From: robertc <> Date: Wed, 13 Aug 2003 06:34:51 +0000 (+0000) Subject: the I need more sleep checkin X-Git-Tag: SQUID_3_0_PRE3~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6b698a21d87bf73b7b438ead91a12c2feeb61a32;p=thirdparty%2Fsquid.git the I need more sleep checkin --- diff --git a/src/cf.data.pre b/src/cf.data.pre index e8b3b78755..8e426e86b4 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.337 2003/08/13 00:26:21 robertc Exp $ +# $Id: cf.data.pre,v 1.338 2003/08/13 00:34:51 robertc Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ 
@@ -1138,8 +1138,6 @@ DOC_START et Tag returned by external acl ea Log string returned by external acl a %Ss/%03Hs % - auth_param basic children 5 - auth_param basic realm Squid proxy-caching web server - auth_param basic credentialsttl 2 hours - NOCOMMENT_END - DOC_END - - NAME: authenticate_cache_garbage_interval - TYPE: time_t - DEFAULT: 1 hour - LOC: Config.authenticateGCInterval - DOC_START - The time period between garbage collection across the - username cache. This is a tradeoff between memory utilisation - (long intervals - say 2 days) and CPU (short intervals - - say 1 minute). Only change if you have good reason to. - DOC_END - - NAME: authenticate_ttl - TYPE: time_t - DEFAULT: 1 hour - LOC: Config.authenticateTTL - DOC_START - The time a user & their credentials stay in the logged in - user cache since their last request. When the garbage - interval passes, all user credentials that have passed their - TTL are removed from memory. - DOC_END - - NAME: authenticate_ip_ttl - TYPE: time_t - LOC: Config.authenticateIpTTL - DEFAULT: 0 seconds - DOC_START - If you use proxy authentication and the 'max_user_ip' ACL, - this directive controls how long Squid remembers the IP - addresses associated with each user. Use a small value - (e.g., 60 seconds) if your users might change addresses - quickly, as is the case with dialups. You might be safe - using a larger value (e.g., 2 hours) in a corporate LAN - environment with relatively static address assignments. - DOC_END - - NAME: external_acl_type - TYPE: externalAclHelper - LOC: Config.externalAclHelperList - DEFAULT: none - DOC_START - This option defines external acl classes using a helper program - to look up the status - - external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] 
- - Options: - - ttl=n TTL in seconds for cached results (defaults to 3600 - for 1 hour) - negative_ttl=n - TTL for cached negative lookups (default same - as ttl) - children=n Number of acl helper processes spawn to service - external acl lookups of this type. - concurrency=n concurrency level per process. Use 0 for old style - helpers who can only process a single request at a - time. - cache=n result cache size, 0 is unbounded (default) - grace=n Percentage remaining of TTL where a refresh of a - cached entry should be initiated without needing to - wait for a new reply. (default 0 for no grace period) - - FORMAT specifications - - %LOGIN Authenticated user login name - %IDENT Ident user name - %SRC Client IP - %SRCPORT Client source port - %DST Requested host - %PROTO Requested protocol - %PORT Requested port - %PATH Requested URL path - %METHOD Request method - %MYADDR Squid interface address - %MYPORT Squid http_port number - %USER_CERT_xx SSL User certificate attribute xx - %USER_CA_xx SSL User certificate CA attribute xx - %{Header} - - HTTP request header - - %{Hdr:member} HTTP request header list member - - %{Hdr:;member} - HTTP request header list member using ; as - list separator. ; can be any non-alphanumeric - character. - - In addition, any string specified in the referencing acl will - also be included in the helper request line, after the specified - formats (see the "acl external" directive) - - The helper receives lines per the above format specification, - and returns lines starting with OK or ERR indicating the validity - of the request and optionally followed by additional keywords with - more details. - - General result syntax: - - OK/ERR keyword=value ... - - Defined keywords: - - user= The users name (login) - password= The users password (for login= cache_peer option) - message= Message describing the reason. 
Available as %o - in error pages - tag= Apply a tag to a request (for both ERR and OK results) - Only sets a tag, does not alter existing tags. - log= String to be logged in access.log. Available as - %ea in logformat specifications - - Keyword values need to be enclosed in quotes if they may - contain whitespace, or the whitespace escaped using \. Any - quotes or \ characters within the keyword value must be \ - escaped. - DOC_END - - COMMENT_START - OPTIONS FOR TUNING THE CACHE - ----------------------------------------------------------------------------- - COMMENT_END - - NAME: wais_relay_host - - TYPE: string - - DEFAULT: none - - LOC: Config.Wais.relayHost - DOC_NONE - - NAME: wais_relay_port - - TYPE: ushort - - DEFAULT: 0 - - LOC: Config.Wais.relayPort - DOC_START - Relay WAIS request to host (1st arg) at port (2 arg). - DOC_END - - - NAME: request_header_max_size +auth_param basic children 5 +auth_param basic realm Squid proxy-caching web server +auth_param basic credentialsttl 2 hours +NOCOMMENT_END +DOC_END - COMMENT: (KB) +NAME: authenticate_cache_garbage_interval +TYPE: time_t +DEFAULT: 1 hour +LOC: Config.authenticateGCInterval +DOC_START + The time period between garbage collection across the + username cache. This is a tradeoff between memory utilisation + (long intervals - say 2 days) and CPU (short intervals - + say 1 minute). Only change if you have good reason to. +DOC_END - TYPE: b_size_t +NAME: authenticate_ttl +TYPE: time_t +DEFAULT: 1 hour +LOC: Config.authenticateTTL +DOC_START + The time a user & their credentials stay in the logged in + user cache since their last request. When the garbage + interval passes, all user credentials that have passed their + TTL are removed from memory. 
+DOC_END - DEFAULT: 10 KB +NAME: authenticate_ip_ttl +TYPE: time_t +LOC: Config.authenticateIpTTL +DEFAULT: 0 seconds +DOC_START + If you use proxy authentication and the 'max_user_ip' ACL, + this directive controls how long Squid remembers the IP + addresses associated with each user. Use a small value + (e.g., 60 seconds) if your users might change addresses + quickly, as is the case with dialups. You might be safe + using a larger value (e.g., 2 hours) in a corporate LAN + environment with relatively static address assignments. +DOC_END - LOC: Config.maxRequestHeaderSize - DOC_START - This specifies the maximum size for HTTP headers in a request. - Request headers are usually relatively small (about 512 bytes). - Placing a limit on the request header size will catch certain - bugs (for example with persistent connections) and possibly - buffer-overflow or denial-of-service attacks. - DOC_END +NAME: external_acl_type +TYPE: externalAclHelper +LOC: Config.externalAclHelperList +DEFAULT: none +DOC_START + This option defines external acl classes using a helper program + to look up the status + + external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] + + Options: - NAME: request_body_max_size + ttl=n TTL in seconds for cached results (defaults to 3600 + for 1 hour) + negative_ttl=n + TTL for cached negative lookups (default same + as ttl) + children=n Number of acl helper processes spawn to service + external acl lookups of this type. + concurrency=n concurrency level per process. Use 0 for old style + helpers who can only process a single request at a + time. + cache=n result cache size, 0 is unbounded (default) + grace=n Percentage remaining of TTL where a refresh of a + cached entry should be initiated without needing to + wait for a new reply. 
(default 0 for no grace period) + + FORMAT specifications + + %LOGIN Authenticated user login name + %IDENT Ident user name + %SRC Client IP + %SRCPORT Client source port + %DST Requested host + %PROTO Requested protocol + %PORT Requested port + %PATH Requested URL path + %METHOD Request method + %MYADDR Squid interface address + %MYPORT Squid http_port number + %USER_CERT_xx SSL User certificate attribute xx + %USER_CA_xx SSL User certificate CA attribute xx + %{Header} HTTP request header + %{Hdr:member} HTTP request header list member + %{Hdr:;member} + HTTP request header list member using ; as + list separator. ; can be any non-alphanumeric + character. + + In addition, any string specified in the referencing acl will + also be included in the helper request line, after the specified + formats (see the "acl external" directive) + + The helper receives lines per the above format specification, + and returns lines starting with OK or ERR indicating the validity + of the request and optionally followed by additional keywords with + more details. + + General result syntax: + + OK/ERR keyword=value ... - COMMENT: (KB) + Defined keywords: - TYPE: b_size_t + user= The users name (login) + password= The users password (for login= cache_peer option) + message= Message describing the reason. Available as %o + in error pages + tag= Apply a tag to a request (for both ERR and OK results) + Only sets a tag, does not alter existing tags. + log= String to be logged in access.log. Available as + %ea in logformat specifications - DEFAULT: 0 KB + Keyword values need to be enclosed in quotes if they may + contain whitespace, or the whitespace escaped using \. Any + quotes or \ characters within the keyword value must be \ + escaped. +DOC_END - LOC: Config.maxRequestBodySize - DOC_START - This specifies the maximum size for an HTTP request body. - In other words, the maximum size of a PUT/POST request. 
- A user who attempts to send a request with a body larger - than this limit receives an "Invalid Request" error message. - If you set this parameter to a zero (the default), there will - be no limit imposed. - DOC_END +COMMENT_START + OPTIONS FOR TUNING THE CACHE + ----------------------------------------------------------------------------- +COMMENT_END - NAME: refresh_pattern +NAME: wais_relay_host +TYPE: string +DEFAULT: none +LOC: Config.Wais.relayHost +DOC_NONE - TYPE: refreshpattern +NAME: wais_relay_port +TYPE: ushort +DEFAULT: 0 +LOC: Config.Wais.relayPort +DOC_START + Relay WAIS request to host (1st arg) at port (2 arg). +DOC_END - LOC: Config.Refresh - DEFAULT: none - DOC_START +NAME: request_header_max_size +COMMENT: (KB) +TYPE: b_size_t +DEFAULT: 10 KB +LOC: Config.maxRequestHeaderSize +DOC_START + This specifies the maximum size for HTTP headers in a request. + Request headers are usually relatively small (about 512 bytes). + Placing a limit on the request header size will catch certain + bugs (for example with persistent connections) and possibly + buffer-overflow or denial-of-service attacks. +DOC_END - usage: refresh_pattern [-i] regex min percent max [options] +NAME: request_body_max_size +COMMENT: (KB) +TYPE: b_size_t +DEFAULT: 0 KB +LOC: Config.maxRequestBodySize +DOC_START + This specifies the maximum size for an HTTP request body. + In other words, the maximum size of a PUT/POST request. + A user who attempts to send a request with a body larger + than this limit receives an "Invalid Request" error message. + If you set this parameter to a zero (the default), there will + be no limit imposed. +DOC_END - By default, regular expressions are CASE-SENSITIVE. To make - them case-insensitive, use the -i option. 
+NAME: refresh_pattern +TYPE: refreshpattern +LOC: Config.Refresh +DEFAULT: none +DOC_START + usage: refresh_pattern [-i] regex min percent max [options] - 'Min' is the time (in minutes) an object without an explicit - expiry time should be considered fresh. The recommended - value is 0, any higher values may cause dynamic applications - to be erroneously cached unless the application designer - has taken the appropriate actions. + By default, regular expressions are CASE-SENSITIVE. To make + them case-insensitive, use the -i option. - 'Percent' is a percentage of the objects age (time since last - modification age) an object without explicit expiry time - will be considered fresh. + 'Min' is the time (in minutes) an object without an explicit + expiry time should be considered fresh. The recommended + value is 0, any higher values may cause dynamic applications + to be erroneously cached unless the application designer + has taken the appropriate actions. - 'Max' is an upper limit on how long objects without an explicit - expiry time will be considered fresh. + 'Percent' is a percentage of the objects age (time since last + modification age) an object without explicit expiry time + will be considered fresh. - options: override-expire - override-lastmod - reload-into-ims - ignore-reload + 'Max' is an upper limit on how long objects without an explicit + expiry time will be considered fresh. - override-expire enforces min age even if the server + options: override-expire + override-lastmod + reload-into-ims + ignore-reload - sent a Expires: header. Doing this VIOLATES the HTTP - standard. Enabling this feature could make you liable - for problems which it causes. + override-expire enforces min age even if the server + sent a Expires: header. Doing this VIOLATES the HTTP + standard. Enabling this feature could make you liable + for problems which it causes. - override-lastmod enforces min age even on objects - that was modified recently. 
+ override-lastmod enforces min age even on objects + that was modified recently. - reload-into-ims changes client no-cache or ``reload'' - to If-Modified-Since requests. Doing this VIOLATES the - HTTP standard. Enabling this feature could make you - liable for problems which it causes. + reload-into-ims changes client no-cache or ``reload'' + to If-Modified-Since requests. Doing this VIOLATES the + HTTP standard. Enabling this feature could make you + liable for problems which it causes. - ignore-reload ignores a client no-cache or ``reload'' - header. Doing this VIOLATES the HTTP standard. Enabling - this feature could make you liable for problems which - it causes. + ignore-reload ignores a client no-cache or ``reload'' + header. Doing this VIOLATES the HTTP standard. Enabling + this feature could make you liable for problems which + it causes. + + Basically a cached object is: - Basically a cached object is: + FRESH if expires < now, else STALE + STALE if age > max + FRESH if lm-factor < percent, else STALE + FRESH if age < min + else STALE - FRESH if expires < now, else STALE - STALE if age > max - FRESH if lm-factor < percent, else STALE - FRESH if age < min - else STALE + The refresh_pattern lines are checked in the order listed here. + The first entry which matches is used. If none of the entries + match, then the default will be used. - The refresh_pattern lines are checked in the order listed here. - The first entry which matches is used. If none of the entries - match, then the default will be used. + Note, you must uncomment all the default lines if you want + to change one. The default setting is only active if none is + used. - Note, you must uncomment all the default lines if you want - to change one. The default setting is only active if none is - used. +Suggested default: +NOCOMMENT_START +refresh_pattern ^ftp: 1440 20% 10080 +refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern . 
0 20% 4320 +NOCOMMENT_END +DOC_END - Suggested default: - NOCOMMENT_START +NAME: quick_abort_min +COMMENT: (KB) +TYPE: kb_size_t +DEFAULT: 16 KB +LOC: Config.quickAbort.min +DOC_NONE - refresh_pattern ^ftp: 1440 20% 10080 +NAME: quick_abort_max +COMMENT: (KB) +TYPE: kb_size_t +DEFAULT: 16 KB +LOC: Config.quickAbort.max +DOC_NONE - refresh_pattern ^gopher: 1440 0% 1440 - refresh_pattern . 0 20% 4320 - NOCOMMENT_END - DOC_END +NAME: quick_abort_pct +COMMENT: (percent) +TYPE: int +DEFAULT: 95 +LOC: Config.quickAbort.pct +DOC_START + The cache by default continues downloading aborted requests + which are almost completed (less than 16 KB remaining). This + may be undesirable on slow (e.g. SLIP) links and/or very busy + caches. Impatient users may tie up file descriptors and + bandwidth by repeatedly requesting and immediately aborting + downloads. - NAME: quick_abort_min + When the user aborts a request, Squid will check the + quick_abort values to the amount of data transfered until + then. - COMMENT: (KB) + If the transfer has less than 'quick_abort_min' KB remaining, + it will finish the retrieval. - TYPE: kb_size_t + If the transfer has more than 'quick_abort_max' KB remaining, + it will abort the retrieval. - DEFAULT: 16 KB + If more than 'quick_abort_pct' of the transfer has completed, + it will finish the retrieval. - LOC: Config.quickAbort.min - DOC_NONE + If you do not want any retrieval to continue after the client + has aborted, set both 'quick_abort_min' and 'quick_abort_max' + to '0 KB'. - NAME: quick_abort_max + If you want retrievals to always continue if they are being + cached then set 'quick_abort_min' to '-1 KB'. +DOC_END - COMMENT: (KB) +NAME: read_ahead_gap +COMMENT: buffer-size +TYPE: kb_size_t +LOC: Config.readAheadGap +DEFAULT: 16 KB +DOC_START + The amount of data the cache will buffer ahead of what has been + sent to the client when retrieving an object from another server. 
+DOC_END - TYPE: kb_size_t +NAME: negative_ttl +COMMENT: time-units +TYPE: time_t +LOC: Config.negativeTtl +DEFAULT: 5 minutes +DOC_START + Time-to-Live (TTL) for failed requests. Certain types of + failures (such as "connection refused" and "404 Not Found") are + negatively-cached for a configurable amount of time. The + default is 5 minutes. Note that this is different from + negative caching of DNS lookups. +DOC_END - DEFAULT: 16 KB - LOC: Config.quickAbort.max - DOC_NONE +NAME: positive_dns_ttl +COMMENT: time-units +TYPE: time_t +LOC: Config.positiveDnsTtl +DEFAULT: 6 hours +DOC_START + Time-to-Live (TTL) for positive caching of successful DNS lookups. + Default is 6 hours (360 minutes). If you want to minimize the + use of Squid's ipcache, set this to 1, not 0. +DOC_END - NAME: quick_abort_pct - COMMENT: (percent) +NAME: negative_dns_ttl +COMMENT: time-units +TYPE: time_t +LOC: Config.negativeDnsTtl +DEFAULT: 5 minutes +DOC_START + Time-to-Live (TTL) for negative caching of failed DNS lookups. +DOC_END - TYPE: int +NAME: range_offset_limit +COMMENT: (bytes) +TYPE: b_size_t +LOC: Config.rangeOffsetLimit +DEFAULT: 0 KB +DOC_START + Sets a upper limit on how far into the the file a Range request + may be to cause Squid to prefetch the whole file. If beyond this + limit then Squid forwards the Range request as it is and the result + is NOT cached. - DEFAULT: 95 + This is to stop a far ahead range request (lets say start at 17MB) + from making Squid fetch the whole object up to that point before + sending anything to the client. - LOC: Config.quickAbort.pct - DOC_START - The cache by default continues downloading aborted requests - which are almost completed (less than 16 KB remaining). This - may be undesirable on slow (e.g. SLIP) links and/or very busy - caches. Impatient users may tie up file descriptors and - bandwidth by repeatedly requesting and immediately aborting - downloads. 
+ A value of -1 causes Squid to always fetch the object from the + beginning so that it may cache the result. (2.0 style) - When the user aborts a request, Squid will check the - quick_abort values to the amount of data transfered until - then. + A value of 0 causes Squid to never fetch more than the + client requested. (default) +DOC_END - If the transfer has less than 'quick_abort_min' KB remaining, - it will finish the retrieval. - If the transfer has more than 'quick_abort_max' KB remaining, - it will abort the retrieval. +COMMENT_START + TIMEOUTS + ----------------------------------------------------------------------------- +COMMENT_END - If more than 'quick_abort_pct' of the transfer has completed, - it will finish the retrieval. +NAME: connect_timeout +COMMENT: time-units +TYPE: time_t +LOC: Config.Timeout.connect +DEFAULT: 2 minutes +DOC_START + Some systems (notably Linux) can not be relied upon to properly + time out connect(2) requests. Therefore the Squid process + enforces its own timeout on server connections. This parameter + specifies how long to wait for the connect to complete. The + default is two minutes (120 seconds). +DOC_END - If you do not want any retrieval to continue after the client - has aborted, set both 'quick_abort_min' and 'quick_abort_max' - to '0 KB'. +NAME: peer_connect_timeout +COMMENT: time-units +TYPE: time_t +LOC: Config.Timeout.peer_connect +DEFAULT: 30 seconds +DOC_START + This parameter specifies how long to wait for a pending TCP + connection to a peer cache. The default is 30 seconds. You + may also set different timeout values for individual neighbors + with the 'connect-timeout' option on a 'cache_peer' line. +DOC_END - If you want retrievals to always continue if they are being - cached then set 'quick_abort_min' to '-1 KB'. - DOC_END +NAME: read_timeout +COMMENT: time-units +TYPE: time_t +LOC: Config.Timeout.read +DEFAULT: 15 minutes +DOC_START + The read_timeout is applied on server-side connections. 
After + each successful read(), the timeout will be extended by this + amount. If no data is read again after this amount of time, + the request is aborted and logged with ERR_READ_TIMEOUT. The + default is 15 minutes. +DOC_END - NAME: read_ahead_gap - COMMENT: buffer-size +NAME: request_timeout +TYPE: time_t +LOC: Config.Timeout.request +DEFAULT: 5 minutes +DOC_START + How long to wait for an HTTP request after initial + connection establishment. +DOC_END - TYPE: kb_size_t - LOC: Config.readAheadGap +NAME: persistent_request_timeout +TYPE: time_t +LOC: Config.Timeout.persistent_request +DEFAULT: 1 minute +DOC_START + How long to wait for the next HTTP request on a persistent + connection after the previous request completes. +DOC_END - DEFAULT: 16 KB - DOC_START - The amount of data the cache will buffer ahead of what has been - sent to the client when retrieving an object from another server. - DOC_END - NAME: negative_ttl +NAME: client_lifetime +COMMENT: time-units +TYPE: time_t +LOC: Config.Timeout.lifetime +DEFAULT: 1 day +DOC_START + The maximum amount of time that a client (browser) is allowed to + remain connected to the cache process. This protects the Cache + from having a lot of sockets (and hence file descriptors) tied up + in a CLOSE_WAIT state from remote clients that go away without + properly shutting down (either because of a network failure or + because of a poor client implementation). The default is one + day, 1440 minutes. + + NOTE: The default value is intended to be much larger than any + client would ever need to be connected to your cache. You + should probably change client_lifetime only as a last resort. + If you seem to have many client connections tying up + filedescriptors, we recommend first tuning the read_timeout, + request_timeout, persistent_request_timeout and quick_abort values. 
+DOC_END + +NAME: half_closed_clients +TYPE: onoff +LOC: Config.onoff.half_closed_clients +DEFAULT: on +DOC_START + Some clients may shutdown the sending side of their TCP + connections, while leaving their receiving sides open. Sometimes, + Squid can not tell the difference between a half-closed and a + fully-closed TCP connection. By default, half-closed client + connections are kept open until a read(2) or write(2) on the + socket returns an error. Change this option to 'off' and Squid + will immediately close client connections when read(2) returns + "no more data to read." +DOC_END - COMMENT: time-units +NAME: pconn_timeout +TYPE: time_t +LOC: Config.Timeout.pconn +DEFAULT: 120 seconds +DOC_START + Timeout for idle persistent connections to servers and other + proxies. +DOC_END - TYPE: time_t +NAME: ident_timeout +TYPE: time_t +IFDEF: USE_IDENT +LOC: Config.Timeout.ident +DEFAULT: 10 seconds +DOC_START + Maximum time to wait for IDENT lookups to complete. + + If this is too high, and you enabled IDENT lookups from untrusted + users, then you might be susceptible to denial-of-service by having + many ident requests going at once. +DOC_END - LOC: Config.negativeTtl - DEFAULT: 5 minutes - DOC_START - Time-to-Live (TTL) for failed requests. Certain types of - failures (such as "connection refused" and "404 Not Found") are - negatively-cached for a configurable amount of time. The - default is 5 minutes. Note that this is different from - negative caching of DNS lookups. - DOC_END +NAME: shutdown_lifetime +COMMENT: time-units +TYPE: time_t +LOC: Config.shutdownLifetime +DEFAULT: 30 seconds +DOC_START + When SIGTERM or SIGHUP is received, the cache is put into + "shutdown pending" mode until all active sockets are closed. + This value is the lifetime to set for all open descriptors + during shutdown mode. Any active clients after this many + seconds will receive a 'timeout' message. 
+DOC_END +COMMENT_START + ACCESS CONTROLS + ----------------------------------------------------------------------------- +COMMENT_END - NAME: positive_dns_ttl +NAME: acl +TYPE: acl +LOC: Config.aclList +DEFAULT: none +DOC_START + Defining an Access List - COMMENT: time-units + acl aclname acltype string1 ... + acl aclname acltype "file" ... - TYPE: time_t + when using "file", the file should contain one item per line - LOC: Config.positiveDnsTtl + acltype is one of the types described below - DEFAULT: 6 hours - DOC_START - Time-to-Live (TTL) for positive caching of successful DNS lookups. - Default is 6 hours (360 minutes). If you want to minimize the - use of Squid's ipcache, set this to 1, not 0. - DOC_END + By default, regular expressions are CASE-SENSITIVE. To make + them case-insensitive, use the -i option. + acl aclname src ip-address/netmask ... (clients IP address) + acl aclname src addr1-addr2/netmask ... (range of addresses) + acl aclname dst ip-address/netmask ... (URL host's IP address) + acl aclname myip ip-address/netmask ... (local socket IP address) - NAME: negative_dns_ttl - COMMENT: time-units - TYPE: time_t - LOC: Config.negativeDnsTtl - DEFAULT: 5 minutes - DOC_START - Time-to-Live (TTL) for negative caching of failed DNS lookups. - DOC_END - - NAME: range_offset_limit - COMMENT: (bytes) - TYPE: b_size_t - LOC: Config.rangeOffsetLimit - DEFAULT: 0 KB - DOC_START - Sets a upper limit on how far into the the file a Range request - may be to cause Squid to prefetch the whole file. If beyond this - limit then Squid forwards the Range request as it is and the result - is NOT cached. - - This is to stop a far ahead range request (lets say start at 17MB) - from making Squid fetch the whole object up to that point before - sending anything to the client. - - A value of -1 causes Squid to always fetch the object from the - beginning so that it may cache the result. 
(2.0 style) - - A value of 0 causes Squid to never fetch more than the - client requested. (default) - DOC_END - - - COMMENT_START - TIMEOUTS - ----------------------------------------------------------------------------- - COMMENT_END - - NAME: connect_timeout - COMMENT: time-units - TYPE: time_t - LOC: Config.Timeout.connect - DEFAULT: 2 minutes - DOC_START - Some systems (notably Linux) can not be relied upon to properly - time out connect(2) requests. Therefore the Squid process - enforces its own timeout on server connections. This parameter - specifies how long to wait for the connect to complete. The - default is two minutes (120 seconds). - DOC_END - - NAME: peer_connect_timeout - COMMENT: time-units - TYPE: time_t - LOC: Config.Timeout.peer_connect - DEFAULT: 30 seconds - DOC_START - This parameter specifies how long to wait for a pending TCP - connection to a peer cache. The default is 30 seconds. You - may also set different timeout values for individual neighbors - with the 'connect-timeout' option on a 'cache_peer' line. - DOC_END - - NAME: read_timeout - COMMENT: time-units - TYPE: time_t - LOC: Config.Timeout.read - DEFAULT: 15 minutes - DOC_START - The read_timeout is applied on server-side connections. After - each successful read(), the timeout will be extended by this - amount. If no data is read again after this amount of time, - the request is aborted and logged with ERR_READ_TIMEOUT. The - default is 15 minutes. - DOC_END - - - NAME: request_timeout - TYPE: time_t - LOC: Config.Timeout.request - DEFAULT: 5 minutes - DOC_START - How long to wait for an HTTP request after initial - connection establishment. - DOC_END - - - NAME: persistent_request_timeout - TYPE: time_t - LOC: Config.Timeout.persistent_request - DEFAULT: 1 minute - DOC_START - How long to wait for the next HTTP request on a persistent - connection after the previous request completes. 
- DOC_END - - - NAME: client_lifetime - COMMENT: time-units - TYPE: time_t - LOC: Config.Timeout.lifetime - DEFAULT: 1 day - DOC_START - The maximum amount of time that a client (browser) is allowed to - remain connected to the cache process. This protects the Cache - from having a lot of sockets (and hence file descriptors) tied up - in a CLOSE_WAIT state from remote clients that go away without - properly shutting down (either because of a network failure or - because of a poor client implementation). The default is one - day, 1440 minutes. - - NOTE: The default value is intended to be much larger than any - client would ever need to be connected to your cache. You - should probably change client_lifetime only as a last resort. - If you seem to have many client connections tying up - filedescriptors, we recommend first tuning the read_timeout, - request_timeout, persistent_request_timeout and quick_abort values. - DOC_END - - NAME: half_closed_clients - TYPE: onoff - LOC: Config.onoff.half_closed_clients - DEFAULT: on - DOC_START - Some clients may shutdown the sending side of their TCP - connections, while leaving their receiving sides open. Sometimes, - Squid can not tell the difference between a half-closed and a - fully-closed TCP connection. By default, half-closed client - connections are kept open until a read(2) or write(2) on the - socket returns an error. Change this option to 'off' and Squid - will immediately close client connections when read(2) returns - "no more data to read." - DOC_END - - NAME: pconn_timeout - TYPE: time_t - LOC: Config.Timeout.pconn - DEFAULT: 120 seconds - DOC_START - Timeout for idle persistent connections to servers and other - proxies. - DOC_END - - NAME: ident_timeout - TYPE: time_t - IFDEF: USE_IDENT - LOC: Config.Timeout.ident - DEFAULT: 10 seconds - DOC_START - Maximum time to wait for IDENT lookups to complete. 
- - If this is too high, and you enabled IDENT lookups from untrusted - users, then you might be susceptible to denial-of-service by having - many ident requests going at once. - DOC_END - - - NAME: shutdown_lifetime - COMMENT: time-units - TYPE: time_t - LOC: Config.shutdownLifetime - DEFAULT: 30 seconds - DOC_START - When SIGTERM or SIGHUP is received, the cache is put into - "shutdown pending" mode until all active sockets are closed. - This value is the lifetime to set for all open descriptors - during shutdown mode. Any active clients after this many - seconds will receive a 'timeout' message. - DOC_END - - COMMENT_START - ACCESS CONTROLS - ----------------------------------------------------------------------------- - COMMENT_END - - NAME: acl - TYPE: acl - LOC: Config.aclList - DEFAULT: none - DOC_START - Defining an Access List - - acl aclname acltype string1 ... - acl aclname acltype "file" ... - - when using "file", the file should contain one item per line - - acltype is one of the types described below - - By default, regular expressions are CASE-SENSITIVE. To make - them case-insensitive, use the -i option. - - acl aclname src ip-address/netmask ... (clients IP address) - acl aclname src addr1-addr2/netmask ... (range of addresses) - acl aclname dst ip-address/netmask ... (URL host's IP address) - acl aclname myip ip-address/netmask ... (local socket IP address) - - acl aclname srcdomain .foo.com ... # reverse lookup, client IP - acl aclname dstdomain .foo.com ... # Destination server from URL - acl aclname srcdom_regex [-i] xxx ... # regex matching client name - acl aclname dstdom_regex [-i] xxx ... # regex matching server + acl aclname srcdomain .foo.com ... # reverse lookup, client IP + acl aclname dstdomain .foo.com ... # Destination server from URL + acl aclname srcdom_regex [-i] xxx ... # regex matching client name + acl aclname dstdom_regex [-i] xxx ... 
# regex matching server # For dstdomain and dstdom_regex a reverse lookup is tried if a IP # based URL is used. The name "none" is used if the reverse lookup # fails. - acl aclname time [day-abbrevs] [h1:m1-h2:m2] - - day-abbrevs: - S - Sunday - M - Monday - T - Tuesday - W - Wednesday - H - Thursday - F - Friday - A - Saturday - - h1:m1 must be less than h2:m2 - - acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL - acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path - acl aclname port 80 70 21 ... - acl aclname port 0-1024 ... # ranges allowed - acl aclname myport 3128 ... # (local socket TCP port) - acl aclname proto HTTP FTP ... - acl aclname method GET POST ... - acl aclname browser [-i] regexp ... -# pattern match on User-Agent header - acl aclname referer_regex [-i] regexp ... -# pattern match on Referer header + acl aclname time [day-abbrevs] [h1:m1-h2:m2] + day-abbrevs: + S - Sunday + M - Monday + T - Tuesday + W - Wednesday + H - Thursday + F - Friday + A - Saturday + h1:m1 must be less than h2:m2 + acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL + acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path + acl aclname port 80 70 21 ... + acl aclname port 0-1024 ... # ranges allowed + acl aclname myport 3128 ... # (local socket TCP port) + acl aclname proto HTTP FTP ... + acl aclname method GET POST ... + acl aclname browser [-i] regexp ... + # pattern match on User-Agent header + acl aclname referer_regex [-i] regexp ... + # pattern match on Referer header # Referer is highly unreliable, so use with care - acl aclname ident username ... - acl aclname ident_regex [-i] pattern ... -# string match on ident output. + acl aclname ident username ... + acl aclname ident_regex [-i] pattern ... + # string match on ident output. # use REQUIRED to accept any non-null ident. - acl aclname src_as number ... - acl aclname dst_as number ... 
-# Except for access control, AS numbers can be used for + acl aclname src_as number ... + acl aclname dst_as number ... + # Except for access control, AS numbers can be used for # routing of requests to specific caches. Here's an # example for routing all requests for AS#1241 and only # those to mycache.mydomain.net: @@ -2407,9 +2353,9 @@ NOCOMMENT_START # cache_peer_access mycache.mydomain.net allow asexample # cache_peer_access mycache_mydomain.net deny all - acl aclname proxy_auth [-i] username ... - acl aclname proxy_auth_regex [-i] pattern ... -# list of valid usernames + acl aclname proxy_auth [-i] username ... + acl aclname proxy_auth_regex [-i] pattern ... + # list of valid usernames # use REQUIRED to accept any valid username. # # NOTE: when a Proxy-Authentication header is sent but it is not @@ -2424,18 +2370,18 @@ NOCOMMENT_START # the browser needs to be configured for using a proxy in order # to respond to proxy authentication. - acl aclname snmp_community string ... -# A community string to limit access to your SNMP Agent + acl aclname snmp_community string ... + # A community string to limit access to your SNMP Agent # Example: # # acl snmppublic snmp_community public - acl aclname maxconn number -# This will be matched when the client's IP address has + acl aclname maxconn number + # This will be matched when the client's IP address has # more than HTTP connections established. - acl aclname max_user_ip [-s] number -# This will be matched when the user attempts to log in from more + acl aclname max_user_ip [-s] number + # This will be matched when the user attempts to log in from more # than different ip addresses. The authenticate_ip_ttl # parameter controls the timeout on the ip entries. # If -s is specified then the limit is strict, denying browsing
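Review bot: the `max_user_ip` text kept as unchanged context at the end of the last hunk still points the reader at a directive this same patch deletes: "The authenticate_ip_ttl parameter controls the timeout on the ip entries" survives, while the whole `- NAME: authenticate_ip_ttl` / `- LOC: Config.authenticateIpTTL` entry is removed, together with `authenticate_ttl`, `authenticate_cache_garbage_interval`, `external_acl_type` and the `client_lifetime`, `half_closed_clients`, `pconn_timeout`, `ident_timeout` and `shutdown_lifetime` entries, and no `+` lines re-adding any of them appear anywhere in the diff as shown. If these entries are being moved elsewhere in cf.data.pre, the destination hunk is missing from this commit; if they are really being dropped, the `Config.*` LOC fields they drive and the `max_user_ip` cross-reference are left dangling, and the shipped squid.conf loses its documentation for every connection timeout (including the ident_timeout warning about denial-of-service from many concurrent IDENT lookups). The commit message gives no intent for the deletions, so please either restore the entries or state why they go.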
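Review bot: in the `@@ -2407,9 +2353,9 @@` and `@@ -2424,18 +2370,18 @@` hunks the `-#` comment lines are rewritten as `+ #` so they line up with the re-indented `acl aclname ...` lines, but several neighbouring comment lines in the same DOC_START block are left as unchanged context at their old position ("# For dstdomain and dstdom_regex a reverse lookup is tried if a IP based URL is used.", "# Referer is highly unreliable, so use with care", "# use REQUIRED to accept any non-null ident.", "# use REQUIRED to accept any valid username.", "# acl snmppublic snmp_community public"). Either those already had the target indentation or they were missed; since this block is emitted verbatim into the generated squid.conf, mixed indentation inside one directive's documentation is visible to every administrator, so please check the generated file before committing and, while here, fix "a IP based URL" to "an IP-based URL" in the dstdomain comment.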
