relay_port + + TYPE: ushort + + DEFAULT: 0 + + LOC: Config.Wais.relayPort + DOC_START + Relay WAIS request to host (1st arg) at port (2 arg). + DOC_END + + + NAME: request_header_max_size + + COMMENT: (KB) + + TYPE: b_size_t + + DEFAULT: 10 KB + + LOC: Config.maxRequestHeaderSize + DOC_START + This specifies the maximum size for HTTP headers in a request. + Request headers are usually relatively small (about 512 bytes). + Placing a limit on the request header size will catch certain + bugs (for example with persistent connections) and possibly + buffer-overflow or denial-of-service attacks. + DOC_END + + NAME: request_body_max_size + + COMMENT: (KB) + + TYPE: b_size_t + + DEFAULT: 0 KB + + LOC: Config.maxRequestBodySize + DOC_START + This specifies the maximum size for an HTTP request body. + In other words, the maximum size of a PUT/POST request. + A user who attempts to send a request with a body larger + than this limit receives an "Invalid Request" error message. + If you set this parameter to a zero (the default), there will + be no limit imposed. + DOC_END + + NAME: refresh_pattern + + TYPE: refreshpattern + + LOC: Config.Refresh + + DEFAULT: none + DOC_START + + usage: refresh_pattern [-i] regex min percent max [options] + + By default, regular expressions are CASE-SENSITIVE. To make + them case-insensitive, use the -i option. + + 'Min' is the time (in minutes) an object without an explicit + expiry time should be considered fresh. The recommended + value is 0, any higher values may cause dynamic applications + to be erroneously cached unless the application designer + has taken the appropriate actions. + + 'Percent' is a percentage of the objects age (time since last + modification age) an object without explicit expiry time + will be considered fresh. + + 'Max' is an upper limit on how long objects without an explicit + expiry time will be considered fresh. + + options: override-expire + override-lastmod + reload-into-ims + ignore-reload + + override-expire enforces min age even if the server + + sent a Expires: header. Doing this VIOLATES the HTTP + standard. Enabling this feature could make you liable + for problems which it causes. + + override-lastmod enforces min age even on objects + that was modified recently. + + reload-into-ims changes client no-cache or ``reload'' + to If-Modified-Since requests. Doing this VIOLATES the + HTTP standard. Enabling this feature could make you + liable for problems which it causes. + + ignore-reload ignores a client no-cache or ``reload'' + header. Doing this VIOLATES the HTTP standard. Enabling + this feature could make you liable for problems which + it causes. + + Basically a cached object is: + + FRESH if expires < now, else STALE + STALE if age > max + FRESH if lm-factor < percent, else STALE + FRESH if age < min + else STALE + + The refresh_pattern lines are checked in the order listed here. + The first entry which matches is used. If none of the entries + match, then the default will be used. + + Note, you must uncomment all the default lines if you want + to change one. The default setting is only active if none is + used. + + Suggested default: + NOCOMMENT_START + + refresh_pattern ^ftp: 1440 20% 10080 + + refresh_pattern ^gopher: 1440 0% 1440 + refresh_pattern . 0 20% 4320 + NOCOMMENT_END + DOC_END + + NAME: quick_abort_min + + COMMENT: (KB) + + TYPE: kb_size_t + + DEFAULT: 16 KB + + LOC: Config.quickAbort.min + DOC_NONE + + NAME: quick_abort_max + + COMMENT: (KB) + + TYPE: kb_size_t + + DEFAULT: 16 KB + + LOC: Config.quickAbort.max + DOC_NONE + + NAME: quick_abort_pct + + COMMENT: (percent) + + TYPE: int + + DEFAULT: 95 + + LOC: Config.quickAbort.pct + DOC_START + The cache by default continues downloading aborted requests + which are almost completed (less than 16 KB remaining). This + may be undesirable on slow (e.g. SLIP) links and/or very busy + caches. Impatient users may tie up file descriptors and + bandwidth by repeatedly requesting and immediately aborting + downloads. + + When the user aborts a request, Squid will check the + quick_abort values to the amount of data transfered until + then. + + If the transfer has less than 'quick_abort_min' KB remaining, + it will finish the retrieval. + + If the transfer has more than 'quick_abort_max' KB remaining, + it will abort the retrieval. + + If more than 'quick_abort_pct' of the transfer has completed, + it will finish the retrieval. + + If you do not want any retrieval to continue after the client + has aborted, set both 'quick_abort_min' and 'quick_abort_max' + to '0 KB'. + + If you want retrievals to always continue if they are being + cached then set 'quick_abort_min' to '-1 KB'. + DOC_END + + NAME: read_ahead_gap + + COMMENT: buffer-size + + TYPE: kb_size_t + + LOC: Config.readAheadGap + + DEFAULT: 16 KB + DOC_START + The amount of data the cache will buffer ahead of what has been + sent to the client when retrieving an object from another server. + DOC_END + + NAME: negative_ttl + + COMMENT: time-units + + TYPE: time_t + + LOC: Config.negativeTtl + + DEFAULT: 5 minutes + DOC_START + Time-to-Live (TTL) for failed requests. Certain types of + failures (such as "connection refused" and "404 Not Found") are + negatively-cached for a configurable amount of time. The + default is 5 minutes. Note that this is different from + negative caching of DNS lookups. + DOC_END -COMMENT_START - ACCESS CONTROLS - ----------------------------------------------------------------------------- -COMMENT_END -NAME: acl -TYPE: acl -LOC: Config.aclList -DEFAULT: none -DOC_START - Defining an Access List + NAME: positive_dns_ttl - acl aclname acltype string1 ... - acl aclname acltype "file" ... + COMMENT: time-units - when using "file", the file should contain one item per line + TYPE: time_t - acltype is one of the types described below + LOC: Config.positiveDnsTtl - By default, regular expressions are CASE-SENSITIVE. To make - them case-insensitive, use the -i option. + DEFAULT: 6 hours + DOC_START + Time-to-Live (TTL) for positive caching of successful DNS lookups. + Default is 6 hours (360 minutes). If you want to minimize the + use of Squid's ipcache, set this to 1, not 0. + DOC_END - acl aclname src ip-address/netmask ... (clients IP address) - acl aclname src addr1-addr2/netmask ... (range of addresses) - acl aclname dst ip-address/netmask ... (URL host's IP address) - acl aclname myip ip-address/netmask ... (local socket IP address) - acl aclname srcdomain .foo.com ... # reverse lookup, client IP - acl aclname dstdomain .foo.com ... # Destination server from URL - acl aclname srcdom_regex [-i] xxx ... # regex matching client name - acl aclname dstdom_regex [-i] xxx ... # regex matching server + NAME: negative_dns_ttl + COMMENT: time-units + TYPE: time_t + LOC: Config.negativeDnsTtl + DEFAULT: 5 minutes + DOC_START + Time-to-Live (TTL) for negative caching of failed DNS lookups. + DOC_END + + NAME: range_offset_limit + COMMENT: (bytes) + TYPE: b_size_t + LOC: Config.rangeOffsetLimit + DEFAULT: 0 KB + DOC_START + Sets a upper limit on how far into the the file a Range request + may be to cause Squid to prefetch the whole file. If beyond this + limit then Squid forwards the Range request as it is and the result + is NOT cached. + + This is to stop a far ahead range request (lets say start at 17MB) + from making Squid fetch the whole object up to that point before + sending anything to the client. + + A value of -1 causes Squid to always fetch the object from the + beginning so that it may cache the result. (2.0 style) + + A value of 0 causes Squid to never fetch more than the + client requested. (default) + DOC_END + + + COMMENT_START + TIMEOUTS + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: connect_timeout + COMMENT: time-units + TYPE: time_t + LOC: Config.Timeout.connect + DEFAULT: 2 minutes + DOC_START + Some systems (notably Linux) can not be relied upon to properly + time out connect(2) requests. Therefore the Squid process + enforces its own timeout on server connections. This parameter + specifies how long to wait for the connect to complete. The + default is two minutes (120 seconds). + DOC_END + + NAME: peer_connect_timeout + COMMENT: time-units + TYPE: time_t + LOC: Config.Timeout.peer_connect + DEFAULT: 30 seconds + DOC_START + This parameter specifies how long to wait for a pending TCP + connection to a peer cache. The default is 30 seconds. You + may also set different timeout values for individual neighbors + with the 'connect-timeout' option on a 'cache_peer' line. + DOC_END + + NAME: read_timeout + COMMENT: time-units + TYPE: time_t + LOC: Config.Timeout.read + DEFAULT: 15 minutes + DOC_START + The read_timeout is applied on server-side connections. After + each successful read(), the timeout will be extended by this + amount. If no data is read again after this amount of time, + the request is aborted and logged with ERR_READ_TIMEOUT. The + default is 15 minutes. + DOC_END + + + NAME: request_timeout + TYPE: time_t + LOC: Config.Timeout.request + DEFAULT: 5 minutes + DOC_START + How long to wait for an HTTP request after initial + connection establishment. + DOC_END + + + NAME: persistent_request_timeout + TYPE: time_t + LOC: Config.Timeout.persistent_request + DEFAULT: 1 minute + DOC_START + How long to wait for the next HTTP request on a persistent + connection after the previous request completes. + DOC_END + + + NAME: client_lifetime + COMMENT: time-units + TYPE: time_t + LOC: Config.Timeout.lifetime + DEFAULT: 1 day + DOC_START + The maximum amount of time that a client (browser) is allowed to + remain connected to the cache process. This protects the Cache + from having a lot of sockets (and hence file descriptors) tied up + in a CLOSE_WAIT state from remote clients that go away without + properly shutting down (either because of a network failure or + because of a poor client implementation). The default is one + day, 1440 minutes. + + NOTE: The default value is intended to be much larger than any + client would ever need to be connected to your cache. You + should probably change client_lifetime only as a last resort. + If you seem to have many client connections tying up + filedescriptors, we recommend first tuning the read_timeout, + request_timeout, persistent_request_timeout and quick_abort values. + DOC_END + + NAME: half_closed_clients + TYPE: onoff + LOC: Config.onoff.half_closed_clients + DEFAULT: on + DOC_START + Some clients may shutdown the sending side of their TCP + connections, while leaving their receiving sides open. Sometimes, + Squid can not tell the difference between a half-closed and a + fully-closed TCP connection. By default, half-closed client + connections are kept open until a read(2) or write(2) on the + socket returns an error. Change this option to 'off' and Squid + will immediately close client connections when read(2) returns + "no more data to read." + DOC_END + + NAME: pconn_timeout + TYPE: time_t + LOC: Config.Timeout.pconn + DEFAULT: 120 seconds + DOC_START + Timeout for idle persistent connections to servers and other + proxies. + DOC_END + + NAME: ident_timeout + TYPE: time_t + IFDEF: USE_IDENT + LOC: Config.Timeout.ident + DEFAULT: 10 seconds + DOC_START + Maximum time to wait for IDENT lookups to complete. + + If this is too high, and you enabled IDENT lookups from untrusted + users, then you might be susceptible to denial-of-service by having + many ident requests going at once. + DOC_END + + + NAME: shutdown_lifetime + COMMENT: time-units + TYPE: time_t + LOC: Config.shutdownLifetime + DEFAULT: 30 seconds + DOC_START + When SIGTERM or SIGHUP is received, the cache is put into + "shutdown pending" mode until all active sockets are closed. + This value is the lifetime to set for all open descriptors + during shutdown mode. Any active clients after this many + seconds will receive a 'timeout' message. + DOC_END + + COMMENT_START + ACCESS CONTROLS + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: acl + TYPE: acl + LOC: Config.aclList + DEFAULT: none + DOC_START + Defining an Access List + + acl aclname acltype string1 ... + acl aclname acltype "file" ... + + when using "file", the file should contain one item per line + + acltype is one of the types described below + + By default, regular expressions are CASE-SENSITIVE. To make + them case-insensitive, use the -i option. + + acl aclname src ip-address/netmask ... (clients IP address) + acl aclname src addr1-addr2/netmask ... (range of addresses) + acl aclname dst ip-address/netmask ... (URL host's IP address) + acl aclname myip ip-address/netmask ... (local socket IP address) + + acl aclname srcdomain .foo.com ... # reverse lookup, client IP + acl aclname dstdomain .foo.com ... # Destination server from URL + acl aclname srcdom_regex [-i] xxx ... # regex matching client name + acl aclname dstdom_regex [-i] xxx ... # regex matching server # For dstdomain and dstdom_regex a reverse lookup is tried if a IP # based URL is used. The name "none" is used if the reverse lookup # fails. - acl aclname time [day-abbrevs] [h1:m1-h2:m2] - day-abbrevs: - S - Sunday - M - Monday - T - Tuesday - W - Wednesday - H - Thursday - F - Friday - A - Saturday - h1:m1 must be less than h2:m2 - acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL - acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path - acl aclname port 80 70 21 ... - acl aclname port 0-1024 ... # ranges allowed - acl aclname myport 3128 ... # (local socket TCP port) - acl aclname proto HTTP FTP ... - acl aclname method GET POST ... - acl aclname browser [-i] regexp ... - # pattern match on User-Agent header - acl aclname referer_regex [-i] regexp ... - # pattern match on Referer header + acl aclname time [day-abbrevs] [h1:m1-h2:m2] + + day-abbrevs: + S - Sunday + M - Monday + T - Tuesday + W - Wednesday + H - Thursday + F - Friday + A - Saturday + + h1:m1 must be less than h2:m2 + + acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL + acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path + acl aclname port 80 70 21 ... + acl aclname port 0-1024 ... # ranges allowed + acl aclname myport 3128 ... # (local socket TCP port) + acl aclname proto HTTP FTP ... + acl aclname method GET POST ... + acl aclname browser [-i] regexp ... +# pattern match on User-Agent header + acl aclname referer_regex [-i] regexp ... +# pattern match on Referer header # Referer is highly unreliable, so use with care - acl aclname ident username ... - acl aclname ident_regex [-i] pattern ... - # string match on ident output. + acl aclname ident username ... + acl aclname ident_regex [-i] pattern ... +# string match on ident output. # use REQUIRED to accept any non-null ident. - acl aclname src_as number ... - acl aclname dst_as number ... - # Except for access control, AS numbers can be used for + acl aclname src_as number ... + acl aclname dst_as number ... +# Except for access control, AS numbers can be used for # routing of requests to specific caches. Here's an # example for routing all requests for AS#1241 and only # those to mycache.mydomain.net: @@ -2353,9 +2430,9 @@ DOC_START # cache_peer_access mycache.mydomain.net allow asexample # cache_peer_access mycache_mydomain.net deny all - acl aclname proxy_auth [-i] username ... - acl aclname proxy_auth_regex [-i] pattern ... - # list of valid usernames + acl aclname proxy_auth [-i] username ... + acl aclname proxy_auth_regex [-i] pattern ... +# list of valid usernames # use REQUIRED to accept any valid username. # # NOTE: when a Proxy-Authentication header is sent but it is not @@ -2370,18 +2447,18 @@ DOC_START # the browser needs to be configured for using a proxy in order # to respond to proxy authentication. - acl aclname snmp_community string ... - # A community string to limit access to your SNMP Agent + acl aclname snmp_community string ... +# A community string to limit access to your SNMP Agent # Example: # # acl snmppublic snmp_community public - acl aclname maxconn number - # This will be matched when the client's IP address has + acl aclname maxconn number +# This will be matched when the client's IP address has # more than HTTP connections established. - acl aclname max_user_ip [-s] number - # This will be matched when the user attempts to log