From: robertc <> Date: Tue, 20 May 2003 18:17:38 +0000 (+0000) Subject: Summary: Merge in external acl refactoring and tagged delay pools. X-Git-Tag: SQUID_3_0_PRE1~177 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1e5562e38ca48d8bf81a6049de49afbc0547de23;p=thirdparty%2Fsquid.git Summary: Merge in external acl refactoring and tagged delay pools. Keywords: Patches applied: * robertc@squid-cache.org--squid/squid--tagged-pools--3.0--patch-5 Enable class 5 pools. * robertc@squid-cache.org--squid/squid--tagged-pools--3.0--patch-4 Implement tag associated delay pools. * robertc@squid-cache.org--squid/squid--tagged-pools--3.0--patch-3 Refactoring external acl. * robertc@squid-cache.org--squid/squid--tagged-pools--3.0--patch-2 Extract ExternalACLState to separate files. * robertc@squid-cache.org--squid/squid--tagged-pools--3.0--patch-1 Create a tagging method for external acl replies. * robertc@squid-cache.org--squid/squid--tagged-pools--3.0--base-0 tag of robertc@squid-cache.org--squid/squid--HEAD--3.0--patch-171 --- diff --git a/src/ACLChecklist.h b/src/ACLChecklist.h index 82694d7787..e2dccb4770 100644 --- a/src/ACLChecklist.h +++ b/src/ACLChecklist.h @@ -1,6 +1,6 @@ /* - * $Id: ACLChecklist.h,v 1.10 2003/05/19 09:11:31 robertc Exp $ + * $Id: ACLChecklist.h,v 1.11 2003/05/20 12:17:38 robertc Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -36,6 +36,8 @@ #include "typedefs.h" +class ExternalACLEntry; + class ACLChecklist { @@ -126,7 +128,7 @@ class NullState : public AsyncState PF *callback; void *callback_data; - external_acl_entry *extacl_entry; + ExternalACLEntry *extacl_entry; bool destinationDomainChecked() const; void markDestinationDomainChecked(); bool sourceDomainChecked() const; diff --git a/src/CompositePoolNode.h b/src/CompositePoolNode.h index 6a5dc4702a..d034c73000 100644 --- a/src/CompositePoolNode.h +++ b/src/CompositePoolNode.h @@ -1,6 +1,6 @@ /* - * $Id: CompositePoolNode.h,v 1.3 2003/03/04 01:40:25 robertc Exp $ + * $Id: CompositePoolNode.h,v 1.4 2003/05/20 12:17:38 robertc Exp $ * * DEBUG: section 77 Delay Pools * AUTHOR: Robert Collins @@ -67,9 +67,21 @@ public: virtual void update(int incr) =0; virtual void parse() = 0; - virtual DelayIdComposite::Pointer id(struct in_addr &src_addr, AuthUserRequest *) = 0; + class CompositeSelectionDetails; + virtual DelayIdComposite::Pointer id(CompositeSelectionDetails &) = 0; void delayRead(DeferredRead const &); + class CompositeSelectionDetails + { + + public: + CompositeSelectionDetails() {} + + struct in_addr src_addr; + AuthUserRequest *user; + String tag; + }; + protected: void kickReads(); DeferredReadManager deferredReads; diff --git a/src/DelayConfig.cc b/src/DelayConfig.cc index 9618c5bce4..a3d72aafc3 100644 --- a/src/DelayConfig.cc +++ b/src/DelayConfig.cc @@ -1,6 +1,6 @@ /* - * $Id: DelayConfig.cc,v 1.5 2003/03/08 09:43:49 robertc Exp $ + * $Id: DelayConfig.cc,v 1.6 2003/05/20 12:17:38 robertc Exp $ * * DEBUG: section 77 Delay Pools * AUTHOR: Robert Collins @@ -71,8 +71,8 @@ DelayConfig::parsePoolClass() ushort delay_class_; ConfigParser::ParseUShort(&delay_class_); - if (delay_class_ < 1 || delay_class_ > 4) { - debug(3, 0) ("parse_delay_pool_class: Ignoring pool %d class %d not in 1 .. 4\n", pool, delay_class_); + if (delay_class_ < 1 || delay_class_ > 5) { + debug(3, 0) ("parse_delay_pool_class: Ignoring pool %d class %d not in 1 .. 5\n", pool, delay_class_); return; } diff --git a/src/DelayId.cc b/src/DelayId.cc index 8201fc01ce..be3ea7685f 100644 --- a/src/DelayId.cc +++ b/src/DelayId.cc @@ -1,6 +1,6 @@ /* - * $Id: DelayId.cc,v 1.9 2003/05/17 22:54:29 robertc Exp $ + * $Id: DelayId.cc,v 1.10 2003/05/20 12:17:38 robertc Exp $ * * DEBUG: section 77 Delay Pools * AUTHOR: Robert Collins @@ -117,7 +117,11 @@ DelayId::DelayClient(clientHttpRequest * http) if (DelayPools::delay_data[pool].theComposite().getRaw() && aclCheckFast(DelayPools::delay_data[pool].access, &ch)) { DelayId result (pool + 1); - result.compositePosition(DelayPools::delay_data[pool].theComposite()->id(ch.src_addr, r->auth_user_request)); + CompositePoolNode::CompositeSelectionDetails details; + details.src_addr = ch.src_addr; + details.user = r->auth_user_request; + details.tag = r->tag; + result.compositePosition(DelayPools::delay_data[pool].theComposite()->id(details)); return result; } } diff --git a/src/DelayTagged.cc b/src/DelayTagged.cc new file mode 100644 index 0000000000..25c3bb8950 --- /dev/null +++ b/src/DelayTagged.cc @@ -0,0 +1,245 @@ + +/* + * $Id: DelayTagged.cc,v 1.1 2003/05/20 12:17:38 robertc Exp $ + * + * DEBUG: section 77 Delay Pools + * AUTHOR: Robert Collins + * + * SQUID Web Proxy Cache http://www.squid-cache.org/ + * ---------------------------------------------------------- + * + * Squid is the result of efforts by numerous individuals from + * the Internet community; see the CONTRIBUTORS file for full + * details. Many organizations have provided support for Squid's + * development; see the SPONSORS file for full details. Squid is + * Copyrighted (C) 2001 by the Regents of the University of + * California; see the COPYRIGHT file for full details. Squid + * incorporates software developed and/or copyrighted by other + * sources; see the CREDITS file for full details. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. + * + * + * Copyright (c) 2003, Robert Collins + */ + +#include "config.h" + +#if DELAY_POOLS +#include "squid.h" +#include "DelayTagged.h" +#include "authenticate.h" +#include "NullDelayId.h" +#include "Store.h" + +void * +DelayTagged::operator new(size_t size) +{ + DelayPools::MemoryUsed += sizeof (DelayTagged); + return ::operator new (size); +} + +void +DelayTagged::operator delete (void *address) +{ + DelayPools::MemoryUsed -= sizeof (DelayTagged); + ::operator delete (address); +} + +void +DelayTagged::deleteSelf() const +{ + delete this; +} + +DelayTagged::DelayTagged() +{ + DelayPools::registerForUpdates (this); +} + +static SplayNode::SPLAYFREE DelayTaggedFree; + +DelayTagged::~DelayTagged() +{ + DelayPools::deregisterForUpdates (this); + buckets.head->destroy (DelayTaggedFree); +} + +static SplayNode::SPLAYCMP DelayTaggedCmp; + +int +DelayTaggedCmp(DelayTaggedBucket::Pointer const &left, DelayTaggedBucket::Pointer const &right) +{ + /* for rate limiting, case insensitive */ + return left->tag.caseCmp(right->tag.buf()); +} + +void +DelayTaggedFree(DelayTaggedBucket::Pointer &) +{} + +void +DelayTaggedStatsWalkee(DelayTaggedBucket::Pointer const ¤t, void *state) +{ + current->stats ((StoreEntry *)state); +} + +void +DelayTagged::stats(StoreEntry * sentry) +{ + spec.stats (sentry, "Per Tag"); + + if (spec.restore_bps == -1) + return; + + storeAppendPrintf(sentry, "\t\tCurrent: "); + + if (!buckets.head) { + storeAppendPrintf (sentry, "Not used yet.\n\n"); + return; + } + + buckets.head->walk(DelayTaggedStatsWalkee, sentry); + storeAppendPrintf(sentry, "\n\n"); +} + +void +DelayTagged::dump(StoreEntry *entry) const +{ + spec.dump(entry); +} + +struct DelayTaggedUpdater +{ + DelayTaggedUpdater (DelaySpec &_spec, int _incr):spec(_spec),incr(_incr){}; + + DelaySpec spec; + int incr; +}; + +void +DelayTaggedUpdateWalkee(DelayTaggedBucket::Pointer const ¤t, void *state) +{ + DelayTaggedUpdater *t = (DelayTaggedUpdater *)state; + /* This doesn't change the value of the DelayTaggedBucket, so is safe */ + const_cast(current.getRaw())->theBucket.update(t->spec, t->incr); +} + +void +DelayTagged::update(int incr) +{ + DelayTaggedUpdater updater(spec, incr); + buckets.head->walk (DelayTaggedUpdateWalkee, &updater); +} + +void +DelayTagged::parse() +{ + spec.parse(); +} + +DelayIdComposite::Pointer + +DelayTagged::id(CompositePoolNode::CompositeSelectionDetails &details) +{ + if (!details.tag.size()) + return new NullDelayId; + + return new Id(this, details.tag); +} + +void * +DelayTagged::Id::operator new(size_t size) +{ + DelayPools::MemoryUsed += sizeof (Id); + return ::operator new (size); +} + +void +DelayTagged::Id::operator delete (void *address) +{ + DelayPools::MemoryUsed -= sizeof (Id); + ::operator delete (address); +} + +void +DelayTagged::Id::deleteSelf() const +{ + delete this; +} + +void * +DelayTaggedBucket::operator new(size_t size) +{ + DelayPools::MemoryUsed += sizeof (DelayTaggedBucket); + return ::operator new (size); +} + +void +DelayTaggedBucket::operator delete (void *address) +{ + DelayPools::MemoryUsed -= sizeof (DelayTaggedBucket); + ::operator delete (address); +} + +DelayTaggedBucket::DelayTaggedBucket(String &aTag) : tag (aTag) +{ + debug (77,3) ("DelayTaggedBucket::DelayTaggedBucket\n"); +} + +DelayTaggedBucket::~DelayTaggedBucket() +{ + debug (77,3) ("DelayTaggedBucket::~DelayTaggedBucket\n"); +} + +void +DelayTaggedBucket::stats (StoreEntry *entry) const +{ + storeAppendPrintf(entry, " %s:", tag.buf()); + theBucket.stats (entry); +} + +DelayTagged::Id::Id(DelayTagged::Pointer aDelayTagged, String &aTag) : theTagged(aDelayTagged) +{ + theBucket = new DelayTaggedBucket(aTag); + DelayTaggedBucket::Pointer const *existing = theTagged->buckets.find(theBucket, DelayTaggedCmp); + + if (existing) { + theBucket = *existing; + return; + } + + theBucket->theBucket.init(theTagged->spec); + theTagged->buckets.head = theTagged->buckets.head->insert (theBucket, DelayTaggedCmp); +} + +DelayTagged::Id::~Id() +{ + debug (77,3) ("DelayTagged::Id::~Id\n"); +} + +int +DelayTagged::Id::bytesWanted (int min, int max) const +{ + return theBucket->theBucket.bytesWanted(min,max); +} + +void +DelayTagged::Id::bytesIn(int qty) +{ + theBucket->theBucket.bytesIn(qty); +} + +#endif diff --git a/src/DelayTagged.h b/src/DelayTagged.h new file mode 100644 index 0000000000..1a4c73eec6 --- /dev/null +++ b/src/DelayTagged.h @@ -0,0 +1,110 @@ + +/* + * $Id: DelayTagged.h,v 1.1 2003/05/20 12:17:38 robertc Exp $ + * + * DEBUG: section 77 Delay Pools + * AUTHOR: Robert Collins + * + * SQUID Web Proxy Cache http://www.squid-cache.org/ + * ---------------------------------------------------------- + * + * Squid is the result of efforts by numerous individuals from + * the Internet community; see the CONTRIBUTORS file for full + * details. Many organizations have provided support for Squid's + * development; see the SPONSORS file for full details. Squid is + * Copyrighted (C) 2001 by the Regents of the University of + * California; see the COPYRIGHT file for full details. Squid + * incorporates software developed and/or copyrighted by other + * sources; see the CREDITS file for full details. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. + * + * + * Copyright (c) 2003, Robert Collins + */ + +#include "config.h" + +#ifndef DELAYTAGGED_H +#define DELAYTAGGED_H + +#include "squid.h" +#include "authenticate.h" +#include "CompositePoolNode.h" +#include "DelayIdComposite.h" +#include "DelayBucket.h" +#include "DelaySpec.h" +#include "Array.h" +#include "splay.h" + +class DelayTaggedBucket : public RefCountable +{ + +public: + typedef RefCount Pointer; + void *operator new(size_t); + void operator delete (void *); + virtual void deleteSelf() const {delete this;} + + void stats(StoreEntry *)const; + DelayTaggedBucket(String &aTag); + ~DelayTaggedBucket(); + DelayBucket theBucket; + String tag; +}; + +class DelayTagged : public CompositePoolNode +{ + +public: + typedef RefCount Pointer; + void *operator new(size_t); + void operator delete (void *); + virtual void deleteSelf() const; + DelayTagged(); + virtual ~DelayTagged(); + virtual void stats(StoreEntry * sentry); + virtual void dump(StoreEntry *entry) const; + virtual void update(int incr); + virtual void parse(); + + virtual DelayIdComposite::Pointer id(CompositeSelectionDetails &); + +private: + +class Id:public DelayIdComposite + { + + public: + void *operator new(size_t); + void operator delete (void *); + virtual void deleteSelf() const; + Id (DelayTagged::Pointer, String &); + ~Id(); + virtual int bytesWanted (int min, int max) const; + virtual void bytesIn(int qty); + + private: + DelayTagged::Pointer theTagged; + DelayTaggedBucket::Pointer theBucket; + }; + + friend class Id; + + DelaySpec spec; + Splay buckets; +}; + +#endif /* DELAYTAGGED_H */ diff --git a/src/DelayUser.cc b/src/DelayUser.cc index 316eba9e86..82fd35de76 100644 --- a/src/DelayUser.cc +++ b/src/DelayUser.cc @@ -1,6 +1,6 @@ /* - * $Id: DelayUser.cc,v 1.4 2003/02/21 22:50:05 robertc Exp $ + * $Id: DelayUser.cc,v 1.5 2003/05/20 12:17:38 robertc Exp $ * * DEBUG: section 77 Delay Pools * AUTHOR: Robert Collins @@ -151,13 +151,12 @@ DelayUser::parse() } DelayIdComposite::Pointer - -DelayUser::id(struct in_addr &src_addr, AuthUserRequest *authRequest) +DelayUser::id(CompositePoolNode::CompositeSelectionDetails &details) { - if (!authRequest) + if (!details.user) return new NullDelayId; - return new Id(this, authRequest->auth_user); + return new Id(this, details.user->auth_user); } void * diff --git a/src/DelayUser.h b/src/DelayUser.h index 9973467e1b..5a3caea621 100644 --- a/src/DelayUser.h +++ b/src/DelayUser.h @@ -1,6 +1,6 @@ /* - * $Id: DelayUser.h,v 1.4 2003/03/06 11:51:55 robertc Exp $ + * $Id: DelayUser.h,v 1.5 2003/05/20 12:17:38 robertc Exp $ * * DEBUG: section 77 Delay Pools * AUTHOR: Robert Collins @@ -80,7 +80,7 @@ public: virtual void update(int incr); virtual void parse(); - virtual DelayIdComposite::Pointer id(struct in_addr &src_addr, AuthUserRequest *); + virtual DelayIdComposite::Pointer id(CompositeSelectionDetails &); private: diff --git a/src/DelayVector.cc b/src/DelayVector.cc index dde2aae886..b04cd417c8 100644 --- a/src/DelayVector.cc +++ b/src/DelayVector.cc @@ -1,6 +1,6 @@ /* - * $Id: DelayVector.cc,v 1.7 2003/05/19 09:11:30 robertc Exp $ + * $Id: DelayVector.cc,v 1.8 2003/05/20 12:17:38 robertc Exp $ * * DEBUG: section 77 Delay Pools * AUTHOR: Robert Collins @@ -119,10 +119,9 @@ DelayVector::parse() } DelayIdComposite::Pointer - -DelayVector::id(struct in_addr &src_addr, AuthUserRequest *authUser) +DelayVector::id(CompositeSelectionDetails &details) { - return new Id(this, src_addr, authUser); + return new Id(this, details); } void @@ -151,14 +150,13 @@ DelayVector::Id::deleteSelf() const delete this; } -DelayVector::Id::Id(DelayVector::Pointer aDelayVector,struct in_addr &src_addr, AuthUserRequest *authUser) : theVector(aDelayVector) +DelayVector::Id::Id(DelayVector::Pointer aDelayVector, CompositeSelectionDetails &details) : theVector(aDelayVector) { debug(77,3)("DelayVector::Id::Id\n"); DelayVector::iterator pos = theVector->pools.begin(); - while (pos != theVector->pools.end()) - { - ids.push_back ((*pos)->id (src_addr, authUser)); + while (pos != theVector->pools.end()) { + ids.push_back ((*pos)->id (details)); ++pos; } } diff --git a/src/DelayVector.h b/src/DelayVector.h index d6d96c1665..ddf49b8fa3 100644 --- a/src/DelayVector.h +++ b/src/DelayVector.h @@ -1,6 +1,6 @@ /* - * $Id: DelayVector.h,v 1.6 2003/05/15 07:06:24 robertc Exp $ + * $Id: DelayVector.h,v 1.7 2003/05/20 12:17:38 robertc Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -53,7 +53,7 @@ public: virtual void update(int incr); virtual void parse(); - virtual DelayIdComposite::Pointer id(struct in_addr &src_addr, AuthUserRequest *); + virtual DelayIdComposite::Pointer id(CompositeSelectionDetails &); void push_back (CompositePoolNode::Pointer); private: @@ -66,7 +66,7 @@ class Id:public DelayIdComposite void operator delete (void *); virtual void deleteSelf() const; - Id (DelayVector::Pointer,struct in_addr &src_addr, AuthUserRequest *); + Id (DelayVector::Pointer,CompositeSelectionDetails &); ~Id(); virtual int bytesWanted (int min, int max) const; virtual void bytesIn(int qty); diff --git a/src/ExternalACL.h b/src/ExternalACL.h index ed3c2106b7..bb35bed64b 100644 --- a/src/ExternalACL.h +++ b/src/ExternalACL.h @@ -1,6 +1,6 @@ /* - * $Id: ExternalACL.h,v 1.3 2003/02/25 12:22:34 robertc Exp $ + * $Id: ExternalACL.h,v 1.4 2003/05/20 12:17:38 robertc Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -38,6 +38,8 @@ #include "ACL.h" #include "ACLChecklist.h" +class external_acl; + class ExternalACLLookup : public ACLChecklist::AsyncState { diff --git a/src/ExternalACLEntry.cc b/src/ExternalACLEntry.cc new file mode 100644 index 0000000000..486b2cc0f9 --- /dev/null +++ b/src/ExternalACLEntry.cc @@ -0,0 +1,106 @@ + +/* + * $Id: ExternalACLEntry.cc,v 1.1 2003/05/20 12:17:38 robertc Exp $ + * + * DEBUG: section 82 External ACL + * AUTHOR: Henrik Nordstrom, MARA Systems AB + * + * SQUID Web Proxy Cache http://www.squid-cache.org/ + * ---------------------------------------------------------- + * + * The contents of this file is Copyright (C) 2002 by MARA Systems AB, + * Sweden, unless otherwise is indicated in the specific function. The + * author gives his full permission to include this file into the Squid + * software product under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * Squid is the result of efforts by numerous individuals from + * the Internet community; see the CONTRIBUTORS file for full + * details. Many organizations have provided support for Squid's + * development; see the SPONSORS file for full details. Squid is + * Copyrighted (C) 2001 by the Regents of the University of + * California; see the COPYRIGHT file for full details. Squid + * incorporates software developed and/or copyrighted by other + * sources; see the CREDITS file for full details. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. + * + * Copyright (c) 2003, Robert Collins + */ + +#include "squid.h" +#include "ExternalACLEntry.h" + +/****************************************************************** + * external_acl cache + */ + +CBDATA_CLASS_INIT(ExternalACLEntry); + +void * +ExternalACLEntry::operator new (size_t byteCount) +{ + /* derived classes with different sizes must implement their own new */ + assert (byteCount == sizeof (ExternalACLEntry)); + CBDATA_INIT_TYPE(ExternalACLEntry); + return cbdataAlloc(ExternalACLEntry); +} + +void +ExternalACLEntry::operator delete (void *address) +{ + cbdataFree (address); +} + +void +ExternalACLEntry::deleteSelf() const +{ + delete this; +} + +ExternalACLEntry::ExternalACLEntry() +{ + lru.next = lru.prev = NULL; + result = 0; + date = 0; + user = NULL; + error = NULL; + def = NULL; +} + +ExternalACLEntry::~ExternalACLEntry() +{ + safe_free(key); + safe_free(user); + safe_free(error); +} + +void +ExternalACLEntry::update(ExternalACLEntryData const &someData) +{ + date = squid_curtime; + result = someData.result; + safe_free(user); + safe_free(error); + + if (someData.user) + user = xstrdup(someData.user); + + if (someData.error) + error = xstrdup(someData.error); + + tag = someData.tag; +} diff --git a/src/ExternalACLEntry.h b/src/ExternalACLEntry.h new file mode 100644 index 0000000000..325a58c9e9 --- /dev/null +++ b/src/ExternalACLEntry.h @@ -0,0 +1,99 @@ + +/* + * $Id: ExternalACLEntry.h,v 1.1 2003/05/20 12:17:38 robertc Exp $ + * + * DEBUG: section 82 External ACL + * AUTHOR: Henrik Nordstrom, MARA Systems AB + * + * SQUID Web Proxy Cache http://www.squid-cache.org/ + * ---------------------------------------------------------- + * + * The contents of this file is Copyright (C) 2002 by MARA Systems AB, + * Sweden, unless otherwise is indicated in the specific function. The + * author gives his full permission to include this file into the Squid + * software product under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * Squid is the result of efforts by numerous individuals from + * the Internet community; see the CONTRIBUTORS file for full + * details. Many organizations have provided support for Squid's + * development; see the SPONSORS file for full details. Squid is + * Copyrighted (C) 2001 by the Regents of the University of + * California; see the COPYRIGHT file for full details. Squid + * incorporates software developed and/or copyrighted by other + * sources; see the CREDITS file for full details. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. + * + * Copyright (c) 2003, Robert Collins + */ + +#ifndef SQUID_EXTERNALACLENTRY_H +#define SQUID_EXTERNALACLENTRY_H + +/****************************************************************** + * ExternalACLEntryData + * Core data that ExternalACLEntry manages. + * Not meant to be used as remote storage at any point: + * stack or static or composition use only. + */ + +class ExternalACLEntryData +{ + +public: + ExternalACLEntryData() : result (-1) , user(NULL) , error (NULL){} + + // ExternalACLEntryData(int anInt, char const *aUser, char const *anError) : result (anInt), user(aUser),error(anError) {} + int result; + char const *user; + char const *error; + String tag; +}; + + +/******************************************************************* + * external_acl cache entry + * Used opaqueue in the interface + */ + +class ExternalACLEntry: public hash_link +{ + +public: + void *operator new (size_t bytesToAllocate); + void operator delete (void *address); + void deleteSelf() const; + + ExternalACLEntry(); + ~ExternalACLEntry(); + + void update(ExternalACLEntryData const &); + dlink_node lru; + int result; + time_t date; + char *user; + char *error; + String tag; + external_acl *def; + +private: + CBDATA_CLASS(ExternalACLEntry); +}; + +typedef class ExternalACLEntry external_acl_entry; + +#endif diff --git a/src/Makefile.am b/src/Makefile.am index 43867fd3c2..5b3ba76450 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1,7 +1,7 @@ # # Makefile for the Squid Object Cache server # -# $Id: Makefile.am,v 1.75 2003/05/18 00:04:07 robertc Exp $ +# $Id: Makefile.am,v 1.76 2003/05/20 12:17:38 robertc Exp $ # # Uncomment and customize the following to suit your needs: # @@ -9,762 +9,798 @@ if USE_DNSSERVER DNSSOURCE = dns.cc -DNSSERVER = dnsserver -else -DNSSOURCE = dns_internal.cc -DNSSERVER = -endif - -if USE_SNMP -SNMPSOURCE = snmp_core.cc snmp_agent.cc -else -SNMPSOURCE = -endif - -DELAY_POOL_ALL_SOURCE = \ - CommonPool.h \ - CompositePoolNode.h \ - delay_pools.cc \ - DelayId.cc \ - DelayId.h \ - DelayIdComposite.h \ - DelayBucket.cc \ - DelayBucket.h \ - DelayConfig.cc \ - DelayConfig.h \ - DelayPool.cc \ - DelayPool.h \ - DelayPools.h \ - DelaySpec.cc \ - DelaySpec.h \ - DelayUser.cc \ - DelayUser.h \ - DelayVector.cc \ - DelayVector.h \ - NullDelayId.cc \ - NullDelayId.h -if USE_DELAY_POOLS -DELAY_POOL_SOURCE = $(DELAY_POOL_ALL_SOURCE) -else -DELAY_POOL_SOURCE = -endif - -ESI_ALL_SOURCE = \ - ElementList.h \ - ESI.cc \ - ESI.h \ - ESIAttempt.h \ - ESIContext.cc \ - ESIContext.h \ - ESICustomParser.cc \ - ESICustomParser.h \ - ESIElement.h \ - ESIExcept.h \ - ESIExpatParser.cc \ - ESIExpatParser.h \ - ESIExpression.cc \ - ESILiteral.h \ - ESIParser.cc \ - ESIParser.h \ - ESISegment.cc \ - ESISegment.h \ - ESISequence.cc \ - ESISequence.h -if USE_ESI - ESI_SOURCE = $(ESI_ALL_SOURCE) -else - ESI_SOURCE = -endif - -if ENABLE_XPROF_STATS -XPROF_STATS_SOURCE = ProfStats.cc -else -XPROF_STATS_SOURCE = -endif - -if ENABLE_HTCP -HTCPSOURCE = htcp.cc -endif - -if MAKE_LEAKFINDER -LEAKFINDERSOURCE = leakfinder.cc -else -LEAKFINDERSOURCE = -endif - -if ENABLE_UNLINKD -UNLINKDSOURCE = unlinkd.cc -UNLINKD = unlinkd -else -UNLINKDSOURCE = -UNLINKD = -endif - -if ENABLE_PINGER -PINGER = pinger -else -PINGER = -endif - -SSL_ALL_SOURCE = \ - ACLCertificateData.cc \ - ACLCertificateData.h \ - ACLCertificate.cc \ - ACLCertificate.h \ - ssl_support.cc \ - ssl_support.h -if ENABLE_SSL -SSL_SOURCE = $(SSL_ALL_SOURCE) -else -SSL_SOURCE = -endif - -if ENABLE_WIN32SPECIFIC -WIN32SOURCE = win32.cc -else -WIN32SOURCE = -endif - -IDENT_ALL_SOURCE = ACLIdent.cc ACLIdent.h ident.cc -if ENABLE_IDENT -IDENT_SOURCE = $(IDENT_ALL_SOURCE) -else -IDENT_SOURCE = -endif - -ARP_ACL_ALL_SOURCE = ACLARP.cc ACLARP.h -if ENABLE_ARP_ACL -ARP_ACL_SOURCE = $(ARP_ACL_ALL_SOURCE) -else -ARP_ACL_SOURCE = -endif - -AM_CFLAGS = @SQUID_CFLAGS@ -AM_CXXFLAGS = @SQUID_CXXFLAGS@ - -SUBDIRS = fs repl auth - -INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir)/lib/libTrie/include - -EXTRA_PROGRAMS = \ - unlinkd \ - pinger \ - dnsserver \ - recv-announce \ - ufsdump - -noinst_PROGRAMS = \ - cf_gen - -sbin_PROGRAMS = \ - squid - -bin_PROGRAMS = \ - squidclient - - -libexec_PROGRAMS = \ - $(PINGER) \ - $(DNSSERVER) \ - $(UNLINKD) \ - cachemgr$(CGIEXT) - -cf_gen_SOURCES = cf_gen.cc defines.h -nodist_cf_gen_HEADER = cf_gen_defines.h -cf_gen.$(OBJEXT): cf_gen_defines.h -squidclient_SOURCES = client.cc -cachemgr__CGIEXT__SOURCES = cachemgr.cc - -EXTRA_squid_SOURCES = \ - $(ARP_ACL_ALL_SOURCE) \ - $(DELAY_POOL_ALL_SOURCE) \ - dns.cc \ - dnsserver.cc \ - dns_internal.cc \ - htcp.cc \ - $(IDENT_ALL_SOURCE) \ - $(ESI_ALL_SOURCE) \ - ProfStats.cc \ - leakfinder.cc \ - snmp_core.cc \ - snmp_agent.cc \ - unlinkd.cc \ - $(SSL_ALL_SOURCE) \ - win32.cc - -squid_ACLSOURCES = \ - $(ARP_ACL_SOURCE) \ - ACLASN.cc \ - ACLASN.h \ - ACLDestinationASN.h \ - ACLSourceASN.h \ - ACLBrowser.cc \ - ACLBrowser.h \ - ACLData.h \ - ACLDestinationDomain.cc \ - ACLDestinationDomain.h \ - ACLDestinationIP.cc \ - ACLDestinationIP.h \ - ACLDomainData.h \ - ACLDomainData.cc \ - ACLIntRange.cc \ - ACLIntRange.h \ - ACLIP.cc \ - ACLIP.h \ - ACLMaxConnection.cc \ - ACLMaxConnection.h \ - ACLMaxUserIP.cc \ - ACLMaxUserIP.h \ - ACLMethod.cc \ - ACLMethod.h \ - ACLMethodData.cc \ - ACLMethodData.h \ - ACLMyIP.cc \ - ACLMyIP.h \ - ACLMyPort.cc \ - ACLMyPort.h \ - ACLProtocol.cc \ - ACLProtocol.h \ - ACLProtocolData.cc \ - ACLProtocolData.h \ - ACLProxyAuth.cc \ - ACLProxyAuth.h \ - ACLReferer.cc \ - ACLReferer.h \ - ACLRegexData.cc \ - ACLRegexData.h \ - ACLReplyHeaderStrategy.h \ - ACLReplyMIMEType.cc \ - ACLReplyMIMEType.h \ - ACLRequestHeaderStrategy.h \ - ACLRequestMIMEType.cc \ - ACLRequestMIMEType.h \ - ACLSourceDomain.cc \ - ACLSourceDomain.h \ - ACLSourceIP.cc \ - ACLSourceIP.h \ - ACLStrategised.cc \ - ACLStrategised.h \ - ACLStrategy.h \ - ACLStringData.cc \ - ACLStringData.h \ - ACLTime.cc \ - ACLTime.h \ - ACLTimeData.cc \ - ACLTimeData.h \ - ACLUrl.cc \ - ACLUrl.h \ - ACLUrlPath.cc \ - ACLUrlPath.h \ - ACLUrlPort.cc \ - ACLUrlPort.h \ - ACLUserData.cc \ - ACLUserData.h - -squid_SOURCES = \ - access_log.cc \ - acl.cc \ - ACL.h \ - ACLChecklist.cc \ - ACLChecklist.h \ - $(squid_ACLSOURCES) \ - asn.cc \ - authenticate.cc \ - authenticate.h \ - cache_cf.cc \ - CacheDigest.cc \ - cache_manager.cc \ - carp.cc \ - cbdata.cc \ - client_db.cc \ - client_side.cc \ - client_side.h \ - client_side_reply.cc \ - client_side_reply.h \ - client_side_request.cc \ - client_side_request.h \ - clientStream.cc \ - clientStream.h \ - comm.cc \ - comm.h \ - comm_select.cc \ - comm_poll.cc \ - comm_kqueue.cc \ - comm_epoll.cc \ - CommRead.h \ - ConfigParser.h \ - ConnectionDetail.h \ - debug.cc \ - Debug.h \ - defines.h \ - $(DELAY_POOL_SOURCE) \ - disk.cc \ - $(DNSSOURCE) \ - enums.h \ - errorpage.cc \ - $(ESI_SOURCE) \ - ETag.cc \ - event.cc \ - external_acl.cc \ - ExternalACL.h \ - fd.cc \ - fde.cc \ - fde.h \ - filemap.cc \ - forward.cc \ - fqdncache.cc \ - ftp.cc \ - Generic.h \ - globals.h \ - gopher.cc \ - helper.cc \ - $(HTCPSOURCE) \ - http.cc \ - http.h \ - HttpStatusLine.cc \ - HttpHdrCc.cc \ - HttpHdrRange.cc \ - HttpHdrSc.cc \ - HttpHdrScTarget.cc \ - HttpHdrContRange.cc \ - HttpHdrContRange.h \ - HttpHeader.cc \ - HttpHeader.h \ - HttpHeaderRange.h \ - HttpHeaderTools.cc \ - HttpBody.cc \ - HttpMsg.cc \ - HttpReply.cc \ - HttpReply.h \ - HttpRequest.cc \ - HttpRequest.h \ - icmp.cc \ - ICP.h \ - icp_v2.cc \ - icp_v3.cc \ - $(IDENT_SOURCE) \ - int.cc \ - internal.cc \ - ipc.cc \ - ipcache.cc \ - IPInterception.cc \ - IPInterception.h \ - $(LEAKFINDERSOURCE) \ - logfile.cc \ - main.cc \ - mem.cc \ - mem_node.cc \ - mem_node.h \ - Mem.h \ - MemBuf.cc \ - MemObject.cc \ - MemObject.h \ - mime.cc \ - multicast.cc \ - neighbors.cc \ - net_db.cc \ - Packer.cc \ - $(XPROF_STATS_SOURCE) \ - pconn.cc \ - peer_digest.cc \ - peer_select.cc \ - protos.h \ - redirect.cc \ - referer.cc \ - refresh.cc \ - send-announce.cc \ - $(SNMPSOURCE) \ - squid.h \ - tunnel.cc \ - $(SSL_SOURCE) \ - stat.cc \ - StatHist.cc \ - String.cc \ - stmem.cc \ - stmem.h \ - store.cc \ - Store.h \ - store_io.cc \ - StoreIOBuffer.h \ - StoreIOState.cc \ - StoreIOState.h \ - store_client.cc \ - StoreClient.h \ - store_digest.cc \ - store_dir.cc \ - store_key_md5.cc \ - store_log.cc \ - store_rebuild.cc \ - store_swapin.cc \ - store_swapmeta.cc \ - store_swapout.cc \ - StoreMeta.cc \ - StoreMeta.h \ - StoreMetaMD5.cc \ - StoreMetaMD5.h \ - StoreMetaSTD.cc \ - StoreMetaSTD.h \ - StoreMetaUnpacker.cc \ - StoreMetaUnpacker.h \ - StoreMetaURL.cc \ - StoreMetaURL.h \ - StoreMetaVary.cc \ - StoreMetaVary.h \ - structs.h \ - SwapDir.cc \ - SwapDir.h \ - tools.cc \ - typedefs.h \ - ufscommon.cc \ - ufscommon.h \ - $(UNLINKDSOURCE) \ - url.cc \ - urn.cc \ - useragent.cc \ - wais.cc \ - wccp.cc \ - whois.cc \ - $(WIN32SOURCE) - -noinst_HEADERS = ACLChecklist.cci \ - MemBuf.cci \ - MemBuf.h \ - Store.cci \ - String.cci \ - SquidString.h \ - ufscommon.cci \ - squid_windows.h - -nodist_squid_SOURCES = \ - repl_modules.cc \ - auth_modules.cc \ - store_modules.cc \ - cf_parser.h \ - globals.cc \ - string_arrays.c - -squid_LDADD = \ - -L../lib \ - @XTRA_OBJS@ \ - @REPL_OBJS@ \ - @STORE_OBJS@ \ - @AUTH_OBJS@ \ - @CRYPTLIB@ \ - @REGEXLIB@ \ - @SNMPLIB@ \ - @LIB_MALLOC@ \ - @SSLLIB@ \ - -lmiscutil \ - @XTRA_LIBS@ \ - @EPOLL_LIBS@ -squid_DEPENDENCIES = $(top_builddir)/lib/libmiscutil.a @STORE_OBJS@ - -unlinkd_SOURCES = unlinkd.cc -unlinkd_CXXFLAGS = -DUNLINK_DAEMON - -pinger_SOURCES = \ - pinger.cc \ - debug.cc - -dnsserver_SOURCES = dnsserver.cc -recv_announce_SOURCES = recv-announce.cc - -ufsdump_SOURCES = debug.cc \ - int.cc \ - ufsdump.cc \ - store.cc \ - StoreMeta.cc \ - StoreMeta.h \ - StoreMetaMD5.cc \ - StoreMetaMD5.h \ - StoreMetaSTD.cc \ - StoreMetaSTD.h \ - StoreMetaUnpacker.cc \ - StoreMetaUnpacker.h \ - StoreMetaURL.cc \ - StoreMetaURL.h \ - StoreMetaVary.cc \ - StoreMetaVary.h \ - access_log.cc \ - acl.cc \ - ACLChecklist.cc \ - $(squid_ACLSOURCES) \ - asn.cc \ - authenticate.cc \ - cache_cf.cc \ - CacheDigest.cc \ - cache_manager.cc \ - carp.cc \ - cbdata.cc \ - client_db.cc \ - client_side.cc \ - client_side_reply.cc \ - client_side_request.cc \ - client_side_request.h \ - clientStream.cc \ - clientStream.h \ - comm.cc \ - comm.h \ - comm_select.cc \ - comm_poll.cc \ - comm_kqueue.cc \ - comm_epoll.cc \ - defines.h \ - $(DELAY_POOL_SOURCE) \ - disk.cc \ - $(DNSSOURCE) \ - enums.h \ - errorpage.cc \ - $(ESI_SOURCE) \ - ETag.cc \ - event.cc \ - external_acl.cc \ - fd.cc \ - fde.cc \ - fde.h \ - filemap.cc \ - forward.cc \ - fqdncache.cc \ - ftp.cc \ - gopher.cc \ - helper.cc \ - $(HTCPSOURCE) \ - http.cc \ - HttpStatusLine.cc \ - HttpHdrCc.cc \ - HttpHdrRange.cc \ - HttpHdrSc.cc \ - HttpHdrScTarget.cc \ - HttpHdrContRange.cc \ - HttpHeader.cc \ - HttpHeaderTools.cc \ - HttpBody.cc \ - HttpMsg.cc \ - HttpReply.cc \ - HttpRequest.cc \ - HttpRequest.h \ - icmp.cc \ - icp_v2.cc \ - icp_v3.cc \ - $(IDENT_SOURCE) \ - internal.cc \ - ipc.cc \ - ipcache.cc \ - IPInterception.cc \ - IPInterception.h \ - $(LEAKFINDERSOURCE) \ - logfile.cc \ - mem.cc \ - mem_node.cc \ - mem_node.h \ - Mem.h \ - MemBuf.cc \ - MemObject.cc \ - MemObject.h \ - mime.cc \ - multicast.cc \ - neighbors.cc \ - net_db.cc \ - Packer.cc \ - $(XPROF_STATS_SOURCE) \ - pconn.cc \ - peer_digest.cc \ - peer_select.cc \ - protos.h \ - redirect.cc \ - referer.cc \ - refresh.cc \ - send-announce.cc \ - $(SNMPSOURCE) \ - squid.h \ - $(SSL_SOURCE) \ - tunnel.cc \ - stat.cc \ - StatHist.cc \ - String.cc \ - stmem.cc \ - store_io.cc \ - StoreIOBuffer.h \ - StoreIOState.cc \ - store_client.cc \ - StoreClient.h \ - store_digest.cc \ - store_dir.cc \ - store_key_md5.cc \ - store_log.cc \ - store_rebuild.cc \ - store_swapin.cc \ - store_swapmeta.cc \ - store_swapout.cc \ - structs.h \ - SwapDir.cc \ - tools.cc \ - typedefs.h \ - ufscommon.cc \ - ufscommon.h \ - $(UNLINKDSOURCE) \ - url.cc \ - urn.cc \ - useragent.cc \ - wais.cc \ - wccp.cc \ - whois.cc \ - $(WIN32SOURCE) -ufsdump_LDADD = \ - -L../lib \ - @XTRA_OBJS@ \ - @REPL_OBJS@ \ - @STORE_OBJS@ \ - @AUTH_OBJS@ \ - @CRYPTLIB@ \ - @REGEXLIB@ \ - @SNMPLIB@ \ - @LIB_MALLOC@ \ - @SSLLIB@ \ - -lmiscutil \ - @XTRA_LIBS@ \ - @EPOLL_LIBS@ -ufsdump_DEPENDENCIES = $(top_builddir)/lib/libmiscutil.a -nodist_ufsdump_SOURCES = \ - repl_modules.cc \ - auth_modules.cc \ - store_modules.cc \ - cf_parser.h \ - globals.cc \ - string_arrays.c - -nodist_pinger_SOURCES = \ - globals.cc - -BUILT_SOURCES = \ - cf_gen_defines.h \ - cf_parser.h \ - globals.cc \ - string_arrays.c \ - repl_modules.cc \ - auth_modules.cc \ - store_modules.cc - -sysconf_DATA = \ - squid.conf.default \ - mime.conf.default - -data_DATA = \ - mib.txt - -LDADD = -L../lib -lmiscutil @XTRA_LIBS@ @EPOLL_LIBS@ - -EXTRA_DIST = \ - cf_gen_defines \ - cf.data.pre \ - mk-globals-c.pl \ - mk-string-arrays.pl \ - auth_modules.sh \ - store_modules.sh \ - repl_modules.sh \ - mib.txt \ - mime.conf.default - -DEFAULT_PREFIX = $(prefix) -DEFAULT_CONFIG_FILE = $(sysconfdir)/squid.conf -DEFAULT_MIME_TABLE = $(sysconfdir)/mime.conf -DEFAULT_DNSSERVER = $(libexecdir)/dnsserver$(EXEEXT) -DEFAULT_LOG_PREFIX = $(localstatedir)/logs -DEFAULT_CACHE_LOG = $(DEFAULT_LOG_PREFIX)/cache.log -DEFAULT_ACCESS_LOG = $(DEFAULT_LOG_PREFIX)/access.log -DEFAULT_STORE_LOG = $(DEFAULT_LOG_PREFIX)/store.log -DEFAULT_PID_FILE = $(DEFAULT_LOG_PREFIX)/squid.pid -DEFAULT_SWAP_DIR = $(localstatedir)/cache -DEFAULT_PINGER = $(libexecdir)/pinger$(EXEEXT) -DEFAULT_UNLINKD = $(libexecdir)/unlinkd$(EXEEXT) -DEFAULT_DISKD = $(libexecdir)/diskd$(EXEEXT) -DEFAULT_ICON_DIR = $(datadir)/icons -DEFAULT_ERROR_DIR = $(datadir)/errors/@ERR_DEFAULT_LANGUAGE@ -DEFAULT_MIB_PATH = $(datadir)/mib.txt -DEFAULT_HOSTS = @OPT_DEFAULT_HOSTS@ - -DEFS = @DEFS@ -DDEFAULT_CONFIG_FILE=\"$(DEFAULT_CONFIG_FILE)\" - -$(OBJS): $(top_srcdir)/include/version.h ../include/autoconf.h - -snmp_core.o snmp_agent.o: ../snmplib/libsnmp.a $(top_srcdir)/include/cache_snmp.h - -globals.cc: globals.h mk-globals-c.pl - $(PERL) $(srcdir)/mk-globals-c.pl < $(srcdir)/globals.h > $@ - -string_arrays.c: enums.h mk-string-arrays.pl - $(PERL) $(srcdir)/mk-string-arrays.pl < $(srcdir)/enums.h > $@ - -cache_diff: cache_diff.o debug.o globals.o store_key_md5.o - $(CC) -o $@ $(LDFLAGS) $@.o debug.o globals.o store_key_md5.o $(STD_APP_LIBS) - -test_cache_digest: test_cache_digest.o CacheDigest.o debug.o globals.o store_key_md5.o - $(CC) -o $@ $(LDFLAGS) $@.o CacheDigest.o debug.o globals.o store_key_md5.o $(STD_APP_LIBS) + DNSSERVER = dnsserver + else + DNSSOURCE = dns_internal.cc + DNSSERVER = + endif + + if USE_SNMP + SNMPSOURCE = snmp_core.cc snmp_agent.cc + else + SNMPSOURCE = + endif + + DELAY_POOL_ALL_SOURCE = \ + CommonPool.h \ + CompositePoolNode.h \ + delay_pools.cc \ + DelayId.cc \ + DelayId.h \ + DelayIdComposite.h \ + DelayBucket.cc \ + DelayBucket.h \ + DelayConfig.cc \ + DelayConfig.h \ + DelayPool.cc \ + DelayPool.h \ + DelayPools.h \ + DelaySpec.cc \ + DelaySpec.h \ + DelayUser.cc \ + DelayUser.h \ + DelayTagged.cc \ + DelayTagged.h \ + DelayVector.cc \ + DelayVector.h \ + NullDelayId.cc \ + NullDelayId.h + if USE_DELAY_POOLS + DELAY_POOL_SOURCE = $(DELAY_POOL_ALL_SOURCE) + else + DELAY_POOL_SOURCE = + endif + + ESI_ALL_SOURCE = \ + ElementList.h \ + ESI.cc \ + ESI.h \ + ESIAttempt.h \ + ESIContext.cc \ + ESIContext.h \ + ESICustomParser.cc \ + ESICustomParser.h \ + ESIElement.h \ + ESIExcept.h \ + ESIExpatParser.cc \ + ESIExpatParser.h \ + ESIExpression.cc \ + ESILiteral.h \ + ESIParser.cc \ + ESIParser.h \ + ESISegment.cc \ + ESISegment.h \ + ESISequence.cc \ + ESISequence.h + if USE_ESI + ESI_SOURCE = $(ESI_ALL_SOURCE) + else + ESI_SOURCE = + endif + + if ENABLE_XPROF_STATS + XPROF_STATS_SOURCE = ProfStats.cc + else + XPROF_STATS_SOURCE = + endif + + if ENABLE_HTCP + HTCPSOURCE = htcp.cc + endif + + if MAKE_LEAKFINDER + LEAKFINDERSOURCE = leakfinder.cc + else + LEAKFINDERSOURCE = + endif + + if ENABLE_UNLINKD + UNLINKDSOURCE = unlinkd.cc + UNLINKD = unlinkd + else + UNLINKDSOURCE = + UNLINKD = + endif + + if ENABLE_PINGER + PINGER = pinger + else + PINGER = + endif + + SSL_ALL_SOURCE = \ + ACLCertificateData.cc \ + ACLCertificateData.h \ + ACLCertificate.cc \ + ACLCertificate.h \ + ssl_support.cc \ + ssl_support.h + if ENABLE_SSL + SSL_SOURCE = $(SSL_ALL_SOURCE) + else + SSL_SOURCE = + endif + + if ENABLE_WIN32SPECIFIC + WIN32SOURCE = win32.cc + else + WIN32SOURCE = + endif + + IDENT_ALL_SOURCE = ACLIdent.cc ACLIdent.h ident.cc + if ENABLE_IDENT + IDENT_SOURCE = $(IDENT_ALL_SOURCE) + else + IDENT_SOURCE = + endif + + ARP_ACL_ALL_SOURCE = ACLARP.cc ACLARP.h + if ENABLE_ARP_ACL + ARP_ACL_SOURCE = $(ARP_ACL_ALL_SOURCE) + else + ARP_ACL_SOURCE = + endif + + AM_CFLAGS = @SQUID_CFLAGS@ + AM_CXXFLAGS = @SQUID_CXXFLAGS@ + + SUBDIRS = fs repl auth + + INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir)/lib/libTrie/include + + EXTRA_PROGRAMS = \ + unlinkd \ + pinger \ + dnsserver \ + recv-announce \ + ufsdump + + noinst_PROGRAMS = \ + cf_gen + + sbin_PROGRAMS = \ + squid + + bin_PROGRAMS = \ + squidclient + + + libexec_PROGRAMS = \ + $(PINGER) \ + $(DNSSERVER) \ + $(UNLINKD) \ + cachemgr$(CGIEXT) + + cf_gen_SOURCES = cf_gen.cc defines.h + nodist_cf_gen_HEADER = cf_gen_defines.h + cf_gen.