From: hno <> Date: Wed, 21 May 2003 06:50:09 +0000 (+0000) Subject: Looks like someone run astule on cf.data.pre as well... X-Git-Tag: SQUID_3_0_PRE1~174 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9e7dbc519f061bc53db8146896645f73931fb456;p=thirdparty%2Fsquid.git Looks like someone run astule on cf.data.pre as well... --- diff --git a/src/cf.data.pre b/src/cf.data.pre index 1db4c6098e..fcf6dee1be 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.315 2003/05/20 12:17:38 robertc Exp $ +# $Id: cf.data.pre,v 1.316 2003/05/21 00:50:09 hno Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -31,1664 +31,1634 @@ # COMMENT_START -WELCOME TO SQUID @VERSION@ ----------------------------- + WELCOME TO SQUID @VERSION@ + ---------------------------- -This is the default Squid configuration file. You may wish + This is the default Squid configuration file. You may wish + to look at the Squid home page (http://www.squid-cache.org/) + for the FAQ and other documentation. - to look at the Squid home page (http://www.squid-cache.org/) + The default Squid config file shows what the defaults for + various options happen to be. If you don't need to change the + default, you shouldn't uncomment the line. Doing so may cause + run-time problems. In some cases "none" refers to no default + setting at all, while in other cases it refers to a valid + option - the comments for that keyword indicate if this is the + case. - for the FAQ and other documentation. +COMMENT_END - The default Squid config file shows what the defaults for - various options happen to be. If you don't need to change the - default, you shouldn't uncomment the line. Doing so may cause - run-time problems. In some cases "none" refers to no default - setting at all, while in other cases it refers to a valid - option - the comments for that keyword indicate if this is the - case. - - COMMENT_END - - COMMENT_START - NETWORK OPTIONS - ----------------------------------------------------------------------------- - COMMENT_END - - NAME: http_port ascii_port +COMMENT_START + NETWORK OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: http_port ascii_port +TYPE: http_port_list +DEFAULT: none +LOC: Config.Sockaddr.http +DOC_START + Usage: port [options] + hostname:port [options] + 1.2.3.4:port [options] + + The socket addresses where Squid will listen for HTTP client + requests. You may specify multiple socket addresses. + There are three forms: port alone, hostname with port, and + IP address with port. If you specify a hostname or IP + address, then Squid binds the socket to that specific + address. This replaces the old 'tcp_incoming_address' + option. Most likely, you do not need to bind to a specific + address, so you can use the port number alone. + + If you are running Squid in accelerator mode, then you + probably want to listen on port 80 also, or instead. + + The -a command line option will override the *first* port + number listed here. That option will NOT override an IP + address, however. + + You may specify multiple socket addresses on multiple lines. + + options are: + accel Accelerator mode + transparent Support for transparent proxies + vhost Accelerator using Host directive + vport Accelerator with IP virtual host support + vport=NN As above, but uses specified port number + rather than the http_port number. + defaultsite=xx Main web site name for accelerators. + also implies accel + protocol= Protocol to reconstruct accelerated + requests with. Defaults to http. + + If you run Squid on a dual-homed machine with an internal + and an external interface then we recommend you to specify the + internal address:port in http_port. This way Squid will only be + visible on the internal address. +NOCOMMENT_START +# Squid normally listens to port 3128 +http_port 3128 +NOCOMMENT_END +DOC_END + +NAME: https_port +IFDEF: USE_SSL +TYPE: https_port_list +DEFAULT: none +LOC: Config.Sockaddr.https +DOC_START + Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] + + The socket address where Squid will listen for HTTPS client + requests. + + This is really only useful for situations where you are running + squid in accelerator mode and you want to do the SSL work at the + accelerator level. + + You may specify multiple socket addresses on multiple lines, + each with their own SSL certificate and/or options. + + Options: + + defaultsite= The name of the https site presented on + this port. + + protocol= Protocol to reconstruct accelerated requests + with. Defaults to https. + + cert= Path to SSL certificate (PEM format) + + key= Path to SSL private key file (PEM format) + if not specified, the certificate file is + assumed to be a combined certificate and + key file + + version= The version of SSL/TLS supported + 1 automatic (default) + 2 SSLv2 only + 3 SSLv3 only + 4 TLSv1 only + + cipher= Colon separated list of supported ciphers + + options= Varions SSL engine options. The most important + being: + NO_SSLv2 Disallow the use of SSLv2 + NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1 + SINGLE_DH_USE Always create a new key when using + temporary/ephemeral DH key exchanges + See src/ssl_support.c or OpenSSL SSL_CTX_set_options + documentation for a complete list of options. + + clientca= File containing the list of CAs to use when + requesting a client certificate + + cafile= File containing additional CA certificates to + use when verifying client certificates. If unset + clientca will be used. + + capath= Directory containing additional CA certificates + to use when verifying client certificates + + dhparams= File containing DH parameters for temporary/ephemeral + DH key exchanges + + sslflags= Various flags modifying the use of SSL: + DELAYED_AUTH + Don't request client certificates + immediately, but wait until acl processing + requires a certificate + NO_DEFAULT_CA + Don't use the default CA list built in + to OpenSSL. + +DOC_END + +NAME: ssl_unclean_shutdown +IFDEF: USE_SSL +TYPE: onoff +DEFAULT: off +LOC: Config.SSL.unclean_shutdown +DOC_START + Some browsers (especially MSIE) bugs out on SSL shutdown + messages. +DOC_END + +NAME: ssl_engine +IFDEF: USE_SSL +TYPE: string +LOC: Config.SSL.ssl_engine +DEFAULT: none +DOC_START + The openssl engine to use. You will need to set this if you + would like to use hardware SSL acceleration for example. +DOC_END + +NAME: sslproxy_client_certificate +IFDEF: USE_SSL +DEFAULT: none +LOC: Config.ssl_client.cert +TYPE: string +DOC_START + Client SSL Certificate to use when proxying https:// URLs +DOC_END + +NAME: sslproxy_client_key +IFDEF: USE_SSL +DEFAULT: none +LOC: Config.ssl_client.key +TYPE: string +DOC_START + Client SSL Key to use when proxying https:// URLs +DOC_END + +NAME: sslproxy_version +IFDEF: USE_SSL +DEFAULT: 1 +LOC: Config.ssl_client.version +TYPE: int +DOC_START + SSL version level to use when proxying https:// URLs +DOC_END + +NAME: sslproxy_options +IFDEF: USE_SSL +DEFAULT: none +LOC: Config.ssl_client.options +TYPE: string +DOC_START + SSL engine options to use when proxying https:// URLs +DOC_END + +NAME: sslproxy_cipher +IFDEF: USE_SSL +DEFAULT: none +LOC: Config.ssl_client.cipher +TYPE: string +DOC_START + SSL cipher list to use when proxying https:// URLs +DOC_END + +NAME: sslproxy_cafile +IFDEF: USE_SSL +DEFAULT: none +LOC: Config.ssl_client.cafile +TYPE: string +DOC_START +DOC_END + +NAME: sslproxy_capath +IFDEF: USE_SSL +DEFAULT: none +LOC: Config.ssl_client.capath +TYPE: string +DOC_START +DOC_END + +NAME: sslproxy_flags +IFDEF: USE_SSL +DEFAULT: none +LOC: Config.ssl_client.flags +TYPE: string +DOC_START +DOC_END + +NAME: icp_port udp_port +TYPE: ushort +DEFAULT: 0 +LOC: Config.Port.icp +DOC_START + The port number where Squid sends and receives ICP queries to + and from neighbor caches. The standard UDP port for ICP is 3130. + Default is disabled (0). +NOCOMMENT_START +icp_port 3130 +NOCOMMENT_END +DOC_END + +NAME: htcp_port +IFDEF: USE_HTCP +TYPE: ushort +DEFAULT: 4827 +LOC: Config.Port.htcp +DOC_START + The port number where Squid sends and receives HTCP queries to + and from neighbor caches. Default is 4827. To disable use + "0". +DOC_END + + +NAME: mcast_groups +TYPE: wordlist +LOC: Config.mcast_group_list +DEFAULT: none +DOC_START + This tag specifies a list of multicast groups which your server + should join to receive multicasted ICP queries. + + NOTE! Be very careful what you put here! Be sure you + understand the difference between an ICP _query_ and an ICP + _reply_. This option is to be set only if you want to RECEIVE + multicast queries. Do NOT set this option to SEND multicast + ICP (use cache_peer for that). ICP replies are always sent via + unicast, so this option does not affect whether or not you will + receive replies from multicast group members. + + You must be very careful to NOT use a multicast address which + is already in use by another group of caches. + + If you are unsure about multicast, please read the Multicast + chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/). + + Usage: mcast_groups 239.128.16.128 224.0.1.20 + + By default, Squid doesn't listen on any multicast groups. +DOC_END + + +NAME: udp_incoming_address +TYPE: address +LOC:Config.Addrs.udp_incoming +DEFAULT: 0.0.0.0 +DOC_NONE + +NAME: udp_outgoing_address +TYPE: address +LOC: Config.Addrs.udp_outgoing +DEFAULT: 255.255.255.255 +DOC_START + udp_incoming_address is used for the ICP socket receiving packets + from other caches. + udp_outgoing_address is used for ICP packets sent out to other + caches. + + The default behavior is to not bind to any specific address. + + A udp_incoming_address value of 0.0.0.0 indicates that Squid should + listen for UDP messages on all available interfaces. + + If udp_outgoing_address is set to 255.255.255.255 (the default) + then it will use the same socket as udp_incoming_address. Only + change this if you want to have ICP queries sent using another + address than where this Squid listens for ICP queries from other + caches. + + NOTE, udp_incoming_address and udp_outgoing_address can not + have the same value since they both use port 3130. +DOC_END - TYPE: http_port_list +COMMENT_START + OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: cache_peer +TYPE: peer +DEFAULT: none +LOC: Config.peers +DOC_START + To specify other caches in a hierarchy, use the format: + + cache_peer hostname type http_port icp_port [options] + + For example, + + # proxy icp + # hostname type port port options + # -------------------- -------- ----- ----- ----------- + cache_peer parent.foo.net parent 3128 3130 [proxy-only] + cache_peer sib1.foo.net sibling 3128 3130 [proxy-only] + cache_peer sib2.foo.net sibling 3128 3130 [proxy-only] + + type: either 'parent', 'sibling', or 'multicast'. + + proxy_port: The port number where the cache listens for proxy + requests. + + icp_port: Used for querying neighbor caches about + objects. To have a non-ICP neighbor + specify '7' for the ICP port and make sure the + neighbor machine has the UDP echo port + enabled in its /etc/inetd.conf file. + + options: proxy-only + weight=n + basetime=n + ttl=n + no-query + background-ping + default + round-robin + weighted-round-robin + carp + multicast-responder + closest-only + no-digest + no-netdb-exchange + no-delay + login=user:password | PASS | *:password + connect-timeout=nn + digest-url=url + allow-miss + max-conn + originserver + name=xxx + forceddomain=name + ssl + sslcert=/path/to/ssl/certificate + sslkey=/path/to/ssl/key + sslversion=1|2|3|4 + sslcipher=... + ssloptions=... + front-end-https[=on|auto] + + use 'proxy-only' to specify that objects fetched + from this cache should not be saved locally. + + use 'weight=n' to specify a weighted parent. + The weight must be an integer. The default weight + is 1, larger weights are favored more. + + use 'basetime=n' to specify a base amount to + be subtracted from round trip times of parents. + It is subtracted before division by weight in calculating + which parent to fectch from. If the rtt is less than the + base time then the rtt is set to a minimal value. + + use 'ttl=n' to specify a IP multicast TTL to use + when sending an ICP queries to this address. + Only useful when sending to a multicast group. + Because we don't accept ICP replies from random + hosts, you must configure other group members as + peers with the 'multicast-responder' option below. + + use 'no-query' to NOT send ICP queries to this + neighbor. + + use 'background-ping' to only send ICP queries to this + neighbor infrequently. This is used to keep the neighbor + round trip time updated and is usually used in + conjunction with weighted-round-robin. + + use 'default' if this is a parent cache which can + be used as a "last-resort." You should probably + only use 'default' in situations where you cannot + use ICP with your parent cache(s). + + use 'round-robin' to define a set of parents which + should be used in a round-robin fashion in the + absence of any ICP queries. + + use 'weighted-round-robin' to define a set of parents + which should be used in a round-robin fashion with the + frequency of each parent being based on the round trip + time. Closer parents are used more often. + Usually used for background-ping parents. + + use 'carp' to define a set of parents which should + be used as a CARP array. The requests will then be + distributed among the parents based on the CARP load + balancing hash function based on their weigth. + + 'multicast-responder' indicates that the named peer + is a member of a multicast group. ICP queries will + not be sent directly to the peer, but ICP replies + will be accepted from it. + + 'closest-only' indicates that, for ICP_OP_MISS + replies, we'll only forward CLOSEST_PARENT_MISSes + and never FIRST_PARENT_MISSes. + + use 'no-digest' to NOT request cache digests from + this neighbor. + + 'no-netdb-exchange' disables requesting ICMP + RTT database (NetDB) from the neighbor. + + use 'no-delay' to prevent access to this neighbor + from influencing the delay pools. + + use 'login=user:password' if this is a personal/workgroup + proxy and your parent requires proxy authentication. + Note: The string can include URL escapes (i.e. %20 for + spaces). This also means that % must be written as %%. + + use 'login=PASS' if users must authenticate against + the upstream proxy. This will pass the users credentials + as they are to the peer proxy. This only works for the + Basic HTTP authentication sheme. Note: To combine this + with proxy_auth both proxies must share the same user + database as HTTP only allows for one proxy login. + Also be warned that this will expose your users proxy + password to the peer. USE WITH CAUTION + + use 'login=*:password' to pass the username to the + upstream cache, but with a fixed password. This is meant + to be used when the peer is in another administrative + domain, but it is still needed to identify each user. + The star can optionally be followed by some extra + information which is added to the username. This can + be used to identify this proxy to the peer, similar to + the login=username:password option above. + + use 'connect-timeout=nn' to specify a peer + specific connect timeout (also see the + peer_connect_timeout directive) + + use 'digest-url=url' to tell Squid to fetch the cache + digest (if digests are enabled) for this host from + the specified URL rather than the Squid default + location. + + use 'allow-miss' to disable Squid's use of only-if-cached + when forwarding requests to siblings. This is primarily + useful when icp_hit_stale is used by the sibling. To + extensive use of this option may result in forwarding + loops, and you should avoid having two-way peerings + with this option. (for example to deny peer usage on + requests from peer by denying cache_peer_access if the + source is a peer) + + use 'max-conn' to limit the amount of connections Squid + may open to this peer. + + 'originserver' causes this parent peer to be contacted as + a origin server. Meant to be used in accelerator setups. + + use 'name=xxx' if you have multiple peers on the same + host but different ports. This name can then be used to + differentiate the peers in cache_peer_access and similar + directives. + + use 'forceddomain=name' to forcibly set the Host header + of requests forwarded to this peer. Useful in accelerator + setups where the server (peer) expects a certain domain + name and using redirectors to feed this domainname + is not feasible. + + use 'ssl' to indicate that connections to this peer should + bs SSL/TLS encrypted. + + use 'sslcert=/path/to/ssl/certificate' to specify a client + SSL certificate to use when connecting to this peer. + + use 'sslkey=/path/to/ssl/key' to specify the private SSL + key corresponding to sslcert above. If 'sslkey' is not + specified then 'sslcert' is assumed to reference a + combined file containing both the certificate and the key. + + use sslversion=1|2|3|4 to specify the SSL version to use + when connecting to this peer + 1 = automatic (default) + 2 = SSL v2 only + 3 = SSL v3 only + 4 = TLS v1 only + + use sslcipher=... to specify the list of valid SSL chipers + to use when connecting to this peer + + use ssloptions=... to specify various SSL engine options: + NO_SSLv2 Disallow the use of SSLv2 + NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1 + See src/ssl_support.c or the OpenSSL documentation for + a more complete list. + + use cafile=... to specify a file containing additional + CA certificates to use when verifying the peer certificate + + use capath=... to specify a directory containing additional + CA certificates to use when verifying the peer certificate + + use sslflags=... to specify various flags modifying the + SSL implementation: + DONT_VERIFY_PEER + Accept certificates even if they fail to + verify. + NO_DEFAULT_CA + Don't use the default CA list built in + to OpenSSL. + DONT_VERIFY_DOMAIN + Don't verify that the peer certificate + matches the server name + + use sslname= to specify the peer name as advertised + in it's certificate. Used for verifying the correctness + of the received peer certificate. If not specified the + peer hostname will be used. + + use front-end-https to enable the "Front-End-Https: On" + header needed when using Squid as a SSL frontend infront + of Microsoft OWA. See MS KB document Q307347 for details + on this header. If set to auto then the header will + only be added if the request is forwarded as a https:// + URL. + + NOTE: non-ICP neighbors must be specified as 'parent'. +DOC_END + +NAME: cache_peer_domain cache_host_domain +TYPE: hostdomain +DEFAULT: none +LOC: none +DOC_START + Use to limit the domains for which a neighbor cache will be + queried. Usage: + + cache_peer_domain cache-host domain [domain ...] + cache_peer_domain cache-host !domain + + For example, specifying + + cache_peer_domain parent.foo.net .edu + + has the effect such that UDP query packets are sent to + 'bigserver' only when the requested object exists on a + server in the .edu domain. Prefixing the domainname + with '!' means that the cache will be queried for objects + NOT in that domain. + + NOTE: * Any number of domains may be given for a cache-host, + either on the same or separate lines. + * When multiple domains are given for a particular + cache-host, the first matched domain is applied. + * Cache hosts with no domain restrictions are queried + for all requests. + * There are no defaults. + * There is also a 'cache_peer_access' tag in the ACL + section. +DOC_END + + +NAME: neighbor_type_domain +TYPE: hostdomaintype +DEFAULT: none +LOC: none +DOC_START + usage: neighbor_type_domain parent|sibling domain domain ... + + Modifying the neighbor type for specific domains is now + possible. You can treat some domains differently than the the + default neighbor type specified on the 'cache_peer' line. + Normally it should only be necessary to list domains which + should be treated differently because the default neighbor type + applies for hostnames which do not match domains listed here. + +EXAMPLE: + cache_peer parent cache.foo.org 3128 3130 + neighbor_type_domain cache.foo.org sibling .com .net + neighbor_type_domain cache.foo.org sibling .au .de +DOC_END + +NAME: icp_query_timeout +COMMENT: (msec) +DEFAULT: 0 +TYPE: int +LOC: Config.Timeout.icp_query +DOC_START + Normally Squid will automatically determine an optimal ICP + query timeout value based on the round-trip-time of recent ICP + queries. If you want to override the value determined by + Squid, set this 'icp_query_timeout' to a non-zero value. This + value is specified in MILLISECONDS, so, to use a 2-second + timeout (the old default), you would write: + + icp_query_timeout 2000 +DOC_END + +NAME: maximum_icp_query_timeout +COMMENT: (msec) +DEFAULT: 2000 +TYPE: int +LOC: Config.Timeout.icp_query_max +DOC_START + Normally the ICP query timeout is determined dynamically. But + sometimes it can lead to very large values (say 5 seconds). + Use this option to put an upper limit on the dynamic timeout + value. Do NOT use this option to always use a fixed (instead + of a dynamic) timeout value. To set a fixed timeout see the + 'icp_query_timeout' directive. +DOC_END + +NAME: minimum_icp_query_timeout +COMMENT: (msec) +DEFAULT: 5 +TYPE: int +LOC: Config.Timeout.icp_query_min +DOC_START + Normally the ICP query timeout is determined dynamically. But + sometimes it can lead to very small timeouts, even lower than + the normal latency variance on your link due to traffic. + Use this option to put an lower limit on the dynamic timeout + value. Do NOT use this option to always use a fixed (instead + of a dynamic) timeout value. To set a fixed timeout see the + 'icp_query_timeout' directive. +DOC_END + +NAME: mcast_icp_query_timeout +COMMENT: (msec) +DEFAULT: 2000 +TYPE: int +LOC: Config.Timeout.mcast_icp_query +DOC_START + For Multicast peers, Squid regularly sends out ICP "probes" to + count how many other peers are listening on the given multicast + address. This value specifies how long Squid should wait to + count all the replies. The default is 2000 msec, or 2 + seconds. +DOC_END + +NAME: dead_peer_timeout +COMMENT: (seconds) +DEFAULT: 10 seconds +TYPE: time_t +LOC: Config.Timeout.deadPeer +DOC_START + This controls how long Squid waits to declare a peer cache + as "dead." If there are no ICP replies received in this + amount of time, Squid will declare the peer dead and not + expect to receive any further ICP replies. However, it + continues to send ICP queries, and will mark the peer as + alive upon receipt of the first subsequent ICP reply. + + This timeout also affects when Squid expects to receive ICP + replies from peers. If more than 'dead_peer' seconds have + passed since the last ICP reply was received, Squid will not + expect to receive an ICP reply on the next query. Thus, if + your time between requests is greater than this timeout, you + will see a lot of requests sent DIRECT to origin servers + instead of to your parents. +DOC_END + + +NAME: hierarchy_stoplist +TYPE: wordlist +DEFAULT: none +LOC: Config.hierarchy_stoplist +DOC_START + A list of words which, if found in a URL, cause the object to + be handled directly by this cache. In other words, use this + to not query neighbor caches for certain objects. You may + list this option multiple times. +NOCOMMENT_START +#We recommend you to use at least the following line. +hierarchy_stoplist cgi-bin ? +NOCOMMENT_END +DOC_END - DEFAULT: none - LOC: Config.Sockaddr.http - DOC_START +NAME: no_cache +TYPE: acl_access +DEFAULT: none +LOC: Config.accessList.noCache +DOC_START + A list of ACL elements which, if matched, cause the request to + not be satisfied from the cache and the reply to not be cached. + In other words, use this to force certain objects to never be cached. - Usage: port [options] + You must use the word 'DENY' to indicate the ACL names which should + NOT be cached. - hostname:port [options] +NOCOMMENT_START +#We recommend you to use the following two lines. +acl QUERY urlpath_regex cgi-bin \? +no_cache deny QUERY +NOCOMMENT_END +DOC_END + +NAME: background_ping_rate +COMMENT: time-units +TYPE: time_t +DEFAULT: 10 seconds +LOC: Config.backgroundPingRate +DOC_START + Controls how often the ICP pings are sent to siblings that + have background-ping set. +DOC_END - 1.2.3.4:port [options] - The socket addresses where Squid will listen for HTTP client - requests. You may specify multiple socket addresses. +COMMENT_START + OPTIONS WHICH AFFECT THE CACHE SIZE + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: cache_mem +COMMENT: (bytes) +TYPE: b_size_t +DEFAULT: 8 MB +LOC: Config.memMaxSize +DOC_START + NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE. + IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL + USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER + THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS. + + 'cache_mem' specifies the ideal amount of memory to be used + for: + * In-Transit objects + * Hot Objects + * Negative-Cached objects + + Data for these objects are stored in 4 KB blocks. This + parameter specifies the ideal upper limit on the total size of + 4 KB blocks allocated. In-Transit objects take the highest + priority. + + In-transit objects have priority over the others. When + additional space is needed for incoming data, negative-cached + and hot objects will be released. In other words, the + negative-cached and hot objects will fill up any unused space + not needed for in-transit objects. + + If circumstances require, this limit will be exceeded. + Specifically, if your incoming request rate requires more than + 'cache_mem' of memory to hold in-transit objects, Squid will + exceed this limit to satisfy the new requests. When the load + decreases, blocks will be freed until the high-water mark is + reached. Thereafter, blocks will be used to store hot + objects. +DOC_END + + +NAME: cache_swap_low +COMMENT: (percent, 0-100) +TYPE: int +DEFAULT: 90 +LOC: Config.Swap.lowWaterMark +DOC_NONE + +NAME: cache_swap_high +COMMENT: (percent, 0-100) +TYPE: int +DEFAULT: 95 +LOC: Config.Swap.highWaterMark +DOC_START + + The low- and high-water marks for cache object replacement. + Replacement begins when the swap (disk) usage is above the + low-water mark and attempts to maintain utilization near the + low-water mark. As swap utilization gets close to high-water + mark object eviction becomes more aggressive. If utilization is + close to the low-water mark less replacement is done each time. + + Defaults are 90% and 95%. If you have a large cache, 5% could be + hundreds of MB. If this is the case you may wish to set these + numbers closer together. +DOC_END + +NAME: maximum_object_size +COMMENT: (bytes) +TYPE: b_size_t +DEFAULT: 4096 KB +LOC: Config.Store.maxObjectSize +DOC_START + Objects larger than this size will NOT be saved on disk. The + value is specified in kilobytes, and the default is 4MB. If + you wish to get a high BYTES hit ratio, you should probably + increase this (one 32 MB object hit counts for 3200 10KB + hits). If you wish to increase speed more than your want to + save bandwidth you should leave this low. + + NOTE: if using the LFUDA replacement policy you should increase + this value to maximize the byte hit rate improvement of LFUDA! + See replacement_policy below for a discussion of this policy. +DOC_END + +NAME: minimum_object_size +COMMENT: (bytes) +TYPE: b_size_t +DEFAULT: 0 KB +LOC: Config.Store.minObjectSize +DOC_START + Objects smaller than this size will NOT be saved on disk. The + value is specified in kilobytes, and the default is 0 KB, which + means there is no minimum. +DOC_END + +NAME: maximum_object_size_in_memory +COMMENT: (bytes) +TYPE: b_size_t +DEFAULT: 8 KB +LOC: Config.Store.maxInMemObjSize +DOC_START + Objects greater than this size will not be attempted to kept in + the memory cache. This should be set high enough to keep objects + accessed frequently in memory to improve performance whilst low + enough to keep larger objects from hoarding cache_mem . +DOC_END + +NAME: ipcache_size +COMMENT: (number of entries) +TYPE: int +DEFAULT: 1024 +LOC: Config.ipcache.size +DOC_NONE + +NAME: ipcache_low +COMMENT: (percent) +TYPE: int +DEFAULT: 90 +LOC: Config.ipcache.low +DOC_NONE + +NAME: ipcache_high +COMMENT: (percent) +TYPE: int +DEFAULT: 95 +LOC: Config.ipcache.high +DOC_START + The size, low-, and high-water marks for the IP cache. +DOC_END + +NAME: fqdncache_size +COMMENT: (number of entries) +TYPE: int +DEFAULT: 1024 +LOC: Config.fqdncache.size +DOC_START + Maximum number of FQDN cache entries. +DOC_END + +NAME: cache_replacement_policy +TYPE: removalpolicy +LOC: Config.replPolicy +DEFAULT: lru +DOC_START + The cache replacement policy parameter determines which + objects are evicted (replaced) when disk space is needed. + + lru : Squid's original list based LRU policy + heap GDSF : Greedy-Dual Size Frequency + heap LFUDA: Least Frequently Used with Dynamic Aging + heap LRU : LRU policy implemented using a heap + + Applies to any cache_dir lines listed below this. + + The LRU policies keeps recently referenced objects. + + The heap GDSF policy optimizes object hit rate by keeping smaller + popular objects in cache so it has a better chance of getting a + hit. It achieves a lower byte hit rate than LFUDA though since + it evicts larger (possibly popular) objects. + + The heap LFUDA policy keeps popular objects in cache regardless of + their size and thus optimizes byte hit rate at the expense of + hit rate since one large, popular object will prevent many + smaller, slightly less popular objects from being cached. + + Both policies utilize a dynamic aging mechanism that prevents + cache pollution that can otherwise occur with frequency-based + replacement policies. + + NOTE: if using the LFUDA replacement policy you should increase + the value of maximum_object_size above its default of 4096 KB to + to maximize the potential byte hit rate improvement of LFUDA. + + For more information about the GDSF and LFUDA cache replacement + policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html + and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. +DOC_END + +NAME: memory_replacement_policy +TYPE: removalpolicy +LOC: Config.memPolicy +DEFAULT: lru +DOC_START + The memory replacement policy parameter determines which + objects are purged from memory when memory space is needed. + + See cache_replacement_policy for details. +DOC_END - There are three forms: port alone, hostname with port, and - IP address with port. If you specify a hostname or IP - address, then Squid binds the socket to that specific - address. This replaces the old 'tcp_incoming_address' - option. Most likely, you do - not need to bind to a specific - address, so you can use the port number alone. - If you are running Squid in accelerator mode, then