in from more + acl aclname max_user_ip [-s] number +# This will be matched when the user attempts to log in from more # than different ip addresses. The authenticate_ip_ttl # parameter controls the timeout on the ip entries. # If -s is specified then the limit is strict, denying browsing @@ -2393,98 +2470,102 @@ DOC_START # clients may appear to come from multiple addresses if they are # going through proxy farms, so a limit of 1 may cause user problems. - acl aclname req_mime_type mime-type1 ... - # regex match agains the mime type of the request generated + acl aclname req_mime_type mime-type1 ... +# regex match agains the mime type of the request generated # by the client. Can be used to detect file upload or some # types HTTP tunelling requests. # NOTE: This does NOT match the reply. You cannot use this # to match the returned file type. - acl aclname rep_mime_type mime-type1 ... - # regex match against the mime type of the reply recieved by + acl aclname rep_mime_type mime-type1 ... +# regex match against the mime type of the reply recieved by # squid. Can be used to detect file download or some # types HTTP tunelling requests. # NOTE: This has no effect in http_access rules. It only has # effect in rules that affect the reply data stream such as # http_reply_access. - acl acl_name external class_name [arguments...] - # external ACL lookup via a helper class defined by the + acl acl_name external class_name [arguments...] +# external ACL lookup via a helper class defined by the # external_acl_type directive. - acl aclname user_cert attribute values... - # match against attributes in a user SSL certificate + acl aclname user_cert attribute values... +# match against attributes in a user SSL certificate # attribute is one of DN/C/O/CN/L/ST - acl aclname ca_cert attribute values... - # match against attributes a users issuing CA SSL certificate + acl aclname ca_cert attribute values... +# match against attributes a users issuing CA SSL certificate # attribute is one of DN/C/O/CN/L/ST - acl aclname ext_user username ... - acl aclname ext_user_regex [-i] pattern ... - # string match on username returned by external acl processing + acl aclname ext_user username ... + acl aclname ext_user_regex [-i] pattern ... +# string match on username returned by external acl processing # use REQUIRED to accept any non-null user name. -Examples: -acl myexample dst_as 1241 -acl password proxy_auth REQUIRED -acl fileupload req_mime_type -i ^multipart/form-data$ -acl javascript rep_mime_type -i ^application/x-javascript$ + Examples: + acl myexample dst_as 1241 + acl password proxy_auth REQUIRED + acl fileupload req_mime_type -i ^multipart/form-data$ + acl javascript rep_mime_type -i ^application/x-javascript$ -NOCOMMENT_START + NOCOMMENT_START #Recommended minimum configuration: -acl all src 0.0.0.0/0.0.0.0 -acl manager proto cache_object -acl localhost src 127.0.0.1/255.255.255.255 -acl to_localhost dst 127.0.0.0/8 -acl SSL_ports port 443 563 -acl Safe_ports port 80 # http -acl Safe_ports port 21 # ftp -acl Safe_ports port 443 563 # https, snews -acl Safe_ports port 70 # gopher -acl Safe_ports port 210 # wais -acl Safe_ports port 1025-65535 # unregistered ports -acl Safe_ports port 280 # http-mgmt -acl Safe_ports port 488 # gss-http -acl Safe_ports port 591 # filemaker -acl Safe_ports port 777 # multiling http -acl CONNECT method CONNECT -NOCOMMENT_END -DOC_END - -NAME: http_access -TYPE: acl_access -LOC: Config.accessList.http -DEFAULT: none -DEFAULT_IF_NONE: deny all -DOC_START - Allowing or Denying access based on defined access lists - - Access to the HTTP port: - http_access allow|deny [!]aclname ... - - NOTE on default values: - - If there are no "access" lines present, the default is to deny - the request. - - If none of the "access" lines cause a match, the default is the - opposite of the last line in the list. If the last line was - deny, then the default is allow. Conversely, if the last line - is allow, the default will be deny. For these reasons, it is a - good idea to have an "deny all" or "allow all" entry at the end - of your access lists to avoid potential confusion. - -NOCOMMENT_START + acl all src 0.0.0.0/0.0.0.0 + acl manager proto cache_object + acl localhost src 127.0.0.1/255.255.255.255 + acl to_localhost dst 127.0.0.0/8 + acl SSL_ports port 443 563 + acl Safe_ports port 80 # http + acl Safe_ports port 21 # ftp + acl Safe_ports port 443 563 # https, snews + acl Safe_ports port 70 # gopher + acl Safe_ports port 210 # wais + acl Safe_ports port 1025-65535 # unregistered ports + acl Safe_ports port 280 # http-mgmt + acl Safe_ports port 488 # gss-http + acl Safe_ports port 591 # filemaker + acl Safe_ports port 777 # multiling http + acl CONNECT method CONNECT + NOCOMMENT_END + DOC_END + + NAME: http_access + + TYPE: acl_access + + LOC: Config.accessList.http + + DEFAULT: none + + DEFAULT_IF_NONE: deny all + DOC_START + Allowing or Denying access based on defined access lists + + Access to the HTTP port: + http_access allow|deny [!]aclname ... + + NOTE on default values: + + If there are no "access" lines present, the default is to deny + the request. + + If none of the "access" lines cause a match, the default is the + opposite of the last line in the list. If the last line was + deny, then the default is allow. Conversely, if the last line + is allow, the default will be deny. For these reasons, it is a + good idea to have an "deny all" or "allow all" entry at the end + of your access lists to avoid potential confusion. + + NOCOMMENT_START #Recommended minimum configuration: # # Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager + http_access allow manager localhost + http_access deny manager # Deny requests to unknown ports -http_access deny !Safe_ports + http_access deny !Safe_ports # Deny CONNECT to other than SSL ports -http_access deny CONNECT !SSL_ports + http_access deny CONNECT !SSL_ports # # We strongly recommend to uncomment the following to protect innocent # web applications running on the proxy server who think that the only @@ -2500,1786 +2581,1974 @@ http_access deny CONNECT !SSL_ports #http_access allow our_networks # And finally deny all other access to this proxy -http_access deny all -NOCOMMENT_END -DOC_END + http_access deny all + NOCOMMENT_END + DOC_END -NAME: http_reply_access -TYPE: acl_access -LOC: Config.accessList.reply -DEFAULT: none -DEFAULT_IF_NONE: allow all -DOC_START - Allow replies to client requests. This is complementary to http_access. + NAME: http_reply_access - http_reply_access allow|deny [!] aclname ... + TYPE: acl_access - NOTE: if there are no access lines present, the default is to allow - all replies + LOC: Config.accessList.reply - If none of the access lines cause a match, then the opposite of the - last line will apply. Thus it is good practice to end the rules - with an "allow all" or "deny all" entry. + DEFAULT: none -NOCOMMENT_START + DEFAULT_IF_NONE: allow all + DOC_START + Allow replies to client requests. This is complementary to http_access. + + http_reply_access allow|deny [!] aclname ... + + NOTE: if there are no access lines present, the default is to allow + all replies + + If none of the access lines cause a match, then the opposite of the + last line will apply. Thus it is good practice to end the rules + with an "allow all" or "deny all" entry. + + NOCOMMENT_START #Recommended minimum configuration: # # Insert your own rules here. # # # and finally allow by default -http_reply_access allow all -NOCOMMENT_END -DOC_END + http_reply_access allow all + NOCOMMENT_END + DOC_END + + + NAME: icp_access + TYPE: acl_access -NAME: icp_access -TYPE: acl_access -LOC: Config.accessList.icp -DEFAULT: none -DEFAULT_IF_NONE: deny all -DOC_START - Allowing or Denying access to the ICP port based on defined - access lists + LOC: Config.accessList.icp - icp_access allow|deny [!]aclname ... + DEFAULT: none - See http_access for details + DEFAULT_IF_NONE: deny all + DOC_START + Allowing or Denying access to the ICP port based on defined + access lists -NOCOMMENT_START + icp_access allow|deny [!]aclname ... + + See http_access for details + + NOCOMMENT_START #Allow ICP queries from everyone -icp_access allow all -NOCOMMENT_END -DOC_END + icp_access allow all + NOCOMMENT_END + DOC_END + + + NAME: miss_access + + TYPE: acl_access + + LOC: Config.accessList.miss + DEFAULT: none + DOC_START + Use to force your neighbors to use you as a sibling instead of -NAME: miss_access -TYPE: acl_access -LOC: Config.accessList.miss -DEFAULT: none -DOC_START - Use to force your neighbors to use you as a sibling instead of - a parent. For example: + a parent. For example: - acl localclients src 172.16.0.0/16 - miss_access allow localclients - miss_access deny !localclients + acl localclients src 172.16.0.0/16 + miss_access allow localclients + miss_access deny !localclients - This means that only your local clients are allowed to fetch - MISSES and all other clients can only fetch HITS. + This means that only your local clients are allowed to fetch + MISSES and all other clients can only fetch HITS. - By default, allow all clients who passed the http_access rules - to fetch MISSES from us. + By default, allow all clients who passed the http_access rules + to fetch MISSES from us. -NOCOMMENT_START + NOCOMMENT_START #Default setting: # miss_access allow all -NOCOMMENT_END -DOC_END - - -NAME: cache_peer_access -TYPE: peer_access -DEFAULT: none -LOC: none -DOC_START - Similar to 'cache_peer_domain' but provides more flexibility by - using ACL elements. - - cache_peer_access cache-host allow|deny [!]aclname ... - - The syntax is identical to 'http_access' and the other lists of - ACL elements. See the comments for 'http_access' below, or - the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html). -DOC_END - -NAME: ident_lookup_access -TYPE: acl_access -IFDEF: USE_IDENT -DEFAULT: none -DEFAULT_IF_NONE: deny all -LOC: Config.accessList.identLookup -DOC_START - A list of ACL elements which, if matched, cause an ident - (RFC 931) lookup to be performed for this request. For - example, you might choose to always perform ident lookups - for your main multi-user Unix boxes, but not for your Macs - and PCs. By default, ident lookups are not performed for - any requests. - - To enable ident lookups for specific client addresses, you - can follow this example: - - acl ident_aware_hosts src 198.168.1.0/255.255.255.0 - ident_lookup_access allow ident_aware_hosts - ident_lookup_access deny all - - Only src type ACL checks are fully supported. A src_domain - ACL might work at times, but it will not always provide - the correct result. -DOC_END - -NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp -TYPE: acl_tos -DEFAULT: none -LOC: Config.accessList.outgoing_tos -DOC_START - Allows you to select a TOS/Diffserv value to mark outgoing - connections with, based on the username or source address - making the request. - - tcp_outgoing_tos ds-field [!]aclname ... - - Example where normal_service_net uses the TOS value 0x00 - and normal_service_net uses 0x20 - - acl normal_service_net src 10.0.0.0/255.255.255.0 - acl good_service_net src 10.0.1.0/255.255.255.0 - tcp_outgoing_tos 0x00 normal_service_net 0x00 - tcp_outgoing_tos 0x20 good_service_net - - TOS/DSCP values really only have local significance - so you should - know what you're specifying. For more, see RFC 2474 - - The TOS/DSCP byte must be exactly that - a byte, value 0 - 255, or - "default" to use whatever default your host has. - - Processing proceeds in the order specified, and stops at first fully - matching line. -DOC_END - -NAME: tcp_outgoing_address -TYPE: acl_address -DEFAULT: none -LOC: Config.accessList.outgoing_address -DOC_START - Allows you to map requests to different outgoing IP addresses - based on the username or sourceaddress of the user making - the request. - - tcp_outgoing_address ipaddr [[!]aclname] ... - - Example where requests from 10.0.0.0/24 will be forwareded - with source address 10.1.0.1, 10.0.2.0/24 forwarded with - source address 10.1.0.2 and the rest will be forwarded with - source address 10.1.0.3. - - acl normal_service_net src 10.0.0.0/255.255.255.0 - acl good_service_net src 10.0.1.0/255.255.255.0 - tcp_outgoing_address 10.0.0.1 normal_service_net - tcp_outgoing_address 10.0.0.2 good_service_net - tcp_outgoing_address 10.0.0.3 - - Processing proceeds in the order specified, and stops at first fully - matching line. -DOC_END - -NAME: reply_body_max_size -COMMENT: size [acl acl...] -TYPE: acl_b_size_t -DEFAULT: none -LOC: Config.ReplyBodySize -DOC_START - This option specifies the maximum size of a reply body. It can be - used to prevent users from downloading very large files, such as - MP3's and movies. When the reply headers are recieved, the - reply_body_max_size lines are processed, and the first line where - all (if any) listed acls are true is used as the maximum body size - for this reply. - - This size is then checked twice. First when we get the reply headers, - we check the content-length value. If the content length value exists - and is larger than the allowed size, the request is denied and the - user receives an error message that says "the request or reply - is too large." If there is no content-length, and the reply - size exceeds this limit, the client's connection is just closed - and they will receive a partial reply. - - WARNING: downstream caches probably can not detect a partial reply - if there is no content-length header, so they will cache - partial responses and give them out as hits. You should NOT - use this option if you have downstream caches. - - WARNING: A maximum size smaller than the size of squid's error messages - will cause an infinite loop and crash squid. Ensure that the smallest - non-zero value you use is greater that the maximum header size plus - the size of your largest error page. - - If you set this parameter none (the default), there will be - no limit imposed. -DOC_END - -NAME: log_access -TYPE: acl_access -LOC: Config.accessList.log -DEFAULT: none -COMMENT: allow|deny acl acl... -DOC_START - This options allows you to control which requests gets logged - to access.log (see access_log directive). Requests denied for - logging will also not be accounted for in performance counters. -DOC_END + NOCOMMENT_END + DOC_END -COMMENT_START - ADMINISTRATIVE PARAMETERS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: cache_mgr -TYPE: string -DEFAULT: webmaster -LOC: Config.adminEmail -DOC_START - Email-address of local cache manager who will receive - mail if the cache dies. The default is "webmaster." -DOC_END - - -NAME: cache_effective_user -TYPE: string -DEFAULT: nobody -LOC: Config.effectiveUser -DOC_NONE - -NAME: cache_effective_group -TYPE: string -DEFAULT: none -LOC: Config.effectiveGroup -DOC_START - - If you start Squid as root, it will change its effective/real - UID/GID to the UID/GID specified below. The default is to - change to UID to nobody. If you define cache_effective_user, - but not cache_effective_group, Squid sets the GID the - effective user's default group ID (taken from the password - file). - - If Squid is not started as root, the cache_effective_user - value is ignored and the GID value is unchanged by default. - However, you can make Squid change its GID to another group - that the process owner is a member of. Note that if Squid - is not started as root then you cannot set http_port to a - value lower than 1024. -DOC_END - - -NAME: visible_hostname -TYPE: string -LOC: Config.visibleHostname -DEFAULT: none -DOC_START - If you want to present a special hostname in error messages, etc, - then define this. Otherwise, the return value of gethostname() - will be used. If you have multiple caches in a cluster and - get errors about IP-forwarding you must set them to have individual - names with this setting. -DOC_END - - -NAME: unique_hostname -TYPE: string -LOC: Config.uniqueHostname -DEFAULT: none -DOC_START - If you want to have multiple machines with the same - 'visible_hostname' then you must give each machine a different - 'unique_hostname' so that forwarding loops can be detected. -DOC_END - - -NAME: hostname_aliases -TYPE: wordlist -LOC: Config.hostnameAliases -DEFAULT: none -DOC_START - A list of other DNS names that your cache has. -DOC_END -COMMENT_START - OPTIONS FOR THE CACHE REGISTRATION SERVICE - ----------------------------------------------------------------------------- - - This section contains parameters for the (optional) cache - announcement service. This service is provided to help - cache administrators locate one another in order to join or - create cache hierarchies. - - An 'announcement' message is sent (via UDP) to the registration - service by Squid. By default, the announcement message is NOT - SENT unless you enable it with 'announce_period' below. - - The announcement message includes your hostname, plus the - following information from this configuration file: - - http_port - icp_port - cache_mgr - - All current information is processed regularly and made - available on the Web at http://www.ircache.net/Cache/Tracker/. -COMMENT_END - -NAME: announce_period -TYPE: time_t -LOC: Config.Announce.period -DEFAULT: 0 -DOC_START - This is how frequently to send cache announcements. The - default is `0' which disables sending the announcement - messages. - - To enable announcing your cache, just uncomment the line - below. - -NOCOMMENT_START + NAME: cache_peer_access + + TYPE: peer_access + + DEFAULT: none + + LOC: none + DOC_START + Similar to 'cache_peer_domain' but provides more flexibility by + using ACL elements. + + cache_peer_access cache-host allow|deny [!]aclname ... + + The syntax is identical to 'http_access' and the other lists of + ACL elements. See the comments for 'http_access' below, or + + the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html). + DOC_END + + NAME: ident_lookup_access + + TYPE: acl_access + + IFDEF: USE_IDENT + + DEFAULT: none + + DEFAULT_IF_NONE: deny all + + LOC: Config.accessList.identLookup + DOC_START + A list of ACL elements which, if matched, cause an ident + (RFC 931) lookup to be performed for this request. For + example, you might choose to always perform ident lookups + for your main multi-user Unix boxes, but not for your Macs + and PCs. By default, ident lookups are not performed for + any requests. + + To enable ident lookups for specific client addresses, you + + can follow this example: + + acl ident_aware_hosts src 198.168.1.0/255.255.255.0 + ident_lookup_access allow ident_aware_hosts + ident_lookup_access deny all + + Only src type ACL checks are fully supported. A src_domain + ACL might work at times, but it will not always provide + the correct result. + DOC_END + + NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp + + TYPE: acl_tos + + DEFAULT: none + + LOC: Config.accessList.outgoing_tos + DOC_START + Allows you to select a TOS/Diffserv value to mark outgoing + connections with, based on the username or source address + making the request. + + tcp_outgoing_tos ds-field [!]aclname ... + + Example where normal_service_net uses the TOS value 0x00 + and normal_service_net uses 0x20 + + acl normal_service_net src 10.0.0.0/255.255.255.0 + acl good_service_net src 10.0.1.0/255.255.255.0 + tcp_outgoing_tos 0x00 normal_service_net 0x00 + tcp_outgoing_tos 0x20 good_service_net + + TOS/DSCP values really only have local significance - so you should + know what you're specifying. For more, see RFC 2474 + + The TOS/DSCP byte must be exactly that - a byte, value 0 - 255, or + "default" to use whatever default your host has. + + Processing proceeds in the order specified, and stops at first fully + matching line. + DOC_END + + NAME: tcp_outgoing_address + TYPE: acl_address + DEFAULT: none + LOC: Config.accessList.outgoing_address + DOC_START + Allows you to map requests to different outgoing IP addresses + based on the username or sourceaddress of the user making + the request. + + tcp_outgoing_address ipaddr [[!]aclname] ... + + Example where requests from 10.0.0.0/24 will be forwareded + with source address 10.1.0.1, 10.0.2.0/24 forwarded with + source address 10.1.0.2 and the rest will be forwarded with + source address 10.1.0.3. + + acl normal_service_net src 10.0.0.0/255.255.255.0 + acl good_service_net src 10.0.1.0/255.255.255.0 + tcp_outgoing_address 10.0.0.1 normal_service_net + tcp_outgoing_address 10.0.0.2 good_service_net + tcp_outgoing_address 10.0.0.3 + + Processing proceeds in the order specified, and stops at first fully + matching line. + DOC_END + + NAME: reply_body_max_size + COMMENT: size [acl acl...] + TYPE: acl_b_size_t + DEFAULT: none + LOC: Config.ReplyBodySize + DOC_START + This option specifies the maximum size of a reply body. It can be + used to prevent users from downloading very large files, such as + MP3's and movies. When the reply headers are recieved, the + reply_body_max_size lines are processed, and the first line where + all (if any) listed acls are true is used as the maximum body size + for this reply. + + This size is then checked twice. First when we get the reply headers, + we check the content-length value. If the content length value exists + and is larger than the allowed size, the request is denied and the + user receives an error message that says "the request or reply + is too large." If there is no content-length, and the reply + size exceeds this limit, the client's connection is just closed + and they will receive a partial reply. + + WARNING: downstream caches probably can not detect a partial reply + if there is no content-length header, so they will cache + partial responses and give them out as hits. You should NOT + use this option if you have downstream caches. + + WARNING: A maximum size smaller than the size of squid's error messages + will cause an infinite loop and crash squid. Ensure that the smallest + non-zero value you use is greater that the maximum header size plus + the size of your largest error page. + + If you set this parameter none (the default), there will be + no limit imposed. + DOC_END + + NAME: log_access + + TYPE: acl_access + + LOC: Config.accessList.log + + DEFAULT: none + + COMMENT: allow|deny acl acl... + DOC_START + This options allows you to control which requests gets logged + to access.log (see access_log directive). Requests denied for + logging will also not be accounted for in performance counters. + DOC_END + + COMMENT_START + ADMINISTRATIVE PARAMETERS + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: cache_mgr + + TYPE: string + + DEFAULT: webmaster + + LOC: Config.adminEmail + DOC_START + Email-address of local cache manager who will receive + mail if the cache dies. The default is "webmaster." + DOC_END + + + NAME: cache_effective_user + + TYPE: string + + DEFAULT: nobody + + LOC: Config.effectiveUser + DOC_NONE + + NAME: cache_effective_group + + TYPE: string + + DEFAULT: none + + LOC: Config.effectiveGroup + DOC_START + + If you start Squid as root, it will change its effective/real + UID/GID to the UID/GID specified below. The default is to + change to UID to nobody. If you define cache_effective_user, + but not cache_effective_group, Squid sets the GID the + effective user's default group ID (taken from the password + file). + + If Squid is not started as root, the cache_effective_user + value is ignored and the GID value is unchanged by default. + However, you can make Squid change its GID to another group + that the process owner is a member of. Note that if Squid + is not started as root then you cannot set http_port to a + value lower than 1024. + DOC_END + + + NAME: visible_hostname + TYPE: string + LOC: Config.visibleHostname + DEFAULT: none + DOC_START + If you want to present a special hostname in error messages, etc, + then define this. Otherwise, the return value of gethostname() + will be used. If you have multiple caches in a cluster and + get errors about IP-forwarding you must set them to have individual + names with this setting. + DOC_END + + + NAME: unique_hostname + TYPE: string + LOC: Config.uniqueHostname + DEFAULT: none + DOC_START + If you want to have multiple machines with the same + 'visible_hostname' then you must give each machine a different + 'unique_hostname' so that forwarding loops can be detected. + DOC_END + + + NAME: hostname_aliases + TYPE: wordlist + LOC: Config.hostnameAliases + DEFAULT: none + DOC_START + A list of other DNS names that your cache has. + DOC_END + + COMMENT_START + OPTIONS FOR THE CACHE REGISTRATION SERVICE + ----------------------------------------------------------------------------- + + This section contains parameters for the (optional) cache + announcement service. This service is provided to help + cache administrators locate one another in order to join or + create cache hierarchies. + + An 'announcement' message is sent (via UDP) to the registration + service by Squid. By default, the announcement message is NOT + SENT unless you enable it with 'announce_period' below. + + The announcement message includes your hostname, plus the + following information from this configuration file: + + http_port + icp_port + cache_mgr + + All current information is processed regularly and made + available on the Web at http://www.ircache.net/Cache/Tracker/. + COMMENT_END + + NAME: announce_period + TYPE: time_t + LOC: Config.Announce.period + DEFAULT: 0 + DOC_START + This is how frequently to send cache announcements. The + default is `0' which disables sending the announcement + messages. + + To enable announcing your cache, just uncomment the line + below. + + NOCOMMENT_START #To enable announcing your cache, just uncomment the line below. #announce_period 1 day -NOCOMMENT_END -DOC_END - - -NAME: announce_host -TYPE: string -DEFAULT: tracker.ircache.net -LOC: Config.Announce.host -DOC_NONE - -NAME: announce_file -TYPE: string -DEFAULT: none -LOC: Config.Announce.file -DOC_NONE - -NAME: announce_port -TYPE: ushort -DEFAULT: 3131 -LOC: Config.Announce.port -DOC_START - announce_host and announce_port set the hostname and port - number where the registration message will be sent. - - Hostname will default to 'tracker.ircache.net' and port will - default default to 3131. If the 'filename' argument is given, - the contents of that file will be included in the announce - message. -DOC_END - -NAME: httpd_accel_surrogate_id -IFDEF: ESI -TYPE: string -LOC: Config.Accel.surrogate_id -DEFAULT: unset-id -DOC_START - Surrogates (http://www.esi.org/architecture_spec_1.0.html) - need an identification token to allow control targeting. Because - a farm of surrogates may all perform the same tasks, they may share - an identification token. -DOC_END - -NAME: http_accel_surrogate_remote -IFDEF: ESI -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.surrogate_is_remote -DOC_START - Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. - Set this to on to have squid behave as a remote surrogate. -DOC_END - -NAME: esi_parser -IFDEF: ESI -COMMENT: expat|custom -TYPE: string -LOC: ESIParser::Type -DEFAULT: custom -DOC_START - ESI markup is not strictly XML compatible. The custom ESI parser - will give higher performance, but cannot handle non ASCII character - encodings. -DOC_END + NOCOMMENT_END + DOC_END -COMMENT_START - MISCELLANEOUS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: dns_testnames -TYPE: wordlist -LOC: Config.dns_testname_list -DEFAULT: none -DEFAULT_IF_NONE: netscape.com internic.net nlanr.net microsoft.com -DOC_START - The DNS tests exit as soon as the first site is successfully looked up - - This test can be disabled with the -D command line option. -DOC_END - - -NAME: logfile_rotate -TYPE: int -DEFAULT: 10 -LOC: Config.Log.rotateNumber -DOC_START - Specifies the number of logfile rotations to make when you - type 'squid -k rotate'. The default is 10, which will rotate - with extensions 0 through 9. Setting logfile_rotate to 0 will - disable the rotation, but the logfiles are still closed and - re-opened. This will enable you to rename the logfiles - yourself just before sending the rotate signal. - - Note, the 'squid -k rotate' command normally sends a USR1 - signal to the running squid process. In certain situations - (e.g. on Linux with Async I/O), USR1 is used for other - purposes, so -k rotate uses another signal. It is best to get - in the habit of using 'squid -k rotate' instead of 'kill -USR1 - '. -DOC_END - - -NAME: append_domain -TYPE: string -LOC: Config.appendDomain -DEFAULT: none -DOC_START - Appends local domain name to hostnames without any dots in - them. append_domain must begin with a period. - - Be warned that there today is Internet names with no dots in - them using only top-domain names, so setting this may - cause some Internet sites to become unavailable. - -Example: - append_domain .yourdomain.com -DOC_END - - -NAME: tcp_recv_bufsize -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: 0 bytes -LOC: Config.tcpRcvBufsz -DOC_START - Size of receive buffer to set for TCP sockets. Probably just - as easy to change your kernel's default. Set to zero to use - the default buffer size. -DOC_END - -NAME: err_html_text -TYPE: eol -LOC: Config.errHtmlText -DEFAULT: none -DOC_START - HTML text to include in error messages. Make this a "mailto" - URL to your admin address, or maybe just a link to your - organizations Web page. - - To include this in your error messages, you must rewrite - the error template files (found in the "errors" directory). - Wherever you want the 'err_html_text' line to appear, - insert a %L tag in the error template file. -DOC_END - -NAME: email_err_data -COMMENT: on|off -TYPE: onoff -LOC: Config.onoff.emailErrData -DEFAULT: on -DOC_START - If enabled, information about the occurred error will be - included in the mailto links of the ERR pages (if %W is set) - so that the email body then contains the data. - Syntax is %w -DOC_END - - -NAME: deny_info -TYPE: denyinfo -LOC: Config.denyInfoList -DEFAULT: none -DOC_START - Usage: deny_info err_page_name acl - or deny_info http://... acl - Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys - - This can be used to return a ERR_ page for requests which - do not pass the 'http_access' rules. A single ACL will cause - the http_access check to fail. If a 'deny_info' line exists - for that ACL then Squid returns a corresponding error page. - - You may use ERR_ pages that come with Squid or create your own pages - and put them into the configured errors/ directory. - - Alternatively you can specify an error URL. The browsers will then - get redirected (302) to the specified URL. %s in the redirection - URL will be replaced by the requested URL. - - Alternatively you can tell Squid to reset the TCP connection - by specifying TCP_RESET. -DOC_END - -NAME: memory_pools -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.mem_pools -DOC_START - If set, Squid will keep pools of allocated (but unused) memory - available for future use. If memory is a premium on your - system and you believe your malloc library outperforms Squid - routines, disable this. -DOC_END - -NAME: memory_pools_limit -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: none -LOC: Config.MemPools.limit -DOC_START - Used only with memory_pools on: - memory_pools_limit 50 MB - - If set to a non-zero value, Squid will keep at most the specified - limit of allocated (but unused) memory in memory pools. All free() - requests that exceed this limit will be handled by your malloc - library. Squid does not pre-allocate any memory, just safe-keeps - objects that otherwise would be free()d. Thus, it is safe to set - memory_pools_limit to a reasonably high value even if your - configuration will use less memory. - - If not set (default) or set to zero, Squid will keep all memory it - can. That is, there will be no limit on the total amount of memory - used for safe-keeping. - - To disable memory allocation optimization, do not set - memory_pools_limit to 0. Set memory_pools to "off" instead. - - An overhead for maintaining memory pools is not taken into account - when the limit is checked. This overhead is close to four bytes per - object kept. However, pools may actually _save_ memory because of - reduced memory thrashing in your malloc library. -DOC_END - -NAME: via -IFDEF: HTTP_VIOLATIONS -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.via -DOC_START - If set (default), Squid will include a Via header in requests and - replies as required by RFC2616. -DOC_END - -NAME: forwarded_for -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: opt_forwarded_for -DOC_START - If set, Squid will include your system's IP address or name - in the HTTP requests it forwards. By default it looks like - this: - - X-Forwarded-For: 192.1.2.3 - - If you disable this, it will appear as - - X-Forwarded-For: unknown -DOC_END - -NAME: log_icp_queries -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.log_udp -DOC_START - If set, ICP queries are logged to access.log. You may wish - do disable this if your ICP load is VERY high to speed things - up or to simplify log analysis. -DOC_END - -NAME: icp_hit_stale -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.icp_hit_stale -DOC_START - If you want to return ICP_HIT for stale cache objects, set this - option to 'on'. If you have sibling relationships with caches - in other administrative domains, this should be 'off'. If you only - have sibling relationships with caches under your control, then - it is probably okay to set this to 'on'. - If set to 'on', then your siblings should use the option "allow-miss" - on their cache_peer lines for connecting to you. -DOC_END - - -NAME: minimum_direct_hops -TYPE: int -DEFAULT: 4 -LOC: Config.minDirectHops -DOC_START - If using the ICMP pinging stuff, do direct fetches for sites - which are no more than this many hops away. -DOC_END - -NAME: minimum_direct_rtt -TYPE: int -DEFAULT: 400 -LOC: Config.minDirectRtt -DOC_START - If using the ICMP pinging stuff, do direct fetches for sites - which are no more than this many rtt milliseconds away. -DOC_END - -NAME: cachemgr_passwd -TYPE: cachemgrpasswd -DEFAULT: none -LOC: Config.passwd_list -DOC_START - Specify passwords for cachemgr operations. - - Usage: cachemgr_passwd password action action ... - - Some valid actions are (see cache manager menu for a full list): - 5min - 60min - asndb - authenticator - cbdata - client_list - comm_incoming - config * - counters - delay - digest_stats - dns - events - filedescriptors - fqdncache - histograms - http_headers - info - io - ipcache - mem - menu - netdb - non_peers - objects - offline_toggle * - pconn - peer_select - redirector - refresh - server_list - shutdown * - store_digest - storedir - utilization - via_headers - vm_objects - - * Indicates actions which will not be performed without a - valid password, others can be performed if not listed here. - - To disable an action, set the password to "disable". - To allow performing an action without a password, set the - password to "none". - - Use the keyword "all" to set the same password for all actions. - -Example: - cachemgr_passwd secret shutdown - cachemgr_passwd lesssssssecret info stats/objects - cachemgr_passwd disable all -DOC_END - -NAME: store_avg_object_size -COMMENT: (kbytes) -TYPE: kb_size_t -DEFAULT: 13 KB -LOC: Config.Store.avgObjectSize -DOC_START - Average object size, used to estimate number of objects your - cache can hold. See doc/Release-Notes-1.1.txt. The default is - 13 KB. -DOC_END - -NAME: store_objects_per_bucket -TYPE: int -DEFAULT: 20 -LOC: Config.Store.objectsPerBucket -DOC_START - Target number of objects per bucket in the store hash table. - Lowering this value increases the total number of buckets and - also the storage maintenance rate. The default is 50. -DOC_END - -NAME: client_db -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.client_db -DOC_START - If you want to disable collecting per-client statistics, then - turn off client_db here. -DOC_END - - -NAME: netdb_low -TYPE: int -DEFAULT: 900 -LOC: Config.Netdb.low -DOC_NONE - -NAME: netdb_high -TYPE: int -DEFAULT: 1000 -LOC: Config.Netdb.high -DOC_START - The low and high water marks for the ICMP measurement - database. These are counts, not percents. The defaults are - 900 and 1000. When the high water mark is reached, database - entries will be deleted until the low mark is reached. -DOC_END - - -NAME: netdb_ping_period -TYPE: time_t -LOC: Config.Netdb.period -DEFAULT: 5 minutes -DOC_START - The minimum period for measuring a site. There will be at - least this much delay between successive pings to the same - network. The default is five minutes. -DOC_END - - -NAME: query_icmp -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.query_icmp -DOC_START - If you want to ask your peers to include ICMP data in their ICP - replies, enable this option. - - If your peer has configured Squid (during compilation) with - '--enable-icmp' then that peer will send ICMP pings to origin server - sites of the URLs it receives. If you enable this option then the - ICP replies from that peer will include the ICMP data (if available). - Then, when choosing a parent cache, Squid will choose the parent with - the minimal RTT to the origin server. When this happens, the - hierarchy field of the access.log will be - "CLOSEST_PARENT_MISS". This option is off by default. -DOC_END - -NAME: test_reachability -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.test_reachability -DOC_START - When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH - instead of ICP_MISS if the target host is NOT in the ICMP - database, or has a zero RTT. -DOC_END - -NAME: buffered_logs -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.buffered_logs -DOC_START - cache.log log file is written with stdio functions, and as such - it can be buffered or unbuffered. By default it will be unbuffered. - Buffering it can speed up the writing slightly (though you are - unlikely to need to worry unless you run with tons of debugging - enabled in which case performance will suffer badly anyway..). -DOC_END - -NAME: reload_into_ims -IFDEF: HTTP_VIOLATIONS -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.reload_into_ims -DOC_START - When you enable this option, client no-cache or ``reload'' - requests will be changed to If-Modified-Since requests. - Doing this VIOLATES the HTTP standard. Enabling this - feature could make you liable for problems which it - causes. - - see also refresh_pattern for a more selective approach. -DOC_END - -NAME: always_direct -TYPE: acl_access -LOC: Config.accessList.AlwaysDirect -DEFAULT: none -DOC_START - Usage: always_direct allow|deny [!]aclname ... - - Here you can use ACL elements to specify requests which should - ALWAYS be forwarded directly to origin servers. For example, - to always directly forward requests for local servers use - something like: - - acl local-servers dstdomain my.domain.net - always_direct allow local-servers - - To always forward FTP requests directly, use - - acl FTP proto FTP - always_direct allow FTP - - NOTE: There is a similar, but opposite option named - 'never_direct'. You need to be aware that "always_direct deny - foo" is NOT the same thing as "never_direct allow foo". You - may need to use a deny rule to exclude a more-specific case of - some other rule. Example: - - acl local-external dstdomain external.foo.net - acl local-servers dstdomain .foo.net - always_direct deny local-external - always_direct allow local-servers - - This option replaces some v1.1 options such as local_domain - and local_ip. -DOC_END - -NAME: never_direct -TYPE: acl_access -LOC: Config.accessList.NeverDirect -DEFAULT: none -DOC_START - Usage: never_direct allow|deny [!]aclname ... - - never_direct is the opposite of always_direct. Please read - the description for always_direct if you have not already. - - With 'never_direct' you can use ACL elements to specify - requests which should NEVER be forwarded directly to origin - servers. For example, to force the use of a proxy for all - requests, except those in your local domain use something like: - - acl local-servers dstdomain .foo.net - acl all src 0.0.0.0/0.0.0.0 - never_direct deny local-servers - never_direct allow all - - or if squid is inside a firewall and there is local intranet - servers inside the firewall then use something like: - - acl local-intranet dstdomain .foo.net - acl local-external dstdomain external.foo.net - always_direct deny local-external - always_direct allow local-intranet - never_direct allow all - - This option replaces some v1.1 options such as inside_firewall - and firewall_ip. -DOC_END - -NAME: header_access -IFDEF: HTTP_VIOLATIONS -TYPE: http_header_access[] -LOC: Config.header_access -DEFAULT: none -DOC_START - Usage: header_access header_name allow|deny [!]aclname ... - - WARNING: Doing this VIOLATES the HTTP standard. Enabling - this feature could make you liable for problems which it - causes. - - This option replaces the old 'anonymize_headers' and the - older 'http_anonymizer' option with something that is much - more configurable. This new method creates a list of ACLs - for each header, allowing you very fine-tuned header - mangling. - - You can only specify known headers for the header name. - Other headers are reclassified as 'Other'. You can also - refer to all the headers with 'All'. - - For example, to achieve the same behaviour as the old - 'http_anonymizer standard' option, you should use: - - header_access From deny all - header_access Referer deny all - header_access Server deny all - header_access User-Agent deny all - header_access WWW-Authenticate deny all - header_access Link deny all - - Or, to reproduce the old 'http_anonymizer paranoid' feature - you should use: - - header_access Allow allow all - header_access Authorization allow all - header_access WWW-Authenticate allow all - header_access Cache-Control allow all - header_access Content-Encoding allow all - header_access Content-Length allow all - header_access Content-Type allow all - header_access Date allow all - header_access Expires allow all - header_access Host allow all - header_access If-Modified-Since allow all - header_access Last-Modified allow all - header_access Location allow all - header_access Pragma allow all - header_access Accept allow all - header_access Accept-Charset allow all - header_access Accept-Encoding allow all - header_access Accept-Language allow all - header_access Content-Language allow all - header_access Mime-Version allow all - header_access Retry-After allow all - header_access Title allow all - header_access Connection allow all - header_access Proxy-Connection allow all - header_access All deny all - - By default, all headers are allowed (no anonymizing is - performed). -DOC_END - -NAME: header_replace -IFDEF: HTTP_VIOLATIONS -TYPE: http_header_replace[] -LOC: Config.header_access -DEFAULT: none -DOC_START - Usage: header_replace header_name message - Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) - - This option allows you to change the contents of headers - denied with header_access above, by replacing them with - some fixed string. This replaces the old fake_user_agent - option. - - By default, headers are removed if denied. -DOC_END - -NAME: icon_directory -TYPE: string -LOC: Config.icons.directory -DEFAULT: @DEFAULT_ICON_DIR@ -DOC_START - Where the icons are stored. These are normally kept in - @DEFAULT_ICON_DIR@ -DOC_END - -NAME: error_directory -TYPE: string -LOC: Config.errorDirectory -DEFAULT: @DEFAULT_ERROR_DIR@ -DOC_START - If you wish to create your own versions of the default - (English) error files, either to customize them to suit your - language or company copy the template English files to another - directory and point this tag at them. -DOC_END - -NAME: maximum_single_addr_tries -TYPE: int -LOC: Config.retry.maxtries -DEFAULT: 3 -DOC_START - This sets the maximum number of connection attempts for a - host that only has one address (for multiple-address hosts, - each address is tried once). - - The default value is three tries, the (not recommended) - maximum is 255 tries. A warning message will be generated - if it is set to a value greater than ten. -DOC_END - -NAME: snmp_port -TYPE: ushort -LOC: Config.Port.snmp -DEFAULT: 3401 -IFDEF: SQUID_SNMP -DOC_START - Squid can now serve statistics and status information via SNMP. - By default it listens to port 3401 on the machine. If you don't - wish to use SNMP, set this to "0". -DOC_END - -NAME: snmp_access -TYPE: acl_access -LOC: Config.accessList.snmp -DEFAULT: none -DEFAULT_IF_NONE: deny all -IFDEF: SQUID_SNMP -DOC_START - Allowing or denying access to the SNMP port. - - All access to the agent is denied by default. - usage: - - snmp_access allow|deny [!]aclname ... - -Example: - snmp_access allow snmppublic localhost - snmp_access deny all -DOC_END - -NAME: snmp_incoming_address -TYPE: address -LOC: Config.Addrs.snmp_incoming -DEFAULT: 0.0.0.0 -IFDEF: SQUID_SNMP -DOC_NONE -NAME: snmp_outgoing_address -TYPE: address -LOC: Config.Addrs.snmp_outgoing -DEFAULT: 255.255.255.255 -IFDEF: SQUID_SNMP -DOC_START - Just like 'udp_incoming_address' above, but for the SNMP port. - - snmp_incoming_address is used for the SNMP socket receiving - messages from SNMP agents. - snmp_outgoing_address is used for SNMP packets returned to SNMP - agents. - - The default snmp_incoming_address (0.0.0.0) is to listen on all - available network interfaces. - - If snmp_outgoing_address is set to 255.255.255.255 (the default) - then it will use the same socket as snmp_incoming_address. Only - change this if you want to have SNMP replies sent using another - address than where this Squid listens for SNMP queries. - - NOTE, snmp_incoming_address and snmp_outgoing_address can not have - the same value since they both use port 3401. -DOC_END - -NAME: as_whois_server -TYPE: string -LOC: Config.as_whois_server -DEFAULT: whois.ra.net -DEFAULT_IF_NONE: whois.ra.net -DOC_START - WHOIS server to query for AS numbers. NOTE: AS numbers are - queried only when Squid starts up, not for every request. -DOC_END - -NAME: wccp_router -TYPE: address -LOC: Config.Wccp.router -DEFAULT: 0.0.0.0 -IFDEF: USE_WCCP -DOC_START - Use this option to define your WCCP ``home'' router for - Squid. Setting the 'wccp_router' to 0.0.0.0 (the default) - disables WCCP. -DOC_END - -NAME: wccp_version -TYPE: int -LOC: Config.Wccp.version -DEFAULT: 4 -IFDEF: USE_WCCP -DOC_START - According to some users, Cisco IOS 11.2 only supports WCCP - version 3. If you're using that version of IOS, change - this value to 3. -DOC_END - -NAME: wccp_incoming_address -TYPE: address -LOC: Config.Wccp.incoming -DEFAULT: 0.0.0.0 -IFDEF: USE_WCCP -DOC_NONE -NAME: wccp_outgoing_address -TYPE: address -LOC: Config.Wccp.outgoing -DEFAULT: 255.255.255.255 -IFDEF: USE_WCCP -DOC_START - wccp_incoming_address Use this option if you require WCCP - messages to be received on only one - interface. Do NOT use this option if - you're unsure how many interfaces you - have, or if you know you have only one - interface. - - wccp_outgoing_address Use this option if you require WCCP - messages to be sent out on only one - interface. Do NOT use this option if - you're unsure how many interfaces you - have, or if you know you have only one - interface. - - The default behavior is to not bind to any specific address. - - NOTE, wccp_incoming_address and wccp_outgoing_address can not have - the same value since they both use port 2048. -DOC_END + NAME: announce_host -COMMENT_START - DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option) - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: delay_pools -TYPE: delay_pool_count -DEFAULT: 0 -IFDEF: DELAY_POOLS -LOC: Config.Delay -DOC_START - This represents the number of delay pools to be used. For example, - if you have one class 2 delay pool and one class 3 delays pool, you - have a total of 2 delay pools. -DOC_END - -NAME: delay_class -TYPE: delay_pool_class -DEFAULT: none -IFDEF: DELAY_POOLS -LOC: Config.Delay -DOC_START - This defines the class of each delay pool. There must be exactly one - delay_class line for each delay pool. For example, to define two - delay pools, one of class 2 and one of class 3, the settings above - and here would be: - -Example: - delay_pools 4 # 4 delay pools - delay_class 1 2 # pool 1 is a class 2 pool - delay_class 2 3 # pool 2 is a class 3 pool - delay_class 3 4 # pool 3 is a class 4 pool - delay_class 4 5 # pool 4 is a class 5 pool - - The delay pool classes are: - - class 1 Everything is limited by a single aggregate - bucket. - - class 2 Everything is limited by a single aggregate - bucket as well as an "individual" bucket chosen - from bits 25 through 32 of the IP