$(OBJEXT): cf_gen_defines.h + squidclient_SOURCES = client.cc + cachemgr__CGIEXT__SOURCES = cachemgr.cc + + EXTRA_squid_SOURCES = \ + $(ARP_ACL_ALL_SOURCE) \ + $(DELAY_POOL_ALL_SOURCE) \ + dns.cc \ + dnsserver.cc \ + dns_internal.cc \ + htcp.cc \ + $(IDENT_ALL_SOURCE) \ + $(ESI_ALL_SOURCE) \ + ProfStats.cc \ + leakfinder.cc \ + snmp_core.cc \ + snmp_agent.cc \ + unlinkd.cc \ + $(SSL_ALL_SOURCE) \ + win32.cc + + squid_ACLSOURCES = \ + $(ARP_ACL_SOURCE) \ + ACLASN.cc \ + ACLASN.h \ + ACLDestinationASN.h \ + ACLSourceASN.h \ + ACLBrowser.cc \ + ACLBrowser.h \ + ACLData.h \ + ACLDestinationDomain.cc \ + ACLDestinationDomain.h \ + ACLDestinationIP.cc \ + ACLDestinationIP.h \ + ACLDomainData.h \ + ACLDomainData.cc \ + ACLIntRange.cc \ + ACLIntRange.h \ + ACLIP.cc \ + ACLIP.h \ + ACLMaxConnection.cc \ + ACLMaxConnection.h \ + ACLMaxUserIP.cc \ + ACLMaxUserIP.h \ + ACLMethod.cc \ + ACLMethod.h \ + ACLMethodData.cc \ + ACLMethodData.h \ + ACLMyIP.cc \ + ACLMyIP.h \ + ACLMyPort.cc \ + ACLMyPort.h \ + ACLProtocol.cc \ + ACLProtocol.h \ + ACLProtocolData.cc \ + ACLProtocolData.h \ + ACLProxyAuth.cc \ + ACLProxyAuth.h \ + ACLReferer.cc \ + ACLReferer.h \ + ACLRegexData.cc \ + ACLRegexData.h \ + ACLReplyHeaderStrategy.h \ + ACLReplyMIMEType.cc \ + ACLReplyMIMEType.h \ + ACLRequestHeaderStrategy.h \ + ACLRequestMIMEType.cc \ + ACLRequestMIMEType.h \ + ACLSourceDomain.cc \ + ACLSourceDomain.h \ + ACLSourceIP.cc \ + ACLSourceIP.h \ + ACLStrategised.cc \ + ACLStrategised.h \ + ACLStrategy.h \ + ACLStringData.cc \ + ACLStringData.h \ + ACLTime.cc \ + ACLTime.h \ + ACLTimeData.cc \ + ACLTimeData.h \ + ACLUrl.cc \ + ACLUrl.h \ + ACLUrlPath.cc \ + ACLUrlPath.h \ + ACLUrlPort.cc \ + ACLUrlPort.h \ + ACLUserData.cc \ + ACLUserData.h + + squid_SOURCES = \ + access_log.cc \ + acl.cc \ + ACL.h \ + ACLChecklist.cc \ + ACLChecklist.h \ + $(squid_ACLSOURCES) \ + asn.cc \ + authenticate.cc \ + authenticate.h \ + cache_cf.cc \ + CacheDigest.cc \ + cache_manager.cc \ + carp.cc \ + cbdata.cc \ + client_db.cc \ + client_side.cc \ + client_side.h \ + client_side_reply.cc \ + client_side_reply.h \ + client_side_request.cc \ + client_side_request.h \ + clientStream.cc \ + clientStream.h \ + comm.cc \ + comm.h \ + comm_select.cc \ + comm_poll.cc \ + comm_kqueue.cc \ + comm_epoll.cc \ + CommRead.h \ + ConfigParser.h \ + ConnectionDetail.h \ + debug.cc \ + Debug.h \ + defines.h \ + $(DELAY_POOL_SOURCE) \ + disk.cc \ + $(DNSSOURCE) \ + enums.h \ + errorpage.cc \ + $(ESI_SOURCE) \ + ETag.cc \ + event.cc \ + external_acl.cc \ + ExternalACL.h \ + ExternalACLEntry.cc \ + ExternalACLEntry.h \ + fd.cc \ + fde.cc \ + fde.h \ + filemap.cc \ + forward.cc \ + fqdncache.cc \ + ftp.cc \ + Generic.h \ + globals.h \ + gopher.cc \ + helper.cc \ + $(HTCPSOURCE) \ + http.cc \ + http.h \ + HttpStatusLine.cc \ + HttpHdrCc.cc \ + HttpHdrRange.cc \ + HttpHdrSc.cc \ + HttpHdrScTarget.cc \ + HttpHdrContRange.cc \ + HttpHdrContRange.h \ + HttpHeader.cc \ + HttpHeader.h \ + HttpHeaderRange.h \ + HttpHeaderTools.cc \ + HttpBody.cc \ + HttpMsg.cc \ + HttpReply.cc \ + HttpReply.h \ + HttpRequest.cc \ + HttpRequest.h \ + icmp.cc \ + ICP.h \ + icp_v2.cc \ + icp_v3.cc \ + $(IDENT_SOURCE) \ + int.cc \ + internal.cc \ + ipc.cc \ + ipcache.cc \ + IPInterception.cc \ + IPInterception.h \ + $(LEAKFINDERSOURCE) \ + logfile.cc \ + main.cc \ + mem.cc \ + mem_node.cc \ + mem_node.h \ + Mem.h \ + MemBuf.cc \ + MemObject.cc \ + MemObject.h \ + mime.cc \ + multicast.cc \ + neighbors.cc \ + net_db.cc \ + Packer.cc \ + $(XPROF_STATS_SOURCE) \ + pconn.cc \ + peer_digest.cc \ + peer_select.cc \ + protos.h \ + redirect.cc \ + referer.cc \ + refresh.cc \ + send-announce.cc \ + $(SNMPSOURCE) \ + squid.h \ + tunnel.cc \ + $(SSL_SOURCE) \ + stat.cc \ + StatHist.cc \ + String.cc \ + stmem.cc \ + stmem.h \ + store.cc \ + Store.h \ + store_io.cc \ + StoreIOBuffer.h \ + StoreIOState.cc \ + StoreIOState.h \ + store_client.cc \ + StoreClient.h \ + store_digest.cc \ + store_dir.cc \ + store_key_md5.cc \ + store_log.cc \ + store_rebuild.cc \ + store_swapin.cc \ + store_swapmeta.cc \ + store_swapout.cc \ + StoreMeta.cc \ + StoreMeta.h \ + StoreMetaMD5.cc \ + StoreMetaMD5.h \ + StoreMetaSTD.cc \ + StoreMetaSTD.h \ + StoreMetaUnpacker.cc \ + StoreMetaUnpacker.h \ + StoreMetaURL.cc \ + StoreMetaURL.h \ + StoreMetaVary.cc \ + StoreMetaVary.h \ + structs.h \ + SwapDir.cc \ + SwapDir.h \ + tools.cc \ + typedefs.h \ + ufscommon.cc \ + ufscommon.h \ + $(UNLINKDSOURCE) \ + url.cc \ + urn.cc \ + useragent.cc \ + wais.cc \ + wccp.cc \ + whois.cc \ + $(WIN32SOURCE) + + noinst_HEADERS = ACLChecklist.cci \ + MemBuf.cci \ + MemBuf.h \ + Store.cci \ + String.cci \ + SquidString.h \ + ufscommon.cci \ + squid_windows.h + + nodist_squid_SOURCES = \ + repl_modules.cc \ + auth_modules.cc \ + store_modules.cc \ + cf_parser.h \ + globals.cc \ + string_arrays.c + + squid_LDADD = \ + -L../lib \ + @XTRA_OBJS@ \ + @REPL_OBJS@ \ + @STORE_OBJS@ \ + @AUTH_OBJS@ \ + @CRYPTLIB@ \ + @REGEXLIB@ \ + @SNMPLIB@ \ + @LIB_MALLOC@ \ + @SSLLIB@ \ + -lmiscutil \ + @XTRA_LIBS@ \ + @EPOLL_LIBS@ + squid_DEPENDENCIES = $(top_builddir)/lib/libmiscutil.a @STORE_OBJS@ + + unlinkd_SOURCES = unlinkd.cc + unlinkd_CXXFLAGS = -DUNLINK_DAEMON + + pinger_SOURCES = \ + pinger.cc \ + debug.cc + + dnsserver_SOURCES = dnsserver.cc + recv_announce_SOURCES = recv-announce.cc + + ufsdump_SOURCES = debug.cc \ + int.cc \ + ufsdump.cc \ + store.cc \ + StoreMeta.cc \ + StoreMeta.h \ + StoreMetaMD5.cc \ + StoreMetaMD5.h \ + StoreMetaSTD.cc \ + StoreMetaSTD.h \ + StoreMetaUnpacker.cc \ + StoreMetaUnpacker.h \ + StoreMetaURL.cc \ + StoreMetaURL.h \ + StoreMetaVary.cc \ + StoreMetaVary.h \ + access_log.cc \ + acl.cc \ + ACLChecklist.cc \ + $(squid_ACLSOURCES) \ + asn.cc \ + authenticate.cc \ + cache_cf.cc \ + CacheDigest.cc \ + cache_manager.cc \ + carp.cc \ + cbdata.cc \ + client_db.cc \ + client_side.cc \ + client_side_reply.cc \ + client_side_request.cc \ + client_side_request.h \ + clientStream.cc \ + clientStream.h \ + comm.cc \ + comm.h \ + comm_select.cc \ + comm_poll.cc \ + comm_kqueue.cc \ + comm_epoll.cc \ + defines.h \ + $(DELAY_POOL_SOURCE) \ + disk.cc \ + $(DNSSOURCE) \ + enums.h \ + errorpage.cc \ + $(ESI_SOURCE) \ + ETag.cc \ + event.cc \ + external_acl.cc \ + fd.cc \ + fde.cc \ + fde.h \ + filemap.cc \ + forward.cc \ + fqdncache.cc \ + ftp.cc \ + gopher.cc \ + helper.cc \ + $(HTCPSOURCE) \ + http.cc \ + HttpStatusLine.cc \ + HttpHdrCc.cc \ + HttpHdrRange.cc \ + HttpHdrSc.cc \ + HttpHdrScTarget.cc \ + HttpHdrContRange.cc \ + HttpHeader.cc \ + HttpHeaderTools.cc \ + HttpBody.cc \ + HttpMsg.cc \ + HttpReply.cc \ + HttpRequest.cc \ + HttpRequest.h \ + icmp.cc \ + icp_v2.cc \ + icp_v3.cc \ + $(IDENT_SOURCE) \ + internal.cc \ + ipc.cc \ + ipcache.cc \ + IPInterception.cc \ + IPInterception.h \ + $(LEAKFINDERSOURCE) \ + logfile.cc \ + mem.cc \ + mem_node.cc \ + mem_node.h \ + Mem.h \ + MemBuf.cc \ + MemObject.cc \ + MemObject.h \ + mime.cc \ + multicast.cc \ + neighbors.cc \ + net_db.cc \ + Packer.cc \ + $(XPROF_STATS_SOURCE) \ + pconn.cc \ + peer_digest.cc \ + peer_select.cc \ + protos.h \ + redirect.cc \ + referer.cc \ + refresh.cc \ + send-announce.cc \ + $(SNMPSOURCE) \ + squid.h \ + $(SSL_SOURCE) \ + tunnel.cc \ + stat.cc \ + StatHist.cc \ + String.cc \ + stmem.cc \ + store_io.cc \ + StoreIOBuffer.h \ + StoreIOState.cc \ + store_client.cc \ + StoreClient.h \ + store_digest.cc \ + store_dir.cc \ + store_key_md5.cc \ + store_log.cc \ + store_rebuild.cc \ + store_swapin.cc \ + store_swapmeta.cc \ + store_swapout.cc \ + structs.h \ + SwapDir.cc \ + tools.cc \ + typedefs.h \ + ufscommon.cc \ + ufscommon.h \ + $(UNLINKDSOURCE) \ + url.cc \ + urn.cc \ + useragent.cc \ + wais.cc \ + wccp.cc \ + whois.cc \ + $(WIN32SOURCE) + ufsdump_LDADD = \ + -L../lib \ + @XTRA_OBJS@ \ + @REPL_OBJS@ \ + @STORE_OBJS@ \ + @AUTH_OBJS@ \ + @CRYPTLIB@ \ + @REGEXLIB@ \ + @SNMPLIB@ \ + @LIB_MALLOC@ \ + @SSLLIB@ \ + -lmiscutil \ + @XTRA_LIBS@ \ + @EPOLL_LIBS@ + ufsdump_DEPENDENCIES = $(top_builddir)/lib/libmiscutil.a + nodist_ufsdump_SOURCES = \ + repl_modules.cc \ + auth_modules.cc \ + store_modules.cc \ + cf_parser.h \ + globals.cc \ + string_arrays.c + + nodist_pinger_SOURCES = \ + globals.cc + + BUILT_SOURCES = \ + cf_gen_defines.h \ + cf_parser.h \ + globals.cc \ + string_arrays.c \ + repl_modules.cc \ + auth_modules.cc \ + store_modules.cc + + sysconf_DATA = \ + squid.conf.default \ + mime.conf.default + + data_DATA = \ + mib.txt + + LDADD = -L../lib -lmiscutil @XTRA_LIBS@ @EPOLL_LIBS@ + + EXTRA_DIST = \ + cf_gen_defines \ + cf.data.pre \ + mk-globals-c.pl \ + mk-string-arrays.pl \ + auth_modules.sh \ + store_modules.sh \ + repl_modules.sh \ + mib.txt \ + mime.conf.default + + DEFAULT_PREFIX = $(prefix) + DEFAULT_CONFIG_FILE = $(sysconfdir)/squid.conf + DEFAULT_MIME_TABLE = $(sysconfdir)/mime.conf + DEFAULT_DNSSERVER = $(libexecdir)/dnsserver$(EXEEXT) + DEFAULT_LOG_PREFIX = $(localstatedir)/logs + DEFAULT_CACHE_LOG = $(DEFAULT_LOG_PREFIX)/cache.log + DEFAULT_ACCESS_LOG = $(DEFAULT_LOG_PREFIX)/access.log + DEFAULT_STORE_LOG = $(DEFAULT_LOG_PREFIX)/store.log + DEFAULT_PID_FILE = $(DEFAULT_LOG_PREFIX)/squid.pid + DEFAULT_SWAP_DIR = $(localstatedir)/cache + DEFAULT_PINGER = $(libexecdir)/pinger$(EXEEXT) + DEFAULT_UNLINKD = $(libexecdir)/unlinkd$(EXEEXT) + DEFAULT_DISKD = $(libexecdir)/diskd$(EXEEXT) + DEFAULT_ICON_DIR = $(datadir)/icons + DEFAULT_ERROR_DIR = $(datadir)/errors/@ERR_DEFAULT_LANGUAGE@ + DEFAULT_MIB_PATH = $(datadir)/mib.txt + DEFAULT_HOSTS = @OPT_DEFAULT_HOSTS@ + + DEFS = @DEFS@ -DDEFAULT_CONFIG_FILE=\"$(DEFAULT_CONFIG_FILE)\" + + $(OBJS): $(top_srcdir)/include/version.h ../include/autoconf.h + + snmp_core.o snmp_agent.o: ../snmplib/libsnmp.a $(top_srcdir)/include/cache_snmp.h + + globals.cc: globals.h mk-globals-c.pl + $(PERL) $(srcdir)/mk-globals-c.pl < $(srcdir)/globals.h > $@ + + string_arrays.c: enums.h mk-string-arrays.pl + $(PERL) $(srcdir)/mk-string-arrays.pl < $(srcdir)/enums.h > $@ + + cache_diff: cache_diff.o debug.o globals.o store_key_md5.o + $(CC) -o $@ $(LDFLAGS) $@.o debug.o globals.o store_key_md5.o $(STD_APP_LIBS) + + test_cache_digest: test_cache_digest.o CacheDigest.o debug.o globals.o store_key_md5.o + $(CC) -o $@ $(LDFLAGS) $@.o CacheDigest.o debug.o globals.o store_key_md5.o $(STD_APP_LIBS) ## If autodependency works well this is not needed anymore -cache_cf.o: cf_parser.h + cache_cf.o: cf_parser.h -squid.conf.default: cf_parser.h - $(SHELL) -c "test -f squid.conf.default || ./cf_gen cf.data" + squid.conf.default: cf_parser.h + $(SHELL) -c "test -f squid.conf.default || ./cf_gen cf.data" -cf_parser.h: cf.data cf_gen$(EXEEXT) - ./cf_gen cf.data + cf_parser.h: cf.data cf_gen$(EXEEXT) + ./cf_gen cf.data -cf_gen_defines.h: $(srcdir)/cf_gen_defines $(srcdir)/cf.data.pre - awk -f $(srcdir)/cf_gen_defines <$(srcdir)/cf.data.pre >cf_gen_defines.h + cf_gen_defines.h: $(srcdir)/cf_gen_defines $(srcdir)/cf.data.pre + awk -f $(srcdir)/cf_gen_defines <$(srcdir)/cf.data.pre >cf_gen_defines.h ## FIXME: generate a sed command file from configure. Then this doesn't -## depend on the Makefile. -cf.data: cf.data.pre Makefile - sed "\ - s%@DEFAULT_MIME_TABLE@%$(DEFAULT_MIME_TABLE)%g;\ - s%@DEFAULT_DNSSERVER@%$(DEFAULT_DNSSERVER)%g;\ - s%@DEFAULT_UNLINKD@%$(DEFAULT_UNLINKD)%g;\ - s%@DEFAULT_PINGER@%$(DEFAULT_PINGER)%g;\ - s%@DEFAULT_DISKD@%$(DEFAULT_DISKD)%g;\ - s%@DEFAULT_CACHE_LOG@%$(DEFAULT_CACHE_LOG)%g;\ - s%@DEFAULT_ACCESS_LOG@%$(DEFAULT_ACCESS_LOG)%g;\ - s%@DEFAULT_STORE_LOG@%$(DEFAULT_STORE_LOG)%g;\ - s%@DEFAULT_PID_FILE@%$(DEFAULT_PID_FILE)%g;\ - s%@DEFAULT_SWAP_DIR@%$(DEFAULT_SWAP_DIR)%g;\ - s%@DEFAULT_ICON_DIR@%$(DEFAULT_ICON_DIR)%g;\ - s%@DEFAULT_MIB_PATH@%$(DEFAULT_MIB_PATH)%g;\ - s%@DEFAULT_ERROR_DIR@%$(DEFAULT_ERROR_DIR)%g;\ - s%@DEFAULT_PREFIX@%$(DEFAULT_PREFIX)%g;\ - s%@DEFAULT_HOSTS@%$(DEFAULT_HOSTS)%g;\ - s%@[V]ERSION@%$(VERSION)%g;"\ - < $(srcdir)/cf.data.pre >$@ - -store_modules.cc: store_modules.sh Makefile - $(SHELL) $(srcdir)/store_modules.sh $(STORE_MODULES) >store_modules.cc - -repl_modules.cc: repl_modules.sh Makefile - $(SHELL) $(srcdir)/repl_modules.sh $(REPL_POLICIES) > repl_modules.cc - -auth_modules.cc: auth_modules.sh Makefile - @$(SHELL) $(srcdir)/auth_modules.sh $(AUTH_MODULES) >auth_modules.cc - -install-data-local: install-sysconfDATA install-dataDATA - @if test -f $(DESTDIR)$(DEFAULT_MIME_TABLE) ; then \ - echo "$@ will not overwrite existing $(DESTDIR)$(DEFAULT_MIME_TABLE)" ; \ - else \ - echo "$(INSTALL_DATA) $(srcdir)/mime.conf.default $(DESTDIR)$(DEFAULT_MIME_TABLE)" ;\ - $(INSTALL_DATA) $(srcdir)/mime.conf.default $(DESTDIR)$(DEFAULT_MIME_TABLE); \ - fi - @if test -f $(DESTDIR)$(DEFAULT_CONFIG_FILE) ; then \ - echo "$@ will not overwrite existing $(DESTDIR)$(DEFAULT_CONFIG_FILE)" ; \ - else \ - echo "$(INSTALL_DATA) squid.conf.default $(DESTDIR)$(DEFAULT_CONFIG_FILE)"; \ - $(INSTALL_DATA) squid.conf.default $(DESTDIR)$(DEFAULT_CONFIG_FILE); \ - fi - $(mkinstalldirs) $(DESTDIR)$(DEFAULT_LOG_PREFIX) +## depend on the Makefile. + cf.data: cf.data.pre Makefile + sed "\ + s%@DEFAULT_MIME_TABLE@%$(DEFAULT_MIME_TABLE)%g; + + \ + s%@DEFAULT_DNSSERVER@%$(DEFAULT_DNSSERVER)%g; + + \ + s%@DEFAULT_UNLINKD@%$(DEFAULT_UNLINKD)%g; + + \ + s%@DEFAULT_PINGER@%$(DEFAULT_PINGER)%g; + + \ + s%@DEFAULT_DISKD@%$(DEFAULT_DISKD)%g; + + \ + s%@DEFAULT_CACHE_LOG@%$(DEFAULT_CACHE_LOG)%g; + + \ + s%@DEFAULT_ACCESS_LOG@%$(DEFAULT_ACCESS_LOG)%g; + + \ + s%@DEFAULT_STORE_LOG@%$(DEFAULT_STORE_LOG)%g; + + \ + s%@DEFAULT_PID_FILE@%$(DEFAULT_PID_FILE)%g; + + \ + s%@DEFAULT_SWAP_DIR@%$(DEFAULT_SWAP_DIR)%g; + + \ + s%@DEFAULT_ICON_DIR@%$(DEFAULT_ICON_DIR)%g; + + \ + s%@DEFAULT_MIB_PATH@%$(DEFAULT_MIB_PATH)%g; + + \ + s%@DEFAULT_ERROR_DIR@%$(DEFAULT_ERROR_DIR)%g; + + \ + s%@DEFAULT_PREFIX@%$(DEFAULT_PREFIX)%g; + + \ + s%@DEFAULT_HOSTS@%$(DEFAULT_HOSTS)%g; + + \ + s%@[V]ERSION@%$(VERSION)%g;"\ + + < $(srcdir)/cf.data.pre >$@ + + store_modules.cc: store_modules.sh Makefile + $(SHELL) $(srcdir)/store_modules.sh $(STORE_MODULES) >store_modules.cc + + repl_modules.cc: repl_modules.sh Makefile + $(SHELL) $(srcdir)/repl_modules.sh $(REPL_POLICIES) > repl_modules.cc + + auth_modules.cc: auth_modules.sh Makefile + @$(SHELL) $(srcdir)/auth_modules.sh $(AUTH_MODULES) >auth_modules.cc + + install-data-local: install-sysconfDATA install-dataDATA + @if test -f $(DESTDIR)$(DEFAULT_MIME_TABLE) ; then \ +echo " +$@ will not overwrite existing $(DESTDIR)$(DEFAULT_MIME_TABLE)" ; \ +else \ + echo "$(INSTALL_DATA) $(srcdir)/mime.conf.default $(DESTDIR)$(DEFAULT_MIME_TABLE)" ;\ +$(INSTALL_DATA) $(srcdir)/mime.conf.default $(DESTDIR)$(DEFAULT_MIME_TABLE); \ +fi +@if test -f $(DESTDIR)$(DEFAULT_CONFIG_FILE) ; then \ +echo "$@ will not overwrite existing $(DESTDIR)$(DEFAULT_CONFIG_FILE)" ; \ +else \ + echo "$(INSTALL_DATA) squid.conf.default $(DESTDIR)$(DEFAULT_CONFIG_FILE)"; \ +$(INSTALL_DATA) squid.conf.default $(DESTDIR)$(DEFAULT_CONFIG_FILE); \ +fi +$(mkinstalldirs) $(DESTDIR)$(DEFAULT_LOG_PREFIX) uninstall-local: - @if test -f $(DESTDIR)$(DEFAULT_MIME_TABLE) ; then \ - echo "rm -f $(DESTDIR)$(DEFAULT_MIME_TABLE)"; \ - $(RM) -f $(DESTDIR)$(DEFAULT_MIME_TABLE); \ - fi +@if test -f $(DESTDIR)$(DEFAULT_MIME_TABLE) ; then \ +echo "rm -f $(DESTDIR)$(DEFAULT_MIME_TABLE)"; \ +$(RM) -f $(DESTDIR)$(DEFAULT_MIME_TABLE); \ +fi # Don't automatically uninstall config files # @if test -f $(DESTDIR)$(DEFAULT_CONFIG_FILE) ; then \ @@ -773,7 +809,7 @@ uninstall-local: # fi DISTCLEANFILES = cf_gen_defines.h cf.data cf_parser.h squid.conf.default \ - globals.cc string_arrays.c repl_modules.cc auth_modules.cc store_modules.cc + globals.cc string_arrays.c repl_modules.cc auth_modules.cc store_modules.cc ##install-pinger: ## @f=$(PINGER_EXE); \ diff --git a/src/cf.data.pre b/src/cf.data.pre index a60b132ad9..1db4c6098e 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.314 2003/05/17 19:02:15 hno Exp $ +# $Id: cf.data.pre,v 1.315 2003/05/20 12:17:38 robertc Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -31,1634 +31,1664 @@ # COMMENT_START - WELCOME TO SQUID @VERSION@ - ---------------------------- +WELCOME TO SQUID @VERSION@ +---------------------------- - This is the default Squid configuration file. You may wish - to look at the Squid home page (http://www.squid-cache.org/) - for the FAQ and other documentation. +This is the default Squid configuration file. You may wish - The default Squid config file shows what the defaults for - various options happen to be. If you don't need to change the - default, you shouldn't uncomment the line. Doing so may cause - run-time problems. In some cases "none" refers to no default - setting at all, while in other cases it refers to a valid - option - the comments for that keyword indicate if this is the - case. + to look at the Squid home page (http://www.squid-cache.org/) -COMMENT_END + for the FAQ and other documentation. -COMMENT_START - NETWORK OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: http_port ascii_port -TYPE: http_port_list -DEFAULT: none -LOC: Config.Sockaddr.http -DOC_START - Usage: port [options] - hostname:port [options] - 1.2.3.4:port [options] - - The socket addresses where Squid will listen for HTTP client - requests. You may specify multiple socket addresses. - There are three forms: port alone, hostname with port, and - IP address with port. If you specify a hostname or IP - address, then Squid binds the socket to that specific - address. This replaces the old 'tcp_incoming_address' - option. Most likely, you do not need to bind to a specific - address, so you can use the port number alone. - - If you are running Squid in accelerator mode, then you - probably want to listen on port 80 also, or instead. - - The -a command line option will override the *first* port - number listed here. That option will NOT override an IP - address, however. - - You may specify multiple socket addresses on multiple lines. - - options are: - accel Accelerator mode - transparent Support for transparent proxies - vhost Accelerator using Host directive - vport Accelerator with IP virtual host support - vport=NN As above, but uses specified port number - rather than the http_port number. - defaultsite=xx Main web site name for accelerators. - also implies accel - protocol= Protocol to reconstruct accelerated - requests with. Defaults to http. - - If you run Squid on a dual-homed machine with an internal - and an external interface then we recommend you to specify the - internal address:port in http_port. This way Squid will only be - visible on the internal address. -NOCOMMENT_START -# Squid normally listens to port 3128 -http_port 3128 -NOCOMMENT_END -DOC_END - -NAME: https_port -IFDEF: USE_SSL -TYPE: https_port_list -DEFAULT: none -LOC: Config.Sockaddr.https -DOC_START - Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] - - The socket address where Squid will listen for HTTPS client - requests. - - This is really only useful for situations where you are running - squid in accelerator mode and you want to do the SSL work at the - accelerator level. - - You may specify multiple socket addresses on multiple lines, - each with their own SSL certificate and/or options. - - Options: - - defaultsite= The name of the https site presented on - this port. - - protocol= Protocol to reconstruct accelerated requests - with. Defaults to https. - - cert= Path to SSL certificate (PEM format) - - key= Path to SSL private key file (PEM format) - if not specified, the certificate file is - assumed to be a combined certificate and - key file - - version= The version of SSL/TLS supported - 1 automatic (default) - 2 SSLv2 only - 3 SSLv3 only - 4 TLSv1 only - - cipher= Colon separated list of supported ciphers - - options= Varions SSL engine options. The most important - being: - NO_SSLv2 Disallow the use of SSLv2 - NO_SSLv3 Disallow the use of SSLv3 - NO_TLSv1 Disallow the use of TLSv1 - SINGLE_DH_USE Always create a new key when using - temporary/ephemeral DH key exchanges - See src/ssl_support.c or OpenSSL SSL_CTX_set_options - documentation for a complete list of options. - - clientca= File containing the list of CAs to use when - requesting a client certificate - - cafile= File containing additional CA certificates to - use when verifying client certificates. If unset - clientca will be used. - - capath= Directory containing additional CA certificates - to use when verifying client certificates - - dhparams= File containing DH parameters for temporary/ephemeral - DH key exchanges - - sslflags= Various flags modifying the use of SSL: - DELAYED_AUTH - Don't request client certificates - immediately, but wait until acl processing - requires a certificate - NO_DEFAULT_CA - Don't use the default CA list built in - to OpenSSL. - -DOC_END - -NAME: ssl_unclean_shutdown -IFDEF: USE_SSL -TYPE: onoff -DEFAULT: off -LOC: Config.SSL.unclean_shutdown -DOC_START - Some browsers (especially MSIE) bugs out on SSL shutdown - messages. -DOC_END - -NAME: ssl_engine -IFDEF: USE_SSL -TYPE: string -LOC: Config.SSL.ssl_engine -DEFAULT: none -DOC_START - The openssl engine to use. You will need to set this if you - would like to use hardware SSL acceleration for example. -DOC_END - -NAME: sslproxy_client_certificate -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.cert -TYPE: string -DOC_START - Client SSL Certificate to use when proxying https:// URLs -DOC_END - -NAME: sslproxy_client_key -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.key -TYPE: string -DOC_START - Client SSL Key to use when proxying https:// URLs -DOC_END - -NAME: sslproxy_version -IFDEF: USE_SSL -DEFAULT: 1 -LOC: Config.ssl_client.version -TYPE: int -DOC_START - SSL version level to use when proxying https:// URLs -DOC_END - -NAME: sslproxy_options -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.options -TYPE: string -DOC_START - SSL engine options to use when proxying https:// URLs -DOC_END - -NAME: sslproxy_cipher -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.cipher -TYPE: string -DOC_START - SSL cipher list to use when proxying https:// URLs -DOC_END - -NAME: sslproxy_cafile -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.cafile -TYPE: string -DOC_START -DOC_END - -NAME: sslproxy_capath -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.capath -TYPE: string -DOC_START -DOC_END - -NAME: sslproxy_flags -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.flags -TYPE: string -DOC_START -DOC_END - -NAME: icp_port udp_port -TYPE: ushort -DEFAULT: 0 -LOC: Config.Port.icp -DOC_START - The port number where Squid sends and receives ICP queries to - and from neighbor caches. The standard UDP port for ICP is 3130. - Default is disabled (0). -NOCOMMENT_START -icp_port 3130 -NOCOMMENT_END -DOC_END - -NAME: htcp_port -IFDEF: USE_HTCP -TYPE: ushort -DEFAULT: 4827 -LOC: Config.Port.htcp -DOC_START - The port number where Squid sends and receives HTCP queries to - and from neighbor caches. Default is 4827. To disable use - "0". -DOC_END - - -NAME: mcast_groups -TYPE: wordlist -LOC: Config.mcast_group_list -DEFAULT: none -DOC_START - This tag specifies a list of multicast groups which your server - should join to receive multicasted ICP queries. - - NOTE! Be very careful what you put here! Be sure you - understand the difference between an ICP _query_ and an ICP - _reply_. This option is to be set only if you want to RECEIVE - multicast queries. Do NOT set this option to SEND multicast - ICP (use cache_peer for that). ICP replies are always sent via - unicast, so this option does not affect whether or not you will - receive replies from multicast group members. - - You must be very careful to NOT use a multicast address which - is already in use by another group of caches. - - If you are unsure about multicast, please read the Multicast - chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/). - - Usage: mcast_groups 239.128.16.128 224.0.1.20 - - By default, Squid doesn't listen on any multicast groups. -DOC_END - - -NAME: udp_incoming_address -TYPE: address -LOC:Config.Addrs.udp_incoming -DEFAULT: 0.0.0.0 -DOC_NONE - -NAME: udp_outgoing_address -TYPE: address -LOC: Config.Addrs.udp_outgoing -DEFAULT: 255.255.255.255 -DOC_START - udp_incoming_address is used for the ICP socket receiving packets - from other caches. - udp_outgoing_address is used for ICP packets sent out to other - caches. - - The default behavior is to not bind to any specific address. - - A udp_incoming_address value of 0.0.0.0 indicates that Squid should - listen for UDP messages on all available interfaces. - - If udp_outgoing_address is set to 255.255.255.255 (the default) - then it will use the same socket as udp_incoming_address. Only - change this if you want to have ICP queries sent using another - address than where this Squid listens for ICP queries from other - caches. - - NOTE, udp_incoming_address and udp_outgoing_address can not - have the same value since they both use port 3130. -DOC_END + The default Squid config file shows what the defaults for + various options happen to be. If you don't need to change the + default, you shouldn't uncomment the line. Doing so may cause + run-time problems. In some cases "none" refers to no default + setting at all, while in other cases it refers to a valid + option - the comments for that keyword indicate if this is the + case. -COMMENT_START - OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: cache_peer -TYPE: peer -DEFAULT: none -LOC: Config.peers -DOC_START - To specify other caches in a hierarchy, use the format: - - cache_peer hostname type http_port icp_port [options] - - For example, - - # proxy icp - # hostname type port port options - # -------------------- -------- ----- ----- ----------- - cache_peer parent.foo.net parent 3128 3130 [proxy-only] - cache_peer sib1.foo.net sibling 3128 3130 [proxy-only] - cache_peer sib2.foo.net sibling 3128 3130 [proxy-only] - - type: either 'parent', 'sibling', or 'multicast'. - - proxy_port: The port number where the cache listens for proxy - requests. - - icp_port: Used for querying neighbor caches about - objects. To have a non-ICP neighbor - specify '7' for the ICP port and make sure the - neighbor machine has the UDP echo port - enabled in its /etc/inetd.conf file. - - options: proxy-only - weight=n - basetime=n - ttl=n - no-query - background-ping - default - round-robin - weighted-round-robin - carp - multicast-responder - closest-only - no-digest - no-netdb-exchange - no-delay - login=user:password | PASS | *:password - connect-timeout=nn - digest-url=url - allow-miss - max-conn - originserver - name=xxx - forceddomain=name - ssl - sslcert=/path/to/ssl/certificate - sslkey=/path/to/ssl/key - sslversion=1|2|3|4 - sslcipher=... - ssloptions=... - front-end-https[=on|auto] - - use 'proxy-only' to specify that objects fetched - from this cache should not be saved locally. - - use 'weight=n' to specify a weighted parent. - The weight must be an integer. The default weight - is 1, larger weights are favored more. - - use 'basetime=n' to specify a base amount to - be subtracted from round trip times of parents. - It is subtracted before division by weight in calculating - which parent to fectch from. If the rtt is less than the - base time then the rtt is set to a minimal value. - - use 'ttl=n' to specify a IP multicast TTL to use - when sending an ICP queries to this address. - Only useful when sending to a multicast group. - Because we don't accept ICP replies from random - hosts, you must configure other group members as - peers with the 'multicast-responder' option below. - - use 'no-query' to NOT send ICP queries to this - neighbor. - - use 'background-ping' to only send ICP queries to this - neighbor infrequently. This is used to keep the neighbor - round trip time updated and is usually used in - conjunction with weighted-round-robin. - - use 'default' if this is a parent cache which can - be used as a "last-resort." You should probably - only use 'default' in situations where you cannot - use ICP with your parent cache(s). - - use 'round-robin' to define a set of parents which - should be used in a round-robin fashion in the - absence of any ICP queries. - - use 'weighted-round-robin' to define a set of parents - which should be used in a round-robin fashion with the - frequency of each parent being based on the round trip - time. Closer parents are used more often. - Usually used for background-ping parents. - - use 'carp' to define a set of parents which should - be used as a CARP array. The requests will then be - distributed among the parents based on the CARP load - balancing hash function based on their weigth. - - 'multicast-responder' indicates that the named peer - is a member of a multicast group. ICP queries will - not be sent directly to the peer, but ICP replies - will be accepted from it. - - 'closest-only' indicates that, for ICP_OP_MISS - replies, we'll only forward CLOSEST_PARENT_MISSes - and never FIRST_PARENT_MISSes. - - use 'no-digest' to NOT request cache digests from - this neighbor. - - 'no-netdb-exchange' disables requesting ICMP - RTT database (NetDB) from the neighbor. - - use 'no-delay' to prevent access to this neighbor - from influencing the delay pools. - - use 'login=user:password' if this is a personal/workgroup - proxy and your parent requires proxy authentication. - Note: The string can include URL escapes (i.e. %20 for - spaces). This also means that % must be written as %%. - - use 'login=PASS' if users must authenticate against - the upstream proxy. This will pass the users credentials - as they are to the peer proxy. This only works for the - Basic HTTP authentication sheme. Note: To combine this - with proxy_auth both proxies must share the same user - database as HTTP only allows for one proxy login. - Also be warned that this will expose your users proxy - password to the peer. USE WITH CAUTION - - use 'login=*:password' to pass the username to the - upstream cache, but with a fixed password. This is meant - to be used when the peer is in another administrative - domain, but it is still needed to identify each user. - The star can optionally be followed by some extra - information which is added to the username. This can - be used to identify this proxy to the peer, similar to - the login=username:password option above. - - use 'connect-timeout=nn' to specify a peer - specific connect timeout (also see the - peer_connect_timeout directive) - - use 'digest-url=url' to tell Squid to fetch the cache - digest (if digests are enabled) for this host from - the specified URL rather than the Squid default - location. - - use 'allow-miss' to disable Squid's use of only-if-cached - when forwarding requests to siblings. This is primarily - useful when icp_hit_stale is used by the sibling. To - extensive use of this option may result in forwarding - loops, and you should avoid having two-way peerings - with this option. (for example to deny peer usage on - requests from peer by denying cache_peer_access if the - source is a peer) - - use 'max-conn' to limit the amount of connections Squid - may open to this peer. - - 'originserver' causes this parent peer to be contacted as - a origin server. Meant to be used in accelerator setups. - - use 'name=xxx' if you have multiple peers on the same - host but different ports. This name can then be used to - differentiate the peers in cache_peer_access and similar - directives. - - use 'forceddomain=name' to forcibly set the Host header - of requests forwarded to this peer. Useful in accelerator - setups where the server (peer) expects a certain domain - name and using redirectors to feed this domainname - is not feasible. - - use 'ssl' to indicate that connections to this peer should - bs SSL/TLS encrypted. - - use 'sslcert=/path/to/ssl/certificate' to specify a client - SSL certificate to use when connecting to this peer. - - use 'sslkey=/path/to/ssl/key' to specify the private SSL - key corresponding to sslcert above. If 'sslkey' is not - specified then 'sslcert' is assumed to reference a - combined file containing both the certificate and the key. - - use sslversion=1|2|3|4 to specify the SSL version to use - when connecting to this peer - 1 = automatic (default) - 2 = SSL v2 only - 3 = SSL v3 only - 4 = TLS v1 only - - use sslcipher=... to specify the list of valid SSL chipers - to use when connecting to this peer - - use ssloptions=... to specify various SSL engine options: - NO_SSLv2 Disallow the use of SSLv2 - NO_SSLv3 Disallow the use of SSLv3 - NO_TLSv1 Disallow the use of TLSv1 - See src/ssl_support.c or the OpenSSL documentation for - a more complete list. - - use cafile=... to specify a file containing additional - CA certificates to use when verifying the peer certificate - - use capath=... to specify a directory containing additional - CA certificates to use when verifying the peer certificate - - use sslflags=... to specify various flags modifying the - SSL implementation: - DONT_VERIFY_PEER - Accept certificates even if they fail to - verify. - NO_DEFAULT_CA - Don't use the default CA list built in - to OpenSSL. - DONT_VERIFY_DOMAIN - Don't verify that the peer certificate - matches the server name - - use sslname= to specify the peer name as advertised - in it's certificate. Used for verifying the correctness - of the received peer certificate. If not specified the - peer hostname will be used. - - use front-end-https to enable the "Front-End-Https: On" - header needed when using Squid as a SSL frontend infront - of Microsoft OWA. See MS KB document Q307347 for details - on this header. If set to auto then the header will - only be added if the request is forwarded as a https:// - URL. - - NOTE: non-ICP neighbors must be specified as 'parent'. -DOC_END - -NAME: cache_peer_domain cache_host_domain -TYPE: hostdomain -DEFAULT: none -LOC: none -DOC_START - Use to limit the domains for which a neighbor cache will be - queried. Usage: - - cache_peer_domain cache-host domain [domain ...] - cache_peer_domain cache-host !domain - - For example, specifying - - cache_peer_domain parent.foo.net .edu - - has the effect such that UDP query packets are sent to - 'bigserver' only when the requested object exists on a - server in the .edu domain. Prefixing the domainname - with '!' means that the cache will be queried for objects - NOT in that domain. - - NOTE: * Any number of domains may be given for a cache-host, - either on the same or separate lines. - * When multiple domains are given for a particular - cache-host, the first matched domain is applied. - * Cache hosts with no domain restrictions are queried - for all requests. - * There are no defaults. - * There is also a 'cache_peer_access' tag in the ACL - section. -DOC_END - - -NAME: neighbor_type_domain -TYPE: hostdomaintype -DEFAULT: none -LOC: none -DOC_START - usage: neighbor_type_domain parent|sibling domain domain ... - - Modifying the neighbor type for specific domains is now - possible. You can treat some domains differently than the the - default neighbor type specified on the 'cache_peer' line. - Normally it should only be necessary to list domains which - should be treated differently because the default neighbor type - applies for hostnames which do not match domains listed here. - -EXAMPLE: - cache_peer parent cache.foo.org 3128 3130 - neighbor_type_domain cache.foo.org sibling .com .net - neighbor_type_domain cache.foo.org sibling .au .de -DOC_END - -NAME: icp_query_timeout -COMMENT: (msec) -DEFAULT: 0 -TYPE: int -LOC: Config.Timeout.icp_query -DOC_START - Normally Squid will automatically determine an optimal ICP - query timeout value based on the round-trip-time of recent ICP - queries. If you want to override the value determined by - Squid, set this 'icp_query_timeout' to a non-zero value. This - value is specified in MILLISECONDS, so, to use a 2-second - timeout (the old default), you would write: - - icp_query_timeout 2000 -DOC_END - -NAME: maximum_icp_query_timeout -COMMENT: (msec) -DEFAULT: 2000 -TYPE: int -LOC: Config.Timeout.icp_query_max -DOC_START - Normally the ICP query timeout is determined dynamically. But - sometimes it can lead to very large values (say 5 seconds). - Use this option to put an upper limit on the dynamic timeout - value. Do NOT use this option to always use a fixed (instead - of a dynamic) timeout value. To set a fixed timeout see the - 'icp_query_timeout' directive. -DOC_END - -NAME: minimum_icp_query_timeout -COMMENT: (msec) -DEFAULT: 5 -TYPE: int -LOC: Config.Timeout.icp_query_min -DOC_START - Normally the ICP query timeout is determined dynamically. But - sometimes it can lead to very small timeouts, even lower than - the normal latency variance on your link due to traffic. - Use this option to put an lower limit on the dynamic timeout - value. Do NOT use this option to always use a fixed (instead - of a dynamic) timeout value. To set a fixed timeout see the - 'icp_query_timeout' directive. -DOC_END - -NAME: mcast_icp_query_timeout -COMMENT: (msec) -DEFAULT: 2000 -TYPE: int -LOC: Config.Timeout.mcast_icp_query -DOC_START - For Multicast peers, Squid regularly sends out ICP "probes" to - count how many other peers are listening on the given multicast - address. This value specifies how long Squid should wait to - count all the replies. The default is 2000 msec, or 2 - seconds. -DOC_END - -NAME: dead_peer_timeout -COMMENT: (seconds) -DEFAULT: 10 seconds -TYPE: time_t -LOC: Config.Timeout.deadPeer -DOC_START - This controls how long Squid waits to declare a peer cache - as "dead." If there are no ICP replies received in this - amount of time, Squid will declare the peer dead and not - expect to receive any further ICP replies. However, it - continues to send ICP queries, and will mark the peer as - alive upon receipt of the first subsequent ICP reply. - - This timeout also affects when Squid expects to receive ICP - replies from peers. If more than 'dead_peer' seconds have - passed since the last ICP reply was received, Squid will not - expect to receive an ICP reply on the next query. Thus, if - your time between requests is greater than this timeout, you - will see a lot of requests sent DIRECT to origin servers - instead of to your parents. -DOC_END - - -NAME: hierarchy_stoplist -TYPE: wordlist -DEFAULT: none -LOC: Config.hierarchy_stoplist -DOC_START - A list of words which, if found in a URL, cause the object to - be handled directly by this cache. In other words, use this - to not query neighbor caches for certain objects. You may - list this option multiple times. -NOCOMMENT_START -#We recommend you to use at least the following line. -hierarchy_stoplist cgi-bin ? -NOCOMMENT_END -DOC_END + COMMENT_END + COMMENT_START + NETWORK OPTIONS + ----------------------------------------------------------------------------- + COMMENT_END -NAME: no_cache -TYPE: acl_access -DEFAULT: none -LOC: Config.accessList.noCache -DOC_START - A list of ACL elements which, if matched, cause the request to - not be satisfied from the cache and the reply to not be cached. - In other words, use this to force certain objects to never be cached. + NAME: http_port ascii_port - You must use the word 'DENY' to indicate the ACL names which should - NOT be cached. + TYPE: http_port_list -NOCOMMENT_START -#We recommend you to use the following two lines. -acl QUERY urlpath_regex cgi-bin \? -no_cache deny QUERY -NOCOMMENT_END -DOC_END - -NAME: background_ping_rate -COMMENT: time-units -TYPE: time_t -DEFAULT: 10 seconds -LOC: Config.backgroundPingRate -DOC_START - Controls how often the ICP pings are sent to siblings that - have background-ping set. -DOC_END + DEFAULT: none + LOC: Config.Sockaddr.http + DOC_START -COMMENT_START - OPTIONS WHICH AFFECT THE CACHE SIZE - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: cache_mem -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: 8 MB -LOC: Config.memMaxSize -DOC_START - NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE. - IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL - USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER - THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS. - - 'cache_mem' specifies the ideal amount of memory to be used - for: - * In-Transit objects - * Hot Objects - * Negative-Cached objects - - Data for these objects are stored in 4 KB blocks. This - parameter specifies the ideal upper limit on the total size of - 4 KB blocks allocated. In-Transit objects take the highest - priority. - - In-transit objects have priority over the others. When - additional space is needed for incoming data, negative-cached - and hot