you - probably want to listen on port 80 also, or instead. +COMMENT_START + LOGFILE PATHNAMES AND CACHE DIRECTORIES + ----------------------------------------------------------------------------- +COMMENT_END - The -a command line option will override the *first* port - number listed here. That option will NOT override an IP - address, however. +NAME: cache_dir +TYPE: cachedir +DEFAULT: none +DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256 +LOC: Config.cacheSwap +DOC_START + Usage: + + cache_dir Type Directory-Name Fs-specific-data [options] - You may specify multiple socket addresses on multiple lines. + cache_dir diskd Maxobjsize Directory-Name MB L1 L2 Q1 Q2 - options are: - accel Accelerator mode - transparent Support for transparent proxies - vhost Accelerator using Host directive - vport Accelerator with IP virtual host support - vport=NN As above, but uses specified port number - rather than the http_port number. - defaultsite=xx Main web site name for accelerators. - also implies accel - protocol= Protocol to reconstruct accelerated - requests with. Defaults to http. + You can specify multiple cache_dir lines to spread the + cache among different disk partitions. - If you run Squid on a dual-homed machine with an internal + Type specifies the kind of storage system to use. Only "ufs" + is built by default. To eanble any of the other storage systems + see the --enable-storeio configure option. - and an external interface then we recommend you to specify the - internal address:port in http_port. This way Squid will only be - visible on the internal address. - NOCOMMENT_START -# Squid normally listens to port 3128 - http_port 3128 - NOCOMMENT_END - DOC_END - - NAME: https_port - IFDEF: USE_SSL - TYPE: https_port_list - DEFAULT: none - LOC: Config.Sockaddr.https - DOC_START - Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] - - The socket address where Squid will listen for HTTPS client - requests. - - This is really only useful for situations where you are running - squid in accelerator mode and you want to do - the SSL work at the - accelerator level. - - You may specify multiple socket addresses on multiple lines, - each with their own SSL certificate and/or options. - - Options: - - defaultsite= The name of the https site presented on - this port. - - protocol= Protocol to reconstruct accelerated requests - with. Defaults to https. - - cert= Path to SSL certificate (PEM format) - - key= Path to SSL private key file (PEM format) - if not specified, the certificate file is - assumed to be a combined certificate and - key file - - version= The version of SSL/TLS supported - 1 automatic (default) - 2 SSLv2 only - 3 SSLv3 only - 4 TLSv1 only - - cipher= Colon separated list of supported ciphers - - options= Varions SSL engine options. The most important - being: - NO_SSLv2 Disallow the use of SSLv2 - NO_SSLv3 Disallow the use of SSLv3 - NO_TLSv1 Disallow the use of TLSv1 - SINGLE_DH_USE Always create a new key when using - temporary/ephemeral DH key exchanges - See src/ssl_support.c or OpenSSL SSL_CTX_set_options - documentation for a complete list of options. - - clientca= File containing the list of CAs to use when - requesting a client certificate - - cafile= File containing additional CA certificates to - use when verifying client certificates. If unset - clientca will be used. - - capath= Directory containing additional CA certificates - to use when verifying client certificates - - dhparams= File containing DH parameters for temporary/ephemeral - DH key exchanges - - sslflags= Various flags modifying the use of SSL: - DELAYED_AUTH - Don't request client certificates - immediately, but wait until acl processing - requires a certificate - NO_DEFAULT_CA - Don't use the default CA list built in - to OpenSSL. - - DOC_END - - NAME: ssl_unclean_shutdown - IFDEF: USE_SSL - TYPE: onoff - DEFAULT: off - LOC: Config.SSL.unclean_shutdown - DOC_START - Some browsers (especially MSIE) bugs out on SSL shutdown - messages. - DOC_END - - NAME: ssl_engine - IFDEF: USE_SSL - TYPE: string - LOC: Config.SSL.ssl_engine - DEFAULT: none - DOC_START - The openssl engine to use. You will need to set - this if you - would like to use hardware SSL acceleration for example. - DOC_END - - NAME: sslproxy_client_certificate - IFDEF: USE_SSL - DEFAULT: none - LOC: Config.ssl_client.cert - TYPE: string - DOC_START - Client SSL Certificate to use when proxying https:// URLs - DOC_END - - NAME: sslproxy_client_key - IFDEF: USE_SSL - DEFAULT: none - LOC: Config.ssl_client.key - TYPE: string - DOC_START - Client SSL Key to use when proxying https:// URLs - DOC_END - - NAME: sslproxy_version - IFDEF: USE_SSL - DEFAULT: 1 - LOC: Config.ssl_client.version - TYPE: int - DOC_START - SSL version level to use when proxying https:// URLs - DOC_END - - NAME: sslproxy_options - IFDEF: USE_SSL - DEFAULT: none - LOC: Config.ssl_client.options - TYPE: string - DOC_START - SSL engine options to use when proxying https:// URLs - DOC_END - - NAME: sslproxy_cipher - IFDEF: USE_SSL - DEFAULT: none - LOC: Config.ssl_client.cipher - TYPE: string - DOC_START - SSL cipher list to use when proxying https:// URLs - DOC_END - - NAME: sslproxy_cafile - IFDEF: USE_SSL - DEFAULT: none - LOC: Config.ssl_client.cafile - TYPE: string - DOC_START - DOC_END - - NAME: sslproxy_capath - IFDEF: USE_SSL - DEFAULT: none - LOC: Config.ssl_client.capath - TYPE: string - DOC_START - DOC_END - - NAME: sslproxy_flags - IFDEF: USE_SSL - DEFAULT: none - LOC: Config.ssl_client.flags - TYPE: string - DOC_START - DOC_END - - NAME: icp_port udp_port - TYPE: ushort - DEFAULT: 0 - LOC: Config.Port.icp - DOC_START - The port number where Squid sends and receives ICP queries to - and from neighbor caches. The standard UDP port for ICP is 3130. - Default is disabled (0). - NOCOMMENT_START - icp_port 3130 - NOCOMMENT_END - DOC_END - - NAME: htcp_port - IFDEF: USE_HTCP - TYPE: ushort - DEFAULT: 4827 - LOC: Config.Port.htcp - DOC_START - The port number where Squid sends and receives HTCP queries to - and from neighbor caches. Default is 4827. To disable use - "0". - DOC_END - - - NAME: mcast_groups - TYPE: wordlist - LOC: Config.mcast_group_list - DEFAULT: none - DOC_START - This tag specifies a list of multicast groups which your server - should join to receive multicasted ICP queries. - - NOTE! Be very careful what you put here! Be sure you - understand the difference between an ICP _query_ and an ICP - _reply_. This option is to be set - only if you want to RECEIVE - multicast queries. Do NOT set - this option to SEND multicast - ICP (use cache_peer for that). ICP replies are always sent via - unicast, so this option does not affect whether or not you will - receive replies from multicast group members. - - You must be very careful to NOT use a multicast address which - is already in use by another group of caches. - - If you are unsure about multicast, please read the Multicast - chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/). - - Usage: mcast_groups 239.128.16.128 224.0.1.20 - - By default, Squid doesn't listen on any multicast groups. - DOC_END - - - NAME: udp_incoming_address - TYPE: address - LOC:Config.Addrs.udp_incoming - DEFAULT: 0.0.0.0 - DOC_NONE - - NAME: udp_outgoing_address - TYPE: address - LOC: Config.Addrs.udp_outgoing - DEFAULT: 255.255.255.255 - DOC_START - udp_incoming_address is used for the ICP socket receiving packets - from other caches. - udp_outgoing_address is used for ICP packets sent out to other - caches. - - The default behavior is to not bind to any specific address. - - A udp_incoming_address value of 0.0.0.0 indicates that Squid should - listen for UDP messages on all available interfaces. - - If udp_outgoing_address is set to 255.255.255.255 (the default) - then it will use the same socket as udp_incoming_address. Only - change this if you want to have ICP queries sent using another - address than where this Squid listens for ICP queries from other - caches. - - NOTE, udp_incoming_address and udp_outgoing_address can not - have the same value since they both use port 3130. - DOC_END - - COMMENT_START - OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM - ----------------------------------------------------------------------------- - COMMENT_END - - NAME: cache_peer - TYPE: peer - DEFAULT: none - LOC: Config.peers - DOC_START - To specify other caches in a hierarchy, use the format: - - cache_peer hostname type http_port icp_port [options] - - For example, - -# proxy icp -# hostname type port port options -# -------------------- -------- ----- ----- ----------- - cache_peer parent.foo.net parent 3128 3130 [proxy-only] - cache_peer sib1.foo.net sibling 3128 3130 [proxy-only] - cache_peer sib2.foo.net sibling 3128 3130 [proxy-only] - - type: either 'parent', 'sibling', or 'multicast'. - - proxy_port: The port number where the cache listens for proxy - requests. - - icp_port: Used for querying neighbor caches about - objects. To have a non-ICP neighbor - specify '7' for the ICP port and make sure the - neighbor machine has the UDP echo port - enabled in its /etc/inetd.conf file. - - options: proxy-only - weight=n - basetime=n - ttl=n - no-query - background-ping - default - round-robin - weighted-round-robin - carp - multicast-responder - closest-only - no-digest - no-netdb-exchange - no-delay - login=user:password | PASS | *:password - connect-timeout=nn - digest-url=url - allow-miss - max-conn - originserver - name=xxx - forceddomain=name - ssl - sslcert=/path/to/ssl/certificate - sslkey=/path/to/ssl/key - sslversion=1|2|3|4 - sslcipher=... - ssloptions=... - front-end-https[=on|auto] - - use 'proxy-only' to specify that objects fetched - from this cache should not be saved locally. - - use 'weight=n' to specify a weighted parent. - The weight must be an integer. The default weight - is 1, larger weights are favored more. - - use 'basetime=n' to specify a base amount to - be subtracted from round trip times of parents. - It is subtracted before division by weight in calculating - which parent to fectch from. If the rtt is less than the - base time then the rtt is set to a minimal value. - - use 'ttl=n' to specify a IP multicast TTL to use - when sending an ICP queries to this address. - Only useful when sending to a multicast group. - Because we don't accept ICP replies from random - hosts, you must configure other group members as - peers with the 'multicast-responder' option below. - - use 'no-query' to NOT send ICP queries to this - neighbor. - - use 'background-ping' to only send ICP queries to this - neighbor infrequently. This is used to keep the neighbor - round trip time updated and is usually used in - conjunction with weighted-round-robin. - - use 'default' if this is a parent cache which can - be used as a "last-resort." You should probably - only use 'default' in situations where you cannot - use ICP with your parent cache(s). - - use 'round-robin' to define a set - of parents which - should be used in a round-robin fashion in the - absence of any ICP queries. - - use 'weighted-round-robin' to define a set - of parents - which should be used in a round-robin fashion with the - frequency of each parent being based on the round trip - time. Closer parents are used more often. - Usually used for background-ping parents. - - use 'carp' to define a set - of parents which should - be used as a CARP array. The requests will then be - distributed among the parents based on the CARP load - balancing hash function based on their weigth. - - 'multicast-responder' indicates that the named peer - is a member of a multicast group. ICP queries will - not be sent directly to the peer, but ICP replies - will be accepted from it. - - 'closest-only' indicates that, for ICP_OP_MISS - replies, we'll only forward CLOSEST_PARENT_MISSes - and never FIRST_PARENT_MISSes. - - use 'no-digest' to NOT request cache digests from - this neighbor. - - 'no-netdb-exchange' disables requesting ICMP - RTT database (NetDB) from the neighbor. - - use 'no-delay' to prevent access to this neighbor - from influencing the delay pools. - - use 'login=user:password' if this is a personal/workgroup - proxy and your parent requires proxy authentication. - Note: The string can include URL escapes (i.e. %20 for - spaces). This also means that % must be written as %%. - - use 'login=PASS' if users must authenticate against - the upstream proxy. This will pass the users credentials - as they are to the peer proxy. This only works for the - Basic HTTP authentication sheme. Note: To combine this - with proxy_auth both proxies must share the same user - database as HTTP only allows for one proxy login. - Also be warned that this will expose your users proxy - password to the peer. USE WITH CAUTION - - use 'login=*:password' to pass the username to the - upstream cache, but with a fixed password. This is meant - to be used when the peer is in another administrative - domain, but it is still needed to identify each user. - The star can optionally be followed by some extra - information which is added to the username. This can - be used to identify this proxy to the peer, similar to - the login=username:password option above. - - use 'connect-timeout=nn' to specify a peer - specific connect timeout (also see the - peer_connect_timeout directive) - - use 'digest-url=url' to tell Squid to fetch the cache - digest (if digests are enabled) for this host from - the specified URL rather than the Squid default - location. - - use 'allow-miss' to disable Squid's use of only-if-cached - when forwarding requests to siblings. This is primarily - useful when icp_hit_stale is used by the sibling. To - extensive use of this option may result in forwarding - loops, and you should avoid having two-way peerings - with this option. (for example to deny peer usage on - requests from peer by denying cache_peer_access if the - source is a peer) - - use 'max-conn' to limit the amount of connections Squid - may open to this peer. - - 'originserver' causes this parent peer to be contacted as - a origin server. Meant to be used in accelerator setups. - - use 'name=xxx' if you have multiple peers on the same - host but different ports. This name can then be used to - differentiate the peers in cache_peer_access and similar - directives. - - use 'forceddomain=name' to forcibly set - the Host header - of requests forwarded to this peer. Useful in accelerator - setups where the server (peer) expects a certain domain - name and using redirectors to feed this domainname - is not feasible. - - use 'ssl' to indicate that connections to this peer should - bs SSL/TLS encrypted. - - use 'sslcert=/path/to/ssl/certificate' to specify a client - SSL certificate to use when connecting to this peer. - - use 'sslkey=/path/to/ssl/key' to specify the private SSL - key corresponding to sslcert above. If 'sslkey' is not - specified then 'sslcert' is assumed to reference a - combined file containing both the certificate and the key. - - use sslversion=1|2|3|4 to specify the SSL version to use - when connecting to this peer - 1 = automatic (default) - 2 = SSL v2 only - 3 = SSL v3 only - 4 = TLS v1 only - - use sslcipher=... to specify the list of valid SSL chipers - to use when connecting to this peer - - use ssloptions=... to specify various SSL engine options: - NO_SSLv2 Disallow the use of SSLv2 - NO_SSLv3 Disallow the use of SSLv3 - NO_TLSv1 Disallow the use of TLSv1 - See src/ssl_support.c or the OpenSSL documentation for - a more complete list. - - use cafile=... to specify a file containing additional - CA certificates to use when verifying the peer certificate - - use capath=... to specify a directory containing additional - CA certificates to use when verifying the peer certificate - - use sslflags=... to specify various flags modifying the - SSL implementation: - DONT_VERIFY_PEER - Accept certificates even if they fail to - verify. - NO_DEFAULT_CA - Don't use the default CA list built in - to OpenSSL. - DONT_VERIFY_DOMAIN - Don't verify that the peer certificate - matches the server name - - use sslname= to specify the peer name as advertised - in it's certificate. Used for verifying the correctness - of the received peer certificate. If not specified the - peer hostname will be used. - - use front-end-https to enable the "Front-End-Https: On" - header needed when using Squid as a SSL frontend infront - of Microsoft OWA. See MS KB document Q307347 for details - on this header. If set to auto then the header will - only be added if the request is forwarded as a https:// - URL. - - NOTE: non-ICP neighbors must be specified as 'parent'. - DOC_END - - NAME: cache_peer_domain cache_host_domain - TYPE: hostdomain - DEFAULT: none - LOC: none - DOC_START - Use to limit the domains for which a neighbor cache will be - queried. Usage: - - cache_peer_domain cache-host domain [domain ...] - cache_peer_domain cache-host !domain - - For example, specifying - - cache_peer_domain parent.foo.net .edu - - has the effect such that UDP query packets are sent to - 'bigserver' only when the requested object exists on a - server in the .edu domain. Prefixing the domainname - with '!' means that the cache will be queried for objects - NOT in that domain. - - NOTE: * Any number of domains may be given for a cache-host, - either on the same or separate lines. - * When multiple domains are given for a particular - cache-host, the first matched domain is applied. - * Cache hosts with no domain restrictions are queried - for all requests. - * There are no defaults. - * There is also a 'cache_peer_access' tag in the ACL - section. - DOC_END - - - NAME: neighbor_type_domain - TYPE: hostdomaintype - DEFAULT: none - LOC: none - DOC_START - usage: neighbor_type_domain parent|sibling domain domain ... - - Modifying the neighbor type for specific domains is now - possible. You can treat some domains differently than the the - default neighbor type specified on the 'cache_peer' line. - Normally it should only be necessary to list domains which - should be treated differently because the default neighbor type - applies for hostnames which do not match domains listed here. - - EXAMPLE: - cache_peer parent cache.foo.org 3128 3130 - neighbor_type_domain cache.foo.org sibling .com .net - neighbor_type_domain cache.foo.org sibling .au .de - DOC_END - - NAME: icp_query_timeout - COMMENT: (msec) - DEFAULT: 0 - TYPE: int - LOC: Config.Timeout.icp_query - DOC_START - Normally Squid will automatically determine an optimal ICP - query timeout value based on the round-trip-time of recent ICP - queries. If you want to override the value determined by - Squid, set this 'icp_query_timeout' to a non-zero value. This - value is specified in MILLISECONDS, so, to use a 2-second - timeout (the old default), you would write: - - icp_query_timeout 2000 - DOC_END - - NAME: maximum_icp_query_timeout - COMMENT: (msec) - DEFAULT: 2000 - TYPE: int - LOC: Config.Timeout.icp_query_max - DOC_START - Normally the ICP query timeout is determined dynamically. But - sometimes it can lead to very large values (say 5 seconds). - Use this option to put an upper limit on the dynamic timeout - value. Do NOT use this option to always use a fixed (instead - of a dynamic) timeout value. To set a fixed timeout see the - 'icp_query_timeout' directive. - DOC_END - - NAME: minimum_icp_query_timeout - COMMENT: (msec) - DEFAULT: 5 - TYPE: int - LOC: Config.Timeout.icp_query_min - DOC_START - Normally the ICP query timeout is determined dynamically. But - sometimes it can lead to very small timeouts, even lower than - the normal latency variance on your link due to traffic. - Use this option to put an lower limit on the dynamic timeout - value. Do NOT use this option to always use a fixed (instead - of a dynamic) timeout value. To set a fixed timeout see the - 'icp_query_timeout' directive. - DOC_END - - NAME: mcast_icp_query_timeout - COMMENT: (msec) - DEFAULT: 2000 - TYPE: int - LOC: Config.Timeout.mcast_icp_query - DOC_START - For Multicast peers, Squid regularly sends out ICP "probes" to - count how many other peers are listening on the given multicast - address. This value specifies how long Squid should wait to - count all the replies. The default is 2000 msec, or 2 - seconds. - DOC_END - - NAME: dead_peer_timeout - COMMENT: (seconds) - DEFAULT: 10 seconds - TYPE: time_t - LOC: Config.Timeout.deadPeer - DOC_START - This controls how long Squid waits to declare a peer cache - as "dead." If there are no ICP replies received in this - amount of time, Squid will declare the peer dead and not - expect to receive any further ICP replies. However, it - continues to send ICP queries, and will mark the peer as - alive upon receipt of the first subsequent ICP reply. - - This timeout also affects when Squid expects to receive ICP - replies from peers. If more than 'dead_peer' seconds have - passed since the last ICP reply was received, Squid will not - expect to receive an ICP reply on the next query. Thus, if - your time between requests is greater than this timeout, you - will see a lot of requests sent DIRECT to origin servers - instead of to your parents. - DOC_END - - - NAME: hierarchy_stoplist - TYPE: wordlist - DEFAULT: none - LOC: Config.hierarchy_stoplist - DOC_START - A list of words which, if found in a URL, cause the object to - be handled directly by this cache. In other words, use this - to not query neighbor caches for certain objects. You may - list this option multiple times. - NOCOMMENT_START -#We recommend you to use at least the following line. - hierarchy_stoplist cgi-bin ? - NOCOMMENT_END - DOC_END + 'Directory' is a top-level directory where cache swap + files will be stored. If you want to use an entire disk + for caching, then this can be the mount-point directory. + The directory must exist and be writable by the Squid + process. Squid will NOT create this directory for you. + The ufs store type: - NAME: no_cache - TYPE: acl_access - DEFAULT: none - LOC: Config.accessList.noCache - DOC_START - A list of ACL elements which, if matched, cause the request to - not be satisfied from the cache and the reply to not be cached. - In other words, use this to force certain objects to never be cached. + "ufs" is the old well-known Squid storage format that has always + been there. + + cache_dir ufs Directory-Name Mbytes L1 L2 [options] + + 'Mbytes' is the amount of disk space (MB) to use under this + directory. The default is 100 MB. Change this to suit your + configuration. Do NOT put the size of your disk drive here. + Instead, if you want Squid to use the entire disk drive, + subtract 20% and use that value. + + 'Level-1' is the number of first-level subdirectories which + will be created under the 'Directory'. The default is 16. + + 'Level-2' is the number of second-level subdirectories which + will be created under each first-level directory. The default + is 256. + + The aufs store type: + + "aufs" uses the same storage format as "ufs", utilizing + POSIX-threads to avoid blocking the main Squid process on + disk-I/O. This was formerly known in Squid as async-io. + + cache_dir aufs Directory-Name Mbytes L1 L2 [options] + + see argument descriptions under ufs above + + The diskd store type: + + "diskd" uses the same storage format as "ufs", utilizing a + separate process to avoid blocking the main Squid process on + disk-I/O. + + cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] + + see argument descriptions under ufs above + + Q1 specifies the number of unacknowledged I/O requests when Squid + stops opening new files. If this many messages are in the queues, + Squid won't open new files. Default is 64 + + Q2 specifies the number of unacknowledged messages when Squid + starts blocking. If this many messages are in the queues, + Squid blocks until it recevies some replies. Default is 72 + + Common options: + + read-only, this cache_dir is read only. + + max-size=n, refers to the max object size this storedir supports. + It is used to initially choose the storedir to dump the object. + Note: To make optimal use of the max-size limits you should order + the cache_dir lines with the smallest max-size value first and the + ones with no max-size specification last. +DOC_END + + +NAME: cache_access_log +TYPE: string +DEFAULT: @DEFAULT_ACCESS_LOG@ +LOC: Config.Log.access +DOC_START + Logs the client request activity. Contains an entry for + every HTTP and ICP queries received. To disable, enter "none". +DOC_END + + +NAME: cache_log +TYPE: string +DEFAULT: @DEFAULT_CACHE_LOG@ +LOC: Config.Log.log +DOC_START + Cache logging file. This is where general information about + your cache's behavior goes. You can increase the amount of data + logged to this file with the "debug_options" tag below. +DOC_END + + +NAME: cache_store_log +TYPE: string +DEFAULT: @DEFAULT_STORE_LOG@ +LOC: Config.Log.store +DOC_START + Logs the activities of the storage manager. Shows which + objects are ejected from the cache, and which objects are + saved and for how long. To disable, enter "none". There are + not really utilities to analyze this data, so you can safely + disable it. +DOC_END + + +NAME: cache_swap_log +TYPE: string +LOC: Config.Log.swap +DEFAULT: none +DOC_START + Location for the cache "swap.log." This log file holds the + metadata of objects saved on disk. It is used to rebuild the + cache during startup. Normally this file resides in each + 'cache_dir' directory, but you may specify an alternate + pathname here. Note you must give a full filename, not just + a directory. Since this is the index for the whole object + list you CANNOT periodically rotate it! + + If %s can be used in the file name then it will be replaced with a + a representation of the cache_dir name where each / is replaced + with '.'. This is needed to allow adding/removing cache_dir + lines when cache_swap_log is being used. + + If have more than one 'cache_dir', and %s is not used in the name + then these swap logs will have names such as: + + cache_swap_log.00 + cache_swap_log.01 + cache_swap_log.02 + + The numbered extension (which is added automatically) + corresponds to the order of the 'cache_dir' lines in this + configuration file. If you change the order of the 'cache_dir' + lines in this file, then these log files will NOT correspond to + the correct 'cache_dir' entry (unless you manually rename + them). We recommend that you do NOT use this option. It is + better to keep these log files in each 'cache_dir' directory. +DOC_END + + +NAME: emulate_httpd_log +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.common_log +DOC_START + The Cache can emulate the log file format which many 'httpd' + programs use. To disable/enable this emulation, set + emulate_httpd_log to 'off' or 'on'. The default + is to use the native log format since it includes useful + information that Squid-specific log analyzers use. +DOC_END + +NAME: log_ip_on_direct +COMMENT: on|off +TYPE: onoff +DEFAULT: on +LOC: Config.onoff.log_ip_on_direct +DOC_START + Log the destination IP address in the hierarchy log tag when going + direct. Earlier Squid versions logged the hostname here. If you + prefer the old way set this to off. +DOC_END + +NAME: mime_table +TYPE: string +DEFAULT: @DEFAULT_MIME_TABLE@ +LOC: Config.mimeTablePathname +DOC_START + Pathname to Squid's MIME table. You shouldn't need to change + this, but the default file contains examples and formatting + information if you do. +DOC_END + + +NAME: log_mime_hdrs +COMMENT: on|off +TYPE: onoff +LOC: Config.onoff.log_mime_hdrs +DEFAULT: off +DOC_START + The Cache can record both the request and the response MIME + headers for each HTTP transaction. The headers are encoded + safely and will appear as two bracketed fields at the end of + the access log (for either the native or httpd-emulated log + formats). To enable this logging set log_mime_hdrs to 'on'. +DOC_END + + +NAME: useragent_log +TYPE: string +LOC: Config.Log.useragent +DEFAULT: none +IFDEF: USE_USERAGENT_LOG +DOC_START + Squid will write the User-Agent field from HTTP requests + to the filename specified here. By default useragent_log + is disabled. +DOC_END + + +NAME: referer_log +TYPE: string +LOC: Config.Log.referer +DEFAULT: none +IFDEF: USE_REFERER_LOG +DOC_START + Squid will write the Referer field from HTTP requests to the + filename specified here. By default referer_log is disabled. +DOC_END + + +NAME: pid_filename +TYPE: string +DEFAULT: @DEFAULT_PID_FILE@ +LOC: Config.pidFilename +DOC_START + A filename to write the process-id to. To disable, enter "none". +DOC_END + + +NAME: debug_options +TYPE: eol +DEFAULT: ALL,1 +LOC: Config.debugOptions +DOC_START + Logging options are set as section,level where each source file + is assigned a unique section. Lower levels result in less + output, Full debugging (level 9) can result in a very large + log file, so be careful. The magic word "ALL" sets debugging + levels for all sections. We recommend normally running with + "ALL,1". +DOC_END + + +NAME: log_fqdn +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.log_fqdn +DOC_START + Turn this on if you wish to log fully qualified domain names + in the access.log. To do this Squid does a DNS lookup of all + IP's connecting to it. This can (in some situations) increase + latency, which makes your cache seem slower for interactive + browsing. +DOC_END + + +NAME: client_netmask +TYPE: address +LOC: Config.Addrs.client_netmask +DEFAULT: 255.255.255.255 +DOC_START + A netmask for client addresses in logfiles and cachemgr output. + Change this to protect the privacy of your cache clients. + A netmask of 255.255.255.0 will log all IP's in that range with + the last digit set to '0'. +DOC_END - You must use the word 'DENY' to indicate the ACL names which should - NOT be cached. - NOCOMMENT_START -#We recommend you to use the following two lines. - acl QUERY urlpath_regex cgi-bin \? - no_cache deny QUERY - NOCOMMENT_END - DOC_END - - NAME: background_ping_rate - COMMENT: time-units - TYPE: time_t - DEFAULT: 10 seconds - LOC: Config.backgroundPingRate - DOC_START - Controls how often the ICP pings are sent to siblings that - have background-ping set. - DOC_END - - - COMMENT_START - OPTIONS WHICH AFFECT THE CACHE SIZE - ----------------------------------------------------------------------------- - COMMENT_END - - NAME: cache_mem - COMMENT: (bytes) - TYPE: b_size_t - DEFAULT: 8 MB - LOC: Config.memMaxSize - DOC_START - NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE. - IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL - USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER - THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS. - - 'cache_mem' specifies the ideal amount of memory to be used - for: - * In-Transit objects - * Hot Objects - * Negative-Cached objects - - Data for these objects are stored in 4 