address. - - class 3 Everything is limited by a single aggregate - bucket as well as a "network" bucket chosen - from bits 17 through 24 of the IP address and a - "individual" bucket chosen from bits 17 through - 32 of the IP address. - - class 4 Everything in a class 3 delay pool, with an - additional limit on a per user basis. This - only takes effect if the username is established - in advance - by forcing authentication in your - http_access rules. - - class 5 Requests are grouped according their tag (see - external_acl's tag= reply). - - NOTE: If an IP address is a.b.c.d - -> bits 25 through 32 are "d" - -> bits 17 through 24 are "c" - -> bits 17 through 32 are "c * 256 + d" -DOC_END - -NAME: delay_access -TYPE: delay_pool_access -DEFAULT: none -IFDEF: DELAY_POOLS -LOC: Config.Delay -DOC_START - This is used to determine which delay pool a request falls into. - The first matched delay pool is always used, i.e., if a request falls - into delay pool number one, no more delay are checked, otherwise the - rest are checked in order of their delay pool number until they have - all been checked. For example, if you want some_big_clients in delay - pool 1 and lotsa_little_clients in delay pool 2: - -Example: - delay_access 1 allow some_big_clients - delay_access 1 deny all - delay_access 2 allow lotsa_little_clients - delay_access 2 deny all - delay_access 3 allow authenticated_clients -DOC_END - -NAME: delay_parameters -TYPE: delay_pool_rates -DEFAULT: none -IFDEF: DELAY_POOLS -LOC: Config.Delay -DOC_START - This defines the parameters for a delay pool. Each delay pool has - a number of "buckets" associated with it, as explained in the - description of delay_class. For a class 1 delay pool, the syntax is: - -delay_parameters pool aggregate - - For a class 2 delay pool: - -delay_parameters pool aggregate individual - - For a class 3 delay pool: - -delay_parameters pool aggregate network individual - - For a class 4 delay pool: - -delay_parameters pool aggregate network individual user - - For a class 5 delay pool: - -delay_parameters pool tag - - The variables here are: - - pool a pool number - ie, a number between 1 and the - number specified in delay_pools as used in - delay_class lines. - - aggregate the "delay parameters" for the aggregate bucket - (class 1, 2, 3). - - individual the "delay parameters" for the individual - buckets (class 2, 3). - - network the "delay parameters" for the network buckets - (class 3). - - user the delay parameters for the user buckets - (class 4). - - tag the delay parameters for the tag buckets - (class 5). - - A pair of delay parameters is written restore/maximum, where restore is - the number of bytes (not bits - modem and network speeds are usually - quoted in bits) per second placed into the bucket, and maximum is the - maximum number of bytes which can be in the bucket at any time. - - For example, if delay pool number 1 is a class 2 delay pool as in the - above example, and is being used to strictly limit each host to 64kbps - (plus overheads), with no overall limit, the line is: - -delay_parameters 1 -1/-1 8000/8000 - - Note that the figure -1 is used to represent "unlimited". - - And, if delay pool number 2 is a class 3 delay pool as in the above - example, and you want to limit it to a total of 256kbps (strict limit) - with each 8-bit network permitted 64kbps (strict limit) and each - individual host permitted 4800bps with a bucket maximum size of 64kb - to permit a decent web page to be downloaded at a decent speed - (if the network is not being limited due to overuse) but slow down - large downloads more significantly: - -delay_parameters 2 32000/32000 8000/8000 600/8000 - - There must be one delay_parameters line for each delay pool. - - Finally, for a class 4 delay pool as in the example - each user will - be limited to 128Kb no matter how many workstations they are logged into.: - -delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 -DOC_END - -NAME: delay_initial_bucket_level -COMMENT: (percent, 0-100) -TYPE: ushort -DEFAULT: 50 -IFDEF: DELAY_POOLS -LOC: Config.Delay.initial -DOC_START - The initial bucket percentage is used to determine how much is put - in each bucket when squid starts, is reconfigured, or first notices - a host accessing it (in class 2 and class 3, individual hosts and - networks only have buckets associated with them once they have been - "seen" by squid). -DOC_END - -NAME: incoming_icp_average -TYPE: int -DEFAULT: 6 -LOC: Config.comm_incoming.icp_average -DOC_NONE - -NAME: incoming_http_average -TYPE: int -DEFAULT: 4 -LOC: Config.comm_incoming.http_average -DOC_NONE - -NAME: incoming_dns_average -TYPE: int -DEFAULT: 4 -LOC: Config.comm_incoming.dns_average -DOC_NONE - -NAME: min_icp_poll_cnt -TYPE: int -DEFAULT: 8 -LOC: Config.comm_incoming.icp_min_poll -DOC_NONE - -NAME: min_dns_poll_cnt -TYPE: int -DEFAULT: 8 -LOC: Config.comm_incoming.dns_min_poll -DOC_NONE - -NAME: min_http_poll_cnt -TYPE: int -DEFAULT: 8 -LOC: Config.comm_incoming.http_min_poll -DOC_START - Heavy voodoo here. I can't even believe you are reading this. - Are you crazy? Don't even think about adjusting these unless - you understand the algorithms in comm_select.c first! -DOC_END - -NAME: max_open_disk_fds -TYPE: int -LOC: Config.max_open_disk_fds -DEFAULT: 0 -DOC_START - To avoid having disk as the I/O bottleneck Squid can optionally - bypass the on-disk cache if more than this amount of disk file - descriptors are open. - - A value of 0 indicates no limit. -DOC_END - -NAME: offline_mode -TYPE: onoff -LOC: Config.onoff.offline -DEFAULT: off -DOC_START - Enable this option and Squid will never try to validate cached - objects. -DOC_END - -NAME: uri_whitespace -TYPE: uri_whitespace -LOC: Config.uri_whitespace -DEFAULT: strip -DOC_START - What to do with requests that have whitespace characters in the - URI. Options: - - strip: The whitespace characters are stripped out of the URL. - This is the behavior recommended by RFC2396. - deny: The request is denied. The user receives an "Invalid - Request" message. - allow: The request is allowed and the URI is not changed. The - whitespace characters remain in the URI. Note the - whitespace is passed to redirector processes if they - are in use. - encode: The request is allowed and the whitespace characters are - encoded according to RFC1738. This could be considered - a violation of the HTTP/1.1 - RFC because proxies are not allowed to rewrite URI's. - chop: The request is allowed and the URI is chopped at the - first whitespace. This might also be considered a - violation. -DOC_END - -NAME: broken_posts -TYPE: acl_access -DEFAULT: none -LOC: Config.accessList.brokenPosts -DOC_START - A list of ACL elements which, if matched, causes Squid to send - an extra CRLF pair after the body of a PUT/POST request. - - Some HTTP servers has broken implementations of PUT/POST, - and rely on an extra CRLF pair sent by some WWW clients. - - Quote from RFC 2068 section 4.1 on this matter: - - Note: certain buggy HTTP/1.0 client implementations generate an - extra CRLF's after a POST request. To restate what is explicitly - forbidden by the BNF, an HTTP/1.1 client must not preface or follow - a request with an extra CRLF. - -Example: - acl buggy_server url_regex ^http://.... - broken_posts allow buggy_server -DOC_END - -NAME: mcast_miss_addr -IFDEF: MULTICAST_MISS_STREAM -TYPE: address -LOC: Config.mcast_miss.addr -DEFAULT: 255.255.255.255 -DOC_START - If you enable this option, every "cache miss" URL will - be sent out on the specified multicast address. - - Do not enable this option unless you are are absolutely - certain you understand what you are doing. -DOC_END - -NAME: mcast_miss_ttl -IFDEF: MULTICAST_MISS_TTL -TYPE: ushort -LOC: Config.mcast_miss.ttl -DEFAULT: 16 -DOC_START - This is the time-to-live value for packets multicasted - when multicasting off cache miss URLs is enabled. By - default this is set to 'site scope', i.e. 16. -DOC_END - -NAME: mcast_miss_port -IFDEF: MULTICAST_MISS_STREAM -TYPE: ushort -LOC: Config.mcast_miss.port -DEFAULT: 3135 -DOC_START - This is the port number to be used in conjunction with - 'mcast_miss_addr'. -DOC_END - -NAME: mcast_miss_encode_key -IFDEF: MULTICAST_MISS_STREAM -TYPE: string -LOC: Config.mcast_miss.encode_key -DEFAULT: XXXXXXXXXXXXXXXX -DOC_START - The URLs that are sent in the multicast miss stream are - encrypted. This is the encryption key. -DOC_END - -NAME: nonhierarchical_direct -TYPE: onoff -LOC: Config.onoff.nonhierarchical_direct -DEFAULT: on -DOC_START - By default, Squid will send any non-hierarchical requests - (matching hierarchy_stoplist or not cachable request type) direct - to origin servers. - - If you set this to off, then Squid will prefer to send these - requests to parents. - - Note that in most configurations, by turning this off you will only - add latency to these request without any improvement in global hit - ratio. - - If you are inside an firewall then see never_direct instead of - this directive. -DOC_END - -NAME: prefer_direct -TYPE: onoff -LOC: Config.onoff.prefer_direct -DEFAULT: off -DOC_START - Normally Squid tries to use parents for most requests. If you by some - reason like it to first try going direct and only use a parent if - going direct fails then set this to on. - - By combining nonhierarchical_direct off and prefer_direct on you - can set up Squid to use a parent as a backup path if going direct - fails. -DOC_END - -NAME: strip_query_terms -TYPE: onoff -LOC: Config.onoff.strip_query_terms -DEFAULT: on -DOC_START - By default, Squid strips query terms from requested URLs before - logging. This protects your user's privacy. -DOC_END - -NAME: coredump_dir -TYPE: string -LOC: Config.coredump_dir -DEFAULT: none -DEFAULT_IF_NONE: none -DOC_START - By default Squid leaves core files in the directory from where - it was started. If you set 'coredump_dir' to a directory - that exists, Squid will chdir() to that directory at startup - and coredump files will be left there. - -NOCOMMENT_START + TYPE: string + + DEFAULT: tracker.ircache.net + + LOC: Config.Announce.host + DOC_NONE + + NAME: announce_file + + TYPE: string + + DEFAULT: none + + LOC: Config.Announce.file + DOC_NONE + + NAME: announce_port + + TYPE: ushort + + DEFAULT: 3131 + + LOC: Config.Announce.port + DOC_START + announce_host and announce_port set the hostname and port + number where the registration message will be sent. + + Hostname will default to 'tracker.ircache.net' and port will + default default to 3131. If the 'filename' argument is given, + the contents of that file will be included in the announce + message. + DOC_END + + NAME: httpd_accel_surrogate_id + + IFDEF: ESI + + TYPE: string + + LOC: Config.Accel.surrogate_id + + DEFAULT: unset-id + DOC_START + + Surrogates (http://www.esi.org/architecture_spec_1.0.html) + need an identification token to allow control targeting. Because + a farm of surrogates may all perform the same tasks, they may share + an identification token. + DOC_END + + NAME: http_accel_surrogate_remote + + IFDEF: ESI + + COMMENT: on|off + + TYPE: onoff + + DEFAULT: off + + LOC: Config.onoff.surrogate_is_remote + DOC_START + + Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. + Set this to on to have squid behave as a remote surrogate. + DOC_END + + NAME: esi_parser + + IFDEF: ESI + + COMMENT: expat|custom + + TYPE: string + + LOC: ESIParser::Type + + DEFAULT: custom + DOC_START + ESI markup is not strictly XML compatible. The custom ESI parser + will give higher performance, but cannot handle non ASCII character + encodings. + DOC_END + + COMMENT_START + MISCELLANEOUS + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: dns_testnames + + TYPE: wordlist + + LOC: Config.dns_testname_list + + DEFAULT: none + + DEFAULT_IF_NONE: netscape.com internic.net nlanr.net microsoft.com + DOC_START + The DNS tests exit as soon as the first site is successfully looked up + + This test can be disabled with the -D command line option. + DOC_END + + + NAME: logfile_rotate + + TYPE: int + + DEFAULT: 10 + + LOC: Config.Log.rotateNumber + DOC_START + Specifies the number of logfile rotations to make when you + type 'squid -k rotate'. The default is 10, which will rotate + with extensions 0 through 9. Setting logfile_rotate to 0 will + disable the rotation, but the logfiles are still closed and + re-opened. This will enable you to rename the logfiles + yourself just before sending the rotate signal. + + Note, the 'squid -k rotate' command normally sends a USR1 + signal to the running squid process. In certain situations + (e.g. on Linux with Async I/O), USR1 is used for other + purposes, so -k rotate uses another signal. It is best to get + in the habit of using 'squid -k rotate' instead of 'kill -USR1 + '. + DOC_END + + + NAME: append_domain + + TYPE: string + + LOC: Config.appendDomain + + DEFAULT: none + DOC_START + Appends local domain name to hostnames without any dots in + them. append_domain must begin with a period. + + Be warned that there today is Internet names with no dots in + them using only top-domain names, so setting this may + cause some Internet sites to become unavailable. + + Example: + append_domain .yourdomain.com + DOC_END + + + NAME: tcp_recv_bufsize + + COMMENT: (bytes) + + TYPE: b_size_t + + DEFAULT: 0 bytes + + LOC: Config.tcpRcvBufsz + DOC_START + Size of receive buffer to set for TCP sockets. Probably just + as easy to change your kernel's default. Set to zero to use + the default buffer size. + DOC_END + + NAME: err_html_text + TYPE: eol + LOC: Config.errHtmlText + DEFAULT: none + DOC_START + HTML text to include in error messages. Make this a "mailto" + URL to your admin address, or maybe just a link to your + organizations Web page. + + To include this in your error messages, you must rewrite + the error template files (found in the "errors" directory). + Wherever you want the 'err_html_text' line to appear, + insert a %L tag in the error template file. + DOC_END + + NAME: email_err_data + COMMENT: on|off + TYPE: onoff + LOC: Config.onoff.emailErrData + DEFAULT: on + DOC_START + If enabled, information about the occurred error will be + included in the mailto links of the ERR pages (if %W is set) + so that the email body then contains the data. + Syntax is %w + DOC_END + + + NAME: deny_info + TYPE: denyinfo + LOC: Config.denyInfoList + DEFAULT: none + DOC_START + Usage: deny_info err_page_name acl + or deny_info http://... acl + Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys + + This can be used to return a ERR_ page for requests which + do not pass the 'http_access' rules. A single ACL will cause + the http_access check to fail. If a 'deny_info' line exists + for that ACL then Squid returns a corresponding error page. + + You may use ERR_ pages that come with Squid or create your own pages + and put them into the configured errors/ directory. + + Alternatively you can specify an error URL. The browsers will then + get redirected (302) to the specified URL. %s in the redirection + URL will be replaced by the requested URL. + + Alternatively you can tell Squid to reset the TCP connection + by specifying TCP_RESET. + DOC_END + + NAME: memory_pools + COMMENT: on|off + TYPE: onoff + DEFAULT: on + LOC: Config.onoff.mem_pools + DOC_START + If set, Squid will keep pools of allocated (but unused) memory + available for future use. If memory is a premium on your + system and you believe your malloc library outperforms Squid + routines, disable this. + DOC_END + + NAME: memory_pools_limit + COMMENT: (bytes) + TYPE: b_size_t + DEFAULT: none + LOC: Config.MemPools.limit + DOC_START + Used only with memory_pools on: + memory_pools_limit 50 MB + + If set to a non-zero value, Squid will keep at most the specified + limit of allocated (but unused) memory in memory pools. All free() + requests that exceed this limit will be handled by your malloc + library. Squid does not pre-allocate any memory, just safe-keeps + objects that otherwise would be free()d. Thus, it is safe to set + memory_pools_limit to a reasonably high value even if your + configuration will use less memory. + + If not set (default) or set to zero, Squid will keep all memory it + can. That is, there will be no limit on the total amount of memory + used for safe-keeping. + + To disable memory allocation optimization, do not set + memory_pools_limit to 0. Set memory_pools to "off" instead. + + An overhead for maintaining memory pools is not taken into account + when the limit is checked. This overhead is close to four bytes per + object kept. However, pools may actually _save_ memory because of + reduced memory thrashing in your malloc library. + DOC_END + + NAME: via + IFDEF: HTTP_VIOLATIONS + COMMENT: on|off + TYPE: onoff + DEFAULT: on + LOC: Config.onoff.via + DOC_START + If set (default), Squid will include a Via header in requests and + replies as required by RFC2616. + DOC_END + + NAME: forwarded_for + COMMENT: on|off + TYPE: onoff + DEFAULT: on + LOC: opt_forwarded_for + DOC_START + If set, Squid will include your system's IP address or name + in the HTTP requests it forwards. By default it looks like + + this: + + X-Forwarded-For: 192.1.2.3 + + If you disable this, it will appear as + + X-Forwarded-For: unknown + DOC_END + + NAME: log_icp_queries + + COMMENT: on|off + + TYPE: onoff + + DEFAULT: on + + LOC: Config.onoff.log_udp + DOC_START + If set, ICP queries are logged to access.log. You may wish + do disable this if your ICP load is VERY high to speed things + up or to simplify log analysis. + DOC_END + + NAME: icp_hit_stale + + COMMENT: on|off + + TYPE: onoff + + DEFAULT: off + + LOC: Config.onoff.icp_hit_stale + DOC_START + If you want to return ICP_HIT for stale cache objects, set this + option to 'on'. If you have sibling relationships with caches + in other administrative domains, this should be 'off'. If you only + have sibling relationships with caches under your control, then + it is probably okay to set this to 'on'. + If set to 'on', then your siblings should use the option "allow-miss" + on their cache_peer lines for connecting to you. + DOC_END + + + NAME: minimum_direct_hops + + TYPE: int + + DEFAULT: 4 + + LOC: Config.minDirectHops + DOC_START + If using the ICMP pinging stuff, do direct fetches for sites + which are no more than this many hops away. + DOC_END + + NAME: minimum_direct_rtt + + TYPE: int + + DEFAULT: 400 + + LOC: Config.minDirectRtt + DOC_START + If using the ICMP pinging stuff, do direct fetches for sites + which are no more than this many rtt milliseconds away. + DOC_END + + NAME: cachemgr_passwd + + TYPE: cachemgrpasswd + + DEFAULT: none + + LOC: Config.passwd_list + DOC_START + Specify passwords for cachemgr operations. + + Usage: cachemgr_passwd password action action ... + + Some valid actions are (see cache manager menu for a full list): + 5min + 60min + asndb + authenticator + cbdata + client_list + comm_incoming + config * + counters + delay + digest_stats + dns + events + filedescriptors + fqdncache + histograms + http_headers + info + io + ipcache + mem + menu + netdb + non_peers + objects + offline_toggle * + pconn + peer_select + redirector + refresh + server_list + shutdown * + store_digest + storedir + utilization + via_headers + vm_objects + + * Indicates actions which will not be performed without a + valid password, others can be performed if not listed here. + + To disable an action, set the password to "disable". + To allow performing an action without a password, set the + password to "none". + + Use the keyword "all" to set the same password for all actions. + + Example: + cachemgr_passwd secret shutdown + cachemgr_passwd lesssssssecret info stats/objects + cachemgr_passwd disable all + DOC_END + + NAME: store_avg_object_size + + COMMENT: (kbytes) + + TYPE: kb_size_t + + DEFAULT: 13 KB + + LOC: Config.Store.avgObjectSize + DOC_START + Average object size, used to estimate number of objects your + cache can hold. See doc/Release-Notes-1.1.txt. The default is + 13 KB. + DOC_END + + NAME: store_objects_per_bucket + + TYPE: int + + DEFAULT: 20 + + LOC: Config.Store.objectsPerBucket + DOC_START + Target number of objects per bucket in the store hash table. + Lowering this value increases the total number of buckets and + also the storage maintenance rate. The default is 50. + DOC_END + + NAME: client_db + + COMMENT: on|off + + TYPE: onoff + + DEFAULT: on + + LOC: Config.onoff.client_db + DOC_START + If you want to disable collecting per-client statistics, then + turn off client_db here. + DOC_END + + + NAME: netdb_low + + TYPE: int + + DEFAULT: 900 + + LOC: Config.Netdb.low + DOC_NONE + + NAME: netdb_high + + TYPE: int + + DEFAULT: 1000 + + LOC: Config.Netdb.high + DOC_START + The low and high water marks for the ICMP measurement + database. These are counts, not percents. The defaults are + 900 and 1000. When the high water mark is reached, database + entries will be deleted until the low mark is reached. + DOC_END + + + NAME: netdb_ping_period + + TYPE: time_t + + LOC: Config.Netdb.period + + DEFAULT: 5 minutes + DOC_START + The minimum period for measuring a site. There will be at + least this much delay between successive pings to the same + network. The default is five minutes. + DOC_END + + + NAME: query_icmp + + COMMENT: on|off + + TYPE: onoff + + DEFAULT: off + + LOC: Config.onoff.query_icmp + DOC_START + If you want to ask your peers to include ICMP data in their ICP + replies, enable this option. + + If your peer has configured Squid (during compilation) with + '--enable-icmp' then that peer will send ICMP pings to origin server + sites of the URLs it receives. If you enable this option then the + ICP replies from that peer will include the ICMP data (if available). + Then, when choosing a parent cache, Squid will choose the parent with + the minimal RTT to the origin server. When this happens, the + hierarchy field of the access.log will be + "CLOSEST_PARENT_MISS". This option is off by default. + DOC_END + + NAME: test_reachability + + COMMENT: on|off + + TYPE: onoff + + DEFAULT: off + + LOC: Config.onoff.test_reachability + DOC_START + When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH + instead of ICP_MISS if the target host is NOT in the ICMP + database, or has a zero RTT. + DOC_END + + NAME: buffered_logs + + COMMENT: on|off + + TYPE: onoff + + DEFAULT: off + + LOC: Config.onoff.buffered_logs + DOC_START + cache.log log file is written with stdio functions, and as such + it can be buffered or unbuffered. By default it will be unbuffered. + Buffering it can speed up the writing slightly (though you are + unlikely to need to worry unless you run with tons of debugging + enabled in which case performance will suffer badly anyway..). + DOC_END + + NAME: reload_into_ims + + IFDEF: HTTP_VIOLATIONS + + COMMENT: on|off + + TYPE: onoff + + DEFAULT: off + + LOC: Config.onoff.reload_into_ims + DOC_START + When you enable this option, client no-cache or ``reload'' + requests will be changed to If-Modified-Since requests. + Doing this VIOLATES the HTTP standard. Enabling this + feature could make you liable for problems which it + causes. + + see also refresh_pattern for a more selective approach. + DOC_END + + NAME: always_direct + + TYPE: acl_access + + LOC: Config.accessList.AlwaysDirect + + DEFAULT: none + DOC_START + + Usage: always_direct allow|deny [!]aclname ... + + Here you can use ACL elements to specify requests which should + ALWAYS be forwarded directly to origin servers. For example, + to always directly forward requests for local servers use + + something like: + + acl local-servers dstdomain my.domain.net + always_direct allow local-servers + + To always forward FTP requests directly, use + + acl FTP proto FTP + always_direct allow FTP + + NOTE: There is a similar, but opposite option named + 'never_direct'. You need to be aware that "always_direct deny + foo" is NOT the same thing as "never_direct allow foo". You + may need to use a deny rule to exclude a more-specific case of + + some other rule. Example: + + acl local-external dstdomain external.foo.net + acl local-servers dstdomain .foo.net + always_direct deny local-external + always_direct allow local-servers + + This option replaces some v1.1 options such as local_domain + and local_ip. + DOC_END + + NAME: never_direct + + TYPE: acl_access + + LOC: Config.accessList.NeverDirect + + DEFAULT: none + DOC_START + + Usage: never_direct allow|deny [!]aclname ... + + never_direct is the opposite of always_direct. Please read + the description for always_direct if you have not already. + + With 'never_direct' you can use ACL elements to specify + requests which should NEVER be forwarded directly to origin + servers. For example, to force the use of a proxy for all + + requests, except those in your local domain use something like: + + acl local-servers dstdomain .foo.net + acl all src 0.0.0.0/0.0.0.0 + never_direct deny local-servers + never_direct allow all + + or if squid is inside a firewall and there is local intranet + + servers inside the firewall then use something like: + + acl local-intranet dstdomain .foo.net + acl local-external dstdomain external.foo.net + always_direct deny local-external + always_direct allow local-intranet + never_direct allow all + + This option replaces some v1.1 options such as inside_firewall + and firewall_ip. + DOC_END + + NAME: header_access + + IFDEF: HTTP_VIOLATIONS + + TYPE: http_header_access[] + + LOC: Config.header_access + + DEFAULT: none + DOC_START + + Usage: header_access header_name allow|deny [!]aclname ... + + WARNING: Doing this VIOLATES the HTTP standard. Enabling + this feature could make you liable for problems which it + causes. + + This option replaces the old 'anonymize_headers' and the + older 'http_anonymizer' option with something that is much + more configurable. This new method creates a list of ACLs + for each header, allowing you very fine-tuned header + mangling. + + You can only specify known headers for the header name. + Other headers are reclassified as 'Other'. You can also + refer to all the headers with 'All'. + + For example, to achieve the same behaviour as the old + + 'http_anonymizer standard' option, you should use: + + header_access From deny all + header_access Referer deny all + header_access Server deny all + header_access User-Agent deny all + header_access WWW-Authenticate deny all + header_access Link deny all + + Or, to reproduce the old 'http_anonymizer paranoid' feature + + you should use: + + header_access Allow allow all + header_access Authorization allow all + header_access WWW-Authenticate allow all + header_access Cache-Control allow all + header_access Content-Encoding allow all + header_access Content-Length allow all + header_access Content-Type allow all + header_access Date allow all + header_access Expires allow all + header_access Host allow all + header_access If-Modified-Since allow all + header_access Last-Modified allow all + header_access Location allow all + header_access Pragma allow all + header_access Accept allow all + header_access Accept-Charset allow all + header_access Accept-Encoding allow all + header_access Accept-Language allow all + header_access Content-Language allow all + header_access Mime-Version allow all + header_access Retry-After allow all + header_access Title allow all + header_access Connection allow all + header_access Proxy-Connection allow all + header_access All deny all + + By default, all headers are allowed (no anonymizing is + performed). + DOC_END + + NAME: header_replace + + IFDEF: HTTP_VIOLATIONS + + TYPE: http_header_replace[] + + LOC: Config.header_access + + DEFAULT: none + DOC_START + + Usage: header_replace header_name message + + Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) + + This option allows you to change the contents of headers + denied with header_access above, by replacing them with + some fixed string. This replaces the old fake_user_agent + option. + + By default, headers are removed if denied. + DOC_END + + NAME: icon_directory + + TYPE: string + + LOC: Config.icons.directory + + DEFAULT: @DEFAULT_ICON_DIR@ + DOC_START + Where the icons are stored. These are normally kept in + @DEFAULT_ICON_DIR@ + DOC_END + + NAME: error_directory + + TYPE: string + + LOC: Config.errorDirectory + + DEFAULT: @DEFAULT_ERROR_DIR@ + DOC_START + If you wish to create your own versions of the default + (English) error files, either to customize them to suit your + language or company copy the template English files to another + directory and point this tag at them. + DOC_END + + NAME: maximum_single_addr_tries + + TYPE: int + + LOC: Config.retry.maxtries + + DEFAULT: 3 + DOC_START + This sets the maximum number of connection attempts for a + host that only has one address (for multiple-address hosts, + each address is tried once). + + The default value is three tries, the (not recommended) + maximum is 255 tries. A warning message will be generated + if it is set to a value greater than ten. + DOC_END + + NAME: snmp_port + + TYPE: ushort + + LOC: Config.Port.snmp + + DEFAULT: 3401 + + IFDEF: SQUID_SNMP + DOC_START + Squid can now serve statistics and status information via SNMP. + By default it listens to port 3401 on the machine. If you don't + wish to use SNMP, set this to "0". + DOC_END + + NAME: snmp_access + TYPE: acl_access + LOC: Config.accessList.snmp + DEFAULT: none + DEFAULT_IF_NONE: deny all + IFDEF: SQUID_SNMP + DOC_START + Allowing or denying access to the SNMP port. + + All access to the agent is denied by default. + usage: + + snmp_access allow|deny [!]aclname ... + + Example: + snmp_access allow snmppublic localhost + snmp_access deny all + DOC_END + + NAME: snmp_incoming_address + TYPE: address + LOC: Config.Addrs.snmp_incoming + DEFAULT: 0.0.0.0 + IFDEF: SQUID_SNMP + DOC_NONE + NAME: snmp_outgoing_address + TYPE: address + LOC: Config.Addrs.snmp_outgoing + DEFAULT: 255.255.255.255 + IFDEF: SQUID_SNMP + DOC_START + Just like 'udp_incoming_address' above, but for the SNMP port. + + snmp_incoming_address is used for the SNMP socket receiving + messages from SNMP agents. + snmp_outgoing_address is used for SNMP packets returned to SNMP + agents. + + The default snmp_incoming_address (0.0.0.0) is to listen on all + available network interfaces. + + If snmp_outgoing_address is set to 255.255.255.255 (the default) + then it will use the same socket as snmp_incoming_address. Only + change this if you want to have SNMP replies sent using another + address than where this Squid listens for SNMP queries. + + NOTE, snmp_incoming_address and snmp_outgoing_address can not have + the same value since they both use port 3401. + DOC_END + + NAME: as_whois_server + TYPE: string + LOC: Config.as_whois_server + DEFAULT: whois.ra.net + DEFAULT_IF_NONE: whois.ra.net + DOC_START + WHOIS server to query for AS numbers. NOTE: AS numbers are + queried only when Squid starts up, not for every request. + DOC_END + + NAME: wccp_router + TYPE: address + LOC: Config.Wccp.router + DEFAULT: 0.0.0.0 + IFDEF: USE_WCCP + DOC_START + Use this option to define your WCCP ``home'' router for + Squid. Setting the 'wccp_router' to 0.0.0.0 (the default) + disables WCCP. + DOC_END + + NAME: wccp_version + TYPE: int + LOC: Config.Wccp.version + DEFAULT: 4 + IFDEF: USE_WCCP + DOC_START + According to some users, Cisco IOS 11.2 only supports WCCP + version 3. If you're using that version of IOS, change + this value to 3. + DOC_END + + NAME: wccp_incoming_address + + TYPE: address + + LOC: Config.Wccp.incoming + + DEFAULT: 0.0.0.0 + + IFDEF: USE_WCCP + DOC_NONE + + NAME: wccp_outgoing_address + + TYPE: address + + LOC: Config.Wccp.outgoing + + DEFAULT: 255.255.255.255 + + IFDEF: USE_WCCP + DOC_START + wccp_incoming_address Use this option if you require WCCP + messages to be received on only one + interface. Do NOT use this option if + you're unsure how many interfaces you + have, or if you know you have only one + interface. + + wccp_outgoing_address Use this option if you require WCCP + messages to be sent out on only one + interface. Do NOT use this option if + you're unsure how many interfaces you + have, or if you know you have only one + interface. + + The default behavior is to not bind to any specific address. + + NOTE, wccp_incoming_address and wccp_outgoing_address can not have + the same value since they both use port 2048. + DOC_END + + + COMMENT_START + DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option) + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: delay_pools + + TYPE: delay_pool_count + + DEFAULT: 0 + + IFDEF: DELAY_POOLS + + LOC: Config.Delay + DOC_START + This represents the number of delay pools to be used. For example, + if you have one class 2 delay pool and one class 3 delays pool, you + have a total of 2 delay pools. + DOC_END + + NAME: delay_class + + TYPE: delay_pool_class + + DEFAULT: none + + IFDEF: DELAY_POOLS + + LOC: Config.Delay + DOC_START + This defines the class of each delay pool. There must be exactly one + delay_class line for each delay pool. For example, to define two + delay pools, one of class 2 and one of class 3, the settings above + + and here would be: + + Example: + delay_pools 4 # 4 delay pools + delay_class 1 2 # pool 1 is a class 2 pool + delay_class 2 3 # pool 2 is a class 3 pool + delay_class 3 4 # pool 3 is a class 4 pool + delay_class 4 5 # pool 4 is a class 5 pool + + The delay pool classes are: + + class 1 Everything is limited by a single aggregate + bucket. + + class 2 Everything is limited by a single aggregate + bucket as well as an "individual" bucket chosen + from bits 25 through 32 of the IP address. + + class 3 Everything is limited by a single aggregate + bucket as well as a "network" bucket chosen + from bits 17 through 24 of the IP address and a + "individual" bucket chosen from bits 17 through + 32 of the IP address. + + class 4 Everything in a class 3 delay pool, with an + additional limit on a per user basis. This + only takes effect if the username is established + in advance - by forcing authentication in your + http_access rules. + + class 5 Requests are grouped according their tag (see + external_acl's tag= reply). + + NOTE: If an IP address is a.b.c.d + -> bits 25 through 32 are "d" + -> bits 17 through 24 are "c" + -> bits 17 through 32 are "c * 256 + d" + DOC_END + + NAME: delay_access + TYPE: delay_pool_access + DEFAULT: none + IFDEF: DELAY_POOLS + LOC: Config.Delay + DOC_START + This is used to determine which delay pool a request falls into. + The first matched delay pool is always used, i.e., if a request falls + into delay pool number one, no more delay are checked, otherwise the + rest are checked in order of their delay pool number until they have + all been checked. For example, if you want some_big_clients in delay + pool 1 and lotsa_little_clients in delay pool 2: + + Example: + delay_access 1 allow some_big_clients + delay_access 1 deny all + delay_access 2 allow lotsa_little_clients + delay_access 2 deny all + delay_access 3 allow authenticated_clients + DOC_END + + NAME: delay_parameters + TYPE: delay_pool_rates + DEFAULT: none + IFDEF: DELAY_POOLS + LOC: Config.Delay + DOC_START + This defines the parameters for a delay pool. Each delay pool has + a number of "buckets" associated with it, as explained in the + description of delay_class. For a class 1 delay pool, the syntax is: + + delay_parameters pool aggregate + + For a class 2 delay pool: + + delay_parameters pool aggregate individual + + For a class 3 delay pool: + + delay_parameters pool aggregate network individual + + For a class 4 delay pool: + + delay_parameters pool aggregate network individual user + + For a class 5 delay pool: + + delay_parameters pool tag + + The variables here are: + + pool a pool number - ie, a number between 1 and the + number specified in delay_pools as used in + delay_class lines. + + aggregate the "delay parameters" for the aggregate bucket + (class 1, 2, 3). + + individual the "delay parameters" for the individual + buckets (class 2, 3). + + network the "delay parameters" for the network buckets + (class 3). + + user the delay parameters for the user buckets + (class 4). + + tag the delay parameters for the tag buckets + (class 5). + + A pair of delay parameters is written restore/maximum, where restore is + the number of bytes (not bits - modem and network speeds are usually + quoted in bits) per second placed into the bucket, and maximum is the + maximum number of bytes which can be in the bucket at any time. + + For example, if delay pool number 1 is a class 2 delay pool as in the + above example, and is being used to strictly limit each host to 64kbps + (plus overheads), with no overall limit, the line is: + + delay_parameters 1 -1/-1 8000/8000 + + Note that the figure -1 is used to represent "unlimited". + + And, if delay pool number 2 is a class 3 delay pool as in the above + example, and you want to limit it to a total of 256kbps (strict limit) + with each 8-bit network permitted 64kbps (strict limit) and each + individual host permitted 4800bps with a bucket maximum size of 64kb + to permit a decent web page to be downloaded at a decent speed + (if the network is not being limited due to overuse) but slow down + large downloads more significantly: + + delay_parameters 2 32000/32000 8000/8000 600/8000 + + There must be one delay_parameters line for each delay pool. + + Finally, for a class 4 delay pool as in the example - each user will + be limited to 128Kb no matter how many workstations they are logged into.: + + delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 + DOC_END + + NAME: delay_initial_bucket_level + COMMENT: (percent, 0-100) + TYPE: ushort + DEFAULT: 50 + IFDEF: DELAY_POOLS + LOC: Config.Delay.initial + DOC_START + The initial bucket percentage is used to determine how much is put + in each bucket when squid starts, is reconfigured, or first notices + a host accessing it (in class 2 and class 3, individual hosts and + networks only have buckets associated with them once they have been + "seen" by squid). + DOC_END + + NAME: incoming_icp_average + TYPE: int + DEFAULT: 6 + LOC: Config.comm_incoming.icp_average + DOC_NONE + + NAME: incoming_http_average + TYPE: int + DEFAULT: 4 + LOC: Config.comm_incoming.http_average + DOC_NONE + + NAME: incoming_dns_average + TYPE: int + DEFAULT: 4 + LOC: Config.comm_incoming.dns_average + DOC_NONE + + NAME: min_icp_poll_cnt + TYPE: int + DEFAULT: 8 + LOC: Config.comm_incoming.icp_min_poll + DOC_NONE + + NAME: min_dns_poll_cnt + TYPE: int + DEFAULT: 8 + LOC: Config.comm_incoming.dns_min_poll + DOC_NONE + + NAME: min_http_poll_cnt + TYPE: int + DEFAULT: 8 + LOC: Config.comm_incoming.http_min_poll + DOC_START + Heavy voodoo here. I can't even believe you are reading this. + Are you crazy? Don't even think about adjusting these unless + you understand the algorithms in comm_select.c first! + DOC_END + + NAME: max_open_disk_fds + TYPE: int + LOC: Config.max_open_disk_fds + DEFAULT: 0 + DOC_START + To avoid having disk as the I/O bottleneck Squid can optionally + bypass the on-disk cache if more than this amount of disk file + descriptors are open. + + A value of 0 indicates no limit. + DOC_END + + NAME: offline_mode + TYPE: onoff + LOC: Config.onoff.offline + DEFAULT: off + DOC_START + Enable this option and Squid will never try to validate cached + objects. + DOC_END + + NAME: uri_whitespace + TYPE: uri_whitespace + LOC: Config.uri_whitespace + DEFAULT: strip + DOC_START + What to do with requests that have whitespace characters in the + URI. Options: + + strip: The whitespace characters are stripped out of the URL. + This is the behavior recommended by RFC2396. + deny: The request is denied. The user receives an "Invalid + Request" message. + allow: The request is allowed and the URI is not changed. The + whitespace characters remain in the URI. Note the + whitespace is passed to redirector processes if they + are in use. + encode: The request is allowed and the whitespace characters are + encoded according to RFC1738. This could be considered + a violation of the HTTP/1.1 + RFC because proxies are not allowed to rewrite URI's. + chop: The request is allowed and the URI is chopped at the + first whitespace. This might also be considered a + violation. + DOC_END + + NAME: broken_posts + TYPE: acl_access + DEFAULT: none + LOC: Config.accessList.brokenPosts + DOC_START + A list of ACL elements which, if matched, causes Squid to send + an extra CRLF pair after the body of a PUT/POST request. + + Some HTTP servers has broken implementations of PUT/POST, + and rely on an extra CRLF pair sent by some WWW clients. + + Quote from RFC 2068 section 4.1 on this matter: + + Note: certain buggy HTTP/1.0 client implementations generate an + extra CRLF's after a POST request. To restate what is explicitly + forbidden by the BNF, an HTTP/1.1 client must not preface or follow + a request with an extra CRLF. + + Example: + acl buggy_server url_regex ^http://.... + broken_posts allow buggy_server + DOC_END + + NAME: mcast_miss_addr + IFDEF: MULTICAST_MISS_STREAM + TYPE: address + LOC: Config.mcast_miss.addr + DEFAULT: 255.255.255.255 + DOC_START + If you enable this option, every "cache miss" URL will + be sent out on the specified multicast address. + + Do not enable this option unless you are are absolutely + certain you understand what you are doing. + DOC_END + + NAME: mcast_miss_ttl + IFDEF: MULTICAST_MISS_TTL + TYPE: ushort + LOC: Config.mcast_miss.ttl + DEFAULT: 16 + DOC_START + This is the time-to-live value for packets multicasted + when multicasting off cache miss URLs is enabled. By + default this is set to 'site scope', i.e. 16. + DOC_END + + NAME: mcast_miss_port + IFDEF: MULTICAST_MISS_STREAM + TYPE: ushort + LOC: Config.mcast_miss.port + DEFAULT: 3135 + DOC_START + This is the port number to be used in conjunction with + 'mcast_miss_addr'. + DOC_END + + NAME: mcast_miss_encode_key + IFDEF: MULTICAST_MISS_STREAM + TYPE: string + LOC: Config.mcast_miss.encode_key + DEFAULT: XXXXXXXXXXXXXXXX + DOC_START + The URLs that are sent in the multicast miss stream are + encrypted. This is the encryption key. + DOC_END + + NAME: nonhierarchical_direct + TYPE: onoff + LOC: Config.onoff.nonhierarchical_direct + DEFAULT: on + DOC_START + By default, Squid will send any non-hierarchical requests + (matching hierarchy_stoplist or not cachable request type) direct + to origin servers. + + If you set this to off, then Squid will prefer to send these + requests to parents. + + Note that in most configurations, by turning this off you will only + add latency to these request without any improvement in global hit + ratio. + + If you are inside an firewall then see never_direct instead of + this directive. + DOC_END + + NAME: prefer_direct + TYPE: onoff + LOC: Config.onoff.prefer_direct + DEFAULT: off + DOC_START + Normally Squid tries to use parents for most requests. If you by some + reason like it to first try going direct and only use a parent if + going direct fails then set this to on. + + By combining nonhierarchical_direct off and prefer_direct on you + can set up Squid to use a parent as a backup path if going direct + fails. + DOC_END + + NAME: strip_query_terms + TYPE: onoff + LOC: Config.onoff.strip_query_terms + DEFAULT: on + DOC_START + By default, Squid strips query terms from requested URLs before + logging. This protects your user's privacy. + DOC_END + + NAME: coredump_dir + TYPE: string + LOC: Config.coredump_dir + DEFAULT: none + DEFAULT_IF_NONE: none + DOC_START + By default Squid leaves core files in the directory from where + it was started. If you set 'coredump_dir' to a directory + that exists, Squid will chdir() to that directory at startup + and coredump files will be left there. + + NOCOMMENT_START # Leave coredumps in the first cache dir -coredump_dir @DEFAULT_SWAP_DIR@ -NOCOMMENT_END -DOC_END - -NAME: redirector_bypass -TYPE: onoff -LOC: Config.onoff.redirector_bypass -DEFAULT: off -DOC_START - When this is 'on', a request will not go through the - redirector if all redirectors are busy. If this is 'off' - and the redirector queue grows too large, Squid will exit - with a FATAL error and ask you to increase the number of - redirectors. You should only enable this if the redirectors - are not critical to your caching system. If you use - redirectors for access control, and you enable this option, - then users may have access to pages that they should not - be allowed to request. -DOC_END - -NAME: ignore_unknown_nameservers -TYPE: onoff -LOC: Config.onoff.ignore_unknown_nameservers -DEFAULT: on -DOC_START - By default Squid checks that DNS responses are received - from the same IP addresses that they are sent to. If they - don't match, Squid ignores the response and writes a warning - message to cache.log. You can allow responses from unknown - nameservers by setting this option to 'off'. -DOC_END - -NAME: digest_generation -IFDEF: USE_CACHE_DIGESTS -TYPE: onoff -LOC: Config.onoff.digest_generation -DEFAULT: on -DOC_START - This controls whether the server will generate a Cache Digest - of its contents. By default, Cache Digest generation is - enabled if Squid is compiled with USE_CACHE_DIGESTS defined. -DOC_END - -NAME: digest_bits_per_entry -IFDEF: USE_CACHE_DIGESTS -TYPE: int -LOC: Config.digest.bits_per_entry -DEFAULT: 5 -DOC_START - This is the number of bits of the server's Cache Digest which - will be associated with the Digest entry for a given HTTP - Method and URL (public key) combination. The default is 5. -DOC_END - -NAME: digest_rebuild_period -IFDEF: USE_CACHE_DIGESTS -COMMENT: (seconds) -TYPE: time_t -LOC: Config.digest.rebuild_period -DEFAULT: 1 hour -DOC_START - This is the number of seconds between Cache Digest rebuilds. -DOC_END - -NAME: digest_rewrite_period -COMMENT: (seconds) -IFDEF: USE_CACHE_DIGESTS -TYPE: time_t -LOC: Config.digest.rewrite_period -DEFAULT: 1 hour -DOC_START - This is the number of seconds between Cache Digest writes to - disk. -DOC_END - -NAME: digest_swapout_chunk_size -COMMENT: (bytes) -TYPE: b_size_t -IFDEF: USE_CACHE_DIGESTS -LOC: Config.digest.swapout_chunk_size -DEFAULT: 4096 bytes -DOC_START - This is the number of bytes of the Cache Digest to write to - disk at a time. It defaults to 4096 bytes (4KB), the Squid - default swap page. -DOC_END - -NAME: digest_rebuild_chunk_percentage -COMMENT: (percent, 0-100) -IFDEF: USE_CACHE_DIGESTS -TYPE: int -LOC: Config.digest.rebuild_chunk_percentage -DEFAULT: 10 -DOC_START - This is the percentage of the Cache Digest to be scanned at a - time. By default it is set to 10% of the Cache Digest. -DOC_END - -NAME: chroot -TYPE: string -LOC: Config.chroot_dir -DEFAULT: none -DOC_START - Use this to have Squid do a chroot() while initializing. This - also causes Squid to fully drop root privileges after - initializing. This means, for example, that if you use a HTTP - port less than 1024 and try to reconfigure, you will get an - error. -DOC_END - -NAME: client_persistent_connections -TYPE: onoff -LOC: Config.onoff.client_pconns -DEFAULT: on -DOC_NONE - -NAME: server_persistent_connections -TYPE: onoff -LOC: Config.onoff.server_pconns -DEFAULT: on -DOC_START - Persistent connection support for clients and servers. By - default, Squid uses persistent connections (when allowed) - with its clients and servers. You can use these options to - disable persistent connections with clients and/or servers. -DOC_END - -NAME: pipeline_prefetch -TYPE: onoff -LOC: Config.onoff.pipeline_prefetch -DEFAULT: off -DOC_START - To boost the performance of pipelined requests to closer - match that of a non-proxied environment Squid can try to fetch - up to two requests in parallell from a pipeline. - - Defaults to off for bandwidth management and access logging - reasons. -DOC_END - -NAME: extension_methods -TYPE: wordlist -LOC: Config.ext_methods -DEFAULT: none -DOC_START - Squid only knows about standardized HTTP request methods. - You can add up to 20 additional "extension" methods here. -DOC_END - -NAME: request_entities -TYPE: onoff -LOC: Config.onoff.request_entities -DEFAULT: off -DOC_START - Squid defaults to deny GET and HEAD requests with request entities, - as the meaning of such requests are undefined in the HTTP standard - even if not explicitly forbidden. - - Set this directive to on if you have clients which insists - on sending request entities in GET or HEAD requests. -DOC_END - -NAME: high_response_time_warning -TYPE: int -COMMENT: (msec) -LOC: Config.warnings.high_rptm -DEFAULT: 0 -DOC_START - If the one-minute median response time exceeds this value, - Squid prints a WARNING with debug level 0 to get the - administrators attention. The value is in milliseconds. -DOC_END - -NAME: high_page_fault_warning -TYPE: int -LOC: Config.warnings.high_pf -DEFAULT: 0 -DOC_START - If the one-minute average page fault rate exceeds this - value, Squid prints a WARNING with debug level 0 to get - the administrators attention. The value is in page faults - per second. -DOC_END - -NAME: high_memory_warning -TYPE: b_size_t -LOC: Config.warnings.high_memory -DEFAULT: 0 -DOC_START - If the memory usage (as determined by mallinfo) exceeds - value, Squid prints a WARNING with debug level 0 to get - the administrators attention. -DOC_END - -NAME: store_dir_select_algorithm -TYPE: string -LOC: Config.store_dir_select_algorithm -DEFAULT: least-load -DOC_START - Set this to 'round-robin' as an alternative. -DOC_END - -NAME: forward_log -IFDEF: WIP_FWD_LOG -TYPE: string -DEFAULT: none -LOC: Config.Log.forward -DOC_START - Logs the server-side requests. - - This is currently work in progress. -DOC_END - -NAME: ie_refresh -COMMENT: on|off -TYPE: onoff -LOC: Config.onoff.ie_refresh -DEFAULT: off -DOC_START - Microsoft Internet Explorer up until version 5.5 Service - Pack 1 has an issue with transparent proxies, wherein it - is impossible to force a refresh. Turning this on provides - a partial fix to the problem, by causing all IMS-REFRESH - requests from older IE versions to check the origin server - for fresh content. This reduces hit ratio by some amount - (~10% in my experience), but allows users to actually get - fresh content when they want it. Note that because Squid - cannot tell if the user is using 5.5 or 5.5SP1, the behavior - of 5.5 is unchanged from old versions of Squid (i.e. a - forced refresh is impossible). Newer versions of IE will, - hopefully, continue to have the new behavior and will be - handled based on that assumption. This option defaults to - the old Squid behavior, which is better for hit ratios but - worse for clients using IE, if they need to be able to - force fresh content. -DOC_END - -NAME: vary_ignore_expire -COMMENT: on|off -TYPE: onoff -LOC: Config.onoff.vary_ignore_expire -DEFAULT: off -DOC_START - Many HTTP servers supporting Vary gives such objects - immediate expiry time with no cache-control header - when requested by a HTTP/1.0 client. This option - enables Squid to ignore such expiry times until - HTTP/1.1 is fully implemented. - WARNING: This may eventually cause some varying - objects not intended for caching to get cached. -DOC_END - -NAME: sleep_after_fork -COMMENT: (microseconds) -TYPE: int -LOC: Config.sleep_after_fork -DEFAULT: 0 -DOC_START - When this is set to a non-zero value, the main Squid process - sleeps the specified number of microseconds after a fork() - system call. This sleep may help the situation where your - system reports fork() failures due to lack of (virtual) - memory. Note, however, that if you have a lot of child - processes, then these sleep delays will add up and your - Squid will not service requests for some amount of time - until all the child processes have been started. -DOC_END - -EOF + coredump_dir @DEFAULT_SWAP_DIR@ + NOCOMMENT_END + DOC_END + + NAME: redirector_bypass + TYPE: onoff + LOC: Config.onoff.redirector_bypass + DEFAULT: off + DOC_START + When this is 'on', a request will not go through the + redirector if all redirectors are busy. If this is 'off' + and the redirector queue grows too large, Squid will exit + with a FATAL error and ask you to increase the number of + redirectors. You should only enable this if the redirectors + are not critical to your caching system. If you use + redirectors for access control, and you enable this option, + then users may have access to pages that they should not + be allowed to request. + DOC_END + + NAME: ignore_unknown_nameservers + TYPE: onoff + LOC: Config.onoff.ignore_unknown_nameservers + DEFAULT: on + DOC_START + By default Squid checks that DNS responses are received + from the same IP addresses that they are sent to. If they + don't match, Squid ignores the response and writes a warning + message to cache.log. You can allow responses from unknown + nameservers by setting this option to 'off'. + DOC_END + + NAME: digest_generation + IFDEF: USE_CACHE_DIGESTS + TYPE: onoff + LOC: Config.onoff.digest_generation + DEFAULT: on + DOC_START + This controls whether the server will generate a Cache Digest + of its contents. By default, Cache Digest generation is + enabled if Squid is compiled with USE_CACHE_DIGESTS defined. + DOC_END + + NAME: digest_bits_per_entry + IFDEF: USE_CACHE_DIGESTS + TYPE: int + LOC: Config.digest.bits_per_entry + DEFAULT: 5 + DOC_START + This is the number of bits of the server's Cache Digest which + will be associated with the Digest entry for a given HTTP + Method and URL (public key) combination. The default is 5. + DOC_END + + NAME: digest_rebuild_period + IFDEF: USE_CACHE_DIGESTS + COMMENT: (seconds) + TYPE: time_t + LOC: Config.digest.rebuild_period + DEFAULT: 1 hour + DOC_START + This is the number of seconds between Cache Digest rebuilds. + DOC_END + + NAME: digest_rewrite_period + COMMENT: (seconds) + IFDEF: USE_CACHE_DIGESTS + TYPE: time_t + LOC: Config.digest.rewrite_period + DEFAULT: 1 hour + DOC_START + This is the number of seconds between Cache Digest writes to + disk. + DOC_END + + NAME: digest_swapout_chunk_size + COMMENT: (bytes) + TYPE: b_size_t + IFDEF: USE_CACHE_DIGESTS + LOC: Config.digest.swapout_chunk_size + DEFAULT: 4096 bytes + DOC_START + This is the number of bytes of the Cache Digest to write to + disk at a time. It defaults to 4096 bytes (4KB), the Squid + default swap page. + DOC_END + + NAME: digest_rebuild_chunk_percentage + COMMENT: (percent, 0-100) + IFDEF: USE_CACHE_DIGESTS + TYPE: int + LOC: Config.digest.rebuild_chunk_percentage + DEFAULT: 10 + DOC_START + This is the percentage of the Cache Digest to be scanned at a + time. By default it is set to 10% of the Cache Digest. + DOC_END + + NAME: chroot + TYPE: string + LOC: Config.chroot_dir + DEFAULT: none + DOC_START + Use this to have Squid do a chroot() while initializing. This + also causes Squid to fully drop root privileges after + initializing. This means, for example, that if you use a HTTP + port less than 1024 and try to reconfigure, you will get an + error. + DOC_END + + NAME: client_persistent_connections + TYPE: onoff + LOC: Config.onoff.client_pconns + DEFAULT: on + DOC_NONE + + NAME: server_persistent_connections + TYPE: onoff + LOC: Config.onoff.server_pconns + DEFAULT: on + DOC_START + Persistent connection support for clients and servers. By + default, Squid uses persistent connections (when allowed) + with its clients and servers. You can use these options to + disable persistent connections with clients and/or servers. + DOC_END + + NAME: pipeline_prefetch + TYPE: onoff + LOC: Config.onoff.pipeline_prefetch + DEFAULT: off + DOC_START + To boost the performance of pipelined requests to closer + match that of a non-proxied environment Squid can try to fetch + up to two requests in parallell from a pipeline. + + Defaults to off for bandwidth management and access logging + reasons. + DOC_END + + NAME: extension_methods + TYPE: wordlist + LOC: Config.ext_methods + DEFAULT: none + DOC_START + Squid only knows about standardized HTTP request methods. + You can add up to 20 additional "extension" methods here. + DOC_END + + NAME: request_entities + TYPE: onoff + LOC: Config.onoff.request_entities + DEFAULT: off + DOC_START + Squid defaults to deny GET and HEAD requests with request entities, + as the meaning of such requests are undefined in the HTTP standard + even if not explicitly forbidden. + + Set this directive to on if you have clients which insists + on sending request entities in GET or HEAD requests. + DOC_END + + NAME: high_response_time_warning + TYPE: int + COMMENT: (msec) + LOC: Config.warnings.high_rptm + DEFAULT: 0 + DOC_START + If the one-minute median response time exceeds this value, + Squid prints a WARNING with debug level 0 to get the + administrators attention. The value is in milliseconds. + DOC_END + + NAME: high_page_fault_warning + TYPE: int + LOC: Config.warnings.high_pf + DEFAULT: 0 + DOC_START + If the one-minute average page fault rate exceeds this + value, Squid prints a WARNING with debug level 0 to get + the administrators attention. The value is in page faults + per second. + DOC_END + + NAME: high_memory_warning + TYPE: b_size_t + LOC: Config.warnings.high_memory + DEFAULT: 0 + DOC_START + If the memory usage (as determined by mallinfo) exceeds + value, Squid prints a WARNING with debug level 0 to get + the administrators attention. + DOC_END + + NAME: store_dir_select_algorithm + TYPE: string + LOC: Config.store_dir_select_algorithm + DEFAULT: least-load + DOC_START + Set this to 'round-robin' as an alternative. + DOC_END + + NAME: forward_log + IFDEF: WIP_FWD_LOG + TYPE: string + DEFAULT: none + LOC: Config.Log.forward + DOC_START + Logs the server-side requests. + + This is currently work in progress. + DOC_END + + NAME: ie_refresh + COMMENT: on|off + TYPE: onoff + LOC: Config.onoff.ie_refresh + DEFAULT: off + DOC_START + Microsoft Internet Explorer up until version 5.5 Service + Pack 1 has an issue with transparent proxies, wherein it + is impossible to force a refresh. Turning this on provides + a partial fix to the problem, by causing all IMS-REFRESH + requests from older IE versions to check the origin server + for fresh content. This reduces hit ratio by some amount + (~10% in my experience), but allows users to actually get + fresh content when they want it. Note that because Squid + cannot tell if the user is using 5.5 or 5.5SP1, the behavior + of 5.5 is unchanged from old versions of Squid (i.e. a + forced refresh is impossible). Newer versions of IE will, + hopefully, continue to have the new behavior and will be + handled based on that assumption. This option defaults to + the old Squid behavior, which is better for hit ratios but + worse for clients using IE, if they need to be able to + force fresh content. + DOC_END + + NAME: vary_ignore_expire + COMMENT: on|off + TYPE: onoff + LOC: Config.onoff.vary_ignore_expire + DEFAULT: off + DOC_START + Many HTTP servers supporting Vary gives such objects + immediate expiry time with no cache-control header + when requested by a HTTP/1.0 client. This option + enables Squid to ignore such expiry times until + HTTP/1.1 is fully implemented. + WARNING: This may eventually cause some varying + objects not intended for caching to get cached. + DOC_END + + NAME: sleep_after_fork + COMMENT: (microseconds) + TYPE: int + LOC: Config.sleep_after_fork + DEFAULT: 0 + DOC_START + When this is set to a non-zero value, the main Squid process + sleeps the specified number of microseconds after a fork() + system call. This sleep may help the situation where your + system reports fork() failures due to lack of (virtual) + memory. Note, however, that if you have a lot of child + processes, then these sleep delays will add up and your + Squid will not service requests for some amount of time + until all the child processes have been started. + DOC_END + + EOF diff --git a/src/client_side.cc b/src/client_side.cc index 156adb9f3d..f3cc51a11a 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -1,6 +1,6 @@ /* - * $Id: client_side.cc,v 1.655 2003/08/11 21:55:47 robertc Exp $ + * $Id: client_side.cc,v 1.656 2003/08/13 00:17:26 robertc Exp $ * * DEBUG: section 33 Client-side Routines * AUTHOR: Duane Wessels @@ -499,13 +499,15 @@ ClientHttpRequest::logRequest() al.url = log_uri; debug(33, 9) ("clientLogRequest: al.url='%s'\n", al.url); - if (memObject()) { - al.http.code = memObject()->getReply()->sline.status; - al.http.content_type = memObject()->getReply()->content_type.buf(); + if (loggingEntry() && loggingEntry()->mem_obj) { + al.http.code = loggingEntry()->mem_obj->getReply()->sline.status; + al.http.content_type = loggingEntry()->mem_obj->getReply()->content_type.buf(); + al.cache.objectSize = contentLen(loggingEntry()); } al.cache.caddr = getConn().getRaw() != NULL ? getConn()->log_addr : no_addr; al.cache.size = out.size; + al.cache.highOffset = out.offset; al.cache.code = logType; al.cache.msec = tvSubMsec(start, current_time); diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc index fc07abcd7e..fddf263ae4 100644 --- a/src/client_side_reply.cc +++ b/src/client_side_reply.cc @@ -1,6 +1,6 @@ /* - * $Id: client_side_reply.cc,v 1.64 2003/08/10 11:00:42 robertc Exp $ + * $Id: client_side_reply.cc,v 1.65 2003/08/13 00:17:26 robertc Exp $ * * DEBUG: section 88 Client-side Reply Routines * AUTHOR: Robert Collins (Originally Duane Wessels in client_side.c) @@ -1881,11 +1881,17 @@ clientReplyContext::processReplyAccessResult(bool accessAllowed) return; } + /* Ok, the reply is allowed, */ + http->loggingEntry(http->storeEntry()); + ssize_t body_size = reqofs - rep->hdr_sz; + assert(body_size >= 0); + debug(88,3) ("clientReplyContext::sendMoreData: Appending %d bytes after %d bytes of headers\n", (int) body_size, rep->hdr_sz); + #if ESI if (http->flags.accel && rep->sline.status != HTTP_FORBIDDEN && diff --git a/src/client_side_request.cc b/src/client_side_request.cc index bfa580af5c..d4f102d1c6 100644 --- a/src/client_side_request.cc +++ b/src/client_side_request.cc @@ -1,6 +1,6 @@ /* - * $Id: client_side_request.cc,v 1.31 2003/08/10 11:00:42 robertc Exp $ + * $Id: client_side_request.cc,v 1.32 2003/08/13 00:17:26 robertc Exp $ * * DEBUG: section 85 Client-side Request Routines * AUTHOR: Robert Collins (Originally Duane Wessels in client_side.c) @@ -158,7 +158,7 @@ ClientHttpRequest::operator delete (void *address) cbdataReferenceDone (temp); } -ClientHttpRequest::ClientHttpRequest() +ClientHttpRequest::ClientHttpRequest() : loggingEntry_(NULL) { /* reset range iterator */ start = current_time; @@ -254,6 +254,8 @@ ClientHttpRequest::~ClientHttpRequest() logRequest(); + loggingEntry(NULL); + if (request) checkFailureRatio(request->errType, al.hier.code); @@ -899,6 +901,17 @@ ClientHttpRequest::storeEntry(StoreEntry *newEntry) entry_ = newEntry; } +void +ClientHttpRequest::loggingEntry(StoreEntry *newEntry) +{ + if (loggingEntry_) + storeUnlockObject(loggingEntry_); + + loggingEntry_ = newEntry; + + if (loggingEntry_) + storeLockObject(loggingEntry_); +} #ifndef _USE_INLINE_ #include "client_side_request.cci" diff --git a/src/client_side_request.cci b/src/client_side_request.cci index d33a8acc99..8463179e38 100644 --- a/src/client_side_request.cci +++ b/src/client_side_request.cci @@ -1,6 +1,6 @@ /* - * $Id: client_side_request.cci,v 1.3 2003/07/11 01:40:36 robertc Exp $ + * $Id: client_side_request.cci,v 1.4 2003/08/13 00:17:26 robertc Exp $ * * DEBUG: section 85 Client-side Request Routines * AUTHOR: Robert Collins @@ -67,3 +67,9 @@ ClientHttpRequest::setConn(ConnStateData::Pointer aConn) assert (conn_.getRaw() == NULL || aConn.getRaw() == NULL); conn_ = aConn; } + +StoreEntry * +ClientHttpRequest::loggingEntry() const +{ + return loggingEntry_; +} diff --git a/src/client_side_request.h b/src/client_side_request.h index 3fd1981b37..92a07ee19e 100644 --- a/src/client_side_request.h +++ b/src/client_side_request.h @@ -1,6 +1,6 @@ /* - * $Id: client_side_request.h,v 1.17 2003/08/10 11:00:42 robertc Exp $ + * $Id: client_side_request.h,v 1.18 2003/08/13 00:17:26 robertc Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -72,6 +72,8 @@ public: bool gotEnough() const; _SQUID_INLINE_ StoreEntry *storeEntry() const; void storeEntry(StoreEntry *); + _SQUID_INLINE_ StoreEntry *loggingEntry() const; + void loggingEntry(StoreEntry *); _SQUID_INLINE_ ConnStateData::Pointer getConn(); _SQUID_INLINE_ ConnStateData::Pointer const getConn() const; @@ -136,6 +138,7 @@ private: CBDATA_CLASS(ClientHttpRequest); ssize_t maxReplyBodySize_; StoreEntry *entry_; + StoreEntry *loggingEntry_; ConnStateData::Pointer conn_; }; diff --git a/src/structs.h b/src/structs.h index d3639d011c..94948fb05a 100644 --- a/src/structs.h +++ b/src/structs.h @@ -1,6 +1,6 @@ /* - * $Id: structs.h,v 1.478 2003/08/10 11:00:44 robertc Exp $ + * $Id: structs.h,v 1.479 2003/08/13 00:17:26 robertc Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -1021,6 +1021,8 @@ struct _AccessLogEntry struct in_addr caddr; size_t size; + off_t highOffset; + size_t objectSize; log_type code; int msec; const char *rfc931;