objects will be released. In other words, the - negative-cached and hot objects will fill up any unused space - not needed for in-transit objects. - - If circumstances require, this limit will be exceeded. - Specifically, if your incoming request rate requires more than - 'cache_mem' of memory to hold in-transit objects, Squid will - exceed this limit to satisfy the new requests. When the load - decreases, blocks will be freed until the high-water mark is - reached. Thereafter, blocks will be used to store hot - objects. -DOC_END - - -NAME: cache_swap_low -COMMENT: (percent, 0-100) -TYPE: int -DEFAULT: 90 -LOC: Config.Swap.lowWaterMark -DOC_NONE - -NAME: cache_swap_high -COMMENT: (percent, 0-100) -TYPE: int -DEFAULT: 95 -LOC: Config.Swap.highWaterMark -DOC_START - - The low- and high-water marks for cache object replacement. - Replacement begins when the swap (disk) usage is above the - low-water mark and attempts to maintain utilization near the - low-water mark. As swap utilization gets close to high-water - mark object eviction becomes more aggressive. If utilization is - close to the low-water mark less replacement is done each time. - - Defaults are 90% and 95%. If you have a large cache, 5% could be - hundreds of MB. If this is the case you may wish to set these - numbers closer together. -DOC_END - -NAME: maximum_object_size -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: 4096 KB -LOC: Config.Store.maxObjectSize -DOC_START - Objects larger than this size will NOT be saved on disk. The - value is specified in kilobytes, and the default is 4MB. If - you wish to get a high BYTES hit ratio, you should probably - increase this (one 32 MB object hit counts for 3200 10KB - hits). If you wish to increase speed more than your want to - save bandwidth you should leave this low. - - NOTE: if using the LFUDA replacement policy you should increase - this value to maximize the byte hit rate improvement of LFUDA! - See replacement_policy below for a discussion of this policy. -DOC_END - -NAME: minimum_object_size -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: 0 KB -LOC: Config.Store.minObjectSize -DOC_START - Objects smaller than this size will NOT be saved on disk. The - value is specified in kilobytes, and the default is 0 KB, which - means there is no minimum. -DOC_END - -NAME: maximum_object_size_in_memory -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: 8 KB -LOC: Config.Store.maxInMemObjSize -DOC_START - Objects greater than this size will not be attempted to kept in - the memory cache. This should be set high enough to keep objects - accessed frequently in memory to improve performance whilst low - enough to keep larger objects from hoarding cache_mem . -DOC_END - -NAME: ipcache_size -COMMENT: (number of entries) -TYPE: int -DEFAULT: 1024 -LOC: Config.ipcache.size -DOC_NONE - -NAME: ipcache_low -COMMENT: (percent) -TYPE: int -DEFAULT: 90 -LOC: Config.ipcache.low -DOC_NONE - -NAME: ipcache_high -COMMENT: (percent) -TYPE: int -DEFAULT: 95 -LOC: Config.ipcache.high -DOC_START - The size, low-, and high-water marks for the IP cache. -DOC_END - -NAME: fqdncache_size -COMMENT: (number of entries) -TYPE: int -DEFAULT: 1024 -LOC: Config.fqdncache.size -DOC_START - Maximum number of FQDN cache entries. -DOC_END - -NAME: cache_replacement_policy -TYPE: removalpolicy -LOC: Config.replPolicy -DEFAULT: lru -DOC_START - The cache replacement policy parameter determines which - objects are evicted (replaced) when disk space is needed. - - lru : Squid's original list based LRU policy - heap GDSF : Greedy-Dual Size Frequency - heap LFUDA: Least Frequently Used with Dynamic Aging - heap LRU : LRU policy implemented using a heap - - Applies to any cache_dir lines listed below this. - - The LRU policies keeps recently referenced objects. - - The heap GDSF policy optimizes object hit rate by keeping smaller - popular objects in cache so it has a better chance of getting a - hit. It achieves a lower byte hit rate than LFUDA though since - it evicts larger (possibly popular) objects. - - The heap LFUDA policy keeps popular objects in cache regardless of - their size and thus optimizes byte hit rate at the expense of - hit rate since one large, popular object will prevent many - smaller, slightly less popular objects from being cached. - - Both policies utilize a dynamic aging mechanism that prevents - cache pollution that can otherwise occur with frequency-based - replacement policies. - - NOTE: if using the LFUDA replacement policy you should increase - the value of maximum_object_size above its default of 4096 KB to - to maximize the potential byte hit rate improvement of LFUDA. - - For more information about the GDSF and LFUDA cache replacement - policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html - and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. -DOC_END - -NAME: memory_replacement_policy -TYPE: removalpolicy -LOC: Config.memPolicy -DEFAULT: lru -DOC_START - The memory replacement policy parameter determines which - objects are purged from memory when memory space is needed. - - See cache_replacement_policy for details. -DOC_END + Usage: port [options] + hostname:port [options] -COMMENT_START - LOGFILE PATHNAMES AND CACHE DIRECTORIES - ----------------------------------------------------------------------------- -COMMENT_END + 1.2.3.4:port [options] + + The socket addresses where Squid will listen for HTTP client + requests. You may specify multiple socket addresses. + + There are three forms: port alone, hostname with port, and + IP address with port. If you specify a hostname or IP + address, then Squid binds the socket to that specific + address. This replaces the old 'tcp_incoming_address' + option. Most likely, you do + not need to bind to a specific + address, so you can use the port number alone. -NAME: cache_dir -TYPE: cachedir -DEFAULT: none -DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256 -LOC: Config.cacheSwap -DOC_START - Usage: - - cache_dir Type Directory-Name Fs-specific-data [options] + If you are running Squid in accelerator mode, then you + probably want to listen on port 80 also, or instead. - cache_dir diskd Maxobjsize Directory-Name MB L1 L2 Q1 Q2 + The -a command line option will override the *first* port + number listed here. That option will NOT override an IP + address, however. - You can specify multiple cache_dir lines to spread the - cache among different disk partitions. + You may specify multiple socket addresses on multiple lines. - Type specifies the kind of storage system to use. Only "ufs" - is built by default. To eanble any of the other storage systems - see the --enable-storeio configure option. + options are: + accel Accelerator mode + transparent Support for transparent proxies + vhost Accelerator using Host directive + vport Accelerator with IP virtual host support + vport=NN As above, but uses specified port number + rather than the http_port number. + defaultsite=xx Main web site name for accelerators. + also implies accel + protocol= Protocol to reconstruct accelerated + requests with. Defaults to http. - 'Directory' is a top-level directory where cache swap - files will be stored. If you want to use an entire disk - for caching, then this can be the mount-point directory. - The directory must exist and be writable by the Squid - process. Squid will NOT create this directory for you. + If you run Squid on a dual-homed machine with an internal - The ufs store type: + and an external interface then we recommend you to specify the + internal address:port in http_port. This way Squid will only be + visible on the internal address. + NOCOMMENT_START +# Squid normally listens to port 3128 + http_port 3128 + NOCOMMENT_END + DOC_END + + NAME: https_port + IFDEF: USE_SSL + TYPE: https_port_list + DEFAULT: none + LOC: Config.Sockaddr.https + DOC_START + Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] + + The socket address where Squid will listen for HTTPS client + requests. + + This is really only useful for situations where you are running + squid in accelerator mode and you want to do + the SSL work at the + accelerator level. + + You may specify multiple socket addresses on multiple lines, + each with their own SSL certificate and/or options. + + Options: + + defaultsite= The name of the https site presented on + this port. + + protocol= Protocol to reconstruct accelerated requests + with. Defaults to https. + + cert= Path to SSL certificate (PEM format) + + key= Path to SSL private key file (PEM format) + if not specified, the certificate file is + assumed to be a combined certificate and + key file + + version= The version of SSL/TLS supported + 1 automatic (default) + 2 SSLv2 only + 3 SSLv3 only + 4 TLSv1 only + + cipher= Colon separated list of supported ciphers + + options= Varions SSL engine options. The most important + being: + NO_SSLv2 Disallow the use of SSLv2 + NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1 + SINGLE_DH_USE Always create a new key when using + temporary/ephemeral DH key exchanges + See src/ssl_support.c or OpenSSL SSL_CTX_set_options + documentation for a complete list of options. + + clientca= File containing the list of CAs to use when + requesting a client certificate + + cafile= File containing additional CA certificates to + use when verifying client certificates. If unset + clientca will be used. + + capath= Directory containing additional CA certificates + to use when verifying client certificates + + dhparams= File containing DH parameters for temporary/ephemeral + DH key exchanges + + sslflags= Various flags modifying the use of SSL: + DELAYED_AUTH + Don't request client certificates + immediately, but wait until acl processing + requires a certificate + NO_DEFAULT_CA + Don't use the default CA list built in + to OpenSSL. + + DOC_END + + NAME: ssl_unclean_shutdown + IFDEF: USE_SSL + TYPE: onoff + DEFAULT: off + LOC: Config.SSL.unclean_shutdown + DOC_START + Some browsers (especially MSIE) bugs out on SSL shutdown + messages. + DOC_END + + NAME: ssl_engine + IFDEF: USE_SSL + TYPE: string + LOC: Config.SSL.ssl_engine + DEFAULT: none + DOC_START + The openssl engine to use. You will need to set + this if you + would like to use hardware SSL acceleration for example. + DOC_END + + NAME: sslproxy_client_certificate + IFDEF: USE_SSL + DEFAULT: none + LOC: Config.ssl_client.cert + TYPE: string + DOC_START + Client SSL Certificate to use when proxying https:// URLs + DOC_END + + NAME: sslproxy_client_key + IFDEF: USE_SSL + DEFAULT: none + LOC: Config.ssl_client.key + TYPE: string + DOC_START + Client SSL Key to use when proxying https:// URLs + DOC_END + + NAME: sslproxy_version + IFDEF: USE_SSL + DEFAULT: 1 + LOC: Config.ssl_client.version + TYPE: int + DOC_START + SSL version level to use when proxying https:// URLs + DOC_END + + NAME: sslproxy_options + IFDEF: USE_SSL + DEFAULT: none + LOC: Config.ssl_client.options + TYPE: string + DOC_START + SSL engine options to use when proxying https:// URLs + DOC_END + + NAME: sslproxy_cipher + IFDEF: USE_SSL + DEFAULT: none + LOC: Config.ssl_client.cipher + TYPE: string + DOC_START + SSL cipher list to use when proxying https:// URLs + DOC_END + + NAME: sslproxy_cafile + IFDEF: USE_SSL + DEFAULT: none + LOC: Config.ssl_client.cafile + TYPE: string + DOC_START + DOC_END + + NAME: sslproxy_capath + IFDEF: USE_SSL + DEFAULT: none + LOC: Config.ssl_client.capath + TYPE: string + DOC_START + DOC_END + + NAME: sslproxy_flags + IFDEF: USE_SSL + DEFAULT: none + LOC: Config.ssl_client.flags + TYPE: string + DOC_START + DOC_END + + NAME: icp_port udp_port + TYPE: ushort + DEFAULT: 0 + LOC: Config.Port.icp + DOC_START + The port number where Squid sends and receives ICP queries to + and from neighbor caches. The standard UDP port for ICP is 3130. + Default is disabled (0). + NOCOMMENT_START + icp_port 3130 + NOCOMMENT_END + DOC_END + + NAME: htcp_port + IFDEF: USE_HTCP + TYPE: ushort + DEFAULT: 4827 + LOC: Config.Port.htcp + DOC_START + The port number where Squid sends and receives HTCP queries to + and from neighbor caches. Default is 4827. To disable use + "0". + DOC_END + + + NAME: mcast_groups + TYPE: wordlist + LOC: Config.mcast_group_list + DEFAULT: none + DOC_START + This tag specifies a list of multicast groups which your server + should join to receive multicasted ICP queries. + + NOTE! Be very careful what you put here! Be sure you + understand the difference between an ICP _query_ and an ICP + _reply_. This option is to be set + only if you want to RECEIVE + multicast queries. Do NOT set + this option to SEND multicast + ICP (use cache_peer for that). ICP replies are always sent via + unicast, so this option does not affect whether or not you will + receive replies from multicast group members. + + You must be very careful to NOT use a multicast address which + is already in use by another group of caches. + + If you are unsure about multicast, please read the Multicast + chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/). + + Usage: mcast_groups 239.128.16.128 224.0.1.20 + + By default, Squid doesn't listen on any multicast groups. + DOC_END + + + NAME: udp_incoming_address + TYPE: address + LOC:Config.Addrs.udp_incoming + DEFAULT: 0.0.0.0 + DOC_NONE + + NAME: udp_outgoing_address + TYPE: address + LOC: Config.Addrs.udp_outgoing + DEFAULT: 255.255.255.255 + DOC_START + udp_incoming_address is used for the ICP socket receiving packets + from other caches. + udp_outgoing_address is used for ICP packets sent out to other + caches. + + The default behavior is to not bind to any specific address. + + A udp_incoming_address value of 0.0.0.0 indicates that Squid should + listen for UDP messages on all available interfaces. + + If udp_outgoing_address is set to 255.255.255.255 (the default) + then it will use the same socket as udp_incoming_address. Only + change this if you want to have ICP queries sent using another + address than where this Squid listens for ICP queries from other + caches. + + NOTE, udp_incoming_address and udp_outgoing_address can not + have the same value since they both use port 3130. + DOC_END + + COMMENT_START + OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: cache_peer + TYPE: peer + DEFAULT: none + LOC: Config.peers + DOC_START + To specify other caches in a hierarchy, use the format: + + cache_peer hostname type http_port icp_port [options] + + For example, + +# proxy icp +# hostname type port port options +# -------------------- -------- ----- ----- ----------- + cache_peer parent.foo.net parent 3128 3130 [proxy-only] + cache_peer sib1.foo.net sibling 3128 3130 [proxy-only] + cache_peer sib2.foo.net sibling 3128 3130 [proxy-only] + + type: either 'parent', 'sibling', or 'multicast'. + + proxy_port: The port number where the cache listens for proxy + requests. + + icp_port: Used for querying neighbor caches about + objects. To have a non-ICP neighbor + specify '7' for the ICP port and make sure the + neighbor machine has the UDP echo port + enabled in its /etc/inetd.conf file. + + options: proxy-only + weight=n + basetime=n + ttl=n + no-query + background-ping + default + round-robin + weighted-round-robin + carp + multicast-responder + closest-only + no-digest + no-netdb-exchange + no-delay + login=user:password | PASS | *:password + connect-timeout=nn + digest-url=url + allow-miss + max-conn + originserver + name=xxx + forceddomain=name + ssl + sslcert=/path/to/ssl/certificate + sslkey=/path/to/ssl/key + sslversion=1|2|3|4 + sslcipher=... + ssloptions=... + front-end-https[=on|auto] + + use 'proxy-only' to specify that objects fetched + from this cache should not be saved locally. + + use 'weight=n' to specify a weighted parent. + The weight must be an integer. The default weight + is 1, larger weights are favored more. + + use 'basetime=n' to specify a base amount to + be subtracted from round trip times of parents. + It is subtracted before division by weight in calculating + which parent to fectch from. If the rtt is less than the + base time then the rtt is set to a minimal value. + + use 'ttl=n' to specify a IP multicast TTL to use + when sending an ICP queries to this address. + Only useful when sending to a multicast group. + Because we don't accept ICP replies from random + hosts, you must configure other group members as + peers with the 'multicast-responder' option below. + + use 'no-query' to NOT send ICP queries to this + neighbor. + + use 'background-ping' to only send ICP queries to this + neighbor infrequently. This is used to keep the neighbor + round trip time updated and is usually used in + conjunction with weighted-round-robin. + + use 'default' if this is a parent cache which can + be used as a "last-resort." You should probably + only use 'default' in situations where you cannot + use ICP with your parent cache(s). + + use 'round-robin' to define a set + of parents which + should be used in a round-robin fashion in the + absence of any ICP queries. + + use 'weighted-round-robin' to define a set + of parents + which should be used in a round-robin fashion with the + frequency of each parent being based on the round trip + time. Closer parents are used more often. + Usually used for background-ping parents. + + use 'carp' to define a set + of parents which should + be used as a CARP array. The requests will then be + distributed among the parents based on the CARP load + balancing hash function based on their weigth. + + 'multicast-responder' indicates that the named peer + is a member of a multicast group. ICP queries will + not be sent directly to the peer, but ICP replies + will be accepted from it. + + 'closest-only' indicates that, for ICP_OP_MISS + replies, we'll only forward CLOSEST_PARENT_MISSes + and never FIRST_PARENT_MISSes. + + use 'no-digest' to NOT request cache digests from + this neighbor. + + 'no-netdb-exchange' disables requesting ICMP + RTT database (NetDB) from the neighbor. + + use 'no-delay' to prevent access to this neighbor + from influencing the delay pools. + + use 'login=user:password' if this is a personal/workgroup + proxy and your parent requires proxy authentication. + Note: The string can include URL escapes (i.e. %20 for + spaces). This also means that % must be written as %%. + + use 'login=PASS' if users must authenticate against + the upstream proxy. This will pass the users credentials + as they are to the peer proxy. This only works for the + Basic HTTP authentication sheme. Note: To combine this + with proxy_auth both proxies must share the same user + database as HTTP only allows for one proxy login. + Also be warned that this will expose your users proxy + password to the peer. USE WITH CAUTION + + use 'login=*:password' to pass the username to the + upstream cache, but with a fixed password. This is meant + to be used when the peer is in another administrative + domain, but it is still needed to identify each user. + The star can optionally be followed by some extra + information which is added to the username. This can + be used to identify this proxy to the peer, similar to + the login=username:password option above. + + use 'connect-timeout=nn' to specify a peer + specific connect timeout (also see the + peer_connect_timeout directive) + + use 'digest-url=url' to tell Squid to fetch the cache + digest (if digests are enabled) for this host from + the specified URL rather than the Squid default + location. + + use 'allow-miss' to disable Squid's use of only-if-cached + when forwarding requests to siblings. This is primarily + useful when icp_hit_stale is used by the sibling. To + extensive use of this option may result in forwarding + loops, and you should avoid having two-way peerings + with this option. (for example to deny peer usage on + requests from peer by denying cache_peer_access if the + source is a peer) + + use 'max-conn' to limit the amount of connections Squid + may open to this peer. + + 'originserver' causes this parent peer to be contacted as + a origin server. Meant to be used in accelerator setups. + + use 'name=xxx' if you have multiple peers on the same + host but different ports. This name can then be used to + differentiate the peers in cache_peer_access and similar + directives. + + use 'forceddomain=name' to forcibly set + the Host header + of requests forwarded to this peer. Useful in accelerator + setups where the server (peer) expects a certain domain + name and using redirectors to feed this domainname + is not feasible. + + use 'ssl' to indicate that connections to this peer should + bs SSL/TLS encrypted. + + use 'sslcert=/path/to/ssl/certificate' to specify a client + SSL certificate to use when connecting to this peer. + + use 'sslkey=/path/to/ssl/key' to specify the private SSL + key corresponding to sslcert above. If 'sslkey' is not + specified then 'sslcert' is assumed to reference a + combined file containing both the certificate and the key. + + use sslversion=1|2|3|4 to specify the SSL version to use + when connecting to this peer + 1 = automatic (default) + 2 = SSL v2 only + 3 = SSL v3 only + 4 = TLS v1 only + + use sslcipher=... to specify the list of valid SSL chipers + to use when connecting to this peer + + use ssloptions=... to specify various SSL engine options: + NO_SSLv2 Disallow the use of SSLv2 + NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1 + See src/ssl_support.c or the OpenSSL documentation for + a more complete list. + + use cafile=... to specify a file containing additional + CA certificates to use when verifying the peer certificate + + use capath=... to specify a directory containing additional + CA certificates to use when verifying the peer certificate + + use sslflags=... to specify various flags modifying the + SSL implementation: + DONT_VERIFY_PEER + Accept certificates even if they fail to + verify. + NO_DEFAULT_CA + Don't use the default CA list built in + to OpenSSL. + DONT_VERIFY_DOMAIN + Don't verify that the peer certificate + matches the server name + + use sslname= to specify the peer name as advertised + in it's certificate. Used for verifying the correctness + of the received peer certificate. If not specified the + peer hostname will be used. + + use front-end-https to enable the "Front-End-Https: On" + header needed when using Squid as a SSL frontend infront + of Microsoft OWA. See MS KB document Q307347 for details + on this header. If set to auto then the header will + only be added if the request is forwarded as a https:// + URL. + + NOTE: non-ICP neighbors must be specified as 'parent'. + DOC_END + + NAME: cache_peer_domain cache_host_domain + TYPE: hostdomain + DEFAULT: none + LOC: none + DOC_START + Use to limit the domains for which a neighbor cache will be + queried. Usage: + + cache_peer_domain cache-host domain [domain ...] + cache_peer_domain cache-host !domain + + For example, specifying + + cache_peer_domain parent.foo.net .edu + + has the effect such that UDP query packets are sent to + 'bigserver' only when the requested object exists on a + server in the .edu domain. Prefixing the domainname + with '!' means that the cache will be queried for objects + NOT in that domain. + + NOTE: * Any number of domains may be given for a cache-host, + either on the same or separate lines. + * When multiple domains are given for a particular + cache-host, the first matched domain is applied. + * Cache hosts with no domain restrictions are queried + for all requests. + * There are no defaults. + * There is also a 'cache_peer_access' tag in the ACL + section. + DOC_END + + + NAME: neighbor_type_domain + TYPE: hostdomaintype + DEFAULT: none + LOC: none + DOC_START + usage: neighbor_type_domain parent|sibling domain domain ... + + Modifying the neighbor type for specific domains is now + possible. You can treat some domains differently than the the + default neighbor type specified on the 'cache_peer' line. + Normally it should only be necessary to list domains which + should be treated differently because the default neighbor type + applies for hostnames which do not match domains listed here. + + EXAMPLE: + cache_peer parent cache.foo.org 3128 3130 + neighbor_type_domain cache.foo.org sibling .com .net + neighbor_type_domain cache.foo.org sibling .au .de + DOC_END + + NAME: icp_query_timeout + COMMENT: (msec) + DEFAULT: 0 + TYPE: int + LOC: Config.Timeout.icp_query + DOC_START + Normally Squid will automatically determine an optimal ICP + query timeout value based on the round-trip-time of recent ICP + queries. If you want to override the value determined by + Squid, set this 'icp_query_timeout' to a non-zero value. This + value is specified in MILLISECONDS, so, to use a 2-second + timeout (the old default), you would write: + + icp_query_timeout 2000 + DOC_END + + NAME: maximum_icp_query_timeout + COMMENT: (msec) + DEFAULT: 2000 + TYPE: int + LOC: Config.Timeout.icp_query_max + DOC_START + Normally the ICP query timeout is determined dynamically. But + sometimes it can lead to very large values (say 5 seconds). + Use this option to put an upper limit on the dynamic timeout + value. Do NOT use this option to always use a fixed (instead + of a dynamic) timeout value. To set a fixed timeout see the + 'icp_query_timeout' directive. + DOC_END + + NAME: minimum_icp_query_timeout + COMMENT: (msec) + DEFAULT: 5 + TYPE: int + LOC: Config.Timeout.icp_query_min + DOC_START + Normally the ICP query timeout is determined dynamically. But + sometimes it can lead to very small timeouts, even lower than + the normal latency variance on your link due to traffic. + Use this option to put an lower limit on the dynamic timeout + value. Do NOT use this option to always use a fixed (instead + of a dynamic) timeout value. To set a fixed timeout see the + 'icp_query_timeout' directive. + DOC_END + + NAME: mcast_icp_query_timeout + COMMENT: (msec) + DEFAULT: 2000 + TYPE: int + LOC: Config.Timeout.mcast_icp_query + DOC_START + For Multicast peers, Squid regularly sends out ICP "probes" to + count how many other peers are listening on the given multicast + address. This value specifies how long Squid should wait to + count all the replies. The default is 2000 msec, or 2 + seconds. + DOC_END + + NAME: dead_peer_timeout + COMMENT: (seconds) + DEFAULT: 10 seconds + TYPE: time_t + LOC: Config.Timeout.deadPeer + DOC_START + This controls how long Squid waits to declare a peer cache + as "dead." If there are no ICP replies received in this + amount of time, Squid will declare the peer dead and not + expect to receive any further ICP replies. However, it + continues to send ICP queries, and will mark the peer as + alive upon receipt of the first subsequent ICP reply. + + This timeout also affects when Squid expects to receive ICP + replies from peers. If more than 'dead_peer' seconds have + passed since the last ICP reply was received, Squid will not + expect to receive an ICP reply on the next query. Thus, if + your time between requests is greater than this timeout, you + will see a lot of requests sent DIRECT to origin servers + instead of to your parents. + DOC_END + + + NAME: hierarchy_stoplist + TYPE: wordlist + DEFAULT: none + LOC: Config.hierarchy_stoplist + DOC_START + A list of words which, if found in a URL, cause the object to + be handled directly by this cache. In other words, use this + to not query neighbor caches for certain objects. You may + list this option multiple times. + NOCOMMENT_START +#We recommend you to use at least the following line. + hierarchy_stoplist cgi-bin ? + NOCOMMENT_END + DOC_END - "ufs" is the old well-known Squid storage format that has always - been there. - - cache_dir ufs Directory-Name Mbytes L1 L2 [options] - - 'Mbytes' is the amount of disk space (MB) to use under this - directory. The default is 100 MB. Change this to suit your - configuration. Do NOT put the size of your disk drive here. - Instead, if you want Squid to use the entire disk drive, - subtract 20% and use that value. - - 'Level-1' is the number of first-level subdirectories which - will be created under the 'Directory'. The default is 16. - - 'Level-2' is the number of second-level subdirectories which - will be created under each first-level directory. The default - is 256. - - The aufs store type: - - "aufs" uses the same storage format as "ufs", utilizing - POSIX-threads to avoid blocking the main Squid process on - disk-I/O. This was formerly known in Squid as async-io. - - cache_dir aufs Directory-Name Mbytes L1 L2 [options] - - see argument descriptions under ufs above - - The diskd store type: - - "diskd" uses the same storage format as "ufs", utilizing a - separate process to avoid blocking the main Squid process on - disk-I/O. - - cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] - - see argument descriptions under ufs above - - Q1 specifies the number of unacknowledged I/O requests when Squid - stops opening new files. If this many messages are in the queues, - Squid won't open new files. Default is 64 - - Q2 specifies the number of unacknowledged messages when Squid - starts blocking. If this many messages are in the queues, - Squid blocks until it recevies some replies. Default is 72 - - Common options: - - read-only, this cache_dir is read only. - - max-size=n, refers to the max object size this storedir supports. - It is used to initially choose the storedir to dump the object. - Note: To make optimal use of the max-size limits you should order - the cache_dir lines with the smallest max-size value first and the - ones with no max-size specification last. -DOC_END - - -NAME: cache_access_log -TYPE: string -DEFAULT: @DEFAULT_ACCESS_LOG@ -LOC: Config.Log.access -DOC_START - Logs the client request activity. Contains an entry for - every HTTP and ICP queries received. To disable, enter "none". -DOC_END - - -NAME: cache_log -TYPE: string -DEFAULT: @DEFAULT_CACHE_LOG@ -LOC: Config.Log.log -DOC_START - Cache logging file. This is where general information about - your cache's behavior goes. You can increase the amount of data - logged to this file with the "debug_options" tag below. -DOC_END - - -NAME: cache_store_log -TYPE: string -DEFAULT: @DEFAULT_STORE_LOG@ -LOC: Config.Log.store -DOC_START - Logs the activities of the storage manager. Shows which - objects are ejected from the cache, and which objects are - saved and for how long. To disable, enter "none". There are - not really utilities to analyze this data, so you can safely - disable it. -DOC_END - - -NAME: cache_swap_log -TYPE: string -LOC: Config.Log.swap -DEFAULT: none -DOC_START - Location for the cache "swap.log." This log file holds the - metadata of objects saved on disk. It is used to rebuild the - cache during startup. Normally this file resides in each - 'cache_dir' directory, but you may specify an alternate - pathname here. Note you must give a full filename, not just - a directory. Since this is the index for the whole object - list you CANNOT periodically rotate it! - - If %s can be used in the file name then it will be replaced with a - a representation of the cache_dir name where each / is replaced - with '.'. This is needed to allow adding/removing cache_dir - lines when cache_swap_log is being used. - - If have more than one 'cache_dir', and %s is not used in the name - then these swap logs will have names such as: - - cache_swap_log.00 - cache_swap_log.01 - cache_swap_log.02 - - The numbered extension (which is added automatically) - corresponds to the order of the 'cache_dir' lines in this - configuration file. If you change the order of the 'cache_dir' - lines in this file, then these log files will NOT correspond to - the correct 'cache_dir' entry (unless you manually rename - them). We recommend that you do NOT use this option. It is - better to keep these log files in each 'cache_dir' directory. -DOC_END - - -NAME: emulate_httpd_log -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.common_log -DOC_START - The Cache can emulate the log file format which many 'httpd' - programs use. To disable/enable this emulation, set - emulate_httpd_log to 'off' or 'on'. The default - is to use the native log format since it includes useful - information that Squid-specific log analyzers use. -DOC_END - -NAME: log_ip_on_direct -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.log_ip_on_direct -DOC_START - Log the destination IP address in the hierarchy log tag when going - direct. Earlier Squid versions logged the hostname here. If you - prefer the old way set this to off. -DOC_END - -NAME: mime_table -TYPE: string -DEFAULT: @DEFAULT_MIME_TABLE@ -LOC: Config.mimeTablePathname -DOC_START - Pathname to Squid's MIME table. You shouldn't need to change - this, but the default file contains examples and formatting - information if you do. -DOC_END - - -NAME: log_mime_hdrs -COMMENT: on|off -TYPE: onoff -LOC: Config.onoff.log_mime_hdrs -DEFAULT: off -DOC_START - The Cache can record both the request and the response MIME - headers for each HTTP transaction. The headers are encoded - safely and will appear as two bracketed fields at the end of - the access log (for either the native or httpd-emulated log - formats). To enable this logging set log_mime_hdrs to 'on'. -DOC_END - - -NAME: useragent_log -TYPE: string -LOC: Config.Log.useragent -DEFAULT: none -IFDEF: USE_USERAGENT_LOG -DOC_START - Squid will write the User-Agent field from HTTP requests - to the filename specified here. By default useragent_log - is disabled. -DOC_END - - -NAME: referer_log -TYPE: string -LOC: Config.Log.referer -DEFAULT: none -IFDEF: USE_REFERER_LOG -DOC_START - Squid will write the Referer field from HTTP requests to the - filename specified here. By default referer_log is disabled. -DOC_END - - -NAME: pid_filename -TYPE: string -DEFAULT: @DEFAULT_PID_FILE@ -LOC: Config.pidFilename -DOC_START - A filename to write the process-id to. To disable, enter "none". -DOC_END - - -NAME: debug_options -TYPE: eol -DEFAULT: ALL,1 -LOC: Config.debugOptions -DOC_START - Logging options are set as section,level where each source file - is assigned a unique section. Lower levels result in less - output, Full debugging (level 9) can result in a very large - log file, so be careful. The magic word "ALL" sets debugging - levels for all sections. We recommend normally running with - "ALL,1". -DOC_END - - -NAME: log_fqdn -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.log_fqdn -DOC_START - Turn this on if you wish to log fully qualified domain names - in the access.log. To do this Squid does a DNS lookup of all - IP's connecting to it. This can (in some situations) increase - latency, which makes your cache seem slower for interactive - browsing. -DOC_END - - -NAME: client_netmask -TYPE: address -LOC: Config.Addrs.client_netmask -DEFAULT: 255.255.255.255 -DOC_START - A netmask for client addresses in logfiles and cachemgr output. - Change this to protect the privacy of your cache clients. - A netmask of 255.255.255.0 will log all IP's in that range with - the last digit set to '0'. -DOC_END + NAME: no_cache + TYPE: acl_access + DEFAULT: none + LOC: Config.accessList.noCache + DOC_START + A list of ACL elements which, if matched, cause the request to + not be satisfied from the cache and the reply to not be cached. + In other words, use this to force certain objects to never be cached. -COMMENT_START - OPTIONS FOR EXTERNAL SUPPORT PROGRAMS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: ftp_user -TYPE: string -DEFAULT: Squid@ -LOC: Config.Ftp.anon_user -DOC_START - If you want the anonymous login password to be more informative - (and enable the use of picky ftp servers), set this to something - reasonable for your domain, like wwwuser@somewhere.net - - The reason why this is domainless by default is that the - request can be made on the behalf of a user in any domain, - depending on how the cache is used. - Some ftp server also validate that the email address is valid - (for example perl.com). -DOC_END - -NAME: ftp_list_width -TYPE: size_t -DEFAULT: 32 -LOC: Config.Ftp.list_width -DOC_START - Sets the width of ftp listings. This should be set to fit in - the width of a standard browser. Setting this too small - can cut off long filenames when browsing ftp sites. -DOC_END - -NAME: ftp_passive -TYPE: onoff -DEFAULT: on -LOC: Config.Ftp.passive -DOC_START - If your firewall does not allow Squid to use passive - connections, then turn off this option. -DOC_END - -NAME: ftp_sanitycheck -TYPE: onoff -DEFAULT: on -LOC: Config.Ftp.sanitycheck -DOC_START - For security and data integrity reasons Squid by default performs - sanity checks of the addresses of FTP data connections ensure the - data connection is to the requested server. If you need to allow - FTP connections to servers using another IP address for the data - connection then turn this off. -DOC_END - -NAME: check_hostnames -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.check_hostnames -DOC_START - For security and stability reasons Squid by default checks - hostnames for Internet standard RFC compliance. If you do not want - Squid to perform these checks then turn this directive off. -DOC_END - -NAME: cache_dns_program -TYPE: string -IFDEF: USE_DNSSERVERS -DEFAULT: @DEFAULT_DNSSERVER@ -LOC: Config.Program.dnsserver -DOC_START - Specify the location of the executable for dnslookup process. -DOC_END - -NAME: dns_children -TYPE: int -IFDEF: USE_DNSSERVERS -DEFAULT: 5 -LOC: Config.dnsChildren -DOC_START - The number of processes spawn to service DNS name lookups. - For heavily loaded caches on large servers, you should - probably increase this value to at least 10. The maximum - is 32. The default is 5. - - You must have at least one dnsserver process. -DOC_END - -NAME: dns_retransmit_interval -TYPE: time_t -DEFAULT: 5 seconds -LOC: Config.Timeout.idns_retransmit -IFDEF: !USE_DNSSERVERS -DOC_START - Initial retransmit interval for DNS queries. The interval is - doubled each time all configured DNS servers have been tried. - -DOC_END - -NAME: dns_timeout -TYPE: time_t -DEFAULT: 5 minutes -LOC: Config.Timeout.idns_query -IFDEF: !USE_DNSSERVERS -DOC_START - DNS Query timeout. If no response is received to a DNS query - within this time then all DNS servers for the queried domain - is assumed to be unavailable. -DOC_END - -NAME: dns_defnames -COMMENT: on|off -IFDEF: USE_DNSSERVERS -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.res_defnames -IFDEF: USE_DNSSERVERS -DOC_START - Normally the 'dnsserver' disables the RES_DEFNAMES resolver - option (see res_init(3)). This prevents caches in a hierarchy - from interpreting single-component hostnames locally. To allow - dnsserver to handle single-component names, enable this - option. -DOC_END - -NAME: dns_nameservers -TYPE: wordlist -DEFAULT: none -LOC: Config.dns_nameservers -DOC_START - Use this if you want to specify a list of DNS name servers - (IP addresses) to use instead of those given in your - /etc/resolv.conf file. - On Windows platforms, if no value is specified here or in - the /etc/resolv.conf file, the list of DNS name servers are - taken from the Windows registry, both static and dynamic DHCP - configurations are supported. - - Example: dns_nameservers 10.0.0.1 192.172.0.4 -DOC_END - -NAME: hosts_file -TYPE: string -DEFAULT: @DEFAULT_HOSTS@ -LOC: Config.etcHostsPath -DOC_START - Location of the host-local IP name-address associations - database. Most Operating Systems have such a file on different - default locations: - - Un*X & Linux: /etc/hosts - - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts - (%SystemRoot% value install default is c:\winnt) - - Windows XP: %SystemRoot%\system32\drivers\etc\hosts - (%SystemRoot% value install default is c:\windows) - - Windows 9x/Me: %windir%\hosts - (%windir% value is usually c:\windows) - - Cygwin: /etc/hosts - - The file contains newline-separated definitions, in the - form ip_address_in_dotted_form name [name ...] names are - whitespace-separated. Lines beginnng with an hash (#) - character are comments. - - The file is checked at startup and upon configuration. - If set to 'none', it won't be checked. - If append_domain is used, that domain will be added to - domain-local (i.e. not containing any dot character) host - definitions. -DOC_END - -NAME: diskd_program -TYPE: string -DEFAULT: @DEFAULT_DISKD@ -LOC: Config.Program.diskd -DOC_START - Specify the location of the diskd executable. - Note that this is only useful if you have compiled in - diskd as one of the store io modules. -DOC_END - -NAME: unlinkd_program -IFDEF: USE_UNLINKD -TYPE: string -DEFAULT: @DEFAULT_UNLINKD@ -LOC: Config.Program.unlinkd -DOC_START - Specify the location of the executable for file deletion process. -DOC_END - -NAME: pinger_program -TYPE: string -DEFAULT: @DEFAULT_PINGER@ -LOC: Config.Program.pinger -IFDEF: USE_ICMP -DOC_START - Specify the location of the executable for the pinger process. -DOC_END - - -NAME: redirect_program -TYPE: wordlist -LOC: Config.Program.redirect -DEFAULT: none -DOC_START - Specify the location of the executable for the URL redirector. - Since they can perform almost any function there isn't one included. - See the FAQ (section 15) for information on how to write one. - By default, a redirector is not used. -DOC_END - - -NAME: redirect_children -TYPE: int -DEFAULT: 5 -LOC: Config.redirectChildren -DOC_START - The number of redirector processes to spawn. If you start - too few Squid will have to wait for them to process a backlog of - URLs, slowing it down. If you start too many they will use RAM - and other system resources. -DOC_END - -NAME: redirect_rewrites_host_header -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.redir_rewrites_host -DOC_START - By default Squid rewrites any Host: header in redirected - requests. If you are running an accelerator then this may - not be a wanted effect of a redirector. - - WARNING: Entries are cached on the result of the URL rewriting - process, so be careful if you have domain-virtual hosts. -DOC_END - -NAME: redirector_access -TYPE: acl_access -DEFAULT: none -LOC: Config.accessList.redirector -DOC_START - If defined, this access list specifies which requests are - sent to the redirector processes. By default all requests - are sent. -DOC_END - -NAME: auth_param -TYPE: authparam -LOC: Config.authConfiguration -DEFAULT: none -DOC_START - This is used to pass parameters to the various authentication - schemes. - format: auth_param scheme parameter [setting] - - auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd - would tell the basic authentication scheme it's program parameter. - - The order that authentication prompts are presented to the client_agent - is dependant on the order the scheme first appears in config file. - IE has a bug (it's not rfc 2617 compliant) in that it will use the basic - scheme if basic is the first entry presented, even if more secure schemes - are presented. For now use the order in the file below. If other browsers - have difficulties (don't recognise the schemes offered even if you are using - basic) then either put basic first, or disable the other schemes (by commenting - out their program entry). - - Once an authentication scheme is fully configured, it can only be shutdown - by shutting squid down and restarting. Changes can be made on the fly and - activated with a reconfigure. I.E. You can change to a different helper, - but not unconfigure the helper completely. - - === Parameters for the basic scheme follow. === - - "program" cmdline - Specify the command for the external authenticator. Such a - program reads a line containing "username password" and replies - "OK" or "ERR" in an endless loop. If you use an authenticator, - make sure you have 1 acl of type proxy_auth. By default, the - basic authentication sheme is not used unless a program is specified. - - If you want to use the traditional proxy authentication, - jump over to the ../auth_modules/NCSA directory and - type: - % make - % make install - - Then, set this line to something like - - auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd - - "children" numberofchildren - The number of authenticator processes to spawn (no default). - If you start too few Squid will have to wait for them to - process a backlog of usercode/password verifications, slowing - it down. When password verifications are done via a (slow) - network you are likely to need lots of authenticator - processes. - auth_param basic children 5 - - "realm" realmstring - Specifies the realm name which is to be reported to the - client for the basic proxy authentication scheme (part of - the text the user will see when prompted their username and - password). There is no default. - auth_param basic realm Squid proxy-caching web server - - "credentialsttl" timetolive - Specifies how long squid assumes an externally validated - username:password pair is valid for - in other words how - often the helper program is called for that user. Set this - low to force revalidation with short lived passwords. Note - that setting this high does not impact your susceptability - to replay attacks unless you are using an one-time password - system (such as SecureID). If you are using such a system, - you will be vulnerable to replay attacks unless you also - use the max_user_ip ACL in an http_access rule. - - === Parameters for the digest scheme follow === - - "program" cmdline - Specify the command for the external authenticator. Such - a program reads a line containing "username":"realm" and - replies with the appropriate H(A1) value base64 encoded. - See rfc 2616 for the definition of H(A1). If you use an - authenticator, make sure you have 1 acl of type proxy_auth. - By default, authentication is not used. - - If you want to use build an authenticator, - jump over to the ../digest_auth_modules directory and choose the - authenticator to use. It it's directory type - % make - % make install - - Then, set this line to something like - - auth_param digest program @DEFAULT_PREFIX@/bin/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass - - - "children" numberofchildren - The number of authenticator processes to spawn (no default). - If you start too few Squid will have to wait for them to - process a backlog of H(A1) calculations, slowing it down. - When the H(A1) calculations are done via a (slow) network - you are likely to need lots of authenticator processes. - auth_param digest children 5 - - "realm" realmstring - Specifies the realm name which is to be reported to the - client for the digest proxy authentication scheme (part of - the text the user will see when prompted their username and - password). There is no default. - auth_param digest realm Squid proxy-caching web server - - "nonce_garbage_interval" timeinterval - Specifies the interval that nonces that have been issued - to client_agent's are checked for validity. - - "nonce_max_duration" timeinterval - Specifies the maximum length of time a given nonce will be - valid for. - - "nonce_max_count" number - Specifies the maximum number of times a given nonce can be - used. - - "nonce_strictness" on|off - Determines if squid requires increment-by-1 behaviour for - nonce counts (on - the default), or strictly incrementing - (off - for use when useragents generate nonce counts that - occasionally miss 1 (ie, 1,2,4,6)). - - === NTLM scheme options follow === - - "program" cmdline - Specify the command for the external ntlm authenticator. - Such a program reads a line containing the uuencoded NEGOTIATE - and replies with the ntlm CHALLENGE, then waits for the - response and answers with "OK" or "ERR" in an endless loop. - If you use an ntlm authenticator, make sure you have 1 acl - of type proxy_auth. By default, the ntlm authenticator_program - is not used. - - auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth - - "children" numberofchildren - The number of authenticator processes to spawn (no default). - If you start too few Squid will have to wait for them to - process a backlog of credential verifications, slowing it - down. When crendential verifications are done via a (slow) - network you are likely to need lots of authenticator - processes. - auth_param ntlm children 5 - - "max_challenge_reuses" number - The maximum number of times a challenge given by a ntlm - authentication helper can be reused. Increasing this number - increases your exposure to replay attacks on your network. - 0 means use the challenge only once. (disable challenge - caching) See max_ntlm_challenge_lifetime for more information. - auth_param ntlm max_challenge_reuses 0 - - "max_challenge_lifetime" timespan - The maximum time period that a ntlm challenge is reused - over. The actual period will be the minimum of this time - AND the number of reused challenges. - auth_param ntlm max_challenge_lifetime 2 minutes - -NOCOMMENT_START + You must use the word 'DENY' to indicate the ACL names which should + NOT be cached. + + NOCOMMENT_START +#We recommend you to use the following two lines. + acl QUERY urlpath_regex cgi-bin \? + no_cache deny QUERY + NOCOMMENT_END + DOC_END + + NAME: background_ping_rate + COMMENT: time-units + TYPE: time_t + DEFAULT: 10 seconds + LOC: Config.backgroundPingRate + DOC_START + Controls how often the ICP pings are sent to siblings that + have background-ping set. + DOC_END + + + COMMENT_START + OPTIONS WHICH AFFECT THE CACHE SIZE + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: cache_mem + COMMENT: (bytes) + TYPE: b_size_t + DEFAULT: 8 MB + LOC: Config.memMaxSize + DOC_START + NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE. + IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL + USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER + THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS. + + 'cache_mem' specifies the ideal amount of memory to be used + for: + * In-Transit objects + * Hot Objects + * Negative-Cached objects + + Data for these objects are stored in 4 KB blocks. This + parameter specifies the ideal upper limit on the total size of + 4 KB blocks allocated. In-Transit objects take the highest + priority. + + In-transit objects have priority over the others. When + additional space is needed for incoming data, negative-cached + and hot objects will be released. In other words, the + negative-cached and hot objects will fill up any unused space + not needed for in-transit objects. + + If circumstances require, this limit will be exceeded. + Specifically, if your incoming request rate requires more than + 'cache_mem' of memory to hold in-transit objects, Squid will + exceed this limit to satisfy the new requests. When the load + decreases, blocks will be freed until the high-water mark is + reached. Thereafter, blocks will be used to store hot + objects. + DOC_END + + + NAME: cache_swap_low + COMMENT: (percent, 0-100) + TYPE: int + DEFAULT: 90 + LOC: Config.Swap.lowWaterMark + DOC_NONE + + NAME: cache_swap_high + COMMENT: (percent, 0-100) + TYPE: int + DEFAULT: 95 + LOC: Config.Swap.highWaterMark + DOC_START + + The low- and high-water marks for cache object replacement. + Replacement begins when the swap (disk) usage is above the + low-water mark and attempts to maintain utilization near the + low-water mark. As swap utilization gets close to high-water + mark object eviction becomes more aggressive. If utilization is + close to the low-water mark less replacement is done each time. + + Defaults are 90% and 95%. If you have a large cache, 5% could be + hundreds of MB. If this is the case you may wish to set these + numbers closer together. + DOC_END + + NAME: maximum_object_size + COMMENT: (bytes) + TYPE: b_size_t + DEFAULT: 4096 KB + LOC: Config.Store.maxObjectSize + DOC_START + Objects larger than this size will NOT be saved on disk. The + value is specified in kilobytes, and the default is 4MB. If + you wish to get a high BYTES hit ratio, you should probably + increase this (one 32 MB object hit counts for 3200 10KB + hits). If you wish to increase speed more than your want to + save bandwidth you should leave this low. + + NOTE: if using the LFUDA replacement policy you should increase + this value to maximize the byte hit rate improvement of LFUDA! + See replacement_policy below for a discussion of this policy. + DOC_END + + NAME: minimum_object_size + COMMENT: (bytes) + TYPE: b_size_t + DEFAULT: 0 KB + LOC: Config.Store.minObjectSize + DOC_START + Objects smaller than this size will NOT be saved on disk. The + value is specified in kilobytes, and the default is 0 KB, which + means there is no minimum. + DOC_END + + NAME: maximum_object_size_in_memory + COMMENT: (bytes) + TYPE: b_size_t + DEFAULT: 8 KB + LOC: Config.Store.maxInMemObjSize + DOC_START + Objects greater than this size will not be attempted to kept in + the memory cache. This should be set high enough to keep objects + accessed frequently in memory to improve performance whilst low + enough to keep larger objects from hoarding cache_mem . + DOC_END + + NAME: ipcache_size + COMMENT: (number of entries) + TYPE: int + DEFAULT: 1024 + LOC: Config.ipcache.size + DOC_NONE + + NAME: ipcache_low + COMMENT: (percent) + TYPE: int + DEFAULT: 90 + LOC: Config.ipcache.low + DOC_NONE + + NAME: ipcache_high + COMMENT: (percent) + TYPE: int + DEFAULT: 95 + LOC: Config.ipcache.high + DOC_START + The size, low-, and high-water marks for the IP cache. + DOC_END + + NAME: fqdncache_size + COMMENT: (number of entries) + TYPE: int + DEFAULT: 1024 + LOC: Config.fqdncache.size + DOC_START + Maximum number of FQDN cache entries. + DOC_END + + NAME: cache_replacement_policy + TYPE: removalpolicy + LOC: Config.replPolicy + DEFAULT: lru + DOC_START + The cache replacement policy parameter determines which + objects are evicted (replaced) when disk space is needed. + + lru : Squid's original list based LRU policy + heap GDSF : Greedy-Dual Size Frequency + heap LFUDA: Least Frequently Used with Dynamic Aging + heap LRU : LRU policy implemented using a heap + + Applies to any cache_dir lines listed below this. + + The LRU policies keeps recently referenced objects. + + The heap GDSF policy optimizes object hit rate by keeping smaller + popular objects in cache so it has a better chance of getting a + hit. It achieves a lower byte hit rate than LFUDA though since + it evicts larger (possibly popular) objects. + + The heap LFUDA policy keeps popular objects in cache regardless of + their size and thus optimizes byte hit rate at the expense of + hit rate since one large, popular object will prevent many + smaller, slightly less popular objects from being cached. + + Both policies utilize a dynamic aging mechanism that prevents + cache pollution that can otherwise occur with frequency-based + replacement policies. + + NOTE: if using the LFUDA replacement policy you should increase + the value of maximum_object_size above its default of 4096 KB to + to maximize the potential byte hit rate improvement of LFUDA. + + For more information about the GDSF and LFUDA cache replacement + policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html + and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. + DOC_END + + NAME: memory_replacement_policy + TYPE: removalpolicy + LOC: Config.memPolicy + DEFAULT: lru + DOC_START + The memory replacement policy parameter determines which + objects are purged from memory when memory space is needed. + + See cache_replacement_policy for details. + DOC_END + + + COMMENT_START + LOGFILE PATHNAMES AND CACHE DIRECTORIES + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: cache_dir + TYPE: cachedir + DEFAULT: none + DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256 + LOC: Config.cacheSwap + DOC_START + Usage: + + cache_dir Type Directory-Name Fs-specific-data [options] + + cache_dir diskd Maxobjsize Directory-Name MB L1 L2 Q1 Q2 + + You can specify multiple cache_dir lines to spread the + cache among different disk partitions. + + Type specifies the kind of storage system to use. Only "ufs" + is built by default. To eanble any of the other storage systems + see the --enable-storeio configure option. + + 'Directory' is a top-level directory where cache swap + files will be stored. If you want to use an entire disk + for caching, then this can be the mount-point directory. + The directory must exist and be writable by the Squid + process. Squid will NOT create this directory for you. + + The ufs store type: + + "ufs" is the old well-known Squid storage format that has always + been there. + + cache_dir ufs Directory-Name Mbytes L1 L2 [options] + + 'Mbytes' is the amount of disk space (MB) to use under this + directory. The default is 100 MB. Change this to suit your + configuration. Do NOT put the size of your disk drive here. + Instead, if you want Squid to use the entire disk drive, + subtract 20% and use that value. + + 'Level-1' is the number of first-level subdirectories which + will be created under the 'Directory'. The default is 16. + + 'Level-2' is the number of second-level subdirectories which + will be created under each first-level directory. The default + is 256. + + The aufs store type: + + "aufs" uses the same storage format as "ufs", utilizing + POSIX-threads to avoid blocking the main Squid process on + disk-I/O. This was formerly known in Squid as async-io. + + cache_dir aufs Directory-Name Mbytes L1 L2 [options] + + see argument descriptions under ufs above + + The diskd store type: + + "diskd" uses the same storage format as "ufs", utilizing a + separate process to avoid blocking the main Squid process on + disk-I/O. + + cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] + + see argument descriptions under ufs above + + Q1 specifies the number of unacknowledged I/O requests when Squid + stops opening new files. If this many messages are in the queues, + Squid won't open new files. Default is 64 + + Q2 specifies the number of unacknowledged messages when Squid + starts blocking. If this many messages are in the queues, + Squid blocks until it recevies some replies. Default is 72 + + Common options: + + read-only, this cache_dir is read only. + + max-size=n, refers to the max object size this storedir supports. + It is used to initially choose the storedir to dump the object. + Note: To make optimal use of the max-size limits you should order + the cache_dir lines with the smallest max-size value first and the + ones with no max-size specification last. + DOC_END + + + NAME: cache_access_log + TYPE: string + DEFAULT: @DEFAULT_ACCESS_LOG@ + LOC: Config.Log.access + DOC_START + Logs the client request activity. Contains an entry for + every HTTP and ICP queries received. To disable, enter "none". + DOC_END + + + NAME: cache_log + TYPE: string + DEFAULT: @DEFAULT_CACHE_LOG@ + LOC: Config.Log.log + DOC_START + Cache logging file. This is where general information about + your cache's behavior goes. You can increase the amount of data + logged to this file with the "debug_options" tag below. + DOC_END + + + NAME: cache_store_log + TYPE: string + DEFAULT: @DEFAULT_STORE_LOG@ + LOC: Config.Log.store + DOC_START + Logs the activities of the storage manager. Shows which + objects are ejected from the cache, and which objects are + saved and for how long. To disable, enter "none". There are + not really utilities to analyze this data, so you can safely + disable it. + DOC_END + + + NAME: cache_swap_log + TYPE: string + LOC: Config.Log.swap + DEFAULT: none + DOC_START + Location for the cache "swap.log." This log file holds the + metadata of objects saved on disk. It is used to rebuild the + cache during startup. Normally this file resides in each + 'cache_dir' directory, but you may specify an alternate + pathname here. Note you must give a full filename, not just + a directory. Since this is the index for the whole object + list you CANNOT periodically rotate it! + + If %s can be used in the file name then it will be replaced with a + a representation of the cache_dir name where each / is replaced + with '.'. This is needed to allow adding/removing cache_dir + lines when cache_swap_log is being used. + + If have more than one 'cache_dir', and %s is not used in the name + then these swap logs will have names such as: + + cache_swap_log.00 + cache_swap_log.01 + cache_swap_log.02 + + The numbered extension (which is added automatically) + corresponds to the order of the 'cache_dir' lines in this + configuration file. If you change the order of the 'cache_dir' + lines in this file, then these log files will NOT correspond to + the correct 'cache_dir' entry (unless you manually rename + them). We recommend that you do + NOT use this option. It is + better to keep these log files in each 'cache_dir' directory. + DOC_END + + + NAME: emulate_httpd_log + COMMENT: on|off + TYPE: onoff + DEFAULT: off + LOC: Config.onoff.common_log + DOC_START + The Cache can emulate the log file format which many 'httpd' + programs use. To disable/enable this emulation, set + emulate_httpd_log to 'off' or 'on'. The default + is to use the native log format since it includes useful + information that Squid-specific log analyzers use. + DOC_END + + NAME: log_ip_on_direct + COMMENT: on|off + TYPE: onoff + DEFAULT: on + LOC: Config.onoff.log_ip_on_direct + DOC_START + Log the destination IP address in the hierarchy log tag when going + direct. Earlier Squid versions logged the hostname here. If you + prefer the old way set + this to off. + DOC_END + + NAME: mime_table + TYPE: string + DEFAULT: @DEFAULT_MIME_TABLE@ + LOC: Config.mimeTablePathname + DOC_START + Pathname to Squid's MIME table. You shouldn't need to change + this, but the default file contains examples and formatting + information if you do. + DOC_END + + + NAME: log_mime_hdrs + COMMENT: on|off + TYPE: onoff + LOC: Config.onoff.log_mime_hdrs + DEFAULT: off + DOC_START + The Cache can record both the request and the response MIME + headers for each HTTP transaction. The headers are encoded + safely and will appear as two bracketed fields at the end of + the access log (for either the native or httpd-emulated log + formats). To enable this logging set + log_mime_hdrs to 'on'. + DOC_END + + + NAME: useragent_log + TYPE: string + LOC: Config.Log.useragent + DEFAULT: none + IFDEF: USE_USERAGENT_LOG + DOC_START + Squid will write the User-Agent field from HTTP requests + to the filename specified here. By default useragent_log + is disabled. + DOC_END + + + NAME: referer_log + TYPE: string + LOC: Config.Log.referer + DEFAULT: none + IFDEF: USE_REFERER_LOG + DOC_START + Squid will write the Referer field from HTTP requests to the + filename specified here. By default referer_log is disabled. + DOC_END + + + NAME: pid_filename + TYPE: string + DEFAULT: @DEFAULT_PID_FILE@ + LOC: Config.pidFilename + DOC_START + A filename to write the process-id to. To disable, enter "none". + DOC_END + + + NAME: debug_options + TYPE: eol + DEFAULT: ALL,1 + LOC: Config.debugOptions + DOC_START + Logging options are set + as section,level where each source file + is assigned a unique section. Lower levels result in less + output, Full debugging (level 9) can result in a very large + log file, so be careful. The magic word "ALL" sets debugging + levels for all sections. We recommend normally running with + "ALL,1". + DOC_END + + + NAME: log_fqdn + COMMENT: on|off + TYPE: onoff + DEFAULT: off + LOC: Config.onoff.log_fqdn + DOC_START + Turn this on if you wish to log fully qualified domain names + in the access.log. To do + this Squid does a DNS lookup of all + IP's connecting to it. This can (in some situations) increase + latency, which makes your cache seem slower for interactive + browsing. + DOC_END + + + NAME: client_netmask + TYPE: address + LOC: Config.Addrs.client_netmask + DEFAULT: 255.255.255.255 + DOC_START + A netmask for client addresses in logfiles and cachemgr output. + Change this to protect the privacy of your cache clients. + A netmask of 255.255.255.0 will log all IP's in that range with + the last digit set + to '0'. + DOC_END + + + COMMENT_START + OPTIONS FOR EXTERNAL SUPPORT PROGRAMS + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: ftp_user + TYPE: string + DEFAULT: Squid@ + LOC: Config.Ftp.anon_user + DOC_START + If you want the anonymous login password to be more informative + (and enable the use of picky ftp servers), set + this to something + reasonable for your domain, like wwwuser@somewhere.net + + The reason why this is domainless by default is that the + request can be made on the behalf of a user in any domain, + depending on how the cache is used. + Some ftp server also validate that the email address is valid + (for example perl.com). + DOC_END + + NAME: ftp_list_width + TYPE: size_t + DEFAULT: 32 + LOC: Config.Ftp.list_width + DOC_START + Sets the width of ftp listings. This should be set + to fit in + the width of a standard browser. Setting this too small + can cut off long filenames when browsing ftp sites. + DOC_END + + NAME: ftp_passive + TYPE: onoff + DEFAULT: on + LOC: Config.Ftp.passive + DOC_START + If your firewall does not allow Squid to use passive + connections, then turn off this option. + DOC_END + + NAME: ftp_sanitycheck + TYPE: onoff + DEFAULT: on + LOC: Config.Ftp.sanitycheck + DOC_START + For security and data integrity reasons Squid by default performs + sanity checks of the addresses of FTP data connections ensure the + data connection is to the requested server. If you need to allow + FTP connections to servers using another IP address for the data + connection then turn this off. + DOC_END + + NAME: check_hostnames + TYPE: onoff + DEFAULT: on + LOC: Config.onoff.check_hostnames + DOC_START + For security and stability reasons Squid by default checks + hostnames for Internet standard RFC compliance. If you do + not want + Squid to perform these checks then turn this directive off. + DOC_END + + NAME: cache_dns_program + TYPE: string + IFDEF: USE_DNSSERVERS + DEFAULT: @DEFAULT_DNSSERVER@ + LOC: Config.Program.dnsserver + DOC_START + Specify the location of the executable for dnslookup process. + DOC_END + + NAME: dns_children + TYPE: int + IFDEF: USE_DNSSERVERS + DEFAULT: 5 + LOC: Config.dnsChildren + DOC_START + The number of processes spawn to service DNS name lookups. + For heavily loaded caches on large servers, you should + probably increase this value to at least 10. The maximum + is 32. The default is 5. + + You must have at least one dnsserver process. + DOC_END + + NAME: dns_retransmit_interval + TYPE: time_t + DEFAULT: 5 seconds + LOC: Config.Timeout.idns_retransmit + IFDEF: !USE_DNSSERVERS + DOC_START + Initial retransmit interval for DNS queries. The interval is + doubled each time all configured DNS servers have been tried. + + DOC_END + + NAME: dns_timeout + TYPE: time_t + DEFAULT: 5 minutes + LOC: Config.Timeout.idns_query + IFDEF: !USE_DNSSERVERS + DOC_START + DNS Query timeout. If no response is received to a DNS query + within this time then all DNS servers for the queried domain + is assumed to be unavailable. + DOC_END + + NAME: dns_defnames + COMMENT: on|off + IFDEF: USE_DNSSERVERS + TYPE: onoff + DEFAULT: off + LOC: Config.onoff.res_defnames + IFDEF: USE_DNSSERVERS + DOC_START + Normally the 'dnsserver' disables the RES_DEFNAMES resolver + option (see res_init(3)). This prevents caches in a hierarchy + from interpreting single-component hostnames locally. To allow + dnsserver to handle single-component names, enable this + option. + DOC_END + + NAME: dns_nameservers + TYPE: wordlist + DEFAULT: none + LOC: Config.dns_nameservers + DOC_START + Use this if you want to specify a list of DNS name servers + (IP addresses) to use instead of those given in your + /etc/resolv.conf file. + On Windows platforms, if no value is specified here or in + the /etc/resolv.conf file, the list of DNS name servers are + taken from the Windows registry, both static and dynamic DHCP + configurations are supported. + + Example: dns_nameservers 10.0.0.1 192.172.0.4 + DOC_END + + NAME: hosts_file + TYPE: string + DEFAULT: @DEFAULT_HOSTS@ + LOC: Config.etcHostsPath + DOC_START + Location of the host-local IP name-address associations + database. Most Operating Systems have such a file on different + default locations: + - Un*X & Linux: /etc/hosts + - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts + (%SystemRoot% value install default is c:\winnt) + - Windows XP: %SystemRoot%\system32\drivers\etc\hosts + (%SystemRoot% value install default is c:\windows) + - Windows 9x/Me: %windir%\hosts + (%windir% value is usually c:\windows) + - Cygwin: /etc/hosts + + The file contains newline-separated definitions, in the + form ip_address_in_dotted_form name [name ...] names are + whitespace-separated. Lines beginnng with an hash (#) + character are comments. + + The file is checked at startup and upon configuration. + If set + to 'none', it won't be checked. + If append_domain is used, that domain will be added to + domain-local (i.e. not containing any dot character) host + definitions. + DOC_END + + NAME: diskd_program + TYPE: string + DEFAULT: @DEFAULT_DISKD@ + LOC: Config.Program.diskd + DOC_START + Specify the location of the diskd executable. + Note that this is only useful if you have compiled in + diskd as one of the store io modules. + DOC_END + + NAME: unlinkd_program + IFDEF: USE_UNLINKD + TYPE: string + DEFAULT: @DEFAULT_UNLINKD@ + LOC: Config.Program.unlinkd + DOC_START + Specify the location of the executable for file deletion process. + DOC_END + + NAME: pinger_program + TYPE: string + DEFAULT: @DEFAULT_PINGER@ + LOC: Config.Program.pinger + IFDEF: USE_ICMP + DOC_START + Specify the location of the executable for the pinger process. + DOC_END + + + NAME: redirect_program + TYPE: wordlist + LOC: Config.Program.redirect + DEFAULT: none + DOC_START + Specify the location of the executable for the URL redirector. + Since they can perform almost any function there isn't one included. + See the FAQ (section 15) for information on how to write one. + By default, a redirector is not used. + DOC_END + + + NAME: redirect_children + TYPE: int + DEFAULT: 5 + LOC: Config.redirectChildren + DOC_START + The number of redirector processes to spawn. If you start + too few Squid will have to wait for them to process a backlog of + URLs, slowing it down. If you start too many they will use RAM + and other system resources. + DOC_END + + NAME: redirect_rewrites_host_header + TYPE: onoff + DEFAULT: on + LOC: Config.onoff.redir_rewrites_host + DOC_START + By default Squid rewrites any Host: header in redirected + requests. If you are running an accelerator then this may + not be a wanted effect of a redirector. + + WARNING: Entries are cached on the result of the URL rewriting + process, so be careful if you have domain-virtual hosts. + DOC_END + + NAME: redirector_access + TYPE: acl_access + DEFAULT: none + LOC: Config.accessList.redirector + DOC_START + If defined, this access list specifies which requests are + sent to the redirector processes. By default all requests + are sent. + DOC_END + + NAME: auth_param + TYPE: authparam + LOC: Config.authConfiguration + DEFAULT: none + DOC_START + This is used to pass parameters to the various authentication + schemes. + format: auth_param scheme parameter [setting] + + auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd + would tell the basic authentication scheme it's program parameter. + + The order that authentication prompts are presented to the client_agent + is dependant on the order the scheme first appears in config file. + IE has a bug (it's not rfc 2617 compliant) in that it will use the basic + scheme if basic is the first entry presented, even if more secure schemes + are presented. For now use the order in the file below. If other browsers + have difficulties (don't recognise the schemes offered even if you are using + basic) then either put basic first, or disable the other schemes (by commenting + out their program entry). + + Once an authentication scheme is fully configured, it can only be shutdown + by shutting squid down and restarting. Changes can be made on the fly and + activated with a reconfigure. I.E. You can change to a different helper, + but not unconfigure the helper completely. + + === Parameters for the basic scheme follow. === + + "program" cmdline + Specify the command for the external authenticator. Such a + program reads a line containing "username password" and replies + "OK" or "ERR" in an endless loop. If you use an authenticator, + make sure you have 1 acl of type proxy_auth. By default, the + basic authentication sheme is not used unless a program is specified. + + If you want to use the traditional proxy authentication, + jump over to the ../auth_modules/NCSA directory and + type: + % make + % make install + + Then, set this line to something like + + auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd + + "children" numberofchildren + The number of authenticator processes to spawn (no default). + If you start too few Squid will have to wait for them to + process a backlog of usercode/password verifications, slowing + it down. When password verifications are done via a (slow) + network you are likely to need lots of authenticator + processes. + auth_param basic children 5 + + "realm" realmstring + Specifies the realm name which is to be reported to the + client for the basic proxy authentication scheme (part of + the text the user will see when prompted their username and + password). There is no default. + auth_param basic realm Squid proxy-caching web server + + "credentialsttl" timetolive + Specifies how long squid assumes an externally validated + username:password pair is valid for - in other words how + often the helper program is called for that user. Set this + low to force revalidation with short lived passwords. Note + that setting this high does not impact your susceptability + to replay attacks unless you are using an one-time password + system (such as SecureID). If you are using such a system, + you will be vulnerable to replay attacks unless you also + use the max_user_ip ACL in an http_access rule. + + === Parameters for the digest scheme follow === + + "program" cmdline + Specify the command for the external authenticator. Such + a program reads a line containing "username":"realm" and + replies with the appropriate H(A1) value base64 encoded. + See rfc 2616 for the definition of H(A1). If you use an + authenticator, make sure you have 1 acl of type proxy_auth. + By default, authentication is not used. + + If you want to use build an authenticator, + jump over to the ../digest_auth_modules directory and choose the + authenticator to use. It it's directory type + % make + % make install + + Then, set + this line to something like + + auth_param digest program @DEFAULT_PREFIX@/bin/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass + + + "children" numberofchildren + The number of authenticator processes to spawn (no default). + If you start too few Squid will have to wait for them to + process a backlog of H(A1) calculations, slowing it down. + When the H(A1) calculations are done via a (slow) network + you are likely to need lots of authenticator processes. + auth_param digest children 5 + + "realm" realmstring + Specifies the realm name which is to be reported to the + client for the digest proxy authentication scheme (part of + the text the user will see when prompted their username and + password). There is no default. + auth_param digest realm Squid proxy-caching web server + + "nonce_garbage_interval" timeinterval + Specifies the interval that nonces that have been issued + to client_agent's are checked for validity. + + "nonce_max_duration" timeinterval + Specifies the maximum length of time a given nonce will be + valid for. + + "nonce_max_count" number + Specifies the maximum number of times a given nonce can be + used. + + "nonce_strictness" on|off + Determines if squid requires increment-by-1 behaviour for + nonce counts (on - the default), or strictly incrementing + (off - for use when useragents generate nonce counts that + occasionally miss 1 (ie, 1,2,4,6)). + + === NTLM scheme options follow === + + "program" cmdline + Specify the command for the external ntlm authenticator. + Such a program reads a line containing the uuencoded NEGOTIATE + and replies with the ntlm CHALLENGE, then waits for the + response and answers with "OK" or "ERR" in an endless loop. + If you use an ntlm authenticator, make sure you have 1 acl + of type proxy_auth. By default, the ntlm authenticator_program + is not used. + + auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth + + "children" numberofchildren + The number of authenticator processes to spawn (no default). + If you start too few Squid will have to wait for them to + process a backlog of credential verifications, slowing it + down. When crendential verifications are done via a (slow) + network you are likely to need lots of authenticator + processes. + auth_param ntlm children 5 + + "max_challenge_reuses" number + The maximum number of times a challenge given by a ntlm + authentication helper can be reused. Increasing this number + increases your exposure to replay attacks on your network. + 0 means use the challenge only once. (disable challenge + caching) See max_ntlm_challenge_lifetime for more information. + auth_param ntlm max_challenge_reuses 0 + + "max_challenge_lifetime" timespan + The maximum time period that a ntlm challenge is reused + over. The actual period will be the minimum of this time + AND the number of reused challenges. + auth_param ntlm