KB blocks. This - parameter specifies the ideal upper limit on the total size of - 4 KB blocks allocated. In-Transit objects take the highest - priority. - - In-transit objects have priority over the others. When - additional space is needed for incoming data, negative-cached - and hot objects will be released. In other words, the - negative-cached and hot objects will fill up any unused space - not needed for in-transit objects. - - If circumstances require, this limit will be exceeded. - Specifically, if your incoming request rate requires more than - 'cache_mem' of memory to hold in-transit objects, Squid will - exceed this limit to satisfy the new requests. When the load - decreases, blocks will be freed until the high-water mark is - reached. Thereafter, blocks will be used to store hot - objects. - DOC_END - - - NAME: cache_swap_low - COMMENT: (percent, 0-100) - TYPE: int - DEFAULT: 90 - LOC: Config.Swap.lowWaterMark - DOC_NONE - - NAME: cache_swap_high - COMMENT: (percent, 0-100) - TYPE: int - DEFAULT: 95 - LOC: Config.Swap.highWaterMark - DOC_START - - The low- and high-water marks for cache object replacement. - Replacement begins when the swap (disk) usage is above the - low-water mark and attempts to maintain utilization near the - low-water mark. As swap utilization gets close to high-water - mark object eviction becomes more aggressive. If utilization is - close to the low-water mark less replacement is done each time. - - Defaults are 90% and 95%. If you have a large cache, 5% could be - hundreds of MB. If this is the case you may wish to set these - numbers closer together. - DOC_END - - NAME: maximum_object_size - COMMENT: (bytes) - TYPE: b_size_t - DEFAULT: 4096 KB - LOC: Config.Store.maxObjectSize - DOC_START - Objects larger than this size will NOT be saved on disk. The - value is specified in kilobytes, and the default is 4MB. If - you wish to get a high BYTES hit ratio, you should probably - increase this (one 32 MB object hit counts for 3200 10KB - hits). If you wish to increase speed more than your want to - save bandwidth you should leave this low. - - NOTE: if using the LFUDA replacement policy you should increase - this value to maximize the byte hit rate improvement of LFUDA! - See replacement_policy below for a discussion of this policy. - DOC_END - - NAME: minimum_object_size - COMMENT: (bytes) - TYPE: b_size_t - DEFAULT: 0 KB - LOC: Config.Store.minObjectSize - DOC_START - Objects smaller than this size will NOT be saved on disk. The - value is specified in kilobytes, and the default is 0 KB, which - means there is no minimum. - DOC_END - - NAME: maximum_object_size_in_memory - COMMENT: (bytes) - TYPE: b_size_t - DEFAULT: 8 KB - LOC: Config.Store.maxInMemObjSize - DOC_START - Objects greater than this size will not be attempted to kept in - the memory cache. This should be set high enough to keep objects - accessed frequently in memory to improve performance whilst low - enough to keep larger objects from hoarding cache_mem . - DOC_END - - NAME: ipcache_size - COMMENT: (number of entries) - TYPE: int - DEFAULT: 1024 - LOC: Config.ipcache.size - DOC_NONE - - NAME: ipcache_low - COMMENT: (percent) - TYPE: int - DEFAULT: 90 - LOC: Config.ipcache.low - DOC_NONE - - NAME: ipcache_high - COMMENT: (percent) - TYPE: int - DEFAULT: 95 - LOC: Config.ipcache.high - DOC_START - The size, low-, and high-water marks for the IP cache. - DOC_END - - NAME: fqdncache_size - COMMENT: (number of entries) - TYPE: int - DEFAULT: 1024 - LOC: Config.fqdncache.size - DOC_START - Maximum number of FQDN cache entries. - DOC_END - - NAME: cache_replacement_policy - TYPE: removalpolicy - LOC: Config.replPolicy - DEFAULT: lru - DOC_START - The cache replacement policy parameter determines which - objects are evicted (replaced) when disk space is needed. - - lru : Squid's original list based LRU policy - heap GDSF : Greedy-Dual Size Frequency - heap LFUDA: Least Frequently Used with Dynamic Aging - heap LRU : LRU policy implemented using a heap - - Applies to any cache_dir lines listed below this. - - The LRU policies keeps recently referenced objects. - - The heap GDSF policy optimizes object hit rate by keeping smaller - popular objects in cache so it has a better chance of getting a - hit. It achieves a lower byte hit rate than LFUDA though since - it evicts larger (possibly popular) objects. - - The heap LFUDA policy keeps popular objects in cache regardless of - their size and thus optimizes byte hit rate at the expense of - hit rate since one large, popular object will prevent many - smaller, slightly less popular objects from being cached. - - Both policies utilize a dynamic aging mechanism that prevents - cache pollution that can otherwise occur with frequency-based - replacement policies. - - NOTE: if using the LFUDA replacement policy you should increase - the value of maximum_object_size above its default of 4096 KB to - to maximize the potential byte hit rate improvement of LFUDA. - - For more information about the GDSF and LFUDA cache replacement - policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html - and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. - DOC_END - - NAME: memory_replacement_policy - TYPE: removalpolicy - LOC: Config.memPolicy - DEFAULT: lru - DOC_START - The memory replacement policy parameter determines which - objects are purged from memory when memory space is needed. - - See cache_replacement_policy for details. - DOC_END - - - COMMENT_START - LOGFILE PATHNAMES AND CACHE DIRECTORIES - ----------------------------------------------------------------------------- - COMMENT_END - - NAME: cache_dir - TYPE: cachedir - DEFAULT: none - DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256 - LOC: Config.cacheSwap - DOC_START - Usage: - - cache_dir Type Directory-Name Fs-specific-data [options] - - cache_dir diskd Maxobjsize Directory-Name MB L1 L2 Q1 Q2 - - You can specify multiple cache_dir lines to spread the - cache among different disk partitions. - - Type specifies the kind of storage system to use. Only "ufs" - is built by default. To eanble any of the other storage systems - see the --enable-storeio configure option. - - 'Directory' is a top-level directory where cache swap - files will be stored. If you want to use an entire disk - for caching, then this can be the mount-point directory. - The directory must exist and be writable by the Squid - process. Squid will NOT create this directory for you. - - The ufs store type: - - "ufs" is the old well-known Squid storage format that has always - been there. - - cache_dir ufs Directory-Name Mbytes L1 L2 [options] - - 'Mbytes' is the amount of disk space (MB) to use under this - directory. The default is 100 MB. Change this to suit your - configuration. Do NOT put the size of your disk drive here. - Instead, if you want Squid to use the entire disk drive, - subtract 20% and use that value. - - 'Level-1' is the number of first-level subdirectories which - will be created under the 'Directory'. The default is 16. - - 'Level-2' is the number of second-level subdirectories which - will be created under each first-level directory. The default - is 256. - - The aufs store type: - - "aufs" uses the same storage format as "ufs", utilizing - POSIX-threads to avoid blocking the main Squid process on - disk-I/O. This was formerly known in Squid as async-io. - - cache_dir aufs Directory-Name Mbytes L1 L2 [options] - - see argument descriptions under ufs above - - The diskd store type: - - "diskd" uses the same storage format as "ufs", utilizing a - separate process to avoid blocking the main Squid process on - disk-I/O. - - cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] - - see argument descriptions under ufs above - - Q1 specifies the number of unacknowledged I/O requests when Squid - stops opening new files. If this many messages are in the queues, - Squid won't open new files. Default is 64 - - Q2 specifies the number of unacknowledged messages when Squid - starts blocking. If this many messages are in the queues, - Squid blocks until it recevies some replies. Default is 72 - - Common options: - - read-only, this cache_dir is read only. - - max-size=n, refers to the max object size this storedir supports. - It is used to initially choose the storedir to dump the object. - Note: To make optimal use of the max-size limits you should order - the cache_dir lines with the smallest max-size value first and the - ones with no max-size specification last. - DOC_END - - - NAME: cache_access_log - TYPE: string - DEFAULT: @DEFAULT_ACCESS_LOG@ - LOC: Config.Log.access - DOC_START - Logs the client request activity. Contains an entry for - every HTTP and ICP queries received. To disable, enter "none". - DOC_END - - - NAME: cache_log - TYPE: string - DEFAULT: @DEFAULT_CACHE_LOG@ - LOC: Config.Log.log - DOC_START - Cache logging file. This is where general information about - your cache's behavior goes. You can increase the amount of data - logged to this file with the "debug_options" tag below. - DOC_END - - - NAME: cache_store_log - TYPE: string - DEFAULT: @DEFAULT_STORE_LOG@ - LOC: Config.Log.store - DOC_START - Logs the activities of the storage manager. Shows which - objects are ejected from the cache, and which objects are - saved and for how long. To disable, enter "none". There are - not really utilities to analyze this data, so you can safely - disable it. - DOC_END - - - NAME: cache_swap_log - TYPE: string - LOC: Config.Log.swap - DEFAULT: none - DOC_START - Location for the cache "swap.log." This log file holds the - metadata of objects saved on disk. It is used to rebuild the - cache during startup. Normally this file resides in each - 'cache_dir' directory, but you may specify an alternate - pathname here. Note you must give a full filename, not just - a directory. Since this is the index for the whole object - list you CANNOT periodically rotate it! - - If %s can be used in the file name then it will be replaced with a - a representation of the cache_dir name where each / is replaced - with '.'. This is needed to allow adding/removing cache_dir - lines when cache_swap_log is being used. - - If have more than one 'cache_dir', and %s is not used in the name - then these swap logs will have names such as: - - cache_swap_log.00 - cache_swap_log.01 - cache_swap_log.02 - - The numbered extension (which is added automatically) - corresponds to the order of the 'cache_dir' lines in this - configuration file. If you change the order of the 'cache_dir' - lines in this file, then these log files will NOT correspond to - the correct 'cache_dir' entry (unless you manually rename - them). We recommend that you do - NOT use this option. It is - better to keep these log files in each 'cache_dir' directory. - DOC_END - - - NAME: emulate_httpd_log - COMMENT: on|off - TYPE: onoff - DEFAULT: off - LOC: Config.onoff.common_log - DOC_START - The Cache can emulate the log file format which many 'httpd' - programs use. To disable/enable this emulation, set - emulate_httpd_log to 'off' or 'on'. The default - is to use the native log format since it includes useful - information that Squid-specific log analyzers use. - DOC_END - - NAME: log_ip_on_direct - COMMENT: on|off - TYPE: onoff - DEFAULT: on - LOC: Config.onoff.log_ip_on_direct - DOC_START - Log the destination IP address in the hierarchy log tag when going - direct. Earlier Squid versions logged the hostname here. If you - prefer the old way set - this to off. - DOC_END - - NAME: mime_table - TYPE: string - DEFAULT: @DEFAULT_MIME_TABLE@ - LOC: Config.mimeTablePathname - DOC_START - Pathname to Squid's MIME table. You shouldn't need to change - this, but the default file contains examples and formatting - information if you do. - DOC_END - - - NAME: log_mime_hdrs - COMMENT: on|off - TYPE: onoff - LOC: Config.onoff.log_mime_hdrs - DEFAULT: off - DOC_START - The Cache can record both the request and the response MIME - headers for each HTTP transaction. The headers are encoded - safely and will appear as two bracketed fields at the end of - the access log (for either the native or httpd-emulated log - formats). To enable this logging set - log_mime_hdrs to 'on'. - DOC_END - - - NAME: useragent_log - TYPE: string - LOC: Config.Log.useragent - DEFAULT: none - IFDEF: USE_USERAGENT_LOG - DOC_START - Squid will write the User-Agent field from HTTP requests - to the filename specified here. By default useragent_log - is disabled. - DOC_END - - - NAME: referer_log - TYPE: string - LOC: Config.Log.referer - DEFAULT: none - IFDEF: USE_REFERER_LOG - DOC_START - Squid will write the Referer field from HTTP requests to the - filename specified here. By default referer_log is disabled. - DOC_END - - - NAME: pid_filename - TYPE: string - DEFAULT: @DEFAULT_PID_FILE@ - LOC: Config.pidFilename - DOC_START - A filename to write the process-id to. To disable, enter "none". - DOC_END - - - NAME: debug_options - TYPE: eol - DEFAULT: ALL,1 - LOC: Config.debugOptions - DOC_START - Logging options are set - as section,level where each source file - is assigned a unique section. Lower levels result in less - output, Full debugging (level 9) can result in a very large - log file, so be careful. The magic word "ALL" sets debugging - levels for all sections. We recommend normally running with - "ALL,1". - DOC_END - - - NAME: log_fqdn - COMMENT: on|off - TYPE: onoff - DEFAULT: off - LOC: Config.onoff.log_fqdn - DOC_START - Turn this on if you wish to log fully qualified domain names - in the access.log. To do - this Squid does a DNS lookup of all - IP's connecting to it. This can (in some situations) increase - latency, which makes your cache seem slower for interactive - browsing. - DOC_END - - - NAME: client_netmask - TYPE: address - LOC: Config.Addrs.client_netmask - DEFAULT: 255.255.255.255 - DOC_START - A netmask for client addresses in logfiles and cachemgr output. - Change this to protect the privacy of your cache clients. - A netmask of 255.255.255.0 will log all IP's in that range with - the last digit set - to '0'. - DOC_END - - - COMMENT_START - OPTIONS FOR EXTERNAL SUPPORT PROGRAMS - ----------------------------------------------------------------------------- - COMMENT_END - - NAME: ftp_user - TYPE: string - DEFAULT: Squid@ - LOC: Config.Ftp.anon_user - DOC_START - If you want the anonymous login password to be more informative - (and enable the use of picky ftp servers), set - this to something - reasonable for your domain, like wwwuser@somewhere.net - - The reason why this is domainless by default is that the - request can be made on the behalf of a user in any domain, - depending on how the cache is used. - Some ftp server also validate that the email address is valid - (for example perl.com). - DOC_END - - NAME: ftp_list_width - TYPE: size_t - DEFAULT: 32 - LOC: Config.Ftp.list_width - DOC_START - Sets the width of ftp listings. This should be set - to fit in - the width of a standard browser. Setting this too small - can cut off long filenames when browsing ftp sites. - DOC_END - - NAME: ftp_passive - TYPE: onoff - DEFAULT: on - LOC: Config.Ftp.passive - DOC_START - If your firewall does not allow Squid to use passive - connections, then turn off this option. - DOC_END - - NAME: ftp_sanitycheck - TYPE: onoff - DEFAULT: on - LOC: Config.Ftp.sanitycheck - DOC_START - For security and data integrity reasons Squid by default performs - sanity checks of the addresses of FTP data connections ensure the - data connection is to the requested server. If you need to allow - FTP connections to servers using another IP address for the data - connection then turn this off. - DOC_END - - NAME: check_hostnames - TYPE: onoff - DEFAULT: on - LOC: Config.onoff.check_hostnames - DOC_START - For security and stability reasons Squid by default checks - hostnames for Internet standard RFC compliance. If you do - not want - Squid to perform these checks then turn this directive off. - DOC_END - - NAME: cache_dns_program - TYPE: string - IFDEF: USE_DNSSERVERS - DEFAULT: @DEFAULT_DNSSERVER@ - LOC: Config.Program.dnsserver - DOC_START - Specify the location of the executable for dnslookup process. - DOC_END - - NAME: dns_children - TYPE: int - IFDEF: USE_DNSSERVERS - DEFAULT: 5 - LOC: Config.dnsChildren - DOC_START - The number of processes spawn to service DNS name lookups. - For heavily loaded caches on large servers, you should - probably increase this value to at least 10. The maximum - is 32. The default is 5. - - You must have at least one dnsserver process. - DOC_END - - NAME: dns_retransmit_interval - TYPE: time_t - DEFAULT: 5 seconds - LOC: Config.Timeout.idns_retransmit - IFDEF: !USE_DNSSERVERS - DOC_START - Initial retransmit interval for DNS queries. The interval is - doubled each time all configured DNS servers have been tried. - - DOC_END - - NAME: dns_timeout - TYPE: time_t - DEFAULT: 5 minutes - LOC: Config.Timeout.idns_query - IFDEF: !USE_DNSSERVERS - DOC_START - DNS Query timeout. If no response is received to a DNS query - within this time then all DNS servers for the queried domain - is assumed to be unavailable. - DOC_END - - NAME: dns_defnames - COMMENT: on|off - IFDEF: USE_DNSSERVERS - TYPE: onoff - DEFAULT: off - LOC: Config.onoff.res_defnames - IFDEF: USE_DNSSERVERS - DOC_START - Normally the 'dnsserver' disables the RES_DEFNAMES resolver - option (see res_init(3)). This prevents caches in a hierarchy - from interpreting single-component hostnames locally. To allow - dnsserver to handle single-component names, enable this - option. - DOC_END - - NAME: dns_nameservers - TYPE: wordlist - DEFAULT: none - LOC: Config.dns_nameservers - DOC_START - Use this if you want to specify a list of DNS name servers - (IP addresses) to use instead of those given in your - /etc/resolv.conf file. - On Windows platforms, if no value is specified here or in - the /etc/resolv.conf file, the list of DNS name servers are - taken from the Windows registry, both static and dynamic DHCP - configurations are supported. - - Example: dns_nameservers 10.0.0.1 192.172.0.4 - DOC_END - - NAME: hosts_file - TYPE: string - DEFAULT: @DEFAULT_HOSTS@ - LOC: Config.etcHostsPath - DOC_START - Location of the host-local IP name-address associations - database. Most Operating Systems have such a file on different - default locations: - - Un*X & Linux: /etc/hosts - - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts - (%SystemRoot% value install default is c:\winnt) - - Windows XP: %SystemRoot%\system32\drivers\etc\hosts - (%SystemRoot% value install default is c:\windows) - - Windows 9x/Me: %windir%\hosts - (%windir% value is usually c:\windows) - - Cygwin: /etc/hosts - - The file contains newline-separated definitions, in the - form ip_address_in_dotted_form name [name ...] names are - whitespace-separated. Lines beginnng with an hash (#) - character are comments. - - The file is checked at startup and upon configuration. - If set - to 'none', it won't be checked. - If append_domain is used, that domain will be added to - domain-local (i.e. not containing any dot character) host - definitions. - DOC_END - - NAME: diskd_program - TYPE: string - DEFAULT: @DEFAULT_DISKD@ - LOC: Config.Program.diskd - DOC_START - Specify the location of the diskd executable. - Note that this is only useful if you have compiled in - diskd as one of the store io modules. - DOC_END - - NAME: unlinkd_program - IFDEF: USE_UNLINKD - TYPE: string - DEFAULT: @DEFAULT_UNLINKD@ - LOC: Config.Program.unlinkd - DOC_START - Specify the location of the executable for file deletion process. - DOC_END - - NAME: pinger_program - TYPE: string - DEFAULT: @DEFAULT_PINGER@ - LOC: Config.Program.pinger - IFDEF: USE_ICMP - DOC_START - Specify the location of the executable for the pinger process. - DOC_END - - - NAME: redirect_program - TYPE: wordlist - LOC: Config.Program.redirect - DEFAULT: none - DOC_START - Specify the location of the executable for the URL redirector. - Since they can perform almost any function there isn't one included. - See the FAQ (section 15) for information on how to write one. - By default, a redirector is not used. - DOC_END - - - NAME: redirect_children - TYPE: int - DEFAULT: 5 - LOC: Config.redirectChildren - DOC_START - The number of redirector processes to spawn. If you start - too few Squid will have to wait for them to process a backlog of - URLs, slowing it down. If you start too many they will use RAM - and other system resources. - DOC_END - - NAME: redirect_rewrites_host_header - TYPE: onoff - DEFAULT: on - LOC: Config.onoff.redir_rewrites_host - DOC_START - By default Squid rewrites any Host: header in redirected - requests. If you are running an accelerator then this may - not be a wanted effect of a redirector. - - WARNING: Entries are cached on the result of the URL rewriting - process, so be careful if you have domain-virtual hosts. - DOC_END - - NAME: redirector_access - TYPE: acl_access - DEFAULT: none - LOC: Config.accessList.redirector - DOC_START - If defined, this access list specifies which requests are - sent to the redirector processes. By default all requests - are sent. - DOC_END - - NAME: auth_param - TYPE: authparam - LOC: Config.authConfiguration - DEFAULT: none - DOC_START - This is used to pass parameters to the various authentication - schemes. - format: auth_param scheme parameter [setting] - - auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd - would tell the basic authentication scheme it's program parameter. - - The order that authentication prompts are presented to the client_agent - is dependant on the order the scheme first appears in config file. - IE has a bug (it's not rfc 2617 compliant) in that it will use the basic - scheme if basic is the first entry presented, even if more secure schemes - are presented. For now use the order in the file below. If other browsers - have difficulties (don't recognise the schemes offered even if you are using - basic) then either put basic first, or disable the other schemes (by commenting - out their program entry). - - Once an authentication scheme is fully configured, it can only be shutdown - by shutting squid down and restarting. Changes can be made on the fly and - activated with a reconfigure. I.E. You can change to a different helper, - but not unconfigure the helper completely. - - === Parameters for the basic scheme follow. === - - "program" cmdline - Specify the command for the external authenticator. Such a - program reads a line containing "username password" and replies - "OK" or "ERR" in an endless loop. If you use an authenticator, - make sure you have 1 acl of type proxy_auth. By default, the - basic authentication sheme is not used unless a program is specified. - - If you want to use the traditional proxy authentication, - jump over to the ../auth_modules/NCSA directory and - type: - % make - % make install - - Then, set this line to something like - - auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd - - "children" numberofchildren - The number of authenticator processes to spawn (no default). - If you start too few Squid will have to wait for them to - process a backlog of usercode/password verifications, slowing - it down. When password verifications are done via a (slow) - network you are likely to need lots of authenticator - processes. - auth_param basic children 5 - - "realm" realmstring - Specifies the realm name which is to be reported to the - client for the basic proxy authentication scheme (part of - the text the user will see when prompted their username and - password). There is no default. - auth_param basic realm Squid proxy-caching web server - - "credentialsttl" timetolive - Specifies how long squid assumes an externally validated - username:password pair is valid for - in other words how - often the helper program is called for that user. Set this - low to force revalidation with short lived passwords. Note - that setting this high does not impact your susceptability - to replay attacks unless you are using an one-time password - system (such as SecureID). If you are using such a system, - you will be vulnerable to replay attacks unless you also - use the max_user_ip ACL in an http_access rule. - - === Parameters for the digest scheme follow === - - "program" cmdline - Specify the command for the external authenticator. Such - a program reads a line containing "username":"realm" and - replies with the appropriate H(A1) value base64 encoded. - See rfc 2616 for the definition of H(A1). If you use an - authenticator, make sure you have 1 acl of type proxy_auth. - By default, authentication is not used. - - If you want to use build an authenticator, - jump over to the ../digest_auth_modules directory and choose the - authenticator to use. It it's directory type - % make - % make install - - Then, set - this line to something like - - auth_param digest program @DEFAULT_PREFIX@/bin/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass - - - "children" numberofchildren - The number of authenticator processes to spawn (no default). - If you start too few Squid will have to wait for them to - process a backlog of H(A1) calculations, slowing it down. - When the H(A1) calculations are done via a (slow) network - you are likely to need lots of authenticator processes. - auth_param digest children 5 - - "realm" realmstring - Specifies the realm name which is to be reported to the - client for the digest proxy authentication scheme (part of - the text the user will see when prompted their username and - password). There is no default. - auth_param digest realm Squid proxy-caching web server - - "nonce_garbage_interval" timeinterval - Specifies the interval that nonces that have been issued - to client_agent's are checked for validity. - - "nonce_max_duration" timeinterval - Specifies the maximum length of time a given nonce will be - valid for. - - "nonce_max_count" number - Specifies the maximum number of times a given nonce can be - used. - - "nonce_strictness" on|off - Determines if squid requires increment-by-1 behaviour for - nonce counts (on - the default), or strictly incrementing - (off - for use when useragents generate nonce counts that - occasionally miss 1 (ie, 1,2,4,6)). - - === NTLM scheme options follow === - - "program" cmdline - Specify the command for the external ntlm authenticator. - Such a program reads a line containing the uuencoded NEGOTIATE - and replies with the ntlm CHALLENGE, then waits for the - response and answers with "OK" or "ERR" in an endless loop. - If you use an ntlm authenticator, make sure you have 1 acl - of type proxy_auth. By default, the ntlm authenticator_program - is not used. - - auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth - - "children" numberofchildren - The number of authenticator processes to spawn (no default). - If you start too few Squid will have to wait for them to - process a backlog of credential verifications, slowing it - down. When crendential verifications are done via a (slow) - network you are likely to need lots of authenticator - processes. - auth_param ntlm children 5 - - "max_challenge_reuses" number - The maximum number of times a challenge given by a ntlm - authentication helper can be reused. Increasing this number - increases your exposure to replay attacks on your network. - 0 means use the challenge only once. (disable challenge - caching) See max_ntlm_challenge_lifetime for more information. - auth_param ntlm max_challenge_reuses 0 - - "max_challenge_lifetime" timespan - The maximum time period that a ntlm challenge is reused - over. The actual period will be the minimum of this time - AND the number of reused challenges. - auth_param ntlm max_challenge_lifetime 2 minutes - - NOCOMMENT_START +COMMENT_START + OPTIONS FOR EXTERNAL SUPPORT PROGRAMS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: ftp_user +TYPE: string +DEFAULT: Squid@ +LOC: Config.Ftp.anon_user +DOC_START + If you want the anonymous login password to be more informative + (and enable the use of picky ftp servers), set this to something + reasonable for your domain, like wwwuser@somewhere.net + + The reason why this is domainless by default is that the + request can be made on the behalf of a user in any domain, + depending on how the cache is used. + Some ftp server also validate that the email address is valid + (for example perl.com). +DOC_END + +NAME: ftp_list_width +TYPE: size_t +DEFAULT: 32 +LOC: Config.Ftp.list_width +DOC_START + Sets the width of ftp listings. This should be set to fit in + the width of a standard browser. Setting this too small + can cut off long filenames when browsing ftp sites. +DOC_END + +NAME: ftp_passive +TYPE: onoff +DEFAULT: on +LOC: Config.Ftp.passive +DOC_START + If your firewall does not allow Squid to use passive + connections, then turn off this option. +DOC_END + +NAME: ftp_sanitycheck +TYPE: onoff +DEFAULT: on +LOC: Config.Ftp.sanitycheck +DOC_START + For security and data integrity reasons Squid by default performs + sanity checks of the addresses of FTP data connections ensure the + data connection is to the requested server. If you need to allow + FTP connections to servers using another IP address for the data + connection then turn this off. +DOC_END + +NAME: check_hostnames +TYPE: onoff +DEFAULT: on +LOC: Config.onoff.check_hostnames +DOC_START + For security and stability reasons Squid by default checks + hostnames for Internet standard RFC compliance. If you do not want + Squid to perform these checks then turn this directive off. +DOC_END + +NAME: cache_dns_program +TYPE: string +IFDEF: USE_DNSSERVERS +DEFAULT: @DEFAULT_DNSSERVER@ +LOC: Config.Program.dnsserver +DOC_START + Specify the location of the executable for dnslookup process. +DOC_END + +NAME: dns_children +TYPE: int +IFDEF: USE_DNSSERVERS +DEFAULT: 5 +LOC: Config.dnsChildren +DOC_START + The number of processes spawn to service DNS name lookups. + For heavily loaded caches on large servers, you should + probably increase this value to at least 10. The maximum + is 32. The default is 5. + + You must have at least one dnsserver process. +DOC_END + +NAME: dns_retransmit_interval +TYPE: time_t +DEFAULT: 5 seconds +LOC: Config.Timeout.idns_retransmit +IFDEF: !USE_DNSSERVERS +DOC_START + Initial retransmit interval for DNS queries. The interval is + doubled each time all configured DNS servers have been tried. + +DOC_END + +NAME: dns_timeout +TYPE: time_t +DEFAULT: 5 minutes +LOC: Config.Timeout.idns_query +IFDEF: !USE_DNSSERVERS +DOC_START + DNS Query timeout. If no response is received to a DNS query + within this time then all DNS servers for the queried domain + is assumed to be unavailable. +DOC_END + +NAME: dns_defnames +COMMENT: on|off +IFDEF: USE_DNSSERVERS +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.res_defnames +IFDEF: USE_DNSSERVERS +DOC_START + Normally the 'dnsserver' disables the RES_DEFNAMES resolver + option (see res_init(3)). This prevents caches in a hierarchy + from interpreting single-component hostnames locally. To allow + dnsserver to handle single-component names, enable this + option. +DOC_END + +NAME: dns_nameservers +TYPE: wordlist +DEFAULT: none +LOC: Config.dns_nameservers +DOC_START + Use this if you want to specify a list of DNS name servers + (IP addresses) to use instead of those given in your + /etc/resolv.conf file. + On Windows platforms, if no value is specified here or in + the /etc/resolv.conf file, the list of DNS name servers are + taken from the Windows registry, both static and dynamic DHCP + configurations are supported. + + Example: dns_nameservers 10.0.0.1 192.172.0.4 +DOC_END + +NAME: hosts_file +TYPE: string +DEFAULT: @DEFAULT_HOSTS@ +LOC: Config.etcHostsPath +DOC_START + Location of the host-local IP name-address associations + database. Most Operating Systems have such a file on different + default locations: + - Un*X & Linux: /etc/hosts + - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts + (%SystemRoot% value install default is c:\winnt) + - Windows XP: %SystemRoot%\system32\drivers\etc\hosts + (%SystemRoot% value install default is c:\windows) + - Windows 9x/Me: %windir%\hosts + (%windir% value is usually c:\windows) + - Cygwin: /etc/hosts + + The file contains newline-separated definitions, in the + form ip_address_in_dotted_form name [name ...] names are + whitespace-separated. Lines beginnng with an hash (#) + character are comments. + + The file is checked at startup and upon configuration. + If set to 'none', it won't be checked. + If append_domain is used, that domain will be added to + domain-local (i.e. not containing any dot character) host + definitions. +DOC_END + +NAME: diskd_program +TYPE: string +DEFAULT: @DEFAULT_DISKD@ +LOC: Config.Program.diskd +DOC_START + Specify the location of the diskd executable. + Note that this is only useful if you have compiled in + diskd as one of the store io modules. +DOC_END + +NAME: unlinkd_program +IFDEF: USE_UNLINKD +TYPE: string +DEFAULT: @DEFAULT_UNLINKD@ +LOC: Config.Program.unlinkd +DOC_START + Specify the location of the executable for file deletion process. +DOC_END + +NAME: pinger_program +TYPE: string +DEFAULT: @DEFAULT_PINGER@ +LOC: Config.Program.pinger +IFDEF: USE_ICMP +DOC_START + Specify the location of the executable for the pinger process. +DOC_END + + +NAME: redirect_program +TYPE: wordlist +LOC: Config.Program.redirect +DEFAULT: none +DOC_START + Specify the location of the executable for the URL redirector. + Since they can perform almost any function there isn't one included. + See the FAQ (section 15) for information on how to write one. + By default, a redirector is not used. +DOC_END + + +NAME: redirect_children +TYPE: int +DEFAULT: 5 +LOC: Config.redirectChildren +DOC_START + The number of redirector processes to spawn. If you start + too few Squid will have to wait for them to process a backlog of + URLs, slowing it down. If you start too many they will use RAM + and other system resources. +DOC_END + +NAME: redirect_rewrites_host_header +TYPE: onoff +DEFAULT: on +LOC: Config.onoff.redir_rewrites_host +DOC_START + By default Squid rewrites any Host: header in redirected + requests. If you are running an accelerator then this may + not be a wanted effect of a redirector. + + WARNING: Entries are cached on the result of the URL rewriting + process, so be careful if you have domain-virtual hosts. +DOC_END + +NAME: redirector_access +TYPE: acl_access +DEFAULT: none +LOC: Config.accessList.redirector +DOC_START + If defined, this access list specifies which requests are + sent to the redirector processes. By default all requests + are sent. +DOC_END + +NAME: auth_param +TYPE: authparam +LOC: Config.authConfiguration +DEFAULT: none +DOC_START + This is used to pass parameters to the various authentication + schemes. + format: auth_param scheme parameter [setting] + + auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd + would tell the basic authentication scheme it's program parameter. + + The order that authentication prompts are presented to the client_agent + is dependant on the order the scheme first appears in config file. + IE has a bug (it's not rfc 2617 compliant) in that it will use the basic + scheme if basic is the first entry presented, even if more secure schemes + are presented. For now use the order in the file below. If other browsers + have difficulties (don't recognise the schemes offered even if you are using + basic) then either put basic first, or disable the other schemes (by commenting + out their program entry). + + Once an authentication scheme is fully configured, it can only be shutdown + by shutting squid down and restarting. Changes can be made on the fly and + activated with a reconfigure. I.E. You can change to a different helper, + but not unconfigure the helper completely. + + === Parameters for the basic scheme follow. === + + "program" cmdline + Specify the command for the external authenticator. Such a + program reads a line containing "username password" and replies + "OK" or "ERR" in an endless loop. If you use an authenticator, + make sure you have 1 acl of type proxy_auth. By default, the + basic authentication sheme is not used unless a program is specified. + + If you want to use the traditional proxy authentication, + jump over to the ../auth_modules/NCSA directory and + type: + % make + % make install + + Then, set this line to something like + + auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd + + "children" numberofchildren + The number of authenticator processes to spawn (no default). + If you start too few Squid will have to wait for them to + process a backlog of usercode/password verifications, slowing + it down. When password verifications are done via a (slow) + network you are likely to need lots of authenticator + processes. + auth_param basic children 5 + + "realm" realmstring + Specifies the realm name which is to be reported to the + client for the basic proxy authentication scheme (part of + the text the user will see when prompted their username and + password). There is no default. + auth_param basic realm Squid proxy-caching web server + + "credentialsttl" timetolive + Specifies how long squid assumes an externally validated + username:password pair is valid for - in other words how + often the helper program is called for that user. Set this + low to force revalidation with short lived passwords. Note + that setting this high does not impact your susceptability + to replay attacks unless you are using an one-time password + system (such as SecureID). If you are using such a system, + you will be vulnerable to replay attacks unless you also + use the max_user_ip ACL in an http_access rule. + + === Parameters for the digest scheme follow === + + "program" cmdline + Specify the command for the external authenticator. Such + a program reads a line containing "username":"realm" and + replies with the appropriate H(A1) value base64 encoded. + See rfc 2616 for the definition of H(A1). If you use an + authenticator, make sure you have 1 acl of type proxy_auth. + By default, authentication is not used. + + If you want to use build an authenticator, + jump over to the ../digest_auth_modules directory and choose the + authenticator to use. It it's directory type + % make + % make install + + Then, set this line to something like + + auth_param digest program @DEFAULT_PREFIX@/bin/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass + + + "children" numberofchildren + The number of authenticator processes to spawn (no default). + If you start too few Squid will have to wait for them to + process a backlog of H(A1) calculations, slowing it down. + When the H(A1) calculations are done via a (slow) network + you are likely to need lots of authenticator processes. + auth_param digest children 5 + + "realm" realmstring + Specifies the realm name which is to be reported to the + client for the digest proxy authentication scheme (part of + the text the user will see when prompted their username and + password). There is no default. + auth_param digest realm Squid proxy-caching web server + + "nonce_garbage_interval" timeinterval + Specifies the interval that nonces that have been issued + to client_agent's are checked for validity. + + "nonce_max_duration" timeinterval + Specifies the maximum length of time a given nonce will be + valid for. + + "nonce_max_count" number + Specifies the maximum number of times a given nonce can be + used. + + "nonce_strictness" on|off + Determines if squid requires increment-by-1 behaviour for + nonce counts (on - the default), or strictly incrementing + (off - for use when useragents generate nonce counts that + occasionally miss 1 (ie, 1,2,4,6)). + + === NTLM scheme options follow === + + "program" cmdline + Specify the command for the external ntlm authenticator. + Such a program reads a line containing the uuencoded NEGOTIATE + and replies with the ntlm CHALLENGE, then waits for the + response and answers with "OK" or "ERR" in an endless loop. + If you use an ntlm authenticator, make sure you have 1 acl + of type proxy_auth. By default, the ntlm authenticator_program + is not used. + + auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth + + "children" numberofchildren + The number of authenticator processes to spawn (no default). + If you start too few Squid will have to wait for them to + process a backlog of credential verifications, slowing it + down. When crendential verifications are done via a (slow) + network you are likely to need lots of authenticator + processes. + auth_param ntlm children 5 + + "max_challenge_reuses" number + The maximum number of times a challenge given by a ntlm + authentication helper can be reused. Increasing this number + increases your exposure to replay attacks on your network. + 0 means use the challenge only once. (disable challenge + caching) See max_ntlm_challenge_lifetime for more information. + auth_param ntlm max_challenge_reuses 0 + + "max_challenge_lifetime" timespan + The maximum time period that a ntlm challenge is reused + over. The actual period will be the minimum of this time + AND the number of reused challenges. + auth_param ntlm max_challenge_lifetime 2 minutes + +NOCOMMENT_START #Recommended minimum configuration: #auth_param digest program #auth_param digest children 5 @@ -1701,561 +1671,556 @@ This is the default Squid configuration file. You may wish #auth_param ntlm max_challenge_reuses 0 #auth_param ntlm max_challenge_lifetime 2 minutes #auth_param basic program - auth_param basic children 5 - auth_param basic realm Squid proxy-caching web server - auth_param basic credentialsttl 2 hours - NOCOMMENT_END - DOC_END - - NAME: authenticate_cache_garbage_interval - TYPE: time_t - DEFAULT: 1 hour - LOC: Config.authenticateGCInterval - DOC_START - The time period between garbage collection across the - username cache. This is a tradeoff between memory utilisation - (long intervals - say 2 days) and CPU (short intervals - - say 1 minute). Only change if you have good reason to. - DOC_END - - NAME: authenticate_ttl - TYPE: time_t - DEFAULT: 1 hour - LOC: Config.authenticateTTL - DOC_START - The time a user & their credentials stay in the logged in - user cache since their last request. When the garbage - interval passes, all user credentials that have passed their - TTL are removed from memory. - DOC_END - - NAME: authenticate_ip_ttl - TYPE: time_t - LOC: Config.authenticateIpTTL - DEFAULT: 0 seconds - DOC_START - If you use proxy authentication and the 'max_user_ip' ACL, - this directive controls how long Squid remembers the IP - addresses associated with each user. Use a small value - (e.g., 60 seconds) if your users might change addresses - quickly, as is the case with dialups. You might be safe - using a larger value (e.g., 2 hours) in a corporate LAN - environment with relatively static address assignments. - DOC_END - - NAME: external_acl_type - TYPE: externalAclHelper - LOC: Config.externalAclHelperList - DEFAULT: none - DOC_START - This option defines external acl classes using a helper program - to look up the status - - external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] - - Options: - - ttl=n TTL in seconds for cached results (defaults to 3600 - for 1 hour) - negative_ttl=n - TTL for cached negative lookups (default same - as ttl) - children=n Number of acl helper processes spawn to service - external acl lookups of this type. - cache=n result cache size, 0 is unbounded (default) - - FORMAT specifications - - %LOGIN Authenticated user login name - %IDENT Ident user name - %SRC Client IP - %DST Requested host - %PROTO Requested protocol - %PORT Requested port - %PATH Requested URL path - %METHOD Request method - %USER_CERT_xx SSL User certificate attribute xx - %USER_CA_xx SSL User certificate CA attribute xx - %{Header} HTTP request header - %{Hdr:member} HTTP request header list member - %{Hdr:;member} - HTTP request header list member using ; as - list separator. ; can be any non-alphanumeric - character. - - In addition, any string specified in the referencing acl will - also be included in the helper request line, after the specified - formats (see the "acl external" directive) - - The helper receives lines per the above format specification, - and returns lines starting with OK or ERR indicating the validity - of the request and optionally followed by additional keywords with - more details. - - General result syntax: - - OK/ERR keyword=value ... - - Defined keywords: - - user= The users name (login) - error= Error description (only defined for ERR results) - tag= Apply a tag to a request (for both ERR and OK results) - Only sets a tag, does not alter existing tags. - - Keyword values need to be enclosed in quotes if they may - contain whitespace, or the whitespace escaped using \. Any - quotes or \ characters within the keyword value must be \ - escaped. - DOC_END - - COMMENT_START - OPTIONS FOR TUNING THE CACHE - ----------------------------------------------------------------------------- - COMMENT_END - - NAME: wais_relay_host - TYPE: string - DEFAULT: none - LOC: Config.Wais.relayHost - DOC_NONE - - NAME: wais_relay_port - TYPE: ushort - DEFAULT: 0 - LOC: Config.Wais.relayPort - DOC_START - Relay WAIS request to host (1st arg) at port (2 arg). - DOC_END - - - NAME: request_header_max_size - COMMENT: (KB) - TYPE: b_size_t - DEFAULT: 10 KB - LOC: Config.maxRequestHeaderSize - DOC_START - This specifies the maximum size for HTTP headers in a request. - Request headers are usually relatively small (about 512 bytes). - Placing a limit on the request header size will catch certain - bugs (for example with persistent connections) and possibly - buffer-overflow or denial-of-service attacks. - DOC_END - - NAME: request_body_max_size - COMMENT: (KB) - TYPE: b_size_t - DEFAULT: 0 KB - LOC: Config.maxRequestBodySize - DOC_START - This specifies the maximum size for an HTTP request body. - In other words, the maximum size of a PUT/POST request. - A user who attempts to send a request with a body larger - than this limit receives an "Invalid Request" error message. - If you set this parameter to a zero (the default), there will - be no limit imposed. - DOC_END - - NAME: refresh_pattern - TYPE: refreshpattern - LOC: Config.Refresh - DEFAULT: none - DOC_START - usage: refresh_pattern [-i] regex min percent max [options] - - By default, regular expressions are CASE-SENSITIVE. To make - them case-insensitive, use the -i option. - - 'Min' is the time (in minutes) an object without an explicit - expiry time should be considered fresh. The recommended - value is 0, any higher values may cause dynamic applications - to be erroneously cached unless the application designer - has taken the appropriate actions. - - 'Percent' is a percentage of the objects age (time since last - modification age) an object without explicit expiry time - will be considered fresh. - - 'Max' is an upper limit on how long objects without an explicit - expiry time will be considered fresh. - - options: override-expire - override-lastmod - reload-into-ims - ignore-reload - - override-expire enforces min age even if the server - sent a Expires: header. Doing this VIOLATES the HTTP - standard. Enabling this feature could make you liable - for problems which it causes. - - override-lastmod enforces min age even on objects - that was modified recently. - - reload-into-ims changes client no-cache or ``reload'' - to If-Modified-Since requests. Doing this VIOLATES the - HTTP standard. Enabling this feature could make you - liable for problems which it causes. - - ignore-reload ignores a client no-cache or ``reload'' - header. Doing this VIOLATES the HTTP standard. Enabling - this feature could make you liable for problems which - it causes. - - Basically a cached object is: - - FRESH if expires < now, else STALE - STALE if age > max - FRESH if lm-factor < percent, else STALE - FRESH if age < min - else STALE - - The refresh_pattern lines are checked in the order listed here. - The first entry which matches is used. If none of the entries - match, then the default will be used. - - Note, you must uncomment all the default lines if you want - to change one. The default setting is only active if none is - used. - - Suggested default: - NOCOMMENT_START - refresh_pattern ^ftp: 1440 20% 10080 - refresh_pattern ^gopher: 1440 0% 1440 - refresh_pattern . 0 20% 4320 - NOCOMMENT_END - DOC_END - - NAME: quick_abort_min - COMMENT: (KB) - TYPE: kb_size_t - DEFAULT: 16 KB - LOC: Config.quickAbort.min - DOC_NONE - - NAME: quick_abort_max - COMMENT: (KB) - TYPE: kb_size_t - DEFAULT: 16 KB - LOC: Config.quickAbort.max - DOC_NONE - - NAME: quick_abort_pct - COMMENT: (percent) - TYPE: int - DEFAULT: 95 - LOC: Config.quickAbort.pct - DOC_START - The cache by default continues downloading aborted requests - which are almost completed (less than 16 KB remaining). This - may be undesirable on slow (e.g. SLIP) links and/or very busy - caches. Impatient users may tie up file descriptors and - bandwidth by repeatedly requesting and immediately aborting - downloads. - - When the user aborts a request, Squid will check the - quick_abort values to the amount of data transfered until - then. - - If the transfer has less than 'quick_abort_min' KB remaining, - it will finish the retrieval. - - If the transfer has more than 'quick_abort_max' KB remaining, - it will abort the retrieval. - - If more than 'quick_abort_pct' of the transfer has completed, - it will finish the retrieval. - - If you do not want any retrieval to continue after the client - has aborted, set both 'quick_abort_min' and 'quick_abort_max' - to '0 KB'. - - If you want retrievals to always continue if they are being - cached then set 'quick_abort_min' to '-1 KB'. - DOC_END - - NAME: read_ahead_gap - COMMENT: buffer-size - TYPE: kb_size_t - LOC: Config.readAheadGap - DEFAULT: 16 KB - DOC_START - The amount of data the cache will buffer ahead of what has been - sent to the client when retrieving an object from another server. - DOC_END - - NAME: negative_ttl - COMMENT: time-units - TYPE: time_t - LOC: Config.negativeTtl - DEFAULT: 5 minutes - DOC_START - Time-to-Live (TTL) for failed requests. Certain types of - failures (such as "connection refused" and "404 Not Found") are - negatively-cached for a configurable amount of time. The - default is 5 minutes. Note that this is different from - negative caching of DNS lookups. - DOC_END - - - NAME: positive_dns_ttl - COMMENT: time-units - TYPE: time_t - LOC: Config.positiveDnsTtl - DEFAULT: 6 hours - DOC_START - Time-to-Live (TTL) for positive caching of successful DNS lookups. - Default is 6 hours (360 minutes). If you want to minimize the - use of Squid's ipcache, set - this to 1, not 0. - DOC_END - - - NAME: negative_dns_ttl - COMMENT: time-units - TYPE: time_t - LOC: Config.negativeDnsTtl - DEFAULT: 5 minutes - DOC_START - Time-to-Live (TTL) for negative caching of failed DNS lookups. - DOC_END - - NAME: range_offset_limit - COMMENT: (bytes) - TYPE: b_size_t - LOC: Config.rangeOffsetLimit - DEFAULT: 0 KB - DOC_START - Sets a upper limit on how far into the the file a Range request - may be to cause Squid to prefetch the whole file. If beyond this - limit then Squid forwards the Range request as it is and the result - is NOT cached. - - This is to stop a far ahead range request (lets say start at 17MB) - from making Squid fetch the whole object up to that point before - sending anything to the client. - - A value of -1 causes Squid to always fetch the object from the - beginning so that it may cache the result. (2.0 style) - - A value of 0 causes Squid to never fetch more than the - client requested. (default) - DOC_END - - - COMMENT_START - TIMEOUTS - ----------------------------------------------------------------------------- - COMMENT_END - - NAME: connect_timeout - COMMENT: time-units - TYPE: time_t - LOC: Config.Timeout.connect - DEFAULT: 2 minutes - DOC_START - Some systems (notably Linux) can not be relied upon to properly - time out connect(2) requests. Therefore the Squid process - enforces its own timeout on server connections. This parameter - specifies how long to wait for the connect to complete. The - default is two minutes (120 seconds). - DOC_END - - NAME: peer_connect_timeout - COMMENT: time-units - TYPE: time_t - LOC: Config.Timeout.peer_connect - DEFAULT: 30 seconds - DOC_START - This parameter specifies how long to wait for a pending TCP - connection to a peer cache. The default is 30 seconds. You - may also set - different timeout values for individual neighbors - with the 'connect-timeout' option on a 'cache_peer' line. - DOC_END - - NAME: read_timeout - COMMENT: time-units - TYPE: time_t - LOC: Config.Timeout.read - DEFAULT: 15 minutes - DOC_START - The read_timeout is applied on server-side connections. After - each successful read(), the timeout will be extended by this - amount. If no data is read again after this amount of time, - the request is aborted and logged with ERR_READ_TIMEOUT. The - default is 15 minutes. - DOC_END - - - NAME: request_timeout - TYPE: time_t - LOC: Config.Timeout.request - DEFAULT: 5 minutes - DOC_START - How long to wait for an HTTP request after initial - connection establishment. - DOC_END - - - NAME: persistent_request_timeout - TYPE: time_t - LOC: Config.Timeout.persistent_request - DEFAULT: 1 minute - DOC_START - How long to wait for the next HTTP request on a persistent - connection after the previous request completes. - DOC_END - - - NAME: client_lifetime - COMMENT: time-units - TYPE: time_t - LOC: Config.Timeout.lifetime - DEFAULT: 1 day - DOC_START - The maximum amount of time that a client (browser) is allowed to - remain connected to the cache process. This protects the Cache - from having a lot of sockets (and hence file descriptors) tied up - in a CLOSE_WAIT state from remote clients that go away without - properly shutting down (either because of a network failure or - because of a poor client implementation). The default is one - day, 1440 minutes. - - NOTE: The default value is intended to be much larger than any - client would ever need to be connected to your cache. You - should probably change client_lifetime only as a last resort. - If you seem to have many client connections tying up - filedescriptors, we recommend first tuning the read_timeout, - request_timeout, persistent_request_timeout and quick_abort values. - DOC_END - - NAME: half_closed_clients - TYPE: onoff - LOC: Config.onoff.half_closed_clients - DEFAULT: on - DOC_START - Some clients may shutdown the sending side of their TCP - connections, while leaving their receiving sides open. Sometimes, - Squid can not tell the difference between a half-closed and a - fully-closed TCP connection. By default, half-closed client - connections are kept open until a read(2) or write(2) on the - socket returns an error. Change this option to 'off' and Squid - will immediately close client connections when read(2) returns - "no more data to read." - DOC_END - - NAME: pconn_timeout - TYPE: time_t - LOC: Config.Timeout.pconn - DEFAULT: 120 seconds - DOC_START - Timeout for idle persistent connections to servers and other - proxies. - DOC_END - - NAME: ident_timeout - TYPE: time_t - IFDEF: USE_IDENT - LOC: Config.Timeout.ident - DEFAULT: 10 seconds - DOC_START - Maximum time to wait for IDENT lookups to complete. - - If this is too high, and you enabled IDENT lookups from untrusted - users, then you might be susceptible to denial-of-service by having - many ident requests going at once. - DOC_END - - - NAME: shutdown_lifetime - COMMENT: time-units - TYPE: time_t - LOC: Config.shutdownLifetime - DEFAULT: 30 seconds - DOC_START - When SIGTERM or SIGHUP is received, the cache is put into - "shutdown pending" mode until all active sockets are closed. - This value is the lifetime to set - for all open descriptors - during shutdown mode. Any active clients after this many - seconds will receive a 'timeout' message. - DOC_END - - COMMENT_START - ACCESS CONTROLS - ----------------------------------------------------------------------------- - COMMENT_END - - NAME: acl - TYPE: acl - LOC: Config.aclList - DEFAULT: none - DOC_START - Defining an Access List - - acl aclname acltype string1 ... - acl aclname acltype "file" ... - - when using "file", the file should contain one item per line - - acltype is one of the types described below - - By default, regular expressions are CASE-SENSITIVE. To make - them case-insensitive, use the -i option. - - acl aclname src ip-address/netmask ... (clients IP address) - acl aclname src addr1-addr2/netmask ... (range of addresses) - acl aclname dst ip-address/netmask ... (URL host's IP address) - acl aclname myip ip-address/netmask ... (local socket IP address) - - acl aclname srcdomain .foo.com ... # reverse lookup, client IP - acl aclname dstdomain .foo.com ... # Destination server from URL - acl aclname srcdom_regex [-i] xxx ... # regex matching client name - acl aclname dstdom_regex [-i] xxx ... # regex matching server -# For dstdomain and dstdom_regex a reverse lookup is tried if a IP -# based URL is used. The name "none" is used if the reverse lookup -# fails. - - acl aclname time [day-abbrevs] [h1:m1-h2:m2] - day-abbrevs: - S - Sunday - M - Monday - T - Tuesday - W - Wednesday - H - Thursday - F - Friday - A - Saturday - h1:m1 must be less than h2:m2 - acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL - acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path - acl aclname port 80 70 21 ... - acl aclname port 0-1024 ... # ranges allowed - acl aclname myport 3128 ... # (local socket TCP port) - acl aclname proto HTTP FTP ... - acl aclname method GET POST ... - acl aclname browser [-i] regexp ... -# pattern match on User-Agent header - acl aclname referer_regex [-i] regexp ... -# pattern match on Referer header -# Referer is highly unreliable, so use with care - acl aclname ident username ... - acl aclname ident_regex [-i] pattern ... -# string match on ident output. -# use REQUIRED to accept any non-null ident. - acl aclname src_as number ... - acl aclname dst_as number ... -# Except for access control, AS numbers can be used for -# routing of requests to specific caches. Here's an -# example for routing all requests for AS#1241 and only +auth_param basic children 5 +auth_param basic realm Squid proxy-caching web server +auth_param basic credentialsttl 2 hours +NOCOMMENT_END +DOC_END + +NAME: authenticate_cache_garbage_interval +TYPE: time_t +DEFAULT: 1 hour +LOC: Config.authenticateGCInterval +DOC_START + The time period between garbage collection across the + username cache. This is a tradeoff between memory utilisation + (long intervals - say 2 days) and CPU (short intervals - + say 1 minute). Only change if you have good reason to. +DOC_END + +NAME: authenticate_ttl +TYPE: time_t +DEFAULT: 1 hour +LOC: Config.authenticateTTL +DOC_START + The time a user & their credentials stay in the logged in + user cache since their last request. When the garbage + interval passes, all user credentials that have passed their + TTL are removed from memory. +DOC_END + +NAME: authenticate_ip_ttl +TYPE: time_t +LOC: Config.authenticateIpTTL +DEFAULT: 0 seconds +DOC_START + If you use proxy authentication and the 'max_user_ip' ACL, + this directive controls how long Squid remembers the IP + addresses associated with each user. Use a small value + (e.g., 60 seconds) if your users might change addresses + quickly, as is the case with dialups. You might be safe + using a larger value (e.g., 2 hours) in a corporate LAN + environment with relatively static address assignments. +DOC_END + +NAME: external_acl_type +TYPE: externalAclHelper +LOC: Config.externalAclHelperList +DEFAULT: none +DOC_START + This option defines external acl classes using a helper program + to look up the status + + external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] + + Options: + + ttl=n TTL in seconds for cached results (defaults to 3600 + for 1 hour) + negative_ttl=n + TTL for cached negative lookups (default same + as ttl) + children=n Number of acl helper processes spawn to service + external acl lookups of this type. + cache=n result cache size, 0 is unbounded (default) + + FORMAT specifications + + %LOGIN Authenticated user login name + %IDENT Ident user name + %SRC Client IP + %DST Requested host + %PROTO Requested protocol + %PORT Requested port + %PATH Requested URL path + %METHOD Request method + %USER_CERT_xx SSL User certificate attribute xx + %USER_CA_xx SSL User certificate CA attribute xx + %{Header} HTTP request header + %{Hdr:member} HTTP request header list member + %{Hdr:;member} + HTTP request header list member using ; as + list separator. ; can be any non-alphanumeric + character. + + In addition, any string specified in the referencing acl will + also be included in the helper request line, after the specified + formats (see the "acl external" directive) + + The helper receives lines per the above format specification, + and returns lines starting with OK or ERR indicating the validity + of the request and optionally followed by additional keywords with + more details. + + General result syntax: + + OK/ERR keyword=value ... + + Defined keywords: + + user= The users name (login) + error= Error description (only defined for ERR results) + + Keyword values need to be enclosed in quotes if they may + contain whitespace, or the whitespace escaped using \. Any + quotes or \ characters within the keyword value must be \ + escaped. +DOC_END + +COMMENT_START + OPTIONS FOR TUNING THE CACHE + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: wais_relay_host +TYPE: string +DEFAULT: none +LOC: Config.Wais.relayHost +DOC_NONE + +NAME: wais_relay_port +TYPE: ushort +DEFAULT: 0 +LOC: Config.Wais.relayPort +DOC_START + Relay WAIS request to host (1st arg) at port (2 arg). +DOC_END + + +NAME: request_header_max_size +COMMENT: (KB) +TYPE: b_size_t +DEFAULT: 10 KB +LOC: Config.maxRequestHeaderSize +DOC_START + This specifies the maximum size for HTTP headers in a request. + Request headers are usually relatively small (about 512 bytes). + Placing a limit on the request header size will catch certain + bugs (for example with persistent connections) and possibly + buffer-overflow or denial-of-service attacks. +DOC_END + +NAME: request_body_max_size +COMMENT: (KB) +TYPE: b_size_t +DEFAULT: 0 KB +LOC: Config.maxRequestBodySize +DOC_START + This specifies the maximum size for an HTTP request body. + In other words, the maximum size of a PUT/POST request. + A user who attempts to send a request with a body larger + than this limit receives an "Invalid Request" error message. + If you set this parameter to a zero (the default), there will + be no limit imposed. +DOC_END + +NAME: refresh_pattern +TYPE: refreshpattern +LOC: Config.Refresh +DEFAULT: none +DOC_START + usage: refresh_pattern [-i] regex min percent max [options] + + By default, regular expressions are CASE-SENSITIVE. To make + them case-insensitive, use the -i option. + + 'Min' is the time (in minutes) an object without an explicit + expiry time should be considered fresh. The recommended + value is 0, any higher values may cause dynamic applications + to be erroneously cached unless the application designer + has taken the appropriate actions. + + 'Percent' is a percentage of the objects age (time since last + modification age) an object without explicit expiry time + will be considered fresh. + + 'Max' is an upper limit on how long objects without an explicit + expiry time will be considered fresh. + + options: override-expire + override-lastmod + reload-into-ims + ignore-reload + + override-expire enforces min age even if the server + sent a Expires: header. Doing this VIOLATES the HTTP + standard. Enabling this feature could make you liable + for problems which it causes. + + override-lastmod enforces min age even on objects + that was modified recently. + + reload-into-ims changes client no-cache or ``reload'' + to If-Modified-Since requests. Doing this VIOLATES the + HTTP standard. Enabling this feature could make you + liable for problems which it causes. + + ignore-reload ignores a client no-cache or ``reload'' + header. Doing this VIOLATES the HTTP standard. Enabling + this feature could make you liable for problems which + it causes. + + Basically a cached object is: + + FRESH if expires < now, else STALE + STALE if age > max + FRESH if lm-factor < percent, else STALE + FRESH if age < min + else STALE + + The refresh_pattern lines are checked in the order listed here. + The first entry which matches is used. If none of the entries + match, then the default will be used. + + Note, you must uncomment all the default lines if you want + to change one. The default setting is only active if none is + used. + +Suggested default: +NOCOMMENT_START +refresh_pattern ^ftp: 1440 20% 10080 +refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern . 0 20% 4320 +NOCOMMENT_END +DOC_END + +NAME: quick_abort_min +COMMENT: (KB) +TYPE: kb_size_t +DEFAULT: 16 KB +LOC: Config.quickAbort.min +DOC_NONE + +NAME: quick_abort_max +COMMENT: (KB) +TYPE: kb_size_t +DEFAULT: 16 KB +LOC: Config.quickAbort.max +DOC_NONE + +NAME: quick_abort_pct +COMMENT: (percent) +TYPE: int +DEFAULT: 95 +LOC: Config.quickAbort.pct +DOC_START + The cache by default continues downloading aborted requests + which are almost completed (less than 16 KB remaining). This + may be undesirable on slow (e.g. SLIP) links and/or very busy + caches. Impatient users may tie up file descriptors and + bandwidth by repeatedly requesting and immediately aborting + downloads. + + When the user aborts a request, Squid will check the + quick_abort values to the amount of data transfered until + then. + + If the transfer has less than 'quick_abort_min' KB remaining, + it will finish the retrieval. + + If the transfer has more than 'quick_abort_max' KB remaining, + it will abort the retrieval. + + If more than 'quick_abort_pct' of the transfer has completed, + it will finish the retrieval. + + If you do not want any retrieval to continue after the client + has aborted, set both 'quick_abort_min' and 'quick_abort_max' + to '0 KB'. + + If you want retrievals to always continue if they are being + cached then set 'quick_abort_min' to '-1 KB'. +DOC_END + +NAME: read_ahead_gap +COMMENT: buffer-size +TYPE: kb_size_t +LOC: Config.readAheadGap +DEFAULT: 16 KB +DOC_START + The amount of data the cache will buffer ahead of what has been + sent to the client when retrieving an object from another server. +DOC_END + +NAME: negative_ttl +COMMENT: time-units +TYPE: time_t +LOC: Config.negativeTtl +DEFAULT: 5 minutes +DOC_START + Time-to-Live (TTL) for failed requests. Certain types of + failures (such as "connection refused" and "404 Not Found") are + negatively-cached for a configurable amount of time. The + default is 5 minutes. Note that this is different from + negative caching of DNS lookups. +DOC_END + + +NAME: positive_dns_ttl +COMMENT: time-units +TYPE: time_t +LOC: Config.positiveDnsTtl +DEFAULT: 6 hours +DOC_START + Time-to-Live (TTL) for positive caching of successful DNS lookups. + Default is 6 hours (360 minutes). If you want to minimize the + use of Squid's ipcache, set this to 1, not 0. +DOC_END + + +NAME: negative_dns_ttl +COMMENT: time-units +TYPE: time_t +LOC: Config.negativeDnsTtl +DEFAULT: 5 minutes +DOC_START + Time-to-Live (TTL) for negative caching of failed DNS lookups. +DOC_END + +NAME: range_offset_limit +COMMENT: (bytes) +TYPE: b_size_t +LOC: Config.rangeOffsetLimit +DEFAULT: 0 KB +DOC_START + Sets a upper limit on how far into the the file a Range request + may be to cause Squid to prefetch the whole file. If beyond this + limit then Squid forwards the Range request as it is and the result + is NOT cached. + + This is to stop a far ahead range request (lets say start at 17MB) + from making Squid fetch the whole object up to that point before + sending anything to the client. + + A value of -1 causes Squid to always fetch the object from the + beginning so that it may cache the result. (2.0 style) + + A value of 0 causes Squid to never fetch more than the + client requested. (default) +DOC_END + + +COMMENT_START + TIMEOUTS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: connect_timeout +COMMENT: time-units +TYPE: time_t +LOC: Config.Timeout.connect +DEFAULT: 2 minutes +DOC_START + Some systems (notably Linux) can not be relied upon to properly + time out connect(2) requests. Therefore the Squid process + enforces its own timeout on server connections. This parameter + specifies how long to wait for the connect to complete. The + default is two minutes (120 seconds). +DOC_END + +NAME: peer_connect_timeout +COMMENT: time-units +TYPE: time_t +LOC: Config.Timeout.peer_connect +DEFAULT: 30 seconds +DOC_START + This parameter specifies how long to wait for a pending TCP + connection to a peer cache. The default is 30 seconds. You + may also set different timeout values for individual neighbors + with the 'connect-timeout' option on a 'cache_peer' line. +DOC_END + +NAME: read_timeout +COMMENT: time-units +TYPE: time_t +LOC: Config.Timeout.read +DEFAULT: 15 minutes +DOC_START + The read_timeout is applied on server-side connections. After + each successful read(), the timeout will be extended by this + amount. If no data is read again after this amount of time, + the request is aborted and logged with ERR_READ_TIMEOUT. The + default is 15 minutes. +DOC_END + + +NAME: request_timeout +TYPE: time_t +LOC: Config.Timeout.request +DEFAULT: 5 minutes +DOC_START + How long to wait for an HTTP request after initial + connection establishment. +DOC_END + + +NAME: persistent_request_timeout +TYPE: time_t +LOC: Config.Timeout.persistent_request +DEFAULT: 1 minute +DOC_START + How long to wait for the next HTTP request on a persistent + connection after the previous request completes. +DOC_END + + +NAME: client_lifetime +COMMENT: time-units +TYPE: time_t +LOC: Config.Timeout.lifetime +DEFAULT: 1 day +DOC_START + The maximum amount of time that a client (browser) is allowed to + remain connected to the cache process. This protects the Cache + from having a lot of sockets (and hence file descriptors) tied up + in a CLOSE_WAIT state from remote clients that go away without + properly shutting down (either because of a network failure or + because of a poor client implementation). The default is one + day, 1440 minutes. + + NOTE: The default value is intended to be much larger than any + client would ever need to be connected to your cache. You + should probably change client_lifetime only as a last resort. + If you seem to have many client connections tying up + filedescriptors, we recommend first tuning the read_timeout, + request_timeout, persistent_request_timeout and quick_abort values. +DOC_END + +NAME: half_closed_clients +TYPE: onoff +LOC: Config.onoff.half_closed_clients +DEFAULT: on +DOC_START + Some clients may shutdown the sending side of their TCP + connections, while leaving their receiving sides open. Sometimes, + Squid can not tell the difference between a half-closed and a + fully-closed TCP connection. By default, half-closed client + connections are kept open until a read(2) or write(2) on the + socket returns an error. Change this option to 'off' and Squid + will immediately close client connections when read(2) returns + "no more data to read." +DOC_END + +NAME: pconn_timeout +TYPE: time_t +LOC: Config.Timeout.pconn +DEFAULT: 120 seconds +DOC_START + Timeout for idle persistent connections to servers and other + proxies. +DOC_END + +NAME: ident_timeout +TYPE: time_t +IFDEF: USE_IDENT +LOC: Config.Timeout.ident +DEFAULT: 10 seconds +DOC_START + Maximum time to wait for IDENT lookups to complete. + + If this is too high, and you enabled IDENT lookups from untrusted + users, then you might be susceptible to denial-of-service by having + many ident requests going at once. +DOC_END + + +NAME: shutdown_lifetime +COMMENT: time-units +TYPE: time_t +LOC: Config.shutdownLifetime +DEFAULT: 30 seconds +DOC_START + When SIGTERM or SIGHUP is received, the cache is put into + "shutdown pending" mode until all active sockets are closed. + This value is the lifetime to set for all open descriptors + during shutdown mode. Any active clients after this many + seconds will receive a 'timeout' message. +DOC_END + +COMMENT_START + ACCESS CONTROLS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: acl +TYPE: acl +LOC: Config.aclList +DEFAULT: none +DOC_START + Defining an Access List + + acl aclname acltype string1 ... + acl aclname acltype "file" ... + + when using "file", the file should contain one item per line + + acltype is one of the types described below + + By default, regular expressions are CASE-SENSITIVE. To make + them case-insensitive, use the -i option. + + acl aclname src ip-address/netmask ... (clients IP address) + acl aclname src addr1-addr2/netmask ... (range of addresses) + acl aclname dst ip-address/netmask ... (URL host's IP address) + acl aclname myip ip-address/netmask ... (local socket IP address) + + acl aclname srcdomain .foo.com ... # reverse lookup, client IP + acl aclname dstdomain .foo.com ... # Destination server from URL + acl aclname srcdom_regex [-i] xxx ... # regex matching client name + acl aclname dstdom_regex [-i] xxx ... # regex matching server + # For dstdomain and dstdom_regex a reverse lookup is tried if a IP + # based URL is used. The name "none" is used if the reverse lookup + # fails. + + acl aclname time [day-abbrevs] [h1:m1-h2:m2] + day-abbrevs: + S - Sunday + M - Monday + T - Tuesday + W - Wednesday + H - Thursday + F - Friday + A - Saturday + h1:m1 must be less than h2:m2 + acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL + acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path + acl aclname port 80 70 21 ... + acl aclname port 0-1024 ... # ranges allowed + acl aclname myport 3128 ... # (local socket TCP port) + acl aclname proto HTTP FTP ... + acl aclname method GET POST ... + acl aclname browser [-i] regexp ... + # pattern match on User-Agent header + acl aclname referer_regex [-i] regexp ... + # pattern match on Referer header + # Referer is highly unreliable, so use with care + acl aclname ident username ... + acl aclname ident_regex [-i] pattern ... + # string match on ident output. + # use REQUIRED to accept any non-null ident. + acl aclname src_as number ... + acl aclname dst_as number ... + # Except for access control, AS numbers can be used for + # routing of requests to specific caches. Here's an + # example for routing all requests for AS#1241 and only # those to mycache.mydomain.net: # acl asexample dst_as 1241 # cache_peer_access mycache.mydomain.net allow asexample # cache_peer_access mycache_mydomain.net deny all - acl aclname proxy_auth [-i] username ... - acl aclname proxy_auth_regex [-i] pattern ... -# list of valid usernames + acl aclname proxy_auth [-i] username ... + acl aclname proxy_auth_regex [-i] pattern ... + # list of valid usernames # use REQUIRED to accept any valid username. # # NOTE: when a Proxy-Authentication header is sent but it is not @@ -2270,18 +2235,18 @@ This is the default Squid configuration file. You may wish # the browser needs to be configured for using a proxy in order # to respond to proxy authentication. - acl aclname snmp_community string ... -# A community string to limit access to your SNMP Agent + acl aclname snmp_community string ... + # A community string to limit access to your SNMP Agent # Example: # # acl snmppublic snmp_community public - acl aclname maxconn number -# This will be matched when the client's IP address has + acl aclname maxconn number + # This will be matched when the client's IP address has # more than HTTP connections established. - acl aclname max_user_ip [-s] number -# This will be matched when the user attempts to log in from more + acl aclname max_user_ip [-s] number + # This will be matched when the user attempts to log in from more # than different ip addresses. The authenticate_ip_ttl # parameter controls the timeout on the ip entries. # If -s is specified then the limit is strict, denying browsing @@ -2293,93 +2258,93 @@ This is the default Squid configuration file. You may wish # clients may appear to come from multiple addresses if they are # going through proxy farms, so a limit of 1 may cause user problems. - acl aclname req_mime_type mime-type1 ... -# regex match agains the mime type of the request generated + acl aclname req_mime_type mime-type1 ... + # regex match agains the mime type of the request generated # by the client. Can be used to detect file upload or some # types HTTP tunelling requests. # NOTE: This does NOT match the reply. You cannot use this # to match the returned file type. - acl aclname rep_mime_type mime-type1 ... -# regex match against the mime type of the reply recieved by + acl aclname rep_mime_type mime-type1 ... + # regex match against the mime type of the reply recieved by # squid. Can be used to detect file download or some # types HTTP tunelling requests. # NOTE: This has no effect in http_access rules. It only has # effect in rules that affect the reply data stream such as # http_reply_access. - acl acl_name external class_name [arguments...] -# external ACL lookup via a helper class defined by the + acl acl_name external class_name [arguments...] + # external ACL lookup via a helper class defined by the # external_acl_type directive. - acl aclname user_cert attribute values... -# match against attributes in a user SSL certificate + acl aclname user_cert attribute values... + # match against attributes in a user SSL certificate # attribute is one of DN/C/O/CN/L/ST - acl aclname ca_cert attribute values... -# match against attributes a users issuing CA SSL certificate + acl aclname ca_cert attribute values... + # match against attributes a users issuing CA SSL certificate # attribute is one of DN/C/O/CN/L/ST - Examples: - acl myexample dst_as 1241 - acl password proxy_auth REQUIRED - acl fileupload req_mime_type -i ^multipart/form-data$ - acl javascript rep_mime_type -i ^application/x-javascript$ +Examples: +acl myexample dst_as 1241 +acl password proxy_auth REQUIRED +acl fileupload req_mime_type -i ^multipart/form-data$ +acl javascript rep_mime_type -i ^application/x-javascript$ - NOCOMMENT_START +NOCOMMENT_START #Recommended minimum configuration: - acl all src 0.0.0.0/0.0.0.0 - acl manager proto cache_object - acl localhost src 127.0.0.1/255.255.255.255 - acl to_localhost dst 127.0.0.0/8 - acl SSL_ports port 443 563 - acl Safe_ports port 80 # http - acl Safe_ports port 21 # ftp - acl Safe_ports port 443 563 # https, snews - acl Safe_ports port 70 # gopher - acl Safe_ports port 210 # wais - acl Safe_ports port 1025-65535 # unregistered ports - acl Safe_ports port 280 # http-mgmt - acl Safe_ports port 488 # gss-http - acl Safe_ports port 591 # filemaker - acl Safe_ports port 777 # multiling http - acl CONNECT method CONNECT - NOCOMMENT_END - DOC_END - - NAME: http_access - TYPE: acl_access - LOC: Config.accessList.http - DEFAULT: none - DEFAULT_IF_NONE: deny all - DOC_START - Allowing or Denying access based on defined access lists - - Access to the HTTP port: - http_access allow|deny [!]aclname ... - - NOTE on default values: - - If there are no "access" lines present, the default is to deny - the request. - - If none of the "access" lines cause a match, the default is the - opposite of the last line in the list. If the last line was - deny, then the default is allow. Conversely, if the last line - is allow, the default will be deny. For these reasons, it is a - good idea to have an "deny all" or "allow all" entry at the end - of your access lists to avoid potential confusion. - - NOCOMMENT_START +acl all src 0.0.0.0/0.0.0.0 +acl manager proto cache_object +acl localhost src 127.0.0.1/255.255.255.255 +acl to_localhost dst 127.0.0.0/8 +acl SSL_ports port 443 563 +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 563 # https, snews +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +acl CONNECT method CONNECT +NOCOMMENT_END +DOC_END + +NAME: http_access +TYPE: acl_access +LOC: Config.accessList.http +DEFAULT: none +DEFAULT_IF_NONE: deny all +DOC_START + Allowing or Denying access based on defined access lists + + Access to the HTTP port: + http_access allow|deny [!]aclname ... + + NOTE on default values: + + If there are no "access" lines present, the default is to deny + the request. + + If none of the "access" lines cause a match, the default is the + opposite of the last line in the list. If the last line was + deny, then the default is allow. Conversely, if the last line + is allow, the default will be deny. For these reasons, it is a + good idea to have an "deny all" or "allow all" entry at the end + of your access lists to avoid potential confusion. + +NOCOMMENT_START #Recommended minimum configuration: # # Only allow cachemgr access from localhost - http_access allow manager localhost - http_access deny manager +http_access allow manager localhost +http_access deny manager # Deny requests to unknown ports - http_access deny !Safe_ports +http_access deny !Safe_ports # Deny CONNECT to other than SSL ports - http_access deny CONNECT !SSL_ports +http_access deny CONNECT !SSL_ports # # We strongly recommend to uncomment the following to protect innocent # web applications running on the proxy server who think that the only @@ -2395,1846 +2360,1797 @@ This is the default Squid configuration file. You may wish #http_access allow our_networks # And finally deny all other access to this proxy - http_access deny all - NOCOMMENT_END - DOC_END +http_access deny all +NOCOMMENT_END +DOC_END - NAME: http_reply_access - TYPE: acl_access - LOC: Config.accessList.reply - DEFAULT: none - DEFAULT_IF_NONE: allow all - DOC_START - Allow replies to client requests. This is complementary to http_access. +NAME: http_reply_access +TYPE: acl_access +LOC: Config.accessList.reply +DEFAULT: none +DEFAULT_IF_NONE: allow all +DOC_START + Allow replies to client requests. This is complementary to http_access. - http_reply_access allow|deny [!] aclname ... + http_reply_access allow|deny [!] aclname ... - NOTE: if there are no access lines present, the default is to allow - all replies + NOTE: if there are no access lines present, the default is to allow + all replies - If none of the access lines cause a match, then the opposite of the - last line will apply. Thus it is good practice to end the rules - with an "allow all" or "deny all" entry. + If none of the access lines cause a match, then the opposite of the + last line will apply. Thus it is good practice to end the rules + with an "allow all" or "deny all" entry. - NOCOMMENT_START +NOCOMMENT_START #Recommended minimum configuration: # # Insert your own rules here. # # # and finally allow by default - http_reply_access allow all - NOCOMMENT_END - DOC_END +http_reply_access allow all +NOCOMMENT_END +DOC_END - NAME: icp_access - TYPE: acl_access - LOC: Config.accessList.icp - DEFAULT: none - DEFAULT_IF_NONE: deny all - DOC_START - Allowing or Denying access to the ICP port based on defined - access lists +NAME: icp_access +TYPE: acl_access +LOC: Config.accessList.icp +DEFAULT: none +DEFAULT_IF_NONE: deny all +DOC_START + Allowing or Denying access to the ICP port based on defined + access lists - icp_access allow|deny [!]aclname ... + icp_access allow|deny [!]aclname ... - See http_access for details + See http_access for details - NOCOMMENT_START +NOCOMMENT_START #Allow ICP queries from everyone - icp_access allow all - NOCOMMENT_END - DOC_END +icp_access allow all +NOCOMMENT_END +DOC_END - NAME: miss_access - TYPE: acl_access - LOC: Config.accessList.miss - DEFAULT: none - DOC_START - Use to force your neighbors to use you as a sibling instead of - a parent. For example: +NAME: miss_access +TYPE: acl_access +LOC: Config.accessList.miss +DEFAULT: none +DOC_START + Use to force your neighbors to use you as a sibling instead of + a parent. For example: - acl localclients src 172.16.0.0/16 - miss_access allow localclients - miss_access deny !localclients + acl localclients src 172.16.0.0/16 + miss_access allow localclients + miss_access deny !localclients - This means that only your local clients are allowed to fetch - MISSES and all other clients can only fetch HITS. + This means that only your local clients are allowed to fetch + MISSES and all other clients can only fetch HITS. - By default, allow all clients who passed the http_access rules - to fetch MISSES from us. + By default, allow all clients who passed the http_access rules + to fetch MISSES from us. - NOCOMMENT_START +NOCOMMENT_START #Default setting: # miss_access allow all - NOCOMMENT_END - DOC_END - - - NAME: cache_peer_access - TYPE: peer_access - DEFAULT: none - LOC: none - DOC_START - Similar to 'cache_peer_domain' but provides more flexibility by - using ACL elements. - - cache_peer_access cache-host allow|deny [!]aclname ... - - The syntax is identical to 'http_access' and the other lists of - ACL elements. See the comments for 'http_access' below, or - the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html). - DOC_END - - NAME: ident_lookup_access - TYPE: acl_access - IFDEF: USE_IDENT - DEFAULT: none - DEFAULT_IF_NONE: deny all - LOC: Config.accessList.identLookup - DOC_START - A list of ACL elements which, if matched, cause an ident - (RFC 931) lookup to be performed for this request. For - example, you might choose to always perform ident lookups - for your main multi-user Unix boxes, but not for your Macs - and PCs. By default, ident lookups are not performed for - any requests. - - To enable ident lookups for specific client addresses, you - can follow this example: - - acl ident_aware_hosts src 198.168.1.0/255.255.255.0 - ident_lookup_access allow ident_aware_hosts - ident_lookup_access deny all - - Only src type ACL checks are fully supported. A src_domain - ACL might work at times, but it will not always provide - the correct result. - DOC_END - - NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp - TYPE: acl_tos - DEFAULT: none - LOC: Config.accessList.outgoing_tos - DOC_START - Allows you to select a TOS/Diffserv value to mark outgoing - connections with, based on the username or source address - making the request. - - tcp_outgoing_tos ds-field [!]aclname ... - - Example where normal_service_net uses the TOS value 0x00 - and normal_service_net uses 0x20 - - acl normal_service_net src 10.0.0.0/255.255.255.0 - acl good_service_net src 10.0.1.0/255.255.255.0 - tcp_outgoing_tos 0x00 normal_service_net 0x00 - tcp_outgoing_tos 0x20 good_service_net - - TOS/DSCP values really only have local significance - so you should - know what you're specifying. For more, see RFC 2474 - - The TOS/DSCP byte must be exactly that - a byte, value 0 - 255, or - "default" to use whatever default your host has. - - Processing proceeds in the order specified, and stops at first fully - matching line. - DOC_END - - NAME: tcp_outgoing_address - TYPE: acl_address - DEFAULT: none - LOC: Config.accessList.outgoing_address - DOC_START - Allows you to map requests to different outgoing IP addresses - based on the username or sourceaddress of the user making - the request. - - tcp_outgoing_address ipaddr [[!]aclname] ... - - Example where requests from 10.0.0.0/24 will be forwareded - with source address 10.1.0.1, 10.0.2.0/24 forwarded with - source address 10.1.0.2 and the rest will be forwarded with - source address 10.1.0.3. - - acl normal_service_net src 10.0.0.0/255.255.255.0 - acl good_service_net src 10.0.1.0/255.255.255.0 - tcp_outgoing_address 10.0.0.1 normal_service_net - tcp_outgoing_address 10.0.0.2 good_service_net - tcp_outgoing_address 10.0.0.3 - - Processing proceeds in the order specified, and stops at first fully - matching line. - DOC_END - - NAME: reply_body_max_size - COMMENT: size [acl acl...] - TYPE: acl_b_size_t - DEFAULT: none - LOC: Config.ReplyBodySize - DOC_START - This option specifies the maximum size of a reply body. It can be - used to prevent users from downloading very large files, such as - MP3's and movies. When the reply headers are recieved, the - reply_body_max_size lines are processed, and the first line where - all (if any) listed acls are true is used as the maximum body size - for this reply. - - This size is then checked twice. First when we get - the reply headers, - we check the content-length value. If the content length value exists - and is larger than the allowed size, the request is denied and the - user receives an error message that says "the request or reply - is too large." If there is no content-length, and the reply - size exceeds this limit, the client's connection is just closed - and they will receive a partial reply. - - WARNING: downstream caches probably can not detect a partial reply - if there is no content-length header, so they will cache - partial responses and give them out as hits. You should NOT - use this option if you have downstream caches. - - WARNING: A maximum size smaller than the size of squid's error messages - will cause an infinite loop and crash squid. Ensure that the smallest - non-zero value you use is greater that the maximum header size plus - the size of your largest error page. - - If you set - this parameter none (the default), there will be - no limit imposed. - DOC_END - - COMMENT_START - ADMINISTRATIVE PARAMETERS - ----------------------------------------------------------------------------- - COMMENT_END - - NAME: cache_mgr - TYPE: string - DEFAULT: webmaster - LOC: Config.adminEmail - DOC_START - Email-address of local cache manager who will receive - mail if the cache dies. The default is "webmaster." - DOC_END - - - NAME: cache_effective_user - TYPE: string - DEFAULT: nobody - LOC: Config.effectiveUser - DOC_NONE - - NAME: cache_effective_group - TYPE: string - DEFAULT: none - LOC: Config.effectiveGroup - DOC_START - - If you start Squid as root, it will change its effective/real - UID/GID to the UID/GID specified below. The default is to - change to UID to nobody. If you define cache_effective_user, - but not cache_effective_group, Squid sets the GID the - effective user's default group ID (taken from the password - file). - - If Squid is not started as root, the cache_effective_user - value is ignored and the GID value is unchanged by default. - However, you can make Squid change its GID to another group - that the process owner is a member of. Note that if Squid - is not started as root then you cannot set http_port to a - value lower than 1024. - DOC_END - - - NAME: visible_hostname - TYPE: string - LOC: Config.visibleHostname - DEFAULT: none - DOC_START - If you want to present a special hostname in error messages, etc, - then define this. Otherwise, the return value of gethostname() - will be used. If you have multiple caches in a cluster and - get errors about IP-forwarding you must set them to have individual - names with this setting. - DOC_END - - - NAME: unique_hostname - TYPE: string - LOC: Config.uniqueHostname - DEFAULT: none - DOC_START - If you want to have multiple machines with the same - 'visible_hostname' then you must give each machine a different - 'unique_hostname' so that forwarding loops can be detected. - DOC_END - - - NAME: hostname_aliases - TYPE: wordlist - LOC: Config.hostnameAliases - DEFAULT: none - DOC_START - A list of other DNS names that your cache has. - DOC_END - - COMMENT_START - OPTIONS FOR THE CACHE REGISTRATION SERVICE - ----------------------------------------------------------------------------- - - This section contains parameters for the (optional) cache - announcement service. This service is provided to help - cache administrators locate one another in order to join or - create cache hierarchies. - - An 'announcement' message is sent (via UDP) to the registration - service by Squid. By default, the announcement message is NOT - SENT unless you enable it with 'announce_period' below. - - The announcement message includes your hostname, plus the - following information from this configuration file: - - http_port - icp_port - cache_mgr - - All current information is processed regularly and made - available on the Web at http://www.ircache.net/Cache/Tracker/. - COMMENT_END - - NAME: announce_period - TYPE: time_t - LOC: Config.Announce.period - DEFAULT: 0 - DOC_START - This is how frequently to send cache announcements. The - default is `0' which disables sending