max_challenge_lifetime 2 minutes + + NOCOMMENT_START #Recommended minimum configuration: #auth_param digest program #auth_param digest children 5 @@ -1671,556 +1701,561 @@ NOCOMMENT_START #auth_param ntlm max_challenge_reuses 0 #auth_param ntlm max_challenge_lifetime 2 minutes #auth_param basic program -auth_param basic children 5 -auth_param basic realm Squid proxy-caching web server -auth_param basic credentialsttl 2 hours -NOCOMMENT_END -DOC_END - -NAME: authenticate_cache_garbage_interval -TYPE: time_t -DEFAULT: 1 hour -LOC: Config.authenticateGCInterval -DOC_START - The time period between garbage collection across the - username cache. This is a tradeoff between memory utilisation - (long intervals - say 2 days) and CPU (short intervals - - say 1 minute). Only change if you have good reason to. -DOC_END - -NAME: authenticate_ttl -TYPE: time_t -DEFAULT: 1 hour -LOC: Config.authenticateTTL -DOC_START - The time a user & their credentials stay in the logged in - user cache since their last request. When the garbage - interval passes, all user credentials that have passed their - TTL are removed from memory. -DOC_END - -NAME: authenticate_ip_ttl -TYPE: time_t -LOC: Config.authenticateIpTTL -DEFAULT: 0 seconds -DOC_START - If you use proxy authentication and the 'max_user_ip' ACL, - this directive controls how long Squid remembers the IP - addresses associated with each user. Use a small value - (e.g., 60 seconds) if your users might change addresses - quickly, as is the case with dialups. You might be safe - using a larger value (e.g., 2 hours) in a corporate LAN - environment with relatively static address assignments. -DOC_END - -NAME: external_acl_type -TYPE: externalAclHelper -LOC: Config.externalAclHelperList -DEFAULT: none -DOC_START - This option defines external acl classes using a helper program - to look up the status - - external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] - - Options: - - ttl=n TTL in seconds for cached results (defaults to 3600 - for 1 hour) - negative_ttl=n - TTL for cached negative lookups (default same - as ttl) - children=n Number of acl helper processes spawn to service - external acl lookups of this type. - cache=n result cache size, 0 is unbounded (default) - - FORMAT specifications - - %LOGIN Authenticated user login name - %IDENT Ident user name - %SRC Client IP - %DST Requested host - %PROTO Requested protocol - %PORT Requested port - %PATH Requested URL path - %METHOD Request method - %USER_CERT_xx SSL User certificate attribute xx - %USER_CA_xx SSL User certificate CA attribute xx - %{Header} HTTP request header - %{Hdr:member} HTTP request header list member - %{Hdr:;member} - HTTP request header list member using ; as - list separator. ; can be any non-alphanumeric - character. - - In addition, any string specified in the referencing acl will - also be included in the helper request line, after the specified - formats (see the "acl external" directive) - - The helper receives lines per the above format specification, - and returns lines starting with OK or ERR indicating the validity - of the request and optionally followed by additional keywords with - more details. - - General result syntax: - - OK/ERR keyword=value ... - - Defined keywords: - - user= The users name (login) - error= Error description (only defined for ERR results) - - Keyword values need to be enclosed in quotes if they may - contain whitespace, or the whitespace escaped using \. Any - quotes or \ characters within the keyword value must be \ - escaped. -DOC_END - -COMMENT_START - OPTIONS FOR TUNING THE CACHE - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: wais_relay_host -TYPE: string -DEFAULT: none -LOC: Config.Wais.relayHost -DOC_NONE - -NAME: wais_relay_port -TYPE: ushort -DEFAULT: 0 -LOC: Config.Wais.relayPort -DOC_START - Relay WAIS request to host (1st arg) at port (2 arg). -DOC_END - - -NAME: request_header_max_size -COMMENT: (KB) -TYPE: b_size_t -DEFAULT: 10 KB -LOC: Config.maxRequestHeaderSize -DOC_START - This specifies the maximum size for HTTP headers in a request. - Request headers are usually relatively small (about 512 bytes). - Placing a limit on the request header size will catch certain - bugs (for example with persistent connections) and possibly - buffer-overflow or denial-of-service attacks. -DOC_END - -NAME: request_body_max_size -COMMENT: (KB) -TYPE: b_size_t -DEFAULT: 0 KB -LOC: Config.maxRequestBodySize -DOC_START - This specifies the maximum size for an HTTP request body. - In other words, the maximum size of a PUT/POST request. - A user who attempts to send a request with a body larger - than this limit receives an "Invalid Request" error message. - If you set this parameter to a zero (the default), there will - be no limit imposed. -DOC_END - -NAME: refresh_pattern -TYPE: refreshpattern -LOC: Config.Refresh -DEFAULT: none -DOC_START - usage: refresh_pattern [-i] regex min percent max [options] - - By default, regular expressions are CASE-SENSITIVE. To make - them case-insensitive, use the -i option. - - 'Min' is the time (in minutes) an object without an explicit - expiry time should be considered fresh. The recommended - value is 0, any higher values may cause dynamic applications - to be erroneously cached unless the application designer - has taken the appropriate actions. - - 'Percent' is a percentage of the objects age (time since last - modification age) an object without explicit expiry time - will be considered fresh. - - 'Max' is an upper limit on how long objects without an explicit - expiry time will be considered fresh. - - options: override-expire - override-lastmod - reload-into-ims - ignore-reload - - override-expire enforces min age even if the server - sent a Expires: header. Doing this VIOLATES the HTTP - standard. Enabling this feature could make you liable - for problems which it causes. - - override-lastmod enforces min age even on objects - that was modified recently. - - reload-into-ims changes client no-cache or ``reload'' - to If-Modified-Since requests. Doing this VIOLATES the - HTTP standard. Enabling this feature could make you - liable for problems which it causes. - - ignore-reload ignores a client no-cache or ``reload'' - header. Doing this VIOLATES the HTTP standard. Enabling - this feature could make you liable for problems which - it causes. - - Basically a cached object is: - - FRESH if expires < now, else STALE - STALE if age > max - FRESH if lm-factor < percent, else STALE - FRESH if age < min - else STALE - - The refresh_pattern lines are checked in the order listed here. - The first entry which matches is used. If none of the entries - match, then the default will be used. - - Note, you must uncomment all the default lines if you want - to change one. The default setting is only active if none is - used. - -Suggested default: -NOCOMMENT_START -refresh_pattern ^ftp: 1440 20% 10080 -refresh_pattern ^gopher: 1440 0% 1440 -refresh_pattern . 0 20% 4320 -NOCOMMENT_END -DOC_END - -NAME: quick_abort_min -COMMENT: (KB) -TYPE: kb_size_t -DEFAULT: 16 KB -LOC: Config.quickAbort.min -DOC_NONE - -NAME: quick_abort_max -COMMENT: (KB) -TYPE: kb_size_t -DEFAULT: 16 KB -LOC: Config.quickAbort.max -DOC_NONE - -NAME: quick_abort_pct -COMMENT: (percent) -TYPE: int -DEFAULT: 95 -LOC: Config.quickAbort.pct -DOC_START - The cache by default continues downloading aborted requests - which are almost completed (less than 16 KB remaining). This - may be undesirable on slow (e.g. SLIP) links and/or very busy - caches. Impatient users may tie up file descriptors and - bandwidth by repeatedly requesting and immediately aborting - downloads. - - When the user aborts a request, Squid will check the - quick_abort values to the amount of data transfered until - then. - - If the transfer has less than 'quick_abort_min' KB remaining, - it will finish the retrieval. - - If the transfer has more than 'quick_abort_max' KB remaining, - it will abort the retrieval. - - If more than 'quick_abort_pct' of the transfer has completed, - it will finish the retrieval. - - If you do not want any retrieval to continue after the client - has aborted, set both 'quick_abort_min' and 'quick_abort_max' - to '0 KB'. - - If you want retrievals to always continue if they are being - cached then set 'quick_abort_min' to '-1 KB'. -DOC_END - -NAME: read_ahead_gap -COMMENT: buffer-size -TYPE: kb_size_t -LOC: Config.readAheadGap -DEFAULT: 16 KB -DOC_START - The amount of data the cache will buffer ahead of what has been - sent to the client when retrieving an object from another server. -DOC_END - -NAME: negative_ttl -COMMENT: time-units -TYPE: time_t -LOC: Config.negativeTtl -DEFAULT: 5 minutes -DOC_START - Time-to-Live (TTL) for failed requests. Certain types of - failures (such as "connection refused" and "404 Not Found") are - negatively-cached for a configurable amount of time. The - default is 5 minutes. Note that this is different from - negative caching of DNS lookups. -DOC_END - - -NAME: positive_dns_ttl -COMMENT: time-units -TYPE: time_t -LOC: Config.positiveDnsTtl -DEFAULT: 6 hours -DOC_START - Time-to-Live (TTL) for positive caching of successful DNS lookups. - Default is 6 hours (360 minutes). If you want to minimize the - use of Squid's ipcache, set this to 1, not 0. -DOC_END - - -NAME: negative_dns_ttl -COMMENT: time-units -TYPE: time_t -LOC: Config.negativeDnsTtl -DEFAULT: 5 minutes -DOC_START - Time-to-Live (TTL) for negative caching of failed DNS lookups. -DOC_END - -NAME: range_offset_limit -COMMENT: (bytes) -TYPE: b_size_t -LOC: Config.rangeOffsetLimit -DEFAULT: 0 KB -DOC_START - Sets a upper limit on how far into the the file a Range request - may be to cause Squid to prefetch the whole file. If beyond this - limit then Squid forwards the Range request as it is and the result - is NOT cached. - - This is to stop a far ahead range request (lets say start at 17MB) - from making Squid fetch the whole object up to that point before - sending anything to the client. - - A value of -1 causes Squid to always fetch the object from the - beginning so that it may cache the result. (2.0 style) - - A value of 0 causes Squid to never fetch more than the - client requested. (default) -DOC_END - - -COMMENT_START - TIMEOUTS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: connect_timeout -COMMENT: time-units -TYPE: time_t -LOC: Config.Timeout.connect -DEFAULT: 2 minutes -DOC_START - Some systems (notably Linux) can not be relied upon to properly - time out connect(2) requests. Therefore the Squid process - enforces its own timeout on server connections. This parameter - specifies how long to wait for the connect to complete. The - default is two minutes (120 seconds). -DOC_END - -NAME: peer_connect_timeout -COMMENT: time-units -TYPE: time_t -LOC: Config.Timeout.peer_connect -DEFAULT: 30 seconds -DOC_START - This parameter specifies how long to wait for a pending TCP - connection to a peer cache. The default is 30 seconds. You - may also set different timeout values for individual neighbors - with the 'connect-timeout' option on a 'cache_peer' line. -DOC_END - -NAME: read_timeout -COMMENT: time-units -TYPE: time_t -LOC: Config.Timeout.read -DEFAULT: 15 minutes -DOC_START - The read_timeout is applied on server-side connections. After - each successful read(), the timeout will be extended by this - amount. If no data is read again after this amount of time, - the request is aborted and logged with ERR_READ_TIMEOUT. The - default is 15 minutes. -DOC_END - - -NAME: request_timeout -TYPE: time_t -LOC: Config.Timeout.request -DEFAULT: 5 minutes -DOC_START - How long to wait for an HTTP request after initial - connection establishment. -DOC_END - - -NAME: persistent_request_timeout -TYPE: time_t -LOC: Config.Timeout.persistent_request -DEFAULT: 1 minute -DOC_START - How long to wait for the next HTTP request on a persistent - connection after the previous request completes. -DOC_END - - -NAME: client_lifetime -COMMENT: time-units -TYPE: time_t -LOC: Config.Timeout.lifetime -DEFAULT: 1 day -DOC_START - The maximum amount of time that a client (browser) is allowed to - remain connected to the cache process. This protects the Cache - from having a lot of sockets (and hence file descriptors) tied up - in a CLOSE_WAIT state from remote clients that go away without - properly shutting down (either because of a network failure or - because of a poor client implementation). The default is one - day, 1440 minutes. - - NOTE: The default value is intended to be much larger than any - client would ever need to be connected to your cache. You - should probably change client_lifetime only as a last resort. - If you seem to have many client connections tying up - filedescriptors, we recommend first tuning the read_timeout, - request_timeout, persistent_request_timeout and quick_abort values. -DOC_END - -NAME: half_closed_clients -TYPE: onoff -LOC: Config.onoff.half_closed_clients -DEFAULT: on -DOC_START - Some clients may shutdown the sending side of their TCP - connections, while leaving their receiving sides open. Sometimes, - Squid can not tell the difference between a half-closed and a - fully-closed TCP connection. By default, half-closed client - connections are kept open until a read(2) or write(2) on the - socket returns an error. Change this option to 'off' and Squid - will immediately close client connections when read(2) returns - "no more data to read." -DOC_END - -NAME: pconn_timeout -TYPE: time_t -LOC: Config.Timeout.pconn -DEFAULT: 120 seconds -DOC_START - Timeout for idle persistent connections to servers and other - proxies. -DOC_END - -NAME: ident_timeout -TYPE: time_t -IFDEF: USE_IDENT -LOC: Config.Timeout.ident -DEFAULT: 10 seconds -DOC_START - Maximum time to wait for IDENT lookups to complete. - - If this is too high, and you enabled IDENT lookups from untrusted - users, then you might be susceptible to denial-of-service by having - many ident requests going at once. -DOC_END - - -NAME: shutdown_lifetime -COMMENT: time-units -TYPE: time_t -LOC: Config.shutdownLifetime -DEFAULT: 30 seconds -DOC_START - When SIGTERM or SIGHUP is received, the cache is put into - "shutdown pending" mode until all active sockets are closed. - This value is the lifetime to set for all open descriptors - during shutdown mode. Any active clients after this many - seconds will receive a 'timeout' message. -DOC_END - -COMMENT_START - ACCESS CONTROLS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: acl -TYPE: acl -LOC: Config.aclList -DEFAULT: none -DOC_START - Defining an Access List - - acl aclname acltype string1 ... - acl aclname acltype "file" ... - - when using "file", the file should contain one item per line - - acltype is one of the types described below - - By default, regular expressions are CASE-SENSITIVE. To make - them case-insensitive, use the -i option. - - acl aclname src ip-address/netmask ... (clients IP address) - acl aclname src addr1-addr2/netmask ... (range of addresses) - acl aclname dst ip-address/netmask ... (URL host's IP address) - acl aclname myip ip-address/netmask ... (local socket IP address) - - acl aclname srcdomain .foo.com ... # reverse lookup, client IP - acl aclname dstdomain .foo.com ... # Destination server from URL - acl aclname srcdom_regex [-i] xxx ... # regex matching client name - acl aclname dstdom_regex [-i] xxx ... # regex matching server - # For dstdomain and dstdom_regex a reverse lookup is tried if a IP - # based URL is used. The name "none" is used if the reverse lookup - # fails. - - acl aclname time [day-abbrevs] [h1:m1-h2:m2] - day-abbrevs: - S - Sunday - M - Monday - T - Tuesday - W - Wednesday - H - Thursday - F - Friday - A - Saturday - h1:m1 must be less than h2:m2 - acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL - acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path - acl aclname port 80 70 21 ... - acl aclname port 0-1024 ... # ranges allowed - acl aclname myport 3128 ... # (local socket TCP port) - acl aclname proto HTTP FTP ... - acl aclname method GET POST ... - acl aclname browser [-i] regexp ... - # pattern match on User-Agent header - acl aclname referer_regex [-i] regexp ... - # pattern match on Referer header - # Referer is highly unreliable, so use with care - acl aclname ident username ... - acl aclname ident_regex [-i] pattern ... - # string match on ident output. - # use REQUIRED to accept any non-null ident. - acl aclname src_as number ... - acl aclname dst_as number ... - # Except for access control, AS numbers can be used for - # routing of requests to specific caches. Here's an - # example for routing all requests for AS#1241 and only + auth_param basic children 5 + auth_param basic realm Squid proxy-caching web server + auth_param basic credentialsttl 2 hours + NOCOMMENT_END + DOC_END + + NAME: authenticate_cache_garbage_interval + TYPE: time_t + DEFAULT: 1 hour + LOC: Config.authenticateGCInterval + DOC_START + The time period between garbage collection across the + username cache. This is a tradeoff between memory utilisation + (long intervals - say 2 days) and CPU (short intervals - + say 1 minute). Only change if you have good reason to. + DOC_END + + NAME: authenticate_ttl + TYPE: time_t + DEFAULT: 1 hour + LOC: Config.authenticateTTL + DOC_START + The time a user & their credentials stay in the logged in + user cache since their last request. When the garbage + interval passes, all user credentials that have passed their + TTL are removed from memory. + DOC_END + + NAME: authenticate_ip_ttl + TYPE: time_t + LOC: Config.authenticateIpTTL + DEFAULT: 0 seconds + DOC_START + If you use proxy authentication and the 'max_user_ip' ACL, + this directive controls how long Squid remembers the IP + addresses associated with each user. Use a small value + (e.g., 60 seconds) if your users might change addresses + quickly, as is the case with dialups. You might be safe + using a larger value (e.g., 2 hours) in a corporate LAN + environment with relatively static address assignments. + DOC_END + + NAME: external_acl_type + TYPE: externalAclHelper + LOC: Config.externalAclHelperList + DEFAULT: none + DOC_START + This option defines external acl classes using a helper program + to look up the status + + external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] + + Options: + + ttl=n TTL in seconds for cached results (defaults to 3600 + for 1 hour) + negative_ttl=n + TTL for cached negative lookups (default same + as ttl) + children=n Number of acl helper processes spawn to service + external acl lookups of this type. + cache=n result cache size, 0 is unbounded (default) + + FORMAT specifications + + %LOGIN Authenticated user login name + %IDENT Ident user name + %SRC Client IP + %DST Requested host + %PROTO Requested protocol + %PORT Requested port + %PATH Requested URL path + %METHOD Request method + %USER_CERT_xx SSL User certificate attribute xx + %USER_CA_xx SSL User certificate CA attribute xx + %{Header} HTTP request header + %{Hdr:member} HTTP request header list member + %{Hdr:;member} + HTTP request header list member using ; as + list separator. ; can be any non-alphanumeric + character. + + In addition, any string specified in the referencing acl will + also be included in the helper request line, after the specified + formats (see the "acl external" directive) + + The helper receives lines per the above format specification, + and returns lines starting with OK or ERR indicating the validity + of the request and optionally followed by additional keywords with + more details. + + General result syntax: + + OK/ERR keyword=value ... + + Defined keywords: + + user= The users name (login) + error= Error description (only defined for ERR results) + tag= Apply a tag to a request (for both ERR and OK results) + Only sets a tag, does not alter existing tags. + + Keyword values need to be enclosed in quotes if they may + contain whitespace, or the whitespace escaped using \. Any + quotes or \ characters within the keyword value must be \ + escaped. + DOC_END + + COMMENT_START + OPTIONS FOR TUNING THE CACHE + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: wais_relay_host + TYPE: string + DEFAULT: none + LOC: Config.Wais.relayHost + DOC_NONE + + NAME: wais_relay_port + TYPE: ushort + DEFAULT: 0 + LOC: Config.Wais.relayPort + DOC_START + Relay WAIS request to host (1st arg) at port (2 arg). + DOC_END + + + NAME: request_header_max_size + COMMENT: (KB) + TYPE: b_size_t + DEFAULT: 10 KB + LOC: Config.maxRequestHeaderSize + DOC_START + This specifies the maximum size for HTTP headers in a request. + Request headers are usually relatively small (about 512 bytes). + Placing a limit on the request header size will catch certain + bugs (for example with persistent connections) and possibly + buffer-overflow or denial-of-service attacks. + DOC_END + + NAME: request_body_max_size + COMMENT: (KB) + TYPE: b_size_t + DEFAULT: 0 KB + LOC: Config.maxRequestBodySize + DOC_START + This specifies the maximum size for an HTTP request body. + In other words, the maximum size of a PUT/POST request. + A user who attempts to send a request with a body larger + than this limit receives an "Invalid Request" error message. + If you set this parameter to a zero (the default), there will + be no limit imposed. + DOC_END + + NAME: refresh_pattern + TYPE: refreshpattern + LOC: Config.Refresh + DEFAULT: none + DOC_START + usage: refresh_pattern [-i] regex min percent max [options] + + By default, regular expressions are CASE-SENSITIVE. To make + them case-insensitive, use the -i option. + + 'Min' is the time (in minutes) an object without an explicit + expiry time should be considered fresh. The recommended + value is 0, any higher values may cause dynamic applications + to be erroneously cached unless the application designer + has taken the appropriate actions. + + 'Percent' is a percentage of the objects age (time since last + modification age) an object without explicit expiry time + will be considered fresh. + + 'Max' is an upper limit on how long objects without an explicit + expiry time will be considered fresh. + + options: override-expire + override-lastmod + reload-into-ims + ignore-reload + + override-expire enforces min age even if the server + sent a Expires: header. Doing this VIOLATES the HTTP + standard. Enabling this feature could make you liable + for problems which it causes. + + override-lastmod enforces min age even on objects + that was modified recently. + + reload-into-ims changes client no-cache or ``reload'' + to If-Modified-Since requests. Doing this VIOLATES the + HTTP standard. Enabling this feature could make you + liable for problems which it causes. + + ignore-reload ignores a client no-cache or ``reload'' + header. Doing this VIOLATES the HTTP standard. Enabling + this feature could make you liable for problems which + it causes. + + Basically a cached object is: + + FRESH if expires < now, else STALE + STALE if age > max + FRESH if lm-factor < percent, else STALE + FRESH if age < min + else STALE + + The refresh_pattern lines are checked in the order listed here. + The first entry which matches is used. If none of the entries + match, then the default will be used. + + Note, you must uncomment all the default lines if you want + to change one. The default setting is only active if none is + used. + + Suggested default: + NOCOMMENT_START + refresh_pattern ^ftp: 1440 20% 10080 + refresh_pattern ^gopher: 1440 0% 1440 + refresh_pattern . 0 20% 4320 + NOCOMMENT_END + DOC_END + + NAME: quick_abort_min + COMMENT: (KB) + TYPE: kb_size_t + DEFAULT: 16 KB + LOC: Config.quickAbort.min + DOC_NONE + + NAME: quick_abort_max + COMMENT: (KB) + TYPE: kb_size_t + DEFAULT: 16 KB + LOC: Config.quickAbort.max + DOC_NONE + + NAME: quick_abort_pct + COMMENT: (percent) + TYPE: int + DEFAULT: 95 + LOC: Config.quickAbort.pct + DOC_START + The cache by default continues downloading aborted requests + which are almost completed (less than 16 KB remaining). This + may be undesirable on slow (e.g. SLIP) links and/or very busy + caches. Impatient users may tie up file descriptors and + bandwidth by repeatedly requesting and immediately aborting + downloads. + + When the user aborts a request, Squid will check the + quick_abort values to the amount of data transfered until + then. + + If the transfer has less than 'quick_abort_min' KB remaining, + it will finish the retrieval. + + If the transfer has more than 'quick_abort_max' KB remaining, + it will abort the retrieval. + + If more than 'quick_abort_pct' of the transfer has completed, + it will finish the retrieval. + + If you do not want any retrieval to continue after the client + has aborted, set both 'quick_abort_min' and 'quick_abort_max' + to '0 KB'. + + If you want retrievals to always continue if they are being + cached then set 'quick_abort_min' to '-1 KB'. + DOC_END + + NAME: read_ahead_gap + COMMENT: buffer-size + TYPE: kb_size_t + LOC: Config.readAheadGap + DEFAULT: 16 KB + DOC_START + The amount of data the cache will buffer ahead of what has been + sent to the client when retrieving an object from another server. + DOC_END + + NAME: negative_ttl + COMMENT: time-units + TYPE: time_t + LOC: Config.negativeTtl + DEFAULT: 5 minutes + DOC_START + Time-to-Live (TTL) for failed requests. Certain types of + failures (such as "connection refused" and "404 Not Found") are + negatively-cached for a configurable amount of time. The + default is 5 minutes. Note that this is different from + negative caching of DNS lookups. + DOC_END + + + NAME: positive_dns_ttl + COMMENT: time-units + TYPE: time_t + LOC: Config.positiveDnsTtl + DEFAULT: 6 hours + DOC_START + Time-to-Live (TTL) for positive caching of successful DNS lookups. + Default is 6 hours (360 minutes). If you want to minimize the + use of Squid's ipcache, set + this to 1, not 0. + DOC_END + + + NAME: negative_dns_ttl + COMMENT: time-units + TYPE: time_t + LOC: Config.negativeDnsTtl + DEFAULT: 5 minutes + DOC_START + Time-to-Live (TTL) for negative caching of failed DNS lookups. + DOC_END + + NAME: range_offset_limit + COMMENT: (bytes) + TYPE: b_size_t + LOC: Config.rangeOffsetLimit + DEFAULT: 0 KB + DOC_START + Sets a upper limit on how far into the the file a Range request + may be to cause Squid to prefetch the whole file. If beyond this + limit then Squid forwards the Range request as it is and the result + is NOT cached. + + This is to stop a far ahead range request (lets say start at 17MB) + from making Squid fetch the whole object up to that point before + sending anything to the client. + + A value of -1 causes Squid to always fetch the object from the + beginning so that it may cache the result. (2.0 style) + + A value of 0 causes Squid to never fetch more than the + client requested. (default) + DOC_END + + + COMMENT_START + TIMEOUTS + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: connect_timeout + COMMENT: time-units + TYPE: time_t + LOC: Config.Timeout.connect + DEFAULT: 2 minutes + DOC_START + Some systems (notably Linux) can not be relied upon to properly + time out connect(2) requests. Therefore the Squid process + enforces its own timeout on server connections. This parameter + specifies how long to wait for the connect to complete. The + default is two minutes (120 seconds). + DOC_END + + NAME: peer_connect_timeout + COMMENT: time-units + TYPE: time_t + LOC: Config.Timeout.peer_connect + DEFAULT: 30 seconds + DOC_START + This parameter specifies how long to wait for a pending TCP + connection to a peer cache. The default is 30 seconds. You + may also set + different timeout values for individual neighbors + with the 'connect-timeout' option on a 'cache_peer' line. + DOC_END + + NAME: read_timeout + COMMENT: time-units + TYPE: time_t + LOC: Config.Timeout.read + DEFAULT: 15 minutes + DOC_START + The read_timeout is applied on server-side connections. After + each successful read(), the timeout will be extended by this + amount. If no data is read again after this amount of time, + the request is aborted and logged with ERR_READ_TIMEOUT. The + default is 15 minutes. + DOC_END + + + NAME: request_timeout + TYPE: time_t + LOC: Config.Timeout.request + DEFAULT: 5 minutes + DOC_START + How long to wait for an HTTP request after initial + connection establishment. + DOC_END + + + NAME: persistent_request_timeout + TYPE: time_t + LOC: Config.Timeout.persistent_request + DEFAULT: 1 minute + DOC_START + How long to wait for the next HTTP request on a persistent + connection after the previous request completes. + DOC_END + + + NAME: client_lifetime + COMMENT: time-units + TYPE: time_t + LOC: Config.Timeout.lifetime + DEFAULT: 1 day + DOC_START + The maximum amount of time that a client (browser) is allowed to + remain connected to the cache process. This protects the Cache + from having a lot of sockets (and hence file descriptors) tied up + in a CLOSE_WAIT state from remote clients that go away without + properly shutting down (either because of a network failure or + because of a poor client implementation). The default is one + day, 1440 minutes. + + NOTE: The default value is intended to be much larger than any + client would ever need to be connected to your cache. You + should probably change client_lifetime only as a last resort. + If you seem to have many client connections tying up + filedescriptors, we recommend first tuning the read_timeout, + request_timeout, persistent_request_timeout and quick_abort values. + DOC_END + + NAME: half_closed_clients + TYPE: onoff + LOC: Config.onoff.half_closed_clients + DEFAULT: on + DOC_START + Some clients may shutdown the sending side of their TCP + connections, while leaving their receiving sides open. Sometimes, + Squid can not tell the difference between a half-closed and a + fully-closed TCP connection. By default, half-closed client + connections are kept open until a read(2) or write(2) on the + socket returns an error. Change this option to 'off' and Squid + will immediately close client connections when read(2) returns + "no more data to read." + DOC_END + + NAME: pconn_timeout + TYPE: time_t + LOC: Config.Timeout.pconn + DEFAULT: 120 seconds + DOC_START + Timeout for idle persistent connections to servers and other + proxies. + DOC_END + + NAME: ident_timeout + TYPE: time_t + IFDEF: USE_IDENT + LOC: Config.Timeout.ident + DEFAULT: 10 seconds + DOC_START + Maximum time to wait for IDENT lookups to complete. + + If this is too high, and you enabled IDENT lookups from untrusted + users, then you might be susceptible to denial-of-service by having + many ident requests going at once. + DOC_END + + + NAME: shutdown_lifetime + COMMENT: time-units + TYPE: time_t + LOC: Config.shutdownLifetime + DEFAULT: 30 seconds + DOC_START + When SIGTERM or SIGHUP is received, the cache is put into + "shutdown pending" mode until all active sockets are closed. + This value is the lifetime to set + for all open descriptors + during shutdown mode. Any active clients after this many + seconds will receive a 'timeout' message. + DOC_END + + COMMENT_START + ACCESS CONTROLS + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: acl + TYPE: acl + LOC: Config.aclList + DEFAULT: none + DOC_START + Defining an Access List + + acl aclname acltype string1 ... + acl aclname acltype "file" ... + + when using "file", the file should contain one item per line + + acltype is one of the types described below + + By default, regular expressions are CASE-SENSITIVE. To make + them case-insensitive, use the -i option. + + acl aclname src ip-address/netmask ... (clients IP address) + acl aclname src addr1-addr2/netmask ... (range of addresses) + acl aclname dst ip-address/netmask ... (URL host's IP address) + acl aclname myip ip-address/netmask ... (local socket IP address) + + acl aclname srcdomain .foo.com ... # reverse lookup, client IP + acl aclname dstdomain .foo.com ... # Destination server from URL + acl aclname srcdom_regex [-i] xxx ... # regex matching client name + acl aclname dstdom_regex [-i] xxx ... # regex matching server +# For dstdomain and dstdom_regex a reverse lookup is tried if a IP +# based URL is used. The name "none" is used if the reverse lookup +# fails. + + acl aclname time [day-abbrevs] [h1:m1-h2:m2] + day-abbrevs: + S - Sunday + M - Monday + T - Tuesday + W - Wednesday + H - Thursday + F - Friday + A - Saturday + h1:m1 must be less than h2:m2 + acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL + acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path + acl aclname port 80 70 21 ... + acl aclname port 0-1024 ... # ranges allowed + acl aclname myport 3128 ... # (local socket TCP port) + acl aclname proto HTTP FTP ... + acl aclname method GET POST ... + acl aclname browser [-i] regexp ... +# pattern match on User-Agent header + acl aclname referer_regex [-i] regexp ... +# pattern match on Referer header +# Referer is highly unreliable, so use with care + acl aclname ident username ... + acl aclname ident_regex [-i] pattern ... +# string match on ident output. +# use REQUIRED to accept any non-null ident. + acl aclname src_as number ... + acl aclname dst_as number ... +# Except for access control, AS numbers can be used for +# routing of requests to specific caches. Here's an +# example for routing all requests for AS#1241 and only # those to mycache.mydomain.net: # acl asexample dst_as 1241 # cache_peer_access mycache.mydomain.net allow asexample # cache_peer_access mycache_mydomain.net deny all - acl aclname proxy_auth [-i] username ... - acl aclname proxy_auth_regex [-i] pattern ... - # list of valid usernames + acl aclname proxy_auth [-i] username ... + acl aclname proxy_auth_regex [-i] pattern ... +# list of valid usernames # use REQUIRED to accept any valid username. # # NOTE: when a Proxy-Authentication header is sent but it is not @@ -2235,18 +2270,18 @@ DOC_START # the browser needs to be configured for using a proxy in order # to respond to proxy authentication. - acl aclname snmp_community string ... - # A community string to limit access to your SNMP Agent + acl aclname snmp_community string ... +# A community string to limit access to your SNMP Agent # Example: # # acl snmppublic snmp_community public - acl aclname maxconn number - # This will be matched when the client's IP address has + acl aclname maxconn number +# This will be matched when the client's IP address has # more than HTTP connections established. - acl aclname max_user_ip [-s] number - # This will be matched when the user attempts to log in from more + acl aclname max_user_ip [-s] number +# This will be matched when the user attempts to log in from more # than different ip addresses. The authenticate_ip_ttl # parameter controls the timeout on the ip entries. # If -s is specified then the limit is strict, denying browsing @@ -2258,93 +2293,93 @@ DOC_START # clients may appear to come from multiple addresses if they are # going through proxy farms, so a limit of 1 may cause user problems. - acl aclname req_mime_type mime-type1 ... - # regex match agains the mime type of the request generated + acl aclname req_mime_type mime-type1 ... +# regex match agains the mime type of the request generated # by the client. Can be used to detect file upload or some # types HTTP tunelling requests. # NOTE: This does NOT match the reply. You cannot use this # to match the returned file type. - acl aclname rep_mime_type mime-type1 ... - # regex match against the mime type of the reply recieved by + acl aclname rep_mime_type mime-type1 ... +# regex match against the mime type of the reply recieved by # squid. Can be used to detect file download or some # types HTTP tunelling requests. # NOTE: This has no effect in http_access rules. It only has # effect in rules that affect the reply data stream such as # http_reply_access. - acl acl_name external class_name [arguments...] - # external ACL lookup via a helper class defined by the + acl acl_name external class_name [arguments...] +# external ACL lookup via a helper class defined by the # external_acl_type directive. - acl aclname user_cert attribute values... - # match against attributes in a user SSL certificate + acl aclname user_cert attribute values... +# match against attributes in a user SSL certificate # attribute is one of DN/C/O/CN/L/ST - acl aclname ca_cert attribute values... - # match against attributes a users issuing CA SSL certificate + acl aclname ca_cert attribute values... +# match against attributes a users issuing CA SSL certificate # attribute is one of DN/C/O/CN/L/ST -Examples: -acl myexample dst_as 1241 -acl password proxy_auth REQUIRED -acl fileupload req_mime_type -i ^multipart/form-data$ -acl javascript rep_mime_type -i ^application/x-javascript$ + Examples: + acl myexample dst_as 1241 + acl password proxy_auth REQUIRED + acl fileupload req_mime_type -i ^multipart/form-data$ + acl javascript rep_mime_type -i ^application/x-javascript$ -NOCOMMENT_START + NOCOMMENT_START #Recommended minimum configuration: -acl all src 0.0.0.0/0.0.0.0 -acl manager proto cache_object -acl localhost src 127.0.0.1/255.255.255.255 -acl to_localhost dst 127.0.0.0/8 -acl SSL_ports port 443 563 -acl Safe_ports port 80 # http -acl Safe_ports port 21 # ftp -acl Safe_ports port 443 563 # https, snews -acl Safe_ports port 70 # gopher -acl Safe_ports port 210 # wais -acl Safe_ports port 1025-65535 # unregistered ports -acl Safe_ports port 280 # http-mgmt -acl Safe_ports port 488 # gss-http -acl Safe_ports port 591 # filemaker -acl Safe_ports port 777 # multiling http -acl CONNECT method CONNECT -NOCOMMENT_END -DOC_END - -NAME: http_access -TYPE: acl_access -LOC: Config.accessList.http -DEFAULT: none -DEFAULT_IF_NONE: deny all -DOC_START - Allowing or Denying access based on defined access lists - - Access to the HTTP port: - http_access allow|deny [!]aclname ... - - NOTE on default values: - - If there are no "access" lines present, the default is to deny - the request. - - If none of the "access" lines cause a match, the default is the - opposite of the last line in the list. If the last line was - deny, then the default is allow. Conversely, if the last line - is allow, the default will be deny. For these reasons, it is a - good idea to have an "deny all" or "allow all" entry at the end - of your access lists to avoid potential confusion. - -NOCOMMENT_START + acl all src 0.0.0.0/0.0.0.0 + acl manager proto cache_object + acl localhost src 127.0.0.1/255.255.255.255 + acl to_localhost dst 127.0.0.0/8 + acl SSL_ports port 443 563 + acl Safe_ports port 80 # http + acl Safe_ports port 21 # ftp + acl Safe_ports port 443 563 # https, snews + acl Safe_ports port 70 # gopher + acl Safe_ports port 210 # wais + acl Safe_ports port 1025-65535 # unregistered ports + acl Safe_ports port 280 # http-mgmt + acl Safe_ports