the announcement - messages. - - To enable announcing your cache, just uncomment the line - below. - - NOCOMMENT_START -#To enable announcing your cache, just uncomment the line below. -#announce_period 1 day - NOCOMMENT_END - DOC_END - - - NAME: announce_host - TYPE: string - DEFAULT: tracker.ircache.net - LOC: Config.Announce.host - DOC_NONE - - NAME: announce_file - TYPE: string - DEFAULT: none - LOC: Config.Announce.file - DOC_NONE - - NAME: announce_port - TYPE: ushort - DEFAULT: 3131 - LOC: Config.Announce.port - DOC_START - announce_host and announce_port set - the hostname and port - number where the registration message will be sent. - - Hostname will default to 'tracker.ircache.net' and port will - default default to 3131. If the 'filename' argument is given, - the contents of that file will be included in the announce - message. - DOC_END - - NAME: httpd_accel_surrogate_id - IFDEF: ESI - TYPE: string - LOC: Config.Accel.surrogate_id - DEFAULT: none - DOC_START - Surrogates (http://www.esi.org/architecture_spec_1.0.html) - need an identification token to allow control targeting. Because - a farm of surrogates may all perform the same tasks, they may share - an identification token. - DOC_END - - NAME: http_accel_surrogate_remote - IFDEF: ESI - COMMENT: on|off - TYPE: onoff - DEFAULT: off - LOC: Config.onoff.surrogate_is_remote - DOC_START - Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. - Set this to on to have squid behave as a remote surrogate. - DOC_END - - NAME: esi_parser - IFDEF: ESI - COMMENT: expat|custom - TYPE: string - LOC: ESIParser::Type - DEFAULT: custom - DOC_START - ESI markup is not strictly XML compatible. The custom ESI parser - will give higher performance, but cannot handle non ASCII character - encodings. - DOC_END - - COMMENT_START - MISCELLANEOUS - ----------------------------------------------------------------------------- - COMMENT_END - - NAME: dns_testnames - TYPE: wordlist - LOC: Config.dns_testname_list - DEFAULT: none - DEFAULT_IF_NONE: netscape.com internic.net nlanr.net microsoft.com - DOC_START - The DNS tests exit as soon as the first site is successfully looked up - - This test can be disabled with the -D command line option. - DOC_END - - - NAME: logfile_rotate - TYPE: int - DEFAULT: 10 - LOC: Config.Log.rotateNumber - DOC_START - Specifies the number of logfile rotations to make when you - type 'squid -k rotate'. The default is 10, which will rotate - with extensions 0 through 9. Setting logfile_rotate to 0 will - disable the rotation, but the logfiles are still closed and - re-opened. This will enable you to rename the logfiles - yourself just before sending the rotate signal. - - Note, the 'squid -k rotate' command normally sends a USR1 - signal to the running squid process. In certain situations - (e.g. on Linux with Async I/O), USR1 is used for other - purposes, so -k rotate uses another signal. It is best to get - in the habit of using 'squid -k rotate' instead of 'kill -USR1 - '. - DOC_END - - - NAME: append_domain - TYPE: string - LOC: Config.appendDomain - DEFAULT: none - DOC_START - Appends local domain name to hostnames without any dots in - them. append_domain must begin with a period. - - Be warned that there today is Internet names with no dots in - them using only top-domain names, so setting this may - cause some Internet sites to become unavailable. - - Example: - append_domain .yourdomain.com - DOC_END - - - NAME: tcp_recv_bufsize - COMMENT: (bytes) - TYPE: b_size_t - DEFAULT: 0 bytes - LOC: Config.tcpRcvBufsz - DOC_START - Size of receive buffer to set - for TCP sockets. Probably just - as easy to change your kernel's default. Set to zero to use - the default buffer size. - DOC_END - - NAME: err_html_text - TYPE: eol - LOC: Config.errHtmlText - DEFAULT: none - DOC_START - HTML text to include in error messages. Make this a "mailto" - URL to your admin address, or maybe just a link to your - organizations Web page. - - To include this in your error messages, you must rewrite - the error template files (found in the "errors" directory). - Wherever you want the 'err_html_text' line to appear, - insert a %L tag in the error template file. - DOC_END - - NAME: email_err_data - COMMENT: on|off - TYPE: onoff - LOC: Config.onoff.emailErrData - DEFAULT: on - DOC_START - If enabled, information about the occurred error will be - included in the mailto links of the ERR pages (if %W is set) - so that the email body then contains the data. - Syntax is %w - DOC_END - - - NAME: deny_info - TYPE: denyinfo - LOC: Config.denyInfoList - DEFAULT: none - DOC_START - Usage: deny_info err_page_name acl - or deny_info http://... acl - Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys - - This can be used to return a ERR_ page for requests which - do not pass the 'http_access' rules. A single ACL will cause - the http_access check to fail. If a 'deny_info' line exists - for that ACL then Squid returns a corresponding error page. - - You may use ERR_ pages that come with Squid or create your own pages - and put them into the configured errors/ directory. - - Alternatively you can specify an error URL. The browsers will then - get redirected (302) to the specified URL. %s in the redirection - URL will be replaced by the requested URL. - - Alternatively you can tell Squid to reset the TCP connection - by specifying TCP_RESET. - DOC_END - - NAME: memory_pools - COMMENT: on|off - TYPE: onoff - DEFAULT: on - LOC: Config.onoff.mem_pools - DOC_START - If set, Squid will keep pools of allocated (but unused) memory - available for future use. If memory is a premium on your - system and you believe your malloc library outperforms Squid - routines, disable this. - DOC_END - - NAME: memory_pools_limit - COMMENT: (bytes) - TYPE: b_size_t - DEFAULT: none - LOC: Config.MemPools.limit - DOC_START - Used only with memory_pools on: - memory_pools_limit 50 MB - - If set to a non-zero value, Squid will keep at most the specified - limit of allocated (but unused) memory in memory pools. All free() - requests that exceed this limit will be handled by your malloc - library. Squid does not pre-allocate any memory, just safe-keeps - objects that otherwise would be free()d. Thus, it is safe to set - memory_pools_limit to a reasonably high value even if your - configuration will use less memory. - - If not set (default) or set to zero, Squid will keep all memory it - can. That is, there will be no limit on the total amount of memory - used for safe-keeping. - - To disable memory allocation optimization, do not set - memory_pools_limit to 0. Set memory_pools to "off" instead. - - An overhead for maintaining memory pools is not taken into account - when the limit is checked. This overhead is close to four bytes per - object kept. However, pools may actually _save_ memory because of - reduced memory thrashing in your malloc library. - DOC_END - - NAME: via - IFDEF: HTTP_VIOLATIONS - COMMENT: on|off - TYPE: onoff - DEFAULT: on - LOC: Config.onoff.via - DOC_START - If set (default), Squid will include a Via header in requests and - replies as required by RFC2616. - DOC_END - - NAME: forwarded_for - COMMENT: on|off - TYPE: onoff - DEFAULT: on - LOC: opt_forwarded_for - DOC_START - If set, Squid will include your system's IP address or name - in the HTTP requests it forwards. By default it looks like - this: - - X-Forwarded-For: 192.1.2.3 - - If you disable this, it will appear as - - X-Forwarded-For: unknown - DOC_END - - NAME: log_icp_queries - COMMENT: on|off - TYPE: onoff - DEFAULT: on - LOC: Config.onoff.log_udp - DOC_START - If set - , ICP queries are logged to access.log. You may wish - do - disable this if your ICP load is VERY high to speed things - up or to simplify log analysis. - DOC_END - - NAME: icp_hit_stale - COMMENT: on|off - TYPE: onoff - DEFAULT: off - LOC: Config.onoff.icp_hit_stale - DOC_START - If you want to return ICP_HIT for stale cache objects, set - this - option to 'on'. If you have sibling relationships with caches - in other administrative domains, this should be 'off'. If you only - have sibling relationships with caches under your control, then - it is probably okay to set - this to 'on'. - If set - to 'on', then your siblings should use the option "allow-miss" - on their cache_peer lines for connecting to you. - DOC_END - - - NAME: minimum_direct_hops - TYPE: int - DEFAULT: 4 - LOC: Config.minDirectHops - DOC_START - If using the ICMP pinging stuff, do - direct fetches for sites - which are no more than this many hops away. - DOC_END - - NAME: minimum_direct_rtt - TYPE: int - DEFAULT: 400 - LOC: Config.minDirectRtt - DOC_START - If using the ICMP pinging stuff, do - direct fetches for sites - which are no more than this many rtt milliseconds away. - DOC_END - - NAME: cachemgr_passwd - TYPE: cachemgrpasswd - DEFAULT: none - LOC: Config.passwd_list - DOC_START - Specify passwords for cachemgr operations. - - Usage: cachemgr_passwd password action action ... - - Some valid actions are (see cache manager menu for a full list): - 5min - 60min - asndb - authenticator - cbdata - client_list - comm_incoming - config * - counters - delay - digest_stats - dns - events - filedescriptors - fqdncache - histograms - http_headers - info - io - ipcache - mem - menu - netdb - non_peers - objects - offline_toggle * - pconn - peer_select - redirector - refresh - server_list - shutdown * - store_digest - storedir - utilization - via_headers - vm_objects - - * Indicates actions which will not be performed without a - valid password, others can be performed if not listed here. - - To disable an action, set - the password to "disable". - To allow performing an action without a password, set - the - password to "none". - - Use the keyword "all" to set - the same password for all actions. - - Example: - cachemgr_passwd secret shutdown - cachemgr_passwd lesssssssecret info stats/objects - cachemgr_passwd disable all - DOC_END - - NAME: store_avg_object_size - COMMENT: (kbytes) - TYPE: kb_size_t - DEFAULT: 13 KB - LOC: Config.Store.avgObjectSize - DOC_START - Average object size, used to estimate number of objects your - cache can hold. See doc/Release-Notes-1.1.txt. The default is - 13 KB. - DOC_END - - NAME: store_objects_per_bucket - TYPE: int - DEFAULT: 20 - LOC: Config.Store.objectsPerBucket - DOC_START - Target number of objects per bucket in the store hash table. - Lowering this value increases the total number of buckets and - also the storage maintenance rate. The default is 50. - DOC_END - - NAME: client_db - COMMENT: on|off - TYPE: onoff - DEFAULT: on - LOC: Config.onoff.client_db - DOC_START - If you want to disable collecting per-client statistics, then - turn off client_db here. - DOC_END - - - NAME: netdb_low - TYPE: int - DEFAULT: 900 - LOC: Config.Netdb.low - DOC_NONE - - NAME: netdb_high - TYPE: int - DEFAULT: 1000 - LOC: Config.Netdb.high - DOC_START - The low and high water marks for the ICMP measurement - database. These are counts, not percents. The defaults are - 900 and 1000. When the high water mark is reached, database - entries will be deleted until the low mark is reached. - DOC_END - - - NAME: netdb_ping_period - TYPE: time_t - LOC: Config.Netdb.period - DEFAULT: 5 minutes - DOC_START - The minimum period for measuring a site. There will be at - least this much delay between successive pings to the same - network. The default is five minutes. - DOC_END - - - NAME: query_icmp - COMMENT: on|off - TYPE: onoff - DEFAULT: off - LOC: Config.onoff.query_icmp - DOC_START - If you want to ask your peers to include ICMP data in their ICP - replies, enable this option. - - If your peer has configured Squid (during compilation) with - '--enable-icmp' then that peer will send ICMP pings to origin server - sites of the URLs it receives. If you enable this option then the - ICP replies from that peer will include the ICMP data (if available). - Then, when choosing a parent cache, Squid will choose the parent with - the minimal RTT to the origin server. When this happens, the - hierarchy field of the access.log will be - "CLOSEST_PARENT_MISS". This option is off by default. - DOC_END - - NAME: test_reachability - COMMENT: on|off - TYPE: onoff - DEFAULT: off - LOC: Config.onoff.test_reachability - DOC_START - When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH - instead of ICP_MISS if the target host is NOT in the ICMP - database, or has a zero RTT. - DOC_END - - NAME: buffered_logs - COMMENT: on|off - TYPE: onoff - DEFAULT: off - LOC: Config.onoff.buffered_logs - DOC_START - cache.log log file is written with stdio functions, and as such - it can be buffered or unbuffered. By default it will be unbuffered. - Buffering it can speed up the writing slightly (though you are - unlikely to need to worry unless you run with tons of debugging - enabled in which case performance will suffer badly anyway..). - DOC_END - - NAME: reload_into_ims - IFDEF: HTTP_VIOLATIONS - COMMENT: on|off - TYPE: onoff - DEFAULT: off - LOC: Config.onoff.reload_into_ims - DOC_START - When you enable this option, client no-cache or ``reload'' - requests will be changed to If-Modified-Since requests. - Doing this VIOLATES the HTTP standard. Enabling this - feature could make you liable for problems which it - causes. - - see also refresh_pattern for a more selective approach. - DOC_END - - NAME: always_direct - TYPE: acl_access - LOC: Config.accessList.AlwaysDirect - DEFAULT: none - DOC_START - Usage: always_direct allow|deny [!]aclname ... - - Here you can use ACL elements to specify requests which should - ALWAYS be forwarded directly to origin servers. For example, - to always directly forward requests for local servers use - something like: - - acl local-servers dstdomain my.domain.net - always_direct allow local-servers - - To always forward FTP requests directly, use - - acl FTP proto FTP - always_direct allow FTP - - NOTE: There is a similar, but opposite option named - 'never_direct'. You need to be aware that "always_direct deny - foo" is NOT the same thing as "never_direct allow foo". You - may need to use a deny rule to exclude a more-specific case of - some other rule. Example: - - acl local-external dstdomain external.foo.net - acl local-servers dstdomain .foo.net - always_direct deny local-external - always_direct allow local-servers - - This option replaces some v1.1 options such as local_domain - and local_ip. - DOC_END - - NAME: never_direct - TYPE: acl_access - LOC: Config.accessList.NeverDirect - DEFAULT: none - DOC_START - Usage: never_direct allow|deny [!]aclname ... - - never_direct is the opposite of always_direct. Please read - the description for always_direct if you have not already. - - With 'never_direct' you can use ACL elements to specify - requests which should NEVER be forwarded directly to origin - servers. For example, to force the use of a proxy for all - requests, except those in your local domain use something like: - - acl local-servers dstdomain .foo.net - acl all src 0.0.0.0/0.0.0.0 - never_direct deny local-servers - never_direct allow all - - or if squid is inside a firewall and there is local intranet - servers inside the firewall then use something like: - - acl local-intranet dstdomain .foo.net - acl local-external dstdomain external.foo.net - always_direct deny local-external - always_direct allow local-intranet - never_direct allow all - - This option replaces some v1.1 options such as inside_firewall - and firewall_ip. - DOC_END - - NAME: header_access - IFDEF: HTTP_VIOLATIONS - TYPE: http_header_access[] - LOC: Config.header_access - DEFAULT: none - DOC_START - Usage: header_access header_name allow|deny [!]aclname ... - - WARNING: Doing this VIOLATES the HTTP standard. Enabling - this feature could make you liable for problems which it - causes. - - This option replaces the old 'anonymize_headers' and the - older 'http_anonymizer' option with something that is much - more configurable. This new method creates a list of ACLs - for each header, allowing you very fine-tuned header - mangling. - - You can only specify known headers for the header name. - Other headers are reclassified as 'Other'. You can also - refer to all the headers with 'All'. - - For example, to achieve the same behaviour as the old - 'http_anonymizer standard' option, you should use: - - header_access From deny all - header_access Referer deny all - header_access Server deny all - header_access User-Agent deny all - header_access WWW-Authenticate deny all - header_access Link deny all - - Or, to reproduce the old 'http_anonymizer paranoid' feature - you should use: - - header_access Allow allow all - header_access Authorization allow all - header_access WWW-Authenticate allow all - header_access Cache-Control allow all - header_access Content-Encoding allow all - header_access Content-Length allow all - header_access Content-Type allow all - header_access Date allow all - header_access Expires allow all - header_access Host allow all - header_access If-Modified-Since allow all - header_access Last-Modified allow all - header_access Location allow all - header_access Pragma allow all - header_access Accept allow all - header_access Accept-Charset allow all - header_access Accept-Encoding allow all - header_access Accept-Language allow all - header_access Content-Language allow all - header_access Mime-Version allow all - header_access Retry-After allow all - header_access Title allow all - header_access Connection allow all - header_access Proxy-Connection allow all - header_access All deny all - - By default, all headers are allowed (no anonymizing is - performed). - DOC_END - - NAME: header_replace - IFDEF: HTTP_VIOLATIONS - TYPE: http_header_replace[] - LOC: Config.header_access - DEFAULT: none - DOC_START - Usage: header_replace header_name message - Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) - - This option allows you to change the contents of headers - denied with header_access above, by replacing them with - some fixed string. This replaces the old fake_user_agent - option. - - By default, headers are removed if denied. - DOC_END - - NAME: icon_directory - - TYPE: string - - LOC: Config.icons.directory - - DEFAULT: @DEFAULT_ICON_DIR@ - DOC_START - Where the icons are stored. These are normally kept in - @DEFAULT_ICON_DIR@ - DOC_END - - NAME: error_directory - - TYPE: string - - LOC: Config.errorDirectory - - DEFAULT: @DEFAULT_ERROR_DIR@ - DOC_START - If you wish to create your own versions of the default - (English) error files, either to customize them to suit your - language or company copy the template English files to another - directory and point this tag at them. - DOC_END - - NAME: minimum_retry_timeout - - COMMENT: (seconds) - - TYPE: time_t - - LOC: Config.retry.timeout - - DEFAULT: 5 seconds - DOC_START - This specifies the minimum connect timeout, for when the - connect timeout is reduced to compensate for the availability - of multiple IP addresses. - - When a connection to a host is initiated, and that host has - several IP addresses, the default connection timeout is reduced - by dividing it by the number of addresses. So, a site with 15 - addresses would then have a timeout of 8 seconds for each - address attempted. To avoid having the timeout reduced to the - point where even a working host would not have a chance to - respond, this setting is provided. The default, and the - minimum value, is five seconds, and the maximum value is sixty - seconds, or half of connect_timeout, whichever is greater and - less than connect_timeout. - DOC_END - - NAME: maximum_single_addr_tries - - TYPE: int - - LOC: Config.retry.maxtries - - DEFAULT: 3 - DOC_START - This sets the maximum number of connection attempts for a - host that only has one address (for multiple-address hosts, - each address is tried once). - - The default value is three tries, the (not recommended) - maximum is 255 tries. A warning message will be generated - if it is set to a value greater than ten. - DOC_END - - NAME: snmp_port - - TYPE: ushort - - LOC: Config.Port.snmp - - DEFAULT: 3401 - - IFDEF: SQUID_SNMP - DOC_START - Squid can now serve statistics and status information via SNMP. - By default it listens to port 3401 on the machine. If you don't - wish to use SNMP, set this to "0". - DOC_END - - NAME: snmp_access - TYPE: acl_access - LOC: Config.accessList.snmp - DEFAULT: none - DEFAULT_IF_NONE: deny all - IFDEF: SQUID_SNMP - DOC_START - Allowing or denying access to the SNMP port. - - All access to the agent is denied by default. - usage: - - snmp_access allow|deny [!]aclname ... - - Example: - snmp_access allow snmppublic localhost - snmp_access deny all - DOC_END - - NAME: snmp_incoming_address - TYPE: address - LOC: Config.Addrs.snmp_incoming - DEFAULT: 0.0.0.0 - IFDEF: SQUID_SNMP - DOC_NONE - NAME: snmp_outgoing_address - TYPE: address - LOC: Config.Addrs.snmp_outgoing - DEFAULT: 255.255.255.255 - IFDEF: SQUID_SNMP - DOC_START - Just like 'udp_incoming_address' above, but for the SNMP port. - - snmp_incoming_address is used for the SNMP socket receiving - messages from SNMP agents. - snmp_outgoing_address is used for SNMP packets returned to SNMP - agents. - - The default snmp_incoming_address (0.0.0.0) is to listen on all - available network interfaces. - - If snmp_outgoing_address is set to 255.255.255.255 (the default) - then it will use the same socket as snmp_incoming_address. Only - change this if you want to have SNMP replies sent using another - address than where this Squid listens for SNMP queries. - - NOTE, snmp_incoming_address and snmp_outgoing_address can not have - the same value since they both use port 3401. - DOC_END - - NAME: as_whois_server - TYPE: string - LOC: Config.as_whois_server - DEFAULT: whois.ra.net - DEFAULT_IF_NONE: whois.ra.net - DOC_START - WHOIS server to query for AS numbers. NOTE: AS numbers are - queried only when Squid starts up, not for every request. - DOC_END - - NAME: wccp_router - TYPE: address - LOC: Config.Wccp.router - DEFAULT: 0.0.0.0 - IFDEF: USE_WCCP - DOC_START - Use this option to define your WCCP ``home'' router for - Squid. Setting the 'wccp_router' to 0.0.0.0 (the default) - disables WCCP. - DOC_END - - NAME: wccp_version - TYPE: int - LOC: Config.Wccp.version - DEFAULT: 4 - IFDEF: USE_WCCP - DOC_START - According to some users, Cisco IOS 11.2 only supports WCCP - version 3. If you're using that version of IOS, change - this value to 3. - DOC_END - - NAME: wccp_incoming_address - - TYPE: address - - LOC: Config.Wccp.incoming - - DEFAULT: 0.0.0.0 - - IFDEF: USE_WCCP - DOC_NONE - - NAME: wccp_outgoing_address - - TYPE: address - - LOC: Config.Wccp.outgoing - - DEFAULT: 255.255.255.255 - - IFDEF: USE_WCCP - DOC_START - wccp_incoming_address Use this option if you require WCCP - messages to be received on only one - interface. Do NOT use this option if - you're unsure how many interfaces you - have, or if you know you have only one - interface. - - wccp_outgoing_address Use this option if you require WCCP - messages to be sent out on only one - interface. Do NOT use this option if - you're unsure how many interfaces you - have, or if you know you have only one - interface. - - The default behavior is to not bind to any specific address. - - NOTE, wccp_incoming_address and wccp_outgoing_address can not have - the same value since they both use port 2048. - DOC_END - - - COMMENT_START - DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option) - ----------------------------------------------------------------------------- - COMMENT_END - - NAME: delay_pools - - TYPE: delay_pool_count - - DEFAULT: 0 - - IFDEF: DELAY_POOLS - - LOC: Config.Delay - DOC_START - This represents the number of delay pools to be used. For example, - if you have one class 2 delay pool and one class 3 delays pool, you - have a total of 2 delay pools. - DOC_END - - NAME: delay_class - - TYPE: delay_pool_class - - DEFAULT: none - - IFDEF: DELAY_POOLS - - LOC: Config.Delay - DOC_START - This defines the class of each delay pool. There must be exactly one - delay_class line for each delay pool. For example, to define two - delay pools, one of class 2 and one of class 3, the settings above - - and here would be: - - Example: - delay_pools 4 # 4 delay pools - delay_class 1 2 # pool 1 is a class 2 pool - delay_class 2 3 # pool 2 is a class 3 pool - delay_class 3 4 # pool 3 is a class 4 pool - delay_class 4 5 # pool 4 is a class 5 pool - - The delay pool classes are: - - class 1 Everything is limited by a single aggregate - bucket. - - class 2 Everything is limited by a single aggregate - bucket as well as an "individual" bucket chosen - from bits 25 through 32 of the IP address. +NOCOMMENT_END +DOC_END + + +NAME: cache_peer_access +TYPE: peer_access +DEFAULT: none +LOC: none +DOC_START + Similar to 'cache_peer_domain' but provides more flexibility by + using ACL elements. + + cache_peer_access cache-host allow|deny [!]aclname ... + + The syntax is identical to 'http_access' and the other lists of + ACL elements. See the comments for 'http_access' below, or + the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html). +DOC_END + +NAME: ident_lookup_access +TYPE: acl_access +IFDEF: USE_IDENT +DEFAULT: none +DEFAULT_IF_NONE: deny all +LOC: Config.accessList.identLookup +DOC_START + A list of ACL elements which, if matched, cause an ident + (RFC 931) lookup to be performed for this request. For + example, you might choose to always perform ident lookups + for your main multi-user Unix boxes, but not for your Macs + and PCs. By default, ident lookups are not performed for + any requests. + + To enable ident lookups for specific client addresses, you + can follow this example: + + acl ident_aware_hosts src 198.168.1.0/255.255.255.0 + ident_lookup_access allow ident_aware_hosts + ident_lookup_access deny all + + Only src type ACL checks are fully supported. A src_domain + ACL might work at times, but it will not always provide + the correct result. +DOC_END + +NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp +TYPE: acl_tos +DEFAULT: none +LOC: Config.accessList.outgoing_tos +DOC_START + Allows you to select a TOS/Diffserv value to mark outgoing + connections with, based on the username or source address + making the request. + + tcp_outgoing_tos ds-field [!]aclname ... + + Example where normal_service_net uses the TOS value 0x00 + and normal_service_net uses 0x20 + + acl normal_service_net src 10.0.0.0/255.255.255.0 + acl good_service_net src 10.0.1.0/255.255.255.0 + tcp_outgoing_tos 0x00 normal_service_net 0x00 + tcp_outgoing_tos 0x20 good_service_net + + TOS/DSCP values really only have local significance - so you should + know what you're specifying. For more, see RFC 2474 + + The TOS/DSCP byte must be exactly that - a byte, value 0 - 255, or + "default" to use whatever default your host has. + + Processing proceeds in the order specified, and stops at first fully + matching line. +DOC_END + +NAME: tcp_outgoing_address +TYPE: acl_address +DEFAULT: none +LOC: Config.accessList.outgoing_address +DOC_START + Allows you to map requests to different outgoing IP addresses + based on the username or sourceaddress of the user making + the request. + + tcp_outgoing_address ipaddr [[!]aclname] ... + + Example where requests from 10.0.0.0/24 will be forwareded + with source address 10.1.0.1, 10.0.2.0/24 forwarded with + source address 10.1.0.2 and the rest will be forwarded with + source address 10.1.0.3. + + acl normal_service_net src 10.0.0.0/255.255.255.0 + acl good_service_net src 10.0.1.0/255.255.255.0 + tcp_outgoing_address 10.0.0.1 normal_service_net + tcp_outgoing_address 10.0.0.2 good_service_net + tcp_outgoing_address 10.0.0.3 + + Processing proceeds in the order specified, and stops at first fully + matching line. +DOC_END + +NAME: reply_body_max_size +COMMENT: size [acl acl...] +TYPE: acl_b_size_t +DEFAULT: none +LOC: Config.ReplyBodySize +DOC_START + This option specifies the maximum size of a reply body. It can be + used to prevent users from downloading very large files, such as + MP3's and movies. When the reply headers are recieved, the + reply_body_max_size lines are processed, and the first line where + all (if any) listed acls are true is used as the maximum body size + for this reply. + + This size is then checked twice. First when we get the reply headers, + we check the content-length value. If the content length value exists + and is larger than the allowed size, the request is denied and the + user receives an error message that says "the request or reply + is too large." If there is no content-length, and the reply + size exceeds this limit, the client's connection is just closed + and they will receive a partial reply. + + WARNING: downstream caches probably can not detect a partial reply + if there is no content-length header, so they will cache + partial responses and give them out as hits. You should NOT + use this option if you have downstream caches. + + WARNING: A maximum size smaller than the size of squid's error messages + will cause an infinite loop and crash squid. Ensure that the smallest + non-zero value you use is greater that the maximum header size plus + the size of your largest error page. + + If you set this parameter none (the default), there will be + no limit imposed. +DOC_END - class 3 Everything is limited by a single aggregate - bucket as well as a "network" bucket chosen - from bits 17 through 24 of the IP address and a - "individual" bucket chosen from bits 17 through - 32 of the IP address. - - class 4 Everything in a class 3 delay pool, with an - additional limit on a per user basis. This - only takes effect if the username is established - in advance - by forcing authentication in your - http_access rules. - - class 5 Requests are grouped according their tag (see - external_acl's tag= reply). - - NOTE: If an IP address is a.b.c.d - -> bits 25 through 32 are "d" - -> bits 17 through 24 are "c" - -> bits 17 through 32 are "c * 256 + d" - DOC_END - - NAME: delay_access - TYPE: delay_pool_access - DEFAULT: none - IFDEF: DELAY_POOLS - LOC: Config.Delay - DOC_START - This is used to determine which delay pool a request falls into. - The first matched delay pool is always used, i.e., if a request falls - into delay pool number one, no more delay are checked, otherwise the - rest are checked in order of their delay pool number until they have - all been checked. For example, if you want some_big_clients in delay - pool 1 and lotsa_little_clients in delay pool 2: - - Example: - delay_access 1 allow some_big_clients - delay_access 1 deny all - delay_access 2 allow lotsa_little_clients - delay_access 2 deny all - delay_access 3 allow authenticated_clients - DOC_END +COMMENT_START + ADMINISTRATIVE PARAMETERS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: cache_mgr +TYPE: string +DEFAULT: webmaster +LOC: Config.adminEmail +DOC_START + Email-address of local cache manager who will receive + mail if the cache dies. The default is "webmaster." +DOC_END + + +NAME: cache_effective_user +TYPE: string +DEFAULT: nobody +LOC: Config.effectiveUser +DOC_NONE + +NAME: cache_effective_group +TYPE: string +DEFAULT: none +LOC: Config.effectiveGroup +DOC_START + + If you start Squid as root, it will change its effective/real + UID/GID to the UID/GID specified below. The default is to + change to UID to nobody. If you define cache_effective_user, + but not cache_effective_group, Squid sets the GID the + effective user's default group ID (taken from the password + file). + + If Squid is not started as root, the cache_effective_user + value is ignored and the GID value is unchanged by default. + However, you can make Squid change its GID to another group + that the process owner is a member of. Note that if Squid + is not started as root then you cannot set http_port to a + value lower than 1024. +DOC_END + + +NAME: visible_hostname +TYPE: string +LOC: Config.visibleHostname +DEFAULT: none +DOC_START + If you want to present a special hostname in error messages, etc, + then define this. Otherwise, the return value of gethostname() + will be used. If you have multiple caches in a cluster and + get errors about IP-forwarding you must set them to have individual + names with this setting. +DOC_END + + +NAME: unique_hostname +TYPE: string +LOC: Config.uniqueHostname +DEFAULT: none +DOC_START + If you want to have multiple machines with the same + 'visible_hostname' then you must give each machine a different + 'unique_hostname' so that forwarding loops can be detected. +DOC_END + + +NAME: hostname_aliases +TYPE: wordlist +LOC: Config.hostnameAliases +DEFAULT: none +DOC_START + A list of other DNS names that your cache has. +DOC_END - NAME: delay_parameters - TYPE: delay_pool_rates - DEFAULT: none - IFDEF: DELAY_POOLS - LOC: Config.Delay - DOC_START - This defines the parameters for a delay pool. Each delay pool has - a number of "buckets" associated with it, as explained in the - description of delay_class. For a class 1 delay pool, the syntax is: +COMMENT_START + OPTIONS FOR THE CACHE REGISTRATION SERVICE + ----------------------------------------------------------------------------- + + This section contains parameters for the (optional) cache + announcement service. This service is provided to help + cache administrators locate one another in order to join or + create cache hierarchies. + + An 'announcement' message is sent (via UDP) to the registration + service by Squid. By default, the announcement message is NOT + SENT unless you enable it with 'announce_period' below. + + The announcement message includes your hostname, plus the + following information from this configuration file: + + http_port + icp_port + cache_mgr + + All current information is processed regularly and made + available on the Web at http://www.ircache.net/Cache/Tracker/. +COMMENT_END + +NAME: announce_period +TYPE: time_t +LOC: Config.Announce.period +DEFAULT: 0 +DOC_START + This is how frequently to send cache announcements. The + default is `0' which disables sending the announcement + messages. + + To enable announcing your cache, just uncomment the line + below. + +NOCOMMENT_START +#To enable announcing your cache, just uncomment the line below. +#announce_period 1 day +NOCOMMENT_END +DOC_END + + +NAME: announce_host +TYPE: string +DEFAULT: tracker.ircache.net +LOC: Config.Announce.host +DOC_NONE + +NAME: announce_file +TYPE: string +DEFAULT: none +LOC: Config.Announce.file +DOC_NONE + +NAME: announce_port +TYPE: ushort +DEFAULT: 3131 +LOC: Config.Announce.port +DOC_START + announce_host and announce_port set the hostname and port + number where the registration message will be sent. + + Hostname will default to 'tracker.ircache.net' and port will + default default to 3131. If the 'filename' argument is given, + the contents of that file will be included in the announce + message. +DOC_END + +NAME: httpd_accel_surrogate_id +IFDEF: ESI +TYPE: string +LOC: Config.Accel.surrogate_id +DEFAULT: none +DOC_START + Surrogates (http://www.esi.org/architecture_spec_1.0.html) + need an identification token to allow control targeting. Because + a farm of surrogates may all perform the same tasks, they may share + an identification token. +DOC_END + +NAME: http_accel_surrogate_remote +IFDEF: ESI +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.surrogate_is_remote +DOC_START + Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. + Set this to on to have squid behave as a remote surrogate. +DOC_END + +NAME: esi_parser +IFDEF: ESI +COMMENT: expat|custom +TYPE: string +LOC: ESIParser::Type +DEFAULT: custom +DOC_START + ESI markup is not strictly XML compatible. The custom ESI parser + will give higher performance, but cannot handle non ASCII character + encodings. +DOC_END - delay_parameters pool aggregate +COMMENT_START + MISCELLANEOUS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: dns_testnames +TYPE: wordlist +LOC: Config.dns_testname_list +DEFAULT: none +DEFAULT_IF_NONE: netscape.com internic.net nlanr.net microsoft.com +DOC_START + The DNS tests exit as soon as the first site is successfully looked up + + This test can be disabled with the -D command line option. +DOC_END + + +NAME: logfile_rotate +TYPE: int +DEFAULT: 10 +LOC: Config.Log.rotateNumber +DOC_START + Specifies the number of logfile rotations to make when you + type 'squid -k rotate'. The default is 10, which will rotate + with extensions 0 through 9. Setting logfile_rotate to 0 will + disable the rotation, but the logfiles are still closed and + re-opened. This will enable you to rename the logfiles + yourself just before sending the rotate signal. + + Note, the 'squid -k rotate' command normally sends a USR1 + signal to the running squid process. In certain situations + (e.g. on Linux with Async I/O), USR1 is used for other + purposes, so -k rotate uses another signal. It is best to get + in the habit of using 'squid -k rotate' instead of 'kill -USR1 + '. +DOC_END + + +NAME: append_domain +TYPE: string +LOC: Config.appendDomain +DEFAULT: none +DOC_START + Appends local domain name to hostnames without any dots in + them. append_domain must begin with a period. + + Be warned that there today is Internet names with no dots in + them using only top-domain names, so setting this may + cause some Internet sites to become unavailable. + +Example: + append_domain .yourdomain.com +DOC_END + + +NAME: tcp_recv_bufsize +COMMENT: (bytes) +TYPE: b_size_t +DEFAULT: 0 bytes +LOC: Config.tcpRcvBufsz +DOC_START + Size of receive buffer to set for TCP sockets. Probably just + as easy to change your kernel's default. Set to zero to use + the default buffer size. +DOC_END + +NAME: err_html_text +TYPE: eol +LOC: Config.errHtmlText +DEFAULT: none +DOC_START + HTML text to include in error messages. Make this a "mailto" + URL to your admin address, or maybe just a link to your + organizations Web page. + + To include this in your error messages, you must rewrite + the error template files (found in the "errors" directory). + Wherever you want the 'err_html_text' line to appear, + insert a %L tag in the error template file. +DOC_END + +NAME: email_err_data +COMMENT: on|off +TYPE: onoff +LOC: Config.onoff.emailErrData +DEFAULT: on +DOC_START + If enabled, information about the occurred error will be + included in the mailto links of the ERR pages (if %W is set) + so that the email body then contains the data. + Syntax is %w +DOC_END + + +NAME: deny_info +TYPE: denyinfo +LOC: Config.denyInfoList +DEFAULT: none +DOC_START + Usage: deny_info err_page_name acl + or deny_info http://... acl + Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys + + This can be used to return a ERR_ page for requests which + do not pass the 'http_access' rules. A single ACL will cause + the http_access check to fail. If a 'deny_info' line exists + for that ACL then Squid returns a corresponding error page. + + You may use ERR_ pages that come with Squid or create your own pages + and put them into the configured errors/ directory. + + Alternatively you can specify an error URL. The browsers will then + get redirected (302) to the specified URL. %s in the redirection + URL will be replaced by the requested URL. + + Alternatively you can tell Squid to reset the TCP connection + by specifying TCP_RESET. +DOC_END + +NAME: memory_pools +COMMENT: on|off +TYPE: onoff +DEFAULT: on +LOC: Config.onoff.mem_pools +DOC_START + If set, Squid will keep pools of allocated (but unused) memory + available for future use. If memory is a premium on your + system and you believe your malloc library outperforms Squid + routines, disable this. +DOC_END + +NAME: memory_pools_limit +COMMENT: (bytes) +TYPE: b_size_t +DEFAULT: none +LOC: Config.MemPools.limit +DOC_START + Used only with memory_pools on: + memory_pools_limit 50 MB + + If set to a non-zero value, Squid will keep at most the specified + limit of allocated (but unused) memory in memory pools. All free() + requests that exceed this limit will be handled by your malloc + library. Squid does not pre-allocate any memory, just safe-keeps + objects that otherwise would be free()d. Thus, it is safe to set + memory_pools_limit to a reasonably high value even if your + configuration will use less memory. + + If not set (default) or set to zero, Squid will keep all memory it + can. That is, there will be no limit on the total amount of memory + used for safe-keeping. + + To disable memory allocation optimization, do not set + memory_pools_limit to 0. Set memory_pools to "off" instead. + + An overhead for maintaining memory pools is not taken into account + when the limit is checked. This overhead is close to four bytes per + object kept. However, pools may actually _save_ memory because of + reduced memory thrashing in your malloc library. +DOC_END + +NAME: via +IFDEF: HTTP_VIOLATIONS +COMMENT: on|off +TYPE: onoff +DEFAULT: on +LOC: Config.onoff.via +DOC_START + If set (default), Squid will include a Via header in requests and + replies as required by RFC2616. +DOC_END + +NAME: forwarded_for +COMMENT: on|off +TYPE: onoff +DEFAULT: on +LOC: opt_forwarded_for +DOC_START + If set, Squid will include your system's IP address or name + in the HTTP requests it forwards. By default it looks like + this: + + X-Forwarded-For: 192.1.2.3 + + If you disable this, it will appear as + + X-Forwarded-For: unknown +DOC_END + +NAME: log_icp_queries +COMMENT: on|off +TYPE: onoff +DEFAULT: on +LOC: Config.onoff.log_udp +DOC_START + If set, ICP queries are logged to access.log. You may wish + do disable this if your ICP load is VERY high to speed things + up or to simplify log analysis. +DOC_END + +NAME: icp_hit_stale +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.icp_hit_stale +DOC_START + If you want to return ICP_HIT for stale cache objects, set this + option to 'on'. If you have sibling relationships with caches + in other administrative domains, this should be 'off'. If you only + have sibling relationships with caches under your control, then + it is probably okay to set this to 'on'. + If set to 'on', then your siblings should use the option "allow-miss" + on their cache_peer lines for connecting to you. +DOC_END + + +NAME: minimum_direct_hops +TYPE: int +DEFAULT: 4 +LOC: Config.minDirectHops +DOC_START + If using the ICMP pinging stuff, do direct fetches for sites + which are no more than this many hops away. +DOC_END + +NAME: minimum_direct_rtt +TYPE: int +DEFAULT: 400 +LOC: Config.minDirectRtt +DOC_START + If using the ICMP pinging stuff, do direct fetches for sites + which are no more than this many rtt milliseconds away. +DOC_END + +NAME: cachemgr_passwd +TYPE: cachemgrpasswd +DEFAULT: none +LOC: Config.passwd_list +DOC_START + Specify passwords for cachemgr operations. + + Usage: cachemgr_passwd password action action ... + + Some valid actions are (see cache manager menu for a full list): + 5min + 60min + asndb + authenticator + cbdata + client_list + comm_incoming + config * + counters + delay + digest_stats + dns + events + filedescriptors + fqdncache + histograms + http_headers + info + io + ipcache + mem + menu + netdb + non_peers + objects + offline_toggle * + pconn + peer_select + redirector + refresh + server_list + shutdown * + store_digest + storedir + utilization + via_headers + vm_objects + + * Indicates actions which will not be performed without a + valid password, others can be performed if not listed here. + + To disable an action, set the password to "disable". + To allow performing an action without a password, set the + password to "none". + + Use the keyword "all" to set the same password for all actions. + +Example: + cachemgr_passwd secret shutdown + cachemgr_passwd lesssssssecret info stats/objects + cachemgr_passwd disable all +DOC_END + +NAME: store_avg_object_size +COMMENT: (kbytes) +TYPE: kb_size_t +DEFAULT: 13 KB +LOC: Config.Store.avgObjectSize +DOC_START + Average object size, used to estimate number of objects your + cache can hold. See doc/Release-Notes-1.1.txt. The default is + 13 KB. +DOC_END + +NAME: store_objects_per_bucket +TYPE: int +DEFAULT: 20 +LOC: Config.Store.objectsPerBucket +DOC_START + Target number of objects per bucket in the store hash table. + Lowering this value increases the total number of buckets and + also the storage maintenance rate. The default is 50. +DOC_END + +NAME: client_db +COMMENT: on|off +TYPE: onoff +DEFAULT: on +LOC: Config.onoff.client_db +DOC_START + If you want to disable collecting per-client statistics, then + turn off client_db here. +DOC_END + + +NAME: netdb_low +TYPE: int +DEFAULT: 900 +LOC: Config.Netdb.low +DOC_NONE + +NAME: netdb_high +TYPE: int +DEFAULT: 1000 +LOC: Config.Netdb.high +DOC_START + The low and high water marks for the ICMP measurement + database. These are counts, not percents. The defaults are + 900 and 1000. When the high water mark is reached, database + entries will be deleted until the low mark is reached. +DOC_END + + +NAME: netdb_ping_period +TYPE: time_t +LOC: Config.Netdb.period +DEFAULT: 5 minutes +DOC_START + The minimum period for measuring a site. There will be at + least this much delay between successive pings to the same + network. The default is five minutes. +DOC_END + + +NAME: query_icmp +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.query_icmp +DOC_START + If you want to ask your peers to include ICMP data in their ICP + replies, enable this option. + + If your peer has configured Squid (during compilation) with + '--enable-icmp' then that peer will send ICMP pings to origin server + sites of the URLs it receives. If you enable this option then the + ICP replies from that peer will include the ICMP data (if available). + Then, when choosing a parent cache, Squid will choose the parent with + the minimal RTT to the origin server. When this happens, the + hierarchy field of the access.log will be + "CLOSEST_PARENT_MISS". This option is off by default. +DOC_END + +NAME: test_reachability +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.test_reachability +DOC_START + When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH + instead of ICP_MISS if the target host is NOT in the ICMP + database, or has a zero RTT. +DOC_END + +NAME: buffered_logs +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.buffered_logs +DOC_START + cache.log log file is written with stdio functions, and as such + it can be buffered or unbuffered. By default it will be unbuffered. + Buffering it can speed up the writing slightly (though you are + unlikely to need to worry unless you run with tons of debugging + enabled in which case performance will suffer badly anyway..). +DOC_END + +NAME: reload_into_ims +IFDEF: HTTP_VIOLATIONS +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.reload_into_ims +DOC_START + When you enable this option, client no-cache or ``reload'' + requests will be changed to If-Modified-Since requests. + Doing this VIOLATES the HTTP standard. Enabling this + feature could make you liable for problems which it + causes. + + see also refresh_pattern for a more selective approach. +DOC_END + +NAME: always_direct +TYPE: acl_access +LOC: Config.accessList.AlwaysDirect +DEFAULT: none +DOC_START + Usage: always_direct allow|deny [!]aclname ... + + Here you can use ACL elements to specify requests which should + ALWAYS be forwarded directly to origin servers. For example, + to always directly forward requests for local servers use + something like: + + acl local-servers dstdomain my.domain.net + always_direct allow local-servers + + To always forward FTP requests directly, use + + acl FTP proto FTP + always_direct allow FTP + + NOTE: There is a similar, but opposite option named + 'never_direct'. You need to be aware that "always_direct deny + foo" is NOT the same thing as "never_direct allow foo". You + may need to use a deny rule to exclude a more-specific case of + some other rule. Example: + + acl local-external dstdomain external.foo.net + acl local-servers dstdomain .foo.net + always_direct deny local-external + always_direct allow local-servers + + This option replaces some v1.1 options such as local_domain + and local_ip. +DOC_END + +NAME: never_direct +TYPE: acl_access +LOC: Config.accessList.NeverDirect +DEFAULT: none +DOC_START + Usage: never_direct allow|deny [!]aclname ... + + never_direct is the opposite of always_direct. Please read + the description for always_direct if you have not already. + + With 'never_direct' you can use ACL elements to specify + requests which should NEVER be forwarded directly to origin + servers. For example, to force the use of a proxy for all + requests, except those in your local domain use something like: + + acl local-servers dstdomain .foo.net + acl all src 0.0.0.0/0.0.0.0 + never_direct deny local-servers + never_direct allow all + + or if squid is inside a firewall and there is local intranet + servers inside the firewall then use something like: + + acl local-intranet dstdomain .foo.net + acl local-external dstdomain external.foo.net + always_direct deny local-external + always_direct allow local-intranet + never_direct allow all + + This option replaces some v1.1 options such as inside_firewall + and firewall_ip. +DOC_END + +NAME: header_access +IFDEF: HTTP_VIOLATIONS +TYPE: http_header_access[] +LOC: Config.header_access +DEFAULT: none +DOC_START + Usage: header_access header_name allow|deny [!]aclname ... + + WARNING: Doing this VIOLATES the HTTP standard. Enabling + this feature could make you liable for problems which it + causes. + + This option replaces the old 'anonymize_headers' and the + older 'http_anonymizer' option with something that is much + more configurable. This new method creates a list of ACLs + for each header, allowing you very fine-tuned header + mangling. + + You can only specify known headers for the header name. + Other headers are reclassified as 'Other'. You can also + refer to all the headers with 'All'. + + For example, to achieve the same behaviour as the old + 'http_anonymizer standard' option, you should use: + + header_access From deny all + header_access Referer deny all + header_access Server deny all + header_access User-Agent deny all + header_access WWW-Authenticate deny all + header_access Link deny all + + Or, to reproduce the old 'http_anonymizer paranoid' feature + you should use: + + header_access Allow allow all + header_access Authorization allow all + header_access WWW-Authenticate allow all + header_access Cache-Control allow all + header_access Content-Encoding allow all + header_access Content-Length allow all + header_access Content-Type allow all + header_access Date allow all + header_access Expires allow all + header_access Host allow all + header_access If-Modified-Since allow all + header_access Last-Modified allow all + header_access Location allow all + header_access Pragma allow all + header_access Accept allow all + header_access Accept-Charset allow all + header_access Accept-Encoding allow all + header_access Accept-Language allow all + header_access Content-Language allow all + header_access Mime-Version allow all + header_access Retry-After allow all + header_access Title allow all + header_access Connection allow all + header_access Proxy-Connection allow all + header_access All deny all + + By default, all headers are allowed (no anonymizing is + performed). +DOC_END + +NAME: header_replace +IFDEF: HTTP_VIOLATIONS +TYPE: http_header_replace[] +LOC: Config.header_access +DEFAULT: none +DOC_START + Usage: header_replace header_name message + Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) + + This option allows you to change the contents of headers + denied with header_access above, by replacing them with + some fixed string. This replaces the old fake_user_agent + option. + + By default, headers are removed if denied. +DOC_END + +NAME: icon_directory +TYPE: string +LOC: Config.icons.directory +DEFAULT: @DEFAULT_ICON_DIR@ +DOC_START + Where the icons are stored. These are normally kept in + @DEFAULT_ICON_DIR@ +DOC_END + +NAME: error_directory +TYPE: string +LOC: Config.errorDirectory +DEFAULT: @DEFAULT_ERROR_DIR@ +DOC_START + If you wish to create your own versions of the default + (English) error files, either to customize them to suit your + language or company copy the template English files to another + directory and point this tag at them. +DOC_END + +NAME: minimum_retry_timeout +COMMENT: (seconds) +TYPE: time_t +LOC: Config.retry.timeout +DEFAULT: 5 seconds +DOC_START + This specifies the minimum connect timeout, for when the + connect timeout is reduced to compensate for the availability + of multiple IP addresses. + + When a connection to a host is initiated, and that host has + several IP addresses, the default connection timeout is reduced + by dividing it by the number of addresses. So, a site with 15 + addresses would then have a timeout of 8 seconds for each + address attempted. To avoid having the timeout reduced to the + point where even a working host would not have a chance to + respond, this setting is provided. The default, and the + minimum value, is five seconds, and the maximum value is sixty + seconds, or half of connect_timeout, whichever is greater and + less than connect_timeout. +DOC_END + +NAME: maximum_single_addr_tries +TYPE: int +LOC: Config.retry.maxtries +DEFAULT: 3 +DOC_START + This sets the maximum number of connection attempts for a + host that only has one address (for multiple-address hosts, + each address is tried once). + + The default value is three tries, the (not recommended) + maximum is 255 tries. A warning message will be generated + if it is set to a value greater than ten. +DOC_END + +NAME: snmp_port +TYPE: ushort +LOC: Config.Port.snmp +DEFAULT: 3401 +IFDEF: SQUID_SNMP +DOC_START + Squid can now serve statistics and status information via SNMP. + By default it listens to port 3401 on the machine. If you don't + wish to use SNMP, set this to "0". +DOC_END + +NAME: snmp_access +TYPE: acl_access +LOC: Config.accessList.snmp +DEFAULT: none +DEFAULT_IF_NONE: deny all +IFDEF: SQUID_SNMP +DOC_START + Allowing or denying access to the SNMP port. + + All access to the agent is denied by default. + usage: + + snmp_access allow|deny [!]aclname ... + +Example: + snmp_access allow snmppublic localhost + snmp_access deny all +DOC_END + +NAME: snmp_incoming_address +TYPE: address +LOC: Config.Addrs.snmp_incoming +DEFAULT: 0.0.0.0 +IFDEF: SQUID_SNMP +DOC_NONE +NAME: snmp_outgoing_address +TYPE: address +LOC: Config.Addrs.snmp_outgoing +DEFAULT: 255.255.255.255 +IFDEF: SQUID_SNMP +DOC_START + Just like 'udp_incoming_address' above, but for the SNMP port. + + snmp_incoming_address is used for the SNMP socket receiving + messages from SNMP agents. + snmp_outgoing_address is used for SNMP packets returned to SNMP + agents. + + The default snmp_incoming_address (0.0.0.0) is to listen on all + available network interfaces. + + If snmp_outgoing_address is set to 255.255.255.255 (the default) + then it will use the same socket as snmp_incoming_address. Only + change this if you want to have SNMP replies sent using another + address than where this Squid listens for SNMP queries. + + NOTE, snmp_incoming_address and snmp_outgoing_address can not have + the same value since they both use port 3401. +DOC_END + +NAME: as_whois_server +TYPE: string +LOC: Config.as_whois_server +DEFAULT: whois.ra.net +DEFAULT_IF_NONE: whois.ra.net +DOC_START + WHOIS server to query for AS numbers. NOTE: AS numbers are + queried only when Squid starts up, not for every request. +DOC_END + +NAME: wccp_router +TYPE: address +LOC: Config.Wccp.router +DEFAULT: 0.0.0.0 +IFDEF: USE_WCCP +DOC_START + Use this option to define your WCCP ``home'' router for + Squid. Setting the 'wccp_router' to 0.0.0.0 (the default) + disables WCCP. +DOC_END + +NAME: wccp_version +TYPE: int +LOC: Config.Wccp.version +DEFAULT: 4 +IFDEF: USE_WCCP +DOC_START + According to some users, Cisco IOS 11.2 only supports WCCP + version 3. If you're using that version of IOS, change + this value to 3. +DOC_END + +NAME: wccp_incoming_address +TYPE: address +LOC: Config.Wccp.incoming +DEFAULT: 0.0.0.0 +IFDEF: USE_WCCP +DOC_NONE +NAME: wccp_outgoing_address +TYPE: address +LOC: Config.Wccp.outgoing +DEFAULT: 255.255.255.255 +IFDEF: USE_WCCP +DOC_START + wccp_incoming_address Use this option if you require WCCP + messages to be received on only one + interface. Do NOT use this option if + you're unsure how many interfaces you + have, or if you know you have only one + interface. + + wccp_outgoing_address Use this option if you require WCCP + messages to be sent out on only one + interface. Do NOT use this option if + you're unsure how many interfaces you + have, or if you know you have only one + interface. + + The default behavior is to not bind to any specific address. + + NOTE, wccp_incoming_address and wccp_outgoing_address can not have + the same value since they both use port 2048. +DOC_END - For a class 2 delay pool: - delay_parameters pool aggregate individual - - For a class 3 delay pool: - - delay_parameters pool aggregate network individual - - For a class 4 delay pool: - - delay_parameters pool aggregate network individual user - - For a class 5 delay pool: - - delay_parameters pool tag - - The variables here are: - - pool a pool number - ie, a number between 1 and the - number specified in delay_pools as used in - delay_class lines. - - aggregate the "delay parameters" for the aggregate bucket - (class 1, 2, 3). - - individual the "delay parameters" for the individual - buckets (class 2, 3). - - network the "delay parameters" for the network buckets - (class 3). - - user the delay parameters for the user buckets - (class 4). - - tag the delay parameters for the tag buckets - (class 5). - - A pair of delay parameters is written restore/maximum, where restore is - the number of bytes (not bits - modem and network speeds are usually - quoted in bits) per second placed into the bucket, and maximum is the - maximum number of bytes which can be in the bucket at any time. - - For example, if delay pool number 1 is a class 2 delay pool as in the - above example, and is being used to strictly limit each host to 64kbps - (plus overheads), with no overall limit, the line is: - - delay_parameters 1 -1/-1 8000/8000 - - Note that the figure -1 is used to represent "unlimited". - - And, if delay pool number 2 is a class 3 delay pool as in the above - example, and you want to limit it to a total of 256kbps (strict limit) - with each 8-bit network permitted 64kbps (strict limit) and each - individual host permitted 4800bps with a bucket maximum size of 64kb - to permit a decent web page to be downloaded at a decent speed - (if the network is not being limited due to overuse) but slow down - large downloads more significantly: - - delay_parameters 2 32000/32000 8000/8000 600/8000 - - There must be one delay_parameters line for each delay pool. - - Finally, for a class 4 delay pool as in the example - each user will - be limited to 128Kb no matter how many workstations they are logged into.: - - delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 - DOC_END - - NAME: delay_initial_bucket_level - COMMENT: (percent, 0-100) - TYPE: ushort - DEFAULT: 50 - IFDEF: DELAY_POOLS - LOC: Config.Delay.initial - DOC_START - The initial bucket percentage is used to determine how much is put - in each bucket when squid starts, is reconfigured, or first notices - a host accessing it (in class 2 and class 3, individual hosts and - networks only have buckets associated with them once they have been - "seen" by squid). - DOC_END - - NAME: incoming_icp_average - TYPE: int - DEFAULT: 6 - LOC: Config.comm_incoming.icp_average - DOC_NONE - - NAME: incoming_http_average - TYPE: int - DEFAULT: 4 - LOC: Config.comm_incoming.http_average - DOC_NONE - - NAME: incoming_dns_average - TYPE: int - DEFAULT: 4 - LOC: Config.comm_incoming.dns_average - DOC_NONE - - NAME: min_icp_poll_cnt - TYPE: int - DEFAULT: 8 - LOC: Config.comm_incoming.icp_min_poll - DOC_NONE - - NAME: min_dns_poll_cnt - TYPE: int - DEFAULT: 8 - LOC: Config.comm_incoming.dns_min_poll - DOC_NONE - - NAME: min_http_poll_cnt - TYPE: int - DEFAULT: 8 - LOC: Config.comm_incoming.http_min_poll - DOC_START - Heavy voodoo here. I can't even believe you are reading this. - Are you crazy? Don't even think about adjusting these unless - you understand the algorithms in comm_select.c first! - DOC_END - - NAME: max_open_disk_fds - TYPE: int - LOC: Config.max_open_disk_fds - DEFAULT: 0 - DOC_START - To avoid having disk as the I/O bottleneck Squid can optionally - bypass the on-disk cache if more than this amount of disk file - descriptors are open. - - A value of 0 indicates no limit. - DOC_END - - NAME: offline_mode - TYPE: onoff - LOC: Config.onoff.offline - DEFAULT: off - DOC_START - Enable this option and Squid will never try to validate cached - objects. - DOC_END - - NAME: uri_whitespace - TYPE: uri_whitespace - LOC: Config.uri_whitespace - DEFAULT: strip - DOC_START - What to do with requests that have whitespace characters in the - URI. Options: - - strip: The whitespace characters are stripped out of the URL. - This is the behavior recommended by RFC2616. - deny: The request is denied. The user receives an "Invalid - Request" message. - allow: The request is allowed and the URI is not changed. The - whitespace characters remain in the URI. Note the - whitespace is passed to redirector processes if they - are in use. - encode: The request is allowed and the whitespace characters are - encoded according to RFC1738. This could be considered - a violation of the HTTP/1.1 - RFC because proxies are not allowed to rewrite URI's. - chop: The request is allowed and the