port 488 # gss-http + acl Safe_ports port 591 # filemaker + acl Safe_ports port 777 # multiling http + acl CONNECT method CONNECT + NOCOMMENT_END + DOC_END + + NAME: http_access + TYPE: acl_access + LOC: Config.accessList.http + DEFAULT: none + DEFAULT_IF_NONE: deny all + DOC_START + Allowing or Denying access based on defined access lists + + Access to the HTTP port: + http_access allow|deny [!]aclname ... + + NOTE on default values: + + If there are no "access" lines present, the default is to deny + the request. + + If none of the "access" lines cause a match, the default is the + opposite of the last line in the list. If the last line was + deny, then the default is allow. Conversely, if the last line + is allow, the default will be deny. For these reasons, it is a + good idea to have an "deny all" or "allow all" entry at the end + of your access lists to avoid potential confusion. + + NOCOMMENT_START #Recommended minimum configuration: # # Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager + http_access allow manager localhost + http_access deny manager # Deny requests to unknown ports -http_access deny !Safe_ports + http_access deny !Safe_ports # Deny CONNECT to other than SSL ports -http_access deny CONNECT !SSL_ports + http_access deny CONNECT !SSL_ports # # We strongly recommend to uncomment the following to protect innocent # web applications running on the proxy server who think that the only @@ -2360,1786 +2395,1846 @@ http_access deny CONNECT !SSL_ports #http_access allow our_networks # And finally deny all other access to this proxy -http_access deny all -NOCOMMENT_END -DOC_END + http_access deny all + NOCOMMENT_END + DOC_END -NAME: http_reply_access -TYPE: acl_access -LOC: Config.accessList.reply -DEFAULT: none -DEFAULT_IF_NONE: allow all -DOC_START - Allow replies to client requests. This is complementary to http_access. + NAME: http_reply_access + TYPE: acl_access + LOC: Config.accessList.reply + DEFAULT: none + DEFAULT_IF_NONE: allow all + DOC_START + Allow replies to client requests. This is complementary to http_access. - http_reply_access allow|deny [!] aclname ... + http_reply_access allow|deny [!] aclname ... - NOTE: if there are no access lines present, the default is to allow - all replies + NOTE: if there are no access lines present, the default is to allow + all replies - If none of the access lines cause a match, then the opposite of the - last line will apply. Thus it is good practice to end the rules - with an "allow all" or "deny all" entry. + If none of the access lines cause a match, then the opposite of the + last line will apply. Thus it is good practice to end the rules + with an "allow all" or "deny all" entry. -NOCOMMENT_START + NOCOMMENT_START #Recommended minimum configuration: # # Insert your own rules here. # # # and finally allow by default -http_reply_access allow all -NOCOMMENT_END -DOC_END + http_reply_access allow all + NOCOMMENT_END + DOC_END -NAME: icp_access -TYPE: acl_access -LOC: Config.accessList.icp -DEFAULT: none -DEFAULT_IF_NONE: deny all -DOC_START - Allowing or Denying access to the ICP port based on defined - access lists + NAME: icp_access + TYPE: acl_access + LOC: Config.accessList.icp + DEFAULT: none + DEFAULT_IF_NONE: deny all + DOC_START + Allowing or Denying access to the ICP port based on defined + access lists - icp_access allow|deny [!]aclname ... + icp_access allow|deny [!]aclname ... - See http_access for details + See http_access for details -NOCOMMENT_START + NOCOMMENT_START #Allow ICP queries from everyone -icp_access allow all -NOCOMMENT_END -DOC_END + icp_access allow all + NOCOMMENT_END + DOC_END -NAME: miss_access -TYPE: acl_access -LOC: Config.accessList.miss -DEFAULT: none -DOC_START - Use to force your neighbors to use you as a sibling instead of - a parent. For example: + NAME: miss_access + TYPE: acl_access + LOC: Config.accessList.miss + DEFAULT: none + DOC_START + Use to force your neighbors to use you as a sibling instead of + a parent. For example: - acl localclients src 172.16.0.0/16 - miss_access allow localclients - miss_access deny !localclients + acl localclients src 172.16.0.0/16 + miss_access allow localclients + miss_access deny !localclients - This means that only your local clients are allowed to fetch - MISSES and all other clients can only fetch HITS. + This means that only your local clients are allowed to fetch + MISSES and all other clients can only fetch HITS. - By default, allow all clients who passed the http_access rules - to fetch MISSES from us. + By default, allow all clients who passed the http_access rules + to fetch MISSES from us. -NOCOMMENT_START + NOCOMMENT_START #Default setting: # miss_access allow all -NOCOMMENT_END -DOC_END - - -NAME: cache_peer_access -TYPE: peer_access -DEFAULT: none -LOC: none -DOC_START - Similar to 'cache_peer_domain' but provides more flexibility by - using ACL elements. - - cache_peer_access cache-host allow|deny [!]aclname ... - - The syntax is identical to 'http_access' and the other lists of - ACL elements. See the comments for 'http_access' below, or - the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html). -DOC_END - -NAME: ident_lookup_access -TYPE: acl_access -IFDEF: USE_IDENT -DEFAULT: none -DEFAULT_IF_NONE: deny all -LOC: Config.accessList.identLookup -DOC_START - A list of ACL elements which, if matched, cause an ident - (RFC 931) lookup to be performed for this request. For - example, you might choose to always perform ident lookups - for your main multi-user Unix boxes, but not for your Macs - and PCs. By default, ident lookups are not performed for - any requests. - - To enable ident lookups for specific client addresses, you - can follow this example: - - acl ident_aware_hosts src 198.168.1.0/255.255.255.0 - ident_lookup_access allow ident_aware_hosts - ident_lookup_access deny all - - Only src type ACL checks are fully supported. A src_domain - ACL might work at times, but it will not always provide - the correct result. -DOC_END - -NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp -TYPE: acl_tos -DEFAULT: none -LOC: Config.accessList.outgoing_tos -DOC_START - Allows you to select a TOS/Diffserv value to mark outgoing - connections with, based on the username or source address - making the request. - - tcp_outgoing_tos ds-field [!]aclname ... - - Example where normal_service_net uses the TOS value 0x00 - and normal_service_net uses 0x20 - - acl normal_service_net src 10.0.0.0/255.255.255.0 - acl good_service_net src 10.0.1.0/255.255.255.0 - tcp_outgoing_tos 0x00 normal_service_net 0x00 - tcp_outgoing_tos 0x20 good_service_net - - TOS/DSCP values really only have local significance - so you should - know what you're specifying. For more, see RFC 2474 - - The TOS/DSCP byte must be exactly that - a byte, value 0 - 255, or - "default" to use whatever default your host has. - - Processing proceeds in the order specified, and stops at first fully - matching line. -DOC_END - -NAME: tcp_outgoing_address -TYPE: acl_address -DEFAULT: none -LOC: Config.accessList.outgoing_address -DOC_START - Allows you to map requests to different outgoing IP addresses - based on the username or sourceaddress of the user making - the request. - - tcp_outgoing_address ipaddr [[!]aclname] ... - - Example where requests from 10.0.0.0/24 will be forwareded - with source address 10.1.0.1, 10.0.2.0/24 forwarded with - source address 10.1.0.2 and the rest will be forwarded with - source address 10.1.0.3. - - acl normal_service_net src 10.0.0.0/255.255.255.0 - acl good_service_net src 10.0.1.0/255.255.255.0 - tcp_outgoing_address 10.0.0.1 normal_service_net - tcp_outgoing_address 10.0.0.2 good_service_net - tcp_outgoing_address 10.0.0.3 - - Processing proceeds in the order specified, and stops at first fully - matching line. -DOC_END - -NAME: reply_body_max_size -COMMENT: size [acl acl...] -TYPE: acl_b_size_t -DEFAULT: none -LOC: Config.ReplyBodySize -DOC_START - This option specifies the maximum size of a reply body. It can be - used to prevent users from downloading very large files, such as - MP3's and movies. When the reply headers are recieved, the - reply_body_max_size lines are processed, and the first line where - all (if any) listed acls are true is used as the maximum body size - for this reply. - - This size is then checked twice. First when we get the reply headers, - we check the content-length value. If the content length value exists - and is larger than the allowed size, the request is denied and the - user receives an error message that says "the request or reply - is too large." If there is no content-length, and the reply - size exceeds this limit, the client's connection is just closed - and they will receive a partial reply. - - WARNING: downstream caches probably can not detect a partial reply - if there is no content-length header, so they will cache - partial responses and give them out as hits. You should NOT - use this option if you have downstream caches. - - WARNING: A maximum size smaller than the size of squid's error messages - will cause an infinite loop and crash squid. Ensure that the smallest - non-zero value you use is greater that the maximum header size plus - the size of your largest error page. - - If you set this parameter none (the default), there will be - no limit imposed. -DOC_END - -COMMENT_START - ADMINISTRATIVE PARAMETERS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: cache_mgr -TYPE: string -DEFAULT: webmaster -LOC: Config.adminEmail -DOC_START - Email-address of local cache manager who will receive - mail if the cache dies. The default is "webmaster." -DOC_END - - -NAME: cache_effective_user -TYPE: string -DEFAULT: nobody -LOC: Config.effectiveUser -DOC_NONE - -NAME: cache_effective_group -TYPE: string -DEFAULT: none -LOC: Config.effectiveGroup -DOC_START - - If you start Squid as root, it will change its effective/real - UID/GID to the UID/GID specified below. The default is to - change to UID to nobody. If you define cache_effective_user, - but not cache_effective_group, Squid sets the GID the - effective user's default group ID (taken from the password - file). - - If Squid is not started as root, the cache_effective_user - value is ignored and the GID value is unchanged by default. - However, you can make Squid change its GID to another group - that the process owner is a member of. Note that if Squid - is not started as root then you cannot set http_port to a - value lower than 1024. -DOC_END - - -NAME: visible_hostname -TYPE: string -LOC: Config.visibleHostname -DEFAULT: none -DOC_START - If you want to present a special hostname in error messages, etc, - then define this. Otherwise, the return value of gethostname() - will be used. If you have multiple caches in a cluster and - get errors about IP-forwarding you must set them to have individual - names with this setting. -DOC_END - - -NAME: unique_hostname -TYPE: string -LOC: Config.uniqueHostname -DEFAULT: none -DOC_START - If you want to have multiple machines with the same - 'visible_hostname' then you must give each machine a different - 'unique_hostname' so that forwarding loops can be detected. -DOC_END - - -NAME: hostname_aliases -TYPE: wordlist -LOC: Config.hostnameAliases -DEFAULT: none -DOC_START - A list of other DNS names that your cache has. -DOC_END - -COMMENT_START - OPTIONS FOR THE CACHE REGISTRATION SERVICE - ----------------------------------------------------------------------------- - - This section contains parameters for the (optional) cache - announcement service. This service is provided to help - cache administrators locate one another in order to join or - create cache hierarchies. - - An 'announcement' message is sent (via UDP) to the registration - service by Squid. By default, the announcement message is NOT - SENT unless you enable it with 'announce_period' below. - - The announcement message includes your hostname, plus the - following information from this configuration file: - - http_port - icp_port - cache_mgr - - All current information is processed regularly and made - available on the Web at http://www.ircache.net/Cache/Tracker/. -COMMENT_END - -NAME: announce_period -TYPE: time_t -LOC: Config.Announce.period -DEFAULT: 0 -DOC_START - This is how frequently to send cache announcements. The - default is `0' which disables sending the announcement - messages. - - To enable announcing your cache, just uncomment the line - below. - -NOCOMMENT_START + NOCOMMENT_END + DOC_END + + + NAME: cache_peer_access + TYPE: peer_access + DEFAULT: none + LOC: none + DOC_START + Similar to 'cache_peer_domain' but provides more flexibility by + using ACL elements. + + cache_peer_access cache-host allow|deny [!]aclname ... + + The syntax is identical to 'http_access' and the other lists of + ACL elements. See the comments for 'http_access' below, or + the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html). + DOC_END + + NAME: ident_lookup_access + TYPE: acl_access + IFDEF: USE_IDENT + DEFAULT: none + DEFAULT_IF_NONE: deny all + LOC: Config.accessList.identLookup + DOC_START + A list of ACL elements which, if matched, cause an ident + (RFC 931) lookup to be performed for this request. For + example, you might choose to always perform ident lookups + for your main multi-user Unix boxes, but not for your Macs + and PCs. By default, ident lookups are not performed for + any requests. + + To enable ident lookups for specific client addresses, you + can follow this example: + + acl ident_aware_hosts src 198.168.1.0/255.255.255.0 + ident_lookup_access allow ident_aware_hosts + ident_lookup_access deny all + + Only src type ACL checks are fully supported. A src_domain + ACL might work at times, but it will not always provide + the correct result. + DOC_END + + NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp + TYPE: acl_tos + DEFAULT: none + LOC: Config.accessList.outgoing_tos + DOC_START + Allows you to select a TOS/Diffserv value to mark outgoing + connections with, based on the username or source address + making the request. + + tcp_outgoing_tos ds-field [!]aclname ... + + Example where normal_service_net uses the TOS value 0x00 + and normal_service_net uses 0x20 + + acl normal_service_net src 10.0.0.0/255.255.255.0 + acl good_service_net src 10.0.1.0/255.255.255.0 + tcp_outgoing_tos 0x00 normal_service_net 0x00 + tcp_outgoing_tos 0x20 good_service_net + + TOS/DSCP values really only have local significance - so you should + know what you're specifying. For more, see RFC 2474 + + The TOS/DSCP byte must be exactly that - a byte, value 0 - 255, or + "default" to use whatever default your host has. + + Processing proceeds in the order specified, and stops at first fully + matching line. + DOC_END + + NAME: tcp_outgoing_address + TYPE: acl_address + DEFAULT: none + LOC: Config.accessList.outgoing_address + DOC_START + Allows you to map requests to different outgoing IP addresses + based on the username or sourceaddress of the user making + the request. + + tcp_outgoing_address ipaddr [[!]aclname] ... + + Example where requests from 10.0.0.0/24 will be forwareded + with source address 10.1.0.1, 10.0.2.0/24 forwarded with + source address 10.1.0.2 and the rest will be forwarded with + source address 10.1.0.3. + + acl normal_service_net src 10.0.0.0/255.255.255.0 + acl good_service_net src 10.0.1.0/255.255.255.0 + tcp_outgoing_address 10.0.0.1 normal_service_net + tcp_outgoing_address 10.0.0.2 good_service_net + tcp_outgoing_address 10.0.0.3 + + Processing proceeds in the order specified, and stops at first fully + matching line. + DOC_END + + NAME: reply_body_max_size + COMMENT: size [acl acl...] + TYPE: acl_b_size_t + DEFAULT: none + LOC: Config.ReplyBodySize + DOC_START + This option specifies the maximum size of a reply body. It can be + used to prevent users from downloading very large files, such as + MP3's and movies. When the reply headers are recieved, the + reply_body_max_size lines are processed, and the first line where + all (if any) listed acls are true is used as the maximum body size + for this reply. + + This size is then checked twice. First when we get + the reply headers, + we check the content-length value. If the content length value exists + and is larger than the allowed size, the request is denied and the + user receives an error message that says "the request or reply + is too large." If there is no content-length, and the reply + size exceeds this limit, the client's connection is just closed + and they will receive a partial reply. + + WARNING: downstream caches probably can not detect a partial reply + if there is no content-length header, so they will cache + partial responses and give them out as hits. You should NOT + use this option if you have downstream caches. + + WARNING: A maximum size smaller than the size of squid's error messages + will cause an infinite loop and crash squid. Ensure that the smallest + non-zero value you use is greater that the maximum header size plus + the size of your largest error page. + + If you set + this parameter none (the default), there will be + no limit imposed. + DOC_END + + COMMENT_START + ADMINISTRATIVE PARAMETERS + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: cache_mgr + TYPE: string + DEFAULT: webmaster + LOC: Config.adminEmail + DOC_START + Email-address of local cache manager who will receive + mail if the cache dies. The default is "webmaster." + DOC_END + + + NAME: cache_effective_user + TYPE: string + DEFAULT: nobody + LOC: Config.effectiveUser + DOC_NONE + + NAME: cache_effective_group + TYPE: string + DEFAULT: none + LOC: Config.effectiveGroup + DOC_START + + If you start Squid as root, it will change its effective/real + UID/GID to the UID/GID specified below. The default is to + change to UID to nobody. If you define cache_effective_user, + but not cache_effective_group, Squid sets the GID the + effective user's default group ID (taken from the password + file). + + If Squid is not started as root, the cache_effective_user + value is ignored and the GID value is unchanged by default. + However, you can make Squid change its GID to another group + that the process owner is a member of. Note that if Squid + is not started as root then you cannot set http_port to a + value lower than 1024. + DOC_END + + + NAME: visible_hostname + TYPE: string + LOC: Config.visibleHostname + DEFAULT: none + DOC_START + If you want to present a special hostname in error messages, etc, + then define this. Otherwise, the return value of gethostname() + will be used. If you have multiple caches in a cluster and + get errors about IP-forwarding you must set them to have individual + names with this setting. + DOC_END + + + NAME: unique_hostname + TYPE: string + LOC: Config.uniqueHostname + DEFAULT: none + DOC_START + If you want to have multiple machines with the same + 'visible_hostname' then you must give each machine a different + 'unique_hostname' so that forwarding loops can be detected. + DOC_END + + + NAME: hostname_aliases + TYPE: wordlist + LOC: Config.hostnameAliases + DEFAULT: none + DOC_START + A list of other DNS names that your cache has. + DOC_END + + COMMENT_START + OPTIONS FOR THE CACHE REGISTRATION SERVICE + ----------------------------------------------------------------------------- + + This section contains parameters for the (optional) cache + announcement service. This service is provided to help + cache administrators locate one another in order to join or + create cache hierarchies. + + An 'announcement' message is sent (via UDP) to the registration + service by Squid. By default, the announcement message is NOT + SENT unless you enable it with 'announce_period' below. + + The announcement message includes your hostname, plus the + following information from this configuration file: + + http_port + icp_port + cache_mgr + + All current information is processed regularly and made + available on the Web at http://www.ircache.net/Cache/Tracker/. + COMMENT_END + + NAME: announce_period + TYPE: time_t + LOC: Config.Announce.period + DEFAULT: 0 + DOC_START + This is how frequently to send cache announcements. The + default is `0' which disables sending the announcement + messages. + + To enable announcing your cache, just uncomment the line + below. + + NOCOMMENT_START #To enable announcing your cache, just uncomment the line below. #announce_period 1 day -NOCOMMENT_END -DOC_END - - -NAME: announce_host -TYPE: string -DEFAULT: tracker.ircache.net -LOC: Config.Announce.host -DOC_NONE - -NAME: announce_file -TYPE: string -DEFAULT: none -LOC: Config.Announce.file -DOC_NONE - -NAME: announce_port -TYPE: ushort -DEFAULT: 3131 -LOC: Config.Announce.port -DOC_START - announce_host and announce_port set the hostname and port - number where the registration message will be sent. - - Hostname will default to 'tracker.ircache.net' and port will - default default to 3131. If the 'filename' argument is given, - the contents of that file will be included in the announce - message. -DOC_END - -NAME: httpd_accel_surrogate_id -IFDEF: ESI -TYPE: string -LOC: Config.Accel.surrogate_id -DEFAULT: none -DOC_START - Surrogates (http://www.esi.org/architecture_spec_1.0.html) - need an identification token to allow control targeting. Because - a farm of surrogates may all perform the same tasks, they may share - an identification token. -DOC_END - -NAME: http_accel_surrogate_remote -IFDEF: ESI -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.surrogate_is_remote -DOC_START - Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. - Set this to on to have squid behave as a remote surrogate. -DOC_END - -NAME: esi_parser -IFDEF: ESI -COMMENT: expat|custom -TYPE: string -LOC: ESIParser::Type -DEFAULT: custom -DOC_START - ESI markup is not strictly XML compatible. The custom ESI parser - will give higher performance, but cannot handle non ASCII character - encodings. -DOC_END + NOCOMMENT_END + DOC_END + + + NAME: announce_host + TYPE: string + DEFAULT: tracker.ircache.net + LOC: Config.Announce.host + DOC_NONE + + NAME: announce_file + TYPE: string + DEFAULT: none + LOC: Config.Announce.file + DOC_NONE + + NAME: announce_port + TYPE: ushort + DEFAULT: 3131 + LOC: Config.Announce.port + DOC_START + announce_host and announce_port set + the hostname and port + number where the registration message will be sent. + + Hostname will default to 'tracker.ircache.net' and port will + default default to 3131. If the 'filename' argument is given, + the contents of that file will be included in the announce + message. + DOC_END + + NAME: httpd_accel_surrogate_id + IFDEF: ESI + TYPE: string + LOC: Config.Accel.surrogate_id + DEFAULT: none + DOC_START + Surrogates (http://www.esi.org/architecture_spec_1.0.html) + need an identification token to allow control targeting. Because + a farm of surrogates may all perform the same tasks, they may share + an identification token. + DOC_END + + NAME: http_accel_surrogate_remote + IFDEF: ESI + COMMENT: on|off + TYPE: onoff + DEFAULT: off + LOC: Config.onoff.surrogate_is_remote + DOC_START + Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. + Set this to on to have squid behave as a remote surrogate. + DOC_END + + NAME: esi_parser + IFDEF: ESI + COMMENT: expat|custom + TYPE: string + LOC: ESIParser::Type + DEFAULT: custom + DOC_START + ESI markup is not strictly XML compatible. The custom ESI parser + will give higher performance, but cannot handle non ASCII character + encodings. + DOC_END + + COMMENT_START + MISCELLANEOUS + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: dns_testnames + TYPE: wordlist + LOC: Config.dns_testname_list + DEFAULT: none + DEFAULT_IF_NONE: netscape.com internic.net nlanr.net microsoft.com + DOC_START + The DNS tests exit as soon as the first site is successfully looked up + + This test can be disabled with the -D command line option. + DOC_END + + + NAME: logfile_rotate + TYPE: int + DEFAULT: 10 + LOC: Config.Log.rotateNumber + DOC_START + Specifies the number of logfile rotations to make when you + type 'squid -k rotate'. The default is 10, which will rotate + with extensions 0 through 9. Setting logfile_rotate to 0 will + disable the rotation, but the logfiles are still closed and + re-opened. This will enable you to rename the logfiles + yourself just before sending the rotate signal. + + Note, the 'squid -k rotate' command normally sends a USR1 + signal to the running squid process. In certain situations + (e.g. on Linux with Async I/O), USR1 is used for other + purposes, so -k rotate uses another signal. It is best to get + in the habit of using 'squid -k rotate' instead of 'kill -USR1 + '. + DOC_END + + + NAME: append_domain + TYPE: string + LOC: Config.appendDomain + DEFAULT: none + DOC_START + Appends local domain name to hostnames without any dots in + them. append_domain must begin with a period. + + Be warned that there today is Internet names with no dots in + them using only top-domain names, so setting this may + cause some Internet sites to become unavailable. + + Example: + append_domain .yourdomain.com + DOC_END + + + NAME: tcp_recv_bufsize + COMMENT: (bytes) + TYPE: b_size_t + DEFAULT: 0 bytes + LOC: Config.tcpRcvBufsz + DOC_START + Size of receive buffer to set + for TCP sockets. Probably just + as easy to change your kernel's default. Set to zero to use + the default buffer size. + DOC_END + + NAME: err_html_text + TYPE: eol + LOC: Config.errHtmlText + DEFAULT: none + DOC_START + HTML text to include in error messages. Make this a "mailto" + URL to your admin address, or maybe just a link to your + organizations Web page. + + To include this in your error messages, you must rewrite + the error template files (found in the "errors" directory). + Wherever you want the 'err_html_text' line to appear, + insert a %L tag in the error template file. + DOC_END + + NAME: email_err_data + COMMENT: on|off + TYPE: onoff + LOC: Config.onoff.emailErrData + DEFAULT: on + DOC_START + If enabled, information about the occurred error will be + included in the mailto links of the ERR pages (if %W is set) + so that the email body then contains the data. + Syntax is %w + DOC_END + + + NAME: deny_info + TYPE: denyinfo + LOC: Config.denyInfoList + DEFAULT: none + DOC_START + Usage: deny_info err_page_name acl + or deny_info http://... acl + Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys + + This can be used to return a ERR_ page for requests which + do not pass the 'http_access' rules. A single ACL will cause + the http_access check to fail. If a 'deny_info' line exists + for that ACL then Squid returns a corresponding error page. + + You may use ERR_ pages that come with Squid or create your own pages + and put them into the configured errors/ directory. + + Alternatively you can specify an error URL. The browsers will then + get redirected (302) to the specified URL. %s in the redirection + URL will be replaced by the requested URL. + + Alternatively you can tell Squid to reset the TCP connection + by specifying TCP_RESET. + DOC_END + + NAME: memory_pools + COMMENT: on|off + TYPE: onoff + DEFAULT: on + LOC: Config.onoff.mem_pools + DOC_START + If set, Squid will keep pools of allocated (but unused) memory + available for future use. If memory is a premium on your + system and you believe your malloc library outperforms Squid + routines, disable this. + DOC_END + + NAME: memory_pools_limit + COMMENT: (bytes) + TYPE: b_size_t + DEFAULT: none + LOC: Config.MemPools.limit + DOC_START + Used only with memory_pools on: + memory_pools_limit 50 MB + + If set to a non-zero value, Squid will keep at most the specified + limit of allocated (but unused) memory in memory pools. All free() + requests that exceed this limit will be handled by your malloc + library. Squid does not pre-allocate any memory, just safe-keeps + objects that otherwise would be free()d. Thus, it is safe to set + memory_pools_limit to a reasonably high value even if your + configuration will use less memory. + + If not set (default) or set to zero, Squid will keep all memory it + can. That is, there will be no limit on the total amount of memory + used for safe-keeping. + + To disable memory allocation optimization, do not set + memory_pools_limit to 0. Set memory_pools to "off" instead. + + An overhead for maintaining memory pools is not taken into account + when the limit is checked. This overhead is close to four bytes per + object kept. However, pools may actually _save_ memory because of + reduced memory thrashing in your malloc library. + DOC_END + + NAME: via + IFDEF: HTTP_VIOLATIONS + COMMENT: on|off + TYPE: onoff + DEFAULT: on + LOC: Config.onoff.via + DOC_START + If set (default), Squid will include a Via header in requests and + replies as required by RFC2616. + DOC_END + + NAME: forwarded_for + COMMENT: on|off + TYPE: onoff + DEFAULT: on + LOC: opt_forwarded_for + DOC_START + If set, Squid will include your system's IP address or name + in the HTTP requests it forwards. By default it looks like + this: + + X-Forwarded-For: 192.1.2.3 + + If you disable this, it will appear as + + X-Forwarded-For: unknown + DOC_END + + NAME: log_icp_queries + COMMENT: on|off + TYPE: onoff + DEFAULT: on + LOC: Config.onoff.log_udp + DOC_START + If set + , ICP queries are logged to access.log. You may wish + do + disable this if your ICP load is VERY high to speed things + up or to simplify log analysis. + DOC_END + + NAME: icp_hit_stale + COMMENT: on|off + TYPE: onoff + DEFAULT: off + LOC: Config.onoff.icp_hit_stale + DOC_START + If you want to return ICP_HIT for stale cache objects, set + this + option to 'on'. If you have sibling relationships with caches + in other administrative domains, this should be 'off'. If you only + have sibling relationships with caches under your control, then + it is probably okay to set + this to 'on'. + If set + to 'on', then your siblings should use the option "allow-miss" + on their cache_peer lines for connecting to you. + DOC_END + + + NAME: minimum_direct_hops + TYPE: int + DEFAULT: 4 + LOC: Config.minDirectHops + DOC_START + If using the ICMP pinging stuff, do + direct fetches for sites + which are no more than this many hops away. + DOC_END + + NAME: minimum_direct_rtt + TYPE: int + DEFAULT: 400 + LOC: Config.minDirectRtt + DOC_START + If using the ICMP pinging stuff, do + direct fetches for sites + which are no more than this many rtt milliseconds away. + DOC_END + + NAME: cachemgr_passwd + TYPE: cachemgrpasswd + DEFAULT: none + LOC: Config.passwd_list + DOC_START + Specify passwords for cachemgr operations. + + Usage: cachemgr_passwd password action action ... + + Some valid actions are (see cache manager menu for a full list): + 5min + 60min + asndb + authenticator + cbdata + client_list + comm_incoming + config * + counters + delay + digest_stats + dns + events + filedescriptors + fqdncache + histograms + http_headers + info + io + ipcache + mem + menu + netdb + non_peers + objects + offline_toggle * + pconn + peer_select + redirector + refresh + server_list + shutdown * + store_digest + storedir + utilization + via_headers + vm_objects + + * Indicates actions which will not be performed without a + valid password, others can be performed if not listed here. + + To disable an action, set + the password to "disable". + To allow performing an action without a password, set + the + password to "none". + + Use the keyword "all" to set + the same password for all actions. + + Example: + cachemgr_passwd secret shutdown + cachemgr_passwd lesssssssecret info stats/objects + cachemgr_passwd disable all + DOC_END + + NAME: store_avg_object_size + COMMENT: (kbytes) + TYPE: kb_size_t + DEFAULT: 13 KB + LOC: Config.Store.avgObjectSize + DOC_START + Average object size, used to estimate number of objects your + cache can hold. See doc/Release-Notes-1.1.txt. The default is + 13 KB. + DOC_END + + NAME: store_objects_per_bucket + TYPE: int + DEFAULT: 20 + LOC: Config.Store.objectsPerBucket + DOC_START + Target number of objects per bucket in the store hash table. + Lowering this value increases the total number of buckets and + also the storage maintenance rate. The default is 50. + DOC_END + + NAME: client_db + COMMENT: on|off + TYPE: onoff + DEFAULT: on + LOC: Config.onoff.client_db + DOC_START + If you want to disable collecting per-client statistics, then + turn off client_db here. + DOC_END + + + NAME: netdb_low + TYPE: int + DEFAULT: 900 + LOC: Config.Netdb.low + DOC_NONE + + NAME: netdb_high + TYPE: int + DEFAULT: 1000 + LOC: Config.Netdb.high + DOC_START + The low and high water marks for the ICMP measurement + database. These are counts, not percents. The defaults are + 900 and 1000. When the high water mark is reached, database + entries will be deleted until the low mark is reached. + DOC_END + + + NAME: netdb_ping_period + TYPE: time_t + LOC: Config.Netdb.period + DEFAULT: 5 minutes + DOC_START + The minimum period for measuring a site. There will be at + least this much delay between successive pings to the same + network. The default is five minutes. + DOC_END + + + NAME: query_icmp + COMMENT: on|off + TYPE: onoff + DEFAULT: off + LOC: Config.onoff.query_icmp + DOC_START + If you want to ask your peers to include ICMP data in their ICP + replies, enable this option. + + If your peer has configured Squid (during compilation) with + '--enable-icmp' then that peer will send ICMP pings to origin server + sites of the URLs it receives. If you enable this option then the + ICP replies from that peer will include the ICMP data (if available). + Then, when choosing a parent cache, Squid will choose the parent with + the minimal RTT to the origin server. When this happens, the + hierarchy field of the access.log will be + "CLOSEST_PARENT_MISS". This option is off by default. + DOC_END + + NAME: test_reachability + COMMENT: on|off + TYPE: onoff + DEFAULT: off + LOC: Config.onoff.test_reachability + DOC_START + When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH + instead of ICP_MISS if the target host is NOT in the ICMP + database, or has a zero RTT. + DOC_END + + NAME: buffered_logs + COMMENT: on|off + TYPE: onoff + DEFAULT: off + LOC: Config.onoff.buffered_logs + DOC_START + cache.log log file is written with stdio functions, and as such + it can be buffered or unbuffered. By default it will be unbuffered. + Buffering it can speed up the writing slightly (though you are + unlikely to need to worry unless you run with tons of debugging + enabled in which case performance will suffer badly anyway..). + DOC_END + + NAME: reload_into_ims + IFDEF: HTTP_VIOLATIONS + COMMENT: on|off + TYPE: onoff + DEFAULT: off + LOC: Config.onoff.reload_into_ims + DOC_START + When you enable this option, client no-cache or ``reload'' + requests will be changed to If-Modified-Since requests. + Doing this VIOLATES the HTTP standard. Enabling this + feature could make you liable for problems which it + causes. + + see also refresh_pattern for a more selective approach. + DOC_END + + NAME: always_direct + TYPE: acl_access + LOC: Config.accessList.AlwaysDirect + DEFAULT: none + DOC_START + Usage: always_direct allow|deny [!]aclname ... + + Here you can use ACL elements to specify requests which should + ALWAYS be forwarded directly to origin servers. For example, + to always directly forward requests for local servers use + something like: + + acl local-servers dstdomain my.domain.net + always_direct allow local-servers + + To always forward FTP requests directly, use + + acl FTP proto FTP + always_direct allow FTP + + NOTE: There is a similar, but opposite option named + 'never_direct'. You need to be aware that "always_direct deny + foo" is NOT the same thing as "never_direct allow foo". You + may need to use a deny rule to exclude a more-specific case of + some other rule. Example: + + acl local-external dstdomain external.foo.net + acl local-servers dstdomain .foo.net + always_direct deny local-external + always_direct allow local-servers + + This option replaces some v1.1 options such as local_domain + and local_ip. + DOC_END + + NAME: never_direct + TYPE: acl_access + LOC: Config.accessList.NeverDirect + DEFAULT: none + DOC_START + Usage: never_direct allow|deny [!]aclname ... + + never_direct is the opposite of always_direct. Please read + the description for always_direct if you have not already. + + With 'never_direct' you can use ACL elements to specify + requests which should NEVER be forwarded directly to origin + servers. For example, to force the use of a proxy for all + requests, except those in your local domain use something like: + + acl local-servers dstdomain .foo.net + acl all src 0.0.0.0/0.0.0.0 + never_direct deny local-servers + never_direct allow all + + or if squid is inside a firewall and there is local intranet + servers inside the firewall then use something like: + + acl local-intranet dstdomain .foo.net + acl local-external dstdomain external.foo.net + always_direct deny local-external + always_direct allow local-intranet + never_direct allow all + + This option replaces some v1.1 options such as inside_firewall + and firewall_ip. + DOC_END + + NAME: header_access + IFDEF: HTTP_VIOLATIONS + TYPE: http_header_access[] + LOC: Config.header_access + DEFAULT: none + DOC_START + Usage: header_access header_name allow|deny [!]aclname ... + + WARNING: Doing this VIOLATES the HTTP standard. Enabling + this feature could make you liable for problems which it + causes. + + This option replaces the old 'anonymize_headers' and the + older 'http_anonymizer' option with something that is much + more configurable. This new method creates a list of ACLs + for each header, allowing you very fine-tuned header + mangling. + + You can only specify known headers for the header name. + Other headers are reclassified as 'Other'. You can also + refer to all the headers with 'All'. + + For example, to achieve the same behaviour as the old + 'http_anonymizer standard' option, you should use: + + header_access From deny all + header_access Referer deny all + header_access Server deny all + header_access User-Agent deny all + header_access WWW-Authenticate deny all + header_access Link deny all + + Or, to reproduce the old 'http_anonymizer paranoid' feature + you should use: + + header_access Allow allow all + header_access Authorization allow all + header_access WWW-Authenticate allow all + header_access Cache-Control allow all + header_access Content-Encoding allow all + header_access Content-Length allow all + header_access Content-Type allow all + header_access Date allow all + header_access Expires allow all + header_access Host allow all + header_access If-Modified-Since allow all + header_access Last-Modified allow all + header_access Location allow all + header_access Pragma allow all + header_access Accept allow all + header_access Accept-Charset allow all + header_access Accept-Encoding allow all + header_access Accept-Language allow all + header_access Content-Language allow all + header_access Mime-Version allow all + header_access Retry-After allow all + header_access Title allow all + header_access Connection allow all + header_access Proxy-Connection allow all + header_access All deny all + + By default, all headers are allowed (no anonymizing is + performed). + DOC_END + + NAME: header_replace + IFDEF: HTTP_VIOLATIONS + TYPE: http_header_replace[] + LOC: Config.header_access + DEFAULT: none + DOC_START + Usage: header_replace header_name message + Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) + + This option allows you to change the contents of headers + denied with header_access above, by replacing them with + some fixed string. This replaces the old fake_user_agent + option. + + By default, headers are removed if denied. + DOC_END + + NAME: icon_directory + + TYPE: string + + LOC: Config.icons.directory + + DEFAULT: @DEFAULT_ICON_DIR@ + DOC_START + Where the icons are stored. These are normally kept in + @DEFAULT_ICON_DIR@ + DOC_END + + NAME: error_directory + + TYPE: string + + LOC: Config.errorDirectory + + DEFAULT: @DEFAULT_ERROR_DIR@ + DOC_START + If you wish to create your own versions of the default + (English) error files, either to customize them to suit your + language or company copy the template English files to another + directory and point this tag at them. + DOC_END + + NAME: minimum_retry_timeout + + COMMENT: (seconds) + + TYPE: time_t + + LOC: Config.retry.timeout + + DEFAULT: 5 seconds + DOC_START + This specifies the minimum connect timeout, for when the + connect timeout is reduced to compensate for the availability + of multiple IP addresses. + + When a connection to a host is initiated, and that host has + several IP addresses, the default connection timeout is reduced + by dividing it by the number of addresses. So, a site with 15 + addresses would then have a timeout of 8 seconds for each + address attempted. To avoid having the timeout reduced to the + point where even a working host would not have a chance to + respond, this setting is provided. The default, and the + minimum value, is five seconds, and the maximum value is sixty + seconds, or half of connect_timeout, whichever is greater and + less than connect_timeout. + DOC_END + + NAME: maximum_single_addr_tries + + TYPE: int + + LOC: Config.retry.maxtries + + DEFAULT: 3 + DOC_START + This sets the maximum number of connection attempts for a + host that only has one address (for multiple-address hosts, + each address is tried once). + + The default value is three tries, the (not recommended) + maximum is 255 tries. A warning message will be generated + if it is set to a value greater than ten. + DOC_END + + NAME: snmp_port + + TYPE: ushort + + LOC: Config.Port.snmp + + DEFAULT: 3401 + + IFDEF: SQUID_SNMP + DOC_START + Squid can now serve statistics and status information via SNMP. + By default it listens to port 3401 on the machine. If you don't + wish to use SNMP, set this to "0". + DOC_END + + NAME: snmp_access + TYPE: acl_access + LOC: Config.accessList.snmp + DEFAULT: none + DEFAULT_IF_NONE: deny all + IFDEF: SQUID_SNMP + DOC_START + Allowing or denying access to the SNMP port. + + All access to the agent is denied by default. + usage: + + snmp_access allow|deny [!]aclname ... + + Example: + snmp_access allow snmppublic localhost + snmp_access deny all + DOC_END + + NAME: snmp_incoming_address + TYPE: address + LOC: Config.Addrs.snmp_incoming + DEFAULT: 0.0.0.0 + IFDEF: SQUID_SNMP + DOC_NONE + NAME: snmp_outgoing_address + TYPE: address + LOC: Config.Addrs.snmp_outgoing + DEFAULT: 255.255.255.255 + IFDEF: SQUID_SNMP + DOC_START + Just like 'udp_incoming_address' above, but for the SNMP port. + + snmp_incoming_address is used for the SNMP socket receiving + messages from SNMP agents. + snmp_outgoing_address is used for SNMP packets returned to SNMP + agents. + + The default snmp_incoming_address (0.0.0.0) is to listen on all + available network interfaces. + + If snmp_outgoing_address is set to 255.255.255.255 (the default) + then it will use the same socket as snmp_incoming_address. Only + change this if you want to have SNMP replies sent using another + address than where this Squid listens for SNMP queries. + + NOTE, snmp_incoming_address and snmp_outgoing_address can not have + the same value since they both use port 3401. + DOC_END + + NAME: as_whois_server + TYPE: string + LOC: Config.as_whois_server + DEFAULT: whois.ra.net + DEFAULT_IF_NONE: whois.ra.net + DOC_START + WHOIS server to query for AS numbers. NOTE: AS numbers are + queried only when Squid starts up, not for every request. + DOC_END + + NAME: wccp_router + TYPE: address + LOC: Config.Wccp.router + DEFAULT: 0.0.0.0 + IFDEF: USE_WCCP + DOC_START + Use this option to define your WCCP ``home'' router for + Squid. Setting the 'wccp_router' to 0.0.0.0 (the default) + disables WCCP. + DOC_END + + NAME: wccp_version + TYPE: int + LOC: Config.Wccp.version + DEFAULT: 4 + IFDEF: USE_WCCP + DOC_START + According to some users, Cisco IOS 11.2 only supports WCCP + version 3. If you're using that version of IOS, change + this value to 3. + DOC_END + + NAME: wccp_incoming_address + + TYPE: address + + LOC: Config.Wccp.incoming + + DEFAULT: 0.0.0.0 + + IFDEF: USE_WCCP + DOC_NONE + + NAME: wccp_outgoing_address + + TYPE: address + + LOC: Config.Wccp.outgoing + + DEFAULT: 255.255.255.255 + + IFDEF: USE_WCCP + DOC_START + wccp_incoming_address Use this option if you require WCCP + messages to be received on only one + interface. Do NOT use this option if + you're unsure how many interfaces you + have, or if you know you have only one + interface. + + wccp_outgoing_address Use this option if you require WCCP + messages to be sent out on only one + interface. Do NOT use this option if + you're unsure how many interfaces you + have, or if you know you have only one + interface. + + The default behavior is to not bind to any specific address. + + NOTE, wccp_incoming_address and wccp_outgoing_address can not have + the same value since they both use port 2048. + DOC_END + + + COMMENT_START + DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option) + ----------------------------------------------------------------------------- + COMMENT_END + + NAME: delay_pools + + TYPE: delay_pool_count + + DEFAULT: 0 + + IFDEF: DELAY_POOLS + + LOC: Config.Delay + DOC_START + This represents the number of delay pools to be used. For example, + if you have one class 2 delay pool and one class 3 delays pool, you + have a total of 2 delay pools. + DOC_END -COMMENT_START - MISCELLANEOUS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: dns_testnames -TYPE: wordlist -LOC: Config.dns_testname_list -DEFAULT: none -DEFAULT_IF_NONE: netscape.com internic.net nlanr.net microsoft.com -DOC_START - The DNS tests exit as soon as the first site is successfully looked up - - This test can be disabled with the -D command line option. -DOC_END - - -NAME: logfile_rotate -TYPE: int -DEFAULT: 10 -LOC: Config.Log.rotateNumber -DOC_START - Specifies the number of logfile rotations to make when you - type 'squid -k rotate'. The default is 10, which will rotate - with extensions 0 through 9. Setting logfile_rotate to 0 will - disable the rotation, but the logfiles are still closed and - re-opened. This will enable you to rename the logfiles - yourself just before sending the rotate signal. - - Note, the 'squid -k rotate' command normally sends a USR1 - signal to the running squid process. In certain situations - (e.g. on Linux with Async I/O), USR1 is used for other - purposes, so -k rotate uses another signal. It is best to get - in the habit of using 'squid -k rotate' instead of 'kill -USR1 - '. -DOC_END - - -NAME: append_domain -TYPE: string -LOC: Config.appendDomain -DEFAULT: none -DOC_START - Appends local domain name to hostnames without any dots in - them. append_domain must begin with a period. - - Be warned that there today is Internet names with no dots in - them using only top-domain names, so setting this may - cause some Internet sites to become unavailable. - -Example: - append_domain .yourdomain.com -DOC_END - - -NAME: tcp_recv_bufsize -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: 0 bytes -LOC: Config.tcpRcvBufsz -DOC_START - Size of receive buffer to set for TCP sockets. Probably just - as easy to change your kernel's default. Set to zero to use - the default buffer size. -DOC_END - -NAME: err_html_text -TYPE: eol -LOC: Config.errHtmlText -DEFAULT: none -DOC_START - HTML text to include in error messages. Make this a "mailto" - URL to your admin address, or maybe just a link to your - organizations Web page. - - To include this in your error messages, you must rewrite - the error template files (found in the "errors" directory). - Wherever you want the 'err_html_text' line to appear, - insert a %L tag in the error template file. -DOC_END - -NAME: email_err_data -COMMENT: on|off -TYPE: onoff -LOC: Config.onoff.emailErrData -DEFAULT: on -DOC_START - If enabled, information about the occurred error will be - included in the mailto links of the ERR pages (if %W is set) - so that the email body then contains the data. - Syntax is %w -DOC_END - - -NAME: deny_info -TYPE: denyinfo -LOC: Config.denyInfoList -DEFAULT: none -DOC_START - Usage: deny_info err_page_name acl - or deny_info http://... acl - Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys - - This can be used to return a ERR_ page for requests which - do not pass the 'http_access' rules. A single ACL will cause - the http_access check to fail. If a 'deny_info' line exists - for that ACL then Squid returns a corresponding error page. - - You may use ERR_ pages that come with Squid or create your own pages - and put them into the configured errors/ directory. - - Alternatively you can specify an error URL. The browsers will then - get redirected (302) to the specified URL. %s in the redirection - URL will be replaced by the requested URL. - - Alternatively you can tell Squid to reset the TCP connection - by specifying TCP_RESET. -DOC_END - -NAME: memory_pools -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.mem_pools -DOC_START - If set, Squid will keep pools of allocated (but unused) memory - available for future use. If memory is a premium on your - system and you believe your malloc library outperforms Squid - routines, disable this. -DOC_END - -NAME: memory_pools_limit -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: none -LOC: Config.MemPools.limit -DOC_START - Used only with memory_pools on: - memory_pools_limit 50 MB - - If set to a non-zero value, Squid will keep at most the specified - limit of allocated (but unused) memory in memory pools. All free() - requests that exceed this limit will be handled by your malloc - library. Squid does not pre-allocate any memory, just safe-keeps - objects that otherwise would be free()d. Thus, it is safe to set - memory_pools_limit to a reasonably high value even if your - configuration will use less memory. - - If not set (default) or set to zero, Squid will keep all memory it - can. That is, there will be no limit on the total amount of memory - used for safe-keeping. - - To disable memory allocation optimization, do not set - memory_pools_limit to 0. Set memory_pools to "off" instead. - - An overhead for maintaining memory pools is not taken into account - when the limit is checked. This overhead is close to four bytes per - object kept. However, pools may actually _save_ memory because of - reduced memory thrashing in your malloc library. -DOC_END - -NAME: via -IFDEF: HTTP_VIOLATIONS -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.via -DOC_START - If set (default), Squid will include a Via header in requests and - replies as required by RFC2616. -DOC_END - -NAME: forwarded_for -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: opt_forwarded_for -DOC_START - If set, Squid will include your system's IP address or name - in the HTTP requests it forwards. By default it looks like - this: - - X-Forwarded-For: 192.1.2.3 - - If you disable this, it will appear as - - X-Forwarded-For: unknown -DOC_END - -NAME: log_icp_queries -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.log_udp -DOC_START - If set, ICP queries are logged to access.log. You may wish - do disable this if your ICP load is VERY high to speed things - up or to simplify log analysis. -DOC_END - -NAME: icp_hit_stale -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.icp_hit_stale -DOC_START - If you want to return ICP_HIT for stale cache objects, set this - option to 'on'. If you have sibling relationships with caches - in other administrative domains, this should be 'off'. If you only - have sibling relationships with caches under your control, then - it is probably okay to set this to 'on'. - If set to 'on', then your siblings should use the option "allow-miss" - on their cache_peer lines for connecting to you. -DOC_END - - -NAME: minimum_direct_hops -TYPE: int -DEFAULT: 4 -LOC: Config.minDirectHops -DOC_START - If using the ICMP pinging stuff, do direct fetches for sites - which are no more than this many hops away. -DOC_END - -NAME: minimum_direct_rtt -TYPE: int -DEFAULT: 400 -LOC: Config.minDirectRtt -DOC_START - If using the ICMP pinging stuff, do direct fetches for sites - which are no more than this many rtt milliseconds away. -DOC_END - -NAME: cachemgr_passwd -TYPE: cachemgrpasswd -DEFAULT: none -LOC: Config.passwd_list -DOC_START - Specify passwords for cachemgr operations. - - Usage: cachemgr_passwd password action action ... - - Some valid actions are (see cache manager menu for a full list): - 5min - 60min - asndb - authenticator - cbdata - client_list - comm_incoming - config * - counters - delay - digest_stats - dns - events - filedescriptors - fqdncache - histograms - http_headers - info - io - ipcache - mem - menu - netdb - non_peers - objects - offline_toggle * - pconn - peer_select - redirector - refresh - server_list - shutdown * - store_digest - storedir - utilization - via_headers - vm_objects - - * Indicates actions which will not be performed without a - valid password, others can be performed if not listed here. - - To disable an action, set the password to "disable". - To allow performing an action without a password, set the - password to "none". - - Use the keyword "all" to set the same password for all actions. - -Example: - cachemgr_passwd secret shutdown - cachemgr_passwd lesssssssecret info stats/objects - cachemgr_passwd disable all -DOC_END - -NAME: store_avg_object_size -COMMENT: (kbytes) -TYPE: kb_size_t -DEFAULT: 13 KB -LOC: Config.Store.avgObjectSize -DOC_START - Average object size, used to estimate number of objects your - cache can hold. See doc/Release-Notes-1.1.txt. The default is - 13 KB. -DOC_END - -NAME: store_objects_per_bucket -TYPE: int -DEFAULT: 20 -LOC: Config.Store.objectsPerBucket -DOC_START - Target number of objects per bucket in the store hash table. - Lowering this value increases the total number of buckets and - also the storage maintenance rate. The default is 50. -DOC_END - -NAME: client_db -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.client_db -DOC_START - If you want to disable collecting per-client statistics, then - turn off client_db here. -DOC_END - - -NAME: netdb_low -TYPE: int -DEFAULT: 900 -LOC: Config.Netdb.low -DOC_NONE - -NAME: netdb_high -TYPE: int -DEFAULT: 1000 -LOC: Config.Netdb.high -DOC_START - The low and high water marks for the ICMP measurement - database. These are counts, not percents. The defaults are - 900 and 1000. When the high water mark is reached, database - entries will be deleted until the low mark is reached. -DOC_END - - -NAME: netdb_ping_period -TYPE: time_t -LOC: Config.Netdb.period -DEFAULT: 5 minutes -DOC_START - The minimum period for measuring a site. There will be at - least this much delay between successive pings to the same - network. The default is five minutes. -DOC_END - - -NAME: query_icmp -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.query_icmp -DOC_START - If you want to ask your peers to include ICMP data in their ICP - replies, enable this option. - - If your peer has configured Squid (during compilation) with - '--enable-icmp' then that peer will send ICMP pings to origin server - sites of the URLs it receives. If you enable this option then the - ICP replies from that peer will include the ICMP data (if available). - Then, when choosing a parent cache, Squid will choose the parent with - the minimal RTT to the origin server. When this happens, the - hierarchy field of the access.log will be - "CLOSEST_PARENT_MISS". This option is off by default. -DOC_END - -NAME: test_reachability -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.test_reachability -DOC_START - When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH - instead of ICP_MISS if the target host is NOT in the ICMP - database, or has a zero RTT. -DOC_END - -NAME: buffered_logs -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.buffered_logs -DOC_START - cache.log log file is written with stdio functions, and as such - it can be buffered or unbuffered. By default it will be unbuffered. - Buffering it can speed up the writing slightly (though you are - unlikely to need to worry unless you run with tons of debugging - enabled in which case performance will suffer badly anyway..). -DOC_END - -NAME: reload_into_ims -IFDEF: HTTP_VIOLATIONS -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.reload_into_ims -DOC_START - When you enable this option, client no-cache or ``reload'' - requests will be changed to If-Modified-Since requests. - Doing this VIOLATES the HTTP standard. Enabling this - feature could make you liable for problems which it - causes. - - see also refresh_pattern for a more selective approach. -DOC_END - -NAME: always_direct -TYPE: acl_access -LOC: Config.accessList.AlwaysDirect -DEFAULT: none -DOC_START - Usage: always_direct allow|deny [!]aclname ... - - Here you can use ACL elements to specify requests which should - ALWAYS be forwarded directly to origin servers. For example, - to always directly forward requests for local servers use - something like: - - acl local-servers dstdomain my.domain.net - always_direct allow local-servers - - To always forward FTP requests directly, use - - acl FTP proto FTP - always_direct allow FTP - - NOTE: There is a similar, but opposite option named - 'never_direct'. You need to be aware that "always_direct deny - foo" is NOT the same thing as "never_direct allow foo". You - may need to use a deny rule to exclude a more-specific case of - some other rule. Example: - - acl local-external dstdomain external.foo.net - acl local-servers dstdomain .foo.net - always_direct deny local-external - always_direct allow local-servers - - This option replaces some v1.1 options such as local_domain - and local_ip. -DOC_END - -NAME: never_direct -TYPE: acl_access -LOC: Config.accessList.NeverDirect -DEFAULT: none -DOC_START - Usage: never_direct allow|deny [!]aclname ... - - never_direct is the opposite of always_direct. Please read - the description for always_direct if you have not already. - - With 'never_direct' you can use ACL elements to specify - requests which should NEVER be forwarded directly to origin - servers. For example, to force the use of a proxy for all - requests, except those in your local domain use something like: - - acl local-servers dstdomain .foo.net - acl all src 0.0.0.0/0.0.0.0 - never_direct deny local-servers - never_direct allow all - - or if squid is inside a firewall and there is local intranet - servers inside the firewall then use something like: - - acl local-intranet dstdomain .foo.net - acl local-external dstdomain external.foo.net - always_direct deny local-external - always_direct allow local-intranet - never_direct allow all - - This option replaces some v1.1 options such as inside_firewall - and firewall_ip. -DOC_END - -NAME: header_access -IFDEF: HTTP_VIOLATIONS -TYPE: http_header_access[] -LOC: Config.header_access -DEFAULT: none -DOC_START - Usage: header_access header_name allow|deny [!]aclname ... - - WARNING: Doing this VIOLATES the HTTP standard. Enabling - this feature could make you liable for problems which it - causes. - - This option replaces the old 'anonymize_headers' and the - older 'http_anonymizer' option with something that is much - more configurable. This new method creates a list of ACLs - for each header, allowing you very fine-tuned header - mangling. - - You can only specify known headers for the header name. - Other headers are reclassified as 'Other'. You can also - refer to all the headers with 'All'. - - For example, to achieve the same behaviour as the old - 'http_anonymizer standard' option, you should use: - - header_access From deny all - header_access Referer deny all - header_access Server deny all - header_access User-Agent deny all - header_access WWW-Authenticate deny all - header_access Link deny all - - Or, to reproduce the old 'http_anonymizer paranoid' feature - you should use: - - header_access Allow allow all - header_access Authorization allow all - header_access WWW-Authenticate allow all - header_access Cache-Control allow all - header_access Content-Encoding allow all - header_access Content-Length allow all - header_access Content-Type allow all - header_access Date allow all - header_access Expires allow all - header_access Host allow all - header_access If-Modified-Since allow all - header_access Last-Modified allow all - header_access Location allow all - header_access Pragma allow all - header_access Accept allow all - header_access Accept-Charset allow all - header_access Accept-Encoding allow all - header_access Accept-Language allow all - header_access Content-Language allow all - header_access Mime-Version allow all - header_access Retry-After allow all - header_access Title allow all - header_access Connection allow all - header_access Proxy-Connection allow all - header_access All deny all - - By default, all headers are allowed (no anonymizing is - performed). -DOC_END - -NAME: header_replace -IFDEF: HTTP_VIOLATIONS -TYPE: http_header_replace[] -LOC: Config.header_access -DEFAULT: none -DOC_START - Usage: header_replace header_name message - Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) - - This option allows you to change the contents of headers - denied with header_access above, by replacing them with - some fixed string. This replaces the old fake_user_agent - option. - - By default, headers are removed if denied. -DOC_END - -NAME: icon_directory -TYPE: string -LOC: Config.icons.directory -DEFAULT: @DEFAULT_ICON_DIR@ -DOC_START - Where the icons are stored. These are normally kept in - @DEFAULT_ICON_DIR@ -DOC_END - -NAME: error_directory -TYPE: string -LOC: Config.errorDirectory -DEFAULT: @DEFAULT_ERROR_DIR@ -DOC_START - If you wish to create your own versions of the default - (English) error files, either to customize them to suit your - language or company copy the template English files to another - directory and point this tag at them. -DOC_END - -NAME: minimum_retry_timeout -COMMENT: (seconds) -TYPE: time_t -LOC: Config.retry.timeout -DEFAULT: 5 seconds -DOC_START - This specifies the minimum connect timeout, for when the - connect timeout is reduced to compensate for the availability - of multiple IP addresses. - - When a connection to a host is initiated, and that host has - several IP addresses, the default connection timeout is reduced - by dividing it by the number of addresses. So, a site with 15 - addresses would then have a timeout of 8 seconds for each - address attempted. To avoid having the timeout reduced to the - point where even a working host would not have a chance to - respond, this setting is provided. The default, and the - minimum value, is five seconds, and the maximum value is sixty - seconds, or half of connect_timeout, whichever is greater and - less than connect_timeout. -DOC_END - -NAME: maximum_single_addr_tries -TYPE: int -LOC: Config.retry.maxtries -DEFAULT: 3 -DOC_START - This sets the maximum number of connection attempts for a - host that only has one address (for multiple-address hosts, - each address is tried once). - - The default value is three tries, the (not recommended) - maximum is 255 tries. A warning message will be generated - if it is set to a value greater than ten. -DOC_END - -NAME: snmp_port -TYPE: ushort -LOC: Config.Port.snmp -DEFAULT: 3401 -IFDEF: SQUID_SNMP -DOC_START - Squid can now serve statistics and status information via SNMP. - By default it listens to port 3401 on the machine. If you don't - wish to use SNMP, set this to "0". -DOC_END - -NAME: snmp_access -TYPE: acl_access -LOC: Config.accessList.snmp -DEFAULT: none -DEFAULT_IF_NONE: deny all -IFDEF: SQUID_SNMP -DOC_START - Allowing or denying access to the SNMP port. - - All access to the agent is denied by default. - usage: - - snmp_access allow|deny [!]aclname ... - -Example: - snmp_access allow snmppublic localhost - snmp_access deny all -DOC_END - -NAME: snmp_incoming_address -TYPE: address -LOC: Config.Addrs.snmp_incoming -DEFAULT: 0.0.0.0 -IFDEF: SQUID_SNMP -DOC_NONE -NAME: snmp_outgoing_address -TYPE: address -LOC: Config.Addrs.snmp_outgoing -DEFAULT: 255.255.255.255 -IFDEF: SQUID_SNMP -DOC_START - Just like 'udp_incoming_address' above, but for the SNMP port. - - snmp_incoming_address is used for the SNMP socket receiving - messages from SNMP agents. - snmp_outgoing_address is used for SNMP packets returned to SNMP - agents. - - The default snmp_incoming_address (0.0.0.0) is to listen on all - available network interfaces. - - If snmp_outgoing_address is set to 255.255.255.255 (the default) - then it will use the same socket as snmp_incoming_address. Only - change this if you want to have SNMP replies sent using another - address than where this Squid listens for SNMP queries. - - NOTE, snmp_incoming_address and snmp_outgoing_address can not have - the same value since they both use port 3401. -DOC_END - -NAME: as_whois_server -TYPE: string -LOC: Config.as_whois_server -DEFAULT: whois.ra.net -DEFAULT_IF_NONE: whois.ra.net -DOC_START - WHOIS server to query for AS numbers. NOTE: AS numbers are - queried only when Squid starts up, not for every request. -DOC_END - -NAME: wccp_router -TYPE: address -LOC: Config.Wccp.router -DEFAULT: 0.0.0.0 -IFDEF: USE_WCCP -DOC_START - Use this option to define your WCCP ``home'' router for - Squid. Setting the 'wccp_router' to 0.0.0.0 (the default) - disables WCCP. -DOC_END - -NAME: wccp_version -TYPE: int -LOC: Config.Wccp.version -DEFAULT: 4 -IFDEF: USE_WCCP -DOC_START - According to some users, Cisco IOS 11.2 only supports WCCP - version 3. If you're using that version of IOS, change - this value to 3. -DOC_END - -NAME: wccp_incoming_address -TYPE: address -LOC: Config.Wccp.incoming -DEFAULT: 0.0.0.0 -IFDEF: USE_WCCP -DOC_NONE -NAME: wccp_outgoing_address -TYPE: address -LOC: Config.Wccp.outgoing -DEFAULT: 255.255.255.255 -IFDEF: USE_WCCP -DOC_START - wccp_incoming_address Use this option if you require WCCP - messages to be received on only one - interface. Do NOT use this option if - you're unsure how many interfaces you - have, or if you know you have only one - interface. - - wccp_outgoing_address Use this option if you require WCCP - messages to be sent out on only one - interface. Do NOT use this option if - you're unsure how many interfaces you - have, or if you know you have only one - interface. - - The default behavior is to not bind to any specific address. - - NOTE, wccp_incoming_address and wccp_outgoing_address can not have - the same value since they both use port 2048. -DOC_END + NAME: delay_class + TYPE: delay_pool_class -COMMENT_START - DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option) - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: delay_pools -TYPE: delay_pool_count -DEFAULT: 0 -IFDEF: DELAY_POOLS -LOC: Config.Delay -DOC_START - This represents the number of delay pools to be used. For example, - if you have one class 2 delay pool and one class 3 delays pool, you - have a total of 2 delay pools. -DOC_END - -NAME: delay_class -TYPE: delay_pool_class -DEFAULT: none -IFDEF: DELAY_POOLS -LOC: Config.Delay -DOC_START - This defines the class of each delay pool. There must be exactly one - delay_class line for each delay pool. For example, to define two - delay pools, one of class 2 and one of class 3, the settings above - and here would be: - -Example: - delay_pools 3 # 2 delay pools - delay_class 1 2 # pool 1 is a class 2 pool - delay_class 2 3 # pool 2 is a class 3 pool - delay_class 3 4 # pool 3 is a class 4 pool - - The delay pool classes are: - - class 1 Everything is limited by a single aggregate - bucket. - - class 2 Everything is limited by a single aggregate - bucket as well as an "individual" bucket chosen - from bits 25 through 32 of the IP address. - - class 3 Everything is limited by a single aggregate - bucket as well as a "network" bucket chosen - from bits 17 through 24 of the IP address and a - "individual" bucket chosen from bits 17 through - 32 of the IP address. - - class 4 Everything in a class 3 delay pool, with an - additional limit on a per user basis. This - only takes effect if the username is established - in advance - by forcing authentication in your - http_access rules. - - NOTE: If an IP address is a.b.c.d - -> bits 25 through 32 are "d" - -> bits 17 through 24 are "c" - -> bits 17 through 32 are "c * 256 + d" -DOC_END - -NAME: delay_access -TYPE: delay_pool_access -DEFAULT: none -IFDEF: DELAY_POOLS -LOC: Config.Delay -DOC_START - This is used to determine which delay pool a request falls into. - The first matched delay pool is always used, i.e., if a request falls - into delay pool number one, no more delay are checked, otherwise the - rest are checked in order of their delay pool number until they have - all been checked. For example, if you want some_big_clients in delay - pool 1 and lotsa_little_clients in delay pool 2: - -Example: - delay_access 1 allow some_big_clients - delay_access 1 deny all - delay_access 2 allow lotsa_little_clients - delay_access 2 deny all - delay_access 3 allow authenticated_clients -DOC_END - -NAME: delay_parameters -TYPE: delay_pool_rates -DEFAULT: none -IFDEF: DELAY_POOLS -LOC: Config.Delay -DOC_START - This defines the parameters for a delay pool. Each delay pool has - a number of "buckets" associated with it, as explained in the - description of delay_class. For a class 1 delay pool, the syntax is: - -delay_parameters pool aggregate - - For a class 2 delay pool: - -delay_parameters pool aggregate individual - - For a class 3 delay pool: - -delay_parameters pool aggregate network individual - - For a class 4 delay pool: - -delay_parameters pool aggregate network individual user - - The variables here are: - - pool a pool number - ie, a number between 1 and the - number specified in delay_pools as used in - delay_class lines. - - aggregate the "delay parameters" for the aggregate bucket - (class 1, 2, 3). - - individual the "delay parameters" for the individual - buckets (class 2, 3). - - network the "delay parameters" for the network buckets - (class 3). - - user the delay parameters for the user buckets - (class 4). - - A pair of delay parameters is written restore/maximum, where restore is - the number of bytes (not bits - modem and network speeds are usually - quoted in bits) per second placed into the bucket, and maximum is the - maximum number of bytes which can be in the bucket at any time. - - For example, if delay pool number 1 is a class 2 delay pool as in the - above example, and is being used to strictly limit each host to 64kbps - (plus overheads), with no overall limit, the line is: - -delay_parameters 1 -1/-1 8000/8000 - - Note that the figure -1 is used to represent "unlimited". - - And, if delay pool number 2 is a class 3 delay pool as in the above - example, and you want to limit it to a total of 256kbps (strict limit) - with each 8-bit network permitted 64kbps (strict limit) and each - individual host permitted 4800bps with a bucket maximum size of 64kb - to permit a decent web page to be downloaded at a decent speed - (if the network is not being limited due to overuse) but slow down - large downloads more significantly: - -delay_parameters 2 32000/32000 8000/8000 600/8000 - - There must be one delay_parameters line for each delay pool. - - Finally, for a class 4 delay pool as in the example - each user will - be limited to 128Kb no matter how many workstations they are logged into.: - -delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 -DOC_END - -NAME: delay_initial_bucket_level -COMMENT: (percent, 0-100) -TYPE: ushort -DEFAULT: 50 -IFDEF: DELAY_POOLS -LOC: Config.Delay.initial -DOC_START - The initial bucket percentage is used to determine how much is put - in each bucket when squid starts, is reconfigured, or first notices - a host accessing it (in class 2 and class 3, individual hosts and - networks only have buckets associated with them once they have been - "seen" by squid). -DOC_END - -NAME: incoming_icp_average -TYPE: int -DEFAULT: 6 -LOC: Config.comm_incoming.icp_average -DOC_NONE - -NAME: incoming_http_average -TYPE: int -DEFAULT: 4 -LOC: Config.comm_incoming.http_average -DOC_NONE - -NAME: incoming_dns_average -TYPE: int -DEFAULT: 4 -LOC: Config.comm_incoming.dns_average -DOC_NONE - -NAME: min_icp_poll_cnt -TYPE: int -DEFAULT: 8 -LOC: Config.comm_incoming.icp_min_poll -DOC_NONE - -NAME: min_dns_poll_cnt -TYPE: int -DEFAULT: 8 -LOC: Config.comm_incoming.dns_min_poll -DOC_NONE - -NAME: min_http_poll_cnt -TYPE: int -DEFAULT: 8 -LOC: Config.comm_incoming.http_min_poll -DOC_START - Heavy voodoo here. I can't even believe you are reading this. - Are you crazy? Don't even think about adjusting these unless - you understand the algorithms in comm_select.c first! -DOC_END - -NAME: max_open_disk_fds -TYPE: int -LOC: Config.max_open_disk_fds -DEFAULT: 0 -DOC_START - To avoid having disk as the I/O bottleneck Squid can optionally - bypass the on-disk cache if more than this amount of disk file - descriptors are open. - - A value of 0 indicates no limit. -DOC_END - -NAME: offline_mode -TYPE: onoff -LOC: Config.onoff.offline -DEFAULT: off -DOC_START - Enable this option and Squid will never try to validate cached - objects. -DOC_END - -NAME: uri_whitespace -TYPE: uri_whitespace -LOC: Config.uri_whitespace -DEFAULT: strip -DOC_START - What to do with requests that have whitespace characters in the - URI. Options: - - strip: The whitespace characters are stripped out of the URL. - This is the behavior recommended by RFC2616. - deny: The request is denied. The user receives an "Invalid - Request" message. - allow: The request is allowed and the URI is not changed. The - whitespace characters remain in the URI. Note the - whitespace is passed to redirector processes if they - are in use. - encode: The request is allowed and the whitespace characters are - encoded according to RFC1738. This could be considered - a violation of the HTTP/1.1 - RFC because proxies are not allowed to rewrite URI's. - chop: The request is allowed and the URI is chopped at the - first whitespace. This might also be considered a - violation. -DOC_END - -NAME: broken_posts -TYPE: acl_access -DEFAULT: none -LOC: Config.accessList.brokenPosts -DOC_START - A list of ACL elements which, if matched, causes Squid to send - an extra CRLF pair after the body of a PUT/POST request. - - Some HTTP servers has broken implementations of PUT/POST, - and rely on an extra CRLF pair sent by some WWW clients. - - Quote from RFC 2068 section 4.1 on this matter: - - Note: certain buggy HTTP/1.0 client implementations generate an - extra CRLF's after a POST request. To restate what is explicitly - forbidden by the BNF, an HTTP/1.1 client must not preface or follow - a request with an extra CRLF. - -Example: - acl buggy_server url_regex ^http://.... - broken_posts allow buggy_server -DOC_END - -NAME: mcast_miss_addr -IFDEF: MULTICAST_MISS_STREAM -TYPE: address -LOC: Config.mcast_miss.addr -DEFAULT: 255.255.255.255 -DOC_START - If you enable this option, every "cache miss" URL will - be sent out on the specified multicast address. - - Do not enable this option unless you are are absolutely - certain you understand what you are doing. -DOC_END - -NAME: mcast_miss_ttl -IFDEF: MULTICAST_MISS_TTL -TYPE: ushort -LOC: Config.mcast_miss.ttl -DEFAULT: 16 -DOC_START - This is the time-to-live value for packets multicasted - when multicasting off cache miss URLs is enabled. By - default this is set to 'site scope', i.e. 16. -DOC_END - -NAME: mcast_miss_port -IFDEF: MULTICAST_MISS_STREAM -TYPE: ushort -LOC: Config.mcast_miss.port -DEFAULT: 3135 -DOC_START - This is the port number to be used in conjunction with - 'mcast_miss_addr'. -DOC_END - -NAME: mcast_miss_encode_key -IFDEF: MULTICAST_MISS_STREAM -TYPE: string -LOC: Config.mcast_miss.encode_key -DEFAULT: XXXXXXXXXXXXXXXX -DOC_START - The URLs that are sent in the multicast miss stream are - encrypted. This is the encryption key. -DOC_END - -NAME: nonhierarchical_direct -TYPE: onoff -LOC: Config.onoff.nonhierarchical_direct -DEFAULT: on -DOC_START - By default, Squid will send any non-hierarchical requests - (matching hierarchy_stoplist or not cachable request type) direct - to origin servers. - - If you set this to off, then Squid will prefer to send these - requests to parents. - - Note that in most configurations, by turning this off you will only - add latency to these request without any improvement in global hit - ratio. - - If you are inside an firewall then see never_direct instead of - this directive. -DOC_END - -NAME: prefer_direct -TYPE: onoff -LOC: Config.onoff.prefer_direct -DEFAULT: off -DOC_START - Normally Squid tries to use parents for most requests. If you by some - reason like it to first try going direct and only use a parent if - going direct fails then set this to on. - - By combining nonhierarchical_direct off and prefer_direct on you - can set up Squid to use a parent as a backup path if going direct - fails. -DOC_END - -NAME: strip_query_terms -TYPE: onoff -LOC: Config.onoff.strip_query_terms -DEFAULT: on -DOC_START - By default, Squid strips query terms from requested URLs before - logging. This protects your user's privacy. -DOC_END - -NAME: coredump_dir -TYPE: string -LOC: Config.coredump_dir -DEFAULT: none -DEFAULT_IF_NONE: none -DOC_START - By default Squid leaves core files in the directory from where - it was started. If you set 'coredump_dir' to a directory - that