URI is chopped at the - first whitespace. This might also be considered a - violation. - DOC_END - - NAME: broken_posts - TYPE: acl_access - DEFAULT: none - LOC: Config.accessList.brokenPosts - DOC_START - A list of ACL elements which, if matched, causes Squid to send - an extra CRLF pair after the body of a PUT/POST request. - - Some HTTP servers has broken implementations of PUT/POST, - and rely on an extra CRLF pair sent by some WWW clients. - - Quote from RFC 2068 section 4.1 on this matter: - - Note: certain buggy HTTP/1.0 client implementations generate an - extra CRLF's after a POST request. To restate what is explicitly - forbidden by the BNF, an HTTP/1.1 client must not preface or follow - a request with an extra CRLF. - - Example: - acl buggy_server url_regex ^http://.... - broken_posts allow buggy_server - DOC_END - - NAME: mcast_miss_addr - IFDEF: MULTICAST_MISS_STREAM - TYPE: address - LOC: Config.mcast_miss.addr - DEFAULT: 255.255.255.255 - DOC_START - If you enable this option, every "cache miss" URL will - be sent out on the specified multicast address. - - Do not enable this option unless you are are absolutely - certain you understand what you are doing. - DOC_END - - NAME: mcast_miss_ttl - IFDEF: MULTICAST_MISS_TTL - TYPE: ushort - LOC: Config.mcast_miss.ttl - DEFAULT: 16 - DOC_START - This is the time-to-live value for packets multicasted - when multicasting off cache miss URLs is enabled. By - default this is set to 'site scope', i.e. 16. - DOC_END - - NAME: mcast_miss_port - IFDEF: MULTICAST_MISS_STREAM - TYPE: ushort - LOC: Config.mcast_miss.port - DEFAULT: 3135 - DOC_START - This is the port number to be used in conjunction with - 'mcast_miss_addr'. - DOC_END - - NAME: mcast_miss_encode_key - IFDEF: MULTICAST_MISS_STREAM - TYPE: string - LOC: Config.mcast_miss.encode_key - DEFAULT: XXXXXXXXXXXXXXXX - DOC_START - The URLs that are sent in the multicast miss stream are - encrypted. This is the encryption key. - DOC_END - - NAME: nonhierarchical_direct - TYPE: onoff - LOC: Config.onoff.nonhierarchical_direct - DEFAULT: on - DOC_START - By default, Squid will send any non-hierarchical requests - (matching hierarchy_stoplist or not cachable request type) direct - to origin servers. - - If you set this to off, then Squid will prefer to send these - requests to parents. - - Note that in most configurations, by turning this off you will only - add latency to these request without any improvement in global hit - ratio. - - If you are inside an firewall then see never_direct instead of - this directive. - DOC_END - - NAME: prefer_direct - TYPE: onoff - LOC: Config.onoff.prefer_direct - DEFAULT: off - DOC_START - Normally Squid tries to use parents for most requests. If you by some - reason like it to first try going direct and only use a parent if - going direct fails then set this to on. - - By combining nonhierarchical_direct off and prefer_direct on you - can set up Squid to use a parent as a backup path if going direct - fails. - DOC_END - - NAME: strip_query_terms - TYPE: onoff - LOC: Config.onoff.strip_query_terms - DEFAULT: on - DOC_START - By default, Squid strips query terms from requested URLs before - logging. This protects your user's privacy. - DOC_END - - NAME: coredump_dir - TYPE: string - LOC: Config.coredump_dir - DEFAULT: none - DEFAULT_IF_NONE: none - DOC_START - By default Squid leaves core files in the directory from where - it was started. If you set 'coredump_dir' to a directory - that exists, Squid will chdir() to that directory at startup - and coredump files will be left there. - - NOCOMMENT_START +COMMENT_START + DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option) + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: delay_pools +TYPE: delay_pool_count +DEFAULT: 0 +IFDEF: DELAY_POOLS +LOC: Config.Delay +DOC_START + This represents the number of delay pools to be used. For example, + if you have one class 2 delay pool and one class 3 delays pool, you + have a total of 2 delay pools. +DOC_END + +NAME: delay_class +TYPE: delay_pool_class +DEFAULT: none +IFDEF: DELAY_POOLS +LOC: Config.Delay +DOC_START + This defines the class of each delay pool. There must be exactly one + delay_class line for each delay pool. For example, to define two + delay pools, one of class 2 and one of class 3, the settings above + and here would be: + +Example: + delay_pools 4 # 4 delay pools + delay_class 1 2 # pool 1 is a class 2 pool + delay_class 2 3 # pool 2 is a class 3 pool + delay_class 3 4 # pool 3 is a class 4 pool + delay_class 4 5 # pool 4 is a class 5 pool + + The delay pool classes are: + + class 1 Everything is limited by a single aggregate + bucket. + + class 2 Everything is limited by a single aggregate + bucket as well as an "individual" bucket chosen + from bits 25 through 32 of the IP address. + + class 3 Everything is limited by a single aggregate + bucket as well as a "network" bucket chosen + from bits 17 through 24 of the IP address and a + "individual" bucket chosen from bits 17 through + 32 of the IP address. + + class 4 Everything in a class 3 delay pool, with an + additional limit on a per user basis. This + only takes effect if the username is established + in advance - by forcing authentication in your + http_access rules. + + class 5 Requests are grouped according their tag (see + external_acl's tag= reply). + + NOTE: If an IP address is a.b.c.d + -> bits 25 through 32 are "d" + -> bits 17 through 24 are "c" + -> bits 17 through 32 are "c * 256 + d" +DOC_END + +NAME: delay_access +TYPE: delay_pool_access +DEFAULT: none +IFDEF: DELAY_POOLS +LOC: Config.Delay +DOC_START + This is used to determine which delay pool a request falls into. + The first matched delay pool is always used, i.e., if a request falls + into delay pool number one, no more delay are checked, otherwise the + rest are checked in order of their delay pool number until they have + all been checked. For example, if you want some_big_clients in delay + pool 1 and lotsa_little_clients in delay pool 2: + +Example: + delay_access 1 allow some_big_clients + delay_access 1 deny all + delay_access 2 allow lotsa_little_clients + delay_access 2 deny all + delay_access 3 allow authenticated_clients +DOC_END + +NAME: delay_parameters +TYPE: delay_pool_rates +DEFAULT: none +IFDEF: DELAY_POOLS +LOC: Config.Delay +DOC_START + This defines the parameters for a delay pool. Each delay pool has + a number of "buckets" associated with it, as explained in the + description of delay_class. For a class 1 delay pool, the syntax is: + +delay_parameters pool aggregate + + For a class 2 delay pool: + +delay_parameters pool aggregate individual + + For a class 3 delay pool: + +delay_parameters pool aggregate network individual + + For a class 4 delay pool: + +delay_parameters pool aggregate network individual user + + For a class 5 delay pool: + +delay_parameters pool tag + + The variables here are: + + pool a pool number - ie, a number between 1 and the + number specified in delay_pools as used in + delay_class lines. + + aggregate the "delay parameters" for the aggregate bucket + (class 1, 2, 3). + + individual the "delay parameters" for the individual + buckets (class 2, 3). + + network the "delay parameters" for the network buckets + (class 3). + + user the delay parameters for the user buckets + (class 4). + + tag the delay parameters for the tag buckets + (class 5). + + A pair of delay parameters is written restore/maximum, where restore is + the number of bytes (not bits - modem and network speeds are usually + quoted in bits) per second placed into the bucket, and maximum is the + maximum number of bytes which can be in the bucket at any time. + + For example, if delay pool number 1 is a class 2 delay pool as in the + above example, and is being used to strictly limit each host to 64kbps + (plus overheads), with no overall limit, the line is: + +delay_parameters 1 -1/-1 8000/8000 + + Note that the figure -1 is used to represent "unlimited". + + And, if delay pool number 2 is a class 3 delay pool as in the above + example, and you want to limit it to a total of 256kbps (strict limit) + with each 8-bit network permitted 64kbps (strict limit) and each + individual host permitted 4800bps with a bucket maximum size of 64kb + to permit a decent web page to be downloaded at a decent speed + (if the network is not being limited due to overuse) but slow down + large downloads more significantly: + +delay_parameters 2 32000/32000 8000/8000 600/8000 + + There must be one delay_parameters line for each delay pool. + + Finally, for a class 4 delay pool as in the example - each user will + be limited to 128Kb no matter how many workstations they are logged into.: + +delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +DOC_END + +NAME: delay_initial_bucket_level +COMMENT: (percent, 0-100) +TYPE: ushort +DEFAULT: 50 +IFDEF: DELAY_POOLS +LOC: Config.Delay.initial +DOC_START + The initial bucket percentage is used to determine how much is put + in each bucket when squid starts, is reconfigured, or first notices + a host accessing it (in class 2 and class 3, individual hosts and + networks only have buckets associated with them once they have been + "seen" by squid). +DOC_END + +NAME: incoming_icp_average +TYPE: int +DEFAULT: 6 +LOC: Config.comm_incoming.icp_average +DOC_NONE + +NAME: incoming_http_average +TYPE: int +DEFAULT: 4 +LOC: Config.comm_incoming.http_average +DOC_NONE + +NAME: incoming_dns_average +TYPE: int +DEFAULT: 4 +LOC: Config.comm_incoming.dns_average +DOC_NONE + +NAME: min_icp_poll_cnt +TYPE: int +DEFAULT: 8 +LOC: Config.comm_incoming.icp_min_poll +DOC_NONE + +NAME: min_dns_poll_cnt +TYPE: int +DEFAULT: 8 +LOC: Config.comm_incoming.dns_min_poll +DOC_NONE + +NAME: min_http_poll_cnt +TYPE: int +DEFAULT: 8 +LOC: Config.comm_incoming.http_min_poll +DOC_START + Heavy voodoo here. I can't even believe you are reading this. + Are you crazy? Don't even think about adjusting these unless + you understand the algorithms in comm_select.c first! +DOC_END + +NAME: max_open_disk_fds +TYPE: int +LOC: Config.max_open_disk_fds +DEFAULT: 0 +DOC_START + To avoid having disk as the I/O bottleneck Squid can optionally + bypass the on-disk cache if more than this amount of disk file + descriptors are open. + + A value of 0 indicates no limit. +DOC_END + +NAME: offline_mode +TYPE: onoff +LOC: Config.onoff.offline +DEFAULT: off +DOC_START + Enable this option and Squid will never try to validate cached + objects. +DOC_END + +NAME: uri_whitespace +TYPE: uri_whitespace +LOC: Config.uri_whitespace +DEFAULT: strip +DOC_START + What to do with requests that have whitespace characters in the + URI. Options: + + strip: The whitespace characters are stripped out of the URL. + This is the behavior recommended by RFC2616. + deny: The request is denied. The user receives an "Invalid + Request" message. + allow: The request is allowed and the URI is not changed. The + whitespace characters remain in the URI. Note the + whitespace is passed to redirector processes if they + are in use. + encode: The request is allowed and the whitespace characters are + encoded according to RFC1738. This could be considered + a violation of the HTTP/1.1 + RFC because proxies are not allowed to rewrite URI's. + chop: The request is allowed and the URI is chopped at the + first whitespace. This might also be considered a + violation. +DOC_END + +NAME: broken_posts +TYPE: acl_access +DEFAULT: none +LOC: Config.accessList.brokenPosts +DOC_START + A list of ACL elements which, if matched, causes Squid to send + an extra CRLF pair after the body of a PUT/POST request. + + Some HTTP servers has broken implementations of PUT/POST, + and rely on an extra CRLF pair sent by some WWW clients. + + Quote from RFC 2068 section 4.1 on this matter: + + Note: certain buggy HTTP/1.0 client implementations generate an + extra CRLF's after a POST request. To restate what is explicitly + forbidden by the BNF, an HTTP/1.1 client must not preface or follow + a request with an extra CRLF. + +Example: + acl buggy_server url_regex ^http://.... + broken_posts allow buggy_server +DOC_END + +NAME: mcast_miss_addr +IFDEF: MULTICAST_MISS_STREAM +TYPE: address +LOC: Config.mcast_miss.addr +DEFAULT: 255.255.255.255 +DOC_START + If you enable this option, every "cache miss" URL will + be sent out on the specified multicast address. + + Do not enable this option unless you are are absolutely + certain you understand what you are doing. +DOC_END + +NAME: mcast_miss_ttl +IFDEF: MULTICAST_MISS_TTL +TYPE: ushort +LOC: Config.mcast_miss.ttl +DEFAULT: 16 +DOC_START + This is the time-to-live value for packets multicasted + when multicasting off cache miss URLs is enabled. By + default this is set to 'site scope', i.e. 16. +DOC_END + +NAME: mcast_miss_port +IFDEF: MULTICAST_MISS_STREAM +TYPE: ushort +LOC: Config.mcast_miss.port +DEFAULT: 3135 +DOC_START + This is the port number to be used in conjunction with + 'mcast_miss_addr'. +DOC_END + +NAME: mcast_miss_encode_key +IFDEF: MULTICAST_MISS_STREAM +TYPE: string +LOC: Config.mcast_miss.encode_key +DEFAULT: XXXXXXXXXXXXXXXX +DOC_START + The URLs that are sent in the multicast miss stream are + encrypted. This is the encryption key. +DOC_END + +NAME: nonhierarchical_direct +TYPE: onoff +LOC: Config.onoff.nonhierarchical_direct +DEFAULT: on +DOC_START + By default, Squid will send any non-hierarchical requests + (matching hierarchy_stoplist or not cachable request type) direct + to origin servers. + + If you set this to off, then Squid will prefer to send these + requests to parents. + + Note that in most configurations, by turning this off you will only + add latency to these request without any improvement in global hit + ratio. + + If you are inside an firewall then see never_direct instead of + this directive. +DOC_END + +NAME: prefer_direct +TYPE: onoff +LOC: Config.onoff.prefer_direct +DEFAULT: off +DOC_START + Normally Squid tries to use parents for most requests. If you by some + reason like it to first try going direct and only use a parent if + going direct fails then set this to on. + + By combining nonhierarchical_direct off and prefer_direct on you + can set up Squid to use a parent as a backup path if going direct + fails. +DOC_END + +NAME: strip_query_terms +TYPE: onoff +LOC: Config.onoff.strip_query_terms +DEFAULT: on +DOC_START + By default, Squid strips query terms from requested URLs before + logging. This protects your user's privacy. +DOC_END + +NAME: coredump_dir +TYPE: string +LOC: Config.coredump_dir +DEFAULT: none +DEFAULT_IF_NONE: none +DOC_START + By default Squid leaves core files in the directory from where + it was started. If you set 'coredump_dir' to a directory + that exists, Squid will chdir() to that directory at startup + and coredump files will be left there. + +NOCOMMENT_START # Leave coredumps in the first cache dir - coredump_dir @DEFAULT_SWAP_DIR@ - NOCOMMENT_END - DOC_END - - NAME: redirector_bypass - TYPE: onoff - LOC: Config.onoff.redirector_bypass - DEFAULT: off - DOC_START - When this is 'on', a request will not go through the - redirector if all redirectors are busy. If this is 'off' - and the redirector queue grows too large, Squid will exit - with a FATAL error and ask you to increase the number of - redirectors. You should only enable this if the redirectors - are not critical to your caching system. If you use - redirectors for access control, and you enable this option, - then users may have access to pages that they should not - be allowed to request. - DOC_END - - NAME: ignore_unknown_nameservers - TYPE: onoff - LOC: Config.onoff.ignore_unknown_nameservers - DEFAULT: on - DOC_START - By default Squid checks that DNS responses are received - from the same IP addresses that they are sent to. If they - don't match, Squid ignores the response and writes a warning - message to cache.log. You can allow responses from unknown - nameservers by setting this option to 'off'. - DOC_END - - NAME: digest_generation - IFDEF: USE_CACHE_DIGESTS - TYPE: onoff - LOC: Config.onoff.digest_generation - DEFAULT: on - DOC_START - This controls whether the server will generate a Cache Digest - of its contents. By default, Cache Digest generation is - enabled if Squid is compiled with USE_CACHE_DIGESTS defined. - DOC_END - - NAME: digest_bits_per_entry - IFDEF: USE_CACHE_DIGESTS - TYPE: int - LOC: Config.digest.bits_per_entry - DEFAULT: 5 - DOC_START - This is the number of bits of the server's Cache Digest which - will be associated with the Digest entry for a given HTTP - Method and URL (public key) combination. The default is 5. - DOC_END - - NAME: digest_rebuild_period - IFDEF: USE_CACHE_DIGESTS - COMMENT: (seconds) - TYPE: time_t - LOC: Config.digest.rebuild_period - DEFAULT: 1 hour - DOC_START - This is the number of seconds between Cache Digest rebuilds. - DOC_END - - NAME: digest_rewrite_period - COMMENT: (seconds) - IFDEF: USE_CACHE_DIGESTS - TYPE: time_t - LOC: Config.digest.rewrite_period - DEFAULT: 1 hour - DOC_START - This is the number of seconds between Cache Digest writes to - disk. - DOC_END - - NAME: digest_swapout_chunk_size - COMMENT: (bytes) - TYPE: b_size_t - IFDEF: USE_CACHE_DIGESTS - LOC: Config.digest.swapout_chunk_size - DEFAULT: 4096 bytes - DOC_START - This is the number of bytes of the Cache Digest to write to - disk at a time. It defaults to 4096 bytes (4KB), the Squid - default swap page. - DOC_END - - NAME: digest_rebuild_chunk_percentage - COMMENT: (percent, 0-100) - IFDEF: USE_CACHE_DIGESTS - TYPE: int - LOC: Config.digest.rebuild_chunk_percentage - DEFAULT: 10 - DOC_START - This is the percentage of the Cache Digest to be scanned at a - time. By default it is set to 10% of the Cache Digest. - DOC_END - - NAME: chroot - TYPE: string - LOC: Config.chroot_dir - DEFAULT: none - DOC_START - Use this to have Squid do a chroot() while initializing. This - also causes Squid to fully drop root privileges after - initializing. This means, for example, that if you use a HTTP - port less than 1024 and try to reconfigure, you will get an - error. - DOC_END - - NAME: client_persistent_connections - TYPE: onoff - LOC: Config.onoff.client_pconns - DEFAULT: on - DOC_NONE - - NAME: server_persistent_connections - TYPE: onoff - LOC: Config.onoff.server_pconns - DEFAULT: on - DOC_START - Persistent connection support for clients and servers. By - default, Squid uses persistent connections (when allowed) - with its clients and servers. You can use these options to - disable persistent connections with clients and/or servers. - DOC_END - - NAME: pipeline_prefetch - TYPE: onoff - LOC: Config.onoff.pipeline_prefetch - DEFAULT: off - DOC_START - To boost the performance of pipelined requests to closer - match that of a non-proxied environment Squid can try to fetch - up to two requests in parallell from a pipeline. - - Defaults to off for bandwidth management and access logging - reasons. - DOC_END - - NAME: extension_methods - TYPE: wordlist - LOC: Config.ext_methods - DEFAULT: none - DOC_START - Squid only knows about standardized HTTP request methods. - You can add up to 20 additional "extension" methods here. - DOC_END - - NAME: request_entities - TYPE: onoff - LOC: Config.onoff.request_entities - DEFAULT: off - DOC_START - Squid defaults to deny GET and HEAD requests with request entities, - as the meaning of such requests are undefined in the HTTP standard - even if not explicitly forbidden. - - Set this directive to on if you have clients which insists - on sending request entities in GET or HEAD requests. - DOC_END - - NAME: high_response_time_warning - TYPE: int - COMMENT: (msec) - LOC: Config.warnings.high_rptm - DEFAULT: 0 - DOC_START - If the one-minute median response time exceeds this value, - Squid prints a WARNING with debug level 0 to get the - administrators attention. The value is in milliseconds. - DOC_END - - NAME: high_page_fault_warning - TYPE: int - LOC: Config.warnings.high_pf - DEFAULT: 0 - DOC_START - If the one-minute average page fault rate exceeds this - value, Squid prints a WARNING with debug level 0 to get - the administrators attention. The value is in page faults - per second. - DOC_END - - NAME: high_memory_warning - TYPE: b_size_t - LOC: Config.warnings.high_memory - DEFAULT: 0 - DOC_START - If the memory usage (as determined by mallinfo) exceeds - value, Squid prints a WARNING with debug level 0 to get - the administrators attention. - DOC_END - - NAME: store_dir_select_algorithm - TYPE: string - LOC: Config.store_dir_select_algorithm - DEFAULT: least-load - DOC_START - Set this to 'round-robin' as an alternative. - DOC_END - - NAME: forward_log - IFDEF: WIP_FWD_LOG - TYPE: string - DEFAULT: none - LOC: Config.Log.forward - DOC_START - Logs the server-side requests. - - This is currently work in progress. - DOC_END - - NAME: ie_refresh - COMMENT: on|off - TYPE: onoff - LOC: Config.onoff.ie_refresh - DEFAULT: off - DOC_START - Microsoft Internet Explorer up until version 5.5 Service - Pack 1 has an issue with transparent proxies, wherein it - is impossible to force a refresh. Turning this on provides - a partial fix to the problem, by causing all IMS-REFRESH - requests from older IE versions to check the origin server - for fresh content. This reduces hit ratio by some amount - (~10% in my experience), but allows users to actually get - fresh content when they want it. Note that because Squid - cannot tell if the user is using 5.5 or 5.5SP1, the behavior - of 5.5 is unchanged from old versions of Squid (i.e. a - forced refresh is impossible). Newer versions of IE will, - hopefully, continue to have the new behavior and will be - handled based on that assumption. This option defaults to - the old Squid behavior, which is better for hit ratios but - worse for clients using IE, if they need to be able to - force fresh content. - DOC_END - - NAME: vary_ignore_expire - COMMENT: on|off - TYPE: onoff - LOC: Config.onoff.vary_ignore_expire - DEFAULT: off - DOC_START - Many HTTP servers supporting Vary gives such objects - immediate expiry time with no cache-control header - when requested by a HTTP/1.0 client. This option - enables Squid to ignore such expiry times until - HTTP/1.1 is fully implemented. - WARNING: This may eventually cause some varying - objects not intended for caching to get cached. - DOC_END - - NAME: sleep_after_fork - COMMENT: (microseconds) - TYPE: int - LOC: Config.sleep_after_fork - DEFAULT: 0 - DOC_START - When this is set to a non-zero value, the main Squid process - sleeps the specified number of microseconds after a fork() - system call. This sleep may help the situation where your - system reports fork() failures due to lack of (virtual) - memory. Note, however, that if you have a lot of child - processes, then these sleep delays will add up and your - Squid will not service requests for some amount of time - until all the child processes have been started. - DOC_END - - EOF +coredump_dir @DEFAULT_SWAP_DIR@ +NOCOMMENT_END +DOC_END + +NAME: redirector_bypass +TYPE: onoff +LOC: Config.onoff.redirector_bypass +DEFAULT: off +DOC_START + When this is 'on', a request will not go through the + redirector if all redirectors are busy. If this is 'off' + and the redirector queue grows too large, Squid will exit + with a FATAL error and ask you to increase the number of + redirectors. You should only enable this if the redirectors + are not critical to your caching system. If you use + redirectors for access control, and you enable this option, + then users may have access to pages that they should not + be allowed to request. +DOC_END + +NAME: ignore_unknown_nameservers +TYPE: onoff +LOC: Config.onoff.ignore_unknown_nameservers +DEFAULT: on +DOC_START + By default Squid checks that DNS responses are received + from the same IP addresses that they are sent to. If they + don't match, Squid ignores the response and writes a warning + message to cache.log. You can allow responses from unknown + nameservers by setting this option to 'off'. +DOC_END + +NAME: digest_generation +IFDEF: USE_CACHE_DIGESTS +TYPE: onoff +LOC: Config.onoff.digest_generation +DEFAULT: on +DOC_START + This controls whether the server will generate a Cache Digest + of its contents. By default, Cache Digest generation is + enabled if Squid is compiled with USE_CACHE_DIGESTS defined. +DOC_END + +NAME: digest_bits_per_entry +IFDEF: USE_CACHE_DIGESTS +TYPE: int +LOC: Config.digest.bits_per_entry +DEFAULT: 5 +DOC_START + This is the number of bits of the server's Cache Digest which + will be associated with the Digest entry for a given HTTP + Method and URL (public key) combination. The default is 5. +DOC_END + +NAME: digest_rebuild_period +IFDEF: USE_CACHE_DIGESTS +COMMENT: (seconds) +TYPE: time_t +LOC: Config.digest.rebuild_period +DEFAULT: 1 hour +DOC_START + This is the number of seconds between Cache Digest rebuilds. +DOC_END + +NAME: digest_rewrite_period +COMMENT: (seconds) +IFDEF: USE_CACHE_DIGESTS +TYPE: time_t +LOC: Config.digest.rewrite_period +DEFAULT: 1 hour +DOC_START + This is the number of seconds between Cache Digest writes to + disk. +DOC_END + +NAME: digest_swapout_chunk_size +COMMENT: (bytes) +TYPE: b_size_t +IFDEF: USE_CACHE_DIGESTS +LOC: Config.digest.swapout_chunk_size +DEFAULT: 4096 bytes +DOC_START + This is the number of bytes of the Cache Digest to write to + disk at a time. It defaults to 4096 bytes (4KB), the Squid + default swap page. +DOC_END + +NAME: digest_rebuild_chunk_percentage +COMMENT: (percent, 0-100) +IFDEF: USE_CACHE_DIGESTS +TYPE: int +LOC: Config.digest.rebuild_chunk_percentage +DEFAULT: 10 +DOC_START + This is the percentage of the Cache Digest to be scanned at a + time. By default it is set to 10% of the Cache Digest. +DOC_END + +NAME: chroot +TYPE: string +LOC: Config.chroot_dir +DEFAULT: none +DOC_START + Use this to have Squid do a chroot() while initializing. This + also causes Squid to fully drop root privileges after + initializing. This means, for example, that if you use a HTTP + port less than 1024 and try to reconfigure, you will get an + error. +DOC_END + +NAME: client_persistent_connections +TYPE: onoff +LOC: Config.onoff.client_pconns +DEFAULT: on +DOC_NONE + +NAME: server_persistent_connections +TYPE: onoff +LOC: Config.onoff.server_pconns +DEFAULT: on +DOC_START + Persistent connection support for clients and servers. By + default, Squid uses persistent connections (when allowed) + with its clients and servers. You can use these options to + disable persistent connections with clients and/or servers. +DOC_END + +NAME: pipeline_prefetch +TYPE: onoff +LOC: Config.onoff.pipeline_prefetch +DEFAULT: off +DOC_START + To boost the performance of pipelined requests to closer + match that of a non-proxied environment Squid can try to fetch + up to two requests in parallell from a pipeline. + + Defaults to off for bandwidth management and access logging + reasons. +DOC_END + +NAME: extension_methods +TYPE: wordlist +LOC: Config.ext_methods +DEFAULT: none +DOC_START + Squid only knows about standardized HTTP request methods. + You can add up to 20 additional "extension" methods here. +DOC_END + +NAME: request_entities +TYPE: onoff +LOC: Config.onoff.request_entities +DEFAULT: off +DOC_START + Squid defaults to deny GET and HEAD requests with request entities, + as the meaning of such requests are undefined in the HTTP standard + even if not explicitly forbidden. + + Set this directive to on if you have clients which insists + on sending request entities in GET or HEAD requests. +DOC_END + +NAME: high_response_time_warning +TYPE: int +COMMENT: (msec) +LOC: Config.warnings.high_rptm +DEFAULT: 0 +DOC_START + If the one-minute median response time exceeds this value, + Squid prints a WARNING with debug level 0 to get the + administrators attention. The value is in milliseconds. +DOC_END + +NAME: high_page_fault_warning +TYPE: int +LOC: Config.warnings.high_pf +DEFAULT: 0 +DOC_START + If the one-minute average page fault rate exceeds this + value, Squid prints a WARNING with debug level 0 to get + the administrators attention. The value is in page faults + per second. +DOC_END + +NAME: high_memory_warning +TYPE: b_size_t +LOC: Config.warnings.high_memory +DEFAULT: 0 +DOC_START + If the memory usage (as determined by mallinfo) exceeds + value, Squid prints a WARNING with debug level 0 to get + the administrators attention. +DOC_END + +NAME: store_dir_select_algorithm +TYPE: string +LOC: Config.store_dir_select_algorithm +DEFAULT: least-load +DOC_START + Set this to 'round-robin' as an alternative. +DOC_END + +NAME: forward_log +IFDEF: WIP_FWD_LOG +TYPE: string +DEFAULT: none +LOC: Config.Log.forward +DOC_START + Logs the server-side requests. + + This is currently work in progress. +DOC_END + +NAME: ie_refresh +COMMENT: on|off +TYPE: onoff +LOC: Config.onoff.ie_refresh +DEFAULT: off +DOC_START + Microsoft Internet Explorer up until version 5.5 Service + Pack 1 has an issue with transparent proxies, wherein it + is impossible to force a refresh. Turning this on provides + a partial fix to the problem, by causing all IMS-REFRESH + requests from older IE versions to check the origin server + for fresh content. This reduces hit ratio by some amount + (~10% in my experience), but allows users to actually get + fresh content when they want it. Note that because Squid + cannot tell if the user is using 5.5 or 5.5SP1, the behavior + of 5.5 is unchanged from old versions of Squid (i.e. a + forced refresh is impossible). Newer versions of IE will, + hopefully, continue to have the new behavior and will be + handled based on that assumption. This option defaults to + the old Squid behavior, which is better for hit ratios but + worse for clients using IE, if they need to be able to + force fresh content. +DOC_END + +NAME: vary_ignore_expire +COMMENT: on|off +TYPE: onoff +LOC: Config.onoff.vary_ignore_expire +DEFAULT: off +DOC_START + Many HTTP servers supporting Vary gives such objects + immediate expiry time with no cache-control header + when requested by a HTTP/1.0 client. This option + enables Squid to ignore such expiry times until + HTTP/1.1 is fully implemented. + WARNING: This may eventually cause some varying + objects not intended for caching to get cached. +DOC_END + +NAME: sleep_after_fork +COMMENT: (microseconds) +TYPE: int +LOC: Config.sleep_after_fork +DEFAULT: 0 +DOC_START + When this is set to a non-zero value, the main Squid process + sleeps the specified number of microseconds after a fork() + system call. This sleep may help the situation where your + system reports fork() failures due to lack of (virtual) + memory. Note, however, that if you have a lot of child + processes, then these sleep delays will add up and your + Squid will not service requests for some amount of time + until all the child processes have been started. +DOC_END + +EOF