exists, Squid will chdir() to that directory at startup - and coredump files will be left there. - -NOCOMMENT_START + DEFAULT: none + + IFDEF: DELAY_POOLS + + LOC: Config.Delay + DOC_START + This defines the class of each delay pool. There must be exactly one + delay_class line for each delay pool. For example, to define two + delay pools, one of class 2 and one of class 3, the settings above + + and here would be: + + Example: + delay_pools 4 # 4 delay pools + delay_class 1 2 # pool 1 is a class 2 pool + delay_class 2 3 # pool 2 is a class 3 pool + delay_class 3 4 # pool 3 is a class 4 pool + delay_class 4 5 # pool 4 is a class 5 pool + + The delay pool classes are: + + class 1 Everything is limited by a single aggregate + bucket. + + class 2 Everything is limited by a single aggregate + bucket as well as an "individual" bucket chosen + from bits 25 through 32 of the IP address. + + class 3 Everything is limited by a single aggregate + bucket as well as a "network" bucket chosen + from bits 17 through 24 of the IP address and a + "individual" bucket chosen from bits 17 through + 32 of the IP address. + + class 4 Everything in a class 3 delay pool, with an + additional limit on a per user basis. This + only takes effect if the username is established + in advance - by forcing authentication in your + http_access rules. + + class 5 Requests are grouped according their tag (see + external_acl's tag= reply). + + NOTE: If an IP address is a.b.c.d + -> bits 25 through 32 are "d" + -> bits 17 through 24 are "c" + -> bits 17 through 32 are "c * 256 + d" + DOC_END + + NAME: delay_access + TYPE: delay_pool_access + DEFAULT: none + IFDEF: DELAY_POOLS + LOC: Config.Delay + DOC_START + This is used to determine which delay pool a request falls into. + The first matched delay pool is always used, i.e., if a request falls + into delay pool number one, no more delay are checked, otherwise the + rest are checked in order of their delay pool number until they have + all been checked. For example, if you want some_big_clients in delay + pool 1 and lotsa_little_clients in delay pool 2: + + Example: + delay_access 1 allow some_big_clients + delay_access 1 deny all + delay_access 2 allow lotsa_little_clients + delay_access 2 deny all + delay_access 3 allow authenticated_clients + DOC_END + + NAME: delay_parameters + TYPE: delay_pool_rates + DEFAULT: none + IFDEF: DELAY_POOLS + LOC: Config.Delay + DOC_START + This defines the parameters for a delay pool. Each delay pool has + a number of "buckets" associated with it, as explained in the + description of delay_class. For a class 1 delay pool, the syntax is: + + delay_parameters pool aggregate + + For a class 2 delay pool: + + delay_parameters pool aggregate individual + + For a class 3 delay pool: + + delay_parameters pool aggregate network individual + + For a class 4 delay pool: + + delay_parameters pool aggregate network individual user + + For a class 5 delay pool: + + delay_parameters pool tag + + The variables here are: + + pool a pool number - ie, a number between 1 and the + number specified in delay_pools as used in + delay_class lines. + + aggregate the "delay parameters" for the aggregate bucket + (class 1, 2, 3). + + individual the "delay parameters" for the individual + buckets (class 2, 3). + + network the "delay parameters" for the network buckets + (class 3). + + user the delay parameters for the user buckets + (class 4). + + tag the delay parameters for the tag buckets + (class 5). + + A pair of delay parameters is written restore/maximum, where restore is + the number of bytes (not bits - modem and network speeds are usually + quoted in bits) per second placed into the bucket, and maximum is the + maximum number of bytes which can be in the bucket at any time. + + For example, if delay pool number 1 is a class 2 delay pool as in the + above example, and is being used to strictly limit each host to 64kbps + (plus overheads), with no overall limit, the line is: + + delay_parameters 1 -1/-1 8000/8000 + + Note that the figure -1 is used to represent "unlimited". + + And, if delay pool number 2 is a class 3 delay pool as in the above + example, and you want to limit it to a total of 256kbps (strict limit) + with each 8-bit network permitted 64kbps (strict limit) and each + individual host permitted 4800bps with a bucket maximum size of 64kb + to permit a decent web page to be downloaded at a decent speed + (if the network is not being limited due to overuse) but slow down + large downloads more significantly: + + delay_parameters 2 32000/32000 8000/8000 600/8000 + + There must be one delay_parameters line for each delay pool. + + Finally, for a class 4 delay pool as in the example - each user will + be limited to 128Kb no matter how many workstations they are logged into.: + + delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 + DOC_END + + NAME: delay_initial_bucket_level + COMMENT: (percent, 0-100) + TYPE: ushort + DEFAULT: 50 + IFDEF: DELAY_POOLS + LOC: Config.Delay.initial + DOC_START + The initial bucket percentage is used to determine how much is put + in each bucket when squid starts, is reconfigured, or first notices + a host accessing it (in class 2 and class 3, individual hosts and + networks only have buckets associated with them once they have been + "seen" by squid). + DOC_END + + NAME: incoming_icp_average + TYPE: int + DEFAULT: 6 + LOC: Config.comm_incoming.icp_average + DOC_NONE + + NAME: incoming_http_average + TYPE: int + DEFAULT: 4 + LOC: Config.comm_incoming.http_average + DOC_NONE + + NAME: incoming_dns_average + TYPE: int + DEFAULT: 4 + LOC: Config.comm_incoming.dns_average + DOC_NONE + + NAME: min_icp_poll_cnt + TYPE: int + DEFAULT: 8 + LOC: Config.comm_incoming.icp_min_poll + DOC_NONE + + NAME: min_dns_poll_cnt + TYPE: int + DEFAULT: 8 + LOC: Config.comm_incoming.dns_min_poll + DOC_NONE + + NAME: min_http_poll_cnt + TYPE: int + DEFAULT: 8 + LOC: Config.comm_incoming.http_min_poll + DOC_START + Heavy voodoo here. I can't even believe you are reading this. + Are you crazy? Don't even think about adjusting these unless + you understand the algorithms in comm_select.c first! + DOC_END + + NAME: max_open_disk_fds + TYPE: int + LOC: Config.max_open_disk_fds + DEFAULT: 0 + DOC_START + To avoid having disk as the I/O bottleneck Squid can optionally + bypass the on-disk cache if more than this amount of disk file + descriptors are open. + + A value of 0 indicates no limit. + DOC_END + + NAME: offline_mode + TYPE: onoff + LOC: Config.onoff.offline + DEFAULT: off + DOC_START + Enable this option and Squid will never try to validate cached + objects. + DOC_END + + NAME: uri_whitespace + TYPE: uri_whitespace + LOC: Config.uri_whitespace + DEFAULT: strip + DOC_START + What to do with requests that have whitespace characters in the + URI. Options: + + strip: The whitespace characters are stripped out of the URL. + This is the behavior recommended by RFC2616. + deny: The request is denied. The user receives an "Invalid + Request" message. + allow: The request is allowed and the URI is not changed. The + whitespace characters remain in the URI. Note the + whitespace is passed to redirector processes if they + are in use. + encode: The request is allowed and the whitespace characters are + encoded according to RFC1738. This could be considered + a violation of the HTTP/1.1 + RFC because proxies are not allowed to rewrite URI's. + chop: The request is allowed and the URI is chopped at the + first whitespace. This might also be considered a + violation. + DOC_END + + NAME: broken_posts + TYPE: acl_access + DEFAULT: none + LOC: Config.accessList.brokenPosts + DOC_START + A list of ACL elements which, if matched, causes Squid to send + an extra CRLF pair after the body of a PUT/POST request. + + Some HTTP servers has broken implementations of PUT/POST, + and rely on an extra CRLF pair sent by some WWW clients. + + Quote from RFC 2068 section 4.1 on this matter: + + Note: certain buggy HTTP/1.0 client implementations generate an + extra CRLF's after a POST request. To restate what is explicitly + forbidden by the BNF, an HTTP/1.1 client must not preface or follow + a request with an extra CRLF. + + Example: + acl buggy_server url_regex ^http://.... + broken_posts allow buggy_server + DOC_END + + NAME: mcast_miss_addr + IFDEF: MULTICAST_MISS_STREAM + TYPE: address + LOC: Config.mcast_miss.addr + DEFAULT: 255.255.255.255 + DOC_START + If you enable this option, every "cache miss" URL will + be sent out on the specified multicast address. + + Do not enable this option unless you are are absolutely + certain you understand what you are doing. + DOC_END + + NAME: mcast_miss_ttl + IFDEF: MULTICAST_MISS_TTL + TYPE: ushort + LOC: Config.mcast_miss.ttl + DEFAULT: 16 + DOC_START + This is the time-to-live value for packets multicasted + when multicasting off cache miss URLs is enabled. By + default this is set to 'site scope', i.e. 16. + DOC_END + + NAME: mcast_miss_port + IFDEF: MULTICAST_MISS_STREAM + TYPE: ushort + LOC: Config.mcast_miss.port + DEFAULT: 3135 + DOC_START + This is the port number to be used in conjunction with + 'mcast_miss_addr'. + DOC_END + + NAME: mcast_miss_encode_key + IFDEF: MULTICAST_MISS_STREAM + TYPE: string + LOC: Config.mcast_miss.encode_key + DEFAULT: XXXXXXXXXXXXXXXX + DOC_START + The URLs that are sent in the multicast miss stream are + encrypted. This is the encryption key. + DOC_END + + NAME: nonhierarchical_direct + TYPE: onoff + LOC: Config.onoff.nonhierarchical_direct + DEFAULT: on + DOC_START + By default, Squid will send any non-hierarchical requests + (matching hierarchy_stoplist or not cachable request type) direct + to origin servers. + + If you set this to off, then Squid will prefer to send these + requests to parents. + + Note that in most configurations, by turning this off you will only + add latency to these request without any improvement in global hit + ratio. + + If you are inside an firewall then see never_direct instead of + this directive. + DOC_END + + NAME: prefer_direct + TYPE: onoff + LOC: Config.onoff.prefer_direct + DEFAULT: off + DOC_START + Normally Squid tries to use parents for most requests. If you by some + reason like it to first try going direct and only use a parent if + going direct fails then set this to on. + + By combining nonhierarchical_direct off and prefer_direct on you + can set up Squid to use a parent as a backup path if going direct + fails. + DOC_END + + NAME: strip_query_terms + TYPE: onoff + LOC: Config.onoff.strip_query_terms + DEFAULT: on + DOC_START + By default, Squid strips query terms from requested URLs before + logging. This protects your user's privacy. + DOC_END + + NAME: coredump_dir + TYPE: string + LOC: Config.coredump_dir + DEFAULT: none + DEFAULT_IF_NONE: none + DOC_START + By default Squid leaves core files in the directory from where + it was started. If you set 'coredump_dir' to a directory + that exists, Squid will chdir() to that directory at startup + and coredump files will be left there. + + NOCOMMENT_START # Leave coredumps in the first cache dir -coredump_dir @DEFAULT_SWAP_DIR@ -NOCOMMENT_END -DOC_END - -NAME: redirector_bypass -TYPE: onoff -LOC: Config.onoff.redirector_bypass -DEFAULT: off -DOC_START - When this is 'on', a request will not go through the - redirector if all redirectors are busy. If this is 'off' - and the redirector queue grows too large, Squid will exit - with a FATAL error and ask you to increase the number of - redirectors. You should only enable this if the redirectors - are not critical to your caching system. If you use - redirectors for access control, and you enable this option, - then users may have access to pages that they should not - be allowed to request. -DOC_END - -NAME: ignore_unknown_nameservers -TYPE: onoff -LOC: Config.onoff.ignore_unknown_nameservers -DEFAULT: on -DOC_START - By default Squid checks that DNS responses are received - from the same IP addresses that they are sent to. If they - don't match, Squid ignores the response and writes a warning - message to cache.log. You can allow responses from unknown - nameservers by setting this option to 'off'. -DOC_END - -NAME: digest_generation -IFDEF: USE_CACHE_DIGESTS -TYPE: onoff -LOC: Config.onoff.digest_generation -DEFAULT: on -DOC_START - This controls whether the server will generate a Cache Digest - of its contents. By default, Cache Digest generation is - enabled if Squid is compiled with USE_CACHE_DIGESTS defined. -DOC_END - -NAME: digest_bits_per_entry -IFDEF: USE_CACHE_DIGESTS -TYPE: int -LOC: Config.digest.bits_per_entry -DEFAULT: 5 -DOC_START - This is the number of bits of the server's Cache Digest which - will be associated with the Digest entry for a given HTTP - Method and URL (public key) combination. The default is 5. -DOC_END - -NAME: digest_rebuild_period -IFDEF: USE_CACHE_DIGESTS -COMMENT: (seconds) -TYPE: time_t -LOC: Config.digest.rebuild_period -DEFAULT: 1 hour -DOC_START - This is the number of seconds between Cache Digest rebuilds. -DOC_END - -NAME: digest_rewrite_period -COMMENT: (seconds) -IFDEF: USE_CACHE_DIGESTS -TYPE: time_t -LOC: Config.digest.rewrite_period -DEFAULT: 1 hour -DOC_START - This is the number of seconds between Cache Digest writes to - disk. -DOC_END - -NAME: digest_swapout_chunk_size -COMMENT: (bytes) -TYPE: b_size_t -IFDEF: USE_CACHE_DIGESTS -LOC: Config.digest.swapout_chunk_size -DEFAULT: 4096 bytes -DOC_START - This is the number of bytes of the Cache Digest to write to - disk at a time. It defaults to 4096 bytes (4KB), the Squid - default swap page. -DOC_END - -NAME: digest_rebuild_chunk_percentage -COMMENT: (percent, 0-100) -IFDEF: USE_CACHE_DIGESTS -TYPE: int -LOC: Config.digest.rebuild_chunk_percentage -DEFAULT: 10 -DOC_START - This is the percentage of the Cache Digest to be scanned at a - time. By default it is set to 10% of the Cache Digest. -DOC_END - -NAME: chroot -TYPE: string -LOC: Config.chroot_dir -DEFAULT: none -DOC_START - Use this to have Squid do a chroot() while initializing. This - also causes Squid to fully drop root privileges after - initializing. This means, for example, that if you use a HTTP - port less than 1024 and try to reconfigure, you will get an - error. -DOC_END - -NAME: client_persistent_connections -TYPE: onoff -LOC: Config.onoff.client_pconns -DEFAULT: on -DOC_NONE - -NAME: server_persistent_connections -TYPE: onoff -LOC: Config.onoff.server_pconns -DEFAULT: on -DOC_START - Persistent connection support for clients and servers. By - default, Squid uses persistent connections (when allowed) - with its clients and servers. You can use these options to - disable persistent connections with clients and/or servers. -DOC_END - -NAME: pipeline_prefetch -TYPE: onoff -LOC: Config.onoff.pipeline_prefetch -DEFAULT: off -DOC_START - To boost the performance of pipelined requests to closer - match that of a non-proxied environment Squid can try to fetch - up to two requests in parallell from a pipeline. - - Defaults to off for bandwidth management and access logging - reasons. -DOC_END - -NAME: extension_methods -TYPE: wordlist -LOC: Config.ext_methods -DEFAULT: none -DOC_START - Squid only knows about standardized HTTP request methods. - You can add up to 20 additional "extension" methods here. -DOC_END - -NAME: request_entities -TYPE: onoff -LOC: Config.onoff.request_entities -DEFAULT: off -DOC_START - Squid defaults to deny GET and HEAD requests with request entities, - as the meaning of such requests are undefined in the HTTP standard - even if not explicitly forbidden. - - Set this directive to on if you have clients which insists - on sending request entities in GET or HEAD requests. -DOC_END - -NAME: high_response_time_warning -TYPE: int -COMMENT: (msec) -LOC: Config.warnings.high_rptm -DEFAULT: 0 -DOC_START - If the one-minute median response time exceeds this value, - Squid prints a WARNING with debug level 0 to get the - administrators attention. The value is in milliseconds. -DOC_END - -NAME: high_page_fault_warning -TYPE: int -LOC: Config.warnings.high_pf -DEFAULT: 0 -DOC_START - If the one-minute average page fault rate exceeds this - value, Squid prints a WARNING with debug level 0 to get - the administrators attention. The value is in page faults - per second. -DOC_END - -NAME: high_memory_warning -TYPE: b_size_t -LOC: Config.warnings.high_memory -DEFAULT: 0 -DOC_START - If the memory usage (as determined by mallinfo) exceeds - value, Squid prints a WARNING with debug level 0 to get - the administrators attention. -DOC_END - -NAME: store_dir_select_algorithm -TYPE: string -LOC: Config.store_dir_select_algorithm -DEFAULT: least-load -DOC_START - Set this to 'round-robin' as an alternative. -DOC_END - -NAME: forward_log -IFDEF: WIP_FWD_LOG -TYPE: string -DEFAULT: none -LOC: Config.Log.forward -DOC_START - Logs the server-side requests. - - This is currently work in progress. -DOC_END - -NAME: ie_refresh -COMMENT: on|off -TYPE: onoff -LOC: Config.onoff.ie_refresh -DEFAULT: off -DOC_START - Microsoft Internet Explorer up until version 5.5 Service - Pack 1 has an issue with transparent proxies, wherein it - is impossible to force a refresh. Turning this on provides - a partial fix to the problem, by causing all IMS-REFRESH - requests from older IE versions to check the origin server - for fresh content. This reduces hit ratio by some amount - (~10% in my experience), but allows users to actually get - fresh content when they want it. Note that because Squid - cannot tell if the user is using 5.5 or 5.5SP1, the behavior - of 5.5 is unchanged from old versions of Squid (i.e. a - forced refresh is impossible). Newer versions of IE will, - hopefully, continue to have the new behavior and will be - handled based on that assumption. This option defaults to - the old Squid behavior, which is better for hit ratios but - worse for clients using IE, if they need to be able to - force fresh content. -DOC_END - -NAME: vary_ignore_expire -COMMENT: on|off -TYPE: onoff -LOC: Config.onoff.vary_ignore_expire -DEFAULT: off -DOC_START - Many HTTP servers supporting Vary gives such objects - immediate expiry time with no cache-control header - when requested by a HTTP/1.0 client. This option - enables Squid to ignore such expiry times until - HTTP/1.1 is fully implemented. - WARNING: This may eventually cause some varying - objects not intended for caching to get cached. -DOC_END - -NAME: sleep_after_fork -COMMENT: (microseconds) -TYPE: int -LOC: Config.sleep_after_fork -DEFAULT: 0 -DOC_START - When this is set to a non-zero value, the main Squid process - sleeps the specified number of microseconds after a fork() - system call. This sleep may help the situation where your - system reports fork() failures due to lack of (virtual) - memory. Note, however, that if you have a lot of child - processes, then these sleep delays will add up and your - Squid will not service requests for some amount of time - until all the child processes have been started. -DOC_END - -EOF + coredump_dir @DEFAULT_SWAP_DIR@ + NOCOMMENT_END + DOC_END + + NAME: redirector_bypass + TYPE: onoff + LOC: Config.onoff.redirector_bypass + DEFAULT: off + DOC_START + When this is 'on', a request will not go through the + redirector if all redirectors are busy. If this is 'off' + and the redirector queue grows too large, Squid will exit + with a FATAL error and ask you to increase the number of + redirectors. You should only enable this if the redirectors + are not critical to your caching system. If you use + redirectors for access control, and you enable this option, + then users may have access to pages that they should not + be allowed to request. + DOC_END + + NAME: ignore_unknown_nameservers + TYPE: onoff + LOC: Config.onoff.ignore_unknown_nameservers + DEFAULT: on + DOC_START + By default Squid checks that DNS responses are received + from the same IP addresses that they are sent to. If they + don't match, Squid ignores the response and writes a warning + message to cache.log. You can allow responses from unknown + nameservers by setting this option to 'off'. + DOC_END + + NAME: digest_generation + IFDEF: USE_CACHE_DIGESTS + TYPE: onoff + LOC: Config.onoff.digest_generation + DEFAULT: on + DOC_START + This controls whether the server will generate a Cache Digest + of its contents. By default, Cache Digest generation is + enabled if Squid is compiled with USE_CACHE_DIGESTS defined. + DOC_END + + NAME: digest_bits_per_entry + IFDEF: USE_CACHE_DIGESTS + TYPE: int + LOC: Config.digest.bits_per_entry + DEFAULT: 5 + DOC_START + This is the number of bits of the server's Cache Digest which + will be associated with the Digest entry for a given HTTP + Method and URL (public key) combination. The default is 5. + DOC_END + + NAME: digest_rebuild_period + IFDEF: USE_CACHE_DIGESTS + COMMENT: (seconds) + TYPE: time_t + LOC: Config.digest.rebuild_period + DEFAULT: 1 hour + DOC_START + This is the number of seconds between Cache Digest rebuilds. + DOC_END + + NAME: digest_rewrite_period + COMMENT: (seconds) + IFDEF: USE_CACHE_DIGESTS + TYPE: time_t + LOC: Config.digest.rewrite_period + DEFAULT: 1 hour + DOC_START + This is the number of seconds between Cache Digest writes to + disk. + DOC_END + + NAME: digest_swapout_chunk_size + COMMENT: (bytes) + TYPE: b_size_t + IFDEF: USE_CACHE_DIGESTS + LOC: Config.digest.swapout_chunk_size + DEFAULT: 4096 bytes + DOC_START + This is the number of bytes of the Cache Digest to write to + disk at a time. It defaults to 4096 bytes (4KB), the Squid + default swap page. + DOC_END + + NAME: digest_rebuild_chunk_percentage + COMMENT: (percent, 0-100) + IFDEF: USE_CACHE_DIGESTS + TYPE: int + LOC: Config.digest.rebuild_chunk_percentage + DEFAULT: 10 + DOC_START + This is the percentage of the Cache Digest to be scanned at a + time. By default it is set to 10% of the Cache Digest. + DOC_END + + NAME: chroot + TYPE: string + LOC: Config.chroot_dir + DEFAULT: none + DOC_START + Use this to have Squid do a chroot() while initializing. This + also causes Squid to fully drop root privileges after + initializing. This means, for example, that if you use a HTTP + port less than 1024 and try to reconfigure, you will get an + error. + DOC_END + + NAME: client_persistent_connections + TYPE: onoff + LOC: Config.onoff.client_pconns + DEFAULT: on + DOC_NONE + + NAME: server_persistent_connections + TYPE: onoff + LOC: Config.onoff.server_pconns + DEFAULT: on + DOC_START + Persistent connection support for clients and servers. By + default, Squid uses persistent connections (when allowed) + with its clients and servers. You can use these options to + disable persistent connections with clients and/or servers. + DOC_END + + NAME: pipeline_prefetch + TYPE: onoff + LOC: Config.onoff.pipeline_prefetch + DEFAULT: off + DOC_START + To boost the performance of pipelined requests to closer + match that of a non-proxied environment Squid can try to fetch + up to two requests in parallell from a pipeline. + + Defaults to off for bandwidth management and access logging + reasons. + DOC_END + + NAME: extension_methods + TYPE: wordlist + LOC: Config.ext_methods + DEFAULT: none + DOC_START + Squid only knows about standardized HTTP request methods. + You can add up to 20 additional "extension" methods here. + DOC_END + + NAME: request_entities + TYPE: onoff + LOC: Config.onoff.request_entities + DEFAULT: off + DOC_START + Squid defaults to deny GET and HEAD requests with request entities, + as the meaning of such requests are undefined in the HTTP standard + even if not explicitly forbidden. + + Set this directive to on if you have clients which insists + on sending request entities in GET or HEAD requests. + DOC_END + + NAME: high_response_time_warning + TYPE: int + COMMENT: (msec) + LOC: Config.warnings.high_rptm + DEFAULT: 0 + DOC_START + If the one-minute median response time exceeds this value, + Squid prints a WARNING with debug level 0 to get the + administrators attention. The value is in milliseconds. + DOC_END + + NAME: high_page_fault_warning + TYPE: int + LOC: Config.warnings.high_pf + DEFAULT: 0 + DOC_START + If the one-minute average page fault rate exceeds this + value, Squid prints a WARNING with debug level 0 to get + the administrators attention. The value is in page faults + per second. + DOC_END + + NAME: high_memory_warning + TYPE: b_size_t + LOC: Config.warnings.high_memory + DEFAULT: 0 + DOC_START + If the memory usage (as determined by mallinfo) exceeds + value, Squid prints a WARNING with debug level 0 to get + the administrators attention. + DOC_END + + NAME: store_dir_select_algorithm + TYPE: string + LOC: Config.store_dir_select_algorithm + DEFAULT: least-load + DOC_START + Set this to 'round-robin' as an alternative. + DOC_END + + NAME: forward_log + IFDEF: WIP_FWD_LOG + TYPE: string + DEFAULT: none + LOC: Config.Log.forward + DOC_START + Logs the server-side requests. + + This is currently work in progress. + DOC_END + + NAME: ie_refresh + COMMENT: on|off + TYPE: onoff + LOC: Config.onoff.ie_refresh + DEFAULT: off + DOC_START + Microsoft Internet Explorer up until version 5.5 Service + Pack 1 has an issue with transparent proxies, wherein it + is impossible to force a refresh. Turning this on provides + a partial fix to the problem, by causing all IMS-REFRESH + requests from older IE versions to check the origin server + for fresh content. This reduces hit ratio by some amount + (~10% in my experience), but allows users to actually get + fresh content when they want it. Note that because Squid + cannot tell if the user is using 5.5 or 5.5SP1, the behavior + of 5.5 is unchanged from old versions of Squid (i.e. a + forced refresh is impossible). Newer versions of IE will, + hopefully, continue to have the new behavior and will be + handled based on that assumption. This option defaults to + the old Squid behavior, which is better for hit ratios but + worse for clients using IE, if they need to be able to + force fresh content. + DOC_END + + NAME: vary_ignore_expire + COMMENT: on|off + TYPE: onoff + LOC: Config.onoff.vary_ignore_expire + DEFAULT: off + DOC_START + Many HTTP servers supporting Vary gives such objects + immediate expiry time with no cache-control header + when requested by a HTTP/1.0 client. This option + enables Squid to ignore such expiry times until + HTTP/1.1 is fully implemented. + WARNING: This may eventually cause some varying + objects not intended for caching to get cached. + DOC_END + + NAME: sleep_after_fork + COMMENT: (microseconds) + TYPE: int + LOC: Config.sleep_after_fork + DEFAULT: 0 + DOC_START + When this is set to a non-zero value, the main Squid process + sleeps the specified number of microseconds after a fork() + system call. This sleep may help the situation where your + system reports fork() failures due to lack of (virtual) + memory. Note, however, that if you have a lot of child + processes, then these sleep delays will add up and your + Squid will not service requests for some amount of time + until all the child processes have been started. + DOC_END + + EOF diff --git a/src/delay_pools.cc b/src/delay_pools.cc index 8f096dc6cc..aa3e5536e6 100644 --- a/src/delay_pools.cc +++ b/src/delay_pools.cc @@ -1,6 +1,6 @@ /* - * $Id: delay_pools.cc,v 1.38 2003/03/08 09:43:50 robertc Exp $ + * $Id: delay_pools.cc,v 1.39 2003/05/20 12:17:39 robertc Exp $ * * DEBUG: section 77 Delay Pools * AUTHOR: Robert Collins @@ -58,21 +58,7 @@ #include "NullDelayId.h" #include "DelayBucket.h" #include "DelayUser.h" - -/* - * class 1 Everything is limited by a single aggregate - * bucket. - * - * class 2 Everything is limited by a single aggregate - * bucket as well as an "individual" bucket chosen - * from bits 25 through 32 of the IP address. - * - * class 3 Everything is limited by a single aggregate - * bucket as well as a "network" bucket chosen - * from bits 17 through 24 of the IP address and a - * "individual" bucket chosen from bits 17 through - * 32 of the IP address. - */ +#include "DelayTagged.h" long DelayPools::MemoryUsed = 0; @@ -95,7 +81,7 @@ public: virtual void update(int incr); virtual void parse(); - virtual DelayIdComposite::Pointer id(struct in_addr &src_addr, AuthUserRequest *); + virtual DelayIdComposite::Pointer id(CompositeSelectionDetails &); private: @@ -152,7 +138,7 @@ public: virtual void update(int incr); virtual void stats(StoreEntry * sentry); - virtual DelayIdComposite::Pointer id(struct in_addr &src_addr, AuthUserRequest *); + virtual DelayIdComposite::Pointer id(CompositeSelectionDetails &); VectorMap buckets; VectorPool(); ~VectorPool(); @@ -243,7 +229,7 @@ public: virtual void update(int incr); virtual void stats(StoreEntry * sentry); - virtual DelayIdComposite::Pointer id(struct in_addr &src_addr, AuthUserRequest *); + virtual DelayIdComposite::Pointer id(CompositeSelectionDetails &); ClassCHostPool(); ~ClassCHostPool(); @@ -361,6 +347,11 @@ CommonPool::Factory(unsigned char _class, CompositePoolNode::Pointer& compositeC break; + case 5: + result->typeLabel = "5"; + compositeCopy = new DelayTagged; + break; + default: fatal ("unknown delay pool class"); return NULL; @@ -523,7 +514,7 @@ Aggregate::parse() DelayIdComposite::Pointer -Aggregate::id(struct in_addr &src_addr, AuthUserRequest *) +Aggregate::id(CompositeSelectionDetails &details) { if (rate()->restore_bps != -1) return new AggregateId (this); @@ -834,12 +825,12 @@ VectorMap::findKeyIndex (Key const key) const DelayIdComposite::Pointer -VectorPool::id(struct in_addr &src_addr, AuthUserRequest *) +VectorPool::id(CompositeSelectionDetails &details) { if (rate()->restore_bps == -1) return new NullDelayId; - unsigned int key = makeKey (src_addr); + unsigned int key = makeKey (details.src_addr); if (keyAllocated (key)) return new Id (this, buckets.findKeyIndex(key)); @@ -1006,14 +997,14 @@ ClassCHostPool::makeKey (struct in_addr &src_addr) const DelayIdComposite::Pointer -ClassCHostPool::id(struct in_addr &src_addr, AuthUserRequest *) +ClassCHostPool::id(CompositeSelectionDetails &details) { if (rate()->restore_bps == -1) return new NullDelayId; - unsigned int key = makeKey (src_addr); + unsigned int key = makeKey (details.src_addr); - unsigned char host = makeHostKey (src_addr); + unsigned char host = makeHostKey (details.src_addr); unsigned char hostIndex; diff --git a/src/external_acl.cc b/src/external_acl.cc index a98e594049..a1bed3d499 100644 --- a/src/external_acl.cc +++ b/src/external_acl.cc @@ -1,6 +1,6 @@ /* - * $Id: external_acl.cc,v 1.40 2003/05/17 19:02:15 hno Exp $ + * $Id: external_acl.cc,v 1.41 2003/05/20 12:17:39 robertc Exp $ * * DEBUG: section 82 External ACL * AUTHOR: Henrik Nordstrom, MARA Systems AB @@ -42,6 +42,7 @@ #include "squid.h" #include "ExternalACL.h" +#include "ExternalACLEntry.h" #include "authenticate.h" #include "Store.h" #include "fde.h" @@ -65,41 +66,47 @@ static char *makeExternalAclKey(ACLChecklist * ch, external_acl_data * acl_data) static void external_acl_cache_delete(external_acl * def, external_acl_entry * entry); static int external_acl_entry_expired(external_acl * def, external_acl_entry * entry); static void external_acl_cache_touch(external_acl * def, external_acl_entry * entry); - -/******************************************************************* - * external_acl cache entry - * Used opaqueue in the interface - */ - -struct _external_acl_entry: public hash_link -{ - dlink_node lru; - int result; - time_t date; - char *user; - char *error; - external_acl *def; -}; +static external_acl_entry *external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const &data); /****************************************************************** * external_acl directive */ -struct _external_acl +class external_acl { + +public: external_acl *next; + + void add + (ExternalACLEntry *); + + void trimCache(); + int ttl; + int negative_ttl; + char *name; + external_acl_format *format; + wordlist *cmdline; + int children; + helper *theHelper; + hash_table *cache; + dlink_list lru_list; + int cache_size; + int cache_entries; + dlink_list queue; + int require_auth; }; @@ -433,6 +440,26 @@ find_externalAclHelper(const char *name) return NULL; } +void + +external_acl::add + (ExternalACLEntry *anEntry) +{ + trimCache(); + assert (anEntry->def == NULL); + anEntry->def = this; + hash_join(cache, anEntry); + dlinkAdd(anEntry, &anEntry->lru, &lru_list); + cache_entries++; +} + +void +external_acl::trimCache() +{ + if (cache_size && cache_entries >= cache_size) + external_acl_cache_delete(this, static_cast(lru_list.tail->data)); +} + /****************************************************************** * external acl type @@ -553,6 +580,9 @@ aclMatchExternal(external_acl_data *acl, ACLChecklist * ch) if (entry->user && cbdataReferenceValid(ch->conn()) && !ch->conn()->rfc931[0]) xstrncpy(ch->conn()->rfc931, entry->user, USER_IDENT_SZ); + if (ch->request && !ch->request->tag.size()) + ch->request->tag = entry->tag; + return result; } @@ -585,8 +615,6 @@ ACLExternal::dump() const * external_acl cache */ -CBDATA_TYPE(external_acl_entry); - static void external_acl_cache_touch(external_acl * def, external_acl_entry * entry) { @@ -741,66 +769,38 @@ external_acl_entry_expired(external_acl * def, external_acl_entry * entry) return 0; } -static void -free_external_acl_entry(void *data) -{ - external_acl_entry *entry = static_cast(data); - safe_free(entry->key); - safe_free(entry->user); - safe_free(entry->error); -} - static external_acl_entry * -external_acl_cache_add(external_acl * def, const char *key, int result, char *user, char *error) +external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const & data) { - external_acl_entry *entry = static_cast(hash_lookup(def->cache, key)); - debug(82, 2) ("external_acl_cache_add: Adding '%s' = %d\n", key, result); + ExternalACLEntry *entry = static_cast(hash_lookup(def->cache, key)); + debug(82, 2) ("external_acl_cache_add: Adding '%s' = %d\n", key, data.result); if (entry) { - debug(82, 3) ("external_acl_cache_add: updating existing entry\n"); - entry->date = squid_curtime; - entry->result = result; - safe_free(entry->user); - safe_free(entry->error); - - if (user) - entry->user = xstrdup(user); - - if (error) - entry->error = xstrdup(error); - + debug(82, 3) ("ExternalACLEntry::update: updating existing entry\n"); + entry->update (data); external_acl_cache_touch(def, entry); return entry; } - CBDATA_INIT_TYPE_FREECB(external_acl_entry, free_external_acl_entry); - /* Maintain cache size */ - - if (def->cache_size && def->cache_entries >= def->cache_size) - external_acl_cache_delete(def, static_cast(def->lru_list.tail->data)); - entry = cbdataAlloc(external_acl_entry); + entry = new ExternalACLEntry; entry->key = xstrdup(key); - entry->date = squid_curtime; - entry->result = result; - if (user) - entry->user = xstrdup(user); - if (error) - entry->error = xstrdup(error); - entry->def = def; - hash_join(def->cache, entry); - dlinkAdd(entry, &entry->lru, &def->lru_list); - def->cache_entries += 1; + entry->update (data); + + def->add + (entry); + return entry; } static void external_acl_cache_delete(external_acl * def, external_acl_entry * entry) { + assert (entry->def == def); hash_remove_link(def->cache, entry); dlinkDelete(&entry->lru, &def->lru_list); def->cache_entries -= 1; - cbdataFree(entry); + entry->deleteSelf(); } /****************************************************************** @@ -845,6 +845,9 @@ free_externalAclState(void *data) * * user= The users name (login) * error= Error description (only defined for ERR results) + * tag= A string tag to be applied to the request that triggered the acl match. + * applies to both OK and ERR responses. + * Won't override existing request tags. * * Other keywords may be added to the protocol later * @@ -858,13 +861,12 @@ externalAclHandleReply(void *data, char *reply) { externalAclState *state = static_cast(data); externalAclState *next; - int result = 0; char *status; char *token; char *value; char *t; - char *user = NULL; - char *error = NULL; + ExternalACLEntryData entryData; + entryData.result = 0; external_acl_entry *entry = NULL; debug(82, 2) ("externalAclHandleReply: reply=\"%s\"\n", reply); @@ -873,7 +875,7 @@ externalAclHandleReply(void *data, char *reply) status = strwordtok(reply, &t); if (status && strcmp(status, "OK") == 0) - result = 1; + entryData.result = 1; while ((token = strwordtok(NULL, &t))) { value = strchr(token, '='); @@ -881,10 +883,13 @@ externalAclHandleReply(void *data, char *reply) if (value) { *value++ = '\0'; /* terminate the token, and move up to the value */ + if (strcmp(token, "tag") == 0) + entryData.tag = value; + if (strcmp(token, "user") == 0) - user = value; + entryData.user = value; else if (strcmp(token, "error") == 0) - error = value; + entryData.error = value; } } } @@ -893,7 +898,7 @@ externalAclHandleReply(void *data, char *reply) if (cbdataReferenceValid(state->def)) { if (reply) - entry = external_acl_cache_add(state->def, state->key, result, user, error); + entry = external_acl_cache_add(state->def, state->key, entryData); else { if (reply) entry = (external_acl_entry *)hash_lookup(state->def->cache, state->key); @@ -1003,7 +1008,7 @@ ACLExternal::ExternalAclLookup(ACLChecklist * ch, ACLExternal * me, EAH * callba helperSubmit(def->theHelper, buf.buf, externalAclHandleReply, state); - external_acl_cache_add(def, key, -1, NULL, NULL); + external_acl_cache_add(def, key, ExternalACLEntryData()); dlinkAdd(state, &state->list, &def->queue); diff --git a/src/structs.h b/src/structs.h index da61d6a49f..3d4026f920 100644 --- a/src/structs.h +++ b/src/structs.h @@ -1,6 +1,6 @@ /* - * $Id: structs.h,v 1.463 2003/05/17 17:35:06 hno Exp $ + * $Id: structs.h,v 1.464 2003/05/20 12:17:39 robertc Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -226,6 +226,8 @@ struct _RemovalPolicySettings wordlist *args; }; +class external_acl; + struct _SquidConfig { @@ -1699,6 +1701,7 @@ public: time_t lastmod; /* Used on refreshes */ const char *vary_headers; /* Used when varying entities are detected. Changes how the store key is calculated */ char *peer_domain; /* Configured peer forceddomain */ + String tag; /* Internal tag for this request */ }; #endif diff --git a/src/typedefs.h b/src/typedefs.h index 1e9435f6ca..bb06920a8c 100644 --- a/src/typedefs.h +++ b/src/typedefs.h @@ -1,6 +1,6 @@ /* - * $Id: typedefs.h,v 1.161 2003/05/17 17:35:06 hno Exp $ + * $Id: typedefs.h,v 1.162 2003/05/20 12:17:39 robertc Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -370,9 +370,4 @@ typedef struct _htcpReplyData htcpReplyData; typedef RemovalPolicy *REMOVALPOLICYCREATE(wordlist * args); typedef int STDIRSELECT(const StoreEntry *); - -typedef struct _external_acl external_acl; - -typedef struct _external_acl_entry external_acl_entry; - #endif /* SQUID_